
[v4,4/6] support/testing: test for nftables init script

Message ID 20240726162013.2183792-5-fiona.klute@gmx.de

Commit Message

Fiona Klute July 26, 2024, 4:20 p.m. UTC
From: "Fiona Klute (WIWA)" <fiona.klute@gmx.de>

The new test checks that a pre-defined rules file can be loaded and
works as expected, and that after flushing, the blocked IP responds to
ping again.

Signed-off-by: Fiona Klute (WIWA) <fiona.klute@gmx.de>
---
 DEVELOPERS                                    |  1 +
 .../testing/tests/package/test_nftables.py    | 37 ++++++++++++++++++-
 .../rootfs-overlay/etc/nftables.conf          |  8 ++++
 3 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 support/testing/tests/package/test_nftables/rootfs-overlay/etc/nftables.conf

--
2.45.2

diff --git a/DEVELOPERS b/DEVELOPERS
index 9a8c92f122..c358954645 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -1108,6 +1108,7 @@  F:	package/python-pymodbus/
 N:	Fiona Klute <fiona.klute@gmx.de>
 F:	package/python-pyasynchat/
 F:	package/python-pyasyncore/
+F:	support/testing/tests/package/test_nftables.py

 N:	Flávio Tapajós <flavio.tapajos@newtesc.com.br>
 F:	configs/asus_tinker-s_rk3288_defconfig
diff --git a/support/testing/tests/package/test_nftables.py b/support/testing/tests/package/test_nftables.py
index 142e7d0352..2622c7e822 100644
--- a/support/testing/tests/package/test_nftables.py
+++ b/support/testing/tests/package/test_nftables.py
@@ -85,7 +85,7 @@  class TestNftables(infra.basetest.BRTest):
         # supposed to fail earlier is now supposed to succeed.
         self.assertRunOk(ping_test_cmd)

-    def test_run(self):
+    def boot_vm(self):
         img = os.path.join(self.builddir, "images", "rootfs.cpio.gz")
         kern = os.path.join(self.builddir, "images", "Image")
         self.emulator.boot(arch="aarch64",
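Review bot: The renamed `boot_vm` becomes a helper shared with the new subclass in the last hunk but carries no docstring, so a reader of `TestNftablesInit.test_run` has to scroll up to learn what state it leaves behind. A one-liner such as `"""Boot the aarch64 test image from builddir and log in; callers then run commands via self.emulator."""` would document that contract where it is defined. The body of boot_vm continues past the end of this hunk.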
@@ -97,6 +97,9 @@  class TestNftables(infra.basetest.BRTest):
                                     "-initrd", img])
         self.emulator.login()

+    def test_run(self):
+        self.boot_vm()
+
         # We check the program can execute.
         self.assertRunOk("nft --version")

@@ -107,3 +110,35 @@  class TestNftables(infra.basetest.BRTest):
         # We run again the same test sequence using our simple nft
         # python implementation, to check the language bindings.
         self.nftables_test(prog="/root/nft.py")
+
+
+class TestNftablesInit(TestNftables):
+    config = TestNftables.config + \
+        """
+        BR2_INIT_BUSYBOX=y
+        """
+
+    def test_run(self):
+        self.boot_vm()
+
+        # start with known state (rules from /etc/nftables.conf)
+        self.assertRunOk("/etc/init.d/S35nftables reload")
+
+        # Same concept as in TestNftables.nftables_test: The rules
+        # should allow ping to 127.0.0.1, but not 127.0.0.2.
+        ping_cmd_prefix = "ping -c 3 -i 0.5 -W 2 "
+        self.assertRunOk(ping_cmd_prefix + "127.0.0.1")
+        _, exit_code = self.emulator.run(ping_cmd_prefix + "127.0.0.2")
+        self.assertNotEqual(exit_code, 0)
+
+        # Stop should flush the rules, ping to both addresses should
+        # work now.
+        self.assertRunOk("/etc/init.d/S35nftables stop")
+        self.assertRunOk(ping_cmd_prefix + "127.0.0.1")
+        self.assertRunOk(ping_cmd_prefix + "127.0.0.2")
+
+        # Start is essentially the same as reload, check that
+        # 127.0.0.2 gets blocked again.
+        self.assertRunOk("/etc/init.d/S35nftables start")
+        _, exit_code = self.emulator.run(ping_cmd_prefix + "127.0.0.2")
+        self.assertNotEqual(exit_code, 0)
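Review bot: After `/etc/init.d/S35nftables stop` the flush is verified only indirectly, by ping to 127.0.0.2 succeeding, so a leftover table with a different match would pass unnoticed; an explicit `out, _ = self.emulator.run("nft list ruleset")` followed by `self.assertEqual(out, [])` (assuming run() returns the output lines first, as the unpacking at the 127.0.0.2 ping suggests) would pin the "stop flushes the ruleset" behaviour the commit message states. The class has no docstring; something like `"""Exercise the S35nftables init script: reload/start must apply /etc/nftables.conf, stop must flush it."""` would say what distinguishes it from TestNftables. The config override adds only BR2_INIT_BUSYBOX, so the rootfs overlay that carries nftables.conf must already be set in TestNftables.config outside this hunk — worth confirming, since `reload` would otherwise fail on a missing rules file rather than on a firewall defect.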
diff --git a/support/testing/tests/package/test_nftables/rootfs-overlay/etc/nftables.conf b/support/testing/tests/package/test_nftables/rootfs-overlay/etc/nftables.conf
new file mode 100644
index 0000000000..a04af1d634
--- /dev/null
+++ b/support/testing/tests/package/test_nftables/rootfs-overlay/etc/nftables.conf
@@ -0,0 +1,8 @@ 
+flush ruleset
+
+table inet filter {
+	chain input {
+		type filter hook input priority filter; policy accept;
+		ip daddr 127.0.0.2 icmp type echo-request drop
+	}
+}
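Review bot: The new rules file has no comment marking it as a deliberately permissive test fixture (`policy accept` with a single drop rule) rather than an example firewall, so it risks being copied as a default; a header such as `# Test fixture for TestNftablesInit: accept everything except ICMP echo-request to 127.0.0.2` would prevent that. The leading `flush ruleset` also means every reload discards all existing tables, including any not managed by this file, which is what the init-script test relies on but is worth stating in the same comment.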