def wg_firewall_client_init_once():
    """One time initialization of the client side firewall.

    Creates the ``WG_INGRESS`` chain and installs the two stateful rules
    on ``INPUT`` (accept ESTABLISHED/RELATED, drop INVALID).  Both rules
    are added with ``safe=True`` so repeated calls do not duplicate them.
    """
    iptables.create_chain('filter', 'WG_INGRESS')

    # Order matters: the ESTABLISHED,RELATED accept precedes the INVALID drop.
    stateful_input_rules = (
        ' -m state --state ESTABLISHED,RELATED -j ACCEPT',
        ' -m state --state INVALID -j DROP',
    )
    for rule in stateful_input_rules:
        iptables.add_raw_rule('filter', 'INPUT', rule, safe=True)
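def test_add_rule_safe(self):
    """Test adding iptable rule (safe).

    With ``safe=True`` the chain is listed first (``iptables -S``) and the
    rule is appended only when the listing does not already contain it.
    """
    list_cmd = ['iptables', '-t', 'nat', '-S', 'OUTPUT']
    append_cmd = ['iptables', '-t', 'nat', '-A', 'OUTPUT', '-j', 'FOO']

    # Empty chain listing: the rule must be appended.
    treadmill.subproc.check_output.return_value = ''
    iptables.add_raw_rule('nat', 'OUTPUT', '-j FOO', safe=True)
    treadmill.subproc.check_output.assert_called_with(list_cmd)
    treadmill.subproc.check_call.assert_called_with(append_cmd)

    treadmill.subproc.check_output.reset_mock()
    treadmill.subproc.check_call.reset_mock()

    # Rule already listed: no append may be issued.
    treadmill.subproc.check_output.return_value = '-A OUTPUT -j FOO'
    iptables.add_raw_rule('nat', 'OUTPUT', '-j FOO', safe=True)
    treadmill.subproc.check_output.assert_called_with(list_cmd)
    # assertEqual, not the deprecated assertEquals alias (removed in 3.12).
    self.assertEqual(0, treadmill.subproc.check_call.call_count)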
def test_add_raw_rule_safe(self):
    """Test adding iptable rule (safe).

    Covers the three outcomes of the ``iptables -C`` existence check:
    rule present (no append), rule absent (append), and an unexpected
    iptables failure (propagated to the caller).
    """
    check_call = treadmill.subproc.check_call
    check_cmd = ['iptables', '-t', 'nat', '-C', 'OUTPUT', '-j', 'FOO']
    append_cmd = ['iptables', '-t', 'nat', '-A', 'OUTPUT', '-j', 'FOO']

    # Rule already exists: only the -C check is issued.
    check_call.return_value = 0
    iptables.add_raw_rule('nat', 'OUTPUT', '-j FOO', safe=True)
    check_call.assert_called_once_with(check_cmd)

    # Rule does not exist: -C exits 1, then the rule is appended.
    check_call.reset_mock()
    check_call.side_effect = [subproc.CalledProcessError(1, ''), 0]
    iptables.add_raw_rule('nat', 'OUTPUT', '-j FOO', safe=True)
    check_call.assert_has_calls([mock.call(check_cmd), mock.call(append_cmd)])

    # Unexpected iptables error while checking if the rule already exists.
    check_call.reset_mock()
    check_call.side_effect = subproc.CalledProcessError(3, '')
    with self.assertRaises(subproc.CalledProcessError):
        iptables.add_raw_rule('nat', 'OUTPUT', '-j FOO', safe=True)
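def _wg_validate_proto(proto):
    """Return *proto* if it is a protocol the WG_INGRESS rules support.

    :raises ValueError: if *proto* is neither ``'udp'`` nor ``'tcp'``.
    """
    if proto not in ('udp', 'tcp'):
        raise ValueError('Unsupported endpoint proto: %r' % (proto,))
    return proto


def _wg_validate_port(port):
    """Return *port* as the string that is passed to ``--dport``.

    Accepts a single port or an iptables ``low:high`` range; every part
    must be a decimal number in 0..65535.  The value is interpolated into
    an iptables rule string, so anything else (whitespace, extra options)
    is rejected instead of being passed through.

    :raises ValueError: if *port* is not a well-formed port token.
    """
    text = str(port)
    parts = text.split(':')
    if len(parts) > 2:
        raise ValueError('Invalid endpoint port: %r' % (port,))
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 65535:
            raise ValueError('Invalid endpoint port: %r' % (port,))
    return text


def wg_firewall_client_init(devname, endpoints):
    """Client firewall setup for a new device and endpoints.

    Rebuilds the ``WG_INGRESS`` chain so that, for traffic arriving on
    *devname*, only NEW connections to the listed endpoints are accepted
    and everything else in the chain is dropped, then jumps ``INPUT``
    traffic from *devname* into the chain.

    :param devname: interface name used in the ``-i`` match of the INPUT
        jump rule.
    :param endpoints: iterable of dicts with ``'proto'`` (``'udp'`` or
        ``'tcp'``) and ``'port'`` (port number or ``low:high`` range).
    :raises ValueError: if *devname* or any endpoint is malformed.  All
        input is validated before the chain is flushed, so a bad input
        leaves the existing rules in place.
    """
    # Explicit raise rather than assert: assert is stripped under -O, and
    # every value below is interpolated into an iptables rule string.
    if not devname or any(ch.isspace() for ch in devname):
        raise ValueError('Invalid device name: %r' % (devname,))
    allowed = [
        (_wg_validate_proto(endpoint['proto']),
         _wg_validate_port(endpoint['port']))
        for endpoint in endpoints
    ]

    iptables.flush_chain('filter', 'WG_INGRESS')
    # This chain only filters on the WarpGate interface
    for proto, port in allowed:
        iptables.add_raw_rule(
            'filter', 'WG_INGRESS',
            (' -m state --state NEW'
             ' -p {proto} -m {proto} --dport {port}'
             ' -j ACCEPT').format(proto=proto, port=port)
        )
    # Anything not explicitly allowed is denied
    iptables.add_raw_rule('filter', 'WG_INGRESS', '-j DROP')
    iptables.add_raw_rule(
        'filter', 'INPUT',
        '-i {devname} -j WG_INGRESS'.format(devname=devname)
    )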
def test_add_raw_rule(self):
    """Test adding iptable rule.

    With ``safe=False`` only the append (``iptables -A``) call is asserted.
    """
    expected_cmd = ['iptables', '-t', 'nat', '-A', 'OUTPUT', '-j', 'FOO']
    iptables.add_raw_rule('nat', 'OUTPUT', '-j FOO', safe=False)
    treadmill.subproc.check_call.assert_called_with(expected_cmd)