diff options
author | Kevin Krakauer <krakauer@google.com> | 2020-03-26 10:46:47 -0700 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2020-03-26 10:47:51 -0700 |
commit | bc3def43c3c30ccde6577a0af213d13e4fd17e1e (patch) | |
tree | 772b694ddbbefcc09e6efeb822fcc490c4aed636 | |
parent | c64796748c735af8b304e62d7833648b691d5a72 (diff) |
Check error in DropTCP*Port tests and fix comment.
PiperOrigin-RevId: 303147253
-rw-r--r-- | test/iptables/filter_input.go | 22 |
1 files changed, 8 insertions, 14 deletions
diff --git a/test/iptables/filter_input.go b/test/iptables/filter_input.go index 4ccd4cce7..41e0cfa8d 100644 --- a/test/iptables/filter_input.go +++ b/test/iptables/filter_input.go @@ -194,14 +194,11 @@ func (FilterInputDropTCPDestPort) ContainerAction(ip net.IP) error { // LocalAction implements TestCase.LocalAction. func (FilterInputDropTCPDestPort) LocalAction(ip net.IP) error { - // After the container sets its DROP rule, we shouldn't be able to connect. - // However, we may succeed in connecting if this runs before the container - // sets the rule. To avoid this race, we retry connecting until - // sendloopDuration has elapsed, ignoring whether the connect succeeds. The - // test works becuase the container will error if a connection is - // established after the rule is set. + // Ensure we cannot connect to the container. for start := time.Now(); time.Since(start) < sendloopDuration; { - connectTCP(ip, dropPort, sendloopDuration-time.Since(start)) + if err := connectTCP(ip, dropPort, sendloopDuration-time.Since(start)); err == nil { + return fmt.Errorf("expected not to connect, but was able to connect on port %d", dropPort) + } } return nil @@ -232,14 +229,11 @@ func (FilterInputDropTCPSrcPort) ContainerAction(ip net.IP) error { // LocalAction implements TestCase.LocalAction. func (FilterInputDropTCPSrcPort) LocalAction(ip net.IP) error { - // After the container sets its DROP rule, we shouldn't be able to connect. - // However, we may succeed in connecting if this runs before the container - // sets the rule. To avoid this race, we retry connecting until - // sendloopDuration has elapsed, ignoring whether the connect succeeds. The - // test works becuase the container will error if a connection is - // established after the rule is set. + // Ensure we cannot connect to the container. for start := time.Now(); time.Since(start) < sendloopDuration; { - connectTCP(ip, acceptPort, sendloopDuration-time.Since(start)) + if err := connectTCP(ip, acceptPort, sendloopDuration-time.Since(start)); err == nil { + return fmt.Errorf("expected not to connect, but was able to connect on port %d", acceptPort) + } } return nil |