Gitiles
Code Review Sign In
gerrit.openfyde.cn / chromium.googlesource.com / chromiumos / platform2 / bb38bddb2fc34220081eb09884e7e0387b06e5ce / . / patchpanel / datapath_test.cc
blob: ae76b37eabca7cd640c4b8eb3c2f9b2146297442 [file] [log] [blame]
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]1// Copyright 2019 The Chromium OS Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
Garrick Evans3388a032020-03-24 11:25:55 +0900[diff] [blame]5#include "patchpanel/datapath.h"
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]6
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]7#include <linux/if_tun.h>
Hugo Benichiaba7e2e2021-02-22 14:47:11 +0900[diff] [blame]8#include <linux/sockios.h>
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]9#include <net/if.h>
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]10#include <sys/ioctl.h>
11
Hugo Benichibb38bdd2021-05-14 10:36:11 +0900[diff] [blame^]12#include <memory>
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]13#include <utility>
14#include <vector>
15
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]16#include <base/bind.h>
hscham4ce3c992021-02-19 16:37:23 +0900[diff] [blame]17#include <base/callback_helpers.h>
Hugo Benichic72b07e2021-01-22 22:55:05 +0900[diff] [blame]18#include <base/strings/string_split.h>
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]19#include <base/strings/string_util.h>
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]20#include <gmock/gmock.h>
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]21#include <gtest/gtest.h>
22
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]23#include "patchpanel/mock_firewall.h"
Garrick Evans3388a032020-03-24 11:25:55 +0900[diff] [blame]24#include "patchpanel/net_util.h"
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]25
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]26using testing::_;
27using testing::ElementsAre;
Hugo Benichic72b07e2021-01-22 22:55:05 +0900[diff] [blame]28using testing::ElementsAreArray;
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]29using testing::Return;
30using testing::StrEq;
31
Garrick Evans3388a032020-03-24 11:25:55 +0900[diff] [blame]32namespace patchpanel {
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]33namespace {
34
Hugo Benichi76675592020-04-08 14:29:57 +0900[diff] [blame]35// TODO(hugobenichi) Centralize this constant definition
36constexpr pid_t kTestPID = -2;
37
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]38std::vector<ioctl_req_t> ioctl_reqs;
39std::vector<std::pair<std::string, struct rtentry>> ioctl_rtentry_args;
Hugo Benichiaba7e2e2021-02-22 14:47:11 +0900[diff] [blame]40std::vector<std::pair<std::string, struct ifreq>> ioctl_ifreq_args;
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]41
42// Capture all ioctls and succeed.
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]43int ioctl_req_cap(int fd, ioctl_req_t req, ...) {
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]44 ioctl_reqs.push_back(req);
45 return 0;
46}
47
48// Capture ioctls for SIOCADDRT and SIOCDELRT and succeed.
49int ioctl_rtentry_cap(int fd, ioctl_req_t req, struct rtentry* arg) {
50 ioctl_reqs.push_back(req);
51 ioctl_rtentry_args.push_back({"", *arg});
52 // Copy the string poited by rtentry.rt_dev because Add/DeleteIPv4Route pass
53 // this value to ioctl() on the stack.
54 if (arg->rt_dev) {
55 auto& cap = ioctl_rtentry_args.back();
56 cap.first = std::string(arg->rt_dev);
57 cap.second.rt_dev = (char*)cap.first.c_str();
58 }
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]59 return 0;
60}
61
Hugo Benichiaba7e2e2021-02-22 14:47:11 +0900[diff] [blame]62// Capture ifreq ioctls operations and succeed.
63int ioctl_ifreq_cap(int fd, ioctl_req_t req, void* arg) {
64 ioctl_reqs.push_back(req);
65 switch (req) {
66 case SIOCBRADDBR:
67 case SIOCBRDELBR: {
68 ioctl_ifreq_args.push_back({std::string(static_cast<char*>(arg)), {}});
69 break;
70 }
71 case SIOCBRADDIF: {
72 struct ifreq* ifr = static_cast<struct ifreq*>(arg);
73 ioctl_ifreq_args.push_back({std::string(ifr->ifr_name), *ifr});
74 break;
75 }
76 }
77 return 0;
78}
79
Hugo Benichi1e3bab52021-01-25 22:41:58 +0900[diff] [blame]80std::vector<std::string> SplitCommand(const std::string& command) {
81 return base::SplitString(command, " ",
82 base::WhitespaceHandling::TRIM_WHITESPACE,
83 base::SplitResult::SPLIT_WANT_NONEMPTY);
84}
85
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]86} // namespace
87
Hugo Benichic72b07e2021-01-22 22:55:05 +0900[diff] [blame]88using IpFamily::Dual;
89using IpFamily::IPv4;
90using IpFamily::IPv6;
91
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]92class MockProcessRunner : public MinijailedProcessRunner {
93 public:
94 MockProcessRunner() = default;
95 ~MockProcessRunner() = default;
96
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]97 MOCK_METHOD4(ip,
98 int(const std::string& obj,
99 const std::string& cmd,
100 const std::vector<std::string>& args,
101 bool log_failures));
102 MOCK_METHOD4(ip6,
103 int(const std::string& obj,
104 const std::string& cmd,
105 const std::vector<std::string>& args,
106 bool log_failures));
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]107 MOCK_METHOD4(iptables,
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]108 int(const std::string& table,
109 const std::vector<std::string>& argv,
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]110 bool log_failures,
111 std::string* output));
112 MOCK_METHOD4(ip6tables,
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]113 int(const std::string& table,
114 const std::vector<std::string>& argv,
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]115 bool log_failures,
116 std::string* output));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]117 MOCK_METHOD3(sysctl_w,
118 int(const std::string& key,
119 const std::string& value,
120 bool log_failures));
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]121 MOCK_METHOD3(ip_netns_attach,
122 int(const std::string& netns_name,
123 pid_t netns_pid,
124 bool log_failures));
125 MOCK_METHOD2(ip_netns_delete,
126 int(const std::string& netns_name, bool log_failures));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]127};
128
Hugo Benichi1e3bab52021-01-25 22:41:58 +0900[diff] [blame]129void Verify_ip(MockProcessRunner& runner, const std::string& command) {
130 auto args = SplitCommand(command);
131 const auto object = args[0];
132 const auto action = args[1];
133 args.erase(args.begin());
134 args.erase(args.begin());
135 EXPECT_CALL(runner,
136 ip(StrEq(object), StrEq(action), ElementsAreArray(args), _));
137}
138
139void Verify_ip6(MockProcessRunner& runner, const std::string& command) {
140 auto args = SplitCommand(command);
141 const auto object = args[0];
142 const auto action = args[1];
143 args.erase(args.begin());
144 args.erase(args.begin());
145 EXPECT_CALL(runner,
146 ip6(StrEq(object), StrEq(action), ElementsAreArray(args), _));
147}
148
Hugo Benichic72b07e2021-01-22 22:55:05 +0900[diff] [blame]149void Verify_iptables(MockProcessRunner& runner,
150 IpFamily family,
Hugo Benichid872d3d2021-03-29 10:20:53 +0900[diff] [blame]151 const std::string& command,
152 int call_count = 1) {
Hugo Benichic72b07e2021-01-22 22:55:05 +0900[diff] [blame]153 auto args =
154 base::SplitString(command, " ", base::WhitespaceHandling::TRIM_WHITESPACE,
155 base::SplitResult::SPLIT_WANT_NONEMPTY);
156 const auto table = args[0];
157 args.erase(args.begin());
158 if (family & IPv4)
159 EXPECT_CALL(runner,
Hugo Benichid872d3d2021-03-29 10:20:53 +0900[diff] [blame]160 iptables(StrEq(table), ElementsAreArray(args), _, nullptr))
161 .Times(call_count);
Hugo Benichic72b07e2021-01-22 22:55:05 +0900[diff] [blame]162 if (family & IPv6)
163 EXPECT_CALL(runner,
Hugo Benichid872d3d2021-03-29 10:20:53 +0900[diff] [blame]164 ip6tables(StrEq(table), ElementsAreArray(args), _, nullptr))
165 .Times(call_count);
Hugo Benichic72b07e2021-01-22 22:55:05 +0900[diff] [blame]166}
167
Hugo Benichi1e3bab52021-01-25 22:41:58 +0900[diff] [blame]168void Verify_sysctl_w(MockProcessRunner& runner,
169 const std::string& key,
170 const std::string& value) {
171 EXPECT_CALL(runner, sysctl_w(StrEq(key), StrEq(value), _));
172}
173
174void Verify_ip_netns_attach(MockProcessRunner& runner,
175 const std::string& netns_name,
176 pid_t pid) {
177 EXPECT_CALL(runner, ip_netns_attach(StrEq(netns_name), pid, _));
178}
179
180void Verify_ip_netns_delete(MockProcessRunner& runner,
181 const std::string& netns_name) {
182 EXPECT_CALL(runner, ip_netns_delete(StrEq(netns_name), _));
183}
184
Hugo Benichid82d8832020-08-14 10:05:03 +0900[diff] [blame]185TEST(DatapathTest, IpFamily) {
Hugo Benichic72b07e2021-01-22 22:55:05 +0900[diff] [blame]186 EXPECT_EQ(Dual, IPv4 | IPv6);
187 EXPECT_EQ(Dual & IPv4, IPv4);
188 EXPECT_EQ(Dual & IPv6, IPv6);
189 EXPECT_NE(Dual, IPv4);
190 EXPECT_NE(Dual, IPv6);
191 EXPECT_NE(IPv4, IPv6);
Hugo Benichid82d8832020-08-14 10:05:03 +0900[diff] [blame]192}
193
Hugo Benichibf811c62020-09-07 17:30:45 +0900[diff] [blame]194TEST(DatapathTest, Start) {
195 MockProcessRunner runner;
196 MockFirewall firewall;
Hugo Benichi91ee09f2020-12-03 22:24:22 +0900[diff] [blame]197
Hugo Benichibf811c62020-09-07 17:30:45 +0900[diff] [blame]198 // Asserts for sysctl modifications
Hugo Benichi1e3bab52021-01-25 22:41:58 +0900[diff] [blame]199 Verify_sysctl_w(runner, "net.ipv4.ip_forward", "1");
200 Verify_sysctl_w(runner, "net.ipv4.ip_local_port_range", "32768 47103");
201 Verify_sysctl_w(runner, "net.ipv6.conf.all.forwarding", "1");
Hugo Benichic72b07e2021-01-22 22:55:05 +0900[diff] [blame]202
203 std::vector<std::pair<IpFamily, std::string>> iptables_commands = {
204 // Asserts for iptables chain reset.
