diff --git a/.buildkite/pipeline.yaml b/.buildkite/pipeline.yaml index 1b9589a3a8..d4830bf70c 100644 --- a/.buildkite/pipeline.yaml +++ b/.buildkite/pipeline.yaml @@ -483,6 +483,15 @@ steps: <<: *ubuntu_agents # This test is flaky on old agents. cgroup: "v2" + - <<: *common + <<: *source_test + label: ":table: Native NFTable Syscall tests" + command: make nftables-syscall-tests + agents: + <<: *ubuntu_agents + # Test is only validated to run on newer agents, older kernels have + # different implementation behaviour. + cgroup: "v2" # Runtime tests. - <<: *common diff --git a/Makefile b/Makefile index 7f613ea689..0e67b4e521 100644 --- a/Makefile +++ b/Makefile @@ -435,6 +435,12 @@ nftables-tests: load-nftables $(RUNTIME_BIN) @$(call test_runtime,$(RUNTIME),--test_env=TEST_NET_RAW=true //test/nftables:nftables_test) .PHONY: nftables-tests +nftables-syscall-tests: load-basic + @sudo modprobe nfnetlink + @sudo modprobe nf_tables + @$(call sudo,--runtime=runc //test/syscalls/linux:socket_netlink_netfilter_test) +.PHONY: nftables-syscall-tests + packetdrill-tests: load-packetdrill $(RUNTIME_BIN) @$(call install_runtime,$(RUNTIME),) # Clear flags. @$(call test_runtime,$(RUNTIME),//test/packetdrill:all_tests) diff --git a/test/syscalls/linux/BUILD b/test/syscalls/linux/BUILD index 03b5b4c3c9..6e34bce2fb 100644 --- a/test/syscalls/linux/BUILD +++ b/test/syscalls/linux/BUILD @@ -3544,6 +3544,7 @@ cc_binary( "//test/util:socket_util", "//test/util:test_main", "//test/util:test_util", + "@com_google_absl//absl/strings", "@com_google_absl//absl/strings:str_format", ], ) @@ -3729,7 +3730,10 @@ cc_library( ":socket_netlink_util", "//test/util:file_descriptor", "//test/util:posix_error", + "//test/util:save_util", + "//test/util:test_util", "@com_google_absl//absl/log", + "@com_google_absl//absl/strings:string_view", ], ) diff --git a/test/syscalls/linux/socket_netlink_netfilter.cc b/test/syscalls/linux/socket_netlink_netfilter.cc index c671eccc89..96c5453c43 100644 
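Review bot: The comment on the new step says older kernels behave differently, but the only selector applied is `cgroup: "v2"`, which is a proxy for agent age rather than a kernel-version constraint, so a v2 agent with an older kernel would still pick up the step. Spell out the real requirement so the proxy can be revisited when agents change, e.g. `# Needs a kernel whose nf_tables behaviour matches the expectations in socket_netlink_netfilter_test; cgroup v2 is used as a proxy for a recent enough agent kernel.`.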
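Review bot: The new `nftables-syscall-tests` target runs the suite natively against the host kernel (`modprobe nf_tables` followed by `--runtime=runc`), and some of the tests it runs issue `deltable` with the `unspec` family and no name, which removes every nftables table in whatever network namespace the test process lands in; others install base chains such as a PRE_ROUTING chain with an `NF_DROP` policy. Unless the `sudo` helper already gives the binary a private netns (not visible here), a run with host networking would wipe the host ruleset or act on live traffic. I would state the isolation the recipe relies on, `# Runs against the host nf_tables; the tests delete tables and install hooks, so the runtime must give the test its own netns.`, or wrap the invocation in `unshare -n` if the helper does not already isolate it. The unguarded `modprobe` calls are fine, since they also succeed for built-in modules.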
--- a/test/syscalls/linux/socket_netlink_netfilter.cc +++ b/test/syscalls/linux/socket_netlink_netfilter.cc @@ -32,6 +32,7 @@ #include "gmock/gmock.h" #include "gtest/gtest.h" +#include "absl/strings/str_cat.h" #include "absl/strings/str_format.h" #include "test/syscalls/linux/socket_netlink_netfilter_util.h" #include "test/syscalls/linux/socket_netlink_util.h" @@ -53,6 +54,7 @@ namespace { constexpr uint32_t kSeq = 12345; using ::testing::_; +using ::testing::UnitTest; using SockOptTest = ::testing::TestWithParam< std::tuple, std::string>>; @@ -86,6 +88,11 @@ std::function IsEqual(int target) { return [target](int val) { return val == target; }; } +std::string GetUniqueTestTableName() { + return absl::StrCat("table_", + UnitTest::GetInstance()->current_test_info()->name()); +} + INSTANTIATE_TEST_SUITE_P( NetlinkNetfilterTest, SockOptTest, ::testing::Values( 
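Review bot: `GetUniqueTestTableName` is undocumented and its guarantee is narrower than the name suggests: the name is unique per test case within one process, not across repeated runs or shards sharing a kernel/netns, so a test that leaves its table behind finds it again on the next run. Add `// Derives the table name from the running gtest case so leftovers from one test cannot collide with another's; stays well under NFT_NAME_MAXLEN (256). Only valid inside a running test.` above it. `current_test_info()` returns null when no test is running, so the helper must never be called from static initialisers.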
@@ -101,44 +108,20 @@ INSTANTIATE_TEST_SUITE_P( NETLINK_NETFILTER)), std::make_tuple(SO_PASSCRED, IsEqual(0), "0"))); -class NetlinkNetfilterTest : public ::testing::Test { - protected: - void SetUp() override {} - - // Cleans up any tables created by a test, after it has run. - void TearDown() override { - SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); - - std::vector destroy_request_buffer = - NlBatchReq() - .SeqStart(kSeq) - .Req(NlReq("deltable req ack unspec").Seq(kSeq + 1).Build()) - .SeqEnd(kSeq + 2) - .Build(); - - ASSERT_NO_ERRNO(NetlinkNetfilterBatchRequestAckOrError( - fd, kSeq, kSeq + 2, destroy_request_buffer.data(), - destroy_request_buffer.size())); - } -}; - // Netlink sockets must be SOCK_DGRAM or SOCK_RAW. -TEST_F(NetlinkNetfilterTest, CanCreateSocket) { +TEST(NetlinkNetfilterTest, CanCreateSocket) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); EXPECT_THAT(fd.get(), SyscallSucceeds()); } -TEST_F(NetlinkNetfilterTest, AddAndAddTableWithDormantFlag) { +TEST(NetlinkNetfilterTest, AddAndAddTableWithDormantFlag) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table"; + SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_ADMIN))); + std::string test_table_name = GetUniqueTestTableName(); uint32_t table_flags = NFT_TABLE_F_DORMANT; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); // Assuming two separate transactions. std::vector add_request_buffer = 
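Review bot: The new `SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_ADMIN)))` is added only to `AddAndAddTableWithDormantFlag`, while every other test in the file still gates on `CAP_NET_RAW` alone; nfnetlink on native Linux requires CAP_NET_ADMIN in the socket's network namespace, so an unprivileged run reports EPERM failures in those tests instead of skips. Apply the same line next to each existing CAP_NET_RAW skip, or fold both checks into one `SkipIfNoNetfilterCaps()` helper used by all tests. Removing the fixture `TearDown` also removes the only cleanup for tests that never delete what they create (the `ErrAddExisting*` tests, `AddChainWithName`), so per-test cleanup now has to be explicit everywhere, not just in the tests this commit touches.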
@@ -168,11 +151,13 @@ TEST_F(NetlinkNetfilterTest, AddAndAddTableWithDormantFlag) { ASSERT_NO_ERRNO(NetlinkNetfilterBatchRequestAckOrError( fd, kSeq + 3, kSeq + 5, add_request_buffer_2.data(), add_request_buffer_2.size())); + + ASSERT_NO_ERRNO(DestroyNetfilterTable(fd, test_table_name, kSeq + 6)); } -TEST_F(NetlinkNetfilterTest, AddAndRetrieveNewTable) { +TEST(NetlinkNetfilterTest, AddAndRetrieveNewTable) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_tab_add_retrieve"; + std::string test_table_name = GetUniqueTestTableName(); uint32_t table_flags = NFT_TABLE_F_DORMANT | NFT_TABLE_F_OWNER; uint8_t expected_udata[] = {0x01, 0x02, 0x03, 0x04}; uint32_t expected_chain_count = 0; @@ -180,8 +165,7 @@ TEST_F(NetlinkNetfilterTest, AddAndRetrieveNewTable) { size_t expected_udata_size = sizeof(expected_udata); bool correct_response = false; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); uint32_t expected_owner = ASSERT_NO_ERRNO_AND_VALUE(NetlinkPortID(fd.get())); std::vector add_request_buffer = @@ -229,15 +213,14 @@ TEST_F(NetlinkNetfilterTest, AddAndRetrieveNewTable) { ASSERT_TRUE(correct_response); } -TEST_F(NetlinkNetfilterTest, GetDumpTables) { +TEST(NetlinkNetfilterTest, GetDumpTables) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); SKIP_IF(!IsRunningOnGvisor()); - const char test_table_name[] = "test_tab_one"; + std::string test_table_name = GetUniqueTestTableName(); const char test_table_name_2[] = "test_tab_two"; uint32_t expected_chain_count = 0; uint32_t expected_flags = 0; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_request_buffer = NlBatchReq() 
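Review bot: The cleanup `DestroyNetfilterTable(fd, test_table_name, kSeq + 6)` only runs if every earlier ASSERT in the test passes; a failure mid-test returns before it, and with the fixture TearDown gone nothing else removes the table, so the leftover persists in that netns for later runs. A scope-exit cleanup registered right after the socket is created would be more robust (`absl::Cleanup`, which needs `@com_google_absl//absl/cleanup` in BUILD), or at minimum note the limitation: `// Best-effort cleanup; skipped if an ASSERT above fails.`. `AddAndRetrieveNewTable` gets no explicit cleanup at all; it sets `NFT_TABLE_F_OWNER`, which presumably makes the kernel release the table when `fd` closes, but that reliance deserves a one-line comment.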
@@ -272,7 +255,7 @@ TEST_F(NetlinkNetfilterTest, GetDumpTables) { const struct nfattr* table_name_attr = FindNfAttr(hdr, nullptr, NFTA_TABLE_NAME); - EXPECT_NE(table_name_attr, nullptr); + ASSERT_NE(table_name_attr, nullptr); std::string table_name( reinterpret_cast(NFA_DATA(table_name_attr))); @@ -291,11 +274,10 @@ TEST_F(NetlinkNetfilterTest, GetDumpTables) { ASSERT_TRUE(expected_tables.empty()); } -TEST_F(NetlinkNetfilterTest, ErrGettingTableWithDifferentFamily) { +TEST(NetlinkNetfilterTest, ErrGettingTableWithDifferentFamily) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_tab_different_families"; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_request_buffer = NlBatchReq() @@ -325,12 +307,11 @@ TEST_F(NetlinkNetfilterTest, ErrGettingTableWithDifferentFamily) { PosixErrorIs(ENOENT, _)); } -TEST_F(NetlinkNetfilterTest, ErrAddExistingTableWithExclusiveFlag) { +TEST(NetlinkNetfilterTest, ErrAddExistingTableWithExclusiveFlag) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "err_exclusive"; + std::string test_table_name = GetUniqueTestTableName(); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); // Assuming two separate transactions. std::vector add_request_buffer = 
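Review bot: `std::string table_name(reinterpret_cast<const char*>(NFA_DATA(table_name_attr)))` reads until a NUL with no bound, trusting the sender to terminate NFTA_TABLE_NAME; the kernel validates that attribute as a NUL string, but this test also runs against gVisor's implementation, where a bug would become an over-read inside the test process rather than a failed expectation. The attribute length is right there, as `DeleteTableByHandle` already uses `nfa_len - NLA_HDRLEN`, so bound the read: `const char* p = reinterpret_cast<const char*>(NFA_DATA(table_name_attr)); std::string table_name(p, strnlen(p, table_name_attr->nfa_len - NLA_HDRLEN));` (needs `<cstring>`). Upgrading to `ASSERT_NE` for the null case is the right call.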
@@ -362,12 +343,11 @@ TEST_F(NetlinkNetfilterTest, ErrAddExistingTableWithExclusiveFlag) { PosixErrorIs(EEXIST, _)); } -TEST_F(NetlinkNetfilterTest, ErrAddExistingTableWithReplaceFlag) { +TEST(NetlinkNetfilterTest, ErrAddExistingTableWithReplaceFlag) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "err_replace"; + std::string test_table_name = GetUniqueTestTableName(); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); // Assuming two separate transactions. std::vector add_request_buffer = @@ -399,13 +379,12 @@ TEST_F(NetlinkNetfilterTest, ErrAddExistingTableWithReplaceFlag) { PosixErrorIs(ENOTSUP, _)); } -TEST_F(NetlinkNetfilterTest, ErrAddTableWithInvalidFamily) { +TEST(NetlinkNetfilterTest, ErrAddTableWithInvalidFamily) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); uint8_t invalid_family = 255; - const char test_table_name[] = "unsupported_family_table"; + std::string test_table_name = GetUniqueTestTableName(); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_request_buffer = NlBatchReq() @@ -424,13 +403,12 @@ TEST_F(NetlinkNetfilterTest, ErrAddTableWithInvalidFamily) { PosixErrorIs(ENOTSUP, _)); } -TEST_F(NetlinkNetfilterTest, ErrAddTableWithUnsupportedFlags) { +TEST(NetlinkNetfilterTest, ErrAddTableWithUnsupportedFlags) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); uint32_t unsupported_flags = 0xFFFFFFFF; - const char test_table_name[] = "test_table"; + std::string test_table_name = GetUniqueTestTableName(); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_request_buffer = NlBatchReq() 
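Review bot: `ErrAddExistingTableWithReplaceFlag` (and `ErrAddExistingTableWithExclusiveFlag` above it) creates its table in the first batch and, now that the fixture TearDown is gone, nothing deletes it after the error expectation; the unique name avoids cross-test collisions, but the table accumulates across runs in the same netns on native Linux. Add `ASSERT_NO_ERRNO(DestroyNetfilterTable(fd, test_table_name, kSeq + N));` after the final `PosixErrorIs(...)` check, with N the next free sequence number for that test. Both test bodies end within the hunks on this line.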
@@ -449,11 +427,10 @@ TEST_F(NetlinkNetfilterTest, ErrAddTableWithUnsupportedFlags) { PosixErrorIs(ENOTSUP, _)); } -TEST_F(NetlinkNetfilterTest, ErrRetrieveNoSpecifiedNameTable) { +TEST(NetlinkNetfilterTest, ErrRetrieveNoSpecifiedNameTable) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector get_request_buffer = NlReq("gettable req ack inet").Seq(kSeq).Build(); @@ -463,12 +440,11 @@ TEST_F(NetlinkNetfilterTest, ErrRetrieveNoSpecifiedNameTable) { PosixErrorIs(EINVAL, _)); } -TEST_F(NetlinkNetfilterTest, ErrRetrieveNonexistentTable) { +TEST(NetlinkNetfilterTest, ErrRetrieveNonexistentTable) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "undefined_table"; + std::string test_table_name = GetUniqueTestTableName(); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector get_request_buffer = NlReq("gettable req ack inet") @@ -481,11 +457,10 @@ TEST_F(NetlinkNetfilterTest, ErrRetrieveNonexistentTable) { PosixErrorIs(ENOENT, _)); } -TEST_F(NetlinkNetfilterTest, DeleteExistingTableByName) { +TEST(NetlinkNetfilterTest, DeleteExistingTableByName) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_name_delete"; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_request_buffer = NlBatchReq() 
@@ -515,13 +490,12 @@ TEST_F(NetlinkNetfilterTest, DeleteExistingTableByName) { del_request_buffer.size())); } -TEST_F(NetlinkNetfilterTest, DeleteTableByHandle) { +TEST(NetlinkNetfilterTest, DeleteTableByHandle) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); // Retrieve the actual table handle from the kernel with a GET request. uint64_t expected_handle = 0; - const char test_table_name[] = "test_table_handle_delete"; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_request_buffer = NlBatchReq() @@ -548,7 +522,7 @@ TEST_F(NetlinkNetfilterTest, DeleteTableByHandle) { fd, get_request_buffer.data(), get_request_buffer.size(), [&](const struct nlmsghdr* hdr) { const nfattr* attr = FindNfAttr(hdr, nullptr, NFTA_TABLE_HANDLE); - EXPECT_NE(attr, nullptr); + ASSERT_NE(attr, nullptr); EXPECT_EQ(attr->nfa_type, NFTA_TABLE_HANDLE); EXPECT_EQ(attr->nfa_len - NLA_HDRLEN, sizeof(expected_handle)); expected_handle = @@ -572,12 +546,11 @@ TEST_F(NetlinkNetfilterTest, DeleteTableByHandle) { del_request_buffer.size())); } -TEST_F(NetlinkNetfilterTest, ErrDeleteNonexistentTable) { +TEST(NetlinkNetfilterTest, ErrDeleteNonexistentTable) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "nonexistent_table"; + std::string test_table_name = GetUniqueTestTableName(); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector del_request_buffer = NlBatchReq() 
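Review bot: `ASSERT_NE(attr, nullptr)` inside the dump callback only returns from the lambda, not from the test, so on a missing NFTA_TABLE_HANDLE the test continues with `expected_handle == 0` and still sends the delete-by-handle request; the failure is recorded, but the later expectations then report on the wrong request. Check for the fatal failure once the dump returns, before building `del_request_buffer`: `ASSERT_FALSE(::testing::Test::HasFatalFailure());` and, if handles are 1-based on both platforms, `ASSERT_NE(expected_handle, 0u);`. The middle of `DeleteTableByHandle` sits between the two hunks on this line.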
@@ -595,12 +568,11 @@ TEST_F(NetlinkNetfilterTest, ErrDeleteNonexistentTable) { PosixErrorIs(ENOENT, _)); } -TEST_F(NetlinkNetfilterTest, DestroyNonexistentTable) { +TEST(NetlinkNetfilterTest, DestroyNonexistentTable) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "nonexistent_table"; + std::string test_table_name = GetUniqueTestTableName(); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector destroy_request_buffer = NlBatchReq() @@ -617,13 +589,12 @@ TEST_F(NetlinkNetfilterTest, DestroyNonexistentTable) { destroy_request_buffer.size())); } -TEST_F(NetlinkNetfilterTest, DeleteAllTablesUnspecifiedFamily) { +TEST(NetlinkNetfilterTest, DeleteAllTablesUnspecifiedFamily) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); char test_table_name_inet[] = "test_table_inet"; char test_table_name_arp[] = "test_table_arp"; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_request_buffer = NlBatchReq() @@ -673,13 +644,12 @@ TEST_F(NetlinkNetfilterTest, DeleteAllTablesUnspecifiedFamily) { PosixErrorIs(ENOENT, _)); } -TEST_F(NetlinkNetfilterTest, DeleteAllTablesUnspecifiedFamilySpecifiedName) { +TEST(NetlinkNetfilterTest, DeleteAllTablesUnspecifiedFamilySpecifiedName) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); char test_table_name_same[] = "test_same_name_table"; char test_table_name_different[] = "test_different_name_table"; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_request_buffer = NlBatchReq() 
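Review bot: `DeleteAllTablesUnspecifiedFamily` runs on native Linux without a `SKIP_IF(!IsRunningOnGvisor())`, and a `deltable` with the `unspec` family and no name removes every table in the namespace the process sees — anything other tests left behind and, with host networking, the host's ruleset — so the test is both destructive and order-dependent outside the sandbox. Either gate it like `GetDumpTables`, or make the expectation robust to pre-existing tables by verifying only that the two named tables are gone. The hard-coded `test_table_inet`/`test_table_arp` names are also the remaining exceptions to the `GetUniqueTestTableName()` convention this commit introduces; suffixing them with the test name keeps the unique-name guarantee.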
@@ -749,7 +719,7 @@ TEST_F(NetlinkNetfilterTest, DeleteAllTablesUnspecifiedFamilySpecifiedName) { [&](const struct nlmsghdr* hdr) { const struct nfattr* table_name_attr = FindNfAttr(hdr, nullptr, NFTA_TABLE_NAME); - EXPECT_NE(table_name_attr, nullptr); + ASSERT_NE(table_name_attr, nullptr); EXPECT_EQ(table_name_attr->nfa_type, NFTA_TABLE_NAME); std::string name( reinterpret_cast(NFA_DATA(table_name_attr))); @@ -761,13 +731,12 @@ TEST_F(NetlinkNetfilterTest, DeleteAllTablesUnspecifiedFamilySpecifiedName) { ASSERT_TRUE(correct_response); } -TEST_F(NetlinkNetfilterTest, DeleteAllTablesUnspecifiedNameAndHandle) { +TEST(NetlinkNetfilterTest, DeleteAllTablesUnspecifiedNameAndHandle) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); char test_table_name_inet[] = "test_table_inet"; char test_table_name_arp[] = "test_table_arp"; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_request_buffer = NlBatchReq() @@ -817,12 +786,11 @@ TEST_F(NetlinkNetfilterTest, DeleteAllTablesUnspecifiedNameAndHandle) { PosixErrorIs(ENOENT, _)); } -TEST_F(NetlinkNetfilterTest, ErrNewChainWithNoSpecifiedTableName) { +TEST(NetlinkNetfilterTest, ErrNewChainWithNoSpecifiedTableName) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_chain"; + std::string test_table_name = GetUniqueTestTableName(); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); // Kept separate to make clear that the chain request is the one that // fails. 
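Review bot: The `std::string name(reinterpret_cast<const char*>(NFA_DATA(table_name_attr)))` in the callback has the same unbounded read as in `GetDumpTables`: it relies on the implementation under test NUL-terminating NFTA_TABLE_NAME, which is exactly the kind of invariant a conformance test should not assume. Bound it with the attribute length: `const char* p = reinterpret_cast<const char*>(NFA_DATA(table_name_attr)); std::string name(p, strnlen(p, table_name_attr->nfa_len - NLA_HDRLEN));`. `DeleteAllTablesUnspecifiedFamilySpecifiedName` also keeps hard-coded `test_same_name_table`/`test_different_name_table` rather than deriving them from the test name as the rest of the commit does.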
@@ -852,12 +820,11 @@ TEST_F(NetlinkNetfilterTest, ErrNewChainWithNoSpecifiedTableName) { PosixErrorIs(EINVAL, _)); } -TEST_F(NetlinkNetfilterTest, ErrNewChainWithNonexistentTable) { +TEST(NetlinkNetfilterTest, ErrNewChainWithNonexistentTable) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_no_table_chain"; + std::string test_table_name = GetUniqueTestTableName(); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_chain_request_buffer = NlBatchReq() @@ -875,12 +842,11 @@ TEST_F(NetlinkNetfilterTest, ErrNewChainWithNonexistentTable) { PosixErrorIs(ENOENT, _)); } -TEST_F(NetlinkNetfilterTest, ErrNewChainWithNoSpecifiedNameOrHandle) { +TEST(NetlinkNetfilterTest, ErrNewChainWithNoSpecifiedNameOrHandle) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_no_name_or_handle_chain"; + std::string test_table_name = GetUniqueTestTableName(); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); // Kept separate to make clear that the chain request is the one that // fails. 
@@ -913,13 +879,12 @@ TEST_F(NetlinkNetfilterTest, ErrNewChainWithNoSpecifiedNameOrHandle) { PosixErrorIs(EINVAL, _)); } -TEST_F(NetlinkNetfilterTest, ErrNewChainWithPolicySet) { +TEST(NetlinkNetfilterTest, ErrNewChainWithPolicySet) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_reg_chain"; + std::string test_table_name = GetUniqueTestTableName(); const char test_chain_name[] = "test_chain"; const uint32_t test_policy = NF_ACCEPT; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_table_request_buffer = NlBatchReq() @@ -952,17 +917,16 @@ TEST_F(NetlinkNetfilterTest, ErrNewChainWithPolicySet) { PosixErrorIs(ENOTSUP, _)); } -TEST_F(NetlinkNetfilterTest, ErrNewBaseChainWithInvalidPolicy) { +TEST(NetlinkNetfilterTest, ErrNewBaseChainWithInvalidPolicy) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_chain_hook"; + std::string test_table_name = GetUniqueTestTableName(); const char test_chain_name[] = "test_chain_bad_policy"; const char test_chain_type_name[] = "filter"; const uint32_t test_policy = 1 << 3; const uint32_t test_hook_num = NF_INET_PRE_ROUTING; const uint32_t test_hook_priority = 0; const uint32_t test_chain_flags = NFT_CHAIN_BASE; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector nested_hook_data = NlNestedAttr() 
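Review bot: `const uint32_t test_policy = 1 << 3;` in `ErrNewBaseChainWithInvalidPolicy` is a magic value with no explanation of why it is invalid, while the test above uses the named `NF_ACCEPT`. A one-line comment states the contract being tested: `// 8 is neither NF_DROP (0) nor NF_ACCEPT (1), the only policies a base chain may carry.`. The chain name `test_chain_bad_policy` is then reused by the following tests for chains that have nothing to do with policy; a per-test name (or one derived like the table name) would make failure output self-describing.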
@@ -1005,9 +969,9 @@ TEST_F(NetlinkNetfilterTest, ErrNewBaseChainWithInvalidPolicy) { PosixErrorIs(EINVAL, _)); } -TEST_F(NetlinkNetfilterTest, ErrNewBaseChainWithInvalidFlags) { +TEST(NetlinkNetfilterTest, ErrNewBaseChainWithInvalidFlags) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_chain_hook"; + std::string test_table_name = GetUniqueTestTableName(); const char test_chain_name[] = "test_chain_bad_policy"; const uint32_t test_policy = NF_ACCEPT; const uint8_t test_hook = NF_INET_PRE_ROUTING; @@ -1015,8 +979,7 @@ TEST_F(NetlinkNetfilterTest, ErrNewBaseChainWithInvalidFlags) { // Only NFT_CHAIN_BASE, NFT_CHAIN_HW_OFFLOAD, and NFT_CHAIN_BINDING are // valid flags that should be set by users. const uint32_t test_chain_flags = 1 << 3; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector nested_hook_data = NlNestedAttr() @@ -1058,16 +1021,15 @@ TEST_F(NetlinkNetfilterTest, ErrNewBaseChainWithInvalidFlags) { PosixErrorIs(ENOTSUP, _)); } -TEST_F(NetlinkNetfilterTest, - ErrNewBaseChainWithMalformedHookDataMissingPriority) { +TEST(NetlinkNetfilterTest, + ErrNewBaseChainWithMalformedHookDataMissingPriority) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_chain_hook"; + std::string test_table_name = GetUniqueTestTableName(); const char test_chain_name[] = "test_chain_bad_policy"; const uint32_t test_policy = NF_ACCEPT; const uint32_t test_hook_num = NF_INET_PRE_ROUTING; const uint32_t test_chain_flags = NFT_CHAIN_BASE; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_table_request_buffer = NlBatchReq() 
@@ -1106,16 +1068,14 @@ TEST_F(NetlinkNetfilterTest, PosixErrorIs(ENOENT, _)); } -TEST_F(NetlinkNetfilterTest, - ErrNewBaseChainWithMalformedHookDataMissingHookNum) { +TEST(NetlinkNetfilterTest, ErrNewBaseChainWithMalformedHookDataMissingHookNum) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_chain_hook"; + std::string test_table_name = GetUniqueTestTableName(); const char test_chain_name[] = "test_chain_bad_policy"; const uint32_t test_policy = NF_ACCEPT; const uint32_t test_hook_priority = 10; const uint32_t test_chain_flags = NFT_CHAIN_BASE; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector nested_hook_data = NlNestedAttr().U32Attr(NFTA_HOOK_PRIORITY, test_hook_priority).Build(); @@ -1145,19 +1105,18 @@ TEST_F(NetlinkNetfilterTest, PosixErrorIs(ENOENT, _)); } -TEST_F(NetlinkNetfilterTest, ErrNewBaseChainWithInvalidChainType) { +TEST(NetlinkNetfilterTest, ErrNewBaseChainWithInvalidChainType) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); // TODO: b/421437663 - Fix this error test for native Linux. SKIP_IF(!IsRunningOnGvisor()); - const char test_table_name[] = "test_table_chain_hook"; + std::string test_table_name = GetUniqueTestTableName(); const char test_chain_name[] = "test_chain_bad_policy"; const char test_chain_type_name[] = "test_chain_type_invalid"; const uint32_t test_policy = NF_ACCEPT; const uint32_t test_hook_num = NF_INET_PRE_ROUTING; const uint32_t test_hook_priority = 10; const uint32_t test_chain_flags = NFT_CHAIN_BASE; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector nested_hook_data = NlNestedAttr() 
@@ -1191,64 +1150,18 @@ TEST_F(NetlinkNetfilterTest, ErrNewBaseChainWithInvalidChainType) { PosixErrorIs(ENOENT, _)); } -TEST_F(NetlinkNetfilterTest, - ErrNewBaseChainWithUnsupportedFamilyChainTypePair) { - SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_chain_hook"; - const char test_chain_name[] = "test_chain_bad_policy"; - const char test_chain_type_name[] = "route"; - const uint32_t test_policy = NF_ACCEPT; - const uint32_t test_hook_num = NF_INET_PRE_ROUTING; - const uint32_t test_hook_priority = 10; - const uint32_t test_chain_flags = NFT_CHAIN_BASE; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); - - std::vector nested_hook_data = - NlNestedAttr() - .U32Attr(NFTA_HOOK_HOOKNUM, test_hook_num) - .U32Attr(NFTA_HOOK_PRIORITY, test_hook_priority) - .StrAttr(NFTA_CHAIN_TYPE, test_chain_type_name) - .Build(); - - std::vector add_request_buffer = - NlBatchReq() - .SeqStart(kSeq) - .Req(NlReq("newtable req ack arp") - .Seq(kSeq + 1) - .StrAttr(NFTA_TABLE_NAME, test_table_name) - .Build()) - .Req(NlReq("newchain req ack arp") - .Seq(kSeq + 2) - .StrAttr(NFTA_CHAIN_TABLE, test_table_name) - .StrAttr(NFTA_CHAIN_NAME, test_chain_name) - .U32Attr(NFTA_CHAIN_POLICY, test_policy) - .RawAttr(NFTA_CHAIN_HOOK, nested_hook_data.data(), - nested_hook_data.size()) - .U32Attr(NFTA_CHAIN_FLAGS, test_chain_flags) - .Build()) - .SeqEnd(kSeq + 3) - .Build(); - - ASSERT_THAT(NetlinkNetfilterBatchRequestAckOrError(fd, kSeq, kSeq + 3, - add_request_buffer.data(), - add_request_buffer.size()), - PosixErrorIs(ENOTSUP, _)); -} - -TEST_F(NetlinkNetfilterTest, ErrNewNATBaseChainWithInvalidPriority) { +TEST(NetlinkNetfilterTest, ErrNewNATBaseChainWithInvalidPriority) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); // TODO: b/421437663 - Fix this error test for native Linux. 
SKIP_IF(!IsRunningOnGvisor()); - const char test_table_name[] = "test_table_chain_hook"; + std::string test_table_name = GetUniqueTestTableName(); const char test_chain_name[] = "test_chain_bad_policy"; const char test_chain_type_name[] = "nat"; const uint32_t test_policy = NF_ACCEPT; const uint32_t test_hook_num = NF_INET_PRE_ROUTING; const uint32_t test_hook_priority = -250; const uint32_t test_chain_flags = NFT_CHAIN_BASE; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector nested_hook_data = NlNestedAttr() @@ -1282,19 +1195,18 @@ TEST_F(NetlinkNetfilterTest, ErrNewNATBaseChainWithInvalidPriority) { PosixErrorIs(ENOTSUP, _)); } -TEST_F(NetlinkNetfilterTest, ErrUnsupportedNewNetDevBaseChain) { +TEST(NetlinkNetfilterTest, ErrUnsupportedNewNetDevBaseChain) { // TODO: b/434243967 - Remove when netdev chains are supported. SKIP_IF(!IsRunningOnGvisor()); SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_chain_hook"; + std::string test_table_name = GetUniqueTestTableName(); const char test_chain_name[] = "test_chain_bad_policy"; const char test_chain_type_name[] = "filter"; const uint32_t test_policy = NF_ACCEPT; const uint32_t test_hook_num = NF_NETDEV_INGRESS; const uint32_t test_hook_priority = 10; const uint32_t test_chain_flags = NFT_CHAIN_BASE; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector nested_hook_data = NlNestedAttr() 
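Review bot: Deleting `ErrNewBaseChainWithUnsupportedFamilyChainTypePair` drops the only coverage of the arp-family/`route`-type rejection path with no replacement and no note in the description; the neighbouring tests that diverge natively were kept behind `SKIP_IF(!IsRunningOnGvisor())` with a `TODO: b/421437663` reference, and the same treatment would preserve the gVisor check. If native Linux reports a different errno here (ENOENT from the chain-type lookup is plausible), the test can accept `AnyOf(PosixErrorIs(ENOTSUP, _), PosixErrorIs(ENOENT, _))` instead of being removed. In the retained `ErrNewNATBaseChainWithInvalidPriority`, `const uint32_t test_hook_priority = -250;` relies on unsigned wraparound to encode a signed NFTA_HOOK_PRIORITY; `const int32_t` with an explicit `static_cast<uint32_t>` at the `U32Attr` call says what is meant.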
@@ -1328,19 +1240,18 @@ TEST_F(NetlinkNetfilterTest, ErrUnsupportedNewNetDevBaseChain) { PosixErrorIs(ENOTSUP, _)); } -TEST_F(NetlinkNetfilterTest, ErrUnsupportedNewInetBaseChainAtIngress) { +TEST(NetlinkNetfilterTest, ErrUnsupportedNewInetBaseChainAtIngress) { // TODO: b/434243967 - Remove when inet chains are supported at Ingress. SKIP_IF(!IsRunningOnGvisor()); SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_chain_hook"; + std::string test_table_name = GetUniqueTestTableName(); const char test_chain_name[] = "test_chain_bad_policy"; const char test_chain_type_name[] = "filter"; const uint32_t test_policy = NF_ACCEPT; const uint32_t test_hook_num = NF_INET_INGRESS; const uint32_t test_hook_priority = 10; const uint32_t test_chain_flags = NFT_CHAIN_BASE; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector nested_hook_data = NlNestedAttr() 
@@ -1374,19 +1285,18 @@ TEST_F(NetlinkNetfilterTest, ErrUnsupportedNewInetBaseChainAtIngress) { PosixErrorIs(ENOTSUP, _)); } -TEST_F(NetlinkNetfilterTest, ErrUnsupportedNewBaseChainWithChainCounters) { +TEST(NetlinkNetfilterTest, ErrUnsupportedNewBaseChainWithChainCounters) { // TODO: b/434243967 - Remove when chain counters are supported. SKIP_IF(!IsRunningOnGvisor()); SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_chain_hook"; + std::string test_table_name = GetUniqueTestTableName(); const char test_chain_name[] = "test_chain_bad_policy"; const char test_chain_type_name[] = "filter"; const uint32_t test_policy = NF_ACCEPT; const uint32_t test_hook_num = NF_INET_INGRESS; const uint32_t test_hook_priority = 10; const uint32_t test_chain_flags = NFT_CHAIN_BASE; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector nested_hook_data = NlNestedAttr() @@ -1421,13 +1331,12 @@ TEST_F(NetlinkNetfilterTest, ErrUnsupportedNewBaseChainWithChainCounters) { PosixErrorIs(ENOTSUP, _)); } -TEST_F(NetlinkNetfilterTest, ErrChainWithBaseChainFlagSet) { +TEST(NetlinkNetfilterTest, ErrChainWithBaseChainFlagSet) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_chain_hook"; + std::string test_table_name = GetUniqueTestTableName(); const char test_chain_name[] = "test_chain_bad_policy"; const uint32_t test_chain_flags = NFT_CHAIN_BASE; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_request_buffer = NlBatchReq() 
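Review bot: `ErrUnsupportedNewBaseChainWithChainCounters` registers its base chain at `NF_INET_INGRESS`, the same hook the test immediately above expects to be rejected with ENOTSUP, so the expectation can be satisfied by the ingress rejection before the counters attribute is ever examined and the test may not exercise what its name says. Use a hook the sandbox accepts for inet filter chains, as `AddBaseChainWithDropPolicy` does: `const uint32_t test_hook_num = NF_INET_PRE_ROUTING;`. If the check ordering in the sandbox is deliberate, a comment naming which rejection the test relies on would remove the ambiguity.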
@@ -1451,15 +1360,14 @@ TEST_F(NetlinkNetfilterTest, ErrChainWithBaseChainFlagSet) { PosixErrorIs(EINVAL, _)); } -TEST_F(NetlinkNetfilterTest, ErrUnsupportedChainWithHardwareOffloadFlagSet) { +TEST(NetlinkNetfilterTest, ErrUnsupportedChainWithHardwareOffloadFlagSet) { // TODO: b/434243967 - Remove when hardware offload chains are supported. SKIP_IF(!IsRunningOnGvisor()); SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_chain_hook"; + std::string test_table_name = GetUniqueTestTableName(); const char test_chain_name[] = "test_chain_bad_policy"; const uint32_t test_chain_flags = NFT_CHAIN_HW_OFFLOAD; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_request_buffer = NlBatchReq() @@ -1483,13 +1391,12 @@ TEST_F(NetlinkNetfilterTest, ErrUnsupportedChainWithHardwareOffloadFlagSet) { PosixErrorIs(ENOTSUP, _)); } -TEST_F(NetlinkNetfilterTest, ErrChainWithNoNameAndChainBindingFlagNotSet) { +TEST(NetlinkNetfilterTest, ErrChainWithNoNameAndChainBindingFlagNotSet) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_chain_hook"; + std::string test_table_name = GetUniqueTestTableName(); const uint32_t test_chain_flags = 0; const uint32_t test_chain_id = 1; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_request_buffer = NlBatchReq() 
@@ -1513,15 +1420,14 @@ TEST_F(NetlinkNetfilterTest, ErrChainWithNoNameAndChainBindingFlagNotSet) { PosixErrorIs(EINVAL, _)); } -TEST_F(NetlinkNetfilterTest, ErrUnsupportedUpdateChain) { +TEST(NetlinkNetfilterTest, ErrUnsupportedUpdateChain) { // TODO: b/434243967 - Remove when updating existing chains are supported. SKIP_IF(!IsRunningOnGvisor()); SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_chain_hook"; + std::string test_table_name = GetUniqueTestTableName(); const char test_chain_name[] = "test_chain_invalid_update"; const uint32_t test_chain_flags = 0; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_request_buffer = NlBatchReq() @@ -1561,13 +1467,13 @@ TEST_F(NetlinkNetfilterTest, ErrUnsupportedUpdateChain) { PosixErrorIs(ENOTSUP, _)); } -TEST_F(NetlinkNetfilterTest, AddChainWithNoNameAndChainIdAttributeSet) { +TEST(NetlinkNetfilterTest, AddChainWithNoNameAndChainIdAttributeSet) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_chain_hook"; + SKIP_IF(!IsRunningOnGvisor()); + const std::string test_table_name = GetUniqueTestTableName(); const uint32_t test_chain_flags = NFT_CHAIN_BINDING; const uint32_t test_chain_id = 2; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_request_buffer = NlBatchReq() 
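Review bot: The new `SKIP_IF(!IsRunningOnGvisor());` in `AddChainWithNoNameAndChainIdAttributeSet` carries no explanation, whereas every other gVisor-only skip in this file is preceded by a `// TODO: b/... - Remove when ...` line; a reader cannot tell whether native Linux rejects an unnamed chain carrying NFTA_CHAIN_ID, or whether this is a cleanup or flakiness workaround. Add the reason above it, e.g. `// TODO: <bug-id placeholder> - <why native Linux is excluded>.`, and place it before the capability check as the neighbouring `ErrUnsupported*` tests do so the skips read uniformly.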
@@ -1588,15 +1494,15 @@ TEST_F(NetlinkNetfilterTest, AddChainWithNoNameAndChainIdAttributeSet) { ASSERT_NO_ERRNO(NetlinkNetfilterBatchRequestAckOrError( fd, kSeq, kSeq + 3, add_request_buffer.data(), add_request_buffer.size())); + ASSERT_NO_ERRNO(DestroyNetfilterTable(fd, test_table_name, kSeq + 4)); } -TEST_F(NetlinkNetfilterTest, AddChainWithName) { +TEST(NetlinkNetfilterTest, AddChainWithName) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_chain_hook"; + std::string test_table_name = GetUniqueTestTableName(); const char test_chain_name[] = "test_chain_name"; const uint32_t test_chain_flags = 0; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_request_buffer = NlBatchReq() @@ -1619,17 +1525,16 @@ TEST_F(NetlinkNetfilterTest, AddChainWithName) { add_request_buffer.size())); } -TEST_F(NetlinkNetfilterTest, AddBaseChainWithDropPolicy) { +TEST(NetlinkNetfilterTest, AddBaseChainWithDropPolicy) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_chain_hook"; + std::string test_table_name = GetUniqueTestTableName(); const char test_chain_name[] = "test_chain_bad_policy"; const char test_chain_type_name[] = "filter"; const uint32_t test_policy = NF_DROP; const uint32_t test_hook_num = NF_INET_PRE_ROUTING; const uint32_t test_hook_priority = 0; const uint32_t test_chain_flags = NFT_CHAIN_BASE; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector nested_hook_data = NlNestedAttr() 
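Review bot: `ASSERT_NO_ERRNO(DestroyNetfilterTable(fd, test_table_name, kSeq + 4));` is added only to `AddChainWithNoNameAndChainIdAttributeSet`; `AddChainWithName` in the same hunk and `AddBaseChainWithDropPolicy` in the next one also create a table and leave it behind on the success path. Now that these are `TEST` rather than `TEST_F`, whatever per-test teardown the fixture performed no longer runs (the fixture is outside this chunk, so that is inferred), and the unique names mean the tables accumulate instead of colliding. On a native kernel a table created without NFT_TABLE_F_OWNER outlives the test process, so the leftover state persists on the machine the suite ran on; the same gap applies to every test that calls `AddDefaultTable` in the rule hunks further down. Either give each successful-path test the same `DestroyNetfilterTable` call, or wrap table creation in a small scope guard whose destructor issues the destroy so the cleanup also happens when an `ASSERT_*` exits the test early.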
@@ -1662,16 +1567,15 @@ TEST_F(NetlinkNetfilterTest, AddBaseChainWithDropPolicy) { add_request_buffer.size())); } -TEST_F(NetlinkNetfilterTest, GetChainWithDumpFlagSet) { +TEST(NetlinkNetfilterTest, GetChainWithDumpFlagSet) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); SKIP_IF(!IsRunningOnGvisor()); - const char test_table_name[] = "test_table_chain_hook"; + std::string test_table_name = GetUniqueTestTableName(); const char test_chain_name[] = "test_chain"; const char test_chain_two_name[] = "test_chain_two"; const uint32_t test_chain_flags = 0; uint32_t expected_use = 0; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_request_buffer = NlBatchReq() @@ -1715,7 +1619,7 @@ TEST_F(NetlinkNetfilterTest, GetChainWithDumpFlagSet) { const struct nfattr* chain_name_attr = FindNfAttr(hdr, nullptr, NFTA_CHAIN_NAME); - EXPECT_NE(chain_name_attr, nullptr); + ASSERT_NE(chain_name_attr, nullptr); std::string chain_name( reinterpret_cast(NFA_DATA(chain_name_attr))); @@ -1737,13 +1641,12 @@ TEST_F(NetlinkNetfilterTest, GetChainWithDumpFlagSet) { ASSERT_TRUE(expected_chains.empty()); } -TEST_F(NetlinkNetfilterTest, ErrGetChainWithNoTableName) { +TEST(NetlinkNetfilterTest, ErrGetChainWithNoTableName) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_chain_hook"; + std::string test_table_name = GetUniqueTestTableName(); const char test_chain_name[] = "test_chain_no_table_name"; const uint32_t test_chain_flags = 0; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_request_buffer = NlBatchReq() 
@@ -1776,13 +1679,12 @@ TEST_F(NetlinkNetfilterTest, ErrGetChainWithNoTableName) { PosixErrorIs(EINVAL, _)); } -TEST_F(NetlinkNetfilterTest, ErrGetChainWithNoChainName) { +TEST(NetlinkNetfilterTest, ErrGetChainWithNoChainName) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_chain_hook"; + std::string test_table_name = GetUniqueTestTableName(); const char test_chain_name[] = "test_chain_no_chain_name"; const uint32_t test_chain_flags = 0; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_request_buffer = NlBatchReq() @@ -1815,14 +1717,13 @@ TEST_F(NetlinkNetfilterTest, ErrGetChainWithNoChainName) { PosixErrorIs(EINVAL, _)); } -TEST_F(NetlinkNetfilterTest, GetChain) { +TEST(NetlinkNetfilterTest, GetChain) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_chain"; + std::string test_table_name = GetUniqueTestTableName(); const char test_chain_name[] = "test_chain"; uint8_t test_user_data[] = {0x01, 0x02, 0x03, 0x04}; size_t expected_udata_size = sizeof(test_user_data); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_request_buffer = NlBatchReq() @@ -1869,9 +1770,9 @@ TEST_F(NetlinkNetfilterTest, GetChain) { false)); } -TEST_F(NetlinkNetfilterTest, GetBaseChain) { +TEST(NetlinkNetfilterTest, GetBaseChain) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_chain"; + std::string test_table_name = GetUniqueTestTableName(); const char test_chain_name[] = "test_base_chain"; const char test_chain_type_name[] = "filter"; const uint32_t test_policy = NF_ACCEPT; 
@@ -1880,8 +1781,7 @@ TEST_F(NetlinkNetfilterTest, GetBaseChain) { uint8_t test_user_data[] = {0x01, 0x02, 0x03, 0x04}; size_t expected_udata_size = sizeof(test_user_data); const uint32_t test_chain_flags = NFT_CHAIN_BASE; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector nested_hook_data = NlNestedAttr() @@ -1942,17 +1842,16 @@ TEST_F(NetlinkNetfilterTest, GetBaseChain) { false)); } -TEST_F(NetlinkNetfilterTest, ErrDeleteChainWithNoTableNameSpecified) { +TEST(NetlinkNetfilterTest, ErrDeleteChainWithNoTableNameSpecified) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_chains"; + std::string test_table_name = GetUniqueTestTableName(); const char test_chain_name[] = "test_chain_no_table_name"; const char test_chain_type_name[] = "filter"; const uint32_t test_policy = NF_DROP; const uint32_t test_hook_num = NF_INET_PRE_ROUTING; const uint32_t test_hook_priority = 0; const uint32_t test_chain_flags = NFT_CHAIN_BASE; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector nested_hook_data = NlNestedAttr() 
@@ -1999,12 +1898,11 @@ TEST_F(NetlinkNetfilterTest, ErrDeleteChainWithNoTableNameSpecified) { PosixErrorIs(EINVAL, _)); } -TEST_F(NetlinkNetfilterTest, ErrDeleteNonexistentChain) { +TEST(NetlinkNetfilterTest, ErrDeleteNonexistentChain) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_chains"; + std::string test_table_name = GetUniqueTestTableName(); const char test_chain_name[] = "test_chain_nonexistent"; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_table_request_buffer = NlBatchReq() @@ -2036,12 +1934,11 @@ TEST_F(NetlinkNetfilterTest, ErrDeleteNonexistentChain) { PosixErrorIs(ENOENT, _)); } -TEST_F(NetlinkNetfilterTest, DestroyNonexistentChain) { +TEST(NetlinkNetfilterTest, DestroyNonexistentChain) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_chains"; + std::string test_table_name = GetUniqueTestTableName(); const char test_chain_name[] = "test_chain_nonexistent"; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_table_request_buffer = NlBatchReq() 
@@ -2072,17 +1969,16 @@ TEST_F(NetlinkNetfilterTest, DestroyNonexistentChain) { delete_chain_request_buffer.size())); } -TEST_F(NetlinkNetfilterTest, DeleteBaseChain) { +TEST(NetlinkNetfilterTest, DeleteBaseChain) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_chains"; + std::string test_table_name = GetUniqueTestTableName(); const char test_chain_name[] = "test_chain_delete_base_chain"; const char test_chain_type_name[] = "filter"; const uint32_t test_policy = NF_DROP; const uint32_t test_hook_num = NF_INET_PRE_ROUTING; const uint32_t test_hook_priority = 0; const uint32_t test_chain_flags = NFT_CHAIN_BASE; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector nested_hook_data = NlNestedAttr() @@ -2129,9 +2025,9 @@ TEST_F(NetlinkNetfilterTest, DeleteBaseChain) { delete_chain_request_buffer.size())); } -TEST_F(NetlinkNetfilterTest, DeleteBaseChainByHandle) { +TEST(NetlinkNetfilterTest, DeleteBaseChainByHandle) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_chains"; + std::string test_table_name = GetUniqueTestTableName(); const char test_chain_name[] = "test_chain_delete_base_chain"; const char test_chain_type_name[] = "filter"; const uint32_t test_policy = NF_DROP; @@ -2139,8 +2035,7 @@ TEST_F(NetlinkNetfilterTest, DeleteBaseChainByHandle) { const uint32_t test_hook_priority = 0; const uint32_t test_chain_flags = NFT_CHAIN_BASE; uint64_t chain_handle = 0; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector nested_hook_data = NlNestedAttr() 
@@ -2205,14 +2100,13 @@ TEST_F(NetlinkNetfilterTest, DeleteBaseChainByHandle) { delete_chain_request_buffer.size())); } -TEST_F(NetlinkNetfilterTest, ErrModifyTableWithOwnerMismatchUnboundSocket) { +TEST(NetlinkNetfilterTest, ErrModifyTableWithOwnerMismatchUnboundSocket) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table_owner_mismatch"; + std::string test_table_name = GetUniqueTestTableName(); uint32_t table_flags = NFT_TABLE_F_OWNER; uint32_t new_table_flags = NFT_TABLE_F_DORMANT; uint8_t expected_udata[3] = {0x01, 0x02, 0x03}; - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); FileDescriptor fd_2 = ASSERT_NO_ERRNO_AND_VALUE( Socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER)); @@ -2250,9 +2144,9 @@ TEST_F(NetlinkNetfilterTest, ErrModifyTableWithOwnerMismatchUnboundSocket) { PosixErrorIs(EPERM, _)); } -TEST_F(NetlinkNetfilterTest, AddTableWithUnboundSocket) { +TEST(NetlinkNetfilterTest, AddTableWithUnboundSocket) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - const char test_table_name[] = "test_table"; + std::string test_table_name = GetUniqueTestTableName(); uint32_t table_flags = NFT_TABLE_F_DORMANT | NFT_TABLE_F_OWNER; uint32_t expected_port_id = 0; uint8_t expected_udata[3] = {0x01, 0x02, 0x03}; @@ -2288,7 +2182,7 @@ TEST_F(NetlinkNetfilterTest, AddTableWithUnboundSocket) { [&](const struct nlmsghdr* hdr) { const struct nfattr* owner_attr = FindNfAttr(hdr, nullptr, NFTA_TABLE_OWNER); - EXPECT_NE(owner_attr, nullptr); + ASSERT_NE(owner_attr, nullptr); uint32_t owner = ntohl(*(reinterpret_cast(NFA_DATA(owner_attr)))); EXPECT_NE(owner, 0); 
@@ -2307,10 +2201,10 @@ TEST_F(NetlinkNetfilterTest, AddTableWithUnboundSocket) { ASSERT_EQ(expected_port_id, assigned_port_id); } -TEST_F(NetlinkNetfilterTest, ErrAddRuleWithMissingTableName) { +TEST(NetlinkNetfilterTest, ErrAddRuleWithMissingTableName) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_rule_request_buffer = NlBatchReq() @@ -2319,18 +2213,19 @@ TEST_F(NetlinkNetfilterTest, ErrAddRuleWithMissingTableName) { .SeqEnd(kSeq + 6) .Build(); - AddDefaultTable({.fd = fd, .seq = kSeq}); - AddDefaultBaseChain({.fd = fd, .seq = kSeq + 3}); + AddDefaultTable({.fd = fd, .table_name = test_table_name, .seq = kSeq}); + AddDefaultBaseChain( + {.fd = fd, .table_name = test_table_name, .seq = kSeq + 3}); ASSERT_THAT(NetlinkNetfilterBatchRequestAckOrError( fd, kSeq + 4, kSeq + 6, add_rule_request_buffer.data(), add_rule_request_buffer.size()), PosixErrorIs(EINVAL, _)); } - -TEST_F(NetlinkNetfilterTest, ErrAddRuleWithUnknownTableName) { +// here +TEST(NetlinkNetfilterTest, ErrAddRuleWithUnknownTableName) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_rule_request_buffer = NlBatchReq() 
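Review bot: `+// here` replaces the blank line between `ErrAddRuleWithMissingTableName` and `ErrAddRuleWithUnknownTableName`; it reads as a leftover editing marker and should be dropped, with the empty separator line restored. In `ErrAddRuleWithMissingTableName` the generated `test_table_name` is now passed to `AddDefaultTable`/`AddDefaultBaseChain` but, presumably by design, not to the rule request (the request body is outside the hunk), so a comment such as `// The rule request deliberately omits NFTA_RULE_TABLE; EINVAL is the expected outcome.` would stop a later cleanup from "fixing" the omission.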
@@ -2342,90 +2237,94 @@ TEST_F(NetlinkNetfilterTest, ErrAddRuleWithUnknownTableName) { .SeqEnd(kSeq + 8) .Build(); - AddDefaultTable({.fd = fd, .seq = kSeq}); - AddDefaultBaseChain({.fd = fd, .seq = kSeq + 3}); + AddDefaultTable({.fd = fd, .table_name = test_table_name, .seq = kSeq}); + AddDefaultBaseChain( + {.fd = fd, .table_name = test_table_name, .seq = kSeq + 3}); ASSERT_THAT(NetlinkNetfilterBatchRequestAckOrError( fd, kSeq + 6, kSeq + 8, add_rule_request_buffer.data(), add_rule_request_buffer.size()), PosixErrorIs(ENOENT, _)); } -TEST_F(NetlinkNetfilterTest, ErrAddRuleNoChainSpecified) { +TEST(NetlinkNetfilterTest, ErrAddRuleNoChainSpecified) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_rule_request_buffer = NlBatchReq() .SeqStart(kSeq + 6) .Req(NlReq("newrule req ack inet") .Seq(kSeq + 7) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .Build()) .SeqEnd(kSeq + 8) .Build(); - AddDefaultTable({.fd = fd, .seq = kSeq}); - AddDefaultBaseChain({.fd = fd, .seq = kSeq + 3}); + AddDefaultTable({.fd = fd, .table_name = test_table_name, .seq = kSeq}); + AddDefaultBaseChain( + {.fd = fd, .table_name = test_table_name, .seq = kSeq + 3}); ASSERT_THAT(NetlinkNetfilterBatchRequestAckOrError( fd, kSeq + 6, kSeq + 8, add_rule_request_buffer.data(), add_rule_request_buffer.size()), PosixErrorIs(EINVAL, _)); } -TEST_F(NetlinkNetfilterTest, - ErrAddRuleNoHandleOrPositionSpecifiedAndCreateReplaceFlagNotSet) { +TEST(NetlinkNetfilterTest, + ErrAddRuleNoHandleOrPositionSpecifiedAndCreateReplaceFlagNotSet) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string 
test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_rule_request_buffer = NlBatchReq() .SeqStart(kSeq + 6) .Req(NlReq("newrule req ack inet") .Seq(kSeq + 7) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .Build()) .SeqEnd(kSeq + 8) .Build(); - AddDefaultTable({.fd = fd, .seq = kSeq}); - AddDefaultBaseChain({.fd = fd, .seq = kSeq + 3}); + AddDefaultTable({.fd = fd, .table_name = test_table_name, .seq = kSeq}); + AddDefaultBaseChain( + {.fd = fd, .table_name = test_table_name, .seq = kSeq + 3}); ASSERT_THAT(NetlinkNetfilterBatchRequestAckOrError( fd, kSeq + 6, kSeq + 8, add_rule_request_buffer.data(), add_rule_request_buffer.size()), PosixErrorIs(EINVAL, _)); } -TEST_F(NetlinkNetfilterTest, ErrAddRuleNoHandleOrPositionSpecified) { +TEST(NetlinkNetfilterTest, ErrAddRuleNoHandleOrPositionSpecified) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector add_rule_request_buffer = NlBatchReq() .SeqStart(kSeq + 6) .Req(NlReq("newrule req ack inet") .Seq(kSeq + 7) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .Build()) .SeqEnd(kSeq + 8) .Build(); - AddDefaultTable({.fd = fd, .seq = kSeq}); - AddDefaultBaseChain({.fd = fd, .seq = kSeq + 3}); + AddDefaultTable({.fd = fd, .table_name = test_table_name, .seq = kSeq}); + AddDefaultBaseChain( + {.fd = fd, .table_name = test_table_name, .seq = kSeq + 3}); ASSERT_THAT(NetlinkNetfilterBatchRequestAckOrError( fd, kSeq + 6, kSeq + 8, add_rule_request_buffer.data(), add_rule_request_buffer.size()), PosixErrorIs(EINVAL, _)); } 
-TEST_F(NetlinkNetfilterTest, ErrAddRuleInvalidPositionSpecified) { +TEST(NetlinkNetfilterTest, ErrAddRuleInvalidPositionSpecified) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); uint64_t invalid_position = 10; std::vector add_rule_request_buffer = @@ -2433,25 +2332,26 @@ TEST_F(NetlinkNetfilterTest, ErrAddRuleInvalidPositionSpecified) { .SeqStart(kSeq + 4) .Req(NlReq("newrule req ack create inet") .Seq(kSeq + 5) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .U64Attr(NFTA_RULE_POSITION, invalid_position) .Build()) .SeqEnd(kSeq + 6) .Build(); - AddDefaultTable({.fd = fd, .seq = kSeq}); - AddDefaultBaseChain({.fd = fd, .seq = kSeq + 3}); + AddDefaultTable({.fd = fd, .table_name = test_table_name, .seq = kSeq}); + AddDefaultBaseChain( + {.fd = fd, .table_name = test_table_name, .seq = kSeq + 3}); ASSERT_THAT(NetlinkNetfilterBatchRequestAckOrError( fd, kSeq + 4, kSeq + 6, add_rule_request_buffer.data(), add_rule_request_buffer.size()), PosixErrorIs(ENOENT, _)); } -TEST_F(NetlinkNetfilterTest, ErrAddRuleInvalidHandleSpecified) { +TEST(NetlinkNetfilterTest, ErrAddRuleInvalidHandleSpecified) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); uint64_t invalid_handle = 10; std::vector add_rule_request_buffer = 
@@ -2459,25 +2359,26 @@ TEST_F(NetlinkNetfilterTest, ErrAddRuleInvalidHandleSpecified) { .SeqStart(kSeq + 4) .Req(NlReq("newrule req ack inet") .Seq(kSeq + 5) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .U64Attr(NFTA_RULE_HANDLE, invalid_handle) .Build()) .SeqEnd(kSeq + 6) .Build(); - AddDefaultTable({.fd = fd, .seq = kSeq}); - AddDefaultBaseChain({.fd = fd, .seq = kSeq + 3}); + AddDefaultTable({.fd = fd, .table_name = test_table_name, .seq = kSeq}); + AddDefaultBaseChain( + {.fd = fd, .table_name = test_table_name, .seq = kSeq + 3}); ASSERT_THAT(NetlinkNetfilterBatchRequestAckOrError( fd, kSeq + 4, kSeq + 6, add_rule_request_buffer.data(), add_rule_request_buffer.size()), PosixErrorIs(ENOENT, _)); } -TEST_F(NetlinkNetfilterTest, AddEmptyRule) { +TEST(NetlinkNetfilterTest, AddEmptyRule) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); uint8_t expected_udata[] = {0, 1, 2, 3, 4}; std::vector add_rule_request_buffer = @@ -2485,7 +2386,7 @@ TEST_F(NetlinkNetfilterTest, AddEmptyRule) { .SeqStart(kSeq + 4) .Req(NlReq("newrule req ack create inet") .Seq(kSeq + 5) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .RawAttr(NFTA_RULE_USERDATA, expected_udata, sizeof(expected_udata)) 
@@ -2493,17 +2394,18 @@ TEST_F(NetlinkNetfilterTest, AddEmptyRule) { .SeqEnd(kSeq + 6) .Build(); - AddDefaultTable({.fd = fd, .seq = kSeq}); - AddDefaultBaseChain({.fd = fd, .seq = kSeq + 3}); + AddDefaultTable({.fd = fd, .table_name = test_table_name, .seq = kSeq}); + AddDefaultBaseChain( + {.fd = fd, .table_name = test_table_name, .seq = kSeq + 3}); ASSERT_NO_ERRNO(NetlinkNetfilterBatchRequestAckOrError( fd, kSeq + 4, kSeq + 6, add_rule_request_buffer.data(), add_rule_request_buffer.size())); } -TEST_F(NetlinkNetfilterTest, ErrRuleExpressionWrongType) { +TEST(NetlinkNetfilterTest, ErrRuleExpressionWrongType) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); uint8_t udata[] = {0, 1, 2, 3, 4}; std::vector rule_expr_data = NlImmExpr::DefaultAcceptAll(); @@ -2516,7 +2418,7 @@ TEST_F(NetlinkNetfilterTest, ErrRuleExpressionWrongType) { .SeqStart(kSeq + 6) .Req(NlReq("newrule req ack create inet") .Seq(kSeq + 7) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .RawAttr(NFTA_RULE_USERDATA, udata, sizeof(udata)) .RawAttr(NFTA_RULE_EXPRESSIONS, list_expr_data.data(), 
@@ -2525,20 +2427,21 @@ TEST_F(NetlinkNetfilterTest, ErrRuleExpressionWrongType) { .SeqEnd(kSeq + 8) .Build(); - AddDefaultTable({.fd = fd, .seq = kSeq}); - AddDefaultBaseChain({.fd = fd, .seq = kSeq + 3}); + AddDefaultTable({.fd = fd, .table_name = test_table_name, .seq = kSeq}); + AddDefaultBaseChain( + {.fd = fd, .table_name = test_table_name, .seq = kSeq + 3}); ASSERT_THAT(NetlinkNetfilterBatchRequestAckOrError( fd, kSeq + 6, kSeq + 8, add_rule_request_buffer.data(), add_rule_request_buffer.size()), PosixErrorIs(EINVAL, _)); } -TEST_F(NetlinkNetfilterTest, ErrRuleTooManyExpressions) { +TEST(NetlinkNetfilterTest, ErrRuleTooManyExpressions) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); // TODO: b/421437663 - Fix this error test for native Linux. SKIP_IF(!IsRunningOnGvisor()); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); uint8_t udata[] = {0, 1, 2, 3, 4}; std::vector rule_expr_data = NlImmExpr::DefaultAcceptAll(); @@ -2549,7 +2452,7 @@ TEST_F(NetlinkNetfilterTest, ErrRuleTooManyExpressions) { .SeqStart(kSeq + 6) .Req(NlReq("newrule req ack create inet") .Seq(kSeq + 7) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .RawAttr(NFTA_RULE_USERDATA, udata, sizeof(udata)) .RawAttr(NFTA_RULE_EXPRESSIONS, list_expr_data.data(), 
@@ -2558,18 +2461,19 @@ TEST_F(NetlinkNetfilterTest, ErrRuleTooManyExpressions) { .SeqEnd(kSeq + 8) .Build(); - AddDefaultTable({.fd = fd, .seq = kSeq}); - AddDefaultBaseChain({.fd = fd, .seq = kSeq + 3}); + AddDefaultTable({.fd = fd, .table_name = test_table_name, .seq = kSeq}); + AddDefaultBaseChain( + {.fd = fd, .table_name = test_table_name, .seq = kSeq + 3}); ASSERT_THAT(NetlinkNetfilterBatchRequestAckOrError( fd, kSeq + 6, kSeq + 8, add_rule_request_buffer.data(), add_rule_request_buffer.size()), PosixErrorIs(EINVAL, _)); } -TEST_F(NetlinkNetfilterTest, ErrImmRuleNoDestinationRegisterSpecified) { +TEST(NetlinkNetfilterTest, ErrImmRuleNoDestinationRegisterSpecified) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); uint8_t udata[] = {0, 1, 2}; std::vector rule_data = {0, 1, 2}; @@ -2595,7 +2499,7 @@ TEST_F(NetlinkNetfilterTest, ErrImmRuleNoDestinationRegisterSpecified) { .SeqStart(kSeq + 6) .Req(NlReq("newrule req ack create inet") .Seq(kSeq + 7) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .RawAttr(NFTA_RULE_USERDATA, udata, sizeof(udata)) .RawAttr(NFTA_RULE_EXPRESSIONS, list_expr_data.data(), 
@@ -2604,18 +2508,19 @@ TEST_F(NetlinkNetfilterTest, ErrImmRuleNoDestinationRegisterSpecified) { .SeqEnd(kSeq + 8) .Build(); - AddDefaultTable({.fd = fd, .seq = kSeq}); - AddDefaultBaseChain({.fd = fd, .seq = kSeq + 3}); + AddDefaultTable({.fd = fd, .table_name = test_table_name, .seq = kSeq}); + AddDefaultBaseChain( + {.fd = fd, .table_name = test_table_name, .seq = kSeq + 3}); ASSERT_THAT(NetlinkNetfilterBatchRequestAckOrError( fd, kSeq + 6, kSeq + 8, add_rule_request_buffer.data(), add_rule_request_buffer.size()), PosixErrorIs(EINVAL, _)); } -TEST_F(NetlinkNetfilterTest, ErrImmRuleNoDataSpecified) { +TEST(NetlinkNetfilterTest, ErrImmRuleNoDataSpecified) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); uint8_t udata[] = {0, 1, 2}; uint32_t dreg = NFT_REG_VERDICT; @@ -2635,7 +2540,7 @@ TEST_F(NetlinkNetfilterTest, ErrImmRuleNoDataSpecified) { .SeqStart(kSeq + 6) .Req(NlReq("newrule req ack create inet") .Seq(kSeq + 7) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .RawAttr(NFTA_RULE_USERDATA, udata, sizeof(udata)) .RawAttr(NFTA_RULE_EXPRESSIONS, list_expr_data.data(), 
@@ -2644,18 +2549,19 @@ TEST_F(NetlinkNetfilterTest, ErrImmRuleNoDataSpecified) { .SeqEnd(kSeq + 8) .Build(); - AddDefaultTable({.fd = fd, .seq = kSeq}); - AddDefaultBaseChain({.fd = fd, .seq = kSeq + 3}); + AddDefaultTable({.fd = fd, .table_name = test_table_name, .seq = kSeq}); + AddDefaultBaseChain( + {.fd = fd, .table_name = test_table_name, .seq = kSeq + 3}); ASSERT_THAT(NetlinkNetfilterBatchRequestAckOrError( fd, kSeq + 6, kSeq + 8, add_rule_request_buffer.data(), add_rule_request_buffer.size()), PosixErrorIs(EINVAL, _)); } -TEST_F(NetlinkNetfilterTest, ErrValueDataWithVerdictRegister) { +TEST(NetlinkNetfilterTest, ErrValueDataWithVerdictRegister) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); uint8_t udata[] = {0, 1, 2}; std::vector rule_expr_data = @@ -2667,7 +2573,7 @@ TEST_F(NetlinkNetfilterTest, ErrValueDataWithVerdictRegister) { .SeqStart(kSeq + 6) .Req(NlReq("newrule req ack create inet") .Seq(kSeq + 7) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .RawAttr(NFTA_RULE_USERDATA, udata, sizeof(udata)) .RawAttr(NFTA_RULE_EXPRESSIONS, list_expr_data.data(), 
@@ -2676,18 +2582,19 @@ TEST_F(NetlinkNetfilterTest, ErrValueDataWithVerdictRegister) { .SeqEnd(kSeq + 8) .Build(); - AddDefaultTable({.fd = fd, .seq = kSeq}); - AddDefaultBaseChain({.fd = fd, .seq = kSeq + 3}); + AddDefaultTable({.fd = fd, .table_name = test_table_name, .seq = kSeq}); + AddDefaultBaseChain( + {.fd = fd, .table_name = test_table_name, .seq = kSeq + 3}); ASSERT_THAT(NetlinkNetfilterBatchRequestAckOrError( fd, kSeq + 6, kSeq + 8, add_rule_request_buffer.data(), add_rule_request_buffer.size()), PosixErrorIs(EINVAL, _)); } -TEST_F(NetlinkNetfilterTest, ErrVerdictDataWithNonVerdictRegister) { +TEST(NetlinkNetfilterTest, ErrVerdictDataWithNonVerdictRegister) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); uint8_t udata[] = {0, 1, 2}; std::vector rule_expr_data = @@ -2699,7 +2606,7 @@ TEST_F(NetlinkNetfilterTest, ErrVerdictDataWithNonVerdictRegister) { .SeqStart(kSeq + 4) .Req(NlReq("newrule req ack create inet") .Seq(kSeq + 5) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .RawAttr(NFTA_RULE_USERDATA, udata, sizeof(udata)) .RawAttr(NFTA_RULE_EXPRESSIONS, list_expr_data.data(), 
@@ -2708,18 +2615,19 @@ TEST_F(NetlinkNetfilterTest, ErrVerdictDataWithNonVerdictRegister) { .SeqEnd(kSeq + 6) .Build(); - AddDefaultTable({.fd = fd, .seq = kSeq}); - AddDefaultBaseChain({.fd = fd, .seq = kSeq + 3}); + AddDefaultTable({.fd = fd, .table_name = test_table_name, .seq = kSeq}); + AddDefaultBaseChain( + {.fd = fd, .table_name = test_table_name, .seq = kSeq + 3}); ASSERT_THAT(NetlinkNetfilterBatchRequestAckOrError( fd, kSeq + 4, kSeq + 6, add_rule_request_buffer.data(), add_rule_request_buffer.size()), PosixErrorIs(EINVAL, _)); } -TEST_F(NetlinkNetfilterTest, ErrExpressionDataMalformed) { +TEST(NetlinkNetfilterTest, ErrExpressionDataMalformed) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); uint8_t udata[] = {0, 1, 2}; uint32_t dreg = NFT_REG_1; @@ -2745,7 +2653,7 @@ TEST_F(NetlinkNetfilterTest, ErrExpressionDataMalformed) { .SeqStart(kSeq + 4) .Req(NlReq("newrule req ack create inet") .Seq(kSeq + 5) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .RawAttr(NFTA_RULE_USERDATA, udata, sizeof(udata)) .RawAttr(NFTA_RULE_EXPRESSIONS, list_expr_data.data(), 
@@ -2754,18 +2662,19 @@ TEST_F(NetlinkNetfilterTest, ErrExpressionDataMalformed) { .SeqEnd(kSeq + 6) .Build(); - AddDefaultTable({.fd = fd, .seq = kSeq}); - AddDefaultBaseChain({.fd = fd, .seq = kSeq + 3}); + AddDefaultTable({.fd = fd, .table_name = test_table_name, .seq = kSeq}); + AddDefaultBaseChain( + {.fd = fd, .table_name = test_table_name, .seq = kSeq + 3}); ASSERT_THAT(NetlinkNetfilterBatchRequestAckOrError( fd, kSeq + 4, kSeq + 6, add_rule_request_buffer.data(), add_rule_request_buffer.size()), PosixErrorIs(EINVAL, _)); } -TEST_F(NetlinkNetfilterTest, ErrImmInvalidDreg) { +TEST(NetlinkNetfilterTest, ErrImmInvalidDreg) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); uint8_t udata[] = {0, 1, 2}; uint32_t dreg = 1000; @@ -2793,7 +2702,7 @@ TEST_F(NetlinkNetfilterTest, ErrImmInvalidDreg) { .SeqStart(kSeq + 6) .Req(NlReq("newrule req ack create inet") .Seq(kSeq + 7) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .RawAttr(NFTA_RULE_USERDATA, udata, sizeof(udata)) .RawAttr(NFTA_RULE_EXPRESSIONS, list_expr_data.data(), 
@@ -2802,18 +2711,19 @@ TEST_F(NetlinkNetfilterTest, ErrImmInvalidDreg) { .SeqEnd(kSeq + 8) .Build(); - AddDefaultTable({.fd = fd, .seq = kSeq}); - AddDefaultBaseChain({.fd = fd, .seq = kSeq + 3}); + AddDefaultTable({.fd = fd, .table_name = test_table_name, .seq = kSeq}); + AddDefaultBaseChain( + {.fd = fd, .table_name = test_table_name, .seq = kSeq + 3}); ASSERT_THAT(NetlinkNetfilterBatchRequestAckOrError( fd, kSeq + 6, kSeq + 8, add_rule_request_buffer.data(), add_rule_request_buffer.size()), PosixErrorIs(ERANGE, _)); } -TEST_F(NetlinkNetfilterTest, AddAcceptAllRule) { +TEST(NetlinkNetfilterTest, AddAcceptAllRule) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); uint8_t udata[] = {0, 1, 2}; std::vector rule_expr_data = NlImmExpr::DefaultAcceptAll(); @@ -2824,7 +2734,7 @@ TEST_F(NetlinkNetfilterTest, AddAcceptAllRule) { .SeqStart(kSeq + 6) .Req(NlReq("newrule req ack create inet") .Seq(kSeq + 7) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .RawAttr(NFTA_RULE_USERDATA, udata, sizeof(udata)) .RawAttr(NFTA_RULE_EXPRESSIONS, list_expr_data.data(), 
@@ -2833,17 +2743,18 @@ TEST_F(NetlinkNetfilterTest, AddAcceptAllRule) { .SeqEnd(kSeq + 8) .Build(); - AddDefaultTable({.fd = fd, .seq = kSeq}); - AddDefaultBaseChain({.fd = fd, .seq = kSeq + 3}); + AddDefaultTable({.fd = fd, .table_name = test_table_name, .seq = kSeq}); + AddDefaultBaseChain( + {.fd = fd, .table_name = test_table_name, .seq = kSeq + 3}); ASSERT_NO_ERRNO(NetlinkNetfilterBatchRequestAckOrError( fd, kSeq + 6, kSeq + 8, add_rule_request_buffer.data(), add_rule_request_buffer.size())); } -TEST_F(NetlinkNetfilterTest, AddDropAllRule) { +TEST(NetlinkNetfilterTest, AddDropAllRule) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); uint8_t udata[] = {0, 1, 2}; std::vector rule_expr_data = NlImmExpr::DefaultDropAll(); @@ -2853,7 +2764,7 @@ TEST_F(NetlinkNetfilterTest, AddDropAllRule) { .SeqStart(kSeq + 4) .Req(NlReq("newrule req ack create inet") .Seq(kSeq + 5) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .RawAttr(NFTA_RULE_USERDATA, udata, sizeof(udata)) .RawAttr(NFTA_RULE_EXPRESSIONS, list_expr_data.data(), 
@@ -2862,17 +2773,18 @@ TEST_F(NetlinkNetfilterTest, AddDropAllRule) { .SeqEnd(kSeq + 6) .Build(); - AddDefaultTable({.fd = fd, .seq = kSeq}); - AddDefaultBaseChain({.fd = fd, .seq = kSeq + 3}); + AddDefaultTable({.fd = fd, .table_name = test_table_name, .seq = kSeq}); + AddDefaultBaseChain( + {.fd = fd, .table_name = test_table_name, .seq = kSeq + 3}); ASSERT_NO_ERRNO(NetlinkNetfilterBatchRequestAckOrError( fd, kSeq + 4, kSeq + 6, add_rule_request_buffer.data(), add_rule_request_buffer.size())); } -TEST_F(NetlinkNetfilterTest, AddRuleWithImmDataValue) { +TEST(NetlinkNetfilterTest, AddRuleWithImmDataValue) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); uint8_t udata[] = {0, 1, 2, 3, 4}; uint32_t dreg = NFT_REG_1; @@ -2886,7 +2798,7 @@ TEST_F(NetlinkNetfilterTest, AddRuleWithImmDataValue) { .SeqStart(kSeq + 6) .Req(NlReq("newrule req ack create inet") .Seq(kSeq + 7) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .RawAttr(NFTA_RULE_USERDATA, udata, sizeof(udata)) .RawAttr(NFTA_RULE_EXPRESSIONS, list_expr_data.data(), 
@@ -2895,17 +2807,18 @@ TEST_F(NetlinkNetfilterTest, AddRuleWithImmDataValue) { .SeqEnd(kSeq + 8) .Build(); - AddDefaultTable({.fd = fd, .seq = kSeq}); - AddDefaultBaseChain({.fd = fd, .seq = kSeq + 3}); + AddDefaultTable({.fd = fd, .table_name = test_table_name, .seq = kSeq}); + AddDefaultBaseChain( + {.fd = fd, .table_name = test_table_name, .seq = kSeq + 3}); ASSERT_NO_ERRNO(NetlinkNetfilterBatchRequestAckOrError( fd, kSeq + 6, kSeq + 8, add_rule_request_buffer.data(), add_rule_request_buffer.size())); } -TEST_F(NetlinkNetfilterTest, AddRuleToEndOfRuleList) { +TEST(NetlinkNetfilterTest, AddRuleToEndOfRuleList) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); uint8_t udata[] = {0, 1, 2}; std::vector rule_expr_data = NlImmExpr::DefaultAcceptAll(); @@ -2916,7 +2829,7 @@ TEST_F(NetlinkNetfilterTest, AddRuleToEndOfRuleList) { .SeqStart(kSeq + 6) .Req(NlReq("newrule req ack create inet") .Seq(kSeq + 7) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .RawAttr(NFTA_RULE_USERDATA, udata, sizeof(udata)) .RawAttr(NFTA_RULE_EXPRESSIONS, list_expr_data.data(), @@ -2930,7 +2843,7 @@ TEST_F(NetlinkNetfilterTest, AddRuleToEndOfRuleList) { .SeqStart(kSeq + 9) .Req(NlReq("newrule req ack create append inet") .Seq(kSeq + 10) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .RawAttr(NFTA_RULE_USERDATA, udata, sizeof(udata)) .RawAttr(NFTA_RULE_EXPRESSIONS, list_expr_data.data(), 
@@ -2939,8 +2852,9 @@ TEST_F(NetlinkNetfilterTest, AddRuleToEndOfRuleList) { .SeqEnd(kSeq + 11) .Build(); - AddDefaultTable({.fd = fd, .seq = kSeq}); - AddDefaultBaseChain({.fd = fd, .seq = kSeq + 3}); + AddDefaultTable({.fd = fd, .table_name = test_table_name, .seq = kSeq}); + AddDefaultBaseChain( + {.fd = fd, .table_name = test_table_name, .seq = kSeq + 3}); ASSERT_NO_ERRNO(NetlinkNetfilterBatchRequestAckOrError( fd, kSeq + 6, kSeq + 8, add_rule_request_buffer.data(), add_rule_request_buffer.size())); @@ -2949,11 +2863,12 @@ TEST_F(NetlinkNetfilterTest, AddRuleToEndOfRuleList) { add_rule_request_buffer_2.size())); } -TEST_F(NetlinkNetfilterTest, AddDropRuleBeforeAcceptRule) { +TEST(NetlinkNetfilterTest, AddDropRuleBeforeAcceptRule) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); + std::string table_name = GetUniqueTestTableName(); uint8_t udata[] = {0, 1, 2}; std::vector rule_expr_data = NlImmExpr::DefaultAcceptAll(); std::vector list_expr_data = NlListAttr().Add(rule_expr_data).Build(); @@ -2963,7 +2878,7 @@ TEST_F(NetlinkNetfilterTest, AddDropRuleBeforeAcceptRule) { .SeqStart(kSeq + 6) .Req(NlReq("newrule req ack create inet") .Seq(kSeq + 7) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .RawAttr(NFTA_RULE_USERDATA, udata, sizeof(udata)) .RawAttr(NFTA_RULE_EXPRESSIONS, list_expr_data.data(), 
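Review bot: In the new `AddDropRuleBeforeAcceptRule` body, `std::string test_table_name = GetUniqueTestTableName();` is immediately followed by `std::string table_name = GetUniqueTestTableName();`, and only `table_name` is used afterwards, so the first declaration is dead code that will draw an unused-variable warning. The same duplicated pair appears in `AddDropRuleAfterAcceptRule` (next hunk) and `GetRule` (the hunk after that). Drop the unused line, or keep `test_table_name` and rename its uses so these three tests read like the surrounding ones.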
@@ -2982,7 +2897,7 @@ TEST_F(NetlinkNetfilterTest, AddDropRuleBeforeAcceptRule) { .SeqStart(kSeq + 9) .Req(NlReq("newrule req ack create append inet") .Seq(kSeq + 10) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .U64Attr(NFTA_RULE_POSITION, rule_handle) .RawAttr(NFTA_RULE_USERDATA, udata, sizeof(udata)) @@ -2992,8 +2907,8 @@ TEST_F(NetlinkNetfilterTest, AddDropRuleBeforeAcceptRule) { .SeqEnd(kSeq + 11) .Build(); - AddDefaultTable({.fd = fd, .seq = kSeq}); - AddDefaultBaseChain({.fd = fd, .seq = kSeq + 3}); + AddDefaultTable({.fd = fd, .table_name = table_name, .seq = kSeq}); + AddDefaultBaseChain({.fd = fd, .table_name = table_name, .seq = kSeq + 3}); ASSERT_NO_ERRNO(NetlinkNetfilterBatchRequestAckOrError( fd, kSeq + 6, kSeq + 8, add_rule_accept_request_buffer.data(), add_rule_accept_request_buffer.size())); @@ -3002,11 +2917,12 @@ TEST_F(NetlinkNetfilterTest, AddDropRuleBeforeAcceptRule) { add_rule_drop_request_buffer.size())); } -TEST_F(NetlinkNetfilterTest, AddDropRuleAfterAcceptRule) { +TEST(NetlinkNetfilterTest, AddDropRuleAfterAcceptRule) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); + std::string table_name = GetUniqueTestTableName(); uint8_t udata[] = {0, 1, 2}; std::vector rule_expr_data = NlImmExpr::DefaultAcceptAll(); std::vector list_expr_data = NlListAttr().Add(rule_expr_data).Build(); 
@@ -3016,7 +2932,7 @@ TEST_F(NetlinkNetfilterTest, AddDropRuleAfterAcceptRule) { .SeqStart(kSeq + 6) .Req(NlReq("newrule req ack create append inet") .Seq(kSeq + 7) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .RawAttr(NFTA_RULE_USERDATA, udata, sizeof(udata)) .RawAttr(NFTA_RULE_EXPRESSIONS, list_expr_data.data(), @@ -3035,7 +2951,7 @@ TEST_F(NetlinkNetfilterTest, AddDropRuleAfterAcceptRule) { .SeqStart(kSeq + 9) .Req(NlReq("newrule req ack create append inet") .Seq(kSeq + 10) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .U64Attr(NFTA_RULE_POSITION, rule_handle) .RawAttr(NFTA_RULE_USERDATA, udata, sizeof(udata)) @@ -3045,8 +2961,8 @@ TEST_F(NetlinkNetfilterTest, AddDropRuleAfterAcceptRule) { .SeqEnd(kSeq + 11) .Build(); - AddDefaultTable({.fd = fd, .seq = kSeq}); - AddDefaultBaseChain({.fd = fd, .seq = kSeq + 3}); + AddDefaultTable({.fd = fd, .table_name = table_name, .seq = kSeq}); + AddDefaultBaseChain({.fd = fd, .table_name = table_name, .seq = kSeq + 3}); ASSERT_NO_ERRNO(NetlinkNetfilterBatchRequestAckOrError( fd, kSeq + 6, kSeq + 8, add_rule_accept_request_buffer.data(), add_rule_accept_request_buffer.size())); @@ -3055,11 +2971,12 @@ TEST_F(NetlinkNetfilterTest, AddDropRuleAfterAcceptRule) { add_rule_drop_request_buffer.size())); } -TEST_F(NetlinkNetfilterTest, GetRule) { +TEST(NetlinkNetfilterTest, GetRule) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); + std::string table_name = GetUniqueTestTableName(); uint8_t udata[] = {0, 1, 2}; size_t expected_udata_size = sizeof(udata); std::vector rule_expr_data = NlImmExpr::DefaultAcceptAll(); 
@@ -3068,14 +2985,14 @@ TEST_F(NetlinkNetfilterTest, GetRule) { // for chains and rules are the same. uint64_t rule_handle = 2; - AddDefaultTable({.fd = fd, .seq = kSeq}); - AddDefaultBaseChain({.fd = fd, .seq = kSeq + 3}); + AddDefaultTable({.fd = fd, .table_name = table_name, .seq = kSeq}); + AddDefaultBaseChain({.fd = fd, .table_name = table_name, .seq = kSeq + 3}); std::vector add_rule_accept_request_buffer = NlBatchReq() .SeqStart(kSeq + 6) .Req(NlReq("newrule req ack create inet") .Seq(kSeq + 7) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .RawAttr(NFTA_RULE_USERDATA, udata, sizeof(udata)) .RawAttr(NFTA_RULE_EXPRESSIONS, list_expr_data.data(), @@ -3087,7 +3004,7 @@ TEST_F(NetlinkNetfilterTest, GetRule) { std::vector get_rule_request_buffer = NlReq("getrule req inet") .Seq(kSeq + 9) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .U64Attr(NFTA_RULE_HANDLE, rule_handle) .Build(); @@ -3102,7 +3019,7 @@ TEST_F(NetlinkNetfilterTest, GetRule) { [&](const struct nlmsghdr* hdr) { CheckNetfilterRuleAttributes({ .hdr = hdr, - .expected_table_name = DEFAULT_TABLE_NAME, + .expected_table_name = table_name, .expected_chain_name = DEFAULT_CHAIN_NAME, .expected_handle = &rule_handle, .expected_udata = udata, 
@@ -3114,26 +3031,27 @@ TEST_F(NetlinkNetfilterTest, GetRule) { EXPECT_TRUE(correct_response); } -TEST_F(NetlinkNetfilterTest, GetRuleDump) { +TEST(NetlinkNetfilterTest, GetRuleDump) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); SKIP_IF(!IsRunningOnGvisor()); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); uint8_t udata[] = {0, 1, 2}; size_t expected_udata_size = sizeof(udata); std::vector rule_expr_data = NlImmExpr::DefaultAcceptAll(); std::vector list_expr_data = NlListAttr().Add(rule_expr_data).Build(); - AddDefaultTable({.fd = fd, .seq = kSeq}); - AddDefaultBaseChain({.fd = fd, .seq = kSeq + 3}); + AddDefaultTable({.fd = fd, .table_name = test_table_name, .seq = kSeq}); + AddDefaultBaseChain( + {.fd = fd, .table_name = test_table_name, .seq = kSeq + 3}); // Add two rules. std::vector add_rule_request_buffer = NlBatchReq() .SeqStart(kSeq + 6) .Req(NlReq("newrule req ack create inet") .Seq(kSeq + 7) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .RawAttr(NFTA_RULE_USERDATA, udata, sizeof(udata)) .RawAttr(NFTA_RULE_EXPRESSIONS, list_expr_data.data(), @@ -3141,7 +3059,7 @@ TEST_F(NetlinkNetfilterTest, GetRuleDump) { .Build()) .Req(NlReq("newrule req ack create append inet") .Seq(kSeq + 8) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .RawAttr(NFTA_RULE_USERDATA, udata, sizeof(udata)) .RawAttr(NFTA_RULE_EXPRESSIONS, list_expr_data.data(), 
@@ -3153,7 +3071,7 @@ TEST_F(NetlinkNetfilterTest, GetRuleDump) { std::vector get_dump_rule_request_buffer = NlReq("getrule req dump inet") .Seq(kSeq + 10) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .Build(); @@ -3174,7 +3092,7 @@ TEST_F(NetlinkNetfilterTest, GetRuleDump) { CheckNetfilterRuleAttributes({ .hdr = hdr, - .expected_table_name = DEFAULT_TABLE_NAME, + .expected_table_name = test_table_name, .expected_chain_name = DEFAULT_CHAIN_NAME, .expected_udata = udata, .expected_udata_size = &expected_udata_size, @@ -3186,11 +3104,11 @@ TEST_F(NetlinkNetfilterTest, GetRuleDump) { EXPECT_EQ(rules_found, 2); } -TEST_F(NetlinkNetfilterTest, GetRuleDumpTableSpecified) { +TEST(NetlinkNetfilterTest, GetRuleDumpTableSpecified) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); SKIP_IF(!IsRunningOnGvisor()); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + std::string test_table_name = GetUniqueTestTableName(); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); uint8_t udata[] = {0, 1, 2}; size_t expected_udata_size = sizeof(udata); 
@@ -3202,25 +3120,25 @@ TEST_F(NetlinkNetfilterTest, GetRuleDumpTableSpecified) { .SeqStart(kSeq) .Req(NlReq("newtable req ack inet") .Seq(kSeq + 1) - .StrAttr(NFTA_TABLE_NAME, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_TABLE_NAME, test_table_name) .Build()) .Req(NlReq("newtable req ack ipv6") .Seq(kSeq + 2) - .StrAttr(NFTA_TABLE_NAME, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_TABLE_NAME, test_table_name) .Build()) .Req(NlReq("newchain req ack inet") .Seq(kSeq + 3) - .StrAttr(NFTA_TABLE_NAME, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_TABLE_NAME, test_table_name) .StrAttr(NFTA_CHAIN_NAME, DEFAULT_CHAIN_NAME) .Build()) .Req(NlReq("newchain req ack ipv6") .Seq(kSeq + 4) - .StrAttr(NFTA_TABLE_NAME, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_TABLE_NAME, test_table_name) .StrAttr(NFTA_CHAIN_NAME, DEFAULT_CHAIN_NAME) .Build()) .Req(NlReq("newrule req ack create inet") .Seq(kSeq + 5) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .RawAttr(NFTA_RULE_USERDATA, udata, sizeof(udata)) .RawAttr(NFTA_RULE_EXPRESSIONS, list_expr_data.data(), @@ -3228,7 +3146,7 @@ TEST_F(NetlinkNetfilterTest, GetRuleDumpTableSpecified) { .Build()) .Req(NlReq("newrule req ack create ipv6") .Seq(kSeq + 6) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, DEFAULT_CHAIN_NAME) .RawAttr(NFTA_RULE_USERDATA, udata, sizeof(udata)) .RawAttr(NFTA_RULE_EXPRESSIONS, list_expr_data.data(), @@ -3240,13 +3158,13 @@ TEST_F(NetlinkNetfilterTest, GetRuleDumpTableSpecified) { std::vector get_dump_request_inet = NlReq("getrule req dump inet") .Seq(kSeq + 8) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .Build(); std::vector get_dump_request_ipv6 = NlReq("getrule req dump ipv6") .Seq(kSeq + 9) - .StrAttr(NFTA_RULE_TABLE, DEFAULT_TABLE_NAME) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .Build(); int rules_found = 0; 
@@ -3263,7 +3181,7 @@ TEST_F(NetlinkNetfilterTest, GetRuleDumpTableSpecified) { CheckNetfilterRuleAttributes( {.hdr = hdr, - .expected_table_name = DEFAULT_TABLE_NAME, + .expected_table_name = test_table_name, .expected_chain_name = DEFAULT_CHAIN_NAME, .expected_udata = udata, .expected_udata_size = &expected_udata_size, @@ -3285,7 +3203,7 @@ TEST_F(NetlinkNetfilterTest, GetRuleDumpTableSpecified) { CheckNetfilterRuleAttributes( {.hdr = hdr, - .expected_table_name = DEFAULT_TABLE_NAME, + .expected_table_name = test_table_name, .expected_chain_name = DEFAULT_CHAIN_NAME, .expected_udata = udata, .expected_udata_size = &expected_udata_size, @@ -3296,13 +3214,12 @@ TEST_F(NetlinkNetfilterTest, GetRuleDumpTableSpecified) { EXPECT_EQ(rules_found, 1); } -TEST_F(NetlinkNetfilterTest, GetRuleDumpTableChainSpecified) { +TEST(NetlinkNetfilterTest, GetRuleDumpTableChainSpecified) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); SKIP_IF(!IsRunningOnGvisor()); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); - const char* test_table_name_one = "test_table_1"; + std::string test_table_name = GetUniqueTestTableName(); const char* test_chain_name_one = "test_chain_1"; const char* test_chain_name_two = "test_chain_2"; 
@@ -3316,21 +3233,21 @@ TEST_F(NetlinkNetfilterTest, GetRuleDumpTableChainSpecified) { .SeqStart(kSeq) .Req(NlReq("newtable req ack inet") .Seq(kSeq + 1) - .StrAttr(NFTA_TABLE_NAME, test_table_name_one) + .StrAttr(NFTA_TABLE_NAME, test_table_name) .Build()) .Req(NlReq("newchain req ack inet") .Seq(kSeq + 2) - .StrAttr(NFTA_TABLE_NAME, test_table_name_one) + .StrAttr(NFTA_TABLE_NAME, test_table_name) .StrAttr(NFTA_CHAIN_NAME, test_chain_name_one) .Build()) .Req(NlReq("newchain req ack inet") .Seq(kSeq + 3) - .StrAttr(NFTA_TABLE_NAME, test_table_name_one) + .StrAttr(NFTA_TABLE_NAME, test_table_name) .StrAttr(NFTA_CHAIN_NAME, test_chain_name_two) .Build()) .Req(NlReq("newrule req ack create inet") .Seq(kSeq + 4) - .StrAttr(NFTA_RULE_TABLE, test_table_name_one) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, test_chain_name_one) .RawAttr(NFTA_RULE_USERDATA, udata, sizeof(udata)) .RawAttr(NFTA_RULE_EXPRESSIONS, list_expr_data.data(), @@ -3338,7 +3255,7 @@ TEST_F(NetlinkNetfilterTest, GetRuleDumpTableChainSpecified) { .Build()) .Req(NlReq("newrule req ack create append inet") .Seq(kSeq + 5) - .StrAttr(NFTA_RULE_TABLE, test_table_name_one) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, test_chain_name_one) .RawAttr(NFTA_RULE_USERDATA, udata, sizeof(udata)) .RawAttr(NFTA_RULE_EXPRESSIONS, list_expr_data.data(), @@ -3350,14 +3267,14 @@ TEST_F(NetlinkNetfilterTest, GetRuleDumpTableChainSpecified) { std::vector get_dump_request_inet = NlReq("getrule req dump inet") .Seq(kSeq + 7) - .StrAttr(NFTA_RULE_TABLE, test_table_name_one) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, test_chain_name_one) .Build(); std::vector get_dump_request_inet_two = NlReq("getrule req dump inet") .Seq(kSeq + 8) - .StrAttr(NFTA_RULE_TABLE, test_table_name_one) + .StrAttr(NFTA_RULE_TABLE, test_table_name) .StrAttr(NFTA_RULE_CHAIN, test_chain_name_two) .Build(); 
@@ -3375,7 +3292,7 @@ TEST_F(NetlinkNetfilterTest, GetRuleDumpTableChainSpecified) { CheckNetfilterRuleAttributes( {.hdr = hdr, - .expected_table_name = test_table_name_one, + .expected_table_name = test_table_name, .expected_chain_name = test_chain_name_one, .expected_udata = udata, .expected_udata_size = &expected_udata_size, @@ -3401,11 +3318,10 @@ TEST_F(NetlinkNetfilterTest, GetRuleDumpTableChainSpecified) { EXPECT_EQ(rules_found, 0); } -TEST_F(NetlinkNetfilterTest, GetGenerationID) { +TEST(NetlinkNetfilterTest, GetGenerationID) { SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW))); SKIP_IF(!IsRunningOnGvisor()); - FileDescriptor fd = - ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER)); + FileDescriptor fd = ASSERT_NO_ERRNO_AND_VALUE(NetfilterBoundSocket()); std::vector get_gen_request = NlReq("getgen req inet").Seq(kSeq).Build(); @@ -3415,7 +3331,7 @@ TEST_F(NetlinkNetfilterTest, GetGenerationID) { [&](const struct nlmsghdr* hdr) { const struct nfattr* gen_id_attr = FindNfAttr(hdr, nullptr, NFTA_GEN_ID); - EXPECT_NE(gen_id_attr, nullptr); + ASSERT_NE(gen_id_attr, nullptr); // Although the generation ID is initialized to 1, this number gets // incremented on successful NETFILTER nftables batch requests. // Thus, we simply check that is is greater than 1 here. diff --git a/test/syscalls/linux/socket_netlink_netfilter_util.cc b/test/syscalls/linux/socket_netlink_netfilter_util.cc index aa852e56fc..1638617ab9 100644 --- a/test/syscalls/linux/socket_netlink_netfilter_util.cc +++ b/test/syscalls/linux/socket_netlink_netfilter_util.cc 
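Review bot: `ASSERT_NE(gen_id_attr, nullptr)` now sits inside the callback lambda, so the fatal failure returns from the lambda only; `GetGenerationID` is marked failed but continues past the `NetlinkResponse` call. That is enough to guard the dereference that follows, but a reader may expect it to abort the test, so a short comment helps: `// Fatal here only exits the callback; the test is still marked failed.`. While touching these lines, the context comment `check that is is greater than 1` has a doubled word. The lambda body continues outside the hunk.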
@@ -22,16 +22,36 @@ #include #include #include +#include #include #include "gtest/gtest.h" +#include "absl/strings/string_view.h" #include "test/syscalls/linux/socket_netlink_util.h" #include "test/util/file_descriptor.h" #include "test/util/posix_error.h" +#include "test/util/save_util.h" +#include "test/util/test_util.h" namespace gvisor { namespace testing { +PosixErrorOr NetfilterBoundSocket() { + ASSIGN_OR_RETURN_ERRNO(FileDescriptor fd, + NetlinkBoundSocket(NETLINK_NETFILTER)); + + // Set arbitrary timeout big enough to handle most netfilter operations, + // to catch buggy behaviour permanently blocking on recv. + struct timeval tv; + tv.tv_sec = 5; + tv.tv_usec = 0; + RETURN_ERROR_IF_SYSCALL_FAIL(setsockopt(fd.get(), SOL_SOCKET, SO_RCVTIMEO, + (const char*)&tv, sizeof(tv))); + MaybeSave(); + + return std::move(fd); +} + // Helper function to initialize a nfgenmsg header. void InitNetfilterGenmsg(struct nfgenmsg* genmsg, uint8_t family, uint8_t version, uint16_t res_id) { @@ -75,12 +95,12 @@ void CheckNetfilterTableAttributes(const NfTableCheckOptions& options) { // Check for the NFTA_TABLE_NAME attribute. const struct nfattr* table_name_attr = FindNfAttr(options.hdr, nullptr, NFTA_TABLE_NAME); - if (table_name_attr != nullptr && options.test_table_name != nullptr) { + if (table_name_attr != nullptr && !options.test_table_name.empty()) { std::string name(reinterpret_cast(NFA_DATA(table_name_attr))); EXPECT_EQ(name, options.test_table_name); } else { EXPECT_EQ(table_name_attr, nullptr); - EXPECT_EQ(options.test_table_name, nullptr); + EXPECT_TRUE(options.test_table_name.empty()); } // Check for the NFTA_TABLE_USE attribute. 
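Review bot: `(const char*)&tv` in `NetfilterBoundSocket` is a C-style cast that `setsockopt`'s `const void*` parameter makes unnecessary; `&tv` converts implicitly, and the timeout itself is a bare `5` assigned into an uninitialised `struct timeval` after the fact. Since designated initialisers already appear in the test file, `const struct timeval tv = {.tv_sec = 5, .tv_usec = 0};` followed by `RETURN_ERROR_IF_SYSCALL_FAIL(setsockopt(fd.get(), SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)));` reads more clearly. The comment should also say how the timeout surfaces, because callers will now see an error rather than a hang: `// A recv that stalls longer than this fails with EAGAIN/EWOULDBLOCK instead of blocking the test forever.`; the header declaration's comment (`// Like NetlinkBoundSocket, but with extra configuration for netfilter tests..`, which also has a doubled period) should carry the same one-line description of the 5 second SO_RCVTIMEO.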
@@ -151,25 +171,25 @@ void CheckNetfilterChainAttributes(const NfChainCheckOptions& options) { // Check for the NFTA_CHAIN_TABLE attribute. const struct nfattr* table_name_attr = FindNfAttr(options.hdr, nullptr, NFTA_CHAIN_TABLE); - if (table_name_attr != nullptr && options.expected_table_name != nullptr) { + if (table_name_attr != nullptr && !options.expected_table_name.empty()) { std::string table_name( reinterpret_cast(NFA_DATA(table_name_attr))); EXPECT_EQ(table_name, options.expected_table_name); } else { EXPECT_EQ(table_name_attr, nullptr); - EXPECT_EQ(options.expected_table_name, nullptr); + EXPECT_TRUE(options.expected_table_name.empty()); } // Check for the NFTA_CHAIN_NAME attribute. const struct nfattr* chain_name_attr = FindNfAttr(options.hdr, nullptr, NFTA_CHAIN_NAME); - if (chain_name_attr != nullptr && options.expected_chain_name != nullptr) { + if (chain_name_attr != nullptr && !options.expected_chain_name.empty()) { std::string chain_name( reinterpret_cast(NFA_DATA(chain_name_attr))); EXPECT_EQ(chain_name, options.expected_chain_name); } else { EXPECT_EQ(chain_name_attr, nullptr); - EXPECT_EQ(options.expected_chain_name, nullptr); + EXPECT_TRUE(options.expected_chain_name.empty()); } if (!options.skip_handle_check) { @@ -199,13 +219,13 @@ void CheckNetfilterChainAttributes(const NfChainCheckOptions& options) { // Check for the NFTA_CHAIN_TYPE attribute. const struct nfattr* chain_type_attr = FindNfAttr(options.hdr, nullptr, NFTA_CHAIN_TYPE); - if (chain_type_attr != nullptr && options.expected_chain_type != nullptr) { + if (chain_type_attr != nullptr && !options.expected_chain_type.empty()) { std::string chain_type( reinterpret_cast(NFA_DATA(chain_type_attr))); EXPECT_EQ(chain_type, options.expected_chain_type); } else { EXPECT_EQ(chain_type_attr, nullptr); - EXPECT_EQ(options.expected_chain_type, nullptr); + EXPECT_TRUE(options.expected_chain_type.empty()); } // Check for the NFTA_CHAIN_FLAGS attribute. 
@@ -252,25 +272,25 @@ void CheckNetfilterRuleAttributes(const NfRuleCheckOptions& options) { // Check for the NFTA_RULE_TABLE attribute. const struct nfattr* table_name_attr = FindNfAttr(options.hdr, nullptr, NFTA_RULE_TABLE); - if (table_name_attr != nullptr && options.expected_table_name != nullptr) { + if (table_name_attr != nullptr && !options.expected_table_name.empty()) { std::string table_name( reinterpret_cast(NFA_DATA(table_name_attr))); EXPECT_EQ(table_name, options.expected_table_name); } else { EXPECT_EQ(table_name_attr, nullptr); - EXPECT_EQ(options.expected_table_name, nullptr); + EXPECT_TRUE(options.expected_table_name.empty()); } // Check for the NFTA_RULE_CHAIN attribute. const struct nfattr* chain_name_attr = FindNfAttr(options.hdr, nullptr, NFTA_RULE_CHAIN); - if (chain_name_attr != nullptr && options.expected_chain_name != nullptr) { + if (chain_name_attr != nullptr && !options.expected_chain_name.empty()) { std::string chain_name( reinterpret_cast(NFA_DATA(chain_name_attr))); EXPECT_EQ(chain_name, options.expected_chain_name); } else { EXPECT_EQ(chain_name_attr, nullptr); - EXPECT_EQ(options.expected_chain_name, nullptr); + EXPECT_TRUE(options.expected_chain_name.empty()); } if (!options.skip_handle_check) { @@ -303,10 +323,10 @@ void CheckNetfilterRuleAttributes(const NfRuleCheckOptions& options) { } // Helper function to add a default table. -void AddDefaultTable(const AddDefaultTableOptions options) { - const char* test_table_name = options.test_table_name; - if (test_table_name == nullptr) { - test_table_name = DEFAULT_TABLE_NAME; +void AddDefaultTable(const AddDefaultTableOptions& options) { + absl::string_view table_name = options.table_name; + if (table_name.empty()) { + table_name = DEFAULT_TABLE_NAME; } std::vector add_table_request_buffer = 
@@ -314,7 +334,7 @@ void AddDefaultTable(const AddDefaultTableOptions options) { .SeqStart(options.seq) .Req(NlReq("newtable req ack inet") .Seq(options.seq + 1) - .StrAttr(NFTA_TABLE_NAME, test_table_name) + .StrAttr(NFTA_TABLE_NAME, table_name) .Build()) .SeqEnd(options.seq + 2) .Build(); @@ -324,15 +344,15 @@ void AddDefaultTable(const AddDefaultTableOptions options) { } // Helper function to add a default base chain. -void AddDefaultBaseChain(const AddDefaultBaseChainOptions options) { - const char* test_table_name = options.test_table_name; - if (test_table_name == nullptr) { - test_table_name = DEFAULT_TABLE_NAME; +void AddDefaultBaseChain(const AddDefaultBaseChainOptions& options) { + absl::string_view table_name = options.table_name; + if (table_name.empty()) { + table_name = DEFAULT_TABLE_NAME; } - const char* test_chain_name = options.test_chain_name; - if (test_chain_name == nullptr) { - test_chain_name = DEFAULT_CHAIN_NAME; + absl::string_view chain_name = options.chain_name; + if (chain_name.empty()) { + chain_name = DEFAULT_CHAIN_NAME; } const char test_chain_type_name[] = "filter"; @@ -352,8 +372,8 @@ void AddDefaultBaseChain(const AddDefaultBaseChainOptions options) { .SeqStart(options.seq) .Req(NlReq("newchain req ack inet") .Seq(options.seq + 1) - .StrAttr(NFTA_CHAIN_TABLE, test_table_name) - .StrAttr(NFTA_CHAIN_NAME, test_chain_name) + .StrAttr(NFTA_CHAIN_TABLE, table_name) + .StrAttr(NFTA_CHAIN_NAME, chain_name) .U32Attr(NFTA_CHAIN_POLICY, test_policy) .RawAttr(NFTA_CHAIN_HOOK, nested_hook_data.data(), nested_hook_data.size()) 
@@ -527,8 +547,8 @@ NlReq& NlReq::RawAttr(uint16_t attr_type, const void* payload, // Method to add a string attribute to the message. // The payload is expected to be a null-terminated string. -NlReq& NlReq::StrAttr(uint16_t attr_type, const char* payload) { - return RawAttr(attr_type, payload, strlen(payload) + 1); +NlReq& NlReq::StrAttr(uint16_t attr_type, absl::string_view payload) { + return RawAttr(attr_type, payload.data(), payload.size() + 1); } // Method to add a uint8_t attribute to the message. @@ -603,8 +623,9 @@ NlNestedAttr& NlNestedAttr::RawAttr(uint16_t attr_type, const void* payload, // Method to add a string attribute to the message. // The payload is expected to be a null-terminated string. -NlNestedAttr& NlNestedAttr::StrAttr(uint16_t attr_type, const char* payload) { - return RawAttr(attr_type, payload, strlen(payload) + 1); +NlNestedAttr& NlNestedAttr::StrAttr(uint16_t attr_type, + absl::string_view payload) { + return RawAttr(attr_type, payload.data(), payload.size() + 1); } // Method to add a uint8_t attribute to the message. 
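Review bot: `payload.size() + 1` in the new `NlReq::StrAttr` reads one byte past the end of the `absl::string_view`, because a string_view carries no terminator guarantee; it only works for the callers visible in this diff because they pass a `std::string` or a literal, and the retained comment "expected to be a null-terminated string" is now a precondition the parameter type cannot express. Copy into an owning string, whose `data()` is guaranteed NUL-terminated, before building the attribute: `std::string terminated(payload);` / `return RawAttr(attr_type, terminated.data(), terminated.size() + 1);`. `NlNestedAttr::StrAttr` in the second hunk has the identical issue and should get the same two lines.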
@@ -757,14 +778,26 @@ PosixError NetlinkNetfilterBatchRequestAckOrError(const FileDescriptor& fd, uint32_t seq_start, uint32_t seq_end, void* request, size_t len) { + // Test sanity checking. seq start/end bounds are inclusive. + EXPECT_GT(seq_end, seq_start); + + // A properly formatted batch has start and end headers. Older Linux versions + // do not send them, whereas kernels past 6.10 do. + int expected_msg_count = seq_end - seq_start + 1; // include headers + if (!IsRunningOnGvisor()) { + ASSIGN_OR_RETURN_ERRNO(KernelVersion version, GetKernelVersion()); + if (version.major < 6 || (version.major == 6 && version.minor < 10)) { + expected_msg_count = seq_end - seq_start - 1; // exclude headers + } + } + RETURN_IF_ERRNO(NetlinkRequest(fd, request, len)); // Dummy negative number for no error message received. // On a successful message, err will be set to 0 (signalling an ack). int err = -42; bool err_set = false; int msg_count = 0; - int expected_msg_count = seq_end - seq_start + 1; - while (msg_count < expected_msg_count) { + while (msg_count < expected_msg_count && !err_set) { RETURN_IF_ERRNO(NetlinkResponse( fd, [&](const struct nlmsghdr* hdr) { 
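Review bot: `int expected_msg_count = seq_end - seq_start + 1;` narrows an unsigned `uint32_t` difference into `int`, and when `seq_end <= seq_start` the preceding `EXPECT_GT` only records a failure while the wrapped value still drives the read loop; returning early, e.g. `if (seq_end <= seq_start) return PosixError(EINVAL);`, keeps a bad test from spinning on the socket. The new `&& !err_set` exit stops reading after the first error reply; the old code instead expected one fewer message, so if the kernel still emits the remaining acks for the batch they stay queued on the fd and would be consumed by the next `NetlinkResponse` on the same socket — worth confirming against the previous `expected_msg_count -= 1` behaviour before relying on the early exit. The comment says `kernels past 6.10 do` while the check treats 6.10 itself as sending headers; `// kernels 6.10 and later do` matches the code. NetlinkNetfilterBatchRequestAckOrError's body continues outside the hunk.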
@@ -773,25 +806,35 @@ PosixError NetlinkNetfilterBatchRequestAckOrError(const FileDescriptor& fd,
 EXPECT_GE(hdr->nlmsg_seq, seq_start);
 EXPECT_LE(hdr->nlmsg_seq, seq_end);
 EXPECT_GE(hdr->nlmsg_len, sizeof(*hdr) + sizeof(struct nlmsgerr));
-
 const struct nlmsgerr* msg = reinterpret_cast(NLMSG_DATA(hdr));
 err = -msg->error;
 if (err != 0) {
- if (!err_set) {
- expected_msg_count -= 1;
- err_set = true;
- }
+ err_set = true;
 }
 },
 true));
 }
- // Assumes that we need to read as many messages as there are sequences in the
- // batch.
- EXPECT_EQ(msg_count, expected_msg_count);
 return PosixError(err);
 }
+PosixError DestroyNetfilterTable(FileDescriptor& fd,
+ absl::string_view table_name, int seq_num) {
+ std::vector destroy_request_buffer =
+ NlBatchReq()
+ .SeqStart(seq_num)
+ .Req(NlReq("deltable req ack unspec")
+ .Seq(seq_num + 1)
+ .StrAttr(NFTA_TABLE_NAME, table_name.data())
+ .Build())
+ .SeqEnd(seq_num + 2)
+ .Build();
+
+ return NetlinkNetfilterBatchRequestAckOrError(fd, seq_num, seq_num + 2,
+ destroy_request_buffer.data(),
+ destroy_request_buffer.size());
+}
+
 } // namespace testing
 } // namespace gvisor
diff --git a/test/syscalls/linux/socket_netlink_netfilter_util.h b/test/syscalls/linux/socket_netlink_netfilter_util.h
index e12a442d06..f2ffdeb46a 100644
--- a/test/syscalls/linux/socket_netlink_netfilter_util.h
+++ b/test/syscalls/linux/socket_netlink_netfilter_util.h
@@ -61,7 +61,7 @@ namespace testing {
 struct NfTableCheckOptions {
 const struct nlmsghdr* hdr;
- const char* test_table_name;
+ absl::string_view test_table_name;
 uint32_t* expected_chain_count;
 uint64_t* expected_handle;
 uint32_t* expected_flags;
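Review bot: In DestroyNetfilterTable, `.StrAttr(NFTA_TABLE_NAME, table_name.data())` hands a bare `const char*` to a parameter that is now an `absl::string_view`, so the length is re-measured with strlen and the call is only correct when `table_name.data()` happens to be NUL-terminated; pass the view itself, `.StrAttr(NFTA_TABLE_NAME, table_name)`. The helper also takes `int seq_num` but forwards `seq_num` and `seq_num + 2` to parameters declared `uint32_t`, and takes `FileDescriptor& fd` where the batch function it wraps takes `const FileDescriptor&`; `PosixError DestroyNetfilterTable(const FileDescriptor& fd, absl::string_view table_name, uint32_t seq_num)` keeps the types consistent, with the matching header declaration updated the same way. NetlinkNetfilterBatchRequestAckOrError begins before this hunk.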
@@ -73,11 +73,11 @@ struct NfTableCheckOptions {
 struct NfChainCheckOptions {
 const struct nlmsghdr* hdr;
- const char* expected_table_name;
- const char* expected_chain_name;
+ absl::string_view expected_table_name;
+ absl::string_view expected_chain_name;
 uint64_t* expected_handle;
 const uint32_t* expected_policy;
- const char* expected_chain_type;
+ absl::string_view expected_chain_type;
 const uint32_t* expected_flags;
 uint32_t* expected_use;
 uint8_t* expected_udata;
@@ -87,8 +87,8 @@ struct NfChainCheckOptions {
 struct NfRuleCheckOptions {
 const struct nlmsghdr* hdr;
- const char* expected_table_name;
- const char* expected_chain_name;
+ absl::string_view expected_table_name;
+ absl::string_view expected_chain_name;
 uint64_t* expected_handle;
 uint8_t* expected_udata;
 size_t* expected_udata_size;
@@ -97,17 +97,20 @@ struct NfRuleCheckOptions {
 struct AddDefaultTableOptions {
 const FileDescriptor& fd;
- const char* test_table_name;
+ absl::string_view table_name;
 uint32_t seq;
 };
 struct AddDefaultBaseChainOptions {
 const FileDescriptor& fd;
- const char* test_table_name;
- const char* test_chain_name;
+ absl::string_view table_name;
+ absl::string_view chain_name;
 uint32_t seq;
 };
+// Like NetlinkBoundSocket, but with extra configuration for netfilter tests..
+PosixErrorOr NetfilterBoundSocket();
+
 void InitNetfilterGenmsg(struct nfgenmsg* genmsg, uint8_t family,
 uint8_t version, uint16_t res_id);
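Review bot: AddDefaultTableOptions and AddDefaultBaseChainOptions drop the `test_` prefix (`table_name`, `chain_name`) while NfTableCheckOptions in the previous hunk keeps `test_table_name`, so the option structs in this header now follow two naming conventions; either rename the check struct's field as well or leave the rename out of this change. The comment on the new `NetfilterBoundSocket()` declaration ends with a doubled period and says only "extra configuration"; since the definition is not part of this diff, the comment should name what that configuration is so a reader knows when to prefer it over NetlinkBoundSocket.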
@@ -121,10 +124,20 @@ void CheckNetfilterChainAttributes(const NfChainCheckOptions& options);
 void CheckNetfilterRuleAttributes(const struct NfRuleCheckOptions& options);
 // Helper function to add a default table.
-void AddDefaultTable(AddDefaultTableOptions options);
+void AddDefaultTable(const AddDefaultTableOptions& options);
 // Helper function to add a default chain.
-void AddDefaultBaseChain(AddDefaultBaseChainOptions options);
+void AddDefaultBaseChain(const AddDefaultBaseChainOptions& options);
+
+// Helper function to generate a batch netfilter request.
+PosixError NetlinkNetfilterBatchRequestAckOrError(const FileDescriptor& fd,
+ uint32_t seq_start,
+ uint32_t seq_end,
+ void* request, size_t len);
+
+// Helper function to delete a table.
+PosixError DestroyNetfilterTable(FileDescriptor& fd,
+ absl::string_view table_name, int seq_num);
 class NlBatchReq {
 public:
@@ -164,7 +177,7 @@ class NlReq {
 // Method to add a string attribute to the message.
 // The payload is expected to be a null-terminated string.
- NlReq& StrAttr(uint16_t attr_type, const char* payload);
+ NlReq& StrAttr(uint16_t attr_type, absl::string_view payload);
 // Method to add a uint8_t attribute to the message.
 NlReq& U8Attr(uint16_t attr_type, uint8_t payload);
@@ -209,7 +222,7 @@ class NlNestedAttr {
 // Method to add a string attribute to the message.
 // The payload is expected to be a null-terminated string.
- NlNestedAttr& StrAttr(uint16_t attr_type, const char* payload);
+ NlNestedAttr& StrAttr(uint16_t attr_type, absl::string_view payload);
 // Method to add a uint8_t attribute to the message.
 NlNestedAttr& U8Attr(uint16_t attr_type, uint8_t payload);
diff --git a/test/syscalls/linux/socket_netlink_util.h b/test/syscalls/linux/socket_netlink_util.h
index 531862b7e1..b21f513f69 100644
--- a/test/syscalls/linux/socket_netlink_util.h
+++ b/test/syscalls/linux/socket_netlink_util.h
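Review bot: The comment `// The payload is expected to be a null-terminated string.` kept above `NlReq& StrAttr(uint16_t attr_type, absl::string_view payload)` no longer describes the parameter: a string_view is not a C string, and the definition in this change copies `payload.size() + 1` bytes starting at `payload.data()`. State the real contract, e.g. `// payload.size() + 1 bytes starting at payload.data() are copied, so the byte after the view must be a NUL.`; the NlNestedAttr::StrAttr hunk on this line carries the same stale comment. The new `// Helper function to generate a batch netfilter request.` is also inaccurate, since NetlinkNetfilterBatchRequestAckOrError sends an already-built batch and returns the first error found in its responses (0 when every response is an ack); `// Sends a prepared batch request and returns the first error from its responses, or 0 on ack.` is closer to what the function does.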
@@ -68,11 +68,6 @@ PosixError NetlinkRequestResponseSingle(
 PosixError NetlinkRequestAckOrError(const FileDescriptor& fd, uint32_t seq,
 void* request, size_t len);
-PosixError NetlinkNetfilterBatchRequestAckOrError(const FileDescriptor& fd,
- uint32_t seq_start,
- uint32_t seq_end,
- void* request, size_t len);
-
 // Find rtnetlink attribute in message.
 const struct rtattr* FindRtAttr(const struct nlmsghdr* hdr,
 const struct ifinfomsg* msg, int16_t attr);