Merge #1 Initial checkin of tests from upstreamfirst project
This commit is contained in:
commit
8375340a72
63
tests/NFQUEUE-queue-bypass/Makefile
Normal file
63
tests/NFQUEUE-queue-bypass/Makefile
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/iptables/Sanity/NFQUEUE-queue-bypass
|
||||||
|
# Description: Test for "--queue-bypass" backport
|
||||||
|
# Author: Ales Zelinka <azelinka@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/iptables/Sanity/NFQUEUE-queue-bypass
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Ales Zelinka <azelinka@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: Test for \"--queue-bypass\" backport" >> $(METADATA)
|
||||||
|
@echo "Type: Sanity" >> $(METADATA)
|
||||||
|
@echo "TestTime: 5m" >> $(METADATA)
|
||||||
|
@echo "RunFor: iptables" >> $(METADATA)
|
||||||
|
@echo "Requires: iptables" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
4
tests/NFQUEUE-queue-bypass/PURPOSE
Normal file
4
tests/NFQUEUE-queue-bypass/PURPOSE
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
PURPOSE of /CoreOS/iptables/Sanity/NFQUEUE-queue-bypass
|
||||||
|
Description: Test for "--queue-bypass" backport
|
||||||
|
Author: Ales Zelinka <azelinka@redhat.com>
|
||||||
|
Bug summary: "--queue-bypass" backport
|
54
tests/NFQUEUE-queue-bypass/runtest.sh
Executable file
54
tests/NFQUEUE-queue-bypass/runtest.sh
Executable file
@ -0,0 +1,54 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/iptables/Sanity/NFQUEUE-queue-bypass
|
||||||
|
# Description: Test for "--queue-bypass" backport
|
||||||
|
# Author: Ales Zelinka <azelinka@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/bin/rhts-environment.sh || exit 1
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
|
PACKAGE="iptables"
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
|
||||||
|
rlPhaseStartTest control-ping
|
||||||
|
rlRun "ping -w 2 -c 2 127.0.0.1"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest NFQUEUE-no-listener
|
||||||
|
rlRun "iptables -I INPUT -p icmp -j NFQUEUE" 0 "queue all icmp for userspace processing"
|
||||||
|
rlRun "ping -w 2 -c 2 127.0.0.1" 1-255 "ping 127.0.0.1 - none is listening on queue so packets will be dropped"
|
||||||
|
rlRun "iptables -D INPUT -p icmp -j NFQUEUE" 0 "removing the queue rule"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest NFQUEUE-no-listener-bypass
|
||||||
|
rlRun "iptables -I INPUT -p icmp -j NFQUEUE --queue-bypass" 0 "queue all icmp for userspace processing, bypass if no one is listening"
|
||||||
|
rlRun "ping -w 2 -c 2 127.0.0.1" 0 "ping 127.0.0.1 - none is listening on queue - bypass will make packets go through"
|
||||||
|
rlRun "iptables -D INPUT -p icmp -j NFQUEUE --queue-bypass" 0 "removing the queue rule"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
|
63
tests/RFE-Enable-the-missing-IPv6-SET-target/Makefile
Normal file
63
tests/RFE-Enable-the-missing-IPv6-SET-target/Makefile
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/iptables/Regression/RFE-Enable-the-missing-IPv6-SET-target
|
||||||
|
# Description: Test for [RFE] Enable the missing IPv6 "SET" target
|
||||||
|
# Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2015 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 2 of
|
||||||
|
# the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/iptables/Regression/RFE-Enable-the-missing-IPv6-SET-target
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: Test for [RFE] Enable the missing IPv6 \"SET\" target" >> $(METADATA)
|
||||||
|
@echo "Type: Regression" >> $(METADATA)
|
||||||
|
@echo "TestTime: 5m" >> $(METADATA)
|
||||||
|
@echo "RunFor: iptables" >> $(METADATA)
|
||||||
|
@echo "Requires: iptables ipset" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2+" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
4
tests/RFE-Enable-the-missing-IPv6-SET-target/PURPOSE
Normal file
4
tests/RFE-Enable-the-missing-IPv6-SET-target/PURPOSE
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
PURPOSE of /CoreOS/iptables/Regression/RFE-Enable-the-missing-IPv6-SET-target
|
||||||
|
Description: Test for [RFE] Enable the missing IPv6 "SET" target
|
||||||
|
Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
Bug summary: [RFE] Enable the missing IPv6 "SET" target userland ip6tables support to enable ipset to be usable with IPv6
|
65
tests/RFE-Enable-the-missing-IPv6-SET-target/runtest.sh
Executable file
65
tests/RFE-Enable-the-missing-IPv6-SET-target/runtest.sh
Executable file
@ -0,0 +1,65 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/iptables/Regression/RFE-Enable-the-missing-IPv6-SET-target
|
||||||
|
# Description: Test for [RFE] Enable the missing IPv6 "SET" target
|
||||||
|
# Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2015 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 2 of
|
||||||
|
# the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/bin/rhts-environment.sh || exit 1
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
|
PACKAGE="iptables"
|
||||||
|
IPSET=testset6
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm $PACKAGE
|
||||||
|
# rlAssertRpm kernel
|
||||||
|
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||||
|
rlRun "pushd $TmpDir"
|
||||||
|
rlRun "ipset create $IPSET hash:ip family inet6"
|
||||||
|
rlRun "ipset add testset6 1234::3456"
|
||||||
|
rlRun "ip6tables-save -t filter > ipt6.save"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
RULE1="INPUT -p tcp -m multiport --dports 21,22,23,25,53,81,123,143 -m conntrack --ctstate NEW --syn -m set ! --match-set $IPSET src -j LOG --log-prefix 'LOG:IPSET added to $IPSET'"
|
||||||
|
RULE2="INPUT -p tcp -m multiport --dports 21,22,23,25,53,81,123,143 -m conntrack --ctstate NEW --syn -m set ! --match-set $IPSET src -j SET --add-set $IPSET src"
|
||||||
|
for op in -A -C -D; do #add, check, delete
|
||||||
|
rlRun "ip6tables $op $RULE1" 0 "do $op logrule"
|
||||||
|
rlRun "ip6tables $op $RULE2" 0 "do $op -j SET rule"
|
||||||
|
done
|
||||||
|
rlRun "ip6tables-save -t filter > ipt6.save2"
|
||||||
|
rlRun "sed -e '/^#/d' -e 's/\[.*:.*\]$//' -i ipt6*" 0 "magically unify savefiles"