205 {IPv4, "filter -D OUTPUT -j drop_guest_ipv4_prefix -w"},
Hugo Benichibb38bdd2021-05-14 10:36:11 +0900[diff] [blame^]206 {Dual, "filter -D OUTPUT -j vpn_accept -w"},
207 {Dual, "filter -D FORWARD -j vpn_accept -w"},
208 {Dual, "filter -D OUTPUT -j vpn_lockdown -w"},
209 {Dual, "filter -D FORWARD -j vpn_lockdown -w"},
Hugo Benichic72b07e2021-01-22 22:55:05 +0900[diff] [blame]210 {Dual, "filter -F FORWARD -w"},
211 {Dual, "mangle -F FORWARD -w"},
212 {Dual, "mangle -F INPUT -w"},
213 {Dual, "mangle -F OUTPUT -w"},
214 {Dual, "mangle -F POSTROUTING -w"},
215 {Dual, "mangle -F PREROUTING -w"},
216 {Dual, "mangle -L apply_local_source_mark -w"},
217 {Dual, "mangle -F apply_local_source_mark -w"},
218 {Dual, "mangle -X apply_local_source_mark -w"},
219 {Dual, "mangle -L apply_vpn_mark -w"},
220 {Dual, "mangle -F apply_vpn_mark -w"},
221 {Dual, "mangle -X apply_vpn_mark -w"},
Hugo Benichic72b07e2021-01-22 22:55:05 +0900[diff] [blame]222 {IPv4, "filter -L drop_guest_ipv4_prefix -w"},
223 {IPv4, "filter -F drop_guest_ipv4_prefix -w"},
224 {IPv4, "filter -X drop_guest_ipv4_prefix -w"},
Hugo Benichibb38bdd2021-05-14 10:36:11 +0900[diff] [blame^]225 {Dual, "filter -L vpn_accept -w"},
226 {Dual, "filter -F vpn_accept -w"},
227 {Dual, "filter -X vpn_accept -w"},
228 {Dual, "filter -L vpn_lockdown -w"},
229 {Dual, "filter -F vpn_lockdown -w"},
230 {Dual, "filter -X vpn_lockdown -w"},
Hugo Benichi1e0656f2021-02-15 15:43:38 +0900[diff] [blame]231 {IPv4, "nat -L redirect_dns -w"},
232 {IPv4, "nat -F redirect_dns -w"},
233 {IPv4, "nat -X redirect_dns -w"},
Hugo Benichic72b07e2021-01-22 22:55:05 +0900[diff] [blame]234 {IPv4, "nat -F POSTROUTING -w"},
Hugo Benichi1e0656f2021-02-15 15:43:38 +0900[diff] [blame]235 {IPv4, "nat -F OUTPUT -w"},
Hugo Benichi7a066242021-04-07 23:47:32 +0900[diff] [blame]236 // Asserts for SNAT rules of traffic forwarded from downstream interfaces.
Hugo Benichic72b07e2021-01-22 22:55:05 +0900[diff] [blame]237 {IPv4,
Hugo Benichi7a066242021-04-07 23:47:32 +0900[diff] [blame]238 "filter -A FORWARD -m mark --mark 0x00000001/0x00000001 -m state "
239 "--state INVALID -j DROP "
Hugo Benichic72b07e2021-01-22 22:55:05 +0900[diff] [blame]240 "-w"},
Hugo Benichi7a066242021-04-07 23:47:32 +0900[diff] [blame]241 {IPv4,
242 "nat -A POSTROUTING -m mark --mark 0x00000001/0x00000001 -j MASQUERADE "
243 "-w"},
Hugo Benichic72b07e2021-01-22 22:55:05 +0900[diff] [blame]244 // Asserts for AddForwardEstablishedRule
245 {IPv4,
246 "filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT -w"},
Hugo Benichiac799a82021-03-25 00:16:16 +0900[diff] [blame]247 {IPv4, "filter -A FORWARD -i arc+ -j ACCEPT -w"},
Hugo Benichic72b07e2021-01-22 22:55:05 +0900[diff] [blame]248 // Asserts for AddSourceIPv4DropRule() calls.
249 {IPv4, "filter -N drop_guest_ipv4_prefix -w"},
250 {IPv4, "filter -I OUTPUT -j drop_guest_ipv4_prefix -w"},
251 {IPv4,
252 "filter -I drop_guest_ipv4_prefix -o eth+ -s 100.115.92.0/23 -j DROP "
253 "-w"},
254 {IPv4,
255 "filter -I drop_guest_ipv4_prefix -o wlan+ -s 100.115.92.0/23 -j DROP "
256 "-w"},
257 {IPv4,
258 "filter -I drop_guest_ipv4_prefix -o mlan+ -s 100.115.92.0/23 -j DROP "
259 "-w"},
260 {IPv4,
261 "filter -I drop_guest_ipv4_prefix -o usb+ -s 100.115.92.0/23 -j DROP "
262 "-w"},
263 {IPv4,
264 "filter -I drop_guest_ipv4_prefix -o wwan+ -s 100.115.92.0/23 -j DROP "
265 "-w"},
266 {IPv4,
267 "filter -I drop_guest_ipv4_prefix -o rmnet+ -s 100.115.92.0/23 -j DROP "
268 "-w"},
Hugo Benichic72b07e2021-01-22 22:55:05 +0900[diff] [blame]269 // Asserts for OUTPUT ndp connmark bypass rule
270 {IPv6,
271 "mangle -I OUTPUT -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT "
272 "-w"},
273 {IPv6,
274 "mangle -I OUTPUT -p icmpv6 --icmpv6-type router-advertisement -j "
275 "ACCEPT -w"},
276 {IPv6,
277 "mangle -I OUTPUT -p icmpv6 --icmpv6-type neighbour-solicitation -j "
278 "ACCEPT -w"},
279 {IPv6,
280 "mangle -I OUTPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j "
281 "ACCEPT -w"},
Hugo Benichic72b07e2021-01-22 22:55:05 +0900[diff] [blame]282 // Asserts for OUTPUT CONNMARK restore rule
283 {Dual,
284 "mangle -A OUTPUT -j CONNMARK --restore-mark --mask 0xffff0000 -w"},
285 // Asserts for apply_local_source_mark chain
286 {Dual, "mangle -N apply_local_source_mark -w"},
287 {Dual, "mangle -A OUTPUT -j apply_local_source_mark -w"},
288 {Dual,
289 "mangle -A apply_local_source_mark -m owner --uid-owner chronos -j MARK "
290 "--set-mark 0x00008100/0x0000ff00 -w"},
291 {Dual,
292 "mangle -A apply_local_source_mark -m owner --uid-owner debugd -j MARK "
293 "--set-mark 0x00008200/0x0000ff00 -w"},
294 {Dual,
295 "mangle -A apply_local_source_mark -m owner --uid-owner cups -j MARK "
296 "--set-mark 0x00008200/0x0000ff00 -w"},
297 {Dual,
298 "mangle -A apply_local_source_mark -m owner --uid-owner lpadmin -j MARK "
299 "--set-mark 0x00008200/0x0000ff00 -w"},
300 {Dual,
301 "mangle -A apply_local_source_mark -m owner --uid-owner kerberosd -j "
302 "MARK --set-mark 0x00008400/0x0000ff00 -w"},
303 {Dual,
304 "mangle -A apply_local_source_mark -m owner --uid-owner kerberosd-exec "
305 "-j MARK --set-mark 0x00008400/0x0000ff00 -w"},
306 {Dual,
307 "mangle -A apply_local_source_mark -m owner --uid-owner tlsdate -j MARK "
308 "--set-mark 0x00008400/0x0000ff00 -w"},
309 {Dual,
310 "mangle -A apply_local_source_mark -m owner --uid-owner pluginvm -j "
311 "MARK --set-mark 0x00008200/0x0000ff00 -w"},
312 {Dual,
313 "mangle -A apply_local_source_mark -m owner --uid-owner fuse-smbfs -j "
314 "MARK --set-mark 0x00008400/0x0000ff00 -w"},
315 {Dual,
316 "mangle -A apply_local_source_mark -m cgroup --cgroup 0x00010001 -j "
317 "MARK --set-mark 0x00000300/0x0000ff00 -w"},
318 {Dual,
319 "mangle -A apply_local_source_mark -m mark --mark 0x0/0x00003f00 -j "
320 "MARK --set-mark 0x00000400/0x00003f00 -w"},
321 // Asserts for apply_vpn_mark chain
322 {Dual, "mangle -N apply_vpn_mark -w"},
323 {Dual,
324 "mangle -A OUTPUT -m mark --mark 0x00008000/0x0000c000 -j "
325 "apply_vpn_mark -w"},
Hugo Benichi1e0656f2021-02-15 15:43:38 +0900[diff] [blame]326 // Asserts for redirect_dns chain creation
327 {IPv4, "nat -N redirect_dns -w"},
Hugo Benichibb38bdd2021-05-14 10:36:11 +0900[diff] [blame^]328 // Asserts for VPN filter chain creations
329 {Dual, "filter -N vpn_lockdown -w"},
330 {Dual, "filter -I OUTPUT -j vpn_lockdown -w"},
331 {Dual, "filter -I FORWARD -j vpn_lockdown -w"},
332 {Dual, "filter -N vpn_accept -w"},
333 {Dual, "filter -I OUTPUT -j vpn_accept -w"},
334 {Dual, "filter -I FORWARD -j vpn_accept -w"},
Hugo Benichic72b07e2021-01-22 22:55:05 +0900[diff] [blame]335 };
336 for (const auto& c : iptables_commands) {
337 Verify_iptables(runner, c.first, c.second);
338 }
Hugo Benichibf811c62020-09-07 17:30:45 +0900[diff] [blame]339
340 Datapath datapath(&runner, &firewall);
341 datapath.Start();
342}
343
344TEST(DatapathTest, Stop) {
345 MockProcessRunner runner;
346 MockFirewall firewall;
347 // Asserts for sysctl modifications
Hugo Benichi1e3bab52021-01-25 22:41:58 +0900[diff] [blame]348 Verify_sysctl_w(runner, "net.ipv4.ip_local_port_range", "32768 61000");
349 Verify_sysctl_w(runner, "net.ipv6.conf.all.forwarding", "0");
350 Verify_sysctl_w(runner, "net.ipv4.ip_forward", "0");
Hugo Benichi91ee09f2020-12-03 22:24:22 +0900[diff] [blame]351 // Asserts for iptables chain reset.
