static void test_nat_basic1(void) { struct connman_service *service; int err; service = g_try_new0(struct connman_service, 1); g_assert(service); nat_notifier->default_changed(service); err = __connman_nat_enable("bridge", "192.168.2.1", 24); g_assert(err == 0); /* test that table is not empty */ err = __connman_iptables_append("nat", "POSTROUTING", "-s 192.168.2.1/24 -o eth0 -j MASQUERADE"); g_assert(err == 0); err = __connman_iptables_commit("nat"); g_assert(err == 0); __connman_nat_disable("bridge"); /* test that table is empty again */ err = __connman_iptables_delete("nat", "POSTROUTING", "-s 192.168.2.1/24 -o eth0 -j MASQUERADE"); g_assert(err == 0); err = __connman_iptables_commit("nat"); g_assert(err == 0); g_free(service); }
static void test_iptables_rule0(void) { int err; /* Test simple appending and removing a rule */ err = __connman_iptables_append("filter", "INPUT", "-m mark --mark 1 -j LOG"); g_assert(err == 0); err = __connman_iptables_commit("filter"); g_assert(err == 0); assert_rule_exists("filter", "-A INPUT -m mark --mark 0x1 -j LOG"); err = __connman_iptables_delete("filter", "INPUT", "-m mark --mark 1 -j LOG"); g_assert(err == 0); err = __connman_iptables_commit("filter"); g_assert(err == 0); assert_rule_not_exists("filter", "-A INPUT -m mark --mark 0x1 -j LOG"); }
static void test_nat_basic0(void) { int err; err = __connman_nat_enable("bridge", "192.168.2.1", 24); g_assert(err == 0); /* test that table is empty */ err = __connman_iptables_append("nat", "POSTROUTING", "-s 192.168.2.1/24 -o eth0 -j MASQUERADE"); g_assert(err == 0); err = __connman_iptables_commit("nat"); g_assert(err == 0); assert_rule_exists("nat", "-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE"); err = __connman_iptables_delete("nat", "POSTROUTING", "-s 192.168.2.1/24 -o eth0 -j MASQUERADE"); g_assert(err == 0); err = __connman_iptables_commit("nat"); g_assert(err == 0); assert_rule_not_exists("nat", "-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE"); __connman_nat_disable("bridge"); }
static void test_iptables_rule2(void) { int err; /* Test if the right rule is removed */ err = __connman_iptables_append("filter", "INPUT", "-m mark --mark 1 -j LOG"); g_assert(err == 0); err = __connman_iptables_commit("filter"); g_assert(err == 0); assert_rule_exists("filter", "-A INPUT -m mark --mark 0x1 -j LOG"); err = __connman_iptables_append("filter", "INPUT", "-m mark --mark 2 -j LOG"); g_assert(err == 0); err = __connman_iptables_commit("filter"); g_assert(err == 0); assert_rule_exists("filter", "-A INPUT -m mark --mark 0x1 -j LOG"); assert_rule_exists("filter", "-A INPUT -m mark --mark 0x2 -j LOG"); err = __connman_iptables_delete("filter", "INPUT", "-m mark --mark 2 -j LOG"); g_assert(err == 0); err = __connman_iptables_commit("filter"); g_assert(err == 0); assert_rule_exists("filter", "-A INPUT -m mark --mark 0x1 -j LOG"); assert_rule_not_exists("filter", "-A INPUT -m mark --mark 0x2 -j LOG"); err = __connman_iptables_delete("filter", "INPUT", "-m mark --mark 1 -j LOG"); g_assert(err == 0); err = __connman_iptables_commit("filter"); g_assert(err == 0); assert_rule_not_exists("filter", "-A INPUT -m mark --mark 0x1 -j LOG"); }
static int enable_nat(const char *interface) { int err; if (interface == NULL) return 0; /* Enable IPv4 forwarding */ err = enable_ip_forward(TRUE); if (err < 0) return err; /* POSTROUTING flush */ err = __connman_iptables_command("-t nat -F POSTROUTING"); if (err < 0) return err; /* Enable masquerading */ err = __connman_iptables_command("-t nat -A POSTROUTING " "-o %s -j MASQUERADE", interface); if (err < 0) return err; return __connman_iptables_commit("nat"); }
