#1 Initial checkin of tests from upstreamfirst project
Merged a year ago by psutter. Opened 2 years ago by mgahagan.
rpms/ mgahagan/iptables iptables-tests  into  master

@@ -0,0 +1,63 @@ 

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Makefile of /CoreOS/iptables/Sanity/NFQUEUE-queue-bypass

+ #   Description: Test for "--queue-bypass" backport

+ #   Author: Ales Zelinka <azelinka@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Copyright (c) 2013 Red Hat, Inc. All rights reserved.

+ #

+ #   This copyrighted material is made available to anyone wishing

+ #   to use, modify, copy, or redistribute it subject to the terms

+ #   and conditions of the GNU General Public License version 2.

+ #

+ #   This program is distributed in the hope that it will be

+ #   useful, but WITHOUT ANY WARRANTY; without even the implied

+ #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

+ #   PURPOSE. See the GNU General Public License for more details.

+ #

+ #   You should have received a copy of the GNU General Public

+ #   License along with this program; if not, write to the Free

+ #   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,

+ #   Boston, MA 02110-1301, USA.

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ export TEST=/CoreOS/iptables/Sanity/NFQUEUE-queue-bypass

+ export TESTVERSION=1.0

+ 

+ BUILT_FILES=

+ 

+ FILES=$(METADATA) runtest.sh Makefile PURPOSE

+ 

+ .PHONY: all install download clean

+ 

+ run: $(FILES) build

+ 	./runtest.sh

+ 

+ build: $(BUILT_FILES)

+ 	test -x runtest.sh || chmod a+x runtest.sh

+ 

+ clean:

+ 	rm -f *~ $(BUILT_FILES)

+ 

+ 

+ include /usr/share/rhts/lib/rhts-make.include

+ 

+ $(METADATA): Makefile

+ 	@echo "Owner:           Ales Zelinka <azelinka@redhat.com>" > $(METADATA)

+ 	@echo "Name:            $(TEST)" >> $(METADATA)

+ 	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)

+ 	@echo "Path:            $(TEST_DIR)" >> $(METADATA)

+ 	@echo "Description:     Test for \"--queue-bypass\" backport" >> $(METADATA)

+ 	@echo "Type:            Sanity" >> $(METADATA)

+ 	@echo "TestTime:        5m" >> $(METADATA)

+ 	@echo "RunFor:          iptables" >> $(METADATA)

+ 	@echo "Requires:        iptables" >> $(METADATA)

+ 	@echo "Priority:        Normal" >> $(METADATA)

+ 	@echo "License:         GPLv2" >> $(METADATA)

+ 	@echo "Confidential:    no" >> $(METADATA)

+ 	@echo "Destructive:     no" >> $(METADATA)

+ 

+ 	rhts-lint $(METADATA)
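Review bot: The `.PHONY` line omits `run` and `build`, although both are defined here as command targets that create no file of that name. If a file called `build` or `run` ever appears in the test directory, make can treat the target as up to date and skip the chmod or the test run itself. Unless `/usr/share/rhts/lib/rhts-make.include` already declares them (not visible here), the line should read `.PHONY: all install download clean run build`. The same line appears unchanged in the Makefile hunks of the other four tests in this pull request (IPv6 SET target, `-C` option, TRACE target, libxt_cgroup frontend).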

@@ -0,0 +1,4 @@ 

+ PURPOSE of /CoreOS/iptables/Sanity/NFQUEUE-queue-bypass

+ Description: Test for "--queue-bypass" backport

+ Author: Ales Zelinka <azelinka@redhat.com>

+ Bug summary: "--queue-bypass" backport

@@ -0,0 +1,54 @@ 

+ #!/bin/bash

+ # vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   runtest.sh of /CoreOS/iptables/Sanity/NFQUEUE-queue-bypass

+ #   Description: Test for "--queue-bypass" backport

+ #   Author: Ales Zelinka <azelinka@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Copyright (c) 2013 Red Hat, Inc. All rights reserved.

+ #

+ #   This copyrighted material is made available to anyone wishing

+ #   to use, modify, copy, or redistribute it subject to the terms

+ #   and conditions of the GNU General Public License version 2.

+ #

+ #   This program is distributed in the hope that it will be

+ #   useful, but WITHOUT ANY WARRANTY; without even the implied

+ #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

+ #   PURPOSE. See the GNU General Public License for more details.

+ #

+ #   You should have received a copy of the GNU General Public

+ #   License along with this program; if not, write to the Free

+ #   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,

+ #   Boston, MA 02110-1301, USA.

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ # Include Beaker environment

+ . /usr/bin/rhts-environment.sh || exit 1

+ . /usr/share/beakerlib/beakerlib.sh || exit 1

+ 

+ PACKAGE="iptables"

+ 

+ rlJournalStart

+ 

+     rlPhaseStartTest control-ping

+          rlRun "ping -w 2 -c 2 127.0.0.1"

+     rlPhaseEnd

+ 

+     rlPhaseStartTest NFQUEUE-no-listener

+          rlRun "iptables -I INPUT -p icmp -j NFQUEUE" 0 "queue all icmp for userspace processing"

+          rlRun "ping -w 2 -c 2 127.0.0.1" 1-255 "ping 127.0.0.1 - none is listening on queue so packets will be dropped"

+          rlRun "iptables -D INPUT -p icmp -j NFQUEUE" 0 "removing the queue rule"

+     rlPhaseEnd

+ 

+     rlPhaseStartTest NFQUEUE-no-listener-bypass

+          rlRun "iptables -I INPUT -p icmp -j NFQUEUE --queue-bypass" 0 "queue all icmp for userspace processing, bypass if no one is listening"

+          rlRun "ping -w 2 -c 2 127.0.0.1" 0 "ping 127.0.0.1 - none is listening on queue - bypass will make packets go through"

+          rlRun "iptables -D INPUT -p icmp -j NFQUEUE --queue-bypass" 0 "removing the queue rule"

+     rlPhaseEnd

+ 

+ rlJournalPrintText

+ rlJournalEnd
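Review bot: Both NFQUEUE rules match ICMP arriving on every interface, although the test only pings 127.0.0.1. While the no-listener rule is in place the host drops all inbound ICMP, and if the run is killed before the `-D` line the rule stays behind. Scoping the rule to loopback keeps the effect local: `iptables -I INPUT -i lo -p icmp -j NFQUEUE` with the matching `-D`, and likewise for the `--queue-bypass` pair. `PACKAGE` is assigned but never used; an `rlAssertRpm $PACKAGE` in a setup phase would match the other tests added in this pull request.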

@@ -0,0 +1,63 @@ 

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Makefile of /CoreOS/iptables/Regression/RFE-Enable-the-missing-IPv6-SET-target

+ #   Description: Test for [RFE] Enable the missing IPv6 "SET" target

+ #   Author: Tomas Dolezal <todoleza@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Copyright (c) 2015 Red Hat, Inc.

+ #

+ #   This program is free software: you can redistribute it and/or

+ #   modify it under the terms of the GNU General Public License as

+ #   published by the Free Software Foundation, either version 2 of

+ #   the License, or (at your option) any later version.

+ #

+ #   This program is distributed in the hope that it will be

+ #   useful, but WITHOUT ANY WARRANTY; without even the implied

+ #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

+ #   PURPOSE.  See the GNU General Public License for more details.

+ #

+ #   You should have received a copy of the GNU General Public License

+ #   along with this program. If not, see http://www.gnu.org/licenses/.

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ export TEST=/CoreOS/iptables/Regression/RFE-Enable-the-missing-IPv6-SET-target

+ export TESTVERSION=1.0

+ 

+ BUILT_FILES=

+ 

+ FILES=$(METADATA) runtest.sh Makefile PURPOSE

+ 

+ .PHONY: all install download clean

+ 

+ run: $(FILES) build

+ 	./runtest.sh

+ 

+ build: $(BUILT_FILES)

+ 	test -x runtest.sh || chmod a+x runtest.sh

+ 

+ clean:

+ 	rm -f *~ $(BUILT_FILES)

+ 

+ 

+ include /usr/share/rhts/lib/rhts-make.include

+ 

+ $(METADATA): Makefile

+ 	@echo "Owner:           Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)

+ 	@echo "Name:            $(TEST)" >> $(METADATA)

+ 	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)

+ 	@echo "Path:            $(TEST_DIR)" >> $(METADATA)

+ 	@echo "Description:     Test for [RFE] Enable the missing IPv6 \"SET\" target" >> $(METADATA)

+ 	@echo "Type:            Regression" >> $(METADATA)

+ 	@echo "TestTime:        5m" >> $(METADATA)

+ 	@echo "RunFor:          iptables" >> $(METADATA)

+ 	@echo "Requires:        iptables ipset" >> $(METADATA)

+ 	@echo "Priority:        Normal" >> $(METADATA)

+ 	@echo "License:         GPLv2+" >> $(METADATA)

+ 	@echo "Confidential:    no" >> $(METADATA)

+ 	@echo "Destructive:     no" >> $(METADATA)

+ 	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)

+ 

+ 	rhts-lint $(METADATA)

@@ -0,0 +1,4 @@ 

+ PURPOSE of /CoreOS/iptables/Regression/RFE-Enable-the-missing-IPv6-SET-target

+ Description: Test for [RFE] Enable the missing IPv6 "SET" target

+ Author: Tomas Dolezal <todoleza@redhat.com>

+ Bug summary: [RFE] Enable the missing IPv6 "SET" target userland ip6tables support to enable ipset to be usable with IPv6

@@ -0,0 +1,65 @@ 

+ #!/bin/bash

+ # vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   runtest.sh of /CoreOS/iptables/Regression/RFE-Enable-the-missing-IPv6-SET-target

+ #   Description: Test for [RFE] Enable the missing IPv6 "SET" target

+ #   Author: Tomas Dolezal <todoleza@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Copyright (c) 2015 Red Hat, Inc.

+ #

+ #   This program is free software: you can redistribute it and/or

+ #   modify it under the terms of the GNU General Public License as

+ #   published by the Free Software Foundation, either version 2 of

+ #   the License, or (at your option) any later version.

+ #

+ #   This program is distributed in the hope that it will be

+ #   useful, but WITHOUT ANY WARRANTY; without even the implied

+ #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

+ #   PURPOSE.  See the GNU General Public License for more details.

+ #

+ #   You should have received a copy of the GNU General Public License

+ #   along with this program. If not, see http://www.gnu.org/licenses/.

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ # Include Beaker environment

+ . /usr/bin/rhts-environment.sh || exit 1

+ . /usr/share/beakerlib/beakerlib.sh || exit 1

+ 

+ PACKAGE="iptables"

+ IPSET=testset6

+ 

+ rlJournalStart

+     rlPhaseStartSetup

+         rlAssertRpm $PACKAGE

+         # rlAssertRpm kernel

+         rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"

+         rlRun "pushd $TmpDir"

+         rlRun "ipset create $IPSET hash:ip family inet6"

+         rlRun "ipset add testset6 1234::3456"

+         rlRun "ip6tables-save -t filter > ipt6.save"

+     rlPhaseEnd

+ 

+     rlPhaseStartTest

+         RULE1="INPUT -p tcp -m multiport --dports 21,22,23,25,53,81,123,143 -m conntrack --ctstate NEW --syn -m set ! --match-set $IPSET src -j LOG --log-prefix 'LOG:IPSET added to $IPSET'"

+         RULE2="INPUT -p tcp -m multiport --dports 21,22,23,25,53,81,123,143 -m conntrack --ctstate NEW --syn -m set ! --match-set $IPSET src -j SET --add-set $IPSET src"

+         for op in -A -C -D; do #add, check, delete

+             rlRun "ip6tables $op $RULE1" 0 "do $op logrule"

+             rlRun "ip6tables $op $RULE2" 0 "do $op -j SET rule"

+         done

+         rlRun "ip6tables-save -t filter > ipt6.save2"

+         rlRun "sed -e '/^#/d' -e 's/\[.*:.*\]$//' -i ipt6*" 0 "magically unify savefiles"

+         rlAssertNotDiffer ipt6.save ipt6.save2

+         diff -u ipt6.save ipt6.save2

+     rlPhaseEnd

+ 

+     rlPhaseStartCleanup

+         rlRun "ipset destroy $IPSET"

+         rlRun "popd"

+         rlRun "rm -r $TmpDir" 0 "Removing tmp directory"

+     rlPhaseEnd

+ rlJournalPrintText

+ rlJournalEnd
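Review bot: Cleanup runs `ipset destroy $IPSET` without first making sure the two test rules are gone. If any `-D` in the loop fails, the LOG and SET rules stay in the host's ip6tables filter table, and the destroy should then fail too, because a set still referenced by a rule cannot be removed. The saved ruleset is used only for the comparison and is rewritten by the `sed -i ... ipt6*` step, so a restore needs an untouched copy whose name the glob does not match: `rlRun "ip6tables-save -t filter > filter6.orig"` in setup and `rlRun "ip6tables-restore < filter6.orig"` at the start of cleanup. Separately, `ipset add testset6 1234::3456` hard-codes the set name where the neighbouring lines use `$IPSET`.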

@@ -0,0 +1,63 @@ 

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Makefile of /CoreOS/iptables/Regression/RFE-iptables-add-C-option-to-iptables-in-RHEL6

+ #   Description: Test for RFE iptables add -C option to iptables in RHEL6 to

+ #   Author: Tomas Dolezal <todoleza@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Copyright (c) 2015 Red Hat, Inc.

+ #

+ #   This program is free software: you can redistribute it and/or

+ #   modify it under the terms of the GNU General Public License as

+ #   published by the Free Software Foundation, either version 2 of

+ #   the License, or (at your option) any later version.

+ #

+ #   This program is distributed in the hope that it will be

+ #   useful, but WITHOUT ANY WARRANTY; without even the implied

+ #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

+ #   PURPOSE.  See the GNU General Public License for more details.

+ #

+ #   You should have received a copy of the GNU General Public License

+ #   along with this program. If not, see http://www.gnu.org/licenses/.

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ export TEST=/CoreOS/iptables/Regression/RFE-iptables-add-C-option-to-iptables-in-RHEL6

+ export TESTVERSION=1.0

+ 

+ BUILT_FILES=

+ 

+ FILES=$(METADATA) runtest.sh Makefile PURPOSE rules.in

+ 

+ .PHONY: all install download clean

+ 

+ run: $(FILES) build

+ 	./runtest.sh

+ 

+ build: $(BUILT_FILES)

+ 	test -x runtest.sh || chmod a+x runtest.sh

+ 

+ clean:

+ 	rm -f *~ $(BUILT_FILES)

+ 

+ 

+ include /usr/share/rhts/lib/rhts-make.include

+ 

+ $(METADATA): Makefile

+ 	@echo "Owner:           Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)

+ 	@echo "Name:            $(TEST)" >> $(METADATA)

+ 	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)

+ 	@echo "Path:            $(TEST_DIR)" >> $(METADATA)

+ 	@echo "Description:     Test for RFE iptables add -C option to iptables in RHEL6 to" >> $(METADATA)

+ 	@echo "Type:            Regression" >> $(METADATA)

+ 	@echo "TestTime:        5m" >> $(METADATA)

+ 	@echo "RunFor:          iptables" >> $(METADATA)

+ 	@echo "Requires:        iptables" >> $(METADATA)

+ 	@echo "Priority:        Normal" >> $(METADATA)

+ 	@echo "License:         GPLv2+" >> $(METADATA)

+ 	@echo "Confidential:    no" >> $(METADATA)

+ 	@echo "Destructive:     no" >> $(METADATA)

+ 	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)

+ 

+ 	rhts-lint $(METADATA)

@@ -0,0 +1,4 @@ 

+ PURPOSE of /CoreOS/iptables/Regression/RFE-iptables-add-C-option-to-iptables-in-RHEL6

+ Description: Test for RFE iptables add -C option to iptables in RHEL6 to

+ Author: Tomas Dolezal <todoleza@redhat.com>

+ Bug summary: RFE: iptables: add -C option to iptables in RHEL6 to check for existing rules

@@ -0,0 +1,50 @@ 

+ # vim: ft=sh

+ rules4=(

+ "-t nat -A POSTROUTING -o tun+ -j MASQUERADE"

+ "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

+ "-A INPUT -p icmp -m icmp --icmp-type source-quench -j REJECT --reject-with icmp-host-prohibited"

+ "-A INPUT -p icmp -j ACCEPT"

+ "-A INPUT -i lo -j ACCEPT"

+ "-A INPUT -i ippp+ -j ACCEPT"

+ "-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"

+ "-A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT"

+ "-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"

+ "-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT"

+ "-A INPUT -p ah -j ACCEPT"

+ "-A INPUT -p esp -j ACCEPT"

+ "-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT"

+ "-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT"

+ "-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT"

+ "-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT"

+ "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

+ "-A FORWARD -p icmp -m icmp --icmp-type source-quench -j REJECT --reject-with icmp-host-prohibited"

+ "-A FORWARD -p icmp -j ACCEPT"

+ "-A FORWARD -i lo -j ACCEPT"

+ "-A FORWARD -i ippp+ -j ACCEPT"

+ "-A FORWARD -o tun+ -j ACCEPT"

+ "-A INPUT -j REJECT --reject-with icmp-host-prohibited"

+ "-A FORWARD -j REJECT --reject-with icmp-host-prohibited"

+ )

+ 

+ rules6=(

+ "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

+ "-A INPUT -p ipv6-icmp -j ACCEPT"

+ "-A INPUT -i lo -j ACCEPT"

+ "-A INPUT -m state --state NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT"

+ "-A INPUT -i ippp+ -j ACCEPT"

+ "-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"

+ "-A INPUT -m state --state NEW -m tcp -p tcp --dport 631 -j ACCEPT"

+ "-A INPUT -m state --state NEW -m udp -p udp --dport 631 -j ACCEPT"

+ "-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d ff02::fb -j ACCEPT"

+ "-A INPUT -m ipv6header --header ah -j ACCEPT"

+ "-A INPUT -m ipv6header --header esp -j ACCEPT"

+ "-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT"

+ "-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT"

+ "-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT"

+ "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

+ "-A FORWARD -p ipv6-icmp -j ACCEPT"

+ "-A FORWARD -i lo -j ACCEPT"

+ "-A FORWARD -i ippp+ -j ACCEPT"

+ "-A INPUT -j REJECT --reject-with icmp6-adm-prohibited"

+ "-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited"

+ )

@@ -0,0 +1,73 @@ 

+ #!/bin/bash

+ # vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   runtest.sh of /CoreOS/iptables/Regression/RFE-iptables-add-C-option-to-iptables-in-RHEL6

+ #   Description: Test for RFE iptables add -C option to iptables in RHEL6 to

+ #   Author: Tomas Dolezal <todoleza@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Copyright (c) 2015 Red Hat, Inc.

+ #

+ #   This program is free software: you can redistribute it and/or

+ #   modify it under the terms of the GNU General Public License as

+ #   published by the Free Software Foundation, either version 2 of

+ #   the License, or (at your option) any later version.

+ #

+ #   This program is distributed in the hope that it will be

+ #   useful, but WITHOUT ANY WARRANTY; without even the implied

+ #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

+ #   PURPOSE.  See the GNU General Public License for more details.

+ #

+ #   You should have received a copy of the GNU General Public License

+ #   along with this program. If not, see http://www.gnu.org/licenses/.

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ # Include Beaker environment

+ . /usr/bin/rhts-environment.sh || exit 1

+ . /usr/share/beakerlib/beakerlib.sh || exit 1

+ 

+ PACKAGE="iptables"

+ TESTD=$PWD

+ 

+ rlJournalStart

+     rlPhaseStartSetup

+         rlAssertRpm $PACKAGE

+         rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"

+         rlRun "pushd $TmpDir"

+         rlRun "source $TESTD/rules.in" 0 "read ruleset"

+         rlRun "iptables -F"

+         rlRun "ip6tables -F"

+     rlPhaseEnd

+ 

+     rlPhaseStartTest

+         declare -i sane=0

+         for i in ${!rules4[*]}; do

+             let sane++

+             rlRun "iptables ${rules4[$i]}"

+             testrule="${rules4[$i]/-A/-C}"

+             rlRun "iptables $testrule"

+         done

+         for i in ${!rules6[*]}; do

+             let sane++

+             rlRun "ip6tables ${rules6[$i]}"

+             testrule="${rules6[$i]/-A/-C}"

+             rlRun "ip6tables $testrule"

+         done

+         #check itercount

+         if [[ $sane -lt 40 ]]; then

+             rlFail "test insane, do inspect" # rules were not properly loaded!

+         fi

+     rlPhaseEnd

+ 

+     rlPhaseStartCleanup

+         rlRun "iptables -F"

+         rlRun "iptables -t nat -F"

+         rlRun "ip6tables -F"

+         rlRun "popd"

+         rlRun "rm -r $TmpDir" 0 "Removing tmp directory"

+     rlPhaseEnd

+ rlJournalPrintText

+ rlJournalEnd
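Review bot: Setup flushes the host's `iptables` and `ip6tables` filter tables without saving them, and cleanup flushes again, so whatever ruleset the machine had before the test is gone afterwards even though this test's Makefile declares `Destructive: no`. Saving in setup with `rlRun "iptables-save > ipt4.orig"` and restoring in cleanup with `rlRun "iptables-restore < ipt4.orig"` (plus the `ip6tables-save`/`ip6tables-restore` equivalents) would replace the three `-F` lines in cleanup and also cover the nat rule the test adds. If a chain's default policy is DROP, the flush in setup would presumably also cut off remote access for the duration of the test. The `40` in the iteration check is unexplained; `rules.in` as added defines 44 rules, and a short comment saying what the threshold guards against would help.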

@@ -0,0 +1,63 @@ 

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Makefile of /CoreOS/iptables/Regression/TRACE-target-of-iptables-can-t-work-in

+ #   Description: Test for TRACE target of iptables can't work in

+ #   Author: Tomas Dolezal <todoleza@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Copyright (c) 2016 Red Hat, Inc.

+ #

+ #   This program is free software: you can redistribute it and/or

+ #   modify it under the terms of the GNU General Public License as

+ #   published by the Free Software Foundation, either version 2 of

+ #   the License, or (at your option) any later version.

+ #

+ #   This program is distributed in the hope that it will be

+ #   useful, but WITHOUT ANY WARRANTY; without even the implied

+ #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

+ #   PURPOSE.  See the GNU General Public License for more details.

+ #

+ #   You should have received a copy of the GNU General Public License

+ #   along with this program. If not, see http://www.gnu.org/licenses/.

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ export TEST=/CoreOS/iptables/Regression/TRACE-target-of-iptables-can-t-work-in

+ export TESTVERSION=1.0

+ 

+ BUILT_FILES=

+ 

+ FILES=$(METADATA) runtest.sh Makefile PURPOSE

+ 

+ .PHONY: all install download clean

+ 

+ run: $(FILES) build

+ 	./runtest.sh

+ 

+ build: $(BUILT_FILES)

+ 	test -x runtest.sh || chmod a+x runtest.sh

+ 

+ clean:

+ 	rm -f *~ $(BUILT_FILES)

+ 

+ 

+ include /usr/share/rhts/lib/rhts-make.include

+ 

+ $(METADATA): Makefile

+ 	@echo "Owner:           Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)

+ 	@echo "Name:            $(TEST)" >> $(METADATA)

+ 	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)

+ 	@echo "Path:            $(TEST_DIR)" >> $(METADATA)

+ 	@echo "Description:     Test for TRACE target of iptables can't work in" >> $(METADATA)

+ 	@echo "Type:            Regression" >> $(METADATA)

+ 	@echo "TestTime:        5m" >> $(METADATA)

+ 	@echo "RunFor:          iptables" >> $(METADATA)

+ 	@echo "Requires:        iptables iptables-services" >> $(METADATA)

+ 	@echo "Priority:        Normal" >> $(METADATA)

+ 	@echo "License:         GPLv2+" >> $(METADATA)

+ 	@echo "Confidential:    no" >> $(METADATA)

+ 	@echo "Destructive:     no" >> $(METADATA)

+ 	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)

+ 

+ 	rhts-lint $(METADATA)

@@ -0,0 +1,4 @@ 

+ PURPOSE of /CoreOS/iptables/Regression/TRACE-target-of-iptables-can-t-work-in

+ Description: Test for TRACE target of iptables can't work in

+ Author: Tomas Dolezal <todoleza@redhat.com>

+ Bug summary: TRACE target of iptables can't work in RHEL7.1/RHEL7.2

@@ -0,0 +1,136 @@ 

+ #!/bin/bash

+ # vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   runtest.sh of /CoreOS/iptables/Regression/TRACE-target-of-iptables-can-t-work-in

+ #   Description: Test for TRACE target of iptables can't work in

+ #   Author: Tomas Dolezal <todoleza@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Copyright (c) 2016 Red Hat, Inc.

+ #

+ #   This program is free software: you can redistribute it and/or

+ #   modify it under the terms of the GNU General Public License as

+ #   published by the Free Software Foundation, either version 2 of

+ #   the License, or (at your option) any later version.

+ #

+ #   This program is distributed in the hope that it will be

+ #   useful, but WITHOUT ANY WARRANTY; without even the implied

+ #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

+ #   PURPOSE.  See the GNU General Public License for more details.

+ #

+ #   You should have received a copy of the GNU General Public License

+ #   along with this program. If not, see http://www.gnu.org/licenses/.

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ # Include Beaker environment

+ . /usr/bin/rhts-environment.sh || exit 1

+ . /usr/share/beakerlib/beakerlib.sh || exit 1

+ 

+ PACKAGE="iptables"

+ SERVICES="iptables ip6tables firewalld"

+ 

+ prepare_page() {

+     section=$1

+     name=$2

+     dest=${name}.manpage

+     zcat /usr/share/man/man${section}/${name}.${section}.gz | tr -s ' ' > ${dest}

+     rlAssertExists ${dest}

+ }

+ 

+ rlJournalStart

+     rlPhaseStartSetup

+         rlAssertRpm $PACKAGE

+         # rlAssertRpm kernel

+         rlLogInfo $(uname -r)

+         rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"

+         rlRun "pushd $TmpDir"

+         prepare_page 8 iptables-extensions

+         for svc in $SERVICES; do

+             rlServiceStop $svc

+         done

+         rlRun "ip -4 -o r | grep default | head -1 | sed -re 's/.*dev ((\.|\w)+).*/\1/' > default-iface"

+         IFACE="$(< default-iface)"

+         rlAssertExists "/sys/class/net/$IFACE"

+         rlRun "ip route save > ip-route.save" 0 "save routing info"

+         rlRun "ip -6 route save > ip-route.save6" 0 "save ipv6 routing info"

+         rlRun "ip -6 r add default dev $IFACE" 0,2 "add ipv6 default route"

+         rlRun "rmmod nf_log_ipv4" 0,1

+         rlRun "rmmod nf_log_ipv6" 0,1

+     rlPhaseEnd

+ 

+     rlPhaseStartTest "manpage check"

+         rlAssertGrep "nfnetlink_log" iptables-extensions.manpage

+         if rlIsRHEL 7 && rlIsRHEL '>=7.3' ; then

+             # RHEL version-specific libxt_TRACE man page patchs

+             rlAssertGrep "nf_log_ipv4(6)" iptables-extensions.manpage

+             rlAssertNotGrep "ip(...)?t_LOG" iptables-extensions.manpage -Ei

+         fi

+     rlPhaseEnd

+ 

+     ipv4_ping() {

+         rlRun "ping -i 0.2 -c 3 -W 1 192.0.2.99" 0,1 "ipv4 icmp out (ping)"

+     }

+     ipv6_ping() {

+         rlRun "ping6 -i 0.2 -c 3 -W 1 2001:DB8::99" 0,1 "ipv6 icmp out (ping6)"

+     }

+     get_messages() {

+         if rlIsFedora; then

+             journalctl -qkb

+         else

+             cat /var/log/messages

+         fi

+     }

+ 

+     rlPhaseStartTest "iptables_TRACE"

+         rlRun "get_messages > messages.log-orig"

+         rlRun "iptables -t raw -I OUTPUT -p icmp -j TRACE" 0

+         rlRun "ip6tables -t raw -I OUTPUT -p icmpv6 -j TRACE" 0

+         if rlTestVersion "$(uname -r)" "<" "4.6"; then

+             ipv4_ping; ipv6_ping

+             rlRun "get_messages > messages.current"

+ 

+             rlRun "diff messages.log-orig messages.current > diff.1" 0,1

+             echo --debug_START--

+             cat diff.1

+             echo --debug_END--

+             rlRun "modprobe nf_log_ipv4" 0 "load ipv4 TRACE logging module"

+             rlRun "modprobe nf_log_ipv6" 0 "load ipv6 TRACE logging module"

+             rlAssertNotGrep "TRACE" diff.1

+         else

+             rlLogInfo "new kernel detected: skipping loading modules and associated checks"

+         fi

+         ipv4_ping; ipv6_ping

+         rlRun "get_messages > messages.current"

+ 

+         rlRun "diff messages.log-orig messages.current > diff.2" 0,1

+         rlAssertGrep "TRACE" diff.2

+         rlAssertGrep "TRACE.*PROTO=ICMP " diff.2

+         rlAssertGrep "TRACE.*PROTO=ICMPv6 " diff.2

+         echo --debug_START--

+         cat diff.2

+         echo --debug_END--

+     rlPhaseEnd

+ 

+     rlPhaseStartCleanup

+         rlRun "ip route flush default" 0 "flush ip route data"

+         rlRun "ip -6 route flush default" 0 "flush ipv6 route data"

+         rlRun "ip route restore < ip-route.save" 0 "restore routing info"

+         rlRun "ip -6 route restore < ip-route.save6" 0 "restore routing info ipv6"

+         rlRun "iptables -t raw -F"

+         rlRun "ip6tables -t raw -F"

+         rlRun "rmmod nf_log_ipv4"

+         rlRun "rmmod nf_log_ipv6"

+         rlRun "rmmod nf_log_common"

+         rlRun "rmmod nfnetlink_log" 0,1

+         rlLogInfo "restoring services"

+         for svc in $SERVICES; do

+             rlServiceRestore $svc

+         done

+         rlRun "popd"

+         rlRun "rm -r $TmpDir" 0 "Removing tmp directory"

+     rlPhaseEnd

+ rlJournalPrintText

+ rlJournalEnd
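Review bot: `rlAssertExists "/sys/class/net/$IFACE"` in setup cannot catch a failed interface lookup. When the `ip -4 -o r | grep default` pipeline yields nothing, `rlRun` still sees the exit status of the trailing `sed`, `IFACE` is empty, and the asserted path is the `/sys/class/net/` directory, which exists. The later `ip -6 r add default dev $IFACE` then runs without a device name. An explicit check right after the assignment, `rlRun "[[ -n '$IFACE' ]]" 0 "default IPv4 interface found"`, would fail the setup visibly. In cleanup, `iptables -t raw -F` and `ip6tables -t raw -F` remove every raw-table rule rather than the two TRACE rules the test inserted; deleting those with `-D` would leave unrelated rules alone.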

@@ -0,0 +1,63 @@ 

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Makefile of /CoreOS/iptables/Sanity/backport-iptables-add-libxt-cgroup-frontend

+ #   Description: Test for backport iptables add libxt_cgroup frontend

+ #   Author: Tomas Dolezal <todoleza@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Copyright (c) 2015 Red Hat, Inc.

+ #

+ #   This program is free software: you can redistribute it and/or

+ #   modify it under the terms of the GNU General Public License as

+ #   published by the Free Software Foundation, either version 2 of

+ #   the License, or (at your option) any later version.

+ #

+ #   This program is distributed in the hope that it will be

+ #   useful, but WITHOUT ANY WARRANTY; without even the implied

+ #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

+ #   PURPOSE.  See the GNU General Public License for more details.

+ #

+ #   You should have received a copy of the GNU General Public License

+ #   along with this program. If not, see http://www.gnu.org/licenses/.

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ export TEST=/CoreOS/iptables/Sanity/backport-iptables-add-libxt-cgroup-frontend

+ export TESTVERSION=1.0

+ 

+ BUILT_FILES=

+ 

+ FILES=$(METADATA) runtest.sh Makefile PURPOSE

+ 

+ .PHONY: all install download clean

+ 

+ run: $(FILES) build

+ 	./runtest.sh

+ 

+ build: $(BUILT_FILES)

+ 	test -x runtest.sh || chmod a+x runtest.sh

+ 

+ clean:

+ 	rm -f *~ $(BUILT_FILES)

+ 

+ 

+ include /usr/share/rhts/lib/rhts-make.include

+ 

+ $(METADATA): Makefile

+ 	@echo "Owner:           Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)

+ 	@echo "Name:            $(TEST)" >> $(METADATA)

+ 	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)

+ 	@echo "Path:            $(TEST_DIR)" >> $(METADATA)

+ 	@echo "Description:     Test for backport iptables add libxt_cgroup frontend" >> $(METADATA)

+ 	@echo "Type:            Sanity" >> $(METADATA)

+ 	@echo "TestTime:        5m" >> $(METADATA)

+ 	@echo "RunFor:          iptables" >> $(METADATA)

+ 	@echo "Requires:        iptables libcgroup-tools" >> $(METADATA)

+ 	@echo "Priority:        Normal" >> $(METADATA)

+ 	@echo "License:         GPLv2+" >> $(METADATA)

+ 	@echo "Confidential:    no" >> $(METADATA)

+ 	@echo "Destructive:     no" >> $(METADATA)

+ 	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)

+ 

+ 	rhts-lint $(METADATA)

@@ -0,0 +1,4 @@ 

+ PURPOSE of /CoreOS/iptables/Sanity/backport-iptables-add-libxt-cgroup-frontend

+ Description: Test for backport iptables add libxt_cgroup frontend

+ Author: Tomas Dolezal <todoleza@redhat.com>

+ Bug summary: Backport: iptables: add libxt_cgroup frontend

@@ -0,0 +1,111 @@ 

+ #!/bin/bash

+ # vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   runtest.sh of /CoreOS/iptables/Sanity/backport-iptables-add-libxt-cgroup-frontend

+ #   Description: Test for backport iptables add libxt_cgroup frontend

+ #   Author: Tomas Dolezal <todoleza@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Copyright (c) 2015 Red Hat, Inc.

+ #

+ #   This program is free software: you can redistribute it and/or

+ #   modify it under the terms of the GNU General Public License as

+ #   published by the Free Software Foundation, either version 2 of

+ #   the License, or (at your option) any later version.

+ #

+ #   This program is distributed in the hope that it will be

+ #   useful, but WITHOUT ANY WARRANTY; without even the implied

+ #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

+ #   PURPOSE.  See the GNU General Public License for more details.

+ #

+ #   You should have received a copy of the GNU General Public License

+ #   along with this program. If not, see http://www.gnu.org/licenses/.

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ # Include Beaker environment

+ . /usr/bin/rhts-environment.sh || exit 1

+ . /usr/share/beakerlib/beakerlib.sh || exit 1

+ 

+ PACKAGE="iptables"

+ CGNUM="15"

+ CGNAME="15"

+ CGDIR="/sys/fs/cgroup/net_cls/$CGNAME"

+ DEST_IP4="192.0.2.99" # TEST-NET-1

+ DEST_IP42="192.0.2.199" # TEST-NET-1

+ DEST_IP6="2001:0db8:0000:0000:0000:0000:0000:abc0" #has to be expanded due to matching !

+ DEST_IP62="2001:0db8:0000:0000:0000:0000:0000:abc1"

+ SKIP6=false

+ 

+ rlJournalStart

+     rlPhaseStartSetup

+         rlAssertRpm $PACKAGE

+         # rlAssertRpm kernel-$(uname -r)

+         rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"

+         rlRun "pushd $TmpDir"

+         if rlIsRHEL '>=7'; then

+             rlServiceStop firewalld

+             sleep 1

+         fi

+         rlLogInfo "check if net_cls cgroup is present"

+         rlAssertGrep "cgroup.*net_cls" /proc/mounts

+         rlRun "cgcreate -g net_cls:$CGNAME" 0 "create cgroup '15'"

+         rlRun "echo $CGNUM > $CGDIR/net_cls.classid" 0 "assign numerical id to cgroup"

+     rlPhaseEnd

+ 

+     rlPhaseStartTest

+         ping -W 1 -c 30 $DEST_IP4 &

+         PING4_P1=$! EC4=$?

+         ping -W 1 -c 30 $DEST_IP42 &

+         PING4_P2=$! EC42=$?

+         rlRun "[[ $EC4 -eq 0 && $EC42 -eq 0 ]]" 0 "ping ipv4 running to $DEST_IP4, $DEST_IP42"

+ 

+         ping6 -W 1 -c 30 $DEST_IP6 &

+         PING6_P1=$! EC6=$?

+         sleep 1

+         if [[ $EC6 -eq 2 ]] || ! kill -0 $PING6_P1 2>/dev/null; then

+             rlLogInfo "skipping ipv6 test, network stack unavailable"

+             SKIP6=true

+         else

+             ping6 -W 1 -c 30 $DEST_IP62 &

+             PING6_P2=$!

+             rlRun "kill -0 $PING6_P1 && kill -0 $PING6_P2" 0 "ping ipv6 running to $DEST_IP6, $DEST_IP62"

+         fi

+         journalctl -fkb > dmesg.out &

+         DMESG_P=$!

+         echo > dmesg.out # clear dmesg out

+ 

+         rlRun "iptables -A OUTPUT -m cgroup --cgroup $CGNUM -j LOG"

+         rlRun "ip6tables -A OUTPUT -m cgroup --cgroup $CGNUM -j LOG"

+ 

+         rlRun "echo $PING4_P2 >> $CGDIR/tasks" 0 "Add second ping to cgroup '15'"

+         $SKIP6 || rlRun "echo $PING6_P2 >> $CGDIR/tasks" 0 "Add second ping6 to cgroup '15'"

+         cat $CGDIR/tasks

+         sleep 10

+         cat dmesg.out

+         rlAssertGrep "$DEST_IP42" dmesg.out

+         $SKIP6 || rlAssertGrep "$DEST_IP62" dmesg.out

+         rlAssertNotGrep "$DEST_IP4" dmesg.out

+         rlAssertNotGrep "$DEST_IP6" dmesg.out

+     rlPhaseEnd

+ 

+     rlPhaseStartCleanup

+         kill $DMESG_P

+         # pings die after 30s of execution either way

+         kill $PING4_P1

+         kill $PING4_P2

+         $SKIP6 || kill $PING6_P1

+         $SKIP6 || kill $PING6_P2

+         sleep 1

+ 

+         rlRun "iptables -F" 0 "cleanup iptables"

+         rlRun "ip6tables -F" 0 "cleanup ip6tables"

+         rlServiceRestore firewalld

+         rlRun "cgdelete -g net_cls:$CGNAME" 0 "delete cgroup"

+         rlRun "popd"

+         rlRun "rm -r $TmpDir" 0 "Removing tmp directory"

+     rlPhaseEnd

+ rlJournalPrintText

+ rlJournalEnd
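Review bot: Cleanup runs `iptables -F` and `ip6tables -F`, which empties every chain of the filter table instead of removing the two LOG rules the test added, and setup saves no copy of the previous ruleset. On a host whose rules are not managed by firewalld, the packet filter stays empty after the test, although the Makefile metadata declares `Destructive: no`. Delete only what was added, e.g. `rlRun "iptables -D OUTPUT -m cgroup --cgroup $CGNUM -j LOG"` plus the `ip6tables` equivalent, or take an `iptables-save` backup in setup and restore it in cleanup. Separately, `EC4=$?` after a backgrounded `ping ... &` is always 0, so `rlRun "[[ $EC4 -eq 0 && $EC42 -eq 0 ]]"` cannot fail and `$EC6 -eq 2` is never true; a `kill -0 $PING4_P1 && kill -0 $PING4_P2` check, as already used for ping6, would test what the message claims.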

@@ -0,0 +1,63 @@ 

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Makefile of /CoreOS/iptables/Sanity/initscript-sanity

+ #   Description: initscript-sanity

+ #   Author: Tomas Dolezal <todoleza@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Copyright (c) 2016 Red Hat, Inc.

+ #

+ #   This program is free software: you can redistribute it and/or

+ #   modify it under the terms of the GNU General Public License as

+ #   published by the Free Software Foundation, either version 2 of

+ #   the License, or (at your option) any later version.

+ #

+ #   This program is distributed in the hope that it will be

+ #   useful, but WITHOUT ANY WARRANTY; without even the implied

+ #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

+ #   PURPOSE.  See the GNU General Public License for more details.

+ #

+ #   You should have received a copy of the GNU General Public License

+ #   along with this program. If not, see http://www.gnu.org/licenses/.

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ export TEST=/CoreOS/iptables/Sanity/initscript-sanity

+ export TESTVERSION=1.0

+ 

+ BUILT_FILES=

+ 

+ FILES=$(METADATA) runtest.sh Makefile PURPOSE

+ 

+ .PHONY: all install download clean

+ 

+ run: $(FILES) build

+ 	./runtest.sh

+ 

+ build: $(BUILT_FILES)

+ 	test -x runtest.sh || chmod a+x runtest.sh

+ 

+ clean:

+ 	rm -f *~ $(BUILT_FILES)

+ 

+ 

+ include /usr/share/rhts/lib/rhts-make.include

+ 

+ $(METADATA): Makefile

+ 	@echo "Owner:           Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)

+ 	@echo "Name:            $(TEST)" >> $(METADATA)

+ 	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)

+ 	@echo "Path:            $(TEST_DIR)" >> $(METADATA)

+ 	@echo "Description:     initscript-sanity" >> $(METADATA)

+ 	@echo "Type:            Sanity" >> $(METADATA)

+ 	@echo "TestTime:        5m" >> $(METADATA)

+ 	@echo "RunFor:          iptables" >> $(METADATA)

+ 	@echo "Requires:        iptables iptables-services" >> $(METADATA)

+ 	@echo "Priority:        Normal" >> $(METADATA)

+ 	@echo "License:         GPLv2+" >> $(METADATA)

+ 	@echo "Confidential:    no" >> $(METADATA)

+ 	@echo "Destructive:     no" >> $(METADATA)

+ 	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)

+ 

+ 	rhts-lint $(METADATA)
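Review bot: `.PHONY: all install download clean` omits `run` and `build`, the two command targets this Makefile defines itself. Unless the included rhts-make.include declares them (not visible here), a stray file named `run` or `build` in the test directory would make them look up to date; suggest `.PHONY: all install download clean run build`. The `$(METADATA)` recipe also builds the file line by line and only then runs `rhts-lint`, so a lint failure leaves a complete-looking metadata file behind that the next `make` treats as current; adding `.DELETE_ON_ERROR:` would remove it. The same template is repeated in the other Makefile hunks on this page.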

@@ -0,0 +1,4 @@ 

+ PURPOSE of /CoreOS/iptables/Sanity/initscript-sanity

+ Description: initscript-sanity

+ Author: Tomas Dolezal <todoleza@redhat.com>

+ Bug summary: Can not "service iptables save": restorecon not found

@@ -0,0 +1,56 @@ 

+ #!/bin/bash

+ # vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   runtest.sh of /CoreOS/iptables/Sanity/initscript-sanity

+ #   Description: initscript-sanity

+ #   Author: Tomas Dolezal <todoleza@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Copyright (c) 2016 Red Hat, Inc.

+ #

+ #   This program is free software: you can redistribute it and/or

+ #   modify it under the terms of the GNU General Public License as

+ #   published by the Free Software Foundation, either version 2 of

+ #   the License, or (at your option) any later version.

+ #

+ #   This program is distributed in the hope that it will be

+ #   useful, but WITHOUT ANY WARRANTY; without even the implied

+ #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

+ #   PURPOSE.  See the GNU General Public License for more details.

+ #

+ #   You should have received a copy of the GNU General Public License

+ #   along with this program. If not, see http://www.gnu.org/licenses/.

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ # Include Beaker environment

+ . /usr/bin/rhts-environment.sh || exit 1

+ . /usr/share/beakerlib/beakerlib.sh || exit 1

+ 

+ PACKAGE="iptables"

+ 

+ rlJournalStart

+     rlPhaseStartSetup

+         rlAssertRpm $PACKAGE

+         rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"

+         rlRun "pushd $TmpDir"

+     rlPhaseEnd

+ 

+     rlPhaseStartTest

+         rlLogInfo 'Can not "service iptables save": restorecon not found'

+         if rlIsRHEL 6 7 ; then

+             rlAssertGrep '[ ! -x "$RESTORECON" ] && RESTORECON=/bin/true' /usr/libexec/iptables/iptables.init

+             rlAssertGrep '[ ! -x "$RESTORECON" ] && RESTORECON=/bin/true' /usr/libexec/iptables/ip6tables.init

+         else

+ 	    rlLogInfo 'skipping: test not applicable to this OS release'

+         fi

+     rlPhaseEnd

+ 

+     rlPhaseStartCleanup

+         rlRun "popd"

+         rlRun "rm -r $TmpDir" 0 "Removing tmp directory"

+     rlPhaseEnd

+ rlJournalPrintText

+ rlJournalEnd
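Review bot: The pattern `'[ ! -x "$RESTORECON" ] && RESTORECON=/bin/true'` is handed to grep as a regular expression, so the leading `[ ... ]` is read as a bracket expression matching one character, not as the literal shell test. Both `rlAssertGrep` lines therefore pass on any line where some character in that set precedes ` && RESTORECON=/bin/true`, and the `-x "$RESTORECON"` guard itself is never verified. Passing a fixed-string option as the third argument pins the literal line, e.g. `rlAssertGrep '[ ! -x "$RESTORECON" ] && RESTORECON=/bin/true' /usr/libexec/iptables/iptables.init -F`, and likewise for ip6tables.init.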

file added
+3

@@ -0,0 +1,3 @@ 

+ #!/bin/bash

+ export TEST_DOCKER_EXTRA_ARGS="--privileged"

+ exec merge-standard-inventory "$@"
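Review bot: Nothing in this script records why the test container has to run with `--privileged`, which removes most container isolation (all capabilities, host devices) for every test in the suite. A comment above the export would make the trade-off explicit, e.g. `# iptables, netns and cgroup tests need kernel network access; --privileged drops container isolation, so run only on disposable test hosts`. If the tests turn out to work with a narrower grant, passing only that in `TEST_DOCKER_EXTRA_ARGS` would be preferable; that cannot be judged from this hunk.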

@@ -0,0 +1,62 @@ 

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Makefile of /CoreOS/iptables/Regression/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets

+ #   Description: Test for while adding iptables rules with ipv6 sets in

+ #   Author: Tomas Dolezal <todoleza@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Copyright (c) 2014 Red Hat, Inc.

+ #

+ #   This program is free software: you can redistribute it and/or

+ #   modify it under the terms of the GNU General Public License as

+ #   published by the Free Software Foundation, either version 2 of

+ #   the License, or (at your option) any later version.

+ #

+ #   This program is distributed in the hope that it will be

+ #   useful, but WITHOUT ANY WARRANTY; without even the implied

+ #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

+ #   PURPOSE.  See the GNU General Public License for more details.

+ #

+ #   You should have received a copy of the GNU General Public License

+ #   along with this program. If not, see http://www.gnu.org/licenses/.

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ export TEST=/CoreOS/iptables/Regression/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets

+ export TESTVERSION=1.0

+ 

+ BUILT_FILES=

+ 

+ FILES=$(METADATA) runtest.sh Makefile PURPOSE

+ 

+ .PHONY: all install download clean

+ 

+ run: $(FILES) build

+ 	./runtest.sh

+ 

+ build: $(BUILT_FILES)

+ 	test -x runtest.sh || chmod a+x runtest.sh

+ 

+ clean:

+ 	rm -f *~ $(BUILT_FILES)

+ 

+ 

+ include /usr/share/rhts/lib/rhts-make.include

+ 

+ $(METADATA): Makefile

+ 	@echo "Owner:           Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)

+ 	@echo "Name:            $(TEST)" >> $(METADATA)

+ 	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)

+ 	@echo "Path:            $(TEST_DIR)" >> $(METADATA)

+ 	@echo "Description:     Test for while adding iptables rules with ipv6 sets in" >> $(METADATA)

+ 	@echo "Type:            Regression" >> $(METADATA)

+ 	@echo "TestTime:        5m" >> $(METADATA)

+ 	@echo "RunFor:          iptables" >> $(METADATA)

+ 	@echo "Requires:        iptables bridge-utils ipset" >> $(METADATA)

+ 	@echo "Priority:        Normal" >> $(METADATA)

+ 	@echo "License:         GPLv2+" >> $(METADATA)

+ 	@echo "Confidential:    no" >> $(METADATA)

+ 	@echo "Destructive:     no" >> $(METADATA)

+ 

+ 	rhts-lint $(METADATA)

@@ -0,0 +1,4 @@ 

+ PURPOSE of /CoreOS/iptables/Regression/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets

+ Description: Test for while adding iptables rules with ipv6 sets in

+ Author: Tomas Dolezal <todoleza@redhat.com>

+ Bug summary: while adding iptables rules with ipv6 sets in destination direction, either individually or combined with source we see error messages.

@@ -0,0 +1,85 @@ 

+ #!/bin/bash

+ # vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   runtest.sh of /CoreOS/iptables/Regression/ip6tables-do-not-accept-dst-or-src-direction-on-ip6sets

+ #   Description: Test for while adding iptables rules with ipv6 sets in

+ #   Author: Tomas Dolezal <todoleza@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Copyright (c) 2014 Red Hat, Inc.

+ #

+ #   This program is free software: you can redistribute it and/or

+ #   modify it under the terms of the GNU General Public License as

+ #   published by the Free Software Foundation, either version 2 of

+ #   the License, or (at your option) any later version.

+ #

+ #   This program is distributed in the hope that it will be

+ #   useful, but WITHOUT ANY WARRANTY; without even the implied

+ #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

+ #   PURPOSE.  See the GNU General Public License for more details.

+ #

+ #   You should have received a copy of the GNU General Public License

+ #   along with this program. If not, see http://www.gnu.org/licenses/.

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ # Include Beaker environment

+ . /usr/bin/rhts-environment.sh || exit 1

+ . /usr/share/beakerlib/beakerlib.sh || exit 1

+ 

+ PACKAGE="iptables"

+ 

+ rlJournalStart

+     rlPhaseStartSetup

+         rlAssertRpm $PACKAGE

+         rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"

+         rlRun "pushd $TmpDir"

+         rlRun "ip6tables-save > ip6tables.backup"

+         rlRun "iptables-save > iptables.backup"

+         rlRun "brctl addbr testbr" 0 "create bridge iface"

+     rlPhaseEnd

+ 

+     rlPhaseStartTest

+         rlRun "ipset create ipsetv6 hash:net timeout 60 family inet6" 0 "Create hash:net ipset for ipv6"

+         rlRun "ipset create ipsetv4 hash:net timeout 60 family inet" 0  "Create hash:net ipset for ipv4"

+         rlRun "ipset list ipsetv6" 0 "verify ipsetv6 presence"

+         rlRun "ipset list ipsetv4" 0 "verify ipsetv4 presence"

+ #        echo waiting; read; echo cont

+         checkRule() {

+             binary="$1"

+             comment="$2"

+             rlRun "$binary -t mangle $RULE" 0 "$comment"

+             rlRun "$binary-save | grep -qe '$RULE'" 0 "verify rule"

+         }

+         for i in dst src dst,src src,dst; do

+             # 6,4 (+)

+             RULE="-A PREROUTING -i testbr -m set --match-set ipsetv6 $i -j ACCEPT"

+             checkRule ip6tables "[ipv6] direction: $i. adding ip6tables rule to match set"

+             RULE="-A PREROUTING -i testbr -m set --match-set ipsetv4 $i -j ACCEPT"

+             checkRule iptables  "[ipv4] direction: $i. adding iptables rule to match set"

+ 

+             # 6,4 (-)

+             RULE="-A PREROUTING -i testbr -m set ! --match-set ipsetv6 $i -j ACCEPT"

+             checkRule ip6tables "[ipv6] direction: $i. adding negated ip6tables rule to match set"

+             RULE="-A PREROUTING -i testbr -m set ! --match-set ipsetv4 $i -j ACCEPT"

+             checkRule iptables  "[ipv4] direction: $i. adding negated iptables rule to match set"

+         done

+         ip6tables-save

+     rlPhaseEnd

+ 

+     rlPhaseStartCleanup

+         rlRun "ip6tables -t mangle -F"

+         rlRun "iptables -t mangle -F"

+         rlRun "ip6tables-restore < ip6tables.backup"

+         rlRun "iptables-restore < iptables.backup"

+         rlRun "ip link set down dev testbr"

+         rlRun "brctl delbr testbr" 0 "remove bridge iface"

+         rlRun "ipset destroy ipsetv6" 0 "remove ipv6 ipset"

+         rlRun "ipset destroy ipsetv4" 0 "remove ipv4 ipset"

+         rlRun "popd"

+         rlRun "rm -r $TmpDir" 0 "Removing tmp directory"

+     rlPhaseEnd

+ rlJournalPrintText

+ rlJournalEnd
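Review bot: `checkRule` assigns `binary` and `comment` without `local` and reads the rule from the global `RULE`, so the helper leaks names into the journal scope and depends on the caller having set a variable it never receives. Its verification `grep -qe '$RULE'` treats the rule text as a regular expression and searches every table of the `-save` output, not just mangle. Suggest `local binary="$1" comment="$2"` and `rlRun "$binary-save -t mangle | grep -qFe '$RULE'" 0 "verify rule"`, with a one-line comment above the function stating that it expects `RULE` to be set by the caller. The commented-out `echo waiting; read; echo cont` debug line can be dropped.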

@@ -0,0 +1,63 @@ 

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Makefile of /CoreOS/iptables/Regression/ip6tables-service-does-not-allow-dhcpv6-client-by

+ #   Description: Test for ip6tables service does not allow dhcpv6-client by

+ #   Author: Tomas Dolezal <todoleza@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Copyright (c) 2015 Red Hat, Inc.

+ #

+ #   This program is free software: you can redistribute it and/or

+ #   modify it under the terms of the GNU General Public License as

+ #   published by the Free Software Foundation, either version 2 of

+ #   the License, or (at your option) any later version.

+ #

+ #   This program is distributed in the hope that it will be

+ #   useful, but WITHOUT ANY WARRANTY; without even the implied

+ #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

+ #   PURPOSE.  See the GNU General Public License for more details.

+ #

+ #   You should have received a copy of the GNU General Public License

+ #   along with this program. If not, see http://www.gnu.org/licenses/.

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ export TEST=/CoreOS/iptables/Regression/ip6tables-service-does-not-allow-dhcpv6-client-by

+ export TESTVERSION=1.0

+ 

+ BUILT_FILES=

+ 

+ FILES=$(METADATA) runtest.sh Makefile PURPOSE

+ 

+ .PHONY: all install download clean

+ 

+ run: $(FILES) build

+ 	./runtest.sh

+ 

+ build: $(BUILT_FILES)

+ 	test -x runtest.sh || chmod a+x runtest.sh

+ 

+ clean:

+ 	rm -f *~ $(BUILT_FILES)

+ 

+ 

+ include /usr/share/rhts/lib/rhts-make.include

+ 

+ $(METADATA): Makefile

+ 	@echo "Owner:           Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)

+ 	@echo "Name:            $(TEST)" >> $(METADATA)

+ 	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)

+ 	@echo "Path:            $(TEST_DIR)" >> $(METADATA)

+ 	@echo "Description:     Test for ip6tables service does not allow dhcpv6-client by" >> $(METADATA)

+ 	@echo "Type:            Regression" >> $(METADATA)

+ 	@echo "TestTime:        5m" >> $(METADATA)

+ 	@echo "RunFor:          iptables" >> $(METADATA)

+ 	@echo "Requires:        iptables iptables-services" >> $(METADATA)

+ 	@echo "Priority:        Normal" >> $(METADATA)

+ 	@echo "License:         GPLv2+" >> $(METADATA)

+ 	@echo "Confidential:    no" >> $(METADATA)

+ 	@echo "Destructive:     no" >> $(METADATA)

+ 	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)

+ 

+ 	rhts-lint $(METADATA)

@@ -0,0 +1,4 @@ 

+ PURPOSE of /CoreOS/iptables/Regression/ip6tables-service-does-not-allow-dhcpv6-client-by

+ Description: Test for ip6tables service does not allow dhcpv6-client by

+ Author: Tomas Dolezal <todoleza@redhat.com>

+ Bug summary: ip6tables service does not allow dhcpv6-client by default

@@ -0,0 +1,53 @@ 

+ #!/bin/bash

+ # vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   runtest.sh of /CoreOS/iptables/Regression/ip6tables-service-does-not-allow-dhcpv6-client-by

+ #   Description: Test for ip6tables service does not allow dhcpv6-client by

+ #   Author: Tomas Dolezal <todoleza@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Copyright (c) 2015 Red Hat, Inc.

+ #

+ #   This program is free software: you can redistribute it and/or

+ #   modify it under the terms of the GNU General Public License as

+ #   published by the Free Software Foundation, either version 2 of

+ #   the License, or (at your option) any later version.

+ #

+ #   This program is distributed in the hope that it will be

+ #   useful, but WITHOUT ANY WARRANTY; without even the implied

+ #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

+ #   PURPOSE.  See the GNU General Public License for more details.

+ #

+ #   You should have received a copy of the GNU General Public License

+ #   along with this program. If not, see http://www.gnu.org/licenses/.

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ # Include Beaker environment

+ . /usr/bin/rhts-environment.sh || exit 1

+ . /usr/share/beakerlib/beakerlib.sh || exit 1

+ 

+ PACKAGE="iptables"

+ 

+ rlJournalStart

+     rlPhaseStartSetup

+         rlAssertRpm $PACKAGE

+         rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"

+         rlRun "pushd $TmpDir"

+         rlRun "cp /etc/sysconfig/ip6tables ."

+     rlPhaseEnd

+ 

+     rlPhaseStartTest

+         rlRun "sed -ie '/REJECT/,// d' ip6tables" 0 "remove all rejected rules"

+         echo --debug--; cat ip6tables

+         rlAssertGrep "-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT" ip6tables

+     rlPhaseEnd

+ 

+     rlPhaseStartCleanup

+         rlRun "popd"

+         rlRun "rm -r $TmpDir" 0 "Removing tmp directory"

+     rlPhaseEnd

+ rlJournalPrintText

+ rlJournalEnd
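Review bot: In `sed -ie '/REJECT/,// d' ip6tables` the empty second address reuses the last regex, so the range runs from the first REJECT line only to the next REJECT line, not to the end of the file. If the intent is to assert that the dhcpv6 ACCEPT rule sits before the first REJECT, a rule placed after the second REJECT would still survive and the grep would pass. `-ie` is also parsed as `-i` with backup suffix `e`, leaving an `ip6tablese` copy. Suggest `rlRun "sed -i -e '/REJECT/,\$ d' ip6tables" 0 "drop everything from the first REJECT rule on"`.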

@@ -0,0 +1,63 @@ 

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Makefile of /CoreOS/iptables/Regression/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP

+ #   Description: Test for ip6tables -t nat -A POSTROUTING/OUTPUT with DROP

+ #   Author: Tomas Dolezal <todoleza@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Copyright (c) 2016 Red Hat, Inc.

+ #

+ #   This program is free software: you can redistribute it and/or

+ #   modify it under the terms of the GNU General Public License as

+ #   published by the Free Software Foundation, either version 2 of

+ #   the License, or (at your option) any later version.

+ #

+ #   This program is distributed in the hope that it will be

+ #   useful, but WITHOUT ANY WARRANTY; without even the implied

+ #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

+ #   PURPOSE.  See the GNU General Public License for more details.

+ #

+ #   You should have received a copy of the GNU General Public License

+ #   along with this program. If not, see http://www.gnu.org/licenses/.

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ export TEST=/CoreOS/iptables/Regression/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP

+ export TESTVERSION=1.0

+ 

+ BUILT_FILES=

+ 

+ FILES=$(METADATA) runtest.sh Makefile PURPOSE

+ 

+ .PHONY: all install download clean

+ 

+ run: $(FILES) build

+ 	./runtest.sh

+ 

+ build: $(BUILT_FILES)

+ 	test -x runtest.sh || chmod a+x runtest.sh

+ 

+ clean:

+ 	rm -f *~ $(BUILT_FILES)

+ 

+ 

+ include /usr/share/rhts/lib/rhts-make.include

+ 

+ $(METADATA): Makefile

+ 	@echo "Owner:           Tomas Dolezal <todoleza@redhat.com>" > $(METADATA)

+ 	@echo "Name:            $(TEST)" >> $(METADATA)

+ 	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)

+ 	@echo "Path:            $(TEST_DIR)" >> $(METADATA)

+ 	@echo "Description:     Test for ip6tables -t nat -A POSTROUTING/OUTPUT with DROP" >> $(METADATA)

+ 	@echo "Type:            Regression" >> $(METADATA)

+ 	@echo "TestTime:        5m" >> $(METADATA)

+ 	@echo "RunFor:          iptables" >> $(METADATA)

+ 	@echo "Requires:        iptables" >> $(METADATA)

+ 	@echo "Priority:        Normal" >> $(METADATA)

+ 	@echo "License:         GPLv2+" >> $(METADATA)

+ 	@echo "Confidential:    no" >> $(METADATA)

+ 	@echo "Destructive:     no" >> $(METADATA)

+ 	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)

+ 

+ 	rhts-lint $(METADATA)

@@ -0,0 +1,4 @@ 

+ PURPOSE of /CoreOS/iptables/Regression/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP

+ Description: Test for ip6tables -t nat -A POSTROUTING/OUTPUT with DROP

+ Author: Tomas Dolezal <todoleza@redhat.com>

+ Bug summary: ip6tables -t nat -A POSTROUTING/OUTPUT with DROP target can't filter packets

@@ -0,0 +1,20 @@ 

+ #!/bin/sh

+ 

+ ip netns del cs_client >/dev/null 2>&1

+ ip link del veth0 >/dev/null 2>&1

+ 

+ ip netns add cs_client

+ ip link add type veth

+ ip link set veth1 name eth1 netns cs_client

+ 

+ export cs_client_if1=eth1

+ export cs_server_if1=veth0

+ export cs_client_ip1=2001:db8:ffff::1

+ export cs_server_ip1=2001:db8:ffff::2

+ 

+ ip netns exec cs_client ip link set $cs_client_if1 up

+ ip link set $cs_server_if1 up

+ ip netns exec cs_client ip -6 addr add $cs_client_ip1/64 dev $cs_client_if1

+ ip -6 addr add $cs_server_ip1/64 dev $cs_server_if1

+ ip netns exec cs_client ifconfig lo up

+ ifconfig lo up
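Review bot: `ip link add type veth` leaves both interface names to the kernel, while the rest of the script assumes they are `veth0` and `veth1`; on a host that already has veth devices the later `ip link set veth1 ...` would move or configure an interface the test did not create. The unconditional `ip link del veth0` at the top likewise removes any existing `veth0`, whoever owns it. Naming the pair explicitly with test-specific names avoids both, e.g. `ip link add cs_veth0 type veth peer name cs_veth1` with `cs_server_if1` adjusted to match. No command is checked for failure, so a failed `ip netns add` goes unnoticed until the test itself runs. `ifconfig lo up` needs net-tools, which the Makefile's `Requires:` does not list; `ip link set lo up` keeps the script on iproute2 only.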

@@ -0,0 +1,83 @@ 

+ #!/bin/bash

+ # vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   runtest.sh of /CoreOS/iptables/Regression/ip6tables-t-nat-A-POSTROUTING-OUTPUT-with-DROP

+ #   Description: Test for ip6tables -t nat -A POSTROUTING/OUTPUT with DROP

+ #   Author: Tomas Dolezal <todoleza@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~