/*
 * Copyright 2016 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * StrictControllerTest.cpp - unit tests for StrictController.cpp
 */

#include <string>
#include <vector>

#include <gtest/gtest.h>

#include <android-base/strings.h>

#include "StrictController.h"
#include "IptablesBaseTest.h"

// Fixture for StrictController.
//
// The constructor swaps the controller's iptables / iptables-restore hooks
// for the fakes supplied by IptablesBaseTest, so each test can assert on the
// exact rule batches the controller would hand to iptables-restore instead
// of touching the real netfilter tables.
class StrictControllerTest : public IptablesBaseTest {
public:
    StrictController mStrictCtrl;

    StrictControllerTest() {
        StrictController::execIptables = fakeExecIptables;
        StrictController::execIptablesRestore = fakeExecIptablesRestore;
    }
};

// enableStrict() must emit three iptables-restore batches, in order:
//   1. V4V6 - declare the st_* chains,
//   2. V4   - penalty chains plus the IPv4 cleartext-detection rules,
//   3. V6   - the same penalty chains plus the IPv6 detection rules.
// The rule text is pinned byte-for-byte: the connmark bits (0x1000000 and
// 0x2000000) and the u32 byte offsets are what make detection work, so any
// drift in them should fail this test rather than silently weaken detection.
TEST_F(StrictControllerTest, TestEnableStrict) {
    mStrictCtrl.enableStrict();

    // Every batch is a *filter table, newline-joined, closed by COMMIT and
    // the \x04 end-of-batch marker that the fake restore hook splits on.
    const std::string tableHeader = "*filter";
    const std::string batchFooter = "COMMIT\n\x04";

    // Wrap a rule body into one complete restore batch.
    auto batch = [&](std::vector<std::string> body) {
        body.insert(body.begin(), tableHeader);
        body.push_back(batchFooter);
        return android::base::Join(body, '\n');
    };

    // Chain declarations are shared by both address families (V4V6).
    const std::string commandsCommon = batch({
        ":st_OUTPUT -",
        ":st_penalty_log -",
        ":st_penalty_reject -",
        ":st_clear_caught -",
        ":st_clear_detect -",
    });

    // Rules that are identical for IPv4 and IPv6:
    //  - st_penalty_log marks the connection 0x1000000 and logs it via
    //    NFLOG group 0; st_penalty_reject marks it 0x2000000, logs, and REJECTs.
    //  - At the top of st_clear_detect an already-marked connection is
    //    short-circuited: 0x2000000 -> REJECT, 0x1000000 -> RETURN, so the
    //    u32 payload inspection below runs only on still-unclassified flows.
    const std::vector<std::string> penaltyAndMarkRules = {
        "-A st_penalty_log -j CONNMARK --or-mark 0x1000000",
        "-A st_penalty_log -j NFLOG --nflog-group 0",
        "-A st_penalty_reject -j CONNMARK --or-mark 0x2000000",
        "-A st_penalty_reject -j NFLOG --nflog-group 0",
        "-A st_penalty_reject -j REJECT",
        "-A st_clear_detect -m connmark --mark 0x2000000/0x2000000 -j REJECT",
        "-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN",
    };

    // Prepend the shared rules to a family-specific detection tail and wrap
    // the result into a batch.
    auto detectBatch = [&](const std::vector<std::string>& familyRules) {
        std::vector<std::string> body = penaltyAndMarkRules;
        body.insert(body.end(), familyRules.begin(), familyRules.end());
        return batch(std::move(body));
    };

    // IPv4: the u32 expressions walk the variable-length IP header
    // (0>>22&0x3C) and TCP header (12>>26&0x3C) to reach the payload.
    const std::string commands4 = detectBatch({
        // Looks like a TLS ClientHello check: record type 0x16 (handshake)
        // with version 0x03xx, then handshake type 0x01 at payload byte 5.
        // A match marks the connection 0x1000000 ("encrypted, leave alone").
        "-A st_clear_detect -p tcp -m u32 --u32 \""
        "0>>22&0x3C@ 12>>26&0x3C@ 0&0xFFFF0000=0x16030000 &&"
        "0>>22&0x3C@ 12>>26&0x3C@ 4&0x00FF0000=0x00010000"
        "\" -j CONNMARK --or-mark 0x1000000",
        // Same idea for DTLS over UDP (record type 0x16, version 0xFExx).
        "-A st_clear_detect -p udp -m u32 --u32 \""
        "0>>22&0x3C@ 8&0xFFFF0000=0x16FE0000 &&"
        "0>>22&0x3C@ 20&0x00FF0000=0x00010000"
        "\" -j CONNMARK --or-mark 0x1000000",
        "-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN",
        // Anything else: an ESTABLISHED TCP packet that carries payload
        // (the 0&0x0=0x0 match presumably just requires the payload offset
        // to be reachable), and every UDP packet, is treated as cleartext.
        "-A st_clear_detect -p tcp -m state --state ESTABLISHED -m u32 --u32 "
        "\"0>>22&0x3C@ 12>>26&0x3C@ 0&0x0=0x0\" -j st_clear_caught",
        "-A st_clear_detect -p udp -j st_clear_caught",
    });

    // IPv6: fixed offsets (40/48/52) instead of the IPv4 header walk,
    // consistent with the fixed 40-byte IPv6 header; the byte patterns
    // being matched are the same as in the IPv4 rules.
    const std::string commands6 = detectBatch({
        "-A st_clear_detect -p tcp -m u32 --u32 \""
        "52>>26&0x3C@ 40&0xFFFF0000=0x16030000 &&"
        "52>>26&0x3C@ 44&0x00FF0000=0x00010000"
        "\" -j CONNMARK --or-mark 0x1000000",
        "-A st_clear_detect -p udp -m u32 --u32 \""
        "48&0xFFFF0000=0x16FE0000 &&"
        "60&0x00FF0000=0x00010000"
        "\" -j CONNMARK --or-mark 0x1000000",
        "-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN",
        "-A st_clear_detect -p tcp -m state --state ESTABLISHED -m u32 --u32 "
        "\"52>>26&0x3C@ 40&0x0=0x0\" -j st_clear_caught",
        "-A st_clear_detect -p udp -j st_clear_caught",
    });

    // Order matters: the fake records batches in the sequence they were issued.
    const std::vector<std::pair<IptablesTarget, std::string>> expected = {
        { V4V6, commandsCommon },
        { V4, commands4 },
        { V6, commands6 },
    };
    expectIptablesRestoreCommands(expected);
}

// disableStrict() must issue a single batch that only re-declares the st_*
// chains with no rules behind them - presumably relying on iptables-restore
// flushing a chain that is declared again.
TEST_F(StrictControllerTest, TestDisableStrict) {
    mStrictCtrl.disableStrict();

    const std::vector<std::string> flushOnly = {
        "*filter",
        ":st_OUTPUT -",
        ":st_penalty_log -",
        ":st_penalty_reject -",
        ":st_clear_caught -",
        ":st_clear_detect -",
        "COMMIT\n\x04",
    };
    expectIptablesRestoreCommands({ android::base::Join(flushOnly, '\n') });
}