tests: add initial save/restore test cases

Add script to restore ipt-save files and compare it with save output.
This should be extended to cover as many rulesets as possible, so this
is only a start.

The test script is changed to pass XT_MULTI instead of
iptables/ip6tables.

This allows ip(6)tables/ebt/arp only test scripts and avoids running all scripts
multiple times for ip/ip6tables.

Current expected output:

I: [OK]          ./iptables/tests/shell/testcases/chain/0001duplicate_1
I: [OK]          ./iptables/tests/shell/testcases/chain/000newchain_0
I: [OK]          ./iptables/tests/shell/testcases/chain/0005rename_1
I: [OK]          ./iptables/tests/shell/testcases/ipt-save/0001load-dumps_0
I: legacy results: [OK] 10 [FAILED] 0 [TOTAL] 10
I: [OK]          ./iptables/tests/shell/testcases/chain/0001duplicate_1
I: [OK]          ./iptables/tests/shell/testcases/chain/0004newchain_0
I: [OK]          ./iptables/tests/shell/testcases/chain/0005rename_1
I: [OK]          ./iptables/tests/shell/testcases/ipt-save/0001load-dumps_0
I: nft results: [OK] 10 [FAILED] 0 [TOTAL] 10
I: combined results: [OK] 20 [FAILED] 0 [TOTAL] 20

Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/iptables/tests/shell/run-tests.sh b/iptables/tests/shell/run-tests.sh
index 38f3c2d491248cc012d751b8dc7f2c84747297e4..a984a457768f52214daf277c82a3d3b2bb27925d 100755 (executable)
--- a/iptables/tests/shell/run-tests.sh
+++ b/iptables/tests/shell/run-tests.sh
@@ -59,29 +59,26 @@ do_test() {
        testfile="$1"
        xtables_multi="$2"
 
-       for it in iptables ip6tables; do
-               rc_spec=`echo $(basename ${testfile}) | cut -d _ -f2-`
-               IPTABLES="$xtables_multi $it"
-
-               msg_info "[EXECUTING]   $testfile"
-
-               if [ "$VERBOSE" = "y" ]; then
-                       IPTABLES="$IPTABLES" unshare -n ${testfile}
-               else
-                       IPTABLES="$IPTABLES" unshare -n ${testfile} > /dev/null 2>&1
-               fi
-
-               rc_got=$?
-               echo -en "\033[1A\033[K" # clean the [EXECUTING] foobar line
-
-               if [ "$rc_got" == "$rc_spec" ] ; then
-                       msg_info "[OK]          $testfile"
-                       ((ok++))
-               else
-                       ((failed++))
-                       msg_warn "[FAILED]      $testfile: expected $rc_spec but got $rc_got"
-               fi
-       done
+       rc_spec=`echo $(basename ${testfile}) | cut -d _ -f2-`
+
+       msg_info "[EXECUTING]   $testfile"
+
+       if [ "$VERBOSE" = "y" ]; then
+               XT_MULTI=$xtables_multi unshare -n ${testfile}
+       else
+               XT_MULTI=$xtables_multi unshare -n ${testfile} > /dev/null 2>&1
+       fi
+
+       rc_got=$?
+       echo -en "\033[1A\033[K" # clean the [EXECUTING] foobar line
+
+       if [ "$rc_got" == "$rc_spec" ] ; then
+               msg_info "[OK]          $testfile"
+               ((ok++))
+       else
+               ((failed++))
+               msg_warn "[FAILED]      $testfile: expected $rc_spec but got $rc_got"
+       fi
 }
 
 echo ""

diff --git a/iptables/tests/shell/testcases/chain/0001duplicate_1 b/iptables/tests/shell/testcases/chain/0001duplicate_1
index e88f82ad24ff7e19db74430f8c0d8682e326dd76..80ebb119c2689a39f8615a3c15db46cc66d02e05 100755 (executable)
--- a/iptables/tests/shell/testcases/chain/0001duplicate_1
+++ b/iptables/tests/shell/testcases/chain/0001duplicate_1
@@ -2,8 +2,11 @@
 
 set -x
 
-$IPTABLES -t filter -N c1
-$IPTABLES -t filter -N c1 || exit 1
+$XT_MULTI iptables -t filter -N c1 || exit 0
+$XT_MULTI iptables -t filter -N c1 || exit 1
+
+$XT_MULTI ip6tables -t filter -N c1 || exit 0
+$XT_MULTI ip6tables -t filter -N c1 || exit 1
 
