summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorKevin Krakauer <krakauer@google.com>2020-03-26 10:46:47 -0700
committergVisor bot <gvisor-bot@google.com>2020-03-26 10:47:51 -0700
commitbc3def43c3c30ccde6577a0af213d13e4fd17e1e (patch)
tree772b694ddbbefcc09e6efeb822fcc490c4aed636
parentc64796748c735af8b304e62d7833648b691d5a72 (diff)
Check error in DropTCP*Port tests and fix comment.
PiperOrigin-RevId: 303147253
-rw-r--r--test/iptables/filter_input.go22
1 files changed, 8 insertions, 14 deletions
diff --git a/test/iptables/filter_input.go b/test/iptables/filter_input.go
index 4ccd4cce7..41e0cfa8d 100644
--- a/test/iptables/filter_input.go
+++ b/test/iptables/filter_input.go
@@ -194,14 +194,11 @@ func (FilterInputDropTCPDestPort) ContainerAction(ip net.IP) error {
// LocalAction implements TestCase.LocalAction.
func (FilterInputDropTCPDestPort) LocalAction(ip net.IP) error {
- // After the container sets its DROP rule, we shouldn't be able to connect.
- // However, we may succeed in connecting if this runs before the container
- // sets the rule. To avoid this race, we retry connecting until
- // sendloopDuration has elapsed, ignoring whether the connect succeeds. The
- // test works becuase the container will error if a connection is
- // established after the rule is set.
+ // Ensure we cannot connect to the container.
for start := time.Now(); time.Since(start) < sendloopDuration; {
- connectTCP(ip, dropPort, sendloopDuration-time.Since(start))
+ if err := connectTCP(ip, dropPort, sendloopDuration-time.Since(start)); err == nil {
+ return fmt.Errorf("expected not to connect, but was able to connect on port %d", dropPort)
+ }
}
return nil
@@ -232,14 +229,11 @@ func (FilterInputDropTCPSrcPort) ContainerAction(ip net.IP) error {
// LocalAction implements TestCase.LocalAction.
func (FilterInputDropTCPSrcPort) LocalAction(ip net.IP) error {
- // After the container sets its DROP rule, we shouldn't be able to connect.
- // However, we may succeed in connecting if this runs before the container
- // sets the rule. To avoid this race, we retry connecting until
- // sendloopDuration has elapsed, ignoring whether the connect succeeds. The
- // test works becuase the container will error if a connection is
- // established after the rule is set.
+ // Ensure we cannot connect to the container.
for start := time.Now(); time.Since(start) < sendloopDuration; {
- connectTCP(ip, acceptPort, sendloopDuration-time.Since(start))
+ if err := connectTCP(ip, acceptPort, sendloopDuration-time.Since(start)); err == nil {
+ return fmt.Errorf("expected not to connect, but was able to connect on port %d", acceptPort)
+ }
}
return nil