From ba52fc13241a72ad26b7ea0cd38a1e8ded693961 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Wed, 14 Aug 2024 14:30:11 +0200
Subject: [PATCH] tests: shell: New xtables-monitor test
JIRA: https://issues.redhat.com/browse/RHEL-47264
Upstream Status: iptables commit 876a71bf7ad573dea998ca61a03fd35f2b04557b
commit 876a71bf7ad573dea998ca61a03fd35f2b04557b
Author: Phil Sutter
Date: Fri Jul 12 13:10:08 2024 +0200
tests: shell: New xtables-monitor test
Only events monitoring for now.
Signed-off-by: Phil Sutter
Signed-off-by: Phil Sutter
---
 .../testcases/nft-only/0012-xtables-monitor_0 | 149 ++++++++++++++++++
 1 file changed, 149 insertions(+)
 create mode 100755 iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
diff --git a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
new file mode 100755
index 0000000..7b028ba
--- /dev/null
+++ b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
@@ -0,0 +1,149 @@
+#!/bin/bash
+
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+
+log=$(mktemp)
+trap "rm -f $log" EXIT
+echo "logging into file $log"
+rc=0
+
+# Filter monitor output:
+# - NEWGEN event is moot:
+# - GENID/PID are arbitrary,
+# - NAME always "xtables-nft-mul"
+# - handle is arbitrary as well
+logfilter() { # (logfile)
+ grep -v '^NEWGEN:' "$1" | sed -e 's/handle [0-9]\+/handle 0/'
+}
+
+# Compare monitor output for given command against content of the global $EXP
+monitorcheck() { # (cmd ...)
+ $XT_MULTI xtables-monitor -e >"$log"&
+ monpid=$!
+ sleep 0.5
+
+ $XT_MULTI "$@" || {
+ echo "Error: command failed: $@"
+ let "rc++"
+ kill $monpid
+ wait
+ return
+ }
+ sleep 0.5
+ kill $monpid
+ wait
+ diffout=$(diff -u <(echo "$EXP") <(logfilter "$log")) || {
+ echo "Fail: unexpected result for command: '$@':"
+ grep -v '^\(---\|+++\|@@\)' <<< "$diffout"
+ let "rc++"
+ }
+}
+
+EXP="\
+ EVENT: nft: NEW table: table filter ip flags 0 use 1 handle 0
+ EVENT: nft: NEW chain: ip filter FORWARD use 1 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1
+ EVENT: -4 -t filter -A FORWARD -j ACCEPT"
+monitorcheck iptables -A FORWARD -j ACCEPT
+
+EXP="\
+ EVENT: nft: NEW table: table filter ip6 flags 0 use 1 handle 0
+ EVENT: nft: NEW chain: ip6 filter FORWARD use 1 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1
+ EVENT: -6 -t filter -A FORWARD -j ACCEPT"
+monitorcheck ip6tables -A FORWARD -j ACCEPT
+
+# FIXME
+EXP="\
+ EVENT: nft: NEW table: table filter bridge flags 0 use 1 handle 0
+ EVENT: nft: NEW chain: bridge filter FORWARD use 1 type filter hook forward prio -200 policy accept packets 0 bytes 0 flags 1
+ EVENT: "
+monitorcheck ebtables -A FORWARD -j ACCEPT
+
+EXP="\
+ EVENT: nft: NEW table: table filter arp flags 0 use 1 handle 0
+ EVENT: nft: NEW chain: arp filter INPUT use 1 type filter hook input prio 0 policy accept packets 0 bytes 0 flags 1
+ EVENT: -0 -t filter -A INPUT -j ACCEPT"
+monitorcheck arptables -A INPUT -j ACCEPT
+
+EXP=" EVENT: -4 -t filter -N foo"
+monitorcheck iptables -N foo
+
+EXP=" EVENT: -6 -t filter -N foo"
+monitorcheck ip6tables -N foo
+
+# FIXME
+EXP="\
+ EVENT: nft: NEW chain: bridge filter foo use 1
+ EVENT: "
+monitorcheck ebtables -N foo
+
+EXP=" EVENT: -0 -t filter -N foo"
+monitorcheck arptables -N foo
+
+# meta l4proto matches require proper nft_handle:family value
+EXP=" EVENT: -4 -t filter -A FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 22 -j ACCEPT"
+monitorcheck iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT
+
+EXP=" EVENT: -6 -t filter -A FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT"
+monitorcheck ip6tables -A FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT
+
+# FIXME
+EXP=" EVENT: "
+monitorcheck ebtables -A FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT
+
+EXP=" EVENT: -0 -t filter -A INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06"
+monitorcheck arptables -A INPUT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06 -j ACCEPT
+
+EXP=" EVENT: -4 -t filter -D FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 22 -j ACCEPT"
+monitorcheck iptables -D FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT
+
+EXP=" EVENT: -6 -t filter -D FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT"
+monitorcheck ip6tables -D FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT
+
+# FIXME
+EXP=" EVENT: "
+monitorcheck ebtables -D FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT
+
+EXP=" EVENT: -0 -t filter -D INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06"
+monitorcheck arptables -D INPUT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06 -j ACCEPT
+
+EXP=" EVENT: -4 -t filter -X foo"
+monitorcheck iptables -X foo
+
+EXP=" EVENT: -6 -t filter -X foo"
+monitorcheck ip6tables -X foo
+
+# FIXME
+EXP="\
+ EVENT:
+ EVENT: nft: DEL chain: bridge filter foo use 0"
+monitorcheck ebtables -X foo
+
+EXP=" EVENT: -0 -t filter -X foo"
+monitorcheck arptables -X foo
+
+EXP=" EVENT: -4 -t filter -D FORWARD -j ACCEPT"
+monitorcheck iptables -F FORWARD
+
+EXP=" EVENT: -6 -t filter -D FORWARD -j ACCEPT"
+monitorcheck ip6tables -F FORWARD
+
+# FIXME
+EXP=" EVENT: "
+monitorcheck ebtables -F FORWARD
+
+EXP=" EVENT: -0 -t filter -D INPUT -j ACCEPT"
+monitorcheck arptables -F INPUT
+
+EXP=" EVENT: nft: DEL chain: ip filter FORWARD use 0 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1"
+monitorcheck iptables -X FORWARD
+
+EXP=" EVENT: nft: DEL chain: ip6 filter FORWARD use 0 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1"
+monitorcheck ip6tables -X FORWARD
+
+EXP=" EVENT: nft: DEL chain: bridge filter FORWARD use 0 type filter hook forward prio -200 policy accept packets 0 bytes 0 flags 1"
+monitorcheck ebtables -X FORWARD
+
+EXP=" EVENT: nft: DEL chain: arp filter INPUT use 0 type filter hook input prio 0 policy accept packets 0 bytes 0 flags 1"
+monitorcheck arptables -X INPUT
+
+exit $rc
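Review bot: `monitorcheck` never verifies that the background `$XT_MULTI xtables-monitor -e` is still running before it executes the command under test; if the monitor exits right away (presumably possible when the nf_tables netlink socket cannot be opened or the binary lacks the needed privileges), the later `kill $monpid` fails silently and the only symptom is a confusing diff against an empty log file. A liveness check after the first `sleep 0.5` turns that into a precise error: `kill -0 "$monpid" 2>/dev/null || { echo "Error: xtables-monitor exited early"; let "rc++"; wait; return; }`. The fixed half-second sleeps before and after the command are also a race, since the monitor gives no readiness signal and events emitted before its subscription is up are lost, so on a loaded host this test can fail intermittently; a comment such as `# xtables-monitor has no readiness signal; 0.5s is a heuristic settle time` would at least record the trade-off. Minor: `echo "Error: command failed: $@"` and the `'$@'` in the Fail message should use `$*` inside a quoted string (ShellCheck SC2145).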