From 55858c64cc89f427335a59bee81b9e36b3df57d0 Mon Sep 17 00:00:00 2001 From: Wade Simmons Date: Fri, 26 Jun 2020 13:46:51 -0400 Subject: [PATCH] smoke test: test firewall inbound / outbound (#240) Test that basic inbound / outbound firewall rules work during the smoke test. This change sets an inbound firewall rule on host3, and a new host4 with outbound firewall rules. It also tests that conntrack allows packets once the connection has been established. --- .github/workflows/smoke.yml | 2 +- .github/workflows/smoke/build.sh | 27 +++++++++++++++++++++------ .github/workflows/smoke/genconfig.sh | 12 +++--------- .github/workflows/smoke/smoke.sh | 27 ++++++++++++++++++++++++++- 4 files changed, 51 insertions(+), 17 deletions(-) diff --git a/.github/workflows/smoke.yml b/.github/workflows/smoke.yml index eb883c5..ad094d5 100644 --- a/.github/workflows/smoke.yml +++ b/.github/workflows/smoke.yml @@ -14,7 +14,7 @@ on: jobs: smoke: - name: Run 3 node smoke test + name: Run multi node smoke test runs-on: ubuntu-latest steps: diff --git a/.github/workflows/smoke/build.sh b/.github/workflows/smoke/build.sh index 2841b8d..6d66d67 100755 --- a/.github/workflows/smoke/build.sh +++ b/.github/workflows/smoke/build.sh @@ -11,14 +11,29 @@ mkdir ./build cp ../../../../nebula . cp ../../../../nebula-cert . - HOST="lighthouse1" AM_LIGHTHOUSE=true ../genconfig.sh >lighthouse1.yml - HOST="host2" LIGHTHOUSES="192.168.100.1 172.17.0.2:4242" ../genconfig.sh >host2.yml - HOST="host3" LIGHTHOUSES="192.168.100.1 172.17.0.2:4242" ../genconfig.sh >host3.yml + HOST="lighthouse1" \ + AM_LIGHTHOUSE=true \ + ../genconfig.sh >lighthouse1.yml + + HOST="host2" \ + LIGHTHOUSES="192.168.100.1 172.17.0.2:4242" \ + ../genconfig.sh >host2.yml + + HOST="host3" \ + LIGHTHOUSES="192.168.100.1 172.17.0.2:4242" \ + INBOUND='[{"port": "any", "proto": "icmp", "group": "lighthouse"}]' \ + ../genconfig.sh >host3.yml + + HOST="host4" \ + LIGHTHOUSES="192.168.100.1 172.17.0.2:4242" \ + OUTBOUND='[{"port": "any", "proto": "icmp", "group": "lighthouse"}]' \ + ../genconfig.sh >host4.yml ./nebula-cert ca -name "Smoke Test" - ./nebula-cert sign -name "lighthouse1" -ip "192.168.100.1/24" - ./nebula-cert sign -name "host2" -ip "192.168.100.2/24" - ./nebula-cert sign -name "host3" -ip "192.168.100.3/24" + ./nebula-cert sign -name "lighthouse1" -groups "lighthouse,lighthouse1" -ip "192.168.100.1/24" + ./nebula-cert sign -name "host2" -groups "host,host2" -ip "192.168.100.2/24" + ./nebula-cert sign -name "host3" -groups "host,host3" -ip "192.168.100.3/24" + ./nebula-cert sign -name "host4" -groups "host,host4" -ip "192.168.100.4/24" ) docker build -t nebula:smoke . diff --git a/.github/workflows/smoke/genconfig.sh b/.github/workflows/smoke/genconfig.sh index cc9a3f2..81ace79 100755 --- a/.github/workflows/smoke/genconfig.sh +++ b/.github/workflows/smoke/genconfig.sh @@ -2,6 +2,7 @@ set -e +FIREWALL_ALL='[{"port": "any", "proto": "any", "host": "any"}]' if [ "$STATIC_HOSTS" ] || [ "$LIGHTHOUSES" ] then @@ -48,13 +49,6 @@ tun: dev: ${TUN_DEV:-nebula1} firewall: - outbound: - - port: any - proto: any - host: any - - inbound: - - port: any - proto: any - host: any + outbound: ${OUTBOUND:-$FIREWALL_ALL} + inbound: ${INBOUND:-$FIREWALL_ALL} EOF diff --git a/.github/workflows/smoke/smoke.sh b/.github/workflows/smoke/smoke.sh index df73ea1..2e06f7d 100755 --- a/.github/workflows/smoke/smoke.sh +++ b/.github/workflows/smoke/smoke.sh @@ -5,6 +5,7 @@ set -e -x docker run --name lighthouse1 --rm nebula:smoke -config lighthouse1.yml -test docker run --name host2 --rm nebula:smoke -config host2.yml -test docker run --name host3 --rm nebula:smoke -config host3.yml -test +docker run --name host4 --rm nebula:smoke -config host4.yml -test docker run --name lighthouse1 --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm nebula:smoke -config lighthouse1.yml & sleep 1 @@ -12,6 +13,8 @@ docker run --name host2 --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN - sleep 1 docker run --name host3 --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm nebula:smoke -config host3.yml & sleep 1 +docker run --name host4 --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm nebula:smoke -config host4.yml & +sleep 1 set +x echo @@ -27,7 +30,8 @@ echo " *** Testing ping from host2" echo set -x docker exec host2 ping -c1 192.168.100.1 -docker exec host2 ping -c1 192.168.100.3 +# Should fail because not allowed by host3 inbound firewall +! docker exec host2 ping -c1 192.168.100.3 -w5 || exit 1 set +x echo @@ -36,3 +40,24 @@ echo set -x docker exec host3 ping -c1 192.168.100.1 docker exec host3 ping -c1 192.168.100.2 + +set +x +echo +echo " *** Testing ping from host4" +echo +set -x +docker exec host4 ping -c1 192.168.100.1 +# Should fail because not allowed by host4 outbound firewall +! docker exec host4 ping -c1 192.168.100.2 -w5 || exit 1 +! docker exec host4 ping -c1 192.168.100.3 -w5 || exit 1 + +set +x +echo +echo " *** Testing conntrack" +echo +set -x +# host2 can ping host3 now that host3 pinged it first +docker exec host2 ping -c1 192.168.100.3 +# host4 can ping host2 once conntrack established +docker exec host2 ping -c1 192.168.100.4 +docker exec host4 ping -c1 192.168.100.2