author | netblue30 <netblue30@yahoo.com> | 2017-11-18 08:39:02 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-11-18 08:39:02 -0500 |
commit | ead4ec3089b97eda1b438da248caf76f169345ad (patch) | |
tree | 31bc22bcba4e6530b5f0daba3f332702efa7a4b9 /test/fnetfilter | |
parent | Consistent home directory nomenclature (diff) | |
netfilter template support
Diffstat (limited to 'test/fnetfilter')
-rwxr-xr-x | test/fnetfilter/cmdline.exp | 37 | ||||
-rwxr-xr-x | test/fnetfilter/copy.exp | 52 | ||||
-rwxr-xr-x | test/fnetfilter/default.exp | 40 | ||||
-rwxr-xr-x | test/fnetfilter/fnetfilter.sh | 28 | ||||
-rw-r--r-- | test/fnetfilter/outlocked | 0 | ||||
-rwxr-xr-x | test/fnetfilter/template.exp | 82 | ||||
-rw-r--r-- | test/fnetfilter/test1.net | 19 | ||||
-rw-r--r-- | test/fnetfilter/test2.net | 19 | ||||
-rw-r--r-- | test/fnetfilter/test3.net | 1 |
9 files changed, 278 insertions, 0 deletions
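diff --git a/test/fnetfilter/cmdline.exp b/test/fnetfilter/cmdline.exp
new file mode 100755
index 000000000..1a0b1c5aa
--- /dev/null
+++ b/test/fnetfilter/cmdline.exp
@@ -0,0 +1,37 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2017 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "fnetfilter\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"Usage:"
+}
+after 100
+
+send -- "fnetfilter -h\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"Usage:"
+}
+after 100
+
+send -- "fnetfilter -h a b c d\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"Usage:"
+}
+after 100
+
+send -- "fnetfilter a b c d\r"
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"Usage:"
+}
+after 100
+puts "\nall done\n"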
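Review bot: The last three timeout handlers all print `TESTING ERROR 2` (file lines 19, 26 and 33), so a failure of the `-h a b c d` or `a b c d` case cannot be told apart from the plain `-h` case in the log. Number them in order, `TESTING ERROR 3` and `TESTING ERROR 4`. Each handler also ends in a bare `exit`, which returns status 0 to whatever runs the script, so the failure is only visible to someone reading the output; `exit 1` would let a driver detect it.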
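diff --git a/test/fnetfilter/copy.exp b/test/fnetfilter/copy.exp
new file mode 100755
index 000000000..65145ec4b
--- /dev/null
+++ b/test/fnetfilter/copy.exp
@@ -0,0 +1,52 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2017 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "rm outfile\r"
+after 100
+
+send -- "fnetfilter test1.net outfile\r"
+after 100
+
+send -- "cat outfile\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"test1"
+}
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"*filter"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"INPUT -m state --state RELATED,ESTABLISHED"
+}
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"disable STUN"
+}
+after 100
+
+send -- "fnetfilter foo outfile\r"
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"cannot open foo"
+}
+after 100
+
+send -- "fnetfilter test1.net outlocked\r"
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+"cannot open outlocked"
+}
+after 100
+
+send -- "rm outfile\r"
+after 100
+
+puts "\nall done\n"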
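Review bot: The `cannot open outlocked` expectation (file line 45) depends on `outlocked` being unwritable, but git records only the executable bit and the file is committed as mode 100644, so a fresh checkout leaves it owner-writable and fnetfilter will most likely overwrite it instead of failing. The script should establish the condition itself, e.g. `send -- "chmod 0444 outlocked\r"` before that case. Even then the check only holds when the test runs unprivileged; if fnetfilter is run as root here, permission bits will not stop it and a different obstacle (a directory named `outlocked`, for instance) would be needed to make the open fail.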
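diff --git a/test/fnetfilter/default.exp b/test/fnetfilter/default.exp
new file mode 100755
index 000000000..d7c9d91d5
--- /dev/null
+++ b/test/fnetfilter/default.exp
@@ -0,0 +1,40 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2017 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "rm outfile\r"
+after 100
+
+send -- "fnetfilter outfile\r"
+after 100
+
+send -- "cat outfile\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"*filter"
+}
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"INPUT -m state --state RELATED,ESTABLISHED"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"disable STUN"
+}
+after 100
+
+send -- "fnetfilter test1.net,33\r"
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"invalid destination file in netfilter command"
+}
+after 100
+send -- "rm outfile\r"
+after 100
+
+puts "\nall done\n"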
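Review bot: The `"*filter"` pattern at file line 19 is not a literal match: expect patterns are glob-style unless given `-ex`, so `*` matches anything, and the buffer already holds the echoed command `fnetfilter outfile`, whose text ends in `filter`. The expect therefore succeeds before `cat outfile` prints anything and does not verify that the generated file starts with the `*filter` table header; `-ex "*filter"` (or `"\\*filter"`) pins the literal. The same pattern is used in copy.exp and template.exp.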
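diff --git a/test/fnetfilter/fnetfilter.sh b/test/fnetfilter/fnetfilter.sh
new file mode 100755
index 000000000..5fd08d186
--- /dev/null
+++ b/test/fnetfilter/fnetfilter.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2017 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+if [ -f /etc/debian_version ]; then
+libdir=$(dirname "$(dpkg -L firejail | grep fcopy)")
+export PATH="$PATH:$libdir"
+fi
+
+export PATH="$PATH:/usr/lib/firejail"
+
+echo "TESTING: fnetfilter cmdline (test/fnetfilter/cmdline.exp)"
+./cmdline.exp
+
+echo "TESTING: fnetfilter default (test/fnetfilter/default.exp)"
+./default.exp
+
+echo "TESTING: fnetfilter copy (test/fnetfilter/copy.exp)"
+./copy.exp
+
+echo "TESTING: fnetfilter template (test/fnetfilter/template.exp)"
+./template.exp
+
+rm -f outfile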
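Review bot: The driver runs each `.exp` script but discards its exit status, and the scripts themselves `exit` with status 0 on timeout, so this suite can only be judged by reading "TESTING ERROR" lines in the output and can never fail a CI run on its own. Pairing `exit 1` in the expect timeout handlers with `./cmdline.exp || exit 1` (and likewise for the other three) would propagate failures. Separately, `dpkg -L firejail | grep fcopy` on line 10 returns every packaged path containing `fcopy`; should the package ever ship more than one, `dirname` receives a multi-line argument, so `grep -m1 '/fcopy$'` would keep the lookup to the helper binary.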
diff --git a/test/fnetfilter/outlocked b/test/fnetfilter/outlocked new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/test/fnetfilter/outlocked | |||
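diff --git a/test/fnetfilter/template.exp b/test/fnetfilter/template.exp
new file mode 100755
index 000000000..eb57313bd
--- /dev/null
+++ b/test/fnetfilter/template.exp
@@ -0,0 +1,82 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2017 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "rm outfile\r"
+after 100
+
+send -- "fnetfilter test2.net,icmp-type,destination-unreachable,time-exceeded,echo-request,3478,3479 outfile\r"
+after 100
+
+send -- "cat outfile\r"
+expect {
+timeout {puts "TESTING ERROR 1\n";exit}
+"*filter"
+}
+expect {
+timeout {puts "TESTING ERROR 2\n";exit}
+"INPUT -m state --state RELATED,ESTABLISHED"
+}
+expect {
+timeout {puts "TESTING ERROR 3\n";exit}
+"icmp-type echo-reply"
+}
+expect {
+timeout {puts "TESTING ERROR 4\n";exit}
+"icmp-type destination-unreachable"
+}
+expect {
+timeout {puts "TESTING ERROR 5\n";exit}
+"icmp-type time-exceeded"
+}
+expect {
+timeout {puts "TESTING ERROR 6\n";exit}
+"icmp-type echo-request"
+}
+expect {
+timeout {puts "TESTING ERROR 7\n";exit}
+"dport 3478"
+}
+expect {
+timeout {puts "TESTING ERROR 8\n";exit}
+"dport 3479"
+}
+expect {
+timeout {puts "TESTING ERROR 8\n";exit}
+"dport 3478"
+}
+expect {
+timeout {puts "TESTING ERROR 10\n";exit}
+"dport 3479"
+}
+after 100
+
+send -- "fnetfilter test2.net,icmp-type,destination-unreachable,time-exceeded,echo-request outfile\r"
+expect {
+timeout {puts "TESTING ERROR 11\n";exit}
+"ARG5 on line 14 was not defined"
+}
+after 100
+
+send -- "fnetfilter test2.net,icmp-type,destination-unreachable,time-exceeded,echo-request\r"
+expect {
+timeout {puts "TESTING ERROR 12\n";exit}
+"invalid destination file in netfilter command"
+}
+after 100
+
+send -- "fnetfilter test3.net,44 outfile\r"
+expect {
+timeout {puts "TESTING ERROR 13\n";exit}
+"invalid template argument on line 1"
+}
+after 100
+send -- "rm outfile\r"
+after 100
+
+puts "\nall done\n"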
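Review bot: Two timeout handlers print `TESTING ERROR 8` (file lines 46 and 50) and `TESTING ERROR 9` is never used, so a missing tcp `dport 3478` rule is indistinguishable from a missing udp `dport 3479` rule in the log; the second handler should read `TESTING ERROR 9`. The negative cases cover a missing `$ARG5` and a malformed `$ARG` placeholder, but none passes an argument containing whitespace, a newline or an iptables option such as `-j`. Since the substituted values end up in the iptables-restore input that test2.net models, a case asserting that fnetfilter rejects such an argument would be worth adding if it does, and worth a closer look at the helper if it does not.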
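diff --git a/test/fnetfilter/test1.net b/test/fnetfilter/test1.net
new file mode 100644
index 000000000..59bef1443
--- /dev/null
+++ b/test/fnetfilter/test1.net
@@ -0,0 +1,19 @@
+*filter
+# test2
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# echo replay is handled by -m state RELATED/ESTABLISHED above
+#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
+-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+# disable STUN
+-A OUTPUT -p udp --dport 3478 -j DROP
+-A OUTPUT -p udp --dport 3479 -j DROP
+-A OUTPUT -p tcp --dport 3478 -j DROP
+-A OUTPUT -p tcp --dport 3479 -j DROP
+COMMIT
+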
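Review bot: The header comment on file line 2 reads `# test2` although this is test1.net, which looks like a leftover from copying test2.net; it should read `# test1`. This matters for copy.exp, whose first check on the copied output expects the string `test1` — that is currently satisfied by the echoed command line `fnetfilter test1.net outfile` rather than by anything in the file, so the fixture itself needs to carry the marker for the check to prove the copy happened. The comment on file line 8, `echo replay`, should be `echo reply` (the same typo is in test2.net).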
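diff --git a/test/fnetfilter/test2.net b/test/fnetfilter/test2.net
new file mode 100644
index 000000000..a02785413
--- /dev/null
+++ b/test/fnetfilter/test2.net
@@ -0,0 +1,19 @@
+*filter
+# test2
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# echo replay is handled by -m state RELATED/ESTABLISHED above
+#-A INPUT -p icmp --$ARG1 echo-reply -j ACCEPT
+-A INPUT -p icmp --$ARG1 $ARG2 -j ACCEPT
+-A INPUT -p icmp --$ARG1 $ARG3 -j ACCEPT
+-A INPUT -p icmp --$ARG1 $ARG4 -j ACCEPT
+# disable STUN
+-A OUTPUT -p udp --dport $ARG5 -j DROP
+-A OUTPUT -p udp --dport $ARG6 -j DROP
+-A OUTPUT -p tcp --dport $ARG5 -j DROP
+-A OUTPUT -p tcp --dport $ARG6 -j DROP
+COMMIT
+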
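diff --git a/test/fnetfilter/test3.net b/test/fnetfilter/test3.net
new file mode 100644
index 000000000..702cb06b3
--- /dev/null
+++ b/test/fnetfilter/test3.net
@@ -0,0 +1 @@
+asdfasdf $ARG asdfasdfdasf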