Gitiles
Code Review Sign In
gerrit.openfyde.cn / chromium.googlesource.com / chromiumos / platform2 / 93306e51479b9fda1c78550d199d7c9469c70df6 / . / patchpanel / datapath_test.cc
blob: 63f470052e31e6392adc0862206c53f354d5007b [file] [log] [blame]
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]1// Copyright 2019 The Chromium OS Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
Garrick Evans3388a032020-03-24 11:25:55 +0900[diff] [blame]5#include "patchpanel/datapath.h"
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]6
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]7#include <linux/if_tun.h>
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]8#include <net/if.h>
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]9#include <sys/ioctl.h>
10
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]11#include <utility>
12#include <vector>
13
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]14#include <base/bind.h>
Qijiang Fane90b8792020-03-09 16:15:41 +0900[diff] [blame]15#include <base/bind_helpers.h>
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]16#include <base/strings/string_util.h>
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]17#include <gmock/gmock.h>
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]18#include <gtest/gtest.h>
19
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]20#include "patchpanel/mock_firewall.h"
Garrick Evans3388a032020-03-24 11:25:55 +0900[diff] [blame]21#include "patchpanel/net_util.h"
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]22
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]23using testing::_;
24using testing::ElementsAre;
25using testing::Return;
26using testing::StrEq;
27
Garrick Evans3388a032020-03-24 11:25:55 +0900[diff] [blame]28namespace patchpanel {
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]29namespace {
30
Hugo Benichi76675592020-04-08 14:29:57 +0900[diff] [blame]31// TODO(hugobenichi) Centralize this constant definition
32constexpr pid_t kTestPID = -2;
33
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]34std::vector<ioctl_req_t> ioctl_reqs;
35std::vector<std::pair<std::string, struct rtentry>> ioctl_rtentry_args;
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]36
37// Capture all ioctls and succeed.
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]38int ioctl_req_cap(int fd, ioctl_req_t req, ...) {
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]39 ioctl_reqs.push_back(req);
40 return 0;
41}
42
43// Capture ioctls for SIOCADDRT and SIOCDELRT and succeed.
44int ioctl_rtentry_cap(int fd, ioctl_req_t req, struct rtentry* arg) {
45 ioctl_reqs.push_back(req);
46 ioctl_rtentry_args.push_back({"", *arg});
47 // Copy the string poited by rtentry.rt_dev because Add/DeleteIPv4Route pass
48 // this value to ioctl() on the stack.
49 if (arg->rt_dev) {
50 auto& cap = ioctl_rtentry_args.back();
51 cap.first = std::string(arg->rt_dev);
52 cap.second.rt_dev = (char*)cap.first.c_str();
53 }
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]54 return 0;
55}
56
57} // namespace
58
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]59class MockProcessRunner : public MinijailedProcessRunner {
60 public:
61 MockProcessRunner() = default;
62 ~MockProcessRunner() = default;
63
Garrick Evans2470caa2020-03-04 14:15:41 +0900[diff] [blame]64 MOCK_METHOD1(WriteSentinelToContainer, int(pid_t pid));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]65 MOCK_METHOD3(brctl,
66 int(const std::string& cmd,
67 const std::vector<std::string>& argv,
68 bool log_failures));
69 MOCK_METHOD4(chown,
70 int(const std::string& uid,
71 const std::string& gid,
72 const std::string& file,
73 bool log_failures));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]74 MOCK_METHOD4(ip,
75 int(const std::string& obj,
76 const std::string& cmd,
77 const std::vector<std::string>& args,
78 bool log_failures));
79 MOCK_METHOD4(ip6,
80 int(const std::string& obj,
81 const std::string& cmd,
82 const std::vector<std::string>& args,
83 bool log_failures));
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]84 MOCK_METHOD4(iptables,
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]85 int(const std::string& table,
86 const std::vector<std::string>& argv,
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]87 bool log_failures,
88 std::string* output));
89 MOCK_METHOD4(ip6tables,
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]90 int(const std::string& table,
91 const std::vector<std::string>& argv,
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]92 bool log_failures,
93 std::string* output));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]94 MOCK_METHOD2(modprobe_all,
95 int(const std::vector<std::string>& modules, bool log_failures));
96 MOCK_METHOD3(sysctl_w,
97 int(const std::string& key,
98 const std::string& value,
99 bool log_failures));
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]100 MOCK_METHOD3(ip_netns_attach,
101 int(const std::string& netns_name,
102 pid_t netns_pid,
103 bool log_failures));
104 MOCK_METHOD2(ip_netns_delete,
105 int(const std::string& netns_name, bool log_failures));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]106};
107
Hugo Benichid82d8832020-08-14 10:05:03 +0900[diff] [blame]108TEST(DatapathTest, IpFamily) {
109 EXPECT_EQ(IpFamily::Dual, IpFamily::IPv4 | IpFamily::IPv6);
110 EXPECT_EQ(IpFamily::Dual & IpFamily::IPv4, IpFamily::IPv4);
111 EXPECT_EQ(IpFamily::Dual & IpFamily::IPv6, IpFamily::IPv6);
112 EXPECT_NE(IpFamily::Dual, IpFamily::IPv4);
113 EXPECT_NE(IpFamily::Dual, IpFamily::IPv6);
114 EXPECT_NE(IpFamily::IPv4, IpFamily::IPv6);
115}
116
Hugo Benichibf811c62020-09-07 17:30:45 +0900[diff] [blame]117TEST(DatapathTest, Start) {
118 MockProcessRunner runner;
119 MockFirewall firewall;
120 // Asserts for sysctl modifications
121 EXPECT_CALL(runner, sysctl_w(StrEq("net.ipv4.ip_forward"), StrEq("1"), true));
122 EXPECT_CALL(runner, sysctl_w(StrEq("net.ipv4.ip_local_port_range"),
123 StrEq("32768 47103"), true));
124 EXPECT_CALL(runner, sysctl_w(StrEq("net.ipv6.conf.all.forwarding"),
125 StrEq("1"), true));
126 // Asserts for AddSNATMarkRules
127 EXPECT_CALL(
128 runner,
129 iptables(StrEq("filter"),
130 ElementsAre("-A", "FORWARD", "-m", "mark", "--mark", "1/1", "-m",
131 "state", "--state", "INVALID", "-j", "DROP", "-w"),
132 true, nullptr));
133 EXPECT_CALL(runner,
134 iptables(StrEq("filter"),
135 ElementsAre("-A", "FORWARD", "-m", "mark", "--mark",
136 "1/1", "-j", "ACCEPT", "-w"),
137 true, nullptr));
138 EXPECT_CALL(runner,
139 iptables(StrEq("nat"),
140 ElementsAre("-A", "POSTROUTING", "-m", "mark", "--mark",
141 "1/1", "-j", "MASQUERADE", "-w"),
142 true, nullptr));
143 // Asserts for AddForwardEstablishedRule
144 EXPECT_CALL(runner,
145 iptables(StrEq("filter"),
146 ElementsAre("-A", "FORWARD", "-m", "state", "--state",
147 "ESTABLISHED,RELATED", "-j", "ACCEPT", "-w"),
148 true, nullptr));
149 // Asserts for AddSourceIPv4DropRule() calls.
150 EXPECT_CALL(runner,
151 iptables(StrEq("filter"),
152 ElementsAre("-I", "OUTPUT", "-o", "eth+", "-s",
153 "100.115.92.0/23", "-j", "DROP", "-w"),
154 true, nullptr));
155 EXPECT_CALL(runner,
156 iptables(StrEq("filter"),
157 ElementsAre("-I", "OUTPUT", "-o", "wlan+", "-s",
158 "100.115.92.0/23", "-j", "DROP", "-w"),
159 true, nullptr));
160 EXPECT_CALL(runner,
161 iptables(StrEq("filter"),
162 ElementsAre("-I", "OUTPUT", "-o", "mlan+", "-s",
163 "100.115.92.0/23", "-j", "DROP", "-w"),
164 true, nullptr));
165 EXPECT_CALL(runner,
166 iptables(StrEq("filter"),
167 ElementsAre("-I", "OUTPUT", "-o", "usb+", "-s",
168 "100.115.92.0/23", "-j", "DROP", "-w"),
169 true, nullptr));
170 EXPECT_CALL(runner,
171 iptables(StrEq("filter"),
172 ElementsAre("-I", "OUTPUT", "-o", "wwan+", "-s",
173 "100.115.92.0/23", "-j", "DROP", "-w"),
174 true, nullptr));
175 EXPECT_CALL(runner,
176 iptables(StrEq("filter"),
177 ElementsAre("-I", "OUTPUT", "-o", "rmnet+", "-s",
178 "100.115.92.0/23", "-j", "DROP", "-w"),
179 true, nullptr));
180 // Asserts for AddOutboundIPv4SNATMark("vmtap+")
181 EXPECT_CALL(runner,
182 iptables(StrEq("mangle"),
183 ElementsAre("-A", "PREROUTING", "-i", "vmtap+", "-j",
184 "MARK", "--set-mark", "1/1", "-w"),
185 true, nullptr));
Hugo Benichi2a940542020-10-26 18:50:49 +0900[diff] [blame]186 // Asserts for OUTPUT CONNMARK restore rule
187 EXPECT_CALL(runner, iptables(StrEq("mangle"),
188 ElementsAre("-A", "OUTPUT", "-j", "CONNMARK",
189 "--restore-mark", "--mask",
190 "0xffff0000", "-w"),
191 true, nullptr));
192 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
193 ElementsAre("-A", "OUTPUT", "-j", "CONNMARK",
194 "--restore-mark", "--mask",
195 "0xffff0000", "-w"),
196 true, nullptr));
Hugo Benichi3a9162b2020-09-09 15:47:40 +0900[diff] [blame]197 // Asserts for apply_local_source_mark chain