 echo "E: Duplicate chains" >&2
 exit 0

diff --git a/iptables/tests/shell/testcases/chain/0004newchain_0 b/iptables/tests/shell/testcases/chain/0004newchain_0
new file mode 100755 (executable)
index 0000000..b1a7663
--- /dev/null
+++ b/iptables/tests/shell/testcases/chain/0004newchain_0
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+
+$XTABLES_MULTI iptables -N c1
+$XTABLES_MULTI ip6tables -N c1
+
+$XTABLES_MULTI iptables -N c2
+$XTABLES_MULTI ip6tables -N c2

diff --git a/iptables/tests/shell/testcases/chain/0004rename_0 b/iptables/tests/shell/testcases/chain/0004rename_0
deleted file mode 100755 (executable)
index a85369a..0000000
--- a/iptables/tests/shell/testcases/chain/0004rename_0
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-
-set -e
-
-$IPTABLES -N c1
-$IPTABLES -E c1 c2

diff --git a/iptables/tests/shell/testcases/chain/0005rename_1 b/iptables/tests/shell/testcases/chain/0005rename_1
index f2f6e55af44b232d9b93ccba258d6073a44e54b2..3ccdc033cb788ea2e2d69b7839fbbd41107e123f 100755 (executable)
--- a/iptables/tests/shell/testcases/chain/0005rename_1
+++ b/iptables/tests/shell/testcases/chain/0005rename_1
@@ -1,8 +1,12 @@
 #!/bin/bash
 
-$IPTABLES -N c1 || exit 0
-$IPTABLES -N c2 || exit 0
-$IPTABLES -E c1 c2 || exit 1
+$XTABLES_MULTI iptables -N c1 || exit 0
+$XTABLES_MULTI iptables -N c2 || exit 0
+$XTABLES_MULTI iptables -E c1 c2 || exit 1
+
+$XTABLES_MULTI ip6tables -N c1 || exit 0
+$XTABLES_MULTI ip6tables -N c2 || exit 0
+$XTABLES_MULTI ip6tables -E c1 c2 || exit 1
 
 echo "E: Renamed with existing chain" >&2
 exit 0

diff --git a/iptables/tests/shell/testcases/ipt-save/0001load-dumps_0 b/iptables/tests/shell/testcases/ipt-save/0001load-dumps_0
new file mode 100755 (executable)
index 0000000..acbc7b7
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-save/0001load-dumps_0
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+RET=0
+tmpfile=""
+set -x
+
+
+clean_tmpfile()
+{
+        if [ ! -z "$tmpfile" ];then
+                rm -f "$tmpfile"
+        fi
+}
+
+trap clean_tmpfile EXIT
+
+do_diff()
+{
+       A="$1"
+       B="$2"
+
+       AT=$(mktemp)
+       grep -v "^#" "$A" > "$AT"
+
+       diff -u "$AT" "$B"
+
+       x=$?
+       rm -f "$AT"
+       echo "Return $x for $XT_MULTI $A"
+
+       return $x
+}
+
+tmpfile=$(mktemp) || exit 1
+do_simple()
+{
+       iptables="$1"
+       dumpfile="$2"
+
+       $XT_MULTI ${iptables}-restore < "$dumpfile"
+       $XT_MULTI ${iptables}-save | grep -v "^#" > "$tmpfile"
+       do_diff $dumpfile "$tmpfile"
+       if [ $? -ne 0 ]; then
+               # cp "$tmpfile" "$dumpfile.got"
+               RET=1
+       fi
+}
+
+do_simple "iptables" $(dirname "$0")/dumps/ipt-save-filter.txt
+do_simple "iptables" $(dirname "$0")/dumps/policy-drop.txt
+
+exit $RET

