Sync tests/ from RHEL8.8

Related: rhbz#2211063
Phil Sutter 2023-07-15 02:19:44 +02:00
parent d0103a7c9d
commit 4109868d74
43 changed files with 1985 additions and 0 deletions


@ -0,0 +1,63 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/iptables/Sanity/NFQUEUE-queue-bypass
# Description: Test for "--queue-bypass" backport
# Author: Ales Zelinka <azelinka@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/iptables/Sanity/NFQUEUE-queue-bypass
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Ales Zelinka <azelinka@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Test for \"--queue-bypass\" backport" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: iptables" >> $(METADATA)
@echo "Requires: iptables" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
rhts-lint $(METADATA)
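Review bot: The `.PHONY` line names `all install download clean` but not `run` or `build`, the two targets this Makefile defines itself, so a stray file called `run` or `build` in the test directory would make them look up to date. Unless `rhts-make.include` already declares them (not visible here), I would write `.PHONY: all install download clean run build`. The same line is repeated in the other five test Makefiles in this commit. The `$(METADATA)` recipe also builds its target line by line before `rhts-lint` runs, so a failed lint leaves a complete-looking file that is newer than the Makefile; adding `.DELETE_ON_ERROR:` would cover that.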


@ -0,0 +1,4 @@
PURPOSE of /CoreOS/iptables/Sanity/NFQUEUE-queue-bypass
Description: Test for "--queue-bypass" backport
Author: Ales Zelinka <azelinka@redhat.com>
Bug summary: "--queue-bypass" backport


@ -0,0 +1,54 @@
#!/bin/bash
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/iptables/Sanity/NFQUEUE-queue-bypass
# Description: Test for "--queue-bypass" backport
# Author: Ales Zelinka <azelinka@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="iptables"
rlJournalStart
rlPhaseStartTest control-ping
rlRun "ping -w 2 -c 2 127.0.0.1"
rlPhaseEnd
rlPhaseStartTest NFQUEUE-no-listener
rlRun "iptables -I INPUT -p icmp -j NFQUEUE" 0 "queue all icmp for userspace processing"
rlRun "ping -w 2 -c 2 127.0.0.1" 1-255 "ping 127.0.0.1 - none is listening on queue so packets will be dropped"
rlRun "iptables -D INPUT -p icmp -j NFQUEUE" 0 "removing the queue rule"
rlPhaseEnd
rlPhaseStartTest NFQUEUE-no-listener-bypass
rlRun "iptables -I INPUT -p icmp -j NFQUEUE --queue-bypass" 0 "queue all icmp for userspace processing, bypass if no one is listening"
rlRun "ping -w 2 -c 2 127.0.0.1" 0 "ping 127.0.0.1 - none is listening on queue - bypass will make packets go through"
rlRun "iptables -D INPUT -p icmp -j NFQUEUE --queue-bypass" 0 "removing the queue rule"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
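Review bot: Both NFQUEUE phases insert a rule into INPUT and remove it inside the same test phase, and the script has no `rlPhaseStartCleanup`; if the run is interrupted between the `-I` and the `-D`, the host keeps sending all ICMP to a queue nobody reads. I would save the ruleset to a temporary file up front with `iptables-save` and put an `iptables-restore` of that file in a cleanup phase, so the rule is removed however the test phases end. The no-listener phase also depends on nothing on the machine being bound to the default queue; a comment such as `# assumes no NFQUEUE listener on queue 0` would make that precondition explicit.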


@ -0,0 +1,63 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/iptables/Regression/RFE-Enable-the-missing-IPv6-SET-target
# Description: Test for [RFE] Enable the missing IPv6 "SET" target
# Author: Tomas Dolezal <todoleza@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2015 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/iptables/Regression/RFE-Enable-the-missing-IPv6-SET-target
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Test for [RFE] Enable the missing IPv6 \"SET\" target" >> $(METADATA)
@echo "Type: Regression" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: iptables" >> $(METADATA)
@echo "Requires: iptables ipset" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2+" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
rhts-lint $(METADATA)


@ -0,0 +1,4 @@
PURPOSE of /CoreOS/iptables/Regression/RFE-Enable-the-missing-IPv6-SET-target
Description: Test for [RFE] Enable the missing IPv6 "SET" target
Author: Tomas Dolezal <todoleza@redhat.com>
Bug summary: [RFE] Enable the missing IPv6 "SET" target userland ip6tables support to enable ipset to be usable with IPv6


@ -0,0 +1,65 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/iptables/Regression/RFE-Enable-the-missing-IPv6-SET-target
# Description: Test for [RFE] Enable the missing IPv6 "SET" target
# Author: Tomas Dolezal <todoleza@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2015 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="iptables"
IPSET=testset6
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
# rlAssertRpm kernel
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "pushd $TmpDir"
rlRun "ipset create $IPSET hash:ip family inet6"
rlRun "ipset add testset6 1234::3456"
rlRun "ip6tables-save -t filter > ipt6.save"
rlPhaseEnd
rlPhaseStartTest
RULE1="INPUT -p tcp -m multiport --dports 21,22,23,25,53,81,123,143 -m conntrack --ctstate NEW --syn -m set ! --match-set $IPSET src -j LOG --log-prefix 'LOG:IPSET added to $IPSET'"
RULE2="INPUT -p tcp -m multiport --dports 21,22,23,25,53,81,123,143 -m conntrack --ctstate NEW --syn -m set ! --match-set $IPSET src -j SET --add-set $IPSET src"
for op in -A -C -D; do #add, check, delete
rlRun "ip6tables $op $RULE1" 0 "do $op logrule"
rlRun "ip6tables $op $RULE2" 0 "do $op -j SET rule"
done
rlRun "ip6tables-save -t filter > ipt6.save2"
rlRun "sed -e '/^#/d' -e 's/\[.*:.*\]$//' -i ipt6*" 0 "magically unify savefiles"
rlAssertNotDiffer ipt6.save ipt6.save2
diff -u ipt6.save ipt6.save2
rlPhaseEnd
rlPhaseStartCleanup
rlRun "ipset destroy $IPSET"
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
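Review bot: The cleanup phase runs `ipset destroy $IPSET` without first making sure the two ip6tables rules are gone; if either `-D` in the loop fails, the rules that still reference the set stay in INPUT and the destroy is likely to fail because the set is in use. Removing the rules again in cleanup (accepting `0,1`) or restoring the filter table saved in setup before the destroy would leave the host clean either way. Note that `ipt6.save` is rewritten by the `sed -i` step, so a restore needs an untouched copy. Setup also hard-codes the set name in `ipset add testset6 1234::3456`; `ipset add $IPSET 1234::3456` keeps it in step with the variable.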


@ -0,0 +1,63 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/iptables/Regression/RFE-iptables-add-C-option-to-iptables-in-RHEL6
# Description: Test for RFE iptables add -C option to iptables in RHEL6 to
# Author: Tomas Dolezal <todoleza@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2015 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/iptables/Regression/RFE-iptables-add-C-option-to-iptables-in-RHEL6
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE rules.in
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Test for RFE iptables add -C option to iptables in RHEL6 to" >> $(METADATA)
@echo "Type: Regression" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: iptables" >> $(METADATA)
@echo "Requires: iptables" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2+" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
rhts-lint $(METADATA)


@ -0,0 +1,4 @@
PURPOSE of /CoreOS/iptables/Regression/RFE-iptables-add-C-option-to-iptables-in-RHEL6
Description: Test for RFE iptables add -C option to iptables in RHEL6 to
Author: Tomas Dolezal <todoleza@redhat.com>
Bug summary: RFE: iptables: add -C option to iptables in RHEL6 to check for existing rules


@ -0,0 +1,50 @@
# vim: ft=sh
rules4=(
"-t nat -A POSTROUTING -o tun+ -j MASQUERADE"
"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
"-A INPUT -p icmp -m icmp --icmp-type source-quench -j REJECT --reject-with icmp-host-prohibited"
"-A INPUT -p icmp -j ACCEPT"
"-A INPUT -i lo -j ACCEPT"
"-A INPUT -i ippp+ -j ACCEPT"
"-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"
"-A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT"
"-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"
"-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT"
"-A INPUT -p ah -j ACCEPT"
"-A INPUT -p esp -j ACCEPT"
"-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT"
"-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT"
"-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT"
"-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT"
"-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
"-A FORWARD -p icmp -m icmp --icmp-type source-quench -j REJECT --reject-with icmp-host-prohibited"
"-A FORWARD -p icmp -j ACCEPT"
"-A FORWARD -i lo -j ACCEPT"
"-A FORWARD -i ippp+ -j ACCEPT"
"-A FORWARD -o tun+ -j ACCEPT"
"-A INPUT -j REJECT --reject-with icmp-host-prohibited"
"-A FORWARD -j REJECT --reject-with icmp-host-prohibited"
)
rules6=(
"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
"-A INPUT -p ipv6-icmp -j ACCEPT"
"-A INPUT -i lo -j ACCEPT"
"-A INPUT -m state --state NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT"
"-A INPUT -i ippp+ -j ACCEPT"
"-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"
"-A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT"
"-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"
"-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d ff02::fb -j ACCEPT"
"-A INPUT -m ipv6header --header ah -j ACCEPT"
"-A INPUT -m ipv6header --header esp -j ACCEPT"
"-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT"
"-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT"
"-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT"
"-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
"-A FORWARD -p ipv6-icmp -j ACCEPT"
"-A FORWARD -i lo -j ACCEPT"
"-A FORWARD -i ippp+ -j ACCEPT"
"-A INPUT -j REJECT --reject-with icmp6-adm-prohibited"
"-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited"
)
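Review bot: The UDP `--dport 631` rule appears twice in each array (the first and third 631 entries of `rules4`, and likewise in `rules6`), so the second append adds an exact duplicate and the `-C` check that follows it would succeed even if that append had done nothing. If the repetition is deliberate, a comment such as `# duplicate on purpose: -C must cope with repeated rules` would say so; otherwise one copy can go. Since the test reads this file with `source`, a header comment stating that it must contain only the two array definitions would also help.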


@ -0,0 +1,73 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/iptables/Regression/RFE-iptables-add-C-option-to-iptables-in-RHEL6
# Description: Test for RFE iptables add -C option to iptables in RHEL6 to
# Author: Tomas Dolezal <todoleza@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2015 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="iptables"
TESTD=$PWD
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "pushd $TmpDir"
rlRun "source $TESTD/rules.in" 0 "read ruleset"
rlRun "iptables -F"
rlRun "ip6tables -F"
rlPhaseEnd
rlPhaseStartTest
declare -i sane=0
for i in ${!rules4[*]}; do
let sane++
rlRun "iptables ${rules4[$i]}"
testrule="${rules4[$i]/-A/-C}"
rlRun "iptables $testrule"
done
for i in ${!rules6[*]}; do
let sane++
rlRun "ip6tables ${rules6[$i]}"
testrule="${rules6[$i]/-A/-C}"
rlRun "ip6tables $testrule"
done
#check itercount
if [[ $sane -lt 40 ]]; then
rlFail "test insane, do inspect" # rules were not properly loaded!
fi
rlPhaseEnd
rlPhaseStartCleanup
rlRun "iptables -F"
rlRun "iptables -t nat -F"
rlRun "ip6tables -F"
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
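Review bot: Setup runs `iptables -F` and `ip6tables -F` without saving the existing rules, and cleanup flushes again instead of restoring, so whatever firewall the host had before the test is gone afterwards, while the Makefile for this test declares `Destructive: no`. I would save first with `rlRun "iptables-save > ipt.save"` (and the ip6tables equivalent) and restore in cleanup with `rlRun "iptables-restore < ipt.save"`. The cgroup-frontend test later in this commit flushes both filter tables in its cleanup the same way, and the TRACE test flushes the whole raw table rather than removing the rule it inserted.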


@ -0,0 +1,63 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/iptables/Regression/TRACE-target-of-iptables-can-t-work-in
# Description: Test for TRACE target of iptables can't work in
# Author: Tomas Dolezal <todoleza@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2016 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/iptables/Regression/TRACE-target-of-iptables-can-t-work-in
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Test for TRACE target of iptables can't work in" >> $(METADATA)
@echo "Type: Regression" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: iptables" >> $(METADATA)
@echo "Requires: iptables iptables-services" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2+" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
rhts-lint $(METADATA)


@ -0,0 +1,4 @@
PURPOSE of /CoreOS/iptables/Regression/TRACE-target-of-iptables-can-t-work-in
Description: Test for TRACE target of iptables can't work in
Author: Tomas Dolezal <todoleza@redhat.com>
Bug summary: TRACE target of iptables can't work in RHEL7.1/RHEL7.2


@ -0,0 +1,136 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/iptables/Regression/TRACE-target-of-iptables-can-t-work-in
# Description: Test for TRACE target of iptables can't work in
# Author: Tomas Dolezal <todoleza@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2016 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="iptables"
SERVICES="iptables ip6tables firewalld"
prepare_page() {
section=$1
name=$2
dest=${name}.manpage
zcat /usr/share/man/man${section}/${name}.${section}.gz | tr -s ' ' > ${dest}
rlAssertExists ${dest}
}
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
# rlAssertRpm kernel
rlLogInfo $(uname -r)
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "pushd $TmpDir"
prepare_page 8 iptables-extensions
for svc in $SERVICES; do
rlServiceStop $svc
done
rlRun "ip -4 -o r | grep default | head -1 | sed -re 's/.*dev ((\.|\w)+).*/\1/' > default-iface"
IFACE="$(< default-iface)"
rlAssertExists "/sys/class/net/$IFACE"
rlRun "ip route save > ip-route.save" 0 "save routing info"
rlRun "ip -6 route save > ip-route.save6" 0 "save ipv6 routing info"
rlRun "ip -6 r add default dev $IFACE" 0,2 "add ipv6 default route"
rlRun "rmmod nf_log_ipv4" 0,1
rlRun "rmmod nf_log_ipv6" 0,1
rlPhaseEnd
rlPhaseStartTest "manpage check"
rlAssertGrep "nfnetlink_log" iptables-extensions.manpage
if rlIsRHEL 7 && rlIsRHEL '>=7.3' ; then
# RHEL version-specific libxt_TRACE man page patchs
rlAssertGrep "nf_log_ipv4(6)" iptables-extensions.manpage
rlAssertNotGrep "ip(...)?t_LOG" iptables-extensions.manpage -Ei
fi
rlPhaseEnd
ipv4_ping() {
rlRun "ping -i 0.2 -c 3 -W 1 192.0.2.99" 0,1 "ipv4 icmp out (ping)"
}
ipv6_ping() {
rlRun "ping6 -i 0.2 -c 3 -W 1 2001:DB8::99" 0,1 "ipv6 icmp out (ping6)"
}
get_messages() {
if rlIsFedora; then
journalctl -qkb
else
cat /var/log/messages
fi
}
rlPhaseStartTest "iptables_TRACE"
rlRun "get_messages > messages.log-orig"
rlRun "iptables -t raw -I OUTPUT -p icmp -j TRACE" 0
rlRun "ip6tables -t raw -I OUTPUT -p icmpv6 -j TRACE" 0
if rlTestVersion "$(uname -r)" "<" "4.6"; then
ipv4_ping; ipv6_ping
rlRun "get_messages > messages.current"
rlRun "diff messages.log-orig messages.current > diff.1" 0,1
echo --debug_START--
cat diff.1
echo --debug_END--
rlRun "modprobe nf_log_ipv4" 0 "load ipv4 TRACE logging module"
rlRun "modprobe nf_log_ipv6" 0 "load ipv6 TRACE logging module"
rlAssertNotGrep "TRACE" diff.1
else
rlLogInfo "new kernel detected: skipping loading modules and associated checks"
fi
ipv4_ping; ipv6_ping
rlRun "get_messages > messages.current"
rlRun "diff messages.log-orig messages.current > diff.2" 0,1
rlAssertGrep "TRACE" diff.2
rlAssertGrep "TRACE.*PROTO=ICMP " diff.2
rlAssertGrep "TRACE.*PROTO=ICMPv6 " diff.2
echo --debug_START--
cat diff.2
echo --debug_END--
rlPhaseEnd
rlPhaseStartCleanup
rlRun "ip route flush default" 0 "flush ip route data"
rlRun "ip -6 route flush default" 0 "flush ipv6 route data"
rlRun "ip route restore < ip-route.save" 0 "restore routing info"
rlRun "ip -6 route restore < ip-route.save6" 0 "restore routing info ipv6"
rlRun "iptables -t raw -F"
rlRun "ip6tables -t raw -F"
rlRun "rmmod nf_log_ipv4"
rlRun "rmmod nf_log_ipv6"
rlRun "rmmod nf_log_common"
rlRun "rmmod nfnetlink_log" 0,1
rlLogInfo "restoring services"
for svc in $SERVICES; do
rlServiceRestore $svc
done
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
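Review bot: In setup, if the pipeline finds no IPv4 default route, `IFACE` is empty and `rlAssertExists "/sys/class/net/$IFACE"` still passes because the directory itself exists, so the test carries on to `ip -6 r add default dev` with no device name. A guard right after the read, `[[ -n "$IFACE" ]] || rlDie "no default IPv4 interface found"`, stops it there. Cleanup then runs `ip route flush default` before `ip route restore < ip-route.save`; if the save in setup failed, a remote test machine is left without a default route, so the flush should be conditional on the save file being non-empty, e.g. `[[ -s ip-route.save ]]`.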


@ -0,0 +1,63 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/iptables/Sanity/backport-iptables-add-libxt-cgroup-frontend
# Description: Test for backport iptables add libxt_cgroup frontend
# Author: Tomas Dolezal <todoleza@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2015 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/iptables/Sanity/backport-iptables-add-libxt-cgroup-frontend
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Test for backport iptables add libxt_cgroup frontend" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: iptables" >> $(METADATA)
@echo "Requires: iptables libcgroup-tools" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2+" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
rhts-lint $(METADATA)


@ -0,0 +1,4 @@
PURPOSE of /CoreOS/iptables/Sanity/backport-iptables-add-libxt-cgroup-frontend
Description: Test for backport iptables add libxt_cgroup frontend
Author: Tomas Dolezal <todoleza@redhat.com>
Bug summary: Backport: iptables: add libxt_cgroup frontend


@ -0,0 +1,111 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/iptables/Sanity/backport-iptables-add-libxt-cgroup-frontend
# Description: Test for backport iptables add libxt_cgroup frontend
# Author: Tomas Dolezal <todoleza@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2015 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="iptables"
CGNUM="15"
CGNAME="15"
CGDIR="/sys/fs/cgroup/net_cls/$CGNAME"
DEST_IP4="192.0.2.99" # TEST-NET-1
DEST_IP42="192.0.2.199" # TEST-NET-1
DEST_IP6="2001:0db8:0000:0000:0000:0000:0000:abc0" #has to be expanded due to matching !
DEST_IP62="2001:0db8:0000:0000:0000:0000:0000:abc1"
SKIP6=false
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
# rlAssertRpm kernel-$(uname -r)
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "pushd $TmpDir"
if rlIsRHEL '>=7'; then
rlServiceStop firewalld
sleep 1
fi
rlLogInfo "check if net_cls cgroup is present"
rlAssertGrep "cgroup.*net_cls" /proc/mounts
rlRun "cgcreate -g net_cls:$CGNAME" 0 "create cgroup '15'"
rlRun "echo $CGNUM > $CGDIR/net_cls.classid" 0 "assign numerical id to cgroup"
rlPhaseEnd
rlPhaseStartTest
ping -W 1 -c 30 $DEST_IP4 &
PING4_P1=$! EC4=$?
ping -W 1 -c 30 $DEST_IP42 &
PING4_P2=$! EC42=$?
rlRun "[[ $EC4 -eq 0 && $EC42 -eq 0 ]]" 0 "ping ipv4 running to $DEST_IP4, $DEST_IP42"
ping6 -W 1 -c 30 $DEST_IP6 &
PING6_P1=$! EC6=$?
sleep 1
if [[ $EC6 -eq 2 ]] || ! kill -0 $PING6_P1 2>/dev/null; then
rlLogInfo "skipping ipv6 test, network stack unavailable"
SKIP6=true
else
ping6 -W 1 -c 30 $DEST_IP62 &
PING6_P2=$!
rlRun "kill -0 $PING6_P1 && kill -0 $PING6_P2" 0 "ping ipv6 running to $DEST_IP6, $DEST_IP62"
fi
journalctl -fkb > dmesg.out &
DMESG_P=$!
echo > dmesg.out # clear dmesg out
rlRun "iptables -A OUTPUT -m cgroup --cgroup $CGNUM -j LOG"
rlRun "ip6tables -A OUTPUT -m cgroup --cgroup $CGNUM -j LOG"
rlRun "echo $PING4_P2 >> $CGDIR/tasks" 0 "Add second ping to cgroup '15'"
$SKIP6 || rlRun "echo $PING6_P2 >> $CGDIR/tasks" 0 "Add second ping6 to cgroup '15'"
cat $CGDIR/tasks
sleep 10
cat dmesg.out
rlAssertGrep "$DEST_IP42" dmesg.out
$SKIP6 || rlAssertGrep "$DEST_IP62" dmesg.out
rlAssertNotGrep "$DEST_IP4" dmesg.out
rlAssertNotGrep "$DEST_IP6" dmesg.out
rlPhaseEnd
rlPhaseStartCleanup
kill $DMESG_P
# pings die after 30s of execution either way
kill $PING4_P1
kill $PING4_P2
$SKIP6 || kill $PING6_P1
$SKIP6 || kill $PING6_P2
sleep 1
rlRun "iptables -F" 0 "cleanup iptables"
rlRun "ip6tables -F" 0 "cleanup ip6tables"
rlServiceRestore firewalld
rlRun "cgdelete -g net_cls:$CGNAME" 0 "delete cgroup"
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
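Review bot: `PING4_P1=$! EC4=$?` reads `$?` right after a command was put in the background, which is always 0, so the `[[ $EC4 -eq 0 && $EC42 -eq 0 ]]` assertion cannot fail and the `$EC6 -eq 2` half of the IPv6 skip check is never true. The IPv6 path already checks liveness with `kill -0`; the IPv4 check should match it: `rlRun "kill -0 $PING4_P1 && kill -0 $PING4_P2" 0 "ping ipv4 running to $DEST_IP4, $DEST_IP42"`. Cleanup also calls `rlServiceRestore firewalld` unconditionally although the stop is guarded by `rlIsRHEL '>=7'`, and `echo > dmesg.out` truncates a file the background `journalctl -fkb` is already writing to.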


@ -0,0 +1,63 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/iptables/Sanity/initscript-sanity
# Description: initscript-sanity
# Author: Tomas Dolezal <todoleza@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2016 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/iptables/Sanity/initscript-sanity
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: initscript-sanity" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: iptables" >> $(METADATA)
@echo "Requires: iptables iptables-services" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2+" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
rhts-lint $(METADATA)


@ -0,0 +1,4 @@
PURPOSE of /CoreOS/iptables/Sanity/initscript-sanity
Description: initscript-sanity
Author: Tomas Dolezal <todoleza@redhat.com>
Bug summary: Can not "service iptables save": restorecon not found


@ -0,0 +1,56 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/iptables/Sanity/initscript-sanity
# Description: initscript-sanity
# Author: Tomas Dolezal <todoleza@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2016 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="iptables"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "pushd $TmpDir"
rlPhaseEnd
rlPhaseStartTest
rlLogInfo 'Can not "service iptables save": restorecon not found'
if rlIsRHEL 6 7 ; then
rlAssertGrep '[ ! -x "$RESTORECON" ] && RESTORECON=/bin/true' /usr/libexec/iptables/iptables.init
rlAssertGrep '[ ! -x "$RESTORECON" ] && RESTORECON=/bin/true' /usr/libexec/iptables/ip6tables.init
else
rlLogInfo 'skipping: test not applicable to this OS release'
fi
rlPhaseEnd
rlPhaseStartCleanup
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
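Review bot: Outside RHEL 6 and 7 the Test phase behind `if rlIsRHEL 6 7` runs no assertion at all, so the run is reported as passed although nothing was checked; as this tree is synced from RHEL8.8, that is presumably the usual case here. Logging the skip with `rlLogWarning 'skipping: test not applicable to this OS release'` instead of `rlLogInfo` would at least make it stand out in the journal. The two `rlAssertGrep` calls only confirm that the fallback line is present in the init scripts, not that `service iptables save` works without restorecon, and a comment above them should say so.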

3
tests/inventory Executable file

@ -0,0 +1,3 @@
#!/bin/bash
export TEST_DOCKER_EXTRA_ARGS="--privileged"
exec merge-standard-inventory "$@"
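Review bot: `TEST_DOCKER_EXTRA_ARGS="--privileged"` gives the test container every capability and access to host devices, which is much more than rule manipulation needs. If the suite passes with a narrower grant, list it explicitly, e.g. `export TEST_DOCKER_EXTRA_ARGS="--cap-add=NET_ADMIN --cap-add=NET_RAW"`; some tests in this commit stop services or create network namespaces, so this has to be tried rather than assumed. Either way the line deserves a comment naming the tests that need the extra privilege, so the setting is not copied into unrelated inventories.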


@ -0,0 +1,62 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/iptables/Regression/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets
# Description: Test for while adding iptables rules with ipv6 sets in
# Author: Tomas Dolezal <todoleza@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2014 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/iptables/Regression/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Test for while adding iptables rules with ipv6 sets in" >> $(METADATA)
@echo "Type: Regression" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: iptables" >> $(METADATA)
@echo "Requires: iptables bridge-utils ipset" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2+" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
rhts-lint $(METADATA)
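Review bot: The `Requires:` line lists `bridge-utils`, but the runtest.sh added for this test creates the bridge with `ip link add dev testbr type bridge` and never calls brctl, while iproute, which provides `ip`, is not listed. I would change the line to `@echo "Requires: iptables iproute ipset" >> $(METADATA)`. tests/tests.yml installs iproute on its own, so only runs that take their package list from this metadata are affected.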


@ -0,0 +1,4 @@
PURPOSE of /CoreOS/iptables/Regression/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets
Description: Test for while adding iptables rules with ipv6 sets in
Author: Tomas Dolezal <todoleza@redhat.com>
Bug summary: while adding iptables rules with ipv6 sets in destination direction, either individually or combined with source we see error messages.


@ -0,0 +1,85 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/iptables/Regression/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets
# Description: Test for while adding iptables rules with ipv6 sets in
# Author: Tomas Dolezal <todoleza@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2014 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="iptables"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "pushd $TmpDir"
rlRun "ip6tables-save > ip6tables.backup"
rlRun "iptables-save > iptables.backup"
rlRun "ip link add dev testbr type bridge" 0 "create bridge iface"
rlPhaseEnd
rlPhaseStartTest
rlRun "ipset create ipsetv6 hash:net timeout 60 family inet6" 0 "Create hash:net ipset for ipv6"
rlRun "ipset create ipsetv4 hash:net timeout 60 family inet" 0 "Create hash:net ipset for ipv4"
rlRun "ipset list ipsetv6" 0 "verify ipsetv6 presence"
rlRun "ipset list ipsetv4" 0 "verify ipsetv4 presence"
# echo waiting; read; echo cont
checkRule() {
binary="$1"
comment="$2"
rlRun "$binary -t mangle $RULE" 0 "$comment"
rlRun "$binary-save | grep -qe '$RULE'" 0 "verify rule"
}
for i in dst src dst,src src,dst; do
# 6,4 (+)
RULE="-A PREROUTING -i testbr -m set --match-set ipsetv6 $i -j ACCEPT"
checkRule ip6tables "[ipv6] direction: $i. adding ip6tables rule to match set"
RULE="-A PREROUTING -i testbr -m set --match-set ipsetv4 $i -j ACCEPT"
checkRule iptables "[ipv4] direction: $i. adding iptables rule to match set"
# 6,4 (-)
RULE="-A PREROUTING -i testbr -m set ! --match-set ipsetv6 $i -j ACCEPT"
checkRule ip6tables "[ipv6] direction: $i. adding negated ip6tables rule to match set"
RULE="-A PREROUTING -i testbr -m set ! --match-set ipsetv4 $i -j ACCEPT"
checkRule iptables "[ipv4] direction: $i. adding negated iptables rule to match set"
done
ip6tables-save
rlPhaseEnd
rlPhaseStartCleanup
rlRun "ip6tables -t mangle -F"
rlRun "iptables -t mangle -F"
rlRun "ip6tables-restore < ip6tables.backup"
rlRun "iptables-restore < iptables.backup"
rlRun "ip link set down dev testbr"
rlRun "ip link del testbr " 0 "remove bridge iface"
rlRun "ipset destroy ipsetv6" 0 "remove ipv6 ipset"
rlRun "ipset destroy ipsetv4" 0 "remove ipv4 ipset"
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
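Review bot: Cleanup flushes the mangle table and then feeds `iptables.backup` and `ip6tables.backup` to the restore commands, but Setup carries on when writing those backups (or the preceding `pushd $TmpDir`) fails, so a bad Setup can end with the host's previous mangle rules gone. Make the backup steps fatal, e.g. `rlRun "iptables-save > iptables.backup" || rlDie "cannot back up the IPv4 ruleset"`, and the same for `ip6tables-save`. A short comment in Cleanup stating that the flush is only safe because of these backups would help the next editor.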


@ -0,0 +1,63 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/iptables/Regression/ip6tables-service-does-not-allow-dhcpv6-client-by
# Description: Test for ip6tables service does not allow dhcpv6-client by
# Author: Tomas Dolezal <todoleza@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2015 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/iptables/Regression/ip6tables-service-does-not-allow-dhcpv6-client-by
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Test for ip6tables service does not allow dhcpv6-client by" >> $(METADATA)
@echo "Type: Regression" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: iptables" >> $(METADATA)
@echo "Requires: iptables iptables-services" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2+" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
rhts-lint $(METADATA)


@ -0,0 +1,4 @@
PURPOSE of /CoreOS/iptables/Regression/ip6tables-service-does-not-allow-dhcpv6-client-by
Description: Test for ip6tables service does not allow dhcpv6-client by
Author: Tomas Dolezal <todoleza@redhat.com>
Bug summary: ip6tables service does not allow dhcpv6-client by default


@ -0,0 +1,53 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/iptables/Regression/ip6tables-service-does-not-allow-dhcpv6-client-by
# Description: Test for ip6tables service does not allow dhcpv6-client by
# Author: Tomas Dolezal <todoleza@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2015 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="iptables"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "pushd $TmpDir"
rlRun "cp /etc/sysconfig/ip6tables ."
rlPhaseEnd
rlPhaseStartTest
rlRun "sed -ie '/REJECT/,// d' ip6tables" 0 "remove all rejected rules"
echo --debug--; cat ip6tables
rlAssertGrep "-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT" ip6tables
rlPhaseEnd
rlPhaseStartCleanup
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
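Review bot: In `sed -ie '/REJECT/,// d' ip6tables` GNU sed reads `-ie` as `-i` with the backup suffix `e`, so the command leaves a stray `ip6tablese` copy behind and only works because the script happens to be the next argument; write `sed -i -e '/REJECT/,// d' ip6tables`. The address `/REJECT/,//` reuses the previous regex, so it deletes from one REJECT line through the next one, which is not quite the "remove all rejected rules" of the rlRun comment; a comment stating the intent (presumably that the dhcpv6 ACCEPT rule must sit ahead of the first REJECT) would help. The test also reads the live `/etc/sysconfig/ip6tables`, so a locally edited file changes the result.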


@ -0,0 +1,63 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/iptables/Regression/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP
# Description: Test for ip6tables -t nat -A POSTROUTING/OUTPUT with DROP
# Author: Tomas Dolezal <todoleza@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2016 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/iptables/Regression/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Test for ip6tables -t nat -A POSTROUTING/OUTPUT with DROP" >> $(METADATA)
@echo "Type: Regression" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: iptables" >> $(METADATA)
@echo "Requires: iptables" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2+" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
rhts-lint $(METADATA)


@ -0,0 +1,4 @@
PURPOSE of /CoreOS/iptables/Regression/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP
Description: Test for ip6tables -t nat -A POSTROUTING/OUTPUT with DROP
Author: Tomas Dolezal <todoleza@redhat.com>
Bug summary: ip6tables -t nat -A POSTROUTING/OUTPUT with DROP target can't filter packets


@ -0,0 +1,20 @@
#!/bin/sh
ip netns del cs_client >/dev/null 2>&1
ip link del veth0 >/dev/null 2>&1
ip netns add cs_client
ip link add type veth
ip link set veth1 name eth1 netns cs_client
export cs_client_if1=eth1
export cs_server_if1=veth0
export cs_client_ip1=2001:db8:ffff::1
export cs_server_ip1=2001:db8:ffff::2
ip netns exec cs_client ip link set $cs_client_if1 up
ip link set $cs_server_if1 up
ip netns exec cs_client ip -6 addr add $cs_client_ip1/64 dev $cs_client_if1
ip -6 addr add $cs_server_ip1/64 dev $cs_server_if1
ip netns exec cs_client ifconfig lo up
ifconfig lo up
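Review bot: `ip link add type veth` lets the kernel pick the names, and the next line assumes the pair came out as veth0/veth1; on a host that already has a veth1, the script would rename that unrelated interface and move it into cs_client. Naming the pair removes the guess: `ip link add veth0 type veth peer name veth1`. The script has no error handling either, so a failure in the middle still runs the remaining commands; `set -e` after the two best-effort deletes would stop it there. `ifconfig lo up` needs net-tools, which the Makefile's Requires does not list, and `ip link set lo up` does the same with iproute.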


@ -0,0 +1,83 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/iptables/Regression/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP
# Description: Test for ip6tables -t nat -A POSTROUTING/OUTPUT with DROP
# Author: Tomas Dolezal <todoleza@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2016 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="iptables"
SERVICES="iptables ip6tables firewalld"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "pushd $TmpDir"
for svc in $SERVICES; do
rlServiceStop $svc
done
rlRun "iptables -t nat -F"
rlRun "ip6tables -t nat -F"
rlPhaseEnd
rlPhaseStartTest
table="nat"
assert_string="nat.*intended.*inhibited"
for chain in PREROUTING INPUT OUTPUT POSTROUTING; do
rlLogInfo "checking chain $chain"
rlRun "iptables -t $table -A $chain -p icmp -j DROP 2>iptables.stderr" 2 \
"iptables: Failure to accept DROP to '$table/$chain' chain"
rlRun "ip6tables -t $table -A $chain -p icmpv6 -j DROP 2>ip6tables.stderr" 2 \
"ip6tables: Failure to accept DROP to '$table/$chain' chain"
rlAssertGrep "$assert_string" iptables.stderr -E
rlAssertGrep "$assert_string" ip6tables.stderr -E
rm -f iptables.stderr ip6tables.stderr
echo --debug_START--
set -x
iptables-save | grep -E '\*|icmp'
ip6tables-save | grep -E '\*|icmp'
set +x
echo --debug_END--
done
rlRun "iptables-save > ipt4.out"
rlRun "ip6tables-save > ipt6.out"
rlAssertNotGrep "icmp" ipt4.out
rlAssertNotGrep "icmp" ipt6.out
rlPhaseEnd
rlPhaseStartCleanup
rlRun "iptables -t nat -F"
rlRun "ip6tables -t nat -F"
rlLogInfo "restoring services"
for svc in $SERVICES; do
rlServiceRestore $svc
done
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
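Review bot: Setup and Cleanup both run `iptables -t nat -F` and `ip6tables -t nat -F` without saving the table first, so any NAT rules on the host that are not recreated by the three restored services are lost after the run, although the Makefile declares `Destructive: no`. The ip6sets test in this commit already saves and restores around its changes, and the same pattern fits here, with the backups taken after the service loop and restored in place of the Cleanup flushes. Separately, `rlAssertNotGrep "icmp"` is run against the full `iptables-save` output, so it depends on no other table mentioning icmp; `iptables-save -t nat` would tie the check to the table under test.

```shell
# Setup, after the rlServiceStop loop and before the two flushes
rlRun "iptables-save -t nat > nat4.backup"
rlRun "ip6tables-save -t nat > nat6.backup"
# … unchanged: flushes, Test phase …
# Cleanup, in place of the two flushes
rlRun "iptables-restore < nat4.backup"
rlRun "ip6tables-restore < nat6.backup"
```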


@ -0,0 +1,63 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/iptables/Regression/iptables-rule-deletion-fails-for-rules-that-use
# Description: Test for iptables rule deletion fails for rules that use
# Author: Tomas Dolezal <todoleza@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2015 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/iptables/Regression/iptables-rule-deletion-fails-for-rules-that-use
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Test for iptables rule deletion fails for rules that use" >> $(METADATA)
@echo "Type: Regression" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: iptables" >> $(METADATA)
@echo "Requires: iptables ipset" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2+" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
rhts-lint $(METADATA)


@ -0,0 +1,4 @@
PURPOSE of /CoreOS/iptables/Regression/iptables-rule-deletion-fails-for-rules-that-use
Description: Test for iptables rule deletion fails for rules that use
Author: Tomas Dolezal <todoleza@redhat.com>
Bug summary: iptables rule deletion fails for rules that use ipset match "--match-set"


@ -0,0 +1,78 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/iptables/Regression/iptables-rule-deletion-fails-for-rules-that-use
# Description: Test for iptables rule deletion fails for rules that use
# Author: Tomas Dolezal <todoleza@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2015 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="iptables"
IPSET4="ipsetv4"
IPSET6="ipsetv6"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "pushd $TmpDir"
rlRun "ipset create $IPSET4 hash:ip"
rlRun "ipset create $IPSET6 hash:ip family inet6"
rlRun "iptables-save -t mangle > ipt4.save"
rlRun "ip6tables-save -t mangle > ipt6.save"
rlPhaseEnd
rlPhaseStartTest
RULE40="-A PREROUTING -m set --match-set $IPSET4 dst -j ACCEPT"
RULE40d="-D PREROUTING -m set --match-set $IPSET4 dst -j ACCEPT"
RULE41="-A PREROUTING -m set --match-set $IPSET4 dst -j SET --add-set $IPSET4 src"
RULE41d="-D PREROUTING -m set --match-set $IPSET4 dst -j SET --add-set $IPSET4 src"
RULE60="-A PREROUTING -m set --match-set $IPSET6 dst -j ACCEPT"
RULE60d="-D PREROUTING -m set --match-set $IPSET6 dst -j ACCEPT"
RULE61="-A PREROUTING -m set --match-set $IPSET6 dst -j SET --add-set $IPSET6 src"
RULE61d="-D PREROUTING -m set --match-set $IPSET6 dst -j SET --add-set $IPSET6 src"
for RULE in "$RULE40" "$RULE40d" "$RULE41" "$RULE41d"; do
rlRun "iptables -t mangle $RULE"
done
for RULE in "$RULE60" "$RULE60d" "$RULE61" "$RULE61d"; do
rlRun "ip6tables -t mangle $RULE"
done
rlRun "iptables-save -t mangle > ipt4.save2"
rlRun "ip6tables-save -t mangle > ipt6.save2"
rlRun "sed -e '/^#/d' -e 's/\[.*:.*\]$//' -i ipt4* ipt6*" 0 "magically unify savefiles"
rlAssertNotDiffer ipt4.save ipt4.save2
rlAssertNotDiffer ipt6.save ipt6.save2
diff -u ipt4.save ipt4.save2
diff -u ipt6.save ipt6.save2
rlPhaseEnd
rlPhaseStartCleanup
rlRun "ipset destroy $IPSET4"
rlRun "ipset destroy $IPSET6"
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
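Review bot: Cleanup relies on the `-D` commands of the Test phase having succeeded: if one of them fails, which is the very bug this test exists for, the rule stays in the host's mangle PREROUTING chain and `ipset destroy` then fails because the set is still referenced. The saved files cannot be used to recover, since the `sed ... -i ipt4* ipt6*` step rewrites ipt4.save and ipt6.save in place. I would keep untouched copies in Setup (`rlRun "iptables-save -t mangle > ipt4.orig"`) and run `rlRun "iptables-restore < ipt4.orig"` ahead of the `ipset destroy` lines, likewise for ip6tables.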


@ -0,0 +1,63 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/iptables/Regression/iptables-save-cuts-space-before-j
# Description: Test for iptables-save cuts space before -j
# Author: Tomas Dolezal <todoleza@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2015 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/iptables/Regression/iptables-save-cuts-space-before-j
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Test for iptables-save cuts space before -j" >> $(METADATA)
@echo "Type: Regression" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: iptables" >> $(METADATA)
@echo "Requires: iptables" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2+" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
rhts-lint $(METADATA)


@ -0,0 +1,4 @@
PURPOSE of /CoreOS/iptables/Regression/iptables-save-cuts-space-before-j
Description: Test for iptables-save cuts space before -j
Author: Tomas Dolezal <todoleza@redhat.com>
Bug summary: iptables-save cuts space before -j


@ -0,0 +1,61 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/iptables/Regression/iptables-save-cuts-space-before-j
# Description: Test for iptables-save cuts space before -j
# Author: Tomas Dolezal <todoleza@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2015 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="iptables"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "pushd $TmpDir"
rlServiceStart iptables
rlPhaseEnd
rlPhaseStartTest
RULE="-A INPUT -p dccp -m dccp --dccp-type RESET,INVALID -j LOG"
if rlIsRHEL '>6' || rlIsFedora; then
RULE="${RULE/type/types}" # it is exported under other name
fi
rlLogInfo "using rule '$RULE'"
rlRun "iptables $RULE" 0 "add rule for ipv4"
rlRun "ip6tables $RULE" 0 "add rule for ipv6"
rlRun "iptables-save | grep -- '$RULE'" 0 "check rule for ipv4"
rlRun "ip6tables-save | grep -- '$RULE'" 0 "check rule for ipv6"
rlPhaseEnd
rlPhaseStartCleanup
rlServiceStop iptables
rlServiceRestore iptables
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
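Review bot: The LOG rule added with `ip6tables $RULE` is never removed: Cleanup only stops and restores the iptables service, and nothing in the script touches the IPv6 ruleset again, so the rule stays in the host's INPUT chain after the run. Delete it explicitly at the start of Cleanup with `rlRun "ip6tables ${RULE/-A/-D}" 0 "remove rule for ipv6"`, and do the same for iptables rather than relying on the service stop to flush it. Setup likewise starts only the iptables service, so the IPv6 half of the test runs against whatever ruleset happens to be loaded.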


@ -0,0 +1,63 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/iptables/Regression/iptables-save-modprobe-option
# Description: Test for iptables-save man page completely wrong - which
# Author: Ales Zelinka <azelinka@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/iptables/Regression/iptables-save-modprobe-option
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Ales Zelinka <azelinka@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Test for iptables-save man page completely wrong - which" >> $(METADATA)
@echo "Type: Regression" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: iptables" >> $(METADATA)
@echo "Requires: iptables" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
rhts-lint $(METADATA)


@ -0,0 +1,4 @@
PURPOSE of /CoreOS/iptables/Regression/iptables-save-modprobe-option
Description: Test for iptables-save man page completely wrong - which
Author: Ales Zelinka <azelinka@redhat.com>
Bug summary: iptables-save man page completely wrong - which conflicting arguments should work?


@ -0,0 +1,42 @@
#!/bin/bash
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/iptables/Regression/iptables-save-modprobe-option
# Description: Test for iptables-save man page completely wrong - which
# Author: Ales Zelinka <azelinka@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="iptables"
rlJournalStart
rlPhaseStartTest
rlAssertRpm $PACKAGE
rlRun "iptables-save -M /dev/null" 0 "iptables-save -M ... supported"
rlRun "iptables-save --modprobe /dev/null" 0 "iptables-save --modprobe ... supported"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd

91
tests/tests.yml Normal file

@ -0,0 +1,91 @@
---
- hosts: localhost
tags: [ always ]
tasks:
- set_fact:
our_required_packages:
- firewalld # multiple tests need firewalld
- iproute # multiple tests need ip command
- iputils # multiple tests need ping/ping6 commands
- iptables # multiple tests need iptables/ip6tables commands
- iptables-services # multiple tests need iptables/ip6tables config files
- initscripts # multiple tests need system command
- libcgroup-tools # backport-iptables-add-libxt-cgroup-frontend needs cg* commands
- ipset # multiple tests need ipset command
- strace # xtables-tools-locking-vulnerable-to-local-DoS needs strace command
- policycoreutils # initscript-sanity needs restorecon command
- hosts: localhost
tags:
- rhts-all
roles:
- role: standard-test-rhts
tests:
- backport-iptables-add-libxt-cgroup-frontend
- initscript-sanity
- ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets
- ip6tables-service-does-not-allow-dhcpv6-client-by
- ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP
- iptables-rule-deletion-fails-for-rules-that-use
- iptables-save-cuts-space-before-j
- iptables-save-modprobe-option
- NFQUEUE-queue-bypass
- RFE-Enable-the-missing-IPv6-SET-target
- RFE-iptables-add-C-option-to-iptables-in-RHEL6
- TRACE-target-of-iptables-can-t-work-in
- xtables-tools-locking-vulnerable-to-local-DoS
required_packages: "{{ our_required_packages }}"
- hosts: localhost
tags:
- classic
- beakerlib-all
roles:
- role: standard-test-beakerlib
tests:
- backport-iptables-add-libxt-cgroup-frontend
- initscript-sanity
- ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets
- ip6tables-service-does-not-allow-dhcpv6-client-by
- ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP
- iptables-rule-deletion-fails-for-rules-that-use
- iptables-save-cuts-space-before-j
- iptables-save-modprobe-option
- NFQUEUE-queue-bypass
- RFE-Enable-the-missing-IPv6-SET-target
# - RFE-iptables-add-C-option-to-iptables-in-RHEL6 # Test is not working on rhel8
# - TRACE-target-of-iptables-can-t-work-in # Test is not working on rhel8
# - xtables-tools-locking-vulnerable-to-local-DoS # Test is not working on rhel8
required_packages: "{{ our_required_packages }}"
- hosts: localhost
tags:
- container
roles:
- role: standard-test-beakerlib
tests:
#- backport-iptables-add-libxt-cgroup-frontend # journaling/logging issues?
- ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets
- ip6tables-service-does-not-allow-dhcpv6-client-by
- ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP
- iptables-rule-deletion-fails-for-rules-that-use
- iptables-save-cuts-space-before-j
- iptables-save-modprobe-option
- NFQUEUE-queue-bypass
- RFE-Enable-the-missing-IPv6-SET-target
- RFE-iptables-add-C-option-to-iptables-in-RHEL6
- xtables-tools-locking-vulnerable-to-local-DoS
required_packages: "{{ our_required_packages }}"
- hosts: localhost
tags:
- atomic
roles:
- role: standard-test-beakerlib
tests:
- ip6tables-service-does-not-allow-dhcpv6-client-by
- iptables-save-cuts-space-before-j
- iptables-save-modprobe-option
- NFQUEUE-queue-bypass
- RFE-iptables-add-C-option-to-iptables-in-RHEL6
- xtables-tools-locking-vulnerable-to-local-DoS
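Review bot: The `container` and `atomic` plays still list `RFE-iptables-add-C-option-to-iptables-in-RHEL6` and `xtables-tools-locking-vulnerable-to-local-DoS`, which the `classic`/`beakerlib-all` play comments out as "Test is not working on rhel8"; the `rhts-all` play lists all three disabled tests as well. Either those tests fail in the other contexts too or the comment is stale, and as written the regression test for the xtables lock local DoS is skipped in one context with no tracked reason, so a reference to the bug that explains the failure belongs next to each commented-out entry. As far as this rendering shows, the `atomic` play is also the only one without `required_packages: "{{ our_required_packages }}"`, although the list at the top says the xtables test needs `strace`; if that is deliberate, a comment such as `# atomic host: packages cannot be installed, tests must cope` would record it.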


@ -0,0 +1,63 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/iptables/Regression/xtables-tools-locking-vulnerable-to-local-DoS
# Description: Test for xtables tools locking vulnerable to local DoS
# Author: Tomas Dolezal <todoleza@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2015 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/iptables/Regression/xtables-tools-locking-vulnerable-to-local-DoS
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Test for xtables tools locking vulnerable to local DoS" >> $(METADATA)
@echo "Type: Regression" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: iptables" >> $(METADATA)
@echo "Requires: iptables strace" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2+" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
rhts-lint $(METADATA)
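Review bot: `run` and `build` are command targets but are not listed in `.PHONY: all install download clean`, so files with those names in the test directory could make the targets look up to date and `./runtest.sh` would not be executed, which reads as a passing test. Unless the included `rhts-make.include` already declares them (not visible here), the line should be `.PHONY: all install download clean run build`. The `$(METADATA)` recipe also builds the file with a series of appends, so an interrupted run leaves a partial file that is newer than `Makefile`; a `.DELETE_ON_ERROR:` line would cover the failure case.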


@ -0,0 +1,4 @@
PURPOSE of /CoreOS/iptables/Regression/xtables-tools-locking-vulnerable-to-local-DoS
Description: Test for xtables tools locking vulnerable to local DoS
Author: Tomas Dolezal <todoleza@redhat.com>
Bug summary: xtables tools locking vulnerable to local DoS


@ -0,0 +1,54 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/iptables/Regression/xtables-tools-locking-vulnerable-to-local-DoS
# Description: Test for xtables tools locking vulnerable to local DoS
# Author: Tomas Dolezal <todoleza@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2015 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="iptables"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "pushd $TmpDir"
rlPhaseEnd
rlPhaseStartTest
rlRun "strace -fe flock,bind,open,openat -o strace.out iptables -w -L" 0 "execute iptables in strace"
echo --debug--; cat strace.out
rlAssertNotGrep "bind.*xtables" strace.out -E
rlAssertGrep " flock(" strace.out
rlAssertGrep "/run/xtables.lock" strace.out
rlPhaseEnd
rlPhaseStartCleanup
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
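Review bot: The three assertions in the test phase are independent greps, so the test passes whenever some `flock(` call and some mention of `/run/xtables.lock` appear anywhere in `strace.out`, even if the flock failed or was taken on a different descriptor. Since this is the regression check for the lock-based local DoS fix, the flock assertion should at least require success, for example `rlAssertGrep " flock\(.*\) += 0" strace.out -E`, and ideally match the descriptor returned by the open of `/run/xtables.lock`. In the setup and cleanup phases `$TmpDir` is expanded unquoted and unchecked; if `mktemp -d` fails, `pushd` and `rm -r` run with an empty argument, so `rlRun "rm -r \"$TmpDir\""` guarded by a non-empty check is safer in a script that runs as root. The `echo --debug--; cat strace.out` line would be better as `rlFileSubmit strace.out` so the trace is kept with the journal.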