tests: net: pkt_filter: Add TCs for new hooks

Add new TCs to cover new hooks functionality. These tests implement simple IP filter. Signed-off-by: Marcin Gasiorek <marcin.gasiorek@nordicsemi.no>
2023-07-06 14:21:46 +02:00 · 2023-07-06 14:21:46 +02:00 · eb16ab551f
parent 0bf467bbcd
commit eb16ab551f
2 changed files with 180 additions and 0 deletions
--- a/tests/net/npf/prj.conf
+++ b/tests/net/npf/prj.conf
@ -12,3 +12,7 @@ CONFIG_NET_BUF_TX_COUNT=20
 CONFIG_ZTEST=y
 CONFIG_ZTEST_NEW_API=y
 CONFIG_COMPILER_COLOR_DIAGNOSTICS=n
+CONFIG_NET_IPV4=y
+CONFIG_NET_PKT_FILTER_IPV4_HOOK=y
+CONFIG_NET_IPV6=y
+CONFIG_NET_PKT_FILTER_IPV6_HOOK=y
--- a/tests/net/npf/src/main.c
+++ b/tests/net/npf/src/main.c
@ -16,6 +16,9 @@ LOG_MODULE_REGISTER(npf_test, NET_LOG_LEVEL);
 #include <errno.h>
 #include <zephyr/sys/printk.h>

+#include "ipv4.h"
+#include "ipv6.h"
+
 #include <zephyr/ztest.h>

 #include <zephyr/net/net_if.h>
@ -72,6 +75,31 @@ static struct net_pkt *build_test_pkt(int type, int size, struct net_if *iface)
 	return pkt;
 }

+static struct net_pkt *build_test_ip_pkt(void *src, void *dst,
+	   sa_family_t family, struct net_if *iface)
+{
+	struct net_pkt *pkt;
+	int ret = -1;
+	int size;
+
+	size = (family == AF_INET) ? sizeof(struct net_ipv4_hdr) :
+		(family == AF_INET6) ? sizeof(struct net_ipv6_hdr) : 0U;
+
+	pkt = net_pkt_rx_alloc_with_buffer(iface, size, family, 0, K_NO_WAIT);
+	zassert_not_null(pkt, "");
+
+	if (family == AF_INET) {
+		ret = net_ipv4_create(pkt, (struct in_addr *)src, (struct in_addr *)dst);
+	} else if (family == AF_INET6) {
+		ret = net_ipv6_create(pkt, (struct in6_addr *)src, (struct in6_addr *)dst);
+	}
+	zassert_equal(ret, 0, "Cannot create %s packet (%d)",
+		(family == AF_INET) ? "IPv4" : "IPv6", ret);
+
+	DBG("pkt %p: iface %p size %d sa_family %d\n", pkt, iface, size, family);
+	return pkt;
+}
+
 /*
 * Declare some fake interfaces and test their filter conditions.
 */
@ -274,6 +302,8 @@ static void test_npf_eth_mac_address(void)
 	zassert_true(npf_remove_recv_rule(&accept_matched_dst_addr), "");
 	zassert_false(net_pkt_filter_recv_ok(pkt), "");
 	zassert_true(npf_remove_recv_rule(&accept_unmatched_dst_addr), "");
+
+	net_pkt_unref(pkt);
 }

 static NPF_ETH_SRC_ADDR_MASK_MATCH(matched_src_addr_mask, mac_address_list,
@ -299,6 +329,8 @@ static void test_npf_eth_mac_addr_mask(void)

 	/* cleanup */
 	zassert_true(npf_remove_all_recv_rules(), "");
+
+	net_pkt_unref(pkt);
 }

 ZTEST(net_pkt_filter_test_suite, test_npf_address_mask)
@ -307,4 +339,148 @@ ZTEST(net_pkt_filter_test_suite, test_npf_address_mask)
 	test_npf_eth_mac_addr_mask();
 }

