github.com/aporeto-inc/trireme-lib@v10.358.0+incompatible/controller/internal/supervisor/iptablesctrl/iptables_rhel6_test.go (about) 1 // +build rhel6 2 3 package iptablesctrl 4 5 import ( 6 "bytes" 7 "context" 8 "testing" 9 10 . "github.com/smartystreets/goconvey/convey" 11 "go.aporeto.io/enforcerd/trireme-lib/common" 12 "go.aporeto.io/enforcerd/trireme-lib/controller/constants" 13 provider "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/aclprovider" 14 "go.aporeto.io/enforcerd/trireme-lib/controller/runtime" 15 "go.aporeto.io/enforcerd/trireme-lib/policy" 16 "go.aporeto.io/enforcerd/trireme-lib/utils/portspec" 17 ) 18 19 var icmpAllow = testICMPAllow 20 21 func testICMPAllow() string { 22 panic("icmp implementation for rhel6 should not call this") 23 } 24 25 var ( 26 expectedGlobalMangleChainsV4 = map[string][]string{ 27 "TRI-Nfq-IN": { 28 "-j MARK --set-mark 67", 29 "-m mark --mark 67 -j NFQUEUE --queue-balance 0:3 --queue-bypass", 30 }, 31 "TRI-Nfq-OUT": { 32 "-j MARK --set-mark 0", 33 "-m mark --mark 0 -j NFQUEUE --queue-balance 0:3 --queue-bypass", 34 }, 35 "INPUT": { 36 "-m set ! --match-set TRI-v4-Excluded src -j TRI-Net", 37 }, 38 "OUTPUT": { 39 "-m set ! --match-set TRI-v4-Excluded dst -j TRI-App", 40 }, 41 42 "TRI-App": { 43 "-p udp --dport 53 -j ACCEPT", 44 "-m mark --mark 66 -j CONNMARK --set-mark 61167", 45 "-p tcp -m mark --mark 66 -j ACCEPT", 46 "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", 47 "-j TRI-Prx-App", 48 "-m connmark --mark 61167 -j ACCEPT", 49 "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", 50 "-m connmark --mark 61166 -p tcp ! 
--tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", 51 "-m connmark --mark 61166 -p udp -j ACCEPT", 52 "-m mark --mark 1073741922 -j ACCEPT", 53 "-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT", 54 "-j TRI-Pid-App", 55 "-j TRI-Svc-App", 56 "-j TRI-Hst-App", 57 }, 58 "TRI-Net": { 59 "-p udp --sport 53 -j ACCEPT", 60 "-j TRI-Prx-Net", 61 "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", 62 "-p tcp -m mark --mark 66 -j ACCEPT", 63 "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", 64 "-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", 65 "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", 66 "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", 67 "-m connmark --mark 61166 -p udp -j ACCEPT", 68 "-j TRI-Pid-Net", 69 "-j TRI-Svc-Net", 70 "-j TRI-Hst-Net"}, 71 "TRI-Pid-App": {}, 72 "TRI-Pid-Net": {}, 73 "TRI-Prx-App": { 74 "-m mark --mark 0x40 -j ACCEPT", 75 }, 76 "TRI-Prx-Net": { 77 "-m mark --mark 0x40 -j ACCEPT", 78 }, 79 "TRI-Hst-App": {}, 80 "TRI-Hst-Net": {}, 81 "TRI-Svc-App": {}, 82 "TRI-Svc-Net": {}, 83 } 84 85 expectedGlobalNATChainsV4 = map[string][]string{ 86 "PREROUTING": { 87 "-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v4-Excluded src -j TRI-Redir-Net", 88 }, 89 "OUTPUT": { 90 "-m set ! --match-set TRI-v4-Excluded dst -j TRI-Redir-App", 91 }, 92 "TRI-Redir-App": { 93 "-m mark --mark 0x40 -j ACCEPT", 94 }, 95 "TRI-Redir-Net": { 96 "-m mark --mark 0x40 -j ACCEPT", 97 }, 98 } 99 100 expectedMangleAfterPUInsertV4 = map[string][]string{ 101 "TRI-Nfq-IN": { 102 "-j MARK --set-mark 67", 103 "-m mark --mark 67 -j NFQUEUE --queue-balance 0:3 --queue-bypass", 104 }, 105 "TRI-Nfq-OUT": { 106 "-j MARK --set-mark 0", 107 "-m mark --mark 0 -j NFQUEUE --queue-balance 0:3 --queue-bypass", 108 }, 109 "INPUT": { 110 "-m set ! 
--match-set TRI-v4-Excluded src -j TRI-Net", 111 }, 112 "OUTPUT": { 113 "-m set ! --match-set TRI-v4-Excluded dst -j TRI-App", 114 }, 115 "TRI-App": { 116 "-p udp --dport 53 -j ACCEPT", 117 "-m mark --mark 66 -j CONNMARK --set-mark 61167", 118 "-p tcp -m mark --mark 66 -j ACCEPT", 119 "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", 120 "-j TRI-Prx-App", 121 "-m connmark --mark 61167 -j ACCEPT", 122 "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", 123 "-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", 124 "-m connmark --mark 61166 -p udp -j ACCEPT", 125 "-m mark --mark 1073741922 -j ACCEPT", 126 "-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT", 127 "-j TRI-Pid-App", 128 "-j TRI-Svc-App", 129 "-j TRI-Hst-App", 130 }, 131 "TRI-Net": { 132 "-p udp --sport 53 -j ACCEPT", 133 "-j TRI-Prx-Net", 134 "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", 135 "-p tcp -m mark --mark 66 -j ACCEPT", 136 "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", 137 "-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", 138 "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", 139 "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", 140 "-m connmark --mark 61166 -p udp -j ACCEPT", 141 "-j TRI-Pid-Net", 142 "-j TRI-Svc-Net", 143 "-j TRI-Hst-Net", 144 }, 145 "TRI-Pid-App": {}, 146 "TRI-Pid-Net": {}, 147 "TRI-Prx-App": { 148 "-m mark --mark 0x40 -j ACCEPT", 149 "-p tcp -m tcp --sport 0 -j ACCEPT", 150 "-p udp -m udp --sport 0 -j ACCEPT", 151 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -j ACCEPT", 152 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst dst,dst -m mark ! 
--mark 0x40 -j ACCEPT", 153 }, 154 "TRI-Prx-Net": { 155 "-m mark --mark 0x40 -j ACCEPT", 156 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst src,src -j ACCEPT", 157 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -m addrtype --src-type LOCAL -j ACCEPT", 158 "-p tcp -m tcp --dport 0 -j ACCEPT", 159 "-p udp -m udp --dport 0 -j ACCEPT", 160 }, 161 "TRI-Hst-App": {}, 162 "TRI-Hst-Net": {}, 163 "TRI-Svc-App": { 164 "-p icmp -m comment --comment Server-specific-chain -j MARK --set-mark 10", 165 "-p tcp -m multiport --source-ports 9000 -m comment --comment Server-specific-chain -j MARK --set-mark 10", 166 "-p tcp -m multiport --source-ports 9000 -m comment --comment Server-specific-chain -j TRI-App-pu1N7uS6--0", 167 "-p udp -m multiport --source-ports 5000 -m comment --comment Server-specific-chain -j MARK --set-mark 10", 168 "-p udp -m mark --mark 10 -m addrtype --src-type LOCAL -m addrtype --dst-type LOCAL -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:3", 169 "-m comment --comment traffic-same-pu -p udp -m mark --mark 10 -m addrtype --src-type LOCAL -m addrtype --dst-type LOCAL -j ACCEPT", 170 "-p udp -m multiport --source-ports 5000 -m comment --comment Server-specific-chain -j TRI-App-pu1N7uS6--0", 171 }, 172 "TRI-Svc-Net": { 173 "-p tcp -m multiport --destination-ports 9000 -m comment --comment Container-specific-chain -j TRI-Net-pu1N7uS6--0", 174 "-m comment --comment traffic-same-pu -p udp -m mark --mark 10 -m addrtype --src-type LOCAL -m addrtype --dst-type LOCAL -j ACCEPT", 175 "-p udp -m multiport --destination-ports 5000 -m comment --comment Container-specific-chain -j TRI-Net-pu1N7uS6--0", 176 }, 177 178 "TRI-Net-pu1N7uS6--0": { 179 "-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN", 180 "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= src -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", 181 "-p TCP -m set --match-set TRI-v4-ext-w5frVvhsnpU= src -m state 
