author | Toshi Kikuchi <toshik@google.com> | 2021-02-11 14:37:37 -0800 |
committer | gVisor bot <gvisor-bot@google.com> | 2021-02-11 14:39:41 -0800 |
commit | 2129dfff61526879ca6a681e7a498d1e0d9ace34 (patch) | |
tree | 9418ae4b091fb42e02ddf04a77f8922eb7e0ea90 | |
parent | c833eed80a4ceaf9da852ef361dd5f4864eb647d (diff) |
iptables test: Implement testCase interface on pointers
Implementing interfaces on value types causes the interface to be
implemented by both the value type and the pointer type of the
implementer. This complicates type assertion as it requires the
assertion to check for both the pointer type and the value type.
PiperOrigin-RevId: 357061063
-rw-r--r-- | test/iptables/filter_input.go | 286 | ||||
-rw-r--r-- | test/iptables/filter_output.go | 200 | ||||
-rw-r--r-- | test/iptables/iptables.go | 12 | ||||
-rw-r--r-- | test/iptables/iptables_test.go | 134 | ||||
-rw-r--r-- | test/iptables/nat.go | 200 |
5 files changed, 479 insertions, 353 deletions
diff --git a/test/iptables/filter_input.go b/test/iptables/filter_input.go
index c47660026..0f656513e 100644
--- a/test/iptables/filter_input.go
+++ b/test/iptables/filter_input.go
@@ -30,45 +30,47 @@ const ( ) func init() { - RegisterTestCase(FilterInputDropAll{}) - RegisterTestCase(FilterInputDropDifferentUDPPort{}) - RegisterTestCase(FilterInputDropOnlyUDP{}) - RegisterTestCase(FilterInputDropTCPDestPort{}) - RegisterTestCase(FilterInputDropTCPSrcPort{}) - RegisterTestCase(FilterInputDropUDPPort{}) - RegisterTestCase(FilterInputDropUDP{}) - RegisterTestCase(FilterInputCreateUserChain{}) - RegisterTestCase(FilterInputDefaultPolicyAccept{}) - RegisterTestCase(FilterInputDefaultPolicyDrop{}) - RegisterTestCase(FilterInputReturnUnderflow{}) - RegisterTestCase(FilterInputSerializeJump{}) - RegisterTestCase(FilterInputJumpBasic{}) - RegisterTestCase(FilterInputJumpReturn{}) - RegisterTestCase(FilterInputJumpReturnDrop{}) - RegisterTestCase(FilterInputJumpBuiltin{}) - RegisterTestCase(FilterInputJumpTwice{}) - RegisterTestCase(FilterInputDestination{}) - RegisterTestCase(FilterInputInvertDestination{}) - RegisterTestCase(FilterInputSource{}) - RegisterTestCase(FilterInputInvertSource{}) - RegisterTestCase(FilterInputInterfaceAccept{}) - RegisterTestCase(FilterInputInterfaceDrop{}) - RegisterTestCase(FilterInputInterface{}) - RegisterTestCase(FilterInputInterfaceBeginsWith{}) - RegisterTestCase(FilterInputInterfaceInvertDrop{}) - RegisterTestCase(FilterInputInterfaceInvertAccept{}) + RegisterTestCase(&FilterInputDropAll{}) + RegisterTestCase(&FilterInputDropDifferentUDPPort{}) + RegisterTestCase(&FilterInputDropOnlyUDP{}) + RegisterTestCase(&FilterInputDropTCPDestPort{}) + RegisterTestCase(&FilterInputDropTCPSrcPort{}) + RegisterTestCase(&FilterInputDropUDPPort{}) + RegisterTestCase(&FilterInputDropUDP{}) + RegisterTestCase(&FilterInputCreateUserChain{}) + RegisterTestCase(&FilterInputDefaultPolicyAccept{}) + RegisterTestCase(&FilterInputDefaultPolicyDrop{}) + RegisterTestCase(&FilterInputReturnUnderflow{}) + RegisterTestCase(&FilterInputSerializeJump{}) + RegisterTestCase(&FilterInputJumpBasic{}) + RegisterTestCase(&FilterInputJumpReturn{}) + 
RegisterTestCase(&FilterInputJumpReturnDrop{}) + RegisterTestCase(&FilterInputJumpBuiltin{}) + RegisterTestCase(&FilterInputJumpTwice{}) + RegisterTestCase(&FilterInputDestination{}) + RegisterTestCase(&FilterInputInvertDestination{}) + RegisterTestCase(&FilterInputSource{}) + RegisterTestCase(&FilterInputInvertSource{}) + RegisterTestCase(&FilterInputInterfaceAccept{}) + RegisterTestCase(&FilterInputInterfaceDrop{}) + RegisterTestCase(&FilterInputInterface{}) + RegisterTestCase(&FilterInputInterfaceBeginsWith{}) + RegisterTestCase(&FilterInputInterfaceInvertDrop{}) + RegisterTestCase(&FilterInputInterfaceInvertAccept{}) } // FilterInputDropUDP tests that we can drop UDP traffic. type FilterInputDropUDP struct{ containerCase } +var _ TestCase = (*FilterInputDropUDP)(nil) + // Name implements TestCase.Name. -func (FilterInputDropUDP) Name() string { +func (*FilterInputDropUDP) Name() string { return "FilterInputDropUDP" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputDropUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDropUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "INPUT", "-p", "udp", "-j", "DROP"); err != nil { return err } 
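Review bot: The registration list in `init()` omits `FilterInputMultiUDPRules` and `FilterInputRequireProtocolUDP`, even though both types receive a `var _ TestCase = (*T)(nil)` guard in the later hunks of this file (`@@ -296,13 +310,15 @@` and `@@ -321,13 +337,15 @@`). The old list already lacked them, so this looks intentional rather than a regression, but nothing in the file records why, and the new compile-time guards make it easy to assume every guarded type is also registered. A one-line comment on the list, such as `// FilterInputMultiUDPRules and FilterInputRequireProtocolUDP are deliberately not registered here.`, would settle that; if the omission is an oversight, the two `RegisterTestCase(&T{})` calls belong here instead. The `init()` body is complete within the hunk, but the `FilterInputDropUDP.ContainerAction` body at the hunk's end continues outside it.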
@@ -88,20 +90,22 @@ func (FilterInputDropUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 b } // LocalAction implements TestCase.LocalAction. -func (FilterInputDropUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDropUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, dropPort) } // FilterInputDropOnlyUDP tests that "-p udp -j DROP" only affects UDP traffic. type FilterInputDropOnlyUDP struct{ baseCase } +var _ TestCase = (*FilterInputDropOnlyUDP)(nil) + // Name implements TestCase.Name. -func (FilterInputDropOnlyUDP) Name() string { +func (*FilterInputDropOnlyUDP) Name() string { return "FilterInputDropOnlyUDP" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputDropOnlyUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDropOnlyUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "INPUT", "-p", "udp", "-j", "DROP"); err != nil { return err } @@ -115,7 +119,7 @@ func (FilterInputDropOnlyUDP) ContainerAction(ctx context.Context, ip net.IP, ip } // LocalAction implements TestCase.LocalAction. -func (FilterInputDropOnlyUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDropOnlyUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Try to establish a TCP connection with the container, which should // succeed. return connectTCP(ctx, ip, acceptPort) 
@@ -124,13 +128,15 @@ func (FilterInputDropOnlyUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 b // FilterInputDropUDPPort tests that we can drop UDP traffic by port. type FilterInputDropUDPPort struct{ containerCase } +var _ TestCase = (*FilterInputDropUDPPort)(nil) + // Name implements TestCase.Name. -func (FilterInputDropUDPPort) Name() string { +func (*FilterInputDropUDPPort) Name() string { return "FilterInputDropUDPPort" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputDropUDPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDropUDPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "INPUT", "-p", "udp", "-m", "udp", "--destination-port", fmt.Sprintf("%d", dropPort), "-j", "DROP"); err != nil { return err } @@ -150,7 +156,7 @@ func (FilterInputDropUDPPort) ContainerAction(ctx context.Context, ip net.IP, ip } // LocalAction implements TestCase.LocalAction. -func (FilterInputDropUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDropUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, dropPort) } 
@@ -158,13 +164,15 @@ func (FilterInputDropUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 b // doesn't drop packets on other ports. type FilterInputDropDifferentUDPPort struct{ containerCase } +var _ TestCase = (*FilterInputDropDifferentUDPPort)(nil) + // Name implements TestCase.Name. -func (FilterInputDropDifferentUDPPort) Name() string { +func (*FilterInputDropDifferentUDPPort) Name() string { return "FilterInputDropDifferentUDPPort" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputDropDifferentUDPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDropDifferentUDPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "INPUT", "-p", "udp", "-m", "udp", "--destination-port", fmt.Sprintf("%d", dropPort), "-j", "DROP"); err != nil { return err } 
@@ -178,20 +186,22 @@ func (FilterInputDropDifferentUDPPort) ContainerAction(ctx context.Context, ip n } // LocalAction implements TestCase.LocalAction. -func (FilterInputDropDifferentUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDropDifferentUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } // FilterInputDropTCPDestPort tests that connections are not accepted on specified source ports. type FilterInputDropTCPDestPort struct{ baseCase } +var _ TestCase = (*FilterInputDropTCPDestPort)(nil) + // Name implements TestCase.Name. -func (FilterInputDropTCPDestPort) Name() string { +func (*FilterInputDropTCPDestPort) Name() string { return "FilterInputDropTCPDestPort" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputDropTCPDestPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDropTCPDestPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "INPUT", "-p", "tcp", "-m", "tcp", "--dport", fmt.Sprintf("%d", dropPort), "-j", "DROP"); err != nil { return err } @@ -209,7 +219,7 @@ func (FilterInputDropTCPDestPort) ContainerAction(ctx context.Context, ip net.IP } // LocalAction implements TestCase.LocalAction. -func (FilterInputDropTCPDestPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDropTCPDestPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Ensure we cannot connect to the container. timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() 
@@ -222,13 +232,15 @@ func (FilterInputDropTCPDestPort) LocalAction(ctx context.Context, ip net.IP, ip // FilterInputDropTCPSrcPort tests that connections are not accepted on specified source ports. type FilterInputDropTCPSrcPort struct{ baseCase } +var _ TestCase = (*FilterInputDropTCPSrcPort)(nil) + // Name implements TestCase.Name. -func (FilterInputDropTCPSrcPort) Name() string { +func (*FilterInputDropTCPSrcPort) Name() string { return "FilterInputDropTCPSrcPort" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputDropTCPSrcPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDropTCPSrcPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Drop anything from an ephemeral port. if err := filterTable(ipv6, "-A", "INPUT", "-p", "tcp", "-m", "tcp", "--sport", "1024:65535", "-j", "DROP"); err != nil { return err @@ -247,7 +259,7 @@ func (FilterInputDropTCPSrcPort) ContainerAction(ctx context.Context, ip net.IP, } // LocalAction implements TestCase.LocalAction. -func (FilterInputDropTCPSrcPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDropTCPSrcPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Ensure we cannot connect to the container. timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() 
@@ -260,13 +272,15 @@ func (FilterInputDropTCPSrcPort) LocalAction(ctx context.Context, ip net.IP, ipv // FilterInputDropAll tests that we can drop all traffic to the INPUT chain. type FilterInputDropAll struct{ containerCase } +var _ TestCase = (*FilterInputDropAll)(nil) + // Name implements TestCase.Name. -func (FilterInputDropAll) Name() string { +func (*FilterInputDropAll) Name() string { return "FilterInputDropAll" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputDropAll) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDropAll) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "INPUT", "-j", "DROP"); err != nil { return err } @@ -286,7 +300,7 @@ func (FilterInputDropAll) ContainerAction(ctx context.Context, ip net.IP, ipv6 b } // LocalAction implements TestCase.LocalAction. -func (FilterInputDropAll) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDropAll) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, dropPort) } 
@@ -296,13 +310,15 @@ func (FilterInputDropAll) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) // misunderstand and save the wrong tables. type FilterInputMultiUDPRules struct{ baseCase } +var _ TestCase = (*FilterInputMultiUDPRules)(nil) + // Name implements TestCase.Name. -func (FilterInputMultiUDPRules) Name() string { +func (*FilterInputMultiUDPRules) Name() string { return "FilterInputMultiUDPRules" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputMultiUDPRules) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputMultiUDPRules) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { rules := [][]string{ {"-A", "INPUT", "-p", "udp", "-m", "udp", "--destination-port", fmt.Sprintf("%d", dropPort), "-j", "DROP"}, {"-A", "INPUT", "-p", "udp", "-m", "udp", "--destination-port", fmt.Sprintf("%d", acceptPort), "-j", "ACCEPT"}, @@ -312,7 +328,7 @@ func (FilterInputMultiUDPRules) ContainerAction(ctx context.Context, ip net.IP, } // LocalAction implements TestCase.LocalAction. -func (FilterInputMultiUDPRules) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputMultiUDPRules) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // No-op. return nil } 
@@ -321,13 +337,15 @@ func (FilterInputMultiUDPRules) LocalAction(ctx context.Context, ip net.IP, ipv6 // specified. type FilterInputRequireProtocolUDP struct{ baseCase } +var _ TestCase = (*FilterInputRequireProtocolUDP)(nil) + // Name implements TestCase.Name. -func (FilterInputRequireProtocolUDP) Name() string { +func (*FilterInputRequireProtocolUDP) Name() string { return "FilterInputRequireProtocolUDP" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputRequireProtocolUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputRequireProtocolUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "INPUT", "-m", "udp", "--destination-port", fmt.Sprintf("%d", dropPort), "-j", "DROP"); err == nil { return errors.New("expected iptables to fail with out \"-p udp\", but succeeded") } @@ -335,7 +353,7 @@ func (FilterInputRequireProtocolUDP) ContainerAction(ctx context.Context, ip net } // LocalAction implements TestCase.LocalAction. -func (FilterInputRequireProtocolUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputRequireProtocolUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // No-op. return nil } 
@@ -343,13 +361,15 @@ func (FilterInputRequireProtocolUDP) LocalAction(ctx context.Context, ip net.IP, // FilterInputCreateUserChain tests chain creation. type FilterInputCreateUserChain struct{ baseCase } +var _ TestCase = (*FilterInputCreateUserChain)(nil) + // Name implements TestCase.Name. -func (FilterInputCreateUserChain) Name() string { +func (*FilterInputCreateUserChain) Name() string { return "FilterInputCreateUserChain" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputCreateUserChain) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputCreateUserChain) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { rules := [][]string{ // Create a chain. {"-N", chainName}, @@ -360,7 +380,7 @@ func (FilterInputCreateUserChain) ContainerAction(ctx context.Context, ip net.IP } // LocalAction implements TestCase.LocalAction. -func (FilterInputCreateUserChain) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputCreateUserChain) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // No-op. return nil } 
@@ -368,13 +388,15 @@ func (FilterInputCreateUserChain) LocalAction(ctx context.Context, ip net.IP, ip // FilterInputDefaultPolicyAccept tests the default ACCEPT policy. type FilterInputDefaultPolicyAccept struct{ containerCase } +var _ TestCase = (*FilterInputDefaultPolicyAccept)(nil) + // Name implements TestCase.Name. -func (FilterInputDefaultPolicyAccept) Name() string { +func (*FilterInputDefaultPolicyAccept) Name() string { return "FilterInputDefaultPolicyAccept" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputDefaultPolicyAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDefaultPolicyAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Set the default policy to accept, then receive a packet. if err := filterTable(ipv6, "-P", "INPUT", "ACCEPT"); err != nil { return err @@ -383,20 +405,22 @@ func (FilterInputDefaultPolicyAccept) ContainerAction(ctx context.Context, ip ne } // LocalAction implements TestCase.LocalAction. -func (FilterInputDefaultPolicyAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDefaultPolicyAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } // FilterInputDefaultPolicyDrop tests the default DROP policy. type FilterInputDefaultPolicyDrop struct{ containerCase } +var _ TestCase = (*FilterInputDefaultPolicyDrop)(nil) + // Name implements TestCase.Name. -func (FilterInputDefaultPolicyDrop) Name() string { +func (*FilterInputDefaultPolicyDrop) Name() string { return "FilterInputDefaultPolicyDrop" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputDefaultPolicyDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDefaultPolicyDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-P", "INPUT", "DROP"); err != nil { return err } 
@@ -416,7 +440,7 @@ func (FilterInputDefaultPolicyDrop) ContainerAction(ctx context.Context, ip net. } // LocalAction implements TestCase.LocalAction. -func (FilterInputDefaultPolicyDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDefaultPolicyDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } @@ -424,13 +448,15 @@ func (FilterInputDefaultPolicyDrop) LocalAction(ctx context.Context, ip net.IP, // the underflow rule (i.e. default policy) to be executed. type FilterInputReturnUnderflow struct{ containerCase } +var _ TestCase = (*FilterInputReturnUnderflow)(nil) + // Name implements TestCase.Name. -func (FilterInputReturnUnderflow) Name() string { +func (*FilterInputReturnUnderflow) Name() string { return "FilterInputReturnUnderflow" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputReturnUnderflow) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputReturnUnderflow) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Add a RETURN rule followed by an unconditional accept, and set the // default policy to DROP. rules := [][]string{ 
@@ -448,20 +474,22 @@ func (FilterInputReturnUnderflow) ContainerAction(ctx context.Context, ip net.IP } // LocalAction implements TestCase.LocalAction. -func (FilterInputReturnUnderflow) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputReturnUnderflow) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } // FilterInputSerializeJump verifies that we can serialize jumps. type FilterInputSerializeJump struct{ baseCase } +var _ TestCase = (*FilterInputSerializeJump)(nil) + // Name implements TestCase.Name. -func (FilterInputSerializeJump) Name() string { +func (*FilterInputSerializeJump) Name() string { return "FilterInputSerializeJump" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputSerializeJump) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputSerializeJump) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Write a JUMP rule, the serialize it with `-L`. rules := [][]string{ {"-N", chainName}, @@ -472,7 +500,7 @@ func (FilterInputSerializeJump) ContainerAction(ctx context.Context, ip net.IP, } // LocalAction implements TestCase.LocalAction. -func (FilterInputSerializeJump) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputSerializeJump) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // No-op. return nil } 
@@ -480,13 +508,15 @@ func (FilterInputSerializeJump) LocalAction(ctx context.Context, ip net.IP, ipv6 // FilterInputJumpBasic jumps to a chain and executes a rule there. type FilterInputJumpBasic struct{ containerCase } +var _ TestCase = (*FilterInputJumpBasic)(nil) + // Name implements TestCase.Name. -func (FilterInputJumpBasic) Name() string { +func (*FilterInputJumpBasic) Name() string { return "FilterInputJumpBasic" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputJumpBasic) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputJumpBasic) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { rules := [][]string{ {"-P", "INPUT", "DROP"}, {"-N", chainName}, @@ -502,20 +532,22 @@ func (FilterInputJumpBasic) ContainerAction(ctx context.Context, ip net.IP, ipv6 } // LocalAction implements TestCase.LocalAction. -func (FilterInputJumpBasic) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputJumpBasic) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } // FilterInputJumpReturn jumps, returns, and executes a rule. type FilterInputJumpReturn struct{ containerCase } +var _ TestCase = (*FilterInputJumpReturn)(nil) + // Name implements TestCase.Name. -func (FilterInputJumpReturn) Name() string { +func (*FilterInputJumpReturn) Name() string { return "FilterInputJumpReturn" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputJumpReturn) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputJumpReturn) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { rules := [][]string{ {"-N", chainName}, {"-P", "INPUT", "ACCEPT"}, 
@@ -532,20 +564,22 @@ func (FilterInputJumpReturn) ContainerAction(ctx context.Context, ip net.IP, ipv } // LocalAction implements TestCase.LocalAction. -func (FilterInputJumpReturn) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputJumpReturn) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } // FilterInputJumpReturnDrop jumps to a chain, returns, and DROPs packets. type FilterInputJumpReturnDrop struct{ containerCase } +var _ TestCase = (*FilterInputJumpReturnDrop)(nil) + // Name implements TestCase.Name. -func (FilterInputJumpReturnDrop) Name() string { +func (*FilterInputJumpReturnDrop) Name() string { return "FilterInputJumpReturnDrop" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputJumpReturnDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputJumpReturnDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { rules := [][]string{ {"-N", chainName}, {"-A", "INPUT", "-j", chainName}, 
@@ -571,20 +605,22 @@ func (FilterInputJumpReturnDrop) ContainerAction(ctx context.Context, ip net.IP, } // LocalAction implements TestCase.LocalAction. -func (FilterInputJumpReturnDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputJumpReturnDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, dropPort) } // FilterInputJumpBuiltin verifies that jumping to a top-levl chain is illegal. type FilterInputJumpBuiltin struct{ baseCase } +var _ TestCase = (*FilterInputJumpBuiltin)(nil) + // Name implements TestCase.Name. -func (FilterInputJumpBuiltin) Name() string { +func (*FilterInputJumpBuiltin) Name() string { return "FilterInputJumpBuiltin" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputJumpBuiltin) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputJumpBuiltin) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "INPUT", "-j", "OUTPUT"); err == nil { return fmt.Errorf("iptables should be unable to jump to a built-in chain") } @@ -592,7 +628,7 @@ func (FilterInputJumpBuiltin) ContainerAction(ctx context.Context, ip net.IP, ip } // LocalAction implements TestCase.LocalAction. -func (FilterInputJumpBuiltin) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputJumpBuiltin) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // No-op. return nil } 
@@ -600,13 +636,15 @@ func (FilterInputJumpBuiltin) LocalAction(ctx context.Context, ip net.IP, ipv6 b // FilterInputJumpTwice jumps twice, then returns twice and executes a rule. type FilterInputJumpTwice struct{ containerCase } +var _ TestCase = (*FilterInputJumpTwice)(nil) + // Name implements TestCase.Name. -func (FilterInputJumpTwice) Name() string { +func (*FilterInputJumpTwice) Name() string { return "FilterInputJumpTwice" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputJumpTwice) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputJumpTwice) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { const chainName2 = chainName + "2" rules := [][]string{ {"-P", "INPUT", "DROP"}, @@ -626,7 +664,7 @@ func (FilterInputJumpTwice) ContainerAction(ctx context.Context, ip net.IP, ipv6 } // LocalAction implements TestCase.LocalAction. -func (FilterInputJumpTwice) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputJumpTwice) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } @@ -634,13 +672,15 @@ func (FilterInputJumpTwice) LocalAction(ctx context.Context, ip net.IP, ipv6 boo // <ipaddr>`. type FilterInputDestination struct{ containerCase } +var _ TestCase = (*FilterInputDestination)(nil) + // Name implements TestCase.Name. -func (FilterInputDestination) Name() string { +func (*FilterInputDestination) Name() string { return "FilterInputDestination" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputDestination) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDestination) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { addrs, err := localAddrs(ipv6) if err != nil { return err 
@@ -660,7 +700,7 @@ func (FilterInputDestination) ContainerAction(ctx context.Context, ip net.IP, ip } // LocalAction implements TestCase.LocalAction. -func (FilterInputDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } @@ -668,13 +708,15 @@ func (FilterInputDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 b // <ipaddr>`. type FilterInputInvertDestination struct{ containerCase } +var _ TestCase = (*FilterInputInvertDestination)(nil) + // Name implements TestCase.Name. -func (FilterInputInvertDestination) Name() string { +func (*FilterInputInvertDestination) Name() string { return "FilterInputInvertDestination" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputInvertDestination) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInvertDestination) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Make INPUT's default action DROP, then ACCEPT all packets not bound // for 127.0.0.1. rules := [][]string{ @@ -689,7 +731,7 @@ func (FilterInputInvertDestination) ContainerAction(ctx context.Context, ip net. } // LocalAction implements TestCase.LocalAction. -func (FilterInputInvertDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInvertDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } 
@@ -697,13 +739,15 @@ func (FilterInputInvertDestination) LocalAction(ctx context.Context, ip net.IP, // <ipaddr>`. type FilterInputSource struct{ containerCase } +var _ TestCase = (*FilterInputSource)(nil) + // Name implements TestCase.Name. -func (FilterInputSource) Name() string { +func (*FilterInputSource) Name() string { return "FilterInputSource" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputSource) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputSource) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Make INPUT's default action DROP, then ACCEPT all packets from this // machine. rules := [][]string{ @@ -718,7 +762,7 @@ func (FilterInputSource) ContainerAction(ctx context.Context, ip net.IP, ipv6 bo } // LocalAction implements TestCase.LocalAction. -func (FilterInputSource) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputSource) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } @@ -726,13 +770,15 @@ func (FilterInputSource) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) // <ipaddr>`. type FilterInputInvertSource struct{ containerCase } +var _ TestCase = (*FilterInputInvertSource)(nil) + // Name implements TestCase.Name. -func (FilterInputInvertSource) Name() string { +func (*FilterInputInvertSource) Name() string { return "FilterInputInvertSource" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputInvertSource) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInvertSource) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Make INPUT's default action DROP, then ACCEPT all packets not bound // for 127.0.0.1. rules := [][]string{ 
@@ -747,7 +793,7 @@ func (FilterInputInvertSource) ContainerAction(ctx context.Context, ip net.IP, i } // LocalAction implements TestCase.LocalAction. -func (FilterInputInvertSource) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInvertSource) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } @@ -755,15 +801,15 @@ func (FilterInputInvertSource) LocalAction(ctx context.Context, ip net.IP, ipv6 // matching the iptables rule. type FilterInputInterfaceAccept struct{ localCase } -var _ TestCase = FilterInputInterfaceAccept{} +var _ TestCase = (*FilterInputInterfaceAccept)(nil) // Name implements TestCase.Name. -func (FilterInputInterfaceAccept) Name() string { +func (*FilterInputInterfaceAccept) Name() string { return "FilterInputInterfaceAccept" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputInterfaceAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInterfaceAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { ifname, ok := getInterfaceName() if !ok { return fmt.Errorf("no interface is present, except loopback") @@ -779,7 +825,7 @@ func (FilterInputInterfaceAccept) ContainerAction(ctx context.Context, ip net.IP } // LocalAction implements TestCase.LocalAction. -func (FilterInputInterfaceAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInterfaceAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } 
@@ -787,15 +833,15 @@ func (FilterInputInterfaceAccept) LocalAction(ctx context.Context, ip net.IP, ip // matching the iptables rule. type FilterInputInterfaceDrop struct{ localCase } -var _ TestCase = FilterInputInterfaceDrop{} +var _ TestCase = (*FilterInputInterfaceDrop)(nil) // Name implements TestCase.Name. -func (FilterInputInterfaceDrop) Name() string { +func (*FilterInputInterfaceDrop) Name() string { return "FilterInputInterfaceDrop" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputInterfaceDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInterfaceDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { ifname, ok := getInterfaceName() if !ok { return fmt.Errorf("no interface is present, except loopback") @@ -815,7 +861,7 @@ func (FilterInputInterfaceDrop) ContainerAction(ctx context.Context, ip net.IP, } // LocalAction implements TestCase.LocalAction. -func (FilterInputInterfaceDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInterfaceDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } 
@@ -823,15 +869,15 @@ func (FilterInputInterfaceDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 // is not matching the interface name in the iptables rule. type FilterInputInterface struct{ localCase } -var _ TestCase = FilterInputInterface{} +var _ TestCase = (*FilterInputInterface)(nil) // Name implements TestCase.Name. -func (FilterInputInterface) Name() string { +func (*FilterInputInterface) Name() string { return "FilterInputInterface" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputInterface) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInterface) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "INPUT", "-p", "udp", "-i", "lo", "-j", "DROP"); err != nil { return err } @@ -842,7 +888,7 @@ func (FilterInputInterface) ContainerAction(ctx context.Context, ip net.IP, ipv6 } // LocalAction implements TestCase.LocalAction. -func (FilterInputInterface) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInterface) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } 
@@ -850,15 +896,15 @@ func (FilterInputInterface) LocalAction(ctx context.Context, ip net.IP, ipv6 boo // interface which begins with the given interface name. type FilterInputInterfaceBeginsWith struct{ localCase } -var _ TestCase = FilterInputInterfaceBeginsWith{} +var _ TestCase = (*FilterInputInterfaceBeginsWith)(nil) // Name implements TestCase.Name. -func (FilterInputInterfaceBeginsWith) Name() string { +func (*FilterInputInterfaceBeginsWith) Name() string { return "FilterInputInterfaceBeginsWith" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputInterfaceBeginsWith) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInterfaceBeginsWith) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "INPUT", "-p", "udp", "-i", "e+", "-j", "DROP"); err != nil { return err } @@ -874,7 +920,7 @@ func (FilterInputInterfaceBeginsWith) ContainerAction(ctx context.Context, ip ne } // LocalAction implements TestCase.LocalAction. -func (FilterInputInterfaceBeginsWith) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInterfaceBeginsWith) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } 
@@ -882,15 +928,15 @@ func (FilterInputInterfaceBeginsWith) LocalAction(ctx context.Context, ip net.IP // interface not matching the interface name. type FilterInputInterfaceInvertDrop struct{ baseCase } -var _ TestCase = FilterInputInterfaceInvertDrop{} +var _ TestCase = (*FilterInputInterfaceInvertDrop)(nil) // Name implements TestCase.Name. -func (FilterInputInterfaceInvertDrop) Name() string { +func (*FilterInputInterfaceInvertDrop) Name() string { return "FilterInputInterfaceInvertDrop" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputInterfaceInvertDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInterfaceInvertDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "INPUT", "-p", "tcp", "!", "-i", "lo", "-j", "DROP"); err != nil { return err } @@ -906,7 +952,7 @@ func (FilterInputInterfaceInvertDrop) ContainerAction(ctx context.Context, ip ne } // LocalAction implements TestCase.LocalAction. -func (FilterInputInterfaceInvertDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInterfaceInvertDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() if err := connectTCP(timedCtx, ip, acceptPort); err != nil { 
@@ -923,15 +969,15 @@ func (FilterInputInterfaceInvertDrop) LocalAction(ctx context.Context, ip net.IP // not matching the specific incoming interface. type FilterInputInterfaceInvertAccept struct{ baseCase } -var _ TestCase = FilterInputInterfaceInvertAccept{} +var _ TestCase = (*FilterInputInterfaceInvertAccept)(nil) // Name implements TestCase.Name. -func (FilterInputInterfaceInvertAccept) Name() string { +func (*FilterInputInterfaceInvertAccept) Name() string { return "FilterInputInterfaceInvertAccept" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputInterfaceInvertAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInterfaceInvertAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "INPUT", "-p", "tcp", "!", "-i", "lo", "-j", "ACCEPT"); err != nil { return err } @@ -939,6 +985,6 @@ func (FilterInputInterfaceInvertAccept) ContainerAction(ctx context.Context, ip } // LocalAction implements TestCase.LocalAction. -func (FilterInputInterfaceInvertAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInterfaceInvertAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return connectTCP(ctx, ip, acceptPort) } diff --git a/test/iptables/filter_output.go b/test/iptables/filter_output.go index f4af45e96..590d234bb 100644 --- a/test/iptables/filter_output.go +++ b/test/iptables/filter_output.go 
@@ -22,39 +22,41 @@ import ( ) func init() { - RegisterTestCase(FilterOutputDropTCPDestPort{}) - RegisterTestCase(FilterOutputDropTCPSrcPort{}) - RegisterTestCase(FilterOutputDestination{}) - RegisterTestCase(FilterOutputInvertDestination{}) - RegisterTestCase(FilterOutputAcceptTCPOwner{}) - RegisterTestCase(FilterOutputDropTCPOwner{}) - RegisterTestCase(FilterOutputAcceptUDPOwner{}) - RegisterTestCase(FilterOutputDropUDPOwner{}) - RegisterTestCase(FilterOutputOwnerFail{}) - RegisterTestCase(FilterOutputAcceptGIDOwner{}) - RegisterTestCase(FilterOutputDropGIDOwner{}) - RegisterTestCase(FilterOutputInvertGIDOwner{}) - RegisterTestCase(FilterOutputInvertUIDOwner{}) - RegisterTestCase(FilterOutputInvertUIDAndGIDOwner{}) - RegisterTestCase(FilterOutputInterfaceAccept{}) - RegisterTestCase(FilterOutputInterfaceDrop{}) - RegisterTestCase(FilterOutputInterface{}) - RegisterTestCase(FilterOutputInterfaceBeginsWith{}) - RegisterTestCase(FilterOutputInterfaceInvertDrop{}) - RegisterTestCase(FilterOutputInterfaceInvertAccept{}) + RegisterTestCase(&FilterOutputDropTCPDestPort{}) + RegisterTestCase(&FilterOutputDropTCPSrcPort{}) + RegisterTestCase(&FilterOutputDestination{}) + RegisterTestCase(&FilterOutputInvertDestination{}) + RegisterTestCase(&FilterOutputAcceptTCPOwner{}) + RegisterTestCase(&FilterOutputDropTCPOwner{}) + RegisterTestCase(&FilterOutputAcceptUDPOwner{}) + RegisterTestCase(&FilterOutputDropUDPOwner{}) + RegisterTestCase(&FilterOutputOwnerFail{}) + RegisterTestCase(&FilterOutputAcceptGIDOwner{}) + RegisterTestCase(&FilterOutputDropGIDOwner{}) + RegisterTestCase(&FilterOutputInvertGIDOwner{}) + RegisterTestCase(&FilterOutputInvertUIDOwner{}) + RegisterTestCase(&FilterOutputInvertUIDAndGIDOwner{}) + RegisterTestCase(&FilterOutputInterfaceAccept{}) + RegisterTestCase(&FilterOutputInterfaceDrop{}) + RegisterTestCase(&FilterOutputInterface{}) + RegisterTestCase(&FilterOutputInterfaceBeginsWith{}) + RegisterTestCase(&FilterOutputInterfaceInvertDrop{}) + 
RegisterTestCase(&FilterOutputInterfaceInvertAccept{}) } // FilterOutputDropTCPDestPort tests that connections are not accepted on // specified source ports. type FilterOutputDropTCPDestPort struct{ baseCase } +var _ TestCase = (*FilterOutputDropTCPDestPort)(nil) + // Name implements TestCase.Name. -func (FilterOutputDropTCPDestPort) Name() string { +func (*FilterOutputDropTCPDestPort) Name() string { return "FilterOutputDropTCPDestPort" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputDropTCPDestPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputDropTCPDestPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "tcp", "-m", "tcp", "--dport", "1024:65535", "-j", "DROP"); err != nil { return err } @@ -72,7 +74,7 @@ func (FilterOutputDropTCPDestPort) ContainerAction(ctx context.Context, ip net.I } // LocalAction implements TestCase.LocalAction. -func (FilterOutputDropTCPDestPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputDropTCPDestPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() if err := connectTCP(timedCtx, ip, acceptPort); err == nil { 
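Review bot: The doc comment on `FilterOutputDropTCPDestPort` carried through this hunk still says the test covers "specified source ports", but the rule it installs in `ContainerAction` matches `--dport 1024:65535`, so the comment describes the sibling `FilterOutputDropTCPSrcPort` case rather than this one. Since the commit already touches every line of this type's declaration block, it is a good moment to fix the copy-paste: `// specified destination ports.` in place of `// specified source ports.` on the second comment line. The rest of `ContainerAction` continues outside this hunk.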
@@ -86,13 +88,15 @@ func (FilterOutputDropTCPDestPort) LocalAction(ctx context.Context, ip net.IP, i // specified source ports. type FilterOutputDropTCPSrcPort struct{ baseCase } +var _ TestCase = (*FilterOutputDropTCPSrcPort)(nil) + // Name implements TestCase.Name. -func (FilterOutputDropTCPSrcPort) Name() string { +func (*FilterOutputDropTCPSrcPort) Name() string { return "FilterOutputDropTCPSrcPort" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputDropTCPSrcPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputDropTCPSrcPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "tcp", "-m", "tcp", "--sport", fmt.Sprintf("%d", dropPort), "-j", "DROP"); err != nil { return err } @@ -110,7 +114,7 @@ func (FilterOutputDropTCPSrcPort) ContainerAction(ctx context.Context, ip net.IP } // LocalAction implements TestCase.LocalAction. -func (FilterOutputDropTCPSrcPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputDropTCPSrcPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() if err := connectTCP(timedCtx, ip, dropPort); err == nil { 
@@ -123,13 +127,15 @@ func (FilterOutputDropTCPSrcPort) LocalAction(ctx context.Context, ip net.IP, ip // FilterOutputAcceptTCPOwner tests that TCP connections from uid owner are accepted. type FilterOutputAcceptTCPOwner struct{ baseCase } +var _ TestCase = (*FilterOutputAcceptTCPOwner)(nil) + // Name implements TestCase.Name. -func (FilterOutputAcceptTCPOwner) Name() string { +func (*FilterOutputAcceptTCPOwner) Name() string { return "FilterOutputAcceptTCPOwner" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputAcceptTCPOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputAcceptTCPOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "tcp", "-m", "owner", "--uid-owner", "root", "-j", "ACCEPT"); err != nil { return err } 
@@ -139,20 +145,22 @@ func (FilterOutputAcceptTCPOwner) ContainerAction(ctx context.Context, ip net.IP } // LocalAction implements TestCase.LocalAction. -func (FilterOutputAcceptTCPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputAcceptTCPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return connectTCP(ctx, ip, acceptPort) } // FilterOutputDropTCPOwner tests that TCP connections from uid owner are dropped. type FilterOutputDropTCPOwner struct{ baseCase } +var _ TestCase = (*FilterOutputDropTCPOwner)(nil) + // Name implements TestCase.Name. -func (FilterOutputDropTCPOwner) Name() string { +func (*FilterOutputDropTCPOwner) Name() string { return "FilterOutputDropTCPOwner" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputDropTCPOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputDropTCPOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "tcp", "-m", "owner", "--uid-owner", "root", "-j", "DROP"); err != nil { return err } @@ -170,7 +178,7 @@ func (FilterOutputDropTCPOwner) ContainerAction(ctx context.Context, ip net.IP, } // LocalAction implements TestCase.LocalAction. -func (FilterOutputDropTCPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputDropTCPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() if err := connectTCP(timedCtx, ip, acceptPort); err == nil { 
@@ -183,13 +191,15 @@ func (FilterOutputDropTCPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 // FilterOutputAcceptUDPOwner tests that UDP packets from uid owner are accepted. type FilterOutputAcceptUDPOwner struct{ localCase } +var _ TestCase = (*FilterOutputAcceptUDPOwner)(nil) + // Name implements TestCase.Name. -func (FilterOutputAcceptUDPOwner) Name() string { +func (*FilterOutputAcceptUDPOwner) Name() string { return "FilterOutputAcceptUDPOwner" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputAcceptUDPOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputAcceptUDPOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "udp", "-m", "owner", "--uid-owner", "root", "-j", "ACCEPT"); err != nil { return err } @@ -199,7 +209,7 @@ func (FilterOutputAcceptUDPOwner) ContainerAction(ctx context.Context, ip net.IP } // LocalAction implements TestCase.LocalAction. -func (FilterOutputAcceptUDPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputAcceptUDPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Listen for UDP packets on acceptPort. return listenUDP(ctx, acceptPort) } 
@@ -207,13 +217,15 @@ func (FilterOutputAcceptUDPOwner) LocalAction(ctx context.Context, ip net.IP, ip // FilterOutputDropUDPOwner tests that UDP packets from uid owner are dropped. type FilterOutputDropUDPOwner struct{ localCase } +var _ TestCase = (*FilterOutputDropUDPOwner)(nil) + // Name implements TestCase.Name. -func (FilterOutputDropUDPOwner) Name() string { +func (*FilterOutputDropUDPOwner) Name() string { return "FilterOutputDropUDPOwner" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputDropUDPOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputDropUDPOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "udp", "-m", "owner", "--uid-owner", "root", "-j", "DROP"); err != nil { return err } @@ -223,7 +235,7 @@ func (FilterOutputDropUDPOwner) ContainerAction(ctx context.Context, ip net.IP, } // LocalAction implements TestCase.LocalAction. -func (FilterOutputDropUDPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputDropUDPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Listen for UDP packets on dropPort. timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() 
@@ -240,13 +252,15 @@ func (FilterOutputDropUDPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 // will fail. type FilterOutputOwnerFail struct{ baseCase } +var _ TestCase = (*FilterOutputOwnerFail)(nil) + // Name implements TestCase.Name. -func (FilterOutputOwnerFail) Name() string { +func (*FilterOutputOwnerFail) Name() string { return "FilterOutputOwnerFail" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputOwnerFail) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputOwnerFail) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "udp", "-m", "owner", "-j", "ACCEPT"); err == nil { return fmt.Errorf("invalid argument") } @@ -255,7 +269,7 @@ func (FilterOutputOwnerFail) ContainerAction(ctx context.Context, ip net.IP, ipv } // LocalAction implements TestCase.LocalAction. -func (FilterOutputOwnerFail) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputOwnerFail) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // no-op. return nil } @@ -263,13 +277,15 @@ func (FilterOutputOwnerFail) LocalAction(ctx context.Context, ip net.IP, ipv6 bo // FilterOutputAcceptGIDOwner tests that TCP connections from gid owner are accepted. type FilterOutputAcceptGIDOwner struct{ baseCase } +var _ TestCase = (*FilterOutputAcceptGIDOwner)(nil) + // Name implements TestCase.Name. -func (FilterOutputAcceptGIDOwner) Name() string { +func (*FilterOutputAcceptGIDOwner) Name() string { return "FilterOutputAcceptGIDOwner" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputAcceptGIDOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputAcceptGIDOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "tcp", "-m", "owner", "--gid-owner", "root", "-j", "ACCEPT"); err != nil { return err } 
@@ -279,20 +295,22 @@ func (FilterOutputAcceptGIDOwner) ContainerAction(ctx context.Context, ip net.IP } // LocalAction implements TestCase.LocalAction. -func (FilterOutputAcceptGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputAcceptGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return connectTCP(ctx, ip, acceptPort) } // FilterOutputDropGIDOwner tests that TCP connections from gid owner are dropped. type FilterOutputDropGIDOwner struct{ baseCase } +var _ TestCase = (*FilterOutputDropGIDOwner)(nil) + // Name implements TestCase.Name. -func (FilterOutputDropGIDOwner) Name() string { +func (*FilterOutputDropGIDOwner) Name() string { return "FilterOutputDropGIDOwner" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputDropGIDOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputDropGIDOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "tcp", "-m", "owner", "--gid-owner", "root", "-j", "DROP"); err != nil { return err } @@ -310,7 +328,7 @@ func (FilterOutputDropGIDOwner) ContainerAction(ctx context.Context, ip net.IP, } // LocalAction implements TestCase.LocalAction. -func (FilterOutputDropGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputDropGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() if err := connectTCP(timedCtx, ip, acceptPort); err == nil { 
@@ -323,13 +341,15 @@ func (FilterOutputDropGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 // FilterOutputInvertGIDOwner tests that TCP connections from gid owner are dropped. type FilterOutputInvertGIDOwner struct{ baseCase } +var _ TestCase = (*FilterOutputInvertGIDOwner)(nil) + // Name implements TestCase.Name. -func (FilterOutputInvertGIDOwner) Name() string { +func (*FilterOutputInvertGIDOwner) Name() string { return "FilterOutputInvertGIDOwner" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputInvertGIDOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInvertGIDOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { rules := [][]string{ {"-A", "OUTPUT", "-p", "tcp", "-m", "owner", "!", "--gid-owner", "root", "-j", "ACCEPT"}, {"-A", "OUTPUT", "-p", "tcp", "-j", "DROP"}, @@ -351,7 +371,7 @@ func (FilterOutputInvertGIDOwner) ContainerAction(ctx context.Context, ip net.IP } // LocalAction implements TestCase.LocalAction. -func (FilterOutputInvertGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInvertGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() if err := connectTCP(timedCtx, ip, acceptPort); err == nil { 
@@ -364,13 +384,15 @@ func (FilterOutputInvertGIDOwner) LocalAction(ctx context.Context, ip net.IP, ip // FilterOutputInvertUIDOwner tests that TCP connections from gid owner are dropped. type FilterOutputInvertUIDOwner struct{ baseCase } +var _ TestCase = (*FilterOutputInvertUIDOwner)(nil) + // Name implements TestCase.Name. -func (FilterOutputInvertUIDOwner) Name() string { +func (*FilterOutputInvertUIDOwner) Name() string { return "FilterOutputInvertUIDOwner" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputInvertUIDOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInvertUIDOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { rules := [][]string{ {"-A", "OUTPUT", "-p", "tcp", "-m", "owner", "!", "--uid-owner", "root", "-j", "DROP"}, {"-A", "OUTPUT", "-p", "tcp", "-j", "ACCEPT"}, @@ -384,7 +406,7 @@ func (FilterOutputInvertUIDOwner) ContainerAction(ctx context.Context, ip net.IP } // LocalAction implements TestCase.LocalAction. -func (FilterOutputInvertUIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInvertUIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return connectTCP(ctx, ip, acceptPort) } 
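Review bot: The doc comment on `FilterOutputInvertUIDOwner` kept as context in this hunk ("tests that TCP connections from gid owner are dropped") contradicts the code beneath it: the rules drop traffic that is `!` `--uid-owner root` and `ACCEPT` everything else, and `LocalAction` in the following hunk returns `connectTCP(ctx, ip, acceptPort)` directly, i.e. it expects the connection to succeed. The text appears to have been copied from `FilterOutputInvertGIDOwner`. I would replace it with `// FilterOutputInvertUIDOwner tests that TCP connections from the uid owner are accepted while connections from any other uid are dropped.` The end of `ContainerAction` (the loop applying `rules`) lies outside the hunk.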
@@ -392,13 +414,15 @@ func (FilterOutputInvertUIDOwner) LocalAction(ctx context.Context, ip net.IP, ip // owner are dropped. type FilterOutputInvertUIDAndGIDOwner struct{ baseCase } +var _ TestCase = (*FilterOutputInvertUIDAndGIDOwner)(nil) + // Name implements TestCase.Name. -func (FilterOutputInvertUIDAndGIDOwner) Name() string { +func (*FilterOutputInvertUIDAndGIDOwner) Name() string { return "FilterOutputInvertUIDAndGIDOwner" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputInvertUIDAndGIDOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInvertUIDAndGIDOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { rules := [][]string{ {"-A", "OUTPUT", "-p", "tcp", "-m", "owner", "!", "--uid-owner", "root", "!", "--gid-owner", "root", "-j", "ACCEPT"}, {"-A", "OUTPUT", "-p", "tcp", "-j", "DROP"}, @@ -420,7 +444,7 @@ func (FilterOutputInvertUIDAndGIDOwner) ContainerAction(ctx context.Context, ip } // LocalAction implements TestCase.LocalAction. -func (FilterOutputInvertUIDAndGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInvertUIDAndGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() if err := connectTCP(timedCtx, ip, acceptPort); err == nil { 
@@ -434,13 +458,15 @@ func (FilterOutputInvertUIDAndGIDOwner) LocalAction(ctx context.Context, ip net. // certain destinations. type FilterOutputDestination struct{ localCase } +var _ TestCase = (*FilterOutputDestination)(nil) + // Name implements TestCase.Name. -func (FilterOutputDestination) Name() string { +func (*FilterOutputDestination) Name() string { return "FilterOutputDestination" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputDestination) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputDestination) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { var rules [][]string if ipv6 { rules = [][]string{ @@ -464,7 +490,7 @@ func (FilterOutputDestination) ContainerAction(ctx context.Context, ip net.IP, i } // LocalAction implements TestCase.LocalAction. -func (FilterOutputDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return listenUDP(ctx, acceptPort) } @@ -472,13 +498,15 @@ func (FilterOutputDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 // not headed for a particular destination. type FilterOutputInvertDestination struct{ localCase } +var _ TestCase = (*FilterOutputInvertDestination)(nil) + // Name implements TestCase.Name. -func (FilterOutputInvertDestination) Name() string { +func (*FilterOutputInvertDestination) Name() string { return "FilterOutputInvertDestination" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputInvertDestination) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInvertDestination) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { rules := [][]string{ {"-A", "OUTPUT", "!", "-d", localIP(ipv6), "-j", "ACCEPT"}, {"-P", "OUTPUT", "DROP"}, 
@@ -491,7 +519,7 @@ func (FilterOutputInvertDestination) ContainerAction(ctx context.Context, ip net } // LocalAction implements TestCase.LocalAction. -func (FilterOutputInvertDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInvertDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return listenUDP(ctx, acceptPort) } @@ -499,13 +527,15 @@ func (FilterOutputInvertDestination) LocalAction(ctx context.Context, ip net.IP, // matching the iptables rule. type FilterOutputInterfaceAccept struct{ localCase } +var _ TestCase = (*FilterOutputInterfaceAccept)(nil) + // Name implements TestCase.Name. -func (FilterOutputInterfaceAccept) Name() string { +func (*FilterOutputInterfaceAccept) Name() string { return "FilterOutputInterfaceAccept" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputInterfaceAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInterfaceAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { ifname, ok := getInterfaceName() if !ok { return fmt.Errorf("no interface is present, except loopback") @@ -518,7 +548,7 @@ func (FilterOutputInterfaceAccept) ContainerAction(ctx context.Context, ip net.I } // LocalAction implements TestCase.LocalAction. -func (FilterOutputInterfaceAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInterfaceAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return listenUDP(ctx, acceptPort) } 
@@ -526,13 +556,15 @@ func (FilterOutputInterfaceAccept) LocalAction(ctx context.Context, ip net.IP, i // matching the iptables rule. type FilterOutputInterfaceDrop struct{ localCase } +var _ TestCase = (*FilterOutputInterfaceDrop)(nil) + // Name implements TestCase.Name. -func (FilterOutputInterfaceDrop) Name() string { +func (*FilterOutputInterfaceDrop) Name() string { return "FilterOutputInterfaceDrop" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputInterfaceDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInterfaceDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { ifname, ok := getInterfaceName() if !ok { return fmt.Errorf("no interface is present, except loopback") @@ -545,7 +577,7 @@ func (FilterOutputInterfaceDrop) ContainerAction(ctx context.Context, ip net.IP, } // LocalAction implements TestCase.LocalAction. -func (FilterOutputInterfaceDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInterfaceDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() if err := listenUDP(timedCtx, acceptPort); err == nil { 
@@ -561,13 +593,15 @@ func (FilterOutputInterfaceDrop) LocalAction(ctx context.Context, ip net.IP, ipv // not matching the interface name in the iptables rule. type FilterOutputInterface struct{ localCase } +var _ TestCase = (*FilterOutputInterface)(nil) + // Name implements TestCase.Name. -func (FilterOutputInterface) Name() string { +func (*FilterOutputInterface) Name() string { return "FilterOutputInterface" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputInterface) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInterface) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "udp", "-o", "lo", "-j", "DROP"); err != nil { return err } @@ -576,7 +610,7 @@ func (FilterOutputInterface) ContainerAction(ctx context.Context, ip net.IP, ipv } // LocalAction implements TestCase.LocalAction. -func (FilterOutputInterface) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInterface) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return listenUDP(ctx, acceptPort) } @@ -584,13 +618,15 @@ func (FilterOutputInterface) LocalAction(ctx context.Context, ip net.IP, ipv6 bo // interface which begins with the given interface name. type FilterOutputInterfaceBeginsWith struct{ localCase } +var _ TestCase = (*FilterOutputInterfaceBeginsWith)(nil) + // Name implements TestCase.Name. -func (FilterOutputInterfaceBeginsWith) Name() string { +func (*FilterOutputInterfaceBeginsWith) Name() string { return "FilterOutputInterfaceBeginsWith" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputInterfaceBeginsWith) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInterfaceBeginsWith) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "udp", "-o", "e+", "-j", "DROP"); err != nil { return err } 
@@ -599,7 +635,7 @@ func (FilterOutputInterfaceBeginsWith) ContainerAction(ctx context.Context, ip n } // LocalAction implements TestCase.LocalAction. -func (FilterOutputInterfaceBeginsWith) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInterfaceBeginsWith) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() if err := listenUDP(timedCtx, acceptPort); err == nil { @@ -615,13 +651,15 @@ func (FilterOutputInterfaceBeginsWith) LocalAction(ctx context.Context, ip net.I // packets via interface not matching the interface name. type FilterOutputInterfaceInvertDrop struct{ baseCase } +var _ TestCase = (*FilterOutputInterfaceInvertDrop)(nil) + // Name implements TestCase.Name. -func (FilterOutputInterfaceInvertDrop) Name() string { +func (*FilterOutputInterfaceInvertDrop) Name() string { return "FilterOutputInterfaceInvertDrop" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputInterfaceInvertDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInterfaceInvertDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "tcp", "!", "-o", "lo", "-j", "DROP"); err != nil { return err } @@ -639,7 +677,7 @@ func (FilterOutputInterfaceInvertDrop) ContainerAction(ctx context.Context, ip n } // LocalAction implements TestCase.LocalAction. -func (FilterOutputInterfaceInvertDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInterfaceInvertDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() if err := connectTCP(timedCtx, ip, acceptPort); err == nil { 
@@ -653,13 +691,15 @@ func (FilterOutputInterfaceInvertDrop) LocalAction(ctx context.Context, ip net.I // not matching the specific outgoing interface. type FilterOutputInterfaceInvertAccept struct{ baseCase } +var _ TestCase = (*FilterOutputInterfaceInvertAccept)(nil) + // Name implements TestCase.Name. -func (FilterOutputInterfaceInvertAccept) Name() string { +func (*FilterOutputInterfaceInvertAccept) Name() string { return "FilterOutputInterfaceInvertAccept" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputInterfaceInvertAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInterfaceInvertAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "tcp", "!", "-o", "lo", "-j", "ACCEPT"); err != nil { return err } @@ -669,6 +709,6 @@ func (FilterOutputInterfaceInvertAccept) ContainerAction(ctx context.Context, ip } // LocalAction implements TestCase.LocalAction. -func (FilterOutputInterfaceInvertAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInterfaceInvertAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return connectTCP(ctx, ip, acceptPort) } diff --git a/test/iptables/iptables.go b/test/iptables/iptables.go index c2a03f54c..970587a02 100644 --- a/test/iptables/iptables.go +++ b/test/iptables/iptables.go @@ -64,12 +64,12 @@ type TestCase interface { type baseCase struct{} // ContainerSufficient implements TestCase.ContainerSufficient. -func (baseCase) ContainerSufficient() bool { +func (*baseCase) ContainerSufficient() bool { return false } // LocalSufficient implements TestCase.LocalSufficient. -func (baseCase) LocalSufficient() bool { +func (*baseCase) LocalSufficient() bool { return false } 
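Review bot: In the iptables.go hunk (`@@ -64,12 +64,12 @@`), `baseCase` is an empty struct with no state, so switching `ContainerSufficient` and `LocalSufficient` to pointer receivers looks arbitrary to a reader who has not seen the commit message; the rationale (only `*T` should satisfy `TestCase`, so callers and type assertions deal with a single type) should live in the code. I would add above `type baseCase struct{}`, or in its existing doc comment if one sits just above the hunk, `// Methods use pointer receivers so that only *T, not T, implements TestCase; RegisterTestCase and singleTest are passed &T{}.` The same note applies to `localCase` and `containerCase` in the next hunk (`@@ -78,12 +78,12 @@`), which can simply refer back to `baseCase`.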
@@ -78,12 +78,12 @@ func (baseCase) LocalSufficient() bool { type localCase struct{} // ContainerSufficient implements TestCase.ContainerSufficient. -func (localCase) ContainerSufficient() bool { +func (*localCase) ContainerSufficient() bool { return false } // LocalSufficient implements TestCase.LocalSufficient. -func (localCase) LocalSufficient() bool { +func (*localCase) LocalSufficient() bool { return true } @@ -92,12 +92,12 @@ func (localCase) LocalSufficient() bool { type containerCase struct{} // ContainerSufficient implements TestCase.ContainerSufficient. -func (containerCase) ContainerSufficient() bool { +func (*containerCase) ContainerSufficient() bool { return true } // LocalSufficient implements TestCase.LocalSufficient. -func (containerCase) LocalSufficient() bool { +func (*containerCase) LocalSufficient() bool { return false } diff --git a/test/iptables/iptables_test.go b/test/iptables/iptables_test.go index ef92e3fff..d6c69a319 100644 --- a/test/iptables/iptables_test.go +++ b/test/iptables/iptables_test.go 
@@ -166,254 +166,254 @@ func sendIP(ip net.IP) error { } func TestFilterInputDropUDP(t *testing.T) { - singleTest(t, FilterInputDropUDP{}) + singleTest(t, &FilterInputDropUDP{}) } func TestFilterInputDropUDPPort(t *testing.T) { - singleTest(t, FilterInputDropUDPPort{}) + singleTest(t, &FilterInputDropUDPPort{}) } func TestFilterInputDropDifferentUDPPort(t *testing.T) { - singleTest(t, FilterInputDropDifferentUDPPort{}) + singleTest(t, &FilterInputDropDifferentUDPPort{}) } func TestFilterInputDropAll(t *testing.T) { - singleTest(t, FilterInputDropAll{}) + singleTest(t, &FilterInputDropAll{}) } func TestFilterInputDropOnlyUDP(t *testing.T) { - singleTest(t, FilterInputDropOnlyUDP{}) + singleTest(t, &FilterInputDropOnlyUDP{}) } func TestFilterInputDropTCPDestPort(t *testing.T) { - singleTest(t, FilterInputDropTCPDestPort{}) + singleTest(t, &FilterInputDropTCPDestPort{}) } func TestFilterInputDropTCPSrcPort(t *testing.T) { - singleTest(t, FilterInputDropTCPSrcPort{}) + singleTest(t, &FilterInputDropTCPSrcPort{}) } func TestFilterInputCreateUserChain(t *testing.T) { - singleTest(t, FilterInputCreateUserChain{}) + singleTest(t, &FilterInputCreateUserChain{}) } func TestFilterInputDefaultPolicyAccept(t *testing.T) { - singleTest(t, FilterInputDefaultPolicyAccept{}) + singleTest(t, &FilterInputDefaultPolicyAccept{}) } func TestFilterInputDefaultPolicyDrop(t *testing.T) { - singleTest(t, FilterInputDefaultPolicyDrop{}) + singleTest(t, &FilterInputDefaultPolicyDrop{}) } func TestFilterInputReturnUnderflow(t *testing.T) { - singleTest(t, FilterInputReturnUnderflow{}) + singleTest(t, &FilterInputReturnUnderflow{}) } func TestFilterOutputDropTCPDestPort(t *testing.T) { - singleTest(t, FilterOutputDropTCPDestPort{}) + singleTest(t, &FilterOutputDropTCPDestPort{}) } func TestFilterOutputDropTCPSrcPort(t *testing.T) { - singleTest(t, FilterOutputDropTCPSrcPort{}) + singleTest(t, &FilterOutputDropTCPSrcPort{}) } func TestFilterOutputAcceptTCPOwner(t *testing.T) { - singleTest(t, 
FilterOutputAcceptTCPOwner{}) + singleTest(t, &FilterOutputAcceptTCPOwner{}) } func TestFilterOutputDropTCPOwner(t *testing.T) { - singleTest(t, FilterOutputDropTCPOwner{}) + singleTest(t, &FilterOutputDropTCPOwner{}) } func TestFilterOutputAcceptUDPOwner(t *testing.T) { - singleTest(t, FilterOutputAcceptUDPOwner{}) + singleTest(t, &FilterOutputAcceptUDPOwner{}) } func TestFilterOutputDropUDPOwner(t *testing.T) { - singleTest(t, FilterOutputDropUDPOwner{}) + singleTest(t, &FilterOutputDropUDPOwner{}) } func TestFilterOutputOwnerFail(t *testing.T) { - singleTest(t, FilterOutputOwnerFail{}) + singleTest(t, &FilterOutputOwnerFail{}) } func TestFilterOutputAcceptGIDOwner(t *testing.T) { - singleTest(t, FilterOutputAcceptGIDOwner{}) + singleTest(t, &FilterOutputAcceptGIDOwner{}) } func TestFilterOutputDropGIDOwner(t *testing.T) { - singleTest(t, FilterOutputDropGIDOwner{}) + singleTest(t, &FilterOutputDropGIDOwner{}) } func TestFilterOutputInvertGIDOwner(t *testing.T) { - singleTest(t, FilterOutputInvertGIDOwner{}) + singleTest(t, &FilterOutputInvertGIDOwner{}) } func TestFilterOutputInvertUIDOwner(t *testing.T) { - singleTest(t, FilterOutputInvertUIDOwner{}) + singleTest(t, &FilterOutputInvertUIDOwner{}) } func TestFilterOutputInvertUIDAndGIDOwner(t *testing.T) { - singleTest(t, FilterOutputInvertUIDAndGIDOwner{}) + singleTest(t, &FilterOutputInvertUIDAndGIDOwner{}) } func TestFilterOutputInterfaceAccept(t *testing.T) { - singleTest(t, FilterOutputInterfaceAccept{}) + singleTest(t, &FilterOutputInterfaceAccept{}) } func TestFilterOutputInterfaceDrop(t *testing.T) { - singleTest(t, FilterOutputInterfaceDrop{}) + singleTest(t, &FilterOutputInterfaceDrop{}) } func TestFilterOutputInterface(t *testing.T) { - singleTest(t, FilterOutputInterface{}) + singleTest(t, &FilterOutputInterface{}) } func TestFilterOutputInterfaceBeginsWith(t *testing.T) { - singleTest(t, FilterOutputInterfaceBeginsWith{}) + singleTest(t, &FilterOutputInterfaceBeginsWith{}) } func 
TestFilterOutputInterfaceInvertDrop(t *testing.T) { - singleTest(t, FilterOutputInterfaceInvertDrop{}) + singleTest(t, &FilterOutputInterfaceInvertDrop{}) } func TestFilterOutputInterfaceInvertAccept(t *testing.T) { - singleTest(t, FilterOutputInterfaceInvertAccept{}) + singleTest(t, &FilterOutputInterfaceInvertAccept{}) } func TestJumpSerialize(t *testing.T) { - singleTest(t, FilterInputSerializeJump{}) + singleTest(t, &FilterInputSerializeJump{}) } func TestJumpBasic(t *testing.T) { - singleTest(t, FilterInputJumpBasic{}) + singleTest(t, &FilterInputJumpBasic{}) } func TestJumpReturn(t *testing.T) { - singleTest(t, FilterInputJumpReturn{}) + singleTest(t, &FilterInputJumpReturn{}) } func TestJumpReturnDrop(t *testing.T) { - singleTest(t, FilterInputJumpReturnDrop{}) + singleTest(t, &FilterInputJumpReturnDrop{}) } func TestJumpBuiltin(t *testing.T) { - singleTest(t, FilterInputJumpBuiltin{}) + singleTest(t, &FilterInputJumpBuiltin{}) } func TestJumpTwice(t *testing.T) { - singleTest(t, FilterInputJumpTwice{}) + singleTest(t, &FilterInputJumpTwice{}) } func TestInputDestination(t *testing.T) { - singleTest(t, FilterInputDestination{}) + singleTest(t, &FilterInputDestination{}) } func TestInputInvertDestination(t *testing.T) { - singleTest(t, FilterInputInvertDestination{}) + singleTest(t, &FilterInputInvertDestination{}) } func TestFilterOutputDestination(t *testing.T) { - singleTest(t, FilterOutputDestination{}) + singleTest(t, &FilterOutputDestination{}) } func TestFilterOutputInvertDestination(t *testing.T) { - singleTest(t, FilterOutputInvertDestination{}) + singleTest(t, &FilterOutputInvertDestination{}) } func TestNATPreRedirectUDPPort(t *testing.T) { - singleTest(t, NATPreRedirectUDPPort{}) + singleTest(t, &NATPreRedirectUDPPort{}) } func TestNATPreRedirectTCPPort(t *testing.T) { - singleTest(t, NATPreRedirectTCPPort{}) + singleTest(t, &NATPreRedirectTCPPort{}) } func TestNATPreRedirectTCPOutgoing(t *testing.T) { - singleTest(t, NATPreRedirectTCPOutgoing{}) 
+ singleTest(t, &NATPreRedirectTCPOutgoing{}) } func TestNATOutRedirectTCPIncoming(t *testing.T) { - singleTest(t, NATOutRedirectTCPIncoming{}) + singleTest(t, &NATOutRedirectTCPIncoming{}) } func TestNATOutRedirectUDPPort(t *testing.T) { - singleTest(t, NATOutRedirectUDPPort{}) + singleTest(t, &NATOutRedirectUDPPort{}) } func TestNATOutRedirectTCPPort(t *testing.T) { - singleTest(t, NATOutRedirectTCPPort{}) + singleTest(t, &NATOutRedirectTCPPort{}) } func TestNATDropUDP(t *testing.T) { - singleTest(t, NATDropUDP{}) + singleTest(t, &NATDropUDP{}) } func TestNATAcceptAll(t *testing.T) { - singleTest(t, NATAcceptAll{}) + singleTest(t, &NATAcceptAll{}) } func TestNATOutRedirectIP(t *testing.T) { - singleTest(t, NATOutRedirectIP{}) + singleTest(t, &NATOutRedirectIP{}) } func TestNATOutDontRedirectIP(t *testing.T) { - singleTest(t, NATOutDontRedirectIP{}) + singleTest(t, &NATOutDontRedirectIP{}) } func TestNATOutRedirectInvert(t *testing.T) { - singleTest(t, NATOutRedirectInvert{}) + singleTest(t, &NATOutRedirectInvert{}) } func TestNATPreRedirectIP(t *testing.T) { - singleTest(t, NATPreRedirectIP{}) + singleTest(t, &NATPreRedirectIP{}) } func TestNATPreDontRedirectIP(t *testing.T) { - singleTest(t, NATPreDontRedirectIP{}) + singleTest(t, &NATPreDontRedirectIP{}) } func TestNATPreRedirectInvert(t *testing.T) { - singleTest(t, NATPreRedirectInvert{}) + singleTest(t, &NATPreRedirectInvert{}) } func TestNATRedirectRequiresProtocol(t *testing.T) { - singleTest(t, NATRedirectRequiresProtocol{}) + singleTest(t, &NATRedirectRequiresProtocol{}) } func TestNATLoopbackSkipsPrerouting(t *testing.T) { - singleTest(t, NATLoopbackSkipsPrerouting{}) + singleTest(t, &NATLoopbackSkipsPrerouting{}) } func TestInputSource(t *testing.T) { - singleTest(t, FilterInputSource{}) + singleTest(t, &FilterInputSource{}) } func TestInputInvertSource(t *testing.T) { - singleTest(t, FilterInputInvertSource{}) + singleTest(t, &FilterInputInvertSource{}) } func TestInputInterfaceAccept(t *testing.T) { 
- singleTest(t, FilterInputInterfaceAccept{}) + singleTest(t, &FilterInputInterfaceAccept{}) } func TestInputInterfaceDrop(t *testing.T) { - singleTest(t, FilterInputInterfaceDrop{}) + singleTest(t, &FilterInputInterfaceDrop{}) } func TestInputInterface(t *testing.T) { - singleTest(t, FilterInputInterface{}) + singleTest(t, &FilterInputInterface{}) } func TestInputInterfaceBeginsWith(t *testing.T) { - singleTest(t, FilterInputInterfaceBeginsWith{}) + singleTest(t, &FilterInputInterfaceBeginsWith{}) } func TestInputInterfaceInvertDrop(t *testing.T) { - singleTest(t, FilterInputInterfaceInvertDrop{}) + singleTest(t, &FilterInputInterfaceInvertDrop{}) } func TestInputInterfaceInvertAccept(t *testing.T) { - singleTest(t, FilterInputInterfaceInvertAccept{}) + singleTest(t, &FilterInputInterfaceInvertAccept{}) } func TestFilterAddrs(t *testing.T) { @@ -442,17 +442,17 @@ func TestFilterAddrs(t *testing.T) { } func TestNATPreOriginalDst(t *testing.T) { - singleTest(t, NATPreOriginalDst{}) + singleTest(t, &NATPreOriginalDst{}) } func TestNATOutOriginalDst(t *testing.T) { - singleTest(t, NATOutOriginalDst{}) + singleTest(t, &NATOutOriginalDst{}) } func TestNATPreRECVORIGDSTADDR(t *testing.T) { - singleTest(t, NATPreRECVORIGDSTADDR{}) + singleTest(t, &NATPreRECVORIGDSTADDR{}) } func TestNATOutRECVORIGDSTADDR(t *testing.T) { - singleTest(t, NATOutRECVORIGDSTADDR{}) + singleTest(t, &NATOutRECVORIGDSTADDR{}) } diff --git a/test/iptables/nat.go b/test/iptables/nat.go index c3874240f..7ff8510a7 100644 --- a/test/iptables/nat.go +++ b/test/iptables/nat.go 
@@ -28,38 +28,40 @@ import ( const redirectPort = 42 func init() { - RegisterTestCase(NATPreRedirectUDPPort{}) - RegisterTestCase(NATPreRedirectTCPPort{}) - RegisterTestCase(NATPreRedirectTCPOutgoing{}) - RegisterTestCase(NATOutRedirectTCPIncoming{}) - RegisterTestCase(NATOutRedirectUDPPort{}) - RegisterTestCase(NATOutRedirectTCPPort{}) - RegisterTestCase(NATDropUDP{}) - RegisterTestCase(NATAcceptAll{}) - RegisterTestCase(NATPreRedirectIP{}) - RegisterTestCase(NATPreDontRedirectIP{}) - RegisterTestCase(NATPreRedirectInvert{}) - RegisterTestCase(NATOutRedirectIP{}) - RegisterTestCase(NATOutDontRedirectIP{}) - RegisterTestCase(NATOutRedirectInvert{}) - RegisterTestCase(NATRedirectRequiresProtocol{}) - RegisterTestCase(NATLoopbackSkipsPrerouting{}) - RegisterTestCase(NATPreOriginalDst{}) - RegisterTestCase(NATOutOriginalDst{}) - RegisterTestCase(NATPreRECVORIGDSTADDR{}) - RegisterTestCase(NATOutRECVORIGDSTADDR{}) + RegisterTestCase(&NATPreRedirectUDPPort{}) + RegisterTestCase(&NATPreRedirectTCPPort{}) + RegisterTestCase(&NATPreRedirectTCPOutgoing{}) + RegisterTestCase(&NATOutRedirectTCPIncoming{}) + RegisterTestCase(&NATOutRedirectUDPPort{}) + RegisterTestCase(&NATOutRedirectTCPPort{}) + RegisterTestCase(&NATDropUDP{}) + RegisterTestCase(&NATAcceptAll{}) + RegisterTestCase(&NATPreRedirectIP{}) + RegisterTestCase(&NATPreDontRedirectIP{}) + RegisterTestCase(&NATPreRedirectInvert{}) + RegisterTestCase(&NATOutRedirectIP{}) + RegisterTestCase(&NATOutDontRedirectIP{}) + RegisterTestCase(&NATOutRedirectInvert{}) + RegisterTestCase(&NATRedirectRequiresProtocol{}) + RegisterTestCase(&NATLoopbackSkipsPrerouting{}) + RegisterTestCase(&NATPreOriginalDst{}) + RegisterTestCase(&NATOutOriginalDst{}) + RegisterTestCase(&NATPreRECVORIGDSTADDR{}) + RegisterTestCase(&NATOutRECVORIGDSTADDR{}) } // NATPreRedirectUDPPort tests that packets are redirected to different port. 
type NATPreRedirectUDPPort struct{ containerCase } +var _ TestCase = (*NATPreRedirectUDPPort)(nil) + // Name implements TestCase.Name. -func (NATPreRedirectUDPPort) Name() string { +func (*NATPreRedirectUDPPort) Name() string { return "NATPreRedirectUDPPort" } // ContainerAction implements TestCase.ContainerAction. -func (NATPreRedirectUDPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATPreRedirectUDPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := natTable(ipv6, "-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", redirectPort)); err != nil { return err } @@ -72,20 +74,22 @@ func (NATPreRedirectUDPPort) ContainerAction(ctx context.Context, ip net.IP, ipv } // LocalAction implements TestCase.LocalAction. -func (NATPreRedirectUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATPreRedirectUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } // NATPreRedirectTCPPort tests that connections are redirected on specified ports. type NATPreRedirectTCPPort struct{ baseCase } +var _ TestCase = (*NATPreRedirectTCPPort)(nil) + // Name implements TestCase.Name. -func (NATPreRedirectTCPPort) Name() string { +func (*NATPreRedirectTCPPort) Name() string { return "NATPreRedirectTCPPort" } // ContainerAction implements TestCase.ContainerAction. -func (NATPreRedirectTCPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATPreRedirectTCPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := natTable(ipv6, "-A", "PREROUTING", "-p", "tcp", "-m", "tcp", "--dport", fmt.Sprintf("%d", dropPort), "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", acceptPort)); err != nil { return err } 
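Review bot: The added `var _ TestCase = (*NATPreRedirectUDPPort)(nil)` guard, and the matching line for every other type in nat.go and filter_output.go, repeats a check the compiler already performs a few lines above it: `RegisterTestCase(&NATPreRedirectUDPPort{})` in `init` cannot compile unless `*NATPreRedirectUDPPort` implements TestCase, assuming RegisterTestCase's parameter is typed TestCase (its signature is outside this diff). The guards are still worth keeping if the intent is to protect a type that is later dropped from `init` while its test wrapper remains, but then that intent should be stated once rather than left implicit twenty times; a comment on the first guard such as `// Compile-time check kept independent of the init registration below.` would do. If that is not the intent, dropping the guards keeps each type declaration to one line.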
@@ -95,7 +99,7 @@ func (NATPreRedirectTCPPort) ContainerAction(ctx context.Context, ip net.IP, ipv } // LocalAction implements TestCase.LocalAction. -func (NATPreRedirectTCPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATPreRedirectTCPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return connectTCP(ctx, ip, dropPort) } @@ -103,13 +107,15 @@ func (NATPreRedirectTCPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bo // affected by PREROUTING connection tracking. type NATPreRedirectTCPOutgoing struct{ baseCase } +var _ TestCase = (*NATPreRedirectTCPOutgoing)(nil) + // Name implements TestCase.Name. -func (NATPreRedirectTCPOutgoing) Name() string { +func (*NATPreRedirectTCPOutgoing) Name() string { return "NATPreRedirectTCPOutgoing" } // ContainerAction implements TestCase.ContainerAction. -func (NATPreRedirectTCPOutgoing) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATPreRedirectTCPOutgoing) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Redirect all incoming TCP traffic to a closed port. if err := natTable(ipv6, "-A", "PREROUTING", "-p", "tcp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", dropPort)); err != nil { return err @@ -120,7 +126,7 @@ func (NATPreRedirectTCPOutgoing) ContainerAction(ctx context.Context, ip net.IP, } // LocalAction implements TestCase.LocalAction. -func (NATPreRedirectTCPOutgoing) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATPreRedirectTCPOutgoing) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return listenTCP(ctx, acceptPort) } 
@@ -128,13 +134,15 @@ func (NATPreRedirectTCPOutgoing) LocalAction(ctx context.Context, ip net.IP, ipv // affected by OUTPUT connection tracking. type NATOutRedirectTCPIncoming struct{ baseCase } +var _ TestCase = (*NATOutRedirectTCPIncoming)(nil) + // Name implements TestCase.Name. -func (NATOutRedirectTCPIncoming) Name() string { +func (*NATOutRedirectTCPIncoming) Name() string { return "NATOutRedirectTCPIncoming" } // ContainerAction implements TestCase.ContainerAction. -func (NATOutRedirectTCPIncoming) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATOutRedirectTCPIncoming) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Redirect all outgoing TCP traffic to a closed port. if err := natTable(ipv6, "-A", "OUTPUT", "-p", "tcp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", dropPort)); err != nil { return err 
@@ -145,25 +153,27 @@ func (NATOutRedirectTCPIncoming) ContainerAction(ctx context.Context, ip net.IP, } // LocalAction implements TestCase.LocalAction. -func (NATOutRedirectTCPIncoming) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATOutRedirectTCPIncoming) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return connectTCP(ctx, ip, acceptPort) } // NATOutRedirectUDPPort tests that packets are redirected to different port. type NATOutRedirectUDPPort struct{ containerCase } +var _ TestCase = (*NATOutRedirectUDPPort)(nil) + // Name implements TestCase.Name. -func (NATOutRedirectUDPPort) Name() string { +func (*NATOutRedirectUDPPort) Name() string { return "NATOutRedirectUDPPort" } // ContainerAction implements TestCase.ContainerAction. -func (NATOutRedirectUDPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATOutRedirectUDPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { return loopbackTest(ctx, ipv6, net.ParseIP(nowhereIP(ipv6)), "-A", "OUTPUT", "-p", "udp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", acceptPort)) } // LocalAction implements TestCase.LocalAction. -func (NATOutRedirectUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATOutRedirectUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // No-op. return nil } 
@@ -172,13 +182,15 @@ func (NATOutRedirectUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bo // port. type NATDropUDP struct{ containerCase } +var _ TestCase = (*NATDropUDP)(nil) + // Name implements TestCase.Name. -func (NATDropUDP) Name() string { +func (*NATDropUDP) Name() string { return "NATDropUDP" } // ContainerAction implements TestCase.ContainerAction. -func (NATDropUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATDropUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := natTable(ipv6, "-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", redirectPort)); err != nil { return err } @@ -195,20 +207,22 @@ func (NATDropUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) err } // LocalAction implements TestCase.LocalAction. -func (NATDropUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATDropUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } // NATAcceptAll tests that all UDP packets are accepted. type NATAcceptAll struct{ containerCase } +var _ TestCase = (*NATAcceptAll)(nil) + // Name implements TestCase.Name. -func (NATAcceptAll) Name() string { +func (*NATAcceptAll) Name() string { return "NATAcceptAll" } // ContainerAction implements TestCase.ContainerAction. -func (NATAcceptAll) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATAcceptAll) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := natTable(ipv6, "-A", "PREROUTING", "-p", "udp", "-j", "ACCEPT"); err != nil { return err } 
@@ -221,7 +235,7 @@ func (NATAcceptAll) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) e } // LocalAction implements TestCase.LocalAction. -func (NATAcceptAll) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATAcceptAll) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } @@ -229,13 +243,15 @@ func (NATAcceptAll) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error // redirects them. type NATOutRedirectIP struct{ baseCase } +var _ TestCase = (*NATOutRedirectIP)(nil) + // Name implements TestCase.Name. -func (NATOutRedirectIP) Name() string { +func (*NATOutRedirectIP) Name() string { return "NATOutRedirectIP" } // ContainerAction implements TestCase.ContainerAction. -func (NATOutRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATOutRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Redirect OUTPUT packets to a listening localhost port. return loopbackTest(ctx, ipv6, net.ParseIP(nowhereIP(ipv6)), "-A", "OUTPUT", @@ -245,7 +261,7 @@ func (NATOutRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 boo } // LocalAction implements TestCase.LocalAction. -func (NATOutRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATOutRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // No-op. return nil } 
@@ -254,13 +270,15 @@ func (NATOutRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) e // packets it shouldn't. type NATOutDontRedirectIP struct{ localCase } +var _ TestCase = (*NATOutDontRedirectIP)(nil) + // Name implements TestCase.Name. -func (NATOutDontRedirectIP) Name() string { +func (*NATOutDontRedirectIP) Name() string { return "NATOutDontRedirectIP" } // ContainerAction implements TestCase.ContainerAction. -func (NATOutDontRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATOutDontRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := natTable(ipv6, "-A", "OUTPUT", "-d", localIP(ipv6), "-p", "udp", "-j", "REDIRECT", "--to-port", fmt.Sprintf("%d", dropPort)); err != nil { return err } @@ -268,20 +286,22 @@ func (NATOutDontRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 } // LocalAction implements TestCase.LocalAction. -func (NATOutDontRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATOutDontRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return listenUDP(ctx, acceptPort) } // NATOutRedirectInvert tests that iptables can match with "! -d". type NATOutRedirectInvert struct{ baseCase } +var _ TestCase = (*NATOutRedirectInvert)(nil) + // Name implements TestCase.Name. -func (NATOutRedirectInvert) Name() string { +func (*NATOutRedirectInvert) Name() string { return "NATOutRedirectInvert" } // ContainerAction implements TestCase.ContainerAction. -func (NATOutRedirectInvert) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATOutRedirectInvert) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Redirect OUTPUT packets to a listening localhost port. dest := "192.0.2.2" if ipv6 { 
@@ -295,7 +315,7 @@ func (NATOutRedirectInvert) ContainerAction(ctx context.Context, ip net.IP, ipv6 } // LocalAction implements TestCase.LocalAction. -func (NATOutRedirectInvert) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATOutRedirectInvert) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // No-op. return nil } @@ -304,13 +324,15 @@ func (NATOutRedirectInvert) LocalAction(ctx context.Context, ip net.IP, ipv6 boo // destination IP and redirect them. type NATPreRedirectIP struct{ containerCase } +var _ TestCase = (*NATPreRedirectIP)(nil) + // Name implements TestCase.Name. -func (NATPreRedirectIP) Name() string { +func (*NATPreRedirectIP) Name() string { return "NATPreRedirectIP" } // ContainerAction implements TestCase.ContainerAction. -func (NATPreRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATPreRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { addrs, err := localAddrs(ipv6) if err != nil { return err @@ -327,7 +349,7 @@ func (NATPreRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 boo } // LocalAction implements TestCase.LocalAction. -func (NATPreRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATPreRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, dropPort) } 
@@ -335,13 +357,15 @@ func (NATPreRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) e // packets it shouldn't. type NATPreDontRedirectIP struct{ containerCase } +var _ TestCase = (*NATPreDontRedirectIP)(nil) + // Name implements TestCase.Name. -func (NATPreDontRedirectIP) Name() string { +func (*NATPreDontRedirectIP) Name() string { return "NATPreDontRedirectIP" } // ContainerAction implements TestCase.ContainerAction. -func (NATPreDontRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATPreDontRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := natTable(ipv6, "-A", "PREROUTING", "-p", "udp", "-d", localIP(ipv6), "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", dropPort)); err != nil { return err } @@ -349,20 +373,22 @@ func (NATPreDontRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 } // LocalAction implements TestCase.LocalAction. -func (NATPreDontRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATPreDontRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } // NATPreRedirectInvert tests that iptables can match with "! -d". type NATPreRedirectInvert struct{ containerCase } +var _ TestCase = (*NATPreRedirectInvert)(nil) + // Name implements TestCase.Name. -func (NATPreRedirectInvert) Name() string { +func (*NATPreRedirectInvert) Name() string { return "NATPreRedirectInvert" } // ContainerAction implements TestCase.ContainerAction. -func (NATPreRedirectInvert) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATPreRedirectInvert) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := natTable(ipv6, "-A", "PREROUTING", "-p", "udp", "!", "-d", localIP(ipv6), "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", acceptPort)); err != nil { return err } 
@@ -370,7 +396,7 @@ func (NATPreRedirectInvert) ContainerAction(ctx context.Context, ip net.IP, ipv6 } // LocalAction implements TestCase.LocalAction. -func (NATPreRedirectInvert) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATPreRedirectInvert) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, dropPort) } @@ -378,13 +404,15 @@ func (NATPreRedirectInvert) LocalAction(ctx context.Context, ip net.IP, ipv6 boo // protocol to be specified with -p. type NATRedirectRequiresProtocol struct{ baseCase } +var _ TestCase = (*NATRedirectRequiresProtocol)(nil) + // Name implements TestCase.Name. -func (NATRedirectRequiresProtocol) Name() string { +func (*NATRedirectRequiresProtocol) Name() string { return "NATRedirectRequiresProtocol" } // ContainerAction implements TestCase.ContainerAction. -func (NATRedirectRequiresProtocol) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATRedirectRequiresProtocol) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := natTable(ipv6, "-A", "PREROUTING", "-d", localIP(ipv6), "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", acceptPort)); err == nil { return errors.New("expected an error using REDIRECT --to-ports without a protocol") } @@ -392,7 +420,7 @@ func (NATRedirectRequiresProtocol) ContainerAction(ctx context.Context, ip net.I } // LocalAction implements TestCase.LocalAction. -func (NATRedirectRequiresProtocol) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATRedirectRequiresProtocol) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // No-op. return nil } 
@@ -400,13 +428,15 @@ func (NATRedirectRequiresProtocol) LocalAction(ctx context.Context, ip net.IP, i // NATOutRedirectTCPPort tests that connections are redirected on specified ports. type NATOutRedirectTCPPort struct{ baseCase } +var _ TestCase = (*NATOutRedirectTCPPort)(nil) + // Name implements TestCase.Name. -func (NATOutRedirectTCPPort) Name() string { +func (*NATOutRedirectTCPPort) Name() string { return "NATOutRedirectTCPPort" } // ContainerAction implements TestCase.ContainerAction. -func (NATOutRedirectTCPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATOutRedirectTCPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := natTable(ipv6, "-A", "OUTPUT", "-p", "tcp", "-m", "tcp", "--dport", fmt.Sprintf("%d", dropPort), "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", acceptPort)); err != nil { return err } @@ -438,7 +468,7 @@ func (NATOutRedirectTCPPort) ContainerAction(ctx context.Context, ip net.IP, ipv } // LocalAction implements TestCase.LocalAction. -func (NATOutRedirectTCPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATOutRedirectTCPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return nil } 
@@ -446,13 +476,15 @@ func (NATOutRedirectTCPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bo // affected by PREROUTING rules. type NATLoopbackSkipsPrerouting struct{ baseCase } +var _ TestCase = (*NATLoopbackSkipsPrerouting)(nil) + // Name implements TestCase.Name. -func (NATLoopbackSkipsPrerouting) Name() string { +func (*NATLoopbackSkipsPrerouting) Name() string { return "NATLoopbackSkipsPrerouting" } // ContainerAction implements TestCase.ContainerAction. -func (NATLoopbackSkipsPrerouting) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATLoopbackSkipsPrerouting) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Redirect anything sent to localhost to an unused port. dest := []byte{127, 0, 0, 1} if err := natTable(ipv6, "-A", "PREROUTING", "-p", "tcp", "-j", "REDIRECT", "--to-port", fmt.Sprintf("%d", dropPort)); err != nil { @@ -473,7 +505,7 @@ func (NATLoopbackSkipsPrerouting) ContainerAction(ctx context.Context, ip net.IP } // LocalAction implements TestCase.LocalAction. -func (NATLoopbackSkipsPrerouting) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATLoopbackSkipsPrerouting) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // No-op. return nil } @@ -482,13 +514,15 @@ func (NATLoopbackSkipsPrerouting) LocalAction(ctx context.Context, ip net.IP, ip // of PREROUTING NATted packets. type NATPreOriginalDst struct{ baseCase } +var _ TestCase = (*NATPreOriginalDst)(nil) + // Name implements TestCase.Name. -func (NATPreOriginalDst) Name() string { +func (*NATPreOriginalDst) Name() string { return "NATPreOriginalDst" } // ContainerAction implements TestCase.ContainerAction. -func (NATPreOriginalDst) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATPreOriginalDst) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Redirect incoming TCP connections to acceptPort. if err := natTable(ipv6, "-A", "PREROUTING", "-p", "tcp", 
@@ -505,7 +539,7 @@ func (NATPreOriginalDst) ContainerAction(ctx context.Context, ip net.IP, ipv6 bo } // LocalAction implements TestCase.LocalAction. -func (NATPreOriginalDst) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATPreOriginalDst) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return connectTCP(ctx, ip, dropPort) } @@ -513,13 +547,15 @@ func (NATPreOriginalDst) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) // of OUTBOUND NATted packets. type NATOutOriginalDst struct{ baseCase } +var _ TestCase = (*NATOutOriginalDst)(nil) + // Name implements TestCase.Name. -func (NATOutOriginalDst) Name() string { +func (*NATOutOriginalDst) Name() string { return "NATOutOriginalDst" } // ContainerAction implements TestCase.ContainerAction. -func (NATOutOriginalDst) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATOutOriginalDst) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Redirect incoming TCP connections to acceptPort. if err := natTable(ipv6, "-A", "OUTPUT", "-p", "tcp", "-j", "REDIRECT", "--to-port", fmt.Sprintf("%d", acceptPort)); err != nil { return err @@ -537,7 +573,7 @@ func (NATOutOriginalDst) ContainerAction(ctx context.Context, ip net.IP, ipv6 bo } // LocalAction implements TestCase.LocalAction. -func (NATOutOriginalDst) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATOutOriginalDst) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // No-op. return nil } 
@@ -650,13 +686,15 @@ func loopbackTest(ctx context.Context, ipv6 bool, dest net.IP, args ...string) e
 // address on the PREROUTING chain.
 type NATPreRECVORIGDSTADDR struct{ containerCase }
 
+var _ TestCase = (*NATPreRECVORIGDSTADDR)(nil)
+
 // Name implements TestCase.Name.
-func (NATPreRECVORIGDSTADDR) Name() string {
+func (*NATPreRECVORIGDSTADDR) Name() string {
 	return "NATPreRECVORIGDSTADDR"
 }
 
 // ContainerAction implements TestCase.ContainerAction.
-func (NATPreRECVORIGDSTADDR) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error {
+func (*NATPreRECVORIGDSTADDR) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error {
 	if err := natTable(ipv6, "-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", redirectPort)); err != nil {
 		return err
 	}
@@ -669,7 +707,7 @@ func (NATPreRECVORIGDSTADDR) ContainerAction(ctx context.Context, ip net.IP, ipv
 }
 
 // LocalAction implements TestCase.LocalAction.
-func (NATPreRECVORIGDSTADDR) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
+func (*NATPreRECVORIGDSTADDR) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
 	return sendUDPLoop(ctx, ip, acceptPort)
 }
 
@@ -677,13 +715,15 @@ func (NATPreRECVORIGDSTADDR) LocalAction(ctx context.Context, ip net.IP, ipv6 bo
 // address on the OUTPUT chain.
 type NATOutRECVORIGDSTADDR struct{ containerCase }
 
+var _ TestCase = (*NATOutRECVORIGDSTADDR)(nil)
+
 // Name implements TestCase.Name.
-func (NATOutRECVORIGDSTADDR) Name() string {
+func (*NATOutRECVORIGDSTADDR) Name() string {
 	return "NATOutRECVORIGDSTADDR"
 }
 
 // ContainerAction implements TestCase.ContainerAction.
-func (NATOutRECVORIGDSTADDR) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error {
+func (*NATOutRECVORIGDSTADDR) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error {
 	if err := natTable(ipv6, "-A", "OUTPUT", "-p", "udp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", redirectPort)); err != nil {
 		return err
 	}
@@ -712,7 +752,7 @@ func (NATOutRECVORIGDSTADDR) ContainerAction(ctx context.Context, ip net.IP, ipv
 }
 
 // LocalAction implements TestCase.LocalAction.
-func (NATOutRECVORIGDSTADDR) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
+func (*NATOutRECVORIGDSTADDR) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
 	// No-op.
 	return nil
 }
|
