diff --git a/source4/torture/smb2/block.c b/source4/torture/smb2/block.c new file mode 100644 index 00000000000..d1e1856bb05 --- /dev/null +++ b/source4/torture/smb2/block.c @@ -0,0 +1,370 @@ +/* + * Unix SMB/CIFS implementation. + * + * block SMB2 transports using iptables + * + * Copyright (C) Guenther Deschner, 2017 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +#include "includes.h" +#include "libcli/smb2/smb2.h" +#include "torture/torture.h" +#include "torture/smb2/proto.h" +#include "system/network.h" +#include "lib/util/util_net.h" +#include "torture/smb2/block.h" +#include "libcli/smb/smbXcli_base.h" + +/* + * INPUT + * | + * -----> SAMBA_INPUT + * | + * -----> SAMBA_INPUT_transportname1 + * -----> SAMBA_INPUT_transportname2 + */ + + +static bool run_cmd(const char *cmd) +{ + int ret; + + DEBUG(10, ("%s will call '%s'\n", __location__, cmd)); + + ret = system(cmd); + if (ret) { + DEBUG(1, ("%s failed to execute system call: %s: %d\n", + __location__, cmd, ret)); + return false; + } + + return true; +} + +int smbrun(const char *cmd, int *outfd, char * const *env); + +static bool run_cmd_return_buf(TALLOC_CTX *mem_ctx, + const char *cmd, + int *num_lines, char ***buf) +{ + int ret; + int fd = -1; + + DEBUG(10, ("%s will call '%s'\n", __location__, cmd)); + + ret = smbrun(cmd, &fd, NULL); + if (ret) { + DEBUG(1, ("%s failed to execute system call: %s: %d\n", + __location__, cmd, ret)); + if (fd != -1) { + close(fd); + } + return false; + } + + *buf = fd_lines_load(fd, num_lines, 0, mem_ctx); + if (fd != -1) { + close(fd); + } + if (*buf == NULL) { + return false; + } + + return true; +} + +static const char *iptables_command(struct torture_context *tctx) +{ + return torture_setting_string(tctx, "iptables_command", + "/usr/sbin/iptables"); +} + +char *escape_shell_string(const char *src); + +/* + * iptables v1.6.1: chain name `SAMBA_INPUT_tree1->session->transport' + * too long (must be under 29 chars) + * + * maybe truncate chainname ? + */ +static const char *samba_chain_name(struct torture_context *tctx, + const char *name, + const char *prefix) +{ + const char *s; + char *sm; + + s = talloc_asprintf(tctx, "%s_%s", prefix, name); + if (s == NULL) { + return NULL; + } + + sm = escape_shell_string(s); + if (sm == NULL) { + return NULL; + } + + s = talloc_strdup(tctx, sm); + free(sm); + + return s; +} + +static bool filter_tcp_setup(struct torture_context *tctx, + bool unblock) +{ + const char *cmd_in, *cmd_out; + const char *ipt = iptables_command(tctx); + + if (unblock) { + cmd_in = talloc_asprintf(tctx, + "%s -L SAMBA_INPUT > /dev/null 2>&1 && " + "(" + "%s -F SAMBA_INPUT; " + "%s -D INPUT -j SAMBA_INPUT; " + "%s -X SAMBA_INPUT;" + ")", + ipt, ipt, ipt, ipt); + cmd_out = talloc_asprintf(tctx, + "%s -L SAMBA_OUTPUT > /dev/null 2>&1 && " + "(" + "%s -F SAMBA_OUTPUT;" + "%s -D OUTPUT -j SAMBA_OUTPUT;" + "%s -X SAMBA_OUTPUT;" + ")", + ipt, ipt, ipt, ipt); + } else { + cmd_in = talloc_asprintf(tctx, + "%s -L SAMBA_INPUT > /dev/null 2>&1 || " + "(" + "%s -N SAMBA_INPUT && " + "%s -I INPUT -j SAMBA_INPUT " + ")", + ipt, ipt, ipt); + cmd_out = talloc_asprintf(tctx, + "%s -L SAMBA_OUTPUT > /dev/null 2>&1 || " + "(" + "%s -N SAMBA_OUTPUT && " + "%s -I OUTPUT -j SAMBA_OUTPUT;" + ")", + ipt, ipt, ipt); + } + + if (cmd_in == NULL || cmd_out == NULL) { + return false; + } + + if (!run_cmd(cmd_in)) { + return false; + } + /* if (!run_cmd(cmd_out)) { return false; } */ + + return true; +} + +static bool filter_tcp_setup_name(struct torture_context *tctx, + const char *name, bool unblock) +{ + const char *cmd_in, *cmd_out; + const char *chain_in, *chain_out; + const char *ipt = iptables_command(tctx); + + chain_in = samba_chain_name(tctx, name, "SAMBA_INPUT"); + chain_out = samba_chain_name(tctx, name, "SAMBA_OUTPUT"); + if (chain_in == NULL || chain_out == NULL) { + return false; + } + + if (unblock) { + cmd_in = talloc_asprintf(tctx, "%s -F %s; " + "%s -D SAMBA_INPUT -j %s; " + "%s -X %s", + ipt, chain_in, + ipt, chain_in, + ipt, chain_in); + cmd_out = talloc_asprintf(tctx, "%s -F %s; " + "%s -D SAMBA_OUTPUT -j %s; " + "%s -X %s", + ipt, chain_out, + ipt, chain_out, + ipt, chain_out); + } else { + cmd_in = talloc_asprintf(tctx, "%s -L %s > /dev/null 2>&1 || " + "%s -N %s && " + "%s -I SAMBA_INPUT -j %s", + ipt, chain_in, + ipt, chain_in, + ipt, chain_in); + cmd_out = talloc_asprintf(tctx, "%s -L %s > /dev/null 2>&1 || " + "%s -N %s && " + "%s -I SAMBA_OUTPUT -j %s", + ipt, chain_out, + ipt, chain_out, + ipt, chain_out); + } + + if (cmd_in == NULL || cmd_out == NULL) { + return false; + } + + if (!run_cmd(cmd_in)) { + return false; + } + /* if (!run_cmd(cmd_out)) return false; */ + + return true; +} + +/* '11 452 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:43062' */ +static bool get_packet_count(const char *s, uint32_t *count) +{ + int i = 0; + char *p; + + if (s == NULL) { + return false; + } + + while (s[i] == ' ') { + s++; + } + + p = strchr(s, ' '); + if (p == NULL) { + return false; + } + *p = '\0'; + + *count = atoi(s); + + return true; +} + +bool torture_list_tcp_transport_name(struct torture_context *tctx, + const char *name, + uint32_t *_packets) +{ + const char *chain_in, *cmd; + int num_lines; + char **buf; + uint32_t packets = 0; + const char *ipt = iptables_command(tctx); + + chain_in = samba_chain_name(tctx, name, "SAMBA_INPUT"); + if (chain_in == NULL) { + return false; + } + + cmd = talloc_asprintf(tctx, "%s -L %s -v -n", ipt, chain_in); + if (cmd == NULL) { + return false; + } + + if (!run_cmd_return_buf(tctx, cmd, &num_lines, &buf)) { + return false; + } + SMB_ASSERT(num_lines >= 3); + + if (!get_packet_count(buf[2], &packets)) { + return false; + } + + torture_comment(tctx, "chain: '%s', packets: %d\n", name, (int)packets); + + if (_packets != NULL) { + *_packets = packets; + } + + return true; +} + +uint16_t torture_get_local_port_from_transport(struct smb2_transport *t) +{ + const struct sockaddr_storage *local_ss; + + local_ss = smbXcli_conn_local_sockaddr(t->conn); + + return get_sockaddr_port(local_ss); +} + +static bool torture_block_tcp_transport_name_internal( + struct torture_context *tctx, + struct smb2_transport *t, + const char *name, + bool unblock) +{ + char *cmd_in; + char *cmd_out; + const char *chain_in, *chain_out; + uint16_t port = torture_get_local_port_from_transport(t); + const char *ipt = iptables_command(tctx); + + chain_in = samba_chain_name(tctx, name, "SAMBA_INPUT"); + chain_out = samba_chain_name(tctx, name, "SAMBA_OUTPUT"); + if (chain_in == NULL || chain_out == NULL) { + return false; + } + + if (!unblock) { + filter_tcp_setup(tctx, false); + filter_tcp_setup_name(tctx, name, false); + } + + torture_comment(tctx, "%sblocking %s dport %d\n", + unblock ? "un" : "", name, port); + + cmd_in = talloc_asprintf(tctx, + "%s %s %s -p tcp --dport %d -j DROP", + ipt, unblock ? "-D" : "-I", chain_in, port); + cmd_out = talloc_asprintf(tctx, + "%s %s %s -p tcp --sport %d -j DROP", + ipt, unblock ? "-D" : "-I", chain_out, port); + if (cmd_in == NULL || cmd_out == NULL) { + return false; + } + + if (!run_cmd(cmd_in)) { + return false; + } + /* if (!run_cmd(cmd_out)) return false; */ + + if (unblock) { + filter_tcp_setup_name(tctx, name, true); + /* better dont cleanup here */ + /* filter_tcp_setup(tctx, true); */ + } + + return true; +} + +bool torture_block_tcp_transport_name(struct torture_context *tctx, + struct smb2_transport *t, + const char *name) +{ + return torture_block_tcp_transport_name_internal(tctx, t, name, false); +} + +bool torture_unblock_tcp_transport_name(struct torture_context *tctx, + struct smb2_transport *t, + const char *name) +{ + return torture_block_tcp_transport_name_internal(tctx, t, name, true); +} + +void torture_unblock_cleanup(struct torture_context *tctx) +{ + filter_tcp_setup(tctx, true); +} diff --git a/source4/torture/smb2/block.h b/source4/torture/smb2/block.h new file mode 100644 index 00000000000..9278caaa2b7 --- /dev/null +++ b/source4/torture/smb2/block.h @@ -0,0 +1,45 @@ +/* + * Unix SMB/CIFS implementation. + * + * block SMB2 transports using iptables + * + * Copyright (C) Guenther Deschner, 2017 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +bool torture_list_tcp_transport_name(struct torture_context *tctx, + const char *name, + uint32_t *packets); + +bool torture_block_tcp_transport_name(struct torture_context *tctx, + struct smb2_transport *t, + const char *name); + +bool torture_unblock_tcp_transport_name(struct torture_context *tctx, + struct smb2_transport *t, + const char *name); + +void torture_unblock_cleanup(struct torture_context *tctx); + +uint16_t torture_get_local_port_from_transport(struct smb2_transport *t); + +#define torture_block_tcp_transport(_tctx, _t) \ + torture_block_tcp_transport_name(_tctx, _t, #_t) + +#define torture_unblock_tcp_transport(_tctx, _t) \ + torture_unblock_tcp_transport_name(_tctx, _t, #_t) + +#define torture_list_tcp_transport(_tctx, _t, _packets) \ + torture_list_tcp_transport_name(_tctx, #_t, _packets) diff --git a/source4/torture/smb2/wscript_build b/source4/torture/smb2/wscript_build index 1183cb93772..e605a4589ac 100644 --- a/source4/torture/smb2/wscript_build +++ b/source4/torture/smb2/wscript_build @@ -3,6 +3,7 @@ bld.SAMBA_MODULE('TORTURE_SMB2', source=''' acls.c + block.c compound.c connect.c create.c