Commit c2d0b3ea authored by anonym's avatar anonym

Convert `iptables_parse()` instance.

parent da339d88
...@@ -163,30 +163,37 @@ Then /^the firewall is configured to only allow the (.+) users? to connect direc ...@@ -163,30 +163,37 @@ Then /^the firewall is configured to only allow the (.+) users? to connect direc
end end
Then /^the firewall's NAT rules only redirect traffic for Tor's TransPort and DNSPort$/ do Then /^the firewall's NAT rules only redirect traffic for Tor's TransPort and DNSPort$/ do
loopback_address = "127.0.0.1/32"
tor_onion_addr_space = "127.192.0.0/10" tor_onion_addr_space = "127.192.0.0/10"
iptables_nat_output = $vm.execute_successfully("iptables -t nat -L -n -v").stdout tor_trans_port = "9040"
chains = iptables_parse(iptables_nat_output) dns_port = "53"
chains.each_pair do |name, chain| tor_dns_port = "5353"
rules = chain["rules"] ip4tables_chains('nat') do |name, _, rules|
if name == "OUTPUT" if name == "OUTPUT"
good_rules = rules.find_all do |rule| good_rules = rules.find_all do |rule|
rule["target"] == "REDIRECT" && redirect = rule.get_elements('actions/*').all? do |action|
( action.name == "REDIRECT"
( end
rule["destination"] == tor_onion_addr_space && destination = try_xml_element_text(rule, "conditions/match/d")
rule["extra"] == "redir ports 9040" redir_port = try_xml_element_text(rule, "actions/REDIRECT/to-ports")
) || redirected_to_trans_port = redir_port == tor_trans_port
rule["extra"] == "udp dpt:53 redir ports 5353" udp_destination_port = try_xml_element_text(rule, "conditions/udp/dport")
) dns_redirected_to_tor_dns_port = (udp_destination_port == dns_port) &&
(redir_port == tor_dns_port)
redirect &&
(
(destination == tor_onion_addr_space && redirected_to_trans_port) ||
(destination == loopback_address && dns_redirected_to_tor_dns_port)
)
end end
assert_equal(rules, good_rules, bad_rules = rules - good_rules
"The NAT table's OUTPUT chain contains some unexpected " \ assert(bad_rules.empty?,
"rules:\n" + "The NAT table's OUTPUT chain contains some unexpected " +
((rules - good_rules).map { |r| r["rule"] }).join("\n")) "rules:\n#{bad_rules}")
else else
assert(rules.empty?, assert(rules.empty?,
"The NAT table contains unexpected rules for the #{name} " \ "The NAT table contains unexpected rules for the #{name} " +
"chain:\n" + (rules.map { |r| r["rule"] }).join("\n")) "chain:\n#{rules}")
end end
end end
end end
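Review bot: The two assertion messages on the new side interpolate `bad_rules` and `rules` straight into the string, which renders an Array of REXML elements through `Array#inspect` instead of the per-rule text the replaced message built from `r["rule"]`, so a failing step prints `<rule ...> ... </>` stubs rather than the offending rules; `"rules:\n#{bad_rules.map(&:to_s).join("\n")}"` in the OUTPUT branch and `"chain:\n#{rules.map(&:to_s).join("\n")}"` in the else branch would serialise each element in full. The `all?` over `actions/*` is vacuously true for a rule that carries no action at all; such a rule is still rejected only because `redir_port` is then nil and fails both port comparisons, which is worth stating next to it, e.g. `# an action-less rule is caught by the to-ports comparisons below`. `ip4tables_chains` and `try_xml_element_text` are defined outside this hunk, so the reading that `try_xml_element_text` yields nil for a missing element is assumed here, not verified.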