Gitiles
Code Review Sign In
gerrit.openfyde.cn / chromium.googlesource.com / chromiumos / platform2 / 91ee09f8d27db5bfd9b29e50e34472eb3fd0a33f / . / patchpanel / datapath_test.cc
blob: e9b98fa9a4f818823bd7bb86e2e0112e3847a3b9 [file] [log] [blame]
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]1// Copyright 2019 The Chromium OS Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
Garrick Evans3388a032020-03-24 11:25:55 +0900[diff] [blame]5#include "patchpanel/datapath.h"
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]6
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]7#include <linux/if_tun.h>
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]8#include <net/if.h>
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]9#include <sys/ioctl.h>
10
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]11#include <utility>
12#include <vector>
13
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]14#include <base/bind.h>
Qijiang Fane90b8792020-03-09 16:15:41 +0900[diff] [blame]15#include <base/bind_helpers.h>
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]16#include <base/strings/string_util.h>
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]17#include <gmock/gmock.h>
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]18#include <gtest/gtest.h>
19
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]20#include "patchpanel/mock_firewall.h"
Garrick Evans3388a032020-03-24 11:25:55 +0900[diff] [blame]21#include "patchpanel/net_util.h"
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]22
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]23using testing::_;
24using testing::ElementsAre;
25using testing::Return;
26using testing::StrEq;
27
Garrick Evans3388a032020-03-24 11:25:55 +0900[diff] [blame]28namespace patchpanel {
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]29namespace {
30
Hugo Benichi76675592020-04-08 14:29:57 +0900[diff] [blame]31// TODO(hugobenichi) Centralize this constant definition
32constexpr pid_t kTestPID = -2;
33
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]34std::vector<ioctl_req_t> ioctl_reqs;
35std::vector<std::pair<std::string, struct rtentry>> ioctl_rtentry_args;
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]36
37// Capture all ioctls and succeed.
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]38int ioctl_req_cap(int fd, ioctl_req_t req, ...) {
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]39 ioctl_reqs.push_back(req);
40 return 0;
41}
42
43// Capture ioctls for SIOCADDRT and SIOCDELRT and succeed.
44int ioctl_rtentry_cap(int fd, ioctl_req_t req, struct rtentry* arg) {
45 ioctl_reqs.push_back(req);
46 ioctl_rtentry_args.push_back({"", *arg});
47 // Copy the string poited by rtentry.rt_dev because Add/DeleteIPv4Route pass
48 // this value to ioctl() on the stack.
49 if (arg->rt_dev) {
50 auto& cap = ioctl_rtentry_args.back();
51 cap.first = std::string(arg->rt_dev);
52 cap.second.rt_dev = (char*)cap.first.c_str();
53 }
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]54 return 0;
55}
56
57} // namespace
58
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]59class MockProcessRunner : public MinijailedProcessRunner {
60 public:
61 MockProcessRunner() = default;
62 ~MockProcessRunner() = default;
63
Garrick Evans2470caa2020-03-04 14:15:41 +0900[diff] [blame]64 MOCK_METHOD1(WriteSentinelToContainer, int(pid_t pid));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]65 MOCK_METHOD3(brctl,
66 int(const std::string& cmd,
67 const std::vector<std::string>& argv,
68 bool log_failures));
69 MOCK_METHOD4(chown,
70 int(const std::string& uid,
71 const std::string& gid,
72 const std::string& file,
73 bool log_failures));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]74 MOCK_METHOD4(ip,
75 int(const std::string& obj,
76 const std::string& cmd,
77 const std::vector<std::string>& args,
78 bool log_failures));
79 MOCK_METHOD4(ip6,
80 int(const std::string& obj,
81 const std::string& cmd,
82 const std::vector<std::string>& args,
83 bool log_failures));
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]84 MOCK_METHOD4(iptables,
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]85 int(const std::string& table,
86 const std::vector<std::string>& argv,
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]87 bool log_failures,
88 std::string* output));
89 MOCK_METHOD4(ip6tables,
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]90 int(const std::string& table,
91 const std::vector<std::string>& argv,
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]92 bool log_failures,
93 std::string* output));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]94 MOCK_METHOD2(modprobe_all,
95 int(const std::vector<std::string>& modules, bool log_failures));
96 MOCK_METHOD3(sysctl_w,
97 int(const std::string& key,
98 const std::string& value,
99 bool log_failures));
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]100 MOCK_METHOD3(ip_netns_attach,
101 int(const std::string& netns_name,
102 pid_t netns_pid,
103 bool log_failures));
104 MOCK_METHOD2(ip_netns_delete,
105 int(const std::string& netns_name, bool log_failures));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]106};
107
Hugo Benichid82d8832020-08-14 10:05:03 +0900[diff] [blame]108TEST(DatapathTest, IpFamily) {
109 EXPECT_EQ(IpFamily::Dual, IpFamily::IPv4 | IpFamily::IPv6);
110 EXPECT_EQ(IpFamily::Dual & IpFamily::IPv4, IpFamily::IPv4);
111 EXPECT_EQ(IpFamily::Dual & IpFamily::IPv6, IpFamily::IPv6);
112 EXPECT_NE(IpFamily::Dual, IpFamily::IPv4);
113 EXPECT_NE(IpFamily::Dual, IpFamily::IPv6);
114 EXPECT_NE(IpFamily::IPv4, IpFamily::IPv6);
115}
116
Hugo Benichibf811c62020-09-07 17:30:45 +0900[diff] [blame]117TEST(DatapathTest, Start) {
118 MockProcessRunner runner;
119 MockFirewall firewall;
Hugo Benichi91ee09f2020-12-03 22:24:22 +0900[diff] [blame^]120
121 // Asserts for iptables chain reset.
122 EXPECT_CALL(runner, iptables(StrEq("filter"),
123 ElementsAre("-D", "OUTPUT", "-j",
124 "drop_guest_ipv4_prefix", "-w"),
125 false, nullptr));
126 EXPECT_CALL(runner,
127 iptables(StrEq("filter"), ElementsAre("-F", "FORWARD", "-w"),
128 true, nullptr));
129 EXPECT_CALL(runner,
130 ip6tables(StrEq("filter"), ElementsAre("-F", "FORWARD", "-w"),
131 true, nullptr));
132 EXPECT_CALL(runner,
133 iptables(StrEq("mangle"), ElementsAre("-F", "FORWARD", "-w"),
134 true, nullptr));
135 EXPECT_CALL(runner,
136 ip6tables(StrEq("mangle"), ElementsAre("-F", "FORWARD", "-w"),
137 true, nullptr));
138 EXPECT_CALL(runner,
139 iptables(StrEq("mangle"), ElementsAre("-F", "INPUT", "-w"), true,
140 nullptr));
141 EXPECT_CALL(runner,
142 ip6tables(StrEq("mangle"), ElementsAre("-F", "INPUT", "-w"), true,
143 nullptr));
144 EXPECT_CALL(runner,
145 iptables(StrEq("mangle"), ElementsAre("-F", "OUTPUT", "-w"), true,
146 nullptr));
147 EXPECT_CALL(runner,
148 ip6tables(StrEq("mangle"), ElementsAre("-F", "OUTPUT", "-w"),
149 true, nullptr));
150 EXPECT_CALL(runner,
151 iptables(StrEq("mangle"), ElementsAre("-F", "POSTROUTING", "-w"),
152 true, nullptr));
153 EXPECT_CALL(runner,
154 ip6tables(StrEq("mangle"), ElementsAre("-F", "POSTROUTING", "-w"),
155 true, nullptr));
156 EXPECT_CALL(runner,
157 iptables(StrEq("mangle"), ElementsAre("-F", "PREROUTING", "-w"),
158 true, nullptr));
159 EXPECT_CALL(runner,
160 ip6tables(StrEq("mangle"), ElementsAre("-F", "PREROUTING", "-w"),
161 true, nullptr));
162 EXPECT_CALL(runner,
163 iptables(StrEq("mangle"),
164 ElementsAre("-L", "apply_local_source_mark", "-w"),
165 false, nullptr));
166 EXPECT_CALL(runner,
167 ip6tables(StrEq("mangle"),
168 ElementsAre("-L", "apply_local_source_mark", "-w"),
169 false, nullptr));
170 EXPECT_CALL(runner,
171 iptables(StrEq("mangle"),
172 ElementsAre("-F", "apply_local_source_mark", "-w"), true,
173 nullptr));
174 EXPECT_CALL(runner,
175 ip6tables(StrEq("mangle"),
176 ElementsAre("-F", "apply_local_source_mark", "-w"),
177 true, nullptr));
178 EXPECT_CALL(runner,
179 iptables(StrEq("mangle"),
180 ElementsAre("-X", "apply_local_source_mark", "-w"), true,
181 nullptr));
182 EXPECT_CALL(runner,
183 ip6tables(StrEq("mangle"),
184 ElementsAre("-X", "apply_local_source_mark", "-w"),
185 true, nullptr));
186 EXPECT_CALL(runner, iptables(StrEq("mangle"),
187 ElementsAre("-L", "apply_vpn_mark", "-w"), false,
188 nullptr));
189 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
190 ElementsAre("-L", "apply_vpn_mark", "-w"),
191 false, nullptr));
192 EXPECT_CALL(runner, iptables(StrEq("mangle"),
193 ElementsAre("-F", "apply_vpn_mark", "-w"), true,
194 nullptr));
195 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
196 ElementsAre("-F", "apply_vpn_mark", "-w"), true,
197 nullptr));
198 EXPECT_CALL(runner, iptables(StrEq("mangle"),
199 ElementsAre("-X", "apply_vpn_mark", "-w"), true,
200 nullptr));
201 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
202 ElementsAre("-X", "apply_vpn_mark", "-w"), true,
203 nullptr));
204 EXPECT_CALL(runner, iptables(StrEq("mangle"),
205 ElementsAre("-L", "check_routing_mark", "-w"),
206 false, nullptr));
207 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
208 ElementsAre("-L", "check_routing_mark", "-w"),
209 false, nullptr));
210 EXPECT_CALL(runner, iptables(StrEq("mangle"),
211 ElementsAre("-F", "check_routing_mark", "-w"),
212 true, nullptr));
213 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
214 ElementsAre("-F", "check_routing_mark", "-w"),
215 true, nullptr));
216 EXPECT_CALL(runner, iptables(StrEq("mangle"),
217 ElementsAre("-X", "check_routing_mark", "-w"),
218 true, nullptr));
219 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
220 ElementsAre("-X", "check_routing_mark", "-w"),
221 true, nullptr));
222 EXPECT_CALL(runner,
223 iptables(StrEq("filter"),
224 ElementsAre("-L", "drop_guest_ipv4_prefix", "-w"), false,
225 nullptr));
226 EXPECT_CALL(runner,
227 iptables(StrEq("filter"),
228 ElementsAre("-F", "drop_guest_ipv4_prefix", "-w"), true,
229 nullptr));
230 EXPECT_CALL(runner,
231 iptables(StrEq("filter"),
232 ElementsAre("-X", "drop_guest_ipv4_prefix", "-w"), true,
233 nullptr));
234 EXPECT_CALL(runner,
235 iptables(StrEq("nat"), ElementsAre("-F", "POSTROUTING", "-w"),
236 true, nullptr));
237
Hugo Benichibf811c62020-09-07 17:30:45 +0900[diff] [blame]238 // Asserts for sysctl modifications
239 EXPECT_CALL(runner, sysctl_w(StrEq("net.ipv4.ip_forward"), StrEq("1"), true));
240 EXPECT_CALL(runner, sysctl_w(StrEq("net.ipv4.ip_local_port_range"),
241 StrEq("32768 47103"), true));
242 EXPECT_CALL(runner, sysctl_w(StrEq("net.ipv6.conf.all.forwarding"),
243 StrEq("1"), true));
Hugo Benichi561fae42021-01-22 15:28:40 +0900[diff] [blame]244 // Asserts for SNAT rules.
Hugo Benichibf811c62020-09-07 17:30:45 +0900[diff] [blame]245 EXPECT_CALL(
246 runner,
247 iptables(StrEq("filter"),
248 ElementsAre("-A", "FORWARD", "-m", "mark", "--mark", "1/1", "-m",
249 "state", "--state", "INVALID", "-j", "DROP", "-w"),
250 true, nullptr));
251 EXPECT_CALL(runner,
Hugo Benichibf811c62020-09-07 17:30:45 +0900[diff] [blame]252 iptables(StrEq("nat"),
253 ElementsAre("-A", "POSTROUTING", "-m", "mark", "--mark",
254 "1/1", "-j", "MASQUERADE", "-w"),
255 true, nullptr));
256 // Asserts for AddForwardEstablishedRule
257 EXPECT_CALL(runner,
258 iptables(StrEq("filter"),
259 ElementsAre("-A", "FORWARD", "-m", "state", "--state",
260 "ESTABLISHED,RELATED", "-j", "ACCEPT", "-w"),
261 true, nullptr));
262 // Asserts for AddSourceIPv4DropRule() calls.
