From 0663cc944204ed3afa7fa4f7cf3beadb3ea8e1e4 Mon Sep 17 00:00:00 2001
From: chenzhen <vchanger123456@163.com>
Date: Fri, 1 Apr 2022 11:26:32 +0800
Subject: [PATCH] tests: extensions: add some testcases
These testcases are intended to test options of commonly used extensions like
DNAT/SNAT/tcp/udp as much as possible, covering normal and abnormal scenarios.
Signed-off-by: chenzhen <vchanger123456@163.com>
---
extensions/libip6t_DNAT.t | 9 +++++++++
extensions/libip6t_LOG.t | 1 +
extensions/libip6t_LOG.txlate | 9 +++++++++
extensions/libip6t_MASQUERADE.t | 1 +
extensions/libip6t_REJECT.t | 1 +
extensions/libip6t_SNAT.t | 8 ++++++++
extensions/libip6t_icmp6.t | 4 ++++
extensions/libip6t_rt.t | 6 ++++++
extensions/libip6t_rt.txlate | 3 +++
extensions/libipt_DNAT.t | 8 ++++++++
extensions/libipt_LOG.t | 1 +
extensions/libipt_LOG.txlate | 9 +++++++++
extensions/libipt_MASQUERADE.t | 1 +
extensions/libipt_NETMAP.t | 1 +
extensions/libipt_REJECT.t | 1 +
extensions/libipt_SNAT.t | 8 ++++++++
extensions/libipt_icmp.t | 4 ++++
extensions/libxt_DNAT.txlate | 6 ++++++
extensions/libxt_REDIRECT.t | 2 ++
extensions/libxt_iprange.t | 7 ++-----
extensions/libxt_limit.t | 7 +++++++
extensions/libxt_string.t | 12 ++++++++++++
extensions/libxt_tcp.t | 3 +++
iptables-test.py | 22 ++++++++++++++++++++++
24 files changed, 129 insertions(+), 5 deletions(-)
diff --git a/extensions/libip6t_DNAT.t b/extensions/libip6t_DNAT.t
index e53dfa1..3f89f4d 100644
--- a/extensions/libip6t_DNAT.t
+++ b/extensions/libip6t_DNAT.t
@@ -17,4 +17,13 @@
-p tcp -j DNAT --to-destination [dead::beef]:ftp-data;-p tcp -j DNAT --to-destination [dead::beef]:20;OK
-p tcp -j DNAT --to-destination [dead::beef]:echo-ssh;;FAIL
-p tcp -j DNAT --to-destination [dead::beef]:10-20/ftp;-p tcp -j DNAT --to-destination [dead::beef]:10-20/21;OK
+-p tcp -j DNAT --to-destination dead::beef --random --persistent;=;OK
+-p tcp -j DNAT --to-destination [dead::beef;;FAIL
+-p tcp -j DNAT --to-destination [dead::beef]:65536;;FAIL
+-p tcp -j DNAT --to-destination [dead::beef]:1-65536;;FAIL
+-p tcp -j DNAT --to-destination [dead::beef]:1:65535;;FAIL
+-p tcp -j DNAT --to-destination [dead::beef]:2-1;;FAIL
+-p tcp -j DNAT --to-destination live::beef;;FAIL
+-p tcp -j DNAT --to-destination dead::beef-live::beef;;FAIL
+-p tcp -j DNAT --to-destination :65535;=;OK
-j DNAT;;FAIL
diff --git a/extensions/libip6t_LOG.t b/extensions/libip6t_LOG.t
index fbf5118..e3fb58f 100644
--- a/extensions/libip6t_LOG.t
+++ b/extensions/libip6t_LOG.t
@@ -8,5 +8,6 @@
-j LOG --log-prefix "test: " --log-tcp-options;=;OK
-j LOG --log-prefix "test: " --log-ip-options;=;OK
-j LOG --log-prefix "test: " --log-uid;=;OK
+-j LOG --log-prefix "test: " --log-macdecode;=;OK
-j LOG --log-prefix "test: " --log-level bad;;FAIL
-j LOG --log-prefix;;FAIL
diff --git a/extensions/libip6t_LOG.txlate b/extensions/libip6t_LOG.txlate
index 29ffce7..79358a9 100644
--- a/extensions/libip6t_LOG.txlate
+++ b/extensions/libip6t_LOG.txlate
@@ -6,3 +6,12 @@ nft 'add rule ip6 filter FORWARD meta l4proto tcp counter log level debug'
ip6tables-translate -A FORWARD -p tcp -j LOG --log-prefix "Checking log"
nft 'add rule ip6 filter FORWARD meta l4proto tcp counter log prefix "Checking log"'
+
+ip6tables-translate -A FORWARD -p tcp -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid
+nft 'add rule ip6 filter FORWARD meta l4proto tcp counter log flags tcp sequence,options flags ip options flags skuid'
+
+ip6tables-translate -A FORWARD -p tcp -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid --log-macdecode
+nft 'add rule ip6 filter FORWARD meta l4proto tcp counter log flags all'
+
+ip6tables-translate -A FORWARD -p tcp -j LOG --log-tcp-sequence --log-macdecode
+nft 'add rule ip6 filter FORWARD meta l4proto tcp counter log flags tcp sequence flags ether'
diff --git a/extensions/libip6t_MASQUERADE.t b/extensions/libip6t_MASQUERADE.t
index e25d2a0..e254fa7 100644
--- a/extensions/libip6t_MASQUERADE.t
+++ b/extensions/libip6t_MASQUERADE.t
@@ -7,3 +7,4 @@
-p udp -j MASQUERADE --to-ports 1024-65535;=;OK
-p udp -j MASQUERADE --to-ports 1024-65536;;FAIL
-p udp -j MASQUERADE --to-ports -1;;FAIL
+-j MASQUERADE --to-ports 1024;;FAIL
diff --git a/extensions/libip6t_REJECT.t b/extensions/libip6t_REJECT.t
index 8294f0b..6e41b00 100644
--- a/extensions/libip6t_REJECT.t
+++ b/extensions/libip6t_REJECT.t
@@ -9,3 +9,4 @@
-j REJECT --reject-with icmp6-reject-route;=;OK
-p tcp -j REJECT --reject-with tcp-reset;=;OK
-j REJECT --reject-with tcp-reset;;FAIL
+-j REJECT --reject-with icmp6-wrong;;FAIL
diff --git a/extensions/libip6t_SNAT.t b/extensions/libip6t_SNAT.t
index 98aa760..12c0479 100644
--- a/extensions/libip6t_SNAT.t
+++ b/extensions/libip6t_SNAT.t
@@ -14,4 +14,12 @@
-p tcp -j SNAT --to-source [dead::beef-dead::fee7]:1025-65535;=;OK
-p tcp -j SNAT --to-source [dead::beef-dead::fee7]:1025-65536;;FAIL
-p tcp -j SNAT --to-source [dead::beef-dead::fee7]:1025-65535 --to-source [dead::beef-dead::fee8]:1025-65535;;FAIL
+-p tcp -j SNAT --to-source dead::beef --random --random-fully --persistent;=;OK
+-p tcp -j SNAT --to-source :65535;=;OK
+-p tcp -j SNAT --to-source [dead::beef;;FAIL
+-p tcp -j SNAT --to-source [dead::beef]:1-65536;;FAIL
+-p tcp -j SNAT --to-source [dead::beef]:1:65535;;FAIL
+-p tcp -j SNAT --to-source [dead::beef]:2-1;;FAIL
+-p tcp -j SNAT --to-source live::beef;;FAIL
+-p tcp -j SNAT --to-source dead::beef-live::beef;;FAIL
-j SNAT;;FAIL
diff --git a/extensions/libip6t_icmp6.t b/extensions/libip6t_icmp6.t
index 028cfc1..539ed7b 100644
--- a/extensions/libip6t_icmp6.t
+++ b/extensions/libip6t_icmp6.t
@@ -4,3 +4,7 @@
-p ipv6-icmp -m icmp6 --icmpv6-type 2;=;OK
# cannot use option twice:
-p ipv6-icmp -m icmp6 --icmpv6-type no-route --icmpv6-type packet-too-big;;FAIL
+-p ipv6-icmp -m icmp6 ! --icmpv6-type 2;=;OK
+-p ipv6-icmp -m icmp6 --icmpv6-type router;;FAIL
+-p ipv6-icmp -m icmp6 --icmpv6-type -1;;FAIL
+-p ipv6-icmp -m icmp6 --icmpv6-type 1/65536;;FAIL
diff --git a/extensions/libip6t_rt.t b/extensions/libip6t_rt.t
index 3c7b2d9..730603e 100644
--- a/extensions/libip6t_rt.t
+++ b/extensions/libip6t_rt.t
@@ -2,4 +2,10 @@
-m rt --rt-type 0 --rt-segsleft 1:23 --rt-len 42 --rt-0-res;=;OK
-m rt --rt-type 0 ! --rt-segsleft 1:23 ! --rt-len 42 --rt-0-res;=;OK
-m rt ! --rt-type 1 ! --rt-segsleft 12:23 ! --rt-len 42;=;OK
+-m rt --rt-type 0 --rt-0-addrs beef::feed --rt-0-not-strict;=;OK
+-m rt --rt-0-addrs beef::feed;;FAIL
+-m rt --rt-0-res;;FAIL
+-m rt --rt-type 0 --rt-0-not-strict;;FAIL
+-m rt --rt-type 0 --rt-0-addrs beef::wrong --rt-0-not-strict;;FAIL
+-m rt --rt-type 0 --rt-segsleft 1:1 --rt-len 42 --rt-0-res;-m rt --rt-type 0 --rt-segsleft 1 --rt-len 42 --rt-0-res;OK
-m rt;=;OK
diff --git a/extensions/libip6t_rt.txlate b/extensions/libip6t_rt.txlate
index 3578bcb..98344fb 100644
--- a/extensions/libip6t_rt.txlate
+++ b/extensions/libip6t_rt.txlate
@@ -12,3 +12,6 @@ nft 'add rule ip6 filter INPUT rt type 0 rt hdrlength 22 counter drop'
ip6tables-translate -A INPUT -m rt --rt-type 0 --rt-len 22 ! --rt-segsleft 26 -j ACCEPT
nft 'add rule ip6 filter INPUT rt type 0 rt seg-left != 26 rt hdrlength 22 counter accept'
+
+ip6tables-translate -A INPUT -m rt --rt-type 0 --rt-len 22 --rt-segsleft 1:26 -j ACCEPT
+nft 'add rule ip6 filter INPUT rt type 0 rt seg-left 1-26 rt hdrlength 22 counter accept'
diff --git a/extensions/libipt_DNAT.t b/extensions/libipt_DNAT.t
index 9007572..884da87 100644
--- a/extensions/libipt_DNAT.t
+++ b/extensions/libipt_DNAT.t
@@ -17,4 +17,12 @@
-p tcp -j DNAT --to-destination 1.1.1.1:ftp-data;-p tcp -j DNAT --to-destination 1.1.1.1:20;OK
-p tcp -j DNAT --to-destination 1.1.1.1:echo-ssh;;FAIL
-p tcp -j DNAT --to-destination 1.1.1.1:10-20/ftp;-p tcp -j DNAT --to-destination 1.1.1.1:10-20/21;OK
+-p tcp -j DNAT --to-destination 1.1.1.1 --random --persistent;=;OK
+-p tcp -j DNAT --to-destination :65535;=;OK
+-p tcp -j DNAT --to-destination 1.1.1.1:1000;=;OK
+-p tcp -j DNAT --to-destination 1.1.1.1:1025-65536;;FAIL
+-p tcp -j DNAT --to-destination 1.1.1.1:1025:65535;;FAIL
+-p tcp -j DNAT --to-destination 1.1.1.1:2000-1000;;FAIL
+-p tcp -j DNAT --to-destination 1.1.1.a;;FAIL
+-p tcp -j DNAT --to-destination 1.1.1.1-1.1.1.a;;FAIL
-j DNAT;;FAIL
diff --git a/extensions/libipt_LOG.t b/extensions/libipt_LOG.t
index fbf5118..e3fb58f 100644
--- a/extensions/libipt_LOG.t
+++ b/extensions/libipt_LOG.t
@@ -8,5 +8,6 @@
-j LOG --log-prefix "test: " --log-tcp-options;=;OK
-j LOG --log-prefix "test: " --log-ip-options;=;OK
-j LOG --log-prefix "test: " --log-uid;=;OK
+-j LOG --log-prefix "test: " --log-macdecode;=;OK
-j LOG --log-prefix "test: " --log-level bad;;FAIL
-j LOG --log-prefix;;FAIL
diff --git a/extensions/libipt_LOG.txlate b/extensions/libipt_LOG.txlate
index 13a2ef5..509b075 100644
--- a/extensions/libipt_LOG.txlate
+++ b/extensions/libipt_LOG.txlate
@@ -3,3 +3,12 @@ nft 'add rule ip filter FORWARD ip protocol tcp counter log level err'
iptables-translate -A FORWARD -p tcp -j LOG --log-prefix "Random prefix"
nft 'add rule ip filter FORWARD ip protocol tcp counter log prefix "Random prefix"'
+
+iptables-translate -A FORWARD -p tcp -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid
+nft 'add rule ip filter FORWARD ip protocol tcp counter log flags tcp sequence,options flags ip options flags skuid'
+
+iptables-translate -A FORWARD -p tcp -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid --log-macdecode
+nft 'add rule ip filter FORWARD ip protocol tcp counter log flags all'
+
+iptables-translate -A FORWARD -p tcp -j LOG --log-tcp-sequence --log-macdecode
+nft 'add rule ip filter FORWARD ip protocol tcp counter log flags tcp sequence flags ether'
diff --git a/extensions/libipt_MASQUERADE.t b/extensions/libipt_MASQUERADE.t
index e25d2a0..e254fa7 100644
--- a/extensions/libipt_MASQUERADE.t
+++ b/extensions/libipt_MASQUERADE.t
@@ -7,3 +7,4 @@
-p udp -j MASQUERADE --to-ports 1024-65535;=;OK
-p udp -j MASQUERADE --to-ports 1024-65536;;FAIL
-p udp -j MASQUERADE --to-ports -1;;FAIL
+-j MASQUERADE --to-ports 1024;;FAIL
diff --git a/extensions/libipt_NETMAP.t b/extensions/libipt_NETMAP.t
index 0de856f..2455354 100644
--- a/extensions/libipt_NETMAP.t
+++ b/extensions/libipt_NETMAP.t
@@ -2,3 +2,4 @@
*nat
-j NETMAP --to 1.2.3.0/24;=;OK
-j NETMAP --to 1.2.3.4;-j NETMAP --to 1.2.3.4/32;OK
+-j NETMAP --to 1.2.3.4/33;-j NETMAP --to 0.0.0.0/0.0.0.33;OK
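Review bot: The new case accepts `--to 1.2.3.4/33` and pins the normalised form `0.0.0.0/0.0.0.33`, which looks like a parser quirk being enshrined rather than a contract: /33 is not a valid IPv4 prefix length, and the expected output suggests the value was consumed as a literal netmask. If the intent is to document current behaviour until it is fixed, a comment line such as `# documents current parsing of an out-of-range prefix length; arguably should be FAIL` above it would stop a later reader from treating the mapping as intended. If rejection is the desired contract, the line should instead be `-j NETMAP --to 1.2.3.4/33;;FAIL`.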
diff --git a/extensions/libipt_REJECT.t b/extensions/libipt_REJECT.t
index 3f69a72..7ae90c3 100644
--- a/extensions/libipt_REJECT.t
+++ b/extensions/libipt_REJECT.t
@@ -7,3 +7,4 @@
-j REJECT --reject-with icmp-net-prohibited;=;OK
-j REJECT --reject-with icmp-host-prohibited;=;OK
-j REJECT --reject-with icmp-admin-prohibited;=;OK
+-j REJECT --reject-with echo-reply;;FAIL
diff --git a/extensions/libipt_SNAT.t b/extensions/libipt_SNAT.t
index c31d6e7..4998fba 100644
--- a/extensions/libipt_SNAT.t
+++ b/extensions/libipt_SNAT.t
@@ -14,4 +14,12 @@
-p tcp -j SNAT --to-source 1.1.1.1-1.1.1.10:1025-65535;=;OK
-p tcp -j SNAT --to-source 1.1.1.1-1.1.1.10:1025-65536;;FAIL
-p tcp -j SNAT --to-source 1.1.1.1-1.1.1.10:1025-65535 --to-source 2.2.2.2-2.2.2.20:1025-65535;;FAIL
+-p tcp -j SNAT --to-source 1.1.1.1 --random --random-fully --persistent;=;OK
+-p tcp -j SNAT --to-source :65535;=;OK
+-p tcp -j SNAT --to-source 1.1.1.1:1025;=;OK
+-p tcp -j SNAT --to-source 1.1.1.1:1025-65536;;FAIL
+-p tcp -j SNAT --to-source 1.1.1.1:1025:65535;;FAIL
+-p tcp -j SNAT --to-source 1.1.1.1:65535-1025;;FAIL
+-p tcp -j SNAT --to-source 1.1.1.a;;FAIL
+-p tcp -j SNAT --to-source 1.1.1.1-1.1.1.a;;FAIL
-j SNAT;;FAIL
diff --git a/extensions/libipt_icmp.t b/extensions/libipt_icmp.t
index ce4a33f..3d68c2d 100644
--- a/extensions/libipt_icmp.t
+++ b/extensions/libipt_icmp.t
@@ -15,3 +15,7 @@
# -p icmp -m icmp;=;OK
-p icmp -m icmp --icmp-type 255/255;=;OK
-p icmp -m icmp --icmp-type 255/0:255;-p icmp -m icmp --icmp-type any;OK
+-p icmp -m icmp ! --icmp-type 1/0;=;OK
+-p icmp -m icmp --icmp-type router;;FAIL
+-p icmp -m icmp --icmp-type -1;;FAIL
+-p icmp -m icmp --icmp-type 1/65536;;FAIL
diff --git a/extensions/libxt_DNAT.txlate b/extensions/libxt_DNAT.txlate
index e005245..454ab1a 100644
--- a/extensions/libxt_DNAT.txlate
+++ b/extensions/libxt_DNAT.txlate
@@ -13,6 +13,9 @@ nft 'add rule ip nat prerouting oifname "eth0" ip protocol tcp counter dnat to 1
iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4 --random --persistent
nft 'add rule ip nat prerouting oifname "eth0" ip protocol tcp counter dnat to 1.2.3.4 random,persistent'
+iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4:1000-2000/65535
+nft # -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4:1000-2000/65535
+
ip6tables-translate -t nat -A prerouting -p tcp --dport 8080 -j DNAT --to-destination fec0::1234
nft 'add rule ip6 nat prerouting tcp dport 8080 counter dnat to fec0::1234'
@@ -33,3 +36,6 @@ nft 'add rule ip6 nat prerouting meta l4proto tcp counter dnat to [fec0::1234]:8
ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination [fec0::1234]:80 --random --persistent
nft 'add rule ip6 nat prerouting meta l4proto tcp counter dnat to [fec0::1234]:80 random,persistent'
+
+ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination [dead::beef-dead::beef]
+nft 'add rule ip6 nat prerouting meta l4proto tcp counter dnat to dead::beef'
diff --git a/extensions/libxt_REDIRECT.t b/extensions/libxt_REDIRECT.t
index 362efa8..832acd3 100644
--- a/extensions/libxt_REDIRECT.t
+++ b/extensions/libxt_REDIRECT.t
@@ -15,3 +15,5 @@
-p tcp -j REDIRECT --to-ports 10-ssh;;FAIL
-j REDIRECT --to-ports 42;;FAIL
-j REDIRECT --random;=;OK
+-p tcp -j REDIRECT --to-ports -1;;FAIL
+-p tcp -j REDIRECT --to-ports 42-65536;;FAIL
diff --git a/extensions/libxt_iprange.t b/extensions/libxt_iprange.t
index 6fd98be..5e6b065 100644
--- a/extensions/libxt_iprange.t
+++ b/extensions/libxt_iprange.t
@@ -3,9 +3,6 @@
-m iprange ! --src-range 1.1.1.1-1.1.1.10;=;OK
-m iprange --dst-range 1.1.1.1-1.1.1.10;=;OK
-m iprange ! --dst-range 1.1.1.1-1.1.1.10;=;OK
-# it shows -A INPUT -m iprange --src-range 1.1.1.1-1.1.1.1, should we support this?
-# ERROR: should fail: iptables -A INPUT -m iprange --src-range 1.1.1.1
-# -m iprange --src-range 1.1.1.1;;FAIL
-# ERROR: should fail: iptables -A INPUT -m iprange --dst-range 1.1.1.1
-#-m iprange --dst-range 1.1.1.1;;FAIL
+-m iprange --src-range 1.1.1.1;-m iprange --src-range 1.1.1.1-1.1.1.1;OK
+-m iprange --dst-range 1.1.1.1;-m iprange --dst-range 1.1.1.1-1.1.1.1;OK
-m iprange;;FAIL
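Review bot: The removed comment block recorded an open question — whether a single address should be accepted by `--src-range`/`--dst-range` — and the two new lines answer it by asserting the degenerate range `1.1.1.1-1.1.1.1` is OK, but the reasoning is not kept anywhere. A one-line comment above the two new cases, e.g. `# a single address is accepted and normalised to a one-address range`, would preserve that decision for the next person who wonders whether this should fail.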
diff --git a/extensions/libxt_limit.t b/extensions/libxt_limit.t
index b0af653..95b5ef2 100644
--- a/extensions/libxt_limit.t
+++ b/extensions/libxt_limit.t
@@ -4,3 +4,10 @@
-m limit --limit 1000/hour;=;OK
-m limit --limit 1000/day;=;OK
-m limit --limit 1/sec --limit-burst 1;=;OK
+-m limit --limit 0/sec;;FAIL
+-m limit --limit 1/bad;;FAIL
+-m limit ! --limit 1/sec;;FAIL
+# Rate too fast(> 10000/sec)
+-m limit --limit 10001/second;;FAIL
+# Default value for --limit
+-m limit;-m limit --limit 3/hour;OK
diff --git a/extensions/libxt_string.t b/extensions/libxt_string.t
index 2f4b30c..eeb48b1 100644
--- a/extensions/libxt_string.t
+++ b/extensions/libxt_string.t
@@ -4,8 +4,20 @@
-m string ! --string "test" --algo kmp;=;OK
-m string --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" --algo bm;=;OK
-m string --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" --algo bm;;FAIL
+-m string --string "\\" --algo bm;-m string --hex-string "|5c|" --algo bm;OK
-m string --hex-string "|0a0a0a0a|" --algo bm;=;OK
+-m string ! --hex-string "|0a0a0a0a|" --algo bm;=;OK
-m string --algo bm --from 0 --to 65535 --string "test";-m string --string "test" --algo bm;OK
+-m string --algo bm --hex-string "| 0a|";-m string --hex-string "|0a|" --algo bm;OK
+-m string --algo bm --hex-string "|0a0|";;FAIL
+-m string --algo bm --hex-string "|ww|";;FAIL
+-m string --algo bm --hex-string "";;FAIL
+-m string --algo bm --hex-string "|0a\\|";;FAIL
+-m string --algo bm --hex-string "xxx\\";;FAIL
+-m string --algo bm --hex-string "|\\";;FAIL
+-m string --algo bm --hex-string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";;FAIL
+-m string --string "test" --algo bm --from 1 --to 65535;-m string --string "test" --algo bm --from 1;OK
+-m string --string "test" --algo bm --to 65535 --icase;-m string --string "test" --algo bm --icase;OK
-m string --algo wrong;;FAIL
-m string --algo bm;;FAIL
-m string;;FAIL
diff --git a/extensions/libxt_tcp.t b/extensions/libxt_tcp.t
index 7a3bbd0..0c15895 100644
--- a/extensions/libxt_tcp.t
+++ b/extensions/libxt_tcp.t
@@ -25,5 +25,8 @@
-m tcp --dport 1;;FAIL
-m tcp --dport 1 -p tcp;-p tcp -m tcp --dport 1;OK
-m tcp --dport 1 -p 6;-p tcp -m tcp --dport 1;OK
+-p tcp -m tcp --tcp-option 1;=;OK
+-p tcp -m tcp --tcp-option -1;;FAIL
+-p tcp -m tcp ! --tcp-option 1;=;OK
# should we accept this below?
-p tcp -m tcp;=;OK
diff --git a/iptables-test.py b/iptables-test.py
index de1e1e9..ba4bede 100755
--- a/iptables-test.py
+++ b/iptables-test.py
@@ -68,6 +68,23 @@ def delete_rule(iptables, rule, filename, lineno, netns = None):
return 0
+def list_rules(iptables, rule, filename, lineno):
+ '''
+ list iptables rules
+ '''
+ cmd = iptables + " -vvL "
+ if " -t " in rule:
+ cmd += " -t " + rule.split(" -t ")[1].split(" ")[0]
+
+ ret = execute_cmd(cmd, filename, lineno)
+ if ret:
+ reason = "cannot list: " + iptables + " -vvL " + rule
+ print_error(reason, filename, lineno)
+ return -1
+
+ return 0
+
+
def run_test(iptables, rule, rule_save, res, filename, lineno, netns):
'''
Executes an unit test. Returns the output of delete_rule().
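Review bot: `list_rules` reports `iptables + " -vvL " + rule` on failure, but that is not the command it ran; the executed string is in `cmd` (possibly with a `-t` table appended), so a table-selection problem is invisible in the error — use `reason = "cannot list: " + cmd`. The table detection also tests for `" -t "` with a leading space, so a rule string that begins with `-t <table>` would not match and the listing would silently fall back to the filter table; whether that form can occur depends on how run_test builds the rule, which is outside this hunk. Assuming `-t ` only ever appears as the table flag, `if rule.startswith("-t ") or " -t " in rule:` followed by `cmd += " -t " + rule.split("-t ", 1)[1].split(" ", 1)[0]` covers both forms. The docstring `list iptables rules` could also state the contract: lists the table named in rule (filter by default) and returns 0 on success, -1 after printing an error.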
@@ -163,6 +180,11 @@ def run_test(iptables, rule, rule_save, res, filename, lineno, netns):
if netns:
return 0
+ ret = list_rules(iptables, rule, filename, lineno)
+ if ret < 0:
+ delete_rule(iptables, rule, filename, lineno)
+ return -1
+
return delete_rule(iptables, rule, filename, lineno)
def execute_cmd(cmd, filename, lineno = 0, netns = None):
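Review bot: The new `list_rules` call sits after the `if netns: return 0` early return visible at the top of the hunk, so rules added inside a network namespace are never listed and the new check only covers the host path. `delete_rule` (signature at the head of the previous hunk) and `execute_cmd` (signature at this hunk's tail) both take a `netns` argument, so passing it through — `list_rules(iptables, rule, filename, lineno, netns)` with `list_rules` forwarding it to `execute_cmd` — would give both paths the same coverage if the listing is moved above the early return. run_test's body begins outside this hunk, so I cannot see why the netns path skips deletion; if that skip is intentional, a comment next to the early return saying so would make the asymmetry explicit.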
--
2.43.0