iptables/tests/shell/testcases/iptables/0004-return-codes_0 - manifest_repos/iptables - Git at Google

 #!/bin/bash

 # make sure error return codes are as expected useful cases
 # (e.g. commands to check ruleset state)

 global_rc=0

 cmd() { # (rc, msg, cmd, [args ...])
 	rc_exp=$1; shift

 	msg_exp=""
 	[ $rc_exp != 0 ] && {
 		msg_exp="$1"; shift
 	}

 	for ipt in iptables ip6tables; do
 		msg="$($XT_MULTI $ipt "$@" 2>&1 >/dev/null)"
 		rc=$?

 		[ $rc -eq $rc_exp ] || {
 			echo "---> expected return code $rc_exp, got $rc for command '$ipt $@'"
 			global_rc=1
 		}

 		[ -n "$msg_exp" ] || continue
 		msg_exp_full="${ipt}$msg_exp"
 		grep -q "$msg_exp_full" <<< $msg || {
 			echo "---> expected error message '$msg_exp_full', got '$msg' for command '$ipt $@'"
 			global_rc=1
 		}
 	done
 }

 EEXIST_F=": File exists."
 EEXIST=": Chain already exists."
 ENOENT=": No chain/target/match by that name."
 E2BIG_I=": Index of insertion too big."
 E2BIG_D=": Index of deletion too big."
 E2BIG_R=": Index of replacement too big."
 EBADRULE=": Bad rule (does a matching rule exist in that chain?)."
 #ENOTGT=" v[0-9\.]* [^ ]*: Couldn't load target \`foobar':No such file or directory"
 ENOMTH=" v[0-9\.]* [^ ]*: Couldn't load match \`foobar':No such file or directory"
 ENOTBL=": can't initialize iptables table \`foobar': Table does not exist"

 # test chain creation
 cmd 0 -N foo
 cmd 1 "$EEXIST" -N foo
 # iptables-nft allows this - bug or feature?
 #cmd 2 -N "invalid name"

 # test chain flushing/zeroing
 cmd 0 -F foo
 cmd 0 -Z foo
 cmd 1 "$ENOENT" -F bar
 cmd 1 "$ENOENT" -Z bar

 # test chain rename
 cmd 0 -E foo bar
 cmd 1 "$EEXIST_F" -E foo bar
 cmd 1 "$ENOENT" -E foo bar2
 cmd 0 -N foo2
 cmd 1 "$EEXIST_F" -E foo2 bar

 # test rule adding
 cmd 0 -A INPUT -j ACCEPT
 cmd 1 "$ENOENT" -A noexist -j ACCEPT
 # next three differ:
 # legacy: Couldn't load target `foobar':No such file or directory
 # nft:    Chain 'foobar' does not exist
 cmd 2 "" -I INPUT -j foobar
 cmd 2 "" -R INPUT 1 -j foobar
 cmd 2 "" -D INPUT -j foobar
 cmd 1 "$EBADRULE" -D INPUT -p tcp --dport 22 -j ACCEPT

 # test rulenum commands
 cmd 1 "$E2BIG_I" -I INPUT 23 -j ACCEPT
 cmd 1 "$E2BIG_D" -D INPUT 23
 cmd 1 "$E2BIG_R" -R INPUT 23 -j ACCEPT
 cmd 1 "$ENOENT" -I nonexist 23 -j ACCEPT
 cmd 1 "$ENOENT" -D nonexist 23
 cmd 1 "$ENOENT" -R nonexist 23 -j ACCEPT

 # test rule checking
 cmd 0 -C INPUT -j ACCEPT
 cmd 1 "$EBADRULE" -C FORWARD -j ACCEPT
 cmd 1 "$BADRULE" -C nonexist -j ACCEPT
 cmd 2 "$ENOMTH" -C INPUT -m foobar -j ACCEPT
 # messages of those don't match, but iptables-nft ones are actually nicer.
 # legacy: Couldn't load target `foobar':No such file or directory
 # nft:    Chain 'foobar' does not exist
 cmd 2 "" -C INPUT -j foobar
 # legacy: can't initialize ip6tables table `foobar': Table does not exist (do you need to insmod?)
 # nft:    table 'foobar' does not exist
 cmd 3 "" -t foobar -C INPUT -j ACCEPT

 exit $global_rc
	#!/bin/bash

	# make sure error return codes are as expected useful cases
	# (e.g. commands to check ruleset state)

	global_rc=0

	cmd() { # (rc, msg, cmd, [args ...])
	rc_exp=$1; shift

	msg_exp=""
	[ $rc_exp != 0 ] && {
	msg_exp="$1"; shift
	}

	for ipt in iptables ip6tables; do
	msg="$($XT_MULTI $ipt "$@" 2>&1 >/dev/null)"
	rc=$?

