public void TestSplit()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesChainSet chains = new IpTablesChainSet(4);
FeatureSplitter<RuleOutputter, IPAddress> ma = new FeatureSplitter<RuleOutputter,IPAddress>("INPUT", "filter", extractor, setter, nestedGenerator, "_");
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 1 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 2 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.2 -m udp --sport 3 -j ACCEPT", system, chains));
IpTablesRuleSet rules = new IpTablesRuleSet(4,system);
ma.Output(system, rules);
Assert.AreEqual(3, rules.Chains.Count());
Assert.AreEqual(2, rules.Chains.First().Rules.Count);
Assert.AreEqual(2, rules.Chains.Skip(1).First().Rules.Count);
Assert.AreEqual(1, rules.Chains.Skip(2).First().Rules.Count);
Assert.AreEqual("-A INPUT -s 8.1.1.1 -j QGkTSfSaLIaS4B/kr3WQ -m comment --comment '_|FS|INPUT_8.1.1.1'",
rules.Chains.First().Rules.First().GetActionCommand());
Assert.AreEqual("-A INPUT -s 8.1.1.2 -j ciE0aMcfwN36u0sNiC6w -m comment --comment '_|FS|INPUT_8.1.1.2'",
rules.Chains.First().Rules.Skip(1).First().GetActionCommand());
Assert.AreEqual("-A QGkTSfSaLIaS4B/kr3WQ -j ACCEPT -m udp --sport 1",
rules.Chains.Skip(1).First().Rules.First().GetActionCommand());
}
public void TestParseRuleLocal()
{
var systemFactory = new MockIptablesSystemFactory();
var ipUtils = new IpRouteController(systemFactory);
var one = ipUtils.ParseObjectInternal("local default dev lo table 100 scope host", "to");
ipUtils.ExportObject(one);
}
public void TestParseRule()
{
var systemFactory = new MockIptablesSystemFactory();
var ipUtils = new IpRouteController(systemFactory);
var one = ipUtils.ParseObjectInternal("default via 199.19.225.1 dev eth0", "to");
var two = ipUtils.ParseObjectInternal("10.128.1.0/24 dev tap0 proto kernel scope link src 10.128.1.201", "to");
}
public void TestParseRule()
{
var systemFactory = new MockIptablesSystemFactory();
var ipUtils = new IpRuleController(systemFactory);
var one = ipUtils.ParseObjectInternal("default via 10.17.199.1 dev s4 table 200", "to");
var two = ipUtils.ParseObjectInternal("default via 10.17.199.1 dev s4 table 200", "to");
CollectionAssert.AreEqual(one.Pairs, two.Pairs);
Assert.AreEqual("default", one.Pairs["to"]);
Assert.AreEqual("200",one.Pairs["table"]);
}
public void TestDeleteRule()
{
var systemFactory = new MockIptablesSystemFactory();
var ipUtils = new IpRuleController(systemFactory);
ipUtils.Delete("from", "1.1.1.1", "lookup", "100");
var expected = new List<KeyValuePair<String, String>>
{
new KeyValuePair<string, string> ("ip","rule delete from 1.1.1.1 lookup 100")
};
CollectionAssert.AreEqual(expected, systemFactory.ExecutionLog);
}
public void TestAddObjRule()
{
var systemFactory = new MockIptablesSystemFactory();
var ipUtils = new IpRuleController(systemFactory);
var obj = new IpObject();
obj.Pairs.Add("from", "1.1.1.1");
obj.Pairs.Add("lookup", "100");
obj.Singles.Add("not");
ipUtils.Add(obj);
var expected = new List<KeyValuePair<String, String>>
{
new KeyValuePair<string, string> ("ip","rule add not from 1.1.1.1 lookup 100")
};
CollectionAssert.AreEqual(expected, systemFactory.ExecutionLog);
}
public void TestNesting()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesChainSet chains = new IpTablesChainSet(4);
FeatureSplitter<MultiportAggregator<IPAddress>, String> ma = new FeatureSplitter<MultiportAggregator<IPAddress>, String>("INPUT", "filter", extractor, setter, nestedGenerator, "_");
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -i eth0 -m udp --sport 1 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -i eth1 -m udp --sport 2 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.2 -i eth0 -m udp --sport 3 -j ACCEPT", system, chains));
IpTablesRuleSet rules = new IpTablesRuleSet(4,system);
ma.Output(system, rules);
Assert.AreEqual(3, rules.Chains.Count());
Assert.AreEqual(2, rules.Chains.Skip(1).First().Rules.Count);
Assert.AreEqual(1, rules.Chains.Skip(2).First().Rules.Count);
}
public void TestSimpleDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
List<String> expectedCommands = new List<String>() { };
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, expectedCommands);
}
public void TestNatDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
List<String> expectedCommands = new List<String>() { };