Hugo Benichic72b07e2021-01-22 22:55:05 +0900[diff] [blame]352 std::vector<std::pair<IpFamily, std::string>> iptables_commands = {
353 {IPv4, "filter -D OUTPUT -j drop_guest_ipv4_prefix -w"},
Hugo Benichibb38bdd2021-05-14 10:36:11 +0900[diff] [blame^]354 {Dual, "filter -D OUTPUT -j vpn_accept -w"},
355 {Dual, "filter -D FORWARD -j vpn_accept -w"},
356 {Dual, "filter -D OUTPUT -j vpn_lockdown -w"},
357 {Dual, "filter -D FORWARD -j vpn_lockdown -w"},
Hugo Benichic72b07e2021-01-22 22:55:05 +0900[diff] [blame]358 {Dual, "filter -F FORWARD -w"},
359 {Dual, "mangle -F FORWARD -w"},
360 {Dual, "mangle -F INPUT -w"},
361 {Dual, "mangle -F OUTPUT -w"},
362 {Dual, "mangle -F POSTROUTING -w"},
363 {Dual, "mangle -F PREROUTING -w"},
364 {Dual, "mangle -L apply_local_source_mark -w"},
365 {Dual, "mangle -F apply_local_source_mark -w"},
366 {Dual, "mangle -X apply_local_source_mark -w"},
367 {Dual, "mangle -L apply_vpn_mark -w"},
368 {Dual, "mangle -F apply_vpn_mark -w"},
369 {Dual, "mangle -X apply_vpn_mark -w"},
Hugo Benichic72b07e2021-01-22 22:55:05 +0900[diff] [blame]370 {IPv4, "filter -L drop_guest_ipv4_prefix -w"},
371 {IPv4, "filter -F drop_guest_ipv4_prefix -w"},
372 {IPv4, "filter -X drop_guest_ipv4_prefix -w"},
Hugo Benichibb38bdd2021-05-14 10:36:11 +0900[diff] [blame^]373 {Dual, "filter -L vpn_accept -w"},
374 {Dual, "filter -F vpn_accept -w"},
375 {Dual, "filter -X vpn_accept -w"},
376 {Dual, "filter -L vpn_lockdown -w"},
377 {Dual, "filter -F vpn_lockdown -w"},
378 {Dual, "filter -X vpn_lockdown -w"},
Hugo Benichi1e0656f2021-02-15 15:43:38 +0900[diff] [blame]379 {IPv4, "nat -L redirect_dns -w"},
380 {IPv4, "nat -F redirect_dns -w"},
381 {IPv4, "nat -X redirect_dns -w"},
Hugo Benichic72b07e2021-01-22 22:55:05 +0900[diff] [blame]382 {IPv4, "nat -F POSTROUTING -w"},
Hugo Benichi1e0656f2021-02-15 15:43:38 +0900[diff] [blame]383 {IPv4, "nat -F OUTPUT -w"},
Hugo Benichic72b07e2021-01-22 22:55:05 +0900[diff] [blame]384 };
385 for (const auto& c : iptables_commands) {
386 Verify_iptables(runner, c.first, c.second);
387 }
Hugo Benichibf811c62020-09-07 17:30:45 +0900[diff] [blame]388
389 Datapath datapath(&runner, &firewall);
390 datapath.Stop();
391}
392
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]393TEST(DatapathTest, AddTAP) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]394 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]395 MockFirewall firewall;
396 Datapath datapath(&runner, &firewall, ioctl_req_cap);
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]397 MacAddress mac = {1, 2, 3, 4, 5, 6};
Qijiang Fane90b8792020-03-09 16:15:41 +0900[diff] [blame]398 Subnet subnet(Ipv4Addr(100, 115, 92, 4), 30, base::DoNothing());
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]399 auto addr = subnet.AllocateAtOffset(0);
Garrick Evans4f9f5572019-11-26 10:25:16 +0900[diff] [blame]400 auto ifname = datapath.AddTAP("foo0", &mac, addr.get(), "");
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]401 EXPECT_EQ(ifname, "foo0");
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]402 std::vector<ioctl_req_t> expected = {
403 TUNSETIFF, TUNSETPERSIST, SIOCSIFADDR, SIOCSIFNETMASK,
404 SIOCSIFHWADDR, SIOCGIFFLAGS, SIOCSIFFLAGS};
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]405 EXPECT_EQ(ioctl_reqs, expected);
406 ioctl_reqs.clear();
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]407 ioctl_rtentry_args.clear();
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]408}
409
410TEST(DatapathTest, AddTAPWithOwner) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]411 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]412 MockFirewall firewall;
413 Datapath datapath(&runner, &firewall, ioctl_req_cap);
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]414 MacAddress mac = {1, 2, 3, 4, 5, 6};
Qijiang Fane90b8792020-03-09 16:15:41 +0900[diff] [blame]415 Subnet subnet(Ipv4Addr(100, 115, 92, 4), 30, base::DoNothing());
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]416 auto addr = subnet.AllocateAtOffset(0);
Garrick Evans4f9f5572019-11-26 10:25:16 +0900[diff] [blame]417 auto ifname = datapath.AddTAP("foo0", &mac, addr.get(), "root");
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]418 EXPECT_EQ(ifname, "foo0");
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]419 std::vector<ioctl_req_t> expected = {
420 TUNSETIFF, TUNSETPERSIST, TUNSETOWNER, SIOCSIFADDR,
421 SIOCSIFNETMASK, SIOCSIFHWADDR, SIOCGIFFLAGS, SIOCSIFFLAGS};
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]422 EXPECT_EQ(ioctl_reqs, expected);
423 ioctl_reqs.clear();
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]424 ioctl_rtentry_args.clear();
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]425}
426
Garrick Evans621ed262019-11-13 12:28:43 +0900[diff] [blame]427TEST(DatapathTest, AddTAPNoAddrs) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]428 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]429 MockFirewall firewall;
430 Datapath datapath(&runner, &firewall, ioctl_req_cap);
Garrick Evans4f9f5572019-11-26 10:25:16 +0900[diff] [blame]431 auto ifname = datapath.AddTAP("foo0", nullptr, nullptr, "");
Garrick Evans621ed262019-11-13 12:28:43 +0900[diff] [blame]432 EXPECT_EQ(ifname, "foo0");
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]433 std::vector<ioctl_req_t> expected = {TUNSETIFF, TUNSETPERSIST, SIOCGIFFLAGS,
434 SIOCSIFFLAGS};
Garrick Evans621ed262019-11-13 12:28:43 +0900[diff] [blame]435 EXPECT_EQ(ioctl_reqs, expected);
436 ioctl_reqs.clear();
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]437 ioctl_rtentry_args.clear();
Garrick Evans621ed262019-11-13 12:28:43 +0900[diff] [blame]438}
439
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]440TEST(DatapathTest, RemoveTAP) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]441 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]442 MockFirewall firewall;
Hugo Benichi1e3bab52021-01-25 22:41:58 +0900[diff] [blame]443 Verify_ip(runner, "tuntap del foo0 mode tap");
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]444 Datapath datapath(&runner, &firewall);
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]445 datapath.RemoveTAP("foo0");
Garrick Evansc7ae82c2019-09-04 16:25:10 +0900[diff] [blame]446}
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]447
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]448TEST(DatapathTest, NetnsAttachName) {
449 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]450 MockFirewall firewall;
Hugo Benichi1e3bab52021-01-25 22:41:58 +0900[diff] [blame]451 Verify_ip_netns_delete(runner, "netns_foo");
452 Verify_ip_netns_attach(runner, "netns_foo", 1234);
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]453 Datapath datapath(&runner, &firewall);
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]454 EXPECT_TRUE(datapath.NetnsAttachName("netns_foo", 1234));
455}
456
457TEST(DatapathTest, NetnsDeleteName) {
458 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]459 MockFirewall firewall;
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]460 EXPECT_CALL(runner, ip_netns_delete(StrEq("netns_foo"), true));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]461 Datapath datapath(&runner, &firewall);
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]462 EXPECT_TRUE(datapath.NetnsDeleteName("netns_foo"));
463}
464
Garrick Evans8a949dc2019-07-18 16:17:53 +0900[diff] [blame]465TEST(DatapathTest, AddBridge) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]466 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]467 MockFirewall firewall;
Hugo Benichi1e3bab52021-01-25 22:41:58 +0900[diff] [blame]468 Verify_ip(runner, "addr add 1.1.1.1/30 brd 1.1.1.3 dev br");
469 Verify_ip(runner, "link set br up");
Hugo Benichiaba7e2e2021-02-22 14:47:11 +0900[diff] [blame]470
471 Datapath datapath(&runner, &firewall, (ioctl_t)ioctl_ifreq_cap);
Garrick Evans7a1a9ee2020-01-28 11:03:57 +0900[diff] [blame]472 datapath.AddBridge("br", Ipv4Addr(1, 1, 1, 1), 30);
Hugo Benichiaba7e2e2021-02-22 14:47:11 +0900[diff] [blame]473