198 EXPECT_CALL(runner,
199 iptables(StrEq("mangle"),
200 ElementsAre("-N", "apply_local_source_mark", "-w"), true,
201 nullptr));
202 EXPECT_CALL(runner,
203 iptables(StrEq("mangle"),
204 ElementsAre("-F", "apply_local_source_mark", "-w"), true,
205 nullptr));
206 EXPECT_CALL(runner, iptables(StrEq("mangle"),
207 ElementsAre("-A", "OUTPUT", "-j",
208 "apply_local_source_mark", "-w"),
209 true, nullptr));
210 EXPECT_CALL(
211 runner,
212 iptables(StrEq("mangle"),
213 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
214 "--uid-owner", "chronos", "-j", "MARK", "--set-mark",
215 "0x00008100/0x0000ff00", "-w"),
216 true, nullptr));
217 EXPECT_CALL(runner, iptables(StrEq("mangle"),
218 ElementsAre("-A", "apply_local_source_mark",
219 "-m", "owner", "--uid-owner",
220 "debugd", "-j", "MARK", "--set-mark",
221 "0x00008200/0x0000ff00", "-w"),
222 true, nullptr));
223 EXPECT_CALL(runner,
224 iptables(StrEq("mangle"),
225 ElementsAre("-A", "apply_local_source_mark", "-m",
226 "owner", "--uid-owner", "cups", "-j", "MARK",
227 "--set-mark", "0x00008200/0x0000ff00", "-w"),
228 true, nullptr));
229 EXPECT_CALL(
230 runner,
231 iptables(StrEq("mangle"),
232 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
233 "--uid-owner", "kerberosd", "-j", "MARK",
234 "--set-mark", "0x00008400/0x0000ff00", "-w"),
235 true, nullptr));
236 EXPECT_CALL(
237 runner,
238 iptables(StrEq("mangle"),
239 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
240 "--uid-owner", "kerberosd-exec", "-j", "MARK",
241 "--set-mark", "0x00008400/0x0000ff00", "-w"),
242 true, nullptr));
243 EXPECT_CALL(
244 runner,
245 iptables(StrEq("mangle"),
246 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
247 "--uid-owner", "tlsdate", "-j", "MARK", "--set-mark",
248 "0x00008400/0x0000ff00", "-w"),
249 true, nullptr));
250 EXPECT_CALL(
251 runner,
252 iptables(StrEq("mangle"),
253 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
254 "--uid-owner", "pluginvm", "-j", "MARK",
255 "--set-mark", "0x00008200/0x0000ff00", "-w"),
256 true, nullptr));
257 EXPECT_CALL(
258 runner,
259 iptables(StrEq("mangle"),
260 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
261 "--uid-owner", "fuse-smbfs", "-j", "MARK",
262 "--set-mark", "0x00008400/0x0000ff00", "-w"),
263 true, nullptr));
264 EXPECT_CALL(
265 runner,
266 iptables(StrEq("mangle"),
Hugo Benichi7e3b1fc2020-11-19 15:47:05 +0900[diff] [blame]267 ElementsAre("-A", "apply_local_source_mark", "-m", "cgroup",
268 "--cgroup", "0x00010001", "-j", "MARK", "--set-mark",
269 "0x00000300/0x0000ff00", "-w"),
270 true, nullptr));
271 EXPECT_CALL(
272 runner,
273 iptables(StrEq("mangle"),
Hugo Benichi3a9162b2020-09-09 15:47:40 +0900[diff] [blame]274 ElementsAre("-A", "apply_local_source_mark", "-m", "mark",
275 "--mark", "0x0/0x00003f00", "-j", "MARK",
276 "--set-mark", "0x00000400/0x00003f00", "-w"),
277 true, nullptr));
278 EXPECT_CALL(runner,
279 ip6tables(StrEq("mangle"),
280 ElementsAre("-N", "apply_local_source_mark", "-w"),
281 true, nullptr));
282 EXPECT_CALL(runner,
283 ip6tables(StrEq("mangle"),
284 ElementsAre("-F", "apply_local_source_mark", "-w"),
285 true, nullptr));
286 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
287 ElementsAre("-A", "OUTPUT", "-j",
288 "apply_local_source_mark", "-w"),
289 true, nullptr));
290 EXPECT_CALL(
291 runner,
292 ip6tables(StrEq("mangle"),
293 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
294 "--uid-owner", "debugd", "-j", "MARK", "--set-mark",
295 "0x00008200/0x0000ff00", "-w"),
296 true, nullptr));
297 EXPECT_CALL(
298 runner,
299 ip6tables(StrEq("mangle"),
300 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
301 "--uid-owner", "chronos", "-j", "MARK",
302 "--set-mark", "0x00008100/0x0000ff00", "-w"),
303 true, nullptr));
304 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
305 ElementsAre("-A", "apply_local_source_mark",
306 "-m", "owner", "--uid-owner",
307 "cups", "-j", "MARK", "--set-mark",
308 "0x00008200/0x0000ff00", "-w"),
309 true, nullptr));
310 EXPECT_CALL(
311 runner,
312 ip6tables(StrEq("mangle"),
313 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
314 "--uid-owner", "kerberosd", "-j", "MARK",
315 "--set-mark", "0x00008400/0x0000ff00", "-w"),
316 true, nullptr));
317 EXPECT_CALL(
318 runner,
319 ip6tables(StrEq("mangle"),
320 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
321 "--uid-owner", "kerberosd-exec", "-j", "MARK",
322 "--set-mark", "0x00008400/0x0000ff00", "-w"),
323 true, nullptr));
324 EXPECT_CALL(
325 runner,
326 ip6tables(StrEq("mangle"),
327 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
328 "--uid-owner", "tlsdate", "-j", "MARK",
329 "--set-mark", "0x00008400/0x0000ff00", "-w"),
330 true, nullptr));
331 EXPECT_CALL(
332 runner,
333 ip6tables(StrEq("mangle"),
334 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
335 "--uid-owner", "pluginvm", "-j", "MARK",
336 "--set-mark", "0x00008200/0x0000ff00", "-w"),
337 true, nullptr));
338 EXPECT_CALL(
339 runner,
340 ip6tables(StrEq("mangle"),
341 ElementsAre("-A", "apply_local_source_mark", "-m", "owner",
342 "--uid-owner", "fuse-smbfs", "-j", "MARK",
343 "--set-mark", "0x00008400/0x0000ff00", "-w"),
344 true, nullptr));
345 EXPECT_CALL(
346 runner,
347 ip6tables(StrEq("mangle"),
Hugo Benichi7e3b1fc2020-11-19 15:47:05 +0900[diff] [blame]348 ElementsAre("-A", "apply_local_source_mark", "-m", "cgroup",
349 "--cgroup", "0x00010001", "-j", "MARK",
350 "--set-mark", "0x00000300/0x0000ff00", "-w"),
351 true, nullptr));
352 EXPECT_CALL(
353 runner,
354 ip6tables(StrEq("mangle"),
Hugo Benichi3a9162b2020-09-09 15:47:40 +0900[diff] [blame]355 ElementsAre("-A", "apply_local_source_mark", "-m", "mark",
356 "--mark", "0x0/0x00003f00", "-j", "MARK",
357 "--set-mark", "0x00000400/0x00003f00", "-w"),
358 true, nullptr));
Hugo Benichi3ef370b2020-11-16 19:07:17 +0900[diff] [blame]359 // Asserts for apply_vpn_mark chain
360 EXPECT_CALL(runner, iptables(StrEq("mangle"),
361 ElementsAre("-N", "apply_vpn_mark", "-w"), true,
362 nullptr));
363 EXPECT_CALL(runner, iptables(StrEq("mangle"),
364 ElementsAre("-F", "apply_vpn_mark", "-w"), true,
365 nullptr));
366 EXPECT_CALL(runner, iptables(StrEq("mangle"),
367 ElementsAre("-A", "OUTPUT", "-m", "mark",
368 "--mark", "0x00008000/0x0000c000",
369 "-j", "apply_vpn_mark", "-w"),
370 true, nullptr));
371 EXPECT_CALL(runner, iptables(StrEq("mangle"),
372 ElementsAre("-A", "apply_vpn_mark", "-m", "mark",
373 "!", "--mark", "0x0/0xffff0000",
374 "-j", "ACCEPT", "-w"),
375 true, nullptr));
376 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
377 ElementsAre("-N", "apply_vpn_mark", "-w"), true,
378 nullptr));
379 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
380 ElementsAre("-F", "apply_vpn_mark", "-w"), true,
381 nullptr));
382 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
383 ElementsAre("-A", "OUTPUT", "-m", "mark",
384 "--mark", "0x00008000/0x0000c000",
385 "-j", "apply_vpn_mark", "-w"),
386 true, nullptr));
387 EXPECT_CALL(
388 runner,
389 ip6tables(StrEq("mangle"),
390 ElementsAre("-A", "apply_vpn_mark", "-m", "mark", "!", "--mark",
391 "0x0/0xffff0000", "-j", "ACCEPT", "-w"),
392 true, nullptr));
Hugo Benichibf811c62020-09-07 17:30:45 +0900[diff] [blame]393
394 Datapath datapath(&runner, &firewall);
395 datapath.Start();
396}
397
398TEST(DatapathTest, Stop) {
399 MockProcessRunner runner;
400 MockFirewall firewall;
401 // Asserts for sysctl modifications
402 EXPECT_CALL(runner, sysctl_w(StrEq("net.ipv4.ip_local_port_range"),
403 StrEq("32768 61000"), true));
404 EXPECT_CALL(runner, sysctl_w(StrEq("net.ipv6.conf.all.forwarding"),
405 StrEq("0"), true));
406 EXPECT_CALL(runner, sysctl_w(StrEq("net.ipv4.ip_forward"), StrEq("0"), true));
407 // Asserts for RemoveOutboundIPv4SNATMark("vmtap+")
408 EXPECT_CALL(runner,
409 iptables(StrEq("mangle"),
410 ElementsAre("-D", "PREROUTING", "-i", "vmtap+", "-j",
411 "MARK", "--set-mark", "1/1", "-w"),
412 true, nullptr));
413 // Asserts for RemoveForwardEstablishedRule
414 EXPECT_CALL(runner,
415 iptables(StrEq("filter"),
416 ElementsAre("-D", "FORWARD", "-m", "state", "--state",
417 "ESTABLISHED,RELATED", "-j", "ACCEPT", "-w"),
418 true, nullptr));
419 // Asserts for RemoveSNATMarkRules
420 EXPECT_CALL(
421 runner,
422 iptables(StrEq("filter"),
423 ElementsAre("-D", "FORWARD", "-m", "mark", "--mark", "1/1", "-m",
424 "state", "--state", "INVALID", "-j", "DROP", "-w"),
425 true, nullptr));
426 EXPECT_CALL(runner,
427 iptables(StrEq("filter"),
428 ElementsAre("-D", "FORWARD", "-m", "mark", "--mark",
429 "1/1", "-j", "ACCEPT", "-w"),
430 true, nullptr));
431 EXPECT_CALL(runner,
432 iptables(StrEq("nat"),
433 ElementsAre("-D", "POSTROUTING", "-m", "mark", "--mark",
434 "1/1", "-j", "MASQUERADE", "-w"),
435 true, nullptr));
436 // Asserts for RemoveSourceIPv4DropRule() calls.
