
#!/bin/sh
# SPDX-License-Identifier: GPL-2.0-or-later
# Copyright (c) 2018 Oracle and/or its affiliates. All Rights Reserved.
# Copyright (c) International Business Machines  Corp., 2001
#
#  Author:	Jan 20 2004 Hubert Lin <linux02NOSPAAAM@tw.ibm.com>
#				       <hubertNOSPAAAM@symbio.com.tw>

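# LTP shell-API test description: six subtests, dispatched as test1..test6.
TST_CNT=6
TST_SETUP="init"
TST_TESTFUNC="test"
TST_CLEANUP="cleanup"
# The per-step output files (tst_iptables.out / tst_iptables.err) are written
# into the private temporary directory.
TST_NEEDS_TMPDIR=1
# Modifying netfilter tables needs CAP_NET_ADMIN; run as root.
TST_NEEDS_ROOT=1
# dmesg is a hard dependency of test4-test6, which read the LOG target's
# messages from the kernel ring buffer; declaring it here turns a missing
# binary into TCONF instead of a misleading TFAIL.
TST_NEEDS_CMDS="iptables grep ping telnet dmesg"

. tst_test.sh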

init()
{
	local table

	tst_res TINFO "INIT: Inititalizing tests."

	# ip_tables may be a loadable module or built into the kernel. Only
	# when modprobe fails do we fall back to probing with a plain listing;
	# if that fails too there is nothing to test on this kernel.
	if ! modprobe ip_tables; then
		iptables -L > tst_iptables.out 2>&1 || \
			tst_brk TCONF "no iptables support in kernel."
	fi

	# NOTE: this discards whatever host policy was loaded in the filter,
	# nat and mangle tables and it is never restored -- the subtests
	# assume they start from an empty INPUT chain. Failures of the flush
	# are ignored, as before.
	tst_res TINFO "INIT: Flushing all rules."
	for table in filter nat mangle; do
		iptables -F -t "$table" > tst_iptables.out 2>&1
	done
}

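cleanup()
{
	# Always try to remove the rules the subtests may have left behind.
	# A subtest that fails mid-way returns without deleting its rule, and
	# with ip_tables built into the kernel (init's fallback path) the
	# lsmod check below never matches, so the old code would skip the
	# flush and leave e.g. a DROP for ICMP from 127.0.0.1 in the live
	# INPUT chain after the test finished.
	if iptables -L > tst_iptables.out 2>&1; then
		iptables -F -t filter > tst_iptables.out 2>&1
		iptables -F -t nat > tst_iptables.out 2>&1
		iptables -F -t mangle > tst_iptables.out 2>&1
	fi

	# Best effort: unload the modules the tests may have pulled in.
	# Errors (module in use, built-in, never loaded) are deliberately
	# ignored, so this only runs when ip_tables shows up as a module.
	if lsmod | grep -q "ip_tables"; then
		rmmod -v ipt_limit ipt_multiport ipt_LOG ipt_REJECT \
			 iptable_mangle iptable_nat ip_conntrack \
			 iptable_filter ip_tables nf_nat_ipv4 nf_nat \
			 nf_log_ipv4 nf_log_common nf_reject_ipv4 \
			 nf_conntrack_ipv4 nf_defrag_ipv4 nf_conntrack \
			 > tst_iptables.out 2>&1
	fi
}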

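# Run "iptables -L -t $1" and require at least $2 "Chain" header lines in
# its output. Reports TFAIL and returns 1 on any problem so the caller can
# stop; returns 0 after a TINFO on success.
list_table_chains()
{
	local table="$1"
	local min_chains="$2"
	local chaincnt
	local cmd="iptables -L -t $table"

	tst_res TINFO "$cmd will list all rules in table $table."
	if ! $cmd > tst_iptables.out 2>&1; then
		tst_res TFAIL "$cmd failed to list rules."
		cat tst_iptables.out
		return 1
	fi

	# grep -c prints 0 (and exits 1) when nothing matches, so the
	# comparison below is safe either way.
	chaincnt=$(grep -c Chain tst_iptables.out)
	if [ "$chaincnt" -lt "$min_chains" ]; then
		tst_res TFAIL "$cmd failed to list rules."
		cat tst_iptables.out
		return 1
	fi

	tst_res TINFO "$cmd lists rules."
	return 0
}

test1()
{
	# Minimum number of built-in chains each table must list:
	# 3 for filter and nat, 5 for mangle. A short or failed listing of
	# any table is a failure -- in particular the mangle check no longer
	# falls through to TPASS after reporting TFAIL.
	list_table_chains filter 3 || return
	list_table_chains nat 3 || return
	list_table_chains mangle 5 || return

	tst_res TPASS "iptables -L lists rules."
}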

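test2()
{
	# Full rule specification, used for both -A and -D so the delete
	# removes exactly this rule instead of whatever sits at position 1
	# (e.g. a rule left behind by an earlier subtest that failed mid-way).
	local rule="INPUT -s 127.0.0.1 -p icmp -j DROP"

	tst_res TINFO "Use iptables to DROP packets from particular IP"
	tst_res TINFO "Rule to block icmp from 127.0.0.1"

	if ! iptables -A $rule > tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables command failed to append new rule."
		cat tst_iptables.out
		return
	fi

	tst_res TINFO "Pinging 127.0.0.1"
	if ping -c 2 127.0.0.1 > tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables did not block icmp from 127.0.0.1"
		cat tst_iptables.out
		# Never leave a DROP for loopback ICMP behind on failure.
		iptables -D $rule > /dev/null 2>&1
		return
	fi

	# ping also exits non-zero on partial loss; only a total loss shows
	# that every echo request was dropped. Print the ping output (not the
	# empty grep result) so a partial loss can be diagnosed.
	if ! grep "100% packet loss" tst_iptables.out \
		> tst_iptables.err 2>&1; then
		tst_res TFAIL "iptables did not block packets from loopback"
		cat tst_iptables.out
		iptables -D $rule > /dev/null 2>&1
		return
	fi
	tst_res TINFO "Ping 127.0.0.1 not successful."

	tst_res TINFO "Deleting icmp DROP from 127.0.0.1 rule."
	if ! iptables -D $rule > tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables did not remove the rule."
		cat tst_iptables.out
		return
	fi

	tst_res TINFO "Pinging 127.0.0.1 again"
	if ! ping -c 2 127.0.0.1 > tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables blocking loopback. This is expected" \
			       "behaviour on certain distributions where" \
			       "enabling firewall drops all packets by default."
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "Ping succsess"
	tst_res TPASS "iptables can DROP packets from particular IP."
}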

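test3()
{
	# Full rule specification, reused for -D so the delete targets this
	# rule by content rather than by chain position.
	local rule="INPUT -p icmp --icmp-type echo-request -d 127.0.0.1 -j REJECT"

	tst_res TINFO "Use iptables to REJECT ping request."
	tst_res TINFO "Rule to reject ping request."

	if ! iptables -A $rule > tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables command failed to append new rule."
		cat tst_iptables.out
		return
	fi

	tst_res TINFO "Pinging 127.0.0.1"
	if ping -c 2 127.0.0.1 > tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables did not reject ping request."
		cat tst_iptables.out
		# Don't leave the REJECT in the live INPUT chain on failure.
		iptables -D $rule > /dev/null 2>&1
		return
	fi

	# Only a total loss proves every echo request was rejected; show the
	# ping output itself when that is not the case.
	if ! grep "100% packet loss" tst_iptables.out \
		> tst_iptables.err 2>&1; then
		tst_res TFAIL "iptables did not block ping request."
		cat tst_iptables.out
		iptables -D $rule > /dev/null 2>&1
		return
	fi
	tst_res TINFO "Ping 127.0.0.1 not successful."

	tst_res TINFO "Deleting icmp request REJECT rule."
	if ! iptables -D $rule > tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables did not remove the rule."
		cat tst_iptables.out
		return
	fi

	tst_res TINFO "Pinging 127.0.0.1 again"
	if ! ping -c 2 127.0.0.1 > tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables blocking ping requests. This is" \
			      "expected behaviour on certain distributions" \
			      "where enabling firewall drops all packets by" \
			      "default."
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "Ping succsess"
	tst_res TPASS "iptables can REJECT ping requests."
}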

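test4()
{
	local dport=45886
	# Timestamped prefix keeps this run's LOG lines apart from older ones
	# in the ring buffer.
	local logprefix="${TCID}$(date +%m%d%H%M%S):"
	# Match part of the rule; the same specification is used for -A and
	# -D so the delete removes exactly this rule, not position 1.
	local match="INPUT -p tcp -d 127.0.0.1 --dport $dport"

	tst_res TINFO "Use iptables to log packets to particular port."
	tst_res TINFO "Rule to log tcp packets to particular port."

	if ! iptables -A $match -j LOG --log-prefix "$logprefix" \
		> tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables command failed to append new rule."
		cat tst_iptables.out
		return
	fi

	# The test assumes nothing listens on $dport: the SYN traverses the
	# LOG rule and the connect is expected to be refused, so telnet exits
	# non-zero. A service bound to that port would make this step fail.
	tst_res TINFO "telnet 127.0.0.1 $dport"
	if telnet 127.0.0.1 $dport > tst_iptables.out 2>&1; then
		tst_res TFAIL "telnet to 127.0.0.1 $dport should fail."
		cat tst_iptables.out
		iptables -D $match -j LOG --log-prefix "$logprefix" \
			> /dev/null 2>&1
		return
	fi

	# Give the LOG message a moment to reach the kernel ring buffer.
	sleep 2
	if ! dmesg | grep -F "$logprefix" > tst_iptables.err 2>&1; then
		tst_res TFAIL "iptables did not log packets to port $dport"
		cat tst_iptables.err
		iptables -D $match -j LOG --log-prefix "$logprefix" \
			> /dev/null 2>&1
		return
	fi
	tst_res TINFO "Packets to port $dport logged."

	tst_res TINFO "Deleting the rule to log."
	if ! iptables -D $match -j LOG --log-prefix "$logprefix" \
		> tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables did not remove the rule."
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "iptables logging succsess"
	tst_res TPASS "iptables can log packets to particular port."
}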

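test5()
{
	local dport
	local logprefix="${TCID}$(date +%m%d%H%M%S):"

	tst_res TINFO "Use iptables to log packets to multiple ports."
	tst_res TINFO "Rule to log tcp packets to port 45801 - 45803."
	if ! iptables -A INPUT -p tcp -d 127.0.0.1 --dport 45801:45803 -j LOG \
		--log-prefix "$logprefix" > tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables command failed to append new rule."
		cat tst_iptables.out
		return
	fi

	tst_res TINFO "Rule to log tcp packets to port 45804 - 45806."
	if ! iptables -A INPUT -p tcp -d 127.0.0.1 -m multiport --dports \
		45804,45806,45805 -j LOG --log-prefix "$logprefix" \
		> tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables command failed to append new rule."
		cat tst_iptables.out
		# The range rule is already in place; don't leave it behind.
		iptables -F > /dev/null 2>&1
		return
	fi

	for dport in 45801 45802 45803 45804 45805 45806; do
		# Nothing is expected to listen on these ports, so telnet
		# should be refused after the SYN has hit the LOG rule.
		tst_res TINFO "telnet 127.0.0.1 $dport"
		if telnet 127.0.0.1 $dport > tst_iptables.out 2>&1; then
			tst_res TFAIL "telnet to 127.0.0.1 $dport should fail."
			cat tst_iptables.out
			iptables -F > /dev/null 2>&1
			return
		fi

		sleep 2
		# Match the destination-port field explicitly: telnet's
		# ephemeral source port can itself fall in 45801-45806, so a
		# bare "=$dport " could be satisfied by the SPT= field of a
		# line logged for a different port.
		if ! dmesg | grep -F "$logprefix" | grep "DPT=$dport " \
			> tst_iptables.err 2>&1; then
			tst_res TFAIL "iptables did not log packets" \
				       "to port $dport"
			cat tst_iptables.err
			iptables -F > /dev/null 2>&1
			return
		fi
		tst_res TINFO "Packets to port $dport logged."
	done

	# As on the failure paths, the whole filter table is flushed rather
	# than the two rules deleted individually.
	tst_res TINFO "Flushing all rules."
	if ! iptables -F > tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables did not flush all rules."
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "iptables logging succsess"
	tst_res TPASS "iptables can log packets to multiple ports."
}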

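test6()
{
	local logcnt=0
	local logprefix="${TCID}$(date +%m%d%H%M%S):"
	# Match part of the rule, reused verbatim for -D so the delete
	# removes exactly this rule instead of position 1.
	local match="INPUT -p icmp --icmp-type echo-request -d 127.0.0.1 -m limit"

	tst_res TINFO "Use iptables to log ping request with limited rate."
	tst_res TINFO "Rule to log ping request."

	if ! iptables -A $match -j LOG --log-prefix "$logprefix" \
		> tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables command failed to append new rule."
		cat tst_iptables.out
		return
	fi

	tst_res TINFO "ping 127.0.0.1"
	if ! ping -c 10 127.0.0.1 > tst_iptables.out 2>&1; then
		tst_res TFAIL "ping to 127.0.0.1 failed. This is expected" \
			      "behaviour on certain distributions where" \
			      "enabling firewall drops all packets by default."
		cat tst_iptables.out
		# Remove the LOG rule even when the ping itself failed.
		iptables -D $match -j LOG --log-prefix "$logprefix" \
			> /dev/null 2>&1
		return
	fi

	sleep 2
	# With the default rate/burst of -m limit, exactly 5 of the 10 echo
	# requests are expected to reach LOG; the rule is freshly added, so
	# no earlier traffic has consumed its burst.
	logcnt=$(dmesg | grep -c -F "$logprefix")
	if [ "$logcnt" -ne 5 ]; then
		tst_res TFAIL "iptables did not log packets with" \
			      "limited rate."
		cat tst_iptables.out
		iptables -D $match -j LOG --log-prefix "$logprefix" \
			> /dev/null 2>&1
		return
	fi
	tst_res TINFO "ping requests logged with limited rate."

	tst_res TINFO "Deleting the rule to log."
	if ! iptables -D $match -j LOG --log-prefix "$logprefix" \
		> tst_iptables.out 2>&1; then
		tst_res TFAIL "iptables did not remove the rule."
		cat tst_iptables.out
		return
	fi
	tst_res TINFO "iptables limited logging succsess"
	tst_res TPASS "iptables can log packets with limited rate."
}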

# Hand control to the LTP shell API: runs init, then test1..test6, then
# cleanup (TST_CLEANUP runs even when a subtest breaks out early).
tst_run