|
||||||
|
rlAssertNotDiffer ipt6.save ipt6.save2
|
||||||
|
diff -u ipt6.save ipt6.save2
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rlRun "ipset destroy $IPSET"
|
||||||
|
rlRun "popd"
|
||||||
|
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
|
@ -0,0 +1,63 @@
|
|||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/iptables/Regression/RFE-iptables-add-C-option-to-iptables-in-RHEL6
|
||||||
|
# Description: Test for RFE iptables add -C option to iptables in RHEL6 to
|
||||||
|
# Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2015 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 2 of
|
||||||
|
# the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/iptables/Regression/RFE-iptables-add-C-option-to-iptables-in-RHEL6
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE rules.in
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: Test for RFE iptables add -C option to iptables in RHEL6 to" >> $(METADATA)
|
||||||
|
@echo "Type: Regression" >> $(METADATA)
|
||||||
|
@echo "TestTime: 5m" >> $(METADATA)
|
||||||
|
@echo "RunFor: iptables" >> $(METADATA)
|
||||||
|
@echo "Requires: iptables" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2+" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
@ -0,0 +1,4 @@
|
|||||||
|
PURPOSE of /CoreOS/iptables/Regression/RFE-iptables-add-C-option-to-iptables-in-RHEL6
|
||||||
|
Description: Test for RFE iptables add -C option to iptables in RHEL6 to
|
||||||
|
Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
Bug summary: RFE: iptables: add -C option to iptables in RHEL6 to check for existing rules
|
@ -0,0 +1,50 @@
|
|||||||
|
# vim: ft=sh
|
||||||
|
rules4=(
|
||||||
|
"-t nat -A POSTROUTING -o tun+ -j MASQUERADE"
|
||||||
|
"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
|
||||||
|
"-A INPUT -p icmp -m icmp --icmp-type source-quench -j REJECT --reject-with icmp-host-prohibited"
|
||||||
|
"-A INPUT -p icmp -j ACCEPT"
|
||||||
|
"-A INPUT -i lo -j ACCEPT"
|
||||||
|
"-A INPUT -i ippp+ -j ACCEPT"
|
||||||
|
"-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"
|
||||||
|
"-A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT"
|
||||||
|
"-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"
|
||||||
|
"-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT"
|
||||||
|
"-A INPUT -p ah -j ACCEPT"
|
||||||
|
"-A INPUT -p esp -j ACCEPT"
|
||||||
|
"-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT"
|
||||||
|
"-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT"
|
||||||
|
"-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT"
|
||||||
|
"-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT"
|
||||||
|
"-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
|
||||||
|
"-A FORWARD -p icmp -m icmp --icmp-type source-quench -j REJECT --reject-with icmp-host-prohibited"
|
||||||
|
"-A FORWARD -p icmp -j ACCEPT"
|
||||||
|
"-A FORWARD -i lo -j ACCEPT"
|
||||||
|
"-A FORWARD -i ippp+ -j ACCEPT"
|
||||||
|
"-A FORWARD -o tun+ -j ACCEPT"
|
||||||
|
"-A INPUT -j REJECT --reject-with icmp-host-prohibited"
|
||||||
|
"-A FORWARD -j REJECT --reject-with icmp-host-prohibited"
|
||||||
|
)
|
||||||
|
|
||||||
|
rules6=(
|
||||||
|
"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
|
||||||
|
"-A INPUT -p ipv6-icmp -j ACCEPT"
|
||||||
|
"-A INPUT -i lo -j ACCEPT"
|
||||||
|
"-A INPUT -m state --state NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT"
|
||||||
|
"-A INPUT -i ippp+ -j ACCEPT"
|
||||||
|
"-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"
|
||||||
|
"-A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT"
|
||||||
|
"-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"
|
||||||
|
"-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d ff02::fb -j ACCEPT"
|
||||||
|
"-A INPUT -m ipv6header --header ah -j ACCEPT"
|
||||||
|
"-A INPUT -m ipv6header --header esp -j ACCEPT"
|
||||||
|
"-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT"
|
||||||
|
"-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT"
|
||||||
|
"-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT"
|
||||||
|
"-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
|
||||||
|
"-A FORWARD -p ipv6-icmp -j ACCEPT"
|
||||||
|
"-A FORWARD -i lo -j ACCEPT"
|
||||||
|
"-A FORWARD -i ippp+ -j ACCEPT"
|
||||||
|
"-A INPUT -j REJECT --reject-with icmp6-adm-prohibited"
|
||||||
|
"-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited"
|
||||||
|
)
|
73
tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/runtest.sh
Executable file
73
tests/RFE-iptables-add-C-option-to-iptables-in-RHEL6/runtest.sh
Executable file
@ -0,0 +1,73 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/iptables/Regression/RFE-iptables-add-C-option-to-iptables-in-RHEL6
|
||||||
|
# Description: Test for RFE iptables add -C option to iptables in RHEL6 to
|
||||||
|
# Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2015 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 2 of
|
||||||
|
# the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/bin/rhts-environment.sh || exit 1
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
|
PACKAGE="iptables"
|
||||||
|
TESTD=$PWD
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm $PACKAGE
|
||||||
|
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||||
|
rlRun "pushd $TmpDir"
|
||||||
|
rlRun "source $TESTD/rules.in" 0 "read ruleset"
|
||||||
|
rlRun "iptables -F"
|
||||||
|
rlRun "ip6tables -F"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
declare -i sane=0
|
||||||
|
for i in ${!rules4[*]}; do
|
||||||
|
let sane++
|
||||||
|
rlRun "iptables ${rules4[$i]}"
|
||||||
|
testrule="${rules4[$i]/-A/-C}"
|
||||||
|
rlRun "iptables $testrule"
|
||||||
|
done
|
||||||
|
for i in ${!rules6[*]}; do
|
||||||
|
let sane++
|
||||||
|
rlRun "ip6tables ${rules6[$i]}"
|
||||||
|
testrule="${rules6[$i]/-A/-C}"
|
||||||
|
rlRun "ip6tables $testrule"
|
||||||
|
done
|
||||||
|
#check itercount
|
||||||
|
if [[ $sane -lt 40 ]]; then
|
||||||
|
rlFail "test insane, do inspect" # rules were not properly loaded!
