Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / netd / cd28377ac7736aa18700ffdc075e3b16c1d1f656 / . / server / IptablesRestoreControllerTest.cpp
blob: 813028da20de6565d2514b068b415c1aab18ac5c [file] [log] [blame]
Narayan Kamatha5ace892017-01-06 15:10:02 +0000[diff] [blame]1/*
2 * Copyright 2017 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include <string>
Lorenzo Colitti173da322017-02-05 01:56:40 +0900[diff] [blame]18#include <fcntl.h>
19#include <signal.h>
Narayan Kamatha5ace892017-01-06 15:10:02 +0000[diff] [blame]20
21#include <gtest/gtest.h>
22
Lorenzo Colitti173da322017-02-05 01:56:40 +0900[diff] [blame]23#define LOG_TAG "IptablesRestoreControllerTest"
24#include <cutils/log.h>
25#include <android-base/stringprintf.h>
Lorenzo Colitticd283772017-01-31 19:00:49 +0900[diff] [blame^]26#include <android-base/strings.h>
Lorenzo Colitti173da322017-02-05 01:56:40 +0900[diff] [blame]27
Narayan Kamatha5ace892017-01-06 15:10:02 +0000[diff] [blame]28#include "IptablesRestoreController.h"
29#include "NetdConstants.h"
30
Lorenzo Colitticd283772017-01-31 19:00:49 +0900[diff] [blame^]31using android::base::Join;
Lorenzo Colitti173da322017-02-05 01:56:40 +0900[diff] [blame]32using android::base::StringPrintf;
Narayan Kamatha5ace892017-01-06 15:10:02 +0000[diff] [blame]33
Lorenzo Colitti173da322017-02-05 01:56:40 +0900[diff] [blame]34class IptablesRestoreControllerTest : public ::testing::Test {
35public:
36 IptablesRestoreController con;
37
38 pid_t getIpRestorePid(const IptablesRestoreController::IptablesProcessType type) {
39 return con.getIpRestorePid(type);
40 };
41
42 void expectNoIptablesRestoreProcess(pid_t pid) {
43 // We can't readlink /proc/PID/exe, because zombie processes don't have it.
44 // Parse /proc/PID/stat instead.
45 std::string statPath = StringPrintf("/proc/%d/stat", pid);
46 int fd = open(statPath.c_str(), O_RDONLY);
47 if (fd == -1) {
48 // ENOENT means the process is gone (expected).
49 ASSERT_EQ(errno, ENOENT)
50 << "Unexpected error opening " << statPath << ": " << strerror(errno);
51 return;
52 }
53
54 // If the PID exists, it's possible (though very unlikely) that the PID was reused. Check the
55 // binary name as well, to ensure the test isn't flaky.
56 char statBuf[1024];
57 ASSERT_NE(-1, read(fd, statBuf, sizeof(statBuf)))
58 << "Could not read from " << statPath << ": " << strerror(errno);
59 close(fd);
60
61 std::string statString(statBuf);
62 EXPECT_FALSE(statString.find("iptables-restor") || statString.find("ip6tables-resto"))
63 << "Previous iptables-restore pid " << pid << " still alive: " << statString;
64 }
Narayan Kamatha5ace892017-01-06 15:10:02 +0000[diff] [blame]65};
66
Lorenzo Colitti173da322017-02-05 01:56:40 +0900[diff] [blame]67TEST_F(IptablesRestoreControllerTest, TestBasicCommand) {
Lorenzo Colitticd283772017-01-31 19:00:49 +0900[diff] [blame^]68 std::string output;
69
70 EXPECT_EQ(0, con.execute(IptablesTarget::V4V6, "#Test\n", nullptr));
Lorenzo Colitti173da322017-02-05 01:56:40 +0900[diff] [blame]71
72 pid_t pid4 = getIpRestorePid(IptablesRestoreController::IPTABLES_PROCESS);
73 pid_t pid6 = getIpRestorePid(IptablesRestoreController::IP6TABLES_PROCESS);
74
Lorenzo Colitticd283772017-01-31 19:00:49 +0900[diff] [blame^]75 EXPECT_EQ(0, con.execute(IptablesTarget::V6, "#Test\n", nullptr));
76 EXPECT_EQ(0, con.execute(IptablesTarget::V4, "#Test\n", nullptr));
77
78 EXPECT_EQ(0, con.execute(IptablesTarget::V4V6, "#Test\n", &output));
79 EXPECT_EQ("#Test\n#Test\n", output); // One for IPv4 and one for IPv6.
Lorenzo Colitti173da322017-02-05 01:56:40 +0900[diff] [blame]80
81 // Check the PIDs are the same as they were before. If they're not, the child processes were
82 // restarted, which causes a 30-60ms delay.
