fix(linux.net): Added check for existing file before iptables restore (
…#4889)

* Check for existing file before restore

Signed-off-by: pierantoniomerlino <[email protected]>

* Fixed comment formatting

Signed-off-by: pierantoniomerlino <[email protected]>

---------

Signed-off-by: pierantoniomerlino <[email protected]>
pierantoniomerlino committed Oct 20, 2023
1 parent 8fbf6f9 commit 1aea966
Showing 3 changed files with 190 additions and 61 deletions.
Expand Up @@ -245,15 +245,16 @@ private void internalFlush(String chain, String table) {
}

/*
* Saves (using iptables-save) the current iptables config into /etc/sysconfig/iptables
* Saves (using iptables-save) the current iptables config into
* /etc/sysconfig/iptables
*/
public void save() {
internalSave(null);
}

/*
* Saves rules from the localRules, portForwardRules, natRules, and autoNatRules into the Kura chains in
* /etc/sysconfig/iptables
* Saves rules from the localRules, portForwardRules, natRules, and autoNatRules
* into the Kura chains in /etc/sysconfig/iptables
*/
public void saveKuraChains() throws KuraException {
try (FileOutputStream fos = new FileOutputStream(getFirewallConfigTmpFileName());
Expand Down Expand Up @@ -362,7 +363,8 @@ private CommandStatus execute(String commandLine) {
}

/*
* Restores (using iptables-restore) firewall settings from temporary iptables configuration file.
* Restores (using iptables-restore) firewall settings from temporary iptables
* configuration file.
* Temporary configuration file is deleted upon completion.
*/
public void restore(String filename) {
Expand All @@ -389,8 +391,8 @@ public void restore(String filename) {
}

/*
* Saves current configurations from the localRules, portForwardRules, natRules, and autoNatRules
* into specified temporary file
* Saves current configurations from the localRules, portForwardRules, natRules,
* and autoNatRules into specified temporary file
*/
public void save(String filename) {
internalSave(filename);
Expand Down Expand Up @@ -623,14 +625,19 @@ private void writeAdditionalRulesToMangleTable(PrintWriter writer) {
}

/*
* Populates the localRules, portForwardRules, natRules, and autoNatRules by parsing
* the iptables configuration file. Only Kura chains are used.
* Populates the localRules, portForwardRules, natRules, and autoNatRules by
* parsing the iptables configuration file. Only Kura chains are used.
*/
public void restore() throws KuraException {
File iptablesFile = new File(getFirewallConfigFileName());
if (!iptablesFile.exists()) {
return;
}
List<NatPreroutingChainRule> natPreroutingChain = new ArrayList<>();
List<NatPostroutingChainRule> natPostroutingChain = new ArrayList<>();
List<FilterForwardChainRule> filterForwardChain = new ArrayList<>();
try (FileReader fr = new FileReader(getFirewallConfigFileName()); BufferedReader br = new BufferedReader(fr)) {
try (FileReader fr = new FileReader(getFirewallConfigFileName());
BufferedReader br = new BufferedReader(fr)) {
parseIptablesRules(natPreroutingChain, natPostroutingChain, filterForwardChain, br);
// ! done parsing !
parsePortForwardingRules(natPreroutingChain, natPostroutingChain);
Expand Down Expand Up @@ -855,8 +862,9 @@ private void parsePortForwardingRules(List<NatPreroutingChainRule> natPrerouting
}

/*
* Applies the rules contained in the localRules, portForwardRules, natRules, and autoNatRules,
* force the polices for input and forward chains and apply flooding protection rules if needed.
* Applies the rules contained in the localRules, portForwardRules, natRules,
* and autoNatRules, force the polices for input and forward chains and apply
* flooding protection rules if needed.
*/
public void applyRules() {
applyPolicies();
Expand Down Expand Up @@ -884,7 +892,7 @@ private void applyPolicies() {
}
if (!execute(
getIptablesCommand() + " " + String.join(" ", IptablesConfigConstants.IPTABLES_FORWARD_DROP_POLICY))
.getExitStatus().isSuccessful()) {
.getExitStatus().isSuccessful()) {
logger.error("Failed to apply policy to chain FORWARD");
}
}
Expand All @@ -902,7 +910,7 @@ private void createKuraMangleChains() {
rule = getIptablesCommand() + " " + IptablesConfigConstants.ADD_INPUT_KURA_CHAIN + " -t " + MANGLE;
if (!execute(getIptablesCommand() + " "
+ String.join(" ", IptablesConfigConstants.IPTABLES_CHECK_INPUT_KURA_CHAIN_MANGLE)).getExitStatus()
.isSuccessful()
.isSuccessful()
&& !execute(rule).getExitStatus().isSuccessful()) {
logger.error(CHAIN_CREATION_FAILED_MESSAGE);
}
Expand All @@ -912,7 +920,7 @@ private void createKuraMangleChains() {
rule = getIptablesCommand() + " " + IptablesConfigConstants.ADD_OUTPUT_KURA_CHAIN + " -t " + MANGLE;
if (!execute(getIptablesCommand() + " "
+ String.join(" ", IptablesConfigConstants.IPTABLES_CHECK_OUTPUT_KURA_CHAIN_MANGLE)).getExitStatus()
.isSuccessful()
.isSuccessful()
&& !execute(rule).getExitStatus().isSuccessful()) {
logger.error(CHAIN_CREATION_FAILED_MESSAGE);
}
Expand All @@ -922,7 +930,7 @@ private void createKuraMangleChains() {
rule = getIptablesCommand() + " " + IptablesConfigConstants.ADD_FORWARD_KURA_CHAIN + " -t " + MANGLE;
if (!execute(getIptablesCommand() + " "
+ String.join(" ", IptablesConfigConstants.IPTABLES_CHECK_FORWARD_KURA_CHAIN_MANGLE)).getExitStatus()
.isSuccessful()
.isSuccessful()
&& !execute(rule).getExitStatus().isSuccessful()) {
logger.error(CHAIN_CREATION_FAILED_MESSAGE);
}
Expand All @@ -932,7 +940,7 @@ private void createKuraMangleChains() {
rule = getIptablesCommand() + " " + IptablesConfigConstants.ADD_PREROUTING_KURA_CHAIN + " -t " + MANGLE;
if (!execute(getIptablesCommand() + " "
+ String.join(" ", IptablesConfigConstants.IPTABLES_CHECK_PREROUTING_KURA_CHAIN_MANGLE)).getExitStatus()
.isSuccessful()
.isSuccessful()
&& !execute(rule).getExitStatus().isSuccessful()) {
logger.error(CHAIN_CREATION_FAILED_MESSAGE);
}
Expand All @@ -942,7 +950,7 @@ private void createKuraMangleChains() {
rule = getIptablesCommand() + " " + IptablesConfigConstants.ADD_POSTROUTING_KURA_CHAIN + " -t " + MANGLE;
if (!execute(getIptablesCommand() + " "
+ String.join(" ", IptablesConfigConstants.IPTABLES_CHECK_POSTROUTING_KURA_CHAIN_MANGLE))
.getExitStatus().isSuccessful()
.getExitStatus().isSuccessful()
&& !execute(rule).getExitStatus().isSuccessful()) {
logger.error(CHAIN_CREATION_FAILED_MESSAGE);
}
Expand All @@ -956,7 +964,7 @@ private void createKuraNatChains() {
rule = getIptablesCommand() + " " + IptablesConfigConstants.ADD_INPUT_KURA_CHAIN + " -t " + NAT;
if (!execute(getIptablesCommand() + " "
+ String.join(" ", IptablesConfigConstants.IPTABLES_CHECK_INPUT_KURA_CHAIN_NAT)).getExitStatus()
.isSuccessful()
.isSuccessful()
&& !execute(rule).getExitStatus().isSuccessful()) {
logger.error(CHAIN_CREATION_FAILED_MESSAGE);
}
Expand All @@ -966,7 +974,7 @@ private void createKuraNatChains() {
rule = getIptablesCommand() + " " + IptablesConfigConstants.ADD_OUTPUT_KURA_CHAIN + " -t " + NAT;
if (!execute(getIptablesCommand() + " "
+ String.join(" ", IptablesConfigConstants.IPTABLES_CHECK_OUTPUT_KURA_CHAIN_NAT)).getExitStatus()
.isSuccessful()
.isSuccessful()
&& !execute(rule).getExitStatus().isSuccessful()) {
logger.error(CHAIN_CREATION_FAILED_MESSAGE);
}
Expand All @@ -976,7 +984,7 @@ private void createKuraNatChains() {
rule = getIptablesCommand() + " " + IptablesConfigConstants.ADD_PREROUTING_KURA_CHAIN + " -t " + NAT;
if (!execute(getIptablesCommand() + " "
+ String.join(" ", IptablesConfigConstants.IPTABLES_CHECK_PREROUTING_KURA_CHAIN)).getExitStatus()
.isSuccessful()
.isSuccessful()
&& !execute(rule).getExitStatus().isSuccessful()) {
logger.error(CHAIN_CREATION_FAILED_MESSAGE);
}
Expand All @@ -986,7 +994,7 @@ private void createKuraNatChains() {
rule = getIptablesCommand() + " " + IptablesConfigConstants.ADD_PREROUTING_KURA_PF_CHAIN + " -t " + NAT;
if (!execute(getIptablesCommand() + " "
+ String.join(" ", IptablesConfigConstants.IPTABLES_CHECK_PREROUTING_KURA_PF_CHAIN)).getExitStatus()
.isSuccessful()
.isSuccessful()
&& !execute(rule).getExitStatus().isSuccessful()) {
logger.error(CHAIN_CREATION_FAILED_MESSAGE);
}
Expand All @@ -996,7 +1004,7 @@ private void createKuraNatChains() {
rule = getIptablesCommand() + " " + IptablesConfigConstants.ADD_POSTROUTING_KURA_CHAIN + " -t " + NAT;
if (!execute(getIptablesCommand() + " "
+ String.join(" ", IptablesConfigConstants.IPTABLES_CHECK_POSTROUTING_KURA_CHAIN)).getExitStatus()
.isSuccessful()
.isSuccessful()
&& !execute(rule).getExitStatus().isSuccessful()) {
logger.error(CHAIN_CREATION_FAILED_MESSAGE);
}
Expand All @@ -1006,7 +1014,7 @@ private void createKuraNatChains() {
rule = getIptablesCommand() + " " + IptablesConfigConstants.ADD_POSTROUTING_KURA_PF_CHAIN + " -t " + NAT;
if (!execute(getIptablesCommand() + " "
+ String.join(" ", IptablesConfigConstants.IPTABLES_CHECK_POSTROUTING_KURA_PF_CHAIN)).getExitStatus()
.isSuccessful()
.isSuccessful()
&& !execute(rule).getExitStatus().isSuccessful()) {
logger.error(CHAIN_CREATION_FAILED_MESSAGE);
}
Expand All @@ -1016,7 +1024,7 @@ private void createKuraNatChains() {
rule = getIptablesCommand() + " " + IptablesConfigConstants.ADD_POSTROUTING_KURA_IPF_CHAIN + " -t " + NAT;
if (!execute(getIptablesCommand() + " "
+ String.join(" ", IptablesConfigConstants.IPTABLES_CHECK_POSTROUTING_KURA_IPF_CHAIN)).getExitStatus()
.isSuccessful()
.isSuccessful()
&& !execute(rule).getExitStatus().isSuccessful()) {
logger.error(CHAIN_CREATION_FAILED_MESSAGE);
}
Expand All @@ -1028,7 +1036,7 @@ private void createKuraFilterChains() {
String rule = getIptablesCommand() + " " + IptablesConfigConstants.ADD_INPUT_KURA_CHAIN + " -t " + FILTER;
if (!execute(
getIptablesCommand() + " " + String.join(" ", IptablesConfigConstants.IPTABLES_CHECK_INPUT_KURA_CHAIN))
.getExitStatus().isSuccessful()
.getExitStatus().isSuccessful()
&& !execute(rule).getExitStatus().isSuccessful()) {
logger.error(CHAIN_CREATION_FAILED_MESSAGE);
}
Expand All @@ -1038,7 +1046,7 @@ private void createKuraFilterChains() {
rule = getIptablesCommand() + " " + IptablesConfigConstants.ADD_OUTPUT_KURA_CHAIN + " -t " + FILTER;
if (!execute(
getIptablesCommand() + " " + String.join(" ", IptablesConfigConstants.IPTABLES_CHECK_OUTPUT_KURA_CHAIN))
.getExitStatus().isSuccessful()
.getExitStatus().isSuccessful()
&& !execute(rule).getExitStatus().isSuccessful()) {
logger.error(CHAIN_CREATION_FAILED_MESSAGE);
}
Expand Down Expand Up @@ -1071,7 +1079,7 @@ private void createKuraFilterChains() {
private void applyLoopbackRules() {
if (!execute(
(getIptablesCommand() + " " + IptablesConfigConstants.ALLOW_ALL_TRAFFIC_TO_LOOPBACK + " -t " + FILTER))
.getExitStatus().isSuccessful()) {
.getExitStatus().isSuccessful()) {
logger.error("Failed to apply rules to loopback interface");
}
}
Expand Down
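Review bot: The new guard in restore() (the `iptablesFile.exists()` check added just before the FileReader is opened) accepts a directory or an unreadable path and returns without any trace, so a device whose /etc/sysconfig/iptables has gone missing silently continues with localRules, portForwardRules, natRules and autoNatRules never populated from the file. I would tighten it to `if (!iptablesFile.isFile()) {` and log before returning, e.g. `logger.warn("Firewall configuration file {} not found or not a regular file, skipping restore", iptablesFile.getAbsolutePath());` — the `logger` field is already used elsewhere in this file. The exists-then-open sequence is still a check-then-use race, so the FileNotFoundException path must remain handled by the catch that follows; restore()'s body, including that catch, continues past the end of this hunk. Pre-existing but worth noting: the FileReader reads with the platform default charset, which should be pinned to StandardCharsets.UTF_8 when this code is next touched.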
Expand Up @@ -294,4 +294,98 @@ protected static void setUpMock() {
testCommandList.stream().forEach(c -> when(executorServiceMock.execute(c)).thenReturn(successStatus));
}

protected static final String IPTABLES_FILE_CONTENT = "*filter\n"
+ ":INPUT DROP [0:0]\n"
+ ":FORWARD DROP [0:0]\n"
+ ":OUTPUT ACCEPT [0:0]\n"
+ ":input-kura - [0:0]\n"
+ ":output-kura - [0:0]\n"
+ ":forward-kura - [0:0]\n"
+ ":forward-kura-pf - [0:0]\n"
+ ":forward-kura-ipf - [0:0]\n"
+ "-I INPUT -j input-kura\n"
+ "-I OUTPUT -j output-kura\n"
+ "-I FORWARD -j forward-kura\n"
+ "-I forward-kura -j forward-kura-pf\n"
+ "-I forward-kura -j forward-kura-ipf\n"
+ "-A input-kura -i lo -j ACCEPT\n"
+ "-A input-kura -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
+ "-A input-kura -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n"
+ "-A output-kura -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
+ "-A input-kura -p tcp -s 0.0.0.0/0 -i eth0 --dport 22 -j ACCEPT\n"
+ "-A input-kura -p tcp -s 10.234.0.0/16 -i tun0 --dport 22 -j ACCEPT\n"
+ "-A input-kura -p tcp -s 0.0.0.0/0 -i eth0 --dport 443 -j ACCEPT\n"
+ "-A input-kura -p tcp -s 10.234.0.0/16 -i tun0 --dport 443 -j ACCEPT\n"
+ "-A input-kura -p tcp -s 0.0.0.0/0 -i eth0 --dport 4443 -j ACCEPT\n"
+ "-A input-kura -p tcp -s 10.234.0.0/16 -i tun0 --dport 4443 -j ACCEPT\n"
+ "-A input-kura -p udp -s 0.0.0.0/0 -i eth0 --dport 53 -j ACCEPT\n"
+ "-A input-kura -p udp -s 0.0.0.0/0 -i wlan0 --dport 53 -j ACCEPT\n"
+ "-A input-kura -p udp -s 0.0.0.0/0 -i eth0 --dport 67 -j ACCEPT\n"
+ "-A input-kura -p udp -s 0.0.0.0/0 -i wlan0 --dport 67 -j ACCEPT\n"
+ "-A forward-kura-pf -s 0.0.0.0/0 -d 172.16.0.1/32 -i eth0 -o wlan0 -p tcp -m tcp -j ACCEPT\n"
+ "-A forward-kura-pf -s 172.16.0.1/32 -i wlan0 -o eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
+ "-A forward-kura -i wlan0 -o eth0 -j ACCEPT\n"
+ "-A forward-kura -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
+ "-A forward-kura-ipf -s 0.0.0.0/0 -d 0.0.0.0/0 -i eth0 -o wlan0 -p tcp -m tcp -j ACCEPT\n"
+ "-A forward-kura-ipf -s 0.0.0.0/0 -i wlan0 -o eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
+ "-A input-kura -j RETURN\n"
+ "-A output-kura -j RETURN\n"
+ "-A forward-kura -j RETURN\n"
+ "-A forward-kura-pf -j RETURN\n"
+ "-A forward-kura-ipf -j RETURN\n"
+ "COMMIT\n"
+ "*nat\n"
+ ":INPUT ACCEPT [0:0]\n"
+ ":OUTPUT ACCEPT [0:0]\n"
+ ":PREROUTING ACCEPT [0:0]\n"
+ ":POSTROUTING ACCEPT [0:0]\n"
+ ":prerouting-kura - [0:0]\n"
+ ":prerouting-kura-pf - [0:0]\n"
+ ":postrouting-kura - [0:0]\n"
+ ":postrouting-kura-pf - [0:0]\n"
+ ":postrouting-kura-ipf - [0:0]\n"
+ ":input-kura - [0:0]\n"
+ ":output-kura - [0:0]\n"
+ "-I PREROUTING -j prerouting-kura\n"
+ "-I prerouting-kura -j prerouting-kura-pf\n"
+ "-I POSTROUTING -j postrouting-kura\n"
+ "-I postrouting-kura -j postrouting-kura-pf\n"
+ "-I postrouting-kura -j postrouting-kura-ipf\n"
+ "-I INPUT -j input-kura\n"
+ "-I OUTPUT -j output-kura\n"
+ "-A prerouting-kura-pf -i eth0 -p tcp -m tcp --dport 2020 -j DNAT --to-destination 172.16.0.1:1010\n"
+ "-A postrouting-kura-pf -d 172.16.0.1/32 -o wlan0 -p tcp -j MASQUERADE\n"
+ "-A postrouting-kura -o eth0 -j MASQUERADE\n"
+ "-A postrouting-kura-ipf -s 0.0.0.0/0 -d 0.0.0.0/0 -o wlan0 -p tcp -j MASQUERADE\n"
+ "-A postrouting-kura -j RETURN\n"
+ "-A postrouting-kura-pf -j RETURN\n"
+ "-A postrouting-kura-ipf -j RETURN\n"
+ "-A prerouting-kura -j RETURN\n"
+ "-A prerouting-kura-pf -j RETURN\n"
+ "-A input-kura -j RETURN\n"
+ "-A output-kura -j RETURN\n"
+ "COMMIT\n"
+ "*mangle\n"
+ ":INPUT ACCEPT [0:0]\n"
+ ":OUTPUT ACCEPT [0:0]\n"
+ ":FORWARD ACCEPT [0:0]\n"
+ ":PREROUTING ACCEPT [0:0]\n"
+ ":POSTROUTING ACCEPT [0:0]\n"
+ ":prerouting-kura - [0:0]\n"
+ ":postrouting-kura - [0:0]\n"
+ ":input-kura - [0:0]\n"
+ ":output-kura - [0:0]\n"
+ ":forward-kura - [0:0]\n"
+ "-I PREROUTING -j prerouting-kura\n"
+ "-I POSTROUTING -j postrouting-kura\n"
+ "-I INPUT -j input-kura\n"
+ "-I OUTPUT -j output-kura\n"
+ "-I FORWARD -j forward-kura\n"
+ "-A postrouting-kura -j RETURN\n"
+ "-A prerouting-kura -j RETURN\n"
+ "-A input-kura -j RETURN\n"
+ "-A output-kura -j RETURN\n"
+ "-A forward-kura -j RETURN\n"
+ "COMMIT\n";

}
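Review bot: IPTABLES_FILE_CONTENT carries no comment saying which scenario it models, and nothing visible in this section exercises the missing-file branch the commit adds to restore(); the fixture only feeds the file-present path. I would add a header comment above the constant, e.g. `// Sample /etc/sysconfig/iptables content with populated Kura chains in the filter, nat and mangle tables, used to drive restore() in the parsing tests`, and a test that makes getFirewallConfigFileName() resolve to a non-existent path and asserts that restore() returns without throwing and leaves the rule lists empty. The third changed file is not loaded on this page, so that case may already be covered there.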