|
||||||
|
fi
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rlRun "iptables -F"
|
||||||
|
rlRun "iptables -t nat -F"
|
||||||
|
rlRun "ip6tables -F"
|
||||||
|
rlRun "popd"
|
||||||
|
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
|
63
tests/TRACE-target-of-iptables-can-t-work-in/Makefile
Normal file
63
tests/TRACE-target-of-iptables-can-t-work-in/Makefile
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/iptables/Regression/TRACE-target-of-iptables-can-t-work-in
|
||||||
|
# Description: Test for TRACE target of iptables can't work in
|
||||||
|
# Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2016 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 2 of
|
||||||
|
# the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/iptables/Regression/TRACE-target-of-iptables-can-t-work-in
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: Test for TRACE target of iptables can't work in" >> $(METADATA)
|
||||||
|
@echo "Type: Regression" >> $(METADATA)
|
||||||
|
@echo "TestTime: 5m" >> $(METADATA)
|
||||||
|
@echo "RunFor: iptables" >> $(METADATA)
|
||||||
|
@echo "Requires: iptables iptables-services" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2+" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
4
tests/TRACE-target-of-iptables-can-t-work-in/PURPOSE
Normal file
4
tests/TRACE-target-of-iptables-can-t-work-in/PURPOSE
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
PURPOSE of /CoreOS/iptables/Regression/TRACE-target-of-iptables-can-t-work-in
|
||||||
|
Description: Test for TRACE target of iptables can't work in
|
||||||
|
Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
Bug summary: TRACE target of iptables can't work in RHEL7.1/RHEL7.2
|
136
tests/TRACE-target-of-iptables-can-t-work-in/runtest.sh
Executable file
136
tests/TRACE-target-of-iptables-can-t-work-in/runtest.sh
Executable file
@ -0,0 +1,136 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/iptables/Regression/TRACE-target-of-iptables-can-t-work-in
|
||||||
|
# Description: Test for TRACE target of iptables can't work in
|
||||||
|
# Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2016 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 2 of
|
||||||
|
# the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/bin/rhts-environment.sh || exit 1
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
|
PACKAGE="iptables"
|
||||||
|
SERVICES="iptables ip6tables firewalld"
|
||||||
|
|
||||||
|
prepare_page() {
|
||||||
|
section=$1
|
||||||
|
name=$2
|
||||||
|
dest=${name}.manpage
|
||||||
|
zcat /usr/share/man/man${section}/${name}.${section}.gz | tr -s ' ' > ${dest}
|
||||||
|
rlAssertExists ${dest}
|
||||||
|
}
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm $PACKAGE
|
||||||
|
# rlAssertRpm kernel
|
||||||
|
rlLogInfo $(uname -r)
|
||||||
|
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||||
|
rlRun "pushd $TmpDir"
|
||||||
|
prepare_page 8 iptables-extensions
|
||||||
|
for svc in $SERVICES; do
|
||||||
|
rlServiceStop $svc
|
||||||
|
done
|
||||||
|
rlRun "ip -4 -o r | grep default | head -1 | sed -re 's/.*dev ((\.|\w)+).*/\1/' > default-iface"
|
||||||
|
IFACE="$(< default-iface)"
|
||||||
|
rlAssertExists "/sys/class/net/$IFACE"
|
||||||
|
rlRun "ip route save > ip-route.save" 0 "save routing info"
|
||||||
|
rlRun "ip -6 route save > ip-route.save6" 0 "save ipv6 routing info"
|
||||||
|
rlRun "ip -6 r add default dev $IFACE" 0,2 "add ipv6 default route"
|
||||||
|
rlRun "rmmod nf_log_ipv4" 0,1
|
||||||
|
rlRun "rmmod nf_log_ipv6" 0,1
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest "manpage check"
|
||||||
|
rlAssertGrep "nfnetlink_log" iptables-extensions.manpage
|
||||||
|
if rlIsRHEL 7 && rlIsRHEL '>=7.3' ; then
|
||||||
|
# RHEL version-specific libxt_TRACE man page patchs
|
||||||
|
rlAssertGrep "nf_log_ipv4(6)" iptables-extensions.manpage
|
||||||
|
rlAssertNotGrep "ip(...)?t_LOG" iptables-extensions.manpage -Ei
|
||||||
|
fi
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
ipv4_ping() {
|
||||||
|
rlRun "ping -i 0.2 -c 3 -W 1 192.0.2.99" 0,1 "ipv4 icmp out (ping)"
|
||||||
|
}
|
||||||
|
ipv6_ping() {
|
||||||
|
rlRun "ping6 -i 0.2 -c 3 -W 1 2001:DB8::99" 0,1 "ipv6 icmp out (ping6)"
|
||||||
|
}
|
||||||
|
get_messages() {
|
||||||
|
if rlIsFedora; then
|
||||||
|
journalctl -qkb
|
||||||
|
else
|
||||||
|
cat /var/log/messages
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
rlPhaseStartTest "iptables_TRACE"
|
||||||
|
rlRun "get_messages > messages.log-orig"
|
||||||
|
rlRun "iptables -t raw -I OUTPUT -p icmp -j TRACE" 0
|
||||||
|
rlRun "ip6tables -t raw -I OUTPUT -p icmpv6 -j TRACE" 0
|
||||||
|
if rlTestVersion "$(uname -r)" "<" "4.6"; then
|
||||||
|
ipv4_ping; ipv6_ping
|
||||||
|
rlRun "get_messages > messages.current"
|
||||||
|
|
||||||
|
rlRun "diff messages.log-orig messages.current > diff.1" 0,1
|
||||||
|
echo --debug_START--
|
||||||
|
cat diff.1
|
||||||
|
echo --debug_END--
|
||||||
|
rlRun "modprobe nf_log_ipv4" 0 "load ipv4 TRACE logging module"
|
||||||
|
rlRun "modprobe nf_log_ipv6" 0 "load ipv6 TRACE logging module"
|
||||||
|
rlAssertNotGrep "TRACE" diff.1
|
||||||
|
else
|
||||||
|
rlLogInfo "new kernel detected: skipping loading modules and associated checks"
|
||||||
|
fi
|
||||||
|
ipv4_ping; ipv6_ping
|
||||||
|
rlRun "get_messages > messages.current"
|
||||||
|
|
||||||
|
rlRun "diff messages.log-orig messages.current > diff.2" 0,1
|
||||||
|
rlAssertGrep "TRACE" diff.2
|
||||||
|
rlAssertGrep "TRACE.*PROTO=ICMP " diff.2
|
||||||
|
rlAssertGrep "TRACE.*PROTO=ICMPv6 " diff.2
|
||||||
|
echo --debug_START--
|
||||||
|
cat diff.2
|
||||||
|
echo --debug_END--
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rlRun "ip route flush default" 0 "flush ip route data"
|
||||||
|
rlRun "ip -6 route flush default" 0 "flush ipv6 route data"
|
||||||
|
rlRun "ip route restore < ip-route.save" 0 "restore routing info"
|
||||||
|
rlRun "ip -6 route restore < ip-route.save6" 0 "restore routing info ipv6"
|
||||||
|
rlRun "iptables -t raw -F"
|
||||||
|
rlRun "ip6tables -t raw -F"
|
||||||
|
rlRun "rmmod nf_log_ipv4"
|
||||||
|
rlRun "rmmod nf_log_ipv6"
|
||||||
|
rlRun "rmmod nf_log_common"
|
||||||
|
rlRun "rmmod nfnetlink_log" 0,1
|
||||||
|
rlLogInfo "restoring services"
|
||||||
|
for svc in $SERVICES; do
|
||||||
|
rlServiceRestore $svc
|
||||||
|
done
|
||||||
|
rlRun "popd"
|
||||||
|
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
|
63
tests/backport-iptables-add-libxt-cgroup-frontend/Makefile
Normal file
63
tests/backport-iptables-add-libxt-cgroup-frontend/Makefile
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/iptables/Sanity/backport-iptables-add-libxt-cgroup-frontend
|
||||||
|
# Description: Test for backport iptables add libxt_cgroup frontend
|
||||||
|
# Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2015 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 2 of
|
||||||
|
# the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/iptables/Sanity/backport-iptables-add-libxt-cgroup-frontend
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: Test for backport iptables add libxt_cgroup frontend" >> $(METADATA)
|
||||||
|
@echo "Type: Sanity" >> $(METADATA)
|
||||||
|
@echo "TestTime: 5m" >> $(METADATA)
|
||||||
|
@echo "RunFor: iptables" >> $(METADATA)
|
||||||
|
@echo "Requires: iptables libcgroup-tools" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2+" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
@ -0,0 +1,4 @@
|
|||||||
|
PURPOSE of /CoreOS/iptables/Sanity/backport-iptables-add-libxt-cgroup-frontend
|
||||||
|
Description: Test for backport iptables add libxt_cgroup frontend
|
||||||
|
Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
Bug summary: Backport: iptables: add libxt_cgroup frontend
|
111
tests/backport-iptables-add-libxt-cgroup-frontend/runtest.sh
Executable file
111
tests/backport-iptables-add-libxt-cgroup-frontend/runtest.sh
Executable file
@ -0,0 +1,111 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/iptables/Sanity/backport-iptables-add-libxt-cgroup-frontend
|
||||||
|
# Description: Test for backport iptables add libxt_cgroup frontend
|
||||||
|
# Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2015 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 2 of
|
||||||
|
# the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/bin/rhts-environment.sh || exit 1
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
|
PACKAGE="iptables"
|
||||||
|
CGNUM="15"
|
||||||
|
CGNAME="15"
|
||||||
|
CGDIR="/sys/fs/cgroup/net_cls/$CGNAME"
|
||||||
|
DEST_IP4="192.0.2.99" # TEST-NET-1
|
||||||
|
DEST_IP42="192.0.2.199" # TEST-NET-1
|
||||||
|
DEST_IP6="2001:0db8:0000:0000:0000:0000:0000:abc0" #has to be expanded due to matching !
