firewall: replace `iptables` with `nftables` by georglauterbach · Pull Request #2505 · docker-mailserver/docker-mailserver
Expand Up
@@ -64,14 +64,14 @@ function teardown_file() {
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get ${FILTER} maxretry"
assert_output 2
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'dovecot', 'addaction', 'iptables-multiport']\"" assert_output "['set', 'dovecot', 'addaction', 'iptables-multiport']" run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'dovecot', 'addaction', 'nftables-multiport']\"" assert_output "['set', 'dovecot', 'addaction', 'nftables-multiport']"
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'postfix', 'addaction', 'iptables-multiport']\"" assert_output "['set', 'postfix', 'addaction', 'iptables-multiport']" run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'postfix', 'addaction', 'nftables-multiport']\"" assert_output "['set', 'postfix', 'addaction', 'nftables-multiport']"
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'postfix-sasl', 'addaction', 'iptables-multiport']\"" assert_output "['set', 'postfix-sasl', 'addaction', 'iptables-multiport']" run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'postfix-sasl', 'addaction', 'nftables-multiport']\"" assert_output "['set', 'postfix-sasl', 'addaction', 'nftables-multiport']" done }
Expand All @@ -96,9 +96,9 @@ function teardown_file() { run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep '${FAIL_AUTH_MAILER_IP}'" assert_success
# Checking that FAIL_AUTH_MAILER_IP is banned by iptables and blocktype set to DROP run docker exec mail_fail2ban /bin/sh -c "iptables -n -L f2b-postfix-sasl" assert_output --regexp "DROP.+all.+${FAIL_AUTH_MAILER_IP}" # Checking that FAIL_AUTH_MAILER_IP is banned by nftables and blocktype set to DROP run docker exec mail_fail2ban /bin/sh -c "nft list set inet f2b-table addr-set-postfix-sasl 2>/dev/null" assert_output --regexp "${FAIL_AUTH_MAILER_IP}" }
@test "checking fail2ban: unban ip works" { Expand All @@ -111,9 +111,9 @@ function teardown_file() { run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep 'IP list:.*${FAIL_AUTH_MAILER_IP}'" assert_failure
# Checking that FAIL_AUTH_MAILER_IP is unbanned by iptables run docker exec mail_fail2ban /bin/sh -c "iptables -L f2b-postfix-sasl -n | grep REJECT | grep '${FAIL_AUTH_MAILER_IP}'" assert_failure # Checking that FAIL_AUTH_MAILER_IP is unbanned by nftables run docker exec mail_fail2ban /bin/sh -c "nft list set inet f2b-table addr-set-postfix-sasl 2>/dev/null" refute_output "${FAIL_AUTH_MAILER_IP}" }
# Expand All @@ -128,13 +128,15 @@ function teardown_file() { sleep 10
run ./setup.sh -c mail_fail2ban debug fail2ban assert_output --regexp "^Banned in dovecot: 192.0.66.5, 192.0.66.4.*" assert_output --partial 'Banned in dovecot:' assert_output --partial '192.0.66.5' assert_output --partial '192.0.66.4'
run ./setup.sh -c mail_fail2ban debug fail2ban unban 192.0.66.4 assert_output --partial "Unbanned IP from dovecot: 1"
run ./setup.sh -c mail_fail2ban debug fail2ban assert_output --regexp "^Banned in dovecot: 192.0.66.5.*" assert_output --regexp "^Banned in dovecot:.*192.0.66.5.*"
run ./setup.sh -c mail_fail2ban debug fail2ban unban 192.0.66.5 assert_output --partial "Unbanned IP from dovecot: 1" Expand Down
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'dovecot', 'addaction', 'iptables-multiport']\"" assert_output "['set', 'dovecot', 'addaction', 'iptables-multiport']" run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'dovecot', 'addaction', 'nftables-multiport']\"" assert_output "['set', 'dovecot', 'addaction', 'nftables-multiport']"
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'postfix', 'addaction', 'iptables-multiport']\"" assert_output "['set', 'postfix', 'addaction', 'iptables-multiport']" run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'postfix', 'addaction', 'nftables-multiport']\"" assert_output "['set', 'postfix', 'addaction', 'nftables-multiport']"
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'postfix-sasl', 'addaction', 'iptables-multiport']\"" assert_output "['set', 'postfix-sasl', 'addaction', 'iptables-multiport']" run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'postfix-sasl', 'addaction', 'nftables-multiport']\"" assert_output "['set', 'postfix-sasl', 'addaction', 'nftables-multiport']" done }
Expand All @@ -96,9 +96,9 @@ function teardown_file() { run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep '${FAIL_AUTH_MAILER_IP}'" assert_success
# Checking that FAIL_AUTH_MAILER_IP is banned by iptables and blocktype set to DROP run docker exec mail_fail2ban /bin/sh -c "iptables -n -L f2b-postfix-sasl" assert_output --regexp "DROP.+all.+${FAIL_AUTH_MAILER_IP}" # Checking that FAIL_AUTH_MAILER_IP is banned by nftables and blocktype set to DROP run docker exec mail_fail2ban /bin/sh -c "nft list set inet f2b-table addr-set-postfix-sasl 2>/dev/null" assert_output --regexp "${FAIL_AUTH_MAILER_IP}" }
@test "checking fail2ban: unban ip works" { Expand All @@ -111,9 +111,9 @@ function teardown_file() { run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep 'IP list:.*${FAIL_AUTH_MAILER_IP}'" assert_failure
# Checking that FAIL_AUTH_MAILER_IP is unbanned by iptables run docker exec mail_fail2ban /bin/sh -c "iptables -L f2b-postfix-sasl -n | grep REJECT | grep '${FAIL_AUTH_MAILER_IP}'" assert_failure # Checking that FAIL_AUTH_MAILER_IP is unbanned by nftables run docker exec mail_fail2ban /bin/sh -c "nft list set inet f2b-table addr-set-postfix-sasl 2>/dev/null" refute_output "${FAIL_AUTH_MAILER_IP}" }
# Expand All @@ -128,13 +128,15 @@ function teardown_file() { sleep 10
run ./setup.sh -c mail_fail2ban debug fail2ban assert_output --regexp "^Banned in dovecot: 192.0.66.5, 192.0.66.4.*" assert_output --partial 'Banned in dovecot:' assert_output --partial '192.0.66.5' assert_output --partial '192.0.66.4'
run ./setup.sh -c mail_fail2ban debug fail2ban unban 192.0.66.4 assert_output --partial "Unbanned IP from dovecot: 1"
run ./setup.sh -c mail_fail2ban debug fail2ban assert_output --regexp "^Banned in dovecot: 192.0.66.5.*" assert_output --regexp "^Banned in dovecot:.*192.0.66.5.*"
run ./setup.sh -c mail_fail2ban debug fail2ban unban 192.0.66.5 assert_output --partial "Unbanned IP from dovecot: 1" Expand Down