--state NEW --match multiport --dports 80 -j DROP", 182 "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j CONNMARK --set-mark 61167", 183 "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j ACCEPT", 184 "-p icmp -j NFQUEUE --queue-balance 0:3", 185 "-p tcp -m set --match-set TRI-v4-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN", 186 "-p udp -m set --match-set TRI-v4-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN", 187 "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", 188 "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= src -j NFLOG --nflog-group 11 --nflog-prefix 913787369:123a:a3:6", 189 "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= src -j DROP", 190 "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= src -j NFLOG --nflog-group 11 --nflog-prefix 913787369:123a:a3:3", 191 "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= src -j ACCEPT", 192 "-s 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6", 193 "-s 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10", 194 "-s 0.0.0.0/0 -j DROP", 195 }, 196 "TRI-App-pu1N7uS6--0": { 197 "-p TCP -m set --match-set TRI-v4-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP", 198 "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j CONNMARK --set-mark 61167", 199 "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! 
--match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j ACCEPT", 200 "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= dst -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", 201 "-p icmp -j NFQUEUE --queue-balance 0:3", 202 "-m set --match-set TRI-v4-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT", 203 "-m set --match-set TRI-v4-TargetTCP dst -p tcp -j MARK --set-mark 40", 204 "-p udp -m set --match-set TRI-v4-TargetUDP dst -j MARK --set-mark 40", 205 "-m mark --mark 40 -j NFQUEUE --queue-balance 0:3 --queue-bypass", 206 "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", 207 "-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT", 208 "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= dst -j NFLOG --nflog-group 10 --nflog-prefix 913787369:123a:a3:rockstars _4090221238:6", 209 "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= dst -j DROP", 210 "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= dst -j NFLOG --nflog-group 10 --nflog-prefix 913787369:123a:a3:3", 211 "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= dst -j ACCEPT", 212 "-d 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6", 213 "-d 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10", 214 "-d 0.0.0.0/0 -j DROP", 215 }, 216 } 217 218 expectedNATAfterPUInsertV4 = map[string][]string{ 219 "PREROUTING": { 220 "-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v4-Excluded src -j TRI-Redir-Net", 221 }, 222 "OUTPUT": { 223 "-m set ! --match-set TRI-v4-Excluded dst -j TRI-Redir-App", 224 }, 225 "TRI-Redir-App": { 226 "-m mark --mark 0x40 -j ACCEPT", 227 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -m multiport --source-ports 9000 -j REDIRECT --to-ports 0", 228 "-p udp --dport 53 -m mark ! 
--mark 0x40 -j REDIRECT --to-ports 0", 229 }, 230 "TRI-Redir-Net": { 231 "-m mark --mark 0x40 -j ACCEPT", 232 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv dst -m mark ! --mark 0x40 -j REDIRECT --to-ports 0", 233 }, 234 "POSTROUTING": { 235 "-p udp -m addrtype --src-type LOCAL -m multiport --source-ports 5000 -j ACCEPT", 236 }, 237 } 238 239 expectedMangleAfterPUUpdateV4 = map[string][]string{ 240 "TRI-Nfq-IN": { 241 "-j MARK --set-mark 67", 242 "-m mark --mark 67 -j NFQUEUE --queue-balance 0:3 --queue-bypass", 243 }, 244 "TRI-Nfq-OUT": { 245 "-j MARK --set-mark 0", 246 "-m mark --mark 0 -j NFQUEUE --queue-balance 0:3 --queue-bypass", 247 }, 248 "INPUT": { 249 "-m set ! --match-set TRI-v4-Excluded src -j TRI-Net", 250 }, 251 "OUTPUT": { 252 "-m set ! --match-set TRI-v4-Excluded dst -j TRI-App", 253 }, 254 "TRI-App": { 255 "-p udp --dport 53 -j ACCEPT", 256 "-m mark --mark 66 -j CONNMARK --set-mark 61167", 257 "-p tcp -m mark --mark 66 -j ACCEPT", 258 "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", 259 "-j TRI-Prx-App", 260 "-m connmark --mark 61167 -j ACCEPT", 261 "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", 262 "-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", 263 "-m connmark --mark 61166 -p udp -j ACCEPT", 264 "-m mark --mark 1073741922 -j ACCEPT", 265 "-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT", 266 "-j TRI-Pid-App", 267 "-j TRI-Svc-App", 268 "-j TRI-Hst-App"}, 269 "TRI-Net": { 270 "-p udp --sport 53 -j ACCEPT", 271 "-j TRI-Prx-Net", 272 "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", 273 "-p tcp -m mark --mark 66 -j ACCEPT", 274 "-m connmark --mark 61167 -p tcp ! 
--tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", 275 "-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", 276 "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", 277 "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", 278 "-m connmark --mark 61166 -p udp -j ACCEPT", 279 "-j TRI-Pid-Net", 280 "-j TRI-Svc-Net", 281 "-j TRI-Hst-Net", 282 }, 283 "TRI-Pid-App": {}, 284 "TRI-Pid-Net": {}, 285 "TRI-Prx-App": { 286 "-m mark --mark 0x40 -j ACCEPT", 287 "-p tcp -m tcp --sport 0 -j ACCEPT", 288 "-p udp -m udp --sport 0 -j ACCEPT", 289 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -j ACCEPT", 290 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -j ACCEPT", 291 }, 292 "TRI-Prx-Net": { 293 "-m mark --mark 0x40 -j ACCEPT", 294 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst src,src -j ACCEPT", 295 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -m addrtype --src-type LOCAL -j ACCEPT", 296 "-p tcp -m tcp --dport 0 -j ACCEPT", 297 "-p udp -m udp --dport 0 -j ACCEPT", 298 }, 299 "TRI-Hst-App": {}, 300 "TRI-Hst-Net": {}, 301 "TRI-Svc-App": {}, 302 "TRI-Svc-Net": {}, 303 304 "TRI-Net-pu1N7uS6--1": { 305 "-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN", 306 "-p TCP -m set --match-set TRI-v4-ext-w5frVvhsnpU= src -m state --state NEW --match multiport --dports 80 -j DROP", 307 "-p icmp -j NFQUEUE --queue-balance 0:3", 308 "-p tcp -m set --match-set TRI-v4-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN", 309 "-p udp -m set --match-set TRI-v4-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN", 310 "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", 311 "-s 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6", 312 "-s 0.0.0.0/0 -m state ! 
--state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10", 313 "-s 0.0.0.0/0 -j DROP", 314 }, 315 316 "TRI-App-pu1N7uS6--1": { 317 "-p TCP -m set --match-set TRI-v4-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP", 318 "-p icmp -j NFQUEUE --queue-balance 0:3", 319 "-m set --match-set TRI-v4-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT", 320 "-m set --match-set TRI-v4-TargetTCP dst -p tcp -j MARK --set-mark 40", 321 "-p udp -m set --match-set TRI-v4-TargetUDP dst -j MARK --set-mark 40", 322 "-m mark --mark 40 -j NFQUEUE --queue-balance 0:3 --queue-bypass", 323 "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", 324 "-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT", 325 "-d 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6", 326 "-d 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10", 327 "-d 0.0.0.0/0 -j DROP", 328 }, 329 } 330 ) 331 332 func Test_Rhel6ConfigureRulesV4(t *testing.T) { 333 Convey("Given an iptables controller with a memory backend ", t, func() { 334 cfg := &runtime.Configuration{ 335 TCPTargetNetworks: []string{"0.0.0.0/0"}, 336 UDPTargetNetworks: []string{"10.0.0.0/8"}, 337 ExcludedNetworks: []string{"127.0.0.1"}, 338 } 339 340 commitFunc := func(buf *bytes.Buffer) error { 341 return nil 342 } 343 344 iptv4 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat", 345 "mangle"}) 346 So(iptv4, ShouldNotBeNil) 347 348 iptv6 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat", 349 "mangle"}) 350 So(iptv6, ShouldNotBeNil) 351 352 ips := &memoryIPSetProvider{sets: map[string]*memoryIPSet{}} 353 i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.None) 354 So(err, ShouldBeNil) 355 So(i, ShouldNotBeNil) 356 357 Convey("When I start 
