Message ID | 20240323203516.19205-1-ju.o@free.fr |
---|---|
State | Accepted |
Series | [1/1] support/testing: add iptables runtime test | expand |
On 23/03/2024 21:35, Julien Olivain wrote: > Signed-off-by: Julien Olivain <ju.o@free.fr> Applied to master, thanks. Regards, Arnout > --- > DEVELOPERS | 1 + > .../testing/tests/package/test_iptables.py | 78 +++++++++++++++++++ > 2 files changed, 79 insertions(+) > create mode 100644 support/testing/tests/package/test_iptables.py > > diff --git a/DEVELOPERS b/DEVELOPERS > index a6364cdd441..328c654faed 100644 > --- a/DEVELOPERS > +++ b/DEVELOPERS > @@ -1797,6 +1797,7 @@ F: support/testing/tests/package/test_highway.py > F: support/testing/tests/package/test_hwloc.py > F: support/testing/tests/package/test_iozone.py > F: support/testing/tests/package/test_iperf3.py > +F: support/testing/tests/package/test_iptables.py > F: support/testing/tests/package/test_jailhouse.py > F: support/testing/tests/package/test_jq.py > F: support/testing/tests/package/test_jq/ > diff --git a/support/testing/tests/package/test_iptables.py b/support/testing/tests/package/test_iptables.py > new file mode 100644 > index 00000000000..ee57b315589 > --- /dev/null > +++ b/support/testing/tests/package/test_iptables.py 
> @@ -0,0 +1,78 @@ > +import os > + > +import infra.basetest > + > + > +class TestIptables(infra.basetest.BRTest): > + # The iptables package has _LINUX_CONFIG_FIXUPS, so we cannot use > + # the runtime test pre-built Kernel. We need to compile a Kernel > + # to make sure it will include the required configuration. > + config = \ > + """ > + BR2_aarch64=y > + BR2_TOOLCHAIN_EXTERNAL=y > + BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0" > + BR2_LINUX_KERNEL=y > + BR2_LINUX_KERNEL_CUSTOM_VERSION=y > + BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.1.82" > + BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y > + BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/aarch64-virt/linux.config" > + BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y > + BR2_PACKAGE_IPTABLES=y > + BR2_TARGET_ROOTFS_CPIO=y > + BR2_TARGET_ROOTFS_CPIO_GZIP=y > + # BR2_TARGET_ROOTFS_TAR is not set > + """ > + > + def test_run(self): > + img = os.path.join(self.builddir, "images", "rootfs.cpio.gz") > + kern = os.path.join(self.builddir, "images", "Image") > + self.emulator.boot(arch="aarch64", > + kernel=kern, > + kernel_cmdline=["console=ttyAMA0"], > + options=["-M", "virt", > + "-cpu", "cortex-a57", > + "-m", "256M", > + "-initrd", img]) > + self.emulator.login() > + > + # We check the program can execute. > + self.assertRunOk("iptables --version") > + > + # We delete all rules in all chains. We also set default > + # policies to ACCEPT for INPUT and OUPUT chains. This should > + # already be the case (default Kernel config). This makes sure > + # this test starts from a known state and also those common > + # command invocations works. > + self.assertRunOk("iptables --flush") > + self.assertRunOk("iptables --policy INPUT ACCEPT") > + self.assertRunOk("iptables --policy OUTPUT ACCEPT") > + > + # We add a filter rule to drop all the ICMP protocol to the > + # IPv4 destination 127.0.0.2, in the INPUT chain. This should > + # block all pings (icmp echo-requests). 
> + cmd = "iptables --append INPUT" > + cmd += " --protocol icmp --destination 127.0.0.2 --jump DROP" > + self.assertRunOk(cmd) > + > + # We check we can list rules. > + self.assertRunOk("iptables --list") > + > + # A ping to 127.0.0.1 is expected to work, because it's not > + # matching our rule. We expect 3 replies (-c), with 0.5s > + # internal (-i), and set a maximum timeout of 2s. > + ping_cmd_prefix = "ping -c 3 -i 0.5 -W 2 " > + self.assertRunOk(ping_cmd_prefix + "127.0.0.1") > + > + # A ping to 127.0.0.2 is expected to fail, because our rule is > + # supposed to drop it. > + ping_test_cmd = ping_cmd_prefix + "127.0.0.2" > + _, exit_code = self.emulator.run(ping_test_cmd) > + self.assertNotEqual(exit_code, 0) > + > + # We delete our only rule #1 in the INPUT chain. > + self.assertRunOk("iptables --delete INPUT 1") > + > + # Since we deleted the rule, the ping test command which was > + # supposed to fail earlier is now supposed to succeed. > + self.assertRunOk(ping_test_cmd)
>>>>> "Julien" == Julien Olivain <ju.o@free.fr> writes: > Signed-off-by: Julien Olivain <ju.o@free.fr> > --- > DEVELOPERS | 1 + > .../testing/tests/package/test_iptables.py | 78 +++++++++++++++++++ > 2 files changed, 79 insertions(+) > create mode 100644 support/testing/tests/package/test_iptables.py Committed to 2024.02.x, thanks.
diff --git a/DEVELOPERS b/DEVELOPERS
index a6364cdd441..328c654faed 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -1797,6 +1797,7 @@ F: support/testing/tests/package/test_highway.py
 F: support/testing/tests/package/test_hwloc.py
 F: support/testing/tests/package/test_iozone.py
 F: support/testing/tests/package/test_iperf3.py
+F: support/testing/tests/package/test_iptables.py
 F: support/testing/tests/package/test_jailhouse.py
 F: support/testing/tests/package/test_jq.py
 F: support/testing/tests/package/test_jq/
diff --git a/support/testing/tests/package/test_iptables.py b/support/testing/tests/package/test_iptables.py
new file mode 100644
index 00000000000..ee57b315589
--- /dev/null
+++ b/support/testing/tests/package/test_iptables.py
@@ -0,0 +1,78 @@
+import os
+
+import infra.basetest
+
+
+class TestIptables(infra.basetest.BRTest):
+ # The iptables package has _LINUX_CONFIG_FIXUPS, so we cannot use
+ # the runtime test pre-built Kernel. We need to compile a Kernel
+ # to make sure it will include the required configuration.
+ config = \
+ """
+ BR2_aarch64=y
+ BR2_TOOLCHAIN_EXTERNAL=y
+ BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0"
+ BR2_LINUX_KERNEL=y
+ BR2_LINUX_KERNEL_CUSTOM_VERSION=y
+ BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.1.82"
+ BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
+ BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/aarch64-virt/linux.config"
+ BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
+ BR2_PACKAGE_IPTABLES=y
+ BR2_TARGET_ROOTFS_CPIO=y
+ BR2_TARGET_ROOTFS_CPIO_GZIP=y
+ # BR2_TARGET_ROOTFS_TAR is not set
+ """
+
+ def test_run(self):
+ img = os.path.join(self.builddir, "images", "rootfs.cpio.gz")
+ kern = os.path.join(self.builddir, "images", "Image")
+ self.emulator.boot(arch="aarch64",
+ kernel=kern,
+ kernel_cmdline=["console=ttyAMA0"],
+ options=["-M", "virt",
+ "-cpu", "cortex-a57",
+ "-m", "256M",
+ "-initrd", img])
+ self.emulator.login()
+
+ # We check the program can execute.
+ self.assertRunOk("iptables --version")
+
+ # We delete all rules in all chains. We also set default
+ # policies to ACCEPT for INPUT and OUPUT chains. This should
+ # already be the case (default Kernel config). This makes sure
+ # this test starts from a known state and also those common
+ # command invocations works.
+ self.assertRunOk("iptables --flush")
+ self.assertRunOk("iptables --policy INPUT ACCEPT")
+ self.assertRunOk("iptables --policy OUTPUT ACCEPT")
+
+ # We add a filter rule to drop all the ICMP protocol to the
+ # IPv4 destination 127.0.0.2, in the INPUT chain. This should
+ # block all pings (icmp echo-requests).
+ cmd = "iptables --append INPUT"
+ cmd += " --protocol icmp --destination 127.0.0.2 --jump DROP"
+ self.assertRunOk(cmd)
+
+ # We check we can list rules.
+ self.assertRunOk("iptables --list")
+
+ # A ping to 127.0.0.1 is expected to work, because it's not
+ # matching our rule. We expect 3 replies (-c), with 0.5s
+ # internal (-i), and set a maximum timeout of 2s.
+ ping_cmd_prefix = "ping -c 3 -i 0.5 -W 2 "
+ self.assertRunOk(ping_cmd_prefix + "127.0.0.1")
+
+ # A ping to 127.0.0.2 is expected to fail, because our rule is
+ # supposed to drop it.
+ ping_test_cmd = ping_cmd_prefix + "127.0.0.2"
+ _, exit_code = self.emulator.run(ping_test_cmd)
+ self.assertNotEqual(exit_code, 0)
+
+ # We delete our only rule #1 in the INPUT chain.
+ self.assertRunOk("iptables --delete INPUT 1")
+
+ # Since we deleted the rule, the ping test command which was
+ # supposed to fail earlier is now supposed to succeed.
+ self.assertRunOk(ping_test_cmd)
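Review bot: The DROP rule in `test_run` is verified only indirectly, through the exit code of the ping to 127.0.0.2. `iptables --list` is run for its exit status alone, so the test never confirms that the rule was stored with the requested protocol, destination and target. Adding `self.assertRunOk("iptables --check INPUT --protocol icmp --destination 127.0.0.2 --jump DROP")` right after the append would pin the rule itself, and running the same `--check` command after `--delete INPUT 1` while expecting a non-zero exit would confirm the removal. The comments also have small typos worth fixing: `OUPUT` should read `OUTPUT`, `0.5s internal (-i)` should read `interval`, and `invocations works` should read `work`.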
Signed-off-by: Julien Olivain <ju.o@free.fr> --- DEVELOPERS | 1 + .../testing/tests/package/test_iptables.py | 78 +++++++++++++++++++ 2 files changed, 79 insertions(+) create mode 100644 support/testing/tests/package/test_iptables.py