
module Test_iptables =
(* Lens for one complete rule line inside a table: the chain specification
   ("-A CHAIN", "-I CHAIN", or the long spellings), the matches, the target
   and its options, and the terminating newline. *)
let add_rule = Iptables.table_rule
(* Lens for only the match/target part of a rule, i.e. the text that follows
   the chain specification (it starts with the separating blank). It does not
   accept a chain specification itself, see the "= *" test below. *)
let ipt_match = Iptables.ipt_match
(* A rule that loads a match module ("-m state") and then uses one of that
   module's options: the module name and the option become flat siblings
   under the command node, in the order they appear on the line. *)
test add_rule get "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n" =
  { "append" = "INPUT"
    { "match" = "state" }
    { "state" = "ESTABLISHED,RELATED" }
    { "jump"  = "ACCEPT" } }
(* Whitespace between tokens is free-form: a tab before the target name and a
   trailing blank before the newline are accepted and leave no trace in the
   tree. *)
test add_rule get "-A INPUT -p icmp -j \tACCEPT \n" =
  { "append" = "INPUT" { "protocol" = "icmp" } { "jump" = "ACCEPT" } }
(* Short option letters are stored under their long names ("-i" becomes
   "in-interface"), so consumers of the tree only ever see one spelling. *)
test add_rule get "-A INPUT -i lo -j ACCEPT\n" =
  { "append" = "INPUT" { "in-interface" = "lo" } { "jump" = "ACCEPT" } }
(* The match lens alone yields a flat sequence of nodes, with no enclosing
   command node. *)
test ipt_match get " -m tcp -p tcp --dport 53" =
  { "match" = "tcp" }
  { "protocol" = "tcp" }
  { "dport" = "53" }
(* Shared match-and-target fragment reused by several tests. It starts with
   the separating blank because it is the text that follows a chain
   specification. *)
let arule = " -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT"
(* The long spelling "--append" maps to the same "append" label as "-A". *)
test add_rule get ("--append INPUT" . arule . "\n") =
  { "append" = "INPUT"
    { "match" = "state" } { "state" = "NEW" }
    { "match" = "tcp" } { "protocol" = "tcp" } { "dport" = "53" }
    { "jump" = "ACCEPT" } }
(* The same fragment parsed on its own gives the same nodes, just not nested
   under a command node. *)
test ipt_match get arule =
  { "match" = "state" }
  { "state" = "NEW" }
  { "match" = "tcp" }
  { "protocol" = "tcp" }
  { "dport" = "53" }
  { "jump" = "ACCEPT" }
(* A chain specification is not a match: feeding the match lens a line that
   starts with "-A INPUT" must fail ("*" means the get is rejected). *)
test ipt_match get ("-A INPUT" . arule) = *
(* A protocol given by name ("esp") is stored under "protocol" like any
   other. *)
test ipt_match get " -p esp -j ACCEPT" =
  { "protocol" = "esp" }
  { "jump" = "ACCEPT" }
(* Several match modules on one line, plus a destination address ("-d" is
   stored under "destination"). Order is preserved. *)
test ipt_match get
  " -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT" =
  { "match" = "state" } { "state" = "NEW" }
  { "match" = "udp" } { "protocol" = "udp" } { "dport" = "5353" }
  { "destination" = "224.0.0.251" }
  { "jump" = "ACCEPT" }
(* "-I" becomes "insert". An option that takes no argument, such as
   --physdev-is-bridged, is stored as a node without a value. *)
test add_rule get "-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT\n" =
  { "insert" = "FORWARD"
    { "match" = "physdev" }
    { "physdev-is-bridged" }
    { "jump" = "ACCEPT" } }
(* Target-specific options that follow "-j" are siblings of the "jump" node,
   not children of it. *)
test add_rule get "-A INPUT -j REJECT --reject-with icmp-host-prohibited\n" =
  { "append" = "INPUT"
    { "jump" = "REJECT" }
    { "reject-with" = "icmp-host-prohibited" } }
(* User-defined chain names containing dashes and digits are accepted as the
   command's value. *)
test add_rule get "-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT\n" =
  { "append" = "RH-Firewall-1-INPUT"
    { "protocol" = "icmp" } { "icmp-type" = "any" } { "jump" = "ACCEPT" } }
