6eebdb8221
* Wed Aug 14 2024 Phil Sutter <psutter@redhat.com> [1.8.10-5.el9] - xtables-monitor: Ignore ebtables policy rules unless tracing (Phil Sutter) [RHEL-47264] - xtables-monitor: Fix for ebtables rule events (Phil Sutter) [RHEL-47264] - tests: shell: New xtables-monitor test (Phil Sutter) [RHEL-47264] - xtables-monitor: Support arptables chain events (Phil Sutter) [RHEL-47264] - xtables-monitor: Align builtin chain and table output (Phil Sutter) [RHEL-47264] - xtables-monitor: Flush stdout after all lines of output (Phil Sutter) [RHEL-47264] - xtables-monitor: Proper re-init for rule's family (Phil Sutter) [RHEL-47264] - nft: Fix for zeroing existent builtin chains (Phil Sutter) [RHEL-49497] - nft: cache: Annotate faked base chains as such (Phil Sutter) [RHEL-49497] - nft: Fix for zeroing non-existent builtin chains (Phil Sutter) [RHEL-49497] Resolves: RHEL-47264, RHEL-49497
From ba52fc13241a72ad26b7ea0cd38a1e8ded693961 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 14 Aug 2024 14:30:11 +0200
Subject: [PATCH] tests: shell: New xtables-monitor test
JIRA: https://issues.redhat.com/browse/RHEL-47264
Upstream Status: iptables commit 876a71bf7ad573dea998ca61a03fd35f2b04557b
commit 876a71bf7ad573dea998ca61a03fd35f2b04557b
Author: Phil Sutter <phil@nwl.cc>
Date: Fri Jul 12 13:10:08 2024 +0200
tests: shell: New xtables-monitor test
Only events monitoring for now.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
.../testcases/nft-only/0012-xtables-monitor_0 | 149 ++++++++++++++++++
1 file changed, 149 insertions(+)
create mode 100755 iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
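diff --git a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
new file mode 100755
index 0000000..7b028ba
--- /dev/null
+++ b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
@@ -0,0 +1,149 @@
+#!/bin/bash
+
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+
+log=$(mktemp)
+trap "rm -f $log" EXIT
+echo "logging into file $log"
+rc=0
+
+# Filter monitor output:
+# - NEWGEN event is moot:
+# - GENID/PID are arbitrary,
+# - NAME always "xtables-nft-mul"
+# - handle is arbitrary as well
+logfilter() { # (logfile)
+ grep -v '^NEWGEN:' "$1" | sed -e 's/handle [0-9]\+/handle 0/'
+}
+
+# Compare monitor output for given command against content of the global $EXP
+monitorcheck() { # (cmd ...)
+ $XT_MULTI xtables-monitor -e >"$log"&
+ monpid=$!
+ sleep 0.5
+
+ $XT_MULTI "$@" || {
+ echo "Error: command failed: $@"
+ let "rc++"
+ kill $monpid
+ wait
+ return
+ }
+ sleep 0.5
+ kill $monpid
+ wait
+ diffout=$(diff -u <(echo "$EXP") <(logfilter "$log")) || {
+ echo "Fail: unexpected result for command: '$@':"
+ grep -v '^\(---\|+++\|@@\)' <<< "$diffout"
+ let "rc++"
+ }
+}
+
+EXP="\
+ EVENT: nft: NEW table: table filter ip flags 0 use 1 handle 0
+ EVENT: nft: NEW chain: ip filter FORWARD use 1 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1
+ EVENT: -4 -t filter -A FORWARD -j ACCEPT"
+monitorcheck iptables -A FORWARD -j ACCEPT
+
+EXP="\
+ EVENT: nft: NEW table: table filter ip6 flags 0 use 1 handle 0
+ EVENT: nft: NEW chain: ip6 filter FORWARD use 1 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1
+ EVENT: -6 -t filter -A FORWARD -j ACCEPT"
+monitorcheck ip6tables -A FORWARD -j ACCEPT
+
+# FIXME
+EXP="\
+ EVENT: nft: NEW table: table filter bridge flags 0 use 1 handle 0
+ EVENT: nft: NEW chain: bridge filter FORWARD use 1 type filter hook forward prio -200 policy accept packets 0 bytes 0 flags 1
+ EVENT: "
+monitorcheck ebtables -A FORWARD -j ACCEPT
+
+EXP="\
+ EVENT: nft: NEW table: table filter arp flags 0 use 1 handle 0
+ EVENT: nft: NEW chain: arp filter INPUT use 1 type filter hook input prio 0 policy accept packets 0 bytes 0 flags 1
+ EVENT: -0 -t filter -A INPUT -j ACCEPT"
+monitorcheck arptables -A INPUT -j ACCEPT
+
+EXP=" EVENT: -4 -t filter -N foo"
+monitorcheck iptables -N foo
+
+EXP=" EVENT: -6 -t filter -N foo"
+monitorcheck ip6tables -N foo
+
+# FIXME
+EXP="\
+ EVENT: nft: NEW chain: bridge filter foo use 1
+ EVENT: "
+monitorcheck ebtables -N foo
+
+EXP=" EVENT: -0 -t filter -N foo"
+monitorcheck arptables -N foo
+
+# meta l4proto matches require proper nft_handle:family value
+EXP=" EVENT: -4 -t filter -A FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 22 -j ACCEPT"
+monitorcheck iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT
+
+EXP=" EVENT: -6 -t filter -A FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT"
+monitorcheck ip6tables -A FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT
+
+# FIXME
+EXP=" EVENT: "
+monitorcheck ebtables -A FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT
+
+EXP=" EVENT: -0 -t filter -A INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06"
+monitorcheck arptables -A INPUT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06 -j ACCEPT
+
+EXP=" EVENT: -4 -t filter -D FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 22 -j ACCEPT"
+monitorcheck iptables -D FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT
+
+EXP=" EVENT: -6 -t filter -D FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT"
+monitorcheck ip6tables -D FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT
+
+# FIXME
+EXP=" EVENT: "
+monitorcheck ebtables -D FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT
+
+EXP=" EVENT: -0 -t filter -D INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06"
+monitorcheck arptables -D INPUT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06 -j ACCEPT
+
+EXP=" EVENT: -4 -t filter -X foo"
+monitorcheck iptables -X foo
+
+EXP=" EVENT: -6 -t filter -X foo"
+monitorcheck ip6tables -X foo
+
+# FIXME
+EXP="\
+ EVENT:
+ EVENT: nft: DEL chain: bridge filter foo use 0"
+monitorcheck ebtables -X foo
+
+EXP=" EVENT: -0 -t filter -X foo"
+monitorcheck arptables -X foo
+
+EXP=" EVENT: -4 -t filter -D FORWARD -j ACCEPT"
+monitorcheck iptables -F FORWARD
+
+EXP=" EVENT: -6 -t filter -D FORWARD -j ACCEPT"
+monitorcheck ip6tables -F FORWARD
+
+# FIXME
+EXP=" EVENT: "
+monitorcheck ebtables -F FORWARD
+
+EXP=" EVENT: -0 -t filter -D INPUT -j ACCEPT"
+monitorcheck arptables -F INPUT
+
+EXP=" EVENT: nft: DEL chain: ip filter FORWARD use 0 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1"
+monitorcheck iptables -X FORWARD
+
+EXP=" EVENT: nft: DEL chain: ip6 filter FORWARD use 0 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1"
+monitorcheck ip6tables -X FORWARD
+
+EXP=" EVENT: nft: DEL chain: bridge filter FORWARD use 0 type filter hook forward prio -200 policy accept packets 0 bytes 0 flags 1"
+monitorcheck ebtables -X FORWARD
+
+EXP=" EVENT: nft: DEL chain: arp filter INPUT use 0 type filter hook input prio 0 policy accept packets 0 bytes 0 flags 1"
+monitorcheck arptables -X INPUT
+
+exit $rc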
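Review bot: `monitorcheck` relies on two fixed `sleep 0.5` delays (after starting `xtables-monitor -e` and before `kill $monpid`) for the monitor to subscribe and flush, so on a slow or loaded host an event can be missed and the test fails spuriously instead of deterministically; consider making the delay overridable, e.g. `sleep "${MONITOR_DELAY:-0.5}"`, and recording the race in the function comment. Two smaller points in the same function: `echo "Error: command failed: $@"` and the `Fail:` message use `$@` inside a double-quoted string (ShellCheck SC2145) where `$*` is meant, and `monpid` should be declared `local` since nothing outside the function reads it. At the top, `trap "rm -f $log" EXIT` expands `$log` when the trap is set; the idiomatic form is `trap 'rm -f -- "$log"' EXIT`. The `# FIXME` blocks expect a bare ` EVENT: ` line for ebtables rule events; a one-line comment explaining why that output is currently expected would help the next reader, since the changelog above lists an ebtables rule-event fix in the same update that presumably changes these expectations.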