1 /*
2 * Copyright 2016 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 * FirewallControllerTest.cpp - unit tests for FirewallController.cpp
17 */
18
19 #include <string>
20 #include <vector>
21 #include <stdio.h>
22
23 #include <gtest/gtest.h>
24
25 #include "FirewallController.h"
26 #include "IptablesBaseTest.h"
27
28 namespace android {
29 namespace net {
30
// Fixture for the FirewallController tests.
//
// Before any test body runs it redirects the controller's static
// iptables-restore executor to the fake supplied by IptablesBaseTest, so
// none of these tests ever touches the real iptables state of the host;
// the fake only records the command batches, which the tests then compare
// with expectIptablesRestoreCommands().
//
// NOTE(review): execIptablesRestore is a process-wide static.  It is set
// here but never restored, so it keeps pointing at the fake after the
// fixture is torn down.  Also, mFw is a member and is therefore constructed
// before this constructor body installs the hook -- harmless as long as
// FirewallController's constructor does not itself run iptables-restore
// (presumably it does not; verify against FirewallController.cpp).
class FirewallControllerTest : public IptablesBaseTest {
  protected:
    // The controller under test, default-constructed for every test case.
    FirewallController mFw{};

    FirewallControllerTest() {
        // Route every iptables-restore invocation into the recording fake.
        FirewallController::execIptablesRestore = fakeExecIptablesRestore;
    }
};
38
// Walks FirewallController through its state machine -- reset, DENYLIST,
// ALLOWLIST, per-interface allow/deny, reset again -- and checks, through
// the fake installed by the fixture, exactly which iptables-restore batches
// each transition emits.  Every batch is a complete "*filter ... COMMIT"
// script, and an empty expectation means the transition was a no-op.
TEST_F(FirewallControllerTest, TestFirewall) {
    // Batch emitted when ALLOWLIST enforcement is switched on: the fw_*
    // chains become deny-everything (DROP inbound, REJECT outbound and
    // forwarded).  Because these are appended with -A, anything that should
    // still pass has to be let through by a rule inserted in front of them
    // (see the per-interface RETURN rules further down).
    const std::vector<std::string> enforceBatch = {
            "*filter\n"
            "-A fw_INPUT -j DROP\n"
            "-A fw_OUTPUT -j REJECT\n"
            "-A fw_FORWARD -j REJECT\n"
            "COMMIT\n"};

    // Batch emitted on reset/disable: the three fw_* chains are (re)declared,
    // which presumably clears them, and exactly one baseline rule survives
    // even in the "off" state -- IPv6 packets claiming the loopback source
    // ::1 are dropped unless they really leave via lo.
    const std::vector<std::string> clearBatch = {
            "*filter\n"
            ":fw_INPUT -\n"
            ":fw_OUTPUT -\n"
            ":fw_FORWARD -\n"
            "-6 -A fw_OUTPUT ! -o lo -s ::1 -j DROP\n"
            "COMMIT\n"};

    // Clear followed by enforce, as emitted by a single setFirewallType call.
    std::vector<std::string> clearThenEnforce(clearBatch);
    clearThenEnforce.insert(clearThenEnforce.end(), enforceBatch.begin(), enforceBatch.end());

    // Expectation for transitions that must not touch iptables at all.
    const std::vector<std::string> nothing;

    // resetFirewall() is not de-duplicated: every call re-emits the clear batch.
    EXPECT_EQ(0, mFw.resetFirewall());
    expectIptablesRestoreCommands(clearBatch);
    EXPECT_EQ(0, mFw.resetFirewall());
    expectIptablesRestoreCommands(clearBatch);

    // Entering DENYLIST mode emits only the clear batch; asking for the mode
    // the controller is already in is a no-op.
    EXPECT_EQ(0, mFw.setFirewallType(DENYLIST));
    expectIptablesRestoreCommands(clearBatch);
    EXPECT_EQ(0, mFw.setFirewallType(DENYLIST));
    expectIptablesRestoreCommands(nothing);

    // Switching to ALLOWLIST clears and then installs the deny-all rules.
    EXPECT_EQ(0, mFw.setFirewallType(ALLOWLIST));
    expectIptablesRestoreCommands(clearThenEnforce);

    // Allowing an interface inserts (-I, i.e. ahead of the DROP/REJECT
    // appended above) a RETURN for traffic on that interface in both
    // directions.  The controller remembers the rule, so repeating the
    // request emits nothing rather than a duplicate rule.
    const std::vector<std::string> allowIfaceBatch = {
            "*filter\n"
            "-I fw_INPUT -i rmnet_data0 -j RETURN\n"
            "-I fw_OUTPUT -o rmnet_data0 -j RETURN\n"
            "COMMIT\n"};
    EXPECT_EQ(0, mFw.setInterfaceRule("rmnet_data0", ALLOW));
    expectIptablesRestoreCommands(allowIfaceBatch);
    EXPECT_EQ(0, mFw.setInterfaceRule("rmnet_data0", ALLOW));
    expectIptablesRestoreCommands(nothing);

    // Denying the interface deletes exactly the two rules inserted above;
    // denying it a second time is likewise a no-op.
    const std::vector<std::string> denyIfaceBatch = {
            "*filter\n"
            "-D fw_INPUT -i rmnet_data0 -j RETURN\n"
            "-D fw_OUTPUT -o rmnet_data0 -j RETURN\n"
            "COMMIT\n"};
    EXPECT_EQ(0, mFw.setInterfaceRule("rmnet_data0", DENY));
    expectIptablesRestoreCommands(denyIfaceBatch);
    EXPECT_EQ(0, mFw.setInterfaceRule("rmnet_data0", DENY));
    expectIptablesRestoreCommands(nothing);

    // Already in ALLOWLIST mode: nothing to do.
    EXPECT_EQ(0, mFw.setFirewallType(ALLOWLIST));
    expectIptablesRestoreCommands(nothing);

    EXPECT_EQ(0, mFw.resetFirewall());
    expectIptablesRestoreCommands(clearBatch);

    // TODO: resetFirewall() has just wiped the chains, yet re-requesting
    // ALLOWLIST emits nothing -- presumably because the controller still
    // believes it is in ALLOWLIST mode -- so the deny-all rules are never
    // reinstalled and the caller's request for allowlist enforcement is
    // silently dropped (fail-open on a state mismatch).  This looks like a
    // bug in FirewallController; the expectation below pins the current
    // behaviour, not the intended one.
    EXPECT_EQ(0, mFw.setFirewallType(ALLOWLIST));
    expectIptablesRestoreCommands(nothing);
}
111
112 } // namespace net
113 } // namespace android
114