|
||||||
|
DEST_IP62="2001:0db8:0000:0000:0000:0000:0000:abc1"
|
||||||
|
SKIP6=false
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm $PACKAGE
|
||||||
|
# rlAssertRpm kernel-$(uname -r)
|
||||||
|
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||||
|
rlRun "pushd $TmpDir"
|
||||||
|
if rlIsRHEL '>=7'; then
|
||||||
|
rlServiceStop firewalld
|
||||||
|
sleep 1
|
||||||
|
fi
|
||||||
|
rlLogInfo "check if net_cls cgroup is present"
|
||||||
|
rlAssertGrep "cgroup.*net_cls" /proc/mounts
|
||||||
|
rlRun "cgcreate -g net_cls:$CGNAME" 0 "create cgroup '15'"
|
||||||
|
rlRun "echo $CGNUM > $CGDIR/net_cls.classid" 0 "assign numerical id to cgroup"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
ping -W 1 -c 30 $DEST_IP4 &
|
||||||
|
PING4_P1=$! EC4=$?
|
||||||
|
ping -W 1 -c 30 $DEST_IP42 &
|
||||||
|
PING4_P2=$! EC42=$?
|
||||||
|
rlRun "[[ $EC4 -eq 0 && $EC42 -eq 0 ]]" 0 "ping ipv4 running to $DEST_IP4, $DEST_IP42"
|
||||||
|
|
||||||
|
ping6 -W 1 -c 30 $DEST_IP6 &
|
||||||
|
PING6_P1=$! EC6=$?
|
||||||
|
sleep 1
|
||||||
|
if [[ $EC6 -eq 2 ]] || ! kill -0 $PING6_P1 2>/dev/null; then
|
||||||
|
rlLogInfo "skipping ipv6 test, network stack unavailable"
|
||||||
|
SKIP6=true
|
||||||
|
else
|
||||||
|
ping6 -W 1 -c 30 $DEST_IP62 &
|
||||||
|
PING6_P2=$!
|
||||||
|
rlRun "kill -0 $PING6_P1 && kill -0 $PING6_P2" 0 "ping ipv6 running to $DEST_IP6, $DEST_IP62"
|
||||||
|
fi
|
||||||
|
journalctl -fkb > dmesg.out &
|
||||||
|
DMESG_P=$!
|
||||||
|
echo > dmesg.out # clear dmesg out
|
||||||
|
|
||||||
|
rlRun "iptables -A OUTPUT -m cgroup --cgroup $CGNUM -j LOG"
|
||||||
|
rlRun "ip6tables -A OUTPUT -m cgroup --cgroup $CGNUM -j LOG"
|
||||||
|
|
||||||
|
rlRun "echo $PING4_P2 >> $CGDIR/tasks" 0 "Add second ping to cgroup '15'"
|
||||||
|
$SKIP6 || rlRun "echo $PING6_P2 >> $CGDIR/tasks" 0 "Add second ping6 to cgroup '15'"
|
||||||
|
cat $CGDIR/tasks
|
||||||
|
sleep 10
|
||||||
|
cat dmesg.out
|
||||||
|
rlAssertGrep "$DEST_IP42" dmesg.out
|
||||||
|
$SKIP6 || rlAssertGrep "$DEST_IP62" dmesg.out
|
||||||
|
rlAssertNotGrep "$DEST_IP4" dmesg.out
|
||||||
|
rlAssertNotGrep "$DEST_IP6" dmesg.out
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
kill $DMESG_P
|
||||||
|
# pings die after 30s of execution either way
|
||||||
|
kill $PING4_P1
|
||||||
|
kill $PING4_P2
|
||||||
|
$SKIP6 || kill $PING6_P1
|
||||||
|
$SKIP6 || kill $PING6_P2
|
||||||
|
sleep 1
|
||||||
|
|
||||||
|
rlRun "iptables -F" 0 "cleanup iptables"
|
||||||
|
rlRun "ip6tables -F" 0 "cleanup ip6tables"
|
||||||
|
rlServiceRestore firewalld
|
||||||
|
rlRun "cgdelete -g net_cls:$CGNAME" 0 "delete cgroup"
|
||||||
|
rlRun "popd"
|
||||||
|
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
|
63
tests/initscript-sanity/Makefile
Normal file
63
tests/initscript-sanity/Makefile
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/iptables/Sanity/initscript-sanity
|
||||||
|
# Description: initscript-sanity
|
||||||
|
# Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2016 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 2 of
|
||||||
|
# the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/iptables/Sanity/initscript-sanity
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: initscript-sanity" >> $(METADATA)
|
||||||
|
@echo "Type: Sanity" >> $(METADATA)
|
||||||
|
@echo "TestTime: 5m" >> $(METADATA)
|
||||||
|
@echo "RunFor: iptables" >> $(METADATA)
|
||||||
|
@echo "Requires: iptables iptables-services" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2+" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
4
tests/initscript-sanity/PURPOSE
Normal file
4
tests/initscript-sanity/PURPOSE
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
PURPOSE of /CoreOS/iptables/Sanity/initscript-sanity
|
||||||
|
Description: initscript-sanity
|
||||||
|
Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
Bug summary: Can not "service iptables save": restorecon not found
|
56
tests/initscript-sanity/runtest.sh
Executable file
56
tests/initscript-sanity/runtest.sh
Executable file
@ -0,0 +1,56 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/iptables/Sanity/initscript-sanity
|
||||||
|
# Description: initscript-sanity
|
||||||
|
# Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2016 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 2 of
|
||||||
|
# the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/bin/rhts-environment.sh || exit 1
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
|
PACKAGE="iptables"
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm $PACKAGE
|
||||||
|
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||||
|
rlRun "pushd $TmpDir"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
rlLogInfo 'Can not "service iptables save": restorecon not found'
|
||||||
|
if rlIsRHEL 6 7 ; then
|
||||||
|
rlAssertGrep '[ ! -x "$RESTORECON" ] && RESTORECON=/bin/true' /usr/libexec/iptables/iptables.init
|
||||||
|
rlAssertGrep '[ ! -x "$RESTORECON" ] && RESTORECON=/bin/true' /usr/libexec/iptables/ip6tables.init
|
||||||
|
else
|
||||||
|
rlLogInfo 'skipping: test not applicable to this OS release'
|
||||||
|
fi
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rlRun "popd"
|
||||||
|
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
|
3
tests/inventory
Executable file
3
tests/inventory
Executable file
@ -0,0 +1,3 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
export TEST_DOCKER_EXTRA_ARGS="--privileged"
|
||||||
|
exec merge-standard-inventory "$@"
|
@ -0,0 +1,62 @@
|
|||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/iptables/Regression/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets
|
||||||
|
# Description: Test for while adding iptables rules with ipv6 sets in
|
||||||
|
# Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2014 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 2 of
|
||||||
|
# the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/iptables/Regression/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: Test for while adding iptables rules with ipv6 sets in" >> $(METADATA)
|
||||||
|
@echo "Type: Regression" >> $(METADATA)
|
||||||
|
@echo "TestTime: 5m" >> $(METADATA)
|
||||||
|
@echo "RunFor: iptables" >> $(METADATA)
|
||||||
|
@echo "Requires: iptables bridge-utils ipset" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2+" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
@ -0,0 +1,4 @@
|
|||||||
|
PURPOSE of /CoreOS/iptables/Regression/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets
|
||||||
|
Description: Test for while adding iptables rules with ipv6 sets in
|
||||||
|
Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
Bug summary: while adding iptables rules with ipv6 sets in destination direction, either individually or combined with source we see error messages.