the controller, I should get the right global chains and ipsets", func() { 358 ctx, cancel := context.WithCancel(context.Background()) 359 defer cancel() 360 err := i.Run(ctx) 361 i.SetTargetNetworks(cfg) // nolint 362 So(err, ShouldBeNil) 363 364 t := i.iptv4.impl.RetrieveTable() 365 So(t, ShouldNotBeNil) 366 So(len(t), ShouldEqual, 2) 367 So(t["mangle"], ShouldNotBeNil) 368 So(t["nat"], ShouldNotBeNil) 369 for chain, rules := range t["mangle"] { 370 So(expectedGlobalMangleChainsV4, ShouldContainKey, chain) 371 So(rules, ShouldResemble, expectedGlobalMangleChainsV4[chain]) 372 } 373 374 for chain, rules := range t["nat"] { 375 So(expectedGlobalNATChainsV4, ShouldContainKey, chain) 376 So(rules, ShouldResemble, expectedGlobalNATChainsV4[chain]) 377 } 378 379 Convey("When I configure a new set of rules, the ACLs must be correct", func() { 380 appACLs := policy.IPRuleList{ 381 policy.IPRule{ 382 Addresses: []string{"60.0.0.0/24"}, 383 Ports: nil, 384 Protocols: []string{constants.AllProtoString}, 385 Policy: &policy.FlowPolicy{ 386 Action: policy.Accept | policy.Log, 387 ServiceID: "a3", 388 PolicyID: "123a", 389 }, 390 }, 391 policy.IPRule{ 392 Addresses: []string{"30.0.0.0/24"}, 393 Ports: []string{"80"}, 394 Protocols: []string{"TCP"}, 395 Policy: &policy.FlowPolicy{ 396 Action: policy.Reject, 397 ServiceID: "s1", 398 PolicyID: "1", 399 }, 400 }, 401 policy.IPRule{ 402 Addresses: []string{"30.0.0.0/24"}, 403 Ports: []string{"443"}, 404 Protocols: []string{"UDP"}, 405 Policy: &policy.FlowPolicy{ 406 Action: policy.Accept, 407 ServiceID: "s2", 408 PolicyID: "2", 409 }, 410 }, 411 policy.IPRule{ 412 Addresses: []string{"50.0.0.0/24"}, 413 Ports: []string{}, 414 Protocols: []string{"icmp"}, 415 Policy: &policy.FlowPolicy{ 416 Action: policy.Accept, 417 ServiceID: "s3", 418 PolicyID: "3", 419 }, 420 }, 421 policy.IPRule{ 422 Addresses: []string{"60.0.0.0/24"}, 423 Ports: nil, 424 Protocols: []string{constants.AllProtoString}, 425 Policy: &policy.FlowPolicy{ 426 Action: 
policy.Reject | policy.Log, 427 ServiceID: "a3", 428 PolicyID: "123a", 429 RuleName: "rockstars forev", 430 }, 431 }, 432 } 433 netACLs := policy.IPRuleList{ 434 policy.IPRule{ 435 Addresses: []string{"60.0.0.0/24"}, 436 Ports: nil, 437 Protocols: []string{constants.AllProtoString}, 438 Policy: &policy.FlowPolicy{ 439 Action: policy.Accept | policy.Log, 440 ServiceID: "a3", 441 PolicyID: "123a", 442 }, 443 }, 444 policy.IPRule{ 445 Addresses: []string{"40.0.0.0/24"}, 446 Ports: []string{"80"}, 447 Protocols: []string{"TCP"}, 448 Policy: &policy.FlowPolicy{ 449 Action: policy.Reject, 450 ServiceID: "s3", 451 PolicyID: "1", 452 }, 453 }, 454 policy.IPRule{ 455 Addresses: []string{"40.0.0.0/24"}, 456 Ports: []string{"443"}, 457 Protocols: []string{"UDP"}, 458 Policy: &policy.FlowPolicy{ 459 Action: policy.Accept, 460 ServiceID: "s4", 461 PolicyID: "2", 462 }, 463 }, 464 policy.IPRule{ 465 Addresses: []string{"60.0.0.0/24"}, 466 Ports: nil, 467 Protocols: []string{constants.AllProtoString}, 468 Policy: &policy.FlowPolicy{ 469 Action: policy.Reject | policy.Log, 470 ServiceID: "a3", 471 PolicyID: "123a", 472 }, 473 }, 474 } 475 ipl := policy.ExtendedMap{} 476 policyrules := policy.NewPUPolicy( 477 "Context", 478 "/ns1", 479 policy.Police, 480 appACLs, 481 netACLs, 482 nil, 483 nil, 484 nil, 485 nil, 486 nil, 487 nil, 488 ipl, 489 0, 490 0, 491 nil, 492 nil, 493 []string{}, 494 policy.EnforcerMapping, 495 policy.Reject|policy.Log, 496 policy.Reject|policy.Log, 497 ) 498 puInfo := policy.NewPUInfo("Context", 499 //"/ns1", common.HostPU) 500 "/ns1", common.HostNetworkPU) 501 puInfo.Policy = policyrules 502 puInfo.Runtime.SetOptions(policy.OptionsType{ 503 CgroupMark: "10", 504 }) 505 506 udpPortSpec, err := portspec.NewPortSpecFromString("5000", nil) 507 So(err, ShouldBeNil) 508 tcpPortSpec, err := portspec.NewPortSpecFromString("9000", nil) 509 So(err, ShouldBeNil) 510 511 puInfo.Runtime.SetServices([]common.Service{ 512 { 513 Ports: udpPortSpec, 514 Protocol: 17, 515 }, 
516 { 517 Ports: tcpPortSpec, 518 Protocol: 6, 519 }, 520 }) 521 522 var iprules policy.IPRuleList 523 524 iprules = append(iprules, puInfo.Policy.ApplicationACLs()...) 525 iprules = append(iprules, puInfo.Policy.NetworkACLs()...) 526 i.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules) // nolint 527 err = i.iptv4.ConfigureRules(0, 528 "pu1", puInfo) 529 So(err, ShouldBeNil) 530 err = i.iptv4.ipsetmanager.AddPortToServerPortSet("pu1", 531 "8080") 532 So(err, ShouldBeNil) 533 t := i.iptv4.impl.RetrieveTable() 534 535 for chain, rules := range t["mangle"] { 536 So(expectedMangleAfterPUInsertV4, ShouldContainKey, chain) 537 So(rules, ShouldResemble, expectedMangleAfterPUInsertV4[chain]) 538 } 539 540 for chain, rules := range t["nat"] { 541 So(expectedNATAfterPUInsertV4, ShouldContainKey, chain) 542 So(rules, ShouldResemble, expectedNATAfterPUInsertV4[chain]) 543 } 544 545 Convey("When I update the policy, the update must result in correct state", func() { 546 appACLs := policy.IPRuleList{ 547 policy.IPRule{ 548 Addresses: []string{"30.0.0.0/24"}, 549 Ports: []string{"80"}, 550 Protocols: []string{"TCP"}, 551 Policy: &policy.FlowPolicy{ 552 Action: policy.Reject, 553 ServiceID: "s1", 554 PolicyID: "1", 555 }, 556 }, 557 } 558 netACLs := policy.IPRuleList{ 559 policy.IPRule{ 560 Addresses: []string{"40.0.0.0/24"}, 561 Ports: []string{"80"}, 562 Protocols: []string{"TCP"}, 563 Policy: &policy.FlowPolicy{ 564 Action: policy.Reject, 565 ServiceID: "s3", 566 PolicyID: "1", 567 }, 568 }, 569 } 570 ipl := policy.ExtendedMap{} 571 policyrules := policy.NewPUPolicy( 572 "Context", 573 "/ns1", 574 policy.Police, 575 appACLs, 576 netACLs, 577 nil, 578 nil, 579 nil, 580 nil, 581 nil, 582 nil, 583 ipl, 584 0, 585 0, 586 nil, 587 nil, 588 []string{}, 589 policy.EnforcerMapping, 590 policy.Reject|policy.Log, 591 policy.Reject|policy.Log, 592 ) 593 puInfoUpdated := policy.NewPUInfo("Context", 594 //"/ns1", common.HostPU) 595 "/ns1", common.HostNetworkPU) 596 puInfoUpdated.Policy 
