From patchwork Tue Jul 23 10:28:29 2024
X-Patchwork-Submitter: Fiona Klute
X-Patchwork-Id: 1963724
To: buildroot@buildroot.org
Date: Tue, 23 Jul 2024 12:28:29 +0200
Message-ID: <20240723102832.2522307-5-fiona.klute@gmx.de>
In-Reply-To: <20240723102832.2522307-1-fiona.klute@gmx.de>
References: <20240723102832.2522307-1-fiona.klute@gmx.de>
Subject: [Buildroot] [PATCH v2 4/6] support/testing: test for nftables init script
From: Fiona Klute
Reply-To: Fiona Klute
Cc: Julien Olivain, Fiona Klute, Ricardo Martincoski
From: "Fiona Klute (WIWA)" The new test checks that a pre-defined rules file can be loaded and works as expected, and that after flushing the blocked IP responds to ping again. Signed-off-by: Fiona Klute (WIWA) --- DEVELOPERS | 1 + .../testing/tests/package/test_nftables.py | 37 ++++++++++++++++++- .../rootfs-overlay/etc/nftables.conf | 8 ++++ 3 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 support/testing/tests/package/test_nftables/rootfs-overlay/etc/nftables.conf -- 2.45.2 diff --git a/DEVELOPERS b/DEVELOPERS index 3650321d6f..36418f9d6f 100644 --- a/DEVELOPERS +++ b/DEVELOPERS @@ -1108,6 +1108,7 @@ F: package/python-pymodbus/ N: Fiona Klute F: package/python-pyasynchat/ F: package/python-pyasyncore/ +F: support/testing/tests/package/test_nftables.py N: Flávio Tapajós F: configs/asus_tinker-s_rk3288_defconfig diff --git a/support/testing/tests/package/test_nftables.py b/support/testing/tests/package/test_nftables.py index 142e7d0352..2622c7e822 100644 --- a/support/testing/tests/package/test_nftables.py +++ b/support/testing/tests/package/test_nftables.py @@ -85,7 +85,7 @@ class TestNftables(infra.basetest.BRTest): # supposed to fail earlier is now supposed to succeed. self.assertRunOk(ping_test_cmd) - def test_run(self): + def boot_vm(self): img = os.path.join(self.builddir, "images", "rootfs.cpio.gz") kern = os.path.join(self.builddir, "images", "Image") self.emulator.boot(arch="aarch64", @@ -97,6 +97,9 @@ class TestNftables(infra.basetest.BRTest): "-initrd", img]) self.emulator.login() + def test_run(self): + self.boot_vm() + # We check the program can execute. self.assertRunOk("nft --version") 
@@ -107,3 +110,35 @@ class TestNftables(infra.basetest.BRTest): # We run again the same test sequence using our simple nft # python implementation, to check the language bindings. self.nftables_test(prog="/root/nft.py") + + +class TestNftablesInit(TestNftables): + config = TestNftables.config + \ + """ + BR2_INIT_BUSYBOX=y + """ + + def test_run(self): + self.boot_vm() + + # start with known state (rules from /etc/nftables.conf) + self.assertRunOk("/etc/init.d/S35nftables reload") + + # Same concept as in TestNftables.nftables_test: The rules + # should allow ping to 127.0.0.1, but not 127.0.0.2. + ping_cmd_prefix = "ping -c 3 -i 0.5 -W 2 " + self.assertRunOk(ping_cmd_prefix + "127.0.0.1") + _, exit_code = self.emulator.run(ping_cmd_prefix + "127.0.0.2") + self.assertNotEqual(exit_code, 0) + + # Stop should flush the rules, ping to both addresses should + # work now. + self.assertRunOk("/etc/init.d/S35nftables stop") + self.assertRunOk(ping_cmd_prefix + "127.0.0.1") + self.assertRunOk(ping_cmd_prefix + "127.0.0.2") + + # Start is essentially the same as reload, check that + # 127.0.0.2 gets blocked again. + self.assertRunOk("/etc/init.d/S35nftables start") + _, exit_code = self.emulator.run(ping_cmd_prefix + "127.0.0.2") + self.assertNotEqual(exit_code, 0) diff --git a/support/testing/tests/package/test_nftables/rootfs-overlay/etc/nftables.conf b/support/testing/tests/package/test_nftables/rootfs-overlay/etc/nftables.conf new file mode 100644 index 0000000000..a04af1d634 --- /dev/null +++ b/support/testing/tests/package/test_nftables/rootfs-overlay/etc/nftables.conf @@ -0,0 +1,8 @@ +flush ruleset + +table inet filter { + chain input { + type filter hook input priority filter; policy accept; + ip daddr 127.0.0.2 icmp type echo-request drop + } +}
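
Review bot: the DEVELOPERS hunk registers only support/testing/tests/package/test_nftables.py, while the same patch creates support/testing/tests/package/test_nftables/rootfs-overlay/etc/nftables.conf, so changes to the fixture ruleset would not be routed to the listed maintainer. Consider adding a second line, `F: support/testing/tests/package/test_nftables/`, next to the new one.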
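
Review bot: in TestNftablesInit.test_run, the last block (after `S35nftables start`) asserts only that ping to 127.0.0.2 fails, so a start that loaded a ruleset dropping all ICMP, or all loopback traffic, would still pass. Repeating `self.assertRunOk(ping_cmd_prefix + "127.0.0.1")` after start, as is done after reload, would show that the rule is selective. Both negative checks also accept any non-zero exit code from `self.emulator.run`; an additional check on the output of `nft list ruleset` after reload and after stop would tie the result to the loaded and flushed rules rather than to ping alone.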
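
Review bot: in the new rootfs-overlay/etc/nftables.conf, the address in `ip daddr 127.0.0.2 icmp type echo-request drop` is the same value that TestNftablesInit.test_run hard-codes in its ping commands, but nothing in the file records that dependency. A leading `#` comment stating that this is a test fixture and that test_nftables.py expects 127.0.0.2 to be blocked and 127.0.0.1 to be reachable would keep the two from drifting apart.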