474 EXPECT_EQ(1, ioctl_reqs.size());
475 EXPECT_EQ(SIOCBRADDBR, ioctl_reqs[0]);
476 EXPECT_EQ("br", ioctl_ifreq_args[0].first);
477 ioctl_reqs.clear();
478 ioctl_ifreq_args.clear();
479}
480
481TEST(DatapathTest, RemoveBridge) {
482 MockProcessRunner runner;
483 MockFirewall firewall;
Hugo Benichiaba7e2e2021-02-22 14:47:11 +0900[diff] [blame]484 Verify_ip(runner, "link set br down");
485
486 Datapath datapath(&runner, &firewall, (ioctl_t)ioctl_ifreq_cap);
487 datapath.RemoveBridge("br");
488
489 EXPECT_EQ(1, ioctl_reqs.size());
490 EXPECT_EQ(SIOCBRDELBR, ioctl_reqs[0]);
491 EXPECT_EQ("br", ioctl_ifreq_args[0].first);
492 ioctl_reqs.clear();
493 ioctl_ifreq_args.clear();
494}
495
496TEST(DatapathTest, AddToBridge) {
497 MockProcessRunner runner;
498 MockFirewall firewall;
499
500 Datapath datapath(&runner, &firewall, (ioctl_t)ioctl_ifreq_cap);
501 datapath.SetIfnameIndex("vethwlan0", 5);
502 datapath.AddToBridge("arcbr0", "vethwlan0");
503
504 EXPECT_EQ(1, ioctl_reqs.size());
505 EXPECT_EQ(SIOCBRADDIF, ioctl_reqs[0]);
506 EXPECT_EQ("arcbr0", ioctl_ifreq_args[0].first);
507 EXPECT_EQ(5, ioctl_ifreq_args[0].second.ifr_ifindex);
508
509 ioctl_reqs.clear();
510 ioctl_ifreq_args.clear();
Garrick Evans8a949dc2019-07-18 16:17:53 +0900[diff] [blame]511}
512
Hugo Benichi76675592020-04-08 14:29:57 +0900[diff] [blame]513TEST(DatapathTest, ConnectVethPair) {
514 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]515 MockFirewall firewall;
Hugo Benichi1e3bab52021-01-25 22:41:58 +0900[diff] [blame]516 Verify_ip(runner,
517 "link add veth_foo type veth peer name peer_foo netns netns_foo");
518 Verify_ip(runner,
519 "addr add 100.115.92.169/30 brd 100.115.92.171 dev peer_foo");
520 Verify_ip(runner,
521 "link set dev peer_foo up addr 01:02:03:04:05:06 multicast on");
522 Verify_ip(runner, "link set veth_foo up");
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]523 Datapath datapath(&runner, &firewall);
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]524 EXPECT_TRUE(datapath.ConnectVethPair(kTestPID, "netns_foo", "veth_foo",
525 "peer_foo", {1, 2, 3, 4, 5, 6},
Hugo Benichi76675592020-04-08 14:29:57 +0900[diff] [blame]526 Ipv4Addr(100, 115, 92, 169), 30, true));
527}
528
Garrick Evans2470caa2020-03-04 14:15:41 +0900[diff] [blame]529TEST(DatapathTest, AddVirtualInterfacePair) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]530 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]531 MockFirewall firewall;
Hugo Benichi1e3bab52021-01-25 22:41:58 +0900[diff] [blame]532 Verify_ip(runner,
533 "link add veth_foo type veth peer name peer_foo netns netns_foo");
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]534 Datapath datapath(&runner, &firewall);
Hugo Benichi33860d72020-07-09 16:34:01 +0900[diff] [blame]535 EXPECT_TRUE(
536 datapath.AddVirtualInterfacePair("netns_foo", "veth_foo", "peer_foo"));
Garrick Evans2470caa2020-03-04 14:15:41 +0900[diff] [blame]537}
538
539TEST(DatapathTest, ToggleInterface) {
540 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]541 MockFirewall firewall;
Hugo Benichi1e3bab52021-01-25 22:41:58 +0900[diff] [blame]542 Verify_ip(runner, "link set foo up");
543 Verify_ip(runner, "link set bar down");
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]544 Datapath datapath(&runner, &firewall);
Garrick Evans2470caa2020-03-04 14:15:41 +0900[diff] [blame]545 EXPECT_TRUE(datapath.ToggleInterface("foo", true));
546 EXPECT_TRUE(datapath.ToggleInterface("bar", false));
547}
548
549TEST(DatapathTest, ConfigureInterface) {
550 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]551 MockFirewall firewall;
Hugo Benichi1e3bab52021-01-25 22:41:58 +0900[diff] [blame]552 Verify_ip(runner, "addr add 1.1.1.1/30 brd 1.1.1.3 dev foo");
553 Verify_ip(runner, "link set dev foo up addr 02:02:02:02:02:02 multicast on");
Garrick Evans2470caa2020-03-04 14:15:41 +0900[diff] [blame]554
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]555 Datapath datapath(&runner, &firewall);
Garrick Evans2470caa2020-03-04 14:15:41 +0900[diff] [blame]556 MacAddress mac_addr = {2, 2, 2, 2, 2, 2};
557 EXPECT_TRUE(datapath.ConfigureInterface("foo", mac_addr, Ipv4Addr(1, 1, 1, 1),
558 30, true, true));
Garrick Evans54861622019-07-19 09:05:09 +0900[diff] [blame]559}
560
561TEST(DatapathTest, RemoveInterface) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]562 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]563 MockFirewall firewall;
Hugo Benichi1e3bab52021-01-25 22:41:58 +0900[diff] [blame]564 Verify_ip(runner, "link delete foo");
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]565 Datapath datapath(&runner, &firewall);
Garrick Evans54861622019-07-19 09:05:09 +0900[diff] [blame]566 datapath.RemoveInterface("foo");
Garrick Evans54861622019-07-19 09:05:09 +0900[diff] [blame]567}
568
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]569TEST(DatapathTest, StartRoutingNamespace) {
570 MockProcessRunner runner;
571 MockFirewall firewall;
572 MacAddress mac = {1, 2, 3, 4, 5, 6};
573
Hugo Benichi1e3bab52021-01-25 22:41:58 +0900[diff] [blame]574 Verify_ip_netns_delete(runner, "netns_foo");
575 Verify_ip_netns_attach(runner, "netns_foo", kTestPID);
576 Verify_ip(runner,
577 "link add arc_ns0 type veth peer name veth0 netns netns_foo");
578 Verify_ip(runner, "addr add 100.115.92.130/30 brd 100.115.92.131 dev veth0");
579 Verify_ip(runner,
580 "link set dev veth0 up addr 01:02:03:04:05:06 multicast off");
581 Verify_ip(runner, "link set arc_ns0 up");
582 Verify_ip(runner,
583 "addr add 100.115.92.129/30 brd 100.115.92.131 dev arc_ns0");
584 Verify_ip(runner,
585 "link set dev arc_ns0 up addr 01:02:03:04:05:06 multicast off");
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]586 Verify_iptables(runner, IPv4, "filter -A FORWARD -o arc_ns0 -j ACCEPT -w");
587 Verify_iptables(runner, IPv4, "filter -A FORWARD -i arc_ns0 -j ACCEPT -w");
Hugo Benichid872d3d2021-03-29 10:20:53 +0900[diff] [blame]588 Verify_iptables(runner, Dual, "mangle -N PREROUTING_arc_ns0 -w");
589 Verify_iptables(runner, Dual, "mangle -F PREROUTING_arc_ns0 -w");
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]590 Verify_iptables(runner, Dual,
Hugo Benichid872d3d2021-03-29 10:20:53 +0900[diff] [blame]591 "mangle -A PREROUTING -i arc_ns0 -j PREROUTING_arc_ns0 -w");
Hugo Benichi7a066242021-04-07 23:47:32 +0900[diff] [blame]592 Verify_iptables(runner, IPv4,
593 "mangle -A PREROUTING_arc_ns0 -j MARK --set-mark "
594 "0x00000001/0x00000001 -w");
Hugo Benichid872d3d2021-03-29 10:20:53 +0900[diff] [blame]595 Verify_iptables(runner, Dual,
596 "mangle -A PREROUTING_arc_ns0 -j MARK --set-mark "
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]597 "0x00000200/0x00003f00 -w");
598 Verify_iptables(runner, Dual,
Hugo Benichid872d3d2021-03-29 10:20:53 +0900[diff] [blame]599 "mangle -A PREROUTING_arc_ns0 -j CONNMARK "
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]600 "--restore-mark --mask 0xffff0000 -w");
601 Verify_iptables(runner, Dual,
Hugo Benichid872d3d2021-03-29 10:20:53 +0900[diff] [blame]602 "mangle -A PREROUTING_arc_ns0 -j apply_vpn_mark -w");
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]603
Hugo Benichifcf81022020-12-04 11:01:37 +0900[diff] [blame]604 ConnectedNamespace nsinfo = {};
605 nsinfo.pid = kTestPID;
606 nsinfo.netns_name = "netns_foo";
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame]607 nsinfo.source = TrafficSource::USER;
Hugo Benichifcf81022020-12-04 11:01:37 +0900[diff] [blame]608 nsinfo.outbound_ifname = "";
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame]609 nsinfo.route_on_vpn = true;
Hugo Benichifcf81022020-12-04 11:01:37 +0900[diff] [blame]610 nsinfo.host_ifname = "arc_ns0";
611 nsinfo.peer_ifname = "veth0";
612 nsinfo.peer_subnet = std::make_unique<Subnet>(Ipv4Addr(100, 115, 92, 128), 30,
613 base::DoNothing());
614 nsinfo.peer_mac_addr = mac;
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]615 Datapath datapath(&runner, &firewall, (ioctl_t)ioctl_rtentry_cap);
