Commit 5e43f72b authored by Jussi Laakkonen's avatar Jussi Laakkonen

test: Add tests and test tool for IPv6 parts of iptables.c.

This commit adds tests for IPv6 enabled iptables. The tests are
identical to the existing iptables tests, except IPv6 "nat" table rules
are not tested as IPv6 NAT is not enabled.

Also a test tool for IPv6 iptables (ip6tables-test) has been added,
which is a clone of iptables-test. iptables-test.c has been modified to
support the changes in iptables.c.

Added ip6tables-save program to configure.ac and use of it in
Makefile.am for the updated iptables-unit test.

[connman] Apply our test changes on top of upstream change. JB#42674

Tests for ICMP rules for both IPv4 and IPv6 are added.

Tests for using firewall are retained in our fork as our firewall.c
differs from the upstream one in many ways.
parent 3a6db779
......@@ -384,7 +384,8 @@ noinst_PROGRAMS += tools/supplicant-test \
tools/iptables-test tools/tap-test tools/wpad-test \
tools/stats-tool tools/private-network-test \
tools/session-test tools/iptables-unit \
tools/dnsproxy-test tools/netlink-test
tools/dnsproxy-test tools/netlink-test \
tools/ip6tables-test
tools_supplicant_test_SOURCES = tools/supplicant-test.c \
tools/supplicant-dbus.h tools/supplicant-dbus.c \
......@@ -423,6 +424,11 @@ tools_iptables_test_SOURCES = $(backtrace_sources) src/log.c src/storage.c \
src/inotify.c src/iptables.c tools/iptables-test.c
tools_iptables_test_LDADD = @GLIB_LIBS@ @XTABLES_LIBS@ @LIBIPTC_LIBS@ @DBUS_LIBS@ -ldl
tools_ip6tables_test_CFLAGS = -DDEFAULT_STORAGE_ROOT=\""$(storageroot)\"" @DBUS_CFLAGS@
tools_ip6tables_test_SOURCES = $(backtrace_sources) src/log.c src/storage.c \
src/inotify.c src/iptables.c tools/ip6tables-test.c
tools_ip6tables_test_LDADD = @GLIB_LIBS@ @XTABLES_LIBS@ @LIBIPTC_LIBS@ @DBUS_LIBS@ -ldl
tools_private_network_test_LDADD = @GLIB_LIBS@ @DBUS_LIBS@
tools_session_test_SOURCES = $(backtrace_sources) src/log.c src/dbus.c src/error.c \
......@@ -433,6 +439,7 @@ tools_session_test_LDADD = gdbus/libgdbus-internal.la \
tools_iptables_unit_CFLAGS = @DBUS_CFLAGS@ @GLIB_CFLAGS@ @XTABLES_CFLAGS@ \
-DIPTABLES_SAVE=\""${IPTABLES_SAVE}"\" \
-DIP6TABLES_SAVE=\""${IP6TABLES_SAVE}"\" \
-DDEFAULT_STORAGE_ROOT=\""$(storageroot)\""
tools_iptables_unit_SOURCES = $(backtrace_sources) src/log.c src/storage.c \
src/inotify.c src/iptables.c src/firewall.c \
......
......@@ -484,11 +484,16 @@ AM_CONDITIONAL(TOOLS, test "${enable_tools}" != "no")
if (test "${enable_tools}" != "no"); then
AC_PATH_PROGS(IPTABLES_SAVE, [iptables-save], [],
$PATH:/sbin:/usr/sbin)
AC_PATH_PROGS(IP6TABLES_SAVE, [ip6tables-save], [],
$PATH:/sbin:/usr/sbin)
IPTABLES_SAVE=$ac_cv_path_IPTABLES_SAVE
IP6TABLES_SAVE=$ac_cv_path_IP6TABLES_SAVE
else
IPTABLES_SAVE=""
IP6TABLES_SAVE=""
fi
AC_SUBST(IPTABLES_SAVE)
AC_SUBST(IP6TABLES_SAVE)
AC_ARG_ENABLE(client, AC_HELP_STRING([--disable-client],
[disable command line client]),
......
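Review bot: `AC_PATH_PROGS(IP6TABLES_SAVE, [ip6tables-save], [], ...)` leaves the variable empty when the program is not found, and nothing in this hunk checks for that, so Makefile.am would compile `-DIP6TABLES_SAVE=""` into tools/iptables-unit. The unit test source is not shown on this page, so how it reacts to an empty path cannot be confirmed here. A build that silently produces IPv6 firewall tests with no save program to compare against is easy to mistake for real coverage. A check after the assignment, e.g. `test -n "${IP6TABLES_SAVE}" || AC_MSG_WARN([ip6tables-save not found, IPv6 iptables tests cannot verify rules])`, would surface it at configure time; the `IPTABLES_SAVE` lookup above it appears to have the same gap.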
/*
* Connection Manager
*
* Copyright (C) 2007-2012 Intel Corporation. All rights reserved.
* Copyright (C) 2013 BMW Car IT GmbH.
* Copyright (C) 2018 Jolla Ltd. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*
*/
#include <getopt.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <glib.h>
#include "../src/connman.h"
enum iptables_command {
IPTABLES_COMMAND_APPEND,
IPTABLES_COMMAND_INSERT,
IPTABLES_COMMAND_DELETE,
IPTABLES_COMMAND_POLICY,
IPTABLES_COMMAND_CHAIN_INSERT,
IPTABLES_COMMAND_CHAIN_DELETE,
IPTABLES_COMMAND_CHAIN_FLUSH,
IPTABLES_COMMAND_DUMP,
IPTABLES_COMMAND_UNKNOWN,
};
int main(int argc, char *argv[])
{
enum iptables_command cmd = IPTABLES_COMMAND_UNKNOWN;
char *table = NULL, *chain = NULL, *rule = NULL, *tmp;
int err, c, i;
opterr = 0;
while ((c = getopt_long(argc, argv,
"-A:I:D:P:N:X:F:Lt:", NULL, NULL)) != -1) {
switch (c) {
case 'A':
chain = optarg;
cmd = IPTABLES_COMMAND_APPEND;
break;
case 'I':
chain = optarg;
cmd = IPTABLES_COMMAND_INSERT;
break;
case 'D':
chain = optarg;
cmd = IPTABLES_COMMAND_DELETE;
break;
case 'P':
chain = optarg;
/* The policy will be stored in rule. */
cmd = IPTABLES_COMMAND_POLICY;
break;
case 'N':
chain = optarg;
cmd = IPTABLES_COMMAND_CHAIN_INSERT;
break;
case 'X':
chain = optarg;
cmd = IPTABLES_COMMAND_CHAIN_DELETE;
break;
case 'F':
chain = optarg;
cmd = IPTABLES_COMMAND_CHAIN_FLUSH;
break;
case 'L':
cmd = IPTABLES_COMMAND_DUMP;
break;
case 't':
table = optarg;
break;
default:
goto out;
}
}
out:
if (!table)
table = "filter";
for (i = optind - 1; i < argc; i++) {
if (rule) {
tmp = rule;
rule = g_strdup_printf("%s %s", rule, argv[i]);
g_free(tmp);
} else
rule = g_strdup(argv[i]);
}
__connman_iptables_init();
switch (cmd) {
case IPTABLES_COMMAND_APPEND:
err = __connman_iptables_append(AF_INET6, table, chain, rule);
break;
case IPTABLES_COMMAND_INSERT:
err = __connman_iptables_insert(AF_INET6, table, chain, rule);
break;
case IPTABLES_COMMAND_DELETE:
err = __connman_iptables_delete(AF_INET6, table, chain, rule);
break;
case IPTABLES_COMMAND_POLICY:
err = __connman_iptables_change_policy(AF_INET6, table, chain,
rule);
break;
case IPTABLES_COMMAND_CHAIN_INSERT:
err = __connman_iptables_new_chain(AF_INET6, table, chain);
break;
case IPTABLES_COMMAND_CHAIN_DELETE:
err = __connman_iptables_delete_chain(AF_INET6, table, chain);
break;
case IPTABLES_COMMAND_CHAIN_FLUSH:
err = __connman_iptables_flush_chain(AF_INET6, table, chain);
break;
case IPTABLES_COMMAND_DUMP:
__connman_log_init(argv[0], "*", false, false,
"ip6tables-test", "1");
err = __connman_iptables_dump(AF_INET6, table);
break;
case IPTABLES_COMMAND_UNKNOWN:
printf("Missing command\n");
printf("usage: ip6tables-test [-t table] {-A|-I|-D} chain rule\n");
printf(" ip6tables-test [-t table] {-N|-X|-F} chain\n");
printf(" ip6tables-test [-t table] -L\n");
printf(" ip6tables-test [-t table] -P chain target\n");
exit(-EINVAL);
}
if (err < 0) {
printf("Error: %s\n", strerror(-err));
exit(err);
}
err = __connman_iptables_commit(AF_INET6, table);
if (err < 0) {
printf("Failed to commit changes: %s\n", strerror(-err));
exit(err);
}
g_free(rule);
__connman_iptables_cleanup();
return 0;
}
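Review bot: The rule string is built from `argv[optind - 1]` onward even when `getopt_long()` consumed every argument (`c == -1`), in which case that slot holds the last option argument rather than a rule token. `ip6tables-test -A INPUT` therefore ends up calling `__connman_iptables_append(AF_INET6, "filter", "INPUT", "INPUT")`, and `-P INPUT` with no target passes the chain name as the policy, instead of printing the usage text; because the tool goes on to `__connman_iptables_commit()`, malformed invocations should be rejected before any table is touched. Guarding the loop with `if (c != -1)` and treating a NULL `rule` as a usage error for `-A`, `-I`, `-D` and `-P` would cover it. Separately, `strerror()` is used with no visible `#include <string.h>` (unless `../src/connman.h` provides it), and the `exit(err)` paths pass a negative errno as the exit status and skip `g_free(rule)` and `__connman_iptables_cleanup()`.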
......@@ -108,30 +108,31 @@ out:
switch (cmd) {
case IPTABLES_COMMAND_APPEND:
err = __connman_iptables_append(table, chain, rule);
err = __connman_iptables_append(AF_INET, table, chain, rule);
break;
case IPTABLES_COMMAND_INSERT:
err = __connman_iptables_insert(table, chain, rule);
err = __connman_iptables_insert(AF_INET, table, chain, rule);
break;
case IPTABLES_COMMAND_DELETE:
err = __connman_iptables_delete(table, chain, rule);
err = __connman_iptables_delete(AF_INET, table, chain, rule);
break;
case IPTABLES_COMMAND_POLICY:
err = __connman_iptables_change_policy(table, chain, rule);
err = __connman_iptables_change_policy(AF_INET, table, chain,
rule);
break;
case IPTABLES_COMMAND_CHAIN_INSERT:
err = __connman_iptables_new_chain(table, chain);
err = __connman_iptables_new_chain(AF_INET, table, chain);
break;
case IPTABLES_COMMAND_CHAIN_DELETE:
err = __connman_iptables_delete_chain(table, chain);
err = __connman_iptables_delete_chain(AF_INET, table, chain);
break;
case IPTABLES_COMMAND_CHAIN_FLUSH:
err = __connman_iptables_flush_chain(table, chain);
err = __connman_iptables_flush_chain(AF_INET, table, chain);
break;
case IPTABLES_COMMAND_DUMP:
__connman_log_init(argv[0], "*", false, false,
"iptables-test", "1");
err = __connman_iptables_dump(table);
err = __connman_iptables_dump(AF_INET, table);
break;
case IPTABLES_COMMAND_UNKNOWN:
printf("Missing command\n");
......@@ -147,7 +148,7 @@ out:
exit(err);
}
err = __connman_iptables_commit(table);
err = __connman_iptables_commit(AF_INET, table);
if (err < 0) {
printf("Failed to commit changes: %s\n", strerror(-err));
exit(err);
......
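Review bot: The switch now hard-codes `AF_INET` at every call, as does the commit call in the following hunk, while the new tools/ip6tables-test.c repeats the same code with `AF_INET6`, so the two tools differ only in that constant and the program name. Keeping a single source and selecting the family at build time would stop fixes to argument handling or error paths from landing in only one of the tools. One way is a macro such as `#ifndef IPTABLES_TEST_FAMILY` / `#define IPTABLES_TEST_FAMILY AF_INET`, with `-DIPTABLES_TEST_FAMILY=AF_INET6` added to `tools_ip6tables_test_CFLAGS`. The enclosing `main()` starts and ends outside these hunks.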
This diff is collapsed.