Use iptables-restore in StrictController startup.
Bug: 21725996
Change-Id: I2c049a934189f3c87ee15f052abc07d35814f0c9
diff --git a/server/StrictControllerTest.cpp b/server/StrictControllerTest.cpp
index 038c971..b0489bb 100644
--- a/server/StrictControllerTest.cpp
+++ b/server/StrictControllerTest.cpp
@@ -30,6 +30,7 @@
public:
StrictControllerTest() {
StrictController::execIptables = fakeExecIptables;
+ StrictController::execIptablesRestore = fakeExecIptablesRestore;
}
StrictController mStrictCtrl;
};
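Review bot: The added `StrictController::execIptablesRestore = fakeExecIptablesRestore;` line, like the existing `execIptables` override above it, replaces a static function pointer for the whole process, and nothing in this hunk puts the original back; unless a destructor outside the hunk restores it, every test that runs later in the same binary keeps calling the fakes. Saving the originals in the constructor and restoring them in a fixture destructor keeps the override scoped to this test, e.g. `~StrictControllerTest() { StrictController::execIptablesRestore = mOrigRestore; }` with `mOrigRestore` captured before the assignment. The fixture class begins before this hunk, so a destructor there would already cover this.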
@@ -37,67 +38,87 @@
TEST_F(StrictControllerTest, TestEnableStrict) {
mStrictCtrl.enableStrict();
- std::vector<std::pair<IptablesTarget, std::string>> expected = {
- { V4V6, "-F st_OUTPUT" },
- { V4V6, "-F st_penalty_log" },
- { V4V6, "-F st_penalty_reject" },
- { V4V6, "-F st_clear_caught" },
- { V4V6, "-F st_clear_detect" },
- { V4V6, "-X st_penalty_log" },
- { V4V6, "-X st_penalty_reject" },
- { V4V6, "-X st_clear_caught" },
- { V4V6, "-X st_clear_detect" },
- { V4V6, "-N st_penalty_log" },
- { V4V6, "-A st_penalty_log -j CONNMARK --or-mark 0x1000000" },
- { V4V6, "-A st_penalty_log -j NFLOG --nflog-group 0" },
- { V4V6, "-N st_penalty_reject" },
- { V4V6, "-A st_penalty_reject -j CONNMARK --or-mark 0x2000000" },
- { V4V6, "-A st_penalty_reject -j NFLOG --nflog-group 0" },
- { V4V6, "-A st_penalty_reject -j REJECT" },
- { V4V6, "-N st_clear_detect" },
- { V4V6, "-N st_clear_caught" },
- { V4V6, "-A st_clear_detect -m connmark --mark 0x2000000/0x2000000 -j REJECT" },
- { V4V6, "-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN" },
- { V4, "-A st_clear_detect -p tcp -m u32 --u32 "
- "0>>22&0x3C@ 12>>26&0x3C@ 0&0xFFFF0000=0x16030000 &&"
- "0>>22&0x3C@ 12>>26&0x3C@ 4&0x00FF0000=0x00010000 "
- "-j CONNMARK --or-mark 0x1000000" },
- { V4, "-A st_clear_detect -p udp -m u32 --u32 "
- "0>>22&0x3C@ 8&0xFFFF0000=0x16FE0000 &&"
- "0>>22&0x3C@ 20&0x00FF0000=0x00010000"
- " -j CONNMARK --or-mark 0x1000000" },
- { V6, "-A st_clear_detect -p tcp -m u32 --u32 "
- "52>>26&0x3C@ 40&0xFFFF0000=0x16030000 &&"
- "52>>26&0x3C@ 44&0x00FF0000=0x00010000"
- " -j CONNMARK --or-mark 0x1000000" },
- { V6, "-A st_clear_detect -p udp -m u32 --u32 "
- "48&0xFFFF0000=0x16FE0000 &&60&0x00FF0000=0x00010000"
- " -j CONNMARK --or-mark 0x1000000" },
- { V4V6, "-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN" },
- { V4, "-A st_clear_detect -p tcp -m state --state ESTABLISHED -m u32 --u32 "
- "0>>22&0x3C@ 12>>26&0x3C@ 0&0x0=0x0"
- " -j st_clear_caught" },
- { V6, "-A st_clear_detect -p tcp -m state --state ESTABLISHED -m u32 --u32 "
- "52>>26&0x3C@ 40&0x0=0x0"
- " -j st_clear_caught" },
- { V4V6, "-A st_clear_detect -p udp -j st_clear_caught" },
+ std::vector<std::string> common = {
+ "*filter",
+ ":st_OUTPUT -",
+ ":st_penalty_log -",
+ ":st_penalty_reject -",
+ ":st_clear_caught -",
+ ":st_clear_detect -",
+ "COMMIT\n\x04"
};
- expectIptablesCommands(expected);
+
+ std::vector<std::string> v4 = {
+ "*filter",
+ "-A st_penalty_log -j CONNMARK --or-mark 0x1000000",
+ "-A st_penalty_log -j NFLOG --nflog-group 0",
+ "-A st_penalty_reject -j CONNMARK --or-mark 0x2000000",
+ "-A st_penalty_reject -j NFLOG --nflog-group 0",
+ "-A st_penalty_reject -j REJECT",
+ "-A st_clear_detect -m connmark --mark 0x2000000/0x2000000 -j REJECT",
+ "-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN",
+ "-A st_clear_detect -p tcp -m u32 --u32 \""
+ "0>>22&0x3C@ 12>>26&0x3C@ 0&0xFFFF0000=0x16030000 &&"
+ "0>>22&0x3C@ 12>>26&0x3C@ 4&0x00FF0000=0x00010000"
+ "\" -j CONNMARK --or-mark 0x1000000",
+ "-A st_clear_detect -p udp -m u32 --u32 \""
+ "0>>22&0x3C@ 8&0xFFFF0000=0x16FE0000 &&"
+ "0>>22&0x3C@ 20&0x00FF0000=0x00010000"
+ "\" -j CONNMARK --or-mark 0x1000000",
+ "-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN",
+ "-A st_clear_detect -p tcp -m state --state ESTABLISHED -m u32 --u32 "
+ "\"0>>22&0x3C@ 12>>26&0x3C@ 0&0x0=0x0\" -j st_clear_caught",
+ "-A st_clear_detect -p udp -j st_clear_caught",
+ "COMMIT\n\x04"
+ };
+
+ std::vector<std::string> v6 = {
+ "*filter",
+ "-A st_penalty_log -j CONNMARK --or-mark 0x1000000",
+ "-A st_penalty_log -j NFLOG --nflog-group 0",
+ "-A st_penalty_reject -j CONNMARK --or-mark 0x2000000",
+ "-A st_penalty_reject -j NFLOG --nflog-group 0",
+ "-A st_penalty_reject -j REJECT",
+ "-A st_clear_detect -m connmark --mark 0x2000000/0x2000000 -j REJECT",
+ "-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN",
+
+ "-A st_clear_detect -p tcp -m u32 --u32 \""
+ "52>>26&0x3C@ 40&0xFFFF0000=0x16030000 &&"
+ "52>>26&0x3C@ 44&0x00FF0000=0x00010000"
+ "\" -j CONNMARK --or-mark 0x1000000",
+ "-A st_clear_detect -p udp -m u32 --u32 \""
+ "48&0xFFFF0000=0x16FE0000 &&"
+ "60&0x00FF0000=0x00010000"
+ "\" -j CONNMARK --or-mark 0x1000000",
+ "-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN",
+ "-A st_clear_detect -p tcp -m state --state ESTABLISHED -m u32 --u32 "
+ "\"52>>26&0x3C@ 40&0x0=0x0\" -j st_clear_caught",
+ "-A st_clear_detect -p udp -j st_clear_caught",
+ "COMMIT\n\x04"
+ };
+
+ std::string commandsCommon = android::base::Join(common, '\n');
+ std::string commands4 = android::base::Join(v4, '\n');
+ std::string commands6 = android::base::Join(v6, '\n');
+
+ std::vector<std::pair<IptablesTarget, std::string>> expected = {
+ { V4V6, commandsCommon },
+ { V4, commands4 },
+ { V6, commands6 },
+ };
+ expectIptablesRestoreCommands(expected);
}
TEST_F(StrictControllerTest, TestDisableStrict) {
mStrictCtrl.disableStrict();
- std::vector<std::string> expected = {
- "-F st_OUTPUT",
- "-F st_penalty_log",
- "-F st_penalty_reject",
- "-F st_clear_caught",
- "-F st_clear_detect",
- "-X st_penalty_log",
- "-X st_penalty_reject",
- "-X st_clear_caught",
- "-X st_clear_detect",
- };
- expectIptablesCommands(expected);
+ const std::string expected =
+ "*filter\n"
+ ":st_OUTPUT -\n"
+ ":st_penalty_log -\n"
+ ":st_penalty_reject -\n"
+ ":st_clear_caught -\n"
+ ":st_clear_detect -\n"
+ "COMMIT\n\x04";
+ expectIptablesRestoreCommands({ expected });
}
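Review bot: The chain-declaration script is spelled out twice in this hunk — as the `common` vector in TestEnableStrict and again as the `expected` literal in TestDisableStrict — and the eight rules from `-A st_penalty_log -j CONNMARK --or-mark 0x1000000` through the first `-A st_clear_detect -m connmark --mark 0x1000000/0x1000000 -j RETURN` are repeated verbatim in both `v4` and `v6`; a fixture-level constant for the `*filter` … `COMMIT\n\x04` chain block and one shared vector for the address-family-independent rules would leave a single place to update when a chain or rule is added. The disable expectation now contains only `:st_… -` declarations with no counterpart to the removed `-X` lines, so as far as the expected script shows the st_* chains end up flushed rather than deleted; if that is intended, a comment such as `// Chains are flushed, not deleted: the restore script recreates them empty.` would keep a later reader from re-adding `-X`. Because the test only compares the script text handed to the fake, whether the controller runs iptables-restore with or without a full-table flush is not covered here — the controller side is not in this diff, so I cannot tell whether another test pins that. Finally, the stray blank line inside the `v6` initializer between the `-j RETURN` rule and the tcp u32 rule is inconsistent with `v4` and reads like a leftover.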