1import os
2
3import infra.basetest
4
5
class TestIptables(infra.basetest.BRTest):
    # Runtime test for the iptables package: boot the built image under
    # the emulator, install one DROP rule and verify with ping that the
    # rule is enforced while present and no longer enforced once removed.
    #
    # iptables carries _LINUX_CONFIG_FIXUPS, so the pre-built Kernel
    # used by other runtime tests cannot be reused here. A Kernel is
    # compiled as part of this test so that the configuration iptables
    # requires is guaranteed to be present.
    config = \
        """
        BR2_aarch64=y
        BR2_TOOLCHAIN_EXTERNAL=y
        BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0"
        BR2_LINUX_KERNEL=y
        BR2_LINUX_KERNEL_CUSTOM_VERSION=y
        BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.1.82"
        BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
        BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/aarch64-virt/linux.config"
        BR2_LINUX_KERNEL_NEEDS_HOST_OPENSSL=y
        BR2_PACKAGE_IPTABLES=y
        BR2_TARGET_ROOTFS_CPIO=y
        BR2_TARGET_ROOTFS_CPIO_GZIP=y
        # BR2_TARGET_ROOTFS_TAR is not set
        """

    def test_run(self):
        # Boot the freshly built Kernel with the gzipped cpio rootfs as
        # initrd, then log in on the serial console.
        images_dir = os.path.join(self.builddir, "images")
        rootfs_image = os.path.join(images_dir, "rootfs.cpio.gz")
        kernel_image = os.path.join(images_dir, "Image")
        qemu_options = [
            "-M", "virt",
            "-cpu", "cortex-a57",
            "-m", "256M",
            "-initrd", rootfs_image,
        ]
        self.emulator.boot(arch="aarch64",
                           kernel=kernel_image,
                           kernel_cmdline=["console=ttyAMA0"],
                           options=qemu_options)
        self.emulator.login()

        # Smoke check: the binary is present and can execute.
        self.assertRunOk("iptables --version")

        # Bring the ruleset to a known state: no rules in any chain and
        # an ACCEPT default policy on INPUT and OUTPUT. The default
        # Kernel config should already give us that; doing it
        # explicitly also exercises these common invocations.
        known_state_cmds = (
            "iptables --flush",
            "iptables --policy INPUT ACCEPT",
            "iptables --policy OUTPUT ACCEPT",
        )
        for state_cmd in known_state_cmds:
            self.assertRunOk(state_cmd)

        # Append a rule to the INPUT chain dropping every ICMP packet
        # addressed to the IPv4 destination 127.0.0.2. Pings (ICMP
        # echo-requests) to that address should then go unanswered.
        drop_rule_cmd = (
            "iptables --append INPUT"
            " --protocol icmp --destination 127.0.0.2 --jump DROP"
        )
        self.assertRunOk(drop_rule_cmd)

        # Listing the rules must succeed as well.
        self.assertRunOk("iptables --list")

        # Common ping invocation: 3 echo-requests (-c), sent at a 0.5s
        # interval (-i), with a maximum timeout of 2s (-W).
        ping_base = "ping -c 3 -i 0.5 -W 2 "

        # 127.0.0.1 does not match the rule, so this ping must pass.
        self.assertRunOk(f"{ping_base}127.0.0.1")

        # 127.0.0.2 matches the DROP rule, so this ping must fail. Only
        # the exit status is checked here, so on its own this does not
        # tell a dropped packet apart from another ping failure; the
        # same command is re-run below, once the rule is gone, and
        # must then succeed.
        blocked_ping_cmd = f"{ping_base}127.0.0.2"
        _, ping_status = self.emulator.run(blocked_ping_cmd)
        self.assertNotEqual(ping_status, 0)

        # Remove the rule by position. After the flush above it is the
        # only rule in INPUT, hence rule number 1.
        self.assertRunOk("iptables --delete INPUT 1")

        # With the rule deleted, the ping that failed earlier must now
        # succeed, which ties the earlier failure to the rule itself.
        self.assertRunOk(blocked_ping_cmd)
79