= policyrules 597 puInfoUpdated.Runtime.SetOptions(policy.OptionsType{ 598 CgroupMark: "10", 599 }) 600 601 var iprules policy.IPRuleList 602 603 iprules = append(iprules, puInfoUpdated.Policy.ApplicationACLs()...) 604 iprules = append(iprules, puInfoUpdated.Policy.NetworkACLs()...) 605 606 i.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules) // nolint 607 608 err := i.iptv4.UpdateRules(1, 609 "pu1", puInfoUpdated, puInfo) 610 So(err, ShouldBeNil) 611 612 i.iptv4.ipsetmanager.DestroyUnusedIPsets() 613 614 t := i.iptv4.impl.RetrieveTable() 615 for chain, rules := range t["mangle"] { 616 So(expectedMangleAfterPUUpdateV4, ShouldContainKey, chain) 617 So(rules, ShouldResemble, expectedMangleAfterPUUpdateV4[chain]) 618 } 619 620 Convey("When I delete the same rule, the chains must be restored in the global state", func() { 621 err = i.iptv4.ipsetmanager.DeletePortFromServerPortSet("pu1", 622 "8080") 623 err := i.iptv4.DeleteRules(1, 624 "pu1", 625 "0", 626 "5000", 627 "10", 628 "", puInfoUpdated) 629 i.iptv4.ipsetmanager.RemoveExternalNets("pu1") 630 So(err, ShouldBeNil) 631 So(err, ShouldBeNil) 632 t := i.iptv4.impl.RetrieveTable() 633 So(t["mangle"], ShouldNotBeNil) 634 So(t["nat"], ShouldNotBeNil) 635 for chain, rules := range t["mangle"] { 636 So(expectedGlobalMangleChainsV4, ShouldContainKey, chain) 637 So(rules, ShouldResemble, expectedGlobalMangleChainsV4[chain]) 638 } 639 640 for chain, rules := range t["nat"] { 641 if len(rules) > 0 { 642 So(expectedGlobalNATChainsV4, ShouldContainKey, chain) 643 So(rules, ShouldResemble, expectedGlobalNATChainsV4[chain]) 644 } 645 } 646 }) 647 }) 648 }) 649 }) 650 }) 651 } 652 653 var ( 654 expectedGlobalMangleChainsV6 = map[string][]string{ 655 "TRI-Nfq-IN": { 656 "-j MARK --set-mark 67", 657 "-m mark --mark 67 -j NFQUEUE --queue-balance 0:3 --queue-bypass", 658 }, 659 "TRI-Nfq-OUT": { 660 "-j MARK --set-mark 0", 661 "-m mark --mark 0 -j NFQUEUE --queue-balance 0:3 --queue-bypass", 662 }, 663 "INPUT": { 664 "-m set ! 
--match-set TRI-v6-Excluded src -j TRI-Net", 665 }, 666 "OUTPUT": { 667 "-m set ! --match-set TRI-v6-Excluded dst -j TRI-App", 668 }, 669 "TRI-App": { 670 "-p udp --dport 53 -j ACCEPT", 671 "-m mark --mark 66 -j CONNMARK --set-mark 61167", 672 "-p tcp -m mark --mark 66 -j ACCEPT", 673 "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", 674 "-j TRI-Prx-App", 675 "-m connmark --mark 61167 -j ACCEPT", 676 "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", 677 "-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", 678 "-m connmark --mark 61166 -p udp -j ACCEPT", 679 "-m mark --mark 1073741922 -j ACCEPT", 680 "-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT", 681 "-j TRI-Pid-App", 682 "-j TRI-Svc-App", 683 "-j TRI-Hst-App", 684 }, 685 "TRI-Net": { 686 "-p udp --sport 53 -j ACCEPT", 687 "-j TRI-Prx-Net", 688 "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", 689 "-p tcp -m mark --mark 66 -j ACCEPT", 690 "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", 691 "-m set --match-set TRI-v6-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", 692 "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", 693 "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", 694 "-m connmark --mark 61166 -p udp -j ACCEPT", 695 "-j TRI-Pid-Net", 696 "-j TRI-Svc-Net", 697 "-j TRI-Hst-Net", 698 }, 699 "TRI-Pid-App": {}, 700 "TRI-Pid-Net": {}, 701 "TRI-Prx-App": { 702 "-m mark --mark 0x40 -j ACCEPT", 703 }, 704 "TRI-Prx-Net": { 705 "-m mark --mark 0x40 -j ACCEPT", 706 }, 707 "TRI-Hst-App": {}, 708 "TRI-Hst-Net": {}, 709 "TRI-Svc-App": {}, 710 "TRI-Svc-Net": {}, 711 } 712 713 expectedGlobalNATChainsV6 = map[string][]string{ 714 "PREROUTING": { 715 "-p tcp -m addrtype --dst-type LOCAL -m set ! 
--match-set TRI-v6-Excluded src -j TRI-Redir-Net", 716 }, 717 "OUTPUT": { 718 "-m set ! --match-set TRI-v6-Excluded dst -j TRI-Redir-App", 719 }, 720 "TRI-Redir-App": { 721 "-m mark --mark 0x40 -j ACCEPT", 722 }, 723 "TRI-Redir-Net": { 724 "-m mark --mark 0x40 -j ACCEPT", 725 }, 726 } 727 728 expectedMangleAfterPUInsertV6 = map[string][]string{ 729 "TRI-Nfq-IN": { 730 "-j MARK --set-mark 67", 731 "-m mark --mark 67 -j NFQUEUE --queue-balance 0:3 --queue-bypass", 732 }, 733 "TRI-Nfq-OUT": { 734 "-j MARK --set-mark 0", 735 "-m mark --mark 0 -j NFQUEUE --queue-balance 0:3 --queue-bypass", 736 }, 737 "INPUT": { 738 "-m set ! --match-set TRI-v6-Excluded src -j TRI-Net", 739 }, 740 "OUTPUT": { 741 "-m set ! --match-set TRI-v6-Excluded dst -j TRI-App", 742 }, 743 "TRI-App": { 744 "-p udp --dport 53 -j ACCEPT", 745 "-m mark --mark 66 -j CONNMARK --set-mark 61167", 746 "-p tcp -m mark --mark 66 -j ACCEPT", 747 "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", 748 "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", 749 "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", 750 "-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", 751 "-m connmark --mark 61166 -p udp -j ACCEPT", 752 "-m mark --mark 1073741922 -j ACCEPT", 753 "-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT", 754 "-j TRI-Pid-App", 755 "-j TRI-Svc-App", 756 "-j TRI-Hst-App", 757 }, 758 "TRI-Net": { 759 "-p udp --sport 53 -j ACCEPT", 760 "-j TRI-Prx-Net", 761 "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", 762 "-p tcp -m mark --mark 66 -j ACCEPT", 763 "-m connmark --mark 61167 -p tcp ! 
--tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", 764 "-m set --match-set TRI-v6-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", 765 "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", 766 "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", 767 "-m connmark --mark 61166 -p udp -j ACCEPT", 768 "-j TRI-Pid-Net", 769 "-j TRI-Svc-Net", 770 "-j TRI-Hst-Net", 771 }, 772 "TRI-Pid-App": {}, 773 "TRI-Pid-Net": {}, 774 "TRI-Prx-App": { 775 "-m mark --mark 0x40 -j ACCEPT", 776 "-p tcp -m tcp --sport 0 -j ACCEPT", 777 "-p udp -m udp --sport 0 -j ACCEPT", 778 "-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-srv src -j ACCEPT", 779 "-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -j ACCEPT", 780 }, 781 "TRI-Prx-Net": { 782 "-m mark --mark 0x40 -j ACCEPT", 783 "-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-dst src,src -j ACCEPT", 784 "-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-srv src -m addrtype --src-type LOCAL -j ACCEPT", 785 "-p tcp -m tcp --dport 0 -j ACCEPT", 786 "-p udp -m udp --dport 0 -j ACCEPT", 787 }, 788 "TRI-Hst-App": {}, 789 "TRI-Hst-Net": {}, 790 "TRI-Svc-App": { 791 "-p icmp -m comment --comment Server-specific-chain -j MARK --set-mark 10", 792 "-p tcp -m multiport --source-ports 9000 -m comment --comment Server-specific-chain -j MARK --set-mark 10", 793 "-p tcp -m multiport --source-ports 9000 -m comment --comment Server-specific-chain -j TRI-App-pu1N7uS6--0", 794 "-p udp -m multiport --source-ports 5000 -m comment --comment Server-specific-chain -j MARK --set-mark 10", 795 "-p udp -m mark --mark 10 -m addrtype --src-type LOCAL -m addrtype --dst-type LOCAL -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:3", 796 "-m comment --comment traffic-same-pu -p udp -m mark --mark 10 -m addrtype --src-type LOCAL -m addrtype --dst-type LOCAL -j ACCEPT", 797 "-p udp -m multiport --source-ports 5000 