263 EXPECT_CALL(runner,
264 iptables(StrEq("filter"),
Hugo Benichi91ee09f2020-12-03 22:24:22 +0900[diff] [blame^]265 ElementsAre("-N", "drop_guest_ipv4_prefix", "-w"), true,
266 nullptr));
267 EXPECT_CALL(runner, iptables(StrEq("filter"),
268 ElementsAre("-I", "OUTPUT", "-j",
269 "drop_guest_ipv4_prefix", "-w"),
270 true, nullptr));
Hugo Benichibf811c62020-09-07 17:30:45 +0900[diff] [blame]271 EXPECT_CALL(runner,
272 iptables(StrEq("filter"),
Hugo Benichi91ee09f2020-12-03 22:24:22 +0900[diff] [blame^]273 ElementsAre("-I", "drop_guest_ipv4_prefix", "-o", "eth+",
274 "-s", "100.115.92.0/23", "-j", "DROP", "-w"),
Hugo Benichibf811c62020-09-07 17:30:45 +0900[diff] [blame]275 true, nullptr));
Hugo Benichi91ee09f2020-12-03 22:24:22 +0900[diff] [blame^]276 EXPECT_CALL(runner, iptables(StrEq("filter"),
277 ElementsAre("-I", "drop_guest_ipv4_prefix", "-o",
278 "wlan+", "-s", "100.115.92.0/23",
279 "-j", "DROP", "-w"),
280 true, nullptr));
281 EXPECT_CALL(runner, iptables(StrEq("filter"),
282 ElementsAre("-I", "drop_guest_ipv4_prefix", "-o",
283 "mlan+", "-s", "100.115.92.0/23",
284 "-j", "DROP", "-w"),
285 true, nullptr));
Hugo Benichibf811c62020-09-07 17:30:45 +0900[diff] [blame]286 EXPECT_CALL(runner,
287 iptables(StrEq("filter"),
Hugo Benichi91ee09f2020-12-03 22:24:22 +0900[diff] [blame^]288 ElementsAre("-I", "drop_guest_ipv4_prefix", "-o", "usb+",
289 "-s", "100.115.92.0/23", "-j", "DROP", "-w"),
Hugo Benichibf811c62020-09-07 17:30:45 +0900[diff] [blame]290 true, nullptr));
Hugo Benichi91ee09f2020-12-03 22:24:22 +0900[diff] [blame^]291 EXPECT_CALL(runner, iptables(StrEq("filter"),
292 ElementsAre("-I", "drop_guest_ipv4_prefix", "-o",
293 "wwan+", "-s", "100.115.92.0/23",
294 "-j", "DROP", "-w"),
295 true, nullptr));
296 EXPECT_CALL(runner, iptables(StrEq("filter"),
297 ElementsAre("-I", "drop_guest_ipv4_prefix", "-o",
298 "rmnet+", "-s", "100.115.92.0/23",
299 "-j", "DROP", "-w"),
300 true, nullptr));
Hugo Benichibf811c62020-09-07 17:30:45 +0900[diff] [blame]301 // Asserts for AddOutboundIPv4SNATMark("vmtap+")
302 EXPECT_CALL(runner,
303 iptables(StrEq("mangle"),
304 ElementsAre("-A", "PREROUTING", "-i", "vmtap+", "-j",
305 "MARK", "--set-mark", "1/1", "-w"),
306 true, nullptr));
Taoyu Li78f0c9a2020-12-25 22:58:26 +0900[diff] [blame]307 // Asserts for OUTPUT ndp connmark bypass rule
308 EXPECT_CALL(
309 runner,
310 ip6tables(StrEq("mangle"),
Hugo Benichi52a64992021-01-28 17:47:33 +0900[diff] [blame]311 ElementsAre("-I", "OUTPUT", "-p", "icmpv6", "--icmpv6-type",
Taoyu Li78f0c9a2020-12-25 22:58:26 +0900[diff] [blame]312 "router-solicitation", "-j", "ACCEPT", "-w"),
313 true, nullptr));
314 EXPECT_CALL(
315 runner,
316 ip6tables(StrEq("mangle"),
Hugo Benichi52a64992021-01-28 17:47:33 +0900[diff] [blame]317 ElementsAre("-I", "OUTPUT", "-p", "icmpv6", "--icmpv6-type",
Taoyu Li78f0c9a2020-12-25 22:58:26 +0900[diff] [blame]318 "router-advertisement", "-j", "ACCEPT", "-w"),
319 true, nullptr));
320 EXPECT_CALL(
321 runner,
322 ip6tables(StrEq("mangle"),
Hugo Benichi52a64992021-01-28 17:47:33 +0900[diff] [blame]323 ElementsAre("-I", "OUTPUT", "-p", "icmpv6", "--icmpv6-type",
Taoyu Li78f0c9a2020-12-25 22:58:26 +0900[diff] [blame]324 "neighbour-solicitation", "-j", "ACCEPT", "-w"),
325 true, nullptr));
326 EXPECT_CALL(
327 runner,
328 ip6tables(StrEq("mangle"),
Hugo Benichi52a64992021-01-28 17:47:33 +0900[diff] [blame]329 ElementsAre("-I", "OUTPUT", "-p", "icmpv6", "--icmpv6-type",
Taoyu Li78f0c9a2020-12-25 22:58:26 +0900[diff] [blame]330 "neighbour-advertisement", "-j", "ACCEPT", "-w"),
331 true, nullptr));
Hugo Benichi52a64992021-01-28 17:47:33 +0900[diff] [blame]332 EXPECT_CALL(runner,
333 ip6tables(StrEq("mangle"),
334 ElementsAre("-I", "check_routing_mark", "-p", "icmpv6",
335 "--icmpv6-type", "router-solicitation",
336 "-j", "RETURN", "-w"),
337 true, nullptr));
338 EXPECT_CALL(runner,
339 ip6tables(StrEq("mangle"),
340 ElementsAre("-I", "check_routing_mark", "-p", "icmpv6",
341 "--icmpv6-type", "router-advertisement",
342 "-j", "RETURN", "-w"),
343 true, nullptr));
344 EXPECT_CALL(runner,
345 ip6tables(StrEq("mangle"),
346 ElementsAre("-I", "check_routing_mark", "-p", "icmpv6",
347 "--icmpv6-type", "neighbour-solicitation",
348 "-j", "RETURN", "-w"),
349 true, nullptr));
350 EXPECT_CALL(runner,
351 ip6tables(StrEq("mangle"),
352 ElementsAre("-I", "check_routing_mark", "-p", "icmpv6",
353 "--icmpv6-type", "neighbour-advertisement",
354 "-j", "RETURN", "-w"),
355 true, nullptr));
Hugo Benichi2a940542020-10-26 18:50:49 +0900[diff] [blame]356 // Asserts for OUTPUT CONNMARK restore rule
357 EXPECT_CALL(runner, iptables(StrEq("mangle"),
358 ElementsAre("-A", "OUTPUT", "-j", "CONNMARK",
359 "--restore-mark", "--mask",
360 "0xffff0000", "-w"),
361 true, nullptr));
362 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
363 ElementsAre("-A", "OUTPUT", "-j", "CONNMARK",
364 "--restore-mark", "--mask",
365 "0xffff0000", "-w"),
366 true, nullptr));
Hugo Benichi3a9162b2020-09-09 15:47:40 +0900[diff] [blame]367 // Asserts for apply_local_source_mark chain
368 EXPECT_CALL(runner,
369 iptables(StrEq("mangle"),
370 ElementsAre("-N", "apply_local_source_mark", "-w"), true,
371 nullptr));
Hugo Benichi3a9162b2020-09-09 15:47:40 +0900[diff] [blame]372 EXPECT_CALL(runner, iptables(StrEq("mangle"),
373 ElementsAre("-A", "OUTPUT", "-j",
374 "apply_local_source_mark", "-w"),
375 true, nullptr));
376 EXPECT_CALL(
377 runner,
378 iptables(StrEq("mangle"),
379 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
380 "--uid-owner", "chronos", "-j", "MARK", "--set-mark",
381 "0x00008100/0x0000ff00", "-w"),
382 true, nullptr));
383 EXPECT_CALL(runner, iptables(StrEq("mangle"),
384 ElementsAre("-A", "apply_local_source_mark",
385 "-m", "owner", "--uid-owner",
386 "debugd", "-j", "MARK", "--set-mark",
387 "0x00008200/0x0000ff00", "-w"),
388 true, nullptr));
389 EXPECT_CALL(runner,
390 iptables(StrEq("mangle"),
391 ElementsAre("-A", "apply_local_source_mark", "-m",
392 "owner", "--uid-owner", "cups", "-j", "MARK",
393 "--set-mark", "0x00008200/0x0000ff00", "-w"),
394 true, nullptr));
395 EXPECT_CALL(
396 runner,
397 iptables(StrEq("mangle"),
398 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
Hugo Benichi9c5516b2021-01-29 09:26:21 +0900[diff] [blame]399 "--uid-owner", "lpadmin", "-j", "MARK", "--set-mark",
400 "0x00008200/0x0000ff00", "-w"),
401 true, nullptr));
402 EXPECT_CALL(
403 runner,
404 iptables(StrEq("mangle"),
405 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
Hugo Benichi3a9162b2020-09-09 15:47:40 +0900[diff] [blame]406 "--uid-owner", "kerberosd", "-j", "MARK",
407 "--set-mark", "0x00008400/0x0000ff00", "-w"),
408 true, nullptr));
409 EXPECT_CALL(
410 runner,
411 iptables(StrEq("mangle"),
412 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
413 "--uid-owner", "kerberosd-exec", "-j", "MARK",
414 "--set-mark", "0x00008400/0x0000ff00", "-w"),
415 true, nullptr));
416 EXPECT_CALL(
417 runner,
418 iptables(StrEq("mangle"),
419 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
420 "--uid-owner", "tlsdate", "-j", "MARK", "--set-mark",
421 "0x00008400/0x0000ff00", "-w"),
422 true, nullptr));
423 EXPECT_CALL(
424 runner,
425 iptables(StrEq("mangle"),
426 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
427 "--uid-owner", "pluginvm", "-j", "MARK",
428 "--set-mark", "0x00008200/0x0000ff00", "-w"),
429 true, nullptr));
430 EXPECT_CALL(
431 runner,
432 iptables(StrEq("mangle"),
433 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
434 "--uid-owner", "fuse-smbfs", "-j", "MARK",
435 "--set-mark", "0x00008400/0x0000ff00", "-w"),
436 true, nullptr));
437 EXPECT_CALL(
438 runner,
439 iptables(StrEq("mangle"),
Hugo Benichi7e3b1fc2020-11-19 15:47:05 +0900[diff] [blame]440 ElementsAre("-A", "apply_local_source_mark", "-m", "cgroup",
441 "--cgroup", "0x00010001", "-j", "MARK", "--set-mark",
442 "0x00000300/0x0000ff00", "-w"),
443 true, nullptr));
444 EXPECT_CALL(
445 runner,
446 iptables(StrEq("mangle"),
Hugo Benichi3a9162b2020-09-09 15:47:40 +0900[diff] [blame]447 ElementsAre("-A", "apply_local_source_mark", "-m", "mark",
448 "--mark", "0x0/0x00003f00", "-j", "MARK",
449 "--set-mark", "0x00000400/0x00003f00", "-w"),
450 true, nullptr));
451 EXPECT_CALL(runner,
452 ip6tables(StrEq("mangle"),
453 ElementsAre("-N", "apply_local_source_mark", "-w"),
454 true, nullptr));
Hugo Benichi3a9162b2020-09-09 15:47:40 +0900[diff] [blame]455 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
456 ElementsAre("-A", "OUTPUT", "-j",
457 "apply_local_source_mark", "-w"),
458 true, nullptr));
459 EXPECT_CALL(
460 runner,
461 ip6tables(StrEq("mangle"),
462 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
463 "--uid-owner", "debugd", "-j", "MARK", "--set-mark",
464 "0x00008200/0x0000ff00", "-w"),
465 true, nullptr));
466 EXPECT_CALL(
467 runner,
468 ip6tables(StrEq("mangle"),
469 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
470 "--uid-owner", "chronos", "-j", "MARK",
471 "--set-mark", "0x00008100/0x0000ff00", "-w"),
472 true, nullptr));
473 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
474 ElementsAre("-A", "apply_local_source_mark",
475 "-m", "owner", "--uid-owner",
476 "cups", "-j", "MARK", "--set-mark",
477 "0x00008200/0x0000ff00", "-w"),
478 true, nullptr));
479 EXPECT_CALL(
480 runner,
481 ip6tables(StrEq("mangle"),
482 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
Hugo Benichi9c5516b2021-01-29 09:26:21 +0900[diff] [blame]483 "--uid-owner", "lpadmin", "-j", "MARK",
484 "--set-mark", "0x00008200/0x0000ff00", "-w"),
485 true, nullptr));
486 EXPECT_CALL(
487 runner,
488 ip6tables(StrEq("mangle"),
489 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
Hugo Benichi3a9162b2020-09-09 15:47:40 +0900[diff] [blame]490 "--uid-owner", "kerberosd", "-j", "MARK",
491 "--set-mark", "0x00008400/0x0000ff00", "-w"),
492 true, nullptr));
493 EXPECT_CALL(
494 runner,
495 ip6tables(StrEq("mangle"),
496 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
497 "--uid-owner", "kerberosd-exec", "-j", "MARK",
498 "--set-mark", "0x00008400/0x0000ff00", "-w"),
499 true, nullptr));
500 EXPECT_CALL(
501 runner,
502 ip6tables(StrEq("mangle"),
503 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
504 "--uid-owner", "tlsdate", "-j", "MARK",
505 "--set-mark", "0x00008400/0x0000ff00", "-w"),
506 true, nullptr));
507 EXPECT_CALL(
508 runner,
509 ip6tables(StrEq("mangle"),
510 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
511 "--uid-owner", "pluginvm", "-j", "MARK",
512 "--set-mark", "0x00008200/0x0000ff00", "-w"),
513 true, nullptr));
514 EXPECT_CALL(
515 runner,
516 ip6tables(StrEq("mangle"),
517 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
518 "--uid-owner", "fuse-smbfs", "-j", "MARK",
519 "--set-mark", "0x00008400/0x0000ff00", "-w"),
520 true, nullptr));
521 EXPECT_CALL(
522 runner,
523 ip6tables(StrEq("mangle"),
Hugo Benichi7e3b1fc2020-11-19 15:47:05 +0900[diff] [blame]524 ElementsAre("-A", "apply_local_source_mark", "-m", "cgroup",
525 "--cgroup", "0x00010001", "-j", "MARK",
526 "--set-mark", "0x00000300/0x0000ff00", "-w"),
527 true, nullptr));
528 EXPECT_CALL(
529 runner,
530 ip6tables(StrEq("mangle"),
Hugo Benichi3a9162b2020-09-09 15:47:40 +0900[diff] [blame]531 ElementsAre("-A", "apply_local_source_mark", "-m", "mark",
532 "--mark", "0x0/0x00003f00", "-j", "MARK",
533 "--set-mark", "0x00000400/0x00003f00", "-w"),
534 true, nullptr));
Hugo Benichi3ef370b2020-11-16 19:07:17 +0900[diff] [blame]535 // Asserts for apply_vpn_mark chain
536 EXPECT_CALL(runner, iptables(StrEq("mangle"),
537 ElementsAre("-N", "apply_vpn_mark", "-w"), true,
538 nullptr));
539 EXPECT_CALL(runner, iptables(StrEq("mangle"),
Hugo Benichi3ef370b2020-11-16 19:07:17 +0900[diff] [blame]540 ElementsAre("-A", "OUTPUT", "-m", "mark",
541 "--mark", "0x00008000/0x0000c000",
542 "-j", "apply_vpn_mark", "-w"),
543 true, nullptr));
544 EXPECT_CALL(runner, iptables(StrEq("mangle"),
545 ElementsAre("-A", "apply_vpn_mark", "-m", "mark",
546 "!", "--mark", "0x0/0xffff0000",
547 "-j", "ACCEPT", "-w"),
548 true, nullptr));
549 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
550 ElementsAre("-N", "apply_vpn_mark", "-w"), true,
551 nullptr));
552 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
Hugo Benichi3ef370b2020-11-16 19:07:17 +0900[diff] [blame]553 ElementsAre("-A", "OUTPUT", "-m", "mark",
554 "--mark", "0x00008000/0x0000c000",
555 "-j", "apply_vpn_mark", "-w"),
556 true, nullptr));
557 EXPECT_CALL(
558 runner,
559 ip6tables(StrEq("mangle"),
560 ElementsAre("-A", "apply_vpn_mark", "-m", "mark", "!", "--mark",
561 "0x0/0xffff0000", "-j", "ACCEPT", "-w"),
562 true, nullptr));
Hugo Benichi155de002021-01-19 16:45:46 +0900[diff] [blame]563 // Asserts for check_routing_mark chain
564 EXPECT_CALL(runner, iptables(StrEq("mangle"),
565 ElementsAre("-N", "check_routing_mark", "-w"),
566 true, nullptr));
567 EXPECT_CALL(runner, iptables(StrEq("mangle"),
Hugo Benichi155de002021-01-19 16:45:46 +0900[diff] [blame]568 ElementsAre("-A", "POSTROUTING", "-j",
569 "CONNMARK", "--restore-mark",
570 "--mask", "0xffff0000", "-w"),
571 true, nullptr));
572 EXPECT_CALL(runner, iptables(StrEq("mangle"),
573 ElementsAre("-A", "POSTROUTING", "-m", "mark",
574 "!", "--mark", "0x0/0xffff0000",
575 "-j", "check_routing_mark", "-w"),
576 true, nullptr));
577 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
578 ElementsAre("-N", "check_routing_mark", "-w"),
579 true, nullptr));
580 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
Hugo Benichi155de002021-01-19 16:45:46 +0900[diff] [blame]581 ElementsAre("-A", "POSTROUTING", "-j",
582 "CONNMARK", "--restore-mark",
583 "--mask", "0xffff0000", "-w"),
584 true, nullptr));
585 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
586 ElementsAre("-A", "POSTROUTING", "-m", "mark",
587 "!", "--mark", "0x0/0xffff0000",
588 "-j", "check_routing_mark", "-w"),
589 true, nullptr));
Hugo Benichibf811c62020-09-07 17:30:45 +0900[diff] [blame]590
591 Datapath datapath(&runner, &firewall);
592 datapath.Start();
593}
594
595TEST(DatapathTest, Stop) {
596 MockProcessRunner runner;
597 MockFirewall firewall;
598 // Asserts for sysctl modifications
599 EXPECT_CALL(runner, sysctl_w(StrEq("net.ipv4.ip_local_port_range"),
600 StrEq("32768 61000"), true));
601 EXPECT_CALL(runner, sysctl_w(StrEq("net.ipv6.conf.all.forwarding"),
602 StrEq("0"), true));
603 EXPECT_CALL(runner, sysctl_w(StrEq("net.ipv4.ip_forward"), StrEq("0"), true));
Hugo Benichi91ee09f2020-12-03 22:24:22 +0900[diff] [blame^]604 // Asserts for iptables chain reset.