|
85
tests/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets/runtest.sh
Executable file
85
tests/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets/runtest.sh
Executable file
@ -0,0 +1,85 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/iptables/Regression/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets
|
||||||
|
# Description: Test for while adding iptables rules with ipv6 sets in
|
||||||
|
# Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2014 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 2 of
|
||||||
|
# the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/bin/rhts-environment.sh || exit 1
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
|
PACKAGE="iptables"
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm $PACKAGE
|
||||||
|
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||||
|
rlRun "pushd $TmpDir"
|
||||||
|
rlRun "ip6tables-save > ip6tables.backup"
|
||||||
|
rlRun "iptables-save > iptables.backup"
|
||||||
|
rlRun "brctl addbr testbr" 0 "create bridge iface"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
rlRun "ipset create ipsetv6 hash:net timeout 60 family inet6" 0 "Create hash:net ipset for ipv6"
|
||||||
|
rlRun "ipset create ipsetv4 hash:net timeout 60 family inet" 0 "Create hash:net ipset for ipv4"
|
||||||
|
rlRun "ipset list ipsetv6" 0 "verify ipsetv6 presence"
|
||||||
|
rlRun "ipset list ipsetv4" 0 "verify ipsetv4 presence"
|
||||||
|
# echo waiting; read; echo cont
|
||||||
|
checkRule() {
|
||||||
|
binary="$1"
|
||||||
|
comment="$2"
|
||||||
|
rlRun "$binary -t mangle $RULE" 0 "$comment"
|
||||||
|
rlRun "$binary-save | grep -qe '$RULE'" 0 "verify rule"
|
||||||
|
}
|
||||||
|
for i in dst src dst,src src,dst; do
|
||||||
|
# 6,4 (+)
|
||||||
|
RULE="-A PREROUTING -i testbr -m set --match-set ipsetv6 $i -j ACCEPT"
|
||||||
|
checkRule ip6tables "[ipv6] direction: $i. adding ip6tables rule to match set"
|
||||||
|
RULE="-A PREROUTING -i testbr -m set --match-set ipsetv4 $i -j ACCEPT"
|
||||||
|
checkRule iptables "[ipv4] direction: $i. adding iptables rule to match set"
|
||||||
|
|
||||||
|
# 6,4 (-)
|
||||||
|
RULE="-A PREROUTING -i testbr -m set ! --match-set ipsetv6 $i -j ACCEPT"
|
||||||
|
checkRule ip6tables "[ipv6] direction: $i. adding negated ip6tables rule to match set"
|
||||||
|
RULE="-A PREROUTING -i testbr -m set ! --match-set ipsetv4 $i -j ACCEPT"
|
||||||
|
checkRule iptables "[ipv4] direction: $i. adding negated iptables rule to match set"
|
||||||
|
done
|
||||||
|
ip6tables-save
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rlRun "ip6tables -t mangle -F"
|
||||||
|
rlRun "iptables -t mangle -F"
|
||||||
|
rlRun "ip6tables-restore < ip6tables.backup"
|
||||||
|
rlRun "iptables-restore < iptables.backup"
|
||||||
|
rlRun "ip link set down dev testbr"
|
||||||
|
rlRun "brctl delbr testbr" 0 "remove bridge iface"
|
||||||
|
rlRun "ipset destroy ipsetv6" 0 "remove ipv6 ipset"
|
||||||
|
rlRun "ipset destroy ipsetv4" 0 "remove ipv4 ipset"
|
||||||
|
rlRun "popd"
|
||||||
|
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
|
@ -0,0 +1,63 @@
|
|||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/iptables/Regression/ip6tables-service-does-not-allow-dhcpv6-client-by
|
||||||
|
# Description: Test for ip6tables service does not allow dhcpv6-client by
|
||||||
|
# Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2015 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 2 of
|
||||||
|
# the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/iptables/Regression/ip6tables-service-does-not-allow-dhcpv6-client-by
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: Test for ip6tables service does not allow dhcpv6-client by" >> $(METADATA)
|
||||||
|
@echo "Type: Regression" >> $(METADATA)
|
||||||
|
@echo "TestTime: 5m" >> $(METADATA)
|
||||||
|
@echo "RunFor: iptables" >> $(METADATA)
|
||||||
|
@echo "Requires: iptables iptables-services" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2+" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
@ -0,0 +1,4 @@
|
|||||||
|
PURPOSE of /CoreOS/iptables/Regression/ip6tables-service-does-not-allow-dhcpv6-client-by
|
||||||
|
Description: Test for ip6tables service does not allow dhcpv6-client by
|
||||||
|
Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
Bug summary: ip6tables service does not allow dhcpv6-client by default
|
53
tests/ip6tables-service-does-not-allow-dhcpv6-client-by/runtest.sh
Executable file
53
tests/ip6tables-service-does-not-allow-dhcpv6-client-by/runtest.sh
Executable file
@ -0,0 +1,53 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/iptables/Regression/ip6tables-service-does-not-allow-dhcpv6-client-by
|
||||||
|
# Description: Test for ip6tables service does not allow dhcpv6-client by
|
||||||
|
# Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2015 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 2 of
|
||||||
|
# the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/bin/rhts-environment.sh || exit 1
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
|
PACKAGE="iptables"
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm $PACKAGE
|
||||||
|
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||||
|
rlRun "pushd $TmpDir"
|
||||||
|
rlRun "cp /etc/sysconfig/ip6tables ."