-m comment --comment Server-specific-chain -j TRI-App-pu1N7uS6--0", 798 }, 799 "TRI-Svc-Net": { 800 "-p tcp -m multiport --destination-ports 9000 -m comment --comment Container-specific-chain -j TRI-Net-pu1N7uS6--0", 801 "-m comment --comment traffic-same-pu -p udp -m mark --mark 10 -m addrtype --src-type LOCAL -m addrtype --dst-type LOCAL -j ACCEPT", 802 "-p udp -m multiport --destination-ports 5000 -m comment --comment Container-specific-chain -j TRI-Net-pu1N7uS6--0", 803 }, 804 805 "TRI-Net-pu1N7uS6--0": { 806 "-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN", 807 "-p UDP -m set --match-set TRI-v6-ext-6zlJIvP3B68= src -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", 808 "-p TCP -m set --match-set TRI-v6-ext-w5frVvhsnpU= src -m state --state NEW --match multiport --dports 80 -j DROP", 809 "-p UDP -m set --match-set TRI-v6-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j CONNMARK --set-mark 61167", 810 "-p UDP -m set --match-set TRI-v6-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j ACCEPT", 811 "-p icmp -j NFQUEUE --queue-balance 0:3", 812 "-p tcp -m set --match-set TRI-v6-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN", 813 "-p udp -m set --match-set TRI-v6-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN", 814 "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", 815 "-s ::/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6", 816 "-s ::/0 -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10", 817 "-s ::/0 -j DROP", 818 }, 819 "TRI-App-pu1N7uS6--0": { 820 "-p TCP -m set --match-set TRI-v6-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP", 821 "-p UDP -m set --match-set TRI-v6-ext-6zlJIvP3B68= dst -m string ! 
--string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v6-TargetUDP dst --match multiport --dports 443 -j CONNMARK --set-mark 61167", 822 "-p UDP -m set --match-set TRI-v6-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v6-TargetUDP dst --match multiport --dports 443 -j ACCEPT", 823 "-p icmpv6 -m set --match-set TRI-v6-ext-w5frVvhsnpU= dst -j ACCEPT", 824 "-p UDP -m set --match-set TRI-v6-ext-IuSLsD1R-mE= dst -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", 825 "-p icmp -j NFQUEUE --queue-balance 0:3", 826 "-m set --match-set TRI-v6-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT", 827 "-m set --match-set TRI-v6-TargetTCP dst -p tcp -j MARK --set-mark 40", 828 "-p udp -m set --match-set TRI-v6-TargetUDP dst -j MARK --set-mark 40", 829 "-m mark --mark 40 -j NFQUEUE --queue-balance 0:3 --queue-bypass", 830 "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", 831 "-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT", 832 "-d ::/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6", 833 "-d ::/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10", 834 "-d ::/0 -j DROP", 835 }, 836 } 837 838 expectedNATAfterPUInsertV6 = map[string][]string{ 839 "PREROUTING": { 840 "-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v6-Excluded src -j TRI-Redir-Net", 841 }, 842 "OUTPUT": { 843 "-m set ! --match-set TRI-v6-Excluded dst -j TRI-Redir-App", 844 }, 845 "TRI-Redir-App": { 846 "-m mark --mark 0x40 -j ACCEPT", 847 "-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -m multiport --source-ports 9000 -j REDIRECT --to-ports 0", 848 "-p udp --dport 53 -m mark ! 
--mark 0x40 -j REDIRECT --to-ports 0", 849 }, 850 "TRI-Redir-Net": { 851 "-m mark --mark 0x40 -j ACCEPT", 852 "-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-srv dst -m mark ! --mark 0x40 -j REDIRECT --to-ports 0", 853 }, 854 "POSTROUTING": { 855 "-p udp -m addrtype --src-type LOCAL -m multiport --source-ports 5000 -j ACCEPT", 856 }, 857 } 858 859 expectedMangleAfterPUUpdateV6 = map[string][]string{ 860 "TRI-Nfq-IN": { 861 "-j MARK --set-mark 67", 862 "-m mark --mark 67 -j NFQUEUE --queue-balance 0:3 --queue-bypass", 863 }, 864 "TRI-Nfq-OUT": { 865 "-j MARK --set-mark 0", 866 "-m mark --mark 0 -j NFQUEUE --queue-balance 0:3 --queue-bypass", 867 }, 868 "INPUT": { 869 "-m set ! --match-set TRI-v6-Excluded src -j TRI-Net", 870 }, 871 "OUTPUT": { 872 "-m set ! --match-set TRI-v6-Excluded dst -j TRI-App", 873 }, 874 "TRI-App": { 875 "-p udp --dport 53 -j ACCEPT", 876 "-m mark --mark 66 -j CONNMARK --set-mark 61167", 877 "-p tcp -m mark --mark 66 -j ACCEPT", 878 "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", 879 "-j TRI-Prx-App", 880 "-m connmark --mark 61167 -j ACCEPT", 881 "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", 882 "-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", 883 "-m connmark --mark 61166 -p udp -j ACCEPT", 884 "-m mark --mark 1073741922 -j ACCEPT", 885 "-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT", 886 "-j TRI-Pid-App", 887 "-j TRI-Svc-App", 888 "-j TRI-Hst-App", 889 }, 890 "TRI-Net": { 891 "-p udp --sport 53 -j ACCEPT", 892 "-j TRI-Prx-Net", 893 "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", 894 "-p tcp -m mark --mark 66 -j ACCEPT", 895 "-m connmark --mark 61167 -p tcp ! 
--tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", 896 "-m set --match-set TRI-v6-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", 897 "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", 898 "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", 899 "-m connmark --mark 61166 -p udp -j ACCEPT", 900 "-j TRI-Pid-Net", 901 "-j TRI-Svc-Net", 902 "-j TRI-Hst-Net", 903 }, 904 "TRI-Pid-App": {}, 905 "TRI-Pid-Net": {}, 906 "TRI-Prx-App": { 907 "-m mark --mark 0x40 -j ACCEPT", 908 "-p tcp -m tcp --sport 0 -j ACCEPT", 909 "-p udp -m udp --sport 0 -j ACCEPT", 910 "-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-srv src -j ACCEPT", 911 "-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -j ACCEPT", 912 }, 913 "TRI-Prx-Net": { 914 "-m mark --mark 0x40 -j ACCEPT", 915 "-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-dst src,src -j ACCEPT", 916 "-p tcp -m set --match-set TRI-v6-Proxy-pu19gtV-srv src -m addrtype --src-type LOCAL -j ACCEPT", 917 "-p tcp -m tcp --dport 0 -j ACCEPT", 918 "-p udp -m udp --dport 0 -j ACCEPT", 919 }, 920 "TRI-Hst-App": {}, 921 "TRI-Hst-Net": {}, 922 "TRI-Svc-App": {}, 923 "TRI-Svc-Net": {}, 924 925 "TRI-Net-pu1N7uS6--1": { 926 "-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN", 927 "-p TCP -m set --match-set TRI-v6-ext-w5frVvhsnpU= src -m state --state NEW --match multiport --dports 80 -j DROP", 928 "-p icmp -j NFQUEUE --queue-balance 0:3", 929 "-p tcp -m set --match-set TRI-v6-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN", 930 "-p udp -m set --match-set TRI-v6-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN", 931 "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", 932 "-s ::/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6", 933 "-s ::/0 -m state ! 
--state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10",
			"-s ::/0 -j DROP",
		},
		"TRI-App-pu1N7uS6--1": {
			"-p TCP -m set --match-set TRI-v6-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP",
			"-p icmp -j NFQUEUE --queue-balance 0:3",
			"-m set --match-set TRI-v6-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT",
			"-m set --match-set TRI-v6-TargetTCP dst -p tcp -j MARK --set-mark 40",
			"-p udp -m set --match-set TRI-v6-TargetUDP dst -j MARK --set-mark 40",
			"-m mark --mark 40 -j NFQUEUE --queue-balance 0:3 --queue-bypass",
			"-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT",
			"-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT",
			"-d ::/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6",
			"-d ::/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10",
			"-d ::/0 -j DROP",
		},
	}
)

