tests/py: Check differing rule output for sanity

If an added rule's listing differs from the input (either expected or
not), reinsert that output and check payload again to make sure the
asymmetry doesn't lead to (internal) changes in ruleset.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/tests/py/nft-test.py b/tests/py/nft-test.py
index 4e69cd2782232ca8dbd0980f7971a2dfc3919391..1837c9c9353078f91754afd77382eebae8546b89 100755 (executable)
--- a/tests/py/nft-test.py
+++ b/tests/py/nft-test.py
@@ -823,8 +823,10 @@ def rule_add(rule, filename, lineno, force_all_family_option, filename_path):
                 continue
 
             rule_output = output_clean(pre_output, chain)
+            retest_output = False
             if len(rule) == 3:
                 teoric_exit = rule[2]
+                retest_output = True
             else:
                 teoric_exit = rule[0]
 
@@ -833,6 +835,7 @@ def rule_add(rule, filename, lineno, force_all_family_option, filename_path):
                     if set_check_element(teoric_exit.rstrip(),
                                          rule_output.rstrip()) != 0:
                         warning += 1
+                        retest_output = True
                         print_differences_warning(filename, lineno,
                                                   teoric_exit.rstrip(),
                                                   rule_output, cmd)
@@ -846,6 +849,7 @@ def rule_add(rule, filename, lineno, force_all_family_option, filename_path):
                             return [ret, warning, error, unit_tests]
 
                     warning += 1
+                    retest_output = True
                     print_differences_warning(filename, lineno,
                                               teoric_exit.rstrip(),
                                               rule_output, cmd)
@@ -853,6 +857,26 @@ def rule_add(rule, filename, lineno, force_all_family_option, filename_path):
                     if not force_all_family_option:
                         return [ret, warning, error, unit_tests]
 
+            if retest_output:
+                table_flush(table, filename, lineno)
+
+                # Add rule and check return code
+                cmd = "add rule %s %s %s" % (table, chain, rule_output.rstrip())
+                ret = execute_cmd(cmd, filename, lineno, payload_log, debug="netlink")
+
+                if ret != 0:
+                    test_state = "Replaying rule failed."
+                    reason = cmd + ": " + test_state
+                    print_warning(reason, filename, lineno)
+                    ret = -1
+                    error += 1
+                    if not force_all_family_option:
+                        return [ret, warning, error, unit_tests]
+                # Check for matching payload
+                elif not payload_check(table_payload_expected,
+                                       payload_log, cmd):
+                    error += 1
+
             if not enable_json_option:
                 continue