437 EXPECT_CALL(runner,
438 iptables(StrEq("filter"),
439 ElementsAre("-D", "OUTPUT", "-o", "eth+", "-s",
440 "100.115.92.0/23", "-j", "DROP", "-w"),
441 true, nullptr));
442 EXPECT_CALL(runner,
443 iptables(StrEq("filter"),
444 ElementsAre("-D", "OUTPUT", "-o", "wlan+", "-s",
445 "100.115.92.0/23", "-j", "DROP", "-w"),
446 true, nullptr));
447 EXPECT_CALL(runner,
448 iptables(StrEq("filter"),
449 ElementsAre("-D", "OUTPUT", "-o", "mlan+", "-s",
450 "100.115.92.0/23", "-j", "DROP", "-w"),
451 true, nullptr));
452 EXPECT_CALL(runner,
453 iptables(StrEq("filter"),
454 ElementsAre("-D", "OUTPUT", "-o", "usb+", "-s",
455 "100.115.92.0/23", "-j", "DROP", "-w"),
456 true, nullptr));
457 EXPECT_CALL(runner,
458 iptables(StrEq("filter"),
459 ElementsAre("-D", "OUTPUT", "-o", "wwan+", "-s",
460 "100.115.92.0/23", "-j", "DROP", "-w"),
461 true, nullptr));
462 EXPECT_CALL(runner,
463 iptables(StrEq("filter"),
464 ElementsAre("-D", "OUTPUT", "-o", "rmnet+", "-s",
465 "100.115.92.0/23", "-j", "DROP", "-w"),
466 true, nullptr));
Hugo Benichi3a9162b2020-09-09 15:47:40 +0900[diff] [blame]467 // Asserts for apply_local_source_mark chain
468 EXPECT_CALL(runner, iptables(StrEq("mangle"),
469 ElementsAre("-D", "OUTPUT", "-j",
470 "apply_local_source_mark", "-w"),
471 true, nullptr));
Hugo Benichi2a940542020-10-26 18:50:49 +0900[diff] [blame]472 // Asserts for OUTPUT CONNMARK restore rule
473 EXPECT_CALL(runner, iptables(StrEq("mangle"),
474 ElementsAre("-D", "OUTPUT", "-j", "CONNMARK",
475 "--restore-mark", "--mask",
476 "0xffff0000", "-w"),
477 true, nullptr));
478 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
479 ElementsAre("-D", "OUTPUT", "-j", "CONNMARK",
480 "--restore-mark", "--mask",
481 "0xffff0000", "-w"),
482 true, nullptr));
Hugo Benichi3a9162b2020-09-09 15:47:40 +0900[diff] [blame]483 EXPECT_CALL(runner,
484 iptables(StrEq("mangle"),
485 ElementsAre("-F", "apply_local_source_mark", "-w"), true,
486 nullptr));
487 EXPECT_CALL(runner,
488 iptables(StrEq("mangle"),
489 ElementsAre("-X", "apply_local_source_mark", "-w"), true,
490 nullptr));
491 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
492 ElementsAre("-D", "OUTPUT", "-j",
493 "apply_local_source_mark", "-w"),
494 true, nullptr));
495 EXPECT_CALL(runner,
496 ip6tables(StrEq("mangle"),
497 ElementsAre("-F", "apply_local_source_mark", "-w"),
498 true, nullptr));
499 EXPECT_CALL(runner,
500 ip6tables(StrEq("mangle"),
501 ElementsAre("-X", "apply_local_source_mark", "-w"),
502 true, nullptr));
Hugo Benichi3ef370b2020-11-16 19:07:17 +0900[diff] [blame]503 // Asserts for apply_vpn_mark chain
504 EXPECT_CALL(runner, iptables(StrEq("mangle"),
505 ElementsAre("-D", "OUTPUT", "-m", "mark",
506 "--mark", "0x00008000/0x0000c000",
507 "-j", "apply_vpn_mark", "-w"),
508 true, nullptr));
509 EXPECT_CALL(runner, iptables(StrEq("mangle"),
510 ElementsAre("-F", "apply_vpn_mark", "-w"), true,
511 nullptr));
512 EXPECT_CALL(runner, iptables(StrEq("mangle"),
513 ElementsAre("-X", "apply_vpn_mark", "-w"), true,
514 nullptr));
515 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
516 ElementsAre("-D", "OUTPUT", "-m", "mark",
517 "--mark", "0x00008000/0x0000c000",
518 "-j", "apply_vpn_mark", "-w"),
519 true, nullptr));
520 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
521 ElementsAre("-F", "apply_vpn_mark", "-w"), true,
522 nullptr));
523 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
524 ElementsAre("-X", "apply_vpn_mark", "-w"), true,
525 nullptr));
Hugo Benichibf811c62020-09-07 17:30:45 +0900[diff] [blame]526
527 Datapath datapath(&runner, &firewall);
528 datapath.Stop();
529}
530
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]531TEST(DatapathTest, AddTAP) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]532 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]533 MockFirewall firewall;
534 Datapath datapath(&runner, &firewall, ioctl_req_cap);
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]535 MacAddress mac = {1, 2, 3, 4, 5, 6};
Qijiang Fane90b8792020-03-09 16:15:41 +0900[diff] [blame]536 Subnet subnet(Ipv4Addr(100, 115, 92, 4), 30, base::DoNothing());
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]537 auto addr = subnet.AllocateAtOffset(0);
Garrick Evans4f9f5572019-11-26 10:25:16 +0900[diff] [blame]538 auto ifname = datapath.AddTAP("foo0", &mac, addr.get(), "");
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]539 EXPECT_EQ(ifname, "foo0");
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]540 std::vector<ioctl_req_t> expected = {
541 TUNSETIFF, TUNSETPERSIST, SIOCSIFADDR, SIOCSIFNETMASK,
542 SIOCSIFHWADDR, SIOCGIFFLAGS, SIOCSIFFLAGS};
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]543 EXPECT_EQ(ioctl_reqs, expected);
544 ioctl_reqs.clear();
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]545 ioctl_rtentry_args.clear();
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]546}
547
548TEST(DatapathTest, AddTAPWithOwner) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]549 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]550 MockFirewall firewall;
551 Datapath datapath(&runner, &firewall, ioctl_req_cap);
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]552 MacAddress mac = {1, 2, 3, 4, 5, 6};
Qijiang Fane90b8792020-03-09 16:15:41 +0900[diff] [blame]553 Subnet subnet(Ipv4Addr(100, 115, 92, 4), 30, base::DoNothing());
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]554 auto addr = subnet.AllocateAtOffset(0);
Garrick Evans4f9f5572019-11-26 10:25:16 +0900[diff] [blame]555 auto ifname = datapath.AddTAP("foo0", &mac, addr.get(), "root");
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]556 EXPECT_EQ(ifname, "foo0");
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]557 std::vector<ioctl_req_t> expected = {
558 TUNSETIFF, TUNSETPERSIST, TUNSETOWNER, SIOCSIFADDR,
559 SIOCSIFNETMASK, SIOCSIFHWADDR, SIOCGIFFLAGS, SIOCSIFFLAGS};
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]560 EXPECT_EQ(ioctl_reqs, expected);
561 ioctl_reqs.clear();
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]562 ioctl_rtentry_args.clear();
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]563}
564
Garrick Evans621ed262019-11-13 12:28:43 +0900[diff] [blame]565TEST(DatapathTest, AddTAPNoAddrs) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]566 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]567 MockFirewall firewall;
568 Datapath datapath(&runner, &firewall, ioctl_req_cap);
Garrick Evans4f9f5572019-11-26 10:25:16 +0900[diff] [blame]569 auto ifname = datapath.AddTAP("foo0", nullptr, nullptr, "");
Garrick Evans621ed262019-11-13 12:28:43 +0900[diff] [blame]570 EXPECT_EQ(ifname, "foo0");
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]571 std::vector<ioctl_req_t> expected = {TUNSETIFF, TUNSETPERSIST, SIOCGIFFLAGS,
572 SIOCSIFFLAGS};
Garrick Evans621ed262019-11-13 12:28:43 +0900[diff] [blame]573 EXPECT_EQ(ioctl_reqs, expected);
574 ioctl_reqs.clear();
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]575 ioctl_rtentry_args.clear();
Garrick Evans621ed262019-11-13 12:28:43 +0900[diff] [blame]576}
577
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]578TEST(DatapathTest, RemoveTAP) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]579 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]580 MockFirewall firewall;
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]581 EXPECT_CALL(runner, ip(StrEq("tuntap"), StrEq("del"),
582 ElementsAre("foo0", "mode", "tap"), true));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]583 Datapath datapath(&runner, &firewall);
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]584 datapath.RemoveTAP("foo0");
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]585}
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]586
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]587TEST(DatapathTest, NetnsAttachName) {
588 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]589 MockFirewall firewall;
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]590 EXPECT_CALL(runner, ip_netns_delete(StrEq("netns_foo"), false));
591 EXPECT_CALL(runner, ip_netns_attach(StrEq("netns_foo"), 1234, true));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]592 Datapath datapath(&runner, &firewall);
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]593 EXPECT_TRUE(datapath.NetnsAttachName("netns_foo", 1234));
594}
595
596TEST(DatapathTest, NetnsDeleteName) {
597 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]598 MockFirewall firewall;
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]599 EXPECT_CALL(runner, ip_netns_delete(StrEq("netns_foo"), true));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]600 Datapath datapath(&runner, &firewall);
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]601 EXPECT_TRUE(datapath.NetnsDeleteName("netns_foo"));
602}
603
Garrick Evans8a949dc2019-07-18 16:17:53 +0900[diff] [blame]604TEST(DatapathTest, AddBridge) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]605 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]606 MockFirewall firewall;
607 Datapath datapath(&runner, &firewall);
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]608 EXPECT_CALL(runner, brctl(StrEq("addbr"), ElementsAre("br"), true));
Garrick Evans6f4fa3a2020-02-10 16:15:09 +0900[diff] [blame]609 EXPECT_CALL(
610 runner,
611 ip(StrEq("addr"), StrEq("add"),
612 ElementsAre("1.1.1.1/30", "brd", "1.1.1.3", "dev", "br"), true));
Garrick Evans7a1a9ee2020-01-28 11:03:57 +0900[diff] [blame]613 EXPECT_CALL(runner,
614 ip(StrEq("link"), StrEq("set"), ElementsAre("br", "up"), true));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]615 EXPECT_CALL(runner, iptables(StrEq("mangle"),
