Diffstat (limited to 'testdata/acl_interface.tdir')
| -rw-r--r-- | testdata/acl_interface.tdir/acl_interface.conf | 140 | ||||
| -rw-r--r-- | testdata/acl_interface.tdir/acl_interface.dsc | 16 | ||||
| -rw-r--r-- | testdata/acl_interface.tdir/acl_interface.post | 11 | ||||
| -rw-r--r-- | testdata/acl_interface.tdir/acl_interface.pre | 75 | ||||
| -rw-r--r-- | testdata/acl_interface.tdir/acl_interface.test | 11 | ||||
| -rw-r--r-- | testdata/acl_interface.tdir/acl_interface.test.scenario | 205 | ||||
| -rw-r--r-- | testdata/acl_interface.tdir/acl_interface.testns | 26 | ||||
| -rw-r--r-- | testdata/acl_interface.tdir/acl_interface.testns2 | 13 |
8 files changed, 497 insertions, 0 deletions
diff --git a/testdata/acl_interface.tdir/acl_interface.conf b/testdata/acl_interface.tdir/acl_interface.conf
new file mode 100644
index 000000000000..157a2d7b76bf
--- /dev/null
+++ b/testdata/acl_interface.tdir/acl_interface.conf
@@ -0,0 +1,140 @@
+server:
+ verbosity: 7
+ use-syslog: no
+ directory: ""
+ pidfile: "unbound.pid"
+ chroot: ""
+ username: ""
+ do-not-query-localhost: no
+ use-caps-for-id: no
+ define-tag: "one two refuse"
+
+# Interface configuration for IPv4
+ interface: @IPV4_ADDR@@@PORT_ALLOW@
+ interface: @IPV4_ADDR@@@PORT_DENY@
+ interface: @IPV4_ADDR@@@PORT_REFUSE@
+ interface: @IPV4_ADDR@@@PORT_TAG_1@
+ interface: @IPV4_ADDR@@@PORT_TAG_2@
+ interface: @IPV4_ADDR@@@PORT_TAG_3@
+ interface: @IPV4_ADDR@@@PORT_VIEW_INT@
+ interface: @IPV4_ADDR@@@PORT_VIEW_EXT@
+ interface: @IPV4_ADDR@@@PORT_VIEW_INTEXT@
+
+ interface-action: @IPV4_ADDR@@@PORT_ALLOW@ allow
+ interface-action: @IPV4_ADDR@@@PORT_DENY@ deny
+ # interface-action: @IPV4_ADDR@@@PORT_REFUSE@ refuse # This is the default action
+ interface-action: @IPV4_ADDR@@@PORT_TAG_1@ allow
+ interface-action: @IPV4_ADDR@@@PORT_TAG_2@ allow
+ interface-action: @IPV4_ADDR@@@PORT_TAG_3@ allow
+ interface-action: @IPV4_ADDR@@@PORT_VIEW_INT@ allow
+ interface-action: @IPV4_ADDR@@@PORT_VIEW_EXT@ allow
+ interface-action: @IPV4_ADDR@@@PORT_VIEW_INTEXT@ allow
+
+ interface-tag: @IPV4_ADDR@@@PORT_TAG_1@ "one"
+ interface-tag: @IPV4_ADDR@@@PORT_TAG_2@ "two"
+ interface-tag: @IPV4_ADDR@@@PORT_TAG_3@ "refuse"
+ interface-tag-action: @IPV4_ADDR@@@PORT_TAG_1@ one redirect
+ interface-tag-data: @IPV4_ADDR@@@PORT_TAG_1@ one "A 1.1.1.1"
+ interface-tag-action: @IPV4_ADDR@@@PORT_TAG_2@ two redirect
+ interface-tag-data: @IPV4_ADDR@@@PORT_TAG_2@ two "A 2.2.2.2"
+ interface-tag-action: @IPV4_ADDR@@@PORT_TAG_3@ refuse always_refuse
+
+ interface-view: @IPV4_ADDR@@@PORT_VIEW_INT@ "int"
+ interface-view: @IPV4_ADDR@@@PORT_VIEW_EXT@ "ext"
+ interface-view: @IPV4_ADDR@@@PORT_VIEW_INTEXT@ "intext"
+
+# Mirrored interface configuration for IPv6
+ interface: @IPV6_ADDR@@@PORT_ALLOW@
+ interface: @IPV6_ADDR@@@PORT_DENY@
+ interface: @IPV6_ADDR@@@PORT_REFUSE@
+ interface: @IPV6_ADDR@@@PORT_TAG_1@
+ interface: @IPV6_ADDR@@@PORT_TAG_2@
+ interface: @IPV6_ADDR@@@PORT_TAG_3@
+ interface: @IPV6_ADDR@@@PORT_VIEW_INT@
+ interface: @IPV6_ADDR@@@PORT_VIEW_EXT@
+ interface: @IPV6_ADDR@@@PORT_VIEW_INTEXT@
+
+ interface-action: @IPV6_ADDR@@@PORT_ALLOW@ allow
+ interface-action: @IPV6_ADDR@@@PORT_DENY@ deny
+ # interface-action: @IPV6_ADDR@@@PORT_REFUSE@ refuse # This is the default action
+ interface-action: @IPV6_ADDR@@@PORT_TAG_1@ allow
+ interface-action: @IPV6_ADDR@@@PORT_TAG_2@ allow
+ interface-action: @IPV6_ADDR@@@PORT_TAG_3@ allow
+ interface-action: @IPV6_ADDR@@@PORT_VIEW_INT@ allow
+ interface-action: @IPV6_ADDR@@@PORT_VIEW_EXT@ allow
+ interface-action: @IPV6_ADDR@@@PORT_VIEW_INTEXT@ allow
+
+ interface-tag: @IPV6_ADDR@@@PORT_TAG_1@ "one"
+ interface-tag: @IPV6_ADDR@@@PORT_TAG_2@ "two"
+ interface-tag: @IPV6_ADDR@@@PORT_TAG_3@ "refuse"
+ interface-tag-action: @IPV6_ADDR@@@PORT_TAG_1@ one redirect
+ interface-tag-data: @IPV6_ADDR@@@PORT_TAG_1@ one "A 1.1.1.1"
+ interface-tag-action: @IPV6_ADDR@@@PORT_TAG_2@ two redirect
+ interface-tag-data: @IPV6_ADDR@@@PORT_TAG_2@ two "A 2.2.2.2"
+ interface-tag-action: @IPV6_ADDR@@@PORT_TAG_3@ refuse always_refuse
+
+ interface-view: @IPV6_ADDR@@@PORT_VIEW_INT@ "int"
+ interface-view: @IPV6_ADDR@@@PORT_VIEW_EXT@ "ext"
+ interface-view: @IPV6_ADDR@@@PORT_VIEW_INTEXT@ "intext"
+
+# Mirrored interface configuration for interface name
+ interface: @INTERFACE@@@PORT_ALLOW@
+ interface: @INTERFACE@@@PORT_DENY@
+ interface: @INTERFACE@@@PORT_REFUSE@
+ interface: @INTERFACE@@@PORT_TAG_1@
+ interface: @INTERFACE@@@PORT_TAG_2@
+ interface: @INTERFACE@@@PORT_TAG_3@
+ interface: @INTERFACE@@@PORT_VIEW_INT@
+ interface: @INTERFACE@@@PORT_VIEW_EXT@
+ interface: @INTERFACE@@@PORT_VIEW_INTEXT@
+
+ interface-action: @INTERFACE@@@PORT_ALLOW@ allow
+ interface-action: @INTERFACE@@@PORT_DENY@ deny
+ # interface-action: @INTERFACE@@@PORT_REFUSE@ refuse # This is the default action
+ interface-action: @INTERFACE@@@PORT_TAG_1@ allow
+ interface-action: @INTERFACE@@@PORT_TAG_2@ allow
+ interface-action: @INTERFACE@@@PORT_TAG_3@ allow
+ interface-action: @INTERFACE@@@PORT_VIEW_INT@ allow
+ interface-action: @INTERFACE@@@PORT_VIEW_EXT@ allow
+ interface-action: @INTERFACE@@@PORT_VIEW_INTEXT@ allow
+
+ interface-tag: @INTERFACE@@@PORT_TAG_1@ "one"
+ interface-tag: @INTERFACE@@@PORT_TAG_2@ "two"
+ interface-tag: @INTERFACE@@@PORT_TAG_3@ "refuse"
+ interface-tag-action: @INTERFACE@@@PORT_TAG_1@ one redirect
+ interface-tag-data: @INTERFACE@@@PORT_TAG_1@ one "A 1.1.1.1"
+ interface-tag-action: @INTERFACE@@@PORT_TAG_2@ two redirect
+ interface-tag-data: @INTERFACE@@@PORT_TAG_2@ two "A 2.2.2.2"
+ interface-tag-action: @INTERFACE@@@PORT_TAG_3@ refuse always_refuse
+
+ interface-view: @INTERFACE@@@PORT_VIEW_INT@ "int"
+ interface-view: @INTERFACE@@@PORT_VIEW_EXT@ "ext"
+ interface-view: @INTERFACE@@@PORT_VIEW_INTEXT@ "intext"
+
+# Local zones configuration
+ local-zone: local. transparent
+ local-data: "local. A 0.0.0.0"
+ local-zone-tag: local. "one two refuse"
+
+# Views configuration
+view:
+ name: "int"
+ view-first: yes
+ local-zone: "." refuse
+ local-zone: "internal" transparent
+view:
+ name: "ext"
+ view-first: yes
+ local-zone: "internal" refuse
+view:
+ name: "intext"
+ view-first: yes
+
+# Stubs configuration
+forward-zone:
+ name: "."
+ forward-addr: @IPV4_ADDR@@@FORWARD_PORT@
+
+stub-zone:
+ name: "internal"
+ stub-addr: @IPV4_ADDR@@@STUB_PORT@
diff --git a/testdata/acl_interface.tdir/acl_interface.dsc b/testdata/acl_interface.tdir/acl_interface.dsc
new file mode 100644
index 000000000000..cfe5c3cf56c8
--- /dev/null
+++ b/testdata/acl_interface.tdir/acl_interface.dsc
@@ -0,0 +1,16 @@
+BaseName: acl_interface
+Version: 1.0
+Description: Check the interface-* settings
+CreationDate: Fri 8 Oct 18:14:40 CEST 2021
+Maintainer:
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: acl_interface.pre
+Post: acl_interface.post
+Test: acl_interface.test
+AuxFiles:
+Passed:
+Failure:
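Review bot: The fixture answers in the `interface-tag-data` lines (`"A 1.1.1.1"`, `"A 2.2.2.2"`) and the forwarder/stub data they are checked against are globally routable addresses, while the IPv6 half of the same file already uses the documentation prefix `2001:db8::1`. Since the scenario verifies these answers by grepping dig output for the literal address, using the RFC 5737 documentation ranges (e.g. `"A 192.0.2.1"` and `"A 192.0.2.2"`) would make it obvious from the log that a hit is test data rather than a real resolver address, and keeps the IPv4 and IPv6 conventions in this file consistent. This is a style point only; the test runs inside an unshared network namespace, so nothing is sent to those addresses.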
diff --git a/testdata/acl_interface.tdir/acl_interface.post b/testdata/acl_interface.tdir/acl_interface.post
new file mode 100644
index 000000000000..982e2b8955a5
--- /dev/null
+++ b/testdata/acl_interface.tdir/acl_interface.post
@@ -0,0 +1,11 @@
+# #-- acl_interface.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $UNBOUND_PID
+kill_pid $FWD_PID
+kill_pid $STUB_PID
diff --git a/testdata/acl_interface.tdir/acl_interface.pre b/testdata/acl_interface.tdir/acl_interface.pre
new file mode 100644
index 000000000000..ce5358c1b2d9
--- /dev/null
+++ b/testdata/acl_interface.tdir/acl_interface.pre
@@ -0,0 +1,75 @@
+# #-- acl_interface.pre--#
+PRE="../.."
+. ../common.sh
+
+# This test uses the unshare utility
+if test ! -x "`which unshare 2>&1`"; then
+ skip_test "no unshare (from util-linux package) available, skip test"
+fi
+
+get_random_port 11
+
+PORT_ALLOW=$RND_PORT
+PORT_DENY=$(($RND_PORT + 1))
+PORT_REFUSE=$(($RND_PORT + 2))
+PORT_TAG_1=$(($RND_PORT + 3))
+PORT_TAG_2=$(($RND_PORT + 4))
+PORT_TAG_3=$(($RND_PORT + 5))
+PORT_VIEW_INT=$(($RND_PORT + 6))
+PORT_VIEW_EXT=$(($RND_PORT + 7))
+PORT_VIEW_INTEXT=$(($RND_PORT + 8))
+FORWARD_PORT=$(($RND_PORT + 9))
+STUB_PORT=$(($RND_PORT + 10))
+
+IPV4_ADDR=192.168.1.1
+IPV6_ADDR=2001:db8::1
+
+INTERFACE=eth24
+INTERFACE_ADDR_1=10.0.0.1
+INTERFACE_ADDR_2=10.0.0.2
+INTERFACE_ADDR_3=10.0.0.3
+INTERFACE_ADDR_4=10.0.0.4
+
+# make config file
+sed \
+ -e 's/@PORT_ALLOW\@/'$PORT_ALLOW'/' \
+ -e 's/@PORT_DENY\@/'$PORT_DENY'/' \
+ -e 's/@PORT_REFUSE\@/'$PORT_REFUSE'/' \
+ -e 's/@PORT_TAG_1\@/'$PORT_TAG_1'/' \
+ -e 's/@PORT_TAG_2\@/'$PORT_TAG_2'/' \
+ -e 's/@PORT_TAG_3\@/'$PORT_TAG_3'/' \
+ -e 's/@PORT_VIEW_INT\@/'$PORT_VIEW_INT'/' \
+ -e 's/@PORT_VIEW_EXT\@/'$PORT_VIEW_EXT'/' \
+ -e 's/@PORT_VIEW_INTEXT\@/'$PORT_VIEW_INTEXT'/' \
+ -e 's/@FORWARD_PORT\@/'$FORWARD_PORT'/' \
+ -e 's/@STUB_PORT\@/'$STUB_PORT'/' \
+ -e 's/@IPV4_ADDR\@/'$IPV4_ADDR'/' \
+ -e 's/@IPV6_ADDR\@/'$IPV6_ADDR'/' \
+ -e 's/@INTERFACE\@/'$INTERFACE'/' \
+ < acl_interface.conf > ub.conf
+
+if test -x "`which bash`"; then
+ shell="bash"
+else
+ shell="sh"
+fi
+
+echo "PORT_ALLOW=$PORT_ALLOW" >> .tpkg.var.test
+echo "PORT_DENY=$PORT_DENY" >> .tpkg.var.test
+echo "PORT_REFUSE=$PORT_REFUSE" >> .tpkg.var.test
+echo "PORT_TAG_1=$PORT_TAG_1" >> .tpkg.var.test
+echo "PORT_TAG_2=$PORT_TAG_2" >> .tpkg.var.test
+echo "PORT_TAG_3=$PORT_TAG_3" >> .tpkg.var.test
+echo "PORT_VIEW_INT=$PORT_VIEW_INT" >> .tpkg.var.test
+echo "PORT_VIEW_EXT=$PORT_VIEW_EXT" >> .tpkg.var.test
+echo "PORT_VIEW_INTEXT=$PORT_VIEW_INTEXT" >> .tpkg.var.test
+echo "FORWARD_PORT=$FORWARD_PORT" >> .tpkg.var.test
+echo "STUB_PORT=$STUB_PORT" >> .tpkg.var.test
+echo "IPV4_ADDR=$IPV4_ADDR" >> .tpkg.var.test
+echo "IPV6_ADDR=$IPV6_ADDR" >> .tpkg.var.test
+echo "INTERFACE=$INTERFACE" >> .tpkg.var.test
+echo "INTERFACE_ADDR_1=$INTERFACE_ADDR_1" >> .tpkg.var.test
+echo "INTERFACE_ADDR_2=$INTERFACE_ADDR_2" >> .tpkg.var.test
+echo "INTERFACE_ADDR_3=$INTERFACE_ADDR_3" >> .tpkg.var.test
+echo "INTERFACE_ADDR_4=$INTERFACE_ADDR_4" >> .tpkg.var.test
+echo "shell=$shell" >> .tpkg.var.test
diff --git a/testdata/acl_interface.tdir/acl_interface.test b/testdata/acl_interface.tdir/acl_interface.test
new file mode 100644
index 000000000000..421081887086
--- /dev/null
+++ b/testdata/acl_interface.tdir/acl_interface.test
@@ -0,0 +1,11 @@
+# #-- acl_interface.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+PRE="../.."
+. ../common.sh
+
+# Run the scenario in an unshared namespace
+unshare -rUn $shell acl_interface.test.scenario
+exit $?
diff --git a/testdata/acl_interface.tdir/acl_interface.test.scenario b/testdata/acl_interface.tdir/acl_interface.test.scenario
new file mode 100644
index 000000000000..00b2b059f942
--- /dev/null
+++ b/testdata/acl_interface.tdir/acl_interface.test.scenario
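Review bot: The skip check at the top of acl_interface.pre only covers `unshare`, but the scenario it prepares for also needs `ip` from iproute2 to configure lo and the dummy interface, so on a host without it the test fails instead of being skipped. Mirror the existing check: `if test ! -x "`which ip 2>&1`"; then skip_test "no ip (from iproute2 package) available, skip test"; fi`. Presence of the `unshare` binary also does not tell whether unprivileged user namespaces are enabled on the kernel, which `unshare -rUn` in acl_interface.test relies on; a probe such as `unshare -rUn true >/dev/null 2>&1 || skip_test "unshare -rUn not permitted, skip test"` would turn that failure into a skip as well, though whether the framework treats a non-zero exit here as a failure rather than a skip is not visible in this diff.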
@@ -0,0 +1,205 @@
+# #-- acl_interface.test.scenario --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+PRE="../.."
+. ../common.sh
+
+ip addr add $IPV4_ADDR dev lo
+ip addr add $IPV6_ADDR dev lo
+ip link set lo up
+
+ip link add $INTERFACE type dummy
+ip addr add $INTERFACE_ADDR_1 dev $INTERFACE
+ip addr add $INTERFACE_ADDR_2 dev $INTERFACE
+ip addr add $INTERFACE_ADDR_3 dev $INTERFACE
+ip addr add $INTERFACE_ADDR_4 dev $INTERFACE
+ip link set $INTERFACE up
+
+# start the forwarder in the background
+get_ldns_testns
+$LDNS_TESTNS -p $FORWARD_PORT acl_interface.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# start the stub in the background
+$LDNS_TESTNS -p $STUB_PORT acl_interface.testns2 >fwd2.log 2>&1 &
+STUB_PID=$!
+echo "STUB_PID=$STUB_PID" >> .tpkg.var.test
+
+# start unbound in the background
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_ldns_testns_up fwd2.log
+wait_unbound_up unbound.log
+
+end () {
+ echo "> cat logfiles"
+ cat fwd.log
+ cat fwd2.log
+ cat unbound.log
+ exit $1
+}
+
+# Query for the given domain to the given port
+# $1: address family [4, 6]
+# $2: port
+# $3: dname
+query () {
+ addr=$IPV4_ADDR
+ if test "$1" -eq 6; then
+ addr=$IPV6_ADDR
+ fi
+ echo "> dig -p $2 $3"
+ dig @"$addr" -p $2 $3 | tee outfile
+}
+
+# Query for the given domain to the given port
+# $1: address
+# $2: port
+# $3: dname
+query_addr () {
+ echo "> dig @$1 -p $2 $3"
+ dig @"$1" -p $2 $3 | tee outfile
+}
+
+expect_refused () {
+ echo "> check answer for REFUSED"
+ if grep "REFUSED" outfile; then
+ echo "OK"
+ else
+ echo "Not OK"
+ end 1
+ fi
+}
+
+expect_external_answer () {
+ echo "> check external answer"
+ if grep "1.2.3.4" outfile; then
+ echo "OK"
+ else
+ echo "Not OK"
+ end 1
+ fi
+}
+
+expect_internal_answer () {
+ echo "> check internal answer"
+ if grep "10.20.30.40" outfile; then
+ echo "OK"
+ else
+ echo "Not OK"
+ end 1
+ fi
+}
+
+expect_tag_one_answer () {
+ echo "> check tag 'one' answer"
+ if grep "1.1.1.1" outfile; then
+ echo "OK"
+ else
+ echo "Not OK"
+ end 1
+ fi
+}
+
+expect_tag_two_answer () {
+ echo "> check tag 'two' answer"
+ if grep "2.2.2.2" outfile; then
+ echo "OK"
+ else
+ echo "Not OK"
+ end 1
+ fi
+}
+
+# do the test
+
+for i in 4 6; do
+ query $i $PORT_REFUSE "www.external"
+ expect_refused
+
+ query $i $PORT_REFUSE "www.internal"
+ expect_refused
+
+ query $i $PORT_ALLOW "www.external"
+ expect_external_answer
+
+ query $i $PORT_ALLOW "www.internal"
+ expect_internal_answer
+
+ query $i $PORT_TAG_1 "local"
+ expect_tag_one_answer
+
+ query $i $PORT_TAG_2 "local"
+ expect_tag_two_answer
+
+ query $i $PORT_TAG_3 "local"
+ expect_refused
+
+ query $i $PORT_VIEW_INT "www.internal"
+ expect_internal_answer
+
+ query $i $PORT_VIEW_INT "www.external"
+ expect_refused
+
+ query $i $PORT_VIEW_EXT "www.internal"
+ expect_refused
+
+ query $i $PORT_VIEW_EXT "www.external"
+ expect_external_answer
+
+ query $i $PORT_VIEW_INTEXT "www.internal"
+ expect_internal_answer
+
+ query $i $PORT_VIEW_INTEXT "www.external"
+ expect_external_answer
+done
+
+for addr in $INTERFACE_ADDR_1 $INTERFACE_ADDR_2 $INTERFACE_ADDR_3 $INTERFACE_ADDR_4; do
+ query_addr $addr $PORT_REFUSE "www.external"
+ expect_refused
+
+ query_addr $addr $PORT_REFUSE "www.internal"
+ expect_refused
+
+ query_addr $addr $PORT_ALLOW "www.external"
+ expect_external_answer
+
+ query_addr $addr $PORT_ALLOW "www.internal"
+ expect_internal_answer
+
+ query_addr $addr $PORT_TAG_1 "local"
+ expect_tag_one_answer
+
+ query_addr $addr $PORT_TAG_2 "local"
+ expect_tag_two_answer
+
+ query_addr $addr $PORT_TAG_3 "local"
+ expect_refused
+
+ query_addr $addr $PORT_VIEW_INT "www.internal"
+ expect_internal_answer
+
+ query_addr $addr $PORT_VIEW_INT "www.external"
+ expect_refused
+
+ query_addr $addr $PORT_VIEW_EXT "www.internal"
+ expect_refused
+
+ query_addr $addr $PORT_VIEW_EXT "www.external"
+ expect_external_answer
+
+ query_addr $addr $PORT_VIEW_INTEXT "www.internal"
+ expect_internal_answer
+
+ query_addr $addr $PORT_VIEW_INTEXT "www.external"
+ expect_external_answer
+done
+
+end 0
diff --git a/testdata/acl_interface.tdir/acl_interface.testns b/testdata/acl_interface.tdir/acl_interface.testns
new file mode 100644
index 000000000000..d8c871b1c602
--- /dev/null
+++ b/testdata/acl_interface.tdir/acl_interface.testns
@@ -0,0 +1,26 @@
+; nameserver test file
+$ORIGIN external.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www IN A
+SECTION ANSWER
+www IN A 1.2.3.4
+ENTRY_END
+
+$ORIGIN local.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+@ IN A
+SECTION ANSWER
+@ IN A 127.0.0.1
+ENTRY_END
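Review bot: The `deny` interface action that acl_interface.conf configures on `@PORT_DENY@` is never exercised in either query loop: they cover PORT_REFUSE, PORT_ALLOW, the three tag ports and the three view ports, but no query is sent to $PORT_DENY, so a regression that turned deny into allow on an interface would still pass this test. Because deny drops the query without a reply, the check has to look for the absence of an answer rather than an rcode; something like `query $i $PORT_DENY "www.external"` followed by an `expect_no_answer` helper that greps outfile for dig's "no servers could be reached" line, with `+time=1 +tries=1` passed to dig in `query`/`query_addr` so the timeout does not slow the loop. A smaller point on the `expect_*` helpers: the grep patterns are unescaped regexes, so `grep "1.1.1.1" outfile` would also accept a line containing `1.1.1.10`; `grep -Fw "1.1.1.1" outfile` pins the literal token while still printing the matched line for the log.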
diff --git a/testdata/acl_interface.tdir/acl_interface.testns2 b/testdata/acl_interface.tdir/acl_interface.testns2
new file mode 100644
index 000000000000..e9edfc8ba56f
--- /dev/null
+++ b/testdata/acl_interface.tdir/acl_interface.testns2
@@ -0,0 +1,13 @@
+; nameserver test file
+$ORIGIN internal.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www IN A
+SECTION ANSWER
+www IN A 10.20.30.40
+ENTRY_END
|
