1#!/bin/sh
2# SPDX-License-Identifier: GPL-2.0-or-later
3# Copyright (c) Linux Test Project, 2019-2022
4# Copyright (c) 2018-2019 Oracle and/or its affiliates. All Rights Reserved.
5# Copyright (c) International Business Machines  Corp., 2001
6#
7#  Author:	Jan 20 2004 Hubert Lin <linux02NOSPAAAM@tw.ibm.com>
8#				       <hubertNOSPAAAM@symbio.com.tw>
9
# Number of test cases; the test runner presumably calls test1 .. test6
# (TST_TESTFUNC below) with the case number as $1 — confirm in tst_net.sh.
TST_CNT=6
TST_TESTFUNC="test"
# The tst_iptables.out / tst_iptables.err scratch files are written to the
# current directory, so a private temp dir is required.
TST_NEEDS_TMPDIR=1
# Changing netfilter rules, unloading modules and "ping -i 0" need root.
TST_NEEDS_ROOT=1
# The including script may preset its own setup/cleanup hooks; otherwise
# init()/cleanup() from this file are used.
TST_SETUP="${TST_SETUP:-init}"
TST_CLEANUP="${TST_CLEANUP:-cleanup}"
# Backend specific tools (ip[6]tables, nft, the translator, ping) are
# checked in init() once the backend is known.
TST_NEEDS_CMDS="grep telnet"
# NOTE(review): use_iptables, TST_IPV6, TST_IPVER and TCID are read below
# but not set in this file — they are expected from the including script
# or the library; verify against the callers.
17
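#######################################
# Run one netfilter command through the selected backend.
# Globals:   use_iptables (read), TST_IPV6 (read)
# Arguments: an ip[6]tables command line, e.g. -A INPUT ... -j DROP
# Outputs:   whatever the backend tool prints
# Returns:   exit status of the executed command
#
# With use_iptables=1 the arguments are passed straight to ip[6]tables.
# Otherwise they are fed to ip[6]tables-translate and the nft command line
# it prints is executed.  The translator wraps string operands in single
# quotes which would survive word splitting as literal characters, so they
# are stripped first.  The expansion is deliberately unquoted so the shell
# splits the translated line into a command and its arguments; note that
# globbing applies to it as well (the rule arguments used in this file
# contain neither whitespace nor glob characters).
#######################################
NFRUN()
{
	if [ "$use_iptables" = 1 ]; then
		ip${TST_IPV6}tables "$@"
	else
		$(ip${TST_IPV6}tables-translate "$@" | sed "s/[\']//g")
	fi
}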
28
#######################################
# Undo the single rule a test case appended to the INPUT chain.
# Globals:   use_iptables (read), TST_IPV6 (read)
# Returns:   0; ROD aborts the test if the command fails
#
# With ip[6]tables the first rule of INPUT is deleted, with nft the whole
# INPUT chain of the ip/ip6 "filter" table is flushed.
#######################################
NFRUN_REMOVE()
{
	local family="ip${TST_IPV6}"

	case "$use_iptables" in
	1) ROD "${family}tables" -D INPUT 1 ;;
	*) ROD nft flush chain "$family" filter INPUT ;;
	esac
}
37
#######################################
# Test setup: select the backend, the loopback address and ICMP protocol
# for the address family under test, check the required tools and start
# from empty filter/nat/mangle tables.
# Globals:   use_iptables, TST_IPV6 (read)
#            toolname, cmds, loc_addr, proto, ping_cmd (written)
# Outputs:   flush output is left in tst_iptables.out (errors ignored)
#######################################
init()
{
	local family="ip${TST_IPV6}"
	local table

	case "$use_iptables" in
	1)
		toolname="${family}tables"
		cmds="$toolname"
		tst_require_drivers "${family}_tables"
		;;
	*)
		toolname=nft
		cmds="$toolname ${family}tables-translate"
		;;
	esac

	loc_addr="127.0.0.1"
	proto="icmp"
	if [ -n "$TST_IPV6" ]; then
		loc_addr="::1"
		proto="icmpv6"
	fi
	ping_cmd="ping$TST_IPV6"

	# cmds is a whitespace separated list, hence left unquoted
	tst_require_cmds $cmds $ping_cmd

	tst_res TINFO "INIT: Flushing all rules"
	# best effort: a missing table (e.g. nat) just leaves an error in the
	# scratch file
	for table in filter nat mangle; do
		NFRUN -F -t "$table" > tst_iptables.out 2>&1
	done
}
65
#######################################
# Test cleanup: if the ip[6]_tables module is still loaded, empty the
# tables again and try to unload the netfilter modules the tests may have
# pulled in.
# Globals:   TST_IPV6, TST_IPVER (read)
# Outputs:   rmmod output goes to tst_iptables.out; failures (module not
#            loaded or still in use) are deliberately ignored
#######################################
cleanup()
{
	local family="ip${TST_IPV6}"
	local table

	lsmod | grep -q "${family}_tables" || return 0

	for table in filter nat mangle; do
		NFRUN -F -t "$table" > /dev/null 2>&1
	done

	rmmod -v ipt_limit ipt_multiport ipt_LOG ipt_REJECT \
		 "${family}table_mangle" "${family}table_nat" ip_conntrack \
		 "${family}table_filter" "${family}_tables" \
		 "nf_nat_ipv${TST_IPVER}" nf_nat \
		 "nf_log_ipv${TST_IPVER}" nf_log_common \
		 "nf_reject_ipv${TST_IPVER}" \
		 "nf_conntrack_ipv${TST_IPVER}" "nf_defrag_ipv${TST_IPVER}" \
		 nf_conntrack > tst_iptables.out 2>&1
}
80
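#######################################
# List one table with "<ipt_cmd> -L -t <table>" and require at least
# $3 "Chain" lines in the output (the table's built-in chains).
# Arguments: $1 - ip[6]tables command
#            $2 - table name
#            $3 - minimal number of chains expected
# Outputs:   the listing goes to tst_iptables.out and is shown on failure
# Returns:   0 if the table lists fine, 1 otherwise (TFAIL already reported)
#######################################
iptables_list_table()
{
	local cmd="$1 -L -t $2"
	local min_chains="$3"
	local chaincnt

	tst_res TINFO "$cmd will list all rules in table $2"
	# cmd is intentionally unquoted: command name plus its arguments
	if ! $cmd > tst_iptables.out 2>&1; then
		tst_res TFAIL "$cmd failed to list rules"
		cat tst_iptables.out
		return 1
	fi

	chaincnt=$(grep -c Chain tst_iptables.out)
	if [ "$chaincnt" -lt "$min_chains" ]; then
		tst_res TFAIL "$cmd failed to list rules"
		cat tst_iptables.out
		return 1
	fi

	tst_res TINFO "$cmd lists rules"
	return 0
}

#######################################
# Test case 1: ip[6]tables -L must list the filter, nat and mangle tables.
# Reported as TCONF for the nft backend.
# Arguments: $1 - test case number (only used in the TCONF message)
# Globals:   use_iptables, toolname, TST_IPV6 (read)
#######################################
test1()
{
	local ipt_cmd="ip${TST_IPV6}tables"

	if [ "$use_iptables" != 1 ]; then
		tst_res TCONF "$toolname not applicable for test $1"
		return
	fi

	# Every table must list correctly; a failing table must not fall
	# through to the TPASS below.
	iptables_list_table "$ipt_cmd" filter 3 || return
	iptables_list_table "$ipt_cmd" nat 3 || return
	iptables_list_table "$ipt_cmd" mangle 5 || return

	tst_res TPASS "$ipt_cmd -L lists rules"
}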
144
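#######################################
# Test case 2: a DROP rule for the loopback address must make ping fail
# with 100% packet loss; after the rule is removed ping must work again.
# Globals:   toolname, loc_addr, proto, ping_cmd (read)
# Outputs:   command output is kept in tst_iptables.out and shown on failure
#######################################
test2()
{
	tst_res TINFO "Use $toolname to DROP packets from particular IP"
	tst_res TINFO "Rule to block icmp from $loc_addr"

	if ! NFRUN -A INPUT -s "$loc_addr" -p "$proto" -j DROP \
		> tst_iptables.out 2>&1; then
		tst_res TFAIL "$toolname command failed to append new rule"
		cat tst_iptables.out
		return
	fi

	tst_res TINFO "Pinging $loc_addr"
	if "$ping_cmd" -c 2 "$loc_addr" -W 1 -i 0 > tst_iptables.out 2>&1; then
		tst_res TFAIL "$toolname did not block $proto from $loc_addr"
		cat tst_iptables.out
		return
	fi
	# ping may fail for other reasons too, so require the loss the DROP
	# rule is expected to cause; on a mismatch show the ping output
	# rather than the (empty) grep result.
	if ! grep -q "100% packet loss" tst_iptables.out; then
		tst_res TFAIL "$toolname did not block packets from loopback"
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "Ping $loc_addr not successful"

	tst_res TINFO "Deleting $proto DROP from $loc_addr rule"
	NFRUN_REMOVE

	tst_res TINFO "Pinging $loc_addr again"
	if ! "$ping_cmd" -c 2 "$loc_addr" -W 1 -i 0 > tst_iptables.out 2>&1; then
		tst_res TFAIL "$toolname blocking loopback. This is expected" \
			       "behaviour on certain distributions where" \
			       "enabling firewall drops all packets by default"
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "Ping succsess"
	tst_res TPASS "$toolname can DROP packets from particular IP"
}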
190
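#######################################
# Test case 3: a REJECT rule for echo requests to the loopback address
# must make ping fail with 100% packet loss; after the rule is removed
# ping must work again.
# Globals:   toolname, loc_addr, proto, ping_cmd (read)
# Outputs:   command output is kept in tst_iptables.out and shown on failure
#######################################
test3()
{
	tst_res TINFO "Use $toolname to REJECT ping request"
	tst_res TINFO "Rule to reject ping request"

	if ! NFRUN -A INPUT -p "$proto" "--${proto}-type" echo-request \
		-d "$loc_addr" -j REJECT > tst_iptables.out 2>&1; then
		tst_res TFAIL "$toolname command failed to append new rule"
		cat tst_iptables.out
		return
	fi

	tst_res TINFO "Pinging $loc_addr"
	if "$ping_cmd" -c 2 "$loc_addr" -W 1 -i 0 > tst_iptables.out 2>&1; then
		tst_res TFAIL "$toolname did not reject ping request"
		cat tst_iptables.out
		return
	fi
	# require the loss the REJECT rule is expected to cause; on a
	# mismatch show the ping output rather than the (empty) grep result
	if ! grep -q "100% packet loss" tst_iptables.out; then
		tst_res TFAIL "$toolname did not block ping request"
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "Ping $loc_addr not successful"

	tst_res TINFO "Deleting icmp request REJECT rule"
	NFRUN_REMOVE

	tst_res TINFO "Pinging $loc_addr again"
	if ! "$ping_cmd" -c 2 "$loc_addr" -W 1 -i 0 > tst_iptables.out 2>&1; then
		tst_res TFAIL "$toolname blocking ping requests. This is" \
			      "expected behaviour on certain distributions" \
			      "where enabling firewall drops all packets by" \
			      "default"
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "Ping succsess"
	tst_res TPASS "$toolname can REJECT ping requests"
}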
237
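#######################################
# Test case 4: a LOG rule for TCP packets to one port must produce a
# kernel log line carrying our prefix when a connection to that port is
# attempted (the connection itself is expected to be refused).
# Globals:   TCID, toolname, loc_addr (read)
# Outputs:   telnet output is kept in tst_iptables.out and shown on failure
#######################################
test4()
{
	local dport=45886
	# unique per run so lines from earlier runs in dmesg do not match
	local logprefix="${TCID}$(date +%m%d%H%M%S):"

	tst_res TINFO "Use $toolname to log packets to particular port"
	tst_res TINFO "Rule to log tcp packets to particular port"

	if ! NFRUN -A INPUT -p tcp -d "$loc_addr" --dport "$dport" -j LOG \
		--log-prefix "$logprefix" > tst_iptables.out 2>&1; then
		tst_res TFAIL "$toolname command failed to append new rule"
		cat tst_iptables.out
		return
	fi

	tst_res TINFO "telnet $loc_addr $dport"
	if telnet "$loc_addr" "$dport" > tst_iptables.out 2>&1; then
		tst_res TFAIL "telnet to $loc_addr $dport should fail"
		cat tst_iptables.out
		return
	fi
	# give the kernel log a moment before looking for our prefix; on a
	# miss show the telnet output, the grep result would be empty
	sleep 2
	if ! dmesg | grep -q "$logprefix"; then
		tst_res TFAIL "$toolname did not log packets to port $dport"
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "Packets to port $dport logged"

	tst_res TINFO "Deleting the rule to log"
	NFRUN_REMOVE

	tst_res TINFO "$toolname logging succsess"
	tst_res TPASS "$toolname can log packets to particular port"
}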
279
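#######################################
# Test case 5: LOG rules for a port range (--dport a:b) and a multiport
# list must each produce a kernel log line with our prefix for every port
# when a connection to it is attempted (the connections are expected to be
# refused).  Both rules are removed with a full flush at the end.
# Globals:   TCID, toolname, loc_addr (read)
# Outputs:   telnet output is kept in tst_iptables.out and shown on failure
#######################################
test5()
{
	local dport
	# unique per run so lines from earlier runs in dmesg do not match
	local logprefix="${TCID}$(date +%m%d%H%M%S):"

	tst_res TINFO "Use $toolname to log packets to multiple ports"
	tst_res TINFO "Rule to log tcp packets to port 45801 - 45803"
	if ! NFRUN -A INPUT -p tcp -d "$loc_addr" --dport 45801:45803 -j LOG \
		--log-prefix "$logprefix" > tst_iptables.out 2>&1; then
		tst_res TFAIL "$toolname command failed to append new rule"
		cat tst_iptables.out
		return
	fi

	tst_res TINFO "Rule to log tcp packets to port 45804 - 45806"
	if ! NFRUN -A INPUT -p tcp -d "$loc_addr" -m multiport --dports \
		45804,45806,45805 -j LOG --log-prefix "$logprefix" \
		> tst_iptables.out 2>&1; then
		tst_res TFAIL "$toolname command failed to append new rule"
		cat tst_iptables.out
		return
	fi

	for dport in 45801 45802 45803 45804 45805 45806; do
		tst_res TINFO "telnet $loc_addr $dport"
		if telnet "$loc_addr" "$dport" > tst_iptables.out 2>&1; then
			tst_res TFAIL "telnet to $loc_addr $dport should fail"
			cat tst_iptables.out
			return
		fi
		# give the kernel log a moment; "=$dport " picks the line
		# whose destination port field is this port.  On a miss show
		# the telnet output, the grep result would be empty.
		sleep 2
		if ! dmesg | grep "$logprefix" | grep -q "=$dport "; then
			tst_res TFAIL "$toolname did not log packets" \
				       "to port $dport"
			cat tst_iptables.out
			return
		fi
		tst_res TINFO "Packets to port $dport logged"
	done

	tst_res TINFO "Flushing all rules"
	if ! NFRUN -F > tst_iptables.out 2>&1; then
		tst_res TFAIL "$toolname did not flush all rules"
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "$toolname logging succsess"
	tst_res TPASS "$toolname can log packets to multiple ports"
}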
337
#######################################
# Test case 6: a rate limited LOG rule (-m limit with its defaults) for
# echo requests must log exactly 5 of 10 pings.
# Globals:   TCID, toolname, loc_addr, proto, ping_cmd (read)
# Outputs:   ping output is kept in tst_iptables.out and shown on failure
#######################################
test6()
{
	local logcnt=0
	# unique per run so lines from earlier runs in dmesg do not match
	local logprefix="${TCID}$(date +%m%d%H%M%S):"

	tst_res TINFO "Use $toolname to log ping request with limited rate"
	tst_res TINFO "Rule to log ping request"

	if ! NFRUN -A INPUT -p "$proto" "--${proto}-type" echo-request \
		-d "$loc_addr" -m limit -j LOG --log-prefix "$logprefix" \
		> tst_iptables.out 2>&1; then
		tst_res TFAIL "$toolname command failed to append new rule"
		cat tst_iptables.out
		return
	fi

	tst_res TINFO "Pinging $loc_addr"
	if ! "$ping_cmd" -c 10 "$loc_addr" -W 1 -i 0 > tst_iptables.out 2>&1; then
		tst_res TFAIL "ping to $loc_addr failed. This is expected" \
			      "behaviour on certain distributions where" \
			      "enabling firewall drops all packets by default"
		cat tst_iptables.out
		return
	fi

	# give the kernel log a moment, then count lines with our prefix
	sleep 2
	logcnt=$(dmesg | grep -c "$logprefix")
	if [ "$logcnt" -ne 5 ]; then
		tst_res TFAIL "$toolname did not log packets with" \
			      "limited rate"
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "ping requests logged with limited rate"

	tst_res TINFO "Deleting the rule to log"
	NFRUN_REMOVE

	tst_res TINFO "$toolname limited logging succsess"
	tst_res TPASS "$toolname can log packets with limited rate"
}
381
# Source the LTP network test library; it presumably evaluates the TST_*
# settings above and drives setup, the test cases and cleanup — confirm
# in tst_net.sh.
. tst_net.sh