!150 [sync] PR-149: ip6tables:Fix checking existence of rule

From: @openeuler-sync-bot Reviewed-by: @sunsuwan Signed-off-by: @sunsuwan
ip6tables:Fix checking existence of rule
2025-04-28 11:42:36 +00:00 · 2025-04-25 18:35:48 +08:00 · 2024-12-16 07:38:57 +00:00 · 2024-12-10 14:48:45 +08:00 · 2024-11-26 02:45:23 +00:00 · 2024-11-21 11:53:40 +00:00
5 changed files with 567 additions and 12 deletions
--- a/backport-extensions-recent-Fix-format-string-for-unsigned-values.patch
+++ b/backport-extensions-recent-Fix-format-string-for-unsigned-values.patch
@ -0,0 +1,56 @@
+From 8696f659eadd58505469841a3af16ad2c830e8e5 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 20 Jun 2024 18:17:16 +0200
+Subject: extensions: recent: Fix format string for unsigned values
+
+Both fields 'seconds' and 'hit_count' are unsigned, use '%u'
+accordingly. While being at it, also fix coding-style in those lines.
+
+Basically a day-1 bug, have Fixes: point at a reasonably old commit.
+
+Fixes: af1660fe0e88c ("Move libipt_recent to libxt_recent")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables/commit/?id=8696f659eadd58505469841a3af16ad2c830e8e5
+---
+ extensions/libxt_recent.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/extensions/libxt_recent.c b/extensions/libxt_recent.c
+index 055ae350..0221d446 100644
+--- a/extensions/libxt_recent.c
+++ b/extensions/libxt_recent.c
+@@ -193,10 +193,12 @@ static void recent_print(const void *ip, const struct xt_entry_match *match,
+ 		printf(" UPDATE");
+ 	if (info->check_set & XT_RECENT_REMOVE)
+ 		printf(" REMOVE");
+-	if(info->seconds) printf(" seconds: %d", info->seconds);
+	if (info->seconds)
+		printf(" seconds: %u", info->seconds);
+ 	if (info->check_set & XT_RECENT_REAP)
+ 		printf(" reap");
+-	if(info->hit_count) printf(" hit_count: %d", info->hit_count);
+	if (info->hit_count)
+		printf(" hit_count: %u", info->hit_count);
+ 	if (info->check_set & XT_RECENT_TTL)
+ 		printf(" TTL-Match");
+ 	printf(" name: %s", info->name);
+@@ -233,10 +235,12 @@ static void recent_save(const void *ip, const struct xt_entry_match *match,
+ 		printf(" --update");
+ 	if (info->check_set & XT_RECENT_REMOVE)
+ 		printf(" --remove");
+-	if(info->seconds) printf(" --seconds %d", info->seconds);
+	if (info->seconds)
+		printf(" --seconds %u", info->seconds);
+ 	if (info->check_set & XT_RECENT_REAP)
+ 		printf(" --reap");
+-	if(info->hit_count) printf(" --hitcount %d", info->hit_count);
+	if (info->hit_count)
+		printf(" --hitcount %u", info->hit_count);
+ 	if (info->check_set & XT_RECENT_TTL)
+ 		printf(" --rttl");
+ 	printf(" --name %s",info->name);
+-- 
+cgit v1.2.3
+
--- a/backport-ip6tables-Fix-checking-existence-of-rule.patch
+++ b/backport-ip6tables-Fix-checking-existence-of-rule.patch
@ -0,0 +1,35 @@
+From 78850e7dba64a949c440dbdbe557f59409c6db48 Mon Sep 17 00:00:00 2001
+From: Markus Boehme <markubo@amazon.com>
+Date: Mon, 3 Apr 2023 23:13:47 +0200
+Subject: ip6tables: Fix checking existence of rule
+
+Pass the proper entry size when creating a match mask for checking the
+existence of a rule. Failing to do so causes wrong results.
+
+Reported-by: Jonathan Caicedo <jonathan@jcaicedo.com>
+Fixes: eb2546a846776 ("xshared: Share make_delete_mask() between ip{,6}tables")
+Signed-off-by: Markus Boehme <markubo@amazon.com>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Conflict:Adapt context
+Reference:https://git.netfilter.org/iptables/commit/?id=78850e7dba64a949c440dbdbe557f59409c6db48
+---
+ iptables/ip6tables.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
+index 7038689..5c10679 100644
+--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
+@@ -352,7 +352,7 @@ check_entry(const xt_chainlabel chain, struct ip6t_entry *fw,
+                 return 0;
+         }
+ 
+-	mask = make_delete_mask(matches, target, sizeof(fw));
+	mask = make_delete_mask(matches, target, sizeof(*fw));
+ 	for (i = 0; i < nsaddrs; i++) {
+ 		fw->ipv6.src = saddrs[i];
+ 		fw->ipv6.smsk = smasks[i];
+-- 
+2.43.0
+
--- a/backport-nft-cmd-Init-struct-nft_cmd-head-early.patch
+++ b/backport-nft-cmd-Init-struct-nft_cmd-head-early.patch
@ -0,0 +1,36 @@
+From db7fc1862b8bd5e2eea83ed4089fcf35fc01c032 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 23 Jul 2024 21:31:34 +0200
+Subject: nft: cmd: Init struct nft_cmd::head early
+
+Calling nft_cmd_free() in error case segfaults otherwise if the to be
+freed object is not part of a list yet.