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
rlRun "sed -ie '/REJECT/,// d' ip6tables" 0 "remove all rejected rules"
|
||||||
|
echo --debug--; cat ip6tables
|
||||||
|
rlAssertGrep "-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT" ip6tables
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rlRun "popd"
|
||||||
|
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
|
@ -0,0 +1,63 @@
|
|||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/iptables/Regression/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP
|
||||||
|
# Description: Test for ip6tables -t nat -A POSTROUTING/OUTPUT with DROP
|
||||||
|
# Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2016 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 2 of
|
||||||
|
# the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/iptables/Regression/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: Test for ip6tables -t nat -A POSTROUTING/OUTPUT with DROP" >> $(METADATA)
|
||||||
|
@echo "Type: Regression" >> $(METADATA)
|
||||||
|
@echo "TestTime: 5m" >> $(METADATA)
|
||||||
|
@echo "RunFor: iptables" >> $(METADATA)
|
||||||
|
@echo "Requires: iptables" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2+" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
@ -0,0 +1,4 @@
|
|||||||
|
PURPOSE of /CoreOS/iptables/Regression/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP
|
||||||
|
Description: Test for ip6tables -t nat -A POSTROUTING/OUTPUT with DROP
|
||||||
|
Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
Bug summary: ip6tables -t nat -A POSTROUTING/OUTPUT with DROP target can't filter packets
|
20
tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/env.sh
Normal file
20
tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/env.sh
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
ip netns del cs_client >/dev/null 2>&1
|
||||||
|
ip link del veth0 >/dev/null 2>&1
|
||||||
|
|
||||||
|
ip netns add cs_client
|
||||||
|
ip link add type veth
|
||||||
|
ip link set veth1 name eth1 netns cs_client
|
||||||
|
|
||||||
|
export cs_client_if1=eth1
|
||||||
|
export cs_server_if1=veth0
|
||||||
|
export cs_client_ip1=2001:db8:ffff::1
|
||||||
|
export cs_server_ip1=2001:db8:ffff::2
|
||||||
|
|
||||||
|
ip netns exec cs_client ip link set $cs_client_if1 up
|
||||||
|
ip link set $cs_server_if1 up
|
||||||
|
ip netns exec cs_client ip -6 addr add $cs_client_ip1/64 dev $cs_client_if1
|
||||||
|
ip -6 addr add $cs_server_ip1/64 dev $cs_server_if1
|
||||||
|
ip netns exec cs_client ifconfig lo up
|
||||||
|
ifconfig lo up
|
83
tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/runtest.sh
Executable file
83
tests/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP/runtest.sh
Executable file
@ -0,0 +1,83 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/iptables/Regression/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP
|
||||||
|
# Description: Test for ip6tables -t nat -A POSTROUTING/OUTPUT with DROP
|
||||||
|
# Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2016 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 2 of
|
||||||
|
# the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/bin/rhts-environment.sh || exit 1
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
|
PACKAGE="iptables"
|
||||||
|
SERVICES="iptables ip6tables firewalld"
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm $PACKAGE
|
||||||
|
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||||
|
rlRun "pushd $TmpDir"
|
||||||
|
for svc in $SERVICES; do
|
||||||
|
rlServiceStop $svc
|
||||||
|
done
|
||||||
|
rlRun "iptables -t nat -F"
|
||||||
|
rlRun "ip6tables -t nat -F"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
table="nat"
|
||||||
|
assert_string="nat.*intended.*inhibited"
|
||||||
|
for chain in PREROUTING INPUT OUTPUT POSTROUTING; do
|
||||||
|
rlLogInfo "checking chain $chain"
|
||||||
|
rlRun "iptables -t $table -A $chain -p icmp -j DROP 2>iptables.stderr" 2 \
|
||||||
|
"iptables: Failure to accept DROP to '$table/$chain' chain"
|
||||||
|
rlRun "ip6tables -t $table -A $chain -p icmpv6 -j DROP 2>ip6tables.stderr" 2 \
|
||||||
|
"ip6tables: Failure to accept DROP to '$table/$chain' chain"
|
||||||
|
rlAssertGrep "$assert_string" iptables.stderr -E
|
||||||
|
rlAssertGrep "$assert_string" ip6tables.stderr -E
|
||||||
|
rm -f iptables.stderr ip6tables.stderr
|
||||||
|
echo --debug_START--
|
||||||
|
set -x
|
||||||
|
iptables-save | grep -E '\*|icmp'
|
||||||
|
ip6tables-save | grep -E '\*|icmp'
|
||||||
|
set +x
|
||||||
|
echo --debug_END--
|
||||||
|
done
|
||||||
|
rlRun "iptables-save > ipt4.out"
|
||||||
|
rlRun "ip6tables-save > ipt6.out"
|
||||||
|
rlAssertNotGrep "icmp" ipt4.out
|
||||||
|
rlAssertNotGrep "icmp" ipt6.out
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rlRun "iptables -t nat -F"
|
||||||
|
rlRun "ip6tables -t nat -F"
|
||||||
|
rlLogInfo "restoring services"
|
||||||
|
for svc in $SERVICES; do
|
||||||
|
rlServiceRestore $svc
|
||||||
|
done
|
||||||
|
rlRun "popd"
|
||||||
|
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
|
@ -0,0 +1,63 @@
|
|||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/iptables/Regression/iptables-rule-deletion-fails-for-rules-that-use
|
||||||
|
# Description: Test for iptables rule deletion fails for rules that use
|
||||||
|
# Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2015 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 2 of
|
||||||
|
# the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/iptables/Regression/iptables-rule-deletion-fails-for-rules-that-use
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: Test for iptables rule deletion fails for rules that use" >> $(METADATA)
|
||||||
|
@echo "Type: Regression" >> $(METADATA)
|
||||||
|
@echo "TestTime: 5m" >> $(METADATA)
|
||||||
|
@echo "RunFor: iptables" >> $(METADATA)
|
||||||
|
@echo "Requires: iptables ipset" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2+" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
@ -0,0 +1,4 @@
|
|||||||
|
PURPOSE of /CoreOS/iptables/Regression/iptables-rule-deletion-fails-for-rules-that-use
|
||||||
|
Description: Test for iptables rule deletion fails for rules that use
|
||||||
|
Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
Bug summary: iptables rule deletion fails for rules that use ipset match "--match-set"
|
78
tests/iptables-rule-deletion-fails-for-rules-that-use/runtest.sh
Executable file
78
tests/iptables-rule-deletion-fails-for-rules-that-use/runtest.sh
Executable file
@ -0,0 +1,78 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/iptables/Regression/iptables-rule-deletion-fails-for-rules-that-use
|
||||||
|
