Merge pull request #1560 from nser77/nser77-patch-8

FIRE-4508 - Enhancements
2025-07-26 07:15:07 +02:00 · 2024-10-15 14:24:10 +02:00 · 2024-10-15 14:24:10 +02:00 · a058d3062e
commit a058d3062e
parent 21b85f2196 b6bbbf4ac8
1 changed files with 80 additions and 34 deletions
--- a/include/tests_firewalls
+++ b/include/tests_firewalls
@ -109,43 +109,89 @@
    Register --test-no FIRE-4508 --preqs-met ${PREQS_MET} --os Linux --weight L --network NO --root-only YES --category security --description "Check used policies of iptables chains"
    if [ ${SKIPTEST} -eq 0 ]; then
        Display --indent 4 --text "- Checking iptables policies of chains" --result "${STATUS_FOUND}" --color GREEN
-        TABLES="filter nat mangle raw security"
+        IPTABLES_TABLES="filter nat mangle raw security"
-        for TABLE in ${TABLES}; do
+        for IPTABLES_TABLE in ${IPTABLES_TABLES}
-            LogText "Test: gathering information from table ${TABLE}"
+        do
-            FIND="$FIND"$(${IPTABLESBINARY} -t ${TABLE} --numeric --list | ${GREPBINARY} -E -o -w  '[A-Z]+' | tr -d '\0' | ${AWKBINARY} -v t=${TABLE} 'NR%2 {printf "%s %s ",t, $0 ; next;}1')
+            ${IPTABLESBINARY} -t "${IPTABLES_TABLE}" --list-rules --wait 1 2>/dev/zero |
-        done
+            {
-
+                IPTABLES_OUTPUT_QUEUE=""
-        echo "${FIND}" | sort | uniq | while read -r line; do
+                while IFS="$(printf '\n')" read -r IPTABLES_LINES
-            table=$(echo ${line} | ${AWKBINARY} '{ print $1 }')
+                do
-            chainname=$(echo ${line} | ${AWKBINARY} '{ print $2 }')
+                    set -- ${IPTABLES_LINES}
-            policy=$(echo ${line} | ${AWKBINARY} '{ print $3 }')
+                    while [ $# -gt 0 ]
-            LogText "Result: iptables  ${table}  -- ${chainname} policy is ${policy}."
+                    do
-            LogText "Result: ${policy}"
+                        if [ "${1}" = "-P" ]
-
+                        then
-            if [ "${table}" = "filter" ]; then
+                            IPTABLES_CHAIN="${2}"
-                if [ "${chainname}" = "INPUT" ]; then
+                            IPTABLES_TARGET="${3}"
-                    case ${policy} in
+                            shift 3
-                        "ACCEPT")
+                        elif [ "${1}" = "-A" ] || [ "${1}" = "-N" ]
-                             LogText "Result: Found ACCEPT for ${chainname} (table: ${table})"
+                        then
-                             Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "ACCEPT" --color YELLOW
+                            IPTABLES_CHAIN="${2}"
-                             #ReportSuggestion "${TEST_NO}" "Consider settings default chain policy to DROP (iptables chain ${chainname}, table: ${table})"
+                            shift 2
-                             AddHP 1 3
+                        elif [ "${1}" = "-j" ]
-                             ;;
+                        then
-                         "DROP")
+                            IPTABLES_TARGET="${2}"
-                             LogText "Result: Found DROP for ${chainname} (table: ${table})"
+                            shift
-                             Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "DROP" --color GREEN
+                        else
-                             AddHP 3 3
+                            shift
-                             ;;
+                        fi
-                         *)
+                    done
-                             Display --indent 6 --text "- Checking chain ${chainname} (table: ${table}, policy ${policy})" --result "other" --color YELLOW
+                    # logics
-                             LogText "Result: Unknown policy: ${policy}"
+                    if [ "${IPTABLES_TABLE}" = "filter" ] || [ "${IPTABLES_TABLE}" = "security" ]
-                             #ReportSuggestion "${TEST_NO}" "Check iptables ${chainname} (table: ${table}) chain policy"
+                    then
-                             ;;
+                        if [ "${IPTABLES_CHAIN}" = "INPUT" ]
-                    esac
+                        then
                            if [ "${IPTABLES_TARGET}" = "ACCEPT" ]
                            then
                                IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE} ${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} YELLOW"
                                AddHP 1 3
                            elif [ "${IPTABLES_TARGET}" = "DROP" ]
                            then
                                IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE} ${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} GREEN"
                                AddHP 3 3
                            fi
                        fi
                        if [ "${IPTABLES_CHAIN}" = "INPUT" ] || [ "${IPTABLES_CHAIN}" = "FORWARD" ] || [ "${IPTABLES_CHAIN}" = "OUTPUT" ]
                        then
                            if [ "${IPTABLES_TARGET}" = "NFQUEUE" ]
                            then
                                IPTABLES_OUTPUT_QUEUE="${IPTABLES_OUTPUT_QUEUE} ${IPTABLES_TABLE} ${IPTABLES_CHAIN} ${IPTABLES_TARGET} RED"
                                AddHP 0 3
                            fi
                        fi
                    fi
                done
                # resume
                if [ ! "${SORTBINARY}" = "" ]
                then
                    IPTABLES_OUTPUT="$( echo "${IPTABLES_OUTPUT_QUEUE}" | ${SORTBINARY} -u )"
                else
                    IPTABLES_OUTPUT="${IPTABLES_OUTPUT_QUEUE}"
                fi
-            fi
+                echo "${IPTABLES_OUTPUT}" | while IFS="$(printf '\n')" read -r IPTABLES_OUTPUT_LINE
                do
                    if [ ! "$IPTABLES_OUTPUT_LINE" = "" ]
                    then
                        set -- ${IPTABLES_OUTPUT_LINE}
                        while [ $# -gt 0 ]
                        do
                            LogText "Result: Found ${3} for ${2} (table: ${1})"
                            Display --indent 6 --text "- Checking chain ${2} (table: ${1}, target: ${3})" --result "${3}" --color "${4}"
                            if [ "${3}" = "NFQUEUE" ]
                            then
                                ReportSuggestion "${TEST_NO}" "Consider avoid ${3} target if possible (iptables chain ${2}, table: ${1})"
                            fi
                            shift 4
                        done
                    fi
                done
            }
            unset IPTABLES_TABLE
        done
        unset IPTABLES_TABLES
    fi
    unset PREQS_MET
 #
 #################################################################################
 #