616 ElementsAre("-A", "PREROUTING", "-i", "br", "-j",
Hugo Benichi6c445322020-08-12 16:46:19 +0900[diff] [blame]617 "MARK", "--set-mark", "1/1", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]618 true, nullptr));
Garrick Evans7a1a9ee2020-01-28 11:03:57 +0900[diff] [blame]619 datapath.AddBridge("br", Ipv4Addr(1, 1, 1, 1), 30);
Garrick Evans8a949dc2019-07-18 16:17:53 +0900[diff] [blame]620}
621
Hugo Benichi76675592020-04-08 14:29:57 +0900[diff] [blame]622TEST(DatapathTest, ConnectVethPair) {
623 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]624 MockFirewall firewall;
Hugo Benichi76675592020-04-08 14:29:57 +0900[diff] [blame]625 EXPECT_CALL(runner, ip(StrEq("link"), StrEq("add"),
626 ElementsAre("veth_foo", "type", "veth", "peer", "name",
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]627 "peer_foo", "netns", "netns_foo"),
Hugo Benichi76675592020-04-08 14:29:57 +0900[diff] [blame]628 true));
629 EXPECT_CALL(runner, ip(StrEq("addr"), StrEq("add"),
630 ElementsAre("100.115.92.169/30", "brd",
631 "100.115.92.171", "dev", "peer_foo"),
632 true))
633 .WillOnce(Return(0));
634 EXPECT_CALL(runner, ip(StrEq("link"), StrEq("set"),
635 ElementsAre("dev", "peer_foo", "up", "addr",
636 "01:02:03:04:05:06", "multicast", "on"),
637 true))
638 .WillOnce(Return(0));
Hugo Benichi76675592020-04-08 14:29:57 +0900[diff] [blame]639 EXPECT_CALL(runner, ip(StrEq("link"), StrEq("set"),
640 ElementsAre("veth_foo", "up"), true));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]641 Datapath datapath(&runner, &firewall);
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]642 EXPECT_TRUE(datapath.ConnectVethPair(kTestPID, "netns_foo", "veth_foo",
643 "peer_foo", {1, 2, 3, 4, 5, 6},
Hugo Benichi76675592020-04-08 14:29:57 +0900[diff] [blame]644 Ipv4Addr(100, 115, 92, 169), 30, true));
645}
646
Garrick Evans2470caa2020-03-04 14:15:41 +0900[diff] [blame]647TEST(DatapathTest, AddVirtualInterfacePair) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]648 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]649 MockFirewall firewall;
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]650 EXPECT_CALL(runner, ip(StrEq("link"), StrEq("add"),
651 ElementsAre("veth_foo", "type", "veth", "peer", "name",
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]652 "peer_foo", "netns", "netns_foo"),
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]653 true));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]654 Datapath datapath(&runner, &firewall);
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]655 EXPECT_TRUE(
656 datapath.AddVirtualInterfacePair("netns_foo", "veth_foo", "peer_foo"));
Garrick Evans2470caa2020-03-04 14:15:41 +0900[diff] [blame]657}
658
659TEST(DatapathTest, ToggleInterface) {
660 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]661 MockFirewall firewall;
Garrick Evans2470caa2020-03-04 14:15:41 +0900[diff] [blame]662 EXPECT_CALL(runner,
663 ip(StrEq("link"), StrEq("set"), ElementsAre("foo", "up"), true));
Garrick Evans7a1a9ee2020-01-28 11:03:57 +0900[diff] [blame]664 EXPECT_CALL(runner, ip(StrEq("link"), StrEq("set"),
Garrick Evans2470caa2020-03-04 14:15:41 +0900[diff] [blame]665 ElementsAre("bar", "down"), true));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]666 Datapath datapath(&runner, &firewall);
Garrick Evans2470caa2020-03-04 14:15:41 +0900[diff] [blame]667 EXPECT_TRUE(datapath.ToggleInterface("foo", true));
668 EXPECT_TRUE(datapath.ToggleInterface("bar", false));
669}
670
671TEST(DatapathTest, ConfigureInterface) {
672 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]673 MockFirewall firewall;
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]674 EXPECT_CALL(
675 runner,
Garrick Evans2470caa2020-03-04 14:15:41 +0900[diff] [blame]676 ip(StrEq("addr"), StrEq("add"),
677 ElementsAre("1.1.1.1/30", "brd", "1.1.1.3", "dev", "foo"), true))
678 .WillOnce(Return(0));
679 EXPECT_CALL(runner, ip(StrEq("link"), StrEq("set"),
680 ElementsAre("dev", "foo", "up", "addr",
681 "02:02:02:02:02:02", "multicast", "on"),
682 true))
683 .WillOnce(Return(0));
684
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]685 Datapath datapath(&runner, &firewall);
Garrick Evans2470caa2020-03-04 14:15:41 +0900[diff] [blame]686 MacAddress mac_addr = {2, 2, 2, 2, 2, 2};
687 EXPECT_TRUE(datapath.ConfigureInterface("foo", mac_addr, Ipv4Addr(1, 1, 1, 1),
688 30, true, true));
Garrick Evans54861622019-07-19 09:05:09 +0900[diff] [blame]689}
690
691TEST(DatapathTest, RemoveInterface) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]692 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]693 MockFirewall firewall;
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]694 EXPECT_CALL(runner,
695 ip(StrEq("link"), StrEq("delete"), ElementsAre("foo"), false));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]696 Datapath datapath(&runner, &firewall);
Garrick Evans54861622019-07-19 09:05:09 +0900[diff] [blame]697 datapath.RemoveInterface("foo");
Garrick Evans54861622019-07-19 09:05:09 +0900[diff] [blame]698}
699
Garrick Evans8a949dc2019-07-18 16:17:53 +0900[diff] [blame]700TEST(DatapathTest, RemoveBridge) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]701 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]702 MockFirewall firewall;
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]703 EXPECT_CALL(runner, iptables(StrEq("mangle"),
704 ElementsAre("-D", "PREROUTING", "-i", "br", "-j",
Hugo Benichi6c445322020-08-12 16:46:19 +0900[diff] [blame]705 "MARK", "--set-mark", "1/1", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]706 true, nullptr));
Garrick Evans7a1a9ee2020-01-28 11:03:57 +0900[diff] [blame]707 EXPECT_CALL(runner,
708 ip(StrEq("link"), StrEq("set"), ElementsAre("br", "down"), true));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]709 EXPECT_CALL(runner, brctl(StrEq("delbr"), ElementsAre("br"), true));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]710 Datapath datapath(&runner, &firewall);
Garrick Evans8a949dc2019-07-18 16:17:53 +0900[diff] [blame]711 datapath.RemoveBridge("br");
Garrick Evans8a949dc2019-07-18 16:17:53 +0900[diff] [blame]712}
713
Hugo Benichi321f23b2020-09-25 15:42:05 +0900[diff] [blame]714TEST(DatapathTest, AddRemoveSourceIPv4DropRule) {
715 MockProcessRunner runner;
716 MockFirewall firewall;
717 EXPECT_CALL(runner,
718 iptables(StrEq("filter"),
719 ElementsAre("-I", "OUTPUT", "-o", "eth+", "-s",
720 "100.115.92.0/24", "-j", "DROP", "-w"),
721 true, nullptr));
722 EXPECT_CALL(runner,
723 iptables(StrEq("filter"),
724 ElementsAre("-D", "OUTPUT", "-o", "eth+", "-s",
725 "100.115.92.0/24", "-j", "DROP", "-w"),
726 true, nullptr));
727 Datapath datapath(&runner, &firewall);
728 datapath.AddSourceIPv4DropRule("eth+", "100.115.92.0/24");
729 datapath.RemoveSourceIPv4DropRule("eth+", "100.115.92.0/24");
730}
731
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]732TEST(DatapathTest, StartRoutingNamespace) {
733 MockProcessRunner runner;
734 MockFirewall firewall;
735 MacAddress mac = {1, 2, 3, 4, 5, 6};
736
737 EXPECT_CALL(runner, ip_netns_delete(StrEq("netns_foo"), false));
738 EXPECT_CALL(runner, ip_netns_attach(StrEq("netns_foo"), kTestPID, true));
739 EXPECT_CALL(runner, ip(StrEq("link"), StrEq("add"),
740 ElementsAre("arc_ns0", "type", "veth", "peer", "name",
741 "veth0", "netns", "netns_foo"),
742 true));
743 EXPECT_CALL(runner, ip(StrEq("addr"), StrEq("add"),
744 ElementsAre("100.115.92.130/30", "brd",
745 "100.115.92.131", "dev", "veth0"),
746 true))
747 .WillOnce(Return(0));
748 EXPECT_CALL(runner, ip(StrEq("link"), StrEq("set"),
749 ElementsAre("dev", "veth0", "up", "addr",
750 "01:02:03:04:05:06", "multicast", "off"),
751 true))
752 .WillOnce(Return(0));
753 EXPECT_CALL(runner, ip(StrEq("link"), StrEq("set"),
754 ElementsAre("arc_ns0", "up"), true));
755 EXPECT_CALL(runner, ip(StrEq("addr"), StrEq("add"),
756 ElementsAre("100.115.92.129/30", "brd",
757 "100.115.92.131", "dev", "arc_ns0"),
758 true))
759 .WillOnce(Return(0));
760 EXPECT_CALL(runner, ip(StrEq("link"), StrEq("set"),
761 ElementsAre("dev", "arc_ns0", "up", "addr",
762 "01:02:03:04:05:06", "multicast", "off"),
763 true))
764 .WillOnce(Return(0));
765 EXPECT_CALL(runner, iptables(StrEq("filter"),
766 ElementsAre("-A", "FORWARD", "-o", "arc_ns0",
767 "-j", "ACCEPT", "-w"),
768 true, nullptr));
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame^]769 EXPECT_CALL(runner, iptables(StrEq("filter"),
770 ElementsAre("-A", "FORWARD", "-i", "arc_ns0",
771 "-j", "ACCEPT", "-w"),
772 true, nullptr));
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]773 EXPECT_CALL(runner,
774 iptables(StrEq("mangle"),
775 ElementsAre("-A", "PREROUTING", "-i", "arc_ns0", "-j",
776 "MARK", "--set-mark", "1/1", "-w"),
777 true, nullptr));
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame^]778 EXPECT_CALL(runner, iptables(StrEq("mangle"),
779 ElementsAre("-A", "PREROUTING", "-i", "arc_ns0",
780 "-j", "MARK", "--set-mark",
781 "0x00000200/0x00003f00", "-w"),
782 true, nullptr));
783 EXPECT_CALL(runner, iptables(StrEq("mangle"),
784 ElementsAre("-A", "PREROUTING", "-i", "arc_ns0",
785 "-j", "CONNMARK", "--restore-mark",
786 "--mask", "0xffff0000", "-w"),
787 true, nullptr));
788 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
789 ElementsAre("-A", "PREROUTING", "-i", "arc_ns0",
790 "-j", "MARK", "--set-mark",
791 "0x00000200/0x00003f00", "-w"),
792 true, nullptr));
793 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
794 ElementsAre("-A", "PREROUTING", "-i", "arc_ns0",
795 "-j", "CONNMARK", "--restore-mark",
796 "--mask", "0xffff0000", "-w"),