+/*
+ * IP address filtering
+ */
+
+static struct in_addr ipv4_address_list[4] = {
+	{ { { 192, 168, 1, 1 } } },
+	{ { { 192, 0, 2, 1 } } },
+	{ { { 172, 16, 0, 1 } } },
+	{ { { 10, 49, 0, 252 } } }
+};
+
+static struct in6_addr ipv6_address_list[4] = {
+	{ { { 0x20, 0x01, 0x0d, 0xb8, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x1 } } },
+	{ { { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x1 } } },
+	{ { { 0x20, 0x01, 0x0d, 0xb8, 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x1 } } },
+	{ { { 0x20, 0x01, 0x0d, 0xb8, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x1 } } },
+};
+
+static NPF_IP_SRC_ADDR_ALLOWLIST(allowlist_ipv4_src_addr, (void *)ipv4_address_list,
+					 ARRAY_SIZE(ipv4_address_list), AF_INET);
+static NPF_IP_SRC_ADDR_BLOCKLIST(blocklist_ipv4_src_addr, (void *)ipv4_address_list,
+					 ARRAY_SIZE(ipv4_address_list), AF_INET);
+
+static NPF_RULE(ipv4_allowlist, NET_OK, allowlist_ipv4_src_addr);
+static NPF_RULE(ipv4_blocklist, NET_OK, blocklist_ipv4_src_addr);
+
+ZTEST(net_pkt_filter_test_suite, test_npf_ipv4_address_filtering)
+{
+	struct in_addr dst = { { { 192, 168, 2, 1 } } };
+	struct in_addr bad_addr = { { { 192, 168, 2, 3 } } };
+	struct net_pkt *pkt_v4 = build_test_ip_pkt(&ipv4_address_list[0], &dst, AF_INET,
+						   &dummy_iface_a);
+	struct net_pkt *pkt_v6 = build_test_ip_pkt(&ipv6_address_list[0], &ipv6_address_list[1],
+						   AF_INET6, &dummy_iface_a);
+
+	/* make sure pkt is initially accepted */
+	zassert_true(net_pkt_filter_ip_recv_ok(pkt_v4), "");
+	zassert_true(net_pkt_filter_ip_recv_ok(pkt_v6), "");
+
+	/* validate allowlist */
+	npf_insert_ipv4_recv_rule(&ipv4_allowlist);
+
+	for (int it = 0; it < ARRAY_SIZE(ipv4_address_list); it++) {
+		memcpy((struct in_addr *)NET_IPV4_HDR(pkt_v4)->src, &ipv4_address_list[it],
+		       sizeof(struct in_addr));
+		zassert_true(net_pkt_filter_ip_recv_ok(pkt_v4), "");
+	}
+
+	/* And one not listed */
+	memcpy((struct in_addr *)NET_IPV4_HDR(pkt_v4)->src,
+				 &bad_addr, sizeof(struct in_addr));
+	zassert_false(net_pkt_filter_ip_recv_ok(pkt_v4), "");
+	zassert_true(net_pkt_filter_ip_recv_ok(pkt_v6), "");
+
+	/* Prepare new test */
+	zassert_true(npf_remove_all_ipv4_recv_rules(), "");
+
+	/* make sure pkt is initially accepted */
+	zassert_true(net_pkt_filter_ip_recv_ok(pkt_v4), "");
+	zassert_true(net_pkt_filter_ip_recv_ok(pkt_v6), "");
+
+	/* validate blocklist */
+	npf_insert_ipv4_recv_rule(&ipv4_blocklist);
+
+	for (int it = 0; it < ARRAY_SIZE(ipv4_address_list); it++) {
+		memcpy((struct in_addr *)NET_IPV4_HDR(pkt_v4)->src, &ipv4_address_list[it],
+		       sizeof(struct in_addr));
+		zassert_false(net_pkt_filter_ip_recv_ok(pkt_v4), "");
+	}
+
+	/* And one not listed */
+	memcpy((struct in_addr *)NET_IPV4_HDR(pkt_v4)->src,
