preroutingテスト追加

mimuret · Mar 10, 2016 · 5ba8043 · 5ba8043
1 parent 31286a9
commit 5ba8043
Show file tree

Hide file tree

Showing 31 changed files with 156 additions and 101 deletions.
diff --git a/test/03.1_ipv4_udp_match.sh b/test/03.1_ipv4_udp_match.sh
diff --git a/test/03.2_ipv4_tcp_match.sh b/test/03.2_ipv4_tcp_match.sh
diff --git a/test/03.3_ipv6_udp_match.sh b/test/03.3_ipv6_udp_match.sh
diff --git a/test/03.4_ipv6_tcp_match.sh b/test/03.4_ipv6_tcp_match.sh
diff --git a/test/04.1_ipv4_udp_nomatch.sh b/test/04.1_ipv4_udp_nomatch.sh
diff --git a/test/04.2_ipv4_tcp_nomatch.sh b/test/04.2_ipv4_tcp_nomatch.sh
diff --git a/test/04.3_ipv6_udp_nomatch.sh b/test/04.3_ipv6_udp_nomatch.sh
diff --git a/test/04.4_ipv6_tcp_nomatch.sh b/test/04.4_ipv6_tcp_nomatch.sh
diff --git a/test/01_module_load.sh → test/1_module_load.sh b/test/01_module_load.sh → test/1_module_load.sh
diff --git a/test/02_rule_create.sh → test/2_rule_create.sh b/test/02_rule_create.sh → test/2_rule_create.sh
@@ -2,17 +2,20 @@
 
 function ipt() {
   cmd=$1
-  chain=$2
-  act=$3
-  ./test-ipt.sh $cmd $chain $act
+  table=$2
+  chain=$3
+  act=$4
+  ./test-ipt.sh $cmd $table $chain $act
 }
 function begin() {
   cmd=$1
-  chain=$2
-  ipt $cmd $chain "append"
+  table=$2
+  chain=$3
+  act=$4
+  ipt $cmd $table $chain "append"
 }
 function finish() {
-  ipt $cmd $chain "delete"
+  ipt $cmd $table $chain "delete"
 }
 function error() {
   echo "[ERR] $@"
@@ -26,10 +29,11 @@ function check() {
 }
 function main() {
   cmd=$1
-  chain=$2
-  begin $cmd $chain
+  table=$2
+  chain=$3
+  begin $cmd $table $chain
 
-  RULES=`$cmd --list-rules $chain -v`
+  RULES=`$cmd -t $table --list-rules $chain -v`
 
   check "-m dns --qr"
   check "-m dns ! --qr"
@@ -68,15 +72,17 @@ function main() {
   check "-m dns --maxsize 128"
   check "-m dns ! --maxsize 128"
 
-  finish $cmd $chain
+  finish $cmd $table $chain
 
-  echo "[PASS] $cmd add rules"
+  echo "[PASS] $cmd $table add rules"
   return 0
 }
 
 
-main "iptables" $(date +DNSTEST-IPv4-%Y%m%d)
+main "iptables" filter $(date +DNSTEST-IPv4-%Y%m%d)
+main "iptables" mangle $(date +DNSTEST-IPv4-%Y%m%d)
 
-main "ip6tables" $(date +DNSTEST-IPv6-%Y%m%d)
+main "ip6tables" filter $(date +DNSTEST-IPv6-%Y%m%d)
+main "ip6tables" mangle $(date +DNSTEST-IPv6-%Y%m%d)
 
