* [Buildroot] [PATCH 1/1] support/testing: add iptables runtime test
From: Julien Olivain @ 2024-03-23 20:35 UTC
To: buildroot; +Cc: Julien Olivain
Signed-off-by: Julien Olivain <ju.o@free.fr>
---
DEVELOPERS | 1 +
.../testing/tests/package/test_iptables.py | 78 +++++++++++++++++++
2 files changed, 79 insertions(+)
create mode 100644 support/testing/tests/package/test_iptables.py
diff --git a/DEVELOPERS b/DEVELOPERS
index a6364cdd441..328c654faed 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -1797,6 +1797,7 @@ F: support/testing/tests/package/test_highway.py
F: support/testing/tests/package/test_hwloc.py
F: support/testing/tests/package/test_iozone.py
F: support/testing/tests/package/test_iperf3.py
+F: support/testing/tests/package/test_iptables.py
F: support/testing/tests/package/test_jailhouse.py
F: support/testing/tests/package/test_jq.py
F: support/testing/tests/package/test_jq/
diff --git a/support/testing/tests/package/test_iptables.py b/support/testing/tests/package/test_iptables.py
new file mode 100644
index 00000000000..ee57b315589
--- /dev/null
+++ b/support/testing/tests/package/test_iptables.py
@@ -0,0 +1,78 @@
+import os
+
+import infra.basetest
+
+
+class TestIptables(infra.basetest.BRTest):
+ # The iptables package has _LINUX_CONFIG_FIXUPS, so we cannot use
+ # the runtime test pre-built Kernel. We need to compile a Kernel
+ # to make sure it will include the required configuration.
+ config = \
+ """
+ BR2_aarch64=y
+ BR2_TOOLCHAIN_EXTERNAL=y
+ BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0"
+ BR2_LINUX_KERNEL=y
+ BR2_LINUX_KERNEL_CUSTOM_VERSION=y
+ BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.1.82"
+ BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
+ BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/aarch64-virt/linux.config"
+ BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
+ BR2_PACKAGE_IPTABLES=y
+ BR2_TARGET_ROOTFS_CPIO=y
+ BR2_TARGET_ROOTFS_CPIO_GZIP=y
+ # BR2_TARGET_ROOTFS_TAR is not set
+ """
+
+ def test_run(self):
+ img = os.path.join(self.builddir, "images", "rootfs.cpio.gz")
+ kern = os.path.join(self.builddir, "images", "Image")
+ self.emulator.boot(arch="aarch64",
+ kernel=kern,
+ kernel_cmdline=["console=ttyAMA0"],
+ options=["-M", "virt",
+ "-cpu", "cortex-a57",
+ "-m", "256M",
+ "-initrd", img])
+ self.emulator.login()
+
+ # We check the program can execute.
+ self.assertRunOk("iptables --version")
+
+ # We delete all rules in all chains. We also set default
+ # policies to ACCEPT for INPUT and OUPUT chains. This should
+ # already be the case (default Kernel config). This makes sure
+ # this test starts from a known state and also those common
+ # command invocations works.
+ self.assertRunOk("iptables --flush")
+ self.assertRunOk("iptables --policy INPUT ACCEPT")
+ self.assertRunOk("iptables --policy OUTPUT ACCEPT")
+
+ # We add a filter rule to drop all the ICMP protocol to the
+ # IPv4 destination 127.0.0.2, in the INPUT chain. This should
+ # block all pings (icmp echo-requests).
+ cmd = "iptables --append INPUT"
+ cmd += " --protocol icmp --destination 127.0.0.2 --jump DROP"
+ self.assertRunOk(cmd)
+
+ # We check we can list rules.
+ self.assertRunOk("iptables --list")
+
+ # A ping to 127.0.0.1 is expected to work, because it's not
+ # matching our rule. We expect 3 replies (-c), with 0.5s
+ # internal (-i), and set a maximum timeout of 2s.
+ ping_cmd_prefix = "ping -c 3 -i 0.5 -W 2 "
+ self.assertRunOk(ping_cmd_prefix + "127.0.0.1")
+
+ # A ping to 127.0.0.2 is expected to fail, because our rule is
+ # supposed to drop it.
+ ping_test_cmd = ping_cmd_prefix + "127.0.0.2"
+ _, exit_code = self.emulator.run(ping_test_cmd)
+ self.assertNotEqual(exit_code, 0)
+
+ # We delete our only rule #1 in the INPUT chain.
+ self.assertRunOk("iptables --delete INPUT 1")
+
+ # Since we deleted the rule, the ping test command which was
+ # supposed to fail earlier is now supposed to succeed.
+ self.assertRunOk(ping_test_cmd)
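Review bot: `self.assertRunOk("iptables --list")` in test_run checks only the exit status, so nothing confirms that the DROP rule for 127.0.0.2 is actually installed in INPUT; the failing ping is the only evidence, and `self.assertNotEqual(exit_code, 0)` passes for any ping failure, whatever its cause. Consider asserting the rule directly, for example with `iptables --check INPUT --protocol icmp --destination 127.0.0.2 --jump DROP` right after the append, or by capturing the `iptables --list` output through `self.emulator.run` and checking that 127.0.0.2 appears in it.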
--
2.44.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH 1/1] support/testing: add iptables runtime test
From: Arnout Vandecappelle via buildroot @ 2024-03-24 15:10 UTC
To: Julien Olivain, buildroot
On 23/03/2024 21:35, Julien Olivain wrote:
> Signed-off-by: Julien Olivain <ju.o@free.fr>
Applied to master, thanks.
Regards,
Arnout
> ---
> DEVELOPERS | 1 +
> .../testing/tests/package/test_iptables.py | 78 +++++++++++++++++++
> 2 files changed, 79 insertions(+)
> create mode 100644 support/testing/tests/package/test_iptables.py
>
> diff --git a/DEVELOPERS b/DEVELOPERS
> index a6364cdd441..328c654faed 100644
> --- a/DEVELOPERS
> +++ b/DEVELOPERS
> @@ -1797,6 +1797,7 @@ F: support/testing/tests/package/test_highway.py
> F: support/testing/tests/package/test_hwloc.py
> F: support/testing/tests/package/test_iozone.py
> F: support/testing/tests/package/test_iperf3.py
> +F: support/testing/tests/package/test_iptables.py
> F: support/testing/tests/package/test_jailhouse.py
> F: support/testing/tests/package/test_jq.py
> F: support/testing/tests/package/test_jq/
> diff --git a/support/testing/tests/package/test_iptables.py b/support/testing/tests/package/test_iptables.py
> new file mode 100644
> index 00000000000..ee57b315589
> --- /dev/null
> +++ b/support/testing/tests/package/test_iptables.py
> @@ -0,0 +1,78 @@
> +import os
> +
> +import infra.basetest
> +
> +
> +class TestIptables(infra.basetest.BRTest):
> + # The iptables package has _LINUX_CONFIG_FIXUPS, so we cannot use
> + # the runtime test pre-built Kernel. We need to compile a Kernel
> + # to make sure it will include the required configuration.
> + config = \
> + """
> + BR2_aarch64=y
> + BR2_TOOLCHAIN_EXTERNAL=y
> + BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0"
> + BR2_LINUX_KERNEL=y
> + BR2_LINUX_KERNEL_CUSTOM_VERSION=y
> + BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.1.82"
> + BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
> + BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/aarch64-virt/linux.config"
> + BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
> + BR2_PACKAGE_IPTABLES=y
> + BR2_TARGET_ROOTFS_CPIO=y
> + BR2_TARGET_ROOTFS_CPIO_GZIP=y
> + # BR2_TARGET_ROOTFS_TAR is not set
> + """
> +
> + def test_run(self):
> + img = os.path.join(self.builddir, "images", "rootfs.cpio.gz")
> + kern = os.path.join(self.builddir, "images", "Image")
> + self.emulator.boot(arch="aarch64",
> + kernel=kern,
> + kernel_cmdline=["console=ttyAMA0"],
> + options=["-M", "virt",
> + "-cpu", "cortex-a57",
> + "-m", "256M",
> + "-initrd", img])
> + self.emulator.login()
> +
> + # We check the program can execute.
> + self.assertRunOk("iptables --version")
> +
> + # We delete all rules in all chains. We also set default
> + # policies to ACCEPT for INPUT and OUPUT chains. This should
> + # already be the case (default Kernel config). This makes sure
> + # this test starts from a known state and also those common
> + # command invocations works.
> + self.assertRunOk("iptables --flush")
> + self.assertRunOk("iptables --policy INPUT ACCEPT")
> + self.assertRunOk("iptables --policy OUTPUT ACCEPT")
> +
> + # We add a filter rule to drop all the ICMP protocol to the
> + # IPv4 destination 127.0.0.2, in the INPUT chain. This should
> + # block all pings (icmp echo-requests).
> + cmd = "iptables --append INPUT"
> + cmd += " --protocol icmp --destination 127.0.0.2 --jump DROP"
> + self.assertRunOk(cmd)
> +
> + # We check we can list rules.
> + self.assertRunOk("iptables --list")
> +
> + # A ping to 127.0.0.1 is expected to work, because it's not
> + # matching our rule. We expect 3 replies (-c), with 0.5s
> + # internal (-i), and set a maximum timeout of 2s.
> + ping_cmd_prefix = "ping -c 3 -i 0.5 -W 2 "
> + self.assertRunOk(ping_cmd_prefix + "127.0.0.1")
> +
> + # A ping to 127.0.0.2 is expected to fail, because our rule is
> + # supposed to drop it.
> + ping_test_cmd = ping_cmd_prefix + "127.0.0.2"
> + _, exit_code = self.emulator.run(ping_test_cmd)
> + self.assertNotEqual(exit_code, 0)
> +
> + # We delete our only rule #1 in the INPUT chain.
> + self.assertRunOk("iptables --delete INPUT 1")
> +
> + # Since we deleted the rule, the ping test command which was
> + # supposed to fail earlier is now supposed to succeed.
> + self.assertRunOk(ping_test_cmd)
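Review bot: Three typos in the test_run comments deserve a follow-up fix: "OUPUT" should read "OUTPUT" in the comment above the `--policy` calls, "0.5s internal (-i)" should read "interval" in the comment above `ping_cmd_prefix`, and "those common command invocations works" should read "work".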
* Re: [Buildroot] [PATCH 1/1] support/testing: add iptables runtime test
From: Peter Korsgaard @ 2024-03-25 8:58 UTC
To: Julien Olivain; +Cc: buildroot
>>>>> "Julien" == Julien Olivain <ju.o@free.fr> writes:
> Signed-off-by: Julien Olivain <ju.o@free.fr>
> ---
> DEVELOPERS | 1 +
> .../testing/tests/package/test_iptables.py | 78 +++++++++++++++++++
> 2 files changed, 79 insertions(+)
> create mode 100644 support/testing/tests/package/test_iptables.py
Committed to 2024.02.x, thanks.
--
Bye, Peter Korsgaard