[iptables PATCH 1/2] tests: iptables-test: Properly assert rule deletion errors

Capture any non-zero return code, iptables does not necessarily return 1 on
error.

A known issue with trying to delete a rule by spec is the unsupported
--set-counters option. Strip it before deleting the rule.

Fixes: c8b7aaabbe1fc ("add iptables unit test infrastructure")
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 iptables-test.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/iptables-test.py b/iptables-test.py
index 0d2f30dfb0d7c..413e3fdccc9e3 100755
--- a/iptables-test.py
+++ b/iptables-test.py
@@ -58,10 +58,23 @@ STDERR_IS_TTY = sys.stderr.isatty()
 def delete_rule(iptables, rule, filename, lineno, netns = None):
     '''
     Removes an iptables rule
+
+    Remove any --set-counters arguments, --delete rejects them.
     '''
+    delrule = rule.split()
+    for i in range(len(delrule)):
+        if delrule[i] in ['-c', '--set-counters']:
+            delrule.pop(i)
+            if ',' in delrule.pop(i):
+                break
+            if len(delrule) > i and delrule[i].isnumeric():
+                delrule.pop(i)
+            break
+    rule = " ".join(delrule)
+
     cmd = iptables + " -D " + rule
     ret = execute_cmd(cmd, filename, lineno, netns)
-    if ret == 1:
+    if ret != 0:
         reason = "cannot delete: " + iptables + " -I " + rule
         print_error(reason, filename, lineno)
         return -1
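
Review bot: In the new stripping loop of delete_rule(), the second `delrule.pop(i)` (the one inside `if ',' in delrule.pop(i):`) has no length guard, so a rule whose last token is `-c` or `--set-counters` raises IndexError instead of reaching print_error(); the third pop already checks `len(delrule) > i`, and the same check fits here. Separately, `rule.split()` followed by `" ".join(delrule)` is not quote-aware: a `-c` token inside a quoted argument would be stripped, and runs of whitespace inside quotes are collapsed, so the spec passed to `-D` may no longer match the inserted rule. If quoted arguments can reach this function, a quote-aware tokenizer is needed. The loop also stops at the first match, which deserves a short comment stating that only one counters option per rule is expected. Last, the unchanged reason string still builds `iptables + " -I " + rule` although the failing command is `-D`, so the reported command differs from the one that was run; consider fixing it in this patch since the line's condition is being touched anyway.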
-- 
2.47.0




