      1 /*
      2  * Copyright 2016 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  * http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  *
     16  * StrictControllerTest.cpp - unit tests for StrictController.cpp
     17  */
     18 
     19 #include <string>
     20 #include <vector>
     21 
     22 #include <gtest/gtest.h>
     23 
     24 #include <android-base/strings.h>
     25 
     26 #include "StrictController.h"
     27 #include "IptablesBaseTest.h"
     28 
// Fixture for the StrictController tests. Before any test body runs it swaps
// StrictController's two static executor hooks for the fakes declared by
// IptablesBaseTest, so the tests can check the generated iptables-restore
// input (via expectIptablesRestoreCommands) rather than touching the host
// firewall.
class StrictControllerTest : public IptablesBaseTest {
public:
    StrictController mStrictCtrl;

    StrictControllerTest() {
        // Plain static assignments; their relative order is irrelevant.
        StrictController::execIptablesRestore = fakeExecIptablesRestore;
        StrictController::execIptables = fakeExecIptables;
    }
};
     37 
// enableStrict() is expected to hand three scripts to iptables-restore: a
// chain-declaration script applied to both address families, then one rule
// script for IPv4 and one for IPv6 that differ only in their u32 offsets.
TEST_F(StrictControllerTest, TestEnableStrict) {
    mStrictCtrl.enableStrict();

    // Declares every st_* chain (in iptables-restore syntax ":chain -" also
    // leaves it empty).
    const std::vector<std::string> chainDecls = {
        "*filter",
        ":st_OUTPUT -",
        ":st_penalty_log -",
        ":st_penalty_reject -",
        ":st_clear_caught -",
        ":st_clear_detect -",
        "COMMIT\n",
    };

    // Rules that are byte-identical in the IPv4 and IPv6 scripts: the two
    // penalty chains plus the connmark short-cuts at the head of
    // st_clear_detect (0x2000000 already set -> REJECT, 0x1000000 already
    // set -> RETURN).
    const std::vector<std::string> sharedRules = {
        "*filter",
        "-A st_penalty_log -j CONNMARK --or-mark 0x1000000",
        "-A st_penalty_log -j NFLOG --nflog-group 0",
        "-A st_penalty_reject -j CONNMARK --or-mark 0x2000000",
        "-A st_penalty_reject -j NFLOG --nflog-group 0",
        "-A st_penalty_reject -j REJECT",
        "-A st_clear_detect -m connmark --mark 0x2000000/0x2000000 -j REJECT",
        "-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN",
    };

    // Address-family-specific tail of st_clear_detect. The u32 matches look
    // for a record starting 0x16 0x03.. (TLS) or 0x16 0xFE.. (DTLS) whose
    // handshake type byte is 0x01 (ClientHello) and mark such flows
    // 0x1000000; flows still unmarked afterwards are sent to st_clear_caught.
    // The IPv4 expressions skip a variable-length IP header ("0>>22&0x3C@"),
    // the IPv6 ones assume the fixed 40-byte header. The "0&0x0=0x0" match on
    // the ESTABLISHED rule presumably only succeeds when the segment actually
    // carries payload at that offset -- verify against StrictController.cpp.
    const std::vector<std::string> v4Tail = {
        "-A st_clear_detect -p tcp -m u32 --u32 \""
            "0>>22&0x3C@ 12>>26&0x3C@ 0&0xFFFF0000=0x16030000 &&"
            "0>>22&0x3C@ 12>>26&0x3C@ 4&0x00FF0000=0x00010000"
            "\" -j CONNMARK --or-mark 0x1000000",
        "-A st_clear_detect -p udp -m u32 --u32 \""
            "0>>22&0x3C@ 8&0xFFFF0000=0x16FE0000 &&"
            "0>>22&0x3C@ 20&0x00FF0000=0x00010000"
            "\" -j CONNMARK --or-mark 0x1000000",
        "-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN",
        "-A st_clear_detect -p tcp -m state --state ESTABLISHED -m u32 --u32 "
            "\"0>>22&0x3C@ 12>>26&0x3C@ 0&0x0=0x0\" -j st_clear_caught",
        "-A st_clear_detect -p udp -j st_clear_caught",
        "COMMIT\n",
    };
    const std::vector<std::string> v6Tail = {
        "-A st_clear_detect -p tcp -m u32 --u32 \""
            "52>>26&0x3C@ 40&0xFFFF0000=0x16030000 &&"
            "52>>26&0x3C@ 44&0x00FF0000=0x00010000"
            "\" -j CONNMARK --or-mark 0x1000000",
        "-A st_clear_detect -p udp -m u32 --u32 \""
            "48&0xFFFF0000=0x16FE0000 &&"
            "60&0x00FF0000=0x00010000"
            "\" -j CONNMARK --or-mark 0x1000000",
        "-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN",
        "-A st_clear_detect -p tcp -m state --state ESTABLISHED -m u32 --u32 "
            "\"52>>26&0x3C@ 40&0x0=0x0\" -j st_clear_caught",
        "-A st_clear_detect -p udp -j st_clear_caught",
        "COMMIT\n",
    };

    // Full per-family script: the shared rules followed by the family tail,
    // one rule per line.
    auto familyScript = [&sharedRules](const std::vector<std::string>& tail) {
        std::vector<std::string> lines(sharedRules);
        lines.insert(lines.end(), tail.begin(), tail.end());
        return android::base::Join(lines, '\n');
    };

    std::vector<std::pair<IptablesTarget, std::string>> expected = {
        { V4V6, android::base::Join(chainDecls, '\n') },
        { V4, familyScript(v4Tail) },
        { V6, familyScript(v6Tail) },
    };
    expectIptablesRestoreCommands(expected);
}
    111 
// disableStrict() is expected to issue a single restore script that only
// declares the st_* chains, which in iptables-restore syntax leaves each of
// them without rules.
TEST_F(StrictControllerTest, TestDisableStrict) {
    mStrictCtrl.disableStrict();

    const std::vector<std::string> chainDecls = {
        "*filter",
        ":st_OUTPUT -",
        ":st_penalty_log -",
        ":st_penalty_reject -",
        ":st_clear_caught -",
        ":st_clear_detect -",
        "COMMIT\n",
    };
    const std::string expected = android::base::Join(chainDecls, '\n');
    expectIptablesRestoreCommands({ expected });
}
    125