static void test_iptables_chain2(void) { int err; err = __connman_iptables_change_policy("filter", "INPUT", "DROP"); g_assert(err == 0); err = __connman_iptables_commit("filter"); g_assert(err == 0); err = __connman_iptables_change_policy("filter", "INPUT", "ACCEPT"); g_assert(err == 0); err = __connman_iptables_commit("filter"); g_assert(err == 0); }
static int enable_nat(struct connman_nat *nat) { int err; g_free(nat->interface); nat->interface = g_strdup(default_interface); if (nat->interface == NULL) return 0; /* Enable masquerading */ if(nat->address) { err = __connman_iptables_command("-t nat -A POSTROUTING " "-s %s/%d -o %s -j MASQUERADE", nat->address, nat->prefixlen, nat->interface); if (err < 0) return err; } else { err = __connman_iptables_command("-t nat -A POSTROUTING " "-o %s -j MASQUERADE", nat->interface); if (err < 0) return err; } return __connman_iptables_commit("nat"); }
static void disable_nat(struct connman_nat *nat) { int err; if (nat->interface == NULL) return; /* Disable masquerading */ if(nat->address) { err = __connman_iptables_command("-t nat -D POSTROUTING " "-s %s/%d -o %s -j MASQUERADE", nat->address, nat->prefixlen, nat->interface); if (err < 0) return; } else { err = __connman_iptables_command("-t nat -D POSTROUTING " "-o %s -j MASQUERADE", nat->interface); if (err < 0) return; } __connman_iptables_commit("nat"); }
static void test_iptables_chain0(void) { int err; err = __connman_iptables_new_chain("filter", "foo"); g_assert(err == 0); err = __connman_iptables_commit("filter"); g_assert(err == 0); assert_rule_exists("filter", ":foo - [0:0]"); err = __connman_iptables_delete_chain("filter", "foo"); g_assert(err == 0); err = __connman_iptables_commit("filter"); g_assert(err == 0); assert_rule_not_exists("filter", ":foo - [0:0]"); }
static void test_iptables_chain1(void) { int err; err = __connman_iptables_new_chain("filter", "foo"); g_assert(err == 0); err = __connman_iptables_commit("filter"); g_assert(err == 0); err = __connman_iptables_flush_chain("filter", "foo"); g_assert(err == 0); err = __connman_iptables_commit("filter"); g_assert(err == 0); err = __connman_iptables_delete_chain("filter", "foo"); g_assert(err == 0); err = __connman_iptables_commit("filter"); g_assert(err == 0); }
static void flush_nat(void) { int err; err = __connman_iptables_command("-t nat -F POSTROUTING"); if (err < 0) { DBG("Flushing the nat table failed"); return; } __connman_iptables_commit("nat"); }
static void test_iptables_chain3(void) { int err; err = __connman_iptables_new_chain("filter", "user-chain-0"); g_assert(err == 0); err = __connman_iptables_commit("filter"); g_assert(err == 0); assert_rule_exists("filter", ":user-chain-0 - [0:0]"); err = __connman_iptables_new_chain("filter", "user-chain-1"); g_assert(err == 0); err = __connman_iptables_commit("filter"); g_assert(err == 0); assert_rule_exists("filter", ":user-chain-0 - [0:0]"); assert_rule_exists("filter", ":user-chain-1 - [0:0]"); err = __connman_iptables_delete_chain("filter", "user-chain-1"); g_assert(err == 0); err = __connman_iptables_commit("filter"); g_assert(err == 0); assert_rule_exists("filter", ":user-chain-0 - [0:0]"); assert_rule_not_exists("filter", ":user-chain-1 - [0:0]"); err = __connman_iptables_delete_chain("filter", "user-chain-0"); g_assert(err == 0); err = __connman_iptables_commit("filter"); g_assert(err == 0); assert_rule_not_exists("filter", ":user-chain-0 - [0:0]"); }
static void disable_nat(const char *interface) { int err; /* Disable IPv4 forwarding */ enable_ip_forward(FALSE); /* POSTROUTING flush */ err = __connman_iptables_command("-t nat -F POSTROUTING"); if (err < 0) return; __connman_iptables_commit("nat"); }
