def test_build_rule(self):
'''
Test if it build a well-formatted iptables rule based on kwargs.
'''
with patch.object(iptables, '_has_option',
MagicMock(return_value=True)):
self.assertEqual(iptables.build_rule(), '')
self.assertEqual(
iptables.build_rule(name='ignored', state='ignored'), '',
'build_rule should ignore name and state')
# Should properly negate bang-prefixed values
self.assertEqual(iptables.build_rule(**{'if': '!eth0'}),
'! -i eth0')
# Should properly negate "not"-prefixed values
self.assertEqual(iptables.build_rule(**{'if': 'not eth0'}),
'! -i eth0')
self.assertEqual(
iptables.build_rule(**{
'protocol': 'tcp',
'syn': '!'
}), '-p tcp ! --syn')
self.assertEqual(
iptables.build_rule(dports=[80, 443], protocol='tcp'),
'-p tcp -m multiport --dports 80,443')
self.assertEqual(
iptables.build_rule(dports='80,443', protocol='tcp'),
'-p tcp -m multiport --dports 80,443')
# Should it really behave this way?
self.assertEqual(
iptables.build_rule(dports=['!80', 443], protocol='tcp'),
'-p tcp -m multiport ! --dports 80,443')
self.assertEqual(
iptables.build_rule(dports='!80,443', protocol='tcp'),
'-p tcp -m multiport ! --dports 80,443')
self.assertEqual(
iptables.build_rule(sports=[80, 443], protocol='tcp'),
'-p tcp -m multiport --sports 80,443')
self.assertEqual(
iptables.build_rule(sports='80,443', protocol='tcp'),
'-p tcp -m multiport --sports 80,443')
self.assertEqual(
iptables.build_rule('filter',
'INPUT',
command='I',
position='3',
full=True,
dports='protocol',
jump='ACCEPT'),
'Error: protocol must be specified')
self.assertEqual(
iptables.build_rule('filter',
'INPUT',
command='I',
position='3',
full=True,
sports='protocol',
jump='ACCEPT'),
'Error: protocol must be specified')
self.assertEqual(
iptables.build_rule('',
'INPUT',
command='I',
position='3',
full='True',
match='state',
jump='ACCEPT'),
'Error: Table needs to be specified')
self.assertEqual(
iptables.build_rule('filter',
'',
command='I',
position='3',
full='True',
match='state',
jump='ACCEPT'),
'Error: Chain needs to be specified')
self.assertEqual(
iptables.build_rule('filter',
'INPUT',
command='',
position='3',
full='True',
match='state',
jump='ACCEPT'),
'Error: Command needs to be specified')
# Test arguments that should appear after the --jump
self.assertEqual(
iptables.build_rule(jump='REDIRECT', **{'to-port': 8080}),
'--jump REDIRECT --to-port 8080')
# Should quote arguments with spaces, like log-prefix often has
self.assertEqual(
iptables.build_rule(jump='LOG',
**{'log-prefix': 'long prefix'}),
'--jump LOG --log-prefix "long prefix"')
# Should quote arguments with leading or trailing spaces
self.assertEqual(
iptables.build_rule(jump='LOG', **{'log-prefix': 'spam: '}),
'--jump LOG --log-prefix "spam: "')
# Should allow no-arg jump options
self.assertEqual(
iptables.build_rule(jump='CLUSTERIP', **{'new': ''}),
'--jump CLUSTERIP --new')
# Should allow no-arg jump options as None
self.assertEqual(
iptables.build_rule(jump='CT', **{'notrack': None}),
'--jump CT --notrack')
# should build match-sets with single string
self.assertEqual(
iptables.build_rule(**{'match-set': 'src flag1,flag2'}),
'-m set --match-set src flag1,flag2')
# should build match-sets as list
match_sets = [