# Description: Test for iptables rule deletion fails for rules that use
|
||||||
|
# Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2015 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 2 of
|
||||||
|
# the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/bin/rhts-environment.sh || exit 1
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
|
PACKAGE="iptables"
|
||||||
|
IPSET4="ipsetv4"
|
||||||
|
IPSET6="ipsetv6"
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm $PACKAGE
|
||||||
|
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||||
|
rlRun "pushd $TmpDir"
|
||||||
|
rlRun "ipset create $IPSET4 hash:ip"
|
||||||
|
rlRun "ipset create $IPSET6 hash:ip family inet6"
|
||||||
|
rlRun "iptables-save -t mangle > ipt4.save"
|
||||||
|
rlRun "ip6tables-save -t mangle > ipt6.save"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
RULE40="-A PREROUTING -m set --match-set $IPSET4 dst -j ACCEPT"
|
||||||
|
RULE40d="-D PREROUTING -m set --match-set $IPSET4 dst -j ACCEPT"
|
||||||
|
RULE41="-A PREROUTING -m set --match-set $IPSET4 dst -j SET --add-set $IPSET4 src"
|
||||||
|
RULE41d="-D PREROUTING -m set --match-set $IPSET4 dst -j SET --add-set $IPSET4 src"
|
||||||
|
RULE60="-A PREROUTING -m set --match-set $IPSET6 dst -j ACCEPT"
|
||||||
|
RULE60d="-D PREROUTING -m set --match-set $IPSET6 dst -j ACCEPT"
|
||||||
|
RULE61="-A PREROUTING -m set --match-set $IPSET6 dst -j SET --add-set $IPSET6 src"
|
||||||
|
RULE61d="-D PREROUTING -m set --match-set $IPSET6 dst -j SET --add-set $IPSET6 src"
|
||||||
|
for RULE in "$RULE40" "$RULE40d" "$RULE41" "$RULE41d"; do
|
||||||
|
rlRun "iptables -t mangle $RULE"
|
||||||
|
done
|
||||||
|
for RULE in "$RULE60" "$RULE60d" "$RULE61" "$RULE61d"; do
|
||||||
|
rlRun "ip6tables -t mangle $RULE"
|
||||||
|
done
|
||||||
|
rlRun "iptables-save -t mangle > ipt4.save2"
|
||||||
|
rlRun "ip6tables-save -t mangle > ipt6.save2"
|
||||||
|
rlRun "sed -e '/^#/d' -e 's/\[.*:.*\]$//' -i ipt4* ipt6*" 0 "magically unify savefiles"
|
||||||
|
rlAssertNotDiffer ipt4.save ipt4.save2
|
||||||
|
rlAssertNotDiffer ipt6.save ipt6.save2
|
||||||
|
diff -u ipt4.save ipt4.save2
|
||||||
|
diff -u ipt6.save ipt6.save2
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rlRun "ipset destroy $IPSET4"
|
||||||
|
rlRun "ipset destroy $IPSET6"
|
||||||
|
rlRun "popd"
|
||||||
|
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
|
63
tests/iptables-save-cuts-space-before-j/Makefile
Normal file
63
tests/iptables-save-cuts-space-before-j/Makefile
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/iptables/Regression/iptables-save-cuts-space-before-j
|
||||||
|
# Description: Test for iptables-save cuts space before -j
|
||||||
|
# Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2015 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 2 of
|
||||||
|
# the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/iptables/Regression/iptables-save-cuts-space-before-j
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: Test for iptables-save cuts space before -j" >> $(METADATA)
|
||||||
|
@echo "Type: Regression" >> $(METADATA)
|
||||||
|
@echo "TestTime: 5m" >> $(METADATA)
|
||||||
|
@echo "RunFor: iptables" >> $(METADATA)
|
||||||
|
@echo "Requires: iptables" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2+" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
4
tests/iptables-save-cuts-space-before-j/PURPOSE
Normal file
4
tests/iptables-save-cuts-space-before-j/PURPOSE
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
PURPOSE of /CoreOS/iptables/Regression/iptables-save-cuts-space-before-j
|
||||||
|
Description: Test for iptables-save cuts space before -j
|
||||||
|
Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
Bug summary: iptables-save cuts space before -j
|
61
tests/iptables-save-cuts-space-before-j/runtest.sh
Executable file
61
tests/iptables-save-cuts-space-before-j/runtest.sh
Executable file
@ -0,0 +1,61 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/iptables/Regression/iptables-save-cuts-space-before-j
|
||||||
|
# Description: Test for iptables-save cuts space before -j
|
||||||
|
# Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2015 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 2 of
|
||||||
|
# the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/bin/rhts-environment.sh || exit 1
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
|
PACKAGE="iptables"
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm $PACKAGE
|
||||||
|
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||||
|
rlRun "pushd $TmpDir"
|
||||||
|
rlServiceStart iptables
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
RULE="-A INPUT -p dccp -m dccp --dccp-type RESET,INVALID -j LOG"
|
||||||
|
if rlIsRHEL '>6' || rlIsFedora; then
|
||||||
|
RULE="${RULE/type/types}" # it is exported under other name
|
||||||
|
fi
|
||||||
|
rlLogInfo "using rule '$RULE'"
|
||||||
|
rlRun "iptables $RULE" 0 "add rule for ipv4"
|
||||||
|
rlRun "ip6tables $RULE" 0 "add rule for ipv6"
|
||||||
|
rlRun "iptables-save | grep -- '$RULE'" 0 "check rule for ipv4"
|
||||||
|
rlRun "ip6tables-save | grep -- '$RULE'" 0 "check rule for ipv6"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rlServiceStop iptables
|
||||||
|
rlServiceRestore iptables
|
||||||
|
rlRun "popd"
|
||||||
|
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
|
63
tests/iptables-save-modprobe-option/Makefile
Normal file
63
tests/iptables-save-modprobe-option/Makefile
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/iptables/Regression/iptables-save-modprobe-option
|
||||||
|
# Description: Test for iptables-save man page completely wrong - which
|
||||||
|
# Author: Ales Zelinka <azelinka@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/iptables/Regression/iptables-save-modprobe-option
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Ales Zelinka <azelinka@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: Test for iptables-save man page completely wrong - which" >> $(METADATA)
|
||||||
|
@echo "Type: Regression" >> $(METADATA)
|
||||||
|
@echo "TestTime: 5m" >> $(METADATA)
|
||||||
|
@echo "RunFor: iptables" >> $(METADATA)
|
||||||
|
@echo "Requires: iptables" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
4
tests/iptables-save-modprobe-option/PURPOSE
Normal file
4
tests/iptables-save-modprobe-option/PURPOSE
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
PURPOSE of /CoreOS/iptables/Regression/iptables-save-modprobe-option
|
||||||
|
Description: Test for iptables-save man page completely wrong - which
|
||||||
|
Author: Ales Zelinka <azelinka@redhat.com>
|
||||||
|
Bug summary: iptables-save man page completely wrong - which conflicting arguments should work?
