From 13f8cf1bc70cc6b9c8fa82119e6509aa4465b37a Mon Sep 17 00:00:00 2001
From: Nicolas Fort <nicolasfort1988@gmail.com>
Date: Sun, 5 Jun 2022 18:35:44 +0000
Subject: T4387: add more firewall checks for WLB smoketests.

---
 smoketest/scripts/cli/test_load_balancning_wan.py | 72 ++++++++++++++++++++++-
 1 file changed, 70 insertions(+), 2 deletions(-)

diff --git a/smoketest/scripts/cli/test_load_balancning_wan.py b/smoketest/scripts/cli/test_load_balancning_wan.py
index 8e54f66a3..303dece86 100755
--- a/smoketest/scripts/cli/test_load_balancning_wan.py
+++ b/smoketest/scripts/cli/test_load_balancning_wan.py
@@ -64,28 +64,39 @@ class TestLoadBalancingWan(VyOSUnitTestSHIM.TestCase):
 
         ns1 = 'ns201'
         ns2 = 'ns202'
+        ns3 = 'ns203'
         iface1 = 'eth201'
         iface2 = 'eth202'
+        iface3 = 'eth203'
         container_iface1 = 'ceth0'
         container_iface2 = 'ceth1'
+        container_iface3 = 'ceth2'
 
         # Create network namespeces
         create_netns(ns1)
         create_netns(ns2)
+        create_netns(ns3)
         create_veth_pair(iface1, container_iface1)
         create_veth_pair(iface2, container_iface2)
+        create_veth_pair(iface3, container_iface3)
         move_interface_to_netns(container_iface1, ns1)
         move_interface_to_netns(container_iface2, ns2)
+        move_interface_to_netns(container_iface3, ns3)
         call(f'sudo ip address add 203.0.113.10/24 dev {iface1}')
         call(f'sudo ip address add 192.0.2.10/24 dev {iface2}')
+        call(f'sudo ip address add 198.51.100.10/24 dev {iface3}')
         call(f'sudo ip link set dev {iface1} up')
         call(f'sudo ip link set dev {iface2} up')
+        call(f'sudo ip link set dev {iface3} up')
         cmd_in_netns(ns1, f'ip link set {container_iface1} name eth0')
         cmd_in_netns(ns2, f'ip link set {container_iface2} name eth0')
+        cmd_in_netns(ns3, f'ip link set {container_iface3} name eth0')
         cmd_in_netns(ns1, 'ip address add 203.0.113.1/24 dev eth0')
         cmd_in_netns(ns2, 'ip address add 192.0.2.1/24 dev eth0')
+        cmd_in_netns(ns3, 'ip address add 198.51.100.1/24 dev eth0')
         cmd_in_netns(ns1, 'ip link set dev eth0 up')
         cmd_in_netns(ns2, 'ip link set dev eth0 up')
+        cmd_in_netns(ns3, 'ip link set dev eth0 up')
 
         # Set load-balancing configuration
         self.cli_set(base_path + ['wan', 'interface-health', iface1, 'failure-count', '2'])
@@ -95,6 +106,10 @@ class TestLoadBalancingWan(VyOSUnitTestSHIM.TestCase):
         self.cli_set(base_path + ['wan', 'interface-health', iface2, 'nexthop', '192.0.2.1'])
         self.cli_set(base_path + ['wan', 'interface-health', iface2, 'success-count', '1'])
 
+        self.cli_set(base_path + ['wan', 'rule', '10', 'inbound-interface', iface3])
+        self.cli_set(base_path + ['wan', 'rule', '10', 'source', 'address', '198.51.100.0/24'])
+
+
         # commit changes
         self.cli_commit()
 
@@ -120,10 +135,13 @@ class TestLoadBalancingWan(VyOSUnitTestSHIM.TestCase):
 
         ns1 = 'nsA'
         ns2 = 'nsB'
+        ns3 = 'nsC'
         iface1 = 'veth1'
         iface2 = 'veth2'
+        iface3 = 'veth3'
         container_iface1 = 'ceth0'
         container_iface2 = 'ceth1'
+        container_iface3 = 'ceth2'
         mangle_isp1 = """table ip mangle {
 	chain ISP_veth1 {
 		counter ct mark set 0xc9 
@@ -138,24 +156,57 @@ class TestLoadBalancingWan(VyOSUnitTestSHIM.TestCase):
 		counter accept
 	}
 }"""
+        mangle_prerouting = """table ip mangle {
+	chain PREROUTING {
+		type filter hook prerouting priority mangle; policy accept;
+		counter jump WANLOADBALANCE_PRE
+	}
+}"""
+        mangle_wanloadbalance_pre = """table ip mangle {
+	chain WANLOADBALANCE_PRE {
+		iifname "veth3" ip saddr 198.51.100.0/24 ct state new  counter jump ISP_veth1
+		iifname "veth3" ip saddr 198.51.100.0/24 ct state new counter jump ISP_veth2
+		iifname "veth3" ip saddr 198.51.100.0/24 counter meta mark set ct mark
+	}
+}"""
+        nat_wanloadbalance = """table ip nat {
+	chain WANLOADBALANCE {
+		ct mark 0xc9 counter snat to 203.0.113.10
+		ct mark 0xca counter snat to 192.0.2.10
+	}
+}"""
+        nat_vyos_pre_snat_hook = """table ip nat {
+	chain VYOS_PRE_SNAT_HOOK {
+		counter jump WANLOADBALANCE
+		return
+	}
+}"""
 
