authorLorenzo Colitti <lorenzo@google.com>2016-05-13 11:25:54 +0900
committerLorenzo Colitti <lorenzo@google.com>2016-05-16 20:35:37 +0900
commitf157caf303ab397b3d350b33c842f79902058d16 (patch)
treee1d9382d1b19d5f0d40cdc501228823ff3ae3c58 /server/FirewallControllerTest.cpp
parent54ecf16d8effb5feedb7138254c880bd9f7a26b3 (diff)
Make firewallReplaceUidChain match the behaviour of createChain.
The behaviour of firewallReplaceUidChain was incorrect in several ways: 1. It was missing the "always allow TCP RST packets" rules which were added in http://ag/963000. 2. It included a RETURN statement at the end of blacklist chains, which is superfluous since all user-defined chains implicitly return, and became incorrect when http://ag/963000 switched the behaviour of blacklist chains from inserting new rules at the beginning to appending them at the end. 3. It was missing the rules to allow the types of ICMPv6 packets that are critical in maintaining connectivity. By itself, this change is a no-op since nothing currently calls firewallReplaceUidRule. Bug: 26675191 Change-Id: I985e6861812908cbe7eaf0f54ca0ad39c22bbfeb
Diffstat (limited to 'server/FirewallControllerTest.cpp')
-rw-r--r--server/FirewallControllerTest.cpp20
1 files changed, 14 insertions, 6 deletions
diff --git a/server/FirewallControllerTest.cpp b/server/FirewallControllerTest.cpp
index b909833b..7e3686bb 100644
--- a/server/FirewallControllerTest.cpp
+++ b/server/FirewallControllerTest.cpp
@@ -35,11 +35,12 @@ protected:
}
FirewallController mFw;
- std::string makeUidRules(const char *a, bool b, const std::vector<int32_t>& c) {
- return mFw.makeUidRules(a, b, c);
+ std::string makeUidRules(IptablesTarget a, const char* b, bool c,
+ const std::vector<int32_t>& d) {
+ return mFw.makeUidRules(a, b, c, d);
}
- int createChain(const char* a, const char*b , FirewallType c) {
+ int createChain(const char* a, const char* b , FirewallType c) {
return mFw.createChain(a, b, c);
}
};
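Review bot: The fixture wrappers keep opaque single-letter parameter names (`a`, `b`, `c`, `d`) while the new `makeUidRules` overload takes four positional arguments of three different types, so a misordered call at a test site still reads as plausible; naming them after what they forward would make the EXPECT_EQ lines self-describing: `std::string makeUidRules(IptablesTarget target, const char* chainName, bool isWhitelist,` / `const std::vector<int32_t>& uids) {` / `return mFw.makeUidRules(target, chainName, isWhitelist, uids);`. The stray space before the comma in `const char* b ,` on the createChain line survives the reformat, and the same quirk appears in hunk 3's call `makeUidRules(V4 ,"FW_blackchain", false, uids)`. The enclosing fixture class starts before this hunk.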
@@ -109,6 +110,13 @@ TEST_F(FirewallControllerTest, TestReplaceWhitelistUidRule) {
std::string expected =
"*filter\n"
":FW_whitechain -\n"
+ "-A FW_whitechain -p tcp --tcp-flags RST RST -j RETURN\n"
+ "-A FW_whitechain -p icmpv6 --icmpv6-type packet-too-big -j RETURN\n"
+ "-A FW_whitechain -p icmpv6 --icmpv6-type router-solicitation -j RETURN\n"
+ "-A FW_whitechain -p icmpv6 --icmpv6-type router-advertisement -j RETURN\n"
+ "-A FW_whitechain -p icmpv6 --icmpv6-type neighbour-solicitation -j RETURN\n"
+ "-A FW_whitechain -p icmpv6 --icmpv6-type neighbour-advertisement -j RETURN\n"
+ "-A FW_whitechain -p icmpv6 --icmpv6-type redirect -j RETURN\n"
"-A FW_whitechain -m owner --uid-owner 0-9999 -j RETURN\n"
"-A FW_whitechain -m owner --uid-owner 10023 -j RETURN\n"
"-A FW_whitechain -m owner --uid-owner 10059 -j RETURN\n"
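Review bot: The whitelist expectation is checked only for V6 and the blacklist one (hunk 3) only for V4, so whatever logic decides that the six ICMPv6 RETURN rules are emitted is exercised in one direction per chain type; a regression that emitted `-p icmpv6` rules into an IPv4 ruleset, or dropped them from an IPv6 whitelist, would be missed by one of the two tests. Adding a V4 whitelist case whose expected string omits the icmpv6 lines would pin the target dependence explicitly, and a V6 blacklist case would do the same if blacklist chains ever gain target-specific rules. The asserted order, with the RST and ICMPv6 RETURN rules ahead of the `--uid-owner` rules, is presumably what lets those packets bypass the chain's later default action, so a comment such as `// RST/ICMPv6 exemptions must precede the uid rules` above the expected string would explain why the literal is order-sensitive. The enclosing TEST_F starts before this hunk and ends after it.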
@@ -121,19 +129,19 @@ TEST_F(FirewallControllerTest, TestReplaceWhitelistUidRule) {
"COMMIT\n\x04";
std::vector<int32_t> uids = { 10023, 10059, 10124, 10111, 110122, 210153, 210024 };
- EXPECT_EQ(expected, makeUidRules("FW_whitechain", true, uids));
+ EXPECT_EQ(expected, makeUidRules(V6, "FW_whitechain", true, uids));
}
TEST_F(FirewallControllerTest, TestReplaceBlacklistUidRule) {
std::string expected =
"*filter\n"
":FW_blackchain -\n"
+ "-A FW_blackchain -p tcp --tcp-flags RST RST -j RETURN\n"
"-A FW_blackchain -m owner --uid-owner 10023 -j DROP\n"
"-A FW_blackchain -m owner --uid-owner 10059 -j DROP\n"
"-A FW_blackchain -m owner --uid-owner 10124 -j DROP\n"
- "-A FW_blackchain -j RETURN\n"
"COMMIT\n\x04";
std::vector<int32_t> uids = { 10023, 10059, 10124 };
- EXPECT_EQ(expected, makeUidRules("FW_blackchain", false, uids));
+ EXPECT_EQ(expected, makeUidRules(V4 ,"FW_blackchain", false, uids));
}