797 true, nullptr));
798 EXPECT_CALL(runner, iptables(StrEq("mangle"),
799 ElementsAre("-A", "PREROUTING", "-i", "arc_ns0",
800 "-j", "apply_vpn_mark", "-w"),
801 true, nullptr));
802 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
803 ElementsAre("-A", "PREROUTING", "-i", "arc_ns0",
804 "-j", "apply_vpn_mark", "-w"),
805 true, nullptr));
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]806
Hugo Benichifcf81022020-12-04 11:01:37 +0900[diff] [blame]807 ConnectedNamespace nsinfo = {};
808 nsinfo.pid = kTestPID;
809 nsinfo.netns_name = "netns_foo";
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame^]810 nsinfo.source = TrafficSource::USER;
Hugo Benichifcf81022020-12-04 11:01:37 +0900[diff] [blame]811 nsinfo.outbound_ifname = "";
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame^]812 nsinfo.route_on_vpn = true;
Hugo Benichifcf81022020-12-04 11:01:37 +0900[diff] [blame]813 nsinfo.host_ifname = "arc_ns0";
814 nsinfo.peer_ifname = "veth0";
815 nsinfo.peer_subnet = std::make_unique<Subnet>(Ipv4Addr(100, 115, 92, 128), 30,
816 base::DoNothing());
817 nsinfo.peer_mac_addr = mac;
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]818 Datapath datapath(&runner, &firewall, (ioctl_t)ioctl_rtentry_cap);
Hugo Benichifcf81022020-12-04 11:01:37 +0900[diff] [blame]819 datapath.StartRoutingNamespace(nsinfo);
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]820 ioctl_reqs.clear();
821 ioctl_rtentry_args.clear();
822}
823
824TEST(DatapathTest, StopRoutingNamespace) {
825 MockProcessRunner runner;
826 MockFirewall firewall;
827
828 EXPECT_CALL(runner, iptables(StrEq("filter"),
829 ElementsAre("-D", "FORWARD", "-o", "arc_ns0",
830 "-j", "ACCEPT", "-w"),
831 true, nullptr));
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame^]832 EXPECT_CALL(runner, iptables(StrEq("filter"),
833 ElementsAre("-D", "FORWARD", "-i", "arc_ns0",
834 "-j", "ACCEPT", "-w"),
835 true, nullptr));
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]836 EXPECT_CALL(runner,
837 iptables(StrEq("mangle"),
838 ElementsAre("-D", "PREROUTING", "-i", "arc_ns0", "-j",
839 "MARK", "--set-mark", "1/1", "-w"),
840 true, nullptr));
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame^]841 EXPECT_CALL(runner, iptables(StrEq("mangle"),
842 ElementsAre("-D", "PREROUTING", "-i", "arc_ns0",
843 "-j", "MARK", "--set-mark",
844 "0x00000200/0x00003f00", "-w"),
845 true, nullptr));
846 EXPECT_CALL(runner, iptables(StrEq("mangle"),
847 ElementsAre("-D", "PREROUTING", "-i", "arc_ns0",
848 "-j", "CONNMARK", "--restore-mark",
849 "--mask", "0xffff0000", "-w"),
850 true, nullptr));
851 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
852 ElementsAre("-D", "PREROUTING", "-i", "arc_ns0",
853 "-j", "MARK", "--set-mark",
854 "0x00000200/0x00003f00", "-w"),
855 true, nullptr));
856 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
857 ElementsAre("-D", "PREROUTING", "-i", "arc_ns0",
858 "-j", "CONNMARK", "--restore-mark",
859 "--mask", "0xffff0000", "-w"),
860 true, nullptr));
861 EXPECT_CALL(runner, iptables(StrEq("mangle"),
862 ElementsAre("-D", "PREROUTING", "-i", "arc_ns0",
863 "-j", "apply_vpn_mark", "-w"),
864 true, nullptr));
865 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
866 ElementsAre("-D", "PREROUTING", "-i", "arc_ns0",
867 "-j", "apply_vpn_mark", "-w"),
868 true, nullptr));
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]869 EXPECT_CALL(runner, ip_netns_delete(StrEq("netns_foo"), true));
870 EXPECT_CALL(runner, ip(StrEq("link"), StrEq("delete"), ElementsAre("arc_ns0"),
871 false));
872
Hugo Benichifcf81022020-12-04 11:01:37 +0900[diff] [blame]873 ConnectedNamespace nsinfo = {};
874 nsinfo.pid = kTestPID;
875 nsinfo.netns_name = "netns_foo";
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame^]876 nsinfo.source = TrafficSource::USER;
Hugo Benichifcf81022020-12-04 11:01:37 +0900[diff] [blame]877 nsinfo.outbound_ifname = "";
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame^]878 nsinfo.route_on_vpn = true;
Hugo Benichifcf81022020-12-04 11:01:37 +0900[diff] [blame]879 nsinfo.host_ifname = "arc_ns0";
880 nsinfo.peer_ifname = "veth0";
881 nsinfo.peer_subnet = std::make_unique<Subnet>(Ipv4Addr(100, 115, 92, 128), 30,
882 base::DoNothing());
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]883 Datapath datapath(&runner, &firewall);
Hugo Benichifcf81022020-12-04 11:01:37 +0900[diff] [blame]884 datapath.StopRoutingNamespace(nsinfo);
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]885}
886
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]887TEST(DatapathTest, StartRoutingDevice_Arc) {
888 MockProcessRunner runner;
889 MockFirewall firewall;
890 EXPECT_CALL(runner, iptables(StrEq("nat"),
891 ElementsAre("-A", "PREROUTING", "-i", "eth0",
892 "-m", "socket", "--nowildcard", "-j",
893 "ACCEPT", "-w"),
894 true, nullptr));
895 EXPECT_CALL(runner, iptables(StrEq("nat"),
896 ElementsAre("-A", "PREROUTING", "-i", "eth0",
897 "-p", "tcp", "-j", "DNAT",
898 "--to-destination", "1.2.3.4", "-w"),
899 true, nullptr));
900 EXPECT_CALL(runner, iptables(StrEq("nat"),
901 ElementsAre("-A", "PREROUTING", "-i", "eth0",
902 "-p", "udp", "-j", "DNAT",
903 "--to-destination", "1.2.3.4", "-w"),
904 true, nullptr));
905 EXPECT_CALL(runner, iptables(StrEq("filter"),
Hugo Benichic6ae67c2020-08-14 15:02:13 +0900[diff] [blame]906 ElementsAre("-A", "FORWARD", "-i", "eth0", "-o",
907 "arc_eth0", "-j", "ACCEPT", "-w"),
908 true, nullptr));
909 EXPECT_CALL(runner, iptables(StrEq("filter"),
910 ElementsAre("-A", "FORWARD", "-i", "arc_eth0",
911 "-o", "eth0", "-j", "ACCEPT", "-w"),
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]912 true, nullptr));
Hugo Benichi9be19b12020-08-14 15:33:40 +0900[diff] [blame]913 EXPECT_CALL(runner, iptables(StrEq("mangle"),
914 ElementsAre("-A", "PREROUTING", "-i", "arc_eth0",
915 "-j", "MARK", "--set-mark",
916 "0x00002000/0x00003f00", "-w"),
917 true, nullptr));
Hugo Benichiaf9d8a72020-08-26 13:28:13 +0900[diff] [blame]918 EXPECT_CALL(runner, iptables(StrEq("mangle"),
919 ElementsAre("-A", "PREROUTING", "-i", "arc_eth0",
920 "-j", "MARK", "--set-mark",
921 "0x03ea0000/0xffff0000", "-w"),
922 true, nullptr));
Hugo Benichi5c9c11c2020-09-15 17:25:26 +0900[diff] [blame]923 EXPECT_CALL(
924 runner,
925 ip6tables(StrEq("mangle"),
926 ElementsAre("-A", "PREROUTING", "-i", "arc_eth0", "-j", "MARK",
927 "--set-mark", "0x00002000/0x00003f00", "-w"),
928 true, nullptr));
Hugo Benichiaf9d8a72020-08-26 13:28:13 +0900[diff] [blame]929 EXPECT_CALL(
930 runner,
931 ip6tables(StrEq("mangle"),
932 ElementsAre("-A", "PREROUTING", "-i", "arc_eth0", "-j", "MARK",
933 "--set-mark", "0x03ea0000/0xffff0000", "-w"),
934 true, nullptr));
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]935
936 Datapath datapath(&runner, &firewall);
Hugo Benichiaf9d8a72020-08-26 13:28:13 +0900[diff] [blame]937 datapath.SetIfnameIndex("eth0", 2);
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]938 datapath.StartRoutingDevice("eth0", "arc_eth0", Ipv4Addr(1, 2, 3, 4),
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame^]939 TrafficSource::ARC, false);
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]940}
941
942TEST(DatapathTest, StartRoutingDevice_CrosVM) {
943 MockProcessRunner runner;
944 MockFirewall firewall;
945 EXPECT_CALL(runner, iptables(StrEq("filter"),
946 ElementsAre("-A", "FORWARD", "-o", "vmtap0",
947 "-j", "ACCEPT", "-w"),
948 true, nullptr));
Hugo Benichic6ae67c2020-08-14 15:02:13 +0900[diff] [blame]949 EXPECT_CALL(runner, iptables(StrEq("filter"),
950 ElementsAre("-A", "FORWARD", "-i", "vmtap0",
951 "-j", "ACCEPT", "-w"),
952 true, nullptr));
Hugo Benichi9be19b12020-08-14 15:33:40 +0900[diff] [blame]953 EXPECT_CALL(runner, iptables(StrEq("mangle"),
954 ElementsAre("-A", "PREROUTING", "-i", "vmtap0",
955 "-j", "MARK", "--set-mark",
956 "0x00002100/0x00003f00", "-w"),
957 true, nullptr));
Hugo Benichiaf9d8a72020-08-26 13:28:13 +0900[diff] [blame]958 EXPECT_CALL(runner, iptables(StrEq("mangle"),
959 ElementsAre("-A", "PREROUTING", "-i", "vmtap0",
960 "-j", "CONNMARK", "--restore-mark",
961 "--mask", "0xffff0000", "-w"),
962 true, nullptr));
Hugo Benichi5c9c11c2020-09-15 17:25:26 +0900[diff] [blame]963 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
964 ElementsAre("-A", "PREROUTING", "-i", "vmtap0",
965 "-j", "MARK", "--set-mark",
966 "0x00002100/0x00003f00", "-w"),
967 true, nullptr));
Hugo Benichiaf9d8a72020-08-26 13:28:13 +0900[diff] [blame]968 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
969 ElementsAre("-A", "PREROUTING", "-i", "vmtap0",
970 "-j", "CONNMARK", "--restore-mark",
971 "--mask", "0xffff0000", "-w"),
972 true, nullptr));
Hugo Benichi3ef370b2020-11-16 19:07:17 +0900[diff] [blame]973 EXPECT_CALL(runner, iptables(StrEq("mangle"),
974 ElementsAre("-A", "PREROUTING", "-i", "vmtap0",
975 "-j", "apply_vpn_mark", "-w"),
976 true, nullptr));
977 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
978 ElementsAre("-A", "PREROUTING", "-i", "vmtap0",
979 "-j", "apply_vpn_mark", "-w"),
980 true, nullptr));
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]981
982 Datapath datapath(&runner, &firewall);
983 datapath.StartRoutingDevice("", "vmtap0", Ipv4Addr(1, 2, 3, 4),
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame^]984 TrafficSource::CROSVM, true);
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]985}
986
987TEST(DatapathTest, StopRoutingDevice_Arc) {
988 MockProcessRunner runner;
989 MockFirewall firewall;
990 EXPECT_CALL(runner, iptables(StrEq("nat"),
991 ElementsAre("-D", "PREROUTING", "-i", "eth0",
992 "-m", "socket", "--nowildcard", "-j",
993 "ACCEPT", "-w"),