(* One table from "*NAME" to "COMMIT". A user-defined chain is declared as
   ":NAME - [0:0]"; the lens records the literal "-" as its policy. The
   packet/byte counters in brackets and the COMMIT line are not represented
   in the tree. *)
test Iptables.table get
  ("*filter\n"
   . ":RH-Firewall-1-INPUT - [0:0]\n"
   . "-A FORWARD -j RH-Firewall-1-INPUT\n"
   . "-A RH-Firewall-1-INPUT -i lo -j ACCEPT\n"
   . "COMMIT\n") =
  { "table" = "filter"
    { "chain" = "RH-Firewall-1-INPUT" { "policy" = "-" } }
    { "append" = "FORWARD" { "jump" = "RH-Firewall-1-INPUT" } }
    { "append" = "RH-Firewall-1-INPUT"
      { "in-interface" = "lo" }
      { "jump" = "ACCEPT" } } }
(* Blank lines inside a table are kept as empty nodes, one per blank line,
   in their original position. *)
test Iptables.table get
  ("*filter\n\n"
   . ":RH-Firewall-1-INPUT - [0:0]\n\n"
   . "-A FORWARD -j RH-Firewall-1-INPUT\n\n"
   . "COMMIT\n") =
  { "table" = "filter"
    {}
    { "chain" = "RH-Firewall-1-INPUT" { "policy" = "-" } }
    {}
    { "append" = "FORWARD" { "jump" = "RH-Firewall-1-INPUT" } }
    {} }
(* A complete iptables-save dump with three tables (filter, mangle, nat),
   banner comments between tables, comments and blank lines between rules,
   both short and long command spellings, and a trailing " \t" after the
   --to-source value. Kept verbatim as a literal so that the whitespace the
   full-file test depends on is exactly what is shown here. *)
let conf = "# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
*filter
:INPUT DROP [1:229]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-I FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# comments and blank lines are allow between rules

-A FORWARD -i eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
--append OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Apr 24 10:19:55 2002
# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
*mangle
:PREROUTING ACCEPT [658:32445]

:INPUT ACCEPT [658:32445]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [891:68234]
:POSTROUTING ACCEPT [891:68234]
COMMIT
# Completed on Wed Apr 24 10:19:55 2002
# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
*nat
:PREROUTING ACCEPT [1:229]
:POSTROUTING ACCEPT [3:450]
# The output chain
:OUTPUT ACCEPT [3:450]
# insert something
--insert POSTROUTING -o eth0 -j SNAT --to-source 195.233.192.1 \t
# and now commit
COMMIT
# Completed on Wed Apr 24 10:19:55 2002\n"
(* Whole-file parse of the dump above. Each "# Generated"/"# Completed"
   banner is a top-level "#comment" node; every table is a "table" node whose
   children are the chain declarations (with their default policy), the
   rules, and comments and blank lines in file order. The chain policy is the
   only place the tree records whether a table is default-deny. The trailing
   " \t" after the --to-source value is not part of the stored value. *)
test Iptables.lns get conf =
  { "#comment" = "Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002" }
  { "table" = "filter"
      { "chain" = "INPUT"   { "policy" = "DROP" } }
      { "chain" = "FORWARD" { "policy" = "DROP" } }
      { "chain" = "OUTPUT"  { "policy" = "DROP" } }
      { "append" = "INPUT"
          { "match" = "state" } { "state" = "RELATED,ESTABLISHED" } { "jump" = "ACCEPT" } }
      { }
      { "insert" = "FORWARD"
          { "in-interface" = "eth0" }
          { "match" = "state" } { "state" = "RELATED,ESTABLISHED" } { "jump" = "ACCEPT" } }
      { }
      { "#comment" = "comments and blank lines are allow between rules" }
      { }
      { "append" = "FORWARD"
          { "in-interface" = "eth1" }
          { "match" = "state" } { "state" = "NEW,RELATED,ESTABLISHED" } { "jump" = "ACCEPT" } }
      { "append" = "OUTPUT"
          { "match" = "state" } { "state" = "NEW,RELATED,ESTABLISHED" } { "jump" = "ACCEPT" } } }
  { "#comment" = "Completed on Wed Apr 24 10:19:55 2002" }
  { "#comment" = "Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002" }
  { "table" = "mangle"
      { "chain" = "PREROUTING"  { "policy" = "ACCEPT" } }
      { }
      { "chain" = "INPUT"       { "policy" = "ACCEPT" } }
      { "chain" = "FORWARD"     { "policy" = "ACCEPT" } }
