#!/bin/sh # # Copyright (c) 2023 Peter Pentchev # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. 
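set -e
# Treat an unset variable as an error: nothing here is meant to run with an
# empty name, and it turns a typo into a loud failure instead of an
# `rm -rf -- ''` or an empty TCPREMOTEIP.
set -u
set -x

# check IPADDR EXPECTED...
#
# Run tcprulescheck against rules.cdb in the current directory with
# TCPREMOTEIP set to IPADDR, echo its complete output, and fail (through
# `set -e`) unless every EXPECTED string occurs somewhere in that output.
#
# Matching is fixed-string and substring-based (grep -F), so an expected
# value such as 'SOURCE=localnet' also matches a line containing
# 'SOURCE=localnet2'; pass the 'rule ...:' line as well whenever the test
# needs to pin down which rule actually fired.
check() {
	if [ "$#" -lt 2 ]; then
		echo 'Internal error: check() invoked with too few arguments' 1>&2
		exit 1
	fi
	# `local` is not in POSIX sh, but dash (Debian's /bin/sh) supports it.
	local ipaddr="$1"
	shift

	env TCPREMOTEIP="$ipaddr" tcprulescheck rules.cdb > result.txt
	cat result.txt
	local arg=''
	for arg; do
		# -e keeps an expected string that starts with '-' from being parsed
		# as an option. A non-matching grep exits non-zero and `set -e`
		# aborts the whole script, so a single grep both shows the matched
		# line and acts as the assertion.
		grep -Fe "$arg" result.txt
	done
}

# First, make sure the package under test is installed at the expected
# upstream version. Plain /bin/sh may lack pipefail, but that is not needed:
# if dpkg-query prints nothing (package missing) grep fails, and `set -e`
# aborts either way.
dpkg-query -W -f '${Package}\t${Version}\n' ucspi-tcp-ipv6 | grep -Fe '1:0.88-'

# Work in a private temporary directory that is removed on any exit path.
# The trap body is single-quoted so "$tempd" is expanded when the trap runs;
# the variable is assigned once here and never changed afterwards.
tempd="$(mktemp -d -t test-tcprules.XXXXXX)"
trap 'rm -rf -- "$tempd"' HUP INT QUIT TERM EXIT
cd -- "$tempd"

# Create the input file: IPv4 prefix rules, a one-octet prefix, an IPv6
# loopback rule, and two full-length IPv6 rules (the last one sets an
# environment value that contains a space).
cat <<'EOINPUT' > rules.txt
127.0.0.:allow,SOURCE="localnet"
127.0.1.:deny,SOURCE="localnet2"
128.:deny,SOURCE="weird"
::1:allow,SOURCE="localhost6"
2001:4898:e0:66:82fa:5bff:fe0f:c0c9:allow,WHITELISTED="yes"
2002:4898:e0:66:82fa:5bff:fe0f:c0c9:allow,WHITELISTED="not really"
EOINPUT

# Compile the rules database; rules.cdb.tmp is tcprules' scratch file.
tcprules rules.cdb rules.cdb.tmp < rules.txt

# Run a couple of tests: each call names the rule expected to fire (where
# one exists), the environment variable it should set, and the verdict.
check 127.0.0.1 'rule 127.0.0.:' 'SOURCE=localnet' 'allow connection'
check 127.0.1.1 'rule 127.0.1.:' 'deny connection'
check 128.2.3.4 'rule 128.:' 'deny connection'
# No rule covers 1.2.3.4, so the default applies.
check 1.2.3.4 'default:' 'allow connection'
check ::1 'rule ::1:' 'SOURCE=localhost6' 'allow connection'
check 2001:4898:e0:66:82fa:5bff:fe0f:c0c9 'WHITELISTED=yes' 'allow connection'
check 2002:4898:e0:66:82fa:5bff:fe0f:c0c9 'WHITELISTED=not really' 'allow connection'

# Reached only if every command above succeeded (set -e).
set +x
echo 'Seems fine!'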