994 true, nullptr));
995 EXPECT_CALL(runner, iptables(StrEq("nat"),
996 ElementsAre("-D", "PREROUTING", "-i", "eth0",
997 "-p", "tcp", "-j", "DNAT",
998 "--to-destination", "1.2.3.4", "-w"),
999 true, nullptr));
1000 EXPECT_CALL(runner, iptables(StrEq("nat"),
1001 ElementsAre("-D", "PREROUTING", "-i", "eth0",
1002 "-p", "udp", "-j", "DNAT",
1003 "--to-destination", "1.2.3.4", "-w"),
1004 true, nullptr));
1005 EXPECT_CALL(runner, iptables(StrEq("filter"),
Hugo Benichic6ae67c2020-08-14 15:02:13 +0900[diff] [blame]1006 ElementsAre("-D", "FORWARD", "-i", "eth0", "-o",
1007 "arc_eth0", "-j", "ACCEPT", "-w"),
1008 true, nullptr));
1009 EXPECT_CALL(runner, iptables(StrEq("filter"),
1010 ElementsAre("-D", "FORWARD", "-i", "arc_eth0",
1011 "-o", "eth0", "-j", "ACCEPT", "-w"),
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]1012 true, nullptr));
Hugo Benichi9be19b12020-08-14 15:33:40 +0900[diff] [blame]1013 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1014 ElementsAre("-D", "PREROUTING", "-i", "arc_eth0",
1015 "-j", "MARK", "--set-mark",
1016 "0x00002000/0x00003f00", "-w"),
1017 true, nullptr));
Hugo Benichiaf9d8a72020-08-26 13:28:13 +0900[diff] [blame]1018 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1019 ElementsAre("-D", "PREROUTING", "-i", "arc_eth0",
1020 "-j", "MARK", "--set-mark",
1021 "0x03ea0000/0xffff0000", "-w"),
1022 true, nullptr));
Hugo Benichi5c9c11c2020-09-15 17:25:26 +0900[diff] [blame]1023 EXPECT_CALL(
1024 runner,
1025 ip6tables(StrEq("mangle"),
1026 ElementsAre("-D", "PREROUTING", "-i", "arc_eth0", "-j", "MARK",
1027 "--set-mark", "0x00002000/0x00003f00", "-w"),
1028 true, nullptr));
Hugo Benichiaf9d8a72020-08-26 13:28:13 +0900[diff] [blame]1029 EXPECT_CALL(
1030 runner,
1031 ip6tables(StrEq("mangle"),
1032 ElementsAre("-D", "PREROUTING", "-i", "arc_eth0", "-j", "MARK",
1033 "--set-mark", "0x03ea0000/0xffff0000", "-w"),
1034 true, nullptr));
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]1035
1036 Datapath datapath(&runner, &firewall);
Hugo Benichiaf9d8a72020-08-26 13:28:13 +0900[diff] [blame]1037 datapath.SetIfnameIndex("eth0", 2);
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]1038 datapath.StopRoutingDevice("eth0", "arc_eth0", Ipv4Addr(1, 2, 3, 4),
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame^]1039 TrafficSource::ARC, true);
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]1040}
1041
1042TEST(DatapathTest, StopRoutingDevice_CrosVM) {
1043 MockProcessRunner runner;
1044 MockFirewall firewall;
1045 EXPECT_CALL(runner, iptables(StrEq("filter"),
1046 ElementsAre("-D", "FORWARD", "-o", "vmtap0",
1047 "-j", "ACCEPT", "-w"),
1048 true, nullptr));
Hugo Benichic6ae67c2020-08-14 15:02:13 +0900[diff] [blame]1049 EXPECT_CALL(runner, iptables(StrEq("filter"),
1050 ElementsAre("-D", "FORWARD", "-i", "vmtap0",
1051 "-j", "ACCEPT", "-w"),
1052 true, nullptr));
Hugo Benichi9be19b12020-08-14 15:33:40 +0900[diff] [blame]1053 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1054 ElementsAre("-D", "PREROUTING", "-i", "vmtap0",
1055 "-j", "MARK", "--set-mark",
1056 "0x00002100/0x00003f00", "-w"),
1057 true, nullptr));
Hugo Benichiaf9d8a72020-08-26 13:28:13 +0900[diff] [blame]1058 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1059 ElementsAre("-D", "PREROUTING", "-i", "vmtap0",
1060 "-j", "CONNMARK", "--restore-mark",
1061 "--mask", "0xffff0000", "-w"),
1062 true, nullptr));
Hugo Benichi5c9c11c2020-09-15 17:25:26 +0900[diff] [blame]1063 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1064 ElementsAre("-D", "PREROUTING", "-i", "vmtap0",
1065 "-j", "MARK", "--set-mark",
1066 "0x00002100/0x00003f00", "-w"),
1067 true, nullptr));
Hugo Benichiaf9d8a72020-08-26 13:28:13 +0900[diff] [blame]1068 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1069 ElementsAre("-D", "PREROUTING", "-i", "vmtap0",
1070 "-j", "CONNMARK", "--restore-mark",
1071 "--mask", "0xffff0000", "-w"),
1072 true, nullptr));
Hugo Benichi3ef370b2020-11-16 19:07:17 +0900[diff] [blame]1073 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1074 ElementsAre("-D", "PREROUTING", "-i", "vmtap0",
1075 "-j", "apply_vpn_mark", "-w"),
1076 true, nullptr));
1077 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1078 ElementsAre("-D", "PREROUTING", "-i", "vmtap0",
1079 "-j", "apply_vpn_mark", "-w"),
1080 true, nullptr));
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]1081
1082 Datapath datapath(&runner, &firewall);
1083 datapath.StopRoutingDevice("", "vmtap0", Ipv4Addr(1, 2, 3, 4),
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame^]1084 TrafficSource::CROSVM, true);
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]1085}
1086
Hugo Benichid82d8832020-08-14 10:05:03 +0900[diff] [blame]1087TEST(DatapathTest, StartStopIpForwarding) {
1088 struct {
1089 IpFamily family;
1090 std::string iif;
1091 std::string oif;
1092 std::vector<std::string> start_args;
1093 std::vector<std::string> stop_args;
1094 bool result;
1095 } testcases[] = {
1096 {IpFamily::IPv4, "", "", {}, {}, false},
1097 {IpFamily::NONE, "foo", "bar", {}, {}, false},
1098 {IpFamily::IPv4,
1099 "foo",
1100 "bar",
1101 {"-A", "FORWARD", "-i", "foo", "-o", "bar", "-j", "ACCEPT", "-w"},
1102 {"-D", "FORWARD", "-i", "foo", "-o", "bar", "-j", "ACCEPT", "-w"},
1103 true},
1104 {IpFamily::IPv4,
1105 "",
1106 "bar",
1107 {"-A", "FORWARD", "-o", "bar", "-j", "ACCEPT", "-w"},
1108 {"-D", "FORWARD", "-o", "bar", "-j", "ACCEPT", "-w"},
1109 true},
1110 {IpFamily::IPv4,
1111 "foo",
1112 "",
1113 {"-A", "FORWARD", "-i", "foo", "-j", "ACCEPT", "-w"},
1114 {"-D", "FORWARD", "-i", "foo", "-j", "ACCEPT", "-w"},
1115 true},
1116 {IpFamily::IPv6,
1117 "foo",
1118 "bar",
1119 {"-A", "FORWARD", "-i", "foo", "-o", "bar", "-j", "ACCEPT", "-w"},
1120 {"-D", "FORWARD", "-i", "foo", "-o", "bar", "-j", "ACCEPT", "-w"},
1121 true},
1122 {IpFamily::IPv6,
1123 "",
1124 "bar",
1125 {"-A", "FORWARD", "-o", "bar", "-j", "ACCEPT", "-w"},
1126 {"-D", "FORWARD", "-o", "bar", "-j", "ACCEPT", "-w"},
1127 true},
1128 {IpFamily::IPv6,
1129 "foo",
1130 "",
1131 {"-A", "FORWARD", "-i", "foo", "-j", "ACCEPT", "-w"},
1132 {"-D", "FORWARD", "-i", "foo", "-j", "ACCEPT", "-w"},
1133 true},
1134 {IpFamily::Dual,
1135 "foo",
1136 "bar",
1137 {"-A", "FORWARD", "-i", "foo", "-o", "bar", "-j", "ACCEPT", "-w"},
1138 {"-D", "FORWARD", "-i", "foo", "-o", "bar", "-j", "ACCEPT", "-w"},
1139 true},
1140 {IpFamily::Dual,
1141 "",
1142 "bar",
1143 {"-A", "FORWARD", "-o", "bar", "-j", "ACCEPT", "-w"},
1144 {"-D", "FORWARD", "-o", "bar", "-j", "ACCEPT", "-w"},
1145 true},
1146 {IpFamily::Dual,
1147 "foo",
1148 "",
1149 {"-A", "FORWARD", "-i", "foo", "-j", "ACCEPT", "-w"},
1150 {"-D", "FORWARD", "-i", "foo", "-j", "ACCEPT", "-w"},
1151 true},
1152 };
1153
1154 for (const auto& tt : testcases) {
1155 MockProcessRunner runner;
1156 MockFirewall firewall;
1157 if (tt.result) {
1158 if (tt.family & IpFamily::IPv4) {
1159 EXPECT_CALL(runner,
1160 iptables(StrEq("filter"), tt.start_args, true, nullptr))
1161 .WillOnce(Return(0));
1162 EXPECT_CALL(runner,
1163 iptables(StrEq("filter"), tt.stop_args, true, nullptr))
1164 .WillOnce(Return(0));
1165 }
1166 if (tt.family & IpFamily::IPv6) {
1167 EXPECT_CALL(runner,
1168 ip6tables(StrEq("filter"), tt.start_args, true, nullptr))
1169 .WillOnce(Return(0));
1170 EXPECT_CALL(runner,
1171 ip6tables(StrEq("filter"), tt.stop_args, true, nullptr))
1172 .WillOnce(Return(0));
1173 }
1174 }
1175 Datapath datapath(&runner, &firewall);
1176
1177 EXPECT_EQ(tt.result, datapath.StartIpForwarding(tt.family, tt.iif, tt.oif));
1178 EXPECT_EQ(tt.result, datapath.StopIpForwarding(tt.family, tt.iif, tt.oif));
1179 }
1180}
1181
Hugo Benichi76be34a2020-08-26 22:35:54 +0900[diff] [blame]1182TEST(DatapathTest, StartStopConnectionPinning) {
1183 MockProcessRunner runner;
1184 MockFirewall firewall;
Hugo Benichi1af52392020-11-27 18:09:32 +0900[diff] [blame]1185
1186 // Setup
Hugo Benichi76be34a2020-08-26 22:35:54 +0900[diff] [blame]1187 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1188 ElementsAre("-A", "POSTROUTING", "-o", "eth0",
1189 "-j", "CONNMARK", "--set-mark",
1190 "0x03eb0000/0xffff0000", "-w"),
1191 true, nullptr));
Hugo Benichi76be34a2020-08-26 22:35:54 +0900[diff] [blame]1192 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1193 ElementsAre("-A", "POSTROUTING", "-o", "eth0",
1194 "-j", "CONNMARK", "--set-mark",
1195 "0x03eb0000/0xffff0000", "-w"),
1196 true, nullptr));
Hugo Benichi1af52392020-11-27 18:09:32 +0900[diff] [blame]1197 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1198 ElementsAre("-A", "POSTROUTING", "-o", "eth0",
1199 "-j", "CONNMARK", "--save-mark",
1200 "--mask", "0x00003f00", "-w"),
1201 true, nullptr));
1202 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1203 ElementsAre("-A", "POSTROUTING", "-o", "eth0",
1204 "-j", "CONNMARK", "--save-mark",
1205 "--mask", "0x00003f00", "-w"),
1206 true, nullptr));
1207 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1208 ElementsAre("-A", "PREROUTING", "-i", "eth0",
1209 "-j", "CONNMARK", "--restore-mark",
1210 "--mask", "0x00003f00", "-w"),
1211 true, nullptr));
1212 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1213 ElementsAre("-A", "PREROUTING", "-i", "eth0",
1214 "-j", "CONNMARK", "--restore-mark",
1215 "--mask", "0x00003f00", "-w"),
1216 true, nullptr));
1217 // Teardown
1218 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1219 ElementsAre("-D", "POSTROUTING", "-o", "eth0",
1220 "-j", "CONNMARK", "--set-mark",
1221 "0x03eb0000/0xffff0000", "-w"),
1222 true, nullptr));
Hugo Benichi76be34a2020-08-26 22:35:54 +0900[diff] [blame]1223 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1224 ElementsAre("-D", "POSTROUTING", "-o", "eth0",
