/*
* Copyright 2017 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* ControllersTest.cpp - unit tests for Controllers.cpp
*/
#include <set>
#include <string>
#include <vector>
#include <gmock/gmock.h>
#include <gtest/gtest.h>
#include <android-base/strings.h>
#include "Controllers.h"
#include "IptablesBaseTest.h"
using testing::ContainerEq;
namespace android {
namespace net {
class ControllersTest : public IptablesBaseTest {
public:
ControllersTest() {
Controllers::execIptablesRestore = fakeExecIptablesRestore;
Controllers::execIptablesRestoreWithOutput = fakeExecIptablesRestoreWithOutput;
}
protected:
void initChildChains() { Controllers::initChildChains(); };
std::set<std::string> findExistingChildChains(IptablesTarget a, const char* b, const char*c) {
return Controllers::findExistingChildChains(a, b, c);
}
};
TEST_F(ControllersTest, TestFindExistingChildChains) {
ExpectedIptablesCommands expectedCmds = {
{ V6, "*raw\n-S PREROUTING\nCOMMIT\n" },
};
sIptablesRestoreOutput.push_back(
"-P PREROUTING ACCEPT\n"
"-A PREROUTING -j bw_raw_PREROUTING\n"
"-A PREROUTING -j idletimer_raw_PREROUTING\n"
"-A PREROUTING -j tetherctrl_raw_PREROUTING\n"
);
std::set<std::string> expectedChains = {
"bw_raw_PREROUTING",
"idletimer_raw_PREROUTING",
"tetherctrl_raw_PREROUTING",
};
std::set<std::string> actual = findExistingChildChains(V6, "raw", "PREROUTING");
EXPECT_THAT(expectedChains, ContainerEq(actual));
expectIptablesRestoreCommands(expectedCmds);
}
TEST_F(ControllersTest, TestInitIptablesRules) {
// Test what happens when we boot and there are no rules.
ExpectedIptablesCommands expected = {
{V4V6,
"*filter\n"
":INPUT -\n"
"-F INPUT\n"
":bw_INPUT -\n"
"-A INPUT -j bw_INPUT\n"
":fw_INPUT -\n"
"-A INPUT -j fw_INPUT\n"
"COMMIT\n"},
{V4V6,
"*filter\n"
":FORWARD -\n"
"-F FORWARD\n"
":oem_fwd -\n"
"-A FORWARD -j oem_fwd\n"
":fw_FORWARD -\n"
"-A FORWARD -j fw_FORWARD\n"
":bw_FORWARD -\n"
"-A FORWARD -j bw_FORWARD\n"
":tetherctrl_FORWARD -\n"
"-A FORWARD -j tetherctrl_FORWARD\n"
"COMMIT\n"},
{V4V6,
"*raw\n"
":PREROUTING -\n"
"-F PREROUTING\n"
":clat_raw_PREROUTING -\n"
"-A PREROUTING -j clat_raw_PREROUTING\n"
":bw_raw_PREROUTING -\n"
"-A PREROUTING -j bw_raw_PREROUTING\n"
":idletimer_raw_PREROUTING -\n"
"-A PREROUTING -j idletimer_raw_PREROUTING\n"
":tetherctrl_raw_PREROUTING -\n"
"-A PREROUTING -j tetherctrl_raw_PREROUTING\n"
"COMMIT\n"},
{V4V6,
"*mangle\n"
":FORWARD -\n"
"-F FORWARD\n"
":tetherctrl_mangle_FORWARD -\n"
"-A FORWARD -j tetherctrl_mangle_FORWARD\n"
"COMMIT\n"},
{V4V6,
"*mangle\n"
":INPUT -\n"
"-F INPUT\n"
":wakeupctrl_mangle_INPUT -\n"
"-A INPUT -j wakeupctrl_mangle_INPUT\n"
":routectrl_mangle_INPUT -\n"
"-A INPUT -j routectrl_mangle_INPUT\n"
"COMMIT\n"},
{V4,
"*nat\n"
":PREROUTING -\n"
"-F PREROUTING\n"
":oem_nat_pre -\n"
"-A PREROUTING -j oem_nat_pre\n"
"COMMIT\n"},
{V4,
"*nat\n"
":POSTROUTING -\n"
"-F POSTROUTING\n"
":tetherctrl_nat_POSTROUTING -\n"
"-A POSTROUTING -j tetherctrl_nat_POSTROUTING\n"
"COMMIT\n"},
{V4,
"*filter\n"
"-S OUTPUT\n"
"COMMIT\n"},
{V4,
"*filter\n"
":oem_out -\n"
"-A OUTPUT -j oem_out\n"
":fw_OUTPUT -\n"
"-A OUTPUT -j fw_OUTPUT\n"
":st_OUTPUT -\n"
"-A OUTPUT -j st_OUTPUT\n"
":bw_OUTPUT -\n"
"-A OUTPUT -j bw_OUTPUT\n"
"COMMIT\n"},
{V6,
"*filter\n"
"-S OUTPUT\n"
"COMMIT\n"},
{V6,
"*filter\n"
":oem_out -\n"
"-A OUTPUT -j oem_out\n"
":fw_OUTPUT -\n"
"-A OUTPUT -j fw_OUTPUT\n"
":st_OUTPUT -\n"
"-A OUTPUT -j st_OUTPUT\n"
":bw_OUTPUT -\n"
"-A OUTPUT -j bw_OUTPUT\n"
"COMMIT\n"},
{V4,
"*mangle\n"
"-S POSTROUTING\n"
"COMMIT\n"},
{V4,
"*mangle\n"
":oem_mangle_post -\n"
"-A POSTROUTING -j oem_mangle_post\n"
":bw_mangle_POSTROUTING -\n"
"-A POSTROUTING -j bw_mangle_POSTROUTING\n"
":idletimer_mangle_POSTROUTING -\n"
"-A POSTROUTING -j idletimer_mangle_POSTROUTING\n"
"COMMIT\n"},
{V6,
"*mangle\n"
"-S POSTROUTING\n"
"COMMIT\n"},
{V6,
"*mangle\n"
":oem_mangle_post -\n"
"-A POSTROUTING -j oem_mangle_post\n"
":bw_mangle_POSTROUTING -\n"
"-A POSTROUTING -j bw_mangle_POSTROUTING\n"
":idletimer_mangle_POSTROUTING -\n"
"-A POSTROUTING -j idletimer_mangle_POSTROUTING\n"
"COMMIT\n"},
};
// Check that we run these commands and these only.