605 EXPECT_CALL(runner, iptables(StrEq("filter"),
606 ElementsAre("-D", "OUTPUT", "-j",
607 "drop_guest_ipv4_prefix", "-w"),
608 false, nullptr));
609 EXPECT_CALL(runner,
610 iptables(StrEq("filter"), ElementsAre("-F", "FORWARD", "-w"),
611 true, nullptr));
612 EXPECT_CALL(runner,
613 ip6tables(StrEq("filter"), ElementsAre("-F", "FORWARD", "-w"),
614 true, nullptr));
615 EXPECT_CALL(runner,
616 iptables(StrEq("mangle"), ElementsAre("-F", "FORWARD", "-w"),
617 true, nullptr));
618 EXPECT_CALL(runner,
619 ip6tables(StrEq("mangle"), ElementsAre("-F", "FORWARD", "-w"),
620 true, nullptr));
621 EXPECT_CALL(runner,
622 iptables(StrEq("mangle"), ElementsAre("-F", "INPUT", "-w"), true,
623 nullptr));
624 EXPECT_CALL(runner,
625 ip6tables(StrEq("mangle"), ElementsAre("-F", "INPUT", "-w"), true,
626 nullptr));
627 EXPECT_CALL(runner,
628 iptables(StrEq("mangle"), ElementsAre("-F", "OUTPUT", "-w"), true,
629 nullptr));
630 EXPECT_CALL(runner,
631 ip6tables(StrEq("mangle"), ElementsAre("-F", "OUTPUT", "-w"),
632 true, nullptr));
633 EXPECT_CALL(runner,
634 iptables(StrEq("mangle"), ElementsAre("-F", "POSTROUTING", "-w"),
635 true, nullptr));
636 EXPECT_CALL(runner,
637 ip6tables(StrEq("mangle"), ElementsAre("-F", "POSTROUTING", "-w"),
638 true, nullptr));
639 EXPECT_CALL(runner,
640 iptables(StrEq("mangle"), ElementsAre("-F", "PREROUTING", "-w"),
641 true, nullptr));
642 EXPECT_CALL(runner,
643 ip6tables(StrEq("mangle"), ElementsAre("-F", "PREROUTING", "-w"),
644 true, nullptr));
Hugo Benichibf811c62020-09-07 17:30:45 +0900[diff] [blame]645 EXPECT_CALL(runner,
646 iptables(StrEq("mangle"),
Hugo Benichi91ee09f2020-12-03 22:24:22 +0900[diff] [blame^]647 ElementsAre("-L", "apply_local_source_mark", "-w"),
648 false, nullptr));
Hugo Benichibf811c62020-09-07 17:30:45 +0900[diff] [blame]649 EXPECT_CALL(runner,
Hugo Benichi91ee09f2020-12-03 22:24:22 +0900[diff] [blame^]650 ip6tables(StrEq("mangle"),
651 ElementsAre("-L", "apply_local_source_mark", "-w"),
652 false, nullptr));
Hugo Benichi3a9162b2020-09-09 15:47:40 +0900[diff] [blame]653 EXPECT_CALL(runner,
654 iptables(StrEq("mangle"),
655 ElementsAre("-F", "apply_local_source_mark", "-w"), true,
656 nullptr));
657 EXPECT_CALL(runner,
Hugo Benichi3a9162b2020-09-09 15:47:40 +0900[diff] [blame]658 ip6tables(StrEq("mangle"),
659 ElementsAre("-F", "apply_local_source_mark", "-w"),
660 true, nullptr));
661 EXPECT_CALL(runner,
Hugo Benichi91ee09f2020-12-03 22:24:22 +0900[diff] [blame^]662 iptables(StrEq("mangle"),
663 ElementsAre("-X", "apply_local_source_mark", "-w"), true,
664 nullptr));
665 EXPECT_CALL(runner,
Hugo Benichi3a9162b2020-09-09 15:47:40 +0900[diff] [blame]666 ip6tables(StrEq("mangle"),
667 ElementsAre("-X", "apply_local_source_mark", "-w"),
668 true, nullptr));
Hugo Benichi3ef370b2020-11-16 19:07:17 +0900[diff] [blame]669 EXPECT_CALL(runner, iptables(StrEq("mangle"),
Hugo Benichi91ee09f2020-12-03 22:24:22 +0900[diff] [blame^]670 ElementsAre("-L", "apply_vpn_mark", "-w"), false,
671 nullptr));
672 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
673 ElementsAre("-L", "apply_vpn_mark", "-w"),
674 false, nullptr));
Hugo Benichi3ef370b2020-11-16 19:07:17 +0900[diff] [blame]675 EXPECT_CALL(runner, iptables(StrEq("mangle"),
676 ElementsAre("-F", "apply_vpn_mark", "-w"), true,
677 nullptr));
Hugo Benichi91ee09f2020-12-03 22:24:22 +0900[diff] [blame^]678 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
679 ElementsAre("-F", "apply_vpn_mark", "-w"), true,
680 nullptr));
Hugo Benichi3ef370b2020-11-16 19:07:17 +0900[diff] [blame]681 EXPECT_CALL(runner, iptables(StrEq("mangle"),
682 ElementsAre("-X", "apply_vpn_mark", "-w"), true,
683 nullptr));
684 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
Hugo Benichi3ef370b2020-11-16 19:07:17 +0900[diff] [blame]685 ElementsAre("-X", "apply_vpn_mark", "-w"), true,
686 nullptr));
Hugo Benichi155de002021-01-19 16:45:46 +0900[diff] [blame]687 EXPECT_CALL(runner, iptables(StrEq("mangle"),
Hugo Benichi91ee09f2020-12-03 22:24:22 +0900[diff] [blame^]688 ElementsAre("-L", "check_routing_mark", "-w"),
689 false, nullptr));
690 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
691 ElementsAre("-L", "check_routing_mark", "-w"),
692 false, nullptr));
Hugo Benichi155de002021-01-19 16:45:46 +0900[diff] [blame]693 EXPECT_CALL(runner, iptables(StrEq("mangle"),
694 ElementsAre("-F", "check_routing_mark", "-w"),
695 true, nullptr));
Hugo Benichi91ee09f2020-12-03 22:24:22 +0900[diff] [blame^]696 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
697 ElementsAre("-F", "check_routing_mark", "-w"),
698 true, nullptr));
Hugo Benichi155de002021-01-19 16:45:46 +0900[diff] [blame]699 EXPECT_CALL(runner, iptables(StrEq("mangle"),
700 ElementsAre("-X", "check_routing_mark", "-w"),
701 true, nullptr));
702 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
Hugo Benichi155de002021-01-19 16:45:46 +0900[diff] [blame]703 ElementsAre("-X", "check_routing_mark", "-w"),
704 true, nullptr));
Hugo Benichi91ee09f2020-12-03 22:24:22 +0900[diff] [blame^]705 EXPECT_CALL(runner,
706 iptables(StrEq("filter"),
707 ElementsAre("-L", "drop_guest_ipv4_prefix", "-w"), false,
708 nullptr));
709 EXPECT_CALL(runner,
710 iptables(StrEq("filter"),
711 ElementsAre("-F", "drop_guest_ipv4_prefix", "-w"), true,
712 nullptr));
713 EXPECT_CALL(runner,
714 iptables(StrEq("filter"),
715 ElementsAre("-X", "drop_guest_ipv4_prefix", "-w"), true,
716 nullptr));
717 EXPECT_CALL(runner,
718 iptables(StrEq("nat"), ElementsAre("-F", "POSTROUTING", "-w"),
719 true, nullptr));
Hugo Benichibf811c62020-09-07 17:30:45 +0900[diff] [blame]720
721 Datapath datapath(&runner, &firewall);
722 datapath.Stop();
723}
724
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]725TEST(DatapathTest, AddTAP) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]726 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]727 MockFirewall firewall;
728 Datapath datapath(&runner, &firewall, ioctl_req_cap);
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]729 MacAddress mac = {1, 2, 3, 4, 5, 6};
Qijiang Fane90b8792020-03-09 16:15:41 +0900[diff] [blame]730 Subnet subnet(Ipv4Addr(100, 115, 92, 4), 30, base::DoNothing());
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]731 auto addr = subnet.AllocateAtOffset(0);
Garrick Evans4f9f5572019-11-26 10:25:16 +0900[diff] [blame]732 auto ifname = datapath.AddTAP("foo0", &mac, addr.get(), "");
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]733 EXPECT_EQ(ifname, "foo0");
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]734 std::vector<ioctl_req_t> expected = {
735 TUNSETIFF, TUNSETPERSIST, SIOCSIFADDR, SIOCSIFNETMASK,
736 SIOCSIFHWADDR, SIOCGIFFLAGS, SIOCSIFFLAGS};
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]737 EXPECT_EQ(ioctl_reqs, expected);
738 ioctl_reqs.clear();
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]739 ioctl_rtentry_args.clear();
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]740}
741
742TEST(DatapathTest, AddTAPWithOwner) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]743 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]744 MockFirewall firewall;
745 Datapath datapath(&runner, &firewall, ioctl_req_cap);
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]746 MacAddress mac = {1, 2, 3, 4, 5, 6};
Qijiang Fane90b8792020-03-09 16:15:41 +0900[diff] [blame]747 Subnet subnet(Ipv4Addr(100, 115, 92, 4), 30, base::DoNothing());
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]748 auto addr = subnet.AllocateAtOffset(0);
Garrick Evans4f9f5572019-11-26 10:25:16 +0900[diff] [blame]749 auto ifname = datapath.AddTAP("foo0", &mac, addr.get(), "root");
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]750 EXPECT_EQ(ifname, "foo0");
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]751 std::vector<ioctl_req_t> expected = {
752 TUNSETIFF, TUNSETPERSIST, TUNSETOWNER, SIOCSIFADDR,
753 SIOCSIFNETMASK, SIOCSIFHWADDR, SIOCGIFFLAGS, SIOCSIFFLAGS};
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]754 EXPECT_EQ(ioctl_reqs, expected);
755 ioctl_reqs.clear();
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]756 ioctl_rtentry_args.clear();
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]757}
758
Garrick Evans621ed262019-11-13 12:28:43 +0900[diff] [blame]759TEST(DatapathTest, AddTAPNoAddrs) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]760 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]761 MockFirewall firewall;
762 Datapath datapath(&runner, &firewall, ioctl_req_cap);
Garrick Evans4f9f5572019-11-26 10:25:16 +0900[diff] [blame]763 auto ifname = datapath.AddTAP("foo0", nullptr, nullptr, "");
Garrick Evans621ed262019-11-13 12:28:43 +0900[diff] [blame]764 EXPECT_EQ(ifname, "foo0");
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]765 std::vector<ioctl_req_t> expected = {TUNSETIFF, TUNSETPERSIST, SIOCGIFFLAGS,
766 SIOCSIFFLAGS};
Garrick Evans621ed262019-11-13 12:28:43 +0900[diff] [blame]767 EXPECT_EQ(ioctl_reqs, expected);
768 ioctl_reqs.clear();
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]769 ioctl_rtentry_args.clear();
Garrick Evans621ed262019-11-13 12:28:43 +0900[diff] [blame]770}
771
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]772TEST(DatapathTest, RemoveTAP) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]773 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]774 MockFirewall firewall;
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]775 EXPECT_CALL(runner, ip(StrEq("tuntap"), StrEq("del"),
776 ElementsAre("foo0", "mode", "tap"), true));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]777 Datapath datapath(&runner, &firewall);
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]778 datapath.RemoveTAP("foo0");
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]779}
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]780
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]781TEST(DatapathTest, NetnsAttachName) {
782 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]783 MockFirewall firewall;
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]784 EXPECT_CALL(runner, ip_netns_delete(StrEq("netns_foo"), false));
785 EXPECT_CALL(runner, ip_netns_attach(StrEq("netns_foo"), 1234, true));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]786 Datapath datapath(&runner, &firewall);
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]787 EXPECT_TRUE(datapath.NetnsAttachName("netns_foo", 1234));
788}
789
790TEST(DatapathTest, NetnsDeleteName) {
791 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]792 MockFirewall firewall;
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]793 EXPECT_CALL(runner, ip_netns_delete(StrEq("netns_foo"), true));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]794 Datapath datapath(&runner, &firewall);
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]795 EXPECT_TRUE(datapath.NetnsDeleteName("netns_foo"));
796}
797
Garrick Evans8a949dc2019-07-18 16:17:53 +0900[diff] [blame]798TEST(DatapathTest, AddBridge) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]799 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]800 MockFirewall firewall;
801 Datapath datapath(&runner, &firewall);
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]802 EXPECT_CALL(runner, brctl(StrEq("addbr"), ElementsAre("br"), true));
Garrick Evans6f4fa3a2020-02-10 16:15:09 +0900[diff] [blame]803 EXPECT_CALL(
