Testsuite checks added

- check iptables match/target extensions with invalid number of
  dir parameters
- check SET target with --del-set option

diff --git a/tests/iptables.sh b/tests/iptables.sh
index 1bf96df5b9dcfbf5afedb2bab9c65a09f9054f21..b5b82e466e66ac95f3a55af434a6dceb78f8a42a 100755 (executable)
--- a/tests/iptables.sh
+++ b/tests/iptables.sh
@@ -60,6 +60,10 @@ start)
        $cmd -A OUTPUT -d $NET -j DROP
        cat /dev/null > .foo.err
        ;;
+del)
+       $cmd -F INPUT
+       $cmd -A INPUT -j SET --del-set ipport src,src
+       ;;
 stop)
        $cmd -F
        $cmd -X

diff --git a/tests/match_target.t b/tests/match_target.t
index 6756be14f778cadad96c7e0ed1b77e53fee91e69..0c6e7e7a81a202dcf5266bc19e2d59fe2139dac8 100644 (file)
--- a/tests/match_target.t
+++ b/tests/match_target.t
@@ -1,3 +1,15 @@
+# Create test set
+0 ipset create test hash:ip
+# Check that iptables set match catches invalid number of dir parameters
+2 iptables -m set --match-set test src,dst,src,dst,src,dst,src
+# Check reference number of test set
+0 ref=`ipset list test|grep References|sed 's/References: //'` && test $ref -eq 0
+# Check that iptables SET target catches invalid number of dir parameters
+2 iptables -j SET --add-set test src,dst,src,dst,src,dst,src
+# Check reference number of test set
+0 ref=`ipset list test|grep References|sed 's/References: //'` && test $ref -eq 0
+# Destroy test set
+0 ipset destroy test
 # Create sets and inet rules which call set match and SET target
 0 ./iptables.sh inet start
 # Check that 10.255.255.64,tcp:1025 is not in ipport set
@@ -38,6 +50,12 @@
 0 sendip -d r10 -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p icmp -ct 3 -cd 10 127.0.0.1
 # Check that 10.255.255.64,icmp:3/10 is in ipport set now
 0 ipset test ipport 10.255.255.64,icmp:host-prohibited
+# Modify rules to check target and deletion
+0 ./iptables.sh inet del
+# Send probe packet 10.255.255.64,icmp:host-prohibited
+0 sendip -d r10 -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p icmp -ct 3 -cd 10 127.0.0.1
+# Check that 10.255.255.64,icmp:3/10 isn't in ipport
+1 ipset test ipport 10.255.255.64,icmp:host-prohibited
 # Destroy sets and rules
 0 ./iptables.sh inet stop
 # eof

diff --git a/tests/match_target6.t b/tests/match_target6.t
index 6f1fc3d83290c8b00db8d9a7f8abd530c5bbb5b8..15a3b9e802d1abb120832913ca024318cf21ddeb 100644 (file)
--- a/tests/match_target6.t
+++ b/tests/match_target6.t
@@ -1,3 +1,15 @@
+# Create test set
+0 ipset create test hash:ip family inet6
+# Check that iptables set match catches invalid number of dir parameters
+2 ip6tables -m set --match-set test src,dst,src,dst,src,dst,src
+# Check reference number of test set
+0 ref=`ipset list test|grep References|sed 's/References: //'` && test $ref -eq 0
+# Check that iptables SET target catches invalid number of dir parameters
+2 ip6tables -j SET --del-set test src,dst,src,dst,src,dst,src
+# Check reference number of test set
+0 ref=`ipset list test|grep References|sed 's/References: //'` && test $ref -eq 0
+# Destroy test set
+0 ipset destroy test
 # Create sets and inet6 rules which call set match and SET target
 0 ./iptables.sh inet6 start
 # Check that 1002:1002:1002:1002::64,tcp:1025 is not in ipport set
@@ -38,6 +50,12 @@
 0 sendip -d r10 -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p icmp -ct 3 -cd 1 ::1
 # Check that 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly is in ipport set now
 0 ipset test ipport 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly
+# Modify rules to check target and deletion
+0 ./iptables.sh inet6 del
+# Send probe packet from 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly
+0 sendip -d r10 -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p icmp -ct 3 -cd 1 ::1
+# Check that 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly isn't in ipport set
+1 ipset test ipport 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly
 # Destroy sets and rules
 0 ./iptables.sh inet6 stop
 # eof