Hugo Benichifcf81022020-12-04 11:01:37 +0900[diff] [blame]616 datapath.StartRoutingNamespace(nsinfo);
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]617 ioctl_reqs.clear();
618 ioctl_rtentry_args.clear();
619}
620
621TEST(DatapathTest, StopRoutingNamespace) {
622 MockProcessRunner runner;
623 MockFirewall firewall;
624
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]625 Verify_iptables(runner, IPv4, "filter -D FORWARD -o arc_ns0 -j ACCEPT -w");
626 Verify_iptables(runner, IPv4, "filter -D FORWARD -i arc_ns0 -j ACCEPT -w");
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]627 Verify_iptables(runner, Dual,
Hugo Benichid872d3d2021-03-29 10:20:53 +0900[diff] [blame]628 "mangle -D PREROUTING -i arc_ns0 -j PREROUTING_arc_ns0 -w");
629 Verify_iptables(runner, Dual, "mangle -F PREROUTING_arc_ns0 -w");
630 Verify_iptables(runner, Dual, "mangle -X PREROUTING_arc_ns0 -w");
Hugo Benichi1e3bab52021-01-25 22:41:58 +0900[diff] [blame]631 Verify_ip_netns_delete(runner, "netns_foo");
632 Verify_ip(runner, "link delete arc_ns0");
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]633
Hugo Benichifcf81022020-12-04 11:01:37 +0900[diff] [blame]634 ConnectedNamespace nsinfo = {};
635 nsinfo.pid = kTestPID;
636 nsinfo.netns_name = "netns_foo";
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame]637 nsinfo.source = TrafficSource::USER;
Hugo Benichifcf81022020-12-04 11:01:37 +0900[diff] [blame]638 nsinfo.outbound_ifname = "";
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame]639 nsinfo.route_on_vpn = true;
Hugo Benichifcf81022020-12-04 11:01:37 +0900[diff] [blame]640 nsinfo.host_ifname = "arc_ns0";
641 nsinfo.peer_ifname = "veth0";
642 nsinfo.peer_subnet = std::make_unique<Subnet>(Ipv4Addr(100, 115, 92, 128), 30,
643 base::DoNothing());
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]644 Datapath datapath(&runner, &firewall);
Hugo Benichifcf81022020-12-04 11:01:37 +0900[diff] [blame]645 datapath.StopRoutingNamespace(nsinfo);
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]646}
647
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]648TEST(DatapathTest, StartRoutingDevice_Arc) {
649 MockProcessRunner runner;
650 MockFirewall firewall;
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]651 Verify_iptables(
652 runner, IPv4,
653 "nat -A PREROUTING -i eth0 -m socket --nowildcard -j ACCEPT -w");
654 Verify_iptables(
655 runner, IPv4,
656 "nat -A PREROUTING -i eth0 -p tcp -j DNAT --to-destination 1.2.3.4 -w");
657 Verify_iptables(
658 runner, IPv4,
659 "nat -A PREROUTING -i eth0 -p udp -j DNAT --to-destination 1.2.3.4 -w");
660 Verify_iptables(runner, IPv4,
661 "filter -A FORWARD -i eth0 -o arc_eth0 -j ACCEPT -w");
662 Verify_iptables(runner, IPv4,
663 "filter -A FORWARD -i arc_eth0 -o eth0 -j ACCEPT -w");
Hugo Benichid872d3d2021-03-29 10:20:53 +0900[diff] [blame]664 Verify_iptables(runner, Dual, "mangle -N PREROUTING_arc_eth0 -w");
665 Verify_iptables(runner, Dual, "mangle -F PREROUTING_arc_eth0 -w");
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]666 Verify_iptables(runner, Dual,
Hugo Benichid872d3d2021-03-29 10:20:53 +0900[diff] [blame]667 "mangle -A PREROUTING -i arc_eth0 -j PREROUTING_arc_eth0 -w");
Hugo Benichi7a066242021-04-07 23:47:32 +0900[diff] [blame]668 Verify_iptables(runner, IPv4,
669 "mangle -A PREROUTING_arc_eth0 -j MARK --set-mark "
670 "0x00000001/0x00000001 -w");
Hugo Benichid872d3d2021-03-29 10:20:53 +0900[diff] [blame]671 Verify_iptables(runner, Dual,
672 "mangle -A PREROUTING_arc_eth0 -j MARK --set-mark "
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]673 "0x00002000/0x00003f00 -w");
674 Verify_iptables(runner, Dual,
Hugo Benichid872d3d2021-03-29 10:20:53 +0900[diff] [blame]675 "mangle -A PREROUTING_arc_eth0 -j MARK --set-mark "
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]676 "0x03ea0000/0xffff0000 -w");
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]677
678 Datapath datapath(&runner, &firewall);
Hugo Benichiaf9d8a72020-08-26 13:28:13 +0900[diff] [blame]679 datapath.SetIfnameIndex("eth0", 2);
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]680 datapath.StartRoutingDevice("eth0", "arc_eth0", Ipv4Addr(1, 2, 3, 4),
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame]681 TrafficSource::ARC, false);
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]682}
683
684TEST(DatapathTest, StartRoutingDevice_CrosVM) {
685 MockProcessRunner runner;
686 MockFirewall firewall;
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]687 Verify_iptables(runner, IPv4, "filter -A FORWARD -o vmtap0 -j ACCEPT -w");
688 Verify_iptables(runner, IPv4, "filter -A FORWARD -i vmtap0 -j ACCEPT -w");
Hugo Benichid872d3d2021-03-29 10:20:53 +0900[diff] [blame]689 Verify_iptables(runner, Dual, "mangle -N PREROUTING_vmtap0 -w");
690 Verify_iptables(runner, Dual, "mangle -F PREROUTING_vmtap0 -w");
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]691 Verify_iptables(runner, Dual,
Hugo Benichid872d3d2021-03-29 10:20:53 +0900[diff] [blame]692 "mangle -A PREROUTING -i vmtap0 -j PREROUTING_vmtap0 -w");
Hugo Benichi7a066242021-04-07 23:47:32 +0900[diff] [blame]693 Verify_iptables(runner, IPv4,
694 "mangle -A PREROUTING_vmtap0 -j MARK --set-mark "
695 "0x00000001/0x00000001 -w");
Hugo Benichid872d3d2021-03-29 10:20:53 +0900[diff] [blame]696 Verify_iptables(runner, Dual,
697 "mangle -A PREROUTING_vmtap0 -j MARK --set-mark "
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]698 "0x00002100/0x00003f00 -w");
699 Verify_iptables(runner, Dual,
Hugo Benichid872d3d2021-03-29 10:20:53 +0900[diff] [blame]700 "mangle -A PREROUTING_vmtap0 -j CONNMARK --restore-mark "
701 "--mask 0xffff0000 -w");
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]702 Verify_iptables(runner, Dual,
Hugo Benichid872d3d2021-03-29 10:20:53 +0900[diff] [blame]703 "mangle -A PREROUTING_vmtap0 -j apply_vpn_mark -w");
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]704
705 Datapath datapath(&runner, &firewall);
706 datapath.StartRoutingDevice("", "vmtap0", Ipv4Addr(1, 2, 3, 4),
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame]707 TrafficSource::CROSVM, true);
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]708}
709
710TEST(DatapathTest, StopRoutingDevice_Arc) {
711 MockProcessRunner runner;
712 MockFirewall firewall;
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]713 Verify_iptables(
714 runner, IPv4,
715 "nat -D PREROUTING -i eth0 -m socket --nowildcard -j ACCEPT -w");
716 Verify_iptables(
717 runner, IPv4,
718 "nat -D PREROUTING -i eth0 -p tcp -j DNAT --to-destination 1.2.3.4 -w");
719 Verify_iptables(
720 runner, IPv4,
721 "nat -D PREROUTING -i eth0 -p udp -j DNAT --to-destination 1.2.3.4 -w");
722 Verify_iptables(runner, IPv4,
723 "filter -D FORWARD -i eth0 -o arc_eth0 -j ACCEPT -w");
724 Verify_iptables(runner, IPv4,
725 "filter -D FORWARD -i arc_eth0 -o eth0 -j ACCEPT -w");
726 Verify_iptables(runner, Dual,
Hugo Benichid872d3d2021-03-29 10:20:53 +0900[diff] [blame]727 "mangle -D PREROUTING -i arc_eth0 -j PREROUTING_arc_eth0 -w");
728 Verify_iptables(runner, Dual, "mangle -F PREROUTING_arc_eth0 -w");
729 Verify_iptables(runner, Dual, "mangle -X PREROUTING_arc_eth0 -w");
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]730
731 Datapath datapath(&runner, &firewall);
732 datapath.StopRoutingDevice("eth0", "arc_eth0", Ipv4Addr(1, 2, 3, 4),
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame]733 TrafficSource::ARC, true);
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]734}
735
736TEST(DatapathTest, StopRoutingDevice_CrosVM) {
737 MockProcessRunner runner;
738 MockFirewall firewall;
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]739 Verify_iptables(runner, IPv4, "filter -D FORWARD -o vmtap0 -j ACCEPT -w");
740 Verify_iptables(runner, IPv4, "filter -D FORWARD -i vmtap0 -j ACCEPT -w");
741 Verify_iptables(runner, Dual,
Hugo Benichid872d3d2021-03-29 10:20:53 +0900[diff] [blame]742 "mangle -D PREROUTING -i vmtap0 -j PREROUTING_vmtap0 -w");
