From f9ed681f9c8896d7f09f21a8425983fb5ccf6114 Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Sun, 19 Apr 2026 15:37:47 +0200
Subject: [PATCH] tests: shell: add test case for checkentry hook validations

A few matches/targets reject based on the calling hook mask from their checkentry functions. Some are cosmetic (reject nonsensical rule that would not work, but others are mandatory rejects, in particular TCPMSS which may need skb_dst() depending on the requested mode of operation. For -legacy this yields: xt_TCPMSS: path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks xt_addrtype: output interface limitation not valid in PREROUTING and INPUT xt_addrtype: input interface limitation not valid in POSTROUTING and OUTPUT xt_physdev: --physdev-out and --physdev-is-out only supported in the FORWARD and POSTROUTING chains with bridged traffic xt_physdev: --physdev-out and --physdev-is-out only supported in the FORWARD and POSTROUTING chains with bridged traffic xt_policy: input policy not valid in POSTROUTING and OUTPUT xt_policy: output policy not valid in PREROUTING and INPUT ... in dmesg. -j SET is currently missing, could be added later (needs an existing ipset).

Signed-off-by: Florian Westphal
---
 .../iptables/0012-bad-matches-and-targets_0 | 103 ++++++++++++++++++
 1 file changed, 103 insertions(+)
 create mode 100755 iptables/tests/shell/testcases/iptables/0012-bad-matches-and-targets_0

diff --git a/iptables/tests/shell/testcases/iptables/0012-bad-matches-and-targets_0 b/iptables/tests/shell/testcases/iptables/0012-bad-matches-and-targets_0
new file mode 100755
index 00000000..fe7d9a9a
--- /dev/null
+++ b/iptables/tests/shell/testcases/iptables/0012-bad-matches-and-targets_0
@@ -0,0 +1,103 @@
+#!/bin/sh
+
+set -x
+
+die() {
+ local flavor="$1"
+ echo "$1: $2 was accepted"
+ $XT_MULTI "$flavor-save"
+ exit 1
+}
+
+die_err() {
+ local flavor="$1"
+ echo "$1: $2 should work"
+ $XT_MULTI "$flavor-save"
+ exit 1
+}
+
+do_link() {
+ local flavor="$1"
+ local chain="$2"
+
+ $XT_MULTI "$flavor" -t mangle -A "$chain" -j USERCHAIN && die "$flavor" "$chain -j USERCHAIN"
+
+ $XT_MULTI "$flavor" -t mangle -F USERCHAIN || die_err "$flavor" "flush USERCHAIN"
+}
+
+do_link_prerouting() {
+ do_link "$1" "PREROUTING"
+}
+
+do_link_output() {
+ do_link "$1" "OUTPUT"
+}
+
+check_TCPMSS() {
+ local flavor="$1"
+
+ $XT_MULTI "$flavor" -t mangle -A PREROUTING -p tcp --syn -j TCPMSS --clamp-mss-to-pmtu && die "$flavor" "TCPMSS in PREROUTING"
+
+ $XT_MULTI "$flavor" -t mangle -A USERCHAIN -p tcp --syn -j TCPMSS --clamp-mss-to-pmtu || die_err "$flavor" "TCPMSS in USERCHAIN"
+ do_link_prerouting "$flavor"
+}
+
+check_addrtype() {
+ local flavor="$1"
+
+ $XT_MULTI "$flavor" -t mangle -A PREROUTING -m addrtype --limit-iface-out --src-type UNICAST && die "$flavor" "addrtype iface-out in PREROUTING"
+
+ $XT_MULTI "$flavor" -t mangle -A OUTPUT -m addrtype --limit-iface-in --src-type UNICAST && die "$flavor" "addrtype in iface-in OUTPUT"
+
+ $XT_MULTI "$flavor" -t mangle -A USERCHAIN -m addrtype --limit-iface-out --src-type UNICAST || die_err "$flavor" "addrtype iface-out in USERCHAIN"
+ do_link_prerouting "$flavor"
+
+ $XT_MULTI "$flavor" -t mangle -A USERCHAIN -m addrtype --limit-iface-in --src-type UNICAST || die_err "$flavor" "addrtype iface-in in USERCHAIN"
+ do_link_output "$flavor"
+}
+
+check_devgroup() {
+ local flavor="$1"
+
+ $XT_MULTI "$flavor" -t mangle -A PREROUTING -m devgroup --dst-group 1 && die "$flavor" "dst-group in PREROUTING"
+
+ $XT_MULTI "$flavor" -t mangle -A USERCHAIN -m devgroup --dst-group 1 || die_err "$flavor" "dst-group in USERCHAIN"
+ do_link_prerouting "$flavor"
+
+ $XT_MULTI "$flavor" -t mangle -A OUTPUT -m devgroup --src-group 1 && die "$flavor" "src-group in OUTPUT"
+ $XT_MULTI "$flavor" -t mangle -A USERCHAIN -m devgroup --src-group 1 || die_err "$flavor" "src-group in USERCHAIN"
+ do_link_output "$flavor"
+}
+
+check_physdev() {
+ local flavor="$1"
+
+ $XT_MULTI "$flavor" -t mangle -A OUTPUT -m physdev --physdev-out "foo" && die "$flavor" "physdev-out in OUTPUT"
+ $XT_MULTI "$flavor" -t mangle -A OUTPUT -m physdev --physdev-out "foo" --physdev-is-out && die "$flavor" "physdev-out in OUTPUT"
+
+ $XT_MULTI "$flavor" -t mangle -A USERCHAIN -m physdev --physdev-out "foo" || die_err "$flavor" "physdev-out in USERCHAIN"
+ do_link_output "$flavor"
+ $XT_MULTI "$flavor" -t mangle -A USERCHAIN -m physdev --physdev-out "foo" --physdev-is-out || die_err "$flavor" "physdev-out in USERCHAIN"
+ do_link_output "$flavor"
+}
+
+check_policy() {
+ local flavor="$1"
+
+ $XT_MULTI "$flavor" -t mangle -A OUTPUT -m policy --dir in --pol none && die "$flavor" "policy dir in OUTPUT"
+ $XT_MULTI "$flavor" -t mangle -A PREROUTING -m policy --dir out --pol none && die "$flavor" "policy dir out PREROUTING"
+
+ $XT_MULTI "$flavor" -t mangle -A USERCHAIN -m policy --dir in --pol none || die_err "$flavor" "policy dir in USERCHAIN"
+ do_link_output "$flavor"
+ $XT_MULTI "$flavor" -t mangle -A USERCHAIN -m policy --dir out --pol none || die_err "$flavor" "policy dir out USERCHAIN"
+ do_link_prerouting "$flavor"
+}
+
+for f in "iptables" "ip6tables";do
+ $XT_MULTI "$f" -t mangle -N USERCHAIN || die_err "$f" "cannot create USERCHAIN"
+ check_TCPMSS "$f"
+ check_addrtype "$f"
+ check_devgroup "$f"
+ check_physdev "$f"
+ check_policy "$f"
+done
--
2.47.3
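Review bot: In check_physdev the `--physdev-is-out` assertions reuse the failure texts of the plain `--physdev-out` lines (`"physdev-out in OUTPUT"` and `"physdev-out in USERCHAIN"`), so a failing run cannot say which of the two rules the kernel handled wrongly; `die "$flavor" "physdev-out + physdev-is-out in OUTPUT"` and `die_err "$flavor" "physdev-out + physdev-is-out in USERCHAIN"` for the second pair would make the report unambiguous. The addrtype OUTPUT message `"addrtype in iface-in OUTPUT"` also has its words out of order relative to its siblings; `"addrtype iface-in in OUTPUT"` matches them. Minor: `die()` and `die_err()` assign `local flavor="$1"` but then print `$1` directly, and `local` is not POSIX under the `#!/bin/sh` shebang — dash and bash accept it, but if the other cases in this directory use `#!/bin/bash`, as I believe they do, switching the shebang would avoid relying on that extension. Nothing removes USERCHAIN at the end, so the case assumes the harness gives each run a fresh mangle table; if it does not, a trailing `$XT_MULTI "$f" -t mangle -X USERCHAIN` inside the loop would be needed before the next run.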