	[ $rc -eq $rc_exp ] \|\| {
	echo "---> expected return code $rc_exp, got $rc for command '$ipt $@'"
	global_rc=1
	}

	[ -n "$msg_exp" ] \|\| continue
	msg_exp_full="${ipt}$msg_exp"
	grep -q "$msg_exp_full" <<< $msg \|\| {
	echo "---> expected error message '$msg_exp_full', got '$msg' for command '$ipt $@'"
	global_rc=1
	}
	done
	}

	EEXIST_F=": File exists."
	EEXIST=": Chain already exists."
	ENOENT=": No chain/target/match by that name."
	E2BIG_I=": Index of insertion too big."
	E2BIG_D=": Index of deletion too big."
	E2BIG_R=": Index of replacement too big."
	EBADRULE=": Bad rule (does a matching rule exist in that chain?)."
	#ENOTGT=" v[0-9\.]* [^ ]*: Couldn't load target \`foobar':No such file or directory"
	ENOMTH=" v[0-9\.]* [^ ]*: Couldn't load match \`foobar':No such file or directory"
	ENOTBL=": can't initialize iptables table \`foobar': Table does not exist"

	# test chain creation
	cmd 0 -N foo
	cmd 1 "$EEXIST" -N foo
	# iptables-nft allows this - bug or feature?
	#cmd 2 -N "invalid name"

	# test chain flushing/zeroing
	cmd 0 -F foo
	cmd 0 -Z foo
	cmd 1 "$ENOENT" -F bar
	cmd 1 "$ENOENT" -Z bar

	# test chain rename
	cmd 0 -E foo bar
	cmd 1 "$EEXIST_F" -E foo bar
	cmd 1 "$ENOENT" -E foo bar2
	cmd 0 -N foo2
	cmd 1 "$EEXIST_F" -E foo2 bar

	# test rule adding
	cmd 0 -A INPUT -j ACCEPT
	cmd 1 "$ENOENT" -A noexist -j ACCEPT
	# next three differ:
	# legacy: Couldn't load target `foobar':No such file or directory
	# nft: Chain 'foobar' does not exist
	cmd 2 "" -I INPUT -j foobar
	cmd 2 "" -R INPUT 1 -j foobar
	cmd 2 "" -D INPUT -j foobar
	cmd 1 "$EBADRULE" -D INPUT -p tcp --dport 22 -j ACCEPT

	# test rulenum commands
	cmd 1 "$E2BIG_I" -I INPUT 23 -j ACCEPT
	cmd 1 "$E2BIG_D" -D INPUT 23
	cmd 1 "$E2BIG_R" -R INPUT 23 -j ACCEPT
	cmd 1 "$ENOENT" -I nonexist 23 -j ACCEPT
	cmd 1 "$ENOENT" -D nonexist 23
	cmd 1 "$ENOENT" -R nonexist 23 -j ACCEPT

	# test rule checking
	cmd 0 -C INPUT -j ACCEPT
	cmd 1 "$EBADRULE" -C FORWARD -j ACCEPT
	cmd 1 "$BADRULE" -C nonexist -j ACCEPT
	cmd 2 "$ENOMTH" -C INPUT -m foobar -j ACCEPT
	# messages of those don't match, but iptables-nft ones are actually nicer.
	# legacy: Couldn't load target `foobar':No such file or directory
	# nft: Chain 'foobar' does not exist
	cmd 2 "" -C INPUT -j foobar
	# legacy: can't initialize ip6tables table `foobar': Table does not exist (do you need to insmod?)
	# nft: table 'foobar' does not exist
	cmd 3 "" -t foobar -C INPUT -j ACCEPT

	exit $global_rc