IPTables-Management/tests/test_integration.sh

#!/usr/bin/env bash
set -euo pipefail

ROOT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")/.." && pwd)
# shellcheck source=tests/lib/assert.sh
source "${ROOT_DIR}/tests/lib/assert.sh"

status_of() {
  set +e
  "$@" >/dev/null 2>&1
  local rc=$?
  set -e
  printf '%s\n' "${rc}"
}

maybe_enter_namespace() {
  if (( EUID == 0 )); then
    return 0
  fi

  if [[ ${IPF_IN_NAMESPACE:-0} == 1 ]]; then
    return 0
  fi

  if command -v unshare >/dev/null 2>&1 && unshare -Urn true >/dev/null 2>&1; then
    exec unshare -Urn env IPF_IN_NAMESPACE=1 bash "$0"
  fi

  printf 'SKIP: root 或 unshare 不可用，跳过集成测试。\n'
  exit 0
}

maybe_enter_namespace

if command -v ip >/dev/null 2>&1; then
  ip link set lo up >/dev/null 2>&1 || true
fi

if ! command -v iptables >/dev/null 2>&1; then
  printf 'SKIP: iptables 不可用，跳过集成测试。\n'
  exit 0
fi

TMP_DIR=$(mktemp -d)
BACKUP_V4="${TMP_DIR}/iptables.v4.bak"
BACKUP_V6="${TMP_DIR}/iptables.v6.bak"

cleanup() {
  if [[ -f ${BACKUP_V4} ]]; then
    iptables-restore <"${BACKUP_V4}" >/dev/null 2>&1 || true
  fi
  if [[ -f ${BACKUP_V6} ]]; then
    ip6tables-restore <"${BACKUP_V6}" >/dev/null 2>&1 || true
  fi
  rm -rf "${TMP_DIR}"
}
trap cleanup EXIT

iptables-save >"${BACKUP_V4}"
if command -v ip6tables-save >/dev/null 2>&1; then
  ip6tables-save >"${BACKUP_V6}"
fi

export IPF_STORAGE_DIR="${TMP_DIR}/storage"
export IPF_STORAGE_DB="${IPF_STORAGE_DIR}/rules.db"
export IPF_LOCK_FILE="${IPF_STORAGE_DIR}/.lock"
export IPF_SKIP_ENV_CHECK=1
export IPF_SKIP_PERSIST=1
export IPF_FORCE_PLAIN_UI=1

uuid_v4=$("${ROOT_DIR}/iptables-forward.sh" --batch add tcp 65432 127.0.0.1 22 4 'integration-v4')
assert_contains "$(iptables-save)" "MGMT:${uuid_v4}" 'IPv4 rule should appear in iptables-save output'
assert_contains "$("${ROOT_DIR}/iptables-forward.sh" --batch list)" "uuid=${uuid_v4}" 'batch list should include managed rule'

iptables -A FORWARD -p tcp --dport 65000 -j ACCEPT

"${ROOT_DIR}/iptables-forward.sh" --batch delete "${uuid_v4}"
assert_status 1 "$(status_of grep -F "MGMT:${uuid_v4}" <(iptables-save))" 'deleted IPv4 rule should disappear from iptables-save'
assert_status 0 "$(status_of grep -F -- '--dport 65000 -j ACCEPT' <(iptables-save))" 'unmanaged rule should remain after deleting managed rule'

if command -v ip6tables >/dev/null 2>&1; then
  uuid_v6=$("${ROOT_DIR}/iptables-forward.sh" --batch add tcp 65433 ::1 22 6 'integration-v6')
  assert_contains "$(ip6tables-save)" "MGMT:${uuid_v6}" 'IPv6 rule should appear in ip6tables-save output'
  "${ROOT_DIR}/iptables-forward.sh" --batch delete "${uuid_v6}"
  assert_status 1 "$(status_of grep -F "MGMT:${uuid_v6}" <(ip6tables-save))" 'deleted IPv6 rule should disappear from ip6tables-save'
fi

pass 'test_integration.sh'