morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-14 08:25:20 +09:00
Code Issues Packages Projects Releases Wiki Activity

test-firewall-util: use assert_se() at most places

Browse Source 
Otherwise, we cannot notice any failures...
This commit is contained in:
Yu Watanabe
2021-03-22 22:44:25 +09:00
parent 0c4363a005
commit b5d2f4e757
1 changed files with 78 additions and 82 deletions
Download Patch File Download Diff File Expand all files Collapse all files

160
src/test/test-firewall-util.c
View File

@@ -1,114 +1,110 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#include <unistd.h>
#include "firewall-util.h"
#include "firewall-util-private.h"
#include "log.h"
#include "random-util.h"
#include "socket-util.h"
#include "tests.h"
#define MAKE_IN_ADDR_UNION(a,b,c,d) (union in_addr_union) { .in.s_addr = htobe32((uint32_t) (a) << 24 | (uint32_t) (b) << 16 | (uint32_t) (c) << 8 | (uint32_t) (d))}
#define MAKE_IN6_ADDR_UNION(str, u) assert_se(in_addr_from_string(AF_INET6, str, u) >= 0)
static void test_v6(FirewallContext **ctx) {
union in_addr_union u = {}, u2 = {};
static void test_v6(FirewallContext *ctx) {
union in_addr_union u1, u2, u3;
uint8_t prefixlen;
int r;
MAKE_IN6_ADDR_UNION("dead::beef", &u);
log_info("/* %s(backend=%s) */", __func__, firewall_backend_to_string(ctx->backend));
r = fw_add_masquerade(ctx, true, AF_INET6, &u, 128);
if (r < 0)
log_error_errno(r, "Failed to modify ipv6 firewall: %m");
if (!socket_ipv6_is_supported())
return log_info("IPv6 is not supported by kernel, skipping tests.");
r = fw_add_masquerade(ctx, false, AF_INET6, &u, 128);
if (r < 0)
log_error_errno(r, "Failed to modify ipv6 firewall: %m");
assert_se(in_addr_from_string(AF_INET6, "dead::beef", &u1) >= 0);
assert_se(in_addr_from_string(AF_INET6, "1c3::c01d", &u2) >= 0);
r = fw_add_masquerade(ctx, true, AF_INET6, &u, 64);
if (r < 0)
log_error_errno(r, "Failed to modify ipv6 firewall: %m");
prefixlen = random_u64_range(128 + 1 - 8) + 8;
pseudo_random_bytes(&u3, sizeof(u3));
r = fw_add_masquerade(ctx, false, AF_INET6, &u, 64);
if (r < 0)
log_error_errno(r, "Failed to modify ipv6 firewall: %m");
assert_se(fw_add_masquerade(&ctx, true, AF_INET6, &u1, 128) >= 0);
assert_se(fw_add_masquerade(&ctx, false, AF_INET6, &u1, 128) >= 0);
assert_se(fw_add_masquerade(&ctx, true, AF_INET6, &u1, 64) >= 0);
assert_se(fw_add_masquerade(&ctx, false, AF_INET6, &u1, 64) >= 0);
assert_se(fw_add_masquerade(&ctx, true, AF_INET6, &u3, prefixlen) >= 0);
assert_se(fw_add_masquerade(&ctx, false, AF_INET6, &u3, prefixlen) >= 0);
r = fw_add_local_dnat(ctx, true, AF_INET6, IPPROTO_TCP, 4711, &u, 815, NULL);
if (r < 0)
log_error_errno(r, "Failed to modify firewall: %m");
r = fw_add_local_dnat(&ctx, true, AF_INET6, IPPROTO_TCP, 4711, &u1, 815, NULL);
if (r == -EOPNOTSUPP) {
log_info("IPv6 DNAT seems not supported, skipping the following tests.");
return;
}
assert_se(r >= 0);
MAKE_IN6_ADDR_UNION("1c3::c01d", &u2);
r = fw_add_local_dnat(ctx, true, AF_INET6, IPPROTO_TCP, 4711, &u2, 815, &u);
if (r < 0)
log_error_errno(r, "Failed to modify firewall: %m");
assert_se(fw_add_local_dnat(&ctx, true, AF_INET6, IPPROTO_TCP, 4711, &u2, 815, &u1) >= 0);
assert_se(fw_add_local_dnat(&ctx, false, AF_INET6, IPPROTO_TCP, 4711, &u2, 815, NULL) >= 0);
r = fw_add_local_dnat(ctx, false, AF_INET6, IPPROTO_TCP, 4711, &u2, 815, NULL);
if (r < 0)
log_error_errno(r, "Failed to modify firewall: %m");
}
prefixlen = random_u32() % (128 + 1 - 8);
prefixlen += 8;
pseudo_random_bytes(&u, sizeof(u));
static union in_addr_union *parse_addr(const char *str, union in_addr_union *u) {
assert(str);
assert_se(in_addr_from_string(AF_INET, str, u) >= 0);
return u;
}
r = fw_add_masquerade(ctx, true, AF_INET6, &u, prefixlen);
if (r < 0)
log_error_errno(r, "Failed to modify ipv6 firewall: %m");