 exit 0
diff --git a/test/3.1.1_check_ipv4_udp_input.sh b/test/3.1.1_check_ipv4_udp_input.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_match.sh iptables udp filter
diff --git a/test/3.1.2_check_ipv4_udp_prerouting.sh b/test/3.1.2_check_ipv4_udp_prerouting.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_match.sh iptables udp mangle
diff --git a/test/3.2.1_check_ipv4_tcp_input.sh b/test/3.2.1_check_ipv4_tcp_input.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_match.sh iptables tcp filter
diff --git a/test/3.2.2_check_ipv4_tcp_prerouting.sh b/test/3.2.2_check_ipv4_tcp_prerouting.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_match.sh iptables tcp mangle
diff --git a/test/3.3.1_check_ipv6_udp_input.sh b/test/3.3.1_check_ipv6_udp_input.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_match.sh ip6tables udp filter
diff --git a/test/3.3.2_check_ipv6_udp_prerouting.sh b/test/3.3.2_check_ipv6_udp_prerouting.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_match.sh ip6tables udp mangle
diff --git a/test/3.4.1_check_ipv6_tcp_input.sh b/test/3.4.1_check_ipv6_tcp_input.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_match.sh ip6tables tcp filter
diff --git a/test/3.4.2_check_ipv6_tcp_prerouting.sh b/test/3.4.2_check_ipv6_tcp_prerouting.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_match.sh ip6tables tcp mangle
diff --git a/test/4.1.1_check_no_ipv4_udp_input.sh b/test/4.1.1_check_no_ipv4_udp_input.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_nomatch.sh iptables udp filter
diff --git a/test/4.1.2_check_no_ipv4_udp_prerouting.sh b/test/4.1.2_check_no_ipv4_udp_prerouting.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_nomatch.sh iptables udp mangle
diff --git a/test/4.2.1_check_no_ipv4_tcp_input.sh b/test/4.2.1_check_no_ipv4_tcp_input.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_nomatch.sh iptables tcp filter
diff --git a/test/4.2.2_check_no_ipv4_tcp_prerouting.sh b/test/4.2.2_check_no_ipv4_tcp_prerouting.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_nomatch.sh iptables tcp mangle
diff --git a/test/4.3.1_check_no_ipv6_udp_input.sh b/test/4.3.1_check_no_ipv6_udp_input.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_nomatch.sh ip6tables udp filter
diff --git a/test/4.3.2_check_no_ipv6_udp_mangle.sh b/test/4.3.2_check_no_ipv6_udp_mangle.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_nomatch.sh ip6tables udp mangle
diff --git a/test/4.4.1_check_no_ipv6_tcp_input.sh b/test/4.4.1_check_no_ipv6_tcp_input.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_nomatch.sh ip6tables tcp filter
diff --git a/test/4.4.2_check_no_ipv6_tcp_prerouting.sh b/test/4.4.2_check_no_ipv6_tcp_prerouting.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./query_nomatch.sh ip6tables tcp mangle
diff --git a/test/Makefile.am b/test/Makefile.am
@@ -1,10 +1,18 @@
-TESTS=01_module_load.sh \
-02_rule_create.sh \
-03.1_ipv4_udp_match.sh \
-03.2_ipv4_tcp_match.sh \
-03.3_ipv6_udp_match.sh \
-03.4_ipv6_tcp_match.sh \
-04.1_ipv4_udp_nomatch.sh \
-04.2_ipv4_tcp_nomatch.sh \
-04.3_ipv6_udp_nomatch.sh \
-04.4_ipv6_tcp_nomatch.sh
+TESTS=1_module_load.sh \
+2_rule_create.sh \
+3.1.1_check_ipv4_udp_input.sh \
+3.1.2_check_ipv4_udp_prerouting.sh \
+3.2.1_check_ipv4_tcp_input.sh \
+3.2.2_check_ipv4_tcp_prerouting.sh \
+3.3.1_check_ipv6_udp_input.sh \
+3.3.2_check_ipv6_udp_prerouting.sh \
+3.4.1_check_ipv6_tcp_input.sh \
+3.4.2_check_ipv6_tcp_prerouting.sh \
+4.1.1_check_no_ipv4_udp_input.sh \
+4.1.2_check_no_ipv4_udp_prerouting.sh \
+4.2.1_check_no_ipv4_tcp_input.sh \
+4.2.2_check_no_ipv4_tcp_prerouting.sh \
+4.3.1_check_no_ipv6_udp_input.sh \
+4.3.2_check_no_ipv6_udp_mangle.sh \
+4.4.1_check_no_ipv6_tcp_input.sh \
+4.4.2_check_no_ipv6_tcp_prerouting.sh 
diff --git a/test/query_match.sh b/test/query_match.sh
@@ -1,9 +1,17 @@
 #!/bin/bash
 
