
     1  // Copyright 2017 Canonical Ltd.
     2  // Licensed under the AGPLv3, see LICENCE file for details.
     3  
     4  package iptables_test
     5  
     6  import (
     7  	"strings"
     8  
     9  	"github.com/juju/testing"
    10  	jc "github.com/juju/testing/checkers"
    11  	gc "gopkg.in/check.v1"
    12  
    13  	corenetwork "github.com/juju/juju/core/network"
    14  	"github.com/juju/juju/network"
    15  	"github.com/juju/juju/network/iptables"
    16  )
    17  
// IptablesSuite holds the tests for the iptables package: the exact
// command lines rendered by the *Command types and the parsing of
// `iptables -L`-style listings back into ingress rules. It embeds
// testing.IsolationSuite from github.com/juju/testing.
type IptablesSuite struct {
	testing.IsolationSuite
}
    21  
// Register the suite with gocheck so its Test* methods run under `go test`.
var _ = gc.Suite(&IptablesSuite{})
    23  
// TestDropCommand pins the exact command line DropCommand renders: the base
// rule (a NEW-state DROP inserted at the head of INPUT, tagged with the
// 'juju internal' comment) and the "-d" / "-i" suffixes that appear when
// DestinationAddress or Interface is set.
func (*IptablesSuite) TestDropCommand(c *gc.C) {
	const base = "sudo iptables -I INPUT -m state --state NEW -j DROP -m comment --comment 'juju internal'"

	cases := []struct {
		about string
		cmd   iptables.DropCommand
		want  string
	}{{
		about: "no qualifiers",
		cmd:   iptables.DropCommand{},
		want:  base,
	}, {
		about: "destination address appended with -d",
		cmd:   iptables.DropCommand{DestinationAddress: "1.2.3.4"},
		want:  base + " -d 1.2.3.4",
	}, {
		about: "interface appended with -i",
		cmd:   iptables.DropCommand{Interface: "eth0"},
		want:  base + " -i eth0",
	}}

	// NOTE(review): every value here is a well-formed address or interface
	// name. The rendered text is a shell command line (it carries the "sudo"
	// prefix, and the ingress variants are chained with "||"/"&&"), so a case
	// pinning how Render treats shell metacharacters or whitespace in
	// DestinationAddress/Interface — rejected or quoted — would be worth
	// adding; nothing in this suite covers it.
	for i, tc := range cases {
		c.Assert(tc.cmd.Render(), gc.Equals, tc.want, gc.Commentf("case %d: %s", i, tc.about))
	}
}
    38  
// TestAcceptInternalPortCommand pins the command line AcceptInternalCommand
// renders: an ACCEPT inserted at the head of INPUT with the 'juju internal'
// comment, plus "-p", "-d" and "--dport" when Protocol, DestinationAddress
// and DestinationPort are all set.
func (*IptablesSuite) TestAcceptInternalPortCommand(c *gc.C) {
	const base = "sudo iptables -I INPUT -j ACCEPT -m comment --comment 'juju internal'"

	cases := []struct {
		about string
		cmd   iptables.AcceptInternalCommand
		want  string
	}{{
		about: "no qualifiers",
		cmd:   iptables.AcceptInternalCommand{},
		want:  base,
	}, {
		about: "protocol, destination address and port",
		cmd: iptables.AcceptInternalCommand{
			DestinationAddress: "1.2.3.4",
			DestinationPort:    17070,
			Protocol:           "tcp",
		},
		want: base + " -p tcp -d 1.2.3.4 --dport 17070",
	}}

	// NOTE(review): only the all-fields-set combination is covered. iptables
	// rejects "--dport" without a "-p"; whether Render guards a
	// DestinationPort-without-Protocol input is not pinned here.
	for i, tc := range cases {
		c.Assert(tc.cmd.Render(), gc.Equals, tc.want, gc.Commentf("case %d: %s", i, tc.about))
	}
}
    53  
// TestIngressRuleCommand pins the shell line IngressRuleCommand renders. An
// insert is "(check) || (insert)" so re-running it is idempotent; a delete is
// "(check) && (delete)" so a missing rule is not an error. The match portion
// varies by protocol (icmp type 8, a single --dport, or a multiport range)
// and gains "-s" with comma-joined CIDRs when SourceCIDRs is set.
func (*IptablesSuite) TestIngressRuleCommand(c *gc.C) {
	const tag = " -m comment --comment 'juju ingress'"

	// wrap builds the expected "(check) || (insert)" or "(check) && (delete)"
	// line around a protocol/port/source match fragment.
	wrap := func(match string, del bool) string {
		check := "(sudo iptables -C INPUT -j ACCEPT " + match + tag + ")"
		if del {
			return check + " && (sudo iptables -D INPUT -j ACCEPT " + match + tag + ")"
		}
		return check + " || (sudo iptables -I INPUT -j ACCEPT " + match + tag + ")"
	}

