/*
 * Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 */

/* $Id$ */

/*! \file */

#include <config.h>

#include <atf-c.h>

#include <stdio.h>
#include <unistd.h>

#include <isc/print.h>

#include <dns/acl.h>
#include "dnstest.h"

/*
 * Helper functions
 */

#define BUFLEN 255
#define BIGBUFLEN (70 * 1024)
#define TEST_ORIGIN "test"
6db55b4ff9b099bc8d6621f6e13ec1f087d35e04Mark Andrews
/*
 * Declare the dns_acl_isinsecure test case and give it its one-line
 * description ("descr" metadata variable).
 */
ATF_TC(dns_acl_isinsecure);
ATF_TC_HEAD(dns_acl_isinsecure, tc)
{
	atf_tc_set_md_var(tc, "descr", "test that dns_acl_isinsecure works");
}
/*
 * Body of the dns_acl_isinsecure test case.
 *
 * Builds a series of ACLs and checks the verdict dns_acl_isinsecure()
 * gives for each one.  Every ACL "X" has a companion "notX": an empty ACL
 * into which X is merged with dns_acl_merge(notX, X, ISC_FALSE).
 * NOTE(review): judging by the "not" names and the "!any" / "!none"
 * comments, ISC_FALSE makes the merge negate X -- confirm against
 * dns/acl.h.
 *
 * What the assertions below pin down:
 *  - "any" is reported insecure; "none", "!any" and "!none" are not.
 *  - An ACL with at least one positive 10/8 or 0a00::/8 entry is reported
 *    insecure; the all-negative ACL and every negated copy are not.
 *  - A positive loopback host entry (127.0.0.1/32, ::1/128) is reported
 *    insecure only when it was added with the ecs[] flag set.
 */
ATF_TC_BODY(dns_acl_isinsecure, tc) {
	isc_result_t result;
	unsigned int pass;
	/*
	 * One row per pass of the loop below.  "first" and "second" are
	 * handed to dns_iptable_addprefix2() as its last argument for the
	 * first and second prefix added to an ACL.
	 * NOTE(review): that argument looks like the "is ECS" marker (hence
	 * the table name) -- confirm against dns/iptable.h.
	 */
	struct {
		isc_boolean_t first;
		isc_boolean_t second;
	} ecs[] = {
		{ ISC_FALSE, ISC_FALSE },
		{ ISC_TRUE, ISC_TRUE },
		{ ISC_TRUE, ISC_FALSE },
		{ ISC_FALSE, ISC_TRUE }
	};

	dns_acl_t *any = NULL;
	dns_acl_t *none = NULL;
	dns_acl_t *notnone = NULL;
	dns_acl_t *notany = NULL;

	dns_acl_t *pos4pos6 = NULL;
	dns_acl_t *notpos4pos6 = NULL;
	dns_acl_t *neg4pos6 = NULL;
	dns_acl_t *notneg4pos6 = NULL;
	dns_acl_t *pos4neg6 = NULL;
	dns_acl_t *notpos4neg6 = NULL;
	dns_acl_t *neg4neg6 = NULL;
	dns_acl_t *notneg4neg6 = NULL;

	dns_acl_t *loop4 = NULL;
	dns_acl_t *notloop4 = NULL;

	dns_acl_t *loop6 = NULL;
	dns_acl_t *notloop6 = NULL;

	dns_acl_t *loop4pos6 = NULL;
	dns_acl_t *notloop4pos6 = NULL;
	dns_acl_t *loop4neg6 = NULL;
	dns_acl_t *notloop4neg6 = NULL;

	struct in_addr inaddr;
	isc_netaddr_t addr;

	UNUSED(tc);

	result = dns_test_begin(NULL, ISC_FALSE);
	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

	/*
	 * Baseline: the built-in "any" and "none" ACLs and their negated
	 * copies.  Only "any" is expected to be flagged.
	 */
	result = dns_acl_any(mctx, &any);
	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

	result = dns_acl_none(mctx, &none);
	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

	result = dns_acl_create(mctx, 1, &notnone);
	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

	result = dns_acl_create(mctx, 1, &notany);
	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

	result = dns_acl_merge(notnone, none, ISC_FALSE);
	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

	result = dns_acl_merge(notany, any, ISC_FALSE);
	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