diff --git a/iptables/tests/shell/testcases/ipt-save/dumps/ipt-save-filter.txt b/iptables/tests/shell/testcases/ipt-save/dumps/ipt-save-filter.txt
new file mode 100644 (file)
index 0000000..bfb6bdd
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-save/dumps/ipt-save-filter.txt
@@ -0,0 +1,69 @@
+# Generated by iptables-save v1.2.4 on Mon Mar 17 19:59:10 2003
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+:WLAN - [0:0]
+:accept_log - [0:0]
+:block - [0:0]
+:in_icmp - [0:0]
+:in_trusted - [0:0]
+:reject_log - [0:0]
+:wlanout - [0:0]
+-A INPUT -i wlan0 -j WLAN
+-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -j ACCEPT
+-A INPUT -i ppp0 -p icmp -m limit --limit 1/sec -j in_icmp
+-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j in_trusted
+-A INPUT -j block
+-A FORWARD -d 192.168.100.77/32 -i ppp0 -p udp -m udp --dport 4166 -j ACCEPT
+-A FORWARD -d 192.168.100.77/32 -i ppp0 -p tcp -m tcp --dport 4180 -j ACCEPT
+-A FORWARD -d 192.168.100.77/32 -i ppp0 -p tcp -m tcp --dport 4162 -j ACCEPT
+-A FORWARD -d 192.168.100.77/32 -i ppp0 -p tcp -m tcp --dport 20376 -j ACCEPT
+-A FORWARD -d 192.168.100.2/32 -i ppp0 -p tcp -m tcp --dport 10209 -j ACCEPT
+-A FORWARD -d 192.168.100.2/32 -i ppp0 -p tcp -m tcp --dport 881 -j ACCEPT
+-A FORWARD ! -s 192.168.0.0/24 -i eth2 -p icmp -j DROP
+-A FORWARD ! -s 192.168.0.0/24 -i eth2 -p udp -j DROP
+-A FORWARD ! -s 192.168.0.0/24 -i eth2 -p tcp -j DROP
+-A FORWARD ! -s 192.168.100.0/24 -i eth1 -p icmp -j DROP
+-A FORWARD ! -s 192.168.100.0/24 -i eth1 -p udp -j DROP
+-A FORWARD ! -s 192.168.100.0/24 -i eth1 -p tcp -j DROP
+-A FORWARD -o ppp0 -p udp -m udp --sport 137:139 -j DROP
+-A FORWARD -o ppp0 -p udp -m udp --sport 445 -j DROP
+-A FORWARD -o ppp0 -p tcp -m tcp --sport 137:139 -j DROP
+-A FORWARD -o ppp0 -p tcp -m tcp --sport 445 -j DROP
+-A FORWARD -i ppp0 -p udp -m udp --dport 137:139 -j DROP
+-A FORWARD -i ppp0 -p udp -m udp --dport 445 -j DROP
+-A FORWARD -i ppp0 -p tcp -m tcp --dport 137:139 -j DROP
+-A FORWARD -i ppp0 -p tcp -m tcp --dport 445 -j DROP
+-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+-A FORWARD -j block
+-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -j ACCEPT
+-A OUTPUT -o wlan0 -j wlanout
+-A OUTPUT -j block
+-A WLAN -s 192.168.200.4/32 -m mac --mac-source 00:00:F1:05:A0:E0 -j RETURN
+-A WLAN -s 192.168.200.9/32 -m mac --mac-source 00:00:F1:05:99:85 -j RETURN
+-A WLAN -m limit --limit 12/min -j LOG --log-prefix "UNKNOWN WLAN dropped:"
+-A WLAN -j DROP
+-A accept_log -i ppp0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j LOG --log-prefix "TCPConnect on ppp0:"
+-A accept_log -i ppp0 ! -p tcp -m limit --limit 1/sec -j LOG --log-prefix "Accepted Datagram on ppp0:"
+-A accept_log -j ACCEPT
+-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A block ! -i ppp0 -m state --state NEW -j ACCEPT
+-A block -p tcp -j reject_log
+-A block -p udp -j reject_log
+-A in_icmp -p icmp -m icmp --icmp-type 8 -j ACCEPT
+-A in_icmp -p icmp -m icmp --icmp-type 4 -j ACCEPT
+-A in_icmp -p icmp -m icmp --icmp-type 1 -j ACCEPT
+-A in_icmp -p icmp -m icmp --icmp-type 3 -j ACCEPT
+-A in_icmp -p icmp -m icmp --icmp-type 11 -j ACCEPT
+-A in_icmp -p icmp -m icmp --icmp-type 12 -j ACCEPT
+-A in_trusted -s 10.230.173.148/32 -j ACCEPT
+-A in_trusted -s 10.230.173.151/32 -j ACCEPT
+-A reject_log -i ppp0 -p tcp -m tcp --dport 22:80 --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j LOG --log-prefix "RejectTCPConnectReq on ppp0:"
+-A reject_log -p tcp -j REJECT --reject-with tcp-reset
+-A reject_log -p udp -j REJECT --reject-with icmp-port-unreachable
+-A wlanout -d 192.168.200.4/32 -j RETURN
+-A wlanout -d 192.168.200.9/32 -j RETURN
+-A wlanout -j DROP
+COMMIT
+# Completed on Mon Mar 17 19:59:10 2003

diff --git a/iptables/tests/shell/testcases/ipt-save/dumps/policy-drop.txt b/iptables/tests/shell/testcases/ipt-save/dumps/policy-drop.txt
new file mode 100644 (file)
index 0000000..7522231
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-save/dumps/policy-drop.txt
@@ -0,0 +1,8 @@
+# Generated by xtables-save v1.6.2 on Tue Jun 26 22:28:41 2018
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+-A OUTPUT -j ACCEPT
+COMMIT
+# Completed on Tue Jun 26 22:28:41 2018