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, expectedCommands);
}
public void TestSingular()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesChainSet chains = new IpTablesChainSet(4);
MultiportAggregator<IPAddress> ma = new MultiportAggregator<IPAddress>("INPUT", "filter", extractSrcIp, extractSrcPort,
PortRangeHelpers.SourcePortSetter, setSourceIp, "_", null);
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 1 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 2 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.2 -m udp --sport 3 -j ACCEPT", system, chains));
IpTablesRuleSet rules = new IpTablesRuleSet(4,system);
ma.Output(system, rules);
Assert.AreEqual(1, rules.Chains.Count());
Assert.AreEqual(2, rules.Chains.First().Rules.Count);
Assert.AreEqual("-A INPUT -s 8.1.1.1 -j ACCEPT -m comment --comment '_|uXTlO5H/5x9hJe9WK1hw|1' -m multiport --sports 1:2", rules.Chains.First().Rules.First().GetActionCommand());
Assert.AreEqual("-A INPUT -s 8.1.1.2 -j ACCEPT -m comment --comment '_|s5FXv5bN+84QgKZzjZ3Q|1' -m multiport --sports 3", rules.Chains.First().Rules.Skip(1).First().GetActionCommand());
}
public void TestSimpleDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
List<String> expectedCommands = new List<String>() {};
mock.TestSync(rulesOriginal, rulesNew);
CollectionAssert.AreEqual((system.GetTableAdapter(4) as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
public void TestAddDuplicate()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2",
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2",
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
}, system);
List<String> expectedCommands = new List<String>() { rulesNew.Chains.First().Rules[2].GetActionCommand() };
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, expectedCommands);
}
public void TestQuotes()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP",
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP",
"-A INPUT -m comment --comment 'test space'"
}, system);
List<String> expectedCommands = new List<String> { "*filter",
"-A INPUT -m comment --comment \"test space\"", "COMMIT" };
mock.TestSync(rulesOriginal, rulesNew);
var output = (system.GetTableAdapter(4) as IMockIpTablesRestoreGetOutput).GetOutput();
CollectionAssert.AreEqual(output, expectedCommands);
}
public void TestAdd()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2",
"-A INPUT -d 1.2.3.4/16 -j DROP"
}, system);
List<String> expectedCommands = new List<String> { "*filter", rulesNew.Chains.First().Rules[2].GetActionCommand(), "COMMIT" };
mock.TestSync(rulesOriginal, rulesNew);
CollectionAssert.AreEqual((system.GetTableAdapter(4) as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
public void TestMultiple()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesChainSet chains = new IpTablesChainSet(4);
MultiportAggregator<IPAddress> ma = new MultiportAggregator<IPAddress>("INPUT", "filter", extractSrcIp, extractSrcPort,
PortRangeHelpers.SourcePortSetter, setSourceIp, "_");
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 10 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 20 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 30 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 40 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 50 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 60 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 70 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 80 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 90 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 100 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 110 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 120 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 130 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 140 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 150 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 160 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 170 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 180 -j ACCEPT", system, chains));
ma.AddRule(IpTablesRule.Parse("-A INPUT -s 8.1.1.1 -m udp --sport 190 -j ACCEPT", system, chains));
IpTablesRuleSet rules = new IpTablesRuleSet(4,system);
ma.Output(system, rules);
Assert.AreEqual(2, rules.Chains.Count());
Assert.AreEqual(1, rules.Chains.GetChainOrDefault("INPUT","filter").Rules.Count);
