From c841101b3d73722c67f24127c3de26e94e53ce8a Mon Sep 17 00:00:00 2001 From: Jozsef Kadlecsik Date: Sat, 23 Sep 2017 20:37:16 +0200 Subject: testsuite: Make sure it can be run over ssh :-) --- tests/check_klog.sh | 8 +++++++- tests/iptables.sh | 7 +++---- tests/match_flags.t | 20 ++++++++++---------- tests/match_target.t | 22 +++++++++++----------- tests/match_target6.t | 12 ++++++------ tests/sendip.sh | 6 ++++++ 6 files changed, 43 insertions(+), 32 deletions(-) create mode 100755 tests/sendip.sh (limited to 'tests') diff --git a/tests/check_klog.sh b/tests/check_klog.sh index a39da77..146e492 100755 --- a/tests/check_klog.sh +++ b/tests/check_klog.sh @@ -5,6 +5,12 @@ set -e # arguments: ipaddr proto port setname ... +test -f .loglines || exit 1 +loglines=$(<.loglines) +if [ $loglines -ne 0 ]; then + loglines=$((loglines - 1)) +fi + expand_ipv6() { # incomplete, but for our addresses it's OK addr= @@ -37,7 +43,7 @@ proto=`echo $1 | tr a-z A-Z`; shift port=$1; shift for setname in $@; do - match=`dmesg| tail -n 2 | grep -e "in set $setname: .* SRC=$ipaddr .* PROTO=$proto SPT=$port .*"` + match=`tail -n +$loglines /var/log/kern.log | grep -e "in set $setname: .* SRC=$ipaddr .* PROTO=$proto SPT=$port .*"` if [ -z "$match" ]; then echo "no match!" exit 1 diff --git a/tests/iptables.sh b/tests/iptables.sh index 490d42d..8bc77ef 100755 --- a/tests/iptables.sh +++ b/tests/iptables.sh @@ -36,7 +36,6 @@ inet6) ;; esac - case "$2" in start) $ipset n ip1 hash:ip $family 2>/dev/null 
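Review bot: In tests/check_klog.sh the value read from `.loglines` is used unquoted and unvalidated in `[ $loglines -ne 0 ]`. If the file is empty (for example because `wc` could not read /var/log/kern.log in sendip.sh), the test only prints an error, `set -e` does not abort inside an `if` condition, and the empty value later reaches `tail -n +$loglines`. The suite presumably runs as root and the counter comes from a file in the current directory, so I would reject anything that is not a plain number right after reading it: `case "$loglines" in ''|*[!0-9]*) echo "bad .loglines" >&2; exit 1;; esac`, and quote the variable in the test.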
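Review bot: The log window in the new `match=` line of tests/check_klog.sh starts before the probe rather than after it. sendip.sh saves the line count N before sending, the block added at the top lowers it to N-1, and `tail -n +$loglines` prints from line N-1, so two pre-probe lines are searched as well. A stale entry from an earlier probe with the same source, protocol and port can then satisfy the grep and let a broken set match pass; `tail -n +"$((loglines + 1))"` on the undecremented count would restrict the search to new lines, and if the slack is deliberate a comment should say so. The check also assumes the syslog daemon has already written the kernel message to /var/log/kern.log when sendip returns, which may not hold, so a short bounded retry would avoid spurious failures. The `for` loop continues outside the hunk.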
@@ -93,16 +92,16 @@ start_flags_reversed)
 ;;
 del)
 $cmd -F INPUT
- $cmd -A INPUT -j SET --del-set ipport src,src
+ $cmd -A INPUT -s $NET -j SET --del-set ipport src,src
 ;;
 add)
 $ipset n test hash:net $family 2>/dev/null
 $cmd -F INPUT
- $cmd -A INPUT -j SET --add-set test src
+ $cmd -A INPUT -s $NET -j SET --add-set test src
 ;;
 timeout)
 $ipset n test hash:ip,port timeout 2
- $cmd -A INPUT -j SET --add-set test src,src --timeout 10 --exist
+ $cmd -A INPUT -s $NET -j SET --add-set test src,src --timeout 10 --exist
 ;;
 mangle)
 $ipset n test hash:net $family skbinfo 2>/dev/null
diff --git a/tests/match_flags.t b/tests/match_flags.t
index 8cede10..f14198c 100644
--- a/tests/match_flags.t
+++ b/tests/match_flags.t
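Review bot: `$NET` is used unquoted in the three new `-s $NET` rules of tests/iptables.sh (the del, add and timeout arms), and its definition is not visible in this hunk. If it is ever empty, `-s` would presumably take `-j` as its argument and the rule would fail with a confusing message; `-s "${NET:?}"` fails early with a clear one. A short comment such as `# match only the test source net, so the SET target ignores the ssh session's own packets` would record why the restriction exists (inferred from the commit subject). The enclosing `case` starts and ends outside the hunk.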
@@ -1,23 +1,23 @@
 # Create sets and inet rules which call set match
 0 ./iptables.sh inet start_flags
 # Send probe packet from 10.0.0.0,tcp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.0 -p tcp -td 80 -ts 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.0.0.0 -p tcp -td 80 -ts 1025 127.0.0.1
 # Check that test set matched with --return-nomatch
 0 ./check_klog.sh 10.0.0.0 tcp 1025 test-nomatch
 # Send probe packet from 10.0.0.1,tcp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.1 -p tcp -td 80 -ts 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.0.0.1 -p tcp -td 80 -ts 1025 127.0.0.1
 # Check that test set matched
 0 ./check_klog.sh 10.0.0.1 tcp 1025 test
 # Send probe packet from 10.0.0.2,tcp:1025
-0 sendip -p ipv4 -id 127.0.0.2 -is 10.0.0.2 -p tcp -td 80 -ts 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.2 -is 10.0.0.2 -p tcp -td 80 -ts 1025 127.0.0.1
 # Check that test set matched with --return-nomatch
 0 ./check_klog.sh 10.0.0.2 tcp 1025 test-nomatch
 # Send probe packet from 10.0.0.255,tcp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.255 -p tcp -td 80 -ts 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.0.0.255 -p tcp -td 80 -ts 1025 127.0.0.1
 # Check that test set matched with --return-nomatch
 0 ./check_klog.sh 10.0.0.255 tcp 1025 test-nomatch
 # Send probe packet from 10.0.1.0,tcp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.1.0 -p tcp -td 80 -ts 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.0.1.0 -p tcp -td 80 -ts 1025 127.0.0.1
 # Check that test set matched
 0 ./check_klog.sh 10.0.1.0 tcp 1025 test
 # Destroy sets and rules
@@ -25,23 +25,23 @@
 # Create sets and inet rules which call set match, reversed rule order
 0 ./iptables.sh inet start_flags_reversed
 # Send probe packet from 10.0.0.0,tcp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.0 -p tcp -td 80 -ts 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.0.0.0 -p tcp -td 80 -ts 1025 127.0.0.1
 # Check that test set matched with --return-nomatch
 0 ./check_klog.sh 10.0.0.0 tcp 1025 test-nomatch
 # Send probe packet from 10.0.0.1,tcp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.1 -p tcp -td 80 -ts 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.0.0.1 -p tcp -td 80 -ts 1025 127.0.0.1
 # Check that test set matched
 0 ./check_klog.sh 10.0.0.1 tcp 1025 test
 # Send probe packet from 10.0.0.2,tcp:1025
-0 sendip -p ipv4 -id 127.0.0.2 -is 10.0.0.2 -p tcp -td 80 -ts 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.2 -is 10.0.0.2 -p tcp -td 80 -ts 1025 127.0.0.1
 # Check that test set matched with --return-nomatch
 0 ./check_klog.sh 10.0.0.2 tcp 1025 test-nomatch
 # Send probe packet from 10.0.0.255,tcp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.0.255 -p tcp -td 80 -ts 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.0.0.255 -p tcp -td 80 -ts 1025 127.0.0.1
 # Check that test set matched with --return-nomatch
 0 ./check_klog.sh 10.0.0.255 tcp 1025 test-nomatch
 # Send probe packet from 10.0.1.0,tcp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.0.1.0 -p tcp -td 80 -ts 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.0.1.0 -p tcp -td 80 -ts 1025 127.0.0.1
 # Check that test set matched
 0 ./check_klog.sh 10.0.1.0 tcp 1025 test
 # Destroy sets and rules
diff --git a/tests/match_target.t b/tests/match_target.t
index 59e1643..3d7ed1b 100644
--- a/tests/match_target.t
+++ b/tests/match_target.t
@@ -15,7 +15,7 @@
 # Check that 10.255.255.64,tcp:1025 is not in ipport set
 1 ipset test ipport 10.255.255.64,tcp:1025
 # Send probe packet from 10.255.255.64,tcp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p tcp -td 80 -ts 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p tcp -td 80 -ts 1025 127.0.0.1
 # Check that proper sets matched and target worked
 0 ./check_klog.sh 10.255.255.64 tcp 1025 ipport list
 # Check that 10.255.255.64,tcp:1025 is in ipport set now
@@ -23,7 +23,7 @@
 # Check that 10.255.255.64,udp:1025 is not in ipport set
 1 ipset test ipport 10.255.255.64,udp:1025
 # Send probe packet from 10.255.255.64,udp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p udp -ud 80 -us 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p udp -ud 80 -us 1025 127.0.0.1
 # Check that proper sets matched and target worked
 0 ./check_klog.sh 10.255.255.64 udp 1025 ipport list
 # Check that 10.255.255.64,udp:1025 is in ipport set now
@@ -31,7 +31,7 @@
 # Check that 10.255.255.1,tcp:1025 is not in ipport set
 1 ipset test ipport 10.255.255.1,tcp:1025
 # Send probe packet from 10.255.255.1,tcp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.255.255.1 -p tcp -td 80 -ts 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.255.255.1 -p tcp -td 80 -ts 1025 127.0.0.1
 # Check that proper sets matched and target worked
 0 ./check_klog.sh 10.255.255.1 tcp 1025 ip1 list
 # Check that 10.255.255.1,tcp:1025 is not in ipport set
@@ -39,7 +39,7 @@
 # Check that 10.255.255.32,tcp:1025 is not in ipport set
 1 ipset test ipport 10.255.255.32,tcp:1025
 # Send probe packet from 10.255.255.32,tcp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.255.255.32 -p tcp -td 80 -ts 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.255.255.32 -p tcp -td 80 -ts 1025 127.0.0.1
 # Check that proper sets matched and target worked
 0 ./check_klog.sh 10.255.255.32 tcp 1025 ip2
 # Check that 10.255.255.32,tcp:1025 is not in ipport set
@@ -47,13 +47,13 @@
 # Check that 10.255.255.64,icmp:host-prohibited is not in ipport set
 1 ipset test ipport 10.255.255.64,icmp:host-prohibited
 # Send probe packet 10.255.255.64,icmp:host-prohibited
-0 sendip -d r10 -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p icmp -ct 3 -cd 10 127.0.0.1
+0 ./sendip.sh -d r10 -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p icmp -ct 3 -cd 10 127.0.0.1
 # Check that 10.255.255.64,icmp:3/10 is in ipport set now
 0 ipset test ipport 10.255.255.64,icmp:host-prohibited
 # Modify rules to check target and deletion
 0 ./iptables.sh inet del
 # Send probe packet 10.255.255.64,icmp:host-prohibited
-0 sendip -d r10 -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p icmp -ct 3 -cd 10 127.0.0.1
+0 ./sendip.sh -d r10 -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p icmp -ct 3 -cd 10 127.0.0.1
 # Check that 10.255.255.64,icmp:3/10 isn't in ipport
 1 ipset test ipport 10.255.255.64,icmp:host-prohibited
 # Destroy sets and rules
@@ -73,7 +73,7 @@
 # Sleep 1s
 0 sleep 1s
 # Send probe packet 10.255.255.64,icmp:host-prohibited
-0 sendip -d r10 -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p icmp -ct 3 -cd 10 127.0.0.1
+0 ./sendip.sh -d r10 -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p icmp -ct 3 -cd 10 127.0.0.1
 # Sleep 5s, so original entry could time out
 0 sleep 5s
 # Check that 10.255.255.64,icmp:3/10 is not in ipport set
@@ -83,7 +83,7 @@
 # Create test set and iptables rules
 0 ./iptables.sh inet mangle
 # Send probe packet from 10.255.255.64,udp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p udp -ud 80 -us 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p udp -ud 80 -us 1025 127.0.0.1
 # Check that proper sets matched and target worked
 0 ./check_klog.sh 10.255.255.64 udp 1025 mark
 # Destroy sets and rules
@@ -91,7 +91,7 @@
 # Create test set and iptables rules
 0 ./iptables.sh inet add
 # Send probe packet from 10.255.255.64,udp:1025
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p udp -ud 80 -us 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p udp -ud 80 -us 1025 127.0.0.1
 # Check that 10.255.255.64 is added to the set
 0 ipset t test 10.255.255.64
 # Flush set
@@ -99,7 +99,7 @@
 # Add a /24 network to the set
 0 ipset a test 1.1.1.0/24
 # Send probe packet from 10.255.255.64,udp:1025 again
-0 sendip -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p udp -ud 80 -us 1025 127.0.0.1
+0 ./sendip.sh -p ipv4 -id 127.0.0.1 -is 10.255.255.64 -p udp -ud 80 -us 1025 127.0.0.1
 # Check that 10.255.255.0/24 is added to the set
 0 ipset t test 10.255.255.0/24
 # Destroy sets and rules
@@ -107,7 +107,7 @@
 # Create set and rules for 0.0.0.0/0 check in hash:net,iface
 0 ./iptables.sh inet netiface
 # Send probe packet
-0 sendip -p ipv4 -id 10.255.255.254 -is 10.255.255.64 -p udp -ud 80 -us 1025 10.255.255.254 >/dev/null 2>&1
+0 ./sendip.sh -p ipv4 -id 10.255.255.254 -is 10.255.255.64 -p udp -ud 80 -us 1025 10.255.255.254 >/dev/null 2>&1
 # Check kernel log that the packet matched the set
 0 ./check_klog.sh 10.255.255.64 udp 1025 netiface
 # Destroy sets and rules
diff --git a/tests/match_target6.t b/tests/match_target6.t
index 86197c0..c2a6bf8 100644
--- a/tests/match_target6.t
+++ b/tests/match_target6.t
@@ -15,7 +15,7 @@
 # Check that 1002:1002:1002:1002::64,tcp:1025 is not in ipport set
 1 ipset test ipport 1002:1002:1002:1002::64,tcp:1025
 # Send probe packet from 1002:1002:1002:1002::64,tcp:1025
-0 sendip -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p tcp -td 80 -ts 1025 ::1
+0 ./sendip.sh -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p tcp -td 80 -ts 1025 ::1
 # Check that proper sets matched and target worked
 0 ./check_klog.sh 1002:1002:1002:1002::64 tcp 1025 ipport list
 # Check that 1002:1002:1002:1002::64,tcp:1025 is in ipport set now
@@ -23,7 +23,7 @@
 # Check that 1002:1002:1002:1002::64,udp:1025 is not in ipport set
 1 ipset test ipport 1002:1002:1002:1002::64,udp:1025
 # Send probe packet from 1002:1002:1002:1002::64,udp:1025
-0 sendip -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p udp -ud 80 -us 1025 ::1
+0 ./sendip.sh -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p udp -ud 80 -us 1025 ::1
 # Check that proper sets matched and target worked
 0 ./check_klog.sh 1002:1002:1002:1002::64 udp 1025 ipport list
 # Check that 1002:1002:1002:1002::64,udp:1025 is in ipport set now
@@ -31,7 +31,7 @@
 # Check that 1002:1002:1002:1002::1,tcp:1025 is not in ipport set
 1 ipset test ipport 1002:1002:1002:1002::1,tcp:1025
 # Send probe packet from 1002:1002:1002:1002::1,tcp:1025
-0 sendip -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::1 -p tcp -td 80 -ts 1025 ::1
+0 ./sendip.sh -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::1 -p tcp -td 80 -ts 1025 ::1
 # Check that proper sets matched and target worked
 0 ./check_klog.sh 1002:1002:1002:1002::1 tcp 1025 ip1 list
 # Check that 1002:1002:1002:1002::1,tcp:1025 is not in ipport set
@@ -39,7 +39,7 @@
 # Check that 1002:1002:1002:1002::32,tcp:1025 is not in ipport set
 1 ipset test ipport 1002:1002:1002:1002::32,tcp:1025
 # Send probe packet from 1002:1002:1002:1002::32,tcp:1025
-0 sendip -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::32 -p tcp -td 80 -ts 1025 ::1
+0 ./sendip.sh -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::32 -p tcp -td 80 -ts 1025 ::1
 # Check that proper sets matched and target worked
 0 ./check_klog.sh 1002:1002:1002:1002::32 tcp 1025 ip2
 # Check that 1002:1002:1002:1002::32,tcp:1025 is not in ipport set
@@ -47,13 +47,13 @@
 # Check that 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly is not in ipport set
 1 ipset test ipport 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly
 # Send probe packet from 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly
-0 sendip -d r10 -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p icmp -ct 3 -cd 1 ::1
+0 ./sendip.sh -d r10 -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p icmp -ct 3 -cd 1 ::1
 # Check that 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly is in ipport set now
 0 ipset test ipport 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly
 # Modify rules to check target and deletion
 0 ./iptables.sh inet6 del
 # Send probe packet from 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly
-0 sendip -d r10 -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p icmp -ct 3 -cd 1 ::1
+0 ./sendip.sh -d r10 -p ipv6 -6d ::1 -6s 1002:1002:1002:1002::64 -p icmp -ct 3 -cd 1 ::1
 # Check that 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly isn't in ipport set
 1 ipset test ipport 1002:1002:1002:1002::64,icmpv6:ttl-zero-during-reassembly
 # Destroy sets and rules
diff --git a/tests/sendip.sh b/tests/sendip.sh
new file mode 100755
index 0000000..3a951f5
--- /dev/null
+++ b/tests/sendip.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# Save lineno for checking
+wc -l /var/log/kern.log | cut -d ' ' -f 1 > .loglines
+sendip "$@"
+
-- cgit v1.2.3
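Review bot: tests/sendip.sh still sends the probe when the line count could not be saved. The `wc | cut` pipeline has no error check, so a missing or unreadable /var/log/kern.log leaves `.loglines` empty and check_klog.sh then works from a bad offset. `wc -l < /var/log/kern.log > .loglines || exit 1` drops the `cut` and stops on failure. The log path is hard-coded and `.loglines` is written relative to the current directory, so the header comment should state that the script has to be run from tests/ on a host that logs kernel messages to that file.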