Update firewall tests

This commit is contained in:
Pawel Marczewski 2020-01-09 18:42:14 +01:00
parent bfe31cfec8
commit c1d8d7bce1
No known key found for this signature in database
GPG Key ID: DE42EE9B14F96465


@ -64,6 +64,7 @@ class FirewallWorker(qubesagent.firewall.FirewallWorker):
self.init_called = False self.init_called = False
self.cleanup_called = False self.cleanup_called = False
self.user_script_called = False self.user_script_called = False
self.update_connected_ips_called_with = []
self.rules = {} self.rules = {}
def apply_rules(self, source_addr, rules): def apply_rules(self, source_addr, rules):
@ -78,6 +79,9 @@ class FirewallWorker(qubesagent.firewall.FirewallWorker):
def run_user_script(self): def run_user_script(self):
self.user_script_called = True self.user_script_called = True
def update_connected_ips(self, family):
self.update_connected_ips_called_with.append(family)
class IptablesWorker(qubesagent.firewall.IptablesWorker): class IptablesWorker(qubesagent.firewall.IptablesWorker):
'''Override methods actually modifying system state to only log what '''Override methods actually modifying system state to only log what
@ -282,11 +286,17 @@ class TestIptablesWorker(TestCase):
self.assertEqual(self.obj.called_commands[4], [ self.assertEqual(self.obj.called_commands[4], [
['-F', 'QBS-FORWARD'], ['-F', 'QBS-FORWARD'],
['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'], ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'],
['-A', 'QBS-FORWARD', '-j', 'DROP']]) ['-A', 'QBS-FORWARD', '-j', 'DROP'],
['-t', 'mangle', '-F', 'QBS-PREROUTING'],
['-t', 'mangle', '-F', 'QBS-POSTROUTING'],
])
self.assertEqual(self.obj.called_commands[6], [ self.assertEqual(self.obj.called_commands[6], [
['-F', 'QBS-FORWARD'], ['-F', 'QBS-FORWARD'],
['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'], ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'],
['-A', 'QBS-FORWARD', '-j', 'DROP']]) ['-A', 'QBS-FORWARD', '-j', 'DROP'],
['-t', 'mangle', '-F', 'QBS-PREROUTING'],
['-t', 'mangle', '-F', 'QBS-POSTROUTING'],
])
def test_007_cleanup(self): def test_007_cleanup(self):
self.obj.init() self.obj.init()
@ -300,18 +310,26 @@ class TestIptablesWorker(TestCase):
self.obj.cleanup() self.obj.cleanup()
self.assertEqual([self.obj.called_commands[4][0]] + self.assertEqual([self.obj.called_commands[4][0]] +
sorted(self.obj.called_commands[4][1:], key=operator.itemgetter(1)), sorted(self.obj.called_commands[4][1:], key=operator.itemgetter(1)),
[['-F', 'QBS-FORWARD'], [
['-F', 'QBS-FORWARD'],
['-F', 'chain-ip4-1'], ['-F', 'chain-ip4-1'],
['-X', 'chain-ip4-1'], ['-X', 'chain-ip4-1'],
['-F', 'chain-ip4-2'], ['-F', 'chain-ip4-2'],
['-X', 'chain-ip4-2']]) ['-X', 'chain-ip4-2'],
['-t', 'mangle', '-F', 'QBS-PREROUTING'],
['-t', 'mangle', '-F', 'QBS-POSTROUTING'],
])
self.assertEqual([self.obj.called_commands[6][0]] + self.assertEqual([self.obj.called_commands[6][0]] +
sorted(self.obj.called_commands[6][1:], key=operator.itemgetter(1)), sorted(self.obj.called_commands[6][1:], key=operator.itemgetter(1)),
[['-F', 'QBS-FORWARD'], [
['-F', 'QBS-FORWARD'],
['-F', 'chain-ip6-1'], ['-F', 'chain-ip6-1'],
['-X', 'chain-ip6-1'], ['-X', 'chain-ip6-1'],
['-F', 'chain-ip6-2'], ['-F', 'chain-ip6-2'],
['-X', 'chain-ip6-2']]) ['-X', 'chain-ip6-2'],
['-t', 'mangle', '-F', 'QBS-PREROUTING'],
['-t', 'mangle', '-F', 'QBS-POSTROUTING'],
])
class TestNftablesWorker(TestCase): class TestNftablesWorker(TestCase):
@ -450,6 +468,14 @@ class TestNftablesWorker(TestCase):
' ct state established,related accept\n' ' ct state established,related accept\n'
' meta iifname != "vif*" accept\n' ' meta iifname != "vif*" accept\n'
' }\n' ' }\n'
' chain prerouting {\n'
' type filter hook prerouting priority 0;\n'
' policy accept;\n'
' }\n'
' chain postrouting {\n'
' type filter hook postrouting priority 0;\n'
' policy accept;\n'
' }\n'
'}\n' '}\n'
'table ip6 qubes-firewall {\n' 'table ip6 qubes-firewall {\n'
' chain forward {\n' ' chain forward {\n'
@ -458,6 +484,14 @@ class TestNftablesWorker(TestCase):
' ct state established,related accept\n' ' ct state established,related accept\n'
' meta iifname != "vif*" accept\n' ' meta iifname != "vif*" accept\n'
' }\n' ' }\n'
' chain prerouting {\n'
' type filter hook prerouting priority 0;\n'
' policy accept;\n'
' }\n'
' chain postrouting {\n'
' type filter hook postrouting priority 0;\n'
' policy accept;\n'
' }\n'
'}\n' '}\n'
]) ])
@ -567,5 +601,6 @@ class TestFirewallWorker(TestCase):
self.assertTrue(self.obj.init_called) self.assertTrue(self.obj.init_called)
self.assertTrue(self.obj.cleanup_called) self.assertTrue(self.obj.cleanup_called)
self.assertTrue(self.obj.user_script_called) self.assertTrue(self.obj.user_script_called)
self.assertEqual(self.obj.update_connected_ips_called_with, [4, 6])
self.assertEqual(set(self.obj.rules.keys()), self.obj.list_targets()) self.assertEqual(set(self.obj.rules.keys()), self.obj.list_targets())
# rules content were already tested # rules content were already tested
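Review bot: The new assertion `self.assertEqual(self.obj.update_connected_ips_called_with, [4, 6])` only proves the stub was invoked for both families; nothing in this diff checks what the real IptablesWorker/NftablesWorker `update_connected_ips` writes into the QBS-PREROUTING/QBS-POSTROUTING (iptables) and prerouting/postrouting (nftables) chains, which the earlier hunks now expect to be created empty and flushed on cleanup. Unless that is covered elsewhere in the file, a test per worker that calls `update_connected_ips(4)` with a known target set and asserts the resulting mangle-table commands would close that gap, since these chains are where per-VM traffic marking happens. It is also worth a one-line comment on the cleanup expectations in TestIptablesWorker (the `['-t', 'mangle', '-F', 'QBS-PREROUTING']` lines) saying the chains are intentionally flushed but not deleted with `-X`, because the per-VM chains right above them are, and a reader will otherwise assume an omission. The enclosing test method starts outside this hunk.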