	ATF_CHECK(dns_acl_isinsecure(any));		/* any; */
	ATF_CHECK(!dns_acl_isinsecure(none));		/* none; */
	ATF_CHECK(!dns_acl_isinsecure(notany));		/* !any; */
	ATF_CHECK(!dns_acl_isinsecure(notnone));	/* !none; */

	dns_acl_detach(&any);
	dns_acl_detach(&none);
	dns_acl_detach(&notany);
	dns_acl_detach(&notnone);

	/*
	 * Repeat every remaining scenario once per row of ecs[].  All ACLs
	 * are created and detached inside the loop, so each pass starts
	 * from fresh objects.
	 */
	for (pass = 0; pass < sizeof(ecs)/sizeof(ecs[0]); pass++) {
		result = dns_acl_create(mctx, 1, &pos4pos6);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		result = dns_acl_create(mctx, 1, &notpos4pos6);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		result = dns_acl_create(mctx, 1, &neg4pos6);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		result = dns_acl_create(mctx, 1, &notneg4pos6);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		result = dns_acl_create(mctx, 1, &pos4neg6);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		result = dns_acl_create(mctx, 1, &notpos4neg6);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		result = dns_acl_create(mctx, 1, &neg4neg6);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		result = dns_acl_create(mctx, 1, &notneg4neg6);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		/*
		 * Each ACL in this group gets one IPv4 /8 entry and one IPv6
		 * /8 entry.  The IPv6 entry is made by switching addr.family
		 * on the address just filled in by isc_netaddr_fromin(), so
		 * the order of the statements matters.
		 * NOTE(review): this relies on the IPv4 and IPv6 address
		 * fields of isc_netaddr_t sharing storage, as the author's
		 * "0a00::" comments imply -- confirm in isc/netaddr.h.
		 */
		inaddr.s_addr = htonl(0x0a000000);		/* 10.0.0.0/8 */
		isc_netaddr_fromin(&addr, &inaddr);
		result = dns_iptable_addprefix2(pos4pos6->iptable, &addr, 8,
						ISC_TRUE, ecs[pass].first);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		addr.family = AF_INET6;				/* 0a00::/8 */
		result = dns_iptable_addprefix2(pos4pos6->iptable, &addr, 8,
						ISC_TRUE, ecs[pass].second);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		result = dns_acl_merge(notpos4pos6, pos4pos6, ISC_FALSE);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		inaddr.s_addr = htonl(0x0a000000);		/* !10.0.0.0/8 */
		isc_netaddr_fromin(&addr, &inaddr);
		result = dns_iptable_addprefix2(neg4pos6->iptable, &addr, 8,
						ISC_FALSE, ecs[pass].first);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		addr.family = AF_INET6;				/* 0a00::/8 */
		result = dns_iptable_addprefix2(neg4pos6->iptable, &addr, 8,
						ISC_TRUE, ecs[pass].second);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		result = dns_acl_merge(notneg4pos6, neg4pos6, ISC_FALSE);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		inaddr.s_addr = htonl(0x0a000000);		/* 10.0.0.0/8 */
		isc_netaddr_fromin(&addr, &inaddr);
		result = dns_iptable_addprefix2(pos4neg6->iptable, &addr, 8,
						ISC_TRUE, ecs[pass].first);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		addr.family = AF_INET6;				/* !0a00::/8 */
		result = dns_iptable_addprefix2(pos4neg6->iptable, &addr, 8,
						ISC_FALSE, ecs[pass].second);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		result = dns_acl_merge(notpos4neg6, pos4neg6, ISC_FALSE);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		inaddr.s_addr = htonl(0x0a000000);		/* !10.0.0.0/8 */
		isc_netaddr_fromin(&addr, &inaddr);
		result = dns_iptable_addprefix2(neg4neg6->iptable, &addr, 8,
						ISC_FALSE, ecs[pass].first);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		addr.family = AF_INET6;				/* !0a00::/8 */
		result = dns_iptable_addprefix2(neg4neg6->iptable, &addr, 8,
						ISC_FALSE, ecs[pass].second);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		result = dns_acl_merge(notneg4neg6, neg4neg6, ISC_FALSE);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		/*
		 * These expectations are the same on every pass: an ACL with
		 * any positive non-loopback prefix is insecure, whatever the
		 * ecs[] flags are; all-negative and negated ACLs are not.
		 */
		ATF_CHECK(dns_acl_isinsecure(pos4pos6));
		ATF_CHECK(!dns_acl_isinsecure(notpos4pos6));
		ATF_CHECK(dns_acl_isinsecure(neg4pos6));
		ATF_CHECK(!dns_acl_isinsecure(notneg4pos6));
		ATF_CHECK(dns_acl_isinsecure(pos4neg6));
		ATF_CHECK(!dns_acl_isinsecure(notpos4neg6));
		ATF_CHECK(!dns_acl_isinsecure(neg4neg6));
		ATF_CHECK(!dns_acl_isinsecure(notneg4neg6));

