git.ipfire.org Git - thirdparty/iptables.git/commit

author	Phil Sutter <phil@nwl.cc>
	Fri, 26 Jan 2024 15:59:56 +0000 (16:59 +0100)
committer	Phil Sutter <phil@nwl.cc>
	Thu, 1 Feb 2024 13:51:30 +0000 (14:51 +0100)
commit	c10d356c1a87b2181e148d6054c856c50d5b2159
tree	6fb0cd0ac0ef289a648fc2ec82e3357762cb39e0	tree \| snapshot
parent	ee87ad419e9a0c66a0b80fd73a530af741d2629e	commit \| diff

tests: iptables-test: Increase non-fast mode strictness

The simple search for the rule in save output accepted arbitrary leading
and trailing rule parts. This was partly desired as it allowed to omit
the leading '-A' flag or ignore the mandatory '-j CONTINUE' in ebtables
rules, though it could hide bugs.

Introduction of fast mode mitigated this due to the way how it searches
for multiple rules at the same time, but there are cases which fast mode
does not support yet (e.g. test cases containing variant-specific rule
output).

Given save output format will never contain the rule in first or last
line, so enclosing the searched rule in newline characters is sufficient
to make the search apply to full lines only. The only drawback is having
to add '-A' and '-j CONTINUE' parts if needed.

The hidden bugs this revealed were:
- Long --nflog-prefix strings are not cut to 64 chars with iptables-nft
- The TCPMSS rule supposed to fail with legacy only must specify an
expected save output

Signed-off-by: Phil Sutter <phil@nwl.cc>

extensions/libxt_NFLOG.t		diff \| blob \| blame \| history
extensions/libxt_TCPMSS.t		diff \| blob \| blame \| history
iptables-test.py		diff \| blob \| blame \| history