Feature #2111

Use iptables-save in test scenarios

Added by Noel Kuntze about 4 years ago. Updated almost 4 years ago.

Status:
Closed
Priority:
Normal
Category:
testing
Target version:
Start date:
09.09.2016
Due date:
Estimated time:
Resolution:
Fixed

Description

The output of iptables -L that is shown in the test scenarios is not helpful when figuring out how the test scenarios work, as iptables -L only shows the filter table and its output is not deserializable into an iptables rule set. The output of iptables-save has those two nice properties.

iptables-save by default shows all tables and can be used to load the rules into the kernel by using the iptables-restore tool.
Those two tools are included in the xtables-multi binary, which all distributions ship. It is implemented as a symlink.

Associated revisions

Revision fa36699b (diff)
Added by Tobias Brunner about 4 years ago

testing: List `nat` and `mangle` tables in addition to the `filter` table

This is useful in scenarios that e.g. use NAT and/or marks.

References #2111.

Revision ac67aeb1 (diff)
Added by Tobias Brunner about 4 years ago

testing: Add output of iptables-save

This might be helpful to get the complete picture of the installed
rules. `-c` is currently not used as the counters that are added in
front of every rule make the output quite hard to read and the counters
are already provided in the accompanying `iptables -v -L` output.

Fixes #2111.

History

#1 Updated by Tobias Brunner about 4 years ago

  • Tracker changed from Issue to Feature
  • Category set to testing
  • Status changed from New to Feedback

Yes, this is a known issue. Some tests explicitly list rules from other tables in console.log but not all do so.

The problem with iptables-save -c is that its output is just not as readable as that of iptables -v -L. If a scenario fails a quick glance at the stats in the current output often gives you some hints where to look further.

So perhaps we could streamline the output of the other tables, for instance, just add the nat and mangle tables after the filter table in the current file:

Or we could add the output of iptables-save -c in addition to the current output, or that above (optionally as separate file, but that's more work):

I think I prefer the first option. The output of iptables-save could perhaps be added as a separate file later.
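A small parser for the iptables-save format, added here as an illustration and not code from strongSwan's testing scripts or from this issue: it turns a dump, with or without the `-c` counters, into tables, chains and rules (the "deserializable" property the report attributes to iptables-save), extracts any `-m comment --comment` tag a rule carries, and serialises the set back into the format iptables-restore reads. The dump in SAMPLE_DUMP is constructed for the example, and the class and function names are the example's own.

```python
"""Parse iptables-save output into tables, chains and rules, and back.
Added example, not code from the strongSwan test scripts or this issue.
SAMPLE_DUMP is constructed; the "[pkts:bytes]" prefix only appears with -c."""
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
[3:456] -A INPUT -p udp -m udp --dport 500 -j ACCEPT
[5:420] -A FORWARD -s 10.1.0.0/16 -m comment --comment "added by updown" -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
[2:160] -A POSTROUTING -s 10.1.0.0/16 -o eth0 -j MASQUERADE
COMMIT
"""
COUNTER_RE = re.compile(r"^\[(\d+):(\d+)\]\s+(.*)$")       # "[pkts:bytes] -A ..."
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[\d+:\d+\]$")   # ":CHAIN POLICY [p:b]"


@dataclass
class Rule:
    chain: str
    args: List[str]                  # match/target tokens after "-A <chain>"
    packets: Optional[int] = None    # only set for `iptables-save -c` output
    byte_count: Optional[int] = None

    @property
    def comment(self) -> Optional[str]:
        """Text of `-m comment --comment "..."` if the rule carries one."""
        try:
            return self.args[self.args.index("--comment") + 1]
        except (ValueError, IndexError):
            return None


@dataclass
class Table:
    name: str
    chains: Dict[str, str] = field(default_factory=dict)   # chain -> policy
    rules: List[Rule] = field(default_factory=list)


def parse_iptables_save(text: str) -> Dict[str, Table]:
    """Deserialise iptables-save output (with or without -c) into Tables."""
    tables: Dict[str, Table] = {}
    current: Optional[Table] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blanks and timestamp comments
            continue
        if line.startswith("*"):               # "*filter" opens a table
            current = Table(line[1:])
            tables[current.name] = current
            continue
        if current is None:
            raise ValueError(f"line {lineno}: content outside of a table")
        if line == "COMMIT":                   # closes the current table
            current = None
            continue
        if line.startswith(":"):               # chain declaration with policy
            m = CHAIN_RE.match(line)
            if not m:
                raise ValueError(f"line {lineno}: bad chain line {raw!r}")
            current.chains[m.group(1)] = m.group(2)
            continue
        packets = byte_count = None
        m = COUNTER_RE.match(line)             # strip -c counters, if present
        if m:
            packets, byte_count, line = int(m.group(1)), int(m.group(2)), m.group(3)
        tokens = shlex.split(line)             # honours the quoting of --comment
        if len(tokens) < 2 or tokens[0] != "-A" or tokens[1] not in current.chains:
            raise ValueError(f"line {lineno}: unsupported rule line {raw!r}")
        current.rules.append(Rule(tokens[1], tokens[2:], packets, byte_count))
    if current is not None:
        raise ValueError(f"table {current.name} is missing its COMMIT")
    return tables


def _quote(token: str) -> str:
    # double-quote a token the way iptables-save does, when it needs it
    if token and not re.search(r'[\s"]', token):
        return token
    return '"' + token.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_restore_format(tables: Dict[str, Table], with_counters: bool = False) -> str:
    """Serialise Tables back into the format iptables-restore reads."""
    out: List[str] = []
    for table in tables.values():
        out.append(f"*{table.name}")
        out += [f":{name} {policy} [0:0]" for name, policy in table.chains.items()]
        for r in table.rules:
            body = " ".join(["-A", r.chain, *map(_quote, r.args)])
            if with_counters and r.packets is not None:
                body = f"[{r.packets}:{r.byte_count}] {body}"   # -c style line
            out.append(body)
        out.append("COMMIT")
    return "\n".join(out) + "\n"
```

Feeding a scenario's saved dump to `parse_iptables_save` gives you each rule as tokens, so a script can tell rules that carry a comment tag from those that do not; the `with_counters` flag of `to_restore_format` mirrors the choice between `iptables-save` and `iptables-save -c` discussed above, and chain counters are always written as `[0:0]` on the way back.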

#2 Updated by Noel Kuntze about 4 years ago

I'm pretty sure there's a rather big opposition to just having iptables-save output in the scenarios.
As I like readable output as well, I'd like to actually see both: Supply iptables -v -L for all the tables, as well as iptables-save.
The latter for people so they can actually read the rules and the first for people that (for some reason) like iptables -L -v better.

I see that it is more work. If it's not easily solvable (just running a script over all the scenario files to add the tables is not enough?),
I'd vote for complete output of iptables-save -c.

#3 Updated by Tobias Brunner about 4 years ago

Noel Kuntze wrote:

The latter for people so they can actually read the rules

One problem with that is that people might just blindly copy-n-paste the stuff (as they always seem to be doing), as it is e.g. hard to tell which rules are added manually (and required to be added) and which e.g. automatically by the updown script or a plugin.

Noel Kuntze wrote:

I see that it is more work. If it's not easily solvable (just running a script over all the scenario files to add the tables is not enough?),

It's just in a single script that generates that stuff. Anyway, I pushed a couple of patches to the 2111-testing-iptables branch (currently does not use -c, so the rules are properly aligned and more readable).

#4 Updated by Noel Kuntze about 4 years ago

Tobias Brunner wrote:

One problem with that is that people might just blindly copy-n-paste the stuff (as they always seem to be doing), as it is e.g. hard to tell which rules are added manually (and required to be added) and which e.g. automatically by the updown script or a plugin.

One could use the comment module to add comments to the rules that are added by the updown script or the plugin. And for the rules in the examples, the same can be done.
Like this: -m comment --comment "This is a comment."

Tobias Brunner wrote:

It's just in a single script that generates that stuff. Anyway, I pushed a couple of patches to the 2111-testing-iptables branch (currently does not use -c, so the rules are properly aligned and more readable).

That's pretty neat, thanks!

#5 Updated by Tobias Brunner about 4 years ago

Noel Kuntze wrote:

One could use the comment module to add comments to the rules that are added by the updown script or the plugin. And for the rules in the examples, the same can be done.
Like this: -m comment --comment "This is a comment."

Yeah, thought about that too. But I don't think it's a good idea to have a dependency on that module for plugins or the default updown script (while it is probably enabled on common distro kernels it is still an optional module).

#6 Updated by Noel Kuntze about 4 years ago

Tobias Brunner wrote:

One could use the comment module to add comments to the rules that are added by the updown script or the plugin. And for the rules in the examples, the same can be done.
Like this: -m comment --comment "This is a comment."

Yeah, thought about that too. But I don't think it's a good idea to have a dependency on that module for plugins or the default updown script (while it is probably enabled on common distro kernels it is still an optional module).

Understandable. Adding shell code into the updown script to detect if the comment module is supported would not be excusable, as it's considered legacy.

#7 Updated by Tobias Brunner about 4 years ago

  • Assignee set to Tobias Brunner
  • Target version set to 5.5.1
  • Resolution set to Fixed

#8 Updated by Tobias Brunner almost 4 years ago

  • Status changed from Feedback to Closed
