# Copyright 2014 Canonical Ltd.
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 3,
# as published by the Free Software Foundation.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
source "$TESTPATH/../testlib.sh"
# This isn't available everywhere, so we will test it later
# Patch the test tree's copy of backend.py so the IPv6 'route limit'
# capability reads as unsupported (see the note above: it is not available
# everywhere).  NOTE(review): this edits $TESTPATH/lib/python/ufw/backend.py
# in place; nothing in view restores it afterwards.
sed -i "s/self.caps\['route limit'\]\['6'\] = True/self.caps['route limit']['6'] = False/" $TESTPATH/lib/python/ufw/backend.py
echo "Setting IPV6 to $ipv6" >> $TESTTMP/result
sed -i "s/IPV6=.*/IPV6=$ipv6/" $TESTPATH/etc/default/ufw
do_cmd "0" nostats disable
do_cmd "0" nostats enable
echo "TESTING ARGS (route allow/route deny to/from)" >> $TESTTMP/result
do_cmd "0" route allow 53
do_cmd "0" route allow 23/tcp
do_cmd "0" route allow smtp
do_cmd "0" route deny proto tcp to any port 80
do_cmd "0" route deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 25
do_cmd "0" route allow from 10.0.0.0/8
do_cmd "0" route allow from 172.16.0.0/12
do_cmd "0" route allow from 192.168.0.0/16
do_cmd "0" route deny proto udp from 1.2.3.4 to any port 514
do_cmd "0" route allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469
do_cmd "0" route limit 22/tcp
if [ "$ipv6" = "yes" ]; then
do_cmd "0" route deny proto tcp from 2001:db8::/32 to any port 25
do_cmd "0" route deny from 2001:db8::/32 port 26 to 2001:db8:3:4:5:6:7:8
grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result
echo "TESTING ARGS (delete route allow/route deny to/from)" >> $TESTTMP/result
do_cmd "0" route delete allow 53
do_cmd "0" route delete allow 23/tcp
do_cmd "0" route delete allow smtp
do_cmd "0" route delete deny proto tcp to any port 80
do_cmd "0" route delete deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 25
do_cmd "0" route delete allow from 10.0.0.0/8
do_cmd "0" route delete allow from 172.16.0.0/12
do_cmd "0" route delete allow from 192.168.0.0/16
do_cmd "0" route delete deny proto udp from 1.2.3.4 to any port 514
do_cmd "0" route delete allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469
do_cmd "0" route delete limit 22/tcp
if [ "$ipv6" = "yes" ]; then
do_cmd "0" route delete deny proto tcp from 2001:db8::/32 to any port 25
do_cmd "0" route delete deny from 2001:db8::/32 port 26 to 2001:db8:3:4:5:6:7:8
grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result
echo "Checking route reject" >> $TESTTMP/result
echo "Setting IPV6 to $ipv6" >> $TESTTMP/result
sed -i "s/IPV6=.*/IPV6=$ipv6/" $TESTPATH/etc/default/ufw
do_cmd "0" nostats disable
do_cmd "0" nostats enable
do_cmd "0" route reject 113
do_cmd "0" route reject 114/tcp
do_cmd "0" route reject 115/udp
grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result
do_cmd "0" route delete reject 113
do_cmd "0" route delete reject 114/tcp
do_cmd "0" route delete reject 115/udp
grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result
echo "Checking flush builtins" >> $TESTTMP/result
str="ufw_test_builtins"
