added tests for firewall chain-filtering

superstes · superstes · commit 71aba7d66f9b · 2025-09-06T22:31:16.000+02:00
diff --git a/src/firewall_test/simulator/04_firewall_tables_test.py b/src/firewall_test/simulator/04_firewall_tables_test.py
@@ -218,3 +218,168 @@ def test_firewall_inherit_table_priority_chain(prio_table, prio_chain, result):
 
     fw._run_tables._inherit_table_priority_to_chain(table=table, chain=chain)
     assert chain.priority == result
+
+
+def test_firewall_chain_filter_pre_routing():
+    from simulator.firewall import Firewall
+    from plugins.system.system_linux_netfilter import SystemLinuxNetfilter
+    from plugins.translate.netfilter.ruleset import NetfilterRuleset, NetfilterChainOutput as Chain
+
+    ruleset = NetfilterRuleset(TESTDATA_RULESET).get()
+    fw = Firewall(
+        system=SystemLinuxNetfilter,
+        ruleset=ruleset,
+    )
+
+    dnat = SystemLinuxNetfilter.FIREWALL_NAT[FlowForward]['dnat']
+
+    chains = [
+        Chain(name='ingress', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook='ingress'),
+        Chain(name='prerouting-early', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook='prerouting', priority=dnat['priority'] - 1),
+        Chain(name='prerouting-dnat', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook='prerouting', priority=dnat['priority']),
+        Chain(name='output-early', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook='output', priority=dnat['priority'] - 1),
+        Chain(name='output-dnat', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook='output', priority=dnat['priority']),
+        Chain(name='prerouting', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook='prerouting', priority=0),
+        Chain(name='input', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook='input'),
+        Chain(name='forward', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook='forward'),
+        Chain(name='postrouting', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook='postrouting'),
+    ]
+
+    filtered_chains = [c for c in chains if fw._run_tables._chain_filter_pre_routing(chain=c, flow=FlowForward)]
+    assert len(filtered_chains) == 3
+    assert filtered_chains[0].name == 'ingress'
+    assert filtered_chains[1].name == 'prerouting-early'
+    assert filtered_chains[2].name == 'prerouting-dnat'
+
+    filtered_chains = [c for c in chains if fw._run_tables._chain_filter_pre_routing(chain=c, flow=FlowInput)]
+    assert len(filtered_chains) == 3
+    assert filtered_chains[0].name == 'ingress'
+    assert filtered_chains[1].name == 'prerouting-early'
+    assert filtered_chains[2].name == 'prerouting-dnat'
+
+    filtered_chains = [c for c in chains if fw._run_tables._chain_filter_pre_routing(chain=c, flow=FlowOutput)]
+    assert len(filtered_chains) == 2
+    assert filtered_chains[0].name == 'output-early'
+    assert filtered_chains[1].name == 'output-dnat'
+
+
+def test_firewall_chain_filter_dnat():
+    from simulator.firewall import Firewall
+    from plugins.system.system_linux_netfilter import SystemLinuxNetfilter
+    from plugins.translate.netfilter.ruleset import NetfilterRuleset, NetfilterChainOutput as Chain
+
+    ruleset = NetfilterRuleset(TESTDATA_RULESET).get()
+    fw = Firewall(
+        system=SystemLinuxNetfilter,
+        ruleset=ruleset,
+    )
+
+    fwd_dnat = SystemLinuxNetfilter.FIREWALL_NAT[FlowForward]['dnat']
+    out_dnat = SystemLinuxNetfilter.FIREWALL_NAT[FlowOutput]['dnat']
+
+    chains = [
+        Chain(name='ingress', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook='ingress'),
+        Chain(name='prerouting-early', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook=fwd_dnat['hook'], priority=fwd_dnat['priority'] - 1),
+        Chain(name='prerouting-filter', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook=fwd_dnat['hook'], priority=fwd_dnat['priority']),
+        Chain(name='prerouting-dnat', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook=fwd_dnat['hook'], priority=fwd_dnat['priority'], type=Chain.TYPE_NAT),
+        Chain(name='prerouting', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook=fwd_dnat['hook']),
+        Chain(name='output', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook=out_dnat['hook']),
+        Chain(name='output-dnat', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook=out_dnat['hook'], priority=out_dnat['priority'], type=Chain.TYPE_NAT),
+        Chain(name='input', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook='input'),
+        Chain(name='forward', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook='forward'),
+        Chain(name='postrouting', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook='postrouting'),
+    ]
+
+    filtered_chains = [c for c in chains if fw._run_tables._chain_filter_dnat(chain=c, flow=FlowForward)]
+    assert len(filtered_chains) == 1
