@@ -57,6 +57,7 @@ similar dependencies):
* keyutils-libs-devel _(tools used by the keys tests)_
* kernel-devel _(used by the kernel module tests)_
* quota, xfsprogs-devel and libuuid-devel _(used by the filesystem tests)_
+* nftables _(used by inet_socket and sctp tests if ver >= 9.3 for secmark testing )_
On a modern Fedora system you can install these dependencies with the
following command:
@@ -77,7 +78,8 @@ following command:
kernel-devel \
quota \
xfsprogs-devel \
- libuuid-devel
+ libuuid-devel \
+ nftables
#### Debian
new file mode 100644
@@ -0,0 +1,2 @@
+delete table ip security
+delete table ip6 security
new file mode 100644
@@ -0,0 +1,74 @@
+# Based on NFT project example. Requires kernel >= 4.20 and nft >= 0.9.3
+
+add table ip security
+add table ip6 security
+
+table ip security {
+
+ secmark inet_server {
+ "system_u:object_r:test_server_packet_t:s0"
+ }
+
+ map secmapping_in_out {
+ type inet_service : secmark
+ elements = { 65535 : "inet_server" }
+ }
+
+ chain input {
+ type filter hook input priority 0;
+
+ # label new incoming packets and add to connection
+ ct state new meta secmark set tcp dport map @secmapping_in_out
+ ct state new meta secmark set udp dport map @secmapping_in_out
+ ct state new ct secmark set meta secmark
+
+ # set label for est/rel packets from connection
+ ct state established,related meta secmark set ct secmark
+ }
+
+ chain output {
+ type filter hook output priority 0;
+
+ # label new outgoing packets and add to connection
+ ct state new meta secmark set tcp dport map @secmapping_in_out
+ # 'established' is used here so that the error return is the
+ # same as the 'iptables-load' tests (no reply from server)
+ ct state established meta secmark set udp dport map @secmapping_in_out
+ ct state new ct secmark set meta secmark
+
+ # set label for est/rel packets from connection
+ ct state established,related meta secmark set ct secmark
+ }
+}
+
+table ip6 security {
+
+ secmark inet_server {
+ "system_u:object_r:test_server_packet_t:s0"
+ }
+
+ map secmapping_in_out {
+ type inet_service : secmark
+ elements = { 65535 : "inet_server" }
+ }
+
+ chain input {
+ type filter hook input priority 0;
+
+ ct state new meta secmark set tcp dport map @secmapping_in_out
+ ct state new meta secmark set udp dport map @secmapping_in_out
+ ct state new ct secmark set meta secmark
+
+ ct state established,related meta secmark set ct secmark
+ }
+
+ chain output {
+ type filter hook output priority 0;
+
+ ct state new meta secmark set tcp dport map @secmapping_in_out
+ ct state established meta secmark set udp dport map @secmapping_in_out
+ ct state new ct secmark set meta secmark
+
+ ct state established,related meta secmark set ct secmark
+ }
+}
@@ -27,6 +27,19 @@ BEGIN {
$test_calipso_stream = 1;
}
+ # Determine nftables version, must be >= 0.9.3 for secmark support
+ # with kernel >= 4.20
+ $test_nft = 0;
+ $nft = `nft -v`;
+ $nft =~ s/\D//g;
+ $kverminstream = "4.20";
+
+ $rc = `$basedir/../kvercmp $kvercur $kverminstream`;
+ if ( $nft gt "092" and $rc > 0 ) {
+ $test_count += 8;
+ $test_nft = 1;
+ }
+
plan tests => $test_count;
}
@@ -348,64 +361,76 @@ if ($test_ipsec) {
system "/bin/sh $basedir/ipsec-flush";
}
-# Load iptables (IPv4 & IPv6) configuration.
-system "/bin/sh $basedir/iptables-load";
+#
+################## Test iptables/nftables configuration ######################
+#
+sub test_tables {
-# Start the stream server.
-$pid = server_start( "-t test_inet_server_t", "-n stream 65535" );
+ # Start the stream server.
+ $pid = server_start( "-t test_inet_server_t", "-n stream 65535" );
-# Verify that authorized client can communicate with the server.
-$result = system
+ # Verify that authorized client can communicate with the server.
+ $result = system
"runcon -t test_inet_client_t -- $basedir/client -e nopeer stream 127.0.0.1 65535";
-ok( $result eq 0 );
+ ok( $result eq 0 );
-# Verify that unauthorized client cannot communicate with the server.
-$result = system
+ # Verify that unauthorized client cannot communicate with the server.
+ $result = system
"runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer stream 127.0.0.1 65535 2>&1";
-ok( $result >> 8 eq 5 );
+ ok( $result >> 8 eq 5 );
-# Verify that authorized client can communicate with the server.
-$result = system
- "runcon -t test_inet_client_t -- $basedir/client -e nopeer stream ::1 65535";
-ok( $result eq 0 );
+ # Verify that authorized client can communicate with the server.
+ $result = system
+"runcon -t test_inet_client_t -- $basedir/client -e nopeer stream ::1 65535";
+ ok( $result eq 0 );
-# Verify that unauthorized client cannot communicate with the server.
