bool test_filtering_and_updating( void )
{
u_int8_t protocol;
struct tuple tuple;
struct sk_buff *skb;
struct in_addr addr4;
struct in6_addr addr6;
bool success = true;
log_debug(" >>> Errores de ICMP no deben afectar las tablas ");
protocol = IPPROTO_ICMP;
success &= init_tuple_for_test_ipv4( &tuple , protocol );
skb = init_skb_for_test( &tuple, protocol );
success &= assert_not_null(skb, "init_skb_for_test");
icmp_hdr(skb)->type = ICMP_DEST_UNREACH; /* Error packet */
/* Process a tuple generated from a incoming IPv6 packet: */
success &= assert_equals_int(NF_ACCEPT, filtering_and_updating( skb, &tuple),
"See if we can forward an IPv4 ICMP packet.");
kfree_skb(skb);
log_debug(" >>> Get rid of hairpinning loop ");
protocol = IPPROTO_UDP;
success &= init_tuple_for_test_ipv6( &tuple , protocol );
skb = init_skb_for_test( &tuple, protocol );
success &= assert_not_null(skb, "init_skb_for_test");
/* Add pref64 */
success &= str_to_addr6_verbose(INIT_TUPLE_IPV6_HAIR_LOOP_SRC_ADDR , &addr6);
tuple.src.addr.ipv6 = addr6;
success &= assert_equals_int(NF_DROP, filtering_and_updating( skb, &tuple),
"See if we can get rid of hairpinning loop in IPv6.");
kfree_skb(skb);
log_debug(" >>> Get rid of unwanted packets ");
success &= init_tuple_for_test_ipv6( &tuple , protocol );
skb = init_skb_for_test( &tuple, protocol );
success &= assert_not_null(skb, "init_skb_for_test");
/* Unwanted packet */
success &= str_to_addr6_verbose(INIT_TUPLE_IPV6_HAIR_LOOP_DST_ADDR , &addr6);
tuple.dst.addr.ipv6 = addr6;
success &= assert_equals_int(NF_DROP, filtering_and_updating( skb, &tuple),
"See if we can get rid of unwanted packets in IPv6.");
kfree_skb(skb);
log_debug(" >>> Get rid of un-expected packets, destined to an address not in pool");
success &= init_tuple_for_test_ipv4( &tuple , protocol );
skb = init_skb_for_test( &tuple, protocol );
success &= assert_not_null(skb, "init_skb_for_test");
/* Packet destined to an address not in pool */
success &= str_to_addr4_verbose(INIT_TUPLE_IPV4_NOT_POOL_DST_ADDR , &addr4);
tuple.dst.addr.ipv4 = addr4;
success &= assert_equals_int(NF_DROP, filtering_and_updating( skb, &tuple),
"See if we can get rid of packet destined to an address not in pool.");
kfree_skb(skb);
log_debug(" >>> IPv4 incoming packet --> reject");
success &= init_tuple_for_test_ipv4( &tuple , protocol );
skb = init_skb_for_test( &tuple, protocol );
success &= assert_not_null(skb, "init_skb_for_test");
success &= assert_equals_int(NF_DROP, filtering_and_updating( skb, &tuple),
"See if we can do reject an incoming IPv4 UDP packet.");
kfree_skb(skb);
log_debug(" >>> IPv6 incoming packet --> accept");
success &= init_tuple_for_test_ipv6( &tuple , protocol );
skb = init_skb_for_test( &tuple, protocol );
success &= assert_not_null(skb, "init_skb_for_test");
success &= assert_equals_int(NF_ACCEPT, filtering_and_updating( skb, &tuple),
"See if we can do filtering and updating on an incoming IPv6 UDP packet.");
kfree_skb(skb);
/* TODO (test) see test_ipv4_udp(). */
/*
log_debug(" >>> IPv4 incoming packet --> accept");
success &= init_tuple_for_test_ipv4( &tuple , protocol );
skb = init_skb_for_test( &tuple, protocol );
success &= assert_not_null(skb, "init_skb_for_test");
success &= assert_equals_int(NF_ACCEPT, filtering_and_updating( skb, &tuple),
"See if we can do filtering and updating on an incoming IPv4 UDP packet.");
kfree_skb(skb);
*/
return success;
}
static bool test_filtering_and_updating(void)
{
struct xlation state;
struct sk_buff *skb;
bool success = true;
xlation_init(&state, &jool);
log_debug("== ICMPv4 errors should succeed but not affect the tables ==");