'src1 flag1',
'src2 flag2,flag3',
]
self.assertEqual(
iptables.build_rule(**{'match-set': match_sets}),
'-m set --match-set src1 flag1 -m set --match-set src2 flag2,flag3'
)
# should handle negations for string match-sets
self.assertEqual(iptables.build_rule(**{'match-set': '!src flag'}),
'-m set ! --match-set src flag')
# should handle negations for list match-sets
match_sets = ['src1 flag', 'not src2 flag2']
self.assertEqual(
iptables.build_rule(**{'match-set': match_sets}),
'-m set --match-set src1 flag -m set ! --match-set src2 flag2')
# should allow escaped name
self.assertEqual(
iptables.build_rule(**{
'match': 'recent',
'name_': 'SSH'
}), '-m recent --name SSH')
# should allow empty arguments
self.assertEqual(
iptables.build_rule(**{
'match': 'recent',
'update': None
}), '-m recent --update')
# Should allow the --save jump option to CONNSECMARK
#self.assertEqual(iptables.build_rule(jump='CONNSECMARK',
# **{'save': ''}),
# '--jump CONNSECMARK --save ')
ret = '/sbin/iptables --wait -t salt -I INPUT 3 -m state --jump ACCEPT'
with patch.object(iptables, '_iptables_cmd',
MagicMock(return_value='/sbin/iptables')):
self.assertEqual(
iptables.build_rule('salt',
'INPUT',
command='I',
position='3',
full='True',
match='state',
jump='ACCEPT'), ret)
def test_build_rule(self):
'''
Test if it build a well-formatted iptables rule based on kwargs.
'''
self.assertEqual(iptables.build_rule(), '')
self.assertEqual(iptables.build_rule(name='ignored', state='ignored'),
'', 'build_rule should ignore name and state')
# Should properly negate bang-prefixed values
self.assertEqual(iptables.build_rule(**{'if': '!eth0'}), '! -i eth0')
# Should properly negate "not"-prefixed values
self.assertEqual(iptables.build_rule(**{'if': 'not eth0'}),
'! -i eth0')
self.assertEqual(iptables.build_rule(dports=[80, 443], proto='tcp'),
'-p tcp -m multiport --dports 80,443')
self.assertEqual(iptables.build_rule(dports='80,443', proto='tcp'),
'-p tcp -m multiport --dports 80,443')
# Should it really behave this way?
self.assertEqual(iptables.build_rule(dports=['!80', 443], proto='tcp'),
'-p tcp -m multiport ! --dports 80,443')
self.assertEqual(iptables.build_rule(dports='!80,443', proto='tcp'),
'-p tcp -m multiport ! --dports 80,443')
self.assertEqual(iptables.build_rule(sports=[80, 443], proto='tcp'),
'-p tcp -m multiport --sports 80,443')
self.assertEqual(iptables.build_rule(sports='80,443', proto='tcp'),
'-p tcp -m multiport --sports 80,443')
self.assertEqual(
iptables.build_rule('filter',
'INPUT',
command='I',
position='3',
full=True,
dports='proto',
jump='ACCEPT'),
'Error: proto must be specified')
self.assertEqual(
iptables.build_rule('filter',
'INPUT',
command='I',
position='3',
full=True,
sports='proto',
jump='ACCEPT'),
'Error: proto must be specified')
self.assertEqual(
iptables.build_rule('',
'INPUT',
command='I',
position='3',
full='True',
match='state',
jump='ACCEPT'),
'Error: Table needs to be specified')
self.assertEqual(
iptables.build_rule('filter',
'',
command='I',
position='3',
full='True',
match='state',
jump='ACCEPT'),
'Error: Chain needs to be specified')
self.assertEqual(
iptables.build_rule('filter',
'INPUT',
command='',
position='3',
full='True',
match='state',
