#!/bin/bash # vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # # runtest.sh of /CoreOS/iptables/Regression/TRACE-target-of-iptables-can-t-work-in # Description: Test for TRACE target of iptables can't work in # Author: Tomas Dolezal # # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # # Copyright (c) 2016 Red Hat, Inc. # # This program is free software: you can redistribute it and/or # modify it under the terms of the GNU General Public License as # published by the Free Software Foundation, either version 2 of # the License, or (at your option) any later version. # # This program is distributed in the hope that it will be # useful, but WITHOUT ANY WARRANTY; without even the implied # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR # PURPOSE. See the GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see http://www.gnu.org/licenses/. # # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Include Beaker environment . /usr/bin/rhts-environment.sh || exit 1 . /usr/share/beakerlib/beakerlib.sh || exit 1 SERVICES="iptables ip6tables firewalld" prepare_page() { section=$1 name=$2 dest=${name}.manpage zcat /usr/share/man/man${section}/${name}.${section}.gz | tr -s ' ' > ${dest} rlAssertExists ${dest} } rlJournalStart rlPhaseStartSetup rlLogInfo $(uname -r) rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory" rlRun "pushd $TmpDir" prepare_page 8 iptables-extensions for svc in $SERVICES; do rlServiceStop $svc done rlRun "ip -4 -o r | grep default | head -1 | sed -re 's/.*dev ((\.|\w)+).*/\1/' > default-iface" IFACE="$(< default-iface)" rlAssertExists "/sys/class/net/$IFACE" rlRun "ip route save > ip-route.save" 0 "save routing info" rlRun "ip -6 route save > ip-route.save6" 0 "save ipv6 routing info" rlRun "ip -6 r add default dev $IFACE" 0,2 "add ipv6 default route" rlRun "rmmod nf_log_ipv4" 0,1 rlRun "rmmod nf_log_ipv6" 0,1 rlPhaseEnd rlPhaseStartTest "manpage check" rlAssertGrep "nfnetlink_log" iptables-extensions.manpage if rlIsRHEL 7 && rlIsRHEL '>=7.3' ; then # RHEL version-specific libxt_TRACE man page patchs rlAssertGrep "nf_log_ipv4(6)" iptables-extensions.manpage rlAssertNotGrep "ip(...)?t_LOG" iptables-extensions.manpage -Ei fi rlPhaseEnd ipv4_ping() { rlRun "ping -i 0.2 -c 3 -W 1 192.0.2.99" 0,1 "ipv4 icmp out (ping)" } ipv6_ping() { rlRun "ping6 -i 0.2 -c 3 -W 1 2001:DB8::99" 0,1 "ipv6 icmp out (ping6)" } get_messages() { if rlIsFedora; then journalctl -qkb else cat /var/log/messages fi } rlPhaseStartTest "iptables_TRACE" rlRun "get_messages > messages.log-orig" rlRun "iptables -t raw -I OUTPUT -p icmp -j TRACE" 0 rlRun "ip6tables -t raw -I OUTPUT -p icmpv6 -j TRACE" 0 if rlTestVersion "$(uname -r)" "<" "4.6"; then ipv4_ping; ipv6_ping rlRun "get_messages > messages.current" rlRun "diff messages.log-orig messages.current > diff.1" 0,1 echo --debug_START-- cat diff.1 echo --debug_END-- rlRun "modprobe nf_log_ipv4" 0 "load ipv4 TRACE logging module" rlRun "modprobe nf_log_ipv6" 0 "load ipv6 TRACE logging module" rlAssertNotGrep "TRACE" diff.1 else rlLogInfo "new kernel detected: skipping loading modules and associated checks" fi if rlIsRHEL '>7' || rlIsFedora '>31' || rlIsCentOS '>7'; then # assume iptables-nft xtables-monitor --trace >messages.current & monitor_pid=$! ipv4_ping ipv6_ping kill $monitor_pid rlAssertGrep "TRACE: 2 .* -4 " messages.current rlAssertGrep "TRACE: 10 .* -6 " messages.current echo --debug_START-- cat messages.current echo --debug_END-- else ipv4_ping; ipv6_ping rlRun "get_messages > messages.current" rlRun "diff messages.log-orig messages.current > diff.2" 0,1 rlAssertGrep "TRACE" diff.2 rlAssertGrep "TRACE.*PROTO=ICMP " diff.2 rlAssertGrep "TRACE.*PROTO=ICMPv6 " diff.2 echo --debug_START-- cat diff.2 echo --debug_END-- fi rlPhaseEnd rlPhaseStartCleanup rlRun "ip route flush default" 0 "flush ip route data" rlRun "ip -6 route flush default" 0 "flush ipv6 route data" rlRun "ip route restore < ip-route.save" 0 "restore routing info" rlRun "ip -6 route restore < ip-route.save6" 0 "restore routing info ipv6" rlRun "iptables -t raw -F" rlRun "ip6tables -t raw -F" rlRun "rmmod nf_log_ipv4" 0,1 rlRun "rmmod nf_log_ipv6" 0,1 rlRun "rmmod nf_log_common" 0,1 rlRun "rmmod nfnetlink_log" 0,1 rlLogInfo "restoring services" for svc in $SERVICES; do rlServiceRestore $svc done rlRun "popd" rlRun "rm -r $TmpDir" 0 "Removing tmp directory" rlPhaseEnd rlJournalPrintText rlJournalEnd