static void test_iptables_target0(void) { int err; /* Test if 'fallthrough' targets work */ err = __connman_iptables_append("filter", "INPUT", "-m mark --mark 1"); g_assert(err == 0); err = __connman_iptables_append("filter", "INPUT", "-m mark --mark 2"); g_assert(err == 0); err = __connman_iptables_commit("filter"); g_assert(err == 0); assert_rule_exists("filter", "-A INPUT -m mark --mark 0x1"); assert_rule_exists("filter", "-A INPUT -m mark --mark 0x2"); err = __connman_iptables_delete("filter", "INPUT", "-m mark --mark 1"); g_assert(err == 0); err = __connman_iptables_commit("filter"); g_assert(err == 0); err = __connman_iptables_delete("filter", "INPUT", "-m mark --mark 2"); g_assert(err == 0); err = __connman_iptables_commit("filter"); g_assert(err == 0); assert_rule_not_exists("filter", "-A INPUT -m mark --mark 0x1"); assert_rule_not_exists("filter", "-A INPUT -m mark --mark 0x2"); }
static void test_iptables_rule1(void) { int err; /* Test if we can do NAT stuff */ err = __connman_iptables_append("nat", "POSTROUTING", "-s 10.10.1.0/24 -o eth0 -j MASQUERADE"); err = __connman_iptables_commit("nat"); g_assert(err == 0); assert_rule_exists("nat", "-A POSTROUTING -s 10.10.1.0/24 -o eth0 -j MASQUERADE"); err = __connman_iptables_delete("nat", "POSTROUTING", "-s 10.10.1.0/24 -o eth0 -j MASQUERADE"); err = __connman_iptables_commit("nat"); g_assert(err == 0); assert_rule_not_exists("nat", "-A POSTROUTING -s 10.10.1.0/24 -o eth0 -j MASQUERADE"); }
int main(int argc, char *argv[]) { enum iptables_command cmd = IPTABLES_COMMAND_UNKNOWN; char *table = NULL, *chain = NULL, *rule = NULL, *tmp; int err, c, i; opterr = 0; while ((c = getopt_long(argc, argv, "-A:I:D:P:N:X:F:Lt:", NULL, NULL)) != -1) { switch (c) { case 'A': chain = optarg; cmd = IPTABLES_COMMAND_APPEND; break; case 'I': chain = optarg; cmd = IPTABLES_COMMAND_INSERT; break; case 'D': chain = optarg; cmd = IPTABLES_COMMAND_DELETE; break; case 'P': chain = optarg; /* The policy will be stored in rule. */ cmd = IPTABLES_COMMAND_POLICY; break; case 'N': chain = optarg; cmd = IPTABLES_COMMAND_CHAIN_INSERT; break; case 'X': chain = optarg; cmd = IPTABLES_COMMAND_CHAIN_DELETE; break; case 'F': chain = optarg; cmd = IPTABLES_COMMAND_CHAIN_FLUSH; break; case 'L': cmd = IPTABLES_COMMAND_DUMP; break; case 't': table = optarg; break; default: goto out; } } out: if (table == NULL) table = "filter"; for (i = optind - 1; i < argc; i++) { if (rule != NULL) { tmp = rule; rule = g_strdup_printf("%s %s", rule, argv[i]); g_free(tmp); } else rule = g_strdup(argv[i]); } __connman_iptables_init(); switch (cmd) { case IPTABLES_COMMAND_APPEND: err = __connman_iptables_append(table, chain, rule); break; case IPTABLES_COMMAND_INSERT: err = __connman_iptables_insert(table, chain, rule); break; case IPTABLES_COMMAND_DELETE: err = __connman_iptables_delete(table, chain, rule); break; case IPTABLES_COMMAND_POLICY: err = __connman_iptables_change_policy(table, chain, rule); break; case IPTABLES_COMMAND_CHAIN_INSERT: err = __connman_iptables_new_chain(table, chain); break; case IPTABLES_COMMAND_CHAIN_DELETE: err = __connman_iptables_delete_chain(table, chain); break; case IPTABLES_COMMAND_CHAIN_FLUSH: err = __connman_iptables_flush_chain(table, chain); break; case IPTABLES_COMMAND_DUMP: __connman_log_init(argv[0], "*", FALSE, FALSE, "iptables-test", "1"); err = __connman_iptables_dump(table); break; case IPTABLES_COMMAND_UNKNOWN: printf("Missing command\n"); printf("usage: iptables-test [-t table] {-A|-I|-D} chain rule\n"); printf(" iptables-test [-t table] {-N|-X|-F} chain\n"); printf(" iptables-test [-t table] -L\n"); printf(" iptables-test [-t table] -P chain target\n"); exit(-EINVAL); } if (err < 0) { printf("Error: %s\n", strerror(-err)); exit(err); } err = __connman_iptables_commit(table); if (err < 0) { printf("Failed to commit changes: %s\n", strerror(-err)); exit(err); } g_free(rule); __connman_iptables_cleanup(); return 0; }