      { "chain" = "OUTPUT"      { "policy" = "ACCEPT" } }
      { "chain" = "POSTROUTING" { "policy" = "ACCEPT" } } }
  { "#comment" = "Completed on Wed Apr 24 10:19:55 2002" }
  { "#comment" = "Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002" }
  { "table" = "nat"
      { "chain" = "PREROUTING"  { "policy" = "ACCEPT" } }
      { "chain" = "POSTROUTING" { "policy" = "ACCEPT" } }
      { "#comment" = "The output chain" }
      { "chain" = "OUTPUT"      { "policy" = "ACCEPT" } }
      { "#comment" = "insert something" }
      { "insert" = "POSTROUTING"
          { "out-interface" = "eth0" }
          { "jump" = "SNAT" }
          { "to-source" = "195.233.192.1" } }
      { "#comment" = "and now commit" } }
  { "#comment" = "Completed on Wed Apr 24 10:19:55 2002" }
(* The argument of --comment is kept verbatim, including its surrounding
   double quotes; the lens does not unquote it. Anything that compares or
   displays the comment text has to strip the quotes itself. *)
test ipt_match get " -m comment --comment \"A comment\"" =
  { "match" = "comment" } { "comment" = "\"A comment\"" }
(*
 * Test the two ways in which iptables allows a parameter to be negated:
 * "! -d ADDR" (the "!" before the option) and "-d ! ADDR" (the "!" before
 * the argument).
 *
 * Note that the two spellings lead to two different trees that mean the
 * same thing: the first yields a "not" child under the option node and a
 * bare address as its value, the second keeps "! " as part of the value
 * and creates no "not" node. Anything that reads this tree to decide
 * whether a rule matches or excludes an address must handle both forms,
 * otherwise a negated rule is misread as a positive match.
 *)
(* Negation written before the option: the "!" becomes a "not" child and the
   option's value is the bare address. *)
test add_rule get "-I POSTROUTING ! -d 192.168.122.0/24 -j MASQUERADE\n" =
  { "insert" = "POSTROUTING"
    { "destination" = "192.168.122.0/24" { "not" } }
    { "jump" = "MASQUERADE" } }
(* Negation written before the argument: the "! " stays inside the value and
   no "not" node is created, so this form is invisible to code that only
   looks for a "not" child. *)
test add_rule get "-I POSTROUTING -d ! 192.168.122.0/24 -j MASQUERADE\n" =
  { "insert" = "POSTROUTING"
    { "destination" = "! 192.168.122.0/24" }
    { "jump" = "MASQUERADE" } }
(* Removing the "not" node drops the "!" from the emitted line, i.e. the
   rule goes from "every destination except 192.168.122.0/24" to "only
   192.168.122.0/24". A tree edit of a single child inverts the rule. *)
test add_rule put "-I POSTROUTING ! -d 192.168.122.0/24 -j MASQUERADE\n"
  after rm "/insert/destination/not" =
  "-I POSTROUTING -d 192.168.122.0/24 -j MASQUERADE\n"
(* Setting "not" on an option whose value already carries "! " produces a
   doubly negated option ("! -d ! ADDR"). The lens allows this syntactically;
   whether iptables itself accepts two negations on one option is not
   established here, so a put through this path may emit a line that
   iptables-restore rejects. Callers that add a "not" node should first check
   the value for a leading "! ". *)
test add_rule put "-I POSTROUTING -d ! 192.168.122.0/24 -j MASQUERADE\n"
  after clear "/insert/destination/not" =
  "-I POSTROUTING ! -d ! 192.168.122.0/24 -j MASQUERADE\n"
(* A chain declaration on its own; underscores are allowed in chain names and
   "-" is again recorded as the policy of a user-defined chain. *)
test Iptables.chain get ":tcp_packets - [0:0]\n" =
  { "chain" = "tcp_packets" { "policy" = "-" } }
(* Bug #157: --tcp-flags takes two comma-separated lists. The first (the
   mask) is split into one "mask" node per flag; the second, a single flag
   here, becomes a "set" node. *)
test ipt_match get " --tcp-flags SYN,RST,ACK,FIN SYN" =
  { "tcp-flags"
    { "mask" = "SYN" } { "mask" = "RST" } { "mask" = "ACK" } { "mask" = "FIN" }
    { "set" = "SYN" } }
(* Bug #224: the --icmpv6-type option is recognised and stored with its
   value. *)
test ipt_match get " --icmpv6-type neighbor-solicitation" =
  { "icmpv6-type" = "neighbor-solicitation" }