[LTP] [PATCH 2/2] network/iptables: add new test for iptables-tranlsate and nft

Alexey Kodanev alexey.kodanev@oracle.com
Tue Nov 26 12:53:44 CET 2019


* Reuse the test-cases from iptables_tests by moving them
  into iptables_lib.sh.

* Create nft rules with iptables-translate.

Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
---
 runtest/net.tcp_cmds                          |   3 +-
 testcases/network/iptables/Makefile           |  23 +--
 testcases/network/iptables/iptables01.sh      |  18 ++
 .../{iptables_tests.sh => iptables_lib.sh}    | 163 +++++++++---------
 testcases/network/iptables/nft01.sh           |  18 ++
 5 files changed, 119 insertions(+), 106 deletions(-)
 create mode 100755 testcases/network/iptables/iptables01.sh
 rename testcases/network/iptables/{iptables_tests.sh => iptables_lib.sh} (65%)
 create mode 100755 testcases/network/iptables/nft01.sh

diff --git a/runtest/net.tcp_cmds b/runtest/net.tcp_cmds
index 423a81756..afe6d7c71 100644
--- a/runtest/net.tcp_cmds
+++ b/runtest/net.tcp_cmds
@@ -17,7 +17,8 @@ rsh rsh01.sh
 sendfile sendfile01.sh
 tcpdump tcpdump01.sh
 telnet telnet01.sh
-iptables iptables_tests.sh
+iptables iptables01.sh
+nft nft01.sh
 dhcpd dhcpd_tests.sh
 dnsmasq dnsmasq_tests.sh
 iproute ip_tests.sh
diff --git a/testcases/network/iptables/Makefile b/testcases/network/iptables/Makefile
index afb96e9cb..1b42f25db 100644
--- a/testcases/network/iptables/Makefile
+++ b/testcases/network/iptables/Makefile
@@ -1,29 +1,12 @@
-#
-#    network/iptables testcases Makefile.
-#
-#    Copyright (C) 2009, Cisco Systems Inc.
-#
-#    This program is free software; you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation; either version 2 of the License, or
-#    (at your option) any later version.
-#
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
-#
-#    You should have received a copy of the GNU General Public License along
-#    with this program; if not, write to the Free Software Foundation, Inc.,
-#    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (C) 2009, Cisco Systems Inc.
 #
 # Ngie Cooper, July 2009
-#
 
 top_srcdir		?= ../../..
 
 include $(top_srcdir)/include/mk/env_pre.mk
 
-INSTALL_TARGETS		:= iptables_tests.sh
+INSTALL_TARGETS		:= *.sh
 
 include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/network/iptables/iptables01.sh b/testcases/network/iptables/iptables01.sh
new file mode 100755
index 000000000..de38272e1
--- /dev/null
+++ b/testcases/network/iptables/iptables01.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2018-2019 Oracle and/or its affiliates. All Rights Reserved.
+
+TST_CNT=6
+TST_SETUP="init"
+TST_TESTFUNC="test"
+TST_CLEANUP="cleanup"
+TST_NEEDS_TMPDIR=1
+TST_NEEDS_ROOT=1
+TST_NEEDS_CMDS="iptables grep ping telnet"
+TST_NEEDS_DRIVERS="ip_tables"
+use_iptables=1
+
+. iptables_lib.sh
+. tst_test.sh
+
+tst_run
diff --git a/testcases/network/iptables/iptables_tests.sh b/testcases/network/iptables/iptables_lib.sh
similarity index 65%
rename from testcases/network/iptables/iptables_tests.sh
rename to testcases/network/iptables/iptables_lib.sh
index d8b23283f..35548d88e 100755
--- a/testcases/network/iptables/iptables_tests.sh
+++ b/testcases/network/iptables/iptables_lib.sh
@@ -6,41 +6,47 @@
 #  Author:	Jan 20 2004 Hubert Lin <linux02NOSPAAAM@tw.ibm.com>
 #				       <hubertNOSPAAAM@symbio.com.tw>
 
-TST_CNT=6
-TST_SETUP="init"
-TST_TESTFUNC="test"
-TST_CLEANUP="cleanup"
-TST_NEEDS_TMPDIR=1
-TST_NEEDS_ROOT=1
-TST_NEEDS_CMDS="iptables grep ping telnet"
+if [ "$use_iptables" -eq 1 ]; then
+	toolname=iptables
+else
+	toolname=nft
+fi
 
-. tst_test.sh
-
-init()
+NFRUN()
 {
-	tst_res TINFO "INIT: Inititalizing tests."
+	local rule
 
-	modprobe ip_tables
-	if [ $? -ne 0 ]; then
-		iptables -L > tst_iptables.out 2>&1
-		if [ $? -ne 0 ]; then
-			tst_brk TCONF "no iptables support in kernel."
-		fi
+	if [ "$use_iptables" -eq 1 ]; then
+		iptables $@
+	else
+		$(iptables-translate $@ | sed 's,\\,,g')
 	fi
+}
 
+NFRUN_REMOVE()
+{
+	if [ "$use_iptables" -eq 1 ]; then
+		ROD iptables -D INPUT 1
+	else
+		ROD nft flush chain ip filter INPUT
+	fi
+}
+
+init()
+{
 	tst_res TINFO "INIT: Flushing all rules."
-	iptables -F -t filter > tst_iptables.out 2>&1
-	iptables -F -t nat > tst_iptables.out 2>&1
-	iptables -F -t mangle > tst_iptables.out 2>&1
+	NFRUN -F -t filter > tst_iptables.out 2>&1
+	NFRUN -F -t nat > tst_iptables.out 2>&1
+	NFRUN -F -t mangle > tst_iptables.out 2>&1
 }
 
 cleanup()
 {
 	lsmod | grep "ip_tables" > tst_iptables.out 2>&1
 	if [ $? -eq 0 ]; then
-		iptables -F -t filter > tst_iptables.out 2>&1
-		iptables -F -t nat > tst_iptables.out 2>&1
-		iptables -F -t mangle > tst_iptables.out 2>&1
+		NFRUN -F -t filter > tst_iptables.out 2>&1
+		NFRUN -F -t nat > tst_iptables.out 2>&1
+		NFRUN -F -t mangle > tst_iptables.out 2>&1
 		rmmod -v ipt_limit ipt_multiport ipt_LOG ipt_REJECT \
 			 iptable_mangle iptable_nat ip_conntrack \
 			 iptable_filter ip_tables nf_nat_ipv4 nf_nat \
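Review bot: The nft branch of `NFRUN` (L140) executes the translator's output by word-splitting a command substitution, which loses the exit status of `iptables-translate`: the substitution's status is that of `sed`, and a failed translation expands to nothing and runs nothing, so every `if [ $? -ne 0 ]` check placed after an `NFRUN` call (init, test2 through test6) reports success for a rule that was never installed. Word-splitting the expansion also means an argument with whitespace is torn apart, and the iptables branch on L138 has the same issue with the unquoted `$@`, which should be `"$@"`; `local rule` on L129 is declared but never used. A safer shape checks the translator on its own and lets `nft -f -` parse the translated line, as drafted below; the draft assumes the translated line begins with the `nft` word, which should be confirmed against the translator's output for the `-A` and `-F` forms used here. `cleanup` continues outside the hunk.
```shell
NFRUN()
{
	local rule

	if [ "$use_iptables" -eq 1 ]; then
		iptables "$@"
		return
	fi

	# Check the translator on its own: inside the old pipeline only
	# sed's status was visible, so a failed translation expanded to
	# nothing and the caller's "$?" test saw success.
	rule=$(iptables-translate "$@") || return 1

	# The translator escapes quotes for pasting into a shell; drop the
	# backslashes and let nft parse the rest of the line itself instead
	# of word-splitting it.
	printf '%s\n' "${rule#nft }" | sed 's,\\,,g' | nft -f -
}
```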
@@ -52,6 +58,11 @@ cleanup()
 
 test1()
 {
+
+	if [ "$use_iptables" -ne 1 ]; then
+		tst_res TCONF "$toolname not applicable for test $1"
+		return
+	fi
 	local chaincnt=0
 
 	local cmd="iptables -L -t filter"
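Review bot: The TCONF message on L183 interpolates `$1`, but whether the harness passes the test number to `test1` is not visible here; if it is invoked without an argument the message ends with "for test " and nothing more. A fixed message avoids depending on that, `tst_res TCONF "$toolname not applicable for test1"`, and the stray blank line after the opening brace on L181 should go. test1 continues outside the hunk.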
@@ -112,12 +123,12 @@ test1()
 
 test2()
 {
-	tst_res TINFO "Use iptables to DROP packets from particular IP"
+	tst_res TINFO "Use $toolname to DROP packets from particular IP"
 	tst_res TINFO "Rule to block icmp from 127.0.0.1"
 
-	iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP > tst_iptables.out 2>&1
+	NFRUN -A INPUT -s 127.0.0.1 -p icmp -j DROP > tst_iptables.out 2>&1
 	if [ $? -ne 0 ]; then
-		tst_res TFAIL "iptables command failed to append new rule."
+		tst_res TFAIL "$toolname command failed to append new rule."
 		cat tst_iptables.out
 		return
 	fi
@@ -128,47 +139,43 @@ test2()
 		grep "100% packet loss" tst_iptables.out > tst_iptables.err 2>&1
 		if [ $? -ne 0 ]; then
 			tst_res TFAIL \
-				 "iptables did not block packets from loopback"
+				 "$toolname did not block packets from loopback"
 			cat tst_iptables.err
 			return
 		else
 			tst_res TINFO "Ping 127.0.0.1 not successful."
 		fi
 	else
-		tst_res TFAIL "iptables did not block icmp from 127.0.0.1"
+		tst_res TFAIL "$toolname did not block icmp from 127.0.0.1"
 		cat tst_iptables.out
 		return
 	fi
 
 	tst_res TINFO "Deleting icmp DROP from 127.0.0.1 rule."
-	iptables -D INPUT 1 > tst_iptables.out 2>&1
-	if [ $? -ne 0 ]; then
-		tst_res TFAIL "iptables did not remove the rule."
-		cat tst_iptables.out
-		return
-	fi
+	NFRUN_REMOVE
+
 	tst_res TINFO "Pinging 127.0.0.1 again"
 	ping -c 2 127.0.0.1 -W 1 -i 0 > tst_iptables.out 2>&1
 	if [ $? -ne 0 ]; then
-		tst_res TFAIL "iptables blocking loopback. This is expected" \
+		tst_res TFAIL "$toolname blocking loopback. This is expected" \
 			       "behaviour on certain distributions where" \
 			       "enabling firewall drops all packets by default."
 		cat tst_iptables.out
 		return
 	fi
 	tst_res TINFO "Ping succsess"
-	tst_res TPASS "iptables can DROP packets from particular IP."
+	tst_res TPASS "$toolname can DROP packets from particular IP."
 }
 
 test3()
 {
-	tst_res TINFO "Use iptables to REJECT ping request."
+	tst_res TINFO "Use $toolname to REJECT ping request."
 	tst_res TINFO "Rule to reject ping request."
 
-	iptables -A INPUT -p icmp --icmp-type echo-request -d 127.0.0.1 -j \
+	NFRUN -A INPUT -p icmp --icmp-type echo-request -d 127.0.0.1 -j \
 		 REJECT > tst_iptables.out 2>&1
 	if [ $? -ne 0 ]; then
-		tst_res TFAIL "iptables command failed to append new rule."
+		tst_res TFAIL "$toolname command failed to append new rule."
 		cat tst_iptables.out
 		return
 	fi
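Review bot: `NFRUN_REMOVE` on L230 and L287 (and likewise in test4 and test6) replaces a check that reported `TFAIL` and printed `tst_iptables.out` with `ROD`, which aborts the run on failure, so a rule that cannot be removed now stops all remaining tests instead of failing only the test that added it; if that is deliberate it deserves a comment on the helper, e.g. `# a rule that cannot be removed would taint every later test, so abort`. On the nft path the helper also flushes the whole INPUT chain rather than deleting rule 1, which is wider than what the iptables path does and is worth noting in the same comment. test2 starts before this hunk and test3 continues past it.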
@@ -178,29 +185,25 @@ test3()
 	if [ $? -ne 0 ]; then
 		grep "100% packet loss" tst_iptables.out > tst_iptables.err 2>&1
 		if [ $? -ne 0 ]; then
-			tst_res TFAIL "iptables did not block ping request."
+			tst_res TFAIL "$toolname did not block ping request."
 			cat tst_iptables.err
 			return
 		else
 			tst_res TINFO "Ping 127.0.0.1 not successful."
 		fi
 	else
-		tst_res TFAIL "iptables did not reject ping request."
+		tst_res TFAIL "$toolname did not reject ping request."
 		cat tst_iptables.out
 		return
 	fi
 
 	tst_res TINFO "Deleting icmp request REJECT rule."
-	iptables -D INPUT 1 > tst_iptables.out 2>&1
-	if [ $? -ne 0 ]; then
-		tst_res TFAIL "iptables did not remove the rule."
-		cat tst_iptables.out
-		return
-	fi
+	NFRUN_REMOVE
+
 	tst_res TINFO "Pinging 127.0.0.1 again"
 	ping -c 2 127.0.0.1 -W 1 -i 0 > tst_iptables.out 2>&1
 	if [ $? -ne 0 ]; then
-		tst_res TFAIL "iptables blocking ping requests. This is" \
+		tst_res TFAIL "$toolname blocking ping requests. This is" \
 			      "expected behaviour on certain distributions" \
 			      "where enabling firewall drops all packets by" \
 			      "default."
@@ -208,7 +211,7 @@ test3()
 		return
 	fi
 	tst_res TINFO "Ping succsess"
-	tst_res TPASS "iptables can REJECT ping requests."
+	tst_res TPASS "$toolname can REJECT ping requests."
 }
 
 test4()
@@ -216,13 +219,13 @@ test4()
 	local dport=45886
 	local logprefix="${TCID}$(date +%m%d%H%M%S):"
 
-	tst_res TINFO "Use iptables to log packets to particular port."
+	tst_res TINFO "Use $toolname to log packets to particular port."
 	tst_res TINFO "Rule to log tcp packets to particular port."
 
-	iptables -A INPUT -p tcp -d 127.0.0.1 --dport $dport -j LOG \
+	NFRUN -A INPUT -p tcp -d 127.0.0.1 --dport $dport -j LOG \
 		 --log-prefix "$logprefix" > tst_iptables.out 2>&1
 	if [ $? -ne 0 ]; then
-		tst_res TFAIL "iptables command failed to append new rule."
+		tst_res TFAIL "$toolname command failed to append new rule."
 		cat tst_iptables.out
 		return
 	fi
@@ -234,7 +237,7 @@ test4()
 		dmesg | grep "$logprefix" > tst_iptables.err 2>&1
 		if [ $? -ne 0 ]; then
 			tst_res TFAIL \
-				 "iptables did not log packets to port $dport"
+				 "$toolname did not log packets to port $dport"
 			cat tst_iptables.err
 			return
 		else
@@ -247,14 +250,10 @@ test4()
 	fi
 
 	tst_res TINFO "Deleting the rule to log."
-	iptables -D INPUT 1 > tst_iptables.out 2>&1
-	if [ $? -ne 0 ]; then
-		tst_res TFAIL "iptables did not remove the rule."
-		cat tst_iptables.out
-		return
-	fi
-	tst_res TINFO "iptables logging succsess"
-	tst_res TPASS "iptables can log packets to particular port."
+	NFRUN_REMOVE
+
+	tst_res TINFO "$toolname logging succsess"
+	tst_res TPASS "$toolname can log packets to particular port."
 }
 
 test5()
@@ -262,22 +261,22 @@ test5()
 	local dport=0
 	local logprefix="${TCID}$(date +%m%d%H%M%S):"
 
-	tst_res TINFO "Use iptables to log packets to multiple ports."
+	tst_res TINFO "Use $toolname to log packets to multiple ports."
 	tst_res TINFO "Rule to log tcp packets to port 45801 - 45803."
-	iptables -A INPUT -p tcp -d 127.0.0.1 --dport 45801:45803 -j LOG \
+	NFRUN -A INPUT -p tcp -d 127.0.0.1 --dport 45801:45803 -j LOG \
 		 --log-prefix "$logprefix" > tst_iptables.out 2>&1
 	if [ $? -ne 0 ]; then
-		tst_res TFAIL "iptables command failed to append new rule."
+		tst_res TFAIL "$toolname command failed to append new rule."
 		cat tst_iptables.out
 		return
 	fi
 
 	tst_res TINFO "Rule to log tcp packets to port 45804 - 45806."
-	iptables -A INPUT -p tcp -d 127.0.0.1 -m multiport --dports \
+	NFRUN -A INPUT -p tcp -d 127.0.0.1 -m multiport --dports \
 		 45804,45806,45805 -j LOG --log-prefix "$logprefix" \
 		 > tst_iptables.out 2>&1
 	if [ $? -ne 0 ]; then
-		tst_res TFAIL "iptables command failed to append new rule."
+		tst_res TFAIL "$toolname command failed to append new rule."
 		cat tst_iptables.out
 		return
 	fi
@@ -290,7 +289,7 @@ test5()
 			dmesg | grep "$logprefix" | grep "=$dport " \
 				> tst_iptables.err 2>&1
 			if [ $? -ne 0 ]; then
-				tst_res TFAIL "iptables did not log packets" \
+				tst_res TFAIL "$toolname did not log packets" \
 					       "to port $dport"
 				cat tst_iptables.err
 				return
@@ -305,14 +304,14 @@ test5()
 	done
 
 	tst_res TINFO "Flushing all rules."
-	iptables -F > tst_iptables.out 2>&1
+	NFRUN -F > tst_iptables.out 2>&1
 	if [ $? -ne 0 ]; then
-		tst_res TFAIL "iptables did not flush all rules."
+		tst_res TFAIL "$toolname did not flush all rules."
 		cat tst_iptables.out
 		return
 	fi
-	tst_res TINFO "iptables logging succsess"
-	tst_res TPASS "iptables can log packets to multiple ports."
+	tst_res TINFO "$toolname logging succsess"
+	tst_res TPASS "$toolname can log packets to multiple ports."
 }
 
 test6()
@@ -320,13 +319,13 @@ test6()
 	local logcnt=0
 	local logprefix="${TCID}$(date +%m%d%H%M%S):"
 
-	tst_res TINFO "Use iptables to log ping request with limited rate."
+	tst_res TINFO "Use $toolname to log ping request with limited rate."
 	tst_res TINFO "Rule to log ping request."
 
-	iptables -A INPUT -p icmp --icmp-type echo-request -d 127.0.0.1 -m \
+	NFRUN -A INPUT -p icmp --icmp-type echo-request -d 127.0.0.1 -m \
 		 limit -j LOG --log-prefix "$logprefix" > tst_iptables.out 2>&1
 	if [ $? -ne 0 ]; then
-		tst_res TFAIL "iptables command failed to append new rule."
+		tst_res TFAIL "$toolname command failed to append new rule."
 		cat tst_iptables.out
 		return
 	fi
@@ -337,7 +336,7 @@ test6()
 		sleep 2
 		logcnt=$(dmesg | grep -c "$logprefix")
 		if [ $logcnt -ne 5 ]; then
-			tst_res TFAIL "iptables did not log packets with" \
+			tst_res TFAIL "$toolname did not log packets with" \
 				      "limited rate."
 			cat tst_iptables.out
 			return
@@ -353,14 +352,8 @@ test6()
 	fi
 
 	tst_res TINFO "Deleting the rule to log."
-	iptables -D INPUT 1 > tst_iptables.out 2>&1
-	if [ $? -ne 0 ]; then
-		tst_res TFAIL "iptables did not remove the rule."
-		cat tst_iptables.out
-		return
-	fi
-	tst_res TINFO "iptables limited logging succsess"
-	tst_res TPASS "iptables can log packets with limited rate."
-}
+	NFRUN_REMOVE
 
-tst_run
+	tst_res TINFO "$toolname limited logging succsess"
+	tst_res TPASS "$toolname can log packets with limited rate."
+}
diff --git a/testcases/network/iptables/nft01.sh b/testcases/network/iptables/nft01.sh
new file mode 100755
index 000000000..1d378b2b7
--- /dev/null
+++ b/testcases/network/iptables/nft01.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2019 Oracle and/or its affiliates. All Rights Reserved.
+
+TST_CNT=6
+TST_SETUP="init"
+TST_TESTFUNC="test"
+TST_CLEANUP="cleanup"
+TST_NEEDS_TMPDIR=1
+TST_NEEDS_ROOT=1
+TST_NEEDS_CMDS="nft iptables-translate grep ping telnet"
+TST_NEEDS_DRIVERS="nf_tables"
+use_iptables=0
+
+. iptables_lib.sh
+. tst_test.sh
+
+tst_run
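Review bot: On the nft path the translated rules and `NFRUN_REMOVE` address the `ip filter` table and its `INPUT` chain (`nft add rule ip filter INPUT …`, `nft flush chain ip filter INPUT`), but neither this file nor `init` creates them; unless the host already has that table (for instance from an iptables-nft backend), `nft` is expected to reject both the add and the flush, and each test would fail at the append step. Consider creating them in `init` when `use_iptables` is 0, e.g. `nft add table ip filter` and `nft add chain ip filter INPUT '{ type filter hook input priority 0; }'`, and deleting them in `cleanup`. Note also that `cleanup` only flushes when `lsmod | grep "ip_tables"` succeeds, so on a host with only `nf_tables` loaded the nft-path rules are left in place after a failed test.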
-- 
2.20.1


