• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1#!/bin/sh
2# SPDX-License-Identifier: GPL-2.0-or-later
3# Copyright (c) 2018-2019 Oracle and/or its affiliates. All Rights Reserved.
4# Copyright (c) International Business Machines  Corp., 2001
5#
6#  Author:	Jan 20 2004 Hubert Lin <linux02NOSPAAAM@tw.ibm.com>
7#				       <hubertNOSPAAAM@symbio.com.tw>
8
9TST_CNT=6
10TST_TESTFUNC="test"
11TST_NEEDS_TMPDIR=1
12TST_NEEDS_ROOT=1
13TST_SETUP="${TST_SETUP:-init}"
14TST_CLEANUP="${TST_CLEANUP:-cleanup}"
15TST_NEEDS_CMDS="grep telnet"
16
17. tst_net.sh
18
19NFRUN()
20{
21	local rule
22
23	if [ "$use_iptables" = 1 ]; then
24		ip${TST_IPV6}tables $@
25	else
26		$(ip${TST_IPV6}tables-translate $@ | sed 's,\\,,g')
27	fi
28}
29
30NFRUN_REMOVE()
31{
32	if [ "$use_iptables" = 1 ]; then
33		ROD ip${TST_IPV6}tables -D INPUT 1
34	else
35		ROD nft flush chain ip${TST_IPV6} filter INPUT
36	fi
37}
38
39init()
40{
41	if [ "$use_iptables" = 1 ]; then
42		toolname=ip${TST_IPV6}tables
43		cmds="$toolname"
44		tst_require_drivers ip${TST_IPV6}_tables
45	else
46		toolname=nft
47		cmds="$toolname ip${TST_IPV6}tables-translate"
48	fi
49
50	if [ "$TST_IPV6" ];then
51		loc_addr="::1"
52		proto="icmpv6"
53	else
54		loc_addr="127.0.0.1"
55		proto="icmp"
56	fi
57
58	ping_cmd="ping$TST_IPV6"
59	tst_require_cmds $cmds $ping_cmd
60
61	tst_res TINFO "INIT: Flushing all rules"
62	NFRUN -F -t filter > tst_iptables.out 2>&1
63	NFRUN -F -t nat > tst_iptables.out 2>&1
64	NFRUN -F -t mangle > tst_iptables.out 2>&1
65}
66
67cleanup()
68{
69	if lsmod | grep -q "ip${TST_IPV6}_tables"; then
70		NFTRUN -F -t filter > /dev/null 2>&1
71		NFTRUN -F -t nat > /dev/null 2>&1
72		NFTRUN -F -t mangle > /dev/null 2>&1
73		rmmod -v ipt_limit ipt_multiport ipt_LOG ipt_REJECT \
74			 ip${TST_IPV6}table_mangle ip${TST_IPV6}table_nat ip_conntrack \
75			 ip${TST_IPV6}table_filter ip${TST_IPV6}_tables nf_nat_ipv${TST_IPVER} nf_nat \
76			 nf_log_ipv${TST_IPVER} nf_log_common nf_reject_ipv${TST_IPVER} \
77			 nf_conntrack_ipv${TST_IPVER} nf_defrag_ipv${TST_IPVER} nf_conntrack \
78			 > tst_iptables.out 2>&1
79	fi
80}
81
82test1()
83{
84	if [ "$use_iptables" != 1 ]; then
85		tst_res TCONF "$toolname not applicable for test $1"
86		return
87	fi
88	local chaincnt=0
89	local ipt_cmd="ip${TST_IPV6}tables"
90	local cmd="$ipt_cmd -L -t filter"
91	tst_res TINFO "$cmd will list all rules in table filter"
92	$cmd > tst_iptables.out 2>&1
93	if [ $? -ne 0 ]; then
94		tst_res TFAIL "$cmd failed to list rules"
95		cat tst_iptables.out
96		return
97	else
98		chaincnt=$(grep -c Chain tst_iptables.out)
99		if [ $chaincnt -lt 3 ]; then
100			tst_res TFAIL "$cmd failed to list rules"
101			cat tst_iptables.out
102			return
103		else
104			tst_res TINFO "$cmd lists rules"
105		fi
106	fi
107
108	local cmd="$ipt_cmd -L -t nat"
109	tst_res TINFO "$cmd will list all rules in table nat"
110	$cmd > tst_iptables.out 2>&1
111	if [ $? -ne 0 ]; then
112		tst_res TFAIL "$cmd failed to list rules"
113		cat tst_iptables.out
114		return
115	else
116		chaincnt=$(grep -c Chain tst_iptables.out)
117		if [ $chaincnt -lt 3 ]; then
118			tst_res TFAIL "$cmd failed to list rules"
119			cat tst_iptables.out
120			return
121		else
122			tst_res TINFO "$cmd lists rules"
123		fi
124	fi
125
126	local cmd="$ipt_cmd -L -t mangle"
127	tst_res TINFO "$cmd will list all rules in table mangle"
128	$cmd > tst_iptables.out 2>&1
129	if [ $? -ne 0 ]; then
130		tst_res TFAIL "$cmd failed to list rules"
131		cat tst_iptables.out
132		return
133	else
134		chaincnt=$(grep -c Chain tst_iptables.out)
135		if [ $chaincnt -lt 5 ]; then
136			tst_res TFAIL "$cmd failed to list rules"
137			cat tst_iptables.out
138		else
