#!/usr/bin/python
#
# (C) 2012-2013 by Pablo Neira Ayuso <pablo@netfilter.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This software has been sponsored by Sophos Astaro <http://www.sophos.com>
#

import argparse
import os
import subprocess
import sys

# Front-end command names a test file is run against.  run_test_file() picks
# the family from the test file's name prefix (libipt_/libip6t_/libebt_), and
# execute_cmd() dispatches a bare name to the multi-call binary named by
# EXECUTEABLE (set in main()) under ./iptables/.
IPTABLES = "iptables"
IP6TABLES = "ip6tables"
EBTABLES = "ebtables"

# Matching *-save tools; run_test() searches their output for the loaded rule.
IPTABLES_SAVE = "iptables-save"
IP6TABLES_SAVE = "ip6tables-save"
EBTABLES_SAVE = "ebtables-save"
# Alternative front-end form, kept for reference:
#IPTABLES_SAVE = ['xtables-save','-4']
#IP6TABLES_SAVE = ['xtables-save','-6']

# Directory holding the extension sources (lib*.c) and their tests (*.t).
EXTENSIONS_PATH = "extensions"
# Every executed command line and its output is written here by execute_cmd().
LOGFILE = "/tmp/iptables-test.log"
# File object for LOGFILE; main() opens it before any test runs.
log_file = None


class Colors:
    '''
    ANSI escape sequences used to colour terminal output; ENDC resets.
    '''
    ENDC = '\033[0m'
    RED = '\033[91m'
    GREEN = '\033[92m'
    YELLOW = '\033[93m'
    BLUE = '\033[94m'
    HEADER = '\033[95m'


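def print_error(reason, filename=None, lineno=None):
    '''
    Prints an error with nice colors, indicating file and line number.

    :param reason: free-text description of what went wrong
    :param filename: name of the test file, or None when not file-related
    :param lineno: line number within filename, or None when unknown
    '''
    # Both optional parameters default to None, so build the location part
    # only from what was given instead of concatenating/formatting None.
    message = ""
    if filename is not None:
        message += filename + ": "
    message += Colors.RED + "ERROR" + Colors.ENDC
    if lineno is not None:
        message += ": line %d (%s)" % (lineno, reason)
    else:
        message += ": %s" % reason
    print(message)

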
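def delete_rule(iptables, rule, filename, lineno):
    '''
    Removes an iptables rule.

    :param iptables: string with the iptables command to execute
    :param rule: string with iptables arguments identifying the rule
    :param filename: name of the file tested (used for print_error purposes)
    :param lineno: line number being tested (used for print_error purposes)
    :return: 0 if the rule was deleted, -1 otherwise
    '''
    cmd = iptables + " -D " + rule
    ret = execute_cmd(cmd, filename, lineno)
    # Any non-zero status is a failed delete: only exit status 1 used to be
    # caught, so a usage error or a segfault of the delete counted as success
    # and could leave the rule in place for the tests that follow.
    if ret != 0:
        # report the command that actually ran (-D), not an -I variant
        reason = "cannot delete: " + cmd
        print_error(reason, filename, lineno)
        return -1

    return 0

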
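def run_test(iptables, rule, rule_save, res, filename, lineno, netns):
    '''
    Executes an unit test. Returns the output of delete_rule().

    Parameters:
    :param iptables: string with the iptables command to execute
    :param rule: string with iptables arguments for the rule to test
    :param rule_save: string to find the rule in the output of iptables -save
    :param res: expected result of the rule. Valid values: "OK", "FAIL"
    :param filename: name of the file tested (used for print_error purposes)
    :param lineno: line number being tested (used for print_error purposes)
    :param netns: run the commands inside the test network namespace
    :return: 0 when the rule behaved as expected, -1 otherwise
    '''
    cmd = iptables + " -A " + rule
    if netns:
        # execute_cmd() only prepends the multi-call binary to commands that
        # start with a bare tool name, so it has to be done here for the
        # "ip netns exec" form.
        cmd = "ip netns exec ____iptables-container-test " + EXECUTEABLE + " " + cmd

    ret = execute_cmd(cmd, filename, lineno)

    #
    # report failed test
    #
    if ret:
        if res == "OK":
            reason = "cannot load: " + cmd
            print_error(reason, filename, lineno)
            return -1
        # the rule was expected to be rejected: do not report this error
        return 0

    if res == "FAIL":
        reason = "should fail: " + cmd
        print_error(reason, filename, lineno)
        delete_rule(iptables, rule, filename, lineno)
        return -1

    #
    # pick the *-save tool matching the front-end under test
    #
    command = _save_command(iptables)
    if command is None:
        # An unknown front-end used to leave 'command' unbound (NameError);
        # report it and clean up like the other failure paths.
        reason = "no save command known for: " + iptables
        print_error(reason, filename, lineno)
        delete_rule(iptables, rule, filename, lineno)
        return -1

    path = os.path.abspath(os.path.curdir) + "/iptables/" + EXECUTEABLE
    command = path + " " + command

    if netns:
        command = "ip netns exec ____iptables-container-test " + command

    # universal_newlines keeps the captured output a str (as execute_cmd()
    # already does) so the rule_save lookup works on both Python 2 and 3.
    proc = subprocess.Popen(command, shell=True, universal_newlines=True,
                            stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = proc.communicate()

    #
    # check for segfaults
    #
    if proc.returncode == -11:
        reason = "iptables-save segfaults: " + cmd
        print_error(reason, filename, lineno)
        delete_rule(iptables, rule, filename, lineno)
        return -1

    # find the rule
    if out.find(rule_save) < 0:
        reason = "cannot find: " + iptables + " -I " + rule
        print_error(reason, filename, lineno)
        delete_rule(iptables, rule, filename, lineno)
        return -1

    # Test "ip netns del NETNS" path with rules in place
    if netns:
        return 0

    return delete_rule(iptables, rule, filename, lineno)


def _save_command(iptables):
    '''
    Maps a front-end command ("iptables", "ip6tables", "ebtables", or a
    command with a "-4"/"-6" family flag) to the *-save tool whose output
    run_test() searches for the loaded rule.

    :param iptables: the front-end command string
    :return: the save command name, or None when the front-end is unknown
    '''
    splitted = iptables.split(" ")
    if len(splitted) == 2:
        if splitted[1] == '-4':
            return IPTABLES_SAVE
        if splitted[1] == '-6':
            return IP6TABLES_SAVE
    elif len(splitted) == 1:
        if splitted[0] == IPTABLES:
            return IPTABLES_SAVE
        if splitted[0] == IP6TABLES:
            return IP6TABLES_SAVE
        if splitted[0] == EBTABLES:
            return EBTABLES_SAVE
    return None

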
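def execute_cmd(cmd, filename, lineno):
    '''
    Executes a command, checking for segfaults and returning the command exit
    code.

    The command line is handed to the shell as-is (shell=True); it comes from
    a test file in the tree, and the harness runs as root (see main()).

    :param cmd: string with the command to be executed
    :param filename: name of the file tested (used for print_error purposes)
    :param lineno: line number being tested (used for print_error purposes)
    :return: exit status as reported by subprocess.call()
    '''
    # A bare front-end name is resolved to the multi-call binary built in
    # ./iptables/ so the freshly built tool is the one exercised.
    if cmd.startswith(('iptables ', 'ip6tables ', 'ebtables ')):
        cmd = os.path.abspath(os.path.curdir) + "/iptables/" + EXECUTEABLE + " " + cmd

    # The child writes straight to the log's file descriptor while this line
    # sits in Python's buffer; flush before spawning so the "command:" header
    # lands ahead of its output in the log instead of after it.
    log_file.write("command: %s\n" % cmd)
    log_file.flush()
    ret = subprocess.call(cmd, shell=True, universal_newlines=True,
                          stderr=subprocess.STDOUT, stdout=log_file)
    log_file.flush()

    # generic check for segfaults
    if ret == -11:
        reason = "command segfaults: " + cmd
        print_error(reason, filename, lineno)
    return ret

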
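def run_test_file(filename, netns):
    '''
    Runs a test file

    :param filename: name of the file with the test rules
    :param netns: run every command inside a throw-away network namespace
    :return: (tests run, tests passed); (0, 0) when the file is skipped
    '''
    #
    # if this is not a test file, skip.
    #
    if not filename.endswith(".t"):
        return 0, 0

    if "libipt_" in filename:
        iptables = IPTABLES
    elif "libip6t_" in filename:
        iptables = IP6TABLES
    elif "libxt_" in filename:
        iptables = IPTABLES
    elif "libebt_" in filename:
        # only supported with nf_tables backend
        if EXECUTEABLE != "xtables-nft-multi":
            return 0, 0
        iptables = EBTABLES
    else:
        # default to iptables if not known prefix
        iptables = IPTABLES

    tests = 0
    passed = 0
    table = ""
    # A ':' line must precede the first rule; start empty so a file without
    # one reaches the "missing chain" check below instead of a NameError.
    chain_array = []
    total_test_passed = True

    if netns:
        execute_cmd("ip netns add ____iptables-container-test", filename, 0)

    try:
        with open(filename) as f:
            for lineno, line in enumerate(f):
                # a blank line carries no rule and would not split into fields
                if not line.strip():
                    continue

                if line[0] == "#":
                    continue

                if line[0] == ":":
                    chain_array = line.rstrip()[1:].split(",")
                    continue

                # external non-iptables invocation, executed as is.
                if line[0] == "@":
                    external_cmd = line.rstrip()[1:]
                    if netns:
                        external_cmd = "ip netns exec ____iptables-container-test " + external_cmd
                    execute_cmd(external_cmd, filename, lineno)
                    continue

                if line[0] == "*":
                    table = line.rstrip()[1:]
                    continue

                if len(chain_array) == 0:
                    print("broken test, missing chain, leaving")
                    sys.exit()

                tests += 1

                # rule ; expected save output ('=' means same as rule) ; OK|FAIL
                item = line.split(";")
                if len(item) < 3:
                    print_error("malformed test line (expected 3 ';' fields)",
                                filename, lineno + 1)
                    total_test_passed = False
                    continue

                test_passed = True
                for chain in chain_array:
                    if table == "":
                        rule = chain + " " + item[0]
                    else:
                        rule = chain + " -t " + table + " " + item[0]

                    if item[1] == "=":
                        rule_save = chain + " " + item[0]
                    else:
                        rule_save = chain + " " + item[1]

                    res = item[2].rstrip()
                    ret = run_test(iptables, rule, rule_save,
                                   res, filename, lineno + 1, netns)

                    if ret < 0:
                        test_passed = False
                        total_test_passed = False
                        break

                if test_passed:
                    passed += 1
    finally:
        # Always drop the namespace, also on the sys.exit() above, so a broken
        # test file does not leave it behind for the next run.
        if netns:
            execute_cmd("ip netns del ____iptables-container-test", filename, 0)

    if total_test_passed:
        print(filename + ": " + Colors.GREEN + "OK" + Colors.ENDC)

    return tests, passed

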
def show_missing():
    '''
    Show the list of missing test files

    Every extensions/lib*.c is expected to have a sibling lib*.t; the names
    of the .t files that do not exist are printed one per line.
    '''
    entries = os.listdir(EXTENSIONS_PATH)
    present = set(name for name in entries if name.endswith('.t'))
    sources = [name for name in entries
               if name.startswith('lib') and name.endswith('.c')]

    # "libxt_foo.c" -> "libxt_foo.t"
    expected = [src[:-2] + '.t' for src in sources]
    missing = [name for name in expected if name not in present]

    print('\n'.join(missing))


#
# main
#
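def main():
    '''
    Parses the command line and runs the test files, or lists the missing
    ones with --missing.

    Everything but --missing needs root; the command log goes to LOGFILE.
    '''
    parser = argparse.ArgumentParser(description='Run iptables tests')
    parser.add_argument('filename', nargs='?',
                        metavar='path/to/file.t',
                        help='Run only this test')
    parser.add_argument('-l', '--legacy', action='store_true',
                        help='Test iptables-legacy')
    parser.add_argument('-m', '--missing', action='store_true',
                        help='Check for missing tests')
    parser.add_argument('-n', '--nftables', action='store_true',
                        help='Test iptables-over-nftables')
    parser.add_argument('-N', '--netns', action='store_true',
                        help='Test netnamespace path')
    args = parser.parse_args()

    #
    # show list of missing test files
    #
    if args.missing:
        show_missing()
        return

    # legacy is the default backend; --nftables switches the multi-call binary
    global EXECUTEABLE
    EXECUTEABLE = "xtables-legacy-multi"
    if args.nftables:
        EXECUTEABLE = "xtables-nft-multi"

    if os.getuid() != 0:
        print("You need to be root to run this, sorry")
        return

    os.putenv("XTABLES_LIBDIR", os.path.abspath(EXTENSIONS_PATH))
    os.putenv("PATH", "%s/iptables:%s" % (os.path.abspath(os.path.curdir), os.getenv("PATH")))

    test_files = 0
    tests = 0
    passed = 0

    # setup global var log file
    global log_file
    try:
        # LOGFILE lives in the shared /tmp and this process runs as root:
        # refuse to follow a symlink at that path so a pre-planted link
        # cannot redirect the truncating write to some other file.
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
        log_file = os.fdopen(os.open(LOGFILE, flags, 0o644), 'w')
    except (IOError, OSError):
        print("Couldn't open log file %s" % LOGFILE)
        return

    try:
        file_list = [os.path.join(EXTENSIONS_PATH, i)
                     for i in os.listdir(EXTENSIONS_PATH)]
        if args.filename:
            file_list = [args.filename]
        for filename in file_list:
            file_tests, file_passed = run_test_file(filename, args.netns)
            if file_tests:
                tests += file_tests
                passed += file_passed
                test_files += 1
    finally:
        # close the log also when run_test_file() bails out via sys.exit()
        log_file.close()

    print("%d test files, %d unit tests, %d passed" %
          (test_files, tests, passed))

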
# script entry point; importing the module runs nothing
if __name__ == "__main__":
    main()