jump='ACCEPT'),
'Error: Command needs to be specified')
# Test arguments that should appear after the --jump
self.assertEqual(
iptables.build_rule(jump='REDIRECT', **{'to-port': 8080}),
'--jump REDIRECT --to-port 8080')
# Should quote arguments with spaces, like log-prefix often has
self.assertEqual(
iptables.build_rule(jump='LOG', **{'log-prefix': 'long prefix'}),
'--jump LOG --log-prefix "long prefix"')
# Should quote arguments with leading or trailing spaces
self.assertEqual(
iptables.build_rule(jump='LOG', **{'log-prefix': 'spam: '}),
'--jump LOG --log-prefix "spam: "')
# Should allow no-arg jump options
self.assertEqual(iptables.build_rule(jump='CLUSTERIP', **{'new': ''}),
'--jump CLUSTERIP --new ')
# Should allow the --save jump option to CONNSECMARK
#self.assertEqual(iptables.build_rule(jump='CONNSECMARK',
# **{'save': ''}),
# '--jump CONNSECMARK --save ')
ret = '/sbin/iptables --wait -t salt -I INPUT 3 -m state --jump ACCEPT'
with patch.object(iptables, '_iptables_cmd',
MagicMock(return_value='/sbin/iptables')):
self.assertEqual(
iptables.build_rule('salt',
'INPUT',
command='I',
position='3',
full='True',
match='state',
jump='ACCEPT'), ret)
def test_build_rule(self):
"""
Test if it build a well-formatted iptables rule based on kwargs.
"""
with patch.object(iptables, "_has_option",
MagicMock(return_value=True)):
self.assertEqual(iptables.build_rule(), "")
self.assertEqual(
iptables.build_rule(name="ignored", state="ignored"),
"",
"build_rule should ignore name and state",
)
# Should properly negate bang-prefixed values
self.assertEqual(iptables.build_rule(**{"if": "!eth0"}),
"! -i eth0")
# Should properly negate "not"-prefixed values
self.assertEqual(iptables.build_rule(**{"if": "not eth0"}),
"! -i eth0")
self.assertEqual(
iptables.build_rule(**{
"protocol": "tcp",
"syn": "!"
}), "-p tcp ! --syn")
self.assertEqual(
iptables.build_rule(dports=[80, 443], protocol="tcp"),
"-p tcp -m multiport --dports 80,443",
)
self.assertEqual(
iptables.build_rule(dports="80,443", protocol="tcp"),
"-p tcp -m multiport --dports 80,443",
)
# Should it really behave this way?
self.assertEqual(
iptables.build_rule(dports=["!80", 443], protocol="tcp"),
"-p tcp -m multiport ! --dports 80,443",
)
self.assertEqual(
iptables.build_rule(dports="!80,443", protocol="tcp"),
"-p tcp -m multiport ! --dports 80,443",
)
self.assertEqual(
iptables.build_rule(sports=[80, 443], protocol="tcp"),
"-p tcp -m multiport --sports 80,443",
)
self.assertEqual(
iptables.build_rule(sports="80,443", protocol="tcp"),
"-p tcp -m multiport --sports 80,443",
)
self.assertEqual(
iptables.build_rule(
"filter",
"INPUT",
command="I",
position="3",
full=True,
dports="protocol",
jump="ACCEPT",
),
"Error: protocol must be specified",
)
self.assertEqual(
iptables.build_rule(
"filter",
"INPUT",
command="I",
position="3",
full=True,
sports="protocol",
jump="ACCEPT",
),
"Error: protocol must be specified",
)
self.assertEqual(
iptables.build_rule(
"",
"INPUT",
command="I",
position="3",
full="True",
match="state",
jump="ACCEPT",
),
"Error: Table needs to be specified",
)
self.assertEqual(
iptables.build_rule(
"filter",
"",
command="I",
position="3",
full="True",
match="state",
jump="ACCEPT",
),
