|
@@ -64,6 +64,7 @@ class FirewallWorker(qubesagent.firewall.FirewallWorker):
|
|
|
self.init_called = False
|
|
|
self.cleanup_called = False
|
|
|
self.user_script_called = False
|
|
|
+ self.update_connected_ips_called_with = []
|
|
|
self.rules = {}
|
|
|
|
|
|
def apply_rules(self, source_addr, rules):
|
|
@@ -78,6 +79,9 @@ class FirewallWorker(qubesagent.firewall.FirewallWorker):
|
|
|
def run_user_script(self):
|
|
|
self.user_script_called = True
|
|
|
|
|
|
+ def update_connected_ips(self, family):
|
|
|
+ self.update_connected_ips_called_with.append(family)
|
|
|
+
|
|
|
|
|
|
class IptablesWorker(qubesagent.firewall.IptablesWorker):
|
|
|
'''Override methods actually modifying system state to only log what
|
|
@@ -282,11 +286,17 @@ class TestIptablesWorker(TestCase):
|
|
|
self.assertEqual(self.obj.called_commands[4], [
|
|
|
['-F', 'QBS-FORWARD'],
|
|
|
['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'],
|
|
|
- ['-A', 'QBS-FORWARD', '-j', 'DROP']])
|
|
|
+ ['-A', 'QBS-FORWARD', '-j', 'DROP'],
|
|
|
+ ['-t', 'raw', '-F', 'QBS-PREROUTING'],
|
|
|
+ ['-t', 'mangle', '-F', 'QBS-POSTROUTING'],
|
|
|
+ ])
|
|
|
self.assertEqual(self.obj.called_commands[6], [
|
|
|
['-F', 'QBS-FORWARD'],
|
|
|
['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'],
|
|
|
- ['-A', 'QBS-FORWARD', '-j', 'DROP']])
|
|
|
+ ['-A', 'QBS-FORWARD', '-j', 'DROP'],
|
|
|
+ ['-t', 'raw', '-F', 'QBS-PREROUTING'],
|
|
|
+ ['-t', 'mangle', '-F', 'QBS-POSTROUTING'],
|
|
|
+ ])
|
|
|
|
|
|
def test_007_cleanup(self):
|
|
|
self.obj.init()
|
|
@@ -300,18 +310,67 @@ class TestIptablesWorker(TestCase):
|
|
|
self.obj.cleanup()
|
|
|
self.assertEqual([self.obj.called_commands[4][0]] +
|
|
|
sorted(self.obj.called_commands[4][1:], key=operator.itemgetter(1)),
|
|
|
- [['-F', 'QBS-FORWARD'],
|
|
|
+ [
|
|
|
+ ['-F', 'QBS-FORWARD'],
|
|
|
['-F', 'chain-ip4-1'],
|
|
|
['-X', 'chain-ip4-1'],
|
|
|
['-F', 'chain-ip4-2'],
|
|
|
- ['-X', 'chain-ip4-2']])
|
|
|
+ ['-X', 'chain-ip4-2'],
|
|
|
+ ['-t', 'mangle', '-F', 'QBS-POSTROUTING'],
|
|
|
+ ['-t', 'raw', '-F', 'QBS-PREROUTING'],
|
|
|
+ ])
|
|
|
self.assertEqual([self.obj.called_commands[6][0]] +
|
|
|
sorted(self.obj.called_commands[6][1:], key=operator.itemgetter(1)),
|
|
|
- [['-F', 'QBS-FORWARD'],
|
|
|
+ [
|
|
|
+ ['-F', 'QBS-FORWARD'],
|
|
|
['-F', 'chain-ip6-1'],
|
|
|
['-X', 'chain-ip6-1'],
|
|
|
['-F', 'chain-ip6-2'],
|
|
|
- ['-X', 'chain-ip6-2']])
|
|
|
+ ['-X', 'chain-ip6-2'],