// rhel6V6ACL builds one ACL entry for the IPv6 tests below: a single
// network, a single port and a single protocol, with the verdict, service
// id and policy id packed into the rule's FlowPolicy.
func rhel6V6ACL(network, port, proto string, action policy.ActionType, serviceID, policyID string) policy.IPRule {
	return policy.IPRule{
		Addresses: []string{network},
		Ports:     []string{port},
		Protocols: []string{proto},
		Policy: &policy.FlowPolicy{
			Action:    action,
			ServiceID: serviceID,
			PolicyID:  policyID,
		},
	}
}

// rhel6V6PUInfo wraps appACLs and netACLs in a host-network PU named
// "Context" in namespace "/ns1". The PU policy is a Police policy whose
// default application and network actions are Reject|Log; every other
// policy field is left empty. The runtime carries cgroup mark "10".
func rhel6V6PUInfo(appACLs, netACLs policy.IPRuleList) *policy.PUInfo {
	pu := policy.NewPUInfo("Context", "/ns1", common.HostNetworkPU)
	pu.Policy = policy.NewPUPolicy(
		"Context",
		"/ns1",
		policy.Police,
		appACLs,
		netACLs,
		nil, nil, nil, nil, nil, nil,
		policy.ExtendedMap{},
		0, 0,
		nil, nil,
		[]string{},
		policy.EnforcerMapping,
		policy.Reject|policy.Log,
		policy.Reject|policy.Log,
	)
	pu.Runtime.SetOptions(policy.OptionsType{
		CgroupMark: "10",
	})
	return pu
}