do_cmd "0" nostats disable
sed -i "s/MANAGE_BUILTINS=.*/MANAGE_BUILTINS=$ans/" $TESTPATH/etc/default/ufw
echo iptables -I FORWARD -j ACCEPT -m comment --comment $str >> $TESTTMP/result
# Plant a rule that ufw did not create into FORWARD, tagged via the comment
# match so it can be found again by its string; the grep of FORWARD after
# 'enable' below records whether ufw left it in place (MANAGE_BUILTINS was
# rewritten just above).  Requires root and touches the live netfilter state.
iptables -I FORWARD -j ACCEPT -m comment --comment $str >> $TESTTMP/result
do_cmd "0" nostats enable
iptables -n -L FORWARD | grep "$str" >> $TESTTMP/result
# Remove the marker rule again.  stderr is discarded deliberately: 'enable'
# may already have flushed the rule (presumably the MANAGE_BUILTINS=yes case —
# confirm), and then -D reports that it does not exist.
iptables -D FORWARD -j ACCEPT -m comment --comment $str 2>/dev/null
echo "Testing status numbered" >> $TESTTMP/result
echo "Setting IPV6 to $ipv6" >> $TESTTMP/result
sed -i "s/IPV6=.*/IPV6=$ipv6/" $TESTPATH/etc/default/ufw
do_cmd "0" nostats disable
do_cmd "0" nostats enable
do_cmd "0" route allow 53
do_cmd "0" route allow 23/tcp
do_cmd "0" route allow smtp
do_cmd "0" route deny proto tcp to any port 80
do_cmd "0" route deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 25
do_cmd "0" route allow from 10.0.0.0/8
do_cmd "0" route allow from 172.16.0.0/12
do_cmd "0" route allow from 192.168.0.0/16
do_cmd "0" route deny proto udp from 1.2.3.4 to any port 514
do_cmd "0" route allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469
do_cmd "0" route limit 22/tcp
if [ "$ipv6" = "yes" ]; then
do_cmd "0" route deny proto tcp from 2001:db8::/32 to any port 25
do_cmd "0" route deny from 2001:db8::/32 port 26 to 2001:db8:3:4:5:6:7:8
do_cmd "0" status numbered
do_cmd "0" route delete allow 53
do_cmd "0" route delete allow 23/tcp
do_cmd "0" route delete allow smtp
do_cmd "0" route delete deny proto tcp to any port 80
do_cmd "0" route delete deny proto tcp from 10.0.0.0/8 to 192.168.0.1 port 25
do_cmd "0" route delete allow from 10.0.0.0/8
do_cmd "0" route delete allow from 172.16.0.0/12
do_cmd "0" route delete allow from 192.168.0.0/16
do_cmd "0" route delete deny proto udp from 1.2.3.4 to any port 514
do_cmd "0" route delete allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469
do_cmd "0" route delete limit 22/tcp
if [ "$ipv6" = "yes" ]; then
do_cmd "0" route delete deny proto tcp from 2001:db8::/32 to any port 25
do_cmd "0" route delete deny from 2001:db8::/32 port 26 to 2001:db8:3:4:5:6:7:8
do_cmd "0" status numbered
echo "Testing interfaces" >> $TESTTMP/result
for i in "in" "out"; do
echo "Setting IPV6 to $ipv6" >> $TESTTMP/result
sed -i "s/IPV6=.*/IPV6=$ipv6/" $TESTPATH/etc/default/ufw
do_cmd "0" nostats disable
do_cmd "0" nostats enable
do_cmd "0" route allow $i on $fake_if
do_cmd "1" null route deny $i on $fake_if:1
do_cmd "0" route reject $i on $fake_if to 192.168.0.1 port 22
do_cmd "0" route limit $i on $fake_if from 10.0.0.1 port 80
do_cmd "0" route allow $i on $fake_if to 192.168.0.1 from 10.0.0.1
do_cmd "0" route deny $i on $fake_if to 192.168.0.1 port 22 from 10.0.0.1
do_cmd "0" route reject $i on $fake_if to 192.168.0.1 from 10.0.0.1 port 80
