Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tests: os: add check for iptables rules #3398

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

tests: os: add check for iptables rules #3398

wants to merge 1 commit into from

Conversation

rcooke-warwick
Copy link
Contributor

Change-type: patch

Contributor checklist

Reviewer Guidelines

  • When submitting a review, please pick:
    • 'Approve' if this change would be acceptable in the codebase (even if there are minor or cosmetic tweaks that could be improved).
    • 'Request Changes' if this change would not be acceptable in our codebase (e.g. bugs, changes that will make development harder in future, security/performance issues, etc).
    • 'Comment' if you don't feel you have enough information to decide either way (e.g. if you have major questions, or you don't understand the context of the change sufficiently to fully review yourself, but want to make a comment)

kb2ma
kb2ma reviewed Apr 1, 2024
View reviewed changes
Copy link
Contributor

@kb2ma kb2ma left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it is useful to verify content is present for the BALENA-FIREWALL chain in the filter table. This tells us that the Supervisor was able to create and add some rules in a way that balenaOS sees them. Supervisor also performs more detailed mock tests.

I also would add a comment in the code that states why we are running this test -- to ensure Supervisor rule generation is working.

Does OS testing include any other checking of firewall rules? If not, consider adding a sanity check. For example, we expect to see the MASQUERADE target used in the nat table POSTROUTING chain for the balena0 network, like below.

root@c5be172:~# iptables -t nat -L -vn
...
Chain POSTROUTING (policy ACCEPT 46 packets, 3058 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      !balena0  10.114.101.0/24      0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !supervisor0  10.114.104.0/25      0.0.0.0/0

tests/suites/os/tests/iptables/index.js Outdated Show resolved Hide resolved
@rcooke-warwick
Copy link
Contributor Author

assuming new tests are currently failing as expected due to issue with supervisor - waiting on #3390 to rebase over it

@rcooke-warwick
Copy link
Contributor Author

@resin-jenkins retest this please

@rcooke-warwick
Copy link
Contributor Author

@resin-jenkins retest this please

@kb2ma
Copy link
Contributor

kb2ma commented Apr 5, 2024

Revisions look good, and the comments do a great job explaining why the tests are composed as they are.

@rcooke-warwick
Copy link
Contributor Author

@resin-jenkins retest this please

1 similar comment
@rcooke-warwick
Copy link
Contributor Author

@resin-jenkins retest this please

@rcooke-warwick rcooke-warwick marked this pull request as ready for review April 9, 2024 10:18
@rcooke-warwick
Copy link
Contributor Author

@resin-jenkins retest this please

@flowzone-app flowzone-app bot enabled auto-merge April 15, 2024 10:30
@rcooke-warwick @vipulgupta2048
tests: os: add check for iptables rules
0e3e4ce 
Change-type: patch
Signed-off-by: Ryan Cooke <ryan@balena.io>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kb2ma kb2ma kb2ma left review comments

@mtoman mtoman Awaiting requested review from mtoman

@vipulgupta2048 vipulgupta2048 Awaiting requested review from vipulgupta2048

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@rcooke-warwick @kb2ma