// rhel6V6ChainsResemble checks every chain present in got against want:
// the chain name must be a key of want and its rule list must match the
// expected rules exactly. With skipEmpty set, chains in got that hold no
// rules are not compared.
//
// NOTE(review): the walk is over got, so a chain that is listed in want
// but absent from the retrieved table is not reported by these checks.
func rhel6V6ChainsResemble(got, want map[string][]string, skipEmpty bool) {
	for chain, rules := range got {
		if skipEmpty && len(rules) == 0 {
			continue
		}
		So(want, ShouldContainKey, chain)
		So(rules, ShouldResemble, want[chain])
	}
}

// Test_Rhel6ConfigureRulesV6 drives the IPv6 side of the rhel6 iptables
// controller against an in-memory backend through a full life cycle:
// Run + SetTargetNetworks, ConfigureRules for "pu1", UpdateRules to a
// narrower policy, and DeleteRules. After each step the mangle table
// (and, where the step touches it, the nat table) retrieved from iptv6 is
// compared with the expected* maps declared above.
func Test_Rhel6ConfigureRulesV6(t *testing.T) {
	Convey("Given an iptables controller with a memory backend ", t, func() {
		cfg := &runtime.Configuration{
			TCPTargetNetworks: []string{"::/0"},
			UDPTargetNetworks: []string{"1120::/64"},
			ExcludedNetworks:  []string{"::1"},
		}

