tests: added quota tests

daemon/firewall/nftables/exprs/nat_test.go

@@ -20,7 +20,7 @@ func TestExprVerdictSNAT(t *testing.T) {
 	nftest.Fw.Conn = conn
 
 	// TODO: test random, permanent, persistent flags.
-	tests := []nftest.NatTestsT{
+	tests := []nftest.TestsT{
 		{
 			"test-nat-snat-to-127001",
 			exprs.NFT_FAMILY_IP,
@@ -204,7 +204,7 @@ func TestExprVerdictDNAT(t *testing.T) {
 	defer nftest.CleanupSystemConn(t, newNS)
 	nftest.Fw.Conn = conn
 
-	tests := []nftest.NatTestsT{
+	tests := []nftest.TestsT{
 		{
 			"test-nat-dnat-to-127001",
 			exprs.NFT_FAMILY_IP,
@@ -389,7 +389,7 @@ func TestExprVerdictMasquerade(t *testing.T) {
 	defer nftest.CleanupSystemConn(t, newNS)
 	nftest.Fw.Conn = conn
 
-	tests := []nftest.NatTestsT{
+	tests := []nftest.TestsT{
 		{
 			"test-nat-masq-to-:12345",
 			exprs.NFT_FAMILY_IP,
@@ -473,7 +473,7 @@ func TestExprVerdictRedirect(t *testing.T) {
 	defer nftest.CleanupSystemConn(t, newNS)
 	nftest.Fw.Conn = conn
 
-	tests := []nftest.NatTestsT{
+	tests := []nftest.TestsT{
 		{
 			"test-nat-redir-to-127001:12345",
 			exprs.NFT_FAMILY_IP,
@@ -548,7 +548,7 @@ func TestExprVerdictTProxy(t *testing.T) {
 	defer nftest.CleanupSystemConn(t, newNS)
 	nftest.Fw.Conn = conn
 
-	tests := []nftest.NatTestsT{
+	tests := []nftest.TestsT{
 		{
 			"test-nat-tproxy-to-127001:12345",
 			exprs.NFT_FAMILY_IP,

daemon/firewall/nftables/exprs/quota.go

@@ -49,6 +49,8 @@ func NewQuota(opts []*config.ExprValues) (*[]expr.Any, error) {
 				return nil, fmt.Errorf("invalid quota bytes: %s", opt.Value)
 			}
 			bytes = ((b * 1024) * 1024) * 1024
+		default:
+			return nil, fmt.Errorf("invalid quota key: %s", opt.Key)
 		}
 	}
 	if bytes == 0 {

