diff --git a/ci/docker/tester/Dockerfile b/ci/docker/tester/Dockerfile
index 9aa2c625..8642dc2f 100644
--- a/ci/docker/tester/Dockerfile
+++ b/ci/docker/tester/Dockerfile
@@ -6,9 +6,9 @@ COPY requirements.txt /tmp/requirements.txt
 # Install Debian packages
 RUN apt-get update && \
- DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \
+ DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install vim linux-modules-6.8.0-49-generic \
 # linux app
- apt-utils curl git iputils-ping sudo kmod systemd \
+ apt-utils curl git iputils-ping sudo kmod systemd ulogd2 \
 # preinstall deps required by nordvpn
 libxml2 iproute2 iptables \
 # install wireguard tools for tests
@@ -23,6 +23,8 @@ RUN apt-get update && \
 apt-get clean && \
 rm -rf /var/lib/apt/lists/*
+RUN modprobe nfnetlink_log
+
 # Install Python packages for tests
 RUN python3 -m pip install --no-cache-dir -r /tmp/requirements.txt && rm -rf /tmp/*
diff --git a/daemon/firewall/iptables/iptables.go b/daemon/firewall/iptables/iptables.go
index 7b24dfb0..605652fa 100644
--- a/daemon/firewall/iptables/iptables.go
+++ b/daemon/firewall/iptables/iptables.go
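Review bot: `linux-modules-6.8.0-49-generic` pins the tester image to one exact host kernel ABI: kernel modules can only be loaded into a host running that precise kernel, and inside a container `modprobe` targets the host's kernel, so on any other CI runner this package is dead weight while the `nfnetlink_log` dependency of ulogd2 is still unmet. If the intent is to guarantee that module for the tests, load it on the runner (or document it as a runner prerequisite) and drop the package from the image. `vim` is not needed by the test suite and only enlarges the image and its patch surface; if it is for interactive debugging, keep it out of the CI image.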
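Review bot: `RUN modprobe nfnetlink_log` executes at image build time, where the build container normally has no CAP_SYS_MODULE and the kernel is the build host's, so the step is expected to fail the build, and even where it succeeds the module is loaded into the build host, not into the image that later runs the tests. Move the load to the test setup on the runner and check that it actually took effect (for example that `/proc/net/netfilter/nfnetlink_log` exists) before starting ulogd2. The `RUN apt-get update && \` instruction this hunk sits under starts before the hunk.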
@@ -106,6 +106,16 @@ func (ipt *IPTables) applyRule(rule firewall.Rule, add bool) error {
 continue
 }
 for _, ipTableRule := range ipTablesRules {
+ if !rule.Allow {
+ prefix := fmt.Sprintf("-j NFLOG --nflog-prefix \"LOG-post-%s\"", rule.Name)
+ log.Println(internal.DebugPrefix, "[iptables-debug], add rule: ", prefix)
+ logRule := strings.Replace(ipTableRule, "-j DROP", prefix, -1)
+ args := fmt.Sprintf("%s %s -w"+internal.SecondsToWaitForIptablesLock, flag, logRule)
+ out, err := exec.Command(iptableVersion, strings.Split(args, " ")...).CombinedOutput()
+ if err != nil {
+ log.Printf(internal.ErrorPrefix+" [iptables-debug]"+" failed to add rule: %ss: %s", err, string(out))
+ }
+ }
 // -w does not accept arguments on older iptables versions
 args := fmt.Sprintf("%s %s -w "+internal.SecondsToWaitForIptablesLock, flag, ipTableRule)
 // #nosec G204 -- input is properly sanitized
@@ -116,6 +126,17 @@ func (ipt *IPTables) applyRule(rule firewall.Rule, add bool) error {
 }
 return fmt.Errorf("%s %s rule '%s': %w: %s", errStr, iptableVersion, ipTableRule, err, string(out))
 }
+
+ if !rule.Allow {
+ prefix := fmt.Sprintf("-j NFLOG --nflog-prefix \"LOG-pre-%s\"", rule.Name)
+ log.Println(internal.DebugPrefix, "[iptables-debug], add rule: ", prefix)
+ logRule := strings.Replace(ipTableRule, "-j DROP", prefix, -1)
+ args := fmt.Sprintf("%s %s -w"+internal.SecondsToWaitForIptablesLock, flag, logRule)
+ out, err := exec.Command(iptableVersion, strings.Split(args, " ")...).CombinedOutput()
+ if err != nil {
+ log.Printf(internal.ErrorPrefix+"[iptables-debug]"+" failed to add rule: %s: %s", err, string(out))
+ }
+ }
 }
 }
 return nil
diff --git a/magefiles/mage.go b/magefiles/mage.go
index ffd65b95..4aa679b0 100644
--- a/magefiles/mage.go
+++ b/magefiles/mage.go
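Review bot: Every deny rule now gets an NFLOG mirror rule unconditionally, so this `[iptables-debug]` instrumentation is live in the daemon's firewall path with no setting to switch it off, its failures are only logged, and the `#nosec G204 -- input is properly sanitized` justification on the existing call is not carried over to the two new `exec.Command` calls. `rule.Name` is embedded verbatim in `--nflog-prefix \"LOG-post-%s\"`: exec.Command does no shell parsing, so the quote characters become part of the prefix, a name containing a space is torn apart by `strings.Split(args, " ")`, and NFLOG prefixes are limited to 64 characters, so the name should be sanitised and truncated before use. When a deny rule does not contain `-j DROP`, `strings.Replace` returns it unchanged and the deny rule itself is applied a second time, so check `strings.Contains(ipTableRule, "-j DROP")` before building the mirror rule. The error format has a typo (`%ss`), both copies spell the wait option differently from the context line (`-w`+seconds versus `-w `+seconds), and the second hunk duplicates this whole block with `LOG-pre`, so extract one helper taking the stage name. applyRule begins before the first hunk and ends after the second.
```go
// mirrorDropRule applies an NFLOG copy of a "-j DROP" rule so dropped packets can be
// observed from user space (ulogd2). Failures are logged, not returned, so the real
// rule is always applied regardless of the mirror.
func mirrorDropRule(iptableVersion, flag, ipTableRule, name, stage string) {
	if !strings.Contains(ipTableRule, "-j DROP") {
		return // nothing to mirror; never re-apply the deny rule itself
	}
	// exec.Command passes arguments verbatim: no quotes, no spaces, at most 64 chars.
	prefix := "LOG-" + stage + "-" + strings.ReplaceAll(name, " ", "_")
	if len(prefix) > 64 {
		prefix = prefix[:64]
	}
	logRule := strings.Replace(ipTableRule, "-j DROP", "-j NFLOG --nflog-prefix "+prefix, -1)
	// -w does not accept arguments on older iptables versions
	args := fmt.Sprintf("%s %s -w "+internal.SecondsToWaitForIptablesLock, flag, logRule)
	// #nosec G204 -- rule text is generated internally; prefix is sanitised above
	out, err := exec.Command(iptableVersion, strings.Split(args, " ")...).CombinedOutput()
	if err != nil {
		log.Printf(internal.ErrorPrefix+" [iptables-debug] failed to add rule: %s: %s", err, string(out))
	}
}

// inside applyRule's loop over ipTablesRules:
		if !rule.Allow { // TODO: gate behind a debug setting instead of always on
			mirrorDropRule(iptableVersion, flag, ipTableRule, rule.Name, "post")
		}
		// … unchanged: apply ipTableRule and its error handling …
		if !rule.Allow {
			mirrorDropRule(iptableVersion, flag, ipTableRule, rule.Name, "pre")
		}
```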
@@ -23,7 +23,7 @@ const (
 imageSnapPackager = registryPrefix + "snaper:0.0.4"
 imageProtobufGenerator = registryPrefix + "generator:1.4.1"
 imageScanner = registryPrefix + "scanner:1.1.0"
- imageTester = registryPrefix + "tester:1.3.2"
+ imageTester = registryPrefix + "tester:ulog"
 imageQAPeer = registryPrefix + "qa-peer:1.0.4"
 imageRuster = registryPrefix + "ruster:1.3.0"
diff --git a/test/qa/test_connect.py b/test/qa/test_connect.py
index 31e4b4d3..2f84ed43 100644
--- a/test/qa/test_connect.py
+++ b/test/qa/test_connect.py
@@ -7,12 +7,20 @@ import lib
 from lib import daemon, info, logging, login, network, server
+import os
+
+import shutil
+import subprocess
 CONNECT_ALIAS = [
 "connect",
 "c"
 ]
+def setup_module():
+ subprocess.call(['sudo','/etc/init.d/ulogd2','start'])
+ time.sleep(5)
+
 def setup_function(function): # noqa: ARG001
 daemon.start()
 login.login_as("default")
@@ -23,6 +31,11 @@ def teardown_function(function): # noqa: ARG001
 logging.log(data=info.collect())
 logging.log()
+ project_root = os.environ["WORKDIR"]
+
+ # shutil.copy("/var/log/syslogemu.log", f"{project_root}/dist/logs")
+ subprocess.call(['sudo','cp', "/var/log/ulog/syslogemu.log", f"{project_root}/dist/logs"])
+
 sh.nordvpn.logout("--persist-token")
 sh.nordvpn.set.defaults()
 daemon.stop()
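Review bot: `tester:ulog` replaces a pinned version with a floating descriptive tag, unlike every other image constant in this block; a mutable tag can be re-pushed at any time and silently change what CI executes, so bump the version number instead (and ideally pin the digest). If this tag only exists to try out the ulogd2 image, mark the change as not-for-merge.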
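Review bot: `subprocess.call(['sudo','/etc/init.d/ulogd2','start'])` discards the exit status and `time.sleep(5)` stands in for a readiness check, so a failed or slow ulogd2 start silently yields empty packet logs for the whole module; use `subprocess.run([...], check=True)` and poll for the daemon (for example for its log file to appear) with a bounded timeout instead of a fixed sleep. `shutil` is imported but never used in this change, and `time` is used in `setup_module` without a visible import, so if it is not imported above line 7 the module fails to load. The new stdlib imports are inserted after the `from lib import ...` line; they belong in the stdlib import group at the top of the file.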
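Review bot: `os.environ["WORKDIR"]` raises KeyError when the variable is unset, and because it runs inside teardown_function that error masks the test's own outcome and skips the `logout`, `set.defaults()` and `daemon.stop()` cleanup that follows it; read it with `os.environ.get("WORKDIR")` and skip the copy when it is missing, or move the copy after the cleanup. The `sudo cp` exit status is ignored as well, so a missing log file goes unnoticed, and the commented-out `shutil.copy(...)` line should be removed rather than left behind.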