Assert.AreEqual("-A INPUT -s 8.1.1.1 -j uXTlO5H/5x9hJe9WK1hw -m comment --comment '_|MA|INPUT_8.1.1.1'",
rules.Chains.GetChainOrDefault("INPUT", "filter").Rules.First().GetActionCommand());
Assert.AreEqual("-A uXTlO5H/5x9hJe9WK1hw -j ACCEPT -m comment --comment '_|uXTlO5H/5x9hJe9WK1hw|1' -m multiport --sports 10,20,30,40,50,60,70,80,90,100,110,120,130,140,150",
rules.Chains.GetChainOrDefault("uXTlO5H/5x9hJe9WK1hw", "filter").Rules.First().GetActionCommand());
}
public void TestDeleteMultiples()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5"
}, system);
List<String> expectedCommands = new List<String>() { "-D INPUT 1", "-D INPUT 2" };
mock.TestSync(rulesOriginal, rulesNew, expectedCommands);
}
public void TestUpdateMiddle()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new IPTablesBinaryAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4,new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 28 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
List<String> expectedCommands = new List<String>()
{
rulesNew.Chains.First().Rules[1].GetActionCommand("-R")
};
mock.TestSync(system.GetTableAdapter(4), rulesOriginal, rulesNew, expectedCommands, CommentComparer);
}
public void TestNatDoNothing()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List<String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List<String>()
{
"-A PREROUTING -t nat -j DNAT -p tcp -m tcp --dport 80 --to-destination 99.99.99.99:80",
"-A PREROUTING -t nat -j SNAT --to-source 99.99.99.99:80"
}, system);
List<String> expectedCommands = new List<String>() { };
using (var client = system.GetTableAdapter(4))
{
mock.TestSync(client, rulesOriginal, rulesNew);
CollectionAssert.AreEqual((client as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
}
public void TestUpdateMiddle()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10 -m comment --comment \"ID1\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 28 -m comment --comment \"ID2\"",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2 -m comment --comment \"ID3\""
}, system);
List<String> expectedCommands = new List<String>()
{
"*filter", rulesNew.Chains.First().Rules[1].GetActionCommand("-R"), "COMMIT" };
using (var client = system.GetTableAdapter(4))
{
mock.TestSync(client, rulesOriginal, rulesNew, CommentComparer);
CollectionAssert.AreEqual((client as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
}
public void TestDeleteMultiples()
{
var mock = new MockIptablesSystemFactory();
var system = new IpTablesSystem(mock, new MockIpTablesRestoreAdapter());
IpTablesRuleSet rulesOriginal = new IpTablesRuleSet(4, new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 10",
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5",
"-A INPUT -p udp -j DROP -m connlimit --connlimit-above 2"
}, system);
IpTablesRuleSet rulesNew = new IpTablesRuleSet(4, new List<String>()
{
"-A INPUT -p tcp -j DROP -m connlimit --connlimit-above 5"
}, system);
List<String> expectedCommands = new List<String>() { "*filter", "-D INPUT 1", "-D INPUT 2", "COMMIT" };
using (var client = system.GetTableAdapter(4))
{
mock.TestSync(client, rulesOriginal, rulesNew);
CollectionAssert.AreEqual((client as IMockIpTablesRestoreGetOutput).GetOutput(), expectedCommands);
}
}
public void TestDeleteRuleId()
{
var systemFactory = new MockIptablesSystemFactory();
var ipUtils = new IpRuleController(systemFactory);
IpObject ipObject = new IpObject();
ipObject.Pairs.Add("pref","100");
ipObject.Pairs.Add("from","1.1.1.1");
ipUtils.Delete(ipObject);
var expected = new List<KeyValuePair<String, String>>
{
new KeyValuePair<string, string> ("ip","rule delete pref 100 from 1.1.1.1")
};
CollectionAssert.AreEqual(expected, systemFactory.ExecutionLog);
}
public void TestGetRules()
{
var systemFactory = new MockIptablesSystemFactory();
var output = "32766: from all lookup main\n32767: from all lookup default";
systemFactory.MockOutputs.Add(new KeyValuePair<string, string>("ip","rule show"), new StreamReader[]{new StreamReader(new MemoryStream(Encoding.ASCII.GetBytes(output)))});
var ipUtils = new IpRuleController(systemFactory);
var rules = ipUtils.GetAll();
Assert.AreEqual(2, rules.Count);
Assert.AreEqual("pref 32766 from all lookup main", string.Join(" ", ipUtils.ExportObject(rules[0])));
Assert.AreEqual("pref 32767 from all lookup default", string.Join(" ", ipUtils.ExportObject(rules[1])));
}