804 runner,
805 ip(StrEq("addr"), StrEq("add"),
806 ElementsAre("1.1.1.1/30", "brd", "1.1.1.3", "dev", "br"), true));
Garrick Evans7a1a9ee2020-01-28 11:03:57 +0900[diff] [blame]807 EXPECT_CALL(runner,
808 ip(StrEq("link"), StrEq("set"), ElementsAre("br", "up"), true));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]809 EXPECT_CALL(runner, iptables(StrEq("mangle"),
810 ElementsAre("-A", "PREROUTING", "-i", "br", "-j",
Hugo Benichi6c445322020-08-12 16:46:19 +0900[diff] [blame]811 "MARK", "--set-mark", "1/1", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]812 true, nullptr));
Garrick Evans7a1a9ee2020-01-28 11:03:57 +0900[diff] [blame]813 datapath.AddBridge("br", Ipv4Addr(1, 1, 1, 1), 30);
Garrick Evans8a949dc2019-07-18 16:17:53 +0900[diff] [blame]814}
815
Hugo Benichi76675592020-04-08 14:29:57 +0900[diff] [blame]816TEST(DatapathTest, ConnectVethPair) {
817 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]818 MockFirewall firewall;
Hugo Benichi76675592020-04-08 14:29:57 +0900[diff] [blame]819 EXPECT_CALL(runner, ip(StrEq("link"), StrEq("add"),
820 ElementsAre("veth_foo", "type", "veth", "peer", "name",
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]821 "peer_foo", "netns", "netns_foo"),
Hugo Benichi76675592020-04-08 14:29:57 +0900[diff] [blame]822 true));
823 EXPECT_CALL(runner, ip(StrEq("addr"), StrEq("add"),
824 ElementsAre("100.115.92.169/30", "brd",
825 "100.115.92.171", "dev", "peer_foo"),
826 true))
827 .WillOnce(Return(0));
828 EXPECT_CALL(runner, ip(StrEq("link"), StrEq("set"),
829 ElementsAre("dev", "peer_foo", "up", "addr",
830 "01:02:03:04:05:06", "multicast", "on"),
831 true))
832 .WillOnce(Return(0));
Hugo Benichi76675592020-04-08 14:29:57 +0900[diff] [blame]833 EXPECT_CALL(runner, ip(StrEq("link"), StrEq("set"),
834 ElementsAre("veth_foo", "up"), true));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]835 Datapath datapath(&runner, &firewall);
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]836 EXPECT_TRUE(datapath.ConnectVethPair(kTestPID, "netns_foo", "veth_foo",
837 "peer_foo", {1, 2, 3, 4, 5, 6},
Hugo Benichi76675592020-04-08 14:29:57 +0900[diff] [blame]838 Ipv4Addr(100, 115, 92, 169), 30, true));
839}
840
Garrick Evans2470caa2020-03-04 14:15:41 +0900[diff] [blame]841TEST(DatapathTest, AddVirtualInterfacePair) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]842 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]843 MockFirewall firewall;
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]844 EXPECT_CALL(runner, ip(StrEq("link"), StrEq("add"),
845 ElementsAre("veth_foo", "type", "veth", "peer", "name",
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]846 "peer_foo", "netns", "netns_foo"),
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]847 true));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]848 Datapath datapath(&runner, &firewall);
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]849 EXPECT_TRUE(
850 datapath.AddVirtualInterfacePair("netns_foo", "veth_foo", "peer_foo"));
Garrick Evans2470caa2020-03-04 14:15:41 +0900[diff] [blame]851}
852
853TEST(DatapathTest, ToggleInterface) {
854 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]855 MockFirewall firewall;
Garrick Evans2470caa2020-03-04 14:15:41 +0900[diff] [blame]856 EXPECT_CALL(runner,
857 ip(StrEq("link"), StrEq("set"), ElementsAre("foo", "up"), true));
Garrick Evans7a1a9ee2020-01-28 11:03:57 +0900[diff] [blame]858 EXPECT_CALL(runner, ip(StrEq("link"), StrEq("set"),
Garrick Evans2470caa2020-03-04 14:15:41 +0900[diff] [blame]859 ElementsAre("bar", "down"), true));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]860 Datapath datapath(&runner, &firewall);
Garrick Evans2470caa2020-03-04 14:15:41 +0900[diff] [blame]861 EXPECT_TRUE(datapath.ToggleInterface("foo", true));
862 EXPECT_TRUE(datapath.ToggleInterface("bar", false));
863}
864
865TEST(DatapathTest, ConfigureInterface) {
866 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]867 MockFirewall firewall;
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]868 EXPECT_CALL(
869 runner,
Garrick Evans2470caa2020-03-04 14:15:41 +0900[diff] [blame]870 ip(StrEq("addr"), StrEq("add"),
871 ElementsAre("1.1.1.1/30", "brd", "1.1.1.3", "dev", "foo"), true))
872 .WillOnce(Return(0));
873 EXPECT_CALL(runner, ip(StrEq("link"), StrEq("set"),
874 ElementsAre("dev", "foo", "up", "addr",
875 "02:02:02:02:02:02", "multicast", "on"),
876 true))
877 .WillOnce(Return(0));
878
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]879 Datapath datapath(&runner, &firewall);
Garrick Evans2470caa2020-03-04 14:15:41 +0900[diff] [blame]880 MacAddress mac_addr = {2, 2, 2, 2, 2, 2};
881 EXPECT_TRUE(datapath.ConfigureInterface("foo", mac_addr, Ipv4Addr(1, 1, 1, 1),
882 30, true, true));
Garrick Evans54861622019-07-19 09:05:09 +0900[diff] [blame]883}
884
885TEST(DatapathTest, RemoveInterface) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]886 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]887 MockFirewall firewall;
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]888 EXPECT_CALL(runner,
889 ip(StrEq("link"), StrEq("delete"), ElementsAre("foo"), false));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]890 Datapath datapath(&runner, &firewall);
Garrick Evans54861622019-07-19 09:05:09 +0900[diff] [blame]891 datapath.RemoveInterface("foo");
Garrick Evans54861622019-07-19 09:05:09 +0900[diff] [blame]892}
893
Garrick Evans8a949dc2019-07-18 16:17:53 +0900[diff] [blame]894TEST(DatapathTest, RemoveBridge) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]895 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]896 MockFirewall firewall;
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]897 EXPECT_CALL(runner, iptables(StrEq("mangle"),
898 ElementsAre("-D", "PREROUTING", "-i", "br", "-j",
Hugo Benichi6c445322020-08-12 16:46:19 +0900[diff] [blame]899 "MARK", "--set-mark", "1/1", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]900 true, nullptr));
Garrick Evans7a1a9ee2020-01-28 11:03:57 +0900[diff] [blame]901 EXPECT_CALL(runner,
902 ip(StrEq("link"), StrEq("set"), ElementsAre("br", "down"), true));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]903 EXPECT_CALL(runner, brctl(StrEq("delbr"), ElementsAre("br"), true));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]904 Datapath datapath(&runner, &firewall);
Garrick Evans8a949dc2019-07-18 16:17:53 +0900[diff] [blame]905 datapath.RemoveBridge("br");
Garrick Evans8a949dc2019-07-18 16:17:53 +0900[diff] [blame]906}
907
Hugo Benichi321f23b2020-09-25 15:42:05 +0900[diff] [blame]908TEST(DatapathTest, AddRemoveSourceIPv4DropRule) {
909 MockProcessRunner runner;
910 MockFirewall firewall;
911 EXPECT_CALL(runner,
912 iptables(StrEq("filter"),
Hugo Benichi91ee09f2020-12-03 22:24:22 +0900[diff] [blame^]913 ElementsAre("-I", "drop_guest_ipv4_prefix", "-o", "eth+",
914 "-s", "100.115.92.0/24", "-j", "DROP", "-w"),
Hugo Benichi321f23b2020-09-25 15:42:05 +0900[diff] [blame]915 true, nullptr));
916 EXPECT_CALL(runner,
917 iptables(StrEq("filter"),
Hugo Benichi91ee09f2020-12-03 22:24:22 +0900[diff] [blame^]918 ElementsAre("-D", "drop_guest_ipv4_prefix", "-o", "eth+",
919 "-s", "100.115.92.0/24", "-j", "DROP", "-w"),
Hugo Benichi321f23b2020-09-25 15:42:05 +0900[diff] [blame]920 true, nullptr));
921 Datapath datapath(&runner, &firewall);
922 datapath.AddSourceIPv4DropRule("eth+", "100.115.92.0/24");
923 datapath.RemoveSourceIPv4DropRule("eth+", "100.115.92.0/24");
924}
925
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]926TEST(DatapathTest, StartRoutingNamespace) {
927 MockProcessRunner runner;
928 MockFirewall firewall;
929 MacAddress mac = {1, 2, 3, 4, 5, 6};
930
931 EXPECT_CALL(runner, ip_netns_delete(StrEq("netns_foo"), false));
932 EXPECT_CALL(runner, ip_netns_attach(StrEq("netns_foo"), kTestPID, true));
933 EXPECT_CALL(runner, ip(StrEq("link"), StrEq("add"),
934 ElementsAre("arc_ns0", "type", "veth", "peer", "name",
935 "veth0", "netns", "netns_foo"),
936 true));
937 EXPECT_CALL(runner, ip(StrEq("addr"), StrEq("add"),
938 ElementsAre("100.115.92.130/30", "brd",
939 "100.115.92.131", "dev", "veth0"),
940 true))
941 .WillOnce(Return(0));
942 EXPECT_CALL(runner, ip(StrEq("link"), StrEq("set"),
943 ElementsAre("dev", "veth0", "up", "addr",
944 "01:02:03:04:05:06", "multicast", "off"),
945 true))
946 .WillOnce(Return(0));
947 EXPECT_CALL(runner, ip(StrEq("link"), StrEq("set"),
948 ElementsAre("arc_ns0", "up"), true));
949 EXPECT_CALL(runner, ip(StrEq("addr"), StrEq("add"),
950 ElementsAre("100.115.92.129/30", "brd",
951 "100.115.92.131", "dev", "arc_ns0"),
952 true))
953 .WillOnce(Return(0));
954 EXPECT_CALL(runner, ip(StrEq("link"), StrEq("set"),
955 ElementsAre("dev", "arc_ns0", "up", "addr",
956 "01:02:03:04:05:06", "multicast", "off"),
957 true))
958 .WillOnce(Return(0));
959 EXPECT_CALL(runner, iptables(StrEq("filter"),
960 ElementsAre("-A", "FORWARD", "-o", "arc_ns0",
961 "-j", "ACCEPT", "-w"),
962 true, nullptr));
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame]963 EXPECT_CALL(runner, iptables(StrEq("filter"),
964 ElementsAre("-A", "FORWARD", "-i", "arc_ns0",
965 "-j", "ACCEPT", "-w"),
966 true, nullptr));
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]967 EXPECT_CALL(runner,
968 iptables(StrEq("mangle"),
969 ElementsAre("-A", "PREROUTING", "-i", "arc_ns0", "-j",
970 "MARK", "--set-mark", "1/1", "-w"),
971 true, nullptr));
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame]972 EXPECT_CALL(runner, iptables(StrEq("mangle"),
973 ElementsAre("-A", "PREROUTING", "-i", "arc_ns0",
974 "-j", "MARK", "--set-mark",
975 "0x00000200/0x00003f00", "-w"),
976 true, nullptr));
977 EXPECT_CALL(runner, iptables(StrEq("mangle"),
978 ElementsAre("-A", "PREROUTING", "-i", "arc_ns0",
979 "-j", "CONNMARK", "--restore-mark",
980 "--mask", "0xffff0000", "-w"),
981 true, nullptr));
982 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
983 ElementsAre("-A", "PREROUTING", "-i", "arc_ns0",
984 "-j", "MARK", "--set-mark",
985 "0x00000200/0x00003f00", "-w"),
986 true, nullptr));
987 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
988 ElementsAre("-A", "PREROUTING", "-i", "arc_ns0",
989 "-j", "CONNMARK", "--restore-mark",
990 "--mask", "0xffff0000", "-w"),
991 true, nullptr));
992 EXPECT_CALL(runner, iptables(StrEq("mangle"),
993 ElementsAre("-A", "PREROUTING", "-i", "arc_ns0",
994 "-j", "apply_vpn_mark", "-w"),
995 true, nullptr));
996 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
997 ElementsAre("-A", "PREROUTING", "-i", "arc_ns0",
998 "-j", "apply_vpn_mark", "-w"),
999 true, nullptr));
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]1000
Hugo Benichifcf81022020-12-04 11:01:37 +0900[diff] [blame]1001 ConnectedNamespace nsinfo = {};
1002 nsinfo.pid = kTestPID;
1003 nsinfo.netns_name = "netns_foo";
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame]1004 nsinfo.source = TrafficSource::USER;
Hugo Benichifcf81022020-12-04 11:01:37 +0900[diff] [blame]1005 nsinfo.outbound_ifname = "";
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame]1006 nsinfo.route_on_vpn = true;
Hugo Benichifcf81022020-12-04 11:01:37 +0900[diff] [blame]1007 nsinfo.host_ifname = "arc_ns0";
1008 nsinfo.peer_ifname = "veth0";
1009 nsinfo.peer_subnet = std::make_unique<Subnet>(Ipv4Addr(100, 115, 92, 128), 30,
1010 base::DoNothing());
1011 nsinfo.peer_mac_addr = mac;