|
42
tests/iptables-save-modprobe-option/runtest.sh
Executable file
42
tests/iptables-save-modprobe-option/runtest.sh
Executable file
@ -0,0 +1,42 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/iptables/Regression/iptables-save-modprobe-option
|
||||||
|
# Description: Test for iptables-save man page completely wrong - which
|
||||||
|
# Author: Ales Zelinka <azelinka@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/bin/rhts-environment.sh || exit 1
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
|
PACKAGE="iptables"
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartTest
|
||||||
|
rlAssertRpm $PACKAGE
|
||||||
|
rlRun "iptables-save -M /dev/null" 0 "iptables-save -M ... supported"
|
||||||
|
rlRun "iptables-save --modprobe /dev/null" 0 "iptables-save --modprobe ... supported"
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
|
91
tests/tests.yml
Normal file
91
tests/tests.yml
Normal file
@ -0,0 +1,91 @@
|
|||||||
|
---
|
||||||
|
- hosts: localhost
|
||||||
|
tags: [ always ]
|
||||||
|
tasks:
|
||||||
|
- set_fact:
|
||||||
|
our_required_packages:
|
||||||
|
- iproute # multiple tests need ip command
|
||||||
|
- iputils # multiple tests need ping/ping6 commands
|
||||||
|
- iptables # multiple tests need iptables/ip6tables commands
|
||||||
|
- iptables-services # multiple tests need iptables/ip6tables config files
|
||||||
|
- initscripts # multiple tests need system command
|
||||||
|
- libcgroup-tools # backport-iptables-add-libxt-cgroup-frontend needs cg* commands
|
||||||
|
- bridge-utils # ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets needs brctl command
|
||||||
|
- ipset # multiple tests need ipset command
|
||||||
|
- strace # xtables-tools-locking-vulnerable-to-local-DoS needs strace command
|
||||||
|
- policycoreutils # initscript-sanity needs restorecon command
|
||||||
|
|
||||||
|
- hosts: localhost
|
||||||
|
tags:
|
||||||
|
- rhts-all
|
||||||
|
roles:
|
||||||
|
- role: standard-test-rhts
|
||||||
|
tests:
|
||||||
|
- backport-iptables-add-libxt-cgroup-frontend
|
||||||
|
- initscript-sanity
|
||||||
|
- ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets
|
||||||
|
- ip6tables-service-does-not-allow-dhcpv6-client-by
|
||||||
|
- ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP
|
||||||
|
- iptables-rule-deletion-fails-for-rules-that-use
|
||||||
|
- iptables-save-cuts-space-before-j
|
||||||
|
- iptables-save-modprobe-option
|
||||||
|
- NFQUEUE-queue-bypass
|
||||||
|
- RFE-Enable-the-missing-IPv6-SET-target
|
||||||
|
- RFE-iptables-add-C-option-to-iptables-in-RHEL6
|
||||||
|
- TRACE-target-of-iptables-can-t-work-in
|
||||||
|
- xtables-tools-locking-vulnerable-to-local-DoS
|
||||||
|
required_packages: "{{ our_required_packages }}"
|
||||||
|
|
||||||
|
- hosts: localhost
|
||||||
|
tags:
|
||||||
|
- classic
|
||||||
|
- beakerlib-all
|
||||||
|
roles:
|
||||||
|
- role: standard-test-beakerlib
|
||||||
|
tests:
|
||||||
|
- backport-iptables-add-libxt-cgroup-frontend
|
||||||
|
- initscript-sanity
|
||||||
|
- ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets
|
||||||
|
- ip6tables-service-does-not-allow-dhcpv6-client-by
|
||||||
|
- ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP
|
||||||
|
- iptables-rule-deletion-fails-for-rules-that-use
|
||||||
|
- iptables-save-cuts-space-before-j
|
||||||
|
- iptables-save-modprobe-option
|
||||||
|
- NFQUEUE-queue-bypass
|
||||||
|
- RFE-Enable-the-missing-IPv6-SET-target
|
||||||
|
- RFE-iptables-add-C-option-to-iptables-in-RHEL6
|
||||||
|
- TRACE-target-of-iptables-can-t-work-in
|
||||||
|
- xtables-tools-locking-vulnerable-to-local-DoS
|
||||||
|
required_packages: "{{ our_required_packages }}"
|
||||||
|
|
||||||
|
- hosts: localhost
|
||||||
|
tags:
|
||||||
|
- container
|
||||||
|
roles:
|
||||||
|
- role: standard-test-beakerlib
|
||||||
|
tests:
|
||||||
|
#- backport-iptables-add-libxt-cgroup-frontend # journaling/logging issues?
|
||||||
|
- ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets
|
||||||
|
- ip6tables-service-does-not-allow-dhcpv6-client-by
|
||||||
|
- ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP
|
||||||
|
- iptables-rule-deletion-fails-for-rules-that-use
|
||||||
|
- iptables-save-cuts-space-before-j
|
||||||
|
- iptables-save-modprobe-option
|
||||||
|
- NFQUEUE-queue-bypass
|
||||||
|
- RFE-Enable-the-missing-IPv6-SET-target
|
||||||
|
- RFE-iptables-add-C-option-to-iptables-in-RHEL6
|
||||||
|
- xtables-tools-locking-vulnerable-to-local-DoS
|
||||||
|
required_packages: "{{ our_required_packages }}"
|
||||||
|
|
||||||
|
- hosts: localhost
|
||||||
|
tags:
|
||||||
|
- atomic
|
||||||
|
roles:
|
||||||
|
- role: standard-test-beakerlib
|
||||||
|
tests:
|
||||||
|
- ip6tables-service-does-not-allow-dhcpv6-client-by
|
||||||
|
- iptables-save-cuts-space-before-j
|
||||||
|
- iptables-save-modprobe-option
|
||||||
|
- NFQUEUE-queue-bypass
|
||||||
|
- RFE-iptables-add-C-option-to-iptables-in-RHEL6
|
||||||
|
- xtables-tools-locking-vulnerable-to-local-DoS
|
63
tests/xtables-tools-locking-vulnerable-to-local-DoS/Makefile
Normal file
63
tests/xtables-tools-locking-vulnerable-to-local-DoS/Makefile
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/iptables/Regression/xtables-tools-locking-vulnerable-to-local-DoS
|
||||||
|
# Description: Test for xtables tools locking vulnerable to local DoS
|
||||||
|
# Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2015 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 2 of
|
||||||
|
# the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/iptables/Regression/xtables-tools-locking-vulnerable-to-local-DoS
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: Test for xtables tools locking vulnerable to local DoS" >> $(METADATA)
|
||||||
|
@echo "Type: Regression" >> $(METADATA)
|
||||||
|
@echo "TestTime: 5m" >> $(METADATA)
|
||||||
|
@echo "RunFor: iptables" >> $(METADATA)
|
||||||
|
@echo "Requires: iptables strace" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2+" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
@ -0,0 +1,4 @@
|
|||||||
|
PURPOSE of /CoreOS/iptables/Regression/xtables-tools-locking-vulnerable-to-local-DoS
|
||||||
|
Description: Test for xtables tools locking vulnerable to local DoS
|
||||||
|
Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
Bug summary: xtables tools locking vulnerable to local DoS
|
54
tests/xtables-tools-locking-vulnerable-to-local-DoS/runtest.sh
Executable file
54
tests/xtables-tools-locking-vulnerable-to-local-DoS/runtest.sh
Executable file
@ -0,0 +1,54 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/iptables/Regression/xtables-tools-locking-vulnerable-to-local-DoS
|
||||||
|
# Description: Test for xtables tools locking vulnerable to local DoS
|
||||||
|
# Author: Tomas Dolezal <todoleza@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2015 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 2 of
|
||||||
|
# the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/bin/rhts-environment.sh || exit 1
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
|
PACKAGE="iptables"
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm $PACKAGE
|
||||||
|
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||||
|
rlRun "pushd $TmpDir"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
rlRun "strace -fe flock,bind,open,openat -o strace.out iptables -w -L" 0 "execute iptables in strace"
|
||||||
|
echo --debug--; cat strace.out
|
||||||
|
rlAssertNotGrep "bind.*xtables" strace.out -E
|
||||||
|
rlAssertGrep " flock(" strace.out
|
||||||
|
rlAssertGrep "/run/xtables.lock" strace.out
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rlRun "popd"
|
||||||
|
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
|
Loading…
Reference in New Issue
Block a user