From: Jiri J. <jja...@re...> - 2013-10-07 11:29:12
RHEL7 now uses Nmap's "ncat" instead of traditional netcat.
The ncat has a different meaning of the `-w' switch - its original
functionality
-w secs Timeout for connects and final net reads
has been split into `-w' and `-i'
-i, --idle-timeout <time> Idle read/write timeout
-w, --wait <time> Connect timeout
However, the original nc lines cannot simply be rewritten as `-w 1 -i 1',
because ncat returns 1 and fails with an error message as soon as
the idle timeout expires.
The original meaning of `-w' has been used in various use cases
throughout the suite, mostly for its idle-timeout capability:
1. to close conn to lblnet_tst_server when it sleeps
2. to check for listening daemons (and close conn on connect)
3. because it was used elsewhere and somebody just copied it (?)
This patch makes these use cases use proper solutions:
1. use the new detach; command before issuing sleep
2. send ^D to sshd when a connection opens
It also makes use of the new meaning of `-w', to specify conn timeout,
so that tests don't need to wait 30 seconds for timeout.
A new value of 3 seconds is used to mitigate possible first-packet
issues with late delivery because of ARP/ND resolution.
The removal of unnecessary idle waits in network/netfilter/netfilebt
buckets also speeds up the suite execution by several minutes.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/kvm/test_network_export_other_source_ip.exp | 2 +-
audit-test/kvm/test_network_import_other_dest_ip.exp | 2 +-
audit-test/netfilebt/Makefile | 2 +-
audit-test/netfilebt/run.conf | 9 +++++----
audit-test/netfilter/Makefile | 2 +-
audit-test/netfilter/netfilter_functions.bash | 12 ++++++------
audit-test/netfilter/run.conf | 9 +++++----
audit-test/network/Makefile | 4 ++--
audit-test/network/run.conf | 9 +++++----
audit-test/trustedprograms/tests/test_ipsec.bash | 6 +++---
audit-test/trustedprograms/tests/test_xinetd.bash | 4 ++--
11 files changed, 32 insertions(+), 29 deletions(-)
diff --git a/audit-test/kvm/test_network_export_other_source_ip.exp b/audit-test/kvm/test_network_export_other_source_ip.exp
index 2e7bf9f..5926318 100755
--- a/audit-test/kvm/test_network_export_other_source_ip.exp
+++ b/audit-test/kvm/test_network_export_other_source_ip.exp
@@ -41,7 +41,7 @@ for {set i $first} {$i <= $env(last)} {incr i 1} {
# virtual machine environment network sshd service to start.
for {set j 1} {$j <= $env(kvm_guest_timeout)} {incr j 1} {
- set rc [catch { exec nc -s $env(kvm_guest_${i}_hostaddr) -w 1 $env(kvm_guest_${i}_addr) 22 } results]
+ set rc [catch { exec echo -ne \004 | nc -s $env(kvm_guest_${i}_hostaddr) -w 3 $env(kvm_guest_${i}_addr) 22 } results]
if { $rc eq 0 } {
break
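Review bot: The added `echo -ne \004 |` stage has no comment and is easy to misread: a 0x04 byte is not an end-of-file on a socket, and what lets the connection close is nc reaching EOF on its stdin once echo exits. The byte itself arrives at sshd as a malformed identification string, so each probe iteration probably leaves a log entry on the guest, which is worth knowing if later tests read those logs. A comment such as `# feed nc a short input so its stdin hits EOF and the probe ends without an idle timeout` would record the intent, and `exec nc … -w 3 … 22 < /dev/null` may give the same close without sending any data (to be confirmed with both nc variants). The same line is added in test_network_import_other_dest_ip.exp; the loop body continues past the hunk.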
diff --git a/audit-test/kvm/test_network_import_other_dest_ip.exp b/audit-test/kvm/test_network_import_other_dest_ip.exp
index 1b107b5..9d2171e 100755
--- a/audit-test/kvm/test_network_import_other_dest_ip.exp
+++ b/audit-test/kvm/test_network_import_other_dest_ip.exp
@@ -41,7 +41,7 @@ for {set i $first} {$i <= $env(last)} {incr i 1} {
# virtual machine environment network sshd service to start.
for {set j 1} {$j <= $env(kvm_guest_timeout)} {incr j 1} {
- set rc [catch { exec nc -s $env(kvm_guest_${i}_hostaddr) -w 1 $env(kvm_guest_${i}_addr) 22 } results]
+ set rc [catch { exec echo -ne \004 | nc -s $env(kvm_guest_${i}_hostaddr) -w 3 $env(kvm_guest_${i}_addr) 22 } results]
if { $rc eq 0 } {
break
diff --git a/audit-test/netfilebt/Makefile b/audit-test/netfilebt/Makefile
index d29058c..f3b5b4a 100644
--- a/audit-test/netfilebt/Makefile
+++ b/audit-test/netfilebt/Makefile
@@ -22,4 +22,4 @@ include $(TOPDIR)/rules.mk
unlock:
[[ -n $$LBLNET_SVR_IPV6 ]] && \
- (echo "lock:release;" | nc -w 1 $$LBLNET_SVR_IPV6 4000)
+ (echo "lock:release;" | nc -w 3 $$LBLNET_SVR_IPV6 4000)
diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf
index 290bb5e..f8676bd 100644
--- a/audit-test/netfilebt/run.conf
+++ b/audit-test/netfilebt/run.conf
@@ -288,7 +288,7 @@ function tstsvr_lock {
declare cmd_str="lock:set,$tstsvr_lock_timeout;"
echo $lblnet_svr6_host
- rc="$(nc -6 -w 1 $lblnet_svr6_host 4000 <<< $cmd_str)"
+ rc="$(nc -6 -w 3 $lblnet_svr6_host 4000 <<< $cmd_str)"
if [[ $rc == 0 ]]; then
tstsvr_lock_held=1
return 0
@@ -319,7 +319,7 @@ function tstsvr_unlock {
declare cmd_str="lock:release;"
if [[ $tstsvr_lock_held == 1 ]]; then
- nc -6 -w 1 $lblnet_svr6_host 4000 <<< $cmd_str
+ nc -6 -w 3 $lblnet_svr6_host 4000 <<< $cmd_str
fi
}
@@ -379,6 +379,7 @@ function setup_default {
# generate the host command string
remote_obj="$(get_label_obj $mlsop)"
cmd_str="sockcon:full,system_u:system_r:$(get_test_domain $type $host):$remote_obj;"
+ cmd_str+="detach;"
case $op in
sendrand_tcp)
local_host="$(get_host_local $ipv $host)"
@@ -410,11 +411,11 @@ function setup_default {
for ((loop_cnt=0; loop_cnt<=2 && rc!=0; loop_cnt++)); do
case $host in
remote)
- rc="$(nc -6 -w 2 $lblnet_svr6_host 4000 <<< $cmd_str)"
+ rc="$(nc -6 -w 3 $lblnet_svr6_host 4000 <<< $cmd_str)"
;;
local)
# use the same port as the remote IPv4 setting
- rc="$(nc -w 1 ::1 4000 <<< $cmd_str)"
+ rc="$(nc -w 3 ::1 4000 <<< $cmd_str)"
;;
*)
exit_fail "invalid test argument"
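Review bot: When nc cannot connect within the new 3-second limit it writes nothing to stdout, so `rc` is empty after the assignments in the `remote)` and `local)` arms, and bash evaluates an empty variable as 0 inside `((…))`; the `rc!=0` loop condition then stops the retries after the first failed attempt. Giving the empty case a non-zero value, e.g. `rc="$(nc -6 -w 3 $lblnet_svr6_host 4000 <<< $cmd_str)"; rc=${rc:-1}`, keeps all three attempts. The same loop is changed in the setup_default hunk of audit-test/netfilter/run.conf. How `rc` is checked after the loop is outside the hunk.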
diff --git a/audit-test/netfilter/Makefile b/audit-test/netfilter/Makefile
index d29058c..f3b5b4a 100644
--- a/audit-test/netfilter/Makefile
+++ b/audit-test/netfilter/Makefile
@@ -22,4 +22,4 @@ include $(TOPDIR)/rules.mk
unlock:
[[ -n $$LBLNET_SVR_IPV6 ]] && \
- (echo "lock:release;" | nc -w 1 $$LBLNET_SVR_IPV6 4000)
+ (echo "lock:release;" | nc -w 3 $$LBLNET_SVR_IPV6 4000)
diff --git a/audit-test/netfilter/netfilter_functions.bash b/audit-test/netfilter/netfilter_functions.bash
index 81211f9..67e0982 100644
--- a/audit-test/netfilter/netfilter_functions.bash
+++ b/audit-test/netfilter/netfilter_functions.bash
@@ -147,20 +147,20 @@ function do_nc {
declare rc
declare data_str="This string simply provides data to send over netcat"
case $ipv_arg in
+ # for tnum 47,48 - listening is set up by setup_default on port 4100
+ # for tnum 45,46 - lblnet_tst_server on port 4000 is used
ipv4)
if [[ $tnum == 47 ]]; then
- nc -l $port &
- rc="$(nc -w 1 "$1" "$port" <<< $data_str)"
+ rc="$(nc -w 3 "$1" "$port" <<< $data_str)"
else
- rc="$(nc -w 1 "$1" "$port")"
+ rc="$(nc -w 3 "$1" "$port")"
fi
;;
ipv6)
if [[ $tnum == 48 ]]; then
- nc -l $port &
- rc="$(nc -6 -w 1 "$1" "$port" <<< $data_str)"
+ rc="$(nc -6 -w 3 "$1" "$port" <<< $data_str)"
else
- rc="$(nc -6 -w 1 "$1" "$port")"
+ rc="$(nc -6 -w 3 "$1" "$port")"
fi
;;
*)
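Review bot: The `else` branches call `nc -w 3 "$1" "$port"` (and the `-6` form) with no stdin redirect, and per the commit message `-w` on ncat bounds only the connect. Once connected, nothing in these calls ends the session unless the peer closes or the stdin inherited by do_nc reaches EOF, so they can block where the old idle timeout used to return. `rc="$(nc -w 3 "$1" "$port" < /dev/null)"` would make the behaviour independent of the caller's stdin. do_nc starts before and ends after this hunk, so the callers' stdin is not visible here.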
diff --git a/audit-test/netfilter/run.conf b/audit-test/netfilter/run.conf
index e519a6c..762b516 100644
--- a/audit-test/netfilter/run.conf
+++ b/audit-test/netfilter/run.conf
@@ -287,7 +287,7 @@ function tstsvr_lock {
declare rc
declare cmd_str="lock:set,$tstsvr_lock_timeout;"
- rc="$(nc -6 -w 1 $lblnet_svr6_host 4000 <<< $cmd_str)"
+ rc="$(nc -6 -w 3 $lblnet_svr6_host 4000 <<< $cmd_str)"
if [[ $rc == 0 ]]; then
tstsvr_lock_held=1
return 0
@@ -318,7 +318,7 @@ function tstsvr_unlock {
declare cmd_str="lock:release;"
if [[ $tstsvr_lock_held == 1 ]]; then
- nc -6 -w 1 $lblnet_svr6_host 4000 <<< $cmd_str
+ nc -6 -w 3 $lblnet_svr6_host 4000 <<< $cmd_str
fi
}
@@ -405,6 +405,7 @@ function setup_default {
# generate the host command string
remote_obj="$(get_label_obj $mlsop)"
cmd_str="sockcon:full,system_u:system_r:$(get_test_domain $type $host):$remote_obj;"
+ cmd_str+="detach;"
case $op in
sendrand_tcp)
local_host="$(get_host_local $ipv $host)"
@@ -432,11 +433,11 @@ function setup_default {
for ((loop_cnt=0; loop_cnt<=2 && rc!=0; loop_cnt++)); do
case $host in
remote)
- rc="$(nc -6 -w 1 $lblnet_svr6_host 4000 <<< $cmd_str)"
+ rc="$(nc -6 -w 3 $lblnet_svr6_host 4000 <<< $cmd_str)"
;;
local)
# use the same port as the remote IPv4 setting
- rc="$(nc -w 1 ::1 4000 <<< $cmd_str)"
+ rc="$(nc -w 3 ::1 4000 <<< $cmd_str)"
;;
*)
exit_fail "invalid test argument"
diff --git a/audit-test/network/Makefile b/audit-test/network/Makefile
index ea7380c..6055de3 100644
--- a/audit-test/network/Makefile
+++ b/audit-test/network/Makefile
@@ -25,8 +25,8 @@ SUB_DIRS = system
unlock:
ifneq ($(DISTRO), SUSE)
[[ -n $$LBLNET_SVR_IPV6 ]] && \
- (echo "lock:release;" | nc -w 1 $$LBLNET_SVR_IPV6 4000)
+ (echo "lock:release;" | nc -w 3 $$LBLNET_SVR_IPV6 4000)
else
[[ -n $$LBLNET_SVR_IPV6 ]] && \
- (echo "lock:release;" | nc6 -t 1 -w 1 $$LBLNET_SVR_IPV6 4000)
+ (echo "lock:release;" | nc6 -t 1 -w 3 $$LBLNET_SVR_IPV6 4000)
endif
diff --git a/audit-test/network/run.conf b/audit-test/network/run.conf
index 307d218..d1b11f2 100644
--- a/audit-test/network/run.conf
+++ b/audit-test/network/run.conf
@@ -313,7 +313,7 @@ function tstsvr_lock {
declare rc
declare str="lock:set,$tstsvr_lock_timeout;"
- rc="$($cmd_nc $lblnet_svr6_host 4000 <<< $str)"
+ rc="$($cmd_nc $lblnet_svr6_host 4000 <<< $str)"
if [[ $rc == 0 ]]; then
tstsvr_lock_held=1
return 0
@@ -344,7 +344,7 @@ function tstsvr_unlock {
declare str="lock:release;"
if [[ $tstsvr_lock_held == 1 ]]; then
- nc -w 1 $lblnet_svr6_host 4000 <<< $str
+ nc -w 3 $lblnet_svr6_host 4000 <<< $str
fi
}
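Review bot: tstsvr_unlock still hard-codes `nc -w 3`, while tstsvr_lock in the same file goes through `$cmd_nc`, which the last hunk of this file sets to the nc6 form whenever nc6 is installed. On a host that has only nc6 the lock would be taken but the release would fail, presumably leaving the test server locked until `$tstsvr_lock_timeout` runs out. `$cmd_nc $lblnet_svr6_host 4000 <<< $str` would keep the two paths on the same binary and options.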
@@ -451,6 +451,7 @@ set -x
# generate the host command string
remote_obj="$(get_label_obj $mlsop)"
str="sockcon:full,system_u:system_r:$(get_test_domain $type $host):$remote_obj;"
+ str+="detach;"
case $op in
sendrand_tcp)
local_host="$(get_host_local $ipv $host)"
@@ -1001,9 +1002,9 @@ esac
# determine the netcat variant
if which nc6 >& /dev/null; then
- cmd_nc="nc6 ----idle-timeout=1 -w 1 "
+ cmd_nc="nc6 --idle-timeout=1 -w 3 "
elif which nc >& /dev/null; then
- cmd_nc="nc -w 1 "
+ cmd_nc="nc -w 3 "
else
die "error: netcat not installed"
fi
diff --git a/audit-test/trustedprograms/tests/test_ipsec.bash b/audit-test/trustedprograms/tests/test_ipsec.bash
index 289642b..25541fd 100755
--- a/audit-test/trustedprograms/tests/test_ipsec.bash
+++ b/audit-test/trustedprograms/tests/test_ipsec.bash
@@ -108,7 +108,7 @@ function normalize_addr {
#
function remote_ipsec_flush {
declare str="ipsec:flush;"
- $cmd_nc -w 1 $1 4000 <<< $str
+ $cmd_nc -w 3 $1 4000 <<< $str
}
@@ -144,10 +144,10 @@ function ipsec_add {
# do the setup
if [ $1 == "6" ]; then
runcon -t lspp_test_netlabel_t -l SystemLow -- \
- $cmd_nc $ip_dst 4000 <<< "recv:ipv6,tcp,4300,0;" &
+ $cmd_nc $ip_dst 4000 <<< "detach;recv:ipv6,tcp,4300,0;"
elif [ $1 == "4" ]; then
runcon -t lspp_test_netlabel_t -l SystemLow -- \
- $cmd_nc $ip_dst 4001 <<< "recv:ipv4,tcp,4300,0;" &
+ $cmd_nc $ip_dst 4001 <<< "detach;recv:ipv4,tcp,4300,0;"
else
die "error: expected parameter 4 | 6 not given"
fi
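Review bot: With the trailing `&` removed, both `$cmd_nc … <<< "detach;recv:…"` calls now run in the foreground, but their exit status is still ignored, so a refused or timed-out connection lets ipsec_add carry on with no receiver on the remote side. Appending `|| die "error: remote receiver setup failed"` to each call would stop the test at the point of failure. A short comment, e.g. `# detach first so the server releases this connection before recv blocks`, would also explain why the command order matters; that reading is inferred from the commit message. ipsec_add continues past the hunk.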
diff --git a/audit-test/trustedprograms/tests/test_xinetd.bash b/audit-test/trustedprograms/tests/test_xinetd.bash
index ac778c8..6b65994 100755
--- a/audit-test/trustedprograms/tests/test_xinetd.bash
+++ b/audit-test/trustedprograms/tests/test_xinetd.bash
@@ -75,9 +75,9 @@ function xinetd_test {
# determine the netcat variant
if which nc6 >& /dev/null; then
- cmd_nc="nc6 ----idle-timeout=1 -w 1 "
+ cmd_nc="nc6 --idle-timeout=1 -w 3 "
elif which nc >& /dev/null; then
- cmd_nc="nc -w 1 "
+ cmd_nc="nc -w 3 "
else
die "error: netcat not installed"
fi
--
1.8.3.1