if (create_skb4_icmp_error("8.7.6.5", "192.0.2.128", 100, 32, &skb))
return false;
if (pkt_init_ipv4(&state, skb))
return false;
if (determine_in_tuple(&state) != VERDICT_CONTINUE)
return false;
success &= ASSERT_VERDICT(CONTINUE, filtering_and_updating(&state), "ICMP error 1");
success &= assert_bib_count(0, L4PROTO_TCP);
success &= assert_bib_count(0, L4PROTO_UDP);
success &= assert_bib_count(0, L4PROTO_ICMP);
success &= assert_session_count(0, L4PROTO_TCP);
success &= assert_session_count(0, L4PROTO_UDP);
success &= assert_session_count(0, L4PROTO_ICMP);
kfree_skb(skb);
if (!success)
return false;
log_debug("== ICMPv6 errors should succeed but not affect the tables ==");
if (create_skb6_icmp_error("1::2", "3::3:4", 100, 32, &skb))
return false;
if (pkt_init_ipv6(&state, skb))
return false;
if (determine_in_tuple(&state) != VERDICT_CONTINUE)
return false;
success &= ASSERT_VERDICT(CONTINUE, filtering_and_updating(&state), "ICMP error 2");
success &= assert_bib_count(0, L4PROTO_TCP);
success &= assert_bib_count(0, L4PROTO_UDP);
success &= assert_bib_count(0, L4PROTO_ICMP);
success &= assert_session_count(0, L4PROTO_TCP);
success &= assert_session_count(0, L4PROTO_UDP);
success &= assert_session_count(0, L4PROTO_ICMP);
kfree_skb(skb);
if (!success)
return false;
log_debug("== Hairpinning loops should be dropped ==");
if (create_skb6_udp("3::1:2", 1212, "3::3:4", 3434, 100, 32, &skb))
return false;
if (pkt_init_ipv6(&state, skb))
return false;
if (determine_in_tuple(&state) != VERDICT_CONTINUE)
return false;
success &= ASSERT_VERDICT(DROP, filtering_and_updating(&state), "Hairpinning");
success &= assert_bib_count(0, L4PROTO_UDP);
success &= assert_session_count(0, L4PROTO_UDP);
kfree_skb(skb);
if (!success)
return false;
log_debug("== Packets not headed to pool6 must not be translated ==");
if (create_skb6_udp("1::2", 1212, "4::1", 3434, 100, 32, &skb))
return false;
if (pkt_init_ipv6(&state, skb))
return false;
if (determine_in_tuple(&state) != VERDICT_CONTINUE)
return false;
success &= ASSERT_VERDICT(UNTRANSLATABLE, filtering_and_updating(&state), "Not pool6 packet");
success &= assert_bib_count(0, L4PROTO_UDP);
success &= assert_session_count(0, L4PROTO_UDP);
kfree_skb(skb);
if (!success)
return false;
log_debug("== Packets not headed to pool4 must not be translated ==");
if (create_skb4_udp("8.7.6.5", 8765, "5.6.7.8", 5678, 100, 32, &skb))
return false;
if (pkt_init_ipv4(&state, skb))
return false;
if (determine_in_tuple(&state) != VERDICT_CONTINUE)
return false;
success &= ASSERT_VERDICT(UNTRANSLATABLE, filtering_and_updating(&state), "Not pool4 packet");
success &= assert_bib_count(0, L4PROTO_UDP);
success &= assert_session_count(0, L4PROTO_UDP);
kfree_skb(skb);
if (!success)
return false;
log_debug("== Other IPv6 packets should survive validations ==");
if (create_skb6_udp("1::2", 1212, "3::3:4", 3434, 100, 32, &skb))
return false;
if (pkt_init_ipv6(&state, skb))
return false;
if (determine_in_tuple(&state) != VERDICT_CONTINUE)
return false;
success &= ASSERT_VERDICT(CONTINUE, filtering_and_updating(&state), "IPv6 success");
success &= assert_bib_count(1, L4PROTO_UDP);
success &= assert_session_count(1, L4PROTO_UDP);
kfree_skb(skb);
if (!success)
return false;
log_debug("== Other IPv4 packets should survive validations ==");
if (!invert_packet(&state, &skb))
return false;
success &= ASSERT_VERDICT(CONTINUE, filtering_and_updating(&state), "IPv4 success");
success &= assert_bib_count(1, L4PROTO_UDP);
success &= assert_session_count(1, L4PROTO_UDP);
kfree_skb(skb);
return success;
}
