164 lines
6.3 KiB
C++
164 lines
6.3 KiB
C++
|
// Copyright 2020 The gVisor Authors.
|
||
|
//
|
||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||
|
// you may not use this file except in compliance with the License.
|
||
|
// You may obtain a copy of the License at
|
||
|
//
|
||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||
|
//
|
||
|
// Unless required by applicable law or agreed to in writing, software
|
||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
|
// See the License for the specific language governing permissions and
|
||
|
// limitations under the License.
|
||
|
|
||
|
#include <linux/capability.h>
|
||
|
#include <sys/socket.h>
|
||
|
|
||
|
#include "gtest/gtest.h"
|
||
|
#include "test/syscalls/linux/iptables.h"
|
||
|
#include "test/syscalls/linux/socket_test_util.h"
|
||
|
#include "test/util/capability_util.h"
|
||
|
#include "test/util/file_descriptor.h"
|
||
|
#include "test/util/test_util.h"
|
||
|
|
||
|
namespace gvisor {
|
||
|
namespace testing {
|
||
|
|
||
|
namespace {
|
||
|
|
||
|
constexpr char kNatTablename[] = "nat";
|
||
|
constexpr char kErrorTarget[] = "ERROR";
|
||
|
constexpr size_t kEmptyStandardEntrySize =
|
||
|
sizeof(struct ip6t_entry) + sizeof(struct xt_standard_target);
|
||
|
constexpr size_t kEmptyErrorEntrySize =
|
||
|
sizeof(struct ip6t_entry) + sizeof(struct xt_error_target);
|
||
|
|
||
|
// This tests the initial state of a machine with empty ip6tables via
|
||
|
// getsockopt(IP6T_SO_GET_INFO). We don't have a guarantee that the iptables are
|
||
|
// empty when running in native, but we can test that gVisor has the same
|
||
|
// initial state that a newly-booted Linux machine would have.
|
||
|
TEST(IP6TablesTest, InitialInfo) {
|
||
|
// TODO(gvisor.dev/issue/3549): Enable for ip6tables.
|
||
|
SKIP_IF(true);
|
||
|
SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
|
||
|
|
||
|
FileDescriptor sock =
|
||
|
ASSERT_NO_ERRNO_AND_VALUE(Socket(AF_INET6, SOCK_RAW, IPPROTO_RAW));
|
||
|
|
||
|
// Get info via sockopt.
|
||
|
struct ipt_getinfo info = {};
|
||
|
snprintf(info.name, XT_TABLE_MAXNAMELEN, "%s", kNatTablename);
|
||
|
socklen_t info_size = sizeof(info);
|
||
|
ASSERT_THAT(
|
||
|
getsockopt(sock.get(), SOL_IPV6, IP6T_SO_GET_INFO, &info, &info_size),
|
||
|
SyscallSucceeds());
|
||
|
|
||
|
// The nat table supports PREROUTING, and OUTPUT.
|
||
|
unsigned int valid_hooks =
|
||
|
(1 << NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_OUT) |
|
||
|
(1 << NF_IP6_POST_ROUTING) | (1 << NF_IP6_LOCAL_IN);
|
||
|
EXPECT_EQ(info.valid_hooks, valid_hooks);
|
||
|
|
||
|
// Each chain consists of an empty entry with a standard target..
|
||
|
EXPECT_EQ(info.hook_entry[NF_IP6_PRE_ROUTING], 0);
|
||
|
EXPECT_EQ(info.hook_entry[NF_IP6_LOCAL_IN], kEmptyStandardEntrySize);
|
||
|
EXPECT_EQ(info.hook_entry[NF_IP6_LOCAL_OUT], kEmptyStandardEntrySize * 2);
|
||
|
EXPECT_EQ(info.hook_entry[NF_IP6_POST_ROUTING], kEmptyStandardEntrySize * 3);
|
||
|
|
||
|
// The underflow points are the same as the entry points.
|
||
|
EXPECT_EQ(info.underflow[NF_IP6_PRE_ROUTING], 0);
|
||
|
EXPECT_EQ(info.underflow[NF_IP6_LOCAL_IN], kEmptyStandardEntrySize);
|
||
|
EXPECT_EQ(info.underflow[NF_IP6_LOCAL_OUT], kEmptyStandardEntrySize * 2);
|
||
|
EXPECT_EQ(info.underflow[NF_IP6_POST_ROUTING], kEmptyStandardEntrySize * 3);
|
||
|
|
||
|
// One entry for each chain, plus an error entry at the end.
|
||
|
EXPECT_EQ(info.num_entries, 5);
|
||
|
|
||
|
EXPECT_EQ(info.size, 4 * kEmptyStandardEntrySize + kEmptyErrorEntrySize);
|
||
|
EXPECT_EQ(strcmp(info.name, kNatTablename), 0);
|
||
|
}
|
||
|
|
||
|
// This tests the initial state of a machine with empty ip6tables via
|
||
|
// getsockopt(IP6T_SO_GET_ENTRIES). We don't have a guarantee that the iptables
|
||
|
// are empty when running in native, but we can test that gVisor has the same
|
||
|
// initial state that a newly-booted Linux machine would have.
