static void test_nat_basic1(void)
{
struct connman_service *service;
int err;
service = g_try_new0(struct connman_service, 1);
g_assert(service);
nat_notifier->default_changed(service);
err = __connman_nat_enable("bridge", "192.168.2.1", 24);
g_assert(err == 0);
/* test that table is not empty */
err = __connman_iptables_append("nat", "POSTROUTING",
"-s 192.168.2.1/24 -o eth0 -j MASQUERADE");
g_assert(err == 0);
err = __connman_iptables_commit("nat");
g_assert(err == 0);
__connman_nat_disable("bridge");
/* test that table is empty again */
err = __connman_iptables_delete("nat", "POSTROUTING",
"-s 192.168.2.1/24 -o eth0 -j MASQUERADE");
g_assert(err == 0);
err = __connman_iptables_commit("nat");
g_assert(err == 0);
g_free(service);
}
static void test_iptables_rule0(void)
{
int err;
/* Test simple appending and removing a rule */
err = __connman_iptables_append("filter", "INPUT",
"-m mark --mark 1 -j LOG");
g_assert(err == 0);
err = __connman_iptables_commit("filter");
g_assert(err == 0);
assert_rule_exists("filter",
"-A INPUT -m mark --mark 0x1 -j LOG");
err = __connman_iptables_delete("filter", "INPUT",
"-m mark --mark 1 -j LOG");
g_assert(err == 0);
err = __connman_iptables_commit("filter");
g_assert(err == 0);
assert_rule_not_exists("filter",
"-A INPUT -m mark --mark 0x1 -j LOG");
}
static void test_nat_basic0(void)
{
int err;
err = __connman_nat_enable("bridge", "192.168.2.1", 24);
g_assert(err == 0);
/* test that table is empty */
err = __connman_iptables_append("nat", "POSTROUTING",
"-s 192.168.2.1/24 -o eth0 -j MASQUERADE");
g_assert(err == 0);
err = __connman_iptables_commit("nat");
g_assert(err == 0);
assert_rule_exists("nat",
"-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE");
err = __connman_iptables_delete("nat", "POSTROUTING",
"-s 192.168.2.1/24 -o eth0 -j MASQUERADE");
g_assert(err == 0);
err = __connman_iptables_commit("nat");
g_assert(err == 0);
assert_rule_not_exists("nat",
"-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE");
__connman_nat_disable("bridge");
}
static void test_iptables_rule2(void)
{
int err;
/* Test if the right rule is removed */
err = __connman_iptables_append("filter", "INPUT",
"-m mark --mark 1 -j LOG");
g_assert(err == 0);
err = __connman_iptables_commit("filter");
g_assert(err == 0);
assert_rule_exists("filter",
"-A INPUT -m mark --mark 0x1 -j LOG");
err = __connman_iptables_append("filter", "INPUT",
"-m mark --mark 2 -j LOG");
g_assert(err == 0);
err = __connman_iptables_commit("filter");
g_assert(err == 0);
assert_rule_exists("filter",
"-A INPUT -m mark --mark 0x1 -j LOG");
assert_rule_exists("filter",
"-A INPUT -m mark --mark 0x2 -j LOG");
err = __connman_iptables_delete("filter", "INPUT",
"-m mark --mark 2 -j LOG");
g_assert(err == 0);
err = __connman_iptables_commit("filter");
g_assert(err == 0);
assert_rule_exists("filter",
"-A INPUT -m mark --mark 0x1 -j LOG");
assert_rule_not_exists("filter",
"-A INPUT -m mark --mark 0x2 -j LOG");
err = __connman_iptables_delete("filter", "INPUT",
"-m mark --mark 1 -j LOG");
g_assert(err == 0);
err = __connman_iptables_commit("filter");
g_assert(err == 0);
assert_rule_not_exists("filter",
"-A INPUT -m mark --mark 0x1 -j LOG");
}
static int enable_nat(const char *interface)
{
int err;
if (interface == NULL)
return 0;
/* Enable IPv4 forwarding */
err = enable_ip_forward(TRUE);
if (err < 0)
return err;
/* POSTROUTING flush */
err = __connman_iptables_command("-t nat -F POSTROUTING");
if (err < 0)
return err;
/* Enable masquerading */
err = __connman_iptables_command("-t nat -A POSTROUTING "
"-o %s -j MASQUERADE", interface);
if (err < 0)
return err;
return __connman_iptables_commit("nat");
}
static void test_iptables_chain2(void)
{
int err;
err = __connman_iptables_change_policy("filter", "INPUT", "DROP");
