authorJorge Lucangeli Obes <jorgelo@chromium.org>2014-12-05 15:28:04 -0800
committerGilad Arnold <garnold@google.com>2015-08-10 23:11:52 -0700
commit8620868c44d58dc0632df3a7be7c48be1eb2421b (patch)
treeee2c83fc2de05844fe83d411c88573ab15555f15 /iptables_unittest.cc
parent9a56a8ea3c09e7b98cd167bad0008b81152e0772 (diff)
downloadfirewalld-8620868c44d58dc0632df3a7be7c48be1eb2421b.tar.gz
firewalld: add IpTables wrapper.
Implement firewall functionality. Split up part of FirewallService's functionality into a class that can be easily unit-tested. TODO: allow punching holes for UDP ports as well. BUG=chromium:435400 TEST=New unit tests pass. TEST=dbus-send --system --dest=org.chromium.firewalld --print-reply \ /org/chromium/firewalld \ org.chromium.firewalld.PunchHole uint16:80 twice, success. TEST='iptables -S' shows the new rule. TEST=dbus-send --system --dest=org.chromium.firewalld --print-reply \ /org/chromium/firewalld \ org.chromium.firewalld.PlugHole uint16:80 once, success. TEST='iptables -S' no longer shows the new rule. TEST=Second time, error. Change-Id: Ic8fc9d1fb3ac3deecde304922a709befa55015fb Reviewed-on: https://chromium-review.googlesource.com/233723 Trybot-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org> Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org> Reviewed-by: Kees Cook <keescook@chromium.org> Commit-Queue: Jorge Lucangeli Obes <jorgelo@chromium.org>
Diffstat (limited to 'iptables_unittest.cc')
-rw-r--r--iptables_unittest.cc66
1 files changed, 66 insertions, 0 deletions
diff --git a/iptables_unittest.cc b/iptables_unittest.cc
new file mode 100644
index 0000000..c51876f
--- /dev/null
+++ b/iptables_unittest.cc
@@ -0,0 +1,66 @@
+// Copyright 2014 The Chromium OS Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "firewalld/iptables.h"
+
+#include <gtest/gtest.h>
+
+namespace firewalld {
+
+class IpTablesTest : public testing::Test {
+ public:
+ IpTablesTest()
+ : iptables_succeeds{"/bin/true"}, iptables_fails{"/bin/false"} {}
+ ~IpTablesTest() override = default;
+
+ protected:
+ IpTables iptables_succeeds;
+ IpTables iptables_fails;
+
+ private:
+ DISALLOW_COPY_AND_ASSIGN(IpTablesTest);
+};
+
+TEST_F(IpTablesTest, Port0Fails) {
+ bool success = false;
+ // Try to punch hole for port 0.
+ ASSERT_TRUE(iptables_succeeds.PunchHole(nullptr, 0, &success));
+ // Port 0 is not a valid port.
+ ASSERT_FALSE(success);
+}
+
+TEST_F(IpTablesTest, PunchHoleSucceeds) {
+ bool success = false;
+ // Punch hole for port 80, should succeed.
+ ASSERT_TRUE(iptables_succeeds.PunchHole(nullptr, 80, &success));
+ ASSERT_TRUE(success);
+ // Punch again, should still succeed.
+ ASSERT_TRUE(iptables_succeeds.PunchHole(nullptr, 80, &success));
+ ASSERT_TRUE(success);
+ // Plug the hole, should succeed.
+ ASSERT_TRUE(iptables_succeeds.PlugHole(nullptr, 80, &success));
+ ASSERT_TRUE(success);
+}
+
+TEST_F(IpTablesTest, PlugHoleSucceeds) {
+ bool success = false;
+ // Punch hole for port 80, should succeed.
+ ASSERT_TRUE(iptables_succeeds.PunchHole(nullptr, 80, &success));
+ ASSERT_TRUE(success);
+ // Plug the hole, should succeed.
+ ASSERT_TRUE(iptables_succeeds.PlugHole(nullptr, 80, &success));
+ ASSERT_TRUE(success);
+ // Plug again, should fail.
+ ASSERT_TRUE(iptables_succeeds.PlugHole(nullptr, 80, &success));
+ ASSERT_FALSE(success);
+}
+
+TEST_F(IpTablesTest, PunchHoleFails) {
+ bool success = false;
+ // Punch hole for port 80, should fail.
+ ASSERT_TRUE(iptables_fails.PunchHole(nullptr, 80, &success));
+ ASSERT_FALSE(success);
+}
+
+} // namespace firewalld
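Review bot: In `Port0Fails` and `PunchHoleFails`, `success` starts as `false` and is then asserted to be `false`, so both tests still pass if `PunchHole` returns without writing the out-parameter at all. Starting those two tests with `bool success = true;` would make them prove that the rejection of port 0 and the iptables failure are actually reported to the caller. Separately, the fixture swaps the iptables binary for `/bin/true` and `/bin/false`, which presumably ignore their arguments, so nothing here pins down the rule text that is built for a port. A fake binary or an injectable command runner that records its argv would let a test assert the exact rule for port 80, which is the property a firewall wrapper most needs covered.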