tests: iptables-test: Properly assert rule deletion errors

Capture any non-zero return code, iptables not necessarily returns 1 on
error.

A known issue with trying to delete a rule by spec is the unsupported
--set-counters option. Strip it before deleting the rule.

Fixes: c8b7aaabbe1fc ("add iptables unit test infrastructure")
Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/iptables-test.py b/iptables-test.py
index 0d2f30dfb0d7cae0f2e7f9253498d62153e56f6a..413e3fdccc9e38ced3e5a760730eaa53557e3e1e 100755 (executable)
--- a/iptables-test.py
+++ b/iptables-test.py
@@ -58,10 +58,23 @@ def print_error(reason, filename=None, lineno=None, log_file=sys.stderr):
 def delete_rule(iptables, rule, filename, lineno, netns = None):
     '''
     Removes an iptables rule
+
+    Remove any --set-counters arguments, --delete rejects them.
     '''
+    delrule = rule.split()
+    for i in range(len(delrule)):
+        if delrule[i] in ['-c', '--set-counters']:
+            delrule.pop(i)
+            if ',' in delrule.pop(i):
+                break
+            if len(delrule) > i and delrule[i].isnumeric():
+                delrule.pop(i)
+            break
+    rule = " ".join(delrule)
+
     cmd = iptables + " -D " + rule
     ret = execute_cmd(cmd, filename, lineno, netns)
-    if ret == 1:
+    if ret != 0:
         reason = "cannot delete: " + iptables + " -I " + rule
         print_error(reason, filename, lineno)
         return -1