+
+Exposed by commit eab75ed36a4f2 ("nft: Avoid memleak in error path of
+nft_cmd_new()"), but belongs to commit a7f1e208cdf9c (and may go well
+along with it).
+
+Fixes: a7f1e208cdf9c ("nft: split parsing from netlink commands")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Conflict:NA
+Reference:https://git.netfilter.org/iptables/commit/?id=db7fc1862b8bd5e2eea83ed4089fcf35fc01c032
+---
+ iptables/nft-cmd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
+index b38da9bd..58d5aa11 100644
+--- a/iptables/nft-cmd.c
+++ b/iptables/nft-cmd.c
+@@ -28,6 +28,7 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
+ 	struct nft_cmd *cmd;
+ 
+ 	cmd = xtables_calloc(1, sizeof(struct nft_cmd));
+	INIT_LIST_HEAD(&cmd->head);
+ 	cmd->error.lineno = h->error.lineno;
+ 	cmd->command = command;
+ 	cmd->table = xtables_strdup(table);
+-- 
+cgit v1.2.3
+
--- a/iptables.spec
+++ b/iptables.spec
@ -2,7 +2,7 @@
 %global legacy_actions %{_libexecdir}/initscripts/legacy-actions
 Name:		  iptables
 Version:	  1.8.9
-Release:	  5
+Release:	  10
 Summary:	  IP packet filter administration utilities
 License:	  GPL-2.0-only and Artistic-2.0
 URL:		  https://www.netfilter.org/
@ -28,6 +28,10 @@ Patch11:          backport-Prevent-XTOPT_PUT-with-XTTYPE_HOSTMASK.patch
 Patch12:          backport-libiptc-Fix-for-another-segfault-due-to-chain-index-NULL-pointer.patch
 Patch13:          backport-libxtables-Fix-memleak-of-matches-udata.patch
 Patch14:          backport-xshared-Fix-parsing-of-empty-string-arg-in-c-option.patch
+Patch15:          tests-extensions-add-some-testcases.patch
+Patch16:          backport-extensions-recent-Fix-format-string-for-unsigned-values.patch
+Patch17:          backport-nft-cmd-Init-struct-nft_cmd-head-early.patch
+Patch18:          backport-ip6tables-Fix-checking-existence-of-rule.patch


 BuildRequires:    bison flex gcc kernel-headers libpcap-devel libselinux-devel systemd
@ -73,6 +77,7 @@ Header files for iproute.
 %package          nft
 Summary:          nft package for iproute
 Requires:         %{name} = %{version}-%{release}
+Requires:         %{name}-help
 Obsoletes:        iptables-compat < 1.6.2-4

 %description      nft
@ -152,8 +157,6 @@ install -m 0755 iptables/iptables-apply.8 %{buildroot}%{_mandir}/man8
 # Remove /etc/ethertypes (now part of setup)
 rm -f %{buildroot}%{_sysconfdir}/ethertypes

-touch %{buildroot}%{_libexecdir}/arptables-helper
-
 touch %{buildroot}%{_mandir}/man8/arptables.8
 touch %{buildroot}%{_mandir}/man8/arptables-save.8
 touch %{buildroot}%{_mandir}/man8/arptables-restore.8
@ -196,7 +199,7 @@ fi
 pfx=%{_sbindir}/iptables
 pfx6=%{_sbindir}/ip6tables
 %{_sbindir}/update-alternatives --install \
-	$pfx iptables $pfx-nft 10 \
+	$pfx iptables $pfx-nft 20 \
 	--slave $pfx6 ip6tables $pfx6-nft \
 	--slave $pfx-restore iptables-restore $pfx-nft-restore \
 	--slave $pfx-save iptables-save $pfx-nft-save \
@ -214,7 +217,7 @@ if [ "$(readlink -e $manpfx.8.gz)" == $manpfx.8.gz ]; then
 	rm -f $manpfx.8.gz
 fi
 %{_sbindir}/update-alternatives --install \
-	$pfx ebtables $pfx-nft 10 \
+	$pfx ebtables $pfx-nft 20 \
 	--slave $pfx-save ebtables-save $pfx-nft-save \
 	--slave $pfx-restore ebtables-restore $pfx-nft-restore \
 	--slave $manpfx.8.gz ebtables-man $manpfx-nft.8.gz
@ -230,17 +233,13 @@ for sfx in "" "-restore" "-save"; do
 		rm -f $manpfx$sfx.8.gz
 	fi
 done
-if [ "$(readlink -e $lepfx-helper)" == $lepfx-helper ]; then
-	rm -f $lepfx-helper
-fi
 %{_sbindir}/update-alternatives --install \
-	$pfx arptables $pfx-nft 10 \
+	$pfx arptables $pfx-nft 20 \
 	--slave $pfx-save arptables-save $pfx-nft-save \