743 Verify_iptables(runner, Dual, "mangle -F PREROUTING_vmtap0 -w");
744 Verify_iptables(runner, Dual, "mangle -X PREROUTING_vmtap0 -w");
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]745
746 Datapath datapath(&runner, &firewall);
747 datapath.StopRoutingDevice("", "vmtap0", Ipv4Addr(1, 2, 3, 4),
Hugo Benichi93306e52020-12-04 16:08:00 +0900[diff] [blame]748 TrafficSource::CROSVM, true);
Hugo Benichi8d622b52020-08-13 15:24:12 +0900[diff] [blame]749}
750
Hugo Benichi76be34a2020-08-26 22:35:54 +0900[diff] [blame]751TEST(DatapathTest, StartStopConnectionPinning) {
752 MockProcessRunner runner;
753 MockFirewall firewall;
Hugo Benichi1af52392020-11-27 18:09:32 +0900[diff] [blame]754
755 // Setup
Hugo Benichi50fe47f2021-03-29 11:33:25 +0900[diff] [blame]756 Verify_iptables(runner, Dual, "mangle -N POSTROUTING_eth0 -w");
757 Verify_iptables(runner, Dual, "mangle -F POSTROUTING_eth0 -w",
758 2 /* Start and Stop */);
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]759 Verify_iptables(runner, Dual,
Hugo Benichi50fe47f2021-03-29 11:33:25 +0900[diff] [blame]760 "mangle -A POSTROUTING -o eth0 -j POSTROUTING_eth0 -w");
761 Verify_iptables(runner, Dual,
762 "mangle -A POSTROUTING_eth0 -j CONNMARK --set-mark "
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]763 "0x03eb0000/0xffff0000 -w");
764 Verify_iptables(runner, Dual,
Hugo Benichi50fe47f2021-03-29 11:33:25 +0900[diff] [blame]765 "mangle -A POSTROUTING_eth0 -j CONNMARK "
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]766 "--save-mark --mask 0x00003f00 -w");
767 Verify_iptables(runner, Dual,
768 "mangle -A PREROUTING -i eth0 -j CONNMARK "
769 "--restore-mark --mask 0x00003f00 -w");
Hugo Benichi155de002021-01-19 16:45:46 +0900[diff] [blame]770
Hugo Benichi1af52392020-11-27 18:09:32 +0900[diff] [blame]771 // Teardown
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]772 Verify_iptables(runner, Dual,
Hugo Benichi50fe47f2021-03-29 11:33:25 +0900[diff] [blame]773 "mangle -D POSTROUTING -o eth0 -j POSTROUTING_eth0 -w");
774 Verify_iptables(runner, Dual, "mangle -X POSTROUTING_eth0 -w");
775 Verify_iptables(runner, Dual,
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]776 "mangle -D PREROUTING -i eth0 -j CONNMARK "
777 "--restore-mark --mask 0x00003f00 -w");
Hugo Benichi1af52392020-11-27 18:09:32 +0900[diff] [blame]778
Hugo Benichi76be34a2020-08-26 22:35:54 +0900[diff] [blame]779 Datapath datapath(&runner, &firewall);
780 datapath.SetIfnameIndex("eth0", 3);
781 datapath.StartConnectionPinning("eth0");
782 datapath.StopConnectionPinning("eth0");
783}
784
Hugo Benichibfc49112020-12-14 12:54:44 +0900[diff] [blame]785TEST(DatapathTest, StartStopVpnRouting_ArcVpn) {
Hugo Benichi2a940542020-10-26 18:50:49 +0900[diff] [blame]786 MockProcessRunner runner;
787 MockFirewall firewall;
788
789 // Setup
Hugo Benichi50fe47f2021-03-29 11:33:25 +0900[diff] [blame]790 Verify_iptables(runner, Dual, "mangle -N POSTROUTING_arcbr0 -w");
791 Verify_iptables(runner, Dual, "mangle -F POSTROUTING_arcbr0 -w",
792 2 /* Start and Stop */);
793 Verify_iptables(runner, Dual,
794 "mangle -A POSTROUTING -o arcbr0 -j POSTROUTING_arcbr0 -w");
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]795 Verify_iptables(runner, Dual,
Hugo Benichi50fe47f2021-03-29 11:33:25 +0900[diff] [blame]796 "mangle -A POSTROUTING_arcbr0 -j CONNMARK "
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]797 "--set-mark 0x03ed0000/0xffff0000 -w");
798 Verify_iptables(
799 runner, Dual,
Hugo Benichi3540c7f2021-03-29 13:14:42 +0900[diff] [blame]800 "mangle -A apply_vpn_mark -m mark ! --mark 0x0/0xffff0000 -j ACCEPT -w");
801 Verify_iptables(
802 runner, Dual,
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]803 "mangle -A apply_vpn_mark -j MARK --set-mark 0x03ed0000/0xffff0000 -w");
804 Verify_iptables(runner, Dual,
Hugo Benichi50fe47f2021-03-29 11:33:25 +0900[diff] [blame]805 "mangle -A POSTROUTING_arcbr0 -j CONNMARK "
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]806 "--save-mark --mask 0x00003f00 -w");
807 Verify_iptables(runner, Dual,
808 "mangle -A PREROUTING -i arcbr0 -j CONNMARK "
809 "--restore-mark --mask 0x00003f00 -w");
810 Verify_iptables(runner, IPv4,
811 "nat -A POSTROUTING -o arcbr0 -j MASQUERADE -w");
Hugo Benichi1e0656f2021-02-15 15:43:38 +0900[diff] [blame]812 Verify_iptables(runner, IPv4,
813 "nat -A OUTPUT -m mark ! --mark 0x00008000/0x0000c000 -j "
814 "redirect_dns -w");
Hugo Benichibb38bdd2021-05-14 10:36:11 +0900[diff] [blame^]815 Verify_iptables(runner, Dual,
816 "filter -A vpn_accept -m mark "
817 "--mark 0x03ed0000/0xffff0000 -j ACCEPT -w");
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]818
Hugo Benichi2a940542020-10-26 18:50:49 +0900[diff] [blame]819 // Teardown
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]820 Verify_iptables(runner, Dual,
Hugo Benichi50fe47f2021-03-29 11:33:25 +0900[diff] [blame]821 "mangle -D POSTROUTING -o arcbr0 -j POSTROUTING_arcbr0 -w");
822 Verify_iptables(runner, Dual, "mangle -X POSTROUTING_arcbr0 -w");
Hugo Benichi3540c7f2021-03-29 13:14:42 +0900[diff] [blame]823 Verify_iptables(runner, Dual, "mangle -F apply_vpn_mark -w");
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]824 Verify_iptables(runner, Dual,
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]825 "mangle -D PREROUTING -i arcbr0 -j CONNMARK "
826 "--restore-mark --mask 0x00003f00 -w");
827 Verify_iptables(runner, IPv4,
828 "nat -D POSTROUTING -o arcbr0 -j MASQUERADE -w");
Hugo Benichi1e0656f2021-02-15 15:43:38 +0900[diff] [blame]829 Verify_iptables(runner, IPv4,
830 "nat -D OUTPUT -m mark ! --mark 0x00008000/0x0000c000 -j "
831 "redirect_dns -w");
Hugo Benichibb38bdd2021-05-14 10:36:11 +0900[diff] [blame^]832 Verify_iptables(runner, Dual, "filter -F vpn_accept -w");
Hugo Benichi2a940542020-10-26 18:50:49 +0900[diff] [blame]833
834 Datapath datapath(&runner, &firewall);
835 datapath.SetIfnameIndex("arcbr0", 5);
836 datapath.StartVpnRouting("arcbr0");
837 datapath.StopVpnRouting("arcbr0");
838}
839
Hugo Benichibfc49112020-12-14 12:54:44 +0900[diff] [blame]840TEST(DatapathTest, StartStopVpnRouting_HostVpn) {
841 MockProcessRunner runner;
842 MockFirewall firewall;
843
844 // Setup
Hugo Benichi50fe47f2021-03-29 11:33:25 +0900[diff] [blame]845 Verify_iptables(runner, Dual, "mangle -N POSTROUTING_tun0 -w");
846 Verify_iptables(runner, Dual, "mangle -F POSTROUTING_tun0 -w",
847 2 /* Start and Stop */);
848 Verify_iptables(runner, Dual,
849 "mangle -A POSTROUTING -o tun0 -j POSTROUTING_tun0 -w");
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]850 Verify_iptables(runner, Dual,
Hugo Benichi50fe47f2021-03-29 11:33:25 +0900[diff] [blame]851 "mangle -A POSTROUTING_tun0 -j CONNMARK --set-mark "
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]852 "0x03ed0000/0xffff0000 -w");
853 Verify_iptables(
854 runner, Dual,
Hugo Benichi3540c7f2021-03-29 13:14:42 +0900[diff] [blame]855 "mangle -A apply_vpn_mark -m mark ! --mark 0x0/0xffff0000 -j ACCEPT -w");
856 Verify_iptables(
857 runner, Dual,
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]858 "mangle -A apply_vpn_mark -j MARK --set-mark 0x03ed0000/0xffff0000 -w");
859 Verify_iptables(runner, Dual,
Hugo Benichi50fe47f2021-03-29 11:33:25 +0900[diff] [blame]860 "mangle -A POSTROUTING_tun0 -j CONNMARK "
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]861 "--save-mark --mask 0x00003f00 -w");
862 Verify_iptables(runner, Dual,
863 "mangle -A PREROUTING -i tun0 -j CONNMARK "
864 "--restore-mark --mask 0x00003f00 -w");
865 Verify_iptables(runner, IPv4, "nat -A POSTROUTING -o tun0 -j MASQUERADE -w");
Hugo Benichi1e0656f2021-02-15 15:43:38 +0900[diff] [blame]866 Verify_iptables(runner, IPv4,
867 "nat -A OUTPUT -m mark ! --mark 0x00008000/0x0000c000 -j "
868 "redirect_dns -w");
Hugo Benichibb38bdd2021-05-14 10:36:11 +0900[diff] [blame^]869 Verify_iptables(runner, Dual,
870 "filter -A vpn_accept -m mark "
871 "--mark 0x03ed0000/0xffff0000 -j ACCEPT -w");
Hugo Benichibfc49112020-12-14 12:54:44 +0900[diff] [blame]872 // Teardown
