git.ipfire.org Git - thirdparty/iptables.git/commit

author	Florian Westphal <fw@strlen.de>
	Sun, 19 Apr 2026 13:37:47 +0000 (15:37 +0200)
committer	Florian Westphal <fw@strlen.de>
	Thu, 23 Apr 2026 15:21:08 +0000 (17:21 +0200)
commit	f9ed681f9c8896d7f09f21a8425983fb5ccf6114
tree	eea768182ad8112737438a8ab3ed880839901bfa	tree \| snapshot
parent	5812fe5585e7187753439a654ccf1dbc4c7c515a	commit \| diff

tests: shell: add test case for checkentry hook validations

A few matches/targets reject based on the calling hook mask
from their checkentry functions. Some are cosmetic (reject
nonsensical rule that would not work, but others are mandatory
rejects, in particular TCPMSS which may need skb_dst()
depending on the requested mode of operation.

For -legacy this yields:
xt_TCPMSS: path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks
xt_addrtype: output interface limitation not valid in PREROUTING and INPUT
xt_addrtype: input interface limitation not valid in POSTROUTING and OUTPUT
xt_physdev: --physdev-out and --physdev-is-out only supported in the FORWARD and POSTROUTING chains with bridged traffic
xt_physdev: --physdev-out and --physdev-is-out only supported in the FORWARD and POSTROUTING chains with bridged traffic
xt_policy: input policy not valid in POSTROUTING and OUTPUT
xt_policy: output policy not valid in PREROUTING and INPUT

... in dmesg. -j SET is currently missing, could be added
later (needs an existing ipset).

Signed-off-by: Florian Westphal <fw@strlen.de>