From: Mauricio Vásquez Date: Fri, 26 Feb 2021 00:59:36 +0000 (-0500) Subject: tests: add integration test for RestrictNetworkInterfaces= X-Git-Tag: v250-rc1~800^2~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=00d6fceeb3724bbe8fa0e0138bb23954c1d44642;p=thirdparty%2Fsystemd.git tests: add integration test for RestrictNetworkInterfaces= Signed-off-by: Mauricio Vásquez
---
diff --git a/test/TEST-62-RESTRICT-IFACES/Makefile b/test/TEST-62-RESTRICT-IFACES/Makefile
new file mode 120000
index 00000000000..e9f93b1104c
--- /dev/null
+++ b/test/TEST-62-RESTRICT-IFACES/Makefile
@@ -0,0 +1 @@
+../TEST-01-BASIC/Makefile
\ No newline at end of file
diff --git a/test/TEST-62-RESTRICT-IFACES/test.sh b/test/TEST-62-RESTRICT-IFACES/test.sh
new file mode 100755
index 00000000000..b2829d2a1fd
--- /dev/null
+++ b/test/TEST-62-RESTRICT-IFACES/test.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+TEST_NO_NSPAWN=1
+
+set -e
+TEST_DESCRIPTION="test RestrictNetworkInterfaces="
+. $TEST_BASE_DIR/test-functions
+
+do_test "$@" 62
diff --git a/test/test-functions b/test/test-functions
index 27508957deb..0ecc7c04d0e 100644
--- a/test/test-functions
+++ b/test/test-functions
@@ -673,6 +673,7 @@ setup_basic_environment() {
 has_user_dbus_socket && install_user_dbus
 setup_selinux
 strip_binaries
+ instmods veth
 install_depmod_files
 generate_module_dependencies
 if get_bool "$IS_BUILT_WITH_ASAN"; then
diff --git a/test/units/testsuite-62-1.service b/test/units/testsuite-62-1.service
new file mode 100644
index 00000000000..b8e15c99259
--- /dev/null
+++ b/test/units/testsuite-62-1.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=TEST-62-RESTRICT-IFACES-all-pings-work
+[Service]
+ExecStart=/bin/sh -c 'ping -c 1 -W 0.2 192.168.113.1'
+ExecStart=/bin/sh -c 'ping -c 1 -W 0.2 192.168.113.5'
+ExecStart=/bin/sh -c 'ping -c 1 -W 0.2 192.168.113.9'
+RestrictNetworkInterfaces=
+Type=oneshot
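Review bot: In test/TEST-62-RESTRICT-IFACES/test.sh, `. $TEST_BASE_DIR/test-functions` expands the variable unquoted and unchecked, so an unset TEST_BASE_DIR makes the script try to source `/test-functions`, and a path containing spaces is split into several words. `set -e` is enabled but `-u` is not, so nothing catches the unset case before the source runs. Writing the line as `. "${TEST_BASE_DIR:?}/test-functions"` fails early with a clear message.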
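Review bot: `instmods veth` is added to setup_basic_environment in test/test-functions, so every test image built through that function now carries the veth module, and nothing on the line says which test needs it. A short comment above it, such as `# veth is used by TEST-62-RESTRICT-IFACES`, would keep the dependency traceable when the list is cleaned up later. The function body starts and ends outside this hunk, so how instmods behaves when veth is built into the kernel cannot be checked from here.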
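Review bot: Each reachability check in testsuite-62-1.service is a single echo request with a 0.2 second reply timeout (`ping -c 1 -W 0.2`), so one late reply fails the unit. This unit is also the unfiltered baseline that gives the negated pings in testsuite-62-2, -3 and -5 their meaning, so a spurious failure here hides what those units are meant to show. On a slow test VM that margin may be tight; a longer wait on the positive checks only, for example `ping -c 1 -W 1 192.168.113.1`, costs nothing when the reply arrives promptly.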
diff --git a/test/units/testsuite-62-2.service b/test/units/testsuite-62-2.service
new file mode 100644
index 00000000000..51328b0bce7
--- /dev/null
+++ b/test/units/testsuite-62-2.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=TEST-62-RESTRICT-IFACES-allow-list
+[Service]
+ExecStart=/bin/sh -c 'ping -c 1 -W 0.2 192.168.113.1'
+ExecStart=/bin/sh -c 'ping -c 1 -W 0.2 192.168.113.5'
+ExecStart=/bin/sh -c '! ping -c 1 -W 0.2 192.168.113.9'
+RestrictNetworkInterfaces=veth0
+RestrictNetworkInterfaces=veth1
+Type=oneshot
diff --git a/test/units/testsuite-62-3.service b/test/units/testsuite-62-3.service
new file mode 100644
index 00000000000..54ab1965ffd
--- /dev/null
+++ b/test/units/testsuite-62-3.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=TEST-62-RESTRICT-IFACES-deny-list
+[Service]
+ExecStart=/bin/sh -c '! ping -c 1 -W 0.2 192.168.113.1'
+ExecStart=/bin/sh -c '! ping -c 1 -W 0.2 192.168.113.5'
+ExecStart=/bin/sh -c 'ping -c 1 -W 0.2 192.168.113.9'
+RestrictNetworkInterfaces=~veth0
+RestrictNetworkInterfaces=~veth1
+Type=oneshot
diff --git a/test/units/testsuite-62-4.service b/test/units/testsuite-62-4.service
new file mode 100644
index 00000000000..1d267a9cbe3
--- /dev/null
+++ b/test/units/testsuite-62-4.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=TEST-62-RESTRICT-IFACES-empty-assigment
+[Service]
+ExecStart=/bin/sh -c 'ping -c 1 -W 0.2 192.168.113.1'
+ExecStart=/bin/sh -c 'ping -c 1 -W 0.2 192.168.113.5'
+ExecStart=/bin/sh -c 'ping -c 1 -W 0.2 192.168.113.9'
+RestrictNetworkInterfaces=veth0
+RestrictNetworkInterfaces=
+Type=oneshot
diff --git a/test/units/testsuite-62-5.service b/test/units/testsuite-62-5.service
new file mode 100644
index 00000000000..b69485edac5
--- /dev/null
+++ b/test/units/testsuite-62-5.service
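Review bot: The negated check `! ping -c 1 -W 0.2 192.168.113.9` in testsuite-62-2.service succeeds on any non-zero exit from ping, so on its own it cannot tell a packet dropped by the interface filter from an address that was never reachable. It is meaningful only because testsuite-62-1.service pings the same addresses without a filter first; the same holds for the negated lines in testsuite-62-3.service and testsuite-62-5.service. A comment above the negated line would record that dependency, for example `# must fail: veth2 is not in the allow-list; unfiltered reachability is proven by testsuite-62-1.service`.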
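Review bot: `Description=TEST-62-RESTRICT-IFACES-empty-assigment` in testsuite-62-4.service misspells "assignment", and the same typo appears in testsuite-62-5.service (`invert-assigment`). The unit also gives no hint why all three pings are expected to succeed although `veth0` is listed. Judging by those assertions the trailing empty assignment clears the list, and a comment such as `# the empty assignment resets the list, so the veth0 entry above no longer applies` would make that readable without the man page.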
@@ -0,0 +1,10 @@
+[Unit]
+Description=TEST-62-RESTRICT-IFACES-invert-assigment
+[Service]
+ExecStart=/bin/sh -c '! ping -c 1 -W 0.2 192.168.113.1'
+ExecStart=/bin/sh -c 'ping -c 1 -W 0.2 192.168.113.5'
+ExecStart=/bin/sh -c '! ping -c 1 -W 0.2 192.168.113.9'
+RestrictNetworkInterfaces=veth0
+RestrictNetworkInterfaces=veth0 veth1
+RestrictNetworkInterfaces=~veth0
+Type=oneshot
diff --git a/test/units/testsuite-62.service b/test/units/testsuite-62.service
new file mode 100644
index 00000000000..faaa2c85e3d
--- /dev/null
+++ b/test/units/testsuite-62.service
@@ -0,0 +1,6 @@
+Description=TEST-62-RESTRICT-IFACES
+
+[Service]
+ExecStartPre=rm -f /failed /testok
+ExecStart=/usr/lib/systemd/tests/testdata/units/%N.sh
+Type=oneshot
diff --git a/test/units/testsuite-62.sh b/test/units/testsuite-62.sh
new file mode 100755
index 00000000000..9b22d79fd31
--- /dev/null
+++ b/test/units/testsuite-62.sh
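Review bot: The three `RestrictNetworkInterfaces=` lines in testsuite-62-5.service mix an allow-list with a later `~veth0`, and nothing in the unit explains the expected outcome (only 192.168.113.5 reachable). Judging by the assertions, the inverted entry removes veth0 from the accumulated allow-list and leaves veth1. A comment saying so, e.g. `# allow veth0 and veth1, then ~veth0 removes veth0: only veth1 stays allowed`, would document the merge rule this unit pins down.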
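Review bot: `Description=TEST-62-RESTRICT-IFACES` is the first line of testsuite-62.service and sits outside any section, because the `[Unit]` header is missing. systemd ignores assignments that come before the first section header, so the unit would load without its description and log a parse warning. Add `[Unit]` as the first line of the file.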
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+set -ex
+set -o pipefail
+
+setup() {
+ systemd-analyze log-level debug
+ systemd-analyze log-target console
+
+ for i in `seq 0 3`;
+ do
+ ip netns del ns${i} || true
+ ip link del veth${i} || true
+ ip netns add ns${i}
+ ip link add veth${i} type veth peer name veth${i}_
+ ip link set veth${i}_ netns ns${i}
+ ip -n ns${i} link set dev veth${i}_ up
+ ip -n ns${i} link set dev lo up
+ ip -n ns${i} addr add "192.168.113."$((4*i+1))/30 dev veth${i}_
+ ip link set dev veth${i} up
+ ip addr add "192.168.113."$((4*i+2))/30 dev veth${i}
+ done
+}
+
+teardown() {
+ set +e
+
+ for i in `seq 0 3`;
+ do
+ ip netns del ns${i}
+ ip link del veth${i}
+ done
+
+ systemd-analyze log-level info
+}
+
+KERNEL_VERSION="$(uname -r)"
+KERNEL_MAJOR="${KERNEL_VERSION%%.*}"
+KERNEL_MINOR="${KERNEL_VERSION#$KERNEL_MAJOR.}"
+KERNEL_MINOR="${KERNEL_MINOR%%.*}"
+
+MAJOR_REQUIRED=5
+MINOR_REQUIRED=7
+
+if [[ "$KERNEL_MAJOR" -lt $MAJOR_REQUIRED || ("$KERNEL_MAJOR" -eq $MAJOR_REQUIRED && "$KERNEL_MINOR" -lt $MINOR_REQUIRED) ]]; then
+ echo "kernel is not 5.7+" >>/skipped
+ exit 0
+fi
+
+trap teardown EXIT
+setup
+
+systemctl start --wait testsuite-62-1.service
+systemctl start --wait testsuite-62-2.service
+systemctl start --wait testsuite-62-3.service
+systemctl start --wait testsuite-62-4.service
+systemctl start --wait testsuite-62-5.service
+
+echo OK > /testok
+
+exit 0
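Review bot: The skip logic in testsuite-62.sh checks only the running kernel version, so a systemd build without BPF framework support is not detected. On such a build the restriction would presumably not be enforced, and the negated pings in testsuite-62-2, -3 and -5 would fail the test instead of skipping it. A second guard next to the kernel check, writing to the same `/skipped` file and exiting before `trap teardown EXIT`, would separate "feature unavailable" from "feature broken". One possible condition is `systemctl --version | grep -q -F -- "-BPF_FRAMEWORK"`, provided the feature string of this build reports that flag.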