Extend iptables-test.py by a third mode, which is using xtables-nft-multi and passing --compat to all calls creating rules. Also add a shell testcase asserting the effectiveness of --compat by comparing debug (-vv) output.
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 iptables-test.py | 19 ++++--
 .../testcases/nft-only/0011-compat-mode_0 | 63 +++++++++++++++++++
 2 files changed, 78 insertions(+), 4 deletions(-)
 create mode 100755 iptables/tests/shell/testcases/nft-only/0011-compat-mode_0
diff --git a/iptables-test.py b/iptables-test.py
index 6f63cdbeda9af..22b445df00b9c 100755
--- a/iptables-test.py
+++ b/iptables-test.py
@@ -28,6 +28,8 @@ EBTABLES_SAVE = "ebtables-save"
 #IPTABLES_SAVE = ['xtables-save','-4']
 #IP6TABLES_SAVE = ['xtables-save','-6']
+COMPAT_ARG = ""
+
 EXTENSIONS_PATH = "extensions"
 LOGFILE="/tmp/iptables-test.log"
 log_file = None
@@ -83,7 +85,7 @@ STDERR_IS_TTY = sys.stderr.isatty()
 '''
 ret = 0
- cmd = iptables + " -A " + rule
+ cmd = iptables + COMPAT_ARG + " -A " + rule
 ret = execute_cmd(cmd, filename, lineno, netns)
 #
@@ -318,7 +320,7 @@ STDERR_IS_TTY = sys.stderr.isatty()
 # load all rules via iptables_restore
- command = EXECUTABLE + " " + iptables + "-restore"
+ command = EXECUTABLE + " " + iptables + "-restore" + COMPAT_ARG
 if netns:
 command = "ip netns exec " + netns + " " + command
@@ -558,6 +560,8 @@ STDERR_IS_TTY = sys.stderr.isatty()
 help='Check for missing tests')
 parser.add_argument('-n', '--nftables', action='store_true',
 help='Test iptables-over-nftables')
+ parser.add_argument('-c', '--nft-compat', action='store_true',
+ help='Test iptables-over-nftables in compat mode')
 parser.add_argument('-N', '--netns', action='store_const',
 const='____iptables-container-test', help='Test netnamespace path')
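Review bot: `COMPAT_ARG = ""` is added without a comment, and its contract is easy to break: the value has to carry its own leading space (it is later assigned `" --compat"` and concatenated directly as `iptables + COMPAT_ARG + " -A "` and after `"-restore"`), and it must stay empty for the legacy and nft variants. Suggest a comment above the assignment such as `# extra argument for rule-creating commands; set to " --compat" (leading space included) for the nft_compat variant, empty otherwise`, so a future edit does not drop the space or move the separator to the call sites.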
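Review bot: Only the `-A` command assembled here (and the `-restore` command in the next hunk) receives `COMPAT_ARG`; if the file also builds a deletion or check command for the same rule elsewhere (a `-D`/`-C` path is not visible in this diff), that command would run without `--compat` in the nft_compat variant, so the pass would exercise a mixed setup rather than compat mode throughout, contrary to the commit message's "all calls creating rules". Worth checking every other place a rule command string is assembled and applying `COMPAT_ARG` there as well. The enclosing function starts and ends outside this hunk.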
@@ -577,8 +581,10 @@ STDERR_IS_TTY = sys.stderr.isatty()
 variants.append("legacy")
 if args.nftables:
 variants.append("nft")
+ if args.nft_compat:
+ variants.append("nft_compat")
 if len(variants) == 0:
- variants = [ "legacy", "nft" ]
+ variants = [ "legacy", "nft", "nft_compat" ]
 if os.getuid() != 0:
 print("You need to be root to run this, sorry", file=sys.stderr)
@@ -598,7 +604,12 @@ STDERR_IS_TTY = sys.stderr.isatty()
 total_tests = 0
 for variant in variants:
 global EXECUTABLE
- EXECUTABLE = "xtables-" + variant + "-multi"
+ global COMPAT_ARG
+ if variant == "nft_compat":
+ EXECUTABLE = "xtables-nft-multi"
+ COMPAT_ARG = " --compat"
+ else:
+ EXECUTABLE = "xtables-" + variant + "-multi"
 test_files = 0
 tests = 0
diff --git a/iptables/tests/shell/testcases/nft-only/0011-compat-mode_0 b/iptables/tests/shell/testcases/nft-only/0011-compat-mode_0
new file mode 100755
index 0000000000000..c8cee8aef1b94
--- /dev/null
+++ b/iptables/tests/shell/testcases/nft-only/0011-compat-mode_0
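Review bot: `COMPAT_ARG` is set to `" --compat"` for the nft_compat variant but never reset in the `else` branch, so the loop only behaves because `variants` happens to list `nft_compat` last; any reordering, or a fourth variant appended after it, would silently run the following passes with `--compat` too. Set both globals on every iteration by adding `COMPAT_ARG = ""` under `else:` next to the `EXECUTABLE` assignment. The surrounding `for variant in variants:` loop continues past the hunk.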
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+
+set -e
+
+# reduce noise in debug output
+$XT_MULTI iptables -t raw -A OUTPUT
+$XT_MULTI iptables -t raw -F
+
+# add all the things which were "optimized" here
+RULE='-t raw -A OUTPUT'
+
+# prefix matches on class (actually: byte) boundaries no longer need a bitwise
+RULE+=' -s 10.0.0.0/8 -d 192.168.0.0/16'
+
+# these were turned into native matches meanwhile
+# (plus -m tcp, but it conflicts with -m udp)
+RULE+=' -m limit --limit 1/min'
+RULE+=' -p udp -m udp --sport 1024:65535'
+RULE+=' -m mark --mark 0xfeedcafe/0xfeedcafe'
+RULE+=' -j TRACE'
+
+EXPECT_COMMON='TRACE udp opt -- in * out * 10.0.0.0/8 -> 192.168.0.0/16 limit: avg 1/min burst 5 udp spts:1024:65535 mark match 0xfeedcafe/0xfeedcafe
+ip raw OUTPUT'
+
+EXPECT="$EXPECT_COMMON
+ [ payload load 1b @ network header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 2b @ network header + 16 => reg 1 ]
+ [ cmp eq reg 1 0x0000a8c0 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ limit rate 1/minute burst 5 type packets flags 0x0 ]
+ [ payload load 2b @ transport header + 0 => reg 1 ]
+ [ range eq reg 1 0x00000004 0x0000ffff ]
+ [ meta load mark => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0xfeedcafe ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0xfeedcafe ]
+ [ counter pkts 0 bytes 0 ]
+ [ immediate reg 9 0x00000001 ]
+ [ meta set nftrace with reg 9 ]
+"
+
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -vv $RULE)
+
+EXPECT="$EXPECT_COMMON
+ [ payload load 4b @ network header + 12 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x0000000a ]
+ [ payload load 4b @ network header + 16 => reg 1 ]
+ [ bitwise reg 1 = ( reg 1 & 0x0000ffff ) ^ 0x00000000 ]
+ [ cmp eq reg 1 0x0000a8c0 ]
+ [ payload load 1b @ network header + 9 => reg 1 ]
+ [ cmp eq reg 1 0x00000011 ]
+ [ match name limit rev 0 ]
+ [ match name udp rev 0 ]
+ [ match name mark rev 1 ]
+ [ counter pkts 0 bytes 0 ]
+ [ target name TRACE rev 0 ]
+"
+
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables --compat -vv $RULE)
-- 
2.40.0
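Review bot: The script appends two `-j TRACE` rules to the raw OUTPUT chain (one per `diff` invocation) and never removes them, and because `set -e` aborts on the first failing `diff`, even a trailing flush would be skipped on failure. Unless the harness runs each case in a fresh network namespace (not visible here), the tracing rules outlive the test; a `trap '$XT_MULTI iptables -t raw -F OUTPUT' EXIT` placed right after `set -e` makes the cleanup unconditional. Minor: `$EXPECT` contains no backslash escapes, so `echo -e` is unnecessary and `printf '%s\n' "$EXPECT"` would be the safer spelling in both `diff` lines.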