static bool test_v4(FirewallContext *ctx) {
union in_addr_union u, v;
int r;
r = fw_add_masquerade(ctx, false, AF_INET6, &u, prefixlen);
if (r < 0)
log_error_errno(r, "Failed to modify ipv6 firewall: %m");
log_info("/* %s(backend=%s) */", __func__, firewall_backend_to_string(ctx->backend));
assert_se(fw_add_masquerade(&ctx, true, AF_INET, NULL, 0) == -EINVAL);
assert_se(fw_add_masquerade(&ctx, true, AF_INET, parse_addr("10.1.2.0", &u), 0) == -EINVAL);
r = fw_add_masquerade(&ctx, true, AF_INET, parse_addr("10.1.2.3", &u), 32);
if (r < 0) {
bool ignore = IN_SET(r, -EPERM, -EOPNOTSUPP, -ENOPROTOOPT);
log_full_errno(ignore ? LOG_DEBUG : LOG_ERR, r,
"Failed to add IPv4 masquerade%s: %m",
ignore ? ", skipping following tests" : "");
if (ignore)
return false;
}
assert(r >= 0);
assert_se(fw_add_masquerade(&ctx, true, AF_INET, parse_addr("10.0.2.0", &u), 28) >= 0);
assert_se(fw_add_masquerade(&ctx, false, AF_INET, parse_addr("10.0.2.0", &u), 28) >= 0);
assert_se(fw_add_masquerade(&ctx, false, AF_INET, parse_addr("10.1.2.3", &u), 32) >= 0);
assert_se(fw_add_local_dnat(&ctx, true, AF_INET, IPPROTO_TCP, 4711, parse_addr("1.2.3.4", &u), 815, NULL) >= 0);
assert_se(fw_add_local_dnat(&ctx, true, AF_INET, IPPROTO_TCP, 4711, parse_addr("1.2.3.4", &u), 815, NULL) >= 0);
assert_se(fw_add_local_dnat(&ctx, true, AF_INET, IPPROTO_TCP, 4711, parse_addr("1.2.3.5", &u), 815, parse_addr("1.2.3.4", &v)) >= 0);
assert_se(fw_add_local_dnat(&ctx, false, AF_INET, IPPROTO_TCP, 4711, parse_addr("1.2.3.5", &u), 815, NULL) >= 0);
return true;
}
int main(int argc, char *argv[]) {
_cleanup_(fw_ctx_freep) FirewallContext *ctx;
int r;
_cleanup_(fw_ctx_freep) FirewallContext *ctx = NULL;
test_setup_logging(LOG_DEBUG);
uint8_t prefixlen = 32;
r = fw_ctx_new(&ctx);
if (r < 0)
return log_error_errno(r, "Failed to init firewall: %m");
if (getuid() != 0)
return log_tests_skipped("not root");
r = fw_add_masquerade(&ctx, true, AF_INET, NULL, 0);
if (r == 0)
log_error("Expected failure: NULL source");
assert_se(fw_ctx_new(&ctx) >= 0);
r = fw_add_masquerade(&ctx, true, AF_INET, &MAKE_IN_ADDR_UNION(10,1,2,0), 0);
if (r == 0)
log_error("Expected failure: 0 prefixlen");
if (ctx->backend == FW_BACKEND_NONE)
return EXIT_TEST_SKIP;
r = fw_add_masquerade(&ctx, true, AF_INET, &MAKE_IN_ADDR_UNION(10,1,2,3), prefixlen);
if (r < 0)
log_error_errno(r, "Failed to modify firewall: %m");
if (test_v4(ctx) && ctx->backend == FW_BACKEND_NFTABLES)
test_v6(ctx);
prefixlen = 28;
r = fw_add_masquerade(&ctx, true, AF_INET, &MAKE_IN_ADDR_UNION(10,0,2,0), prefixlen);
if (r < 0)
log_error_errno(r, "Failed to modify firewall: %m");
r = fw_add_masquerade(&ctx, false, AF_INET, &MAKE_IN_ADDR_UNION(10,0,2,0), prefixlen);
if (r < 0)
log_error_errno(r, "Failed to modify firewall: %m");
r = fw_add_masquerade(&ctx, false, AF_INET, &MAKE_IN_ADDR_UNION(10,1,2,3), 32);
if (r < 0)
log_error_errno(r, "Failed to modify firewall: %m");
r = fw_add_local_dnat(&ctx, true, AF_INET, IPPROTO_TCP, 4711, &MAKE_IN_ADDR_UNION(1, 2, 3, 4), 815, NULL);
if (r < 0)
log_error_errno(r, "Failed to modify firewall: %m");
r = fw_add_local_dnat(&ctx, true, AF_INET, IPPROTO_TCP, 4711, &MAKE_IN_ADDR_UNION(1, 2, 3, 4), 815, NULL);
if (r < 0)
log_error_errno(r, "Failed to modify firewall: %m");
r = fw_add_local_dnat(&ctx, true, AF_INET, IPPROTO_TCP, 4711, &MAKE_IN_ADDR_UNION(1, 2, 3, 5), 815, &MAKE_IN_ADDR_UNION(1, 2, 3, 4));
if (r < 0)
log_error_errno(r, "Failed to modify firewall: %m");
r = fw_add_local_dnat(&ctx, false, AF_INET, IPPROTO_TCP, 4711, &MAKE_IN_ADDR_UNION(1, 2, 3, 5), 815, NULL);
if (r < 0)
log_error_errno(r, "Failed to modify firewall: %m");
test_v6(&ctx);
#if HAVE_LIBIPTC
if (ctx->backend != FW_BACKEND_IPTABLES) {
ctx->backend = FW_BACKEND_IPTABLES;
test_v4(ctx);
}
#endif
return 0;
}