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]1012 Datapath datapath(&runner, &firewall, (ioctl_t)ioctl_rtentry_cap);
Hugo Benichifcf81022020-12-04 11:01:37 +0900[diff] [blame]1013 datapath.StartRoutingNamespace(nsinfo);
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]1014 ioctl_reqs.clear();
1015 ioctl_rtentry_args.clear();
1016}
1017
1018TEST(DatapathTest, StopRoutingNamespace) {
1019 MockProcessRunner runner;
1020 MockFirewall firewall;
1021
1022 EXPECT_CALL(runner, iptables(StrEq("filter"),
1023 ElementsAre("-D", "FORWARD", "-o", "arc_ns0",
1024 "-j", "ACCEPT", "-w"),
1025 true, nullptr));
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame]1026 EXPECT_CALL(runner, iptables(StrEq("filter"),
1027 ElementsAre("-D", "FORWARD", "-i", "arc_ns0",
1028 "-j", "ACCEPT", "-w"),
1029 true, nullptr));
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]1030 EXPECT_CALL(runner,
1031 iptables(StrEq("mangle"),
1032 ElementsAre("-D", "PREROUTING", "-i", "arc_ns0", "-j",
1033 "MARK", "--set-mark", "1/1", "-w"),
1034 true, nullptr));
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame]1035 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1036 ElementsAre("-D", "PREROUTING", "-i", "arc_ns0",
1037 "-j", "MARK", "--set-mark",
1038 "0x00000200/0x00003f00", "-w"),
1039 true, nullptr));
1040 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1041 ElementsAre("-D", "PREROUTING", "-i", "arc_ns0",
1042 "-j", "CONNMARK", "--restore-mark",
1043 "--mask", "0xffff0000", "-w"),
1044 true, nullptr));
1045 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1046 ElementsAre("-D", "PREROUTING", "-i", "arc_ns0",
1047 "-j", "MARK", "--set-mark",
1048 "0x00000200/0x00003f00", "-w"),
1049 true, nullptr));
1050 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1051 ElementsAre("-D", "PREROUTING", "-i", "arc_ns0",
1052 "-j", "CONNMARK", "--restore-mark",
1053 "--mask", "0xffff0000", "-w"),
1054 true, nullptr));
1055 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1056 ElementsAre("-D", "PREROUTING", "-i", "arc_ns0",
1057 "-j", "apply_vpn_mark", "-w"),
1058 true, nullptr));
1059 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1060 ElementsAre("-D", "PREROUTING", "-i", "arc_ns0",
1061 "-j", "apply_vpn_mark", "-w"),
1062 true, nullptr));
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]1063 EXPECT_CALL(runner, ip_netns_delete(StrEq("netns_foo"), true));
1064 EXPECT_CALL(runner, ip(StrEq("link"), StrEq("delete"), ElementsAre("arc_ns0"),
1065 false));
1066
Hugo Benichifcf81022020-12-04 11:01:37 +0900[diff] [blame]1067 ConnectedNamespace nsinfo = {};
1068 nsinfo.pid = kTestPID;
1069 nsinfo.netns_name = "netns_foo";
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame]1070 nsinfo.source = TrafficSource::USER;
Hugo Benichifcf81022020-12-04 11:01:37 +0900[diff] [blame]1071 nsinfo.outbound_ifname = "";
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame]1072 nsinfo.route_on_vpn = true;
Hugo Benichifcf81022020-12-04 11:01:37 +0900[diff] [blame]1073 nsinfo.host_ifname = "arc_ns0";
1074 nsinfo.peer_ifname = "veth0";
1075 nsinfo.peer_subnet = std::make_unique<Subnet>(Ipv4Addr(100, 115, 92, 128), 30,
1076 base::DoNothing());
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]1077 Datapath datapath(&runner, &firewall);
Hugo Benichifcf81022020-12-04 11:01:37 +0900[diff] [blame]1078 datapath.StopRoutingNamespace(nsinfo);
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]1079}
1080
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]1081TEST(DatapathTest, StartRoutingDevice_Arc) {
1082 MockProcessRunner runner;
1083 MockFirewall firewall;
1084 EXPECT_CALL(runner, iptables(StrEq("nat"),
1085 ElementsAre("-A", "PREROUTING", "-i", "eth0",
1086 "-m", "socket", "--nowildcard", "-j",
1087 "ACCEPT", "-w"),
1088 true, nullptr));
1089 EXPECT_CALL(runner, iptables(StrEq("nat"),
1090 ElementsAre("-A", "PREROUTING", "-i", "eth0",
1091 "-p", "tcp", "-j", "DNAT",
1092 "--to-destination", "1.2.3.4", "-w"),
1093 true, nullptr));
1094 EXPECT_CALL(runner, iptables(StrEq("nat"),
1095 ElementsAre("-A", "PREROUTING", "-i", "eth0",
1096 "-p", "udp", "-j", "DNAT",
1097 "--to-destination", "1.2.3.4", "-w"),
1098 true, nullptr));
1099 EXPECT_CALL(runner, iptables(StrEq("filter"),
Hugo Benichic6ae67c2020-08-14 15:02:13 +0900[diff] [blame]1100 ElementsAre("-A", "FORWARD", "-i", "eth0", "-o",
1101 "arc_eth0", "-j", "ACCEPT", "-w"),
1102 true, nullptr));
1103 EXPECT_CALL(runner, iptables(StrEq("filter"),
1104 ElementsAre("-A", "FORWARD", "-i", "arc_eth0",
1105 "-o", "eth0", "-j", "ACCEPT", "-w"),
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]1106 true, nullptr));
Hugo Benichi9be19b12020-08-14 15:33:40 +0900[diff] [blame]1107 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1108 ElementsAre("-A", "PREROUTING", "-i", "arc_eth0",
1109 "-j", "MARK", "--set-mark",
1110 "0x00002000/0x00003f00", "-w"),
1111 true, nullptr));
Hugo Benichiaf9d8a72020-08-26 13:28:13 +0900[diff] [blame]1112 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1113 ElementsAre("-A", "PREROUTING", "-i", "arc_eth0",
1114 "-j", "MARK", "--set-mark",
1115 "0x03ea0000/0xffff0000", "-w"),
1116 true, nullptr));
Hugo Benichi5c9c11c2020-09-15 17:25:26 +0900[diff] [blame]1117 EXPECT_CALL(
1118 runner,
1119 ip6tables(StrEq("mangle"),
1120 ElementsAre("-A", "PREROUTING", "-i", "arc_eth0", "-j", "MARK",
1121 "--set-mark", "0x00002000/0x00003f00", "-w"),
1122 true, nullptr));
Hugo Benichiaf9d8a72020-08-26 13:28:13 +0900[diff] [blame]1123 EXPECT_CALL(
1124 runner,
1125 ip6tables(StrEq("mangle"),
1126 ElementsAre("-A", "PREROUTING", "-i", "arc_eth0", "-j", "MARK",
1127 "--set-mark", "0x03ea0000/0xffff0000", "-w"),
1128 true, nullptr));
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]1129
1130 Datapath datapath(&runner, &firewall);
Hugo Benichiaf9d8a72020-08-26 13:28:13 +0900[diff] [blame]1131 datapath.SetIfnameIndex("eth0", 2);
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]1132 datapath.StartRoutingDevice("eth0", "arc_eth0", Ipv4Addr(1, 2, 3, 4),
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame]1133 TrafficSource::ARC, false);
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]1134}
1135
1136TEST(DatapathTest, StartRoutingDevice_CrosVM) {
1137 MockProcessRunner runner;
1138 MockFirewall firewall;
1139 EXPECT_CALL(runner, iptables(StrEq("filter"),
1140 ElementsAre("-A", "FORWARD", "-o", "vmtap0",
1141 "-j", "ACCEPT", "-w"),
1142 true, nullptr));
Hugo Benichic6ae67c2020-08-14 15:02:13 +0900[diff] [blame]1143 EXPECT_CALL(runner, iptables(StrEq("filter"),
1144 ElementsAre("-A", "FORWARD", "-i", "vmtap0",
1145 "-j", "ACCEPT", "-w"),
1146 true, nullptr));
Hugo Benichi9be19b12020-08-14 15:33:40 +0900[diff] [blame]1147 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1148 ElementsAre("-A", "PREROUTING", "-i", "vmtap0",
1149 "-j", "MARK", "--set-mark",
1150 "0x00002100/0x00003f00", "-w"),
1151 true, nullptr));
Hugo Benichiaf9d8a72020-08-26 13:28:13 +0900[diff] [blame]1152 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1153 ElementsAre("-A", "PREROUTING", "-i", "vmtap0",
1154 "-j", "CONNMARK", "--restore-mark",
1155 "--mask", "0xffff0000", "-w"),
1156 true, nullptr));
Hugo Benichi5c9c11c2020-09-15 17:25:26 +0900[diff] [blame]1157 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1158 ElementsAre("-A", "PREROUTING", "-i", "vmtap0",
1159 "-j", "MARK", "--set-mark",
1160 "0x00002100/0x00003f00", "-w"),
1161 true, nullptr));
Hugo Benichiaf9d8a72020-08-26 13:28:13 +0900[diff] [blame]1162 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1163 ElementsAre("-A", "PREROUTING", "-i", "vmtap0",
1164 "-j", "CONNMARK", "--restore-mark",
1165 "--mask", "0xffff0000", "-w"),
1166 true, nullptr));
Hugo Benichi3ef370b2020-11-16 19:07:17 +0900[diff] [blame]1167 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1168 ElementsAre("-A", "PREROUTING", "-i", "vmtap0",
1169 "-j", "apply_vpn_mark", "-w"),
1170 true, nullptr));
1171 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1172 ElementsAre("-A", "PREROUTING", "-i", "vmtap0",
1173 "-j", "apply_vpn_mark", "-w"),
1174 true, nullptr));
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]1175
1176 Datapath datapath(&runner, &firewall);
1177 datapath.StartRoutingDevice("", "vmtap0", Ipv4Addr(1, 2, 3, 4),
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame]1178 TrafficSource::CROSVM, true);
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]1179}
1180
1181TEST(DatapathTest, StopRoutingDevice_Arc) {
1182 MockProcessRunner runner;
1183 MockFirewall firewall;
1184 EXPECT_CALL(runner, iptables(StrEq("nat"),
1185 ElementsAre("-D", "PREROUTING", "-i", "eth0",
1186 "-m", "socket", "--nowildcard", "-j",
1187 "ACCEPT", "-w"),
1188 true, nullptr));
1189 EXPECT_CALL(runner, iptables(StrEq("nat"),
1190 ElementsAre("-D", "PREROUTING", "-i", "eth0",
1191 "-p", "tcp", "-j", "DNAT",
1192 "--to-destination", "1.2.3.4", "-w"),
1193 true, nullptr));
1194 EXPECT_CALL(runner, iptables(StrEq("nat"),
1195 ElementsAre("-D", "PREROUTING", "-i", "eth0",
1196 "-p", "udp", "-j", "DNAT",
1197 "--to-destination", "1.2.3.4", "-w"),
1198 true, nullptr));
1199 EXPECT_CALL(runner, iptables(StrEq("filter"),
Hugo Benichic6ae67c2020-08-14 15:02:13 +0900[diff] [blame]1200 ElementsAre("-D", "FORWARD", "-i", "eth0", "-o",
1201 "arc_eth0", "-j", "ACCEPT", "-w"),
1202 true, nullptr));
1203 EXPECT_CALL(runner, iptables(StrEq("filter"),
1204 ElementsAre("-D", "FORWARD", "-i", "arc_eth0",
1205 "-o", "eth0", "-j", "ACCEPT", "-w"),
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]1206 true, nullptr));
Hugo Benichi9be19b12020-08-14 15:33:40 +0900[diff] [blame]1207 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1208 ElementsAre("-D", "PREROUTING", "-i", "arc_eth0",
1209 "-j", "MARK", "--set-mark",
1210 "0x00002000/0x00003f00", "-w"),
1211 true, nullptr));
Hugo Benichiaf9d8a72020-08-26 13:28:13 +0900[diff] [blame]1212 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1213 ElementsAre("-D", "PREROUTING", "-i", "arc_eth0",
1214 "-j", "MARK", "--set-mark",
1215 "0x03ea0000/0xffff0000", "-w"),
1216 true, nullptr));
Hugo Benichi5c9c11c2020-09-15 17:25:26 +0900[diff] [blame]1217 EXPECT_CALL(
1218 runner,
1219 ip6tables(StrEq("mangle"),
1220 ElementsAre("-D", "PREROUTING", "-i", "arc_eth0", "-j", "MARK",
1221 "--set-mark", "0x00002000/0x00003f00", "-w"),
1222 true, nullptr));
Hugo Benichiaf9d8a72020-08-26 13:28:13 +0900[diff] [blame]1223 EXPECT_CALL(
1224 runner,
1225 ip6tables(StrEq("mangle"),
1226 ElementsAre("-D", "PREROUTING", "-i", "arc_eth0", "-j", "MARK",
1227 "--set-mark", "0x03ea0000/0xffff0000", "-w"),
1228 true, nullptr));
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]1229
1230 Datapath datapath(&runner, &firewall);
Hugo Benichiaf9d8a72020-08-26 13:28:13 +0900[diff] [blame]1231 datapath.SetIfnameIndex("eth0", 2);
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]1232 datapath.StopRoutingDevice("eth0", "arc_eth0", Ipv4Addr(1, 2, 3, 4),
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame]1233 TrafficSource::ARC, true);
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]1234}
1235
1236TEST(DatapathTest, StopRoutingDevice_CrosVM) {
1237 MockProcessRunner runner;
1238 MockFirewall firewall;
1239 EXPECT_CALL(runner, iptables(StrEq("filter"),
1240 ElementsAre("-D", "FORWARD", "-o", "vmtap0",
1241 "-j", "ACCEPT", "-w"),