do_cmd "0" route limit $i on $fake_if to 192.168.0.1 port 22 from 10.0.0.1 port 80
do_cmd "0" route allow $i on $dmz_if log
do_cmd "0" route allow $i on $fake_if log from 192.168.0.1 to 10.0.0.1 port 24 proto tcp
do_cmd "0" route deny $i on $fake_if log-all from 192.168.0.1 to 10.0.0.1 port 25 proto tcp
do_cmd "0" route allow $i on $fake_if to any app Samba
# These hardcode in and out
do_cmd "0" route allow in on $in_if out on $out_if from 192.168.0.1 port 25 to 10.0.0.1 port 25 proto tcp
do_cmd "0" route allow in on $in_if out on $dmz_if
do_cmd "0" status numbered
do_cmd "0" route insert 8 allow $i on $dmz_if to any app Samba
do_cmd "0" status numbered
grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result
# delete what we added
do_cmd "0" route delete allow $i on $fake_if
do_cmd "0" route delete reject $i on $fake_if to 192.168.0.1 port 22
do_cmd "0" route delete limit $i on $fake_if from 10.0.0.1 port 80
do_cmd "0" route delete allow $i on $fake_if to 192.168.0.1 from 10.0.0.1
do_cmd "0" route delete deny $i on $fake_if to 192.168.0.1 port 22 from 10.0.0.1
do_cmd "0" route delete reject $i on $fake_if to 192.168.0.1 from 10.0.0.1 port 80
do_cmd "0" route delete limit $i on $fake_if to 192.168.0.1 port 22 from 10.0.0.1 port 80
do_cmd "0" route delete allow $i on $dmz_if log
do_cmd "0" route delete allow $i on $fake_if log from 192.168.0.1 to 10.0.0.1 port 24 proto tcp
do_cmd "0" route delete deny $i on $fake_if log-all from 192.168.0.1 to 10.0.0.1 port 25 proto tcp
do_cmd "0" route delete allow $i on $fake_if to any app Samba
do_cmd "0" route delete allow $i on $dmz_if to any app Samba
do_cmd "0" route delete allow in on $in_if out on $out_if from 192.168.0.1 port 25 to 10.0.0.1 port 25 proto tcp
do_cmd "0" route delete allow in on $in_if out on $dmz_if
grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result
echo "Compare enable and ufw-init" >> $TESTTMP/result
sed -i "s/IPV6=.*/IPV6=yes/" $TESTPATH/etc/default/ufw
do_cmd "0" nostats disable
do_cmd "0" nostats route allow 23/tcp
do_cmd "0" nostats logging medium
do_cmd "0" null enable
# Snapshot only the rule lines of iptables-save (those starting with '-');
# the '*table', ':chain policy [counters]' and '#' timestamp lines are
# dropped so that the 'enable' vs 'ufw-init start' diff below compares
# rules only.
iptables-save | grep '^-' > $TESTTMP/ipt.enable
ip6tables-save | grep '^-' > $TESTTMP/ip6t.enable
do_cmd "0" null disable
iptables-save | grep '^-' > $TESTTMP/ipt.disable
ip6tables-save | grep '^-' > $TESTTMP/ip6t.disable
sed -i 's/^ENABLED=no/ENABLED=yes/' $TESTPATH/etc/ufw/ufw.conf
do_extcmd "0" null $TESTPATH/lib/ufw/ufw-init start
iptables-save | grep '^-' > $TESTTMP/ipt.start
ip6tables-save | grep '^-' > $TESTTMP/ip6t.start
do_extcmd "0" null $TESTPATH/lib/ufw/ufw-init stop
iptables-save | grep '^-' > $TESTTMP/ipt.stop
ip6tables-save | grep '^-' > $TESTTMP/ip6t.stop
diff $TESTTMP/ipt.enable $TESTTMP/ipt.start || {
echo "'ufw enable' and 'ufw-init start' are different"
diff $TESTTMP/ip6t.enable $TESTTMP/ip6t.start || {
echo "'ufw enable' and 'ufw-init start' are different (ipv6)"
diff $TESTTMP/ipt.disable $TESTTMP/ipt.stop || {
echo "'ufw disable' and 'ufw-init stop' are different"
diff $TESTTMP/ip6t.disable $TESTTMP/ip6t.stop || {
echo "'ufw disable' and 'ufw-init stop' are different (ipv6)"
