diff --git a/iptables.spec b/iptables.spec
index 62ab6f409570e63ca4ff9036fe31867e545b6b84..07f7cc39cc454a1da18c7a9a0badf61e57d9edb9 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -2,7 +2,7 @@
 %global legacy_actions %{_libexecdir}/initscripts/legacy-actions
 Name: iptables
 Version: 1.8.9
-Release: 5
+Release: 6
 Summary: IP packet filter administration utilities
 License: GPL-2.0-only and Artistic-2.0
 URL: https://www.netfilter.org/
@@ -28,6 +28,7 @@
 Patch11: backport-Prevent-XTOPT_PUT-with-XTTYPE_HOSTMASK.patch
 Patch12: backport-libiptc-Fix-for-another-segfault-due-to-chain-index-NULL-pointer.patch
 Patch13: backport-libxtables-Fix-memleak-of-matches-udata.patch
 Patch14: backport-xshared-Fix-parsing-of-empty-string-arg-in-c-option.patch
+Patch15: tests-extensions-add-some-testcases.patch
 
 BuildRequires: bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd
@@ -345,6 +346,12 @@ fi
 %{_datadir}/xtables/iptables.xslt
 
 %changelog
+* Mon Aug 19 2024 yanglu - 1.8.9-6
+- Type: enhancement
+- ID: NA
+- SUG: NA
+- DESC: add some testcases of extensions
+
 * Tue Jun 25 2024 liweigang - 1.8.9-5
 - Type: bugfix
 - ID: NA
diff --git a/tests-extensions-add-some-testcases.patch b/tests-extensions-add-some-testcases.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4afd817195601460aff3187ffa7654f0d6677a38
--- /dev/null
+++ b/tests-extensions-add-some-testcases.patch
@@ -0,0 +1,399 @@ +From 0663cc944204ed3afa7fa4f7cf3beadb3ea8e1e4 Mon Sep 17 00:00:00 2001 +From: chenzhen +Date: Fri, 1 Apr 2022 11:26:32 +0800 +Subject: [PATCH] tests: extensions: add some testcases + +These testcases are intended to test options of commonly used extentions like +DNAT/SNAT/tcp/udp as much as possible, covering normal and abnormal scenes. + +Signed-off-by: chenzhen +--- + extensions/libip6t_DNAT.t | 9 +++++++++ + extensions/libip6t_LOG.t | 1 + + extensions/libip6t_LOG.txlate | 9 +++++++++ + extensions/libip6t_MASQUERADE.t | 1 + + extensions/libip6t_REJECT.t | 1 + + extensions/libip6t_SNAT.t | 8 ++++++++ + extensions/libip6t_icmp6.t | 4 ++++ + extensions/libip6t_rt.t | 6 ++++++ + extensions/libip6t_rt.txlate | 3 +++ + extensions/libipt_DNAT.t | 8 ++++++++ + extensions/libipt_LOG.t | 1 + + extensions/libipt_LOG.txlate | 9 +++++++++ + extensions/libipt_MASQUERADE.t | 1 + + extensions/libipt_NETMAP.t | 1 + + extensions/libipt_REJECT.t | 1 + + extensions/libipt_SNAT.t | 8 ++++++++ + extensions/libipt_icmp.t | 4 ++++ + extensions/libxt_DNAT.txlate | 6 ++++++ + extensions/libxt_REDIRECT.t | 2 ++ + extensions/libxt_iprange.t | 7 ++----- + extensions/libxt_limit.t | 7 +++++++ + extensions/libxt_string.t | 12 ++++++++++++ + extensions/libxt_tcp.t | 3 +++ + iptables-test.py | 22 ++++++++++++++++++++++ + 24 files changed, 129 insertions(+), 5 deletions(-) + +diff --git a/extensions/libip6t_DNAT.t b/extensions/libip6t_DNAT.t +index e53dfa1..3f89f4d 100644 +--- a/extensions/libip6t_DNAT.t ++++ b/extensions/libip6t_DNAT.t +@@ -17,4 +17,13 @@ + -p tcp -j DNAT --to-destination [dead::beef]:ftp-data;-p tcp -j DNAT --to-destination [dead::beef]:20;OK + -p tcp -j DNAT --to-destination [dead::beef]:echo-ssh;;FAIL + -p tcp -j DNAT --to-destination [dead::beef]:10-20/ftp;-p tcp -j DNAT --to-destination [dead::beef]:10-20/21;OK ++-p tcp -j DNAT --to-destination dead::beef --random --persistent;=;OK ++-p tcp -j DNAT --to-destination [dead::beef;;FAIL ++-p tcp -j DNAT 
--to-destination [dead::beef]:65536;;FAIL ++-p tcp -j DNAT --to-destination [dead::beef]:1-65536;;FAIL ++-p tcp -j DNAT --to-destination [dead::beef]:1:65535;;FAIL ++-p tcp -j DNAT --to-destination [dead::beef]:2-1;;FAIL ++-p tcp -j DNAT --to-destination live::beef;;FAIL ++-p tcp -j DNAT --to-destination dead::beef-live::beef;;FAIL ++-p tcp -j DNAT --to-destination :65535;=;OK + -j DNAT;;FAIL +diff --git a/extensions/libip6t_LOG.t b/extensions/libip6t_LOG.t +index fbf5118..e3fb58f 100644 +--- a/extensions/libip6t_LOG.t ++++ b/extensions/libip6t_LOG.t +@@ -8,5 +8,6 @@ + -j LOG --log-prefix "test: " --log-tcp-options;=;OK + -j LOG --log-prefix "test: " --log-ip-options;=;OK + -j LOG --log-prefix "test: " --log-uid;=;OK ++-j LOG --log-prefix "test: " --log-macdecode;=;OK + -j LOG --log-prefix "test: " --log-level bad;;FAIL + -j LOG --log-prefix;;FAIL +diff --git a/extensions/libip6t_LOG.txlate b/extensions/libip6t_LOG.txlate +index 29ffce7..79358a9 100644 +--- a/extensions/libip6t_LOG.txlate ++++ b/extensions/libip6t_LOG.txlate +@@ -6,3 +6,12 @@ nft 'add rule ip6 filter FORWARD meta l4proto tcp counter log level debug' + + ip6tables-translate -A FORWARD -p tcp -j LOG --log-prefix "Checking log" + nft 'add rule ip6 filter FORWARD meta l4proto tcp counter log prefix "Checking log"' ++ ++ip6tables-translate -A FORWARD -p tcp -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid ++nft 'add rule ip6 filter FORWARD meta l4proto tcp counter log flags tcp sequence,options flags ip options flags skuid' ++ ++ip6tables-translate -A FORWARD -p tcp -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid --log-macdecode ++nft 'add rule ip6 filter FORWARD meta l4proto tcp counter log flags all' ++ ++ip6tables-translate -A FORWARD -p tcp -j LOG --log-tcp-sequence --log-macdecode ++nft 'add rule ip6 filter FORWARD meta l4proto tcp counter log flags tcp sequence flags ether' +diff --git a/extensions/libip6t_MASQUERADE.t b/extensions/libip6t_MASQUERADE.t 
+index e25d2a0..e254fa7 100644 +--- a/extensions/libip6t_MASQUERADE.t ++++ b/extensions/libip6t_MASQUERADE.t +@@ -7,3 +7,4 @@ + -p udp -j MASQUERADE --to-ports 1024-65535;=;OK + -p udp -j MASQUERADE --to-ports 1024-65536;;FAIL + -p udp -j MASQUERADE --to-ports -1;;FAIL ++-j MASQUERADE --to-ports 1024;;FAIL +diff --git a/extensions/libip6t_REJECT.t b/extensions/libip6t_REJECT.t +index 8294f0b..6e41b00 100644 +--- a/extensions/libip6t_REJECT.t ++++ b/extensions/libip6t_REJECT.t +@@ -9,3 +9,4 @@ + -j REJECT --reject-with icmp6-reject-route;=;OK + -p tcp -j REJECT --reject-with tcp-reset;=;OK + -j REJECT --reject-with tcp-reset;;FAIL ++-j REJECT --reject-with icmp6-wrong;;FAIL +diff --git a/extensions/libip6t_SNAT.t b/extensions/libip6t_SNAT.t +index 98aa760..12c0479 100644 +--- a/extensions/libip6t_SNAT.t ++++ b/extensions/libip6t_SNAT.t +@@ -14,4 +14,12 @@ + -p tcp -j SNAT --to-source [dead::beef-dead::fee7]:1025-65535;=;OK + -p tcp -j SNAT --to-source [dead::beef-dead::fee7]:1025-65536;;FAIL + -p tcp -j SNAT --to-source [dead::beef-dead::fee7]:1025-65535 --to-source [dead::beef-dead::fee8]:1025-65535;;FAIL ++-p tcp -j SNAT --to-source dead::beef --random --random-fully --persistent;=;OK ++-p tcp -j SNAT --to-source :65535;=;OK ++-p tcp -j SNAT --to-source [dead::beef;;FAIL ++-p tcp -j SNAT --to-source [dead::beef]:1-65536;;FAIL ++-p tcp -j SNAT --to-source [dead::beef]:1:65535;;FAIL ++-p tcp -j SNAT --to-source [dead::beef]:2-1;;FAIL ++-p tcp -j SNAT --to-source live::beef;;FAIL ++-p tcp -j SNAT --to-source dead::beef-live::beef;;FAIL + -j SNAT;;FAIL +diff --git a/extensions/libip6t_icmp6.t b/extensions/libip6t_icmp6.t +index 028cfc1..539ed7b 100644 +--- a/extensions/libip6t_icmp6.t ++++ b/extensions/libip6t_icmp6.t +@@ -4,3 +4,7 @@ + -p ipv6-icmp -m icmp6 --icmpv6-type 2;=;OK + # cannot use option twice: + -p ipv6-icmp -m icmp6 --icmpv6-type no-route --icmpv6-type packet-too-big;;FAIL ++-p ipv6-icmp -m icmp6 ! 
--icmpv6-type 2;=;OK ++-p ipv6-icmp -m icmp6 --icmpv6-type router;;FAIL ++-p ipv6-icmp -m icmp6 --icmpv6-type -1;;FAIL ++-p ipv6-icmp -m icmp6 --icmpv6-type 1/65536;;FAIL +diff --git a/extensions/libip6t_rt.t b/extensions/libip6t_rt.t +index 3c7b2d9..730603e 100644 +--- a/extensions/libip6t_rt.t ++++ b/extensions/libip6t_rt.t +@@ -2,4 +2,10 @@ + -m rt --rt-type 0 --rt-segsleft 1:23 --rt-len 42 --rt-0-res;=;OK + -m rt --rt-type 0 ! --rt-segsleft 1:23 ! --rt-len 42 --rt-0-res;=;OK + -m rt ! --rt-type 1 ! --rt-segsleft 12:23 ! --rt-len 42;=;OK ++-m rt --rt-type 0 --rt-0-addrs beef::feed --rt-0-not-strict;=;OK ++-m rt --rt-0-addrs beef::feed;;FAIL ++-m rt --rt-0-res;;FAIL ++-m rt --rt-type 0 --rt-0-not-strict;;FAIL ++-m rt --rt-type 0 --rt-0-addrs beef::wrong --rt-0-not-strict;;FAIL ++-m rt --rt-type 0 --rt-segsleft 1:1 --rt-len 42 --rt-0-res;-m rt --rt-type 0 --rt-segsleft 1 --rt-len 42 --rt-0-res;OK + -m rt;=;OK +diff --git a/extensions/libip6t_rt.txlate b/extensions/libip6t_rt.txlate +index 3578bcb..98344fb 100644 +--- a/extensions/libip6t_rt.txlate ++++ b/extensions/libip6t_rt.txlate +@@ -12,3 +12,6 @@ nft 'add rule ip6 filter INPUT rt type 0 rt hdrlength 22 counter drop' + + ip6tables-translate -A INPUT -m rt --rt-type 0 --rt-len 22 ! 
--rt-segsleft 26 -j ACCEPT + nft 'add rule ip6 filter INPUT rt type 0 rt seg-left != 26 rt hdrlength 22 counter accept' ++ ++ip6tables-translate -A INPUT -m rt --rt-type 0 --rt-len 22 --rt-segsleft 1:26 -j ACCEPT ++nft 'add rule ip6 filter INPUT rt type 0 rt seg-left 1-26 rt hdrlength 22 counter accept' +diff --git a/extensions/libipt_DNAT.t b/extensions/libipt_DNAT.t +index 9007572..884da87 100644 +--- a/extensions/libipt_DNAT.t ++++ b/extensions/libipt_DNAT.t +@@ -17,4 +17,12 @@ + -p tcp -j DNAT --to-destination 1.1.1.1:ftp-data;-p tcp -j DNAT --to-destination 1.1.1.1:20;OK + -p tcp -j DNAT --to-destination 1.1.1.1:echo-ssh;;FAIL + -p tcp -j DNAT --to-destination 1.1.1.1:10-20/ftp;-p tcp -j DNAT --to-destination 1.1.1.1:10-20/21;OK ++-p tcp -j DNAT --to-destination 1.1.1.1 --random --persistent;=;OK ++-p tcp -j DNAT --to-destination :65535;=;OK ++-p tcp -j DNAT --to-destination 1.1.1.1:1000;=;OK ++-p tcp -j DNAT --to-destination 1.1.1.1:1025-65536;;FAIL ++-p tcp -j DNAT --to-destination 1.1.1.1:1025:65535;;FAIL ++-p tcp -j DNAT --to-destination 1.1.1.1:2000-1000;;FAIL ++-p tcp -j DNAT --to-destination 1.1.1.a;;FAIL ++-p tcp -j DNAT --to-destination 1.1.1.1-1.1.1.a;;FAIL + -j DNAT;;FAIL +diff --git a/extensions/libipt_LOG.t b/extensions/libipt_LOG.t +index fbf5118..e3fb58f 100644 +--- a/extensions/libipt_LOG.t ++++ b/extensions/libipt_LOG.t +@@ -8,5 +8,6 @@ + -j LOG --log-prefix "test: " --log-tcp-options;=;OK + -j LOG --log-prefix "test: " --log-ip-options;=;OK + -j LOG --log-prefix "test: " --log-uid;=;OK ++-j LOG --log-prefix "test: " --log-macdecode;=;OK + -j LOG --log-prefix "test: " --log-level bad;;FAIL + -j LOG --log-prefix;;FAIL +diff --git a/extensions/libipt_LOG.txlate b/extensions/libipt_LOG.txlate +index 13a2ef5..509b075 100644 +--- a/extensions/libipt_LOG.txlate ++++ b/extensions/libipt_LOG.txlate +@@ -3,3 +3,12 @@ nft 'add rule ip filter FORWARD ip protocol tcp counter log level err' + + iptables-translate -A FORWARD -p tcp -j LOG --log-prefix 
"Random prefix" + nft 'add rule ip filter FORWARD ip protocol tcp counter log prefix "Random prefix"' ++ ++iptables-translate -A FORWARD -p tcp -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid ++nft 'add rule ip filter FORWARD ip protocol tcp counter log flags tcp sequence,options flags ip options flags skuid' ++ ++iptables-translate -A FORWARD -p tcp -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid --log-macdecode ++nft 'add rule ip filter FORWARD ip protocol tcp counter log flags all' ++ ++iptables-translate -A FORWARD -p tcp -j LOG --log-tcp-sequence --log-macdecode ++nft 'add rule ip filter FORWARD ip protocol tcp counter log flags tcp sequence flags ether' +diff --git a/extensions/libipt_MASQUERADE.t b/extensions/libipt_MASQUERADE.t +index e25d2a0..e254fa7 100644 +--- a/extensions/libipt_MASQUERADE.t ++++ b/extensions/libipt_MASQUERADE.t +@@ -7,3 +7,4 @@ + -p udp -j MASQUERADE --to-ports 1024-65535;=;OK + -p udp -j MASQUERADE --to-ports 1024-65536;;FAIL + -p udp -j MASQUERADE --to-ports -1;;FAIL ++-j MASQUERADE --to-ports 1024;;FAIL +diff --git a/extensions/libipt_NETMAP.t b/extensions/libipt_NETMAP.t +index 0de856f..2455354 100644 +--- a/extensions/libipt_NETMAP.t ++++ b/extensions/libipt_NETMAP.t +@@ -2,3 +2,4 @@ + *nat + -j NETMAP --to 1.2.3.0/24;=;OK + -j NETMAP --to 1.2.3.4;-j NETMAP --to 1.2.3.4/32;OK ++-j NETMAP --to 1.2.3.4/33;-j NETMAP --to 0.0.0.0/0.0.0.33;OK +diff --git a/extensions/libipt_REJECT.t b/extensions/libipt_REJECT.t +index 3f69a72..7ae90c3 100644 +--- a/extensions/libipt_REJECT.t ++++ b/extensions/libipt_REJECT.t +@@ -7,3 +7,4 @@ + -j REJECT --reject-with icmp-net-prohibited;=;OK + -j REJECT --reject-with icmp-host-prohibited;=;OK + -j REJECT --reject-with icmp-admin-prohibited;=;OK ++-j REJECT --reject-with echo-reply;;FAIL +diff --git a/extensions/libipt_SNAT.t b/extensions/libipt_SNAT.t +index c31d6e7..4998fba 100644 +--- a/extensions/libipt_SNAT.t ++++ b/extensions/libipt_SNAT.t +@@ -14,4 
+14,12 @@ + -p tcp -j SNAT --to-source 1.1.1.1-1.1.1.10:1025-65535;=;OK + -p tcp -j SNAT --to-source 1.1.1.1-1.1.1.10:1025-65536;;FAIL + -p tcp -j SNAT --to-source 1.1.1.1-1.1.1.10:1025-65535 --to-source 2.2.2.2-2.2.2.20:1025-65535;;FAIL ++-p tcp -j SNAT --to-source 1.1.1.1 --random --random-fully --persistent;=;OK ++-p tcp -j SNAT --to-source :65535;=;OK ++-p tcp -j SNAT --to-source 1.1.1.1:1025;=;OK ++-p tcp -j SNAT --to-source 1.1.1.1:1025-65536;;FAIL ++-p tcp -j SNAT --to-source 1.1.1.1:1025:65535;;FAIL ++-p tcp -j SNAT --to-source 1.1.1.1:65535-1025;;FAIL ++-p tcp -j SNAT --to-source 1.1.1.a;;FAIL ++-p tcp -j SNAT --to-source 1.1.1.1-1.1.1.a;;FAIL + -j SNAT;;FAIL +diff --git a/extensions/libipt_icmp.t b/extensions/libipt_icmp.t +index ce4a33f..3d68c2d 100644 +--- a/extensions/libipt_icmp.t ++++ b/extensions/libipt_icmp.t +@@ -15,3 +15,7 @@ + # -p icmp -m icmp;=;OK + -p icmp -m icmp --icmp-type 255/255;=;OK + -p icmp -m icmp --icmp-type 255/0:255;-p icmp -m icmp --icmp-type any;OK ++-p icmp -m icmp ! 
--icmp-type 1/0;=;OK ++-p icmp -m icmp --icmp-type router;;FAIL ++-p icmp -m icmp --icmp-type -1;;FAIL ++-p icmp -m icmp --icmp-type 1/65536;;FAIL +diff --git a/extensions/libxt_DNAT.txlate b/extensions/libxt_DNAT.txlate +index e005245..454ab1a 100644 +--- a/extensions/libxt_DNAT.txlate ++++ b/extensions/libxt_DNAT.txlate +@@ -13,6 +13,9 @@ nft 'add rule ip nat prerouting oifname "eth0" ip protocol tcp counter dnat to 1 + iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4 --random --persistent + nft 'add rule ip nat prerouting oifname "eth0" ip protocol tcp counter dnat to 1.2.3.4 random,persistent' + ++iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4:1000-2000/65535 ++nft # -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4:1000-2000/65535 ++ + ip6tables-translate -t nat -A prerouting -p tcp --dport 8080 -j DNAT --to-destination fec0::1234 + nft 'add rule ip6 nat prerouting tcp dport 8080 counter dnat to fec0::1234' + +@@ -33,3 +36,6 @@ nft 'add rule ip6 nat prerouting meta l4proto tcp counter dnat to [fec0::1234]:8 + + ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination [fec0::1234]:80 --random --persistent + nft 'add rule ip6 nat prerouting meta l4proto tcp counter dnat to [fec0::1234]:80 random,persistent' ++ ++ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination [dead::beef-dead::beef] ++nft 'add rule ip6 nat prerouting meta l4proto tcp counter dnat to dead::beef' +diff --git a/extensions/libxt_REDIRECT.t b/extensions/libxt_REDIRECT.t +index 362efa8..832acd3 100644 +--- a/extensions/libxt_REDIRECT.t ++++ b/extensions/libxt_REDIRECT.t +@@ -15,3 +15,5 @@ + -p tcp -j REDIRECT --to-ports 10-ssh;;FAIL + -j REDIRECT --to-ports 42;;FAIL + -j REDIRECT --random;=;OK ++-p tcp -j REDIRECT --to-ports -1;;FAIL ++-p tcp -j REDIRECT --to-ports 42-65536;;FAIL +diff --git a/extensions/libxt_iprange.t b/extensions/libxt_iprange.t +index 
6fd98be..5e6b065 100644 +--- a/extensions/libxt_iprange.t ++++ b/extensions/libxt_iprange.t +@@ -3,9 +3,6 @@ + -m iprange ! --src-range 1.1.1.1-1.1.1.10;=;OK + -m iprange --dst-range 1.1.1.1-1.1.1.10;=;OK + -m iprange ! --dst-range 1.1.1.1-1.1.1.10;=;OK +-# it shows -A INPUT -m iprange --src-range 1.1.1.1-1.1.1.1, should we support this? +-# ERROR: should fail: iptables -A INPUT -m iprange --src-range 1.1.1.1 +-# -m iprange --src-range 1.1.1.1;;FAIL +-# ERROR: should fail: iptables -A INPUT -m iprange --dst-range 1.1.1.1 +-#-m iprange --dst-range 1.1.1.1;;FAIL ++-m iprange --src-range 1.1.1.1;-m iprange --src-range 1.1.1.1-1.1.1.1;OK ++-m iprange --dst-range 1.1.1.1;-m iprange --dst-range 1.1.1.1-1.1.1.1;OK + -m iprange;;FAIL +diff --git a/extensions/libxt_limit.t b/extensions/libxt_limit.t +index b0af653..95b5ef2 100644 +--- a/extensions/libxt_limit.t ++++ b/extensions/libxt_limit.t +@@ -4,3 +4,10 @@ + -m limit --limit 1000/hour;=;OK + -m limit --limit 1000/day;=;OK + -m limit --limit 1/sec --limit-burst 1;=;OK ++-m limit --limit 0/sec;;FAIL ++-m limit --limit 1/bad;;FAIL ++-m limit ! --limit 1/sec;;FAIL ++# Rate too fast(> 10000/sec) ++-m limit --limit 10001/second;;FAIL ++# Default value for --limit ++-m limit;-m limit --limit 3/hour;OK +diff --git a/extensions/libxt_string.t b/extensions/libxt_string.t +index 2f4b30c..eeb48b1 100644 +--- a/extensions/libxt_string.t ++++ b/extensions/libxt_string.t +@@ -4,8 +4,20 @@ + -m string ! --string "test" --algo kmp;=;OK + -m string --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" --algo bm;=;OK + -m string --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" --algo bm;;FAIL ++-m string --string "\\" --algo bm;-m string --hex-string "|5c|" --algo bm;OK + -m string --hex-string "|0a0a0a0a|" --algo bm;=;OK ++-m string ! 
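Review bot: The libxt_iprange.t hunk deletes the comments that recorded `--src-range 1.1.1.1` as a case that "should fail" and replaces them with an OK expectation canonicalised to `1.1.1.1-1.1.1.1`, without saying why the verdict changed. If the single-address form is now deliberately supported, keep that intent visible with a line such as `# a single address is accepted as a one-address range` above the two new cases; otherwise this pins an unreviewed behaviour the old file explicitly questioned. The rest of the hunk (limit defaults and bounds, string hex-string parsing, tcp-option) pins clear expectations.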
--hex-string "|0a0a0a0a|" --algo bm;=;OK + -m string --algo bm --from 0 --to 65535 --string "test";-m string --string "test" --algo bm;OK ++-m string --algo bm --hex-string "| 0a|";-m string --hex-string "|0a|" --algo bm;OK ++-m string --algo bm --hex-string "|0a0|";;FAIL ++-m string --algo bm --hex-string "|ww|";;FAIL ++-m string --algo bm --hex-string "";;FAIL ++-m string --algo bm --hex-string "|0a\\|";;FAIL ++-m string --algo bm --hex-string "xxx\\";;FAIL ++-m string --algo bm --hex-string "|\\";;FAIL ++-m string --algo bm --hex-string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";;FAIL ++-m string --string "test" --algo bm --from 1 --to 65535;-m string --string "test" --algo bm --from 1;OK ++-m string --string "test" --algo bm --to 65535 --icase;-m string --string "test" --algo bm --icase;OK + -m string --algo wrong;;FAIL + -m string --algo bm;;FAIL + -m string;;FAIL +diff --git a/extensions/libxt_tcp.t b/extensions/libxt_tcp.t +index 7a3bbd0..0c15895 100644 +--- a/extensions/libxt_tcp.t ++++ b/extensions/libxt_tcp.t +@@ -25,5 +25,8 @@ + -m tcp --dport 1;;FAIL + -m tcp --dport 1 -p tcp;-p tcp -m tcp --dport 1;OK + -m tcp --dport 1 -p 6;-p tcp -m tcp --dport 1;OK ++-p tcp -m tcp --tcp-option 1;=;OK ++-p tcp -m tcp --tcp-option -1;;FAIL ++-p tcp -m tcp ! --tcp-option 1;=;OK + # should we accept this below? 
+ -p tcp -m tcp;=;OK +diff --git a/iptables-test.py b/iptables-test.py +index de1e1e9..ba4bede 100755 +--- a/iptables-test.py ++++ b/iptables-test.py +@@ -68,6 +68,23 @@ def delete_rule(iptables, rule, filename, lineno, netns = None): + return 0 + + ++def list_rules(iptables, rule, filename, lineno): ++ ''' ++ list iptables rules ++ ''' ++ cmd = iptables + " -vvL " ++ if " -t " in rule: ++ cmd += " -t " + rule.split(" -t ")[1].split(" ")[0] ++ ++ ret = execute_cmd(cmd, filename, lineno) ++ if ret: ++ reason = "cannot list: " + iptables + " -vvL " + rule ++ print_error(reason, filename, lineno) ++ return -1 ++ ++ return 0 ++ ++ + def run_test(iptables, rule, rule_save, res, filename, lineno, netns): + ''' + Executes an unit test. Returns the output of delete_rule(). +@@ -163,6 +180,11 @@ def run_test(iptables, rule, rule_save, res, filename, lineno, netns): + if netns: + return 0 + ++ ret = list_rules(iptables, rule, filename, lineno) ++ if ret < 0: ++ delete_rule(iptables, rule, filename, lineno) ++ return -1 ++ + return delete_rule(iptables, rule, filename, lineno) + + def execute_cmd(cmd, filename, lineno = 0, netns = None): +-- +2.43.0 +
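Review bot: list_rules in iptables-test.py runs `-vvL` without `-n`, so every rule that loads successfully now triggers a listing that tries to reverse-resolve the addresses and service names used in the new cases (1.1.1.1, dead::beef, ports up to 65535), making the suite slow and dependent on the resolver; `cmd = iptables + " -vvL -n "` keeps the smoke check without the lookups. The failure message is built from `" -vvL " + rule`, which is not the command that was executed, so report `cmd` instead. The table is taken with `rule.split(" -t ")[1].split(" ")[0]`, which yields an empty table name if the rule has two spaces after the table; `.split()[0]` is safer. Since the listing output is not compared to anything, presumably this only checks that a loaded rule can be listed without crashing, and the docstring should say so, e.g. `List the table's rules; only the exit status is checked.` run_test's body begins and ends outside this hunk.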