 	--slave $pfx-restore arptables-restore $pfx-nft-restore \
 	--slave $manpfx.8.gz arptables-man $manpfx-nft.8.gz \
 	--slave $manpfx-save.8.gz arptables-save-man $manpfx-nft-save.8.gz \
-	--slave $manpfx-restore.8.gz arptables-restore-man $manpfx-nft-restore.8.gz \
-	--slave $lepfx-helper arptables-helper $lepfx-nft-helper
+	--slave $manpfx-restore.8.gz arptables-restore-man $manpfx-nft-restore.8.gz

 if [ x`rpm -qa firewalld` != x ]; then
 	firews=`systemctl status firewalld | grep Active | awk '{print $3}'`
@ -324,7 +323,6 @@ fi
 %ghost %{_sbindir}/arptables
 %ghost %{_sbindir}/arptables-save
 %ghost %{_sbindir}/arptables-restore
-%ghost %{_libexecdir}/arptables-helper

 %files            help
 %defattr(-,root,root)
@ -345,6 +343,37 @@ fi
 %{_datadir}/xtables/iptables.xslt

 %changelog
+* Fri Apr 25 2025 yanglu <yanglu72@h-partners.com> - 1.8.9-10
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:ip6tables:Fix checking existence of rule
+
+* Tue Dec 3 2024 sunsuwan <sunsuwan3@huawei.com> - 1.8.9-9
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:use xtables-nft when iptables-nft install
+
+* Thu Nov 21 2024 yanglu <yanglu72@h-partners.com> - 1.8.9-8
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:extensions:recent:Fix format string for unsigned values
+       nft:cmd:Init struct nft_cmd::head early
+
+* Mon Sep 30 2024 zhouyihang <zhouyihang3@h-partners.com> - 1.8.9-7
+- Type: bugfix
+- ID: NA
+- SUG: NA
+- DESC: fix broken symbolic link
+
+* Mon Aug 19 2024 yanglu <yanglu72@h-partners.com> - 1.8.9-6
+- Type: enhancement
+- ID: NA
+- SUG: NA
+- DESC: add some testcases of extensions
+
 * Tue Jun 25 2024 liweigang <liweiganga@uniontech.com> - 1.8.9-5
 - Type: bugfix
 - ID: NA
--- a/tests-extensions-add-some-testcases.patch
+++ b/tests-extensions-add-some-testcases.patch
@ -0,0 +1,399 @@
+From 0663cc944204ed3afa7fa4f7cf3beadb3ea8e1e4 Mon Sep 17 00:00:00 2001
+From: chenzhen <vchanger123456@163.com>
+Date: Fri, 1 Apr 2022 11:26:32 +0800
+Subject: [PATCH] tests: extensions: add some testcases
+
+These testcases are intended to test options of commonly used extentions like
+DNAT/SNAT/tcp/udp as much as possible, covering normal and abnormal scenes.
+
+Signed-off-by: chenzhen <vchanger123456@163.com>
+---
+ extensions/libip6t_DNAT.t       |  9 +++++++++
+ extensions/libip6t_LOG.t        |  1 +
+ extensions/libip6t_LOG.txlate   |  9 +++++++++
+ extensions/libip6t_MASQUERADE.t |  1 +
+ extensions/libip6t_REJECT.t     |  1 +
+ extensions/libip6t_SNAT.t       |  8 ++++++++
+ extensions/libip6t_icmp6.t      |  4 ++++
+ extensions/libip6t_rt.t         |  6 ++++++
+ extensions/libip6t_rt.txlate    |  3 +++
+ extensions/libipt_DNAT.t        |  8 ++++++++
+ extensions/libipt_LOG.t         |  1 +
+ extensions/libipt_LOG.txlate    |  9 +++++++++
+ extensions/libipt_MASQUERADE.t  |  1 +
+ extensions/libipt_NETMAP.t      |  1 +
+ extensions/libipt_REJECT.t      |  1 +
+ extensions/libipt_SNAT.t        |  8 ++++++++
+ extensions/libipt_icmp.t        |  4 ++++
+ extensions/libxt_DNAT.txlate    |  6 ++++++
+ extensions/libxt_REDIRECT.t     |  2 ++
+ extensions/libxt_iprange.t      |  7 ++-----
+ extensions/libxt_limit.t        |  7 +++++++
+ extensions/libxt_string.t       | 12 ++++++++++++
+ extensions/libxt_tcp.t          |  3 +++
+ iptables-test.py                | 22 ++++++++++++++++++++++
+ 24 files changed, 129 insertions(+), 5 deletions(-)
+
+diff --git a/extensions/libip6t_DNAT.t b/extensions/libip6t_DNAT.t
+index e53dfa1..3f89f4d 100644
+--- a/extensions/libip6t_DNAT.t
+++ b/extensions/libip6t_DNAT.t
+@@ -17,4 +17,13 @@
+ -p tcp -j DNAT --to-destination [dead::beef]:ftp-data;-p tcp -j DNAT --to-destination [dead::beef]:20;OK