-$result = system
+ # Verify that unauthorized client cannot communicate with the server.
+ $result = system
"runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer stream ::1 65535 2>&1";
-ok( $result >> 8 eq 5 );
+ ok( $result >> 8 eq 5 );
-# Kill the server.
-server_end($pid);
+ # Kill the server.
+ server_end($pid);
-# Start the dgram server.
-$pid = server_start( "-t test_inet_server_t", "-n dgram 65535" );
+ # Start the dgram server.
+ $pid = server_start( "-t test_inet_server_t", "-n dgram 65535" );
-# Verify that authorized client can communicate with the server.
-$result = system
+ # Verify that authorized client can communicate with the server.
+ $result = system
"runcon -t test_inet_client_t $basedir/client -e nopeer dgram 127.0.0.1 65535";
-ok( $result eq 0 );
+ ok( $result eq 0 );
-# Verify that unauthorized client cannot communicate with the server.
-$result = system
+ # Verify that unauthorized client cannot communicate with the server.
+ $result = system
"runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer dgram 127.0.0.1 65535 2>&1";
-ok( $result >> 8 eq 8 );
+ ok( $result >> 8 eq 8 );
-# Verify that authorized client can communicate with the server.
-$result = system
- "runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535";
-ok( $result eq 0 );
+ # Verify that authorized client can communicate with the server.
+ $result = system
+ "runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535";
+ ok( $result eq 0 );
-# Verify that unauthorized client cannot communicate with the server.
-$result = system
+ # Verify that unauthorized client cannot communicate with the server.
+ $result = system
"runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer dgram ::1 65535 2>&1";
-ok( $result >> 8 eq 8 );
+ ok( $result >> 8 eq 8 );
-# Kill the server.
-server_end($pid);
+ # Kill the server.
+ server_end($pid);
+}
-# Flush iptables configuration.
+print "Testing iptables (IPv4/IPv6).\n";
+system "/bin/sh $basedir/iptables-load";
+test_tables();
system "/bin/sh $basedir/iptables-flush";
+if ($test_nft) {
+ print "Testing nftables (IPv4/IPv6).\n";
+ system "nft -f $basedir/nftables-load";
+ test_tables();
+ system "nft -f $basedir/nftables-flush";
+}
+
if ($test_calipso_stream) {
# Load NetLabel configuration for CALIPSO/IPv6 labeling over loopback.
new file mode 100644
@@ -0,0 +1,2 @@
+delete table ip security
+delete table ip6 security
new file mode 100644
@@ -0,0 +1,68 @@
+# Based on NFT project example. Requires kernel >= 4.20 and nft >= 0.9.3
+
+add table ip security
+add table ip6 security
+
+table ip security {
+
+ secmark sctp_server {
+ "system_u:object_r:test_sctp_server_packet_t:s0"
+ }
+
+ map secmapping_in_out {
+ type inet_service : secmark
+ elements = { 1035 : "sctp_server" }
+ }
+
+ chain input {
+ type filter hook input priority 0;
+
+ # label new incoming packets and add to connection
+ ct state new meta secmark set sctp dport map @secmapping_in_out
+ ct state new ct secmark set meta secmark
+
+ # set label for est/rel packets from connection
+ ct state established,related meta secmark set ct secmark
+ }
+
+ chain output {
+ type filter hook output priority 0;
+
+ # label new outgoing packets and add to connection
+ ct state new meta secmark set sctp dport map @secmapping_in_out
+ ct state new ct secmark set meta secmark
+
+ # set label for est/rel packets from connection
+ ct state established,related meta secmark set ct secmark
+ }
+}
+
+table ip6 security {
+
+ secmark sctp_server {
+ "system_u:object_r:test_sctp_server_packet_t:s0"
+ }
+
+ map secmapping_in_out {
+ type inet_service : secmark
+ elements = { 1035 : "sctp_server" }
+ }
+
+ chain input {
+ type filter hook input priority 0;
+
+ ct state new meta secmark set sctp dport map @secmapping_in_out
+ ct state new ct secmark set meta secmark
+
+ ct state established,related meta secmark set ct secmark
+ }
+
+ chain output {
+ type filter hook output priority 0;
+
+ ct state new meta secmark set sctp dport map @secmapping_in_out
+ ct state new ct secmark set meta secmark
+
+ ct state established,related meta secmark set ct secmark
+ }
+}
@@ -56,6 +56,16 @@ BEGIN {
$test_calipso = 1;
}
+ # Determine nftables version, must be >= 0.9.3 for secmark support.
+ $test_nft = 0;
+ $nft = `nft -v`;
+ $nft =~ s/\D//g;
+
+ if ( $nft gt "092" ) {
+ $test_count += 8;
+ $test_nft = 1;
+ }
+
plan tests => $test_count;
}
}
@@ -749,64 +759,75 @@ if ($test_calipso) {
}
#
-##################### Test iptables configuration ############################
+################## Test iptables/nftables configuration ######################
#
-print "# Testing iptables (IPv4/IPv6).\n";
-system "/bin/sh $basedir/iptables-load";
+sub test_tables {
-# Start the stream server.