139			tst_res TINFO "$cmd lists rules"
140		fi
141	fi
142
143	tst_res TPASS "$ipt_cmd -L lists rules"
144}
145
146test2()
147{
148	tst_res TINFO "Use $toolname to DROP packets from particular IP"
149	tst_res TINFO "Rule to block icmp from $loc_addr"
150
151	NFRUN -A INPUT -s $loc_addr -p $proto -j DROP > tst_iptables.out 2>&1
152	if [ $? -ne 0 ]; then
153		tst_res TFAIL "$toolname command failed to append new rule"
154		cat tst_iptables.out
155		return
156	fi
157
158	tst_res TINFO "Pinging $loc_addr"
159	$ping_cmd -c 2 $loc_addr -W 1 -i 0 > tst_iptables.out 2>&1
160	if [ $? -ne 0 ]; then
161		grep "100% packet loss" tst_iptables.out > tst_iptables.err 2>&1
162		if [ $? -ne 0 ]; then
163			tst_res TFAIL \
164				 "$toolname did not block packets from loopback"
165			cat tst_iptables.err
166			return
167		else
168			tst_res TINFO "Ping $loc_addr not successful"
169		fi
170	else
171		tst_res TFAIL "$toolname did not block $proto from $loc_addr"
172		cat tst_iptables.out
173		return
174	fi
175
176	tst_res TINFO "Deleting $proto DROP from $loc_addr rule"
177	NFRUN_REMOVE
178
179	tst_res TINFO "Pinging $loc_addr again"
180	$ping_cmd -c 2 $loc_addr -W 1 -i 0 > tst_iptables.out 2>&1
181	if [ $? -ne 0 ]; then
182		tst_res TFAIL "$toolname blocking loopback. This is expected" \
183			       "behaviour on certain distributions where" \
184			       "enabling firewall drops all packets by default"
185		cat tst_iptables.out
186		return
187	fi
188	tst_res TINFO "Ping succsess"
189	tst_res TPASS "$toolname can DROP packets from particular IP"
190}
191
192test3()
193{
194	tst_res TINFO "Use $toolname to REJECT ping request"
195	tst_res TINFO "Rule to reject ping request"
196
197	NFRUN -A INPUT -p $proto --${proto}-type echo-request -d $loc_addr -j \
198		 REJECT > tst_iptables.out 2>&1
199	if [ $? -ne 0 ]; then
200		tst_res TFAIL "$toolname command failed to append new rule"
201		cat tst_iptables.out
202		return
203	fi
204
205	tst_res TINFO "Pinging $loc_addr"
206	$ping_cmd -c 2 $loc_addr -W 1 -i 0 > tst_iptables.out 2>&1
207	if [ $? -ne 0 ]; then
208		grep "100% packet loss" tst_iptables.out > tst_iptables.err 2>&1
209		if [ $? -ne 0 ]; then
210			tst_res TFAIL "$toolname did not block ping request"
211			cat tst_iptables.err
212			return
213		else
214			tst_res TINFO "Ping $loc_addr not successful"
215		fi
216	else
217		tst_res TFAIL "$toolname did not reject ping request"
218		cat tst_iptables.out
219		return
220	fi
221
222	tst_res TINFO "Deleting icmp request REJECT rule"
223	NFRUN_REMOVE
224
225	tst_res TINFO "Pinging $loc_addr again"
226	$ping_cmd -c 2 $loc_addr -W 1 -i 0 > tst_iptables.out 2>&1
227	if [ $? -ne 0 ]; then
228		tst_res TFAIL "$toolname blocking ping requests. This is" \
229			      "expected behaviour on certain distributions" \
230			      "where enabling firewall drops all packets by" \
231			      "default"
232		cat tst_iptables.out
233		return
234	fi
235	tst_res TINFO "Ping succsess"
236	tst_res TPASS "$toolname can REJECT ping requests"
237}
238
239test4()
240{
241	local dport=45886
242	local logprefix="${TCID}$(date +%m%d%H%M%S):"
243
244	tst_res TINFO "Use $toolname to log packets to particular port"
245	tst_res TINFO "Rule to log tcp packets to particular port"
246
247	NFRUN -A INPUT -p tcp -d $loc_addr --dport $dport -j LOG \
248		 --log-prefix "$logprefix" > tst_iptables.out 2>&1
249	if [ $? -ne 0 ]; then
250		tst_res TFAIL "$toolname command failed to append new rule"
251		cat tst_iptables.out
252		return
253	fi
254
255	tst_res TINFO "telnet $loc_addr $dport"
256	telnet $loc_addr $dport > tst_iptables.out 2>&1
257	if [ $? -ne 0 ]; then
258		sleep 2
259		dmesg | grep "$logprefix" > tst_iptables.err 2>&1