+    assert filtered_chains[0].name == 'prerouting-dnat'
+
+    filtered_chains = [c for c in chains if fw._run_tables._chain_filter_dnat(chain=c, flow=FlowOutput)]
+    assert len(filtered_chains) == 1
+    assert filtered_chains[0].name == 'output-dnat'
+
+
+def test_firewall_chain_filter_main():
+    from simulator.firewall import Firewall
+    from plugins.system.system_linux_netfilter import SystemLinuxNetfilter
+    from plugins.translate.netfilter.ruleset import NetfilterRuleset, NetfilterChainOutput as Chain
+
+    ruleset = NetfilterRuleset(TESTDATA_RULESET).get()
+    fw = Firewall(
+        system=SystemLinuxNetfilter,
+        ruleset=ruleset,
+    )
+
+    dnat = SystemLinuxNetfilter.FIREWALL_NAT[FlowForward]['dnat']
+    snat = SystemLinuxNetfilter.FIREWALL_NAT[FlowForward]['snat']
+
+    chains = [
+        Chain(name='ingress', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook='ingress'),
+        Chain(name='prerouting-dnat', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook=dnat['hook'], priority=dnat['priority'], type=Chain.TYPE_NAT),
+        Chain(name='prerouting-late', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook=dnat['hook'], priority=dnat['priority'] + 1),
+        Chain(name='prerouting', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook=dnat['hook']),
+        Chain(name='input', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook='input'),
+        Chain(name='output', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook='output'),
+        Chain(name='forward', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook='forward'),
+        Chain(name='postrouting', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook=snat['hook']),
+        Chain(name='postrouting-filter', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook=snat['hook'], priority=snat['priority']),
+        Chain(name='postrouting-snat', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook=snat['hook'], priority=snat['priority'], type=Chain.TYPE_NAT),
+        Chain(name='postrouting-late', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook=snat['hook'], priority=snat['priority'] + 1),
+    ]
+
+    filtered_chains = [c for c in chains if fw._run_tables._chain_filter_main(chain=c, flow=FlowForward)]
+    assert len(filtered_chains) == 5
+    assert filtered_chains[0].name == 'prerouting-late'
+    assert filtered_chains[1].name == 'prerouting'
+    assert filtered_chains[2].name == 'forward'
+    assert filtered_chains[3].name == 'postrouting'
+    assert filtered_chains[4].name == 'postrouting-filter'
+
+    filtered_chains = [c for c in chains if fw._run_tables._chain_filter_main(chain=c, flow=FlowInput)]
+    assert len(filtered_chains) == 3
+    assert filtered_chains[0].name == 'prerouting-late'
+    assert filtered_chains[1].name == 'prerouting'
+    assert filtered_chains[2].name == 'input'
+
+    filtered_chains = [c for c in chains if fw._run_tables._chain_filter_main(chain=c, flow=FlowOutput)]
+    assert len(filtered_chains) == 3
+    assert filtered_chains[0].name == 'output'
+    assert filtered_chains[1].name == 'postrouting'
+    assert filtered_chains[2].name == 'postrouting-filter'
+
+
+def test_firewall_chain_filter_snat():
+    from simulator.firewall import Firewall
+    from plugins.system.system_linux_netfilter import SystemLinuxNetfilter
+    from plugins.translate.netfilter.ruleset import NetfilterRuleset, NetfilterChainOutput as Chain
+
+    ruleset = NetfilterRuleset(TESTDATA_RULESET).get()
+    fw = Firewall(
+        system=SystemLinuxNetfilter,
+        ruleset=ruleset,
+    )
+
+    snat = SystemLinuxNetfilter.FIREWALL_NAT[FlowForward]['snat']
+
+    chains = [
+        Chain(name='ingress', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook='ingress'),
+        Chain(name='prerouting-dnat', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook='prerouting', priority=-100, type=Chain.TYPE_NAT),
+        Chain(name='prerouting', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook='prerouting', priority=0),
+        Chain(name='input', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook='input'),
+        Chain(name='forward', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook='forward'),
+        Chain(name='postrouting', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook=snat['hook']),
+        Chain(name='postrouting-filter', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook=snat['hook'], priority=snat['priority']),
+        Chain(name='postrouting-snat', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook=snat['hook'], priority=snat['priority'], type=Chain.TYPE_NAT),
+        Chain(name='postrouting-late', rules=[], family=ProtoL3IP4, policy=Chain.POLICY_ACCEPT, hook=snat['hook'], priority=snat['priority'] + 1),
+    ]
+
+    filtered_chains = [c for c in chains if fw._run_tables._chain_filter_snat(chain=c, flow=FlowForward)]