		// Nothing reaches a kernel: the batch provider's commit step is a
		// no-op and the programmed state is inspected through RetrieveTable.
		noCommit := func(*bytes.Buffer) error {
			return nil
		}

		iptv4 := provider.NewCustomBatchProvider(&baseIpt{}, noCommit, []string{"nat", "mangle"})
		So(iptv4, ShouldNotBeNil)

		iptv6 := provider.NewCustomBatchProvider(&baseIpt{}, noCommit, []string{"nat", "mangle"})
		So(iptv6, ShouldNotBeNil)

		ips := &memoryIPSetProvider{sets: map[string]*memoryIPSet{}}
		i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.None)
		So(err, ShouldBeNil)
		So(i, ShouldNotBeNil)

		Convey("When I start the controller, I should get the right global chains and ipsets", func() {
			ctx, cancel := context.WithCancel(context.Background())
			defer cancel()
			runErr := i.Run(ctx)
			// The SetTargetNetworks error is deliberately not asserted here
			// (nolint), matching the original test's intent.
			i.SetTargetNetworks(cfg) // nolint
			So(runErr, ShouldBeNil)

			tbl := i.iptv6.impl.RetrieveTable()
			So(tbl, ShouldNotBeNil)
			So(len(tbl), ShouldEqual, 2)
			So(tbl["mangle"], ShouldNotBeNil)
			So(tbl["nat"], ShouldNotBeNil)

			rhel6V6ChainsResemble(tbl["mangle"], expectedGlobalMangleChainsV6, false)
			rhel6V6ChainsResemble(tbl["nat"], expectedGlobalNATChainsV6, false)

			Convey("When I configure a new set of rules, the ACLs must be correct", func() {
				appACLs := policy.IPRuleList{
					rhel6V6ACL("1120::/64", "80", "TCP", policy.Reject, "s1", "1"),
					rhel6V6ACL("1120::/64", "443", "UDP", policy.Accept, "s2", "2"),
					rhel6V6ACL("1122::/64", "443", "icmpv6", policy.Accept, "s3", "3"),
					rhel6V6ACL("40.0.0.0/24", "443", "icmp", policy.Accept, "s3", "3"),
				}
				netACLs := policy.IPRuleList{
					rhel6V6ACL("1122::/64", "80", "TCP", policy.Reject, "s3", "1"),
					rhel6V6ACL("1122::/64", "443", "UDP", policy.Accept, "s4", "2"),
				}
				puInfo := rhel6V6PUInfo(appACLs, netACLs)

				udpPortSpec, err := portspec.NewPortSpecFromString("5000", nil)
				So(err, ShouldBeNil)
				tcpPortSpec, err := portspec.NewPortSpecFromString("9000", nil)
				So(err, ShouldBeNil)

				puInfo.Runtime.SetServices([]common.Service{
					{Ports: udpPortSpec, Protocol: 17}, // UDP
					{Ports: tcpPortSpec, Protocol: 6},  // TCP
				})

				// The app and net ACL networks are handed to the ipset manager
				// before ConfigureRules; the expected chains reference them as
				// TRI-v6-ext-* sets. Its error is not asserted (nolint).
				var extNets policy.IPRuleList
				extNets = append(extNets, puInfo.Policy.ApplicationACLs()...)
				extNets = append(extNets, puInfo.Policy.NetworkACLs()...)
				i.iptv6.ipsetmanager.RegisterExternalNets("pu1", extNets) // nolint

				So(i.ConfigureRules(0, "pu1", puInfo), ShouldBeNil)

				tbl := i.iptv6.impl.RetrieveTable()
				rhel6V6ChainsResemble(tbl["mangle"], expectedMangleAfterPUInsertV6, false)
				rhel6V6ChainsResemble(tbl["nat"], expectedNATAfterPUInsertV6, false)

				Convey("When I update the policy, the update must result in correct state", func() {
					// Narrower policy: one TCP reject on each side, no services.
					puInfoUpdated := rhel6V6PUInfo(
						policy.IPRuleList{rhel6V6ACL("1120::/64", "80", "TCP", policy.Reject, "s1", "1")},
						policy.IPRuleList{rhel6V6ACL("1122::/64", "80", "TCP", policy.Reject, "s3", "1")},
					)

					// Version 1 supersedes the version-0 chains programmed above;
					// the previous puInfo is passed alongside the new one.
					So(i.UpdateRules(1, "pu1", puInfoUpdated, puInfo), ShouldBeNil)

					tbl := i.iptv6.impl.RetrieveTable()
					rhel6V6ChainsResemble(tbl["mangle"], expectedMangleAfterPUUpdateV6, false)

					Convey("When I delete the same rule, the chains must be restored in the global state", func() {
						// Positional arguments follow DeleteRules' signature (not
						// visible here); "5000" and "10" match the UDP service port
						// and the CgroupMark used when the PU was configured.
						So(i.DeleteRules(1, "pu1", "0", "5000", "10", "", puInfoUpdated), ShouldBeNil)

						tbl := i.iptv6.impl.RetrieveTable()
						So(tbl["mangle"], ShouldNotBeNil)
						So(tbl["nat"], ShouldNotBeNil)

						rhel6V6ChainsResemble(tbl["mangle"], expectedGlobalMangleChainsV6, false)
						// Empty nat chains left behind by the delete are not held
						// against the global baseline.
						rhel6V6ChainsResemble(tbl["nat"], expectedGlobalNATChainsV6, true)
					})
				})
			})
		})
	})
}