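/*
 * Copyright (C) 2019 The "MysteriumNetwork/node" Authors.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

package firewall

import (
	"net"
	"testing"

	"github.com/mysteriumnetwork/node/firewall/ipset"
	"github.com/mysteriumnetwork/node/firewall/iptables"
	"github.com/stretchr/testify/assert"
)

// stubExec routes ipset and iptables invocations through the given mocks for
// the duration of the test and restores the original package-level hooks when
// the test finishes. Without the restore, a stubbed hook would leak into every
// later test in the package (and into any test that expects the real binaries),
// making failures order-dependent. A nil mock leaves that hook untouched.
func stubExec(t *testing.T, ipsetMock *ipsetExecMock, iptablesMock *iptablesExecMock) {
	t.Helper()
	origIpset, origIptables := ipset.Exec, iptables.Exec
	if ipsetMock != nil {
		ipset.Exec = ipsetMock.Exec
	}
	if iptablesMock != nil {
		iptables.Exec = iptablesMock.Exec
	}
	t.Cleanup(func() {
		ipset.Exec = origIpset
		iptables.Exec = origIptables
	})
}

// Test_incomingFirewallIptables_Setup checks that Setup creates the whitelist
// ipset and the MYST_PROVIDER_FIREWALL chain whose last rule rejects anything
// not matched by the whitelist.
func Test_incomingFirewallIptables_Setup(t *testing.T) {
	mockedIpset := ipsetExecMock{
		mocks: map[string]ipsetExecResult{
			"--version": {
				output: []string{
					"ipset v7.2, protocol version: 7",
					"Warning: Kernel support protocol versions 6-6 while userspace supports protocol versions 6-7",
				},
			},
			"-S FORWARD": {
				output: []string{"-P FORWARD ACCEPT"},
			},
		},
	}
	mockedIptables := iptablesExecMock{
		mocks: map[string]iptablesExecResult{},
	}
	stubExec(t, &mockedIpset, &mockedIptables)

	fw := &incomingFirewallIptables{}
	err := fw.Setup()
	assert.NoError(t, err)
	assert.True(t, mockedIpset.VerifyCalledWithArgs("version"))
	assert.True(t, mockedIpset.VerifyCalledWithArgs("create myst-provider-dst-whitelist hash:ip --timeout 86400"))
	assert.True(t, mockedIptables.VerifyCalledWithArgs("-N MYST_PROVIDER_FIREWALL"))
	assert.True(t, mockedIptables.VerifyCalledWithArgs("-A MYST_PROVIDER_FIREWALL -m set --match-set myst-provider-dst-whitelist dst -j ACCEPT"))
	// The chain must end in an explicit REJECT so unmatched traffic never
	// falls through to the default policy.
	assert.True(t, mockedIptables.VerifyCalledWithArgs("-A MYST_PROVIDER_FIREWALL -j REJECT"))
}

// Test_incomingFirewallIptables_Teardown checks the clean case: the chain is
// flushed and deleted and the whitelist ipset is destroyed.
func Test_incomingFirewallIptables_Teardown(t *testing.T) {
	mockedIpset := ipsetExecMock{
		mocks: map[string]ipsetExecResult{},
	}
	mockedIptables := iptablesExecMock{
		mocks: map[string]iptablesExecResult{
			"-S FORWARD": {
				output: []string{
					"-P FORWARD ACCEPT",
				},
			},
		},
	}
	stubExec(t, &mockedIpset, &mockedIptables)

	fw := &incomingFirewallIptables{}
	fw.Teardown()
	assert.True(t, mockedIpset.VerifyCalledWithArgs("destroy myst-provider-dst-whitelist"))
	assert.True(t, mockedIptables.VerifyCalledWithArgs("-F MYST_PROVIDER_FIREWALL"))
	assert.True(t, mockedIptables.VerifyCalledWithArgs("-X MYST_PROVIDER_FIREWALL"))
}

// Test_incomingFirewallIptables_TeardownIfPreviousCleanupFailed simulates a
// host where an earlier run left a FORWARD jump and a populated chain behind,
// and checks that Teardown removes the jump before flushing and deleting the
// chain (iptables refuses to delete a chain that is still referenced).
func Test_incomingFirewallIptables_TeardownIfPreviousCleanupFailed(t *testing.T) {
	mockedIpset := ipsetExecMock{
		mocks: map[string]ipsetExecResult{},
	}
	mockedIptables := iptablesExecMock{
		mocks: map[string]iptablesExecResult{
			"-S FORWARD": {
				output: []string{
					"-P FORWARD ACCEPT",
					// leftover - DNS firewall is still enabled
					"-A FORWARD -s 10.8.0.1/24 -j MYST_PROVIDER_FIREWALL",
				},
			},
			// DNS fw chain still exists
			"-S MYST_PROVIDER_FIREWALL": {
				output: []string{
					// with some allowed ips
					"-N MYST_PROVIDER_FIREWALL",
					"-A MYST_PROVIDER_FIREWALL -m set --match-set myst-provider-dst-whitelist dst -j ACCEPT",
					"-A MYST_PROVIDER_FIREWALL -j REJECT --reject-with icmp-port-unreachable",
				},
			},
		},
	}
	stubExec(t, &mockedIpset, &mockedIptables)

	fw := &incomingFirewallIptables{}
	fw.Teardown()
	assert.True(t, mockedIpset.VerifyCalledWithArgs("destroy myst-provider-dst-whitelist"))
	assert.True(t, mockedIptables.VerifyCalledWithArgs("-D FORWARD -s 10.8.0.1/24 -j MYST_PROVIDER_FIREWALL"))
	assert.True(t, mockedIptables.VerifyCalledWithArgs("-F MYST_PROVIDER_FIREWALL"))
	assert.True(t, mockedIptables.VerifyCalledWithArgs("-X MYST_PROVIDER_FIREWALL"))
}

// Test_incomingFirewallIptables_BlockIncomingTraffic checks that blocking a
// network installs a FORWARD jump for the normalised network address (the
// host bits of 10.8.0.1/24 are dropped) and that the returned func removes
// exactly that rule again.
func Test_incomingFirewallIptables_BlockIncomingTraffic(t *testing.T) {
	mockedIptables := iptablesExecMock{
		mocks: map[string]iptablesExecResult{},
	}
	stubExec(t, nil, &mockedIptables)

	fw := &incomingFirewallIptables{}

	_, network, err := net.ParseCIDR("10.8.0.1/24")
	if err != nil {
		// A malformed fixture would otherwise surface as a nil dereference
		// below instead of a readable failure.
		t.Fatalf("parsing test CIDR: %v", err)
	}
	removeRule, err := fw.BlockIncomingTraffic(*network)
	assert.NoError(t, err)
	assert.True(t, mockedIptables.VerifyCalledWithArgs("-A FORWARD -s 10.8.0.0/24 -j MYST_PROVIDER_FIREWALL"))

	removeRule()
	assert.True(t, mockedIptables.VerifyCalledWithArgs("-D FORWARD -s 10.8.0.0/24 -j MYST_PROVIDER_FIREWALL"))
}

// Test_incomingFirewallIptables_AllowIPAccess checks that whitelisting an IP
// adds it to the ipset (idempotently, via --exist) and that the returned func
// removes it again.
func Test_incomingFirewallIptables_AllowIPAccess(t *testing.T) {
	mockedIpset := ipsetExecMock{
		mocks: map[string]ipsetExecResult{},
	}
	stubExec(t, &mockedIpset, nil)

	fw := &incomingFirewallIptables{}

	removeRule, err := fw.AllowIPAccess(net.IP{1, 2, 3, 4})
	assert.NoError(t, err)
	assert.True(t, mockedIpset.VerifyCalledWithArgs("add myst-provider-dst-whitelist 1.2.3.4 --exist"))

	err = removeRule()
	assert.NoError(t, err)
	assert.True(t, mockedIpset.VerifyCalledWithArgs("del myst-provider-dst-whitelist 1.2.3.4"))
}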