+ -p tcp -j DNAT --to-destination [dead::beef]:echo-ssh;;FAIL
+ -p tcp -j DNAT --to-destination [dead::beef]:10-20/ftp;-p tcp -j DNAT --to-destination [dead::beef]:10-20/21;OK
+-p tcp -j DNAT --to-destination dead::beef --random --persistent;=;OK
+-p tcp -j DNAT --to-destination [dead::beef;;FAIL
+-p tcp -j DNAT --to-destination [dead::beef]:65536;;FAIL
+-p tcp -j DNAT --to-destination [dead::beef]:1-65536;;FAIL
+-p tcp -j DNAT --to-destination [dead::beef]:1:65535;;FAIL
+-p tcp -j DNAT --to-destination [dead::beef]:2-1;;FAIL
+-p tcp -j DNAT --to-destination live::beef;;FAIL
+-p tcp -j DNAT --to-destination dead::beef-live::beef;;FAIL
+-p tcp -j DNAT --to-destination :65535;=;OK
+ -j DNAT;;FAIL
+diff --git a/extensions/libip6t_LOG.t b/extensions/libip6t_LOG.t
+index fbf5118..e3fb58f 100644
+--- a/extensions/libip6t_LOG.t
+++ b/extensions/libip6t_LOG.t
+@@ -8,5 +8,6 @@
+ -j LOG --log-prefix "test: " --log-tcp-options;=;OK
+ -j LOG --log-prefix "test: " --log-ip-options;=;OK
+ -j LOG --log-prefix "test: " --log-uid;=;OK
+-j LOG --log-prefix "test: " --log-macdecode;=;OK
+ -j LOG --log-prefix "test: " --log-level bad;;FAIL
+ -j LOG --log-prefix;;FAIL
+diff --git a/extensions/libip6t_LOG.txlate b/extensions/libip6t_LOG.txlate
+index 29ffce7..79358a9 100644
+--- a/extensions/libip6t_LOG.txlate
+++ b/extensions/libip6t_LOG.txlate
+@@ -6,3 +6,12 @@ nft 'add rule ip6 filter FORWARD meta l4proto tcp counter log level debug'
+ 
+ ip6tables-translate -A FORWARD -p tcp -j LOG --log-prefix "Checking log"
+ nft 'add rule ip6 filter FORWARD meta l4proto tcp counter log prefix "Checking log"'
+
+ip6tables-translate -A FORWARD -p tcp -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid
+nft 'add rule ip6 filter FORWARD meta l4proto tcp counter log flags tcp sequence,options flags ip options flags skuid'
+
+ip6tables-translate -A FORWARD -p tcp -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid --log-macdecode
+nft 'add rule ip6 filter FORWARD meta l4proto tcp counter log flags all'
+
+ip6tables-translate -A FORWARD -p tcp -j LOG --log-tcp-sequence --log-macdecode
+nft 'add rule ip6 filter FORWARD meta l4proto tcp counter log flags tcp sequence flags ether'
+diff --git a/extensions/libip6t_MASQUERADE.t b/extensions/libip6t_MASQUERADE.t
+index e25d2a0..e254fa7 100644
+--- a/extensions/libip6t_MASQUERADE.t
+++ b/extensions/libip6t_MASQUERADE.t
+@@ -7,3 +7,4 @@
+ -p udp -j MASQUERADE --to-ports 1024-65535;=;OK
+ -p udp -j MASQUERADE --to-ports 1024-65536;;FAIL
+ -p udp -j MASQUERADE --to-ports -1;;FAIL
+-j MASQUERADE --to-ports 1024;;FAIL
+diff --git a/extensions/libip6t_REJECT.t b/extensions/libip6t_REJECT.t
+index 8294f0b..6e41b00 100644
+--- a/extensions/libip6t_REJECT.t
+++ b/extensions/libip6t_REJECT.t
+@@ -9,3 +9,4 @@
+ -j REJECT --reject-with icmp6-reject-route;=;OK
+ -p tcp -j REJECT --reject-with tcp-reset;=;OK
+ -j REJECT --reject-with tcp-reset;;FAIL
+-j REJECT --reject-with icmp6-wrong;;FAIL
+diff --git a/extensions/libip6t_SNAT.t b/extensions/libip6t_SNAT.t
+index 98aa760..12c0479 100644
+--- a/extensions/libip6t_SNAT.t
+++ b/extensions/libip6t_SNAT.t
+@@ -14,4 +14,12 @@
+ -p tcp -j SNAT --to-source [dead::beef-dead::fee7]:1025-65535;=;OK
+ -p tcp -j SNAT --to-source [dead::beef-dead::fee7]:1025-65536;;FAIL
+ -p tcp -j SNAT --to-source [dead::beef-dead::fee7]:1025-65535 --to-source [dead::beef-dead::fee8]:1025-65535;;FAIL
+-p tcp -j SNAT --to-source dead::beef --random --random-fully --persistent;=;OK
+-p tcp -j SNAT --to-source :65535;=;OK
+-p tcp -j SNAT --to-source [dead::beef;;FAIL
+-p tcp -j SNAT --to-source [dead::beef]:1-65536;;FAIL
