From 59caa66dba2b1d1c0bc1149333baed2a9bbb2515 Mon Sep 17 00:00:00 2001 From: Bartosz Oleaczek Date: Thu, 12 Dec 2024 14:54:28 +0100 Subject: [PATCH 1/5] log iptables rules --- daemon/firewall/iptables/iptables.go | 21 +++++++++++++++++++++ test/qa/test_connect.py | 6 ++++++ 2 files changed, 27 insertions(+) diff --git a/daemon/firewall/iptables/iptables.go b/daemon/firewall/iptables/iptables.go index 7b24dfb0..9ffe4444 100644 --- a/daemon/firewall/iptables/iptables.go +++ b/daemon/firewall/iptables/iptables.go @@ -106,6 +106,16 @@ func (ipt *IPTables) applyRule(rule firewall.Rule, add bool) error { continue } for _, ipTableRule := range ipTablesRules { + if !rule.Allow { + prefix := fmt.Sprintf("-j LOG --log-prefix \"LOG-pre-%s\" --log-level 4", rule.Name) + log.Println(internal.DebugPrefix, "[iptables-debug], add rule: ", prefix) + logRule := strings.Replace(ipTableRule, "-j DROP", prefix, -1) + args := fmt.Sprintf("%s %s -w"+internal.SecondsToWaitForIptablesLock, flag, logRule) + out, err := exec.Command(iptableVersion, strings.Split(args, " ")...).CombinedOutput() + if err != nil { + log.Printf(internal.ErrorPrefix+" [iptables-debug]"+" failed to add rule: %ss: %s", err, string(out)) + } + } // -w does not accept arguments on older iptables versions args := fmt.Sprintf("%s %s -w "+internal.SecondsToWaitForIptablesLock, flag, ipTableRule) // #nosec G204 -- input is properly sanitized 
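Review bot: The LOG rule added here runs in the production daemon for every deny rule, unconditionally and with no rate limit, so a burst of dropped packets becomes a burst of kernel-log writes and the addresses/ports of blocked traffic end up in dmesg, which is readable by unprivileged users on hosts where kernel.dmesg_restrict is 0; gate this behind a debug/CI flag and put `-m limit --limit 5/min` in front of `-j LOG`. The prefix is built with literal double quotes and the whole command is then `strings.Split(args, " ")`, so iptables receives `"LOG-pre-<name>"` quotes included as the `--log-prefix` value, a `rule.Name` containing a space would become extra arguments, and `--log-prefix` is capped at 29 characters which `LOG-pre-` plus a long name can exceed; drop the escaped quotes from the format string and validate `rule.Name` before interpolating it. `strings.Replace(ipTableRule, "-j DROP", prefix, -1)` is a no-op for any deny rule whose generated text uses another target, in which case this code installs a second copy of the original rule, so guard it with `if !strings.Contains(ipTableRule, "-j DROP") { continue }`. The new command string glues the wait time to the flag (`"-w"+internal.SecondsToWaitForIptablesLock`) while the existing line below uses `-w ` with a space, and the error format `%ss: %s` prints a stray `s` after the error. applyRule continues outside the hunk.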
@@ -116,6 +126,17 @@ func (ipt *IPTables) applyRule(rule firewall.Rule, add bool) error { } return fmt.Errorf("%s %s rule '%s': %w: %s", errStr, iptableVersion, ipTableRule, err, string(out)) } + + if !rule.Allow { + prefix := fmt.Sprintf("-j LOG --log-prefix \"LOG-post-%s\" --log-level 4", rule.Name) + log.Println(internal.DebugPrefix, "[iptables-debug], add rule: ", prefix) + logRule := strings.Replace(ipTableRule, "-j DROP", prefix, -1) + args := fmt.Sprintf("%s %s -w"+internal.SecondsToWaitForIptablesLock, flag, logRule) + out, err := exec.Command(iptableVersion, strings.Split(args, " ")...).CombinedOutput() + if err != nil { + log.Printf(internal.ErrorPrefix+"[iptables-debug]"+" failed to add rule: %s: %s", err, string(out)) + } + } } } return nil diff --git a/test/qa/test_connect.py b/test/qa/test_connect.py index 31e4b4d3..ffad9d2a 100644 --- a/test/qa/test_connect.py +++ b/test/qa/test_connect.py @@ -23,6 +23,12 @@ def teardown_function(function): # noqa: ARG001 logging.log(data=info.collect()) logging.log() + kernel_logs = sh.sudo.dmesg() + # Write the logs to the output file + with open("/opt/dist/logs/dmesg.log", "w") as file: + file.write("dmesg logs") + file.write(str(kernel_logs)) + sh.nordvpn.logout("--persist-token") sh.nordvpn.set.defaults() daemon.stop() From 5c17b17baf11e7aecd8ce81a2709f60284acecde Mon Sep 17 00:00:00 2001 From: Bartosz Oleaczek Date: Thu, 12 Dec 2024 15:26:22 +0100 Subject: [PATCH 2/5] fix hardcoded path --- test/qa/test_connect.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/test/qa/test_connect.py b/test/qa/test_connect.py index ffad9d2a..40a3fcc3 100644 --- a/test/qa/test_connect.py +++ b/test/qa/test_connect.py @@ -7,6 +7,7 @@ import lib from lib import daemon, info, logging, login, network, server +import os CONNECT_ALIAS = [ "connect", 
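Review bot: The second log rule reuses the DROP rule's match and is added after the DROP rule has been installed, so depending on `flag` (defined outside the hunk) it either sits below a terminating DROP and can never match, or, if rules are inserted at the head of the chain, lands above the DROP and the `post` label is misleading; add a comment stating which is intended, or keep a single log rule. When installing the DROP rule fails the function returns on the line just above this block, leaving the `pre` log rule added earlier in the loop in place, and a failed delete of either log rule is only logged, so these debug rules can outlive the rule they shadow. The original exec call carries `#nosec G204 -- input is properly sanitized`; the two new exec calls pass `rule.Name` into argv with no such review, so either extend the sanitisation argument to it or validate the name. The `-w`-without-space and quoted-prefix problems of the first hunk recur here, and the message says `failed to add rule` even when `flag` is a delete. applyRule's body starts before this hunk.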
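Review bot: `open("/opt/dist/logs/dmesg.log", "w")` in teardown_function overwrites the file after every test, so only the last test's kernel log survives the run; open it in append mode and label each dump, e.g. `with open(path, "a") as file:` followed by `file.write(f"--- dmesg after {function.__name__} ---\n")`. `file.write("dmesg logs")` has no trailing newline, so the header runs straight into the first log line. `sh.sudo.dmesg()` raises if the kernel denies the read (kernel.dmesg_restrict), and because it runs before `sh.nordvpn.logout`, `set.defaults()` and `daemon.stop()`, that exception would skip the whole cleanup; wrap the collection in a try/except that only logs the failure.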
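Review bot: `import os` is placed after the project imports (`import lib`, `from lib import ...`) rather than with the other standard-library imports at the top of the file, which is outside this hunk. Moving it into the stdlib group keeps the import order the linters in this tree expect.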
@@ -24,8 +25,9 @@ def teardown_function(function): # noqa: ARG001 logging.log() kernel_logs = sh.sudo.dmesg() + project_root = os.environ["WORKDIR"] # Write the logs to the output file - with open("/opt/dist/logs/dmesg.log", "w") as file: + with open(f"{project_root}/dist/logs/dmesg.log", "w") as file: file.write("dmesg logs") file.write(str(kernel_logs)) From 073c4b7ac10345f5d6d3fcff2a7d02ba0764dbbf Mon Sep 17 00:00:00 2001 From: Bartosz Oleaczek Date: Fri, 13 Dec 2024 14:41:45 +0100 Subject: [PATCH 3/5] use ulog/iptables logs to debug connectivity issues in CI --- ci/docker/tester/Dockerfile | 6 ++++-- daemon/firewall/iptables/iptables.go | 4 ++-- magefiles/mage.go | 2 +- test/qa/test_connect.py | 15 ++++++++++----- 4 files changed, 17 insertions(+), 10 deletions(-) diff --git a/ci/docker/tester/Dockerfile b/ci/docker/tester/Dockerfile index 9aa2c625..8642dc2f 100644 --- a/ci/docker/tester/Dockerfile +++ b/ci/docker/tester/Dockerfile @@ -6,9 +6,9 @@ COPY requirements.txt /tmp/requirements.txt # Install Debian packages RUN apt-get update && \ - DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \ + DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install vim linux-modules-6.8.0-49-generic \ # linux app - apt-utils curl git iputils-ping sudo kmod systemd \ + apt-utils curl git iputils-ping sudo kmod systemd ulogd2 \ # preinstall deps required by nordvpn libxml2 iproute2 iptables \ # install wireguard tools for tests @@ -23,6 +23,8 @@ RUN apt-get update && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* +RUN modprobe nfnetlink_log + # Install Python packages for tests RUN python3 -m pip install --no-cache-dir -r /tmp/requirements.txt && rm -rf /tmp/* diff --git a/daemon/firewall/iptables/iptables.go b/daemon/firewall/iptables/iptables.go index 9ffe4444..aaa447f9 100644 --- a/daemon/firewall/iptables/iptables.go +++ b/daemon/firewall/iptables/iptables.go 
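Review bot: `os.environ["WORKDIR"]` raises KeyError when the variable is unset, and since it runs in teardown_function before the `sh.nordvpn.logout`, `sh.nordvpn.set.defaults()` and `daemon.stop()` calls that follow, a missing variable aborts the cleanup and leaves the daemon logged in and running for the next test; use `project_root = os.environ.get("WORKDIR", ".")` or move the log copy after the cleanup. Build the path with `os.path.join(project_root, "dist", "logs", "dmesg.log")` rather than an f-string so a `WORKDIR` with a trailing slash does not produce a doubled separator. The file is still opened with mode `"w"`, so each test continues to overwrite the previous test's dump.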
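Review bot: `linux-modules-6.8.0-49-generic` pins the tester image to one exact host kernel; those modules can only be loaded if the CI runner is booted into that kernel, so the image silently stops working after a runner kernel update. If the runners are known to run that kernel, record the coupling, e.g. `# nfnetlink_log must match the CI runner kernel (6.8.0-49); bump together with the runners`, otherwise load the module on the host and drop the package. `vim` is added to a CI image although nothing in this change uses it; remove it to keep the image minimal.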
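Review bot: `RUN modprobe nfnetlink_log` executes during `docker build`, where it targets the build host's kernel, not the image; a kernel module cannot be baked into an image, so for the eventual container this is at best a no-op and, if the build host lacks the module or the permission to load it, it fails the build. Move the load to container start (an entrypoint step, or the CI host before the job) and have the test fail clearly if `/proc/net/netfilter/nfnetlink_log` is absent rather than failing later when the NFLOG rules are added or read.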
@@ -107,7 +107,7 @@ func (ipt *IPTables) applyRule(rule firewall.Rule, add bool) error { } for _, ipTableRule := range ipTablesRules { if !rule.Allow { - prefix := fmt.Sprintf("-j LOG --log-prefix \"LOG-pre-%s\" --log-level 4", rule.Name) + prefix := fmt.Sprintf("-j ULOG --nflog-prefix \"LOG-pre-%s\"", rule.Name) log.Println(internal.DebugPrefix, "[iptables-debug], add rule: ", prefix) logRule := strings.Replace(ipTableRule, "-j DROP", prefix, -1) args := fmt.Sprintf("%s %s -w"+internal.SecondsToWaitForIptablesLock, flag, logRule) @@ -128,7 +128,7 @@ func (ipt *IPTables) applyRule(rule firewall.Rule, add bool) error { } if !rule.Allow { - prefix := fmt.Sprintf("-j LOG --log-prefix \"LOG-post-%s\" --log-level 4", rule.Name) + prefix := fmt.Sprintf("-j NFLOG --nflog-prefix \"LOG-post-%s\"", rule.Name) log.Println(internal.DebugPrefix, "[iptables-debug], add rule: ", prefix) logRule := strings.Replace(ipTableRule, "-j DROP", prefix, -1) args := fmt.Sprintf("%s %s -w"+internal.SecondsToWaitForIptablesLock, flag, logRule) diff --git a/magefiles/mage.go b/magefiles/mage.go index ffd65b95..4aa679b0 100644 --- a/magefiles/mage.go +++ b/magefiles/mage.go @@ -23,7 +23,7 @@ const ( imageSnapPackager = registryPrefix + "snaper:0.0.4" imageProtobufGenerator = registryPrefix + "generator:1.4.1" imageScanner = registryPrefix + "scanner:1.1.0" - imageTester = registryPrefix + "tester:1.3.2" + imageTester = registryPrefix + "tester:ulog" imageQAPeer = registryPrefix + "qa-peer:1.0.4" imageRuster = registryPrefix + "ruster:1.3.0" diff --git a/test/qa/test_connect.py b/test/qa/test_connect.py index 40a3fcc3..2f84ed43 100644 --- a/test/qa/test_connect.py +++ b/test/qa/test_connect.py 
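Review bot: The debug line `log.Println(internal.DebugPrefix, "[iptables-debug], add rule: ", prefix)` prints only the target fragment, not the rule that is executed, so the daemon log cannot show which chain and match the NFLOG rule was attached to; log `logRule` instead, and log it with `flag` so deletes are distinguishable from adds. `-j ULOG` paired with `--nflog-prefix` mixes the legacy ULOG target with an NFLOG option (a later patch in this series changes the target). The quoted-prefix and `-w` spacing issues noted on the earlier patch are unchanged here.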
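Review bot: `-j NFLOG --nflog-prefix ...` sets no `--nflog-group`, so packets go to netlink group 0, and the rule only produces output if ulogd2's NFLOG input in the tester image (configured outside this diff) listens on the same group; make it explicit, `-j NFLOG --nflog-group 0 --nflog-prefix LOG-post-%s`, and name the ulogd.conf stanza in a comment. NFLOG hands packet data to userspace for every dropped packet unless a copy range is limited (`--nflog-size`) or the consumer configures one, so this still should not run outside debug/CI builds. applyRule continues outside the hunk.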
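Review bot: `imageTester = registryPrefix + "tester:ulog"` replaces a pinned version tag with a mutable, unversioned tag, so CI now runs whatever was last pushed under that name and the test environment is no longer reproducible or auditable; publish the image as a numbered tag (`tester:1.3.3`) or reference it by digest (`tester@sha256:...`). If the `ulog` tag is intended to be temporary, add `// TODO: pin before merge` next to it so the floating tag does not ship.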
@@ -9,11 +9,18 @@ from lib import daemon, info, logging, login, network, server import os +import shutil +import subprocess + CONNECT_ALIAS = [ "connect", "c" ] +def setup_module(): + subprocess.call(['sudo','/etc/init.d/ulogd2','start']) + time.sleep(5) + def setup_function(function): # noqa: ARG001 daemon.start() login.login_as("default") @@ -24,12 +31,10 @@ def teardown_function(function): # noqa: ARG001 logging.log(data=info.collect()) logging.log() - kernel_logs = sh.sudo.dmesg() project_root = os.environ["WORKDIR"] - # Write the logs to the output file - with open(f"{project_root}/dist/logs/dmesg.log", "w") as file: - file.write("dmesg logs") - file.write(str(kernel_logs)) + + # shutil.copy("/var/log/syslogemu.log", f"{project_root}/dist/logs") + subprocess.call(['sudo','cp', "/var/log/ulog/syslogemu.log", f"{project_root}/dist/logs"]) sh.nordvpn.logout("--persist-token") sh.nordvpn.set.defaults() From 90e621c87d10a5f0b7a67e91476fcb75689b1ef6 Mon Sep 17 00:00:00 2001 From: Bartosz Oleaczek Date: Tue, 17 Dec 2024 10:01:09 +0100 Subject: [PATCH 4/5] fix log target --- daemon/firewall/iptables/iptables.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daemon/firewall/iptables/iptables.go b/daemon/firewall/iptables/iptables.go index aaa447f9..f17cd816 100644 --- a/daemon/firewall/iptables/iptables.go +++ b/daemon/firewall/iptables/iptables.go @@ -107,7 +107,7 @@ func (ipt *IPTables) applyRule(rule firewall.Rule, add bool) error { } for _, ipTableRule := range ipTablesRules { if !rule.Allow { - prefix := fmt.Sprintf("-j ULOG --nflog-prefix \"LOG-pre-%s\"", rule.Name) + prefix := fmt.Sprintf("-j NFLOG --nflog-prefix \"LOG-pre-%s\"", rule.Name) log.Println(internal.DebugPrefix, "[iptables-debug], add rule: ", prefix) logRule := strings.Replace(ipTableRule, "-j DROP", prefix, -1) args := fmt.Sprintf("%s %s -w"+internal.SecondsToWaitForIptablesLock, flag, logRule) From 0e9f4ded6cb33f4b50c06f7b9d632513952335d4 Mon Sep 17 00:00:00 2001 
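Review bot: `subprocess.call(['sudo','/etc/init.d/ulogd2','start'])` discards the exit status and the fixed `time.sleep(5)` does not confirm the daemon is up, so if ulogd2 fails to start (for instance because nfnetlink_log is not loaded) every test still runs and the log copied in teardown is simply empty; use `subprocess.run([...], check=True)` and poll for `/var/log/ulog/syslogemu.log` instead of sleeping. `shutil` is imported but its only use is the commented-out line in the next hunk, and `time` is used here without appearing among the imports visible in this hunk, so confirm it is imported above. Starting a root daemon from a module-level hook is better done in a session fixture that also stops it on exit.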
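Review bot: The `sudo cp` of syslogemu.log ignores its exit status and leaves a root-owned file, so a missing source passes silently and the artifact may be unreadable by the CI user that collects `dist/logs`; check the result and fix ownership, e.g. `subprocess.run(['sudo','cp', src, dst], check=True)` followed by `subprocess.run(['sudo','chown', str(os.getuid()), dst], check=True)`, or read it via `sudo cat` and write it from Python. The commented-out `shutil.copy` line should go rather than stay as dead code. Like the earlier dmesg version, this copy runs before `sh.nordvpn.logout`, so any exception here skips the rest of teardown.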
From: Bartosz Oleaczek Date: Tue, 17 Dec 2024 10:49:41 +0100 Subject: [PATCH 5/5] fix --- daemon/firewall/iptables/iptables.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/daemon/firewall/iptables/iptables.go b/daemon/firewall/iptables/iptables.go index f17cd816..605652fa 100644 --- a/daemon/firewall/iptables/iptables.go +++ b/daemon/firewall/iptables/iptables.go @@ -107,7 +107,7 @@ func (ipt *IPTables) applyRule(rule firewall.Rule, add bool) error { } for _, ipTableRule := range ipTablesRules { if !rule.Allow { - prefix := fmt.Sprintf("-j NFLOG --nflog-prefix \"LOG-pre-%s\"", rule.Name) + prefix := fmt.Sprintf("-j NFLOG --nflog-prefix \"LOG-post-%s\"", rule.Name) log.Println(internal.DebugPrefix, "[iptables-debug], add rule: ", prefix) logRule := strings.Replace(ipTableRule, "-j DROP", prefix, -1) args := fmt.Sprintf("%s %s -w"+internal.SecondsToWaitForIptablesLock, flag, logRule) @@ -128,7 +128,7 @@ func (ipt *IPTables) applyRule(rule firewall.Rule, add bool) error { } if !rule.Allow { - prefix := fmt.Sprintf("-j NFLOG --nflog-prefix \"LOG-post-%s\"", rule.Name) + prefix := fmt.Sprintf("-j NFLOG --nflog-prefix \"LOG-pre-%s\"", rule.Name) log.Println(internal.DebugPrefix, "[iptables-debug], add rule: ", prefix) logRule := strings.Replace(ipTableRule, "-j DROP", prefix, -1) args := fmt.Sprintf("%s %s -w"+internal.SecondsToWaitForIptablesLock, flag, logRule)
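Review bot: Relabelling the rule added before the DROP as `LOG-post` has no comment explaining why, and the commit message (`fix`) does not either; the swap only makes sense if `flag` (defined outside the hunk) inserts at the head of the chain so that later additions end up above earlier ones, and a reader will otherwise take `post` to mean "after the DROP in source order". If that is the case, add `// rules are inserted at the head of the chain, so this one ends up below the DROP rule` above the block.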
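Review bot: Whichever names the prefixes carry, one of the two NFLOG rules shares the DROP rule's match and sits below a terminating DROP in the same chain, so it can never see a packet and only adds a rule per firewall entry; keep a single NFLOG rule placed above the DROP and remove the other. If both are kept because the insertion order is uncertain, say so in a comment next to this block rather than encoding the guess in the prefix names. applyRule continues outside the hunk.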