
Bug #9704

Feature #7563: Update the automated test suite for Jessie ISO images

iptables_parse is buggy for IPv6

Added by intrigeri about 3 years ago. Updated about 2 years ago.

Status: Resolved
Priority: High
Assignee: -
Category: Test suite
Target version: -
Start date: 07/08/2015
Due date: 01/15/2016
% Done: 100%
QA Check: Pass
Feature Branch:
Type of work: Code
Blueprint:
Starter:
Affected tool:

Description

ip6tables doesn't write anything in the opt column in our configuration, while iptables prints --, which iptables_parse relies on, so all fields starting with opt are shifted in the parsed rule data structure:

    And the firewall is configured to block all outgoing IPv6 traffic                                                            # features/step_definitions/tor.rb:146
      {"rule"=>"0     0 ACCEPT     tcp      lo     *       ::1                  ::1                  tcp dpt:4101", "pkts"=>0, "target"=>"ACCEPT", "protocol"=>"tcp", "opt"=>"lo", "in_iface"=>"*", "out_iface"=>"::1", "source"=>"::1", "destination"=>"tcp", "extra"=>"dpt:4101"}
      {"rule"=>"0     0 ACCEPT     tcp      lo     *       ::1                  ::1                  tcp spt:4101 state RELATED,ESTABLISHED", "pkts"=>0, "target"=>"ACCEPT", "protocol"=>"tcp", "opt"=>"lo", "in_iface"=>"*", "out_iface"=>"::1", "source"=>"::1", "destination"=>"tcp", "extra"=>"spt:4101 state RELATED,ESTABLISHED"}
      The IPv6 table's INPUT chain contains some unexptected rules:
      0     0 ACCEPT     tcp      lo     *       ::1                  ::1                  tcp dpt:4101
      0     0 ACCEPT     tcp      lo     *       ::1                  ::1                  tcp spt:4101 state RELATED,ESTABLISHED.

This prevents us from adapting tor_enforcement.feature for Jessie: we would need to whitelist IPv6 traffic to lo there, because we had to allow some of it to make Orca work.

Associated revisions

Revision 7345d9dc (diff)
Added by anonym over 2 years ago

Introduce a new XML-based iptables parser.

The old `iptables_parse()` way relies on regex-parsing the `iptables`
output, which of course is not very reliable. In Jessie
the `ip6tables` output has changed and differs (if there are no
options the "opt" column will be empty, and not have a "--"). The new
parser fixes this.

The goal will be to convert all `iptables_parse()` instances to the
new parser.

Will-fix: #9704
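The column shift from the description and the point of the commit message (positional parsing of `-L -n -v` output is fragile, a machine-readable form is not) can be shown side by side. The following Ruby is an added example and not code from the Tails test suite: it runs the naive whitespace-split parser over constructed `iptables -L -n -v` and `ip6tables -L -n -v` rows, then parses the same rules from the argv-style `iptables-save` / `ip6tables-save` format, where every value is introduced by its flag and a missing option cannot shift the others. The project's actual fix went through `iptables-xml` (which itself reads iptables-save input); the save format is used here as the machine-readable input because it is stable and identical for IPv4 and IPv6. All sample lines, the `naive_parse`/`save_parse`/`unexpected_rules` names and the loopback-only check are this example's own assumptions.

```ruby
# Added example, not Tails' own code. Sample lines are constructed, not captured.

# Constructed rows in the shape of `iptables -L -n -v` / `ip6tables -L -n -v`
# output; the ip6tables row has an empty "opt" column, as in the bug report.
IPTABLES_LNV  = "    0     0 ACCEPT     tcp  --  lo     *       127.0.0.1            127.0.0.1            tcp dpt:4101"
IP6TABLES_LNV = "    0     0 ACCEPT     tcp      lo     *       ::1                  ::1                  tcp dpt:4101"

# Column order of a rule row in `iptables -L -n -v` output.
LNV_FIELDS = %w[pkts bytes target protocol opt in_iface out_iface source destination].freeze

# The fragile approach: split on whitespace and assign tokens positionally.
# When ip6tables leaves "opt" empty, every field from "opt" onward is shifted
# by one, and nothing signals the error.
def naive_parse(line)
  tokens = line.strip.split(/\s+/)
  rule = {}
  LNV_FIELDS.each_with_index { |field, i| rule[field] = tokens[i] }
  rule["extra"] = Array(tokens[LNV_FIELDS.size..-1]).join(" ")
  rule
end

# Constructed iptables-save lines for the same rules, plus one non-loopback rule.
IPTABLES_SAVE  = "-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -p tcp -m tcp --dport 4101 -j ACCEPT"
IP6TABLES_SAVE = "-A INPUT -s ::1/128 -d ::1/128 -i lo -p tcp -m tcp --dport 4101 -j ACCEPT"
IP6_NON_LO     = "-A OUTPUT ! -o lo -p tcp -m tcp --dport 443 -j ACCEPT"

# Single-letter options that map to a named field; a "!" before an option
# negates it, which is kept visible in the stored value.
SAVE_OPTIONS = {
  "-A" => "chain", "-s" => "source", "-d" => "destination",
  "-i" => "in_iface", "-o" => "out_iface", "-p" => "protocol", "-j" => "target"
}.freeze

# Robust approach: tokens are self-describing flags, so a missing option just
# leaves its key unset instead of shifting everything after it.
# Match-extension options (--dport, --state, --syn, ...) are collected in "extra".
def save_parse(line)
  tokens = line.strip.split(/\s+/)
  rule = { "rule" => line.strip, "extra" => [] }
  negate = false
  i = 0
  while i < tokens.size
    tok = tokens[i]
    if tok == "!"
      negate = true
      i += 1
    elsif SAVE_OPTIONS.key?(tok)
      value = tokens[i + 1]
      rule[SAVE_OPTIONS[tok]] = negate ? "! #{value}" : value
      negate = false
      i += 2
    elsif tok == "-m"
      i += 2 # match-extension name; its own --options follow and go to "extra"
    elsif tok.start_with?("--")
      # a long option consumes its arguments up to the next flag or "!"
      j = i + 1
      j += 1 while j < tokens.size && !tokens[j].start_with?("-") && tokens[j] != "!"
      rule["extra"] << (negate ? "! " : "") + tokens[i...j].join(" ")
      negate = false
      i = j
    else
      raise ArgumentError, "unexpected token #{tok.inspect} in: #{line}"
    end
  end
  rule["extra"] = rule["extra"].join(" ")
  rule
end

# The kind of check the feature step makes (assumed policy): every rule in the
# chain must be an ACCEPT confined to loopback; anything else is reported.
def unexpected_rules(save_lines)
  save_lines.map { |l| save_parse(l) }.reject do |r|
    r["target"] == "ACCEPT" && (r["in_iface"] == "lo" || r["out_iface"] == "lo")
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "naive/iptables:  #{naive_parse(IPTABLES_LNV).inspect}"
  puts "naive/ip6tables: #{naive_parse(IP6TABLES_LNV).inspect}" # fields shifted
  puts "save/ip6tables:  #{save_parse(IP6TABLES_SAVE).inspect}"
  puts "unexpected:      #{unexpected_rules([IP6TABLES_SAVE, IP6_NON_LO]).map { |r| r['rule'] }.inspect}"
end
```

Run it as a script to see the shifted hash for the IPv6 row (`"opt"=>"lo"`, `"destination"=>"tcp"`) next to the correctly keyed result from the save format. The `raise ArgumentError` on an unknown token is the property the positional parser lacks: a rule it does not understand fails loudly instead of being silently misread.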

History

#1 Updated by intrigeri about 3 years ago

  • Parent task set to #7563

#2 Updated by intrigeri about 3 years ago

  • Due date set to 01/15/2016

#5 Updated by intrigeri over 2 years ago

  • Assignee changed from anonym to intrigeri

I'm going to give it a try since it's the only blocker to see features/tor_enforcement.feature pass.

#6 Updated by intrigeri over 2 years ago

  • Status changed from Confirmed to In Progress
  • Assignee changed from intrigeri to anonym
  • % Done changed from 0 to 10
  • QA Check set to Info Needed

Our current parser uses the output of ip6tables -L -n -v, which is not machine readable enough for our needs. I could not find an iptables rules parser in Ruby that clearly states that it's compatible with IPv6 (ip6tables). I'm not thrilled at the idea of seeing us write another custom iptables rules parser, given the outcome of this first attempt. I think our best option may be to use an existing parser written in another language, e.g. those are available in Jessie:

... and write whatever wrapper script we need around the library we pick, to output whatever info we need to JSON or YAML that our test suite's support code could read.

anonym, what do you think?

#8 Updated by anonym over 2 years ago

  • Assignee changed from anonym to intrigeri
  • % Done changed from 10 to 40
  • QA Check changed from Info Needed to Ready for QA

Wow, I completely missed your comment here. Anyway, I converted the existing parser to something I believe is a lot more robust (based on XML via iptables-xml). I hope you find it ok:

e9fefde Kill the now unused `iptables_parse()`.
e877253 Convert `iptables_parse()` instance.
c2d0b3e Convert `iptables_parse()` instance.
da339d8 Convert `iptables_parse()` instance.
7e889a3 Convert `iptables_parse()` instance.
7345d9d Introduce a new XML-based iptables parser.

#9 Updated by intrigeri over 2 years ago

Anyway, I converted the existing parser to something I believe is a lot more robust (based on XML via iptables-xml).

Sounds exciting! I'll try to review it shortly :)

#10 Updated by intrigeri over 2 years ago

At least it passes tor_enforcement.feature here, which is a good start :)

#11 Updated by intrigeri over 2 years ago

  • Status changed from In Progress to Resolved
  • Assignee deleted (intrigeri)
  • Target version changed from Tails_1.8 to SponsorS_M4
  • % Done changed from 40 to 100
  • QA Check changed from Ready for QA to Pass

Looks good to me, great work! I didn't explicitly try to break it with corner cases, but the code indeed looks sane and more robust than a home-brewed regexp parser :)

#12 Updated by intrigeri about 2 years ago

  • Target version deleted (SponsorS_M4)
