From: Jiri J. <jja...@re...> - 2013-10-07 11:28:45
The new approach is to *not* set up listening on any port
and send a connection attempt (TCP SYN) to a closed/unused one instead.
This operation generates a TCP RST response, which gets logged.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/netfilter/run.conf | 42 +++++++++++++++---------------------------
1 file changed, 15 insertions(+), 27 deletions(-)
diff --git a/audit-test/netfilter/run.conf b/audit-test/netfilter/run.conf
index 423b3cb..e519a6c 100644
--- a/audit-test/netfilter/run.conf
+++ b/audit-test/netfilter/run.conf
@@ -395,18 +395,6 @@ function setup_default {
kill -9 $tspid
fi
- # For the RST flag test of IPv4 we do not want to start the netfilter
- # server and we will run a netcat command against the ipv4 loop back
- # address after we set the iptables so just return
-
- if [[ $tnum == 46 ]]; then
- if [[ $xndpid ]]; then
- kill -9 $xndpid
- xndrst=1
- fi
- return
- fi
-
if [[ ! $xndpid ]]; then
echo "starting local lblnet_tst_server"
./do_netfilsvr.bash
@@ -661,7 +649,9 @@ function run_test {
iptables_setup
ip6tables_setup
sleep 3
- if [[ $tnum -lt 29 ]] || [[ $tnum -gt 36 ]]; then
+ # exclude ping and RST tests
+ if ! [[ $tnum -ge 29 && $tnum -le 36 ]] \
+ && ! [[ $tnum -ge 45 && $tnum -le 46 ]]; then
setup_default
echo "going to setup_default"
fi
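Review bot: Skipping setup_default for tnum 45 and 46 also drops the `kill -9 $xndpid` that the removed tnum-46 branch performed, so a local lblnet_tst_server started by an earlier test (the `./do_netfilsvr.bash` path on the context lines) is left running; if that server listens on `$tst_port1`, the SYN the new tests send is answered with SYN/ACK rather than the RST the 45/46 rules wait for. Unless the server is known to bind elsewhere, keep the shutdown ahead of the guard: `if [[ $tnum -ge 45 && $tnum -le 46 && $xndpid ]]; then kill -9 $xndpid; xndrst=1; fi`. The two numeric ranges would also read better with a comment that names them, e.g. `# tnum 29-36: ping tests, 45-46: RST tests -- neither wants the local server`. The run_test body begins and ends outside this hunk.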
@@ -817,15 +807,15 @@ function run_test {
protov=6
;;
45)
- ip6tables -A INPUT -p tcp --dport 4000 --tcp-flags ALL RST -j LOG --log-prefix "rst received ipv6"
- ip6tables -A INPUT -p tcp --dport 4000 --tcp-flags ALL RST -j AUDIT_ACCEPT
+ ip6tables -A INPUT -i lo -p tcp --sport $tst_port1 --tcp-flags RST RST -j LOG --log-prefix "rst received ipv6"
+ ip6tables -A INPUT -i lo -p tcp --sport $tst_port1 --tcp-flags RST RST -j AUDIT_ACCEPT
logrotate -f /etc/logrotate.d/syslog
actv=0
protov=6
;;
46)
- iptables -A INPUT -i lo -p tcp --sport 4000 --tcp-flags RST RST -j LOG --log-prefix "rst received ipv4"
- iptables -A INPUT -i lo -p tcp --sport 4000 --tcp-flags RST RST -j AUDIT_ACCEPT
+ iptables -A INPUT -i lo -p tcp --sport $tst_port1 --tcp-flags RST RST -j LOG --log-prefix "rst received ipv4"
+ iptables -A INPUT -i lo -p tcp --sport $tst_port1 --tcp-flags RST RST -j AUDIT_ACCEPT
logrotate -f /etc/logrotate.d/syslog
actv=0
protov=6
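Review bot: Case 46 is the ipv4 RST test but its last line still sets `protov=6`, a copy of case 45; if `protov` selects which log/audit check runs later this looks like it should be `protov=4`, though the old code carried the same value, so confirm what the checker does with it before changing. The new `--tcp-flags RST RST` match deserves a why-comment, because the RST answering a SYN to a closed port also carries ACK and the previous `--tcp-flags ALL RST` could never match it: `# the RST reply to a SYN also has ACK set, so test only the RST bit`. Both rules accept any RST from source port `$tst_port1` on lo, so the existing teardown presumably removes them after the test; if it does not, the AUDIT_ACCEPT rule stays behind. The enclosing case statement and run_test continue outside this hunk.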
@@ -1792,32 +1782,30 @@ done
host=local type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \
tnum=44 '$host_remote tcp $port'
## TESTCASE Test #44 tnum 45
-## Table Rule received tcp segments (ipv6) to destination port 4000
+## Table Rule received tcp segments (ipv6) from dst port $tst_port1
## with RST flag set are accepted and logged to
## /var/log/messages with "rst received ipv6" log prefix
## and recorded in audit.log
-## Input nc listen (forced ipv6)is started on TOE on $port and nc
-## connection (forced ipv6) is started on $port, this
-## should generate segment with an RST flag
+## Input tcp connection request (ipv6) is sent over local
+## loopback device to port $tst_port1
## Expected Result segments pass through, messages file has log, audit.log
## has record.
+ connect \
mlsop=eq expres=success \
- host=local type=unlabeled op=recv_tcp ipv=ipv6 port=$tst_port1 \
+ host=local type=unlabeled ipv=ipv6 port=$tst_port1 \
tnum=45 '$host_remote tcp $port'
## TESTCASE Test #45 tnum 46
-## Table Rule received tcp segments (ipv4) to destination port 4000
+## Table Rule received tcp segments (ipv4) from dst port $tst_port1
## with RST flag set are accepted and logged to
## /var/log/messages with "rst received ipv4" log prefix
## and recorded in audit.log
-## Input nc listen is started on TOE on $port and nc connection
-## initiation is started on $port, this should generate
-## segment with an RST flag
+## Input tcp connection request (ipv4) is sent over local
+## loopback device to port $tst_port1
## Expected Result segments pass through, messages file has log, audit.log
## has record.
+ connect \
mlsop=eq expres=success \
- host=local type=unlabeled op=recv_tcp ipv=ipv4 port=4000 \
+ host=local type=unlabeled ipv=ipv4 port=$tst_port1 \
tnum=46 '$host_remote tcp $port'
## TESTCASE Test #46 tnum 47
## Table Rule received tcp segments (ipv4) to destination port
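Review bot: The rewritten Table Rule lines say `from dst port $tst_port1`, which is the wrong way round: the ip(6)tables rules match `--sport $tst_port1`, i.e. the port is the source port of the RST that answers the SYN sent to it, so `with source port $tst_port1 (the closed port the SYN was sent to)` describes the rule correctly. The Input lines state the request goes over the loopback device, yet the command still names `$host_remote`; the `-i lo` rules only fire if `host=local` resolves that to a loopback address, which is worth saying in the comment so the dependency is visible. The following TESTCASE block continues outside this hunk.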
--
1.8.3.1