83 EXPECT_EQ(pid4, getIpRestorePid(IptablesRestoreController::IPTABLES_PROCESS));
84 EXPECT_EQ(pid6, getIpRestorePid(IptablesRestoreController::IP6TABLES_PROCESS));
Narayan Kamatha5ace892017-01-06 15:10:02 +0000[diff] [blame]85}
86
Lorenzo Colitti173da322017-02-05 01:56:40 +0900[diff] [blame]87TEST_F(IptablesRestoreControllerTest, TestRestartOnMalformedCommand) {
Lorenzo Colitticd283772017-01-31 19:00:49 +0900[diff] [blame^]88 std::string buffer;
Lorenzo Colitti173da322017-02-05 01:56:40 +0900[diff] [blame]89 for (int i = 0; i < 50; i++) {
90 IptablesTarget target = (IptablesTarget) (i % 3);
Lorenzo Colitticd283772017-01-31 19:00:49 +0900[diff] [blame^]91 std::string *output = (i % 2) ? &buffer : nullptr;
92 ASSERT_EQ(-1, con.execute(target, "malformed command\n", output)) <<
Lorenzo Colitti173da322017-02-05 01:56:40 +0900[diff] [blame]93 "Malformed command did not fail at iteration " << i;
Lorenzo Colitticd283772017-01-31 19:00:49 +0900[diff] [blame^]94 ASSERT_EQ(0, con.execute(target, "#Test\n", output)) <<
Lorenzo Colitti173da322017-02-05 01:56:40 +0900[diff] [blame]95 "No-op command did not succeed at iteration " << i;
96 }
97}
98
99TEST_F(IptablesRestoreControllerTest, TestRestartOnProcessDeath) {
Lorenzo Colitticd283772017-01-31 19:00:49 +0900[diff] [blame^]100 std::string output;
101
Lorenzo Colitti173da322017-02-05 01:56:40 +0900[diff] [blame]102 // Run a command to ensure that the processes are running.
Lorenzo Colitticd283772017-01-31 19:00:49 +0900[diff] [blame^]103 EXPECT_EQ(0, con.execute(IptablesTarget::V4V6, "#Test\n", &output));
Lorenzo Colitti173da322017-02-05 01:56:40 +0900[diff] [blame]104
105 pid_t pid4 = getIpRestorePid(IptablesRestoreController::IPTABLES_PROCESS);
106 pid_t pid6 = getIpRestorePid(IptablesRestoreController::IP6TABLES_PROCESS);
107
108 ASSERT_EQ(0, kill(pid4, 0)) << "iptables-restore pid " << pid4 << " does not exist";
109 ASSERT_EQ(0, kill(pid6, 0)) << "ip6tables-restore pid " << pid6 << " does not exist";
110 ASSERT_EQ(0, kill(pid4, SIGTERM)) << "Failed to send SIGTERM to iptables-restore pid " << pid4;
111 ASSERT_EQ(0, kill(pid6, SIGTERM)) << "Failed to send SIGTERM to ip6tables-restore pid " << pid6;
112
113 // Wait 100ms for processes to terminate.
114 TEMP_FAILURE_RETRY(usleep(100 * 1000));
115
116 // Ensure that running a new command properly restarts the processes.
Lorenzo Colitticd283772017-01-31 19:00:49 +0900[diff] [blame^]117 EXPECT_EQ(0, con.execute(IptablesTarget::V4V6, "#Test\n", nullptr));
Lorenzo Colitti173da322017-02-05 01:56:40 +0900[diff] [blame]118 EXPECT_NE(pid4, getIpRestorePid(IptablesRestoreController::IPTABLES_PROCESS));
119 EXPECT_NE(pid6, getIpRestorePid(IptablesRestoreController::IP6TABLES_PROCESS));
120
121 // Check there are no zombies.
122 expectNoIptablesRestoreProcess(pid4);
123 expectNoIptablesRestoreProcess(pid6);
Narayan Kamatha5ace892017-01-06 15:10:02 +0000[diff] [blame]124}
Lorenzo Colitticd283772017-01-31 19:00:49 +0900[diff] [blame^]125
126TEST_F(IptablesRestoreControllerTest, TestOutput) {
127 const char *chainName = StringPrintf("netd_unit_test_%u", arc4random_uniform(10000)).c_str();
128
129 // Create a chain to list.
130 std::vector<std::string> createCommands = {
131 "*filter",
132 StringPrintf(":%s -", chainName),
133 StringPrintf("-A %s -j RETURN", chainName),
134 "COMMIT",
135 ""
136 };
137 EXPECT_EQ(0, con.execute(V4V6, Join(createCommands, "\n"), nullptr));
138
139 // Expected contents of the chain.
140 std::vector<std::string> expectedLines = {
141 StringPrintf("Chain %s (0 references)", chainName),
142 "target prot opt source destination ",
143 "RETURN all -- 0.0.0.0/0 0.0.0.0/0 ",
144 StringPrintf("Chain %s (0 references)", chainName),
145 "target prot opt source destination ",
146 "RETURN all ::/0 ::/0 ",
147 ""
148 };
149 std::string expected = Join(expectedLines, "\n");
150
151 // List and delete the chain.
152 std::vector<std::string> listCommands = {
153 "*filter",
154 StringPrintf("-n -L %s", chainName), // List chain.
155 StringPrintf(":%s -", chainName), // Flush chain (otherwise we can't delete it).
156 StringPrintf("-X %s", chainName), // Delete chain.
157 "COMMIT",
158 ""
159 };
160
161 std::string output;
162 EXPECT_EQ(0, con.execute(V4V6, Join(listCommands, "\n"), &output));
163 EXPECT_EQ(expected, output);
164}