		dns_acl_detach(&pos4pos6);
		dns_acl_detach(&notpos4pos6);
		dns_acl_detach(&neg4pos6);
		dns_acl_detach(&notneg4pos6);
		dns_acl_detach(&pos4neg6);
		dns_acl_detach(&notpos4neg6);
		dns_acl_detach(&neg4neg6);
		dns_acl_detach(&notneg4neg6);

		/*
		 * Loopback-only ACLs.  Both the IPv4 and the IPv6 entry use
		 * ecs[pass].first; ecs[pass].second is not used in this group.
		 */
		result = dns_acl_create(mctx, 1, &loop4);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		result = dns_acl_create(mctx, 1, &notloop4);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		result = dns_acl_create(mctx, 1, &loop6);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		result = dns_acl_create(mctx, 1, &notloop6);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		inaddr.s_addr = htonl(0x7f000001);		/* 127.0.0.1 */
		isc_netaddr_fromin(&addr, &inaddr);
		result = dns_iptable_addprefix2(loop4->iptable, &addr, 32,
						ISC_TRUE, ecs[pass].first);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		result = dns_acl_merge(notloop4, loop4, ISC_FALSE);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		isc_netaddr_fromin6(&addr, &in6addr_loopback);	/* ::1 */
		result = dns_iptable_addprefix2(loop6->iptable, &addr, 128,
						ISC_TRUE, ecs[pass].first);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		result = dns_acl_merge(notloop6, loop6, ISC_FALSE);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		/*
		 * A plain loopback host entry is not insecure; the same entry
		 * added with the ecs[] flag set is.
		 * NOTE(review): presumably because a flagged entry is matched
		 * against a client-supplied subnet rather than the packet's
		 * source address -- confirm against dns_acl_isinsecure().
		 * NOTE(review): the "else if" condition below is always true
		 * when reached; a plain "else" would be equivalent.
		 */
		if (!ecs[pass].first) {
			ATF_CHECK(!dns_acl_isinsecure(loop4));
			ATF_CHECK(!dns_acl_isinsecure(notloop4));
			ATF_CHECK(!dns_acl_isinsecure(loop6));
			ATF_CHECK(!dns_acl_isinsecure(notloop6));
		} else if (ecs[pass].first) {
			ATF_CHECK(dns_acl_isinsecure(loop4));
			ATF_CHECK(!dns_acl_isinsecure(notloop4));
			ATF_CHECK(dns_acl_isinsecure(loop6));
			ATF_CHECK(!dns_acl_isinsecure(notloop6));
		}

		dns_acl_detach(&loop4);
		dns_acl_detach(&notloop4);
		dns_acl_detach(&loop6);
		dns_acl_detach(&notloop6);