1225 "-j", "CONNMARK", "--set-mark",
1226 "0x03eb0000/0xffff0000", "-w"),
1227 true, nullptr));
Hugo Benichi1af52392020-11-27 18:09:32 +0900[diff] [blame]1228 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1229 ElementsAre("-D", "POSTROUTING", "-o", "eth0",
1230 "-j", "CONNMARK", "--save-mark",
1231 "--mask", "0x00003f00", "-w"),
1232 true, nullptr));
1233 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1234 ElementsAre("-D", "POSTROUTING", "-o", "eth0",
1235 "-j", "CONNMARK", "--save-mark",
1236 "--mask", "0x00003f00", "-w"),
1237 true, nullptr));
1238 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1239 ElementsAre("-D", "PREROUTING", "-i", "eth0",
1240 "-j", "CONNMARK", "--restore-mark",
1241 "--mask", "0x00003f00", "-w"),
1242 true, nullptr));
1243 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1244 ElementsAre("-D", "PREROUTING", "-i", "eth0",
1245 "-j", "CONNMARK", "--restore-mark",
1246 "--mask", "0x00003f00", "-w"),
1247 true, nullptr));
1248
Hugo Benichi76be34a2020-08-26 22:35:54 +0900[diff] [blame]1249 Datapath datapath(&runner, &firewall);
1250 datapath.SetIfnameIndex("eth0", 3);
1251 datapath.StartConnectionPinning("eth0");
1252 datapath.StopConnectionPinning("eth0");
1253}
1254
Hugo Benichi2a940542020-10-26 18:50:49 +0900[diff] [blame]1255TEST(DatapathTest, StartStopVpnRouting_NoVirtualDevices) {
1256 MockProcessRunner runner;
1257 MockFirewall firewall;
1258
1259 // Setup
1260 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1261 ElementsAre("-A", "POSTROUTING", "-o", "arcbr0",
1262 "-j", "CONNMARK", "--set-mark",
1263 "0x03ed0000/0xffff0000", "-w"),
1264 true, nullptr));
1265 EXPECT_CALL(runner,
1266 iptables(StrEq("mangle"),
1267 ElementsAre("-A", "apply_vpn_mark", "-j", "MARK",
1268 "--set-mark", "0x03ed0000/0xffff0000", "-w"),
1269 true, nullptr));
1270 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1271 ElementsAre("-A", "POSTROUTING", "-o", "arcbr0",
1272 "-j", "CONNMARK", "--set-mark",
1273 "0x03ed0000/0xffff0000", "-w"),
1274 true, nullptr));
1275 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1276 ElementsAre("-A", "apply_vpn_mark", "-j",
1277 "MARK", "--set-mark",
1278 "0x03ed0000/0xffff0000", "-w"),
1279 true, nullptr));
Hugo Benichi1af52392020-11-27 18:09:32 +0900[diff] [blame]1280 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1281 ElementsAre("-A", "POSTROUTING", "-o", "arcbr0",
1282 "-j", "CONNMARK", "--save-mark",
1283 "--mask", "0x00003f00", "-w"),
1284 true, nullptr));
1285 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1286 ElementsAre("-A", "POSTROUTING", "-o", "arcbr0",
1287 "-j", "CONNMARK", "--save-mark",
1288 "--mask", "0x00003f00", "-w"),
1289 true, nullptr));
1290 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1291 ElementsAre("-A", "PREROUTING", "-i", "arcbr0",
1292 "-j", "CONNMARK", "--restore-mark",
1293 "--mask", "0x00003f00", "-w"),
1294 true, nullptr));
1295 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1296 ElementsAre("-A", "PREROUTING", "-i", "arcbr0",
1297 "-j", "CONNMARK", "--restore-mark",
1298 "--mask", "0x00003f00", "-w"),
1299 true, nullptr));
Hugo Benichi2a940542020-10-26 18:50:49 +0900[diff] [blame]1300 // Teardown
1301 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1302 ElementsAre("-D", "POSTROUTING", "-o", "arcbr0",
1303 "-j", "CONNMARK", "--set-mark",
1304 "0x03ed0000/0xffff0000", "-w"),
1305 true, nullptr));
1306 EXPECT_CALL(runner,
1307 iptables(StrEq("mangle"),
1308 ElementsAre("-D", "apply_vpn_mark", "-j", "MARK",
1309 "--set-mark", "0x03ed0000/0xffff0000", "-w"),
1310 true, nullptr));
1311 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1312 ElementsAre("-D", "POSTROUTING", "-o", "arcbr0",
1313 "-j", "CONNMARK", "--set-mark",
1314 "0x03ed0000/0xffff0000", "-w"),
1315 true, nullptr));
1316 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1317 ElementsAre("-D", "apply_vpn_mark", "-j",
1318 "MARK", "--set-mark",
1319 "0x03ed0000/0xffff0000", "-w"),
1320 true, nullptr));
Hugo Benichi1af52392020-11-27 18:09:32 +0900[diff] [blame]1321 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1322 ElementsAre("-D", "POSTROUTING", "-o", "arcbr0",
1323 "-j", "CONNMARK", "--save-mark",
1324 "--mask", "0x00003f00", "-w"),
1325 true, nullptr));
1326 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1327 ElementsAre("-D", "POSTROUTING", "-o", "arcbr0",
1328 "-j", "CONNMARK", "--save-mark",
1329 "--mask", "0x00003f00", "-w"),
1330 true, nullptr));
1331 EXPECT_CALL(runner, iptables(StrEq("mangle"),
1332 ElementsAre("-D", "PREROUTING", "-i", "arcbr0",
1333 "-j", "CONNMARK", "--restore-mark",
1334 "--mask", "0x00003f00", "-w"),
1335 true, nullptr));
1336 EXPECT_CALL(runner, ip6tables(StrEq("mangle"),
1337 ElementsAre("-D", "PREROUTING", "-i", "arcbr0",
1338 "-j", "CONNMARK", "--restore-mark",
1339 "--mask", "0x00003f00", "-w"),
1340 true, nullptr));
Hugo Benichi2a940542020-10-26 18:50:49 +0900[diff] [blame]1341
1342 Datapath datapath(&runner, &firewall);
1343 datapath.SetIfnameIndex("arcbr0", 5);
1344 datapath.StartVpnRouting("arcbr0");
1345 datapath.StopVpnRouting("arcbr0");
1346}
1347
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]1348TEST(DatapathTest, AddInboundIPv4DNAT) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1349 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1350 MockFirewall firewall;
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1351 EXPECT_CALL(runner, iptables(StrEq("nat"),
1352 ElementsAre("-A", "PREROUTING", "-i", "eth0",
1353 "-m", "socket", "--nowildcard", "-j",
1354 "ACCEPT", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1355 true, nullptr));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1356 EXPECT_CALL(runner, iptables(StrEq("nat"),
1357 ElementsAre("-A", "PREROUTING", "-i", "eth0",
1358 "-p", "tcp", "-j", "DNAT",
1359 "--to-destination", "1.2.3.4", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1360 true, nullptr));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1361 EXPECT_CALL(runner, iptables(StrEq("nat"),
1362 ElementsAre("-A", "PREROUTING", "-i", "eth0",
1363 "-p", "udp", "-j", "DNAT",
1364 "--to-destination", "1.2.3.4", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1365 true, nullptr));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1366 Datapath datapath(&runner, &firewall);
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]1367 datapath.AddInboundIPv4DNAT("eth0", "1.2.3.4");
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]1368}
1369
1370TEST(DatapathTest, RemoveInboundIPv4DNAT) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1371 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1372 MockFirewall firewall;
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1373 EXPECT_CALL(runner, iptables(StrEq("nat"),
1374 ElementsAre("-D", "PREROUTING", "-i", "eth0",
1375 "-m", "socket", "--nowildcard", "-j",
1376 "ACCEPT", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1377 true, nullptr));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1378 EXPECT_CALL(runner, iptables(StrEq("nat"),
1379 ElementsAre("-D", "PREROUTING", "-i", "eth0",
1380 "-p", "tcp", "-j", "DNAT",
1381 "--to-destination", "1.2.3.4", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1382 true, nullptr));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1383 EXPECT_CALL(runner, iptables(StrEq("nat"),
1384 ElementsAre("-D", "PREROUTING", "-i", "eth0",
1385 "-p", "udp", "-j", "DNAT",
1386 "--to-destination", "1.2.3.4", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1387 true, nullptr));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1388 Datapath datapath(&runner, &firewall);
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]1389 datapath.RemoveInboundIPv4DNAT("eth0", "1.2.3.4");
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]1390}
1391
Garrick Evans664a82f2019-12-17 12:18:05 +0900[diff] [blame]1392TEST(DatapathTest, MaskInterfaceFlags) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1393 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1394 MockFirewall firewall;
1395 Datapath datapath(&runner, &firewall, ioctl_req_cap);
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]1396
Garrick Evans664a82f2019-12-17 12:18:05 +0900[diff] [blame]1397 bool result = datapath.MaskInterfaceFlags("foo0", IFF_DEBUG);
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]1398 EXPECT_TRUE(result);
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]1399 std::vector<ioctl_req_t> expected = {SIOCGIFFLAGS, SIOCSIFFLAGS};
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]1400 EXPECT_EQ(ioctl_reqs, expected);
1401 ioctl_reqs.clear();
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]1402 ioctl_rtentry_args.clear();
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]1403}
1404
1405TEST(DatapathTest, AddIPv6Forwarding) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1406 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1407 MockFirewall firewall;
Taoyu Lica49c832019-12-06 17:56:43 +0900[diff] [blame]1408 // Return 1 on iptables -C to simulate rule not existing case
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1409 EXPECT_CALL(runner, ip6tables(StrEq("filter"),
1410 ElementsAre("-C", "FORWARD", "-i", "eth0", "-o",
1411 "arc_eth0", "-j", "ACCEPT", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1412 false, nullptr))
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1413 .WillOnce(Return(1));
1414 EXPECT_CALL(runner, ip6tables(StrEq("filter"),
1415 ElementsAre("-A", "FORWARD", "-i", "eth0", "-o",