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]873 Verify_iptables(runner, Dual,
Hugo Benichi50fe47f2021-03-29 11:33:25 +0900[diff] [blame]874 "mangle -D POSTROUTING -o tun0 -j POSTROUTING_tun0 -w");
875 Verify_iptables(runner, Dual, "mangle -X POSTROUTING_tun0 -w");
Hugo Benichi3540c7f2021-03-29 13:14:42 +0900[diff] [blame]876 Verify_iptables(runner, Dual, "mangle -F apply_vpn_mark -w");
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]877 Verify_iptables(runner, Dual,
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]878 "mangle -D PREROUTING -i tun0 -j CONNMARK "
879 "--restore-mark --mask 0x00003f00 -w");
880 Verify_iptables(runner, IPv4, "nat -D POSTROUTING -o tun0 -j MASQUERADE -w");
Hugo Benichi1e0656f2021-02-15 15:43:38 +0900[diff] [blame]881 Verify_iptables(runner, IPv4,
882 "nat -D OUTPUT -m mark ! --mark 0x00008000/0x0000c000 -j "
883 "redirect_dns -w");
Hugo Benichibb38bdd2021-05-14 10:36:11 +0900[diff] [blame^]884 Verify_iptables(runner, Dual, "filter -F vpn_accept -w");
Hugo Benichibfc49112020-12-14 12:54:44 +0900[diff] [blame]885 // Start tun0 <-> arcbr0 routing
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]886 Verify_iptables(runner, IPv4,
887 "filter -A FORWARD -i tun0 -o arcbr0 -j ACCEPT -w");
888 Verify_iptables(runner, IPv4,
889 "filter -A FORWARD -i arcbr0 -o tun0 -j ACCEPT -w");
Hugo Benichid872d3d2021-03-29 10:20:53 +0900[diff] [blame]890 Verify_iptables(runner, Dual, "mangle -N PREROUTING_arcbr0 -w");
891 Verify_iptables(runner, Dual, "mangle -F PREROUTING_arcbr0 -w",
892 2 /* Start and Stop */);
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]893 Verify_iptables(runner, Dual,
Hugo Benichid872d3d2021-03-29 10:20:53 +0900[diff] [blame]894 "mangle -A PREROUTING -i arcbr0 -j PREROUTING_arcbr0 -w");
Hugo Benichi7a066242021-04-07 23:47:32 +0900[diff] [blame]895 Verify_iptables(runner, IPv4,
896 "mangle -A PREROUTING_arcbr0 -j MARK --set-mark "
897 "0x00000001/0x00000001 -w");
Hugo Benichid872d3d2021-03-29 10:20:53 +0900[diff] [blame]898 Verify_iptables(runner, Dual,
899 "mangle -A PREROUTING_arcbr0 -j MARK --set-mark "
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]900 "0x00002000/0x00003f00 -w");
901 Verify_iptables(runner, Dual,
Hugo Benichid872d3d2021-03-29 10:20:53 +0900[diff] [blame]902 "mangle -A PREROUTING_arcbr0 -j MARK --set-mark "
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]903 "0x03ed0000/0xffff0000 -w");
Hugo Benichibfc49112020-12-14 12:54:44 +0900[diff] [blame]904 // Stop tun0 <-> arcbr0 routing
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]905 Verify_iptables(runner, IPv4,
906 "filter -D FORWARD -i tun0 -o arcbr0 -j ACCEPT -w");
907 Verify_iptables(runner, IPv4,
908 "filter -D FORWARD -i arcbr0 -o tun0 -j ACCEPT -w");
909 Verify_iptables(runner, Dual,
Hugo Benichid872d3d2021-03-29 10:20:53 +0900[diff] [blame]910 "mangle -D PREROUTING -i arcbr0 -j PREROUTING_arcbr0 -w");
911 Verify_iptables(runner, Dual, "mangle -X PREROUTING_arcbr0 -w");
Hugo Benichibfc49112020-12-14 12:54:44 +0900[diff] [blame]912
913 Datapath datapath(&runner, &firewall);
914 datapath.SetIfnameIndex("tun0", 5);
915 datapath.StartVpnRouting("tun0");
916 datapath.StopVpnRouting("tun0");
917}
918
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]919TEST(DatapathTest, AddInboundIPv4DNAT) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]920 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]921 MockFirewall firewall;
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]922 Verify_iptables(
923 runner, IPv4,
924 "nat -A PREROUTING -i eth0 -m socket --nowildcard -j ACCEPT -w");
925 Verify_iptables(
926 runner, IPv4,
927 "nat -A PREROUTING -i eth0 -p tcp -j DNAT --to-destination 1.2.3.4 -w");
928 Verify_iptables(
929 runner, IPv4,
930 "nat -A PREROUTING -i eth0 -p udp -j DNAT --to-destination 1.2.3.4 -w");
931
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]932 Datapath datapath(&runner, &firewall);
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]933 datapath.AddInboundIPv4DNAT("eth0", "1.2.3.4");
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]934}
935
936TEST(DatapathTest, RemoveInboundIPv4DNAT) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]937 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]938 MockFirewall firewall;
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]939 Verify_iptables(
940 runner, IPv4,
941 "nat -D PREROUTING -i eth0 -m socket --nowildcard -j ACCEPT -w");
942 Verify_iptables(
943 runner, IPv4,
944 "nat -D PREROUTING -i eth0 -p tcp -j DNAT --to-destination 1.2.3.4 -w");
945 Verify_iptables(
946 runner, IPv4,
947 "nat -D PREROUTING -i eth0 -p udp -j DNAT --to-destination 1.2.3.4 -w");
948
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]949 Datapath datapath(&runner, &firewall);
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]950 datapath.RemoveInboundIPv4DNAT("eth0", "1.2.3.4");
Garrick Evansf0ab7132019-06-18 14:50:42 +0900[diff] [blame]951}
952
Garrick Evans664a82f2019-12-17 12:18:05 +0900[diff] [blame]953TEST(DatapathTest, MaskInterfaceFlags) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]954 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]955 MockFirewall firewall;
956 Datapath datapath(&runner, &firewall, ioctl_req_cap);
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]957
Garrick Evans664a82f2019-12-17 12:18:05 +0900[diff] [blame]958 bool result = datapath.MaskInterfaceFlags("foo0", IFF_DEBUG);
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]959 EXPECT_TRUE(result);
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]960 std::vector<ioctl_req_t> expected = {SIOCGIFFLAGS, SIOCSIFFLAGS};
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]961 EXPECT_EQ(ioctl_reqs, expected);
962 ioctl_reqs.clear();
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]963 ioctl_rtentry_args.clear();
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]964}
965
966TEST(DatapathTest, AddIPv6Forwarding) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]967 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]968 MockFirewall firewall;
Taoyu Lica49c832019-12-06 17:56:43 +0900[diff] [blame]969 // Return 1 on iptables -C to simulate rule not existing case
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]970 EXPECT_CALL(runner, ip6tables(StrEq("filter"),
971 ElementsAre("-C", "FORWARD", "-i", "eth0", "-o",
972 "arc_eth0", "-j", "ACCEPT", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]973 false, nullptr))
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]974 .WillOnce(Return(1));
975 EXPECT_CALL(runner, ip6tables(StrEq("filter"),
976 ElementsAre("-A", "FORWARD", "-i", "eth0", "-o",
977 "arc_eth0", "-j", "ACCEPT", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]978 true, nullptr));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]979 EXPECT_CALL(runner, ip6tables(StrEq("filter"),
980 ElementsAre("-C", "FORWARD", "-i", "arc_eth0",
981 "-o", "eth0", "-j", "ACCEPT", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]982 false, nullptr))
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]983 .WillOnce(Return(1));
984 EXPECT_CALL(runner, ip6tables(StrEq("filter"),
985 ElementsAre("-A", "FORWARD", "-i", "arc_eth0",
986 "-o", "eth0", "-j", "ACCEPT", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]987 true, nullptr));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]988 Datapath datapath(&runner, &firewall);
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]989 datapath.AddIPv6Forwarding("eth0", "arc_eth0");
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]990}
991
Taoyu Lica49c832019-12-06 17:56:43 +0900[diff] [blame]992TEST(DatapathTest, AddIPv6ForwardingRuleExists) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]993 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]994 MockFirewall firewall;
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]995 EXPECT_CALL(runner, ip6tables(StrEq("filter"),
996 ElementsAre("-C", "FORWARD", "-i", "eth0", "-o",
