Today's Topics:
1. [PATCH 4/5] firewall: Adapt to iptables.c IPv6 changes.
(Jussi Laakkonen)
2. [PATCH 5/5] test: Add tests and test tool for IPv6 parts of
iptables.c. (Jussi Laakkonen)
----------------------------------------------------------------------
Message: 1
Date: Thu, 8 Nov 2018 15:23:45 +0200
From: Jussi Laakkonen <[email protected]>
To: [email protected]
Subject: [PATCH 4/5] firewall: Adapt to iptables.c IPv6 changes.
Message-ID: <[email protected]>
This commit adapts firewall-iptables.c to the iptables.c changes made when
enabling IPv6 iptables support (AF_INET is now passed to each iptables function used).
---
src/firewall-iptables.c | 42 +++++++++++++++++++++++------------------
1 file changed, 24 insertions(+), 18 deletions(-)
diff --git a/src/firewall-iptables.c b/src/firewall-iptables.c
index 92f6c86b..1b04648b 100644
--- a/src/firewall-iptables.c
+++ b/src/firewall-iptables.c
@@ -92,15 +92,17 @@ static int insert_managed_chain(const char *table_name, int
id)
managed_chain = g_strdup_printf("%s%s", CHAIN_PREFIX,
builtin_chains[id]);
- err = __connman_iptables_new_chain(table_name, managed_chain);
+ err = __connman_iptables_new_chain(AF_INET, table_name, managed_chain);
if (err < 0)
goto out;
rule = g_strdup_printf("-j %s", managed_chain);
- err = __connman_iptables_insert(table_name, builtin_chains[id], rule);
+ err = __connman_iptables_insert(AF_INET, table_name, builtin_chains[id],
+ rule);
g_free(rule);
if (err < 0) {
- __connman_iptables_delete_chain(table_name, managed_chain);
+ __connman_iptables_delete_chain(AF_INET, table_name,
+ managed_chain);
goto out;
}
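Review bot: Every call in this hunk, and in the delete_managed_chain, insert_managed_rule, delete_managed_rule, enable_rule, disable_rule and flush_table hunks below, hard-codes AF_INET, so the managed chains and jump rules are installed only into the IPv4 tables even though the series enables IPv6 iptables; IPv6 traffic appears to stay outside this firewall entirely. If that is intentional for now, a file-level comment next to CHAIN_PREFIX such as `/* The firewall manages the IPv4 (AF_INET) tables only; IPv6 rules are not installed yet. */` would stop the next reader from assuming dual-stack coverage, and routing all call sites through one `static const int fw_family = AF_INET;` would make the eventual extension a single-line change. insert_managed_chain begins before this hunk.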
@@ -119,13 +121,15 @@ static int delete_managed_chain(const char *table_name,
int id)
builtin_chains[id]);
rule = g_strdup_printf("-j %s", managed_chain);
- err = __connman_iptables_delete(table_name, builtin_chains[id], rule);
+ err = __connman_iptables_delete(AF_INET, table_name, builtin_chains[id],
+ rule);
g_free(rule);
if (err < 0)
goto out;
- err = __connman_iptables_delete_chain(table_name, managed_chain);
+ err = __connman_iptables_delete_chain(AF_INET, table_name,
+ managed_chain);
out:
g_free(managed_chain);
@@ -178,7 +182,7 @@ static int insert_managed_rule(const char *table_name,
chain = g_strdup_printf("%s%s", CHAIN_PREFIX, chain_name);
out:
- err = __connman_iptables_append(table_name, chain, rule_spec);
+ err = __connman_iptables_append(AF_INET, table_name, chain, rule_spec);
g_free(chain);
@@ -197,14 +201,14 @@ static int delete_managed_rule(const char *table_name,
id = chain_to_index(chain_name);
if (id < 0) {
/* This chain is not managed */
- return __connman_iptables_delete(table_name, chain_name,
- rule_spec);
+ return __connman_iptables_delete(AF_INET, table_name,
+ chain_name, rule_spec);
}
managed_chain = g_strdup_printf("%s%s", CHAIN_PREFIX, chain_name);
- err = __connman_iptables_delete(table_name, managed_chain,
- rule_spec);
+ err = __connman_iptables_delete(AF_INET, table_name, managed_chain,
+ rule_spec);
for (list = managed_tables; list; list = list->next) {
mtable = list->data;
@@ -281,7 +285,7 @@ static int enable_rule(struct fw_rule *rule)
if (err < 0)
return err;
- err = __connman_iptables_commit(rule->table);
+ err = __connman_iptables_commit(AF_INET, rule->table);
if (err < 0)
return err;
@@ -304,7 +308,7 @@ static int disable_rule(struct fw_rule *rule)
return err;
}
- err = __connman_iptables_commit(rule->table);
+ err = __connman_iptables_commit(AF_INET, rule->table);
if (err < 0) {
connman_error("Cannot remove previously installed "
"iptables rules: %s", strerror(-err));
@@ -545,8 +549,8 @@ static void flush_table(const char *table_name)
char *rule, *managed_chain;
int id, err;
- __connman_iptables_iterate_chains(table_name, iterate_chains_cb,
- &chains);
+ __connman_iptables_iterate_chains(AF_INET, table_name,
+ iterate_chains_cb, &chains);
for (list = chains; list; list = list->next) {
id = GPOINTER_TO_INT(list->data);
@@ -555,7 +559,7 @@ static void flush_table(const char *table_name)
builtin_chains[id]);
rule = g_strdup_printf("-j %s", managed_chain);
- err = __connman_iptables_delete(table_name,
+ err = __connman_iptables_delete(AF_INET, table_name,
builtin_chains[id], rule);
if (err < 0) {
connman_warn("Failed to delete jump rule '%s': %s",
@@ -563,12 +567,14 @@ static void flush_table(const char *table_name)
}
g_free(rule);
- err = __connman_iptables_flush_chain(table_name, managed_chain);
+ err = __connman_iptables_flush_chain(AF_INET, table_name,
+ managed_chain);
if (err < 0) {
connman_warn("Failed to flush chain '%s': %s",
managed_chain, strerror(-err));
}
- err = __connman_iptables_delete_chain(table_name,
managed_chain);
+ err = __connman_iptables_delete_chain(AF_INET, table_name,
+ managed_chain);
if (err < 0) {
connman_warn("Failed to delete chain '%s': %s",
managed_chain, strerror(-err));
@@ -577,7 +583,7 @@ static void flush_table(const char *table_name)
g_free(managed_chain);
}
- err = __connman_iptables_commit(table_name);
+ err = __connman_iptables_commit(AF_INET, table_name);
if (err < 0) {
connman_warn("Failed to flush table '%s': %s",
table_name, strerror(-err));
--
2.19.1
------------------------------
Message: 2
Date: Thu, 8 Nov 2018 15:23:46 +0200
From: Jussi Laakkonen <[email protected]>
To: [email protected]
Subject: [PATCH 5/5] test: Add tests and test tool for IPv6 parts of
iptables.c.
Message-ID: <[email protected]>
This commit adds tests for IPv6 enabled iptables. The tests are
identical to the existing iptables tests, except IPv6 "nat" table rules
are not tested as IPv6 NAT is not enabled.
Also a test tool for IPv6 iptables (ip6tables-test) has been added,
which is a clone of iptables-test. iptables-test.c has been modified to
support the changes in iptables.c.
configure.ac now also detects the ip6tables-save program, and Makefile.am
passes its path to the updated iptables-unit test.
---
Makefile.am | 9 +-
configure.ac | 5 +
tools/ip6tables-test.c | 163 ++++++++++++++
tools/iptables-test.c | 19 +-
tools/iptables-unit.c | 486 +++++++++++++++++++++++++++++++++--------
5 files changed, 582 insertions(+), 100 deletions(-)
create mode 100644 tools/ip6tables-test.c
diff --git a/Makefile.am b/Makefile.am
index d6dfbf1c..7b16c5ca 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -380,14 +380,19 @@ tools_session_test_LDADD = gdbus/libgdbus-internal.la \
@GLIB_LIBS@ @DBUS_LIBS@ -ldl
if XTABLES
-noinst_PROGRAMS += tools/iptables-test tools/iptables-unit
+noinst_PROGRAMS += tools/iptables-test tools/ip6tables-test tools/iptables-unit
tools_iptables_test_SOURCES = $(backtrace_sources) src/log.c src/iptables.c \
tools/iptables-test.c
tools_iptables_test_LDADD = @GLIB_LIBS@ @XTABLES_LIBS@ -ldl
+tools_ip6tables_test_SOURCES = $(backtrace_sources) src/log.c src/iptables.c \
+ tools/ip6tables-test.c
+tools_ip6tables_test_LDADD = @GLIB_LIBS@ @XTABLES_LIBS@ -ldl
+
tools_iptables_unit_CFLAGS = @DBUS_CFLAGS@ @GLIB_CFLAGS@ @XTABLES_CFLAGS@ \
- -DIPTABLES_SAVE=\""${IPTABLES_SAVE}"\"
+ -DIPTABLES_SAVE=\""${IPTABLES_SAVE}"\" \
+ -DIP6TABLES_SAVE=\""${IP6TABLES_SAVE}"\"
tools_iptables_unit_SOURCES = $(backtrace_sources) src/log.c \
src/iptables.c src/firewall-iptables.c src/nat.c \
tools/iptables-unit.c
diff --git a/configure.ac b/configure.ac
index 984126c2..0bb2a6d9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -391,11 +391,16 @@ AM_CONDITIONAL(STATS, test "${enable_stats}" != "no")
if (test "${enable_tools}" != "no"); then
AC_PATH_PROGS(IPTABLES_SAVE, [iptables-save], [],
$PATH:/sbin:/usr/sbin)
+ AC_PATH_PROGS(IP6TABLES_SAVE, [ip6tables-save], [],
+ $PATH:/sbin:/usr/sbin)
IPTABLES_SAVE=$ac_cv_path_IPTABLES_SAVE
+ IP6TABLES_SAVE=$ac_cv_path_IP6TABLES_SAVE
else
IPTABLES_SAVE=""
+ IP6TABLES_SAVE=""
fi
AC_SUBST(IPTABLES_SAVE)
+AC_SUBST(IP6TABLES_SAVE)
AC_ARG_ENABLE(client, AC_HELP_STRING([--disable-client],
[disable command line client]),
diff --git a/tools/ip6tables-test.c b/tools/ip6tables-test.c
new file mode 100644
index 00000000..41e842dd
--- /dev/null
+++ b/tools/ip6tables-test.c
@@ -0,0 +1,163 @@
+/*
+ * Connection Manager
+ *
+ * Copyright (C) 2007-2012 Intel Corporation. All rights reserved.
+ * Copyright (C) 2013 BMW Car IT GmbH.
+ * Copyright (C) 2018 Jolla Ltd. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ *
+ */
+
+#include <getopt.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include <glib.h>
+
+#include "../src/connman.h"
+
+enum iptables_command {
+ IPTABLES_COMMAND_APPEND,
+ IPTABLES_COMMAND_INSERT,
+ IPTABLES_COMMAND_DELETE,
+ IPTABLES_COMMAND_POLICY,
+ IPTABLES_COMMAND_CHAIN_INSERT,
+ IPTABLES_COMMAND_CHAIN_DELETE,
+ IPTABLES_COMMAND_CHAIN_FLUSH,
+ IPTABLES_COMMAND_DUMP,
+ IPTABLES_COMMAND_UNKNOWN,
+};
+
+int main(int argc, char *argv[])
+{
+ enum iptables_command cmd = IPTABLES_COMMAND_UNKNOWN;
+ char *table = NULL, *chain = NULL, *rule = NULL, *tmp;
+ int err, c, i;
+
+ opterr = 0;
+
+ while ((c = getopt_long(argc, argv,
+ "-A:I:D:P:N:X:F:Lt:", NULL, NULL)) != -1) {
+ switch (c) {
+ case 'A':
+ chain = optarg;
+ cmd = IPTABLES_COMMAND_APPEND;
+ break;
+ case 'I':
+ chain = optarg;
+ cmd = IPTABLES_COMMAND_INSERT;
+ break;
+ case 'D':
+ chain = optarg;
+ cmd = IPTABLES_COMMAND_DELETE;
+ break;
+ case 'P':
+ chain = optarg;
+ /* The policy will be stored in rule. */
+ cmd = IPTABLES_COMMAND_POLICY;
+ break;
+ case 'N':
+ chain = optarg;
+ cmd = IPTABLES_COMMAND_CHAIN_INSERT;
+ break;
+ case 'X':
+ chain = optarg;
+ cmd = IPTABLES_COMMAND_CHAIN_DELETE;
+ break;
+ case 'F':
+ chain = optarg;
+ cmd = IPTABLES_COMMAND_CHAIN_FLUSH;
+ break;
+ case 'L':
+ cmd = IPTABLES_COMMAND_DUMP;
+ break;
+ case 't':
+ table = optarg;
+ break;
+ default:
+ goto out;
+ }
+ }
+
+out:
+ if (!table)
+ table = "filter";
+
+ for (i = optind - 1; i < argc; i++) {
+ if (rule) {
+ tmp = rule;
+ rule = g_strdup_printf("%s %s", rule, argv[i]);
+ g_free(tmp);
+ } else
+ rule = g_strdup(argv[i]);
+ }
+
+ __connman_iptables_init();
+
+ switch (cmd) {
+ case IPTABLES_COMMAND_APPEND:
+ err = __connman_iptables_append(AF_INET6, table, chain, rule);
+ break;
+ case IPTABLES_COMMAND_INSERT:
+ err = __connman_iptables_insert(AF_INET6, table, chain, rule);
+ break;
+ case IPTABLES_COMMAND_DELETE:
+ err = __connman_iptables_delete(AF_INET6, table, chain, rule);
+ break;
+ case IPTABLES_COMMAND_POLICY:
+ err = __connman_iptables_change_policy(AF_INET6, table, chain,
+ rule);
+ break;
+ case IPTABLES_COMMAND_CHAIN_INSERT:
+ err = __connman_iptables_new_chain(AF_INET6, table, chain);
+ break;
+ case IPTABLES_COMMAND_CHAIN_DELETE:
+ err = __connman_iptables_delete_chain(AF_INET6, table, chain);
+ break;
+ case IPTABLES_COMMAND_CHAIN_FLUSH:
+ err = __connman_iptables_flush_chain(AF_INET6, table, chain);
+ break;
+ case IPTABLES_COMMAND_DUMP:
+ __connman_log_init(argv[0], "*", false, false,
+ "ip6tables-test", "1");
+ err = __connman_iptables_dump(AF_INET6, table);
+ break;
+ case IPTABLES_COMMAND_UNKNOWN:
+ printf("Missing command\n");
+ printf("usage: ip6tables-test [-t table] {-A|-I|-D} chain
rule\n");
+ printf(" ip6tables-test [-t table] {-N|-X|-F} chain\n");
+ printf(" ip6tables-test [-t table] -L\n");
+ printf(" ip6tables-test [-t table] -P chain target\n");
+ exit(-EINVAL);
+ }
+
+ if (err < 0) {
+ printf("Error: %s\n", strerror(-err));
+ exit(err);
+ }
+
+ err = __connman_iptables_commit(AF_INET6, table);
+ if (err < 0) {
+ printf("Failed to commit changes: %s\n", strerror(-err));
+ exit(err);
+ }
+
+ g_free(rule);
+
+ __connman_iptables_cleanup();
+
+ return 0;
+}
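Review bot: This file duplicates tools/iptables-test.c apart from AF_INET6 in the eight iptables calls and the two "ip6tables-test" strings, as the commit message itself says, so every future fix to the option parsing or error handling will have to be made twice. Building the one source twice with a family define (`-DIPTABLES_FAMILY=AF_INET6` in the tools_ip6tables_test rule, `IPTABLES_FAMILY` in place of the literal in the calls and a matching name string) would keep both tools in step. Independently of that, the `exit()` paths after the command switch and after the commit leave `rule` unfreed and skip `__connman_iptables_cleanup()`, which is harmless for a one-shot tool but worth a `goto` to a shared cleanup label if the tool is ever reused. The usage `printf` for the `{-A|-I|-D}` form appears split across two lines in this listing; that is presumably a mail-wrap artifact, but the line should be confirmed to be a single string literal in the actual patch.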
diff --git a/tools/iptables-test.c b/tools/iptables-test.c
index 2df53ccd..e9b7cb22 100644
--- a/tools/iptables-test.c
+++ b/tools/iptables-test.c
@@ -108,30 +108,31 @@ out:
switch (cmd) {
case IPTABLES_COMMAND_APPEND:
- err = __connman_iptables_append(table, chain, rule);
+ err = __connman_iptables_append(AF_INET, table, chain, rule);
break;
case IPTABLES_COMMAND_INSERT:
- err = __connman_iptables_insert(table, chain, rule);
+ err = __connman_iptables_insert(AF_INET, table, chain, rule);
break;
case IPTABLES_COMMAND_DELETE:
- err = __connman_iptables_delete(table, chain, rule);
+ err = __connman_iptables_delete(AF_INET, table, chain, rule);
break;
case IPTABLES_COMMAND_POLICY:
- err = __connman_iptables_change_policy(table, chain, rule);
+ err = __connman_iptables_change_policy(AF_INET, table, chain,
+ rule);
break;
case IPTABLES_COMMAND_CHAIN_INSERT:
- err = __connman_iptables_new_chain(table, chain);
+ err = __connman_iptables_new_chain(AF_INET, table, chain);
break;
case IPTABLES_COMMAND_CHAIN_DELETE:
- err = __connman_iptables_delete_chain(table, chain);
+ err = __connman_iptables_delete_chain(AF_INET, table, chain);
break;
case IPTABLES_COMMAND_CHAIN_FLUSH:
- err = __connman_iptables_flush_chain(table, chain);
+ err = __connman_iptables_flush_chain(AF_INET, table, chain);
break;
case IPTABLES_COMMAND_DUMP:
__connman_log_init(argv[0], "*", false, false,
"iptables-test", "1");
- err = __connman_iptables_dump(table);
+ err = __connman_iptables_dump(AF_INET, table);
break;
case IPTABLES_COMMAND_UNKNOWN:
printf("Missing command\n");
@@ -147,7 +148,7 @@ out:
exit(err);
}
- err = __connman_iptables_commit(table);
+ err = __connman_iptables_commit(AF_INET, table);
if (err < 0) {
printf("Failed to commit changes: %s\n", strerror(-err));
exit(err);
diff --git a/tools/iptables-unit.c b/tools/iptables-unit.c
index 0ab42491..b91591f2 100644
--- a/tools/iptables-unit.c
+++ b/tools/iptables-unit.c
@@ -28,14 +28,24 @@
#include "../src/connman.h"
-static bool assert_rule(const char *table_name, const char *rule)
+static bool assert_rule(int type, const char *table_name, const char *rule)
{
char *cmd, *output, **lines;
GError **error = NULL;
int i;
bool ret = true;
- cmd = g_strdup_printf(IPTABLES_SAVE " -t %s", table_name);
+ switch (type) {
+ case AF_INET:
+ cmd = g_strdup_printf(IPTABLES_SAVE " -t %s", table_name);
+ break;
+ case AF_INET6:
+ cmd = g_strdup_printf(IP6TABLES_SAVE " -t %s", table_name);
+ break;
+ default:
+ return false;
+ }
+
g_spawn_command_line_sync(cmd, &output, NULL, NULL, error);
g_free(cmd);
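Review bot: The new `default: return false;` in assert_rule turns an unknown address family into a silent pass for assert_rule_not_exists, which asserts `!assert_rule(...)`, and into an unexplained failure for assert_rule_exists. Since `type` is a programming error rather than a runtime condition here, `default: g_error("unknown address family %d", type);` (or `g_assert_not_reached();`) would make the mistake visible at the point it occurs. assert_rule's body continues past the end of this hunk, and the guard functions in the next hunk let the same unknown family through to this switch.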
@@ -57,67 +67,87 @@ static bool assert_rule(const char *table_name, const char
*rule)
return ret;
}
-static void assert_rule_exists(const char *table_name, const char *rule)
+static void assert_rule_exists(int type, const char *table_name,
+ const char *rule)
{
- if (g_strcmp0(IPTABLES_SAVE, "") == 0) {
- DBG("iptables-save is missing, no assertion possible");
- return;
+ if (type == AF_INET) {
+ if (g_strcmp0(IPTABLES_SAVE, "") == 0) {
+ DBG("iptables-save is missing, no assertion possible");
+ return;
+ }
}
- g_assert(assert_rule(table_name, rule));
+ if (type == AF_INET6) {
+ if (g_strcmp0(IP6TABLES_SAVE, "") == 0) {
+ DBG("ip6tables-save is missing, no assertion possible");
+ return;
+ }
+ }
+
+ g_assert(assert_rule(type, table_name, rule));
}
-static void assert_rule_not_exists(const char *table_name, const char *rule)
+static void assert_rule_not_exists(int type, const char *table_name,
+ const char *rule)
{
- if (g_strcmp0(IPTABLES_SAVE, "") == 0) {
- DBG("iptables-save is missing, no assertion possible");
- return;
+ if (type == AF_INET) {
+ if (g_strcmp0(IPTABLES_SAVE, "") == 0) {
+ DBG("iptables-save is missing, no assertion possible");
+ return;
+ }
+ }
+
+ if (type == AF_INET6) {
+ if (g_strcmp0(IP6TABLES_SAVE, "") == 0) {
+ DBG("ip6tables-save is missing, no assertion possible");
+ return;
+ }
}
- g_assert(!assert_rule(table_name, rule));
+ g_assert(!assert_rule(type, table_name, rule));
}
static void test_iptables_chain0(void)
{
int err;
- err = __connman_iptables_new_chain("filter", "foo");
+ err = __connman_iptables_new_chain(AF_INET, "filter", "foo");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- assert_rule_exists("filter", ":foo - [0:0]");
+ assert_rule_exists(AF_INET, "filter", ":foo - [0:0]");
- err = __connman_iptables_delete_chain("filter", "foo");
+ err = __connman_iptables_delete_chain(AF_INET, "filter", "foo");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- assert_rule_not_exists("filter", ":foo - [0:0]");
+ assert_rule_not_exists(AF_INET, "filter", ":foo - [0:0]");
}
static void test_iptables_chain1(void)
{
int err;
- err = __connman_iptables_new_chain("filter", "foo");
+ err = __connman_iptables_new_chain(AF_INET, "filter", "foo");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- err = __connman_iptables_flush_chain("filter", "foo");
+ err = __connman_iptables_flush_chain(AF_INET, "filter", "foo");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- err = __connman_iptables_delete_chain("filter", "foo");
+ err = __connman_iptables_delete_chain(AF_INET, "filter", "foo");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
}
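Review bot: assert_rule_exists and assert_rule_not_exists now each carry two copies of the "is the save tool configured" check, differing only in the macro and the message, and neither rejects a `type` that is not AF_INET or AF_INET6. Resolving the tool path in one helper keeps the two guards identical and gives the unknown-family case a single, loud failure; the rewrite below shows assert_rule_exists, and assert_rule_not_exists takes the same guard with `!assert_rule(...)`.
```c
/* Path of the *tables-save tool for this family, or "" when configure
 * did not find it. Unknown families are a caller bug, not a skip. */
static const char *save_tool_path(int type)
{
	switch (type) {
	case AF_INET:
		return IPTABLES_SAVE;
	case AF_INET6:
		return IP6TABLES_SAVE;
	default:
		g_assert_not_reached();
		return NULL;
	}
}

static void assert_rule_exists(int type, const char *table_name,
				const char *rule)
{
	if (g_strcmp0(save_tool_path(type), "") == 0) {
		DBG("%s is missing, no assertion possible",
			type == AF_INET6 ? "ip6tables-save" : "iptables-save");
		return;
	}

	g_assert(assert_rule(type, table_name, rule));
}

/* … unchanged: assert_rule_not_exists with the same guard, test_iptables_chain0/1 … */
```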
@@ -125,16 +155,16 @@ static void test_iptables_chain2(void)
{
int err;
- err = __connman_iptables_change_policy("filter", "INPUT", "DROP");
+ err = __connman_iptables_change_policy(AF_INET, "filter", "INPUT",
"DROP");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- err = __connman_iptables_change_policy("filter", "INPUT", "ACCEPT");
+ err = __connman_iptables_change_policy(AF_INET, "filter", "INPUT",
"ACCEPT");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
}
@@ -142,39 +172,39 @@ static void test_iptables_chain3(void)
{
int err;
- err = __connman_iptables_new_chain("filter", "user-chain-0");
+ err = __connman_iptables_new_chain(AF_INET, "filter", "user-chain-0");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- assert_rule_exists("filter", ":user-chain-0 - [0:0]");
+ assert_rule_exists(AF_INET, "filter", ":user-chain-0 - [0:0]");
- err = __connman_iptables_new_chain("filter", "user-chain-1");
+ err = __connman_iptables_new_chain(AF_INET, "filter", "user-chain-1");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- assert_rule_exists("filter", ":user-chain-0 - [0:0]");
- assert_rule_exists("filter", ":user-chain-1 - [0:0]");
+ assert_rule_exists(AF_INET, "filter", ":user-chain-0 - [0:0]");
+ assert_rule_exists(AF_INET, "filter", ":user-chain-1 - [0:0]");
- err = __connman_iptables_delete_chain("filter", "user-chain-1");
+ err = __connman_iptables_delete_chain(AF_INET, "filter",
"user-chain-1");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- assert_rule_exists("filter", ":user-chain-0 - [0:0]");
- assert_rule_not_exists("filter", ":user-chain-1 - [0:0]");
+ assert_rule_exists(AF_INET, "filter", ":user-chain-0 - [0:0]");
+ assert_rule_not_exists(AF_INET, "filter", ":user-chain-1 - [0:0]");
- err = __connman_iptables_delete_chain("filter", "user-chain-0");
+ err = __connman_iptables_delete_chain(AF_INET, "filter",
"user-chain-0");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- assert_rule_not_exists("filter", ":user-chain-0 - [0:0]");
+ assert_rule_not_exists(AF_INET, "filter", ":user-chain-0 - [0:0]");
}
static void test_iptables_rule0(void)
@@ -183,24 +213,24 @@ static void test_iptables_rule0(void)
/* Test simple appending and removing a rule */
- err = __connman_iptables_append("filter", "INPUT",
+ err = __connman_iptables_append(AF_INET, "filter", "INPUT",
"-m mark --mark 1 -j LOG");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- assert_rule_exists("filter",
+ assert_rule_exists(AF_INET, "filter",
"-A INPUT -m mark --mark 0x1 -j LOG");
- err = __connman_iptables_delete("filter", "INPUT",
+ err = __connman_iptables_delete(AF_INET, "filter", "INPUT",
"-m mark --mark 1 -j LOG");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- assert_rule_not_exists("filter",
+ assert_rule_not_exists(AF_INET, "filter",
"-A INPUT -m mark --mark 0x1 -j LOG");
}
@@ -210,22 +240,22 @@ static void test_iptables_rule1(void)
/* Test if we can do NAT stuff */
- err = __connman_iptables_append("nat", "POSTROUTING",
+ err = __connman_iptables_append(AF_INET, "nat", "POSTROUTING",
"-s 10.10.1.0/24 -o eth0 -j MASQUERADE");
- err = __connman_iptables_commit("nat");
+ err = __connman_iptables_commit(AF_INET, "nat");
g_assert(err == 0);
- assert_rule_exists("nat",
+ assert_rule_exists(AF_INET, "nat",
"-A POSTROUTING -s 10.10.1.0/24 -o eth0 -j MASQUERADE");
- err = __connman_iptables_delete("nat", "POSTROUTING",
+ err = __connman_iptables_delete(AF_INET, "nat", "POSTROUTING",
"-s 10.10.1.0/24 -o eth0 -j MASQUERADE");
- err = __connman_iptables_commit("nat");
+ err = __connman_iptables_commit(AF_INET, "nat");
g_assert(err == 0);
- assert_rule_not_exists("nat",
+ assert_rule_not_exists(AF_INET, "nat",
"-A POSTROUTING -s 10.10.1.0/24 -o eth0 -j MASQUERADE");
}
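Review bot: The return value of the `__connman_iptables_append` call at the top of this hunk, and of the `__connman_iptables_delete` call further down, is overwritten by the following commit before it is ever checked, so a failed NAT append is only caught indirectly by `assert_rule_exists`, and not at all on a host where iptables-save is absent and that helper returns early. Adding `g_assert(err == 0);` directly after each of those two calls, as the other test functions in this file already do, closes that gap. test_iptables_rule1 begins before this hunk.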
@@ -235,48 +265,48 @@ static void test_iptables_rule2(void)
/* Test if the right rule is removed */
- err = __connman_iptables_append("filter", "INPUT",
+ err = __connman_iptables_append(AF_INET, "filter", "INPUT",
"-m mark --mark 1 -j LOG");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- assert_rule_exists("filter",
+ assert_rule_exists(AF_INET, "filter",
"-A INPUT -m mark --mark 0x1 -j LOG");
- err = __connman_iptables_append("filter", "INPUT",
+ err = __connman_iptables_append(AF_INET, "filter", "INPUT",
"-m mark --mark 2 -j LOG");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- assert_rule_exists("filter",
+ assert_rule_exists(AF_INET, "filter",
"-A INPUT -m mark --mark 0x1 -j LOG");
- assert_rule_exists("filter",
+ assert_rule_exists(AF_INET, "filter",
"-A INPUT -m mark --mark 0x2 -j LOG");
- err = __connman_iptables_delete("filter", "INPUT",
+ err = __connman_iptables_delete(AF_INET, "filter", "INPUT",
"-m mark --mark 2 -j LOG");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- assert_rule_exists("filter",
+ assert_rule_exists(AF_INET, "filter",
"-A INPUT -m mark --mark 0x1 -j LOG");
- assert_rule_not_exists("filter",
+ assert_rule_not_exists(AF_INET, "filter",
"-A INPUT -m mark --mark 0x2 -j LOG");
- err = __connman_iptables_delete("filter", "INPUT",
+ err = __connman_iptables_delete(AF_INET, "filter", "INPUT",
"-m mark --mark 1 -j LOG");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET, "filter");
g_assert(err == 0);
- assert_rule_not_exists("filter",
+ assert_rule_not_exists(AF_INET, "filter",
"-A INPUT -m mark --mark 0x1 -j LOG");
}
@@ -286,36 +316,306 @@ static void test_iptables_target0(void)
/* Test if 'fallthrough' targets work */
- err = __connman_iptables_append("filter", "INPUT",
+ err = __connman_iptables_append(AF_INET, "filter", "INPUT",
+ "-m mark --mark 1");
+ g_assert(err == 0);
+
+ err = __connman_iptables_append(AF_INET, "filter", "INPUT",
+ "-m mark --mark 2");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET, "filter");
+ g_assert(err == 0);
+
+ assert_rule_exists(AF_INET, "filter", "-A INPUT -m mark --mark 0x1");
+ assert_rule_exists(AF_INET, "filter", "-A INPUT -m mark --mark 0x2");
+
+ err = __connman_iptables_delete(AF_INET, "filter", "INPUT",
+ "-m mark --mark 1");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET, "filter");
+ g_assert(err == 0);
+
+ err = __connman_iptables_delete(AF_INET, "filter", "INPUT",
+ "-m mark --mark 2");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET, "filter");
+ g_assert(err == 0);
+
+ assert_rule_not_exists(AF_INET, "filter",
+ "-A INPUT -m mark --mark 0x1");
+ assert_rule_not_exists(AF_INET, "filter",
+ "-A INPUT -m mark --mark 0x2");
+}
+
+static void test_ip6tables_chain0(void)
+{
+ int err;
+
+ err = __connman_iptables_new_chain(AF_INET6, "filter", "foo");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ assert_rule_exists(AF_INET6, "filter", ":foo - [0:0]");
+
+ err = __connman_iptables_delete_chain(AF_INET6, "filter", "foo");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ assert_rule_not_exists(AF_INET6, "filter", ":foo - [0:0]");
+}
+
+static void test_ip6tables_chain1(void)
+{
+ int err;
+
+ err = __connman_iptables_new_chain(AF_INET6, "filter", "foo");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ err = __connman_iptables_flush_chain(AF_INET6, "filter", "foo");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ err = __connman_iptables_delete_chain(AF_INET6, "filter", "foo");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+}
+
+static void test_ip6tables_chain2(void)
+{
+ int err;
+
+ err = __connman_iptables_change_policy(AF_INET6, "filter", "INPUT",
+ "DROP");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ err = __connman_iptables_change_policy(AF_INET6, "filter", "INPUT",
+ "ACCEPT");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+}
+
+static void test_ip6tables_chain3(void)
+{
+ int err;
+
+ err = __connman_iptables_new_chain(AF_INET6, "filter", "user-chain-0");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ assert_rule_exists(AF_INET6, "filter", ":user-chain-0 - [0:0]");
+
+ err = __connman_iptables_new_chain(AF_INET6, "filter", "user-chain-1");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ assert_rule_exists(AF_INET6, "filter", ":user-chain-0 - [0:0]");
+ assert_rule_exists(AF_INET6, "filter", ":user-chain-1 - [0:0]");
+
+ err = __connman_iptables_delete_chain(AF_INET6, "filter",
+ "user-chain-1");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ assert_rule_exists(AF_INET6, "filter", ":user-chain-0 - [0:0]");
+ assert_rule_not_exists(AF_INET6, "filter", ":user-chain-1 - [0:0]");
+
+ err = __connman_iptables_delete_chain(AF_INET6, "filter",
+ "user-chain-0");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ assert_rule_not_exists(AF_INET6, "filter", ":user-chain-0 - [0:0]");
+}
+
+static void test_ip6tables_rule0(void)
+{
+ int err;
+
+ /* Test simple appending and removing a rule */
+
+ err = __connman_iptables_append(AF_INET6, "filter", "INPUT",
+ "-m mark --mark 1 -j LOG");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ assert_rule_exists(AF_INET6, "filter",
+ "-A INPUT -m mark --mark 0x1 -j LOG");
+
+ err = __connman_iptables_delete(AF_INET6, "filter", "INPUT",
+ "-m mark --mark 1 -j LOG");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ assert_rule_not_exists(AF_INET6, "filter",
+ "-A INPUT -m mark --mark 0x1 -j LOG");
+}
+
+static void test_ip6tables_rule1(void)
+{
+ int err;
+
+ /* Test if the right rule is removed */
+
+ err = __connman_iptables_append(AF_INET6, "filter", "INPUT",
+ "-m mark --mark 1 -j LOG");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ assert_rule_exists(AF_INET6, "filter",
+ "-A INPUT -m mark --mark 0x1 -j LOG");
+
+ err = __connman_iptables_append(AF_INET6, "filter", "INPUT",
+ "-m mark --mark 2 -j LOG");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ assert_rule_exists(AF_INET6, "filter",
+ "-A INPUT -m mark --mark 0x1 -j LOG");
+ assert_rule_exists(AF_INET6, "filter",
+ "-A INPUT -m mark --mark 0x2 -j LOG");
+
+ err = __connman_iptables_delete(AF_INET6, "filter", "INPUT",
+ "-m mark --mark 2 -j LOG");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ assert_rule_exists(AF_INET6, "filter",
+ "-A INPUT -m mark --mark 0x1 -j LOG");
+ assert_rule_not_exists(AF_INET6, "filter",
+ "-A INPUT -m mark --mark 0x2 -j LOG");
+
+ err = __connman_iptables_delete(AF_INET6, "filter", "INPUT",
+ "-m mark --mark 1 -j LOG");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+ g_assert(err == 0);
+
+ assert_rule_not_exists(AF_INET6, "filter",
+ "-A INPUT -m mark --mark 0x1 -j LOG");
+}
+
+static void test_ip6tables_rule2(void)
+{
+ int err;
+
+ err = __connman_iptables_append(AF_INET6, "filter", "INPUT",
+ "-p icmpv6 -m icmpv6 "
+ "--icmpv6-type 128/0 -j DROP");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+
+ g_assert(err == 0);
+
+ assert_rule_exists(AF_INET6, "filter", "-A INPUT -p ipv6-icmp "
+ "-m icmp6 --icmpv6-type 128/0 -j DROP");
+
+ err = __connman_iptables_append(AF_INET6, "filter", "OUTPUT",
+ "-p icmpv6 -m icmpv6 "
+ "--icmpv6-type 129/0 -j DROP");
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+
+ g_assert(err == 0);
+
+ assert_rule_exists(AF_INET6, "filter", "-A OUTPUT -p ipv6-icmp "
+ "-m icmp6 --icmpv6-type 129/0 -j DROP");
+
+ err = __connman_iptables_delete(AF_INET6, "filter", "INPUT",
+ "-p icmpv6 -m icmpv6 "
+ "--icmpv6-type 128/0 -j DROP");
+
+ g_assert(err == 0);
+
+ err = __connman_iptables_delete(AF_INET6, "filter", "OUTPUT",
+ "-p icmpv6 -m icmpv6 "
+ "--icmpv6-type 129/0 -j DROP");
+
+ g_assert(err == 0);
+
+ err = __connman_iptables_commit(AF_INET6, "filter");
+
+ g_assert(err == 0);
+
+}
+
+static void test_ip6tables_target0(void)
+{
+ int err;
+
+ /* Test if 'fallthrough' targets work */
+
+ err = __connman_iptables_append(AF_INET6, "filter", "INPUT",
"-m mark --mark 1");
g_assert(err == 0);
- err = __connman_iptables_append("filter", "INPUT",
+ err = __connman_iptables_append(AF_INET6, "filter", "INPUT",
"-m mark --mark 2");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET6, "filter");
g_assert(err == 0);
- assert_rule_exists("filter", "-A INPUT -m mark --mark 0x1");
- assert_rule_exists("filter", "-A INPUT -m mark --mark 0x2");
+ assert_rule_exists(AF_INET6, "filter", "-A INPUT -m mark --mark 0x1");
+ assert_rule_exists(AF_INET6, "filter", "-A INPUT -m mark --mark 0x2");
- err = __connman_iptables_delete("filter", "INPUT",
+ err = __connman_iptables_delete(AF_INET6, "filter", "INPUT",
"-m mark --mark 1");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET6, "filter");
g_assert(err == 0);
- err = __connman_iptables_delete("filter", "INPUT",
+ err = __connman_iptables_delete(AF_INET6, "filter", "INPUT",
"-m mark --mark 2");
g_assert(err == 0);
- err = __connman_iptables_commit("filter");
+ err = __connman_iptables_commit(AF_INET6, "filter");
g_assert(err == 0);
- assert_rule_not_exists("filter", "-A INPUT -m mark --mark 0x1");
- assert_rule_not_exists("filter", "-A INPUT -m mark --mark 0x2");
+ assert_rule_not_exists(AF_INET6, "filter", "-A INPUT "
+ "-m mark --mark 0x1");
+ assert_rule_not_exists(AF_INET6, "filter", "-A INPUT "
+ "-m mark --mark 0x2");
}
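Review bot: test_ip6tables_rule2 deletes both ICMPv6 DROP rules and commits, but unlike rule0 and rule1 it never verifies that they are gone, so a delete that silently does nothing would still pass. Adding `assert_rule_not_exists(AF_INET6, "filter", "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j DROP");` and the matching OUTPUT line after the final commit makes the cleanup observable. Note also that these tests operate on the host's live ip6tables, and a `g_assert` failure mid-function aborts before the deletes run, leaving the echo-request/reply DROP rules installed; that is how the existing IPv4 tests already behave, but it is worth stating in the function comment of rule2 since that particular leftover blocks ICMPv6 ping on the test host. The "-A INPUT " / "-m mark --mark 0x1" split in the last two assert_rule_not_exists calls of test_ip6tables_target0 is a cosmetic divergence from the single-string form used elsewhere in the file.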
const struct connman_notifier *nat_notifier;
@@ -349,24 +649,24 @@ static void test_nat_basic0(void)
g_assert(err == 0);
/* test that table is empty */
- err = __connman_iptables_append("nat", "POSTROUTING",
+ err = __connman_iptables_append(AF_INET, "nat", "POSTROUTING",
"-s 192.168.2.1/24 -o eth0 -j
MASQUERADE");
g_assert(err == 0);
- err = __connman_iptables_commit("nat");
+ err = __connman_iptables_commit(AF_INET, "nat");
g_assert(err == 0);
- assert_rule_exists("nat",
+ assert_rule_exists(AF_INET, "nat",
"-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE");
- err = __connman_iptables_delete("nat", "POSTROUTING",
+ err = __connman_iptables_delete(AF_INET, "nat", "POSTROUTING",
"-s 192.168.2.1/24 -o eth0 -j
MASQUERADE");
g_assert(err == 0);
- err = __connman_iptables_commit("nat");
+ err = __connman_iptables_commit(AF_INET, "nat");
g_assert(err == 0);
- assert_rule_not_exists("nat",
+ assert_rule_not_exists(AF_INET, "nat",
"-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE");
__connman_nat_disable("bridge");
@@ -386,21 +686,21 @@ static void test_nat_basic1(void)
g_assert(err == 0);
/* test that table is not empty */
- err = __connman_iptables_append("nat", "POSTROUTING",
+ err = __connman_iptables_append(AF_INET, "nat", "POSTROUTING",
"-s 192.168.2.1/24 -o eth0 -j
MASQUERADE");
g_assert(err == 0);
- err = __connman_iptables_commit("nat");
+ err = __connman_iptables_commit(AF_INET, "nat");
g_assert(err == 0);
__connman_nat_disable("bridge");
/* test that table is empty again */
- err = __connman_iptables_delete("nat", "POSTROUTING",
+ err = __connman_iptables_delete(AF_INET, "nat", "POSTROUTING",
"-s 192.168.2.1/24 -o eth0 -j
MASQUERADE");
g_assert(err == 0);
- err = __connman_iptables_commit("nat");
+ err = __connman_iptables_commit(AF_INET, "nat");
g_assert(err == 0);
g_free(service);
@@ -462,6 +762,14 @@ int main(int argc, char *argv[])
g_test_add_func("/iptables/rule1", test_iptables_rule1);
g_test_add_func("/iptables/rule2", test_iptables_rule2);
g_test_add_func("/iptables/target0", test_iptables_target0);
+ g_test_add_func("/ip6tables/chain0", test_ip6tables_chain0);
+ g_test_add_func("/ip6tables/chain1", test_ip6tables_chain1);
+ g_test_add_func("/ip6tables/chain2", test_ip6tables_chain2);
+ g_test_add_func("/ip6tables/chain3", test_ip6tables_chain3);
+ g_test_add_func("/ip6tables/rule0", test_ip6tables_rule0);
+ g_test_add_func("/ip6tables/rule1", test_ip6tables_rule1);
+ g_test_add_func("/ip6tables/rule2", test_ip6tables_rule2);
+ g_test_add_func("/ip6tables/target0", test_ip6tables_target0);
g_test_add_func("/nat/basic0", test_nat_basic0);
g_test_add_func("/nat/basic1", test_nat_basic1);
--
2.19.1
------------------------------