|
|
|
+ ['-t', 'mangle', '-F', 'QBS-POSTROUTING'],
|
|
|
+ ['-t', 'raw', '-F', 'QBS-PREROUTING'],
|
|
|
+ ])
|
|
|
+
|
|
|
+ def test_008_update_connected_ips(self):
|
|
|
+ self.obj.qdb.entries['/connected-ips'] = b'10.137.0.1 10.137.0.2'
|
|
|
+ self.obj.called_commands[4] = []
|
|
|
+ self.obj.update_connected_ips(4)
|
|
|
+
|
|
|
+ self.assertEqual(self.obj.called_commands[4], [
|
|
|
+ ['-t', 'raw', '-P', 'PREROUTING', 'DROP'],
|
|
|
+ ['-t', 'mangle', '-P', 'POSTROUTING', 'DROP'],
|
|
|
+ ['-t', 'raw', '-F', 'QBS-PREROUTING'],
|
|
|
+ ['-t', 'mangle', '-F', 'QBS-POSTROUTING'],
|
|
|
+ ['-t', 'raw', '-A', 'QBS-PREROUTING',
|
|
|
+ '!', '-i', 'vif+', '-s', '10.137.0.1', '-j', 'DROP'],
|
|
|
+ ['-t', 'mangle', '-A', 'QBS-POSTROUTING',
|
|
|
+ '!', '-o', 'vif+', '-d', '10.137.0.1', '-j', 'DROP'],
|
|
|
+ ['-t', 'raw', '-A', 'QBS-PREROUTING',
|
|
|
+ '!', '-i', 'vif+', '-s', '10.137.0.2', '-j', 'DROP'],
|
|
|
+ ['-t', 'mangle', '-A', 'QBS-POSTROUTING',
|
|
|
+ '!', '-o', 'vif+', '-d', '10.137.0.2', '-j', 'DROP'],
|
|
|
+ ['-t', 'raw', '-P', 'PREROUTING', 'ACCEPT'],
|
|
|
+ ['-t', 'mangle', '-P', 'POSTROUTING', 'ACCEPT'],
|
|
|
+ ])
|
|
|
+
|
|
|
+ def test_009_update_connected_ips_empty(self):
|
|
|
+ self.obj.qdb.entries['/connected-ips'] = b''
|
|
|
+ self.obj.called_commands[4] = []
|
|
|
+ self.obj.update_connected_ips(4)
|
|
|
+
|
|
|
+ self.assertEqual(self.obj.called_commands[4], [
|
|
|
+ ['-t', 'raw', '-F', 'QBS-PREROUTING'],
|
|
|
+ ['-t', 'mangle', '-F', 'QBS-POSTROUTING'],
|
|
|
+ ])
|
|
|
+
|
|
|
+ def test_010_update_connected_ips_missing(self):
|
|
|
+ self.obj.called_commands[4] = []
|
|
|
+ self.obj.update_connected_ips(4)
|
|
|
+
|
|
|
+ self.assertEqual(self.obj.called_commands[4], [
|
|
|
+ ['-t', 'raw', '-F', 'QBS-PREROUTING'],
|
|
|
+ ['-t', 'mangle', '-F', 'QBS-POSTROUTING'],
|
|
|
+ ])
|
|
|
|
|
|
|
|
|
class TestNftablesWorker(TestCase):
|
|
@@ -450,6 +509,14 @@ class TestNftablesWorker(TestCase):
|
|
|
' ct state established,related accept\n'
|
|
|
' meta iifname != "vif*" accept\n'
|
|
|
' }\n'
|
|
|
+ ' chain prerouting {\n'
|
|
|
+ ' type filter hook prerouting priority -300;\n'
|
|
|
+ ' policy accept;\n'
|
|
|
+ ' }\n'
|
|
|
+ ' chain postrouting {\n'
|
|
|
+ ' type filter hook postrouting priority -300;\n'
|
|
|
+ ' policy accept;\n'
|
|
|
+ ' }\n'
|
|
|
'}\n'
|
|
|
'table ip6 qubes-firewall {\n'
|
|
|
' chain forward {\n'
|
|
@@ -458,6 +525,14 @@ class TestNftablesWorker(TestCase):
