def wg_firewall_client_init_once():
    """Set up the client-side firewall pieces that are created exactly once.

    Creates the ``WG_INGRESS`` chain in the ``filter`` table and adds two
    stateful rules to ``INPUT``: accept ESTABLISHED/RELATED traffic and drop
    INVALID packets.  Both ``INPUT`` rules are added with ``safe=True``,
    i.e. an existence check runs first, so re-running this function should
    not stack duplicate rules.
    """
    iptables.create_chain('filter', 'WG_INGRESS')
    # Rule strings are handed to add_raw_rule exactly as before, including
    # the leading blank that was part of the original literals.
    stateful_input_rules = (
        ' -m state --state ESTABLISHED,RELATED -j ACCEPT',
        ' -m state --state INVALID -j DROP',
    )
    for rule in stateful_input_rules:
        iptables.add_raw_rule('filter', 'INPUT', rule, safe=True)
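    def test_add_rule_safe(self):
        """Test adding iptable rule (safe).

        First call: ``iptables -S OUTPUT`` lists no matching rule, so the
        rule is appended with ``-A``.  Second call: the rule is already
        listed, so no ``check_call`` must be issued at all.
        """
        treadmill.subproc.check_output.return_value = ''
        iptables.add_raw_rule('nat', 'OUTPUT', '-j FOO', safe=True)
        treadmill.subproc.check_output.assert_called_with(
            ['iptables', '-t', 'nat', '-S', 'OUTPUT'])
        treadmill.subproc.check_call.assert_called_with(
            ['iptables', '-t', 'nat', '-A', 'OUTPUT', '-j', 'FOO'])
        treadmill.subproc.check_output.reset_mock()
        treadmill.subproc.check_call.reset_mock()

        treadmill.subproc.check_output.return_value = '-A OUTPUT -j FOO'
        iptables.add_raw_rule('nat', 'OUTPUT', '-j FOO', safe=True)
        treadmill.subproc.check_output.assert_called_with(
            ['iptables', '-t', 'nat', '-S', 'OUTPUT'])
        # assertEquals is a deprecated alias of assertEqual and was removed
        # in Python 3.12; use the canonical name.
        self.assertEqual(0, treadmill.subproc.check_call.call_count)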
    def test_add_raw_rule_safe(self):
        """Test adding iptable rule (safe).

        Covers the three outcomes of the existence check (``iptables -C``):
        rule already present (nothing appended), rule absent (check fails
        with exit status 1, then ``-A`` is issued), and an unexpected
        iptables failure (propagated to the caller unchanged).
        """
        check_cmd = ['iptables', '-t', 'nat', '-C', 'OUTPUT', '-j', 'FOO']
        append_cmd = ['iptables', '-t', 'nat', '-A', 'OUTPUT', '-j', 'FOO']
        check_call = treadmill.subproc.check_call

        # Rule already present: only the check command runs.
        check_call.return_value = 0
        iptables.add_raw_rule('nat', 'OUTPUT', '-j FOO', safe=True)
        check_call.assert_called_once_with(check_cmd)

        # Rule does not exist: the check exits 1, then the rule is appended.
        check_call.reset_mock()
        check_call.side_effect = [subproc.CalledProcessError(1, ''), 0]
        iptables.add_raw_rule('nat', 'OUTPUT', '-j FOO', safe=True)
        check_call.assert_has_calls([
            mock.call(check_cmd),
            mock.call(append_cmd),
        ])

        # Unexpected iptables error while checking if the rule already exists.
        check_call.reset_mock()
        check_call.side_effect = subproc.CalledProcessError(3, '')
        with self.assertRaises(subproc.CalledProcessError):
            iptables.add_raw_rule('nat', 'OUTPUT', '-j FOO', safe=True)
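def wg_firewall_client_init(devname, endpoints):
    """Client firewall setup for a new device and endpoints.

    Rebuilds the ``WG_INGRESS`` chain so that only the given endpoints are
    reachable through *devname*: NEW connections to each endpoint's
    ``proto``/``port`` are accepted and everything else arriving on the
    interface is dropped.  The ``INPUT`` jump into ``WG_INGRESS`` is added
    with ``safe=True`` so that running this again for the same device does
    not stack duplicate jump rules (the chain itself is flushed and rebuilt
    on every call).

    Args:
        devname: interface name used in the ``-i`` match.  Not validated
            here — NOTE(review): assumed checked by the caller, confirm.
        endpoints: iterable of dicts with ``proto`` (``'udp'`` or ``'tcp'``)
            and ``port``.  ``port`` is passed through verbatim to
            ``--dport``, so iptables range syntax is not rejected here.

    Raises:
        ValueError: if an endpoint's ``proto`` is not ``'udp'`` or ``'tcp'``.
            Raised before any firewall state is touched, so a bad endpoint
            never leaves ``WG_INGRESS`` flushed and empty.
    """
    # Validate every endpoint up front.  The previous `assert` was stripped
    # under -O and, when active, fired only after the chain had already
    # been flushed.
    endpoints = list(endpoints)
    for endpoint in endpoints:
        if endpoint['proto'] not in ('udp', 'tcp'):
            raise ValueError(
                'unsupported endpoint protocol: {!r}'.format(endpoint['proto'])
            )

    iptables.flush_chain('filter', 'WG_INGRESS')
    # This chain only filters on the WarpGate interface
    for endpoint in endpoints:
        iptables.add_raw_rule('filter', 'WG_INGRESS',
                              (' -m state --state NEW'
                               ' -p {proto} -m {proto} --dport {port}'
                               ' -j ACCEPT').format(
                                   proto=endpoint['proto'],
                                   port=endpoint['port'],
                               ))
    # Anything not explicitly allowed is denied
    iptables.add_raw_rule('filter', 'WG_INGRESS', '-j DROP')
    # NOTE(review): between flush_chain and the DROP above, WG_INGRESS is
    # empty, so if the jump rule already exists traffic on the interface
    # falls through to the remaining INPUT rules/policy for that window.
    # Callers needing an atomic swap should restore a full ruleset instead.
    iptables.add_raw_rule('filter', 'INPUT',
                          ('-i {devname}'
                           ' -j WG_INGRESS').format(devname=devname),
                          safe=True)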
 def test_add_raw_rule(self):
     """Test adding iptable rule (unsafe path).

     With ``safe=False`` no existence check is made: the rule is appended
     straight away via ``iptables -A``.
     """
     expected_cmd = ['iptables', '-t', 'nat', '-A', 'OUTPUT', '-j', 'FOO']
     iptables.add_raw_rule('nat', 'OUTPUT', '-j FOO', safe=False)
     treadmill.subproc.check_call.assert_called_with(expected_cmd)