From: Linda K. <lin...@hp...> - 2013-09-03 14:14:00
Hi Jiri,
Based on our previous mail, this looks good to me.
Looking at the code changes, it does look like some things were
missed in earlier changes to those tests. For questions about
whether the test case is sufficient, we may need to send a note to
Stephan.
-- ljk
Jiri Jaburek wrote:
> Signed-off-by: Jiri Jaburek <jja...@re...>
> ---
> audit-test/netfilter/run.conf | 42 +++++++++++++++---------------------------
> 1 file changed, 15 insertions(+), 27 deletions(-)
>
> diff --git a/audit-test/netfilter/run.conf b/audit-test/netfilter/run.conf
> index 423b3cb..e519a6c 100644
> --- a/audit-test/netfilter/run.conf
> +++ b/audit-test/netfilter/run.conf
> @@ -395,18 +395,6 @@ function setup_default {
> kill -9 $tspid
> fi
>
> - # For the RST flag test of IPv4 we do not want to start the netfilter
> - # server and we will run a netcat command against the ipv4 loop back
> - # address after we set the iptables so just return
> -
> - if [[ $tnum == 46 ]]; then
> - if [[ $xndpid ]]; then
> - kill -9 $xndpid
> - xndrst=1
> - fi
> - return
> - fi
> -
> if [[ ! $xndpid ]]; then
> echo "starting local lblnet_tst_server"
> ./do_netfilsvr.bash
> @@ -661,7 +649,9 @@ function run_test {
> iptables_setup
> ip6tables_setup
> sleep 3
> - if [[ $tnum -lt 29 ]] || [[ $tnum -gt 36 ]]; then
> + # exclude ping and RST tests
> + if ! [[ $tnum -ge 29 && $tnum -le 36 ]] \
> + && ! [[ $tnum -ge 45 && $tnum -le 46 ]]; then
> setup_default
> echo "going to setup_default"
> fi
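Review bot: The new condition skips setup_default for tnum 45 and 46, but nothing on the new side replaces the `kill -9 $xndpid` / `xndrst=1` that the removed tnum==46 branch in setup_default used to perform, so a lblnet_tst_server started by an earlier test keeps running into the RST tests. If that server listens on $tst_port1 on loopback (not visible here), the connect would be accepted rather than refused and no RST would be generated; either stopping the server before these two cases or stating in the comment that the server is expected to be down would make the intent explicit. The two negated ranges also read more directly as arithmetic, `if (( tnum < 29 || tnum > 36 )) && (( tnum < 45 || tnum > 46 )); then`, and the comment could name the numbers it excludes, `# exclude ping (29-36) and RST (45-46) tests`. run_test starts and ends outside this hunk.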
> @@ -817,15 +807,15 @@ function run_test {
> protov=6
> ;;
> 45)
> - ip6tables -A INPUT -p tcp --dport 4000 --tcp-flags ALL RST -j LOG --log-prefix "rst received ipv6"
> - ip6tables -A INPUT -p tcp --dport 4000 --tcp-flags ALL RST -j AUDIT_ACCEPT
> + ip6tables -A INPUT -i lo -p tcp --sport $tst_port1 --tcp-flags RST RST -j LOG --log-prefix "rst received ipv6"
> + ip6tables -A INPUT -i lo -p tcp --sport $tst_port1 --tcp-flags RST RST -j AUDIT_ACCEPT
> logrotate -f /etc/logrotate.d/syslog
> actv=0
> protov=6
> ;;
> 46)
> - iptables -A INPUT -i lo -p tcp --sport 4000 --tcp-flags RST RST -j LOG --log-prefix "rst received ipv4"
> - iptables -A INPUT -i lo -p tcp --sport 4000 --tcp-flags RST RST -j AUDIT_ACCEPT
> + iptables -A INPUT -i lo -p tcp --sport $tst_port1 --tcp-flags RST RST -j LOG --log-prefix "rst received ipv4"
> + iptables -A INPUT -i lo -p tcp --sport $tst_port1 --tcp-flags RST RST -j AUDIT_ACCEPT
> logrotate -f /etc/logrotate.d/syslog
> actv=0
> protov=6
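Review bot: The rewritten case-46 arm installs ipv4 rules but still ends with `protov=6`, the same value the ipv6 arm for 45 sets; if protov selects the address family used elsewhere in run_test this looks like a leftover, and `protov=4` would agree with the `ipv=ipv4` that the tnum 46 test definition passes. The switch from `--tcp-flags ALL RST` to `--tcp-flags RST RST` on the ipv6 rule widens the match from "only RST set" to "RST set, other flags ignored", which is presumably what is needed since a refused connection is answered with RST together with ACK; that reasoning is worth a one-line comment above the rules, e.g. `# RST RST: match any segment carrying RST (a refused connect answers RST/ACK, which ALL RST never matched)`. run_test continues before and after this hunk.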
> @@ -1792,32 +1782,30 @@ done
> host=local type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \
> tnum=44 '$host_remote tcp $port'
> ## TESTCASE Test #44 tnum 45
> -## Table Rule received tcp segments (ipv6) to destination port 4000
> +## Table Rule received tcp segments (ipv6) from dst port $tst_port1
> ## with RST flag set are accepted and logged to
> ## /var/log/messages with "rst received ipv6" log prefix
> ## and recorded in audit.log
> -## Input nc listen (forced ipv6)is started on TOE on $port and nc
> -## connection (forced ipv6) is started on $port, this
> -## should generate segment with an RST flag
> +## Input tcp connection request (ipv6) is sent over local
> +## loopback device to port $tst_port1
> ## Expected Result segments pass through, messages file has log, audit.log
> ## has record.
> + connect \
> mlsop=eq expres=success \
> - host=local type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \
> + host=local type=unlabeled ipv=ipv6 port=$tst_port1 \
> tnum=45 '$host_remote tcp $port'
> ## TESTCASE Test #45 tnum 46
> -## Table Rule received tcp segments (ipv4) to destination port 4000
> +## Table Rule received tcp segments (ipv4) from dst port $tst_port1
> ## with RST flag set are accepted and logged to
> ## /var/log/messages with "rst received ipv4" log prefix
> ## and recorded in audit.log
> -## Input nc listen is started on TOE on $port and nc connection
> -## initiation is started on $port, this should generate
> -## segment with an RST flag
> +## Input tcp connection request (ipv4) is sent over local
> +## loopback device to port $tst_port1
> ## Expected Result segments pass through, messages file has log, audit.log
> ## has record.
> + connect \
> mlsop=eq expres=success \
> - host=local type=unlabeled op=recv_tcp ipv=ipv4 port=4000 \
> + host=local type=unlabeled ipv=ipv4 port=$tst_port1 \
> tnum=46 '$host_remote tcp $port'
> ## TESTCASE Test #46 tnum 47
> ## Table Rule received tcp segments (ipv4) to destination port
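Review bot: The new Table Rule text for both tests says segments `from dst port $tst_port1`, but the rules installed for tnum 45 and 46 match `--sport $tst_port1`, i.e. the RST arrives with $tst_port1 as its source port, so the lines should read `## Table Rule received tcp segments (ipv6) with source port $tst_port1` and `## Table Rule received tcp segments (ipv4) with source port $tst_port1`. The Input lines could also state the precondition the test appears to rely on, that nothing is listening on $tst_port1 on loopback so the connect is refused and produces the RST; without it a stray listener makes the test fail for a reason the description does not mention. Whether `connect` with `expres=success` treats the refused connection itself as success cannot be confirmed from this hunk. The surrounding list of test cases continues before and after this hunk.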