netfilter template support

9 files changed, 278 insertions, 0 deletions

diff --git a/test/fnetfilter/cmdline.exp b/test/fnetfilter/cmdline.exp
new file mode 100755
index 000000000..1a0b1c5aa
--- /dev/null
+++ b/test/fnetfilter/cmdline.exp
@@ -0,0 +1,37 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2017 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "fnetfilter\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "Usage:"
+}
+after 100
+
+send -- "fnetfilter -h\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Usage:"
+}
+after 100
+
+send -- "fnetfilter -h a b c d\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Usage:"
+}
+after 100
+
+send -- "fnetfilter a b c d\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Usage:"
+}
+after 100
+puts "\nall done\n"
diff --git a/test/fnetfilter/copy.exp b/test/fnetfilter/copy.exp
new file mode 100755
index 000000000..65145ec4b
--- /dev/null
+++ b/test/fnetfilter/copy.exp
@@ -0,0 +1,52 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2017 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "rm outfile\r"
+after 100
+
+send -- "fnetfilter test1.net outfile\r"
+after 100
+
+send -- "cat outfile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "test1"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "*filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "INPUT -m state --state RELATED,ESTABLISHED"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "disable STUN"
+}
+after 100
+
+send -- "fnetfilter foo outfile\r"
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "cannot open foo"
+}
+after 100
+
+send -- "fnetfilter test1.net outlocked\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "cannot open outlocked"
+}
+after 100
+
+send -- "rm outfile\r"
+after 100
+
+puts "\nall done\n"
diff --git a/test/fnetfilter/default.exp b/test/fnetfilter/default.exp
new file mode 100755
index 000000000..d7c9d91d5
--- /dev/null
+++ b/test/fnetfilter/default.exp
@@ -0,0 +1,40 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2017 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "rm outfile\r"
+after 100
+
+send -- "fnetfilter outfile\r"
+after 100
+
+send -- "cat outfile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "*filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "INPUT -m state --state RELATED,ESTABLISHED"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "disable STUN"
+}
+after 100
+
+send -- "fnetfilter test1.net,33\r"
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "invalid destination file in netfilter command"
+}
+after 100
+send -- "rm outfile\r"
+after 100
+
+puts "\nall done\n"
diff --git a/test/fnetfilter/fnetfilter.sh b/test/fnetfilter/fnetfilter.sh
new file mode 100755
index 000000000..5fd08d186
--- /dev/null
+++ b/test/fnetfilter/fnetfilter.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+# This file is part of Firejail project
+# Copyright (C) 2014-2017 Firejail Authors
+# License GPL v2
+
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+
+if [ -f /etc/debian_version ]; then
+        libdir=$(dirname "$(dpkg -L firejail | grep fcopy)")
+        export PATH="$PATH:$libdir"
+fi
+
+export PATH="$PATH:/usr/lib/firejail"
+
+echo "TESTING: fnetfilter cmdline (test/fnetfilter/cmdline.exp)"
+./cmdline.exp
+
+echo "TESTING: fnetfilter default (test/fnetfilter/default.exp)"
+./default.exp
+
+echo "TESTING: fnetfilter copy (test/fnetfilter/copy.exp)"
+./copy.exp
+
+echo "TESTING: fnetfilter template (test/fnetfilter/template.exp)"
+./template.exp
+
+rm -f outfile
diff --git a/test/fnetfilter/outlocked b/test/fnetfilter/outlocked
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/test/fnetfilter/outlocked
diff --git a/test/fnetfilter/template.exp b/test/fnetfilter/template.exp
new file mode 100755
index 000000000..eb57313bd
--- /dev/null
+++ b/test/fnetfilter/template.exp
@@ -0,0 +1,82 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2017 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "rm outfile\r"
+after 100
+
+send -- "fnetfilter test2.net,icmp-type,destination-unreachable,time-exceeded,echo-request,3478,3479 outfile\r"
+after 100
+
+send -- "cat outfile\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "*filter"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "INPUT -m state --state RELATED,ESTABLISHED"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "icmp-type echo-reply"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "icmp-type destination-unreachable"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "icmp-type time-exceeded"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "icmp-type echo-request"
+}
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "dport 3478"
+}
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "dport 3479"
+}
+expect {
+        timeout {puts "TESTING ERROR 8\n";exit}
+        "dport 3478"
+}
+expect {
+        timeout {puts "TESTING ERROR 10\n";exit}
+        "dport 3479"
+}
+after 100
+
+send -- "fnetfilter test2.net,icmp-type,destination-unreachable,time-exceeded,echo-request outfile\r"
+expect {
+        timeout {puts "TESTING ERROR 11\n";exit}
+        "ARG5 on line 14 was not defined"
+}
+after 100
+
+send -- "fnetfilter test2.net,icmp-type,destination-unreachable,time-exceeded,echo-request\r"
+expect {
+        timeout {puts "TESTING ERROR 12\n";exit}
+        "invalid destination file in netfilter command"
+}
+after 100
+
+send -- "fnetfilter test3.net,44 outfile\r"
+expect {
+        timeout {puts "TESTING ERROR 13\n";exit}
+        "invalid template argument on line 1"
+}
+after 100
+send -- "rm outfile\r"
+after 100
+
+puts "\nall done\n"
diff --git a/test/fnetfilter/test1.net b/test/fnetfilter/test1.net
new file mode 100644
index 000000000..59bef1443
--- /dev/null
+++ b/test/fnetfilter/test1.net
@@ -0,0 +1,19 @@
+*filter
+# test2
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# echo replay is handled by -m state RELATED/ESTABLISHED above
+#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
+-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT 
+# disable STUN
+-A OUTPUT -p udp --dport 3478 -j DROP
+-A OUTPUT -p udp --dport 3479 -j DROP
+-A OUTPUT -p tcp --dport 3478 -j DROP
+-A OUTPUT -p tcp --dport 3479 -j DROP
+COMMIT
+
diff --git a/test/fnetfilter/test2.net b/test/fnetfilter/test2.net
new file mode 100644
index 000000000..a02785413
--- /dev/null
+++ b/test/fnetfilter/test2.net
@@ -0,0 +1,19 @@
+*filter
+# test2
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# echo replay is handled by -m state RELATED/ESTABLISHED above
+#-A INPUT -p icmp --$ARG1 echo-reply -j ACCEPT
+-A INPUT -p icmp --$ARG1 $ARG2 -j ACCEPT
+-A INPUT -p icmp --$ARG1 $ARG3 -j ACCEPT
+-A INPUT -p icmp --$ARG1 $ARG4 -j ACCEPT 
+# disable STUN
+-A OUTPUT -p udp --dport $ARG5 -j DROP
+-A OUTPUT -p udp --dport $ARG6 -j DROP
+-A OUTPUT -p tcp --dport $ARG5 -j DROP
+-A OUTPUT -p tcp --dport $ARG6 -j DROP
+COMMIT
+
diff --git a/test/fnetfilter/test3.net b/test/fnetfilter/test3.net
new file mode 100644
index 000000000..702cb06b3
--- /dev/null
+++ b/test/fnetfilter/test3.net
@@ -0,0 +1 @@
+asdfasdf $ARG asdfasdfdasf