         # Create network namespeces
         create_netns(ns1)
         create_netns(ns2)
+        create_netns(ns3)
         create_veth_pair(iface1, container_iface1)
         create_veth_pair(iface2, container_iface2)
+        create_veth_pair(iface3, container_iface3)
         move_interface_to_netns(container_iface1, ns1)
         move_interface_to_netns(container_iface2, ns2)
+        move_interface_to_netns(container_iface3, ns3)
         call(f'sudo ip address add 203.0.113.10/24 dev {iface1}')
         call(f'sudo ip address add 192.0.2.10/24 dev {iface2}')
+        call(f'sudo ip address add 198.51.100.10/24 dev {iface3}')
         call(f'sudo ip link set dev {iface1} up')
         call(f'sudo ip link set dev {iface2} up')
+        call(f'sudo ip link set dev {iface3} up')
         cmd_in_netns(ns1, f'ip link set {container_iface1} name eth0')
         cmd_in_netns(ns2, f'ip link set {container_iface2} name eth0')
+        cmd_in_netns(ns3, f'ip link set {container_iface3} name eth0')
         cmd_in_netns(ns1, 'ip address add 203.0.113.1/24 dev eth0')
         cmd_in_netns(ns2, 'ip address add 192.0.2.1/24 dev eth0')
+        cmd_in_netns(ns3, 'ip address add 198.51.100.1/24 dev eth0')
         cmd_in_netns(ns1, 'ip link set dev eth0 up')
         cmd_in_netns(ns2, 'ip link set dev eth0 up')
+        cmd_in_netns(ns3, 'ip link set dev eth0 up')
 
         # Set load-balancing configuration
         self.cli_set(base_path + ['wan', 'interface-health', iface1, 'failure-count', '2'])
@@ -164,19 +215,36 @@ class TestLoadBalancingWan(VyOSUnitTestSHIM.TestCase):
         self.cli_set(base_path + ['wan', 'interface-health', iface2, 'failure-count', '2'])
         self.cli_set(base_path + ['wan', 'interface-health', iface2, 'nexthop', '192.0.2.1'])
         self.cli_set(base_path + ['wan', 'interface-health', iface2, 'success-count', '1'])
+        self.cli_set(base_path + ['wan', 'rule', '10', 'inbound-interface', iface3])
+        self.cli_set(base_path + ['wan', 'rule', '10', 'source', 'address', '198.51.100.0/24'])
+        self.cli_set(base_path + ['wan', 'rule', '10', 'interface', iface1])
+        self.cli_set(base_path + ['wan', 'rule', '10', 'interface', iface2])
 
         # commit changes
         self.cli_commit()
 
         time.sleep(5)
-        # Check chains
-        #call('sudo nft list ruleset')
+
+        # Check mangle chains
         tmp = cmd(f'sudo nft -s list chain mangle ISP_{iface1}')
         self.assertEqual(tmp, mangle_isp1)
 
         tmp = cmd(f'sudo nft -s list chain mangle ISP_{iface2}')
         self.assertEqual(tmp, mangle_isp2)
 
+        tmp = cmd(f'sudo nft -s list chain mangle PREROUTING')
+        self.assertEqual(tmp, mangle_prerouting)
+
+        tmp = cmd(f'sudo nft -s list chain mangle WANLOADBALANCE_PRE')
+        self.assertEqual(tmp, mangle_wanloadbalance_pre)
+
+        # Check nat chains
+        tmp = cmd(f'sudo nft -s list chain nat WANLOADBALANCE')
+        self.assertEqual(tmp, nat_wanloadbalance)
+
+        tmp = cmd(f'sudo nft -s list chain nat VYOS_PRE_SNAT_HOOK')
+        self.assertEqual(tmp, nat_vyos_pre_snat_hook)
+
         # Delete veth interfaces and netns
         for iface in [iface1, iface2]:
             call(f'sudo ip link del dev {iface}')
-- 
cgit v1.2.3