+-p tcp -j SNAT --to-source [dead::beef]:1:65535;;FAIL
+-p tcp -j SNAT --to-source [dead::beef]:2-1;;FAIL
+-p tcp -j SNAT --to-source live::beef;;FAIL
+-p tcp -j SNAT --to-source dead::beef-live::beef;;FAIL
+ -j SNAT;;FAIL
+diff --git a/extensions/libip6t_icmp6.t b/extensions/libip6t_icmp6.t
+index 028cfc1..539ed7b 100644
+--- a/extensions/libip6t_icmp6.t
+++ b/extensions/libip6t_icmp6.t
+@@ -4,3 +4,7 @@
+ -p ipv6-icmp -m icmp6 --icmpv6-type 2;=;OK
+ # cannot use option twice:
+ -p ipv6-icmp -m icmp6 --icmpv6-type no-route --icmpv6-type packet-too-big;;FAIL
+-p ipv6-icmp -m icmp6 ! --icmpv6-type 2;=;OK
+-p ipv6-icmp -m icmp6 --icmpv6-type router;;FAIL
+-p ipv6-icmp -m icmp6 --icmpv6-type -1;;FAIL
+-p ipv6-icmp -m icmp6 --icmpv6-type 1/65536;;FAIL
+diff --git a/extensions/libip6t_rt.t b/extensions/libip6t_rt.t
+index 3c7b2d9..730603e 100644
+--- a/extensions/libip6t_rt.t
+++ b/extensions/libip6t_rt.t
+@@ -2,4 +2,10 @@
+ -m rt --rt-type 0 --rt-segsleft 1:23 --rt-len 42 --rt-0-res;=;OK
+ -m rt --rt-type 0 ! --rt-segsleft 1:23 ! --rt-len 42 --rt-0-res;=;OK
+ -m rt ! --rt-type 1 ! --rt-segsleft 12:23 ! --rt-len 42;=;OK
+-m rt --rt-type 0 --rt-0-addrs beef::feed --rt-0-not-strict;=;OK
+-m rt --rt-0-addrs beef::feed;;FAIL
+-m rt --rt-0-res;;FAIL
+-m rt --rt-type 0 --rt-0-not-strict;;FAIL
+-m rt --rt-type 0 --rt-0-addrs beef::wrong --rt-0-not-strict;;FAIL
+-m rt --rt-type 0 --rt-segsleft 1:1 --rt-len 42 --rt-0-res;-m rt --rt-type 0 --rt-segsleft 1 --rt-len 42 --rt-0-res;OK
+ -m rt;=;OK
+diff --git a/extensions/libip6t_rt.txlate b/extensions/libip6t_rt.txlate
+index 3578bcb..98344fb 100644
+--- a/extensions/libip6t_rt.txlate
+++ b/extensions/libip6t_rt.txlate
+@@ -12,3 +12,6 @@ nft 'add rule ip6 filter INPUT rt type 0 rt hdrlength 22 counter drop'
+ 
+ ip6tables-translate -A INPUT -m rt --rt-type 0 --rt-len 22 ! --rt-segsleft 26 -j ACCEPT
+ nft 'add rule ip6 filter INPUT rt type 0 rt seg-left != 26 rt hdrlength 22 counter accept'
+
+ip6tables-translate -A INPUT -m rt --rt-type 0 --rt-len 22 --rt-segsleft 1:26 -j ACCEPT
+nft 'add rule ip6 filter INPUT rt type 0 rt seg-left 1-26 rt hdrlength 22 counter accept'
+diff --git a/extensions/libipt_DNAT.t b/extensions/libipt_DNAT.t
+index 9007572..884da87 100644
+--- a/extensions/libipt_DNAT.t
+++ b/extensions/libipt_DNAT.t
+@@ -17,4 +17,12 @@
+ -p tcp -j DNAT --to-destination 1.1.1.1:ftp-data;-p tcp -j DNAT --to-destination 1.1.1.1:20;OK
+ -p tcp -j DNAT --to-destination 1.1.1.1:echo-ssh;;FAIL
+ -p tcp -j DNAT --to-destination 1.1.1.1:10-20/ftp;-p tcp -j DNAT --to-destination 1.1.1.1:10-20/21;OK
+-p tcp -j DNAT --to-destination 1.1.1.1 --random --persistent;=;OK
+-p tcp -j DNAT --to-destination :65535;=;OK
+-p tcp -j DNAT --to-destination 1.1.1.1:1000;=;OK
+-p tcp -j DNAT --to-destination 1.1.1.1:1025-65536;;FAIL
+-p tcp -j DNAT --to-destination 1.1.1.1:1025:65535;;FAIL
+-p tcp -j DNAT --to-destination 1.1.1.1:2000-1000;;FAIL
+-p tcp -j DNAT --to-destination 1.1.1.a;;FAIL
+-p tcp -j DNAT --to-destination 1.1.1.1-1.1.1.a;;FAIL
+ -j DNAT;;FAIL
+diff --git a/extensions/libipt_LOG.t b/extensions/libipt_LOG.t
+index fbf5118..e3fb58f 100644
+--- a/extensions/libipt_LOG.t
+++ b/extensions/libipt_LOG.t
+@@ -8,5 +8,6 @@
+ -j LOG --log-prefix "test: " --log-tcp-options;=;OK
+ -j LOG --log-prefix "test: " --log-ip-options;=;OK
+ -j LOG --log-prefix "test: " --log-uid;=;OK
+-j LOG --log-prefix "test: " --log-macdecode;=;OK
+ -j LOG --log-prefix "test: " --log-level bad;;FAIL
+ -j LOG --log-prefix;;FAIL
+diff --git a/extensions/libipt_LOG.txlate b/extensions/libipt_LOG.txlate
+index 13a2ef5..509b075 100644
+--- a/extensions/libipt_LOG.txlate
