author | Yu Watanabe <watanabe.yu+github@gmail.com> | 2021-03-22 14:44:25 +0100 |
committer | Yu Watanabe <watanabe.yu+github@gmail.com> | 2021-03-24 17:05:54 +0100 |
commit | b5d2f4e757ba2beda2f911c14ee622d59fde7de9 (patch) | |
tree | ac38d75816f7252d48825c404bebfc88e26cfd4e | |
parent | firewall-util: refuse IPv6 firewall rules when kernel does not support IPv6 (diff) | |
test-firewall-util: use assert_se() at most places
Otherwise, we cannot notice any failures...
-rw-r--r-- | src/test/test-firewall-util.c | 152 |
1 files changed, 74 insertions, 78 deletions
diff --git a/src/test/test-firewall-util.c b/src/test/test-firewall-util.c
index 8d69f192d8..abc28d500d 100644
--- a/src/test/test-firewall-util.c
+++ b/src/test/test-firewall-util.c
@@ -1,114 +1,110 @@ /* SPDX-License-Identifier: LGPL-2.1-or-later */ +#include <unistd.h> + #include "firewall-util.h" +#include "firewall-util-private.h" #include "log.h" #include "random-util.h" +#include "socket-util.h" #include "tests.h" -#define MAKE_IN_ADDR_UNION(a,b,c,d) (union in_addr_union) { .in.s_addr = htobe32((uint32_t) (a) << 24 | (uint32_t) (b) << 16 | (uint32_t) (c) << 8 | (uint32_t) (d))} -#define MAKE_IN6_ADDR_UNION(str, u) assert_se(in_addr_from_string(AF_INET6, str, u) >= 0) - -static void test_v6(FirewallContext **ctx) { - union in_addr_union u = {}, u2 = {}; +static void test_v6(FirewallContext *ctx) { + union in_addr_union u1, u2, u3; uint8_t prefixlen; int r; - MAKE_IN6_ADDR_UNION("dead::beef", &u); - - r = fw_add_masquerade(ctx, true, AF_INET6, &u, 128); - if (r < 0) - log_error_errno(r, "Failed to modify ipv6 firewall: %m"); + log_info("/* %s(backend=%s) */", __func__, firewall_backend_to_string(ctx->backend)); - r = fw_add_masquerade(ctx, false, AF_INET6, &u, 128); - if (r < 0) - log_error_errno(r, "Failed to modify ipv6 firewall: %m"); + if (!socket_ipv6_is_supported()) + return log_info("IPv6 is not supported by kernel, skipping tests."); - r = fw_add_masquerade(ctx, true, AF_INET6, &u, 64); - if (r < 0) - log_error_errno(r, "Failed to modify ipv6 firewall: %m"); + assert_se(in_addr_from_string(AF_INET6, "dead::beef", &u1) >= 0); + assert_se(in_addr_from_string(AF_INET6, "1c3::c01d", &u2) >= 0); - r = fw_add_masquerade(ctx, false, AF_INET6, &u, 64); - if (r < 0) - log_error_errno(r, "Failed to modify ipv6 firewall: %m"); + prefixlen = random_u64_range(128 + 1 - 8) + 8; + pseudo_random_bytes(&u3, sizeof(u3)); - r = fw_add_local_dnat(ctx, true, AF_INET6, IPPROTO_TCP, 4711, &u, 815, NULL); - if (r < 0) - log_error_errno(r, "Failed to modify firewall: %m"); + assert_se(fw_add_masquerade(&ctx, true, AF_INET6, &u1, 128) >= 0); + assert_se(fw_add_masquerade(&ctx, false, AF_INET6, &u1, 128) >= 0); + assert_se(fw_add_masquerade(&ctx, true, 
AF_INET6, &u1, 64) >= 0); + assert_se(fw_add_masquerade(&ctx, false, AF_INET6, &u1, 64) >= 0); + assert_se(fw_add_masquerade(&ctx, true, AF_INET6, &u3, prefixlen) >= 0); + assert_se(fw_add_masquerade(&ctx, false, AF_INET6, &u3, prefixlen) >= 0); - MAKE_IN6_ADDR_UNION("1c3::c01d", &u2); - r = fw_add_local_dnat(ctx, true, AF_INET6, IPPROTO_TCP, 4711, &u2, 815, &u); - if (r < 0) - log_error_errno(r, "Failed to modify firewall: %m"); + r = fw_add_local_dnat(&ctx, true, AF_INET6, IPPROTO_TCP, 4711, &u1, 815, NULL); + if (r == -EOPNOTSUPP) { + log_info("IPv6 DNAT seems not supported, skipping the following tests."); + return; + } + assert_se(r >= 0); - r = fw_add_local_dnat(ctx, false, AF_INET6, IPPROTO_TCP, 4711, &u2, 815, NULL); - if (r < 0) - log_error_errno(r, "Failed to modify firewall: %m"); + assert_se(fw_add_local_dnat(&ctx, true, AF_INET6, IPPROTO_TCP, 4711, &u2, 815, &u1) >= 0); + assert_se(fw_add_local_dnat(&ctx, false, AF_INET6, IPPROTO_TCP, 4711, &u2, 815, NULL) >= 0); - prefixlen = random_u32() % (128 + 1 - 8); - prefixlen += 8; - pseudo_random_bytes(&u, sizeof(u)); - - r = fw_add_masquerade(ctx, true, AF_INET6, &u, prefixlen); - if (r < 0) - log_error_errno(r, "Failed to modify ipv6 firewall: %m"); +} - r = fw_add_masquerade(ctx, false, AF_INET6, &u, prefixlen); - if (r < 0) - log_error_errno(r, "Failed to modify ipv6 firewall: %m"); +static union in_addr_union *parse_addr(const char *str, union in_addr_union *u) { + assert(str); + assert_se(in_addr_from_string(AF_INET, str, u) >= 0); + return u; } -int main(int argc, char *argv[]) { - _cleanup_(fw_ctx_freep) FirewallContext *ctx; +static bool test_v4(FirewallContext *ctx) { + union in_addr_union u, v; int r; - test_setup_logging(LOG_DEBUG); - uint8_t prefixlen = 32; - r = fw_ctx_new(&ctx); - if (r < 0) - return log_error_errno(r, "Failed to init firewall: %m"); + log_info("/* %s(backend=%s) */", __func__, firewall_backend_to_string(ctx->backend)); + + assert_se(fw_add_masquerade(&ctx, true, AF_INET, NULL, 
0) == -EINVAL); + assert_se(fw_add_masquerade(&ctx, true, AF_INET, parse_addr("10.1.2.0", &u), 0) == -EINVAL); + + r = fw_add_masquerade(&ctx, true, AF_INET, parse_addr("10.1.2.3", &u), 32); + if (r < 0) { + bool ignore = IN_SET(r, -EPERM, -EOPNOTSUPP, -ENOPROTOOPT); - r = fw_add_masquerade(&ctx, true, AF_INET, NULL, 0); - if (r == 0) - log_error("Expected failure: NULL source"); + log_full_errno(ignore ? LOG_DEBUG : LOG_ERR, r, + "Failed to add IPv4 masquerade%s: %m", + ignore ? ", skipping following tests" : ""); - r = fw_add_masquerade(&ctx, true, AF_INET, &MAKE_IN_ADDR_UNION(10,1,2,0), 0); - if (r == 0) - log_error("Expected failure: 0 prefixlen"); + if (ignore) + return false; + } + assert(r >= 0); - r = fw_add_masquerade(&ctx, true, AF_INET, &MAKE_IN_ADDR_UNION(10,1,2,3), prefixlen); - if (r < 0) - log_error_errno(r, "Failed to modify firewall: %m"); + assert_se(fw_add_masquerade(&ctx, true, AF_INET, parse_addr("10.0.2.0", &u), 28) >= 0); + assert_se(fw_add_masquerade(&ctx, false, AF_INET, parse_addr("10.0.2.0", &u), 28) >= 0); + assert_se(fw_add_masquerade(&ctx, false, AF_INET, parse_addr("10.1.2.3", &u), 32) >= 0); + assert_se(fw_add_local_dnat(&ctx, true, AF_INET, IPPROTO_TCP, 4711, parse_addr("1.2.3.4", &u), 815, NULL) >= 0); + assert_se(fw_add_local_dnat(&ctx, true, AF_INET, IPPROTO_TCP, 4711, parse_addr("1.2.3.4", &u), 815, NULL) >= 0); + assert_se(fw_add_local_dnat(&ctx, true, AF_INET, IPPROTO_TCP, 4711, parse_addr("1.2.3.5", &u), 815, parse_addr("1.2.3.4", &v)) >= 0); + assert_se(fw_add_local_dnat(&ctx, false, AF_INET, IPPROTO_TCP, 4711, parse_addr("1.2.3.5", &u), 815, NULL) >= 0); - prefixlen = 28; - r = fw_add_masquerade(&ctx, true, AF_INET, &MAKE_IN_ADDR_UNION(10,0,2,0), prefixlen); - if (r < 0) - log_error_errno(r, "Failed to modify firewall: %m"); + return true; +} - r = fw_add_masquerade(&ctx, false, AF_INET, &MAKE_IN_ADDR_UNION(10,0,2,0), prefixlen); - if (r < 0) - log_error_errno(r, "Failed to modify firewall: %m"); +int main(int argc, char 
*argv[]) { + _cleanup_(fw_ctx_freep) FirewallContext *ctx = NULL; - r = fw_add_masquerade(&ctx, false, AF_INET, &MAKE_IN_ADDR_UNION(10,1,2,3), 32); - if (r < 0) - log_error_errno(r, "Failed to modify firewall: %m"); + test_setup_logging(LOG_DEBUG); - r = fw_add_local_dnat(&ctx, true, AF_INET, IPPROTO_TCP, 4711, &MAKE_IN_ADDR_UNION(1, 2, 3, 4), 815, NULL); - if (r < 0) - log_error_errno(r, "Failed to modify firewall: %m"); + if (getuid() != 0) + return log_tests_skipped("not root"); - r = fw_add_local_dnat(&ctx, true, AF_INET, IPPROTO_TCP, 4711, &MAKE_IN_ADDR_UNION(1, 2, 3, 4), 815, NULL); - if (r < 0) - log_error_errno(r, "Failed to modify firewall: %m"); + assert_se(fw_ctx_new(&ctx) >= 0); - r = fw_add_local_dnat(&ctx, true, AF_INET, IPPROTO_TCP, 4711, &MAKE_IN_ADDR_UNION(1, 2, 3, 5), 815, &MAKE_IN_ADDR_UNION(1, 2, 3, 4)); - if (r < 0) - log_error_errno(r, "Failed to modify firewall: %m"); + if (ctx->backend == FW_BACKEND_NONE) + return EXIT_TEST_SKIP; - r = fw_add_local_dnat(&ctx, false, AF_INET, IPPROTO_TCP, 4711, &MAKE_IN_ADDR_UNION(1, 2, 3, 5), 815, NULL); - if (r < 0) - log_error_errno(r, "Failed to modify firewall: %m"); + if (test_v4(ctx) && ctx->backend == FW_BACKEND_NFTABLES) + test_v6(ctx); - test_v6(&ctx); +#if HAVE_LIBIPTC + if (ctx->backend != FW_BACKEND_IPTABLES) { + ctx->backend = FW_BACKEND_IPTABLES; + test_v4(ctx); + } +#endif return 0; } |
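Review bot: `return log_info("IPv6 is not supported by kernel, skipping tests.");` in the new void function test_v6() returns the value of an expression; if log_info() expands to the int-valued log_internal() call like the other log_* macros in this tree, clang rejects a valued return from a void function and GCC warns under -Wpedantic, so write it as `log_info("IPv6 is not supported by kernel, skipping tests."); return;` (or `return (void) log_info(...)`). Separately, test_v6() and test_v4() now take `FirewallContext *ctx` by value and pass `&ctx` to fw_add_masquerade()/fw_add_local_dnat(), whose first parameter is a `FirewallContext **` (the old code passed main's `&ctx` straight through); should either helper ever replace or re-create `*ctx`, the new pointer would live only in the callee's local copy and main's `_cleanup_(fw_ctx_freep)` pointer would be stale, so a comment such as `/* ctx must already be initialised; the helpers never replace it */` above test_v4() would make that assumption explicit. Lastly, the HAVE_LIBIPTC block in main() flips `ctx->backend` to FW_BACKEND_IPTABLES on a context that fw_ctx_new() set up for the detected backend; whether the iptables path needs per-context state that fw_ctx_new() only prepares when it selects that backend is not visible in this hunk and is worth confirming before relying on the second test_v4() run.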