コード例 #1
ファイル: iptables-unit.c プロジェクト: HoraceWeebler/connman
static void test_iptables_rule2(void)
{
	/*
	 * Two rules that differ only in their mark value are appended and
	 * then removed one at a time.  Each delete must take out exactly
	 * the rule it names and leave the other one in place.
	 */
	const char *mark1_spec = "-m mark --mark 1 -j LOG";
	const char *mark2_spec = "-m mark --mark 2 -j LOG";
	/* The listed form of a rule shows the mark value in hex. */
	const char *mark1_listed = "-A INPUT -m mark --mark 0x1 -j LOG";
	const char *mark2_listed = "-A INPUT -m mark --mark 0x2 -j LOG";
	int ret;

	ret = __connman_iptables_append("filter", "INPUT", mark1_spec);
	g_assert(ret == 0);
	ret = __connman_iptables_commit("filter");
	g_assert(ret == 0);
	assert_rule_exists("filter", mark1_listed);

	ret = __connman_iptables_append("filter", "INPUT", mark2_spec);
	g_assert(ret == 0);
	ret = __connman_iptables_commit("filter");
	g_assert(ret == 0);
	assert_rule_exists("filter", mark1_listed);
	assert_rule_exists("filter", mark2_listed);

	/* Drop the second rule; the first one must survive. */
	ret = __connman_iptables_delete("filter", "INPUT", mark2_spec);
	g_assert(ret == 0);
	ret = __connman_iptables_commit("filter");
	g_assert(ret == 0);
	assert_rule_exists("filter", mark1_listed);
	assert_rule_not_exists("filter", mark2_listed);

	/* Drop the first rule as well (the second was verified gone above). */
	ret = __connman_iptables_delete("filter", "INPUT", mark1_spec);
	g_assert(ret == 0);
	ret = __connman_iptables_commit("filter");
	g_assert(ret == 0);
	assert_rule_not_exists("filter", mark1_listed);
}
コード例 #2
ファイル: iptables-unit.c プロジェクト: HoraceWeebler/connman
static void test_nat_basic1(void)
{
	/*
	 * Append/delete round trip in the nat table with a (zero-filled)
	 * service announced as the default one before NAT is enabled on
	 * "bridge".  Only return codes are checked here; the listed rules
	 * are not inspected, unlike in test_nat_basic0.
	 */
	const char *masq_spec = "-s 192.168.2.1/24 -o eth0 -j MASQUERADE";
	struct connman_service *svc;
	int ret;

	svc = g_try_new0(struct connman_service, 1);
	g_assert(svc);

	nat_notifier->default_changed(svc);

	ret = __connman_nat_enable("bridge", "192.168.2.1", 24);
	g_assert(ret == 0);

	/* table is expected to have content now: append + commit must work */
	ret = __connman_iptables_append("nat", "POSTROUTING", masq_spec);
	g_assert(ret == 0);
	ret = __connman_iptables_commit("nat");
	g_assert(ret == 0);

	__connman_nat_disable("bridge");

	/* and back to empty: delete + commit must work as well */
	ret = __connman_iptables_delete("nat", "POSTROUTING", masq_spec);
	g_assert(ret == 0);
	ret = __connman_iptables_commit("nat");
	g_assert(ret == 0);

	g_free(svc);
}
コード例 #3
ファイル: iptables-unit.c プロジェクト: HoraceWeebler/connman
static void test_nat_basic0(void)
{
	/*
	 * Enable NAT on "bridge" for 192.168.2.1/24, then append and remove
	 * a MASQUERADE rule in the nat table while it is enabled, checking
	 * the listing after each commit.  The source is handed in as a host
	 * address but expected back as the network address (192.168.2.0/24).
	 */
	const char *masq_spec = "-s 192.168.2.1/24 -o eth0 -j MASQUERADE";
	const char *masq_listed =
		"-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE";
	int ret;

	ret = __connman_nat_enable("bridge", "192.168.2.1", 24);
	g_assert(ret == 0);

	/* table is expected to be empty at this point */
	ret = __connman_iptables_append("nat", "POSTROUTING", masq_spec);
	g_assert(ret == 0);
	ret = __connman_iptables_commit("nat");
	g_assert(ret == 0);
	assert_rule_exists("nat", masq_listed);

	ret = __connman_iptables_delete("nat", "POSTROUTING", masq_spec);
	g_assert(ret == 0);
	ret = __connman_iptables_commit("nat");
	g_assert(ret == 0);
	assert_rule_not_exists("nat", masq_listed);

	__connman_nat_disable("bridge");
}
コード例 #4
ファイル: iptables-unit.c プロジェクト: HoraceWeebler/connman
static void test_iptables_rule0(void)
{
	/* Smallest round trip: one rule appended, listed, deleted, gone. */
	const char *spec = "-m mark --mark 1 -j LOG";
	/* The listed form shows the mark value in hex. */
	const char *listed = "-A INPUT -m mark --mark 0x1 -j LOG";
	int ret;

	ret = __connman_iptables_append("filter", "INPUT", spec);
	g_assert(ret == 0);
	ret = __connman_iptables_commit("filter");
	g_assert(ret == 0);
	assert_rule_exists("filter", listed);

	ret = __connman_iptables_delete("filter", "INPUT", spec);
	g_assert(ret == 0);
	ret = __connman_iptables_commit("filter");
	g_assert(ret == 0);
	assert_rule_not_exists("filter", listed);
}
コード例 #5
ファイル: iptables-unit.c プロジェクト: HoraceWeebler/connman
static void test_iptables_target0(void)
{
	/*
	 * Rules with no "-j" target: a matching packet just falls through
	 * to the next rule.  Such rules must be appendable, listable and
	 * deletable like any other.
	 */
	static const char *const specs[] = {
		"-m mark --mark 1",
		"-m mark --mark 2",
	};
	static const char *const listed[] = {
		"-A INPUT -m mark --mark 0x1",
		"-A INPUT -m mark --mark 0x2",
	};
	const size_t count = sizeof(specs) / sizeof(specs[0]);
	size_t i;
	int ret;

	/* Both appends go into a single commit. */
	for (i = 0; i < count; i++) {
		ret = __connman_iptables_append("filter", "INPUT", specs[i]);
		g_assert(ret == 0);
	}
	ret = __connman_iptables_commit("filter");
	g_assert(ret == 0);

	for (i = 0; i < count; i++)
		assert_rule_exists("filter", listed[i]);

	/* Each delete is committed on its own. */
	for (i = 0; i < count; i++) {
		ret = __connman_iptables_delete("filter", "INPUT", specs[i]);
		g_assert(ret == 0);
		ret = __connman_iptables_commit("filter");
		g_assert(ret == 0);
	}

	for (i = 0; i < count; i++)
		assert_rule_not_exists("filter", listed[i]);
}
コード例 #6
ファイル: firewall.c プロジェクト: Drakey83/steamlink-sdk
/*
 * Remove the connman-managed chain that shadows builtin chain 'id' in
 * 'table_name'.  The "-j <managed chain>" rule is deleted from the builtin
 * chain first and the managed chain itself only afterwards, so the chain is
 * no longer referenced when it is removed (iptables refuses to delete a
 * chain that is still jumped to).
 *
 * 'id' is used as an index into builtin_chains without a range check here;
 * callers are expected to pass a valid index.
 *
 * Returns 0 on success or the negative error of whichever step failed; if
 * the jump rule cannot be deleted the chain itself is left untouched.
 */
static int delete_managed_chain(const char *table_name, int id)
{
	char *managed_chain = g_strdup_printf("%s%s", CHAIN_PREFIX,
					      builtin_chains[id]);
	char *jump_rule = g_strdup_printf("-j %s", managed_chain);
	int err;

	err = __connman_iptables_delete(table_name, builtin_chains[id],
					jump_rule);
	g_free(jump_rule);

	if (err >= 0)
		err = __connman_iptables_delete_chain(table_name,
						      managed_chain);

	g_free(managed_chain);

	return err;
}
コード例 #7
ファイル: iptables-unit.c プロジェクト: HoraceWeebler/connman
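static void test_iptables_rule1(void)
{
	/*
	 * NAT round trip: a MASQUERADE rule is appended to POSTROUTING and
	 * deleted again, with the listing checked after each commit.  The
	 * return codes of the append and delete themselves are asserted as
	 * well as those of the commits, matching the filter-table tests, so
	 * a failing call is reported where it happens instead of showing up
	 * later as a listing mismatch.
	 */
	const char *spec = "-s 10.10.1.0/24 -o eth0 -j MASQUERADE";
	const char *listed =
		"-A POSTROUTING -s 10.10.1.0/24 -o eth0 -j MASQUERADE";
	int err;

	err = __connman_iptables_append("nat", "POSTROUTING", spec);
	g_assert(err == 0);

	err = __connman_iptables_commit("nat");
	g_assert(err == 0);

	assert_rule_exists("nat", listed);

	err = __connman_iptables_delete("nat", "POSTROUTING", spec);
	g_assert(err == 0);

	err = __connman_iptables_commit("nat");
	g_assert(err == 0);

	assert_rule_not_exists("nat", listed);
}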
コード例 #8
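/*
 * Print the diagnostic 'why' followed by the command synopsis and exit.
 * Usage errors go to stdout, as this tool has always done, and the process
 * exits with -EINVAL (note that exit() keeps only the low 8 bits of it).
 */
static void usage_error(const char *why)
{
	printf("%s\n", why);
	printf("usage: iptables-test [-t table] {-A|-I|-D} chain rule\n");
	printf("       iptables-test [-t table] {-N|-X|-F} chain\n");
	printf("       iptables-test [-t table] -L\n");
	printf("       iptables-test [-t table] -P chain target\n");
	exit(-EINVAL);
}

/*
 * iptables-test: thin command-line front end over connman's iptables
 * wrapper.  One command per invocation; the change is committed before
 * the program returns.
 *
 *   -t table          table to operate on ("filter" when omitted)
 *   -A/-I/-D chain    append / insert / delete the rule formed by the
 *                     remaining arguments
 *   -P chain target   set the chain policy (the target travels in 'rule')
 *   -N/-X/-F chain    create / delete / flush a chain
 *   -L                dump the table
 *
 * Returns 0 on success.  On failure the negative errno from the wrapper is
 * passed to exit(), which truncates it to 8 bits.
 */
int main(int argc, char *argv[])
{
	enum iptables_command cmd = IPTABLES_COMMAND_UNKNOWN;
	char *table = NULL, *chain = NULL, *rule = NULL, *tmp;
	int rule_start = -1;	/* argv index where the rule text starts */
	int err = 0, c, i;

	opterr = 0;

	/*
	 * The option string starts with '-', so getopt_long() returns plain
	 * words as option 1 and anything it does not recognise ("-m", "-j",
	 * "--mark", ...) as '?'.  Both land in 'default' and mark where the
	 * iptables rule specification begins.
	 */
	while ((c = getopt_long(argc, argv,
				"-A:I:D:P:N:X:F:Lt:", NULL, NULL)) != -1) {
		switch (c) {
		case 'A':
			chain = optarg;
			cmd = IPTABLES_COMMAND_APPEND;
			break;
		case 'I':
			chain = optarg;
			cmd = IPTABLES_COMMAND_INSERT;
			break;
		case 'D':
			chain = optarg;
			cmd = IPTABLES_COMMAND_DELETE;
			break;
		case 'P':
			chain = optarg;
			/* The policy target will be stored in rule. */
			cmd = IPTABLES_COMMAND_POLICY;
			break;
		case 'N':
			chain = optarg;
			cmd = IPTABLES_COMMAND_CHAIN_INSERT;
			break;
		case 'X':
			chain = optarg;
			cmd = IPTABLES_COMMAND_CHAIN_DELETE;
			break;
		case 'F':
			chain = optarg;
			cmd = IPTABLES_COMMAND_CHAIN_FLUSH;
			break;
		case 'L':
			cmd = IPTABLES_COMMAND_DUMP;
			break;
		case 't':
			table = optarg;
			break;
		default:
			/*
			 * getopt has already stepped past the token that
			 * stopped it, so it sits at optind - 1; everything
			 * from there to the end of argv is the rule.
			 */
			rule_start = optind - 1;
			goto out;
		}
	}

out:
	if (table == NULL)
		table = "filter";

	/*
	 * Only assemble a rule when parsing stopped at a rule token.  When
	 * the loop ended because argv ran out, optind == argc, and starting
	 * at optind - 1 would sweep the last option (or its argument, e.g.
	 * the chain name of a bare "-A INPUT") into the rule text.
	 */
	if (rule_start >= 0) {
		for (i = rule_start; i < argc; i++) {
			if (rule != NULL) {
				tmp = rule;
				rule = g_strdup_printf("%s %s", rule, argv[i]);
				g_free(tmp);
			} else
				rule = g_strdup(argv[i]);
		}
	}

	/* Reject incomplete command lines before touching iptables. */
	if (cmd == IPTABLES_COMMAND_UNKNOWN)
		usage_error("Missing command");
	if (rule == NULL && (cmd == IPTABLES_COMMAND_APPEND ||
				cmd == IPTABLES_COMMAND_INSERT ||
				cmd == IPTABLES_COMMAND_DELETE))
		usage_error("Missing rule");
	if (rule == NULL && cmd == IPTABLES_COMMAND_POLICY)
		usage_error("Missing policy target");

	__connman_iptables_init();

	switch (cmd) {
	case IPTABLES_COMMAND_APPEND:
		err = __connman_iptables_append(table, chain, rule);
		break;
	case IPTABLES_COMMAND_INSERT:
		err = __connman_iptables_insert(table, chain, rule);
		break;
	case IPTABLES_COMMAND_DELETE:
		err = __connman_iptables_delete(table, chain, rule);
		break;
	case IPTABLES_COMMAND_POLICY:
		err = __connman_iptables_change_policy(table, chain, rule);
		break;
	case IPTABLES_COMMAND_CHAIN_INSERT:
		err = __connman_iptables_new_chain(table, chain);
		break;
	case IPTABLES_COMMAND_CHAIN_DELETE:
		err = __connman_iptables_delete_chain(table, chain);
		break;
	case IPTABLES_COMMAND_CHAIN_FLUSH:
		err = __connman_iptables_flush_chain(table, chain);
		break;
	case IPTABLES_COMMAND_DUMP:
		__connman_log_init(argv[0], "*", FALSE, FALSE,
			"iptables-test", "1");
		err = __connman_iptables_dump(table);
		break;
	case IPTABLES_COMMAND_UNKNOWN:
	default:
		/* Already rejected above; keeps 'err' defined if the enum grows. */
		err = -EINVAL;
		break;
	}

	if (err < 0) {
		printf("Error: %s\n", strerror(-err));
		exit(err);
	}

	err = __connman_iptables_commit(table);
	if (err < 0) {
		printf("Failed to commit changes: %s\n", strerror(-err));
		exit(err);
	}

	g_free(rule);

	__connman_iptables_cleanup();

	return 0;
}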