	icmp := corenetwork.PortRange{Protocol: "icmp"}

	cases := []struct {
		about string
		cmd   iptables.IngressRuleCommand
		want  string
	}{{
		about: "icmp, insert",
		cmd:   iptables.IngressRuleCommand{Rule: network.IngressRule{PortRange: icmp}},
		want:  wrap("-p icmp --icmp-type 8", false),
	}, {
		// Same rule with Delete set: -D replaces -I and && replaces ||.
		about: "icmp, delete",
		cmd:   iptables.IngressRuleCommand{Rule: network.IngressRule{PortRange: icmp}, Delete: true},
		want:  wrap("-p icmp --icmp-type 8", true),
	}, {
		// Multiple CIDRs are joined with a comma behind a single -s.
		about: "icmp with source CIDRs",
		cmd: iptables.IngressRuleCommand{Rule: network.IngressRule{
			PortRange:   icmp,
			SourceCIDRs: []string{"1.2.3.4", "5.6.7.8"},
		}},
		want: wrap("-p icmp --icmp-type 8 -s 1.2.3.4,5.6.7.8", false),
	}, {
		about: "udp, single port",
		cmd: iptables.IngressRuleCommand{Rule: network.IngressRule{
			PortRange: corenetwork.PortRange{Protocol: "udp", FromPort: 53, ToPort: 53},
		}},
		want: wrap("-p udp --dport 53", false),
	}, {
		about: "tcp, port range via multiport",
		cmd: iptables.IngressRuleCommand{Rule: network.IngressRule{
			PortRange: corenetwork.PortRange{Protocol: "tcp", FromPort: 6001, ToPort: 6007},
		}},
		want: wrap("-p tcp -m multiport --dports 6001:6007", false),
	}}

	// NOTE(review): SourceCIDRs are interpolated verbatim into a shell line
	// ("||"/"&&" chaining above). No case covers a CIDR containing spaces or
	// shell metacharacters, and the values used here ("1.2.3.4") carry no
	// prefix length, so whether Render validates them is not pinned.
	for i, tc := range cases {
		c.Assert(tc.cmd.Render(), gc.Equals, tc.want, gc.Commentf("case %d: %s", i, tc.about))
	}
}
   122  
// TestParseIngressRulesEmpty checks that an empty listing parses without
// error into an empty (non-nil) rule slice.
func (*IptablesSuite) TestParseIngressRulesEmpty(c *gc.C) {
	got, err := iptables.ParseIngressRules(strings.NewReader(""))
	c.Assert(err, jc.ErrorIsNil)
	c.Assert(got, jc.DeepEquals, []network.IngressRule{})
}
   126  
// TestParseIngressRulesGarbage checks that lines which are not iptables
// rule rows — including one that merely starts with "ACCEPT" — are skipped
// rather than reported as an error, yielding no rules.
func (*IptablesSuite) TestParseIngressRulesGarbage(c *gc.C) {
	junk := strings.Join([]string{
		"a",
		"b",
		"ACCEPT zing",
		"blargh",
		"",
		"",
	}, "\n")
	assertParseIngressRules(c, junk, []network.IngressRule{})
}
   135  
// TestParseIngressRulesChecksComment checks that only rows tagged with the
// "juju ingress" comment are returned. Rows owned by something else (here
// lxd-bridge) and rows with no comment at all are ignored, so the parser
// never reports — and a caller never touches — rules Juju did not create.
func (*IptablesSuite) TestParseIngressRulesChecksComment(c *gc.C) {
	const listing = `Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* managed by lxd-bridge */
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* juju ingress */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* managed by lxd-bridge */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
`
	// Only the second row carries the juju comment.
	want := []network.IngressRule{{
		PortRange:   corenetwork.PortRange{Protocol: "tcp", FromPort: 53, ToPort: 53},
		SourceCIDRs: []string{"0.0.0.0/0"},
	}}
	assertParseIngressRules(c, listing, want)
}
   153  
// TestParseIngressRules checks the round-trip of each rendered form back
// into an IngressRule: a multiport range, single tcp/udp ports with a
// non-default source CIDR, and icmp, which carries no ports and is reported
// with FromPort/ToPort of -1.
func (*IptablesSuite) TestParseIngressRules(c *gc.C) {
	const listing = `Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0    multiport dports 3456:3458 /* juju ingress */
ACCEPT     tcp  --  1.2.3.4/20           0.0.0.0/0    tcp dpt:12345 /* juju ingress */
ACCEPT     udp  --  1.2.3.4/20           0.0.0.0/0    udp dpt:12345 /* juju ingress */
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0    icmptype 8 /* juju ingress */
`
	// rule builds the expected IngressRule for a single source CIDR.
	rule := func(proto string, from, to int, cidr string) network.IngressRule {
		return network.IngressRule{
			PortRange:   corenetwork.PortRange{Protocol: proto, FromPort: from, ToPort: to},
			SourceCIDRs: []string{cidr},
		}
	}

	want := []network.IngressRule{
		rule("tcp", 3456, 3458, "0.0.0.0/0"),
		rule("tcp", 12345, 12345, "1.2.3.4/20"),
		rule("udp", 12345, 12345, "1.2.3.4/20"),
		rule("icmp", -1, -1, "0.0.0.0/0"),
	}
	assertParseIngressRules(c, listing, want)
}
   194  
// assertParseIngressRules feeds the listing text in to ParseIngressRules and
// asserts that it succeeds and yields exactly expect (order included).
func assertParseIngressRules(c *gc.C, in string, expect []network.IngressRule) {
	listing := strings.NewReader(in)
	got, err := iptables.ParseIngressRules(listing)
	c.Assert(err, jc.ErrorIsNil)
	c.Assert(got, jc.DeepEquals, expect)
}
   200  
// renderer is the common shape of the iptables command types under test:
// each renders itself to the shell command line that would be executed.
type renderer interface {
	Render() string
}
   204  
// assertRender asserts that r renders byte-for-byte to expect. Exact
// comparison is deliberate: the output is executed as a shell line, so any
// drift in quoting or argument order is a behaviour change.
func assertRender(c *gc.C, r renderer, expect string) {
	got := r.Render()
	c.Assert(got, gc.Equals, expect)
}