1416 "arc_eth0", "-j", "ACCEPT", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1417 true, nullptr));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1418 EXPECT_CALL(runner, ip6tables(StrEq("filter"),
1419 ElementsAre("-C", "FORWARD", "-i", "arc_eth0",
1420 "-o", "eth0", "-j", "ACCEPT", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1421 false, nullptr))
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1422 .WillOnce(Return(1));
1423 EXPECT_CALL(runner, ip6tables(StrEq("filter"),
1424 ElementsAre("-A", "FORWARD", "-i", "arc_eth0",
1425 "-o", "eth0", "-j", "ACCEPT", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1426 true, nullptr));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1427 Datapath datapath(&runner, &firewall);
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]1428 datapath.AddIPv6Forwarding("eth0", "arc_eth0");
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]1429}
1430
Taoyu Lica49c832019-12-06 17:56:43 +0900[diff] [blame]1431TEST(DatapathTest, AddIPv6ForwardingRuleExists) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1432 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1433 MockFirewall firewall;
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1434 EXPECT_CALL(runner, ip6tables(StrEq("filter"),
1435 ElementsAre("-C", "FORWARD", "-i", "eth0", "-o",
1436 "arc_eth0", "-j", "ACCEPT", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1437 false, nullptr));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1438 EXPECT_CALL(runner, ip6tables(StrEq("filter"),
1439 ElementsAre("-C", "FORWARD", "-i", "arc_eth0",
1440 "-o", "eth0", "-j", "ACCEPT", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1441 false, nullptr));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1442 Datapath datapath(&runner, &firewall);
Taoyu Lica49c832019-12-06 17:56:43 +0900[diff] [blame]1443 datapath.AddIPv6Forwarding("eth0", "arc_eth0");
Taoyu Lica49c832019-12-06 17:56:43 +0900[diff] [blame]1444}
1445
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]1446TEST(DatapathTest, RemoveIPv6Forwarding) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1447 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1448 MockFirewall firewall;
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1449 EXPECT_CALL(runner, ip6tables(StrEq("filter"),
1450 ElementsAre("-D", "FORWARD", "-i", "eth0", "-o",
1451 "arc_eth0", "-j", "ACCEPT", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1452 true, nullptr));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1453 EXPECT_CALL(runner, ip6tables(StrEq("filter"),
1454 ElementsAre("-D", "FORWARD", "-i", "arc_eth0",
1455 "-o", "eth0", "-j", "ACCEPT", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1456 true, nullptr));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1457 Datapath datapath(&runner, &firewall);
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]1458 datapath.RemoveIPv6Forwarding("eth0", "arc_eth0");
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]1459}
1460
Taoyu Lieb6cc8f2019-12-09 15:53:04 +0900[diff] [blame]1461TEST(DatapathTest, AddIPv6HostRoute) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1462 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1463 MockFirewall firewall;
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1464 EXPECT_CALL(runner,
1465 ip6(StrEq("route"), StrEq("replace"),
1466 ElementsAre("2001:da8:e00::1234/128", "dev", "eth0"), true));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1467 Datapath datapath(&runner, &firewall);
Taoyu Lieb6cc8f2019-12-09 15:53:04 +0900[diff] [blame]1468 datapath.AddIPv6HostRoute("eth0", "2001:da8:e00::1234", 128);
Taoyu Lieb6cc8f2019-12-09 15:53:04 +0900[diff] [blame]1469}
1470
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]1471TEST(DatapathTest, AddIPv4Route) {
1472 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1473 MockFirewall firewall;
1474 Datapath datapath(&runner, &firewall, (ioctl_t)ioctl_rtentry_cap);
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]1475
1476 datapath.AddIPv4Route(Ipv4Addr(192, 168, 1, 1), Ipv4Addr(100, 115, 93, 0),
1477 Ipv4Addr(255, 255, 255, 0));
1478 datapath.DeleteIPv4Route(Ipv4Addr(192, 168, 1, 1), Ipv4Addr(100, 115, 93, 0),
1479 Ipv4Addr(255, 255, 255, 0));
1480 datapath.AddIPv4Route("eth0", Ipv4Addr(100, 115, 92, 8),
1481 Ipv4Addr(255, 255, 255, 252));
1482 datapath.DeleteIPv4Route("eth0", Ipv4Addr(100, 115, 92, 8),
1483 Ipv4Addr(255, 255, 255, 252));
1484
1485 std::vector<ioctl_req_t> expected_reqs = {SIOCADDRT, SIOCDELRT, SIOCADDRT,
1486 SIOCDELRT};
1487 EXPECT_EQ(expected_reqs, ioctl_reqs);
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]1488
1489 std::string route1 =
1490 "{rt_dst: {family: AF_INET, port: 0, addr: 100.115.93.0}, rt_genmask: "
1491 "{family: AF_INET, port: 0, addr: 255.255.255.0}, rt_gateway: {family: "
1492 "AF_INET, port: 0, addr: 192.168.1.1}, rt_dev: null, rt_flags: RTF_UP | "
1493 "RTF_GATEWAY}";
1494 std::string route2 =
1495 "{rt_dst: {family: AF_INET, port: 0, addr: 100.115.92.8}, rt_genmask: "
1496 "{family: AF_INET, port: 0, addr: 255.255.255.252}, rt_gateway: {unset}, "
1497 "rt_dev: eth0, rt_flags: RTF_UP | RTF_GATEWAY}";
1498 std::vector<std::string> captured_routes;
1499 for (const auto& route : ioctl_rtentry_args) {
1500 std::ostringstream stream;
1501 stream << route.second;
1502 captured_routes.emplace_back(stream.str());
1503 }
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]1504 EXPECT_EQ(route1, captured_routes[0]);
1505 EXPECT_EQ(route1, captured_routes[1]);
1506 EXPECT_EQ(route2, captured_routes[2]);
1507 EXPECT_EQ(route2, captured_routes[3]);
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]1508 ioctl_reqs.clear();
1509 ioctl_rtentry_args.clear();
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]1510}
1511
Garrick Evansd291af62020-05-25 10:39:06 +0900[diff] [blame]1512TEST(DatapathTest, AddSNATMarkRules) {
1513 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1514 MockFirewall firewall;
Taoyu Li79871c92020-07-02 16:09:39 +0900[diff] [blame]1515 EXPECT_CALL(
1516 runner,
1517 iptables(StrEq("filter"),
Hugo Benichi6c445322020-08-12 16:46:19 +0900[diff] [blame]1518 ElementsAre("-A", "FORWARD", "-m", "mark", "--mark", "1/1", "-m",
Taoyu Li79871c92020-07-02 16:09:39 +0900[diff] [blame]1519 "state", "--state", "INVALID", "-j", "DROP", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1520 true, nullptr));
Hugo Benichi6c445322020-08-12 16:46:19 +0900[diff] [blame]1521 EXPECT_CALL(runner,
1522 iptables(StrEq("filter"),
1523 ElementsAre("-A", "FORWARD", "-m", "mark", "--mark",
1524 "1/1", "-j", "ACCEPT", "-w"),
1525 true, nullptr));
Garrick Evansd291af62020-05-25 10:39:06 +0900[diff] [blame]1526 EXPECT_CALL(runner,
1527 iptables(StrEq("nat"),
1528 ElementsAre("-A", "POSTROUTING", "-m", "mark", "--mark",
Hugo Benichi6c445322020-08-12 16:46:19 +0900[diff] [blame]1529 "1/1", "-j", "MASQUERADE", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1530 true, nullptr));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1531 Datapath datapath(&runner, &firewall);
Garrick Evansd291af62020-05-25 10:39:06 +0900[diff] [blame]1532 datapath.AddSNATMarkRules();
1533}
1534
1535TEST(DatapathTest, RemoveSNATMarkRules) {
1536 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1537 MockFirewall firewall;
Taoyu Li79871c92020-07-02 16:09:39 +0900[diff] [blame]1538 EXPECT_CALL(
1539 runner,
1540 iptables(StrEq("filter"),
Hugo Benichi6c445322020-08-12 16:46:19 +0900[diff] [blame]1541 ElementsAre("-D", "FORWARD", "-m", "mark", "--mark", "1/1", "-m",
Taoyu Li79871c92020-07-02 16:09:39 +0900[diff] [blame]1542 "state", "--state", "INVALID", "-j", "DROP", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1543 true, nullptr));
Hugo Benichi6c445322020-08-12 16:46:19 +0900[diff] [blame]1544 EXPECT_CALL(runner,
1545 iptables(StrEq("filter"),
1546 ElementsAre("-D", "FORWARD", "-m", "mark", "--mark",
1547 "1/1", "-j", "ACCEPT", "-w"),
1548 true, nullptr));
Garrick Evansd291af62020-05-25 10:39:06 +0900[diff] [blame]1549 EXPECT_CALL(runner,
1550 iptables(StrEq("nat"),
1551 ElementsAre("-D", "POSTROUTING", "-m", "mark", "--mark",
Hugo Benichi6c445322020-08-12 16:46:19 +0900[diff] [blame]1552 "1/1", "-j", "MASQUERADE", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1553 true, nullptr));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1554 Datapath datapath(&runner, &firewall);
Garrick Evansd291af62020-05-25 10:39:06 +0900[diff] [blame]1555 datapath.RemoveSNATMarkRules();
1556}
1557
Garrick Evans2f581a02020-05-11 10:43:35 +0900[diff] [blame]1558TEST(DatapathTest, ArcVethHostName) {
1559 EXPECT_EQ("vetheth0", ArcVethHostName("eth0"));
1560 EXPECT_EQ("vethrmnet0", ArcVethHostName("rmnet0"));
1561 EXPECT_EQ("vethrmnet_data0", ArcVethHostName("rmnet_data0"));
1562 EXPECT_EQ("vethifnamsiz_i0", ArcVethHostName("ifnamsiz_ifnam0"));
1563 auto ifname = ArcVethHostName("exceeds_ifnamesiz_checkanyway");
1564 EXPECT_EQ("vethexceeds_ify", ifname);
1565 EXPECT_LT(ifname.length(), IFNAMSIZ);
1566}
1567
Garrick Evans8a067562020-05-11 12:47:30 +0900[diff] [blame]1568TEST(DatapathTest, ArcBridgeName) {
1569 EXPECT_EQ("arc_eth0", ArcBridgeName("eth0"));
1570 EXPECT_EQ("arc_rmnet0", ArcBridgeName("rmnet0"));
1571 EXPECT_EQ("arc_rmnet_data0", ArcBridgeName("rmnet_data0"));
1572 EXPECT_EQ("arc_ifnamsiz_i0", ArcBridgeName("ifnamsiz_ifnam0"));
1573 auto ifname = ArcBridgeName("exceeds_ifnamesiz_checkanyway");
1574 EXPECT_EQ("arc_exceeds_ify", ifname);
1575 EXPECT_LT(ifname.length(), IFNAMSIZ);
1576}
1577
Garrick Evans3388a032020-03-24 11:25:55 +0900[diff] [blame]1578} // namespace patchpanel