Qubes/core-agent-linux
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update tests for anti-spoofing, add test for the method itself

Browse Source
This commit is contained in:
Pawel Marczewski 2020-01-10 09:19:40 +01:00
parent cd19073d50
commit 860a07166b
No known key found for this signature in database
GPG Key ID: DE42EE9B14F96465
1 changed files with 47 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
qubesagent/test_firewall.py
View File

@ -287,14 +287,14 @@ class TestIptablesWorker(TestCase):
['-F', 'QBS-FORWARD'], ['-F', 'QBS-FORWARD'],
['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'], ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'],
['-A', 'QBS-FORWARD', '-j', 'DROP'], ['-A', 'QBS-FORWARD', '-j', 'DROP'],
['-t', 'mangle', '-F', 'QBS-PREROUTING'], ['-t', 'raw', '-F', 'QBS-PREROUTING'],
['-t', 'mangle', '-F', 'QBS-POSTROUTING'], ['-t', 'mangle', '-F', 'QBS-POSTROUTING'],
]) ])
self.assertEqual(self.obj.called_commands[6], [ self.assertEqual(self.obj.called_commands[6], [
['-F', 'QBS-FORWARD'], ['-F', 'QBS-FORWARD'],
['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'], ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'],
['-A', 'QBS-FORWARD', '-j', 'DROP'], ['-A', 'QBS-FORWARD', '-j', 'DROP'],
['-t', 'mangle', '-F', 'QBS-PREROUTING'], ['-t', 'raw', '-F', 'QBS-PREROUTING'],
['-t', 'mangle', '-F', 'QBS-POSTROUTING'], ['-t', 'mangle', '-F', 'QBS-POSTROUTING'],
]) ])
@ -316,8 +316,8 @@ class TestIptablesWorker(TestCase):
['-X', 'chain-ip4-1'], ['-X', 'chain-ip4-1'],
['-F', 'chain-ip4-2'], ['-F', 'chain-ip4-2'],
['-X', 'chain-ip4-2'], ['-X', 'chain-ip4-2'],
['-t', 'mangle', '-F', 'QBS-PREROUTING'],
['-t', 'mangle', '-F', 'QBS-POSTROUTING'], ['-t', 'mangle', '-F', 'QBS-POSTROUTING'],
['-t', 'raw', '-F', 'QBS-PREROUTING'],
]) ])
self.assertEqual([self.obj.called_commands[6][0]] + self.assertEqual([self.obj.called_commands[6][0]] +
sorted(self.obj.called_commands[6][1:], key=operator.itemgetter(1)), sorted(self.obj.called_commands[6][1:], key=operator.itemgetter(1)),
@ -327,10 +327,29 @@ class TestIptablesWorker(TestCase):
['-X', 'chain-ip6-1'], ['-X', 'chain-ip6-1'],
['-F', 'chain-ip6-2'], ['-F', 'chain-ip6-2'],
['-X', 'chain-ip6-2'], ['-X', 'chain-ip6-2'],
['-t', 'mangle', '-F', 'QBS-PREROUTING'],
['-t', 'mangle', '-F', 'QBS-POSTROUTING'], ['-t', 'mangle', '-F', 'QBS-POSTROUTING'],
['-t', 'raw', '-F', 'QBS-PREROUTING'],
]) ])
def test_008_update_connected_ips(self):
with patch.object(self.obj, 'get_connected_ips') as get_connected_ips:
get_connected_ips.return_value = ['10.137.0.1', '10.137.0.2']
self.obj.called_commands[4] = []
self.obj.update_connected_ips(4)
self.assertEqual(self.obj.called_commands[4], [
['-t', 'raw', '-F', 'QBS-PREROUTING'],
['-t', 'mangle', '-F', 'QBS-POSTROUTING'],
['-t', 'raw', '-A', 'QBS-PREROUTING',
'!', '-i', 'vif+', '-s', '10.137.0.1', '-j', 'DROP'],
['-t', 'mangle', '-A', 'QBS-POSTROUTING',
'!', '-o', 'vif+', '-d', '10.137.0.1', '-j', 'DROP'],
['-t', 'raw', '-A', 'QBS-PREROUTING',
'!', '-i', 'vif+', '-s', '10.137.0.2', '-j', 'DROP'],
['-t', 'mangle', '-A', 'QBS-POSTROUTING',
'!', '-o', 'vif+', '-d', '10.137.0.2', '-j', 'DROP']
])
class TestNftablesWorker(TestCase): class TestNftablesWorker(TestCase):
def setUp(self): def setUp(self):
@ -469,11 +488,11 @@ class TestNftablesWorker(TestCase):
' meta iifname != "vif*" accept\n' ' meta iifname != "vif*" accept\n'
' }\n' ' }\n'
' chain prerouting {\n' ' chain prerouting {\n'
' type filter hook prerouting priority 0;\n' ' type filter hook prerouting priority -300;\n'
' policy accept;\n' ' policy accept;\n'
' }\n' ' }\n'
' chain postrouting {\n' ' chain postrouting {\n'
' type filter hook postrouting priority 0;\n' ' type filter hook postrouting priority -300;\n'
' policy accept;\n' ' policy accept;\n'
' }\n' ' }\n'
'}\n' '}\n'
@ -485,11 +504,11 @@ class TestNftablesWorker(TestCase):
' meta iifname != "vif*" accept\n' ' meta iifname != "vif*" accept\n'
' }\n' ' }\n'
' chain prerouting {\n' ' chain prerouting {\n'
' type filter hook prerouting priority 0;\n' ' type filter hook prerouting priority -300;\n'
' policy accept;\n' ' policy accept;\n'
' }\n' ' }\n'
' chain postrouting {\n' ' chain postrouting {\n'
' type filter hook postrouting priority 0;\n' ' type filter hook postrouting priority -300;\n'
' policy accept;\n' ' policy accept;\n'
' }\n' ' }\n'
'}\n' '}\n'
@ -507,7 +526,26 @@ class TestNftablesWorker(TestCase):
self.assertEqual(self.obj.loaded_rules, self.assertEqual(self.obj.loaded_rules,
['delete table ip qubes-firewall\n' ['delete table ip qubes-firewall\n'
'delete table ip6 qubes-firewall\n', 'delete table ip6 qubes-firewall\n',
]) ])
def test_008_update_connected_ips(self):
with patch.object(self.obj, 'get_connected_ips') as get_connected_ips:
get_connected_ips.return_value = ['10.137.0.1', '10.137.0.2']
self.obj.loaded_rules = []
self.obj.update_connected_ips(4)
self.assertEqual(self.obj.loaded_rules, [
'flush chain ip qubes-firewall prerouting\n'
'flush chain ip qubes-firewall postrouting\n'
'table ip qubes-firewall {\n'
' chain prerouting {\n'
' iifname != "vif*" ip saddr {10.137.0.1, 10.137.0.2} drop\n'
' }\n'
' chain postrouting {\n'
' oifname != "vif*" ip daddr {10.137.0.1, 10.137.0.2} drop\n'
' }\n'
'}\n'
])
class TestFirewallWorker(TestCase): class TestFirewallWorker(TestCase):
def setUp(self): def setUp(self):