TEST-19-CGROUP: add test cases for IPAddressAllow=/IPAddressDeny=

(cherry picked from commit 5f3cfb9d5ee334c53cc407308ba677401a6ba1cd) (cherry picked from commit 04bf8544baa3ef4c675e610f35dd44f2ea60382e)
2025-01-07 17:17:44 +03:00 · 2024-10-16 14:31:16 +09:00 · 2024-10-16 14:31:16 +09:00 · 41ebd13365
commit 41ebd13365
parent 71fca73f70
2 changed files with 86 additions and 2 deletions
--- a/test/units/TEST-19-CGROUP.IPAddressAllow-Deny.sh
+++ b/test/units/TEST-19-CGROUP.IPAddressAllow-Deny.sh
@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -ex
+set -o pipefail
+
+# shellcheck source=test/units/util.sh
+. "$(dirname "$0")"/util.sh
+
+if [[ "$(get_cgroup_hierarchy)" != unified ]]; then
+    echo "Skipping $0 as we're not running with the unified cgroup hierarchy."
+    exit 0
+fi
+
+if systemd-detect-virt --container --quiet; then
+    echo "Skipping $0 as we're running on container."
+    exit 0
+fi
+
+ip netns add test-ns
+ip link add test-veth-1 type veth peer test-veth-2
+ip link set test-veth-2 netns test-ns
+ip link set test-veth-1 up
+ip address add 192.0.2.1/24 dev test-veth-1
+ip address add 2001:db8::1/64 dev test-veth-1 nodad
+ip netns exec test-ns ip link set test-veth-2 up
+ip netns exec test-ns ip address add 192.0.2.2/24 dev test-veth-2
+ip netns exec test-ns ip address add 2001:db8::2/64 dev test-veth-2 nodad
+
+ping_ok_one() {
+    local interface="${1?}"
+    local target="${2?}"
+    shift 2
+
+    assert_ok systemd-run --wait --pipe "$@" ping -c 1 -W 1 -I "$interface" "$target"
+}
+
+ping_fail_one() {
+    local interface="${1?}"
+    local target="${2?}"
+    shift 2
+
+    assert_fail systemd-run --wait --pipe "$@" ping -c 1 -W 1 -I "$interface" "$target"
+}
+
+ping_ok() {
+    ping_ok_one lo 127.0.0.1 "$@"
+    ping_ok_one lo ::1 "$@"
+    ping_ok_one test-veth-1 192.0.2.2 "$@"
+    ping_ok_one test-veth-1 2001:db8::2 "$@"
+}
+
+ping_fail() {
+    ping_fail_one lo 127.0.0.1 "$@"
+    ping_fail_one lo ::1 "$@"
+    ping_fail_one test-veth-1 192.0.2.2 "$@"
+    ping_fail_one test-veth-1 2001:db8::2 "$@"
+}
+
+ping_ok
+ping_ok -p IPAddressDeny=any -p IPAddressDeny=
+ping_ok -p IPAddressDeny=any -p IPAddressDeny= -p IPAddressDeny=link-local
+ping_ok -p IPAddressDeny=any -p IPAddressAllow=localhost -p IPAddressAllow=192.0.2.0/24 -p IPAddressAllow=2001:db8::/64
+ping_ok -p IPAddressDeny=any -p IPAddressAllow=localhost -p IPAddressAllow=192.0.2.0/24 -p IPAddressAllow=2001:db8::/64 \
+        -p IPAddressAllow= -p IPAddressAllow=localhost -p IPAddressAllow=192.0.2.0/24 -p IPAddressAllow=2001:db8::/64
+
+ping_fail -p IPAddressDeny=any
+ping_fail -p IPAddressDeny=any -p IPAddressDeny= -p IPAddressDeny=localhost -p IPAddressDeny=192.0.2.0/24 -p IPAddressDeny=2001:db8::/64
+ping_fail -p IPAddressDeny=any -p IPAddressAllow=localhost -p IPAddressAllow=192.0.2.0/24 -p IPAddressAllow=2001:db8::/64 -p IPAddressAllow=
+ping_fail -p IPAddressDeny=any -p IPAddressAllow=localhost -p IPAddressAllow=192.0.2.0/24 -p IPAddressAllow=2001:db8::/64 -p IPAddressAllow= -p IPAddressAllow=link-local
+
+ip link del test-veth-1
+ip netns exec test-ns ip link del test-veth-2 || :
+ip netns del test-ns
--- a/test/units/util.sh
+++ b/test/units/util.sh
@ -6,19 +6,30 @@
 # shellcheck disable=SC2034
 [[ -e /var/tmp/.systemd_reboot_count ]] && REBOOT_COUNT="$(</var/tmp/.systemd_reboot_count)" || REBOOT_COUNT=0

-assert_true() {(
+assert_ok() {(
    set +ex

    local rc

    "$@"
    rc=$?
-    if [[ $rc -ne 0 ]]; then
+    if [[ "$rc" -ne 0 ]]; then
        echo "FAIL: command '$*' failed with exit code $rc" >&2
        exit 1
    fi
 )}

+assert_fail() {(
+    set +ex
+
+    local rc
+
+    if "$@"; then
+        echo "FAIL: command '$*' unexpectedly succeeded" >&2
+        exit 1
+    fi
+)}
+
 assert_eq() {(
    set +ex