1 /*
2 * Copyright 2016 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 *
16 * StrictControllerTest.cpp - unit tests for StrictController.cpp
17 */
18
19 #include <string>
20 #include <vector>
21
22 #include <gtest/gtest.h>
23
24 #include <android-base/strings.h>
25
26 #include "StrictController.h"
27 #include "IptablesBaseTest.h"
28
/// Fixture for the StrictController unit tests.
///
/// Redirects StrictController's iptables / iptables-restore hooks to the
/// fakes supplied by IptablesBaseTest, so no real netfilter rules are touched
/// and the generated command batches can be inspected instead.
class StrictControllerTest : public IptablesBaseTest {
public:
    // Controller under test. Being a member, it is constructed before the
    // constructor body below runs, i.e. before the fake hooks are installed;
    // harmless as long as StrictController's own constructor issues no
    // iptables commands — confirm against StrictController.cpp.
    StrictController mStrictCtrl;

    StrictControllerTest() {
        // These are static members, so every StrictController instance routes
        // through the fakes from here on (until something reassigns them).
        StrictController::execIptables = fakeExecIptables;
        StrictController::execIptablesRestore = fakeExecIptablesRestore;
    }
};
37
/// enableStrict() must emit three iptables-restore batches, in order: the
/// shared chain declarations for both families, then the IPv4 rule set, then
/// the IPv6 rule set.
TEST_F(StrictControllerTest, TestEnableStrict) {
    mStrictCtrl.enableStrict();

    // Chain declarations shared by both address families.
    const std::vector<std::string> commonRules = {
        "*filter",
        ":st_OUTPUT -",
        ":st_penalty_log -",
        ":st_penalty_reject -",
        ":st_clear_caught -",
        ":st_clear_detect -",
        "COMMIT\n\x04"
    };

    // IPv4 penalty and detection rules. The u32 payload matches look like
    // cleartext / TLS-handshake detection heuristics; their derivation lives
    // in StrictController.cpp, so check there before changing the offsets.
    const std::vector<std::string> rulesV4 = {
        "*filter",
        "-A st_penalty_log -j CONNMARK --or-mark 0x1000000",
        "-A st_penalty_log -j NFLOG --nflog-group 0",
        "-A st_penalty_reject -j CONNMARK --or-mark 0x2000000",
        "-A st_penalty_reject -j NFLOG --nflog-group 0",
        "-A st_penalty_reject -j REJECT",
        "-A st_clear_detect -m connmark --mark 0x2000000/0x2000000 -j REJECT",
        "-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN",
        "-A st_clear_detect -p tcp -m u32 --u32 \""
        "0>>22&0x3C@ 12>>26&0x3C@ 0&0xFFFF0000=0x16030000 &&"
        "0>>22&0x3C@ 12>>26&0x3C@ 4&0x00FF0000=0x00010000"
        "\" -j CONNMARK --or-mark 0x1000000",
        "-A st_clear_detect -p udp -m u32 --u32 \""
        "0>>22&0x3C@ 8&0xFFFF0000=0x16FE0000 &&"
        "0>>22&0x3C@ 20&0x00FF0000=0x00010000"
        "\" -j CONNMARK --or-mark 0x1000000",
        "-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN",
        "-A st_clear_detect -p tcp -m state --state ESTABLISHED -m u32 --u32 "
        "\"0>>22&0x3C@ 12>>26&0x3C@ 0&0x0=0x0\" -j st_clear_caught",
        "-A st_clear_detect -p udp -j st_clear_caught",
        "COMMIT\n\x04"
    };

    // IPv6 counterpart: same chain logic, different u32 offsets because the
    // IPv6 header is fixed-length.
    const std::vector<std::string> rulesV6 = {
        "*filter",
        "-A st_penalty_log -j CONNMARK --or-mark 0x1000000",
        "-A st_penalty_log -j NFLOG --nflog-group 0",
        "-A st_penalty_reject -j CONNMARK --or-mark 0x2000000",
        "-A st_penalty_reject -j NFLOG --nflog-group 0",
        "-A st_penalty_reject -j REJECT",
        "-A st_clear_detect -m connmark --mark 0x2000000/0x2000000 -j REJECT",
        "-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN",
        "-A st_clear_detect -p tcp -m u32 --u32 \""
        "52>>26&0x3C@ 40&0xFFFF0000=0x16030000 &&"
        "52>>26&0x3C@ 44&0x00FF0000=0x00010000"
        "\" -j CONNMARK --or-mark 0x1000000",
        "-A st_clear_detect -p udp -m u32 --u32 \""
        "48&0xFFFF0000=0x16FE0000 &&"
        "60&0x00FF0000=0x00010000"
        "\" -j CONNMARK --or-mark 0x1000000",
        "-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN",
        "-A st_clear_detect -p tcp -m state --state ESTABLISHED -m u32 --u32 "
        "\"52>>26&0x3C@ 40&0x0=0x0\" -j st_clear_caught",
        "-A st_clear_detect -p udp -j st_clear_caught",
        "COMMIT\n\x04"
    };

    // Each restore batch is a single command string: the rules joined by '\n'.
    std::vector<std::pair<IptablesTarget, std::string>> expected = {
        { V4V6, android::base::Join(commonRules, '\n') },
        { V4, android::base::Join(rulesV4, '\n') },
        { V6, android::base::Join(rulesV6, '\n') },
    };
    expectIptablesRestoreCommands(expected);
}
111
/// disableStrict() must emit a single iptables-restore batch containing only
/// the strict chain declarations and COMMIT, with no rules.
TEST_F(StrictControllerTest, TestDisableStrict) {
    mStrictCtrl.disableStrict();

    // Same chain set as the common batch in TestEnableStrict.
    const std::vector<std::string> chains = {
        "*filter",
        ":st_OUTPUT -",
        ":st_penalty_log -",
        ":st_penalty_reject -",
        ":st_clear_caught -",
        ":st_clear_detect -",
        "COMMIT\n\x04",
    };
    expectIptablesRestoreCommands({ android::base::Join(chains, '\n') });
}
125