blob: dcd9dfd3c0806e03159c480e606270289f12fa60 [file] [log] [blame]
#!/bin/bash
# make sure error return codes are as expected useful cases
# (e.g. commands to check ruleset state)
global_rc=0
cmd() { # (rc, msg, cmd, [args ...])
rc_exp=$1; shift
msg_exp=""
[ $rc_exp != 0 ] && {
msg_exp="$1"; shift
}
for ipt in iptables ip6tables; do
msg="$($XT_MULTI $ipt "$@" 2>&1 >/dev/null)"
rc=$?
[ $rc -eq $rc_exp ] || {
echo "---> expected return code $rc_exp, got $rc for command '$ipt $@'"
global_rc=1
}
[ -n "$msg_exp" ] || continue
msg_exp_full="${ipt}$msg_exp"
grep -q "$msg_exp_full" <<< $msg || {
echo "---> expected error message '$msg_exp_full', got '$msg' for command '$ipt $@'"
global_rc=1
}
done
}
EEXIST_F=": File exists."
EEXIST=": Chain already exists."
ENOENT=": No chain/target/match by that name."
E2BIG_I=": Index of insertion too big."
E2BIG_D=": Index of deletion too big."
E2BIG_R=": Index of replacement too big."
EBADRULE=": Bad rule (does a matching rule exist in that chain?)."
#ENOTGT=" v[0-9\.]* [^ ]*: Couldn't load target \`foobar':No such file or directory"
ENOMTH=" v[0-9\.]* [^ ]*: Couldn't load match \`foobar':No such file or directory"
ENOTBL=": can't initialize iptables table \`foobar': Table does not exist"
# test chain creation
cmd 0 -N foo
cmd 1 "$EEXIST" -N foo
# iptables-nft allows this - bug or feature?
#cmd 2 -N "invalid name"
# test chain flushing/zeroing
cmd 0 -F foo
cmd 0 -Z foo
cmd 1 "$ENOENT" -F bar
cmd 1 "$ENOENT" -Z bar
# test chain rename
cmd 0 -E foo bar
cmd 1 "$EEXIST_F" -E foo bar
cmd 1 "$ENOENT" -E foo bar2
cmd 0 -N foo2
cmd 1 "$EEXIST_F" -E foo2 bar
# test rule adding
cmd 0 -A INPUT -j ACCEPT
cmd 1 "$ENOENT" -A noexist -j ACCEPT
# next three differ:
# legacy: Couldn't load target `foobar':No such file or directory
# nft: Chain 'foobar' does not exist
cmd 2 "" -I INPUT -j foobar
cmd 2 "" -R INPUT 1 -j foobar
cmd 2 "" -D INPUT -j foobar
cmd 1 "$EBADRULE" -D INPUT -p tcp --dport 22 -j ACCEPT
# test rulenum commands
cmd 1 "$E2BIG_I" -I INPUT 23 -j ACCEPT
cmd 1 "$E2BIG_D" -D INPUT 23
cmd 1 "$E2BIG_R" -R INPUT 23 -j ACCEPT
cmd 1 "$ENOENT" -I nonexist 23 -j ACCEPT
cmd 1 "$ENOENT" -D nonexist 23
cmd 1 "$ENOENT" -R nonexist 23 -j ACCEPT
# test rule checking
cmd 0 -C INPUT -j ACCEPT
cmd 1 "$EBADRULE" -C FORWARD -j ACCEPT
cmd 1 "$BADRULE" -C nonexist -j ACCEPT
cmd 2 "$ENOMTH" -C INPUT -m foobar -j ACCEPT
# messages of those don't match, but iptables-nft ones are actually nicer.
# legacy: Couldn't load target `foobar':No such file or directory
# nft: Chain 'foobar' does not exist
cmd 2 "" -C INPUT -j foobar
# legacy: can't initialize ip6tables table `foobar': Table does not exist (do you need to insmod?)
# nft: table 'foobar' does not exist
cmd 3 "" -t foobar -C INPUT -j ACCEPT
exit $global_rc