-$pid =
- server_start( "-t test_sctp_server_t", "sctp_server", "$v -n stream 1035" );
+ # Start the stream server.
+ $pid = server_start( "-t test_sctp_server_t",
+ "sctp_server", "$v -n stream 1035" );
-# Verify that authorized client can communicate with the server STREAM->STREAM.
-$result = system
+ # Verify that authorized client can communicate with the server STREAM->STREAM.
+ $result = system
"runcon -t test_sctp_client_t $basedir/sctp_client $v -e nopeer stream 127.0.0.1 1035";
-ok( $result eq 0 );
+ ok( $result eq 0 );
# Verify that a client without peer { recv } permission cannot communicate with the server STREAM->STREAM.
-$result = system
+ $result = system
"runcon -t test_sctp_deny_peer_client_t -- $basedir/sctp_client $v -e nopeer stream 127.0.0.1 1035 2>&1";
-ok( $result >> 8 eq 6 );
+ ok( $result >> 8 eq 6 );
-# Verify that authorized client can communicate with the server STREAM->STREAM.
-$result = system
+ # Verify that authorized client can communicate with the server STREAM->STREAM.
+ $result = system
"runcon -t test_sctp_client_t $basedir/sctp_client $v -e nopeer stream ::1 1035";
-ok( $result eq 0 );
+ ok( $result eq 0 );
# Verify that a client without peer { recv } permission cannot communicate with the server STREAM->STREAM.
-$result = system
+ $result = system
"runcon -t test_sctp_deny_peer_client_t -- $basedir/sctp_client $v -e nopeer stream ::1 1035 2>&1";
-ok( $result >> 8 eq 6 );
+ ok( $result >> 8 eq 6 );
-# Kill the stream server.
-server_end($pid);
+ # Kill the stream server.
+ server_end($pid);
-# Start the seq server.
-$pid = server_start( "-t test_sctp_server_t", "sctp_server", "$v -n seq 1035" );
+ # Start the seq server.
+ $pid =
+ server_start( "-t test_sctp_server_t", "sctp_server", "$v -n seq 1035" );
-# Verify that authorized client can communicate with the server SEQ->SEQ.
-$result = system
+ # Verify that authorized client can communicate with the server SEQ->SEQ.
+ $result = system
"runcon -t test_sctp_client_t $basedir/sctp_client $v -e nopeer seq 127.0.0.1 1035";
-ok( $result eq 0 );
+ ok( $result eq 0 );
# Verify that a client without peer { recv } permission cannot communicate with the server SEQ->SEQ.
-$result = system
+ $result = system
"runcon -t test_sctp_deny_peer_client_t -- $basedir/sctp_client $v -e nopeer seq 127.0.0.1 1035 2>&1";
-ok( $result >> 8 eq 6 );
+ ok( $result >> 8 eq 6 );
-# Verify that authorized client can communicate with the server SEQ->SEQ.
-$result = system
- "runcon -t test_sctp_client_t $basedir/sctp_client $v -e nopeer seq ::1 1035";
-ok( $result eq 0 );
+ # Verify that authorized client can communicate with the server SEQ->SEQ.
+ $result = system
+"runcon -t test_sctp_client_t $basedir/sctp_client $v -e nopeer seq ::1 1035";
+ ok( $result eq 0 );
# Verify that a client without peer { recv } permission cannot communicate with the server SEQ->SEQ.
-$result = system
+ $result = system
"runcon -t test_sctp_deny_peer_client_t -- $basedir/sctp_client $v -e nopeer seq ::1 1035 2>&1";
-ok( $result >> 8 eq 6 );
+ ok( $result >> 8 eq 6 );
-# Kill the seq server.
-server_end($pid);
+ # Kill the seq server.
+ server_end($pid);
+}
+print "# Testing iptables (IPv4/IPv6).\n";
+system "/bin/sh $basedir/iptables-load";
+test_tables();
system "/bin/sh $basedir/iptables-flush";
+if ($test_nft) {
+ print "# Testing nftables (IPv4/IPv6).\n";
+ system "nft -f $basedir/nftables-load";
+ test_tables();
+ system "nft -f $basedir/nftables-flush";
+}
+
exit;
Support secmark tests that require nftables version 9.3 or greater and kernel 4.20 or greater. Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> --- V2 Change: Use common tests for iptables/nftables V3 Change: Use function README.md | 4 +- tests/inet_socket/nftables-flush | 2 + tests/inet_socket/nftables-load | 74 ++++++++++++++++++++++++ tests/inet_socket/test | 99 ++++++++++++++++++++------------ tests/sctp/nftables-flush | 2 + tests/sctp/nftables-load | 68 ++++++++++++++++++++++ tests/sctp/test | 87 +++++++++++++++++----------- 7 files changed, 265 insertions(+), 71 deletions(-) create mode 100644 tests/inet_socket/nftables-flush create mode 100644 tests/inet_socket/nftables-load create mode 100644 tests/sctp/nftables-flush create mode 100644 tests/sctp/nftables-load