initChildChains();
expectIptablesRestoreCommands(expected);
expectIptablesRestoreCommands(ExpectedIptablesCommands{});
// Now test what happens when some rules exist (e.g., if we crash and restart).
// First, explicitly tell the iptables test code to return empty output to all the commands we
// send. This allows us to tell it to return non-empty output to particular commands in the
// following code.
for (size_t i = 0; i < expected.size(); i++) {
sIptablesRestoreOutput.push_back("");
}
// Define a macro to remove a substring from a string. We use a macro instead of a function so
// we can assert in it. In the following code, we use ASSERT_* to check for programming errors
// in the test code, and EXPECT_* to check for errors in the actual code.
#define DELETE_SUBSTRING(substr, str) { \
size_t start = (str).find((substr)); \
ASSERT_NE(std::string::npos, start); \
(str).erase(start, strlen((substr))); \
ASSERT_EQ(std::string::npos, (str).find((substr))); \
}
// Now set test expectations.
// 1. Test that if we find rules that we don't create ourselves, we ignore them.
// First check that command #7 is where we list the OUTPUT chain in the (IPv4) filter table:
ASSERT_NE(std::string::npos, expected[7].second.find("*filter\n-S OUTPUT\n"));
// ... and pretend that when we run that command, we find the following rules. Because we don't
// create any of these rules ourselves, our behaviour is unchanged.
sIptablesRestoreOutput[7] =
"-P OUTPUT ACCEPT\n"
"-A OUTPUT -o r_rmnet_data8 -p udp -m udp --dport 1900 -j DROP\n";
// 2. Test that rules that we create ourselves are not added if they already exist.
// Pretend that when we list the OUTPUT chain in the (IPv6) filter table, we find the oem_out
// and st_OUTPUT chains:
ASSERT_NE(std::string::npos, expected[9].second.find("*filter\n-S OUTPUT\n"));
sIptablesRestoreOutput[9] =
"-A OUTPUT -j oem_out\n"
"-A OUTPUT -j st_OUTPUT\n";
// ... and expect that when we populate the OUTPUT chain, we do not re-add them.
DELETE_SUBSTRING("-A OUTPUT -j oem_out\n", expected[10].second);
DELETE_SUBSTRING("-A OUTPUT -j st_OUTPUT\n", expected[10].second);
// 3. Now test that when we list the POSTROUTING chain in the mangle table, we find a mixture of
// netd-created rules and vendor rules:
ASSERT_NE(std::string::npos, expected[13].second.find("*mangle\n-S POSTROUTING\n"));
sIptablesRestoreOutput[13] =
"-P POSTROUTING ACCEPT\n"
"-A POSTROUTING -j oem_mangle_post\n"
"-A POSTROUTING -j bw_mangle_POSTROUTING\n"
"-A POSTROUTING -j idletimer_mangle_POSTROUTING\n"
"-A POSTROUTING -j qcom_qos_reset_POSTROUTING\n"
"-A POSTROUTING -j qcom_qos_filter_POSTROUTING\n";
// and expect that we don't re-add the netd-created rules that already exist.
DELETE_SUBSTRING("-A POSTROUTING -j oem_mangle_post\n", expected[14].second);
DELETE_SUBSTRING("-A POSTROUTING -j bw_mangle_POSTROUTING\n", expected[14].second);
DELETE_SUBSTRING("-A POSTROUTING -j idletimer_mangle_POSTROUTING\n", expected[14].second);
// In this last case, also check that our expectations are reasonable.
std::string expectedCmd14 =
"*mangle\n"
":oem_mangle_post -\n"
":bw_mangle_POSTROUTING -\n"
":idletimer_mangle_POSTROUTING -\n"
"COMMIT\n";
ASSERT_EQ(expectedCmd14, expected[14].second);
// Finally, actually test that initChildChains runs the expected commands, and nothing more.
initChildChains();
expectIptablesRestoreCommands(expected);
expectIptablesRestoreCommands(ExpectedIptablesCommands{});
}
} // namespace net
} // namespace android