From: Daniel Wagner <daniel.wag...@bmw-carit.de> Instead just relying on the error code return by ConnMan's iptables API we use iptables-save to check if the rules either are installed or removed. --- Makefile.am | 2 + configure.ac | 6 +++ tools/iptables-unit.c | 112 +++++++++++++++++++++++++++++++++++++++++++++++++- 3 files changed, 119 insertions(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am index 5d5f63a..d54c693 100644 --- a/Makefile.am +++ b/Makefile.am @@ -309,6 +309,8 @@ tools_session_test_SOURCES = $(gdbus_sources) src/log.c src/dbus.c \ tools/session-api.c tools/session-test.h tools_session_test_LDADD = @GLIB_LIBS@ @DBUS_LIBS@ -ldl +tools_iptables_unit_CFLAGS = @DBUS_CFLAGS@ @GLIB_CFLAGS@ @XTABLES_CFLAGS@ \ + -DIPTABLES_SAVE=\""${IPTABLES_SAVE}"\" tools_iptables_unit_SOURCES = $(gdbus_sources) src/log.c \ src/iptables.c src/nat.c tools/iptables-unit.c tools_iptables_unit_LDADD = @GLIB_LIBS@ @DBUS_LIBS@ @XTABLES_LIBS@ -ldl diff --git a/configure.ac b/configure.ac index 2be097d..078210f 100644 --- a/configure.ac +++ b/configure.ac @@ -340,6 +340,12 @@ AC_ARG_ENABLE(tools, AC_HELP_STRING([--disable-tools], [enable_tools=${enableval}]) AM_CONDITIONAL(TOOLS, test "${enable_tools}" != "no") +if (test "${enable_tools}" != "no"); then + AC_PATH_PROGS(IPTABLES_SAVE, [iptables-save], [], + $PATH:/sbin:/usr/sbin) + AC_SUBST(IPTABLES_SAVE, $ac_cv_path_IPTABLES_SAVE) +fi + AC_ARG_ENABLE(client, AC_HELP_STRING([--disable-client], [disable command line client]), [enable_client=${enableval}]) diff --git a/tools/iptables-unit.c b/tools/iptables-unit.c index 49b05e0..14f58ad 100644 --- a/tools/iptables-unit.c +++ b/tools/iptables-unit.c @@ -27,6 +27,56 @@ #include "../src/connman.h" +#ifdef IPTABLES_SAVE + +static connman_bool_t assert_rule(const char *table_name, const char *rule) +{ + char *cmd, *output, **lines; + GError **error = NULL; + int i; + + cmd = g_strdup_printf(IPTABLES_SAVE " -t %s", table_name); + g_spawn_command_line_sync(cmd, &output, NULL, NULL, error); + g_free(cmd); + + lines = g_strsplit(output, "\n", 0); + g_free(output); + + for (i = 0; lines[i] != NULL; i++) { + DBG("lines[%02d]: %s\n", i, lines[i]); + if (g_strcmp0(lines[i], rule) == 0) + break; + } + g_strfreev(lines); + + if (lines[i] == NULL) + return FALSE; + + return TRUE; +} + +static void assert_rule_exists(const char *table_name, const char *rule) +{ + g_assert(assert_rule(table_name, rule)); +} + +static void assert_rule_not_exists(const char *table_name, const char *rule) +{ + g_assert(!assert_rule(table_name, rule)); +} + +#else + +static void assert_rule_exists(const char *table_name, const char *rule) +{ +} + +static void assert_rule_not_exists(const char *table_name, const char *rule) +{ +} + +#endif + static void test_iptables_chain0(void) { int err; @@ -37,11 +87,15 @@ static void test_iptables_chain0(void) err = __connman_iptables_commit("filter"); g_assert(err == 0); + assert_rule_exists("filter", ":foo - [0:0]"); + err = __connman_iptables_delete_chain("filter", "foo"); g_assert(err == 0); err = __connman_iptables_commit("filter"); g_assert(err == 0); + + assert_rule_not_exists("filter", ":foo - [0:0]"); } static void test_iptables_chain1(void) @@ -94,23 +148,33 @@ static void test_iptables_chain3(void) err = __connman_iptables_commit("filter"); g_assert(err == 0); + assert_rule_exists("filter", ":user-chain-0 - [0:0]"); + err = __connman_iptables_new_chain("filter", "user-chain-1"); g_assert(err == 0); err = __connman_iptables_commit("filter"); g_assert(err == 0); + assert_rule_exists("filter", ":user-chain-0 - [0:0]"); + assert_rule_exists("filter", ":user-chain-1 - [0:0]"); + err = __connman_iptables_delete_chain("filter", "user-chain-1"); g_assert(err == 0); err = __connman_iptables_commit("filter"); g_assert(err == 0); + assert_rule_exists("filter", ":user-chain-0 - [0:0]"); + assert_rule_not_exists("filter", ":user-chain-1 - [0:0]"); + err = __connman_iptables_delete_chain("filter", "user-chain-0"); g_assert(err == 0); err = __connman_iptables_commit("filter"); g_assert(err == 0); + + assert_rule_not_exists("filter", ":user-chain-0 - [0:0]"); } static void test_iptables_rule0(void) @@ -126,14 +190,19 @@ static void test_iptables_rule0(void) err = __connman_iptables_commit("filter"); g_assert(err == 0); + assert_rule_exists("filter", + "-A INPUT -m mark --mark 0x1 -j LOG"); + err = __connman_iptables_delete("filter", "INPUT", "-m mark --mark 1 -j LOG"); g_assert(err == 0); err = __connman_iptables_commit("filter"); g_assert(err == 0); -} + assert_rule_not_exists("filter", + "-A INPUT -m mark --mark 0x1 -j LOG"); +} static void test_iptables_rule1(void) { @@ -147,11 +216,17 @@ static void test_iptables_rule1(void) err = __connman_iptables_commit("nat"); g_assert(err == 0); + assert_rule_exists("nat", + "-A POSTROUTING -s 10.10.1.0/24 -o eth0 -j MASQUERADE"); + err = __connman_iptables_delete("nat", "POSTROUTING", "-s 10.10.1.0/24 -o eth0 -j MASQUERADE"); err = __connman_iptables_commit("nat"); g_assert(err == 0); + + assert_rule_not_exists("nat", + "-A POSTROUTING -s 10.10.1.0/24 -o eth0 -j MASQUERADE"); } static void test_iptables_rule2(void) @@ -167,6 +242,9 @@ static void test_iptables_rule2(void) err = __connman_iptables_commit("filter"); g_assert(err == 0); + assert_rule_exists("filter", + "-A INPUT -m mark --mark 0x1 -j LOG"); + err = __connman_iptables_append("filter", "INPUT", "-m mark --mark 2 -j LOG"); g_assert(err == 0); @@ -174,6 +252,11 @@ static void test_iptables_rule2(void) err = __connman_iptables_commit("filter"); g_assert(err == 0); + assert_rule_exists("filter", + "-A INPUT -m mark --mark 0x1 -j LOG"); + assert_rule_exists("filter", + "-A INPUT -m mark --mark 0x2 -j LOG"); + err = __connman_iptables_delete("filter", "INPUT", "-m mark --mark 2 -j LOG"); g_assert(err == 0); @@ -181,12 +264,20 @@ static void test_iptables_rule2(void) err = __connman_iptables_commit("filter"); g_assert(err == 0); + assert_rule_exists("filter", + "-A INPUT -m mark --mark 0x1 -j LOG"); + assert_rule_not_exists("filter", + "-A INPUT -m mark --mark 0x2 -j LOG"); + err = __connman_iptables_delete("filter", "INPUT", "-m mark --mark 1 -j LOG"); g_assert(err == 0); err = __connman_iptables_commit("filter"); g_assert(err == 0); + + assert_rule_not_exists("filter", + "-A INPUT -m mark --mark 0x1 -j LOG"); } static void test_iptables_target0(void) @@ -206,6 +297,9 @@ static void test_iptables_target0(void) err = __connman_iptables_commit("filter"); g_assert(err == 0); + assert_rule_exists("filter", "-A INPUT -m mark --mark 0x1"); + assert_rule_exists("filter", "-A INPUT -m mark --mark 0x2"); + err = __connman_iptables_delete("filter", "INPUT", "-m mark --mark 1"); g_assert(err == 0); @@ -219,6 +313,9 @@ static void test_iptables_target0(void) err = __connman_iptables_commit("filter"); g_assert(err == 0); + + assert_rule_not_exists("filter", "-A INPUT -m mark --mark 0x1"); + assert_rule_not_exists("filter", "-A INPUT -m mark --mark 0x2"); } struct connman_notifier *nat_notifier; @@ -259,6 +356,19 @@ static void test_nat_basic0(void) err = __connman_iptables_commit("nat"); g_assert(err == 0); + assert_rule_exists("nat", + "-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE"); + + err = __connman_iptables_delete("nat", "POSTROUTING", + "-s 192.168.2.1/24 -o eth0 -j MASQUERADE"); + g_assert(err == 0); + + err = __connman_iptables_commit("nat"); + g_assert(err == 0); + + assert_rule_not_exists("nat", + "-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE"); + __connman_nat_disable("bridge"); } -- 1.8.1.3.566.gaa39828 _______________________________________________ connman mailing list connman@connman.net http://lists.connman.net/listinfo/connman