-. query_match_common.sh
-
 IPT=$1
 PROTOCOL=$2
+TABLE=$3
+
+. query_match_common.sh
+
+if [ "$TABLE" = "filter" ] ; then
+  TARGET_CHAIN="INPUT"
+fi
+if [ "$TABLE" = "mangle" ] ; then
+  TARGET_CHAIN="PREROUTING"
+fi
 
 function match_check() {
   val=$1

diff --git a/test/query_match_common.sh b/test/query_match_common.sh
@@ -31,37 +31,37 @@ fi
 DNSTEST=$(date +DNSTEST-%Y%m%d)
 
 function ipt() {
-  ./test-ipt.sh $IPT $DNSTEST $1
+  ./test-ipt.sh $IPT $TABLE $DNSTEST $1
 }
 function begin() {
   ipt "append"
   if [ "$PROTOCOL" = "udp" ] ; then
-    $IPT -I INPUT -i lo -p udp --dport 53 -j $DNSTEST
+    $IPT -t $TABLE -I $TARGET_CHAIN -i lo -p udp --dport 53 -j $DNSTEST
   else
-    $IPT -I INPUT -i lo -p tcp --dport 53 -j $DNSTEST
+    $IPT -t $TABLE -I $TARGET_CHAIN -i lo -p tcp --dport 53 -j $DNSTEST
   fi
 }
 function finish() {
   if [ "$PROTOCOL" = "udp" ] ; then
-    $IPT -D INPUT -i lo -p udp --dport 53 -j $DNSTEST
+    $IPT -t $TABLE -D $TARGET_CHAIN -i lo -p udp --dport 53 -j $DNSTEST
   else
-    $IPT -D INPUT -i lo -p tcp --dport 53 -j $DNSTEST
+    $IPT -t $TABLE -D $TARGET_CHAIN -i lo -p tcp --dport 53 -j $DNSTEST
   fi
   ipt "delete"
 }
 function error() {
   echo "[FAIL] $@"
-  $IPT --list-rules $DNSTEST -v
+  $IPT -t $TABLE --list-rules $DNSTEST -v
   finish
   exit 1
 }
 function updateCheck() {
   rule=$1
-  $IPT --zero $DNSTEST
+  $IPT -t $TABLE --zero $DNSTEST
 
   echo $UPDATE_HEX | xxd -r -p | nc $SERVER 53 $NC_OPT > /dev/null 2>&1
 
-  res=$($IPT --list-rules $DNSTEST -v | grep -- "$rule")
+  res=$($IPT -t $TABLE --list-rules $DNSTEST -v | grep -- "$rule")
   if [ $? != 0 ] ; then
     echo "[ERR] $res"
     error $rule
@@ -76,9 +76,9 @@ function updateCheck() {
 function check() {
   rule=$1 ; shift
   domain=$1 ; shift
-  $IPT --zero $DNSTEST
+  $IPT -t $TABLE --zero $DNSTEST
   drill $domain @$SERVER $DRILL_OPT $@ > /dev/null 2>&1
-  res=$($IPT --list-rules $DNSTEST -v | grep -- "$rule ")
+  res=$($IPT -t $TABLE --list-rules $DNSTEST -v | grep -- "$rule ")
   if [ $? != 0 ] ; then
     echo "[ERR] $res"
     error $rule

diff --git a/test/query_nomatch.sh b/test/query_nomatch.sh
@@ -1,9 +1,17 @@
 #!/bin/bash
 
-. query_match_common.sh
-
 IPT=$1
 PROTOCOL=$2
+TABLE=$3
+
+. query_match_common.sh
+
+if [ "$TABLE" = "filter" ] ; then
+TARGET_CHAIN="INPUT"
+fi
+if [ "$TABLE" = "mangle" ] ; then
+TARGET_CHAIN="PREROUTING"
+fi
 
