
[2/2] network/iptables: add new test for iptables-translate and nft

Message ID 20191126115344.15926-2-alexey.kodanev@oracle.com
State Superseded
Delegated to: Petr Vorel
Series: [1/2] network/iptables: reduce ping timeouts

Commit Message

Alexey Kodanev Nov. 26, 2019, 11:53 a.m. UTC
* Reuse the test-cases from iptables_tests by moving them
  into iptables_lib.sh.

* create nft rules with iptables-translate.

Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
---
 runtest/net.tcp_cmds                          |   3 +-
 testcases/network/iptables/Makefile           |  23 +--
 testcases/network/iptables/iptables01.sh      |  18 ++
 .../{iptables_tests.sh => iptables_lib.sh}    | 163 +++++++++---------
 testcases/network/iptables/nft01.sh           |  18 ++
 5 files changed, 119 insertions(+), 106 deletions(-)
 create mode 100755 testcases/network/iptables/iptables01.sh
 rename testcases/network/iptables/{iptables_tests.sh => iptables_lib.sh} (65%)
 create mode 100755 testcases/network/iptables/nft01.sh

Comments

Petr Vorel Nov. 28, 2019, 10:46 a.m. UTC | #1
Hi Alexey,

> * Reuse the test-cases from iptables_tests by moving them
>   into iptables_lib.sh.

> * create nft rules with iptables-translate.

> Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>

Thanks for your patch.
Rewrite is ok, I'd just also drop dots from messages.

Also the redirection to tst_iptables.out in cleanup() is pointless;
maybe we could just change it to:

cleanup()
{
	if lsmod | grep -q "ip_tables"; then
		NFRUN -F -t filter > /dev/null 2>&1
		NFRUN -F -t nat > /dev/null 2>&1
		NFRUN -F -t mangle > /dev/null 2>&1
		rmmod -v ipt_limit ipt_multiport ipt_LOG ipt_REJECT \
			 iptable_mangle iptable_nat ip_conntrack \
			 iptable_filter ip_tables nf_nat_ipv4 nf_nat \
			 nf_log_ipv4 nf_log_common nf_reject_ipv4 \
			 nf_conntrack_ipv4 nf_defrag_ipv4 nf_conntrack \
			 > /dev/null 2>&1
	fi
}

For further work on iptables tests: I wonder if nc is more commonly installed in
distros than telnet (if yes, I'd be for using it).

But for nft01.sh I got an error:

nft01 1 TINFO: INIT: Flushing all rules.
nft01 1 TCONF: nft not applicable for test 1
nft01 2 TINFO: Use nft to DROP packets from particular IP
nft01 2 TINFO: Rule to block icmp from 127.0.0.1
nft01 2 TFAIL: nft command failed to append new rule.
Error: Could not process rule: No such file or directory
add rule ip filter INPUT ip protocol icmp ip saddr 127.0.0.1 counter drop
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft01 3 TINFO: Use nft to REJECT ping request.
nft01 3 TINFO: Rule to reject ping request.
nft01 3 TFAIL: nft command failed to append new rule.
Error: Could not process rule: No such file or directory
add rule ip filter INPUT ip daddr 127.0.0.1 icmp type echo-request counter reject
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft01 4 TINFO: Use nft to log packets to particular port.
nft01 4 TINFO: Rule to log tcp packets to particular port.
nft01 4 TFAIL: nft command failed to append new rule.
Error: Could not process rule: No such file or directory
add rule ip filter INPUT ip daddr 127.0.0.1 tcp dport 45886 counter log prefix "1128114107:"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft01 5 TINFO: Use nft to log packets to multiple ports.
nft01 5 TINFO: Rule to log tcp packets to port 45801 - 45803.
nft01 5 TFAIL: nft command failed to append new rule.
Error: Could not process rule: No such file or directory
add rule ip filter INPUT ip daddr 127.0.0.1 tcp dport 45801-45803 counter log prefix "1128114107:"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
nft01 6 TINFO: Use nft to log ping request with limited rate.
nft01 6 TINFO: Rule to log ping request.
nft01 6 TFAIL: nft command failed to append new rule.
Error: Could not process rule: No such file or directory
add rule ip filter INPUT ip daddr 127.0.0.1 icmp type echo-request limit rate 3/hour burst 5 packets counter log prefix "1128114107:"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Tested on openSUSE Tumbleweed (5.3.8-1-default, nftables v0.9.2 (Scram),
iptables v1.8.3 (legacy)) and Debian unstable (5.2.0-rc3+, nftables v0.9.0 (Fearless Fosdick), iptables v1.8.2 (nf_tables)). Am I missing something, or do I have the wrong version?

Kind regards,
Petr
Alexey Kodanev Nov. 28, 2019, 1:23 p.m. UTC | #2
Hi Petr,
On 28.11.2019 13:46, Petr Vorel wrote:
> Hi Alexey,
> 
>> * Reuse the test-cases from iptables_tests by moving them
>>   into iptables_lib.sh.
> 
>> * create nft rules with iptables-translate.
> 
>> Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
> 
> Thanks for your patch.
> Rewrite is ok, I'd just also drop dots from messages.
> 
> Also the redirection to tst_iptables.out in cleanup() is pointless;
> maybe we could just change it to:
> 
> cleanup()
> {
> 	if lsmod | grep -q "ip_tables"; then
> 		NFRUN -F -t filter > /dev/null 2>&1
> 		NFRUN -F -t nat > /dev/null 2>&1
> 		NFRUN -F -t mangle > /dev/null 2>&1
> 		rmmod -v ipt_limit ipt_multiport ipt_LOG ipt_REJECT \
> 			 iptable_mangle iptable_nat ip_conntrack \
> 			 iptable_filter ip_tables nf_nat_ipv4 nf_nat \
> 			 nf_log_ipv4 nf_log_common nf_reject_ipv4 \
> 			 nf_conntrack_ipv4 nf_defrag_ipv4 nf_conntrack \
> 			 > /dev/null 2>&1
> 	fi
> }
> 
> For further work on iptables tests: I wonder if nc is more commonly installed in
> distros than telnet (if yes, I'd be for using it).
> 

Agree.

> But for nft01.sh I got an error:
> 
> nft01 1 TINFO: INIT: Flushing all rules.
> nft01 1 TCONF: nft not applicable for test 1
> nft01 2 TINFO: Use nft to DROP packets from particular IP
> nft01 2 TINFO: Rule to block icmp from 127.0.0.1
> nft01 2 TFAIL: nft command failed to append new rule.
> Error: Could not process rule: No such file or directory
> add rule ip filter INPUT ip protocol icmp ip saddr 127.0.0.1 counter drop
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

It seems there is no ip filter table with an INPUT chain? Is firewalld not installed?

Is the test running fine after these:

# nft add table ip filter
# nft add chain ip filter INPUT '{ type filter hook input priority 0; }'


> nft01 3 TINFO: Use nft to REJECT ping request.
> nft01 3 TINFO: Rule to reject ping request.
> nft01 3 TFAIL: nft command failed to append new rule.
> Error: Could not process rule: No such file or directory
> add rule ip filter INPUT ip daddr 127.0.0.1 icmp type echo-request counter reject
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> nft01 4 TINFO: Use nft to log packets to particular port.
> nft01 4 TINFO: Rule to log tcp packets to particular port.
> nft01 4 TFAIL: nft command failed to append new rule.
> Error: Could not process rule: No such file or directory
> add rule ip filter INPUT ip daddr 127.0.0.1 tcp dport 45886 counter log prefix "1128114107:"
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> nft01 5 TINFO: Use nft to log packets to multiple ports.
> nft01 5 TINFO: Rule to log tcp packets to port 45801 - 45803.
> nft01 5 TFAIL: nft command failed to append new rule.
> Error: Could not process rule: No such file or directory
> add rule ip filter INPUT ip daddr 127.0.0.1 tcp dport 45801-45803 counter log prefix "1128114107:"
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> nft01 6 TINFO: Use nft to log ping request with limited rate.
> nft01 6 TINFO: Rule to log ping request.
> nft01 6 TFAIL: nft command failed to append new rule.
> Error: Could not process rule: No such file or directory
> add rule ip filter INPUT ip daddr 127.0.0.1 icmp type echo-request limit rate 3/hour burst 5 packets counter log prefix "1128114107:"
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> Tested on openSUSE Tumbleweed (5.3.8-1-default, nftables v0.9.2 (Scram),
> iptables v1.8.3 (legacy)) and Debian unstable (5.2.0-rc3+, nftables v0.9.0 (Fearless Fosdick), iptables v1.8.2 (nf_tables)). Am I missing something, or do I have the wrong version?
> 
> Kind regards,
> Petr
>
Petr Vorel Nov. 28, 2019, 3:34 p.m. UTC | #3
Hi Alexey,

> > But for nft01.sh I got an error:
> > nft01 1 TINFO: INIT: Flushing all rules.
> > nft01 1 TCONF: nft not applicable for test 1
> > nft01 2 TINFO: Use nft to DROP packets from particular IP
> > nft01 2 TINFO: Rule to block icmp from 127.0.0.1
> > nft01 2 TFAIL: nft command failed to append new rule.
> > Error: Could not process rule: No such file or directory
> > add rule ip filter INPUT ip protocol icmp ip saddr 127.0.0.1 counter drop
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

> It seems there is no ip filter table with an INPUT chain? Is firewalld not installed?
No, firewalld is installed on openSUSE (+ I'll test it for Debian, but I
expect the same result).

> Is the test running fine after these:

> # nft add table ip filter
> # nft add chain ip filter INPUT '{ type filter hook input priority 0; }'

Kind regards,
Petr
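The two nft commands Alexey quotes create the "ip filter" table and its INPUT base chain unconditionally. The following is an added example, not part of this patch, of LTP, or of nft/iptables-translate: a setup/teardown pair that creates only what is missing and later removes only what it created, so a table that firewalld or an administrator already owns (Petr's openSUSE case) is left untouched by the test's cleanup. `NFT` is an assumed variable naming the command to run; it defaults to the real `nft` binary, and the only nft subcommands used are `list table`, `list chain`, `add table`, `add chain`, `delete table` and `delete chain`.

```shell
#!/bin/sh
# Added example, not part of this patch, LTP, nft or iptables-translate:
# create the "ip filter" table and its INPUT base chain only when they are
# missing, and remove only what was created here, so a table already owned
# by firewalld or an administrator survives the test's cleanup.
# NFT is an assumed variable naming the nft command (defaults to the real
# binary; a self-test can point it at a stub function instead).
NFT="${NFT:-nft}"

# Set to 1 when the matching object was created by nft_ensure_input_chain.
NFT_CREATED_TABLE=0
NFT_CREATED_CHAIN=0

# Exit 0 if the "ip filter" table exists; nft exits non-zero otherwise.
nft_has_filter_table()
{
	$NFT list table ip filter >/dev/null 2>&1
}

# Exit 0 if chain INPUT exists in table "ip filter".
nft_has_input_chain()
{
	$NFT list chain ip filter INPUT >/dev/null 2>&1
}

# Create table and base chain as needed, remembering what was created.
# Returns non-zero if nft rejects a command, so the caller can tst_brk.
nft_ensure_input_chain()
{
	if ! nft_has_filter_table; then
		$NFT add table ip filter || return 1
		NFT_CREATED_TABLE=1
	fi
	if ! nft_has_input_chain; then
		$NFT add chain ip filter INPUT \
			'{ type filter hook input priority 0; }' || return 1
		NFT_CREATED_CHAIN=1
	fi
	return 0
}

# Undo only what nft_ensure_input_chain created. Deleting the table also
# removes its chains, so the chain is deleted on its own only when the
# table pre-existed.
nft_release_input_chain()
{
	if [ "$NFT_CREATED_TABLE" -eq 1 ]; then
		$NFT delete table ip filter || return 1
		NFT_CREATED_TABLE=0
		NFT_CREATED_CHAIN=0
	elif [ "$NFT_CREATED_CHAIN" -eq 1 ]; then
		$NFT delete chain ip filter INPUT || return 1
		NFT_CREATED_CHAIN=0
	fi
	return 0
}
```

Source the file from a test and call `nft_ensure_input_chain` in its setup and `nft_release_input_chain` in its cleanup, as root. Because both functions return non-zero only when nft refuses a command, a `tst_brk TBROK` on that status distinguishes a broken environment from a test failure, and the flags make the cleanup safe to run even when setup was never reached.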

Patch

diff --git a/runtest/net.tcp_cmds b/runtest/net.tcp_cmds
index 423a81756..afe6d7c71 100644
--- a/runtest/net.tcp_cmds
+++ b/runtest/net.tcp_cmds
@@ -17,7 +17,8 @@  rsh rsh01.sh
 sendfile sendfile01.sh
 tcpdump tcpdump01.sh
 telnet telnet01.sh
-iptables iptables_tests.sh
+iptables iptables01.sh
+nft nft01.sh
 dhcpd dhcpd_tests.sh
 dnsmasq dnsmasq_tests.sh
 iproute ip_tests.sh
diff --git a/testcases/network/iptables/Makefile b/testcases/network/iptables/Makefile
index afb96e9cb..1b42f25db 100644
--- a/testcases/network/iptables/Makefile
+++ b/testcases/network/iptables/Makefile
@@ -1,29 +1,12 @@ 
-#
-#    network/iptables testcases Makefile.
-#
-#    Copyright (C) 2009, Cisco Systems Inc.
-#
-#    This program is free software; you can redistribute it and/or modify
-#    it under the terms of the GNU General Public License as published by
-#    the Free Software Foundation; either version 2 of the License, or
-#    (at your option) any later version.
-#
-#    This program is distributed in the hope that it will be useful,
-#    but WITHOUT ANY WARRANTY; without even the implied warranty of
-#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-#    GNU General Public License for more details.
-#
-#    You should have received a copy of the GNU General Public License along
-#    with this program; if not, write to the Free Software Foundation, Inc.,
-#    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (C) 2009, Cisco Systems Inc.
 #
 # Ngie Cooper, July 2009
-#
 
 top_srcdir		?= ../../..
 
 include $(top_srcdir)/include/mk/env_pre.mk
 
-INSTALL_TARGETS		:= iptables_tests.sh
+INSTALL_TARGETS		:= *.sh
 
 include $(top_srcdir)/include/mk/generic_leaf_target.mk
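Review bot: `INSTALL_TARGETS := *.sh` is needed so that iptables_lib.sh gets installed alongside the two runners that source it, but a glob also installs any helper or scratch script later dropped into this directory without review; listing `iptables01.sh iptables_lib.sh nft01.sh` explicitly keeps the installed set visible in the Makefile.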
diff --git a/testcases/network/iptables/iptables01.sh b/testcases/network/iptables/iptables01.sh
new file mode 100755
index 000000000..de38272e1
--- /dev/null
+++ b/testcases/network/iptables/iptables01.sh
@@ -0,0 +1,18 @@ 
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2018-2019 Oracle and/or its affiliates. All Rights Reserved.
+
+TST_CNT=6
+TST_SETUP="init"
+TST_TESTFUNC="test"
+TST_CLEANUP="cleanup"
+TST_NEEDS_TMPDIR=1
+TST_NEEDS_ROOT=1
+TST_NEEDS_CMDS="iptables grep ping telnet"
+TST_NEEDS_DRIVERS="ip_tables"
+use_iptables=1
+
+. iptables_lib.sh
+. tst_test.sh
+
+tst_run
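Review bot: the order of `use_iptables=1`, `. iptables_lib.sh` and `. tst_test.sh` is load-bearing (the library selects `toolname` from `use_iptables` at source time, and `tst_run` needs `init`, `test` and `cleanup` defined before it is called), but nothing in the file says so; a one-line comment above `use_iptables=1` would keep the next editor from reordering them.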
diff --git a/testcases/network/iptables/iptables_tests.sh b/testcases/network/iptables/iptables_lib.sh
similarity index 65%
rename from testcases/network/iptables/iptables_tests.sh
rename to testcases/network/iptables/iptables_lib.sh
index d8b23283f..35548d88e 100755
--- a/testcases/network/iptables/iptables_tests.sh
+++ b/testcases/network/iptables/iptables_lib.sh
@@ -6,41 +6,47 @@ 
 #  Author:	Jan 20 2004 Hubert Lin <linux02NOSPAAAM@tw.ibm.com>
 #				       <hubertNOSPAAAM@symbio.com.tw>
 
-TST_CNT=6
-TST_SETUP="init"
-TST_TESTFUNC="test"
-TST_CLEANUP="cleanup"
-TST_NEEDS_TMPDIR=1
-TST_NEEDS_ROOT=1
-TST_NEEDS_CMDS="iptables grep ping telnet"
+if [ "$use_iptables" -eq 1 ]; then
+	toolname=iptables
+else
+	toolname=nft
+fi
 
-. tst_test.sh
-
-init()
+NFRUN()
 {
-	tst_res TINFO "INIT: Inititalizing tests."
+	local rule
 
-	modprobe ip_tables
-	if [ $? -ne 0 ]; then
-		iptables -L > tst_iptables.out 2>&1
-		if [ $? -ne 0 ]; then
-			tst_brk TCONF "no iptables support in kernel."
-		fi
+	if [ "$use_iptables" -eq 1 ]; then
+		iptables $@
+	else
+		$(iptables-translate $@ | sed 's,\\,,g')
 	fi
+}
 
+NFRUN_REMOVE()
+{
+	if [ "$use_iptables" -eq 1 ]; then
+		ROD iptables -D INPUT 1
+	else
+		ROD nft flush chain ip filter INPUT
+	fi
+}
+
+init()
+{
 	tst_res TINFO "INIT: Flushing all rules."
-	iptables -F -t filter > tst_iptables.out 2>&1
-	iptables -F -t nat > tst_iptables.out 2>&1
-	iptables -F -t mangle > tst_iptables.out 2>&1
+	NFRUN -F -t filter > tst_iptables.out 2>&1
+	NFRUN -F -t nat > tst_iptables.out 2>&1
+	NFRUN -F -t mangle > tst_iptables.out 2>&1
 }
 
 cleanup()
 {
 	lsmod | grep "ip_tables" > tst_iptables.out 2>&1
 	if [ $? -eq 0 ]; then
-		iptables -F -t filter > tst_iptables.out 2>&1
-		iptables -F -t nat > tst_iptables.out 2>&1
-		iptables -F -t mangle > tst_iptables.out 2>&1
+		NFRUN -F -t filter > tst_iptables.out 2>&1
+		NFRUN -F -t nat > tst_iptables.out 2>&1
+		NFRUN -F -t mangle > tst_iptables.out 2>&1
 		rmmod -v ipt_limit ipt_multiport ipt_LOG ipt_REJECT \
 			 iptable_mangle iptable_nat ip_conntrack \
 			 iptable_filter ip_tables nf_nat_ipv4 nf_nat \
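Review bot: the nft branch of `NFRUN`, `$(iptables-translate $@ | sed 's,\\,,g')`, hides failures and mishandles arguments. `$@` is unquoted, so any argument containing whitespace is re-split before translation (`--log-prefix "$logprefix"` survives only because the prefix has none); quote it as `"$@"`. If `iptables-translate` itself fails (missing binary, unsupported match), the substitution expands to nothing and the status the callers test with `$?` is that of `sed`, i.e. success, so the `TFAIL "... failed to append new rule"` paths never fire for translation errors. And if a translation ever spans several lines, all of them are run as one command line. Capturing the translation first, checking that status, and then running it with `eval` would make each failure visible. A smaller point in the same hunk: when the library is sourced with `use_iptables` unset, `[ "" -eq 1 ]` is a test error rather than a clean default, so `${use_iptables:-1}` or an explicit `tst_brk TBROK` is preferable.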
@@ -52,6 +58,11 @@  cleanup()
 
 test1()
 {
+
+	if [ "$use_iptables" -ne 1 ]; then
+		tst_res TCONF "$toolname not applicable for test $1"
+		return
+	fi
 	local chaincnt=0
 
 	local cmd="iptables -L -t filter"
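Review bot: the added guard leaves a stray blank line between `{` and `if`, and it returns before `local chaincnt=0`, whereas the other tests in this file declare their locals first; move the guard below the locals and drop the blank line. Since test1 is skipped only because it still calls `iptables -L -t filter` directly rather than through `NFRUN`, saying so in the TCONF message would tell readers it is a test limitation, not a tool one.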
@@ -112,12 +123,12 @@  test1()
 
 test2()
 {
-	tst_res TINFO "Use iptables to DROP packets from particular IP"
+	tst_res TINFO "Use $toolname to DROP packets from particular IP"
 	tst_res TINFO "Rule to block icmp from 127.0.0.1"
 
-	iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP > tst_iptables.out 2>&1
+	NFRUN -A INPUT -s 127.0.0.1 -p icmp -j DROP > tst_iptables.out 2>&1
 	if [ $? -ne 0 ]; then
-		tst_res TFAIL "iptables command failed to append new rule."
+		tst_res TFAIL "$toolname command failed to append new rule."
 		cat tst_iptables.out
 		return
 	fi
@@ -128,47 +139,43 @@  test2()
 		grep "100% packet loss" tst_iptables.out > tst_iptables.err 2>&1
 		if [ $? -ne 0 ]; then
 			tst_res TFAIL \
-				 "iptables did not block packets from loopback"
+				 "$toolname did not block packets from loopback"
 			cat tst_iptables.err
 			return
 		else
 			tst_res TINFO "Ping 127.0.0.1 not successful."
 		fi
 	else
-		tst_res TFAIL "iptables did not block icmp from 127.0.0.1"
+		tst_res TFAIL "$toolname did not block icmp from 127.0.0.1"
 		cat tst_iptables.out
 		return
 	fi
 
 	tst_res TINFO "Deleting icmp DROP from 127.0.0.1 rule."
-	iptables -D INPUT 1 > tst_iptables.out 2>&1
-	if [ $? -ne 0 ]; then
-		tst_res TFAIL "iptables did not remove the rule."
-		cat tst_iptables.out
-		return
-	fi
+	NFRUN_REMOVE
+
 	tst_res TINFO "Pinging 127.0.0.1 again"
 	ping -c 2 127.0.0.1 -W 1 -i 0 > tst_iptables.out 2>&1
 	if [ $? -ne 0 ]; then
-		tst_res TFAIL "iptables blocking loopback. This is expected" \
+		tst_res TFAIL "$toolname blocking loopback. This is expected" \
 			       "behaviour on certain distributions where" \
 			       "enabling firewall drops all packets by default."
 		cat tst_iptables.out
 		return
 	fi
 	tst_res TINFO "Ping succsess"
-	tst_res TPASS "iptables can DROP packets from particular IP."
+	tst_res TPASS "$toolname can DROP packets from particular IP."
 }
 
 test3()
 {
-	tst_res TINFO "Use iptables to REJECT ping request."
+	tst_res TINFO "Use $toolname to REJECT ping request."
 	tst_res TINFO "Rule to reject ping request."
 
-	iptables -A INPUT -p icmp --icmp-type echo-request -d 127.0.0.1 -j \
+	NFRUN -A INPUT -p icmp --icmp-type echo-request -d 127.0.0.1 -j \
 		 REJECT > tst_iptables.out 2>&1
 	if [ $? -ne 0 ]; then
-		tst_res TFAIL "iptables command failed to append new rule."
+		tst_res TFAIL "$toolname command failed to append new rule."
 		cat tst_iptables.out
 		return
 	fi
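Review bot: replacing the checked `iptables -D INPUT 1` with `NFRUN_REMOVE` changes the failure semantics: `ROD` calls `tst_brk` on a non-zero status, so a rule that cannot be deleted now aborts the whole run (test3 to test6 never execute) where the old code reported a TFAIL and continued. That may be acceptable, because a leftover DROP rule would break the following tests anyway, but the commit message should state it. In addition, the nft side of `NFRUN_REMOVE` is `nft flush chain ip filter INPUT`, which removes every rule in the chain rather than the one the test appended; on a host whose INPUT chain already carries rules (the firewalld setups discussed in the thread) that is a wider side effect than `-D INPUT 1`.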
@@ -178,29 +185,25 @@  test3()
 	if [ $? -ne 0 ]; then
 		grep "100% packet loss" tst_iptables.out > tst_iptables.err 2>&1
 		if [ $? -ne 0 ]; then
-			tst_res TFAIL "iptables did not block ping request."
+			tst_res TFAIL "$toolname did not block ping request."
 			cat tst_iptables.err
 			return
 		else
 			tst_res TINFO "Ping 127.0.0.1 not successful."
 		fi
 	else
-		tst_res TFAIL "iptables did not reject ping request."
+		tst_res TFAIL "$toolname did not reject ping request."
 		cat tst_iptables.out
 		return
 	fi
 
 	tst_res TINFO "Deleting icmp request REJECT rule."
-	iptables -D INPUT 1 > tst_iptables.out 2>&1
-	if [ $? -ne 0 ]; then
-		tst_res TFAIL "iptables did not remove the rule."
-		cat tst_iptables.out
-		return
-	fi
+	NFRUN_REMOVE
+
 	tst_res TINFO "Pinging 127.0.0.1 again"
 	ping -c 2 127.0.0.1 -W 1 -i 0 > tst_iptables.out 2>&1
 	if [ $? -ne 0 ]; then
-		tst_res TFAIL "iptables blocking ping requests. This is" \
+		tst_res TFAIL "$toolname blocking ping requests. This is" \
 			      "expected behaviour on certain distributions" \
 			      "where enabling firewall drops all packets by" \
 			      "default."
@@ -208,7 +211,7 @@  test3()
 		return
 	fi
 	tst_res TINFO "Ping succsess"
-	tst_res TPASS "iptables can REJECT ping requests."
+	tst_res TPASS "$toolname can REJECT ping requests."
 }
 
 test4()
@@ -216,13 +219,13 @@  test4()
 	local dport=45886
 	local logprefix="${TCID}$(date +%m%d%H%M%S):"
 
-	tst_res TINFO "Use iptables to log packets to particular port."
+	tst_res TINFO "Use $toolname to log packets to particular port."
 	tst_res TINFO "Rule to log tcp packets to particular port."
 
-	iptables -A INPUT -p tcp -d 127.0.0.1 --dport $dport -j LOG \
+	NFRUN -A INPUT -p tcp -d 127.0.0.1 --dport $dport -j LOG \
 		 --log-prefix "$logprefix" > tst_iptables.out 2>&1
 	if [ $? -ne 0 ]; then
-		tst_res TFAIL "iptables command failed to append new rule."
+		tst_res TFAIL "$toolname command failed to append new rule."
 		cat tst_iptables.out
 		return
 	fi
@@ -234,7 +237,7 @@  test4()
 		dmesg | grep "$logprefix" > tst_iptables.err 2>&1
 		if [ $? -ne 0 ]; then
 			tst_res TFAIL \
-				 "iptables did not log packets to port $dport"
+				 "$toolname did not log packets to port $dport"
 			cat tst_iptables.err
 			return
 		else
@@ -247,14 +250,10 @@  test4()
 	fi
 
 	tst_res TINFO "Deleting the rule to log."
-	iptables -D INPUT 1 > tst_iptables.out 2>&1
-	if [ $? -ne 0 ]; then
-		tst_res TFAIL "iptables did not remove the rule."
-		cat tst_iptables.out
-		return
-	fi
-	tst_res TINFO "iptables logging succsess"
-	tst_res TPASS "iptables can log packets to particular port."
+	NFRUN_REMOVE
+
+	tst_res TINFO "$toolname logging succsess"
+	tst_res TPASS "$toolname can log packets to particular port."
 }
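Review bot: the rewritten line `tst_res TINFO "$toolname logging succsess"` keeps the old typo; since the line is being changed anyway, spell it `success` here and in the matching `+` lines of the test5 and test6 hunks.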
 
 test5()
@@ -262,22 +261,22 @@  test5()
 	local dport=0
 	local logprefix="${TCID}$(date +%m%d%H%M%S):"
 
-	tst_res TINFO "Use iptables to log packets to multiple ports."
+	tst_res TINFO "Use $toolname to log packets to multiple ports."
 	tst_res TINFO "Rule to log tcp packets to port 45801 - 45803."
-	iptables -A INPUT -p tcp -d 127.0.0.1 --dport 45801:45803 -j LOG \
+	NFRUN -A INPUT -p tcp -d 127.0.0.1 --dport 45801:45803 -j LOG \
 		 --log-prefix "$logprefix" > tst_iptables.out 2>&1
 	if [ $? -ne 0 ]; then
-		tst_res TFAIL "iptables command failed to append new rule."
+		tst_res TFAIL "$toolname command failed to append new rule."
 		cat tst_iptables.out
 		return
 	fi
 
 	tst_res TINFO "Rule to log tcp packets to port 45804 - 45806."
-	iptables -A INPUT -p tcp -d 127.0.0.1 -m multiport --dports \
+	NFRUN -A INPUT -p tcp -d 127.0.0.1 -m multiport --dports \
 		 45804,45806,45805 -j LOG --log-prefix "$logprefix" \
 		 > tst_iptables.out 2>&1
 	if [ $? -ne 0 ]; then
-		tst_res TFAIL "iptables command failed to append new rule."
+		tst_res TFAIL "$toolname command failed to append new rule."
 		cat tst_iptables.out
 		return
 	fi
@@ -290,7 +289,7 @@  test5()
 			dmesg | grep "$logprefix" | grep "=$dport " \
 				> tst_iptables.err 2>&1
 			if [ $? -ne 0 ]; then
-				tst_res TFAIL "iptables did not log packets" \
+				tst_res TFAIL "$toolname did not log packets" \
 					       "to port $dport"
 				cat tst_iptables.err
 				return
@@ -305,14 +304,14 @@  test5()
 	done
 
 	tst_res TINFO "Flushing all rules."
-	iptables -F > tst_iptables.out 2>&1
+	NFRUN -F > tst_iptables.out 2>&1
 	if [ $? -ne 0 ]; then
-		tst_res TFAIL "iptables did not flush all rules."
+		tst_res TFAIL "$toolname did not flush all rules."
 		cat tst_iptables.out
 		return
 	fi
-	tst_res TINFO "iptables logging succsess"
-	tst_res TPASS "iptables can log packets to multiple ports."
+	tst_res TINFO "$toolname logging succsess"
+	tst_res TPASS "$toolname can log packets to multiple ports."
 }
 
 test6()
@@ -320,13 +319,13 @@  test6()
 	local logcnt=0
 	local logprefix="${TCID}$(date +%m%d%H%M%S):"
 
-	tst_res TINFO "Use iptables to log ping request with limited rate."
+	tst_res TINFO "Use $toolname to log ping request with limited rate."
 	tst_res TINFO "Rule to log ping request."
 
-	iptables -A INPUT -p icmp --icmp-type echo-request -d 127.0.0.1 -m \
+	NFRUN -A INPUT -p icmp --icmp-type echo-request -d 127.0.0.1 -m \
 		 limit -j LOG --log-prefix "$logprefix" > tst_iptables.out 2>&1
 	if [ $? -ne 0 ]; then
-		tst_res TFAIL "iptables command failed to append new rule."
+		tst_res TFAIL "$toolname command failed to append new rule."
 		cat tst_iptables.out
 		return
 	fi
@@ -337,7 +336,7 @@  test6()
 		sleep 2
 		logcnt=$(dmesg | grep -c "$logprefix")
 		if [ $logcnt -ne 5 ]; then
-			tst_res TFAIL "iptables did not log packets with" \
+			tst_res TFAIL "$toolname did not log packets with" \
 				      "limited rate."
 			cat tst_iptables.out
 			return
@@ -353,14 +352,8 @@  test6()
 	fi
 
 	tst_res TINFO "Deleting the rule to log."
-	iptables -D INPUT 1 > tst_iptables.out 2>&1
-	if [ $? -ne 0 ]; then
-		tst_res TFAIL "iptables did not remove the rule."
-		cat tst_iptables.out
-		return
-	fi
-	tst_res TINFO "iptables limited logging succsess"
-	tst_res TPASS "iptables can log packets with limited rate."
-}
+	NFRUN_REMOVE
 
-tst_run
+	tst_res TINFO "$toolname limited logging succsess"
+	tst_res TPASS "$toolname can log packets with limited rate."
+}
diff --git a/testcases/network/iptables/nft01.sh b/testcases/network/iptables/nft01.sh
new file mode 100755
index 000000000..1d378b2b7
--- /dev/null
+++ b/testcases/network/iptables/nft01.sh
@@ -0,0 +1,18 @@ 
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2019 Oracle and/or its affiliates. All Rights Reserved.
+
+TST_CNT=6
+TST_SETUP="init"
+TST_TESTFUNC="test"
+TST_CLEANUP="cleanup"
+TST_NEEDS_TMPDIR=1
+TST_NEEDS_ROOT=1
+TST_NEEDS_CMDS="nft iptables-translate grep ping telnet"
+TST_NEEDS_DRIVERS="nf_tables"
+use_iptables=0
+
+. iptables_lib.sh
+. tst_test.sh
+
+tst_run
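Review bot: nothing in this runner or in the shared `init()` creates the `ip filter` table and its `INPUT` base chain, yet every translated rule is `add rule ip filter INPUT ...`; with nft those objects do not appear on their own, which is exactly the `Could not process rule: No such file or directory` Petr reports, and `TST_NEEDS_DRIVERS="nf_tables"` only guarantees the module. Creating them in setup with the two commands Alexey quotes (`nft add table ip filter` and `nft add chain ip filter INPUT '{ type filter hook input priority 0; }'`) and removing them in cleanup only when the test created them would make nft01 self-contained. The `-t nat` and `-t mangle` flushes in `init()` will likewise fail on a host without those tables; their output is discarded so this is harmless, but a comment would save the next reader from chasing it.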