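def testDestinationInterface(self):
    """A destination-interface term renders as an ``-o eth0`` match."""
    pol = policy.ParsePolicy(GOOD_HEADER_1 + DESTINATION_INTERFACE_TERM,
                             self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    # assertIn replaces the deprecated failUnless alias (removed in 3.12).
    self.assertIn('-o eth0', result,
                  'destination interface specification not in output.')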
def testExpired(self, mock_warn):
    """An expired term is dropped and exactly one warning is logged.

    ``mock_warn`` is the patched logging call supplied by the decorator
    (outside this block).
    """
    pol = policy.ParsePolicy(GOOD_HEADER_1 + EXPIRED_TERM, self.naming)
    iptables.Iptables(pol, EXP_INFO)
    mock_warn.assert_called_once_with(
        'WARNING: Term %s in policy %s is expired'
        ' and will not be rendered.', 'is_expired', 'INPUT')
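def testSetTarget(self):
    """SetTarget on a builtin chain emits a ``-P OUTPUT DROP`` policy line."""
    pol = policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_1, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    acl.SetTarget('OUTPUT', 'DROP')
    # Split into lines so the check matches a whole output line.
    result = str(acl).split('\n')
    self.assertIn('-P OUTPUT DROP', result,
                  'output default policy of drop not set.')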
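def testSourceInterface(self):
    """A source-interface term renders as an ``-i eth0`` match."""
    pol = policy.ParsePolicy(GOOD_HEADER_1 + SOURCE_INTERFACE_TERM,
                             self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    self.assertIn('-i eth0', result,
                  'source interface specification not in output.')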
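def testSetCustomTarget(self):
    """SetTarget with a non-builtin name creates that chain (``-N foobar``)."""
    pol = policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_1, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    acl.SetTarget('foobar')
    # Whole-line membership check, hence the split.
    result = str(acl).split('\n')
    self.assertIn('-N foobar', result,
                  'did not find a new chain for foobar.')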
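def testBuildTokens(self):
    """_BuildTokens returns the expected supported token sets."""
    pol1 = iptables.Iptables(
        policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_5, self.naming),
        EXP_INFO)
    st, sst = pol1._BuildTokens()
    # assertEqual replaces the deprecated assertEquals alias.
    self.assertEqual(st, SUPPORTED_TOKENS)
    self.assertEqual(sst, SUPPORTED_SUB_TOKENS)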
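def testCustomChain(self):
    """A non-standard chain is created but gets no default policy line."""
    acl = iptables.Iptables(
        policy.ParsePolicy(NON_STANDARD_CHAIN + GOOD_TERM_1, self.naming),
        EXP_INFO)
    result = str(acl).split('\n')
    self.assertIn('-N foo', result, 'did not find new chain for foo.')
    # Only builtin chains accept -P; a user chain must not receive one.
    self.assertNotIn('-P foo', result, 'chain foo may not have a policy set.')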
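def testRejectReset(self):
    """A reject-with-tcp-rst term renders ``--reject-with tcp-reset``."""
    acl = iptables.Iptables(
        policy.ParsePolicy(GOOD_HEADER_1 + REJECT_TERM1, self.naming),
        EXP_INFO)
    result = str(acl)
    self.assertIn('-j REJECT --reject-with tcp-reset', result,
                  'missing or incorrect reject specification.')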
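def testExcludeReturnsPolicy(self):
    """Excluded addresses jump to RETURN before the accepting rule.

    In this test, we should get fewer lines of output by performing
    early return jumps on excluded addresses.
    """
    # First call resolves the source network, second the excluded subnet.
    self.naming.GetNetAddr.side_effect = [[nacaddr.IPv4('10.0.0.0/8')],
                                          [nacaddr.IPv4('10.0.0.0/24')]]
    self.naming.GetServiceByProto.return_value = ['80']
    acl = iptables.Iptables(
        policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_2, self.naming),
        EXP_INFO)
    result = str(acl)
    self.assertIn('-P INPUT ACCEPT', result, 'no default policy found.')
    self.assertIn('-p tcp', result, 'no protocol specification found.')
    self.assertIn('-s ', result, 'no source address found.')
    # The excluded /24 must short-circuit to RETURN so it never matches the
    # broader /8 accept rule below it.
    self.assertIn('-s 10.0.0.0/24 -j RETURN', result,
                  'expected address 10.0.0.0/24 not jumping to RETURN.')
    self.assertIn('--sport 80 -s 10.0.0.0/8', result,
                  'expected source address 10.0.0.0/8 not accepted.')
    self.naming.GetNetAddr.assert_has_calls(
        [mock.call('INTERNAL'), mock.call('OOB_NET')])
    self.naming.GetServiceByProto.assert_called_once_with('HTTP', 'tcp')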
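def testRejectIpv6(self):
    """An inet6 reject term uses the icmp6 reject type and no ``-p all``."""
    pol = policy.ParsePolicy(IPV6_HEADER_1 + REJECT_TERM2, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    self.assertNotIn('-p all', result, 'protocol spec present')
    self.assertIn('-j REJECT --reject-with icmp6-adm-prohibited', result,
                  'missing or incorrect reject specification.')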
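def testReject(self):
    """An inet reject term renders ``--reject-with icmp-host-prohibited``."""
    pol = policy.ParsePolicy(GOOD_HEADER_1 + REJECT_TERM2, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    self.assertIn('-j REJECT --reject-with icmp-host-prohibited', result,
                  'missing or incorrect reject specification.')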
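def testOwner(self):
    """An owner field is emitted as a ``-m comment`` rule in the term chain."""
    pol = policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_10, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl).split('\n')
    self.assertIn('-A I_good-term-10 -m comment --comment "Owner: '
                  '*****@*****.**"', result,
                  'missing or incorrect comment specification.')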
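def testLongTermAbbreviation(self):
    """Abbreviating a long term name keeps the ``-abbreviations`` suffix."""
    pol = policy.ParsePolicy(GOOD_HEADER_3 + GOOD_LONG_TERM_NAME,
                             self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    self.assertIn('-abbreviations', result,
                  'Our strings disappeared during abbreviation.')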
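def testUdpEstablishedNostate(self):
    """A nostate header renders UDP high-port rules without ``--state``."""
    pol = policy.ParsePolicy(NOSTATE_HEADER + UDP_STATE_TERM, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    self.assertIn('-p udp --dport 1024:65535 -j ACCEPT', result,
                  'No rule matching TCP packets with ACK bit.\n' + result)
    # Without conntrack, no nf_conntrack state match may be emitted.
    self.assertNotIn('--state', result,
                     'Nostate header should not use nf_conntrack --state flag')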
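def testConntrackAll(self):
    """A stateful-only term emits the state match and no high-port range."""
    pol = policy.ParsePolicy(GOOD_HEADER_1 + STATEFUL_ONLY_TERM, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    self.assertIn('-m state --state ESTABLISHED,RELATED', result,
                  'connection tracking is missing state module arguments')
    self.assertNotIn('-dport 1024:65535', result,
                     'High-ports should not appear for non-TCP/UDP protocols')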
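def testLongTermTruncation(self):
    """A long term name is truncated, not kept in full, under GOOD_HEADER_4."""
    pol = policy.ParsePolicy(GOOD_HEADER_4 + GOOD_LONG_TERM_NAME,
                             self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    self.assertIn('google-experiment-abbrev', result,
                  'Our strings disappeared during truncation.')
    self.assertNotIn('google-experiment-abbreviations', result,
                     'Term name was not truncated as expected.')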
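def testLogging(self):
    """A logging term emits a LOG jump with prefix and the action jump."""
    pol = policy.ParsePolicy(GOOD_HEADER_1 + LOGGING_TERM_1, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    self.assertIn('-j LOG --log-prefix foo', result,
                  'logging jump does not appear in output.')
    self.assertIn('-j ACCEPT', result,
                  'action jump does not appear in output.')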
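def testIPv6Headers(self):
    """IPv6 extension headers are matched via ``-m u32`` next-header checks."""
    pol = policy.ParsePolicy(IPV6_HEADER_1 + IPV6_HEADERS, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    self.assertIn('-m u32 --u32 "0x3&0xff=0x0"', result,
                  'match for hop-by-hop header is missing')
    self.assertIn('-m u32 --u32 "0x3&0xff=0x2c"', result,
                  'match for fragment header is missing')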
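def testBuildWarningTokens(self):
    """_BuildTokens still returns the supported sets for a warning term."""
    self.naming.GetServiceByProto.return_value = ['80']
    pol1 = iptables.Iptables(
        policy.ParsePolicy(GOOD_HEADER_1 + GOOD_WARNING_TERM, self.naming),
        EXP_INFO)
    st, sst = pol1._BuildTokens()
    # assertEqual replaces the deprecated assertEquals alias.
    self.assertEqual(st, SUPPORTED_TOKENS)
    self.assertEqual(sst, SUPPORTED_SUB_TOKENS)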
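def testFragmentOptions(self):
    """Fragment options render u32 first-fragment/offset and length matches."""
    pol = policy.ParsePolicy(GOOD_HEADER_3 + GOOD_TERM_7, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    self.assertIn('--u32 4&0x3FFF=0x2000', result,
                  'first-fragment rule is missing')
    self.assertIn('--length 1:119', result, 'length match is missing')
    self.assertIn('--u32 4&0x1FFF=1:119', result,
                  'fragment-offset rule is missing')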
def testExpiringTerm(self, mock_info):
    """A term expiring within EXP_INFO weeks triggers one info log line.

    ``mock_info`` is the patched logging call supplied by the decorator
    (outside this block).
    """
    expiry = datetime.date.today() + datetime.timedelta(weeks=EXP_INFO)
    term_text = EXPIRING_TERM % expiry.strftime('%Y-%m-%d')
    pol = policy.ParsePolicy(GOOD_HEADER_1 + term_text, self.naming)
    iptables.Iptables(pol, EXP_INFO)
    mock_info.assert_called_once_with(
        'INFO: Term %s in policy %s expires in '
        'less than two weeks.', 'is_expiring', 'INPUT')
def testExpired(self):
    """An expired term is skipped and a warning is logged (mox variant)."""
    self.mox.StubOutWithMock(iptables.logging, 'warn')
    # Record the expected warning so ReplayAll verifies it is emitted.
    iptables.logging.warn(
        'WARNING: Term %s in policy %s is expired'
        ' and will not be rendered.', 'is_expired', 'INPUT')
    self.mox.ReplayAll()
    pol = policy.ParsePolicy(GOOD_HEADER_1 + EXPIRED_TERM, self.naming)
    iptables.Iptables(pol, EXP_INFO)
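def testCustomChainNoTarget(self):
    """A custom chain without a target is created but never given a policy."""
    acl = iptables.Iptables(
        policy.ParsePolicy(GOOD_HEADER_6 + GOOD_TERM_1, self.naming),
        EXP_INFO)
    result = str(acl).split('\n')
    self.assertIn('-N foo', result, 'did not find a new chain for foo.')
    # Neither iptables-save (':foo') nor command (-P foo) policy syntax
    # may appear for a user-defined chain.
    for line in result:
        self.assertFalse(line.startswith(':foo'),
                         'chain may not have a policy set.')
        self.assertFalse(line.startswith('-P foo'),
                         'chain may not have a policy set.')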
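def testCommentReflowing(self):
    """Comments are non-empty, under 256 chars, and contain no newlines."""
    acl = iptables.Iptables(
        policy.ParsePolicy(GOOD_HEADER_1 + GOOD_TERM_6, self.naming),
        EXP_INFO)
    result = str(acl)
    self.assertNotIn('--comments ""', result,
                     'Iptables cannot handle empty comments')
    # re.search returns None when no over-long comment exists.
    self.assertIsNone(re.search('--comments "[^"]{256,}"', result),
                      'Iptables comments must be under 255 characters.')
    self.assertIsNone(re.search('--comments "[^"]*\n', result),
                      'Iptables comments may not contain newline characters.')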
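def testConntrackUDP(self):
    """A UDP state term emits state match, high-port range and ``-p udp``."""
    pol = policy.ParsePolicy(GOOD_HEADER_1 + UDP_STATE_TERM, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    self.assertIn('-m state --state ESTABLISHED,RELATED', result,
                  'udp connection tracking is missing state module')
    self.assertIn('-dport 1024:65535', result,
                  'udp connection tracking is missing destination high-ports')
    self.assertIn('-p udp', result,
                  'udp connection tracking is missing protocol specification')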
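def testIPv6Icmp(self):
    """ICMPv6 types in an inet6 term render as ``--icmpv6-type N`` matches."""
    pol = policy.ParsePolicy(IPV6_HEADER_1 + IPV6_TERM_1, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    self.assertIn('--icmpv6-type 1', result,
                  'icmpv6-type 1 (echo-reply) is missing')
    self.assertIn('--icmpv6-type 3', result,
                  'icmpv6-type 3 (destination-unreachable) is missing')
    self.assertIn('--icmpv6-type 129', result,
                  'icmpv6-type 129 (router-solicit) is missing')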
def testIcmpv6InetMismatch(self, mock_debug):
    """An icmpv6 term in an inet ACL is skipped with a single debug log.

    ``mock_debug`` is the patched logging call supplied by the decorator
    (outside this block).
    """
    pol = policy.ParsePolicy(GOOD_HEADER_1 + IPV6_TERM_1, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    # Rendering (and therefore the debug message) happens in __str__.
    str(acl)
    mock_debug.assert_called_once_with(
        'Term inet6-icmp will not be rendered,'
        ' as it has [u\'icmpv6\'] match specified but '
        'the ACL is of inet address family.')
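def testIPv6IcmpOrder(self):
    """Source, protocol, icmp6 module and type appear in the expected order."""
    self.naming.GetNetAddr('IPV6_INTERNAL').InAnyOrder().AndReturn(
        [nacaddr.IPv6('fd87:6044:ac54:3558::/64')])
    self.mox.ReplayAll()
    pol = policy.ParsePolicy(IPV6_HEADER_1 + ICMPV6_TERM_1, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    result = str(acl)
    # -m icmp6 must precede --icmpv6-type for iptables to accept the rule.
    self.assertIn(
        '-s fd87:6044:ac54:3558::/64 -p ipv6-icmp -m icmp6'
        ' --icmpv6-type 1', result,
        'incorrect order of ICMPv6 match elements')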
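def testMultiportLargePortCount(self):
    """A long port list is split across several ``-m multiport`` rules."""
    # 35 odd ports (1..69) -- more than one multiport rule can carry.
    ports = [str(x) for x in range(1, 71, 2)]
    self.naming.GetServiceByProto('LOTS_OF_PORTS', 'tcp').AndReturn(ports)
    self.mox.ReplayAll()
    acl = iptables.Iptables(
        policy.ParsePolicy(GOOD_HEADER_1 + LARGE_MULTIPORT, self.naming),
        EXP_INFO)
    # Render once instead of three times.
    result = str(acl)
    self.assertIn('-m multiport --dports 1,3,5,7,9', result)
    self.assertIn('-m multiport --dports 29,31,33,35,37', result)
    self.assertIn('-m multiport --dports 57,59,61,63,65,67,69', result)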
def testIcmpInet6Mismatch(self):
    """An icmp term in an inet6 ACL is skipped with a debug log (mox variant)."""
    self.mox.StubOutWithMock(iptables.logging, 'debug')
    # Record the expected debug message so ReplayAll verifies it.
    iptables.logging.debug('Term good-term-1 will not be rendered,'
                           ' as it has [\'icmp\'] match specified but '
                           'the ACL is of inet6 address family.')
    self.mox.ReplayAll()
    pol = policy.ParsePolicy(IPV6_HEADER_1 + GOOD_TERM_1, self.naming)
    acl = iptables.Iptables(pol, EXP_INFO)
    # Rendering (and therefore the debug message) happens in __str__.
    str(acl)