"Error: Chain needs to be specified",
)
self.assertEqual(
iptables.build_rule(
"filter",
"INPUT",
command="",
position="3",
full="True",
match="state",
jump="ACCEPT",
),
"Error: Command needs to be specified",
)
# Test arguments that should appear after the --jump
self.assertEqual(
iptables.build_rule(jump="REDIRECT", **{"to-port": 8080}),
"--jump REDIRECT --to-port 8080",
)
# Should quote arguments with spaces, like log-prefix often has
self.assertEqual(
iptables.build_rule(jump="LOG",
**{"log-prefix": "long prefix"}),
'--jump LOG --log-prefix "long prefix"',
)
# Should quote arguments with leading or trailing spaces
self.assertEqual(
iptables.build_rule(jump="LOG", **{"log-prefix": "spam: "}),
'--jump LOG --log-prefix "spam: "',
)
# Should allow no-arg jump options
self.assertEqual(
iptables.build_rule(jump="CLUSTERIP", **{"new": ""}),
"--jump CLUSTERIP --new",
)
# Should allow no-arg jump options as None
self.assertEqual(
iptables.build_rule(jump="CT", **{"notrack": None}),
"--jump CT --notrack",
)
# should build match-sets with single string
self.assertEqual(
iptables.build_rule(**{"match-set": "src flag1,flag2"}),
"-m set --match-set src flag1,flag2",
)
# should build match-sets as list
match_sets = [
"src1 flag1",
"src2 flag2,flag3",
]
self.assertEqual(
iptables.build_rule(**{"match-set": match_sets}),
"-m set --match-set src1 flag1 -m set --match-set src2 flag2,flag3",
)
# should handle negations for string match-sets
self.assertEqual(
iptables.build_rule(**{"match-set": "!src flag"}),
"-m set ! --match-set src flag",
)
# should handle negations for list match-sets
match_sets = ["src1 flag", "not src2 flag2"]
self.assertEqual(
iptables.build_rule(**{"match-set": match_sets}),
"-m set --match-set src1 flag -m set ! --match-set src2 flag2",
)
# should allow escaped name
self.assertEqual(
iptables.build_rule(**{
"match": "recent",
"name_": "SSH"
}),
"-m recent --name SSH",
)
# should allow empty arguments
self.assertEqual(
iptables.build_rule(**{
"match": "recent",
"update": None
}),
"-m recent --update",
)
# Should allow the --save jump option to CONNSECMARK
# self.assertEqual(iptables.build_rule(jump='CONNSECMARK',
# **{'save': ''}),
# '--jump CONNSECMARK --save ')
ret = "/sbin/iptables --wait -t salt -I INPUT 3 -m state --jump ACCEPT"
with patch.object(iptables, "_iptables_cmd",
MagicMock(return_value="/sbin/iptables")):
self.assertEqual(
iptables.build_rule(
"salt",
"INPUT",
command="I",
position="3",
full="True",
match="state",
jump="ACCEPT",
),
ret,
)
def test_build_rule(self):
'''
Test if it build a well-formatted iptables rule based on kwargs.
'''
self.assertEqual(iptables.build_rule(), '')
self.assertEqual(iptables.build_rule(name='ignored', state='ignored'),
'',
'build_rule should ignore name and state')
# Should properly negate bang-prefixed values
self.assertEqual(iptables.build_rule(**{'if': '!eth0'}),
'! -i eth0')
# Should properly negate "not"-prefixed values
self.assertEqual(iptables.build_rule(**{'if': 'not eth0'}),
'! -i eth0')
self.assertEqual(iptables.build_rule(dports=[80, 443], proto='tcp'),
'-p tcp -m multiport --dports 80,443')
self.assertEqual(iptables.build_rule(dports='80,443', proto='tcp'),
'-p tcp -m multiport --dports 80,443')