		/*
		 * Mixed ACLs: an IPv4 loopback host entry plus an IPv6 /32
		 * (positive in loop4pos6, negative in loop4neg6) built from
		 * the same address bytes.
		 */
		result = dns_acl_create(mctx, 1, &loop4pos6);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		result = dns_acl_create(mctx, 1, &notloop4pos6);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		result = dns_acl_create(mctx, 1, &loop4neg6);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		result = dns_acl_create(mctx, 1, &notloop4neg6);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		inaddr.s_addr = htonl(0x7f000001);		/* 127.0.0.1 */
		isc_netaddr_fromin(&addr, &inaddr);
		result = dns_iptable_addprefix2(loop4pos6->iptable, &addr, 32,
						ISC_TRUE, ecs[pass].first);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		/*
		 * NOTE(review): the original comment read "f700:0001::/32";
		 * 0x7f000001 in network byte order is 7f 00 00 01, which
		 * reads as 7f00:0001:: -- assuming the shared-storage layout
		 * noted above.
		 */
		addr.family = AF_INET6;			/* 7f00:0001::/32 */
		result = dns_iptable_addprefix2(loop4pos6->iptable, &addr, 32,
						ISC_TRUE, ecs[pass].second);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		result = dns_acl_merge(notloop4pos6, loop4pos6, ISC_FALSE);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		inaddr.s_addr = htonl(0x7f000001);		/* 127.0.0.1 */
		isc_netaddr_fromin(&addr, &inaddr);
		result = dns_iptable_addprefix2(loop4neg6->iptable, &addr, 32,
						ISC_TRUE, ecs[pass].first);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		addr.family = AF_INET6;			/* !7f00:0001::/32 */
		result = dns_iptable_addprefix2(loop4neg6->iptable, &addr, 32,
						ISC_FALSE, ecs[pass].second);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		result = dns_acl_merge(notloop4neg6, loop4neg6, ISC_FALSE);
		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);

		/*
		 * One branch per ecs[] row.  Across the four branches
		 * loop4pos6 is always insecure (it has a positive
		 * non-loopback IPv6 prefix) and both negated copies never
		 * are; loop4neg6 is insecure exactly when ecs[pass].first is
		 * set, independent of ecs[pass].second.
		 */
		if (!ecs[pass].first && !ecs[pass].second) {
			ATF_CHECK(dns_acl_isinsecure(loop4pos6));
			ATF_CHECK(!dns_acl_isinsecure(notloop4pos6));
			ATF_CHECK(!dns_acl_isinsecure(loop4neg6));
			ATF_CHECK(!dns_acl_isinsecure(notloop4neg6));
		} else if (ecs[pass].first && !ecs[pass].second) {
			ATF_CHECK(dns_acl_isinsecure(loop4pos6));
			ATF_CHECK(!dns_acl_isinsecure(notloop4pos6));
			ATF_CHECK(dns_acl_isinsecure(loop4neg6));
			ATF_CHECK(!dns_acl_isinsecure(notloop4neg6));
		} else if (!ecs[pass].first && ecs[pass].second) {
			ATF_CHECK(dns_acl_isinsecure(loop4pos6));
			ATF_CHECK(!dns_acl_isinsecure(notloop4pos6));
			ATF_CHECK(!dns_acl_isinsecure(loop4neg6));
			ATF_CHECK(!dns_acl_isinsecure(notloop4neg6));
		} else {
			ATF_CHECK(dns_acl_isinsecure(loop4pos6));
			ATF_CHECK(!dns_acl_isinsecure(notloop4pos6));
			ATF_CHECK(dns_acl_isinsecure(loop4neg6));
			ATF_CHECK(!dns_acl_isinsecure(notloop4neg6));
		}

		dns_acl_detach(&loop4pos6);
		dns_acl_detach(&notloop4pos6);
		dns_acl_detach(&loop4neg6);
		dns_acl_detach(&notloop4neg6);
	}

	dns_test_end();
}
6db55b4ff9b099bc8d6621f6e13ec1f087d35e04Mark Andrews
/*
 * Test program entry point: register the dns_acl_isinsecure test case
 * with the test program.
 */
ATF_TP_ADD_TCS(tp)
{
	ATF_TP_ADD_TC(tp, dns_acl_isinsecure);

	return atf_no_error();
}