+++ b/extensions/libipt_LOG.txlate
+@@ -3,3 +3,12 @@ nft 'add rule ip filter FORWARD ip protocol tcp counter log level err'
+ 
+ iptables-translate -A FORWARD -p tcp -j LOG --log-prefix "Random prefix"
+ nft 'add rule ip filter FORWARD ip protocol tcp counter log prefix "Random prefix"'
+
+iptables-translate -A FORWARD -p tcp -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid
+nft 'add rule ip filter FORWARD ip protocol tcp counter log flags tcp sequence,options flags ip options flags skuid'
+
+iptables-translate -A FORWARD -p tcp -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid --log-macdecode
+nft 'add rule ip filter FORWARD ip protocol tcp counter log flags all'
+
+iptables-translate -A FORWARD -p tcp -j LOG --log-tcp-sequence --log-macdecode
+nft 'add rule ip filter FORWARD ip protocol tcp counter log flags tcp sequence flags ether'
+diff --git a/extensions/libipt_MASQUERADE.t b/extensions/libipt_MASQUERADE.t
+index e25d2a0..e254fa7 100644
+--- a/extensions/libipt_MASQUERADE.t
+++ b/extensions/libipt_MASQUERADE.t
+@@ -7,3 +7,4 @@
+ -p udp -j MASQUERADE --to-ports 1024-65535;=;OK
+ -p udp -j MASQUERADE --to-ports 1024-65536;;FAIL
+ -p udp -j MASQUERADE --to-ports -1;;FAIL
+-j MASQUERADE --to-ports 1024;;FAIL
+diff --git a/extensions/libipt_NETMAP.t b/extensions/libipt_NETMAP.t
+index 0de856f..2455354 100644
+--- a/extensions/libipt_NETMAP.t
+++ b/extensions/libipt_NETMAP.t
+@@ -2,3 +2,4 @@
+ *nat
+ -j NETMAP --to 1.2.3.0/24;=;OK
+ -j NETMAP --to 1.2.3.4;-j NETMAP --to 1.2.3.4/32;OK
+-j NETMAP --to 1.2.3.4/33;-j NETMAP --to 0.0.0.0/0.0.0.33;OK
+diff --git a/extensions/libipt_REJECT.t b/extensions/libipt_REJECT.t
+index 3f69a72..7ae90c3 100644
+--- a/extensions/libipt_REJECT.t
+++ b/extensions/libipt_REJECT.t
+@@ -7,3 +7,4 @@
+ -j REJECT --reject-with icmp-net-prohibited;=;OK
+ -j REJECT --reject-with icmp-host-prohibited;=;OK
+ -j REJECT --reject-with icmp-admin-prohibited;=;OK
+-j REJECT --reject-with echo-reply;;FAIL
+diff --git a/extensions/libipt_SNAT.t b/extensions/libipt_SNAT.t
+index c31d6e7..4998fba 100644
+--- a/extensions/libipt_SNAT.t
+++ b/extensions/libipt_SNAT.t
+@@ -14,4 +14,12 @@
+ -p tcp -j SNAT --to-source 1.1.1.1-1.1.1.10:1025-65535;=;OK
+ -p tcp -j SNAT --to-source 1.1.1.1-1.1.1.10:1025-65536;;FAIL
+ -p tcp -j SNAT --to-source 1.1.1.1-1.1.1.10:1025-65535 --to-source 2.2.2.2-2.2.2.20:1025-65535;;FAIL
+-p tcp -j SNAT --to-source 1.1.1.1 --random --random-fully --persistent;=;OK
+-p tcp -j SNAT --to-source :65535;=;OK
+-p tcp -j SNAT --to-source 1.1.1.1:1025;=;OK
+-p tcp -j SNAT --to-source 1.1.1.1:1025-65536;;FAIL
+-p tcp -j SNAT --to-source 1.1.1.1:1025:65535;;FAIL
+-p tcp -j SNAT --to-source 1.1.1.1:65535-1025;;FAIL
+-p tcp -j SNAT --to-source 1.1.1.a;;FAIL
+-p tcp -j SNAT --to-source 1.1.1.1-1.1.1.a;;FAIL
+ -j SNAT;;FAIL
+diff --git a/extensions/libipt_icmp.t b/extensions/libipt_icmp.t
+index ce4a33f..3d68c2d 100644
+--- a/extensions/libipt_icmp.t
+++ b/extensions/libipt_icmp.t
+@@ -15,3 +15,7 @@
+ # -p icmp -m icmp;=;OK
+ -p icmp -m icmp --icmp-type 255/255;=;OK
+ -p icmp -m icmp --icmp-type 255/0:255;-p icmp -m icmp --icmp-type any;OK
+-p icmp -m icmp ! --icmp-type 1/0;=;OK
+-p icmp -m icmp --icmp-type router;;FAIL
+-p icmp -m icmp --icmp-type -1;;FAIL
+-p icmp -m icmp --icmp-type 1/65536;;FAIL
+diff --git a/extensions/libxt_DNAT.txlate b/extensions/libxt_DNAT.txlate
+index e005245..454ab1a 100644
+--- a/extensions/libxt_DNAT.txlate
+++ b/extensions/libxt_DNAT.txlate
+@@ -13,6 +13,9 @@ nft 'add rule ip nat prerouting oifname "eth0" ip protocol tcp counter dnat to 1
+ iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4 --random --persistent
