|
| 1 | +# AGENTS.md |
| 2 | + |
| 3 | +## Overview |
| 4 | + |
| 5 | +This repository contains a .NET 8 solution for working with Linux iptables from C#. The managed code lives under `IPTables.Net/`, the NUnit tests live under `IPTables.Net.Tests/`, and the native helper library used by the libiptc-based adapter lives under `ipthelper/`. |
| 6 | + |
| 7 | +## Build And Test |
| 8 | + |
| 9 | +- Use `./build.sh` for a full solution build. |
| 10 | +- Use `./test.sh` to build and run tests. |
| 11 | +- Use `./test.sh --fast` for the managed-heavy test pass that sets `SKIP_SYSTEM_TESTS=1`. |
| 12 | +- Use `./test.sh --full` on Linux when root or passwordless `sudo` is available to run the stable native and system iptables tests. |
| 13 | +- Set `RUN_UNSTABLE_SYSTEM_TESTS=1` with `./test.sh --full` to include tests marked `NotWorkingOnTravis`, including the conntrack coverage that can crash on some containerized hosts. |
| 14 | + |
| 15 | +Both scripts will bootstrap a usable .NET SDK if `dotnet` is missing. By default they infer the needed SDK channel from the highest `TargetFramework` declared in the repo's `.csproj` files. On Linux they also build `libipthelper` and install missing native build dependencies through a supported package manager when needed. |
| 16 | + |
| 17 | +## Native Helper Notes |
| 18 | + |
| 19 | +- `ipthelper/` builds `libipthelper.so`, which is required for `IPTablesLibAdapter`, `IptcInterface`, and the conntrack/native tests. |
| 20 | +- The helper links against the system iptables development libraries, `libnl3`, and `libpcap`. |
| 21 | +- The scripts first try a normal helper build and then retry with `-DOLD_IPTABLES` if the local iptables headers are older. |
| 22 | +- `test.sh --full` prefers the `iptables-legacy` / `ip6tables-legacy` alternatives when they are available because that matches the native test expectations more closely. |
| 23 | + |
| 24 | +## Testing Guidance |
| 25 | + |
| 26 | +- Fast mode is the safest default when you only need parser, model, or mocked adapter coverage. |
| 27 | +- Full mode touches the real machine state. The system tests create and mutate chains like `test`, `test2`, and `test3`, and the opt-in conntrack tests hit kernel networking APIs directly. |
| 28 | +- If full mode fails because the host lacks privileges, kernel modules, or compatible iptables backends, rerun with `./test.sh --fast` unless you are specifically changing native or system behavior. |
| 29 | + |
| 30 | +## Development Guidance |
| 31 | + |
| 32 | +- Keep changes narrow and add or update NUnit coverage in `IPTables.Net.Tests/` when behavior changes. |
| 33 | +- Prefer following the existing project layout instead of introducing new abstractions unless the current design is clearly blocking the work. |
| 34 | +- When changing native interop behavior, verify both the managed call sites in `IPTables.Net/Iptables/NativeLibrary/` and the corresponding code in `ipthelper/`. |
| 35 | +- The tests project is also the best source of usage examples for the public API. |
0 commit comments