+    assert len(filtered_chains) == 1
+    assert filtered_chains[0].name == 'postrouting-snat'
+
+    filtered_chains = [c for c in chains if fw._run_tables._chain_filter_snat(chain=c, flow=FlowInput)]
+    assert len(filtered_chains) == 0
+
+    filtered_chains = [c for c in chains if fw._run_tables._chain_filter_snat(chain=c, flow=FlowOutput)]
+    assert len(filtered_chains) == 1
+    assert filtered_chains[0].name == 'postrouting-snat'
diff --git a/src/firewall_test/simulator/06_firewall_test.py b/src/firewall_test/simulator/06_firewall_test.py
@@ -97,3 +97,4 @@ def test_firewall_basic(src, dst, ni_in, ni_out, result_pre, result_dnat, result
 #   lazy action
 #   lazy action mixed with 'quick' action
 #   chain default-policy
+
diff --git a/src/firewall_test/simulator/07_firewall_e2e_test.py b/src/firewall_test/simulator/07_firewall_e2e_test.py
@@ -0,0 +1,86 @@
+import pytest
+
+from testdata_test import TESTDATA_FILE_NF_RULESET, TEST_DST_IP6_DROP, TEST_DST_IP4_ACCEPT, TEST_DST_IP6_ACCEPT, \
+    TEST_DST_IP4_REJECT, TEST_DST_IP6_REJECT, TEST_DST_IP4_DROP
+from config import RuleActionAccept, RuleActionDrop, RuleActionReject, RuleActionSNAT
+
+with open(TESTDATA_FILE_NF_RULESET, 'r', encoding='utf-8') as f:
+    TESTDATA_RULESET = f.read()
+
+
+@pytest.mark.parametrize(
+    'src,dst,ni_in,ni_out,result_pre,result_dnat,result_main,result_snat,result_eg',
+    [
+        # default policy drop of forward chain
+        ('192.168.0.10', '1.1.1.1', 'wan', 'wan', RuleActionAccept, None, RuleActionDrop, None, RuleActionAccept),
+        # explicit drop in forward chain
+        ('192.168.0.10', TEST_DST_IP4_DROP, 'wan', 'wan', RuleActionAccept, None, RuleActionDrop, None, RuleActionAccept),
+        # explicit reject in forward chain
+        ('192.168.0.10', TEST_DST_IP4_REJECT, 'wan', 'wan', RuleActionAccept, None, RuleActionReject, None, RuleActionAccept),
+        # explicit accept in forward chain
+        ('192.168.0.10', TEST_DST_IP4_ACCEPT, 'wan', 'wan', RuleActionAccept, None, RuleActionAccept, None, RuleActionAccept),
+        # DOCKER-FORWARD accept
+        ('172.17.11.5', '1.1.1.1', 'docker0', 'wan', RuleActionAccept, None, RuleActionAccept, RuleActionSNAT, RuleActionAccept),
+        # explicit drop in forward chain
+        ('172.17.11.5', TEST_DST_IP4_DROP, 'docker0', 'wan', RuleActionAccept, None, RuleActionDrop, RuleActionSNAT, RuleActionAccept),
+        # explicit accept in forward chain
+        ('2003:1::1', TEST_DST_IP6_ACCEPT, 'wan', 'wan', RuleActionAccept, None, RuleActionAccept, None, RuleActionAccept),
+        # explicit drop in forward chain
+        ('2003:1::1', TEST_DST_IP6_DROP, 'wan', 'wan', RuleActionAccept, None, RuleActionDrop, None, RuleActionAccept),
+        # explicit reject in forward chain
+        ('2003:1::1', TEST_DST_IP6_REJECT, 'wan', 'wan', RuleActionAccept, None, RuleActionReject, None, RuleActionAccept),
+    ]
+)
+def test_firewall_basic(src, dst, ni_in, ni_out, result_pre, result_dnat, result_main, result_snat, result_eg):
+    from config import FlowForward
+    from plugins.system.system_linux_netfilter import SystemLinuxNetfilter
+    from plugins.translate.netfilter.ruleset import NetfilterRuleset
+    from simulator.packet import PacketIP
+    from simulator.firewall import Firewall
+
+    ruleset = NetfilterRuleset(TESTDATA_RULESET).get()
+    fw = Firewall(
+        system=SystemLinuxNetfilter,
+        ruleset=ruleset,
+    )
+    packet = PacketIP(src=src, dst=dst)
+    # NOTE: network-interface discovery is done by main simulator.. will impact rule-matching
+    packet.ni_in = ni_in
+    packet.ni_out = ni_out
+
+    passed, rule = fw.process_pre_routing(packet=packet, flow=FlowForward)
+    assert passed == (result_pre == RuleActionAccept)
+    if rule is not None:
+        assert rule.action == result_pre
+
+    has_nat, rule = fw.process_dnat(packet=packet, flow=FlowForward)
+    if result_dnat is None:
+        assert not has_nat
+        assert rule is None
+
+    else:
+        assert has_nat
+        assert rule.action == result_dnat
+
+    passed, rule = fw.process_main(packet=packet, flow=FlowForward)
+    if passed != (result_main == RuleActionAccept):
+        raise ValueError(rule)
+
+    assert passed == (result_main == RuleActionAccept)
+    if rule is not None:
+        assert rule.action == result_main
+
+    has_nat, rule = fw.process_snat(packet=packet, flow=FlowForward)
+    if result_snat is None:
+        assert not has_nat
+        assert rule is None
+
+    else:
+        assert has_nat
+        if rule is not None:
+            assert rule.action == result_snat
+
+    passed, rule = fw.process_egress(packet=packet, flow=FlowForward)
+    assert passed == (result_eg == RuleActionAccept)
+    if rule is not None:
+        assert rule.action == result_eg
diff --git a/src/firewall_test/simulator/firewall.py b/src/firewall_test/simulator/firewall.py