1242 true, nullptr));
Hugo Benichic6ae67c2020-08-14 15:02:13 +0900[diff] [blame]1243 EXPECT_CALL(runner, iptables(StrEq("filter"),
1244 ElementsAre("-D", "FORWARD", "-i", "vmtap0",
1245 "-j", "ACCEPT", "-w"),
1246 true, nullptr));
Hugo Benichi9be19b12020-08-14 15:33:40 +0900[diff] [blame]1247 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1248 ElementsAre("-D", "PREROUTING", "-i", "vmtap0",
1249 "-j", "MARK", "--set-mark",
1250 "0x00002100/0x00003f00", "-w"),
1251 true, nullptr));
Hugo Benichiaf9d8a72020-08-26 13:28:13 +0900[diff] [blame]1252 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1253 ElementsAre("-D", "PREROUTING", "-i", "vmtap0",
1254 "-j", "CONNMARK", "--restore-mark",
1255 "--mask", "0xffff0000", "-w"),
1256 true, nullptr));
Hugo Benichi5c9c11c2020-09-15 17:25:26 +0900[diff] [blame]1257 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1258 ElementsAre("-D", "PREROUTING", "-i", "vmtap0",
1259 "-j", "MARK", "--set-mark",
1260 "0x00002100/0x00003f00", "-w"),
1261 true, nullptr));
Hugo Benichiaf9d8a72020-08-26 13:28:13 +0900[diff] [blame]1262 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1263 ElementsAre("-D", "PREROUTING", "-i", "vmtap0",
1264 "-j", "CONNMARK", "--restore-mark",
1265 "--mask", "0xffff0000", "-w"),
1266 true, nullptr));
Hugo Benichi3ef370b2020-11-16 19:07:17 +0900[diff] [blame]1267 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1268 ElementsAre("-D", "PREROUTING", "-i", "vmtap0",
1269 "-j", "apply_vpn_mark", "-w"),
1270 true, nullptr));
1271 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1272 ElementsAre("-D", "PREROUTING", "-i", "vmtap0",
1273 "-j", "apply_vpn_mark", "-w"),
1274 true, nullptr));
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]1275
1276 Datapath datapath(&runner, &firewall);
1277 datapath.StopRoutingDevice("", "vmtap0", Ipv4Addr(1, 2, 3, 4),
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame]1278 TrafficSource::CROSVM, true);
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]1279}
1280
Hugo Benichid82d8832020-08-14 10:05:03 +0900[diff] [blame]1281TEST(DatapathTest, StartStopIpForwarding) {
1282 struct {
1283 IpFamily family;
1284 std::string iif;
1285 std::string oif;
1286 std::vector<std::string> start_args;
1287 std::vector<std::string> stop_args;
1288 bool result;
1289 } testcases[] = {
1290 {IpFamily::IPv4, "", "", {}, {}, false},
1291 {IpFamily::NONE, "foo", "bar", {}, {}, false},
1292 {IpFamily::IPv4,
1293 "foo",
1294 "bar",
1295 {"-A", "FORWARD", "-i", "foo", "-o", "bar", "-j", "ACCEPT", "-w"},
1296 {"-D", "FORWARD", "-i", "foo", "-o", "bar", "-j", "ACCEPT", "-w"},
1297 true},
1298 {IpFamily::IPv4,
1299 "",
1300 "bar",
1301 {"-A", "FORWARD", "-o", "bar", "-j", "ACCEPT", "-w"},
1302 {"-D", "FORWARD", "-o", "bar", "-j", "ACCEPT", "-w"},
1303 true},
1304 {IpFamily::IPv4,
1305 "foo",
1306 "",
1307 {"-A", "FORWARD", "-i", "foo", "-j", "ACCEPT", "-w"},
1308 {"-D", "FORWARD", "-i", "foo", "-j", "ACCEPT", "-w"},
1309 true},
1310 {IpFamily::IPv6,
1311 "foo",
1312 "bar",
1313 {"-A", "FORWARD", "-i", "foo", "-o", "bar", "-j", "ACCEPT", "-w"},
1314 {"-D", "FORWARD", "-i", "foo", "-o", "bar", "-j", "ACCEPT", "-w"},
1315 true},
1316 {IpFamily::IPv6,
1317 "",
1318 "bar",
1319 {"-A", "FORWARD", "-o", "bar", "-j", "ACCEPT", "-w"},
1320 {"-D", "FORWARD", "-o", "bar", "-j", "ACCEPT", "-w"},
1321 true},
1322 {IpFamily::IPv6,
1323 "foo",
1324 "",
1325 {"-A", "FORWARD", "-i", "foo", "-j", "ACCEPT", "-w"},
1326 {"-D", "FORWARD", "-i", "foo", "-j", "ACCEPT", "-w"},
1327 true},
1328 {IpFamily::Dual,
1329 "foo",
1330 "bar",
1331 {"-A", "FORWARD", "-i", "foo", "-o", "bar", "-j", "ACCEPT", "-w"},
1332 {"-D", "FORWARD", "-i", "foo", "-o", "bar", "-j", "ACCEPT", "-w"},
1333 true},
1334 {IpFamily::Dual,
1335 "",
1336 "bar",
1337 {"-A", "FORWARD", "-o", "bar", "-j", "ACCEPT", "-w"},
1338 {"-D", "FORWARD", "-o", "bar", "-j", "ACCEPT", "-w"},
1339 true},
1340 {IpFamily::Dual,
1341 "foo",
1342 "",
1343 {"-A", "FORWARD", "-i", "foo", "-j", "ACCEPT", "-w"},
1344 {"-D", "FORWARD", "-i", "foo", "-j", "ACCEPT", "-w"},
1345 true},
1346 };
1347
1348 for (const auto& tt : testcases) {
1349 MockProcessRunner runner;
1350 MockFirewall firewall;
1351 if (tt.result) {
1352 if (tt.family & IpFamily::IPv4) {
1353 EXPECT_CALL(runner,
1354 iptables(StrEq("filter"), tt.start_args, true, nullptr))
1355 .WillOnce(Return(0));
1356 EXPECT_CALL(runner,
1357 iptables(StrEq("filter"), tt.stop_args, true, nullptr))
1358 .WillOnce(Return(0));
1359 }
1360 if (tt.family & IpFamily::IPv6) {
1361 EXPECT_CALL(runner,
1362 ip6tables(StrEq("filter"), tt.start_args, true, nullptr))
1363 .WillOnce(Return(0));
1364 EXPECT_CALL(runner,
1365 ip6tables(StrEq("filter"), tt.stop_args, true, nullptr))
1366 .WillOnce(Return(0));
1367 }
1368 }
1369 Datapath datapath(&runner, &firewall);
1370
1371 EXPECT_EQ(tt.result, datapath.StartIpForwarding(tt.family, tt.iif, tt.oif));
1372 EXPECT_EQ(tt.result, datapath.StopIpForwarding(tt.family, tt.iif, tt.oif));
1373 }
1374}
1375
Hugo Benichi76be34a2020-08-26 22:35:54 +0900[diff] [blame]1376TEST(DatapathTest, StartStopConnectionPinning) {
1377 MockProcessRunner runner;
1378 MockFirewall firewall;
Hugo Benichi1af52392020-11-27 18:09:32 +0900[diff] [blame]1379
1380 // Setup
Hugo Benichi155de002021-01-19 16:45:46 +0900[diff] [blame]1381 EXPECT_CALL(runner,
1382 iptables(StrEq("mangle"),
1383 ElementsAre("-A", "check_routing_mark", "-o", "eth0",
1384 "-m", "mark", "!", "--mark",
1385 "0x03eb0000/0xffff0000", "-j", "DROP", "-w"),
1386 true, nullptr));
1387 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1388 ElementsAre("-A", "check_routing_mark", "-o",
1389 "eth0", "-m", "mark", "!", "--mark",
1390 "0x03eb0000/0xffff0000", "-j",
1391 "DROP", "-w"),
1392 true, nullptr));
Hugo Benichi76be34a2020-08-26 22:35:54 +0900[diff] [blame]1393 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1394 ElementsAre("-A", "POSTROUTING", "-o", "eth0",
1395 "-j", "CONNMARK", "--set-mark",
1396 "0x03eb0000/0xffff0000", "-w"),
1397 true, nullptr));
Hugo Benichi76be34a2020-08-26 22:35:54 +0900[diff] [blame]1398 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1399 ElementsAre("-A", "POSTROUTING", "-o", "eth0",
1400 "-j", "CONNMARK", "--set-mark",
1401 "0x03eb0000/0xffff0000", "-w"),
1402 true, nullptr));
Hugo Benichi1af52392020-11-27 18:09:32 +0900[diff] [blame]1403 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1404 ElementsAre("-A", "POSTROUTING", "-o", "eth0",
1405 "-j", "CONNMARK", "--save-mark",
1406 "--mask", "0x00003f00", "-w"),
1407 true, nullptr));
1408 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1409 ElementsAre("-A", "POSTROUTING", "-o", "eth0",
1410 "-j", "CONNMARK", "--save-mark",
1411 "--mask", "0x00003f00", "-w"),
1412 true, nullptr));
1413 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1414 ElementsAre("-A", "PREROUTING", "-i", "eth0",
1415 "-j", "CONNMARK", "--restore-mark",
1416 "--mask", "0x00003f00", "-w"),
1417 true, nullptr));
1418 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1419 ElementsAre("-A", "PREROUTING", "-i", "eth0",
1420 "-j", "CONNMARK", "--restore-mark",
1421 "--mask", "0x00003f00", "-w"),
1422 true, nullptr));
Hugo Benichi155de002021-01-19 16:45:46 +0900[diff] [blame]1423
Hugo Benichi1af52392020-11-27 18:09:32 +0900[diff] [blame]1424 // Teardown
Hugo Benichi155de002021-01-19 16:45:46 +0900[diff] [blame]1425 EXPECT_CALL(runner,
1426 iptables(StrEq("mangle"),
1427 ElementsAre("-D", "check_routing_mark", "-o", "eth0",
1428 "-m", "mark", "!", "--mark",
1429 "0x03eb0000/0xffff0000", "-j", "DROP", "-w"),
1430 true, nullptr));
1431 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1432 ElementsAre("-D", "check_routing_mark", "-o",
1433 "eth0", "-m", "mark", "!", "--mark",
1434 "0x03eb0000/0xffff0000", "-j",
1435 "DROP", "-w"),
1436 true, nullptr));
Hugo Benichi1af52392020-11-27 18:09:32 +0900[diff] [blame]1437 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1438 ElementsAre("-D", "POSTROUTING", "-o", "eth0",
1439 "-j", "CONNMARK", "--set-mark",
1440 "0x03eb0000/0xffff0000", "-w"),
1441 true, nullptr));
Hugo Benichi76be34a2020-08-26 22:35:54 +0900[diff] [blame]1442 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1443 ElementsAre("-D", "POSTROUTING", "-o", "eth0",
1444 "-j", "CONNMARK", "--set-mark",
1445 "0x03eb0000/0xffff0000", "-w"),
1446 true, nullptr));
Hugo Benichi1af52392020-11-27 18:09:32 +0900[diff] [blame]1447 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1448 ElementsAre("-D", "POSTROUTING", "-o", "eth0",
1449 "-j", "CONNMARK", "--save-mark",
1450 "--mask", "0x00003f00", "-w"),
1451 true, nullptr));
1452 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1453 ElementsAre("-D", "POSTROUTING", "-o", "eth0",
1454 "-j", "CONNMARK", "--save-mark",
1455 "--mask", "0x00003f00", "-w"),
1456 true, nullptr));
1457 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1458 ElementsAre("-D", "PREROUTING", "-i", "eth0",
1459 "-j", "CONNMARK", "--restore-mark",
1460 "--mask", "0x00003f00", "-w"),
1461 true, nullptr));
1462 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1463 ElementsAre("-D", "PREROUTING", "-i", "eth0",
1464 "-j", "CONNMARK", "--restore-mark",
1465 "--mask", "0x00003f00", "-w"),
1466 true, nullptr));
1467
Hugo Benichi76be34a2020-08-26 22:35:54 +0900[diff] [blame]1468 Datapath datapath(&runner, &firewall);
1469 datapath.SetIfnameIndex("eth0", 3);
1470 datapath.StartConnectionPinning("eth0");
1471 datapath.StopConnectionPinning("eth0");
1472}
1473
Hugo Benichibfc49112020-12-14 12:54:44 +0900[diff] [blame]1474TEST(DatapathTest, StartStopVpnRouting_ArcVpn) {
Hugo Benichi2a940542020-10-26 18:50:49 +0900[diff] [blame]1475 MockProcessRunner runner;
1476 MockFirewall firewall;
1477
1478 // Setup
Hugo Benichi155de002021-01-19 16:45:46 +0900[diff] [blame]1479 EXPECT_CALL(runner,
1480 iptables(StrEq("mangle"),
1481 ElementsAre("-A", "check_routing_mark", "-o", "arcbr0",
1482 "-m", "mark", "!", "--mark",
1483 "0x03ed0000/0xffff0000", "-j", "DROP", "-w"),
1484 true, nullptr));
1485 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1486 ElementsAre("-A", "check_routing_mark", "-o",
1487 "arcbr0", "-m", "mark", "!",
1488 "--mark", "0x03ed0000/0xffff0000",
1489 "-j", "DROP", "-w"),
1490 true, nullptr));
Hugo Benichi2a940542020-10-26 18:50:49 +0900[diff] [blame]1491 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1492 ElementsAre("-A", "POSTROUTING", "-o", "arcbr0",
1493 "-j", "CONNMARK", "--set-mark",
1494 "0x03ed0000/0xffff0000", "-w"),
1495 true, nullptr));
1496 EXPECT_CALL(runner,
1497 iptables(StrEq("mangle"),
1498 ElementsAre("-A", "apply_vpn_mark", "-j", "MARK",
1499 "--set-mark", "0x03ed0000/0xffff0000", "-w"),
1500 true, nullptr));
1501 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1502 ElementsAre("-A", "POSTROUTING", "-o", "arcbr0",
1503 "-j", "CONNMARK", "--set-mark",
1504 "0x03ed0000/0xffff0000", "-w"),
1505 true, nullptr));
1506 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1507 ElementsAre("-A", "apply_vpn_mark", "-j",
1508 "MARK", "--set-mark",
1509 "0x03ed0000/0xffff0000", "-w"),
1510 true, nullptr));
Hugo Benichi1af52392020-11-27 18:09:32 +0900[diff] [blame]1511 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1512 ElementsAre("-A", "POSTROUTING", "-o", "arcbr0",
1513 "-j", "CONNMARK", "--save-mark",
1514 "--mask", "0x00003f00", "-w"),
