======================================================
Manas K. Nayak <maknayak@in.ibm.com> reported:
======================================================
LTP iptables testcases failed against SLES with the following ping failures. Looks like iptables chain rules are set to block ping from the loopback address.
Test results:
[iptables]# ./iptables_tests.sh
iptables    0  INFO  :  INIT: Inititalizing tests.
iptables    0  INFO  :  INIT: Flushing all rules.
iptables01    0  INFO  :  iptables01: iptables -L -t filter will list all rules in table filter.
iptables01    0  INFO  :  iptables01: iptables -L -t filter lists rules.
iptables01    0  INFO  :  iptables01: iptables -L -t nat will list all rules in table nat.
iptables01    0  INFO  :  iptables01: iptables -L -t nat lists rules.
iptables01    0  INFO  :  iptables01: iptables -L -t mangle will list all rules in table mangle.
iptables01    0  INFO  :  iptables01: iptables -L -t mangle lists rules.
iptables01    1  PASS  :  iptables01: iptables -L lists rules.
iptables02    0  INFO  :  iptables02: Use iptables to DROP packets from particular IP
iptables02    0  INFO  :  iptables02: Rule to block icmp from 127.0.0.1
iptables02    0  INFO  :  iptables02: Pinging 127.0.0.1
iptables02    0  INFO  :  iptables02: Ping 127.0.0.1 not successful.
iptables02    0  INFO  :  iptables02: Deleting icmp DROP from 127.0.0.1 rule.
iptables02    0  INFO  :  iptables02: Pinging 127.0.0.1 again
iptables02    2  FAIL  :  iptables02: iptables blocking loopback. Reason:
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1013ms
iptables03    0  INFO  :  iptables03: Use iptables to REJECT ping request.
iptables03    0  INFO  :  iptables03: Rule to reject ping request.
iptables03    0  INFO  :  iptables03: Pinging 127.0.0.1
iptables03    0  INFO  :  iptables03: Ping 127.0.0.1 not successful.
iptables03    0  INFO  :  iptables03: Deleting icmp request REJECT rule.
iptables03    0  INFO  :  iptables03: Pinging 127.0.0.1 again
iptables03    3  FAIL  :  iptables03: iptables blocking ping requests. Reason:
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1013ms
iptables04    0  INFO  :  iptables04: Use iptables to log packets to particular port.
iptables04    0  INFO  :  iptables04: Rule to log tcp packets to particular port.
iptables04    0  INFO  :  iptables04: telnet 127.0.0.1 45886
iptables04    0  INFO  :  iptables04: Packets to port 45886 logged.
iptables04    0  INFO  :  iptables04: Deleting the rule to log.
iptables04    0  INFO  :  iptables04: iptables logging succsess
iptables04    4  PASS  :  iptables04: iptables can log packets to particular port.
iptables05    0  INFO  :  iptables05: Use iptables to log packets to multiple ports.
iptables05    0  INFO  :  iptables05: Rule to log tcp packets to port 45801 - 45803.
iptables05    0  INFO  :  iptables05: Rule to log tcp packets to port 45804 - 45806.
iptables05    0  INFO  :  iptables05: telnet 127.0.0.1 45801
iptables05    0  INFO  :  iptables05: Packets to port 45801 logged.
iptables05    0  INFO  :  iptables05: telnet 127.0.0.1 45802
iptables05    0  INFO  :  iptables05: Packets to port 45802 logged.
iptables05    0  INFO  :  iptables05: telnet 127.0.0.1 45803
iptables05    0  INFO  :  iptables05: Packets to port 45803 logged.
iptables05    0  INFO  :  iptables05: telnet 127.0.0.1 45804
iptables05    0  INFO  :  iptables05: Packets to port 45804 logged.
iptables05    0  INFO  :  iptables05: telnet 127.0.0.1 45805
iptables05    0  INFO  :  iptables05: Packets to port 45805 logged.
iptables05    0  INFO  :  iptables05: telnet 127.0.0.1 45806
iptables05    0  INFO  :  iptables05: Packets to port 45806 logged.
iptables05    0  INFO  :  iptables05: Flushing all rules.
iptables05    0  INFO  :  iptables05: iptables logging succsess
iptables05    5  PASS  :  iptables05: iptables can log packets to multiple ports.
iptables06    0  INFO  :  iptables06: Use iptables to log ping request with limited rate.
iptables06    0  INFO  :  iptables06: Rule to log ping request.
iptables06    0  INFO  :  iptables06: ping 127.0.0.1
iptables06    6  FAIL  :  iptables06: ping to 127.0.0.1 failed.
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
--- 127.0.0.1 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 9012ms
uname -a output:
Linux 2.6.27.7-4-default #1 SMP 2008-11-25 00:02:37 +0100 x86_64 x86_64 x86_64 GNU/Linux
======================================================
Sridhar Vinay Replied:
======================================================
Manas, this looks like default SLES behaviour. When all rules are flushed, the default behaviour for the SUSE firewall is to drop all packets. This is not the case with RH, where the absence of any rule results in all packets being accepted. So we may need to adjust the test accordingly. Modification to the test case to indicate certain distributions dropping all packets when the firewall is enabled and no rule is present.
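Added illustration, not part of the thread or of the LTP test: the mechanism behind the behaviour described above is that `iptables -F` removes rules but leaves each built-in chain's policy untouched, so a distribution firewall that has set the INPUT policy to DROP keeps blocking loopback ICMP after the test flushes everything. The script below parses constructed `iptables -L -n` listings (the samples and function names are assumptions) to detect that state before the test pings 127.0.0.1.

```shell
#!/bin/sh
# Added example (not LTP code): tell "no rules" apart from "default policy DROP".
# `iptables -F` removes rules but leaves each built-in chain's policy untouched,
# so a DROP policy installed by the distribution firewall keeps blocking
# loopback ICMP after the test flushes everything. The listings below are
# constructed to resemble `iptables -L -n` on a flushed host.

SAMPLE_FLUSHED_DROP='Chain INPUT (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

SAMPLE_FLUSHED_ACCEPT='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# chain_policy CHAIN LISTING: print the policy word (ACCEPT/DROP) of a built-in chain.
chain_policy() {
    printf '%s\n' "$2" | sed -n "s/^Chain $1 (policy \([A-Z]*\)).*/\1/p"
}

# flushed_but_dropping LISTING: succeed if INPUT or OUTPUT defaults to DROP,
# i.e. a "flush all rules" step will not make loopback traffic flow again.
flushed_but_dropping() {
    for chain in INPUT OUTPUT; do
        [ "$(chain_policy "$chain" "$1")" = "DROP" ] && return 0
    done
    return 1
}

# loopback_ping_expected LISTING: what the test should assume after `iptables -F`.
# On a DROP-policy host the test should skip, or save the policies, set them to
# ACCEPT for the duration of the test and restore them, rather than report FAIL.
loopback_ping_expected() {
    if flushed_but_dropping "$1"; then
        echo "no: built-in chain policy is DROP, flushing rules does not change it"
        return 1
    fi
    echo "yes: no rules and ACCEPT policy"
}

# Against a live host (needs root): loopback_ping_expected "$(iptables -L -n)"
```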
======================================================
Manas K. Nayak <maknayak@in.ibm.com> reverted back:
======================================================
I verified the patch using LTP release "ltp-full-20081130" on SLES and it is generating the expected information as mentioned. Subrata, you can make this patch available in the coming LTP release. Signed-Off-By: Vinay Sridhar <vinay@linux.vnet.ibm.com>.
1 file changed