From c1d8d7bce137f5a5fb9b87ac7de8e8daa6686bd2 Mon Sep 17 00:00:00 2001 From: Pawel Marczewski Date: Thu, 9 Jan 2020 18:42:14 +0100 Subject: [PATCH] Update firewall tests --- qubesagent/test_firewall.py | 47 ++++++++++++++++++++++++++++++++----- 1 file changed, 41 insertions(+), 6 deletions(-) diff --git a/qubesagent/test_firewall.py b/qubesagent/test_firewall.py index d06253c..bc50a3e 100644 --- a/qubesagent/test_firewall.py +++ b/qubesagent/test_firewall.py @@ -64,6 +64,7 @@ class FirewallWorker(qubesagent.firewall.FirewallWorker): self.init_called = False self.cleanup_called = False self.user_script_called = False + self.update_connected_ips_called_with = [] self.rules = {} def apply_rules(self, source_addr, rules): @@ -78,6 +79,9 @@ class FirewallWorker(qubesagent.firewall.FirewallWorker): def run_user_script(self): self.user_script_called = True + def update_connected_ips(self, family): + self.update_connected_ips_called_with.append(family) + class IptablesWorker(qubesagent.firewall.IptablesWorker): '''Override methods actually modifying system state to only log what @@ -282,11 +286,17 @@ class TestIptablesWorker(TestCase): self.assertEqual(self.obj.called_commands[4], [ ['-F', 'QBS-FORWARD'], ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'], - ['-A', 'QBS-FORWARD', '-j', 'DROP']]) + ['-A', 'QBS-FORWARD', '-j', 'DROP'], + ['-t', 'mangle', '-F', 'QBS-PREROUTING'], + ['-t', 'mangle', '-F', 'QBS-POSTROUTING'], + ]) self.assertEqual(self.obj.called_commands[6], [ ['-F', 'QBS-FORWARD'], ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'], - ['-A', 'QBS-FORWARD', '-j', 'DROP']]) + ['-A', 'QBS-FORWARD', '-j', 'DROP'], + ['-t', 'mangle', '-F', 'QBS-PREROUTING'], + ['-t', 'mangle', '-F', 'QBS-POSTROUTING'], + ]) def test_007_cleanup(self): self.obj.init() @@ -300,18 +310,26 @@ class TestIptablesWorker(TestCase): self.obj.cleanup() self.assertEqual([self.obj.called_commands[4][0]] + sorted(self.obj.called_commands[4][1:], key=operator.itemgetter(1)), - [['-F', 'QBS-FORWARD'], + [ + ['-F', 'QBS-FORWARD'], ['-F', 'chain-ip4-1'], ['-X', 'chain-ip4-1'], ['-F', 'chain-ip4-2'], - ['-X', 'chain-ip4-2']]) + ['-X', 'chain-ip4-2'], + ['-t', 'mangle', '-F', 'QBS-PREROUTING'], + ['-t', 'mangle', '-F', 'QBS-POSTROUTING'], + ]) self.assertEqual([self.obj.called_commands[6][0]] + sorted(self.obj.called_commands[6][1:], key=operator.itemgetter(1)), - [['-F', 'QBS-FORWARD'], + [ + ['-F', 'QBS-FORWARD'], ['-F', 'chain-ip6-1'], ['-X', 'chain-ip6-1'], ['-F', 'chain-ip6-2'], - ['-X', 'chain-ip6-2']]) + ['-X', 'chain-ip6-2'], + ['-t', 'mangle', '-F', 'QBS-PREROUTING'], + ['-t', 'mangle', '-F', 'QBS-POSTROUTING'], + ]) class TestNftablesWorker(TestCase): @@ -450,6 +468,14 @@ class TestNftablesWorker(TestCase): ' ct state established,related accept\n' ' meta iifname != "vif*" accept\n' ' }\n' + ' chain prerouting {\n' + ' type filter hook prerouting priority 0;\n' + ' policy accept;\n' + ' }\n' + ' chain postrouting {\n' + ' type filter hook postrouting priority 0;\n' + ' policy accept;\n' + ' }\n' '}\n' 'table ip6 qubes-firewall {\n' ' chain forward {\n' @@ -458,6 +484,14 @@ class TestNftablesWorker(TestCase): ' ct state established,related accept\n' ' meta iifname != "vif*" accept\n' ' }\n' + ' chain prerouting {\n' + ' type filter hook prerouting priority 0;\n' + ' policy accept;\n' + ' }\n' + ' chain postrouting {\n' + ' type filter hook postrouting priority 0;\n' + ' policy accept;\n' + ' }\n' '}\n' ]) @@ -567,5 +601,6 @@ class TestFirewallWorker(TestCase): self.assertTrue(self.obj.init_called) self.assertTrue(self.obj.cleanup_called) self.assertTrue(self.obj.user_script_called) + self.assertEqual(self.obj.update_connected_ips_called_with, [4, 6]) self.assertEqual(set(self.obj.rules.keys()), self.obj.list_targets()) # rules content were already tested