1515 true, nullptr));
1516 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1517 ElementsAre("-A", "POSTROUTING", "-o", "arcbr0",
1518 "-j", "CONNMARK", "--save-mark",
1519 "--mask", "0x00003f00", "-w"),
1520 true, nullptr));
1521 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1522 ElementsAre("-A", "PREROUTING", "-i", "arcbr0",
1523 "-j", "CONNMARK", "--restore-mark",
1524 "--mask", "0x00003f00", "-w"),
1525 true, nullptr));
1526 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1527 ElementsAre("-A", "PREROUTING", "-i", "arcbr0",
1528 "-j", "CONNMARK", "--restore-mark",
1529 "--mask", "0x00003f00", "-w"),
1530 true, nullptr));
Hugo Benichi891275e2020-12-16 10:35:34 +0900[diff] [blame]1531 EXPECT_CALL(runner, iptables(StrEq("nat"),
1532 ElementsAre("-A", "POSTROUTING", "-o", "arcbr0",
1533 "-j", "MASQUERADE", "-w"),
1534 true, nullptr));
Hugo Benichi2a940542020-10-26 18:50:49 +0900[diff] [blame]1535 // Teardown
Hugo Benichi155de002021-01-19 16:45:46 +0900[diff] [blame]1536 EXPECT_CALL(runner,
1537 iptables(StrEq("mangle"),
1538 ElementsAre("-D", "check_routing_mark", "-o", "arcbr0",
1539 "-m", "mark", "!", "--mark",
1540 "0x03ed0000/0xffff0000", "-j", "DROP", "-w"),
1541 true, nullptr));
1542 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1543 ElementsAre("-D", "check_routing_mark", "-o",
1544 "arcbr0", "-m", "mark", "!",
1545 "--mark", "0x03ed0000/0xffff0000",
1546 "-j", "DROP", "-w"),
1547 true, nullptr));
Hugo Benichi2a940542020-10-26 18:50:49 +0900[diff] [blame]1548 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1549 ElementsAre("-D", "POSTROUTING", "-o", "arcbr0",
1550 "-j", "CONNMARK", "--set-mark",
1551 "0x03ed0000/0xffff0000", "-w"),
1552 true, nullptr));
1553 EXPECT_CALL(runner,
1554 iptables(StrEq("mangle"),
1555 ElementsAre("-D", "apply_vpn_mark", "-j", "MARK",
1556 "--set-mark", "0x03ed0000/0xffff0000", "-w"),
1557 true, nullptr));
1558 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1559 ElementsAre("-D", "POSTROUTING", "-o", "arcbr0",
1560 "-j", "CONNMARK", "--set-mark",
1561 "0x03ed0000/0xffff0000", "-w"),
1562 true, nullptr));
1563 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1564 ElementsAre("-D", "apply_vpn_mark", "-j",
1565 "MARK", "--set-mark",
1566 "0x03ed0000/0xffff0000", "-w"),
1567 true, nullptr));
Hugo Benichi1af52392020-11-27 18:09:32 +0900[diff] [blame]1568 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1569 ElementsAre("-D", "POSTROUTING", "-o", "arcbr0",
1570 "-j", "CONNMARK", "--save-mark",
1571 "--mask", "0x00003f00", "-w"),
1572 true, nullptr));
1573 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1574 ElementsAre("-D", "POSTROUTING", "-o", "arcbr0",
1575 "-j", "CONNMARK", "--save-mark",
1576 "--mask", "0x00003f00", "-w"),
1577 true, nullptr));
1578 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1579 ElementsAre("-D", "PREROUTING", "-i", "arcbr0",
1580 "-j", "CONNMARK", "--restore-mark",
1581 "--mask", "0x00003f00", "-w"),
1582 true, nullptr));
1583 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1584 ElementsAre("-D", "PREROUTING", "-i", "arcbr0",
1585 "-j", "CONNMARK", "--restore-mark",
1586 "--mask", "0x00003f00", "-w"),
1587 true, nullptr));
Hugo Benichi891275e2020-12-16 10:35:34 +0900[diff] [blame]1588 EXPECT_CALL(runner, iptables(StrEq("nat"),
1589 ElementsAre("-D", "POSTROUTING", "-o", "arcbr0",
1590 "-j", "MASQUERADE", "-w"),
1591 true, nullptr));
Hugo Benichi2a940542020-10-26 18:50:49 +0900[diff] [blame]1592
1593 Datapath datapath(&runner, &firewall);
1594 datapath.SetIfnameIndex("arcbr0", 5);
1595 datapath.StartVpnRouting("arcbr0");
1596 datapath.StopVpnRouting("arcbr0");
1597}
1598
Hugo Benichibfc49112020-12-14 12:54:44 +0900[diff] [blame]1599TEST(DatapathTest, StartStopVpnRouting_HostVpn) {
1600 MockProcessRunner runner;
1601 MockFirewall firewall;
1602
1603 // Setup
Hugo Benichi155de002021-01-19 16:45:46 +0900[diff] [blame]1604 EXPECT_CALL(runner,
1605 iptables(StrEq("mangle"),
1606 ElementsAre("-A", "check_routing_mark", "-o", "tun0",
1607 "-m", "mark", "!", "--mark",
1608
1609 "0x03ed0000/0xffff0000", "-j", "DROP", "-w"),
1610 true, nullptr));
1611 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1612 ElementsAre("-A", "check_routing_mark", "-o",
1613 "tun0", "-m", "mark", "!", "--mark",
1614
1615 "0x03ed0000/0xffff0000", "-j",
1616 "DROP", "-w"),
1617 true, nullptr));
Hugo Benichibfc49112020-12-14 12:54:44 +0900[diff] [blame]1618 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1619 ElementsAre("-A", "POSTROUTING", "-o", "tun0",
1620 "-j", "CONNMARK", "--set-mark",
1621 "0x03ed0000/0xffff0000", "-w"),
1622 true, nullptr));
1623 EXPECT_CALL(runner,
1624 iptables(StrEq("mangle"),
1625 ElementsAre("-A", "apply_vpn_mark", "-j", "MARK",
1626 "--set-mark", "0x03ed0000/0xffff0000", "-w"),
1627 true, nullptr));
1628 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1629 ElementsAre("-A", "POSTROUTING", "-o", "tun0",
1630 "-j", "CONNMARK", "--set-mark",
1631 "0x03ed0000/0xffff0000", "-w"),
1632 true, nullptr));
1633 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1634 ElementsAre("-A", "apply_vpn_mark", "-j",
1635 "MARK", "--set-mark",
1636 "0x03ed0000/0xffff0000", "-w"),
1637 true, nullptr));
1638 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1639 ElementsAre("-A", "POSTROUTING", "-o", "tun0",
1640 "-j", "CONNMARK", "--save-mark",
1641 "--mask", "0x00003f00", "-w"),
1642 true, nullptr));
1643 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1644 ElementsAre("-A", "POSTROUTING", "-o", "tun0",
1645 "-j", "CONNMARK", "--save-mark",
1646 "--mask", "0x00003f00", "-w"),
1647 true, nullptr));
1648 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1649 ElementsAre("-A", "PREROUTING", "-i", "tun0",
1650 "-j", "CONNMARK", "--restore-mark",
1651 "--mask", "0x00003f00", "-w"),
1652 true, nullptr));
1653 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1654 ElementsAre("-A", "PREROUTING", "-i", "tun0",
1655 "-j", "CONNMARK", "--restore-mark",
1656 "--mask", "0x00003f00", "-w"),
1657 true, nullptr));
Hugo Benichi891275e2020-12-16 10:35:34 +0900[diff] [blame]1658 EXPECT_CALL(runner, iptables(StrEq("nat"),
1659 ElementsAre("-A", "POSTROUTING", "-o", "tun0",
1660 "-j", "MASQUERADE", "-w"),
1661 true, nullptr));
Hugo Benichibfc49112020-12-14 12:54:44 +0900[diff] [blame]1662 // Teardown
Hugo Benichi155de002021-01-19 16:45:46 +0900[diff] [blame]1663 EXPECT_CALL(runner,
1664 iptables(StrEq("mangle"),
1665 ElementsAre("-D", "check_routing_mark", "-o", "tun0",
1666 "-m", "mark", "!", "--mark",
1667
1668 "0x03ed0000/0xffff0000", "-j", "DROP", "-w"),
1669 true, nullptr));
1670 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1671 ElementsAre("-D", "check_routing_mark", "-o",
1672 "tun0", "-m", "mark", "!", "--mark",
1673
1674 "0x03ed0000/0xffff0000", "-j",
1675 "DROP", "-w"),
1676 true, nullptr));
Hugo Benichibfc49112020-12-14 12:54:44 +0900[diff] [blame]1677 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1678 ElementsAre("-D", "POSTROUTING", "-o", "tun0",
1679 "-j", "CONNMARK", "--set-mark",
1680 "0x03ed0000/0xffff0000", "-w"),
1681 true, nullptr));
1682 EXPECT_CALL(runner,
1683 iptables(StrEq("mangle"),
1684 ElementsAre("-D", "apply_vpn_mark", "-j", "MARK",
1685 "--set-mark", "0x03ed0000/0xffff0000", "-w"),
1686 true, nullptr));
1687 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1688 ElementsAre("-D", "POSTROUTING", "-o", "tun0",
1689 "-j", "CONNMARK", "--set-mark",
1690 "0x03ed0000/0xffff0000", "-w"),
1691 true, nullptr));
1692 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1693 ElementsAre("-D", "apply_vpn_mark", "-j",
1694 "MARK", "--set-mark",
1695 "0x03ed0000/0xffff0000", "-w"),
1696 true, nullptr));
1697 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1698 ElementsAre("-D", "POSTROUTING", "-o", "tun0",
1699 "-j", "CONNMARK", "--save-mark",
1700 "--mask", "0x00003f00", "-w"),
1701 true, nullptr));
1702 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1703 ElementsAre("-D", "POSTROUTING", "-o", "tun0",
1704 "-j", "CONNMARK", "--save-mark",
1705 "--mask", "0x00003f00", "-w"),
1706 true, nullptr));
1707 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1708 ElementsAre("-D", "PREROUTING", "-i", "tun0",
1709 "-j", "CONNMARK", "--restore-mark",
1710 "--mask", "0x00003f00", "-w"),
1711 true, nullptr));
1712 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1713 ElementsAre("-D", "PREROUTING", "-i", "tun0",
1714 "-j", "CONNMARK", "--restore-mark",
1715 "--mask", "0x00003f00", "-w"),
1716 true, nullptr));
Hugo Benichi891275e2020-12-16 10:35:34 +0900[diff] [blame]1717 EXPECT_CALL(runner, iptables(StrEq("nat"),
1718 ElementsAre("-D", "POSTROUTING", "-o", "tun0",
1719 "-j", "MASQUERADE", "-w"),
1720 true, nullptr));
Hugo Benichibfc49112020-12-14 12:54:44 +0900[diff] [blame]1721 // Start tun0 <-> arcbr0 routing
1722 EXPECT_CALL(runner, iptables(StrEq("filter"),
1723 ElementsAre("-A", "FORWARD", "-i", "tun0", "-o",
1724 "arcbr0", "-j", "ACCEPT", "-w"),
1725 true, nullptr));
1726 EXPECT_CALL(runner, iptables(StrEq("filter"),
1727 ElementsAre("-A", "FORWARD", "-i", "arcbr0",
1728 "-o", "tun0", "-j", "ACCEPT", "-w"),
1729 true, nullptr));
1730 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1731 ElementsAre("-A", "PREROUTING", "-i", "arcbr0",
1732 "-j", "MARK", "--set-mark",
1733 "0x00002000/0x00003f00", "-w"),
1734 true, nullptr));
1735 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1736 ElementsAre("-A", "PREROUTING", "-i", "arcbr0",
1737 "-j", "MARK", "--set-mark",
1738 "0x03ed0000/0xffff0000", "-w"),
1739 true, nullptr));
1740 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1741 ElementsAre("-A", "PREROUTING", "-i", "arcbr0",
1742 "-j", "MARK", "--set-mark",
1743 "0x00002000/0x00003f00", "-w"),
1744 true, nullptr));
1745 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1746 ElementsAre("-A", "PREROUTING", "-i", "arcbr0",
1747 "-j", "MARK", "--set-mark",
1748 "0x03ed0000/0xffff0000", "-w"),
1749 true, nullptr));
1750 // Stop tun0 <-> arcbr0 routing
1751 EXPECT_CALL(runner, iptables(StrEq("filter"),
1752 ElementsAre("-D", "FORWARD", "-i", "tun0", "-o",
1753 "arcbr0", "-j", "ACCEPT", "-w"),
1754 true, nullptr));
1755 EXPECT_CALL(runner, iptables(StrEq("filter"),
1756 ElementsAre("-D", "FORWARD", "-i", "arcbr0",
1757 "-o", "tun0", "-j", "ACCEPT", "-w"),
1758 true, nullptr));
1759 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1760 ElementsAre("-D", "PREROUTING", "-i", "arcbr0",
1761 "-j", "MARK", "--set-mark",
1762 "0x00002000/0x00003f00", "-w"),
1763 true, nullptr));
1764 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1765 ElementsAre("-D", "PREROUTING", "-i", "arcbr0",
1766 "-j", "MARK", "--set-mark",
1767 "0x03ed0000/0xffff0000", "-w"),
1768 true, nullptr));
1769 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1770 ElementsAre("-D", "PREROUTING", "-i", "arcbr0",
1771 "-j", "MARK", "--set-mark",
1772 "0x00002000/0x00003f00", "-w"),
1773 true, nullptr));
1774 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1775 ElementsAre("-D", "PREROUTING", "-i", "arcbr0",
1776 "-j", "MARK", "--set-mark",
1777 "0x03ed0000/0xffff0000", "-w"),
1778 true, nullptr));
1779
1780 Datapath datapath(&runner, &firewall);
1781 datapath.SetIfnameIndex("tun0", 5);
1782 datapath.StartVpnRouting("tun0");
1783 datapath.StopVpnRouting("tun0");
1784}
1785