997 "arc_eth0", "-j", "ACCEPT", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]998 false, nullptr));
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]999 EXPECT_CALL(runner, ip6tables(StrEq("filter"),
1000 ElementsAre("-C", "FORWARD", "-i", "arc_eth0",
1001 "-o", "eth0", "-j", "ACCEPT", "-w"),
Jie Jiangcf5ce9c2020-07-14 17:22:03 +0900[diff] [blame]1002 false, nullptr));
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1003 Datapath datapath(&runner, &firewall);
Taoyu Lica49c832019-12-06 17:56:43 +0900[diff] [blame]1004 datapath.AddIPv6Forwarding("eth0", "arc_eth0");
Taoyu Lica49c832019-12-06 17:56:43 +0900[diff] [blame]1005}
1006
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]1007TEST(DatapathTest, RemoveIPv6Forwarding) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1008 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1009 MockFirewall firewall;
Hugo Benichi860ef532021-01-25 17:19:36 +0900[diff] [blame]1010 Verify_iptables(runner, IPv6,
1011 "filter -D FORWARD -i eth0 -o arc_eth0 -j ACCEPT -w");
1012 Verify_iptables(runner, IPv6,
1013 "filter -D FORWARD -i arc_eth0 -o eth0 -j ACCEPT -w");
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1014 Datapath datapath(&runner, &firewall);
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]1015 datapath.RemoveIPv6Forwarding("eth0", "arc_eth0");
Taoyu Li90c13912019-11-26 17:56:54 +0900[diff] [blame]1016}
1017
Taoyu Lieb6cc8f2019-12-09 15:53:04 +0900[diff] [blame]1018TEST(DatapathTest, AddIPv6HostRoute) {
Garrick Evans8e8e3472020-01-23 14:03:50 +0900[diff] [blame]1019 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1020 MockFirewall firewall;
Hugo Benichi1e3bab52021-01-25 22:41:58 +0900[diff] [blame]1021 Verify_ip6(runner, "route replace 2001:da8:e00::1234/128 dev eth0");
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1022 Datapath datapath(&runner, &firewall);
Taoyu Lieb6cc8f2019-12-09 15:53:04 +0900[diff] [blame]1023 datapath.AddIPv6HostRoute("eth0", "2001:da8:e00::1234", 128);
Taoyu Lieb6cc8f2019-12-09 15:53:04 +0900[diff] [blame]1024}
1025
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]1026TEST(DatapathTest, AddIPv4Route) {
1027 MockProcessRunner runner;
Jason Jeremy Imana7273a32020-08-04 11:25:31 +0900[diff] [blame]1028 MockFirewall firewall;
1029 Datapath datapath(&runner, &firewall, (ioctl_t)ioctl_rtentry_cap);
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]1030
1031 datapath.AddIPv4Route(Ipv4Addr(192, 168, 1, 1), Ipv4Addr(100, 115, 93, 0),
1032 Ipv4Addr(255, 255, 255, 0));
1033 datapath.DeleteIPv4Route(Ipv4Addr(192, 168, 1, 1), Ipv4Addr(100, 115, 93, 0),
1034 Ipv4Addr(255, 255, 255, 0));
1035 datapath.AddIPv4Route("eth0", Ipv4Addr(100, 115, 92, 8),
1036 Ipv4Addr(255, 255, 255, 252));
1037 datapath.DeleteIPv4Route("eth0", Ipv4Addr(100, 115, 92, 8),
1038 Ipv4Addr(255, 255, 255, 252));
1039
1040 std::vector<ioctl_req_t> expected_reqs = {SIOCADDRT, SIOCDELRT, SIOCADDRT,
1041 SIOCDELRT};
1042 EXPECT_EQ(expected_reqs, ioctl_reqs);
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]1043
1044 std::string route1 =
1045 "{rt_dst: {family: AF_INET, port: 0, addr: 100.115.93.0}, rt_genmask: "
1046 "{family: AF_INET, port: 0, addr: 255.255.255.0}, rt_gateway: {family: "
1047 "AF_INET, port: 0, addr: 192.168.1.1}, rt_dev: null, rt_flags: RTF_UP | "
1048 "RTF_GATEWAY}";
1049 std::string route2 =
1050 "{rt_dst: {family: AF_INET, port: 0, addr: 100.115.92.8}, rt_genmask: "
1051 "{family: AF_INET, port: 0, addr: 255.255.255.252}, rt_gateway: {unset}, "
1052 "rt_dev: eth0, rt_flags: RTF_UP | RTF_GATEWAY}";
1053 std::vector<std::string> captured_routes;
1054 for (const auto& route : ioctl_rtentry_args) {
1055 std::ostringstream stream;
1056 stream << route.second;
1057 captured_routes.emplace_back(stream.str());
1058 }
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]1059 EXPECT_EQ(route1, captured_routes[0]);
1060 EXPECT_EQ(route1, captured_routes[1]);
1061 EXPECT_EQ(route2, captured_routes[2]);
1062 EXPECT_EQ(route2, captured_routes[3]);
Hugo Benichi7c342672020-09-08 09:18:14 +0900[diff] [blame]1063 ioctl_reqs.clear();
1064 ioctl_rtentry_args.clear();
Hugo Benichie8758b52020-04-03 14:49:01 +0900[diff] [blame]1065}
1066
Hugo Benichi1e0656f2021-02-15 15:43:38 +0900[diff] [blame]1067TEST(DatapathTest, RedirectDnsRules) {
1068 MockProcessRunner runner;
1069 MockFirewall firewall;
1070
1071 Verify_iptables(runner, IPv4,
1072 "nat -I redirect_dns -p tcp --dport 53 -o eth0 -j DNAT "
1073 "--to-destination 192.168.1.1 -w");
1074 Verify_iptables(runner, IPv4,
1075 "nat -I redirect_dns -p udp --dport 53 -o eth0 -j DNAT "
1076 "--to-destination 192.168.1.1 -w");
1077 Verify_iptables(runner, IPv4,
1078 "nat -I redirect_dns -p tcp --dport 53 -o wlan0 -j DNAT "
1079 "--to-destination 1.1.1.1 -w");
1080 Verify_iptables(runner, IPv4,
1081 "nat -I redirect_dns -p udp --dport 53 -o wlan0 -j DNAT "
1082 "--to-destination 1.1.1.1 -w");
1083 Verify_iptables(runner, IPv4,
1084 "nat -D redirect_dns -p tcp --dport 53 -o wlan0 -j DNAT "
1085 "--to-destination 1.1.1.1 -w");
1086 Verify_iptables(runner, IPv4,
1087 "nat -D redirect_dns -p udp --dport 53 -o wlan0 -j DNAT "
1088 "--to-destination 1.1.1.1 -w");
1089 Verify_iptables(runner, IPv4,
1090 "nat -I redirect_dns -p tcp --dport 53 -o wlan0 -j DNAT "
1091 "--to-destination 8.8.8.8 -w");
1092 Verify_iptables(runner, IPv4,
1093 "nat -I redirect_dns -p udp --dport 53 -o wlan0 -j DNAT "
1094 "--to-destination 8.8.8.8 -w");
1095 Verify_iptables(runner, IPv4,
1096 "nat -D redirect_dns -p tcp --dport 53 -o eth0 -j DNAT "
1097 "--to-destination 192.168.1.1 -w");
1098 Verify_iptables(runner, IPv4,
1099 "nat -D redirect_dns -p udp --dport 53 -o eth0 -j DNAT "
1100 "--to-destination 192.168.1.1 -w");
1101 Verify_iptables(runner, IPv4,
1102 "nat -D redirect_dns -p tcp --dport 53 -o wlan0 -j DNAT "
1103 "--to-destination 8.8.8.8 -w");
1104 Verify_iptables(runner, IPv4,
1105 "nat -D redirect_dns -p udp --dport 53 -o wlan0 -j DNAT "
1106 "--to-destination 8.8.8.8 -w");
1107
1108 Datapath datapath(&runner, &firewall);
1109 datapath.RemoveRedirectDnsRule("wlan0");
1110 datapath.RemoveRedirectDnsRule("unknown");
1111 datapath.AddRedirectDnsRule("eth0", "192.168.1.1");
1112 datapath.AddRedirectDnsRule("wlan0", "1.1.1.1");
1113 datapath.AddRedirectDnsRule("wlan0", "8.8.8.8");
1114 datapath.RemoveRedirectDnsRule("eth0");
1115 datapath.RemoveRedirectDnsRule("wlan0");
1116}
1117
Hugo Benichibb38bdd2021-05-14 10:36:11 +0900[diff] [blame^]1118TEST(DatapathTest, SetVpnLockdown) {
1119 MockProcessRunner runner;
1120 MockFirewall firewall;
1121
1122 Verify_iptables(runner, Dual,
1123 "filter -A vpn_lockdown -m mark --mark 0x00008000/0x0000c000 "
1124 "-j REJECT -w");
1125 Verify_iptables(runner, Dual, "filter -F vpn_lockdown -w");
1126
1127 Datapath datapath(&runner, &firewall);
1128 datapath.SetVpnLockdown(true);
1129 datapath.SetVpnLockdown(false);
1130}
1131
Garrick Evans2f581a02020-05-11 10:43:35 +0900[diff] [blame]1132TEST(DatapathTest, ArcVethHostName) {
1133 EXPECT_EQ("vetheth0", ArcVethHostName("eth0"));
1134 EXPECT_EQ("vethrmnet0", ArcVethHostName("rmnet0"));
1135 EXPECT_EQ("vethrmnet_data0", ArcVethHostName("rmnet_data0"));
1136 EXPECT_EQ("vethifnamsiz_i0", ArcVethHostName("ifnamsiz_ifnam0"));
1137 auto ifname = ArcVethHostName("exceeds_ifnamesiz_checkanyway");
1138 EXPECT_EQ("vethexceeds_ify", ifname);
1139 EXPECT_LT(ifname.length(), IFNAMSIZ);
1140}
1141
Garrick Evans8a067562020-05-11 12:47:30 +0900[diff] [blame]1142TEST(DatapathTest, ArcBridgeName) {
1143 EXPECT_EQ("arc_eth0", ArcBridgeName("eth0"));
1144 EXPECT_EQ("arc_rmnet0", ArcBridgeName("rmnet0"));
1145 EXPECT_EQ("arc_rmnet_data0", ArcBridgeName("rmnet_data0"));
1146 EXPECT_EQ("arc_ifnamsiz_i0", ArcBridgeName("ifnamsiz_ifnam0"));
1147 auto ifname = ArcBridgeName("exceeds_ifnamesiz_checkanyway");
1148 EXPECT_EQ("arc_exceeds_ify", ifname);
1149 EXPECT_LT(ifname.length(), IFNAMSIZ);
1150}
1151
Garrick Evans3388a032020-03-24 11:25:55 +0900[diff] [blame]1152} // namespace patchpanel