|
|
|
' ct state established,related accept\n'
|
|
|
' meta iifname != "vif*" accept\n'
|
|
|
' }\n'
|
|
|
+ ' chain prerouting {\n'
|
|
|
+ ' type filter hook prerouting priority -300;\n'
|
|
|
+ ' policy accept;\n'
|
|
|
+ ' }\n'
|
|
|
+ ' chain postrouting {\n'
|
|
|
+ ' type filter hook postrouting priority -300;\n'
|
|
|
+ ' policy accept;\n'
|
|
|
+ ' }\n'
|
|
|
'}\n'
|
|
|
])
|
|
|
|
|
@@ -473,7 +548,44 @@ class TestNftablesWorker(TestCase):
|
|
|
self.assertEqual(self.obj.loaded_rules,
|
|
|
['delete table ip qubes-firewall\n'
|
|
|
'delete table ip6 qubes-firewall\n',
|
|
|
- ])
|
|
|
+ ])
|
|
|
+
|
|
|
+ def test_008_update_connected_ips(self):
|
|
|
+ self.obj.qdb.entries['/connected-ips'] = b'10.137.0.1 10.137.0.2'
|
|
|
+ self.obj.loaded_rules = []
|
|
|
+ self.obj.update_connected_ips(4)
|
|
|
+
|
|
|
+ self.assertEqual(self.obj.loaded_rules, [
|
|
|
+ 'flush chain ip qubes-firewall prerouting\n'
|
|
|
+ 'flush chain ip qubes-firewall postrouting\n'
|
|
|
+ 'table ip qubes-firewall {\n'
|
|
|
+ ' chain prerouting {\n'
|
|
|
+ ' iifname != "vif*" ip saddr {10.137.0.1, 10.137.0.2} drop\n'
|
|
|
+ ' }\n'
|
|
|
+ ' chain postrouting {\n'
|
|
|
+ ' oifname != "vif*" ip daddr {10.137.0.1, 10.137.0.2} drop\n'
|
|
|
+ ' }\n'
|
|
|
+ '}\n'
|
|
|
+ ])
|
|
|
+
|
|
|
+ def test_009_update_connected_ips_empty(self):
|
|
|
+ self.obj.qdb.entries['/connected-ips'] = b''
|
|
|
+ self.obj.loaded_rules = []
|
|
|
+ self.obj.update_connected_ips(4)
|
|
|
+
|
|
|
+ self.assertEqual(self.obj.loaded_rules, [
|
|
|
+ 'flush chain ip qubes-firewall prerouting\n'
|
|
|
+ 'flush chain ip qubes-firewall postrouting\n'
|
|
|
+ ])
|
|
|
+
|
|
|
+ def test_010_update_connected_ips_missing(self):
|
|
|
+ self.obj.loaded_rules = []
|
|
|
+ self.obj.update_connected_ips(4)
|
|
|
+
|
|
|
+ self.assertEqual(self.obj.loaded_rules, [
|
|
|
+ 'flush chain ip qubes-firewall prerouting\n'
|
|
|
+ 'flush chain ip qubes-firewall postrouting\n'
|
|
|
+ ])
|
|
|
|
|
|
class TestFirewallWorker(TestCase):
|
|
|
def setUp(self):
|
|
@@ -567,5 +679,6 @@ class TestFirewallWorker(TestCase):
|
|
|
self.assertTrue(self.obj.init_called)
|
|
|
self.assertTrue(self.obj.cleanup_called)
|
|
|
self.assertTrue(self.obj.user_script_called)
|
|
|
+ self.assertEqual(self.obj.update_connected_ips_called_with, [4, 6])
|
|
|
self.assertEqual(set(self.obj.rules.keys()), self.obj.list_targets())
|
|
|
# rules content were already tested
|