daemon/firewall/nftables/exprs/quota_test.go

@@ -0,0 +1,243 @@
+package exprs_test
+
+import (
+	"testing"
+
+	"github.com/evilsocket/opensnitch/daemon/firewall/config"
+	"github.com/evilsocket/opensnitch/daemon/firewall/nftables/exprs"
+	"github.com/evilsocket/opensnitch/daemon/firewall/nftables/nftest"
+	"github.com/google/nftables/expr"
+)
+
+func TestExprQuota(t *testing.T) {
+	nftest.SkipIfNotPrivileged(t)
+
+	conn, newNS := nftest.OpenSystemConn(t)
+	defer nftest.CleanupSystemConn(t, newNS)
+	nftest.Fw.Conn = conn
+
+	tests := []nftest.TestsT{
+		{
+			"test-quota-over-bytes-12345",
+			"", // family
+			"", // parms
+			[]*config.ExprValues{
+				&config.ExprValues{
+					Key:   exprs.NFT_QUOTA_OVER,
+					Value: "",
+				},
+				&config.ExprValues{
+					Key:   exprs.NFT_QUOTA_UNIT_BYTES,
+					Value: "12345",
+				},
+			},
+			1,
+			[]interface{}{
+				&expr.Quota{
+					Bytes:    uint64(12345),
+					Consumed: 0,
+					Over:     true,
+				},
+			},
+			false,
+		},
+		{
+			"test-quota-over-kbytes-1",
+			"", // family
+			"", // parms
+			[]*config.ExprValues{
+				&config.ExprValues{
+					Key:   exprs.NFT_QUOTA_OVER,
+					Value: "",
+				},
+				&config.ExprValues{
+					Key:   exprs.NFT_QUOTA_UNIT_KB,
+					Value: "1",
+				},
+			},
+			1,
+			[]interface{}{
+				&expr.Quota{
+					Bytes:    uint64(1024),
+					Consumed: 0,
+					Over:     true,
+				},
+			},
+			false,
+		},
+		{
+			"test-quota-over-mbytes-1",
+			"", // family
+			"", // parms
+			[]*config.ExprValues{
+				&config.ExprValues{
+					Key:   exprs.NFT_QUOTA_OVER,
+					Value: "",
+				},
+				&config.ExprValues{
+					Key:   exprs.NFT_QUOTA_UNIT_MB,
+					Value: "1",
+				},
+			},
+			1,
+			[]interface{}{
+				&expr.Quota{
+					Bytes:    uint64(1024 * 1024),
+					Consumed: 0,
+					Over:     true,
+				},
+			},
+			false,
+		},
+		{
+			"test-quota-over-gbytes-1",
+			"", // family
+			"", // parms
+			[]*config.ExprValues{
+				&config.ExprValues{
+					Key:   exprs.NFT_QUOTA_OVER,
+					Value: "",
+				},
+				&config.ExprValues{
+					Key:   exprs.NFT_QUOTA_UNIT_GB,
+					Value: "1",
+				},
+			},
+			1,
+			[]interface{}{
+				&expr.Quota{
+					Bytes:    uint64(1024 * 1024 * 1024),
+					Consumed: 0,
+					Over:     true,
+				},
+			},
+			false,
+		},
+		{
+			"test-quota-until-gbytes-1",
+			"", // family
+			"", // parms
+			[]*config.ExprValues{
+				&config.ExprValues{
+					Key:   exprs.NFT_QUOTA_UNIT_GB,
+					Value: "1",
+				},
+			},
+			1,
+			[]interface{}{
+				&expr.Quota{
+					Bytes:    uint64(1024 * 1024 * 1024),
+					Consumed: 0,
+					Over:     false,
+				},
+			},
+			false,
+		},
+		{
+			"test-quota-consumed-bytes-1024",
+			"", // family
+			"", // parms
+			[]*config.ExprValues{
+				&config.ExprValues{
+					Key:   exprs.NFT_QUOTA_UNIT_GB,
+					Value: "1",
+				},
+				&config.ExprValues{
+					Key:   exprs.NFT_QUOTA_USED,
+					Value: "1024",
+				},
+			},
+			1,
+			[]interface{}{
+				&expr.Quota{
+					Bytes:    uint64(1024 * 1024 * 1024),
+					Consumed: 1024,
+					Over:     false,
+				},
+			},
+			false,
+		},
+		{
+			"test-invalid-quota-key",
+			"", // family
+			"", // parms
+			[]*config.ExprValues{
+				&config.ExprValues{
+					Key:   "gbyte",
+					Value: "1",
+				},
+			},
+			1,
+			[]interface{}{},
+			true,
+		},
+		{
+			"test-invalid-quota-value",
+			"", // family
+			"", // parms
+			[]*config.ExprValues{
+				&config.ExprValues{
+					Key:   exprs.NFT_QUOTA_UNIT_GB,
+					Value: "1a",
+				},
+			},
+			1,
+			[]interface{}{},
+			true,
+		},
+		{
+			"test-invalid-quota-value",
+			"", // family
+			"", // parms
+			[]*config.ExprValues{
+				&config.ExprValues{
+					Key:   exprs.NFT_QUOTA_UNIT_GB,
+					Value: "",
+				},
+			},
+			1,
+			[]interface{}{},
+			true,
+		},
+		{
+			"test-invalid-quota-bytes-0",
+			"", // family
+			"", // parms
+			[]*config.ExprValues{
+				&config.ExprValues{
+					Key:   exprs.NFT_QUOTA_UNIT_GB,
+					Value: "0",
+				},
+			},
+			1,
+			[]interface{}{},
+			true,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.Name, func(t *testing.T) {
+			quotaExpr, err := exprs.NewQuota(test.Values)
+			if err != nil && !test.ExpectedFail {
+				t.Errorf("Error creating expr Quota: %s", quotaExpr)
+				return
+			} else if err != nil && test.ExpectedFail {
+				return
+			}
+
+			r, _ := nftest.AddTestRule(t, conn, quotaExpr)
+			if r == nil && !test.ExpectedFail {
+				t.Error("Error adding rule with Quota expression")
+			}
+
+			if !nftest.AreExprsValid(t, &test, r) {
+				return
+			}
+
+			if test.ExpectedFail {
+				t.Errorf("test should have failed")
+			}
+		})
+	}
+
+}

daemon/firewall/nftables/nftest/test_utils.go

@@ -10,8 +10,8 @@ import (
 	"github.com/google/nftables/expr"
 )
 
-// NatTestsT defines the fields of a test.
-type NatTestsT struct {
+// TestsT defines the fields of a test.
+type TestsT struct {
 	Name             string
 	Family           string
 	Parms            string
@@ -23,7 +23,7 @@ type NatTestsT struct {
 
 // AreExprsValid checks if the expressions defined in the given rule are valid
 // according to the expected expressions defined in the tests.
-func AreExprsValid(t *testing.T, test *NatTestsT, rule *nftables.Rule) bool {
+func AreExprsValid(t *testing.T, test *TestsT, rule *nftables.Rule) bool {
 
 	if total := len(rule.Exprs); total != test.ExpectedExprsNum {
 		t.Errorf("expected %d expressions, found %d", test.ExpectedExprsNum, total)
@@ -121,6 +121,20 @@ func AreExprsValid(t *testing.T, test *NatTestsT, rule *nftables.Rule) bool {
 				return false
 			}
 
+		case *expr.Quota:
+			lExpr, ok := e.(*expr.Quota)
+			lExpect, okExpected := test.ExpectedExprs[idx].(*expr.Quota)
+			if !ok || !okExpected {
+				t.Errorf("invalid Quota expr,\ngot: %+v,\nexpected: %+v", lExpr, lExpect)
+				return false
+			}
+			if lExpr.Bytes != lExpect.Bytes ||
+				lExpr.Over != lExpect.Over ||
+				lExpr.Consumed != lExpect.Consumed {
+				t.Errorf("invalid Quota.Data,\ngot: %+v,\nexpected: %+v", lExpr, lExpect)
+				return false
+			}
+
 		case *expr.Cmp:
 			lExpr, ok := e.(*expr.Cmp)
 			lExpect, okExpected := test.ExpectedExprs[idx].(*expr.Cmp)