iptables: don't NAT existing connections

Fixes a NAT bug that manifested as: - A SYN was sent from gVisor to another host, unaffected by iptables. - The corresponding SYN/ACK was NATted by a PREROUTING REDIRECT rule despite being part of the existing connection. - The socket that sent the SYN never received the SYN/ACK and thus a connection could not be established. We handle this (as Linux does) by tracking all connections, inserting a no-op conntrack rule for new connections with no rules of their own. Needed for istio support (#170).
author: Kevin Krakauer <krakauer@google.com> 2020-06-05 11:22:44 -0700
committer: Kevin Krakauer <krakauer@google.com> 2020-07-22 16:49:11 -0700
commit: 89bd71c942146f9a77aabab8bc832ec5c3912d6b (patch)
tree: 2b5d6a1a00706f9f22bcb8994241da43ed7cbf57 /test/iptables/iptables_test.go
parent: bd98f820141208d9f19b0e12dee93f6f6de3ac97 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/test/iptables/iptables_test.go b/test/iptables/iptables_test.go
index f5ac79370..f303030aa 100644
--- a/test/iptables/iptables_test.go
+++ b/test/iptables/iptables_test.go
@@ -263,6 +263,13 @@ func TestNATPreRedirectTCPPort(t *testing.T) {
 	singleTest(t, NATPreRedirectTCPPort{})
 }
 
+func TestNATPreRedirectTCPOutgoing(t *testing.T) {
+	singleTest(t, NATPreRedirectTCPOutgoing{})
+}
+
+func TestNATOutRedirectTCPIncoming(t *testing.T) {
+	singleTest(t, NATOutRedirectTCPIncoming{})
+}
 func TestNATOutRedirectUDPPort(t *testing.T) {
 	singleTest(t, NATOutRedirectUDPPort{})
 }
author	Kevin Krakauer <krakauer@google.com>	2020-06-05 11:22