# Should it really behave this way?
self.assertEqual(iptables.build_rule(dports=['!80', 443],
proto='tcp'),
'-p tcp -m multiport ! --dports 80,443')
self.assertEqual(iptables.build_rule(dports='!80,443', proto='tcp'),
'-p tcp -m multiport ! --dports 80,443')
self.assertEqual(iptables.build_rule(sports=[80, 443], proto='tcp'),
'-p tcp -m multiport --sports 80,443')
self.assertEqual(iptables.build_rule(sports='80,443', proto='tcp'),
'-p tcp -m multiport --sports 80,443')
self.assertEqual(iptables.build_rule('filter', 'INPUT', command='I',
position='3', full=True,
dports='proto', jump='ACCEPT'),
'Error: proto must be specified')
self.assertEqual(iptables.build_rule('filter', 'INPUT', command='I',
position='3', full=True,
sports='proto', jump='ACCEPT'),
'Error: proto must be specified')
self.assertEqual(iptables.build_rule('', 'INPUT', command='I',
position='3', full='True',
match='state', jump='ACCEPT'),
'Error: Table needs to be specified')
self.assertEqual(iptables.build_rule('filter', '', command='I',
position='3', full='True',
match='state', jump='ACCEPT'),
'Error: Chain needs to be specified')
self.assertEqual(iptables.build_rule('filter', 'INPUT', command='',
position='3', full='True',
match='state', jump='ACCEPT'),
'Error: Command needs to be specified')
# Test arguments that should appear after the --jump
self.assertEqual(iptables.build_rule(jump='REDIRECT',
**{'to-port': 8080}),
'--jump REDIRECT --to-port 8080')
# Should quote arguments with spaces, like log-prefix often has
self.assertEqual(iptables.build_rule(jump='LOG',
**{'log-prefix': 'long prefix'}),
'--jump LOG --log-prefix "long prefix"')
# Should quote arguments with leading or trailing spaces
self.assertEqual(iptables.build_rule(jump='LOG',
**{'log-prefix': 'spam: '}),
'--jump LOG --log-prefix "spam: "')
# Should allow no-arg jump options
self.assertEqual(iptables.build_rule(jump='CLUSTERIP',
**{'new': ''}),
'--jump CLUSTERIP --new')
# Should allow no-arg jump options as None
self.assertEqual(iptables.build_rule(jump='CT',
**{'notrack': None}),
'--jump CT --notrack')
# should build match-sets with single string
self.assertEqual(iptables.build_rule(**{'match-set': 'src flag1,flag2'}),
'-m set --match-set src flag1,flag2')
# should build match-sets as list
match_sets = ['src1 flag1',
'src2 flag2,flag3',
]
self.assertEqual(iptables.build_rule(**{'match-set': match_sets}),
'-m set --match-set src1 flag1 -m set --match-set src2 flag2,flag3')
# should handle negations for string match-sets
self.assertEqual(iptables.build_rule(**{'match-set': '!src flag'}),
'-m set ! --match-set src flag')
# should handle negations for list match-sets
match_sets = ['src1 flag',
'not src2 flag2']
self.assertEqual(iptables.build_rule(**{'match-set': match_sets}),
'-m set --match-set src1 flag -m set ! --match-set src2 flag2')
# should allow escaped name
self.assertEqual(iptables.build_rule(**{'match': 'recent', 'name_': 'SSH'}),
'-m recent --name SSH')
# should allow empty arguments
self.assertEqual(iptables.build_rule(**{'match': 'recent', 'update': None}),
'-m recent --update')
# Should allow the --save jump option to CONNSECMARK
#self.assertEqual(iptables.build_rule(jump='CONNSECMARK',
# **{'save': ''}),
# '--jump CONNSECMARK --save ')
ret = '/sbin/iptables --wait -t salt -I INPUT 3 -m state --jump ACCEPT'
with patch.object(iptables, '_iptables_cmd',
MagicMock(return_value='/sbin/iptables')):
self.assertEqual(iptables.build_rule('salt', 'INPUT', command='I',
position='3', full='True',
match='state', jump='ACCEPT'),
ret)