diff options
| author | Lorenzo Colitti <lorenzo@google.com> | 2017-03-30 02:50:09 +0900 |
|---|---|---|
| committer | Lorenzo Colitti <lorenzo@google.com> | 2017-03-30 03:31:54 +0900 |
| commit | 50b198a4656cf11d92339e6c4ec5dafa19dcf625 (patch) | |
| tree | ec0fc4fdfd6c7f6fa94d518879e3a627b235bb72 /server/FirewallControllerTest.cpp | |
| parent | 4793a62f67baa9e6bd9e9d495023a943dec4843d (diff) | |
| download | platform_system_netd-50b198a4656cf11d92339e6c4ec5dafa19dcf625.tar.gz platform_system_netd-50b198a4656cf11d92339e6c4ec5dafa19dcf625.tar.bz2 platform_system_netd-50b198a4656cf11d92339e6c4ec5dafa19dcf625.zip | |
Really always allow networking on loopback.
https://android-review.googlesource.com/#/c/294359/ attempted to
allow networking on loopback, but actually does not do anything
because no packet has both -i lo and -o lo: loopback packets have
-i lo in INPUT and -o lo in OUTPUT.
Test: bullhead builds, boots
Test: netd_{unit,integration}_test pass
Test: loopback traffic is matched by new "-i lo" and "-o lo" rules
Test: originated and received traffic is not matched by new rules
Bug: 34444781
Change-Id: I090cbeafce5bbdcf36a7aecaafbf832feddc06e1
Diffstat (limited to 'server/FirewallControllerTest.cpp')
| -rw-r--r-- | server/FirewallControllerTest.cpp | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/server/FirewallControllerTest.cpp b/server/FirewallControllerTest.cpp index 9d4363629..f709cda7a 100644 --- a/server/FirewallControllerTest.cpp +++ b/server/FirewallControllerTest.cpp @@ -52,7 +52,8 @@ TEST_F(FirewallControllerTest, TestCreateWhitelistChain) { std::vector<std::string> expectedRestore4 = { "*filter", ":fw_whitelist -", - "-A fw_whitelist -i lo -o lo -j RETURN", + "-A fw_whitelist -i lo -j RETURN", + "-A fw_whitelist -o lo -j RETURN", "-A fw_whitelist -p tcp --tcp-flags RST RST -j RETURN", "-A fw_whitelist -m owner --uid-owner 0-9999 -j RETURN", "-A fw_whitelist -j DROP", @@ -61,7 +62,8 @@ TEST_F(FirewallControllerTest, TestCreateWhitelistChain) { std::vector<std::string> expectedRestore6 = { "*filter", ":fw_whitelist -", - "-A fw_whitelist -i lo -o lo -j RETURN", + "-A fw_whitelist -i lo -j RETURN", + "-A fw_whitelist -o lo -j RETURN", "-A fw_whitelist -p tcp --tcp-flags RST RST -j RETURN", "-A fw_whitelist -p icmpv6 --icmpv6-type packet-too-big -j RETURN", "-A fw_whitelist -p icmpv6 --icmpv6-type router-solicitation -j RETURN", @@ -86,7 +88,8 @@ TEST_F(FirewallControllerTest, TestCreateBlacklistChain) { std::vector<std::string> expectedRestore = { "*filter", ":fw_blacklist -", - "-A fw_blacklist -i lo -o lo -j RETURN", + "-A fw_blacklist -i lo -j RETURN", + "-A fw_blacklist -o lo -j RETURN", "-A fw_blacklist -p tcp --tcp-flags RST RST -j RETURN", "COMMIT\n" }; @@ -131,7 +134,8 @@ TEST_F(FirewallControllerTest, TestReplaceWhitelistUidRule) { std::string expected = "*filter\n" ":FW_whitechain -\n" - "-A FW_whitechain -i lo -o lo -j RETURN\n" + "-A FW_whitechain -i lo -j RETURN\n" + "-A FW_whitechain -o lo -j RETURN\n" "-A FW_whitechain -p tcp --tcp-flags RST RST -j RETURN\n" "-A FW_whitechain -p icmpv6 --icmpv6-type packet-too-big -j RETURN\n" "-A FW_whitechain -p icmpv6 --icmpv6-type router-solicitation -j RETURN\n" @@ -158,7 +162,8 @@ TEST_F(FirewallControllerTest, TestReplaceBlacklistUidRule) { std::string expected = "*filter\n" ":FW_blackchain -\n" - "-A FW_blackchain -i lo -o lo -j RETURN\n" + "-A FW_blackchain -i lo -j RETURN\n" + "-A FW_blackchain -o lo -j RETURN\n" "-A FW_blackchain -p tcp --tcp-flags RST RST -j RETURN\n" "-A FW_blackchain -m owner --uid-owner 10023 -j DROP\n" "-A FW_blackchain -m owner --uid-owner 10059 -j DROP\n" |