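def testDestinationInterface(self):
    """Render DESTINATION_INTERFACE_TERM and check that `-o eth0` is emitted."""
    pol = policy.ParsePolicy(GOOD_HEADER_1 + DESTINATION_INTERFACE_TERM,
                             self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    # assertIn replaces the failUnless alias (removed in Python 3.12) and
    # reports both operands when the check fails.
    self.assertIn('-o eth0', result,
                  'destination interface specification not in output.')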
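def testExpired(self, mock_warn):
    """An already-expired term must be dropped with a single warning.

    The rendered output itself is not inspected here; only the warning
    emitted while building the ACL is checked.
    """
    # NOTE(review): mock_warn is injected by a mock.patch decorator that is
    # not visible in this excerpt - confirm it patches the logging warn call.
    _ = iptables.Iptables(
        policy.ParsePolicy(GOOD_HEADER_1 + EXPIRED_TERM, self.naming),
        EXP_INFO)
    mock_warn.assert_called_once_with(
        'WARNING: Term %s in policy %s is expired'
        ' and will not be rendered.', 'is_expired', 'INPUT')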
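def testSetTarget(self):
    """SetTarget with a chain and a policy must emit a `-P <chain> <policy>` line."""
    pol = policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_1, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    acl.SetTarget('OUTPUT', 'DROP')
    # Split into lines so the policy line must match exactly, not as a
    # substring of some other rule.
    lines = str(acl).split('\n')
    # assertIn replaces the failUnless alias removed in Python 3.12.
    self.assertIn('-P OUTPUT DROP', lines,
                  'output default policy of drop not set.')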
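def testReject(self):
    """REJECT_TERM2 on an inet policy must render an icmp-host-prohibited reject."""
    pol = policy.ParsePolicy(GOOD_HEADER_1 + REJECT_TERM2, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    # assertIn replaces the failUnless alias removed in Python 3.12.
    self.assertIn('-j REJECT --reject-with icmp-host-prohibited', result,
                  'missing or incorrect reject specification.')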
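def testSourceInterface(self):
    """Render SOURCE_INTERFACE_TERM and check that `-i eth0` is emitted."""
    pol = policy.ParsePolicy(GOOD_HEADER_1 + SOURCE_INTERFACE_TERM,
                             self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    # assertIn replaces the failUnless alias removed in Python 3.12.
    self.assertIn('-i eth0', result,
                  'source interface specification not in output.')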
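def testLongTermAbbreviation(self):
    """With GOOD_HEADER_3 a long term name is abbreviated, not truncated.

    The tail `-abbreviations` of the long name must survive in the output.
    """
    pol = policy.ParsePolicy(GOOD_HEADER_3 + GOOD_LONG_TERM_NAME,
                             self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    # assertIn replaces the failUnless alias removed in Python 3.12.
    self.assertIn('-abbreviations', result,
                  'Our strings disappeared during abbreviation.')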
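def testSetCustomTarget(self):
    """SetTarget with only a chain name must create that chain with `-N`."""
    pol = policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_1, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    acl.SetTarget('foobar')
    # Exact-line match: the chain creation must be its own output line.
    lines = str(acl).split('\n')
    # assertIn replaces the failUnless alias removed in Python 3.12.
    self.assertIn('-N foobar', lines,
                  'did not find a new chain for foobar.')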
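def testBuildTokens(self):
    """_BuildTokens must report exactly the supported token sets."""
    pol1 = iptables.Iptables(
        policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_5, self.naming),
        EXP_INFO)
    st, sst = pol1._BuildTokens()
    # assertEqual replaces the assertEquals alias removed in Python 3.12.
    self.assertEqual(st, SUPPORTED_TOKENS)
    self.assertEqual(sst, SUPPORTED_SUB_TOKENS)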
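def testCustomChain(self):
    """A non-standard chain must be created with `-N` and get no `-P` policy.

    iptables only accepts a default policy on built-in chains, so a `-P foo`
    line would make the rendered ruleset unloadable.
    """
    acl = iptables.Iptables(
        policy.ParsePolicy(NON_STANDARD_CHAIN + GOOD_TERM_1, self.naming),
        EXP_INFO)
    lines = str(acl).split('\n')
    # assertIn/assertFalse replace the failUnless/failIf aliases removed in
    # Python 3.12.
    self.assertIn('-N foo', lines, 'did not find new chain for foo.')
    # A policy line carries a target after the chain name ('-P foo DROP'),
    # so check with startswith rather than an exact-line membership test,
    # matching testCustomChainNoTarget.
    self.assertFalse(any(line.startswith('-P foo') for line in lines),
                     'chain foo may not have a policy set.')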
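def testRejectIpv6(self):
    """REJECT_TERM2 on an inet6 policy uses icmp6-adm-prohibited and no `-p all`."""
    pol = policy.ParsePolicy(IPV6_HEADER_1 + REJECT_TERM2, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    # assertNotIn/assertIn replace the failIf/failUnless aliases removed in
    # Python 3.12.
    self.assertNotIn('-p all', result, 'protocol spec present')
    self.assertIn('-j REJECT --reject-with icmp6-adm-prohibited', result,
                  'missing or incorrect reject specification.')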
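def testExcludeReturnsPolicy(self):
    """Excluded addresses are handled by early RETURN jumps.

    GetNetAddr is called for INTERNAL (10.0.0.0/8) and then OOB_NET
    (10.0.0.0/24). The rendered chain should jump to RETURN for the excluded
    /24 and accept the /8, which yields fewer lines than enumerating the
    remaining address space.
    """
    self.naming.GetNetAddr.side_effect = [[nacaddr.IPv4('10.0.0.0/8')],
                                          [nacaddr.IPv4('10.0.0.0/24')]]
    self.naming.GetServiceByProto.return_value = ['80']
    acl = iptables.Iptables(
        policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_2, self.naming),
        EXP_INFO)
    result = str(acl)
    # assertIn replaces the failUnless alias removed in Python 3.12.
    self.assertIn('-P INPUT ACCEPT', result, 'no default policy found.')
    self.assertIn('-p tcp', result, 'no protocol specification found.')
    self.assertIn('-s ', result, 'no source address found.')
    self.assertIn('-s 10.0.0.0/24 -j RETURN', result,
                  'expected address 10.0.0.0/24 not jumping to RETURN.')
    self.assertIn('--sport 80 -s 10.0.0.0/8', result,
                  'expected source address 10.0.0.0/8 not accepted.')
    self.naming.GetNetAddr.assert_has_calls(
        [mock.call('INTERNAL'), mock.call('OOB_NET')])
    self.naming.GetServiceByProto.assert_called_once_with('HTTP', 'tcp')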
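def testOwner(self):
    """A term owner is rendered as an `-m comment --comment "Owner: ..."` rule."""
    pol = policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_10, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    # Exact-line match on the owner comment rule.
    lines = str(acl).split('\n')
    # assertIn replaces the failUnless alias removed in Python 3.12.
    self.assertIn('-A I_good-term-10 -m comment --comment "Owner: '
                  '*****@*****.**"', lines,
                  'missing or incorrect comment specification.')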
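def testRejectReset(self):
    """REJECT_TERM1 must render a tcp-reset reject."""
    acl = iptables.Iptables(
        policy.ParsePolicy(GOOD_HEADER_1 + REJECT_TERM1, self.naming),
        EXP_INFO)
    result = str(acl)
    # assertIn replaces the failUnless alias removed in Python 3.12.
    self.assertIn('-j REJECT --reject-with tcp-reset', result,
                  'missing or incorrect reject specification.')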
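def testIPv6Headers(self):
    """IPv6 extension headers are matched with u32 on the next-header byte.

    Next-header 0x0 is hop-by-hop, 0x2c is the fragment header.
    """
    pol = policy.ParsePolicy(IPV6_HEADER_1 + IPV6_HEADERS, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    # assertIn replaces the failUnless alias removed in Python 3.12.
    self.assertIn('-m u32 --u32 "0x3&0xff=0x0"', result,
                  'match for hop-by-hop header is missing')
    self.assertIn('-m u32 --u32 "0x3&0xff=0x2c"', result,
                  'match for fragment header is missing')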
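def testConntrackAll(self):
    """A stateful-only term uses the state module without a high-port range.

    The high-port return-traffic rule is only meaningful for TCP/UDP and must
    not be emitted for a term that has no such protocol.
    """
    pol = policy.ParsePolicy(GOOD_HEADER_1 + STATEFUL_ONLY_TERM, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    # assertIn/assertNotIn replace the failUnless/failIf aliases removed in
    # Python 3.12.
    self.assertIn('-m state --state ESTABLISHED,RELATED', result,
                  'connection tracking is missing state module arguments')
    # '-dport' is a substring of '--dport', so this catches both spellings.
    self.assertNotIn('-dport 1024:65535', result,
                     'High-ports should not appear for non-TCP/UDP protocols')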
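def testLongTermTruncation(self):
    """With GOOD_HEADER_4 a long term name is truncated, not abbreviated.

    The truncated prefix must be present and the full name must be absent.
    """
    pol = policy.ParsePolicy(GOOD_HEADER_4 + GOOD_LONG_TERM_NAME,
                             self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    # assertIn/assertNotIn replace the failUnless/failIf aliases removed in
    # Python 3.12.
    self.assertIn('google-experiment-abbrev', result,
                  'Our strings disappeared during truncation.')
    self.assertNotIn('google-experiment-abbreviations', result,
                     'Term name was not truncated as expected.')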
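def testLogging(self):
    """A logging term renders both the LOG jump and the action jump."""
    pol = policy.ParsePolicy(GOOD_HEADER_1 + LOGGING_TERM_1, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    # assertIn replaces the failUnless alias removed in Python 3.12.
    self.assertIn('-j LOG --log-prefix foo', result,
                  'logging jump does not appear in output.')
    self.assertIn('-j ACCEPT', result,
                  'action jump does not appear in output.')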
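def testUdpEstablishedNostate(self):
    """Under NOSTATE_HEADER a UDP established term falls back to a high-port rule.

    Without conntrack the renderer has no `--state` to lean on, so return
    traffic is approximated by accepting UDP to ports 1024:65535.
    """
    pol = policy.ParsePolicy(NOSTATE_HEADER + UDP_STATE_TERM, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    # The original message talked about TCP ACK packets, which is not what
    # this assertion checks; describe the UDP high-port rule instead.
    self.assertIn('-p udp --dport 1024:65535 -j ACCEPT', result,
                  'No rule accepting UDP high-port return traffic.\n' + result)
    # assertNotIn replaces the failIf alias removed in Python 3.12.
    self.assertNotIn('--state', result,
                     'Nostate header should not use nf_conntrack --state flag')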
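def testSkipHopByHopinV4(self):
    """A hop-by-hop (IPv6-only) term must not be rendered into an inet policy."""
    pol = policy.ParsePolicy(GOOD_HEADER_1 + HOPOPT_TERM + GOOD_TERM_1,
                             self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    # The original message said the match was "missing", which is the
    # opposite of what this negative assertion enforces.
    self.assertNotIn('-m u32 --u32 "0x3&0xff=0x0"', result,
                     'hop-by-hop header match must not be rendered for inet')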
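def testFragmentOptions(self):
    """GOOD_TERM_7 renders first-fragment, length and fragment-offset matches."""
    pol = policy.ParsePolicy(GOOD_HEADER_3 + GOOD_TERM_7, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    # assertIn replaces the failUnless alias removed in Python 3.12.
    self.assertIn('--u32 4&0x3FFF=0x2000', result,
                  'first-fragment rule is missing')
    self.assertIn('--length 1:119', result, 'length match is missing')
    self.assertIn('--u32 4&0x1FFF=1:119', result,
                  'fragment-offset rule is missing')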
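def testBuildWarningTokens(self):
    """_BuildTokens reports the same token sets for a term that only warns."""
    self.naming.GetServiceByProto.return_value = ['80']
    pol1 = iptables.Iptables(
        policy.ParsePolicy(GOOD_HEADER_1 + GOOD_WARNING_TERM, self.naming),
        EXP_INFO)
    st, sst = pol1._BuildTokens()
    # assertEqual replaces the assertEquals alias removed in Python 3.12.
    self.assertEqual(st, SUPPORTED_TOKENS)
    self.assertEqual(sst, SUPPORTED_SUB_TOKENS)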
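def testExpiringTerm(self, mock_info):
    """A term expiring within EXP_INFO weeks logs one informational message.

    The expiration date is computed relative to today so the test does not
    go stale.
    """
    # NOTE(review): mock_info is injected by a mock.patch decorator that is
    # not visible in this excerpt - confirm it patches the logging info call.
    exp_date = datetime.date.today() + datetime.timedelta(weeks=EXP_INFO)
    term = EXPIRING_TERM % exp_date.strftime('%Y-%m-%d')
    _ = iptables.Iptables(
        policy.ParsePolicy(GOOD_HEADER_1 + term, self.naming), EXP_INFO)
    mock_info.assert_called_once_with(
        'INFO: Term %s in policy %s expires in '
        'less than two weeks.', 'is_expiring', 'INPUT')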
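def testCustomChainNoTarget(self):
    """GOOD_HEADER_6 creates chain foo without any default policy line.

    Both the iptables-save style `:foo` form and the `-P foo` form are
    rejected, since custom chains cannot carry a policy.
    """
    acl = iptables.Iptables(
        policy.ParsePolicy(GOOD_HEADER_6 + GOOD_TERM_1, self.naming),
        EXP_INFO)
    lines = str(acl).split('\n')
    # assertIn/assertFalse replace the failUnless/failIf aliases removed in
    # Python 3.12.
    self.assertIn('-N foo', lines, 'did not find a new chain for foo.')
    for line in lines:
        # startswith accepts a tuple, so one check covers both spellings.
        self.assertFalse(line.startswith((':foo', '-P foo')),
                         'chain may not have a policy set.')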
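def testCommentReflowing(self):
    """Term comments are reflowed into valid `--comment` arguments.

    Three properties are checked on the rendered output: no empty comment,
    no comment of 256 or more characters, and no comment containing a
    newline (which would break the rule onto a second output line).
    """
    acl = iptables.Iptables(
        policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_6, self.naming),
        EXP_INFO)
    result = str(acl)
    # The original looked for '--comments', which the renderer never emits
    # (the flag is '--comment', see testOwner), so all three checks were
    # vacuous. assertNotIn/assertIsNone replace the failIf alias removed in
    # Python 3.12; raw strings keep the regex escapes literal.
    self.assertNotIn('--comment ""', result,
                     'Iptables cannot handle empty comments')
    self.assertIsNone(re.search(r'--comment "[^"]{256,}"', result),
                      'Iptables comments must be under 255 characters.')
    self.assertIsNone(re.search(r'--comment "[^"]*\n', result),
                      'Iptables comments may not contain newline characters.')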
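def testConntrackUDP(self):
    """A UDP established term uses the state module, not a high-port range."""
    pol = policy.ParsePolicy(GOOD_HEADER_1 + UDP_STATE_TERM, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    # assertIn replaces the failUnless alias removed in Python 3.12.
    self.assertIn('-m state --state ESTABLISHED,RELATED', result,
                  'udp connection tracking is missing state module')
    # '-dport' is a substring of '--dport', so this catches both spellings.
    self.assertNotIn('-dport 1024:65535', result,
                     'udp connection tracking contains destination high-ports')
    self.assertIn('-p udp', result,
                  'udp connection tracking is missing protocol specification')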
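def testIPv6Icmp(self):
    """IPV6_TERM_1 renders the three expected `--icmpv6-type` values.

    Types are matched with a trailing word boundary because a plain
    substring test for `--icmpv6-type 1` would also be satisfied by
    `--icmpv6-type 129`.
    """
    pol = policy.ParsePolicy(IPV6_HEADER_1 + IPV6_TERM_1, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    expected = (
        (1, 'echo-reply'),
        (3, 'destination-unreachable'),
        (129, 'router-solicit'),
    )
    for icmp_type, name in expected:
        with self.subTest(icmp_type=icmp_type):
            self.assertRegex(result, r'--icmpv6-type %d\b' % icmp_type,
                             'icmpv6-type %d (%s) is missing' % (icmp_type,
                                                                 name))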
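def testIcmpv6InetMismatch(self, mock_debug):
    """An icmpv6 term in an inet policy is skipped with one debug message."""
    # NOTE(review): mock_debug is injected by a mock.patch decorator that is
    # not visible in this excerpt - confirm it patches the logging debug call.
    acl = iptables.Iptables(
        policy.ParsePolicy(GOOD_HEADER_1 + IPV6_TERM_1, self.naming),
        EXP_INFO)
    # Rendering, and therefore the debug log, happens in __str__.
    str(acl)
    mock_debug.assert_called_once_with(
        'Term inet6-icmp will not be rendered,'
        ' as it has [u\'icmpv6\'] match specified but '
        'the ACL is of inet address family.')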
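def testVerbatimTerm(self):
    """Only the iptables verbatim text of GOOD_TERM_5 is rendered.

    Verbatim blocks aimed at other platforms must not leak into the output.
    """
    acl = iptables.Iptables(
        policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_5, self.naming),
        EXP_INFO)
    result = str(acl)
    # assertIn/assertNotIn replace the failUnless/failIf aliases removed in
    # Python 3.12.
    self.assertIn('mary had a little lamb', result,
                  'first verbatim output is missing or incorrect.')
    # The original messages said the other platforms' text was "missing",
    # which is the opposite of what these negative checks enforce.
    self.assertNotIn('mary had a second lamb', result,
                     'second verbatim output (other platform) must not appear.')
    self.assertNotIn('mary had a third lamb', result,
                     'third verbatim output (other platform) must not appear.')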
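def testProtocols(self):
    """GOOD_TERM_4 renders a `-p` match for every listed protocol."""
    acl = iptables.Iptables(
        policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_4, self.naming),
        EXP_INFO)
    result = str(acl)
    # One subTest per protocol so a single miss does not hide the others.
    for proto in ('tcp', 'udp', 'esp', 'ah', 'gre', 'icmp', '50'):
        with self.subTest(proto=proto):
            self.assertIn('-p %s' % proto, result,
                          'protocol %s not found.' % proto)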
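def testIcmpInet6Mismatch(self, mock_debug):
    """An icmp term in an inet6 policy is skipped with one debug message."""
    # NOTE(review): mock_debug is injected by a mock.patch decorator that is
    # not visible in this excerpt - confirm it patches the logging debug call.
    acl = iptables.Iptables(
        policy.ParsePolicy(IPV6_HEADER_1 + GOOD_TERM_1, self.naming),
        EXP_INFO)
    # Rendering, and therefore the debug log, happens in __str__.
    str(acl)
    mock_debug.assert_called_once_with(
        'Term good-term-1 will not be rendered,'
        ' as it has icmp match specified but '
        'the ACL is of inet6 address family.')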