From 80a2490889e21025796e021e307dba25a4c05e07 Mon Sep 17 00:00:00 2001 
From: Max Kellermann Date: Sat, 8 Mar 2008 22:57:03 +0000 Subject: [PATCH] removed canonical.pl from test suite, do raw diff -u, many changes to test suite because of that git-svn-id: svn+ssh://foo-projects.org/var/svn/ferm/trunk@1139 887c3e53-ddf1-0310-8e39-e0d3fab4ed34 --- Makefile | 47 +++++----- src/ferm | 13 ++- test/canonical.pl | 185 -------------------------------------- test/ipv6/basic.result | 2 +- test/ipv6/icmpv6.result | 4 +- test/ipv6/mh.result | 2 +- test/misc/autovar.result | 1 - test/misc/backticks.result | 18 ++-- test/misc/base.result | 4 +- test/misc/chain.result | 4 +- test/misc/comments.result | 6 +- test/misc/def.result | 46 +++++----- test/misc/mod_unknown.result | 2 +- test/misc/negation.result | 4 +- test/misc/policy.result | 3 +- test/misc/policy2.result | 2 +- test/misc/stack.result | 6 +- test/misc/stringex.result | 10 +-- test/misc/subchain-domains.result | 4 +- test/misc/subchain.result | 36 ++++---- test/modules/account.result | 6 +- test/modules/addrtype.result | 10 +-- test/modules/ah.result | 16 ++-- test/modules/comment.result | 4 +- test/modules/connbytes.result | 4 +- test/modules/connlimit.result | 4 +- test/modules/conntrack.result | 24 ++--- test/modules/dscp.result | 6 +- test/modules/ecn.result | 10 +-- test/modules/esp.result | 10 +-- test/modules/hashlimit.result | 4 +- test/modules/hbh.result | 8 +- test/modules/helper.result | 8 +- test/modules/hl.result | 10 +-- test/modules/iprange.result | 8 +- test/modules/ipv6header.result | 4 +- test/modules/multiport.result | 12 +-- test/modules/owner.result | 10 +-- test/modules/physdev.result | 14 +-- test/modules/policy.result | 4 +- test/modules/quota.result | 1 - test/modules/random.result | 2 +- test/modules/realm.result | 8 +- test/modules/recent.result | 4 +- test/modules/rt.result | 10 +-- test/modules/state.result | 2 +- test/modules/string.result | 4 +- test/modules/time.result | 22 ++--- test/modules/tos.result | 12 +-- test/protocols/dccp.result | 10 +-- 
test/protocols/sctp.result | 6 +- test/protocols/tcp.result | 4 +- test/targets/balance.result | 2 +- test/targets/classify.result | 2 +- test/targets/dnat.result | 1 - test/targets/dscp.result | 2 +- test/targets/ecn.result | 2 +- test/targets/hl.result | 7 +- test/targets/log.result | 2 +- test/targets/mark.result | 1 - test/targets/nflog.result | 12 +-- test/targets/nfqueue.result | 2 +- test/targets/route.result | 2 +- test/targets/same.result | 6 +- test/targets/set.result | 1 - test/targets/snat.result | 6 +- 66 files changed, 264 insertions(+), 444 deletions(-) delete mode 100755 test/canonical.pl rewrite test/misc/backticks.result (100%) rewrite test/misc/def.result (100%) rewrite test/modules/ah.result (62%) rewrite test/modules/conntrack.result (99%) rewrite test/modules/multiport.result (100%) rewrite test/modules/time.result (95%) rewrite test/modules/tos.result (83%) diff --git a/Makefile b/Makefile index d523bbb..597a5f1 100644 --- a/Makefile +++ b/Makefile 
@@ -52,22 +52,37 @@ FERM_SCRIPTS = FERM_SCRIPTS += $(wildcard test/modules/*.ferm) $(wildcard test/targets/*.ferm) FERM_SCRIPTS += $(wildcard test/protocols/*.ferm) $(wildcard test/misc/*.ferm) FERM_SCRIPTS += $(wildcard test/ipv6/*.ferm) +FERM_SCRIPTS += $(wildcard test/arptables/*.ferm) $(wildcard test/ebtables/*.ferm) EXCLUDE_IMPORT = test/misc/subchain-domains.ferm -IMPORT_SCRIPTS = $(filter-out $(EXCLUDE_IMPORT),$(FERM_SCRIPTS)) - -FERM_20_SCRIPTS := $(wildcard test/arptables/*.ferm) $(wildcard test/ebtables/*.ferm) +IMPORT_SCRIPTS = $(filter-out $(EXCLUDE_IMPORT) test/arptables/% test/ebtables/%,$(FERM_SCRIPTS)) + +# just a hack +RESULT_SED += -e 's,--protocol tcp --match tcp,-p tcp,g' +RESULT_SED += -e 's,--protocol udp --match udp,-p udp,g' +RESULT_SED += -e 's,-p tcp -m tcp,-p tcp,g' +RESULT_SED += -e 's,-p udp -m udp,-p udp,g' +RESULT_SED += -e 's,--protocol,-p,g' +RESULT_SED += -e 's,--in-interface,-i,g' +RESULT_SED += -e 's,--out-interface,-o,g' +RESULT_SED += -e 's,--destination,-d,g' +RESULT_SED += -e 's,--source,-s,g' +RESULT_SED += -e 's,--match,-m,g' +RESULT_SED += -e 's,--jump,-j,g' +RESULT_SED += -e 's,--goto,-g,g' +RESULT_SED += -e 's,--fragment,-f,g' + +$(STAMPDIR)/test/arptables/%.result: test/arptables/%.ferm $(NEW_FERM) + @mkdir -p $(dir $@) + $(PERL) $(NEW_FERM) $(NEW_OPTIONS) $< |sed $(RESULT_SED) >$@ -$(STAMPDIR)/%.OLD: %.result test/canonical.pl +$(STAMPDIR)/test/ebtables/%.result: test/ebtables/%.ferm $(NEW_FERM) @mkdir -p $(dir $@) - $(PERL) test/canonical.pl <$< >$@ + $(PERL) $(NEW_FERM) $(NEW_OPTIONS) $< |sed $(RESULT_SED) >$@ $(STAMPDIR)/%.result: %.ferm $(NEW_FERM) @mkdir -p $(dir $@) - $(PERL) $(NEW_FERM) $(NEW_OPTIONS) $< >$@ - -$(STAMPDIR)/%.NEW: $(STAMPDIR)/%.result test/canonical.pl - $(PERL) test/canonical.pl <$< >$@ + $(PERL) $(NEW_FERM) --noflush $(NEW_OPTIONS) $< |sed $(RESULT_SED) >$@ $(STAMPDIR)/%.SAVE: %.ferm $(NEW_FERM) @mkdir -p $(dir $@) 
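Review bot: In the three new `.result` recipes the exit status of `$(PERL) $(NEW_FERM) …` is lost, because a pipeline reports only the status of the trailing `sed`; a ferm run that dies part-way still leaves a `.result` file that looks up to date. Writing the raw output first keeps the failure visible: `$(PERL) $(NEW_FERM) --noflush $(NEW_OPTIONS) $< >$@.raw` followed by `sed $(RESULT_SED) $@.raw >$@`, and likewise for the arptables and ebtables rules. `RESULT_SED` is also built only with `+=`, and no empty `RESULT_SED =` is visible in this hunk, unlike the `FERM_SCRIPTS =` that appears in the hunk header. A value inherited from the environment would therefore be prepended to the sed arguments, so an explicit reset before the first `+=` is worth adding.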
@@ -81,25 +96,17 @@ $(STAMPDIR)/%.IMPORT: $(STAMPDIR)/%.SAVE src/import-ferm $(STAMPDIR)/%.SAVE2: $(STAMPDIR)/%.IMPORT $(NEW_FERM) $(PERL) $(NEW_FERM) $(NEW_OPTIONS) --fast $< |grep -v '^#' >$@ -$(STAMPDIR)/%.check: $(STAMPDIR)/%.OLD $(STAMPDIR)/%.NEW - diff -u $^ +$(STAMPDIR)/%.check: %.result $(STAMPDIR)/%.result + sed $(RESULT_SED) $< |diff -u - $(STAMPDIR)/$< @touch $@ $(STAMPDIR)/%.check-import: $(STAMPDIR)/%.SAVE $(STAMPDIR)/%.SAVE2 diff -u $^ @touch $@ -$(STAMPDIR_20)/%.result: %.ferm $(NEW_FERM) - @mkdir -p $(dir $@) - $(PERL) $(NEW_FERM) $(NEW_OPTIONS) $< |sed -e 's,--jump,-j,g' >$@ - -$(STAMPDIR_20)/%.check: %.result $(STAMPDIR_20)/%.result - diff -u $^ - @touch $@ - .PHONY : check-ferm check-import check -check-ferm: $(patsubst %.ferm,$(STAMPDIR)/%.check,$(FERM_SCRIPTS)) $(patsubst %.ferm,$(STAMPDIR_20)/%.check,$(FERM_20_SCRIPTS)) +check-ferm: $(patsubst %.ferm,$(STAMPDIR)/%.check,$(FERM_SCRIPTS)) check-import: $(patsubst %.ferm,$(STAMPDIR)/%.check-import,$(IMPORT_SCRIPTS)) diff --git a/src/ferm b/src/ferm index 6d7023e..9563661 100755 --- a/src/ferm +++ b/src/ferm @@ -416,7 +416,7 @@ unshift @stack, {}; # Get command line stuff if ($has_getopt) { - my ($opt_noexec, $opt_flush, $opt_lines, $opt_interactive, + my ($opt_noexec, $opt_flush, $opt_noflush, $opt_lines, $opt_interactive, $opt_verbose, $opt_debug, $opt_help, $opt_version, $opt_test, $opt_fast, $opt_shell, @@ -440,6 +440,7 @@ if ($has_getopt) { local $SIG{__WARN__} = sub { die $_[0]; }; GetOptions('noexec|n' => \$opt_noexec, 'flush|F' => \$opt_flush, + 'noflush' => \$opt_noflush, 'lines|l' => \$opt_lines, 'interactive|i' => \$opt_interactive, 'verbose|v' => \$opt_verbose, @@ -466,6 +467,7 @@ if ($has_getopt) { $option{'noexec'} = (defined $opt_noexec); $option{flush} = defined $opt_flush; + $option{noflush} = defined $opt_noflush; $option{'lines'} = (defined $opt_lines); $option{interactive} = (defined $opt_interactive); $option{test} = (defined $opt_test); 
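Review bot: The new `%.check` rule pipes the expected file through the same `$(RESULT_SED)` that already rewrote the generated output, so the comparison cannot see a difference between long and short option spellings, or between `-p tcp -m tcp` and `-p tcp`. That limit deserves a comment above the rule, for example `# both sides are normalised by RESULT_SED: option spelling and the implicit tcp/udp match are not compared`. The substitutions (defined in the earlier Makefile hunk) are unanchored, so they also rewrite matching text inside quoted arguments on both sides. As a style point, `$(STAMPDIR)/$<` rebuilds the second prerequisite by hand where `$(word 2,$^)` names it directly.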
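Review bot: Nothing in the three src/ferm option hunks rejects `--flush` given together with `--noflush`; both flags are simply stored in `%option`. In the `execute_slow` hunk further down, that combination skips the clearing commands and then reaches `next if $option{flush};`, so as far as the visible lines show the run does nothing for that table and does not say why. A check after the assignments, such as `die "--flush and --noflush cannot be combined\n" if $option{flush} and $option{noflush};`, would make the conflict explicit. No help or usage text for the new option appears in the visible lines; if the usage message lives elsewhere in the file it should mention `--noflush`.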
@@ -2193,12 +2195,15 @@ sub execute_slow($$) { next unless $chain_info->{builtin} or (not $table_info->{has_builtin} and is_netfilter_builtin_chain($table, $chain)); - $status ||= execute_command("$table_cmd -P $chain ACCEPT"); + $status ||= execute_command("$table_cmd -P $chain ACCEPT") + unless $option{noflush}; } # clear - $status ||= execute_command("$table_cmd -F"); - $status ||= execute_command("$table_cmd -X"); + unless ($option{noflush}) { + $status ||= execute_command("$table_cmd -F"); + $status ||= execute_command("$table_cmd -X"); + } next if $option{flush}; diff --git a/test/canonical.pl b/test/canonical.pl deleted file mode 100755 index 33d2446..0000000 --- a/test/canonical.pl +++ /dev/null 
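Review bot: With `--noflush` set, this part of `execute_slow` no longer resets policies or runs `-F`/`-X`, so the rules that follow are added on top of whatever the tables already hold and the effective ruleset depends on prior state. The Makefile in this commit passes the flag only to keep those lines out of the test output, and a comment at the new `unless` block should say so, e.g. `# --noflush: leave existing rules, chains and policies untouched (used by the test suite; result depends on current table state)`. The policy line now carries its `unless` modifier on a continuation line, and the loop around it starts outside the hunk; guarding the whole loop with the same `unless ($option{noflush})` block would read more plainly. Whether the `--fast` path honours the option is not visible here.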
@@ -1,185 +0,0 @@ -#!/usr/bin/perl -w -# $Id$ -# -# Canonicalize ferm output. You can use this script to check whether -# the output from two ferm versions are functionally identical. This -# is used in the compatibility tests. -# -# Author: Max Kellermann (max@duempel.org) - -use strict; - -sub shell_unescape { - my $token = shift; - $token =~ s/\\'/'/g; - $token =~ s/^(["'])(.*)\1/$2/s; - return $token; -} - -my $data; - -while (<>) { - next if /^\s*(?:#.*)?$/s; - - # workaround: not supported in ipchains - next - if /cannot set the policy for non-built in chains, exiting|Cannot create new chains if using ipfwadm|Ipfwadm allows only accept, masq, deny and reject targets/; - - # execute backticks - s/`(.*?)`/`$1`/egs; - - if (s/^(ip6?)tables //) { - my $item; - - $item->{domain} = $1; - - # get table - my $table; - s/-t (\w+)/$table = $1; ''/eg; - $table = 'filter' - unless defined $table; - - # get command and chain - my ($command, $chain); - - if (s/-P (\w+) (\w+)//g) { - if ($2 eq 'ACCEPT') { - delete $data->{iptables}{$table}{$1}{policy} - if exists $data->{iptables}{$table} - and exists $data->{iptables}{$table}{$1}; - } else { - $data->{iptables}{$table}{$1}{policy} = $2; - } - next; - } - - s/-([ALFZNXE])(?: ([-\w]+))?/($command, $chain) = ($1, $2); ''/eg; - - next if $command eq 'F' or $command eq 'X'; - - if ($command eq 'N') { - if (defined $chain) { - push @{$data->{iptables}{$table}{$chain}{rules}}, $command; - } else { - push @{$data->{iptables}{$table}{rules}}, $command; - } - next; - } - - die 'no chain specified' - unless defined $chain; - - # module list - my %modules; - s/--match/-m/g; - s/-m (\w+)/$modules{$1} = 1; ''/eg; - $item->{modules} = [ grep { not /^(?:tcp|udp|icmp)$/ } keys %modules ]; - - # short to long - s/-j\b/--jump/g; - s/-g\b/--goto/g; - s/-i\b/--in-interface/g; - s/-o\b/--out-interface/g; - s/-p\b/--protocol/g; - s/-d\b/--destination/g; - s/-s\b/--source/g; - s/-f\b/--fragment/g; - - # evaluate options with name collisions - 
s/--set\s+(\w+)\s+([\w,]+)/$item->{ipset_set} = [$1, $2]; ''/eg - if exists $modules{set}; - - # evaluate options with zero, one, two parameters - s/(?:(!)\s*)?--(syn|clamp-mss-to-pmtu|set|rcheck|log-tcp-sequence|log-tcp-options|log-ip-options|continue|save-mark|restore-mark|save|restore|fragment|ecn-tcp-cwr|ecn-tcp-ece|physdev-is-(?:in|out|bridged)|strict|next|frag(res|first|more|last)|nodst|random|ssrr|lsrr|no-srr|rr|ts|ra|any-opt|ecn-tcp-remove|ahres|soft|rt-0-res|rt-0-not-strict|ashort|new|rttl|rsource|rdest|utc|localtz)(?:\s|$)/$item->{$2} = $1; ''/eg; - s/--(tcp-flags|chunk-types|add-set|del-set)\s+(?:(\!)\s+)?(\S+)\s+(\S+)/$item->{$1} = [ $2, $3, $4 ]; ''/eg; - s/(?:(!)\s*)?--(iplimit-above|src-range|dst-range|connlimit-above|connbytes|tos)\s+(\S+)/$item->{$2} = [ $1, $2 ]; ''/eg; - s/--(\w[-\w]*)\s+(!)?\s*(".*?"|'.*?'|\S+)/$item->{$1} = (defined $2 ? "$2\t" : "") . shell_unescape($3); ''/eg; - - # after we parsed everything we know, nothing must be left - die "unparsed rest from line $.: $_" - if /\S/; - - # add this item - push @{$data->{iptables}{$table}{$chain}{rules}}, $item; - } elsif (s/^ipchains //) { - my $item; - - # get command and chain - my ($command, $chain); - - if (s/-P (\w+) (\w+)//g) { - $data->{ipchains}{$1}{policy} = $2; - next; - } - - s/-([AFZNX])(?: (\w+))?/($command, $chain) = ($1, $2); ''/eg; - - if ($command eq 'F' or $command eq 'N' or $command eq 'X') { - if (defined $chain) { - delete $data->{ipchains}{$chain}{rules}; - } else { - delete $data->{ipchains}; - } - next; - } - - die 'no chain specified' - unless defined $chain; - - # short to long - s/-j\b/--jump/g; - s/-i\b/--interface/g; - s/-d\b/--destination/g; - s/-s\b/--source/g; - s/-l\b/--log/g; - s/-p\b/--protocol/g; - s/-y\b/--syn/g; - - # evaluate options with zero, one parameter - s/(!\s*)?--(log|syn)\b/$item->{$2} = $1; ''/eg; - s/--(jump|protocol|interface|destination|source|protocol| - dport|destination-port|sport|source-port - )\s+(".*?"|(?:!\s*)?\S+)/$item->{$1} = 
$2; ''/egx; - - # after we parsed everything we know, nothing must be left - die "unparsed rest from line $.: $_" - if /\S/; - - # add this item - push @{$data->{ipchains}{$chain}{rules}}, $item; - } elsif (s/^ipfwadm //) { - my $item; - - # get chain - s/-([IOF])// - or die "No chain in line $."; - - my $chain = $1; - - # handle command - if (s/-p (\w+)//) { - $data->{ipfwadm}{$chain}{policy} = $1; - next; - } - - $item->{policy} = $1 - if s/-a (\w+)//; - - # evaluate options - s/-([m])/$item->{$1} = 1; ''/eg; - s/-([PVW])\s+((?:!\s*)?\S+)/$item->{$1} = $2; ''/egx; - - # after we parsed everything we know, nothing must be left - die "unparsed rest from line $.: $_" - if /\S/; - - # add this item - push @{$data->{ipfwadm}{$chain}{rules}}, $item; - } else { - die "syntax error line $."; - } -} - -use Data::Dumper; -$Data::Dumper::Sortkeys = 1; -print Dumper($data); diff --git a/test/ipv6/basic.result b/test/ipv6/basic.result index 3d56be7..32d025d 100644 --- a/test/ipv6/basic.result +++ b/test/ipv6/basic.result @@ -1 +1 @@ -ip6tables -t filter -A INPUT -p tcp --dport ssh -j ACCEPT +ip6tables -t filter -A INPUT -p tcp --dport ssh -j ACCEPT diff --git a/test/ipv6/icmpv6.result b/test/ipv6/icmpv6.result index 22bbfb8..f069ec3 100644 --- a/test/ipv6/icmpv6.result +++ b/test/ipv6/icmpv6.result @@ -1,2 +1,2 @@ -ip6tables -t filter -A INPUT -p icmpv6 -m icmp6 --icmpv6-type router-solicitation -j ACCEPT -ip6tables -t filter -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j DROP +ip6tables -t filter -A INPUT -p icmpv6 -m icmp6 --icmpv6-type router-solicitation -j ACCEPT +ip6tables -t filter -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j DROP diff --git a/test/ipv6/mh.result b/test/ipv6/mh.result index 85e0a70..df315ab 100644 --- a/test/ipv6/mh.result +++ b/test/ipv6/mh.result 
@@ -1,4 +1,4 @@ ip6tables -t filter -A INPUT -p mh -m mh --mh-type home-test -j ACCEPT -ip6tables -t filter -A INPUT -p mh -m mh --mh-type !binding-update -j DROP +ip6tables -t filter -A INPUT -p mh -m mh --mh-type ! binding-update -j DROP ip6tables -t filter -A INPUT -p ipv6-mh -m mh --mh-type binding-acknowledgement -j REJECT ip6tables -t filter -A INPUT -p ipv6-mh -m mh --mh-type binding-error -j REJECT diff --git a/test/misc/autovar.result b/test/misc/autovar.result index f57db0f..c8bbada 100644 --- a/test/misc/autovar.result +++ b/test/misc/autovar.result @@ -1,4 +1,3 @@ iptables -t filter -A INPUT -j LOG --log-prefix 'in filter ' iptables -t filter -A INPUT -j LOG --log-prefix 'in INPUT ' iptables -t filter -A INPUT -j LOG --log-prefix 'in filter/INPUT ' - diff --git a/test/misc/backticks.result b/test/misc/backticks.result dissimilarity index 100% index 1815717..e3b6a1e 100644 --- a/test/misc/backticks.result +++ b/test/misc/backticks.result @@ -1,9 +1,9 @@ -iptables -t filter -A INPUT -p tcp --dport 8080 -j ACCEPT -iptables -t filter -A INPUT -p tcp --dport 8081 -j ACCEPT -iptables -t filter -A INPUT -p tcp --dport 8082 -j ACCEPT -iptables -t filter -A INPUT -p tcp --sport http -j REJECT -iptables -t filter -A INPUT -p tcp --sport https -j REJECT -iptables -t filter -A INPUT -p tcp --sport ftp -j REJECT -iptables -t filter -A INPUT -p udp -j DROP -iptables -t filter -A INPUT -p ah -j ACCEPT -iptables -t filter -A INPUT -p esp -j ACCEPT +iptables -t filter -A INPUT -p tcp --dport 8080 -j ACCEPT +iptables -t filter -A INPUT -p tcp --dport 8081 -j ACCEPT +iptables -t filter -A INPUT -p tcp --dport 8082 -j ACCEPT +iptables -t filter -A INPUT -p tcp --sport http -j REJECT +iptables -t filter -A INPUT -p tcp --sport https -j REJECT +iptables -t filter -A INPUT -p tcp --sport ftp -j REJECT +iptables -t filter -A INPUT -p udp -j DROP +iptables -t filter -A INPUT -p ah -j ACCEPT +iptables -t filter -A INPUT -p esp -j ACCEPT 
diff --git a/test/misc/base.result b/test/misc/base.result index 6690cbd..4864e15 100644 --- a/test/misc/base.result +++ b/test/misc/base.result @@ -1,5 +1,5 @@ -iptables -t filter -A INPUT -s 192.168.0.0/24 -i eth0 -j ACCEPT -iptables -t filter -A INPUT -d 195.0.0.0/8 -o ppp0 -p esp -j DROP +iptables -t filter -A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT +iptables -t filter -A INPUT -o ppp0 -p esp -d 195.0.0.0/8 -j DROP iptables -t filter -A INPUT -f -j LOG iptables -t filter -A INPUT -p ah ! -f -j ACCEPT iptables -t filter -A INPUT -p ! udp -j DROP diff --git a/test/misc/chain.result b/test/misc/chain.result index 764920e..4bd877b 100644 --- a/test/misc/chain.result +++ b/test/misc/chain.result @@ -1,6 +1,6 @@ +iptables -t filter -N BAR iptables -t filter -N FOO -iptables -t filter -A FOO -j ACCEPT iptables -t filter -A INPUT -p tcp -j FOO -iptables -t filter -N BAR iptables -t filter -A INPUT -p udp -j BAR iptables -t filter -A BAR -j DROP +iptables -t filter -A FOO -j ACCEPT diff --git a/test/misc/comments.result b/test/misc/comments.result index 8ee0800..843f6da 100644 --- a/test/misc/comments.result +++ b/test/misc/comments.result @@ -1,3 +1,3 @@ -iptables -t filter -A INPUT -s 192.168.0.3 -j ACCEPT -iptables -t filter -A INPUT -s 192.168.0.1 -j REJECT -iptables -t filter -A INPUT -d 192.168.0.2 -j ACCEPT +iptables -t filter -A INPUT -s 192.168.0.3 -j ACCEPT +iptables -t filter -A INPUT -s 192.168.0.1 -j REJECT +iptables -t filter -A INPUT -d 192.168.0.2 -j ACCEPT diff --git a/test/misc/def.result b/test/misc/def.result dissimilarity index 100% index 4b726aa..0ad8178 100644 --- a/test/misc/def.result +++ b/test/misc/def.result 
@@ -1,23 +1,23 @@ -iptables -t filter -A INPUT -p http -j ACCEPT -iptables -t filter -A INPUT -p ftp -j ACCEPT -iptables -t filter -A INPUT -p ah -j DROP -iptables -t filter -A OUTPUT -p tcp --dport https -j REJECT -iptables -t filter -A OUTPUT -p tcp --dport http -j REJECT -iptables -t filter -A OUTPUT -p tcp --dport ftp -j REJECT -iptables -t filter -A OUTPUT -p tcp --dport ntp -j REJECT -iptables -t filter -A OUTPUT -p ah -j ACCEPT -iptables -t filter -A OUTPUT -p esp -j ACCEPT -iptables -t filter -A FORWARD -p tcp --dport http -j ACCEPT -iptables -t filter -A FORWARD -p udp --dport domain -j ACCEPT -iptables -t filter -A FORWARD -p tcp --dport 8080 -j REJECT -iptables -t filter -A FORWARD -p tcp --dport 3128 -j REJECT -iptables -t filter -A FORWARD -p tcp --dport http -j ACCEPT -iptables -t filter -A FORWARD -p tcp --dport ftp -j ACCEPT -iptables -t filter -A FORWARD -i ppp0 -o eth0 -p tcp -d 192.168.1.33 --dport http -j ACCEPT -iptables -t nat -A PREROUTING -i ppp0 -p tcp -d 1.2.3.4 --dport http -j DNAT --to-destination 192.168.1.33 -iptables -t filter -A FORWARD -i ppp0 -o eth0 -p tcp -d 192.168.1.30 --dport ftp -j ACCEPT -iptables -t nat -A PREROUTING -i ppp0 -p tcp -d 1.2.3.4 --dport ftp -j DNAT --to-destination 192.168.1.30 -iptables -t filter -A FORWARD -i ppp0 -o eth0 -p tcp -d 192.168.1.2 --dport ssh -j ACCEPT -iptables -t filter -A FORWARD -i ppp0 -o eth0 -p tcp -d 192.168.1.2 --dport smtp -j ACCEPT -iptables -t nat -A PREROUTING -i ppp0 -p tcp -d 1.2.3.4 --dport ssh -j DNAT --to-destination 192.168.1.2 -iptables -t nat -A PREROUTING -i ppp0 -p tcp -d 1.2.3.4 --dport smtp -j DNAT --to-destination 192.168.1.2 +iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport http -d 1.2.3.4 -j DNAT --to-destination 192.168.1.33 +iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport ftp -d 1.2.3.4 -j DNAT --to-destination 192.168.1.30 +iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport ssh -d 1.2.3.4 -j DNAT --to-destination 192.168.1.2 +iptables -t nat -A 
PREROUTING -i ppp0 -p tcp --dport smtp -d 1.2.3.4 -j DNAT --to-destination 192.168.1.2 +iptables -t filter -A FORWARD -p tcp --dport http -j ACCEPT +iptables -t filter -A FORWARD -p udp --dport domain -j ACCEPT +iptables -t filter -A FORWARD -p tcp --dport 8080 -j REJECT +iptables -t filter -A FORWARD -p tcp --dport 3128 -j REJECT +iptables -t filter -A FORWARD -p tcp --dport http -j ACCEPT +iptables -t filter -A FORWARD -p tcp --dport ftp -j ACCEPT +iptables -t filter -A FORWARD -i ppp0 -p tcp --dport http -d 192.168.1.33 -o eth0 -j ACCEPT +iptables -t filter -A FORWARD -i ppp0 -p tcp --dport ftp -d 192.168.1.30 -o eth0 -j ACCEPT +iptables -t filter -A FORWARD -i ppp0 -p tcp --dport ssh -d 192.168.1.2 -o eth0 -j ACCEPT +iptables -t filter -A FORWARD -i ppp0 -p tcp --dport smtp -d 192.168.1.2 -o eth0 -j ACCEPT +iptables -t filter -A INPUT -p http -j ACCEPT +iptables -t filter -A INPUT -p ftp -j ACCEPT +iptables -t filter -A INPUT -p ah -j DROP +iptables -t filter -A OUTPUT -p tcp --dport https -j REJECT +iptables -t filter -A OUTPUT -p tcp --dport http -j REJECT +iptables -t filter -A OUTPUT -p tcp --dport ftp -j REJECT +iptables -t filter -A OUTPUT -p tcp --dport ntp -j REJECT +iptables -t filter -A OUTPUT -j ACCEPT -p ah +iptables -t filter -A OUTPUT -j ACCEPT -p esp diff --git a/test/misc/mod_unknown.result b/test/misc/mod_unknown.result index 1db71e1..382b51d 100644 --- a/test/misc/mod_unknown.result +++ b/test/misc/mod_unknown.result @@ -1 +1 @@ -iptables -A INPUT -m xyz -j ACCEPT +iptables -t filter -A INPUT -m xyz -j ACCEPT diff --git a/test/misc/negation.result b/test/misc/negation.result index 775dbbd..2cf0ab2 100644 --- a/test/misc/negation.result +++ b/test/misc/negation.result @@ -1,2 +1,2 @@ -iptables -t filter -A INPUT -p ! tcp -j DROP -iptables -t filter -A INPUT -p ! udp -j ACCEPT +iptables -t filter -A INPUT -p ! tcp -j DROP +iptables -t filter -A INPUT -p ! udp -j ACCEPT 
diff --git a/test/misc/policy.result b/test/misc/policy.result index 2b657ed..741930f 100644 --- a/test/misc/policy.result +++ b/test/misc/policy.result @@ -1,5 +1,4 @@ iptables -t nat -P FORWARD DROP iptables -t nat -A FORWARD -j ACCEPT -iptables -t filter -P INPUT DROP -iptables -t filter -P OUTPUT ACCEPT iptables -t filter -P FORWARD DROP +iptables -t filter -P INPUT DROP diff --git a/test/misc/policy2.result b/test/misc/policy2.result index 9ac8aa1..dcc90e4 100644 --- a/test/misc/policy2.result +++ b/test/misc/policy2.result @@ -1,2 +1,2 @@ iptables -t filter -P INPUT DROP -iptables -t filter -A INPUT -p tcp -m tcp --dport http -j ACCEPT +iptables -t filter -A INPUT -p tcp -m tcp --dport http -j ACCEPT diff --git a/test/misc/stack.result b/test/misc/stack.result index 45120cb..a9cd50f 100644 --- a/test/misc/stack.result +++ b/test/misc/stack.result @@ -1,3 +1,3 @@ -iptables -t filter -A INPUT -p tcp -j ACCEPT -iptables -t filter -A INPUT -i eth0 -p udp -j DROP -iptables -t filter -A INPUT -p tcp -j ACCEPT +iptables -t filter -A INPUT -p tcp -j ACCEPT +iptables -t filter -A INPUT -i eth0 -p udp -j DROP +iptables -t filter -A INPUT -p tcp -j ACCEPT diff --git a/test/misc/stringex.result b/test/misc/stringex.result index 7c7b71f..e8e7edc 100644 --- a/test/misc/stringex.result +++ b/test/misc/stringex.result 
@@ -1,8 +1,8 @@ -iptables -t filter -A INPUT -j LOG --log-prefix foo -iptables -t filter -A INPUT -j LOG --log-prefix foo -iptables -t filter -A INPUT -j LOG --log-prefix $A -iptables -t filter -A INPUT -j LOG --log-prefix foo -iptables -t filter -A INPUT -j LOG --log-prefix 'pre foo post' +iptables -t filter -A INPUT -j LOG --log-prefix foo +iptables -t filter -A INPUT -j LOG --log-prefix foo +iptables -t filter -A INPUT -j LOG --log-prefix $A +iptables -t filter -A INPUT -j LOG --log-prefix foo +iptables -t filter -A INPUT -j LOG --log-prefix 'pre foo post' iptables -t filter -A INPUT -j LOG --log-prefix 'another $A one' iptables -t filter -A INPUT -j LOG --log-prefix 'foo double $A' iptables -t filter -A INPUT -j LOG --log-prefix foo:abc:bar diff --git a/test/misc/subchain-domains.result b/test/misc/subchain-domains.result index d404ccd..ea15dbe 100644 --- a/test/misc/subchain-domains.result +++ b/test/misc/subchain-domains.result @@ -1,6 +1,6 @@ iptables -t filter -N ferm_auto_1 -iptables -t filter -A ferm_auto_1 -p udp -m udp --dport domain -j ACCEPT iptables -t filter -A INPUT -p udp -j ferm_auto_1 +iptables -t filter -A ferm_auto_1 -p udp -m udp --dport domain -j ACCEPT ip6tables -t filter -N ferm_auto_1 -ip6tables -t filter -A ferm_auto_1 -p udp -m udp --dport domain -j ACCEPT ip6tables -t filter -A INPUT -p udp -j ferm_auto_1 +ip6tables -t filter -A ferm_auto_1 -p udp -m udp --dport domain -j ACCEPT diff --git a/test/misc/subchain.result b/test/misc/subchain.result index 68ef826..c34219d 100644 --- a/test/misc/subchain.result +++ b/test/misc/subchain.result 
@@ -1,21 +1,21 @@ +iptables -t nat -N ferm_auto_4 +iptables -t nat -A ferm_auto_4 -s 192.168.1.0/24 -j MASQUERADE +iptables -t nat -A POSTROUTING -o ppp0 -j ferm_auto_4 +iptables -t filter -N ferm_auto_3 iptables -t filter -N my-udp_subchain -iptables -t filter -A my-udp_subchain -p udp -d 192.168.1.0/24 -j ACCEPT +iptables -t filter -N ferm_auto_2 iptables -t filter -N ferm_auto_1 -iptables -t filter -A ferm_auto_1 -p tcp -m tcp --dport http -j ACCEPT -iptables -t filter -A ferm_auto_1 -p tcp -m tcp --dport https -j ACCEPT -iptables -t filter -A ferm_auto_1 -p tcp -m tcp --dport 445 -j TARPIT -iptables -t filter -A ferm_auto_1 -p tcp -m tcp --dport 137:139 -j TARPIT -iptables -t filter -A ferm_auto_1 -p tcp -j DROP iptables -t filter -A INPUT -p udp -j my-udp_subchain -iptables -t filter -A INPUT -p tcp -j ferm_auto_1 -iptables -t filter -N ferm_auto_3 -iptables -t filter -A ferm_auto_3 -p tcp -m tcp --dport ssh -j ACCEPT -iptables -t filter -A ferm_auto_3 -p tcp -j REJECT -iptables -t filter -N ferm_auto_2 -iptables -t filter -A ferm_auto_2 -p tcp -j ferm_auto_3 -iptables -t filter -A INPUT -s 1.2.3.4 -i eth1 -j ferm_auto_2 -iptables -t filter -A INPUT -s 1.2.3.5 -i eth1 -j ferm_auto_2 -iptables -t filter -A INPUT -s 2.3.4.5 -i eth1 -j ferm_auto_2 -iptables -t nat -N ferm_auto_4 -iptables -t nat -A ferm_auto_4 -s 192.168.1.0/24 -j MASQUERADE -iptables -t nat -A POSTROUTING -o ppp0 -j ferm_auto_4 +iptables -t filter -A INPUT -p tcp -j ferm_auto_1 +iptables -t filter -A INPUT -i eth1 -s 1.2.3.4 -j ferm_auto_2 +iptables -t filter -A INPUT -i eth1 -s 1.2.3.5 -j ferm_auto_2 +iptables -t filter -A INPUT -i eth1 -s 2.3.4.5 -j ferm_auto_2 +iptables -t filter -A ferm_auto_3 -p tcp -m tcp --dport ssh -j ACCEPT +iptables -t filter -A ferm_auto_3 -p tcp -j REJECT +iptables -t filter -A my-udp_subchain -p udp -d 192.168.1.0/24 -j ACCEPT +iptables -t filter -A ferm_auto_2 -p tcp -j ferm_auto_3 +iptables -t filter -A ferm_auto_1 -p tcp -m tcp --dport http -j ACCEPT +iptables -t 
filter -A ferm_auto_1 -p tcp -m tcp --dport https -j ACCEPT +iptables -t filter -A ferm_auto_1 -p tcp -m tcp --dport 445 -j TARPIT +iptables -t filter -A ferm_auto_1 -p tcp -m tcp --dport 137:139 -j TARPIT +iptables -t filter -A ferm_auto_1 -p tcp -j DROP diff --git a/test/modules/account.result b/test/modules/account.result index 077067a..520469b 100644 --- a/test/modules/account.result +++ b/test/modules/account.result @@ -1,3 +1,3 @@ -iptables -A INPUT -m account --aname mynetwork --aaddr 192.168.0.0/24 -iptables -A INPUT -p tcp --dport 80 -m account --aname mywwwserver --aaddr 192.168.0.0/24 --ashort -iptables -A INPUT -p tcp --sport 80 -m account --aname mywwwserver --aaddr 192.168.0.0/24 --ashort +iptables -t filter -A INPUT -m account --aname mynetwork --aaddr 192.168.0.0/24 +iptables -t filter -A INPUT -m account -p tcp --dport 80 --aname mywwwserver --aaddr 192.168.0.0/24 --ashort +iptables -t filter -A INPUT -m account -p tcp --sport 80 --aname mywwwserver --aaddr 192.168.0.0/24 --ashort diff --git a/test/modules/addrtype.result b/test/modules/addrtype.result index 5d7823c..8426c1a 100644 --- a/test/modules/addrtype.result +++ b/test/modules/addrtype.result @@ -1,5 +1,5 @@ -iptables -t filter -A INPUT -m addrtype -j ACCEPT --src-type UNSPEC -iptables -t filter -A INPUT -m addrtype -j ACCEPT --src-type BLACKHOLE -iptables -t filter -A INPUT -m addrtype -j ACCEPT --src-type PROHIBIT -iptables -t filter -A INPUT -m addrtype -j ACCEPT --src-type UNICAST -iptables -t filter -A INPUT -m addrtype -j ACCEPT --src-type BROADCAST +iptables -t filter -A INPUT -m addrtype --src-type UNSPEC -j ACCEPT +iptables -t filter -A INPUT -m addrtype --src-type BLACKHOLE -j ACCEPT +iptables -t filter -A INPUT -m addrtype --src-type PROHIBIT -j ACCEPT +iptables -t filter -A INPUT -m addrtype --src-type UNICAST -j ACCEPT +iptables -t filter -A INPUT -m addrtype --src-type BROADCAST -j ACCEPT 
diff --git a/test/modules/ah.result b/test/modules/ah.result dissimilarity index 62% index 808fa32..c5f793a 100644 --- a/test/modules/ah.result +++ b/test/modules/ah.result @@ -1,8 +1,8 @@ -iptables -t filter -A INPUT -m ah -j ACCEPT --ahspi 0x100 -iptables -t filter -A INPUT -m ah -j DROP --ahspi ! 0x101 -iptables -t filter -A INPUT -m ah -j REJECT --ahspi 0x102 -iptables -t filter -A INPUT -m ah -j REJECT --ahspi 0x105 -iptables -t filter -A INPUT -m ah -j REJECT --ahspi 0x200:0x2ff -iptables -t filter -A INPUT -m ah --ahlen 32 --ahres -j ACCEPT -iptables -t filter -A INPUT -m ah --ahlen 16 --ahres -j ACCEPT -iptables -t filter -A INPUT -m ah --ahlen ! 32 -j DROP +iptables -t filter -A INPUT -m ah --ahspi 0x100 -j ACCEPT +iptables -t filter -A INPUT -m ah --ahspi ! 0x101 -j DROP +iptables -t filter -A INPUT -m ah --ahspi 0x102 -j REJECT +iptables -t filter -A INPUT -m ah --ahspi 0x105 -j REJECT +iptables -t filter -A INPUT -m ah --ahspi 0x200:0x2ff -j REJECT +iptables -t filter -A INPUT -m ah --ahlen 32 --ahres -j ACCEPT +iptables -t filter -A INPUT -m ah --ahlen 16 --ahres -j ACCEPT +iptables -t filter -A INPUT -m ah --ahlen ! 32 -j DROP diff --git a/test/modules/comment.result b/test/modules/comment.result index b036d0c..09dc5e7 100644 --- a/test/modules/comment.result +++ b/test/modules/comment.result @@ -1,2 +1,2 @@ -iptables -t filter -A INPUT -m comment --comment "This is a comment" -j ACCEPT -iptables -t filter -A INPUT -m comment --comment " funny whitespaces " -j DROP +iptables -t filter -A INPUT -m comment --comment 'This is a comment' -j ACCEPT +iptables -t filter -A INPUT -m comment --comment ' funny whitespaces ' -j DROP diff --git a/test/modules/connbytes.result b/test/modules/connbytes.result index 1256ff0..44f3f2b 100644 --- a/test/modules/connbytes.result +++ b/test/modules/connbytes.result 
@@ -1,2 +1,2 @@ -iptables -t filter -A INPUT -m connbytes -j ACCEPT --connbytes 1024:4096 --connbytes-dir both --connbytes-mode packets -iptables -t filter -A INPUT -m connbytes -j DROP ! --connbytes 2048: --connbytes-dir original --connbytes-mode bytes +iptables -t filter -A INPUT -m connbytes --connbytes 1024:4096 --connbytes-dir both --connbytes-mode packets -j ACCEPT +iptables -t filter -A INPUT -m connbytes ! --connbytes 2048: --connbytes-dir original --connbytes-mode bytes -j DROP diff --git a/test/modules/connlimit.result b/test/modules/connlimit.result index 6986c99..cf8a447 100644 --- a/test/modules/connlimit.result +++ b/test/modules/connlimit.result @@ -1,2 +1,2 @@ -iptables -t filter -A INPUT -m connlimit -j REJECT --connlimit-mask 24 --connlimit-above 4 -iptables -t filter -A INPUT -m connlimit -j DROP ! --connlimit-above 2 +iptables -t filter -A INPUT -m connlimit --connlimit-mask 24 --connlimit-above 4 -j REJECT +iptables -t filter -A INPUT -m connlimit ! --connlimit-above 2 -j DROP diff --git a/test/modules/conntrack.result b/test/modules/conntrack.result dissimilarity index 99% index cd41d34..d17ed49 100644 --- a/test/modules/conntrack.result +++ b/test/modules/conntrack.result 
@@ -1,12 +1,12 @@ -iptables -t filter -A INPUT -m conntrack -j DROP --ctstate INVALID -iptables -t filter -A INPUT -m conntrack -j REJECT --ctstate DNAT,SNAT -iptables -t filter -A INPUT -m conntrack -j ACCEPT --ctproto ftp -iptables -t filter -A INPUT -m conntrack -j ACCEPT --ctorigsrc 10.0.0.0/8 -iptables -t filter -A INPUT -m conntrack -j ACCEPT --ctorigdst 127.0.0.01 -iptables -t filter -A INPUT -m conntrack -j ACCEPT --ctreplsrc ! 1.2.3.3 -iptables -t filter -A INPUT -m conntrack -j ACCEPT --ctreplsrc ! 1.2.3.4 -iptables -t filter -A INPUT -m conntrack -j REJECT --ctrepldst 1.2.3.5 -iptables -t filter -A INPUT -m conntrack -j REJECT --ctrepldst 1.2.3.6 -iptables -t filter -A INPUT -m conntrack -j ACCEPT --ctstatus ASSURED -iptables -t filter -A INPUT -m conntrack -j ACCEPT --ctstatus EXPECTED -iptables -t filter -A INPUT -m conntrack -j ACCEPT --ctexpire 10 +iptables -t filter -A INPUT -m conntrack --ctstate INVALID -j DROP +iptables -t filter -A INPUT -m conntrack --ctstate DNAT,SNAT -j REJECT +iptables -t filter -A INPUT -m conntrack --ctproto ftp -j ACCEPT +iptables -t filter -A INPUT -m conntrack --ctorigsrc 10.0.0.0/8 -j ACCEPT +iptables -t filter -A INPUT -m conntrack --ctorigdst 127.0.0.01 -j ACCEPT +iptables -t filter -A INPUT -m conntrack --ctreplsrc ! 1.2.3.3 -j ACCEPT +iptables -t filter -A INPUT -m conntrack --ctreplsrc ! 1.2.3.4 -j ACCEPT +iptables -t filter -A INPUT -m conntrack --ctrepldst 1.2.3.5 -j REJECT +iptables -t filter -A INPUT -m conntrack --ctrepldst 1.2.3.6 -j REJECT +iptables -t filter -A INPUT -m conntrack --ctstatus ASSURED -j ACCEPT +iptables -t filter -A INPUT -m conntrack --ctstatus EXPECTED -j ACCEPT +iptables -t filter -A INPUT -m conntrack --ctexpire 10 -j ACCEPT diff --git a/test/modules/dscp.result b/test/modules/dscp.result index de31be3..9208419 100644 --- a/test/modules/dscp.result +++ b/test/modules/dscp.result 
@@ -1,3 +1,3 @@
-iptables -t filter -A INPUT -j ACCEPT -m dscp --dscp 1
-iptables -t filter -A INPUT -j ACCEPT -m dscp --dscp 2
-iptables -t filter -A INPUT -j DROP -m dscp --dscp-class AF41
+iptables -t filter -A INPUT -m dscp --dscp 1 -j ACCEPT
+iptables -t filter -A INPUT -m dscp --dscp 2 -j ACCEPT
+iptables -t filter -A INPUT -m dscp --dscp-class AF41 -j DROP
diff --git a/test/modules/ecn.result b/test/modules/ecn.result
index 9570547..8f46dc0 100644
--- a/test/modules/ecn.result
+++ b/test/modules/ecn.result
@@ -1,5 +1,5 @@
-iptables -t filter -A INPUT -j ACCEPT -m ecn --ecn-tcp-cwr
-iptables -t filter -A INPUT -j DROP -m ecn --ecn-tcp-cwr --ecn-tcp-ece
-iptables -t filter -A INPUT -j ACCEPT -m ecn --ecn-ip-ect 0
-iptables -t filter -A INPUT -j DROP -m ecn --ecn-ip-ect 1
-iptables -t filter -A INPUT -j DROP -m ecn --ecn-ip-ect 3
+iptables -t filter -A INPUT -m ecn --ecn-tcp-cwr -j ACCEPT
+iptables -t filter -A INPUT -m ecn --ecn-tcp-cwr --ecn-tcp-ece -j DROP
+iptables -t filter -A INPUT -m ecn --ecn-ip-ect 0 -j ACCEPT
+iptables -t filter -A INPUT -m ecn --ecn-ip-ect 1 -j DROP
+iptables -t filter -A INPUT -m ecn --ecn-ip-ect 3 -j DROP
diff --git a/test/modules/esp.result b/test/modules/esp.result
index 3f4b44b..9122450 100644
--- a/test/modules/esp.result
+++ b/test/modules/esp.result
@@ -1,5 +1,5 @@
-iptables -t filter -A INPUT -m esp -j ACCEPT --espspi 0x100
-iptables -t filter -A INPUT -m esp -j DROP --espspi ! 0x101
-iptables -t filter -A INPUT -m esp -j REJECT --espspi 0x102
-iptables -t filter -A INPUT -m esp -j REJECT --espspi 0x105
-iptables -t filter -A INPUT -m esp -j REJECT --espspi 0x200:0x2ff
+iptables -t filter -A INPUT -m esp --espspi 0x100 -j ACCEPT
+iptables -t filter -A INPUT -m esp --espspi ! 0x101 -j DROP
+iptables -t filter -A INPUT -m esp --espspi 0x102 -j REJECT
+iptables -t filter -A INPUT -m esp --espspi 0x105 -j REJECT
+iptables -t filter -A INPUT -m esp --espspi 0x200:0x2ff -j REJECT
diff --git a/test/modules/hashlimit.result b/test/modules/hashlimit.result
index 2158b72..0cc098e 100644
--- a/test/modules/hashlimit.result
+++ b/test/modules/hashlimit.result
@@ -1,2 +1,2 @@
-iptables -t filter -A INPUT -m hashlimit -j DROP --hashlimit 10/minute --hashlimit-burst 30/minute --hashlimit-mode dstip --hashlimit-name foobar
-iptables -t filter -A INPUT -m hashlimit -j ACCEPT --hashlimit-htable-size 1024 --hashlimit-htable-max 4096 --hashlimit-htable-expire 600 --hashlimit-htable-gcinterval 180
+iptables -t filter -A INPUT -m hashlimit --hashlimit 10/minute --hashlimit-burst 30/minute --hashlimit-mode dstip --hashlimit-name foobar -j DROP
+iptables -t filter -A INPUT -m hashlimit --hashlimit-htable-size 1024 --hashlimit-htable-max 4096 --hashlimit-htable-expire 600 --hashlimit-htable-gcinterval 180 -j ACCEPT
diff --git a/test/modules/hbh.result b/test/modules/hbh.result
index 13d8769..a1ceb06 100644
--- a/test/modules/hbh.result
+++ b/test/modules/hbh.result
@@ -1,4 +1,4 @@
-iptables -A INPUT -m hbh --hbh-len 5 -j ACCEPT
-iptables -A INPUT -m hbh --hbh-len ! 7 -j DROP
-iptables -A INPUT -m hbh --hbh-opts 4:5 -j REJECT
-iptables -A INPUT -m hbh --hbh-opts 6:7,8:9,10:11 -j ACCEPT
+iptables -t filter -A INPUT -m hbh --hbh-len 5 -j ACCEPT
+iptables -t filter -A INPUT -m hbh --hbh-len ! 7 -j DROP
+iptables -t filter -A INPUT -m hbh --hbh-opts 4:5 -j REJECT
+iptables -t filter -A INPUT -m hbh --hbh-opts 6:7,8:9,10:11 -j ACCEPT
diff --git a/test/modules/helper.result b/test/modules/helper.result
index f234db6..7239ec3 100644
--- a/test/modules/helper.result
+++ b/test/modules/helper.result
@@ -1,4 +1,4 @@
-iptables -t filter -A INPUT -m helper -j ACCEPT --helper irc
-iptables -t filter -A INPUT -m helper -j DROP --helper ftp-21
-iptables -t filter -A INPUT -m helper -j REJECT --helper irc
-iptables -t filter -A INPUT -m helper -j REJECT --helper h323
+iptables -t filter -A INPUT -m helper --helper irc -j ACCEPT
+iptables -t filter -A INPUT -m helper --helper ftp-21 -j DROP
+iptables -t filter -A INPUT -m helper --helper irc -j REJECT
+iptables -t filter -A INPUT -m helper --helper h323 -j REJECT
diff --git a/test/modules/hl.result b/test/modules/hl.result
index 0c568fc..3079862 100644
--- a/test/modules/hl.result
+++ b/test/modules/hl.result
@@ -1,5 +1,5 @@
-iptables -A INPUT -m hl --hl-eq 8 -j ACCEPT
-iptables -A INPUT -m hl --hl-eq 10 -j ACCEPT
-iptables -A INPUT -m hl --hl-eq ! 5 -j ACCEPT
-iptables -A INPUT -m hl --hl-gt 15 -j DROP
-iptables -A INPUT -m hl --hl-lt 2 -j REJECT
+iptables -t filter -A INPUT -m hl --hl-eq 8 -j ACCEPT
+iptables -t filter -A INPUT -m hl --hl-eq 10 -j ACCEPT
+iptables -t filter -A INPUT -m hl --hl-eq ! 5 -j ACCEPT
+iptables -t filter -A INPUT -m hl --hl-gt 15 -j DROP
+iptables -t filter -A INPUT -m hl --hl-lt 2 -j REJECT
diff --git a/test/modules/iprange.result b/test/modules/iprange.result
index dbe8799..63e7ff8 100644
--- a/test/modules/iprange.result
+++ b/test/modules/iprange.result
@@ -1,4 +1,4 @@
-iptables -t filter -A INPUT -m iprange -j ACCEPT --src-range 10.0.0.0-10.1.0.0
-iptables -t filter -A INPUT -m iprange -j ACCEPT ! --dst-range 10.2.0.0-10.3.0.0
-iptables -t filter -A INPUT -m iprange -j DROP --dst-range 10.2.0.0-10.3.0.0
-iptables -t filter -A INPUT -m iprange -j DROP --dst-range 172.16.0.0-172.16.15.0
+iptables -t filter -A INPUT -m iprange --src-range 10.0.0.0-10.1.0.0 -j ACCEPT
+iptables -t filter -A INPUT -m iprange ! --dst-range 10.2.0.0-10.3.0.0 -j ACCEPT
+iptables -t filter -A INPUT -m iprange --dst-range 10.2.0.0-10.3.0.0 -j DROP
+iptables -t filter -A INPUT -m iprange --dst-range 172.16.0.0-172.16.15.0 -j DROP
diff --git a/test/modules/ipv6header.result b/test/modules/ipv6header.result
index c4b3665..3610920 100644
--- a/test/modules/ipv6header.result
+++ b/test/modules/ipv6header.result
@@ -1,2 +1,2 @@
-iptables -A INPUT -m ipv6header --header ! hop,frag -j ACCEPT
-iptables -A INPUT -m ipv6header --header auth,dst --soft -j ACCEPT
+iptables -t filter -A INPUT -m ipv6header --header ! hop,frag -j ACCEPT
+iptables -t filter -A INPUT -m ipv6header --header auth,dst --soft -j ACCEPT
diff --git a/test/modules/multiport.result b/test/modules/multiport.result
dissimilarity index 100%
index d7a327c..5d40274 100644
--- a/test/modules/multiport.result
+++ b/test/modules/multiport.result
@@ -1,6 +1,6 @@
-iptables -t filter -A INPUT -m multiport -p tcp -j ACCEPT --source-ports 1,2,3
-iptables -t filter -A INPUT -m multiport -p udp -j ACCEPT --destination-ports 3,5,6,7,8,9
-iptables -t filter -A INPUT -m multiport -p tcp -j ACCEPT --ports 1024,1234
-iptables -t filter -A INPUT -m multiport -p tcp -j ACCEPT --destination-ports 100,101,102,103,104,105,106,107,108,109,110,111,112,113,114
-iptables -t filter -A INPUT -m multiport -p tcp -j ACCEPT --destination-ports 115
-iptables -t filter -A INPUT -m multiport -p tcp -j DROP --destination-ports ! 200,201,202
+iptables -t filter -A INPUT -m multiport -p tcp --source-ports 1,2,3 -j ACCEPT
+iptables -t filter -A INPUT -m multiport -p udp --destination-ports 3,5,6,7,8,9 -j ACCEPT
+iptables -t filter -A INPUT -m multiport -p tcp --ports 1024,1234 -j ACCEPT
+iptables -t filter -A INPUT -m multiport -p tcp --destination-ports 100,101,102,103,104,105,106,107,108,109,110,111,112,113,114 -j ACCEPT
+iptables -t filter -A INPUT -m multiport -p tcp --destination-ports 115 -j ACCEPT
+iptables -t filter -A INPUT -m multiport -p tcp --destination-ports ! 200,201,202 -j DROP
diff --git a/test/modules/owner.result b/test/modules/owner.result
index fe9a4f2..329b8af 100644
--- a/test/modules/owner.result
+++ b/test/modules/owner.result
@@ -1,5 +1,5 @@
-iptables -t filter -A OUTPUT -m owner -j REJECT --reject-with icmp-net-prohibited --uid-owner 500
-iptables -t filter -A OUTPUT -m owner -j ACCEPT --gid-owner 100
-iptables -t filter -A OUTPUT -m owner -j ACCEPT --pid-owner 16000
-iptables -t filter -A OUTPUT -m owner -j DROP --sid-owner 15000
-iptables -t filter -A OUTPUT -m owner -j ACCEPT --cmd-owner perl
+iptables -t filter -A OUTPUT -m owner --uid-owner 500 -j REJECT --reject-with icmp-net-prohibited
+iptables -t filter -A OUTPUT -m owner --gid-owner 100 -j ACCEPT
+iptables -t filter -A OUTPUT -m owner --pid-owner 16000 -j ACCEPT
+iptables -t filter -A OUTPUT -m owner --sid-owner 15000 -j DROP
+iptables -t filter -A OUTPUT -m owner --cmd-owner perl -j ACCEPT
diff --git a/test/modules/physdev.result b/test/modules/physdev.result
index 718ae8b..489f79a 100644
--- a/test/modules/physdev.result
+++ b/test/modules/physdev.result
@@ -1,11 +1,11 @@
-iptables -t filter -A INPUT -m physdev -j DROP --physdev-in eth0
-iptables -t filter -A INPUT -m physdev -j DROP --physdev-in ppp0
+iptables -t filter -A INPUT -m physdev --physdev-in eth0 -j DROP
+iptables -t filter -A INPUT -m physdev --physdev-in ppp0 -j DROP
 iptables -t filter -A INPUT -m physdev --physdev-in ! eth1 -j ACCEPT
-iptables -t filter -A INPUT -m physdev -j ACCEPT --physdev-out ppp1
+iptables -t filter -A INPUT -m physdev --physdev-out ppp1 -j ACCEPT
 iptables -t filter -A INPUT -m physdev --physdev-out ! ppp2 -j ACCEPT
-iptables -t filter -A INPUT -m physdev -j DROP --physdev-is-in
-iptables -t filter -A INPUT -m physdev ! --physdev-is-in -j ACCEPT
-iptables -t filter -A INPUT -m physdev -j ACCEPT --physdev-is-out
+iptables -t filter -A INPUT -m physdev --physdev-is-in -j DROP
+iptables -t filter -A INPUT -m physdev ! --physdev-is-in -j ACCEPT
+iptables -t filter -A INPUT -m physdev --physdev-is-out -j ACCEPT
 iptables -t filter -A INPUT -m physdev ! --physdev-is-out -j DROP
-iptables -t filter -A INPUT -m physdev -j REJECT --physdev-is-bridged
+iptables -t filter -A INPUT -m physdev --physdev-is-bridged -j REJECT
 iptables -t filter -A INPUT -m physdev ! --physdev-is-bridged -j ACCEPT
diff --git a/test/modules/policy.result b/test/modules/policy.result
index 8b53bc7..496e5be 100644
--- a/test/modules/policy.result
+++ b/test/modules/policy.result
@@ -1,3 +1,3 @@
-iptables -t filter -A INPUT -m policy --proto esp --strict --mode transport --dir out --spi 0xbeef -j ACCEPT
-iptables -t filter -A INPUT -m policy --mode tunnel --tunnel-src 192.168.1.2 --tunnel-dst 192.168.2.1 -j ACCEPT
+iptables -t filter -A INPUT -m policy --dir out --strict --spi 0xbeef --proto esp --mode transport -j ACCEPT
+iptables -t filter -A INPUT -m policy --mode tunnel --tunnel-src 192.168.1.2 --tunnel-dst 192.168.2.1 -j ACCEPT
 iptables -t filter -A INPUT -m policy --next -j DROP
diff --git a/test/modules/quota.result b/test/modules/quota.result
index be46317..43deecf 100644
--- a/test/modules/quota.result
+++ b/test/modules/quota.result
@@ -1,2 +1 @@
 iptables -t filter -A INPUT -m quota --quota 1024 -j ACCEPT
-
diff --git a/test/modules/random.result b/test/modules/random.result
index 011d455..c0d8664 100644
--- a/test/modules/random.result
+++ b/test/modules/random.result
@@ -1 +1 @@
-iptables -t filter -A INPUT -m random -j ACCEPT --average 90
+iptables -t filter -A INPUT -m random --average 90 -j ACCEPT
diff --git a/test/modules/realm.result b/test/modules/realm.result
index c4660de..cc1c478 100644
--- a/test/modules/realm.result
+++ b/test/modules/realm.result
@@ -1,4 +1,4 @@
-iptables -t filter -A INPUT -m realm -j ACCEPT --realm 5
-iptables -t filter -A INPUT -m realm -j DROP --realm ! 2
-iptables -t filter -A INPUT -m realm -j REJECT --realm 8
-iptables -t filter -A INPUT -m realm -j REJECT --realm 9
+iptables -t filter -A INPUT -m realm --realm 5 -j ACCEPT
+iptables -t filter -A INPUT -m realm --realm ! 2 -j DROP
+iptables -t filter -A INPUT -m realm --realm 8 -j REJECT
+iptables -t filter -A INPUT -m realm --realm 9 -j REJECT
diff --git a/test/modules/recent.result b/test/modules/recent.result
index 751dc7c..86ed2d0 100644
--- a/test/modules/recent.result
+++ b/test/modules/recent.result
@@ -1,3 +1,3 @@
-iptables -t filter -A INPUT -m recent -j DROP --seconds 60 --rcheck
-iptables -t filter -A INPUT -i eth0 -m recent -d 127.0.0.0/8 -j DROP --set
+iptables -t filter -A INPUT -m recent --rcheck --seconds 60 -j DROP
+iptables -t filter -A INPUT -m recent -i eth0 -d 127.0.0.0/8 --set -j DROP
 iptables -t filter -A INPUT -m recent --rsource --rdest -j ACCEPT
diff --git a/test/modules/rt.result b/test/modules/rt.result
index a4a98d5..1a1f005 100644
--- a/test/modules/rt.result
+++ b/test/modules/rt.result
@@ -1,5 +1,5 @@
-iptables -A INPUT -m rt --rt-type 2 --rt-len 20 -j ACCEPT
-iptables -A INPUT -m rt --rt-type ! 2 --rt-len ! 20 -j ACCEPT
-iptables -A INPUT -m rt --rt-segsleft 2:3 -j ACCEPT
-iptables -A INPUT -m rt --rt-segsleft ! 4:5 -j ACCEPT
-iptables -A INPUT -m rt --rt-0-res --rt-0-addrs ::1,::2 --rt-0-not-strict -j ACCEPT
+iptables -t filter -A INPUT -m rt --rt-type 2 --rt-len 20 -j ACCEPT
+iptables -t filter -A INPUT -m rt --rt-type ! 2 --rt-len ! 20 -j ACCEPT
+iptables -t filter -A INPUT -m rt --rt-segsleft 2:3 -j ACCEPT
+iptables -t filter -A INPUT -m rt --rt-segsleft ! 4:5 -j ACCEPT
+iptables -t filter -A INPUT -m rt --rt-0-res --rt-0-addrs ::1,::2 --rt-0-not-strict -j ACCEPT
diff --git a/test/modules/state.result b/test/modules/state.result
index fb63a10..ee6ae8a 100644
--- a/test/modules/state.result
+++ b/test/modules/state.result
@@ -1,5 +1,5 @@
 iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-iptables -t filter -A INPUT -m state -p tcp -m tcp --dport ssh --state NEW -j ACCEPT
+iptables -t filter -A INPUT -m state -p tcp --state NEW --dport ssh -j ACCEPT
 iptables -t filter -A INPUT -m state -p tcp --state RELATED,INVALID -j DROP
 iptables -t filter -A INPUT -m state -p tcp -j REJECT
 iptables -t filter -A INPUT -m state -j DROP
diff --git a/test/modules/string.result b/test/modules/string.result
index 75a5d51..45a7267 100644
--- a/test/modules/string.result
+++ b/test/modules/string.result
@@ -1,2 +1,2 @@
-iptables -A INPUT -m string --string "foo bar" -j ACCEPT
-iptables -A INPUT -m string --algo kmp --from 64 --to 128 --hex-string "deadbeef" -j ACCEPT
+iptables -t filter -A INPUT -m string --string 'foo bar' -j ACCEPT
+iptables -t filter -A INPUT -m string --algo kmp --from 64 --to 128 --hex-string deadbeef -j ACCEPT
diff --git a/test/modules/time.result b/test/modules/time.result
dissimilarity index 95%
index 5a258c2..f949e70 100644
--- a/test/modules/time.result
+++ b/test/modules/time.result
@@ -1,11 +1,11 @@
-iptables -t filter -A INPUT -p tcp -m time --dport ssh -j ACCEPT --timestart 09:00 --timestop 18:00
-iptables -t filter -A INPUT -p tcp -m time --dport ssh -j REJECT --reject-with icmp-host-prohibited
-iptables -t filter -A INPUT -m time -j DROP --days Sun
-iptables -t filter -A INPUT -m time -j REJECT --days Fri,Sat
-iptables -t filter -A INPUT -p tcp -m time --dport http -j ACCEPT --datestart 2005/02/01
-iptables -t filter -A INPUT -p tcp -m time --dport http -j REJECT
-iptables -t filter -A INPUT -m time -j DROP --datestop 2004/12/31
-iptables -t filter -A INPUT -m time -j DROP --datestop 2004/12/31 --timestart 09:00 --utc
-iptables -t filter -A INPUT -m time -j DROP --datestop 2004/12/31 --timestart 18:00 --localtz
-iptables -t filter -A INPUT -m time -j ACCEPT --monthday 1,2,3
-iptables -t filter -A INPUT -m time -j ACCEPT --weekdays Mon,Tue,Wed
+iptables -t filter -A INPUT -m time -p tcp --dport ssh --timestart 09:00 --timestop 18:00 -j ACCEPT
+iptables -t filter -A INPUT -m time -p tcp --dport ssh -j REJECT --reject-with icmp-host-prohibited
+iptables -t filter -A INPUT -m time --days Sun -j DROP
+iptables -t filter -A INPUT -m time --days Fri,Sat -j REJECT
+iptables -t filter -A INPUT -m time -p tcp --dport http --datestart 2005/02/01 -j ACCEPT
+iptables -t filter -A INPUT -m time -p tcp --dport http -j REJECT
+iptables -t filter -A INPUT -m time --datestop 2004/12/31 -j DROP
+iptables -t filter -A INPUT -m time --datestop 2004/12/31 --timestart 09:00 --utc -j DROP
+iptables -t filter -A INPUT -m time --datestop 2004/12/31 --timestart 18:00 --localtz -j DROP
+iptables -t filter -A INPUT -m time --monthday 1,2,3 -j ACCEPT
+iptables -t filter -A INPUT -m time --weekdays Mon,Tue,Wed -j ACCEPT
diff --git a/test/modules/tos.result b/test/modules/tos.result
dissimilarity index 83%
index e71d1cf..3024b0a 100644
--- a/test/modules/tos.result
+++ b/test/modules/tos.result
@@ -1,6 +1,6 @@
-iptables -t filter -A INPUT -m tos -j ACCEPT --tos Minimize-Delay
-iptables -t filter -A INPUT -m tos -j ACCEPT --tos Maximize-Throughput
-iptables -t filter -A INPUT -m tos -j ACCEPT --tos Maximize-Reliability
-iptables -t filter -A INPUT -m tos -j ACCEPT --tos Minimize-Cost
-iptables -t filter -A INPUT -m tos -j ACCEPT --tos Normal-Service
-iptables -t filter -A INPUT -m tos ! --tos Normal-Service -j DROP
+iptables -t filter -A INPUT -m tos --tos Minimize-Delay -j ACCEPT
+iptables -t filter -A INPUT -m tos --tos Maximize-Throughput -j ACCEPT
+iptables -t filter -A INPUT -m tos --tos Maximize-Reliability -j ACCEPT
+iptables -t filter -A INPUT -m tos --tos Minimize-Cost -j ACCEPT
+iptables -t filter -A INPUT -m tos --tos Normal-Service -j ACCEPT
+iptables -t filter -A INPUT -m tos ! --tos Normal-Service -j DROP
diff --git a/test/protocols/dccp.result b/test/protocols/dccp.result
index 689f8d4..c766894 100644
--- a/test/protocols/dccp.result
+++ b/test/protocols/dccp.result
@@ -1,5 +1,5 @@
-iptables -A INPUT -p dccp -m dccp --sport 1234 --dport 5678 -j ACCEPT
-iptables -A INPUT -p dccp -m dccp --dccp-types DATA,CLOSEREQ -j DROP
-iptables -A INPUT -p dccp -m dccp --dccp-types ! RESET,SYNC -j REJECT
-iptables -A INPUT -p dccp -m dccp --dccp-option 100 -j ACCEPT
-iptables -A INPUT -p dccp -m dccp --dccp-option ! 99 -j DROP
+iptables -t filter -A INPUT -p dccp -m dccp --sport 1234 --dport 5678 -j ACCEPT
+iptables -t filter -A INPUT -p dccp -m dccp --dccp-types DATA,CLOSEREQ -j DROP
+iptables -t filter -A INPUT -p dccp -m dccp --dccp-types ! RESET,SYNC -j REJECT
+iptables -t filter -A INPUT -p dccp -m dccp --dccp-option 100 -j ACCEPT
+iptables -t filter -A INPUT -p dccp -m dccp --dccp-option ! 99 -j DROP
diff --git a/test/protocols/sctp.result b/test/protocols/sctp.result
index 9f4690b..10e077d 100644
--- a/test/protocols/sctp.result
+++ b/test/protocols/sctp.result
@@ -1,3 +1,3 @@
-iptables -A INPUT -p sctp -m sctp --sport 1234 --dport 5678 -j ACCEPT
-iptables -A INPUT -p sctp -m sctp --chunk-types any DATA,INIT -j DROP
-iptables -A INPUT -p sctp -m sctp --chunk-types all DATA:Be -j ACCEPT
+iptables -t filter -A INPUT -p sctp -m sctp --sport 1234 --dport 5678 -j ACCEPT
+iptables -t filter -A INPUT -p sctp -m sctp --chunk-types any DATA,INIT -j DROP
+iptables -t filter -A INPUT -p sctp -m sctp --chunk-types all DATA:Be -j ACCEPT
diff --git a/test/protocols/tcp.result b/test/protocols/tcp.result
index b1cbade..c3c2aa7 100644
--- a/test/protocols/tcp.result
+++ b/test/protocols/tcp.result
@@ -1,8 +1,8 @@
 iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
 iptables -t filter -A INPUT -p tcp --dport ! 22 -j DROP
 iptables -t filter -A INPUT -p tcp --tcp-flags SYN,FIN,RST SYN -j DROP
-iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags ! SYN,RST RST -j ACCEPT
-iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags ! RST RST -j REJECT
+iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags ! SYN,RST RST -j ACCEPT
+iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags ! RST RST -j REJECT
 iptables -t filter -A INPUT -p tcp --syn -j REJECT
 iptables -t filter -A INPUT -p tcp ! --syn -j ACCEPT
 iptables -t filter -A INPUT -p tcp --tcp-option 2 -j ACCEPT
diff --git a/test/targets/balance.result b/test/targets/balance.result
index 0216146..b832cc2 100644
--- a/test/targets/balance.result
+++ b/test/targets/balance.result
@@ -1 +1 @@
-iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j BALANCE --to-destination 192.168.1.10-19
+iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j BALANCE --to-destination 192.168.1.10-19
diff --git a/test/targets/classify.result b/test/targets/classify.result
index 6669992..b646030 100644
--- a/test/targets/classify.result
+++ b/test/targets/classify.result
@@ -1 +1 @@
-iptables -t filter -A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j CLASSIFY --set-class 2:10
+iptables -t filter -A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j CLASSIFY --set-class 2:10
diff --git a/test/targets/dnat.result b/test/targets/dnat.result
index 4b706ca..37ba23f 100644
--- a/test/targets/dnat.result
+++ b/test/targets/dnat.result
@@ -1,4 +1,3 @@
 iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.0.0.1
 iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.2 --to-destination 10.0.0.3
 iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.1 --random
-
diff --git a/test/targets/dscp.result b/test/targets/dscp.result
index 790df48..50bd5f7 100644
--- a/test/targets/dscp.result
+++ b/test/targets/dscp.result
@@ -1 +1 @@
-iptables -A INPUT -j DSCP --set-dscp 2 --set-dscp-class 3
+iptables -t filter -A INPUT -j DSCP --set-dscp 2 --set-dscp-class 3
diff --git a/test/targets/ecn.result b/test/targets/ecn.result
index cc5a82d..a329235 100644
--- a/test/targets/ecn.result
+++ b/test/targets/ecn.result
@@ -1 +1 @@
-iptables -A INPUT -j ECN --ecn-tcp-remove
+iptables -t filter -A INPUT -j ECN --ecn-tcp-remove
diff --git a/test/targets/hl.result b/test/targets/hl.result
index 749ff43..25d1823 100644
--- a/test/targets/hl.result
+++ b/test/targets/hl.result
@@ -1,4 +1,3 @@
-iptables -A INPUT -j HL --hl-set 5
-iptables -A INPUT -j HL --hl-dec 2
-iptables -A INPUT -j HL --hl-inc 1
-
+iptables -t filter -A INPUT -j HL --hl-set 5
+iptables -t filter -A INPUT -j HL --hl-dec 2
+iptables -t filter -A INPUT -j HL --hl-inc 1
diff --git a/test/targets/log.result b/test/targets/log.result
index 2841666..854e331 100644
--- a/test/targets/log.result
+++ b/test/targets/log.result
@@ -2,4 +2,4 @@ iptables -t filter -A INPUT -j LOG
 iptables -t filter -A INPUT -j LOG --log-prefix 'foo bar'
 iptables -t filter -A INPUT -j LOG --log-prefix 'foo;bar'
 iptables -t filter -A INPUT -j LOG --log-prefix foo{}bar
-iptables -t filter -A INPUT -j LOG --log-ip-options --log-tcp-sequence --log-tcp-options
+iptables -t filter -A INPUT -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options
diff --git a/test/targets/mark.result b/test/targets/mark.result
index 70a1422..c4e3dd5 100644
--- a/test/targets/mark.result
+++ b/test/targets/mark.result
@@ -3,4 +3,3 @@ iptables -t filter -A INPUT -p udp -j MARK --set-xmark 7/3
 iptables -t filter -A INPUT -p udp -j MARK --and-mark 31
 iptables -t filter -A INPUT -p udp -j MARK --or-mark 1
 iptables -t filter -A INPUT -p udp -j MARK --xor-mark 12
-
diff --git a/test/targets/nflog.result b/test/targets/nflog.result
index 91cd97c..0e4498c 100644
--- a/test/targets/nflog.result
+++ b/test/targets/nflog.result
@@ -1,6 +1,6 @@
-iptables -A INPUT -j NFLOG
-iptables -A INPUT -j NFLOG --nflog-group 1
-iptables -A INPUT -j NFLOG --nflog-prefix "foo;bar"
-iptables -A INPUT -j NFLOG --nflog-prefix "foo{}bar"
-iptables -A INPUT -j NFLOG --nflog-range 100
-iptables -A INPUT -j NFLOG --nflog-threshold 200
+iptables -t filter -A INPUT -j NFLOG
+iptables -t filter -A INPUT -j NFLOG --nflog-group 1
+iptables -t filter -A INPUT -j NFLOG --nflog-prefix 'foo;bar'
+iptables -t filter -A INPUT -j NFLOG --nflog-prefix foo{}bar
+iptables -t filter -A INPUT -j NFLOG --nflog-range 100
+iptables -t filter -A INPUT -j NFLOG --nflog-threshold 200
diff --git a/test/targets/nfqueue.result b/test/targets/nfqueue.result
index 03d7efa..43130bc 100644
--- a/test/targets/nfqueue.result
+++ b/test/targets/nfqueue.result
@@ -1 +1 @@
-iptables -A INPUT -j NFQUEUE --queue-num 65535
+iptables -t filter -A INPUT -j NFQUEUE --queue-num 65535
diff --git a/test/targets/route.result b/test/targets/route.result
index 542fbe6..9476374 100644
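Review bot: The quoting cases pinned in test/targets/nflog.result, and in the context lines of test/targets/log.result, stop at a space, `;` and `{}`: `'foo;bar'` is single-quoted and `foo{}bar` is now emitted bare. No visible expected line has a value containing a single quote, `$` or a backtick, so nothing here shows how the quote character itself is escaped or that those characters trigger quoting at all, which is what keeps the value a single argument when the line is run by a shell. The diffstat lists test/misc/stringex.result and test/misc/backticks.result, which are outside this view and may already cover it. If they do not, add one `--nflog-prefix` case with an embedded single quote to the test input and the matching expected line to this file.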
--- a/test/targets/route.result
+++ b/test/targets/route.result
@@ -1,4 +1,4 @@
 iptables -t mangle -A PREROUTING -s 1.2.3.4 -j ROUTE --oif eth1
-iptables -t mangle -A PREROUTING -s 1.2.3.5 -j ROUTE --oif eth2 --iif eth0
+iptables -t mangle -A PREROUTING -s 1.2.3.5 -j ROUTE --iif eth0 --oif eth2
 iptables -t mangle -A PREROUTING -s 1.2.3.6 -j ROUTE --oif eth2 --continue
 iptables -t mangle -A PREROUTING -j ACCEPT
diff --git a/test/targets/same.result b/test/targets/same.result
index e5aa74a..e583b6d 100644
--- a/test/targets/same.result
+++ b/test/targets/same.result
@@ -1,3 +1,3 @@
-iptables -A INPUT -j SAME --to 192.168.1.1-192.168.1.254
-iptables -A INPUT -j SAME --to 192.168.2.1-192.168.2.254 --nodst
-iptables -A INPUT -j SAME --to 192.168.3.1-192.168.3.254 --random
+iptables -t filter -A INPUT -j SAME --to 192.168.1.1-192.168.1.254
+iptables -t filter -A INPUT -j SAME --to 192.168.2.1-192.168.2.254 --nodst
+iptables -t filter -A INPUT -j SAME --to 192.168.3.1-192.168.3.254 --random
diff --git a/test/targets/set.result b/test/targets/set.result
index 1c784f8..dc9aace 100644
--- a/test/targets/set.result
+++ b/test/targets/set.result
@@ -1,3 +1,2 @@
 iptables -t filter -A INPUT -p tcp -j SET --add-set foo src,dst
 iptables -t filter -A INPUT -p udp -j SET --del-set bar src
-
diff --git a/test/targets/snat.result b/test/targets/snat.result
index 1bd8e59..59e208f 100644
--- a/test/targets/snat.result
+++ b/test/targets/snat.result
@@ -1,6 +1,6 @@
-iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source 172.16.0.1 --to-source 172.16.0.1
-iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 172.17.0.1-172.17.0.10 --to-source 172.17.0.1-172.17.0.10
-iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 172.17.0.1-172.17.0.10:10000-20000 --to-source 172.17.0.1-172.17.0.10:10000-20000
+iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source 172.16.0.1
+iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 172.17.0.1-172.17.0.10
+iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 172.17.0.1-172.17.0.10:10000-20000
 iptables -t nat -A POSTROUTING -o ethe -j SNAT --to-source 172.17.0.1 --to-source 172.17.0.1:20000-30000
 iptables -t nat -A POSTROUTING -o eth3 -j SNAT --to-source 192.168.1.1
 iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 192.168.2.1 --random
--
2.11.4.GIT