|
||
|
TEST(IP6TablesTest, InitialEntries) {
|
||
|
// TODO(gvisor.dev/issue/3549): Enable for ip6tables.
|
||
|
SKIP_IF(true);
|
||
|
SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
|
||
|
|
||
|
FileDescriptor sock =
|
||
|
ASSERT_NO_ERRNO_AND_VALUE(Socket(AF_INET6, SOCK_RAW, IPPROTO_RAW));
|
||
|
|
||
|
// Get info via sockopt.
|
||
|
struct ipt_getinfo info = {};
|
||
|
snprintf(info.name, XT_TABLE_MAXNAMELEN, "%s", kNatTablename);
|
||
|
socklen_t info_size = sizeof(info);
|
||
|
ASSERT_THAT(
|
||
|
getsockopt(sock.get(), SOL_IPV6, IP6T_SO_GET_INFO, &info, &info_size),
|
||
|
SyscallSucceeds());
|
||
|
|
||
|
// Use info to get entries.
|
||
|
socklen_t entries_size = sizeof(struct ip6t_get_entries) + info.size;
|
||
|
struct ip6t_get_entries* entries =
|
||
|
static_cast<struct ip6t_get_entries*>(malloc(entries_size));
|
||
|
snprintf(entries->name, XT_TABLE_MAXNAMELEN, "%s", kNatTablename);
|
||
|
entries->size = info.size;
|
||
|
ASSERT_THAT(getsockopt(sock.get(), SOL_IPV6, IP6T_SO_GET_ENTRIES, entries,
|
||
|
&entries_size),
|
||
|
SyscallSucceeds());
|
||
|
|
||
|
// Verify the name and size.
|
||
|
ASSERT_EQ(info.size, entries->size);
|
||
|
ASSERT_EQ(strcmp(entries->name, kNatTablename), 0);
|
||
|
|
||
|
// Verify that the entrytable is 4 entries with accept targets and no matches
|
||
|
// followed by a single error target.
|
||
|
size_t entry_offset = 0;
|
||
|
while (entry_offset < entries->size) {
|
||
|
struct ip6t_entry* entry = reinterpret_cast<struct ip6t_entry*>(
|
||
|
reinterpret_cast<char*>(entries->entrytable) + entry_offset);
|
||
|
|
||
|
// ipv6 should be zeroed.
|
||
|
struct ip6t_ip6 zeroed = {};
|
||
|
ASSERT_EQ(memcmp(static_cast<void*>(&zeroed),
|
||
|
static_cast<void*>(&entry->ipv6), sizeof(zeroed)),
|
||
|
0);
|
||
|
|
||
|
// target_offset should be zero.
|
||
|
EXPECT_EQ(entry->target_offset, sizeof(ip6t_entry));
|
||
|
|
||
|
if (entry_offset < kEmptyStandardEntrySize * 4) {
|
||
|
// The first 4 entries are standard targets
|
||
|
struct xt_standard_target* target =
|
||
|
reinterpret_cast<struct xt_standard_target*>(entry->elems);
|
||
|
EXPECT_EQ(entry->next_offset, kEmptyStandardEntrySize);
|
||
|
EXPECT_EQ(target->target.u.user.target_size, sizeof(*target));
|
||
|
EXPECT_EQ(strcmp(target->target.u.user.name, ""), 0);
|
||
|
EXPECT_EQ(target->target.u.user.revision, 0);
|
||
|
// This is what's returned for an accept verdict. I don't know why.
|
||
|
EXPECT_EQ(target->verdict, -NF_ACCEPT - 1);
|
||
|
} else {
|
||
|
// The last entry is an error target
|
||
|
struct xt_error_target* target =
|
||
|
reinterpret_cast<struct xt_error_target*>(entry->elems);
|
||
|
EXPECT_EQ(entry->next_offset, kEmptyErrorEntrySize);
|
||
|
EXPECT_EQ(target->target.u.user.target_size, sizeof(*target));
|
||
|
EXPECT_EQ(strcmp(target->target.u.user.name, kErrorTarget), 0);
|
||
|
EXPECT_EQ(target->target.u.user.revision, 0);
|
||
|
EXPECT_EQ(strcmp(target->errorname, kErrorTarget), 0);
|
||
|
}
|
||
|
|
||
|
entry_offset += entry->next_offset;
|
||
|
break;
|
||
|
}
|
||
|
|
||
|
free(entries);
|
||
|
}
|
||
|
|
||
|
} // namespace
|
||
|
|
||
|
} // namespace testing
|
||
|
} // namespace gvisor
|