authorPhil Sutter <phil@nwl.cc>2024-11-05 16:07:01 +0100
committerPhil Sutter <phil@nwl.cc>2024-11-05 23:58:03 +0100
commit6fbd211b48648a337d794ac1e1665d6ed3175a78 (patch)
tree47334ac17fe84f2ff82a8539943a5b6a578a080e
parent36d87cd8092edc1f256a0505e260cc8d5ccacb33 (diff)
tests: iptables-test: Properly assert rule deletion errors
Capture any non-zero return code; iptables does not necessarily return 1 on error. A known issue with trying to delete a rule by spec is the unsupported --set-counters option. Strip it before deleting the rule. Fixes: c8b7aaabbe1fc ("add iptables unit test infrastructure") Signed-off-by: Phil Sutter <phil@nwl.cc>
-rwxr-xr-xiptables-test.py15
1 files changed, 14 insertions, 1 deletions
diff --git a/iptables-test.py b/iptables-test.py
index 0d2f30df..413e3fdc 100755
--- a/iptables-test.py
+++ b/iptables-test.py
@@ -58,10 +58,23 @@ def print_error(reason, filename=None, lineno=None, log_file=sys.stderr):
def delete_rule(iptables, rule, filename, lineno, netns = None):
'''
Removes an iptables rule
+
+ Remove any --set-counters arguments, --delete rejects them.
'''
+ delrule = rule.split()
+ for i in range(len(delrule)):
+ if delrule[i] in ['-c', '--set-counters']:
+ delrule.pop(i)
+ if ',' in delrule.pop(i):
+ break
+ if len(delrule) > i and delrule[i].isnumeric():
+ delrule.pop(i)
+ break
+ rule = " ".join(delrule)
+
cmd = iptables + " -D " + rule
ret = execute_cmd(cmd, filename, lineno, netns)
- if ret == 1:
+ if ret != 0:
reason = "cannot delete: " + iptables + " -I " + rule
print_error(reason, filename, lineno)
return -1
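Review bot: The counter-stripping loop can raise IndexError and also rewrites rules that carry no counters. When `-c` or `--set-counters` is the last token, the second `delrule.pop(i)` indexes past the end of the list. Because `rule = " ".join(delrule)` runs for every rule, repeated whitespace inside a quoted argument (a `--comment` string, say) is collapsed, which presumably makes the `-D` spec differ from the inserted rule; whether any test case reaches either path is not visible here. Popping from the list while indexing it through `range(len(delrule))` is only safe because of the `break`s, so I would compute the span to drop and rebuild `rule` only in the matching branch, as sketched below. The tail of delete_rule lies outside the hunk.

```python
    delrule = rule.split()
    for i, arg in enumerate(delrule):
        if arg not in ('-c', '--set-counters'):
            continue
        # drop the option plus either "PKTS,BYTES" or "PKTS BYTES"
        end = i + 1
        if end < len(delrule):
            two_args = ',' not in delrule[end]
            end += 1
            if two_args and end < len(delrule) and delrule[end].isnumeric():
                end += 1
        rule = " ".join(delrule[:i] + delrule[end:])
        break

    # … unchanged: cmd construction and return-code check …
```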