260		if [ $? -ne 0 ]; then
261			tst_res TFAIL \
262				 "$toolname did not log packets to port $dport"
263			cat tst_iptables.err
264			return
265		else
266			tst_res TINFO "Packets to port $dport logged"
267		fi
268	else
269		tst_res TFAIL "telnet to $loc_addr $dport should fail"
270		cat tst_iptables.out
271		return
272	fi
273
274	tst_res TINFO "Deleting the rule to log"
275	NFRUN_REMOVE
276
277	tst_res TINFO "$toolname logging succsess"
278	tst_res TPASS "$toolname can log packets to particular port"
279}
280
281test5()
282{
283	local dport=0
284	local logprefix="${TCID}$(date +%m%d%H%M%S):"
285
286	tst_res TINFO "Use $toolname to log packets to multiple ports"
287	tst_res TINFO "Rule to log tcp packets to port 45801 - 45803"
288	NFRUN -A INPUT -p tcp -d $loc_addr --dport 45801:45803 -j LOG \
289		 --log-prefix "$logprefix" > tst_iptables.out 2>&1
290	if [ $? -ne 0 ]; then
291		tst_res TFAIL "$toolname command failed to append new rule"
292		cat tst_iptables.out
293		return
294	fi
295
296	tst_res TINFO "Rule to log tcp packets to port 45804 - 45806"
297	NFRUN -A INPUT -p tcp -d $loc_addr -m multiport --dports \
298		 45804,45806,45805 -j LOG --log-prefix "$logprefix" \
299		 > tst_iptables.out 2>&1
300	if [ $? -ne 0 ]; then
301		tst_res TFAIL "$toolname command failed to append new rule"
302		cat tst_iptables.out
303		return
304	fi
305
306	for dport in 45801 45802 45803 45804 45805 45806; do
307		tst_res TINFO "telnet $loc_addr $dport"
308		telnet $loc_addr $dport > tst_iptables.out 2>&1
309		if [ $? -ne 0 ]; then
310			sleep 2
311			dmesg | grep "$logprefix" | grep "=$dport " \
312				> tst_iptables.err 2>&1
313			if [ $? -ne 0 ]; then
314				tst_res TFAIL "$toolname did not log packets" \
315					       "to port $dport"
316				cat tst_iptables.err
317				return
318			else
319				tst_res TINFO "Packets to port $dport logged"
320			fi
321		else
322			tst_res TFAIL "telnet to $loc_addr $dport should fail"
323			cat tst_iptables.out
324			return
325		fi
326	done
327
328	tst_res TINFO "Flushing all rules"
329	NFRUN -F > tst_iptables.out 2>&1
330	if [ $? -ne 0 ]; then
331		tst_res TFAIL "$toolname did not flush all rules"
332		cat tst_iptables.out
333		return
334	fi
335	tst_res TINFO "$toolname logging succsess"
336	tst_res TPASS "$toolname can log packets to multiple ports"
337}
338
339test6()
340{
341	local logcnt=0
342	local logprefix="${TCID}$(date +%m%d%H%M%S):"
343
344	tst_res TINFO "Use $toolname to log ping request with limited rate"
345	tst_res TINFO "Rule to log ping request"
346
347	NFRUN -A INPUT -p $proto --$proto-type echo-request -d $loc_addr -m \
348		 limit -j LOG --log-prefix "$logprefix" > tst_iptables.out 2>&1
349	if [ $? -ne 0 ]; then
350		tst_res TFAIL "$toolname command failed to append new rule"
351		cat tst_iptables.out
352		return
353	fi
354
355	tst_res TINFO "Pinging $loc_addr"
356	$ping_cmd -c 10 $loc_addr -W 1 -i 0 > tst_iptables.out 2>&1
357	if [ $? -eq 0 ]; then
358		sleep 2
359		logcnt=$(dmesg | grep -c "$logprefix")
360		if [ $logcnt -ne 5 ]; then
361			tst_res TFAIL "$toolname did not log packets with" \
362				      "limited rate"
363			cat tst_iptables.out
364			return
365		else
366			tst_res TINFO "ping requests logged with limited rate"
367		fi
368	else
369		tst_res TFAIL "ping to $loc_addr failed. This is expected" \
370			      "behaviour on certain distributions where" \
371			      "enabling firewall drops all packets by default"
372		cat tst_iptables.out
373		return
374	fi
375
376	tst_res TINFO "Deleting the rule to log"
377	NFRUN_REMOVE
378
379	tst_res TINFO "$toolname limited logging succsess"
380	tst_res TPASS "$toolname can log packets with limited rate"
381}
382