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]1786TEST(DatapathTest, AddInboundIPv4DNAT) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1787 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1788 MockFirewall firewall;
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1789 EXPECT_CALL(runner, iptables(StrEq("nat"),
1790 ElementsAre("-A", "PREROUTING", "-i", "eth0",
1791 "-m", "socket", "--nowildcard", "-j",
1792 "ACCEPT", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1793 true, nullptr));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1794 EXPECT_CALL(runner, iptables(StrEq("nat"),
1795 ElementsAre("-A", "PREROUTING", "-i", "eth0",
1796 "-p", "tcp", "-j", "DNAT",
1797 "--to-destination", "1.2.3.4", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1798 true, nullptr));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1799 EXPECT_CALL(runner, iptables(StrEq("nat"),
1800 ElementsAre("-A", "PREROUTING", "-i", "eth0",
1801 "-p", "udp", "-j", "DNAT",
1802 "--to-destination", "1.2.3.4", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1803 true, nullptr));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1804 Datapath datapath(&runner, &firewall);
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]1805 datapath.AddInboundIPv4DNAT("eth0", "1.2.3.4");
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]1806}
1807
1808TEST(DatapathTest, RemoveInboundIPv4DNAT) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1809 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1810 MockFirewall firewall;
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1811 EXPECT_CALL(runner, iptables(StrEq("nat"),
1812 ElementsAre("-D", "PREROUTING", "-i", "eth0",
1813 "-m", "socket", "--nowildcard", "-j",
1814 "ACCEPT", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1815 true, nullptr));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1816 EXPECT_CALL(runner, iptables(StrEq("nat"),
1817 ElementsAre("-D", "PREROUTING", "-i", "eth0",
1818 "-p", "tcp", "-j", "DNAT",
1819 "--to-destination", "1.2.3.4", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1820 true, nullptr));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1821 EXPECT_CALL(runner, iptables(StrEq("nat"),
1822 ElementsAre("-D", "PREROUTING", "-i", "eth0",
1823 "-p", "udp", "-j", "DNAT",
1824 "--to-destination", "1.2.3.4", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1825 true, nullptr));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1826 Datapath datapath(&runner, &firewall);
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]1827 datapath.RemoveInboundIPv4DNAT("eth0", "1.2.3.4");
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]1828}
1829
Garrick Evans664a82f2019-12-17 12:18:05 +0900[diff] [blame]1830TEST(DatapathTest, MaskInterfaceFlags) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1831 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1832 MockFirewall firewall;
1833 Datapath datapath(&runner, &firewall, ioctl_req_cap);
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]1834
Garrick Evans664a82f2019-12-17 12:18:05 +0900[diff] [blame]1835 bool result = datapath.MaskInterfaceFlags("foo0", IFF_DEBUG);
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]1836 EXPECT_TRUE(result);
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]1837 std::vector<ioctl_req_t> expected = {SIOCGIFFLAGS, SIOCSIFFLAGS};
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]1838 EXPECT_EQ(ioctl_reqs, expected);
1839 ioctl_reqs.clear();
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]1840 ioctl_rtentry_args.clear();
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]1841}
1842
1843TEST(DatapathTest, AddIPv6Forwarding) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1844 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1845 MockFirewall firewall;
Taoyu Lica49c832019-12-06 17:56:43 +0900[diff] [blame]1846 // Return 1 on iptables -C to simulate rule not existing case
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1847 EXPECT_CALL(runner, ip6tables(StrEq("filter"),
1848 ElementsAre("-C", "FORWARD", "-i", "eth0", "-o",
1849 "arc_eth0", "-j", "ACCEPT", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1850 false, nullptr))
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1851 .WillOnce(Return(1));
1852 EXPECT_CALL(runner, ip6tables(StrEq("filter"),
1853 ElementsAre("-A", "FORWARD", "-i", "eth0", "-o",
1854 "arc_eth0", "-j", "ACCEPT", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1855 true, nullptr));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1856 EXPECT_CALL(runner, ip6tables(StrEq("filter"),
1857 ElementsAre("-C", "FORWARD", "-i", "arc_eth0",
1858 "-o", "eth0", "-j", "ACCEPT", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1859 false, nullptr))
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1860 .WillOnce(Return(1));
1861 EXPECT_CALL(runner, ip6tables(StrEq("filter"),
1862 ElementsAre("-A", "FORWARD", "-i", "arc_eth0",
1863 "-o", "eth0", "-j", "ACCEPT", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1864 true, nullptr));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1865 Datapath datapath(&runner, &firewall);
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]1866 datapath.AddIPv6Forwarding("eth0", "arc_eth0");
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]1867}
1868
Taoyu Lica49c832019-12-06 17:56:43 +0900[diff] [blame]1869TEST(DatapathTest, AddIPv6ForwardingRuleExists) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1870 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1871 MockFirewall firewall;
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1872 EXPECT_CALL(runner, ip6tables(StrEq("filter"),
1873 ElementsAre("-C", "FORWARD", "-i", "eth0", "-o",
1874 "arc_eth0", "-j", "ACCEPT", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1875 false, nullptr));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1876 EXPECT_CALL(runner, ip6tables(StrEq("filter"),
1877 ElementsAre("-C", "FORWARD", "-i", "arc_eth0",
1878 "-o", "eth0", "-j", "ACCEPT", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1879 false, nullptr));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1880 Datapath datapath(&runner, &firewall);
Taoyu Lica49c832019-12-06 17:56:43 +0900[diff] [blame]1881 datapath.AddIPv6Forwarding("eth0", "arc_eth0");
Taoyu Lica49c832019-12-06 17:56:43 +0900[diff] [blame]1882}
1883
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]1884TEST(DatapathTest, RemoveIPv6Forwarding) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1885 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1886 MockFirewall firewall;
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1887 EXPECT_CALL(runner, ip6tables(StrEq("filter"),
1888 ElementsAre("-D", "FORWARD", "-i", "eth0", "-o",
1889 "arc_eth0", "-j", "ACCEPT", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1890 true, nullptr));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1891 EXPECT_CALL(runner, ip6tables(StrEq("filter"),
1892 ElementsAre("-D", "FORWARD", "-i", "arc_eth0",
1893 "-o", "eth0", "-j", "ACCEPT", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1894 true, nullptr));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1895 Datapath datapath(&runner, &firewall);
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]1896 datapath.RemoveIPv6Forwarding("eth0", "arc_eth0");
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]1897}
1898
Taoyu Lieb6cc8f2019-12-09 15:53:04 +0900[diff] [blame]1899TEST(DatapathTest, AddIPv6HostRoute) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1900 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1901 MockFirewall firewall;
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1902 EXPECT_CALL(runner,
1903 ip6(StrEq("route"), StrEq("replace"),
1904 ElementsAre("2001:da8:e00::1234/128", "dev", "eth0"), true));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1905 Datapath datapath(&runner, &firewall);
Taoyu Lieb6cc8f2019-12-09 15:53:04 +0900[diff] [blame]1906 datapath.AddIPv6HostRoute("eth0", "2001:da8:e00::1234", 128);
Taoyu Lieb6cc8f2019-12-09 15:53:04 +0900[diff] [blame]1907}
1908
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]1909TEST(DatapathTest, AddIPv4Route) {
1910 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1911 MockFirewall firewall;
1912 Datapath datapath(&runner, &firewall, (ioctl_t)ioctl_rtentry_cap);
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]1913
1914 datapath.AddIPv4Route(Ipv4Addr(192, 168, 1, 1), Ipv4Addr(100, 115, 93, 0),
1915 Ipv4Addr(255, 255, 255, 0));
1916 datapath.DeleteIPv4Route(Ipv4Addr(192, 168, 1, 1), Ipv4Addr(100, 115, 93, 0),
1917 Ipv4Addr(255, 255, 255, 0));
1918 datapath.AddIPv4Route("eth0", Ipv4Addr(100, 115, 92, 8),
1919 Ipv4Addr(255, 255, 255, 252));
1920 datapath.DeleteIPv4Route("eth0", Ipv4Addr(100, 115, 92, 8),
1921 Ipv4Addr(255, 255, 255, 252));
1922
1923 std::vector<ioctl_req_t> expected_reqs = {SIOCADDRT, SIOCDELRT, SIOCADDRT,
1924 SIOCDELRT};
1925 EXPECT_EQ(expected_reqs, ioctl_reqs);
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]1926
1927 std::string route1 =
1928 "{rt_dst: {family: AF_INET, port: 0, addr: 100.115.93.0}, rt_genmask: "
1929 "{family: AF_INET, port: 0, addr: 255.255.255.0}, rt_gateway: {family: "
1930 "AF_INET, port: 0, addr: 192.168.1.1}, rt_dev: null, rt_flags: RTF_UP | "
1931 "RTF_GATEWAY}";
1932 std::string route2 =
1933 "{rt_dst: {family: AF_INET, port: 0, addr: 100.115.92.8}, rt_genmask: "
1934 "{family: AF_INET, port: 0, addr: 255.255.255.252}, rt_gateway: {unset}, "
1935 "rt_dev: eth0, rt_flags: RTF_UP | RTF_GATEWAY}";
1936 std::vector<std::string> captured_routes;
1937 for (const auto& route : ioctl_rtentry_args) {
1938 std::ostringstream stream;
1939 stream << route.second;
1940 captured_routes.emplace_back(stream.str());
1941 }
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]1942 EXPECT_EQ(route1, captured_routes[0]);
1943 EXPECT_EQ(route1, captured_routes[1]);
1944 EXPECT_EQ(route2, captured_routes[2]);
1945 EXPECT_EQ(route2, captured_routes[3]);
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]1946 ioctl_reqs.clear();
1947 ioctl_rtentry_args.clear();
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]1948}
1949
Garrick Evans2f581a02020-05-11 10:43:35 +0900[diff] [blame]1950TEST(DatapathTest, ArcVethHostName) {
1951 EXPECT_EQ("vetheth0", ArcVethHostName("eth0"));
1952 EXPECT_EQ("vethrmnet0", ArcVethHostName("rmnet0"));
1953 EXPECT_EQ("vethrmnet_data0", ArcVethHostName("rmnet_data0"));
1954 EXPECT_EQ("vethifnamsiz_i0", ArcVethHostName("ifnamsiz_ifnam0"));
1955 auto ifname = ArcVethHostName("exceeds_ifnamesiz_checkanyway");
1956 EXPECT_EQ("vethexceeds_ify", ifname);
1957 EXPECT_LT(ifname.length(), IFNAMSIZ);
1958}
1959
Garrick Evans8a067562020-05-11 12:47:30 +0900[diff] [blame]1960TEST(DatapathTest, ArcBridgeName) {
1961 EXPECT_EQ("arc_eth0", ArcBridgeName("eth0"));
1962 EXPECT_EQ("arc_rmnet0", ArcBridgeName("rmnet0"));
1963 EXPECT_EQ("arc_rmnet_data0", ArcBridgeName("rmnet_data0"));
1964 EXPECT_EQ("arc_ifnamsiz_i0", ArcBridgeName("ifnamsiz_ifnam0"));
1965 auto ifname = ArcBridgeName("exceeds_ifnamesiz_checkanyway");
1966 EXPECT_EQ("arc_exceeds_ify", ifname);
1967 EXPECT_LT(ifname.length(), IFNAMSIZ);
1968}
1969
Garrick Evans3388a032020-03-24 11:25:55 +0900[diff] [blame]1970} // namespace patchpanel