+ nft 'add rule ip nat prerouting oifname "eth0" ip protocol tcp counter dnat to 1.2.3.4 random,persistent'
+ 
+iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4:1000-2000/65535
+nft # -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4:1000-2000/65535
+
+ ip6tables-translate -t nat -A prerouting -p tcp --dport 8080 -j DNAT --to-destination fec0::1234
+ nft 'add rule ip6 nat prerouting tcp dport 8080 counter dnat to fec0::1234'
+ 
+@@ -33,3 +36,6 @@ nft 'add rule ip6 nat prerouting meta l4proto tcp counter dnat to [fec0::1234]:8
+ 
+ ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination [fec0::1234]:80 --random --persistent
+ nft 'add rule ip6 nat prerouting meta l4proto tcp counter dnat to [fec0::1234]:80 random,persistent'
+
+ip6tables-translate -t nat -A prerouting -p tcp -j DNAT --to-destination [dead::beef-dead::beef]
+nft 'add rule ip6 nat prerouting meta l4proto tcp counter dnat to dead::beef'
+diff --git a/extensions/libxt_REDIRECT.t b/extensions/libxt_REDIRECT.t
+index 362efa8..832acd3 100644
+--- a/extensions/libxt_REDIRECT.t
+++ b/extensions/libxt_REDIRECT.t
+@@ -15,3 +15,5 @@
+ -p tcp -j REDIRECT --to-ports 10-ssh;;FAIL
+ -j REDIRECT --to-ports 42;;FAIL
+ -j REDIRECT --random;=;OK
+-p tcp -j REDIRECT --to-ports -1;;FAIL
+-p tcp -j REDIRECT --to-ports 42-65536;;FAIL
+diff --git a/extensions/libxt_iprange.t b/extensions/libxt_iprange.t
+index 6fd98be..5e6b065 100644
+--- a/extensions/libxt_iprange.t
+++ b/extensions/libxt_iprange.t
+@@ -3,9 +3,6 @@
+ -m iprange ! --src-range 1.1.1.1-1.1.1.10;=;OK
+ -m iprange --dst-range 1.1.1.1-1.1.1.10;=;OK
+ -m iprange ! --dst-range 1.1.1.1-1.1.1.10;=;OK
+-# it shows -A INPUT -m iprange --src-range 1.1.1.1-1.1.1.1, should we support this?
+-# ERROR: should fail: iptables -A INPUT -m iprange --src-range 1.1.1.1
+-# -m iprange --src-range 1.1.1.1;;FAIL
+-# ERROR: should fail: iptables -A INPUT -m iprange --dst-range 1.1.1.1
+-#-m iprange --dst-range 1.1.1.1;;FAIL
+-m iprange --src-range 1.1.1.1;-m iprange --src-range 1.1.1.1-1.1.1.1;OK
+-m iprange --dst-range 1.1.1.1;-m iprange --dst-range 1.1.1.1-1.1.1.1;OK
+ -m iprange;;FAIL
+diff --git a/extensions/libxt_limit.t b/extensions/libxt_limit.t
+index b0af653..95b5ef2 100644
+--- a/extensions/libxt_limit.t
+++ b/extensions/libxt_limit.t
+@@ -4,3 +4,10 @@
+ -m limit --limit 1000/hour;=;OK
+ -m limit --limit 1000/day;=;OK
+ -m limit --limit 1/sec --limit-burst 1;=;OK
+-m limit --limit 0/sec;;FAIL
+-m limit --limit 1/bad;;FAIL
+-m limit ! --limit 1/sec;;FAIL
+# Rate too fast(> 10000/sec)
+-m limit --limit 10001/second;;FAIL
+# Default value for --limit
+-m limit;-m limit --limit 3/hour;OK
+diff --git a/extensions/libxt_string.t b/extensions/libxt_string.t
+index 2f4b30c..eeb48b1 100644
+--- a/extensions/libxt_string.t
+++ b/extensions/libxt_string.t
+@@ -4,8 +4,20 @@
+ -m string ! --string "test" --algo kmp;=;OK
+ -m string --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" --algo bm;=;OK
+ -m string --string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" --algo bm;;FAIL
+-m string --string "\\" --algo bm;-m string --hex-string "|5c|" --algo bm;OK
+ -m string --hex-string "|0a0a0a0a|" --algo bm;=;OK
+-m string ! --hex-string "|0a0a0a0a|" --algo bm;=;OK
+ -m string --algo bm --from 0 --to 65535 --string "test";-m string --string "test" --algo bm;OK
+-m string --algo bm --hex-string "| 0a|";-m string --hex-string "|0a|" --algo bm;OK
+-m string --algo bm --hex-string "|0a0|";;FAIL
+-m string --algo bm --hex-string "|ww|";;FAIL
+-m string --algo bm --hex-string "";;FAIL
+-m string --algo bm --hex-string "|0a\\|";;FAIL