+				 &bad_addr, sizeof(struct in_addr));
+	zassert_true(net_pkt_filter_ip_recv_ok(pkt_v4), "");
+
+	zassert_true(npf_remove_all_ipv4_recv_rules(), "");
+	net_pkt_unref(pkt_v6);
+	net_pkt_unref(pkt_v4);
+}
+
+static NPF_IP_SRC_ADDR_ALLOWLIST(allowlist_ipv6_src_addr, (void *)ipv6_address_list,
+					 ARRAY_SIZE(ipv6_address_list), AF_INET6);
+static NPF_IP_SRC_ADDR_BLOCKLIST(blocklist_ipv6_src_addr, (void *)ipv6_address_list,
+					 ARRAY_SIZE(ipv6_address_list), AF_INET6);
+
+static NPF_RULE(ipv6_allowlist, NET_OK, allowlist_ipv6_src_addr);
+static NPF_RULE(ipv6_blocklist, NET_OK, blocklist_ipv6_src_addr);
+
+ZTEST(net_pkt_filter_test_suite, test_npf_ipv6_address_filtering)
+{
+	struct in6_addr dst = { { { 0xfe, 0x80, 0x43, 0xb8, 0, 0, 0, 0,
+					  0, 0, 0, 0xf2, 0xaa, 0x29, 0x02, 0x04 } } };
+	struct in6_addr bad_addr = { { { 0x20, 0x01, 0x0d, 0xb8, 8, 0, 0, 0,
+					  0, 0, 0, 0, 0, 0, 0, 0x1 } } };
+	struct net_pkt *pkt_v6 = build_test_ip_pkt(&ipv6_address_list[0], &dst, AF_INET6,
+						   &dummy_iface_a);
+	struct net_pkt *pkt_v4 = build_test_ip_pkt(&ipv4_address_list[0], &ipv4_address_list[1],
+						   AF_INET, &dummy_iface_a);
+
+	/* make sure pkt is initially accepted */
+	zassert_true(net_pkt_filter_ip_recv_ok(pkt_v4), "");
+	zassert_true(net_pkt_filter_ip_recv_ok(pkt_v6), "");
+
+	/* validate allowlist */
+	npf_insert_ipv6_recv_rule(&ipv6_allowlist);
+
+	for (int it = 0; it < ARRAY_SIZE(ipv6_address_list); it++) {
+		memcpy((struct in6_addr *)NET_IPV6_HDR(pkt_v6)->src,
+				 &ipv6_address_list[it], sizeof(struct in6_addr));
+		zassert_true(net_pkt_filter_ip_recv_ok(pkt_v6), "");
+	}
+
+	/* And one not listed */
+	memcpy((struct in6_addr *)NET_IPV6_HDR(pkt_v6)->src,
+				 &bad_addr, sizeof(struct in6_addr));
+	zassert_true(net_pkt_filter_ip_recv_ok(pkt_v4), "");
+	zassert_false(net_pkt_filter_ip_recv_ok(pkt_v6), "");
+
+	/* Prepare new test */
+	zassert_true(npf_remove_all_ipv6_recv_rules(), "");
+
+	/* make sure pkt is initially accepted */
+	zassert_true(net_pkt_filter_ip_recv_ok(pkt_v4), "");
+	zassert_true(net_pkt_filter_ip_recv_ok(pkt_v6), "");
+
+	/* validate blocklist */
+	npf_insert_ipv6_recv_rule(&ipv6_blocklist);
+
+	for (int it = 0; it < ARRAY_SIZE(ipv6_address_list); it++) {
+		memcpy((struct in6_addr *)NET_IPV6_HDR(pkt_v6)->src,
+				 &ipv6_address_list[it], sizeof(struct in6_addr));
+		zassert_false(net_pkt_filter_ip_recv_ok(pkt_v6), "");
+	}
+
+	/* And one not listed */
+	memcpy((struct in6_addr *)NET_IPV4_HDR(pkt_v6)->src,
+				 &bad_addr, sizeof(struct in6_addr));
+	zassert_true(net_pkt_filter_ip_recv_ok(pkt_v6), "");
+
+	zassert_true(npf_remove_all_ipv6_recv_rules(), "");
+	net_pkt_unref(pkt_v6);
+	net_pkt_unref(pkt_v4);
+}
+
 ZTEST_SUITE(net_pkt_filter_test_suite, NULL, test_npf_iface, NULL, NULL, NULL);