 function match_check() {
   val=$1

diff --git a/test/test-ipt.sh b/test/test-ipt.sh
@@ -2,49 +2,50 @@
 
 function xtables() {
   ipt=$1
-  chain=$2
-  act=$3
+  table=$2
+  chain=$3
+  act=$4
   if [ "$act" = "append" ] ; then
-    $ipt -N $chain
+    $ipt -t $table -N $chain
   fi
-  $ipt --$act $chain -m dns --qr
-  $ipt --$act $chain -m dns ! --qr
-  $ipt --$act $chain -m dns --aa
-  $ipt --$act $chain -m dns ! --aa
-  $ipt --$act $chain -m dns --tc
-  $ipt --$act $chain -m dns ! --tc
-  $ipt --$act $chain -m dns --rd
-  $ipt --$act $chain -m dns ! --rd
-  $ipt --$act $chain -m dns --ra
-  $ipt --$act $chain -m dns ! --ra
-  $ipt --$act $chain -m dns --ad
-  $ipt --$act $chain -m dns ! --ad
-  $ipt --$act $chain -m dns --cd
-  $ipt --$act $chain -m dns ! --cd
-  $ipt --$act $chain -m dns --opcode QUERY
-  $ipt --$act $chain -m dns ! --opcode QUERY
-  $ipt --$act $chain -m dns --opcode UPDATE
-  $ipt --$act $chain -m dns ! --opcode UPDATE
-  $ipt --$act $chain -m dns --qname example.com
-  $ipt --$act $chain -m dns ! --qname example.com
-  $ipt --$act $chain -m dns --qtype A
-  $ipt --$act $chain -m dns ! --qtype A
-  $ipt --$act $chain -m dns --qtype AAAA
-  $ipt --$act $chain -m dns ! --qtype AAAA
-  $ipt --$act $chain -m dns --qtype MAILA
-  $ipt --$act $chain -m dns ! --qtype MAILA
-  $ipt --$act $chain -m dns --qtype ANY
-  $ipt --$act $chain -m dns ! --qtype ANY
-  $ipt --$act $chain -m dns --qtype URI
-  $ipt --$act $chain -m dns ! --qtype URI
-  $ipt --$act $chain -m dns --qtype TA
-  $ipt --$act $chain -m dns ! --qtype TA
-  $ipt --$act $chain -m dns --qname example.jp --rmatch
-  $ipt --$act $chain -m dns ! --qname example.jp --rmatch
-  $ipt --$act $chain -m dns --maxsize 128
-  $ipt --$act $chain -m dns ! --maxsize 128
+  $ipt -t $table --$act $chain -m dns --qr
+  $ipt -t $table --$act $chain -m dns ! --qr
+  $ipt -t $table --$act $chain -m dns --aa
+  $ipt -t $table --$act $chain -m dns ! --aa
+  $ipt -t $table --$act $chain -m dns --tc
+  $ipt -t $table --$act $chain -m dns ! --tc
+  $ipt -t $table --$act $chain -m dns --rd
+  $ipt -t $table --$act $chain -m dns ! --rd
+  $ipt -t $table --$act $chain -m dns --ra
+  $ipt -t $table --$act $chain -m dns ! --ra
+  $ipt -t $table --$act $chain -m dns --ad
+  $ipt -t $table --$act $chain -m dns ! --ad
+  $ipt -t $table --$act $chain -m dns --cd
+  $ipt -t $table --$act $chain -m dns ! --cd
+  $ipt -t $table --$act $chain -m dns --opcode QUERY
+  $ipt -t $table --$act $chain -m dns ! --opcode QUERY
+  $ipt -t $table --$act $chain -m dns --opcode UPDATE
+  $ipt -t $table --$act $chain -m dns ! --opcode UPDATE
+  $ipt -t $table --$act $chain -m dns --qname example.com
+  $ipt -t $table --$act $chain -m dns ! --qname example.com
+  $ipt -t $table --$act $chain -m dns --qtype A
+  $ipt -t $table --$act $chain -m dns ! --qtype A
+  $ipt -t $table --$act $chain -m dns --qtype AAAA
+  $ipt -t $table --$act $chain -m dns ! --qtype AAAA
+  $ipt -t $table --$act $chain -m dns --qtype MAILA
+  $ipt -t $table --$act $chain -m dns ! --qtype MAILA
+  $ipt -t $table --$act $chain -m dns --qtype ANY
+  $ipt -t $table --$act $chain -m dns ! --qtype ANY
+  $ipt -t $table --$act $chain -m dns --qtype URI
+  $ipt -t $table --$act $chain -m dns ! --qtype URI
+  $ipt -t $table --$act $chain -m dns --qtype TA
+  $ipt -t $table --$act $chain -m dns ! --qtype TA
+  $ipt -t $table --$act $chain -m dns --qname example.jp --rmatch
+  $ipt -t $table --$act $chain -m dns ! --qname example.jp --rmatch
+  $ipt -t $table --$act $chain -m dns --maxsize 128
+  $ipt -t $table --$act $chain -m dns ! --maxsize 128
   if [ "$act" = "delete" ] ; then
-    $ipt -X $chain
+    $ipt -t $table -X $chain
   fi
 }