Re: [iptables-nft RFC 5/5] generic.xlate: make one replay test case work

On Mon, Nov 21, 2022 at 12:19:32PM +0100, Florian Westphal wrote:
> This is just to demonstrate yet another problem.
> 
> For the rule itself it doesn't matter if '-i' or '-s' is passed first,
> but the test script has no deeper understanding of the rules and will
> do a simple textual comparison; this will fail because as-is the output
> is different from the input (options are written out in a different
> order).
> 
> We either need to sanitize the input or update the test script to
> split lines and re-order the options or similar.

My solution was to add replay records to test files like so:

| diff --git a/extensions/generic.txlate b/extensions/generic.txlate
| index 6779d6f86dec8..8c3b7dbeb7320 100644
| --- a/extensions/generic.txlate
| +++ b/extensions/generic.txlate
| @@ -1,69 +1,70 @@
| -iptables-translate -I OUTPUT -p udp -d 8.8.8.8 -j ACCEPT
| +iptables-translate -I OUTPUT -p udp -d 8.8.8.8 -j ACCEPT;-d 8.8.8.8/32 -p udp -j ACCEPT
|  nft insert rule ip filter OUTPUT ip protocol udp ip daddr 8.8.8.8 counter accept
|  
|  iptables-translate -F -t nat
|  nft flush table ip nat
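Review bot: the `;` that separates the replay text on the changed line is an undocumented convention and will collide with any rule text that itself contains a `;` (for example inside a quoted `--comment` string); a short comment at the top of generic.txlate describing the field, and splitting on the first `;` only, would make the format robust. Note also that the replay text `-d 8.8.8.8/32 -p udp -j ACCEPT` carries neither chain nor table, so whatever consumes it has to derive `OUTPUT` (and the default `filter` table) from the `-I OUTPUT` on the left of the `;`; worth stating in that same description.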

Since iptables is able to compare rules though, we could utilize this.
So when checking the replay, instead of calling iptables-save and
searching the output, we could call 'iptables -C'. I'll try this; it
sounds simple and doable.

Thanks, Phil
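A sketch of the replay check described above, added here as an example and not the iptables project's own test script: it parses records in the format of the quoted hunk (the text after the first `;` is taken as the replay rule, an assumed convention), derives chain and table from the original `-I`/`-t` arguments, and builds the `iptables -C` lookup instead of grepping iptables-save output. The SAMPLE records are constructed from the hunk.

```python
import shlex
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the hunk's format: command[;replay rule] then the nft line.
SAMPLE = """\
iptables-translate -I OUTPUT -p udp -d 8.8.8.8 -j ACCEPT;-d 8.8.8.8/32 -p udp -j ACCEPT
nft insert rule ip filter OUTPUT ip protocol udp ip daddr 8.8.8.8 counter accept

iptables-translate -F -t nat
nft flush table ip nat
"""

@dataclass
class Record:
    cmd: str               # the iptables-translate invocation
    expected: str          # nft line the translation must produce
    replay: Optional[str]  # rule text to verify after loading, or None

def parse_records(text: str) -> List[Record]:
    """Pair each command line with the nft line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records = []
    for cmd_line, nft_line in zip(lines[::2], lines[1::2]):
        cmd, _, replay = cmd_line.partition(";")  # split on the first ';' only
        records.append(Record(cmd.strip(), nft_line, replay.strip() or None))
    return records

def check_command(rec: Record) -> Optional[List[str]]:
    """argv for 'iptables -C <chain> <replay>': iptables compares the rule
    by content, so the option order iptables-save prints no longer matters."""
    if rec.replay is None:
        return None  # nothing to replay, e.g. a flush
    argv = shlex.split(rec.cmd)
    table, chain = "filter", None  # defaults; overridden by -t / -A, -I, -D
    for i, arg in enumerate(argv):
        if arg == "-t":
            table = argv[i + 1]
        elif arg in ("-A", "-I", "-D") and chain is None:
            chain = argv[i + 1]
    if chain is None:
        return None
    return ["iptables", "-t", table, "-C", chain] + shlex.split(rec.replay)

def replay_matches(rec: Record,
                   run=lambda argv: subprocess.run(argv).returncode) -> bool:
    """True when 'iptables -C' exits 0 (rule present) or there is nothing to check."""
    argv = check_command(rec)
    return argv is None or run(argv) == 0
```

The `run` parameter exists so the lookup can be exercised without root or a loaded rule set; the real check needs iptables-nft installed and the translated rules loaded first.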