g_assert(err == 0);
err = __connman_iptables_commit("filter");
g_assert(err == 0);
err = __connman_iptables_change_policy("filter", "INPUT", "ACCEPT");
g_assert(err == 0);
err = __connman_iptables_commit("filter");
g_assert(err == 0);
}
static int enable_nat(struct connman_nat *nat)
{
int err;
g_free(nat->interface);
nat->interface = g_strdup(default_interface);
if (nat->interface == NULL)
return 0;
/* Enable masquerading */
if(nat->address) {
err = __connman_iptables_command("-t nat -A POSTROUTING "
"-s %s/%d -o %s -j MASQUERADE",
nat->address,
nat->prefixlen,
nat->interface);
if (err < 0)
return err;
}
else {
err = __connman_iptables_command("-t nat -A POSTROUTING "
"-o %s -j MASQUERADE",
nat->interface);
if (err < 0)
return err;
}
return __connman_iptables_commit("nat");
}
static void disable_nat(struct connman_nat *nat)
{
int err;
if (nat->interface == NULL)
return;
/* Disable masquerading */
if(nat->address) {
err = __connman_iptables_command("-t nat -D POSTROUTING "
"-s %s/%d -o %s -j MASQUERADE",
nat->address,
nat->prefixlen,
nat->interface);
if (err < 0)
return;
}
else {
err = __connman_iptables_command("-t nat -D POSTROUTING "
"-o %s -j MASQUERADE",
nat->interface);
if (err < 0)
return;
}
__connman_iptables_commit("nat");
}
static void test_iptables_chain0(void)
{
int err;
err = __connman_iptables_new_chain("filter", "foo");
g_assert(err == 0);
err = __connman_iptables_commit("filter");
g_assert(err == 0);
assert_rule_exists("filter", ":foo - [0:0]");
err = __connman_iptables_delete_chain("filter", "foo");
g_assert(err == 0);
err = __connman_iptables_commit("filter");
g_assert(err == 0);
assert_rule_not_exists("filter", ":foo - [0:0]");
}
static void test_iptables_chain1(void)
{
int err;
err = __connman_iptables_new_chain("filter", "foo");
g_assert(err == 0);
err = __connman_iptables_commit("filter");
g_assert(err == 0);
err = __connman_iptables_flush_chain("filter", "foo");
g_assert(err == 0);
err = __connman_iptables_commit("filter");
g_assert(err == 0);
err = __connman_iptables_delete_chain("filter", "foo");
g_assert(err == 0);
err = __connman_iptables_commit("filter");
g_assert(err == 0);
}
static void flush_nat(void)
{
int err;
err = __connman_iptables_command("-t nat -F POSTROUTING");
if (err < 0) {
DBG("Flushing the nat table failed");
return;
}
__connman_iptables_commit("nat");
}
static void test_iptables_chain3(void)
{
int err;
err = __connman_iptables_new_chain("filter", "user-chain-0");
g_assert(err == 0);
err = __connman_iptables_commit("filter");
g_assert(err == 0);
assert_rule_exists("filter", ":user-chain-0 - [0:0]");
err = __connman_iptables_new_chain("filter", "user-chain-1");
g_assert(err == 0);
err = __connman_iptables_commit("filter");
g_assert(err == 0);
assert_rule_exists("filter", ":user-chain-0 - [0:0]");
assert_rule_exists("filter", ":user-chain-1 - [0:0]");
err = __connman_iptables_delete_chain("filter", "user-chain-1");
g_assert(err == 0);
err = __connman_iptables_commit("filter");
g_assert(err == 0);
assert_rule_exists("filter", ":user-chain-0 - [0:0]");
assert_rule_not_exists("filter", ":user-chain-1 - [0:0]");
err = __connman_iptables_delete_chain("filter", "user-chain-0");
g_assert(err == 0);
err = __connman_iptables_commit("filter");
g_assert(err == 0);
assert_rule_not_exists("filter", ":user-chain-0 - [0:0]");
}
static void disable_nat(const char *interface)
{
int err;
/* Disable IPv4 forwarding */
enable_ip_forward(FALSE);
/* POSTROUTING flush */
err = __connman_iptables_command("-t nat -F POSTROUTING");
if (err < 0)
return;
__connman_iptables_commit("nat");
}
static void test_iptables_target0(void)
{
int err;
/* Test if 'fallthrough' targets work */
err = __connman_iptables_append("filter", "INPUT",
"-m mark --mark 1");
g_assert(err == 0);
