GET /api/patches/2224905/?format=api
{ "id": 2224905, "url": "http://patchwork.ozlabs.org/api/patches/2224905/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260419133803.46227-1-fw@strlen.de/", "project": { "id": 26, "url": "http://patchwork.ozlabs.org/api/projects/26/?format=api", "name": "Netfilter Development", "link_name": "netfilter-devel", "list_id": "netfilter-devel.vger.kernel.org", "list_email": "netfilter-devel@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260419133803.46227-1-fw@strlen.de>", "list_archive_url": null, "date": "2026-04-19T13:37:47", "name": "[iptables] tests: shell: add test case for checkentry hook validations", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": true, "hash": "c1253de578cdc8674db1b4506a9680a6589eabe4", "submitter": { "id": 1025, "url": "http://patchwork.ozlabs.org/api/people/1025/?format=api", "name": "Florian Westphal", "email": "fw@strlen.de" }, "delegate": { "id": 11902, "url": "http://patchwork.ozlabs.org/api/users/11902/?format=api", "username": "strlen", "first_name": "Florian", "last_name": "Westphal", "email": "fw@strlen.de" }, "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260419133803.46227-1-fw@strlen.de/mbox/", "series": [ { "id": 500503, "url": "http://patchwork.ozlabs.org/api/series/500503/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=500503", "date": "2026-04-19T13:37:47", "name": "[iptables] tests: shell: add test case for checkentry hook validations", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/500503/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2224905/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2224905/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "\n 
<netfilter-devel+bounces-12031-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "netfilter-devel@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12031-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30", "smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=Chamillionaire.breakpoint.cc" ], "Received": [ "from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fz8pR45f3z1yGs\n\tfor <incoming@patchwork.ozlabs.org>; Sun, 19 Apr 2026 23:38:39 +1000 (AEST)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 4D279300E3A2\n\tfor <incoming@patchwork.ozlabs.org>; Sun, 19 Apr 2026 13:38:14 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id B8A7A37BE74;\n\tSun, 19 Apr 2026 13:38:13 +0000 (UTC)", "from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id BD3DB37BE87\n\tfor <netfilter-devel@vger.kernel.org>; Sun, 19 Apr 2026 13:38:11 +0000 (UTC)", "by Chamillionaire.breakpoint.cc (Postfix, from 
userid 1003)\n\tid 6930060681; Sun, 19 Apr 2026 15:38:09 +0200 (CEST)" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776605893; cv=none;\n b=qwtOxA9arGNOzY77OUNLI9axwsRZzIBjAkxehBrjABlDJChsVosmdAW12oZFge37VTIhu9G8wf4O3ibcu5Pk+sZoB6lrymjjIqh0L0DfiNlkjf/6bsHQCtCde6FDS5VloA78AJJXAMd4tvqg9dShcRQRe/4QGUMQ2X+waQ48OHU=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776605893; c=relaxed/simple;\n\tbh=RBsrRCkgzv3ZIjXHHOPbj8oY3UIhHlnafgODE+J/thk=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=TKCPBtPBObGDftGKOywcpq2zjd6Uq9lzqtO9UHcuvS2yL8L1Aupu2LXB42Xf8l5arfGygGsDJ4HJPVVmfVl8Gg8Soc4PLA/sIZT9dlfhSEAD48lCc21C6l4Z0UaeOtTAJfOmokg4caiI/agX7qtM+iOABpi+B/WpbGT/VOIaiSI=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=Chamillionaire.breakpoint.cc;\n arc=none smtp.client-ip=91.216.245.30", "From": "Florian Westphal <fw@strlen.de>", "To": "<netfilter-devel@vger.kernel.org>", "Cc": "Florian Westphal <fw@strlen.de>", "Subject": "[PATCH iptables] tests: shell: add test case for checkentry hook\n validations", "Date": "Sun, 19 Apr 2026 15:37:47 +0200", "Message-ID": "<20260419133803.46227-1-fw@strlen.de>", "X-Mailer": "git-send-email 2.53.0", "Precedence": "bulk", "X-Mailing-List": "netfilter-devel@vger.kernel.org", "List-Id": "<netfilter-devel.vger.kernel.org>", "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit" }, "content": "A few matches/targets reject based on the calling hook mask\nfrom their checkentry functions. 
Some are cosmetic (reject\nnonsensical rule that would not work, but others are mandatory\nrejects, in particular TCPMSS which may need skb_dst()\ndepending on the requested mode of operation.\n\nFor -legacy this yields:\nxt_TCPMSS: path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks\nxt_addrtype: output interface limitation not valid in PREROUTING and INPUT\nxt_addrtype: input interface limitation not valid in POSTROUTING and OUTPUT\nxt_physdev: --physdev-out and --physdev-is-out only supported in the FORWARD and POSTROUTING chains with bridged traffic\nxt_physdev: --physdev-out and --physdev-is-out only supported in the FORWARD and POSTROUTING chains with bridged traffic\nxt_policy: input policy not valid in POSTROUTING and OUTPUT\nxt_policy: output policy not valid in PREROUTING and INPUT\n\n... in dmesg. -j SET is currently missing, could be added\nlater (needs an existing ipset).\n\nSigned-off-by: Florian Westphal <fw@strlen.de>\n---\n .../iptables/0012-bad-matches-and-targets_0 | 102 ++++++++++++++++++\n 1 file changed, 102 insertions(+)\n create mode 100755 iptables/tests/shell/testcases/iptables/0012-bad-matches-and-targets_0", "diff": "diff --git a/iptables/tests/shell/testcases/iptables/0012-bad-matches-and-targets_0 b/iptables/tests/shell/testcases/iptables/0012-bad-matches-and-targets_0\nnew file mode 100755\nindex 000000000000..08a1411ecddc\n--- /dev/null\n+++ b/iptables/tests/shell/testcases/iptables/0012-bad-matches-and-targets_0\n@@ -0,0 +1,102 @@\n+#!/bin/sh\n+\n+set -x\n+\n+die() {\n+\n+\techo \"$1: $2 was accepted\"\n+\t$XT_MULTI \"$flavor-save\"\n+\texit 1\n+}\n+\n+die_err() {\n+\techo \"$1: $2 should work\"\n+\t$XT_MULTI \"$flavor-save\"\n+\texit 1\n+}\n+\n+do_link() {\n+\tlocal flavor=\"$1\"\n+\tlocal chain=\"$2\"\n+\n+\t$XT_MULTI \"$flavor\" -t mangle -A \"$chain\" -j USERCHAIN && die \"$flavor\" \"PREROUTING -j USERCHAIN\"\n+\n+\t$XT_MULTI \"$flavor\" -t mangle -F USERCHAIN || die_err \"$flavor\" \"flush 
USERCHAIN\"\n+}\n+\n+do_link_prerouting() {\n+\tdo_link \"$1\" \"PREROUTING\"\n+}\n+\n+do_link_output() {\n+\tdo_link \"$1\" \"OUTPUT\"\n+}\n+\n+check_TCPMSS() {\n+\tlocal flavor=\"$1\"\n+\n+\t$XT_MULTI \"$flavor\" -t mangle -A PREROUTING -p tcp --syn -j TCPMSS --clamp-mss-to-pmtu && die \"$flavor\" \"TCPMSS in PREROUTING\"\n+\n+\t$XT_MULTI \"$flavor\" -t mangle -A USERCHAIN -p tcp --syn -j TCPMSS --clamp-mss-to-pmtu || die_err \"$flavor\" \"TCPMSS in USERCHAIN\"\n+\tdo_link_prerouting \"$flavor\"\n+}\n+\n+check_addrtype() {\n+\tlocal flavor=\"$1\"\n+\n+\t$XT_MULTI \"$flavor\" -t mangle -A PREROUTING -m addrtype --limit-iface-out --src-type UNICAST && die \"$flavor\" \"addrtype iface-out in PREROUTING\"\n+\n+\t$XT_MULTI \"$flavor\" -t mangle -A OUTPUT -m addrtype --limit-iface-in --src-type UNICAST && die \"$flavor\" \"addrtype in iface-in OUTPUT\"\n+\n+\t$XT_MULTI \"$flavor\" -t mangle -A USERCHAIN -m addrtype --limit-iface-out --src-type UNICAST || die_err \"$flavor\" \"addrtype iface-out in USERCHAIN\"\n+\tdo_link_prerouting \"$flavor\"\n+\n+\t$XT_MULTI \"$flavor\" -t mangle -A USERCHAIN -m addrtype --limit-iface-in --src-type UNICAST || die_err \"$flavor\" \"addrtype iface-in in USERCHAIN\"\n+\tdo_link_output \"$flavor\"\n+}\n+\n+check_devgroup() {\n+\tlocal flavor=\"$1\"\n+\n+\t$XT_MULTI \"$flavor\" -t mangle -A PREROUTING -m devgroup --dst-group 1 && die \"$flavor\" \"dst-group in PREROUTING\"\n+\n+\t$XT_MULTI \"$flavor\" -t mangle -A USERCHAIN -m devgroup --dst-group 1 || die_err \"$flavor\" \"dst-group in USERCHAIN\"\n+\tdo_link_prerouting \"$flavor\"\n+\n+\t$XT_MULTI \"$flavor\" -t mangle -A OUTPUT -m devgroup --src-group 1 && die \"$flavor\" \"src-group in PREROUTING\"\n+\t$XT_MULTI \"$flavor\" -t mangle -A USERCHAIN -m devgroup --src-group 1 || die_err \"$flavor\" \"src-group in USERCHAIN\"\n+\tdo_link_output \"$flavor\"\n+}\n+\n+check_physdev() {\n+\tlocal flavor=\"$1\"\n+\n+\t$XT_MULTI \"$flavor\" -t mangle -A OUTPUT -m physdev --physdev-out \"foo\" && 
die \"$flavor\" \"physdev-out in OUTPUT\"\n+\t$XT_MULTI \"$flavor\" -t mangle -A OUTPUT -m physdev --physdev-out \"foo\" --physdev-is-out && die \"$flavor\" \"physdev-out in OUTPUT\"\n+\n+\t$XT_MULTI \"$flavor\" -t mangle -A USERCHAIN -m physdev --physdev-out \"foo\" || die_err \"$flavor\" \"physdev-out in USERCHAIN\"\n+\tdo_link_output \"$flavor\"\n+\t$XT_MULTI \"$flavor\" -t mangle -A USERCHAIN -m physdev --physdev-out \"foo\" --physdev-is-out || die_err \"$flavor\" \"physdev-out in USERCHAIN\"\n+\tdo_link_output \"$flavor\"\n+}\n+\n+check_policy() {\n+\tlocal flavor=\"$1\"\n+\n+\t$XT_MULTI \"$flavor\" -t mangle -A OUTPUT -m policy --dir in --pol none && die \"$flavor\" \"policy dir in OUTPUT\"\n+\t$XT_MULTI \"$flavor\" -t mangle -A PREROUTING -m policy --dir out --pol none && die \"$flavor\" \"policy dir out PREROUTING\"\n+\n+\t$XT_MULTI \"$flavor\" -t mangle -A USERCHAIN -m policy --dir in --pol none || die_err \"$flavor\" \"policy dir in USERCHAIN\"\n+\tdo_link_output \"$flavor\"\n+\t$XT_MULTI \"$flavor\" -t mangle -A USERCHAIN -m policy --dir out --pol none || die_err \"$flavor\" \"policy dir out USERCHAIN\"\n+\tdo_link_prerouting \"$flavor\"\n+}\n+\n+for f in \"iptables\" \"ip6tables\";do\n+\t$XT_MULTI \"$f\" -t mangle -N USERCHAIN || die_err \"$f\" \"cannot create USERCHAIN\"\n+\tcheck_TCPMSS \"$f\"\n+\tcheck_addrtype \"$f\"\n+\tcheck_devgroup \"$f\"\n+\tcheck_physdev \"$f\"\n+\tcheck_policy \"$f\"\n+done\n", "prefixes": [ "iptables" ] }
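Review bot: `die()` and `die_err()` dump the ruleset with `$XT_MULTI "$flavor-save"`, which only works because the `local flavor` of the calling `check_*`/`do_link` function is still visible inside them. At the top-level call `die_err "$f" "cannot create USERCHAIN"` no `flavor` is set, so the dump would run `$XT_MULTI "-save"`; using the helper's own argument, `$XT_MULTI "$1-save"`, avoids that. Two failure labels also name the wrong chain: `do_link` hard-codes "PREROUTING -j USERCHAIN" although `do_link_output` passes OUTPUT, so `die "$flavor" "$chain -j USERCHAIN"` would be accurate, and the OUTPUT `--src-group` case in `check_devgroup` reports "src-group in PREROUTING" where `"src-group in OUTPUT"` is meant. Since the test guards mandatory hook-mask rejections such as TCPMSS, a failure message pointing at the wrong hook would slow down triage of a real regression.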