do_cmd "0" nostats enable
do_cmd "0" nostats route delete allow 23/tcp
do_cmd "0" nostats logging low
do_cmd "0" nostats disable
sed -i "s/IPV6=.*/IPV6=no/" $TESTPATH/etc/default/ufw
echo "Delete by number" >> $TESTTMP/result
echo "Setting IPV6 to $ipv6" >> $TESTTMP/result
sed -i "s/IPV6=.*/IPV6=$ipv6/" $TESTPATH/etc/default/ufw
do_cmd "0" nostats disable
do_cmd "0" nostats enable
do_cmd "0" nostats route allow $i
grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
if [ "$ipv6" = "yes" ]; then
grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result
grep -q "^### tuple ### route:allow any $i " $TESTSTATE/user.rules || {
echo "Failed: Could not find port '$i' user.rules" >> $TESTTMP/result
if [ "$ipv6" = "yes" ]; then
grep -q "^### tuple ### route:allow any $i " $TESTSTATE/user6.rules || {
echo "Failed: Could not find port '$i' user6.rules" >> $TESTTMP/result
if [ "$ipv6" = "yes" ]; then
# Delete-by-number in the IPv6 case uses the doubled index $((i+i)) rather
# than $i (the IPv4 deletion further down uses $i); presumably because the
# numbered listing shows each rule once for IPv4 and once for IPv6 — confirm
# against 'status numbered'.  --force skips the interactive confirmation that
# a numbered delete would otherwise ask for.  The loop that sets i starts
# outside this view.
do_cmd "0" null --force delete $((i+i))
grep -v -q "^### tuple ### route:allow any $i " $TESTSTATE/user6.rules || {
echo "Failed: Found port '$i' user6.rules" >> $TESTTMP/result
grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result
do_cmd "0" null --force delete $i
grep -v -q "^### tuple ### route:allow any $i " $TESTSTATE/user.rules || {
echo "Failed: Found port '$i' user.rules" >> $TESTTMP/result
grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
grep -A2 "tuple" $TESTSTATE/user.rules >> $TESTTMP/result
grep -A2 "tuple" $TESTSTATE/user6.rules >> $TESTTMP/result
echo "Show added" >> $TESTTMP/result
echo "Setting IPV6 to $ipv6" >> $TESTTMP/result
sed -i "s/IPV6=.*/IPV6=$ipv6/" $TESTPATH/etc/default/ufw
do_cmd "0" nostats disable
do_cmd "0" nostats enable
do_cmd "0" nostats route limit 22/tcp
if [ "$ipv6" = "yes" ]; then
do_cmd "0" nostats route allow in on $in_if to 2001::211:aaaa:bbbb:d54c port 123 proto tcp
do_cmd "0" nostats route deny Samba
do_cmd "0" show added
do_cmd "0" nostats route delete limit 22/tcp
if [ "$ipv6" = "yes" ]; then
do_cmd "0" nostats route delete allow in on $in_if to 2001::211:aaaa:bbbb:d54c port 123 proto tcp
do_cmd "0" nostats route delete deny Samba
do_cmd "0" show added
do_cmd "0" nostats disable
echo "Checking status" >> $TESTTMP/result
for default in allow deny reject ; do
echo "Setting IPV6 to $ipv6" >> $TESTTMP/result
sed -i "s/IPV6=.*/IPV6=$ipv6/" $TESTPATH/etc/default/ufw
for forward in 0 1 ; do
echo "Running: sysctl -w net.ipv4.ip_forward=$forward" >> $TESTTMP/result
# Requires root and changes the host kernel's IPv4 forwarding setting so the
# routed default can be checked in both states; nothing in view restores the
# previous value afterwards.  Output is silenced because the command was
# already logged to the result file on the line above.
sysctl -w net.ipv4.ip_forward=$forward >/dev/null
if [ "$ipv6" = "yes" ]; then
echo "Running: sysctl -w net.ipv6.conf.default.forwarding=$forward" >> $TESTTMP/result
sysctl -w net.ipv6.conf.default.forwarding=$forward >/dev/null
echo "Running: sysctl -w net.ipv6.conf.all.forwarding=$forward" >> $TESTTMP/result
sysctl -w net.ipv6.conf.all.forwarding=$forward >/dev/null
do_cmd "0" nostats disable
do_cmd "0" default $default routed
do_cmd "0" nostats enable
do_cmd "0" status verbose