+-m string --algo bm --hex-string "xxx\\";;FAIL
+-m string --algo bm --hex-string "|\\";;FAIL
+-m string --algo bm --hex-string "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";;FAIL
+-m string --string "test" --algo bm --from 1 --to 65535;-m string --string "test" --algo bm --from 1;OK
+-m string --string "test" --algo bm --to 65535 --icase;-m string --string "test" --algo bm --icase;OK
+ -m string --algo wrong;;FAIL
+ -m string --algo bm;;FAIL
+ -m string;;FAIL
+diff --git a/extensions/libxt_tcp.t b/extensions/libxt_tcp.t
+index 7a3bbd0..0c15895 100644
+--- a/extensions/libxt_tcp.t
+++ b/extensions/libxt_tcp.t
+@@ -25,5 +25,8 @@
+ -m tcp --dport 1;;FAIL
+ -m tcp --dport 1 -p tcp;-p tcp -m tcp --dport 1;OK
+ -m tcp --dport 1 -p 6;-p tcp -m tcp --dport 1;OK
+-p tcp -m tcp --tcp-option 1;=;OK
+-p tcp -m tcp --tcp-option -1;;FAIL
+-p tcp -m tcp ! --tcp-option 1;=;OK
+ # should we accept this below?
+ -p tcp -m tcp;=;OK
+diff --git a/iptables-test.py b/iptables-test.py
+index de1e1e9..ba4bede 100755
+--- a/iptables-test.py
+++ b/iptables-test.py
+@@ -68,6 +68,23 @@ def delete_rule(iptables, rule, filename, lineno, netns = None):
+     return 0
+ 
+ 
+def list_rules(iptables, rule, filename, lineno):
+    '''
+    list iptables rules
+    '''
+    cmd = iptables + " -vvL "
+    if " -t " in rule:
+        cmd += " -t " + rule.split(" -t ")[1].split(" ")[0]
+
+    ret = execute_cmd(cmd, filename, lineno)
+    if ret:
+        reason = "cannot list: " + iptables + " -vvL " + rule
+        print_error(reason, filename, lineno)
+        return -1
+
+    return 0
+
+
+ def run_test(iptables, rule, rule_save, res, filename, lineno, netns):
+     '''
+     Executes an unit test. Returns the output of delete_rule().
+@@ -163,6 +180,11 @@ def run_test(iptables, rule, rule_save, res, filename, lineno, netns):
+     if netns:
+         return 0
+ 
+    ret = list_rules(iptables, rule, filename, lineno)
+    if ret < 0:
+        delete_rule(iptables, rule, filename, lineno)
+        return -1
+
+     return delete_rule(iptables, rule, filename, lineno)
+ 
+ def execute_cmd(cmd, filename, lineno = 0, netns = None):
+-- 
+2.43.0
+
Author	SHA1	Message	Date
openeuler-ci-bot	b507a77478	!150 [sync] PR-149: ip6tables:Fix checking existence of rule From: @openeuler-sync-bot Reviewed-by: @sunsuwan Signed-off-by: @sunsuwan	2025-04-28 11:42:36 +00:00
yangl777	8724b1aa12	ip6tables:Fix checking existence of rule (cherry picked from commit dfda463ee924bf1be5bed272a2ecc2c4c1f4d7b0)	2025-04-25 18:35:48 +08:00
openeuler-ci-bot	556fbd1378	!145 [sync] PR-135: use xtables-nft when iptables-nft install From: @openeuler-sync-bot Reviewed-by: @sunsuwan Signed-off-by: @sunsuwan	2024-12-16 07:38:57 +00:00
sunsuwan	c72bd535a4	use xtables-nft when iptables-nft install Signed-off-by: sunsuwan <sunsuwan3@huawei.com> (cherry picked from commit 6561caa6453dc8061d07209a0f59d9476c643ab9)	2024-12-10 14:48:45 +08:00
openeuler-ci-bot	7fc842386d	!127 backport some upstream patches From: @yangl777 Reviewed-by: @sunsuwan Signed-off-by: @sunsuwan	2024-11-26 02:45:23 +00:00
yangl777	b0cd0fc9cf	backport some upstream patches	2024-11-21 11:53:40 +00:00
openeuler-ci-bot	a4ad7f0af7	!119 fix broken symbolic link From: @sherlock2010 Reviewed-by: @sunsuwan Signed-off-by: @sunsuwan	2024-10-08 02:52:32 +00:00
sherlock2010	179f221b24	fix broken symbolic link	2024-09-30 07:35:50 +00:00
openeuler-ci-bot	ed1032557a	!113 add some testcases of extensions From: @yangl777 Reviewed-by: @jiangheng12 Signed-off-by: @jiangheng12	2024-08-20 07:02:40 +00:00
yangl777	413d06a737	add some testcases of extensions	2024-08-19 09:59:53 +00:00