err = __connman_iptables_append("filter", "INPUT",
"-m mark --mark 2");
g_assert(err == 0);
err = __connman_iptables_commit("filter");
g_assert(err == 0);
assert_rule_exists("filter", "-A INPUT -m mark --mark 0x1");
assert_rule_exists("filter", "-A INPUT -m mark --mark 0x2");
err = __connman_iptables_delete("filter", "INPUT",
"-m mark --mark 1");
g_assert(err == 0);
err = __connman_iptables_commit("filter");
g_assert(err == 0);
err = __connman_iptables_delete("filter", "INPUT",
"-m mark --mark 2");
g_assert(err == 0);
err = __connman_iptables_commit("filter");
g_assert(err == 0);
assert_rule_not_exists("filter", "-A INPUT -m mark --mark 0x1");
assert_rule_not_exists("filter", "-A INPUT -m mark --mark 0x2");
}
static void test_iptables_rule1(void)
{
int err;
/* Test if we can do NAT stuff */
err = __connman_iptables_append("nat", "POSTROUTING",
"-s 10.10.1.0/24 -o eth0 -j MASQUERADE");
err = __connman_iptables_commit("nat");
g_assert(err == 0);
assert_rule_exists("nat",
"-A POSTROUTING -s 10.10.1.0/24 -o eth0 -j MASQUERADE");
err = __connman_iptables_delete("nat", "POSTROUTING",
"-s 10.10.1.0/24 -o eth0 -j MASQUERADE");
err = __connman_iptables_commit("nat");
g_assert(err == 0);
assert_rule_not_exists("nat",
"-A POSTROUTING -s 10.10.1.0/24 -o eth0 -j MASQUERADE");
}
int main(int argc, char *argv[])
{
enum iptables_command cmd = IPTABLES_COMMAND_UNKNOWN;
char *table = NULL, *chain = NULL, *rule = NULL, *tmp;
int err, c, i;
opterr = 0;
while ((c = getopt_long(argc, argv,
"-A:I:D:P:N:X:F:Lt:", NULL, NULL)) != -1) {
switch (c) {
case 'A':
chain = optarg;
cmd = IPTABLES_COMMAND_APPEND;
break;
case 'I':
chain = optarg;
cmd = IPTABLES_COMMAND_INSERT;
break;
case 'D':
chain = optarg;
cmd = IPTABLES_COMMAND_DELETE;
break;
case 'P':
chain = optarg;
/* The policy will be stored in rule. */
cmd = IPTABLES_COMMAND_POLICY;
break;
case 'N':
chain = optarg;
cmd = IPTABLES_COMMAND_CHAIN_INSERT;
break;
case 'X':
chain = optarg;
cmd = IPTABLES_COMMAND_CHAIN_DELETE;
break;
case 'F':
chain = optarg;
cmd = IPTABLES_COMMAND_CHAIN_FLUSH;
break;
case 'L':
cmd = IPTABLES_COMMAND_DUMP;
break;
case 't':
table = optarg;
break;
default:
goto out;
}
}
out:
if (table == NULL)
table = "filter";
for (i = optind - 1; i < argc; i++) {
if (rule != NULL) {
tmp = rule;
rule = g_strdup_printf("%s %s", rule, argv[i]);
g_free(tmp);
} else
rule = g_strdup(argv[i]);
}
__connman_iptables_init();
switch (cmd) {
case IPTABLES_COMMAND_APPEND:
err = __connman_iptables_append(table, chain, rule);
break;
case IPTABLES_COMMAND_INSERT:
err = __connman_iptables_insert(table, chain, rule);
break;
case IPTABLES_COMMAND_DELETE:
err = __connman_iptables_delete(table, chain, rule);
break;
case IPTABLES_COMMAND_POLICY:
err = __connman_iptables_change_policy(table, chain, rule);
break;
case IPTABLES_COMMAND_CHAIN_INSERT:
err = __connman_iptables_new_chain(table, chain);
break;
case IPTABLES_COMMAND_CHAIN_DELETE:
err = __connman_iptables_delete_chain(table, chain);
break;
case IPTABLES_COMMAND_CHAIN_FLUSH:
err = __connman_iptables_flush_chain(table, chain);
break;
case IPTABLES_COMMAND_DUMP:
__connman_log_init(argv[0], "*", FALSE, FALSE,
"iptables-test", "1");
err = __connman_iptables_dump(table);
break;
case IPTABLES_COMMAND_UNKNOWN:
printf("Missing command\n");
printf("usage: iptables-test [-t table] {-A|-I|-D} chain rule\n");
printf(" iptables-test [-t table] {-N|-X|-F} chain\n");
printf(" iptables-test [-t table] -L\n");
printf(" iptables-test [-t table] -P chain target\n");
exit(-EINVAL);
}
if (err < 0) {
printf("Error: %s\n", strerror(-err));
exit(err);
}
err = __connman_iptables_commit(table);
if (err < 0) {
printf("Failed to commit changes: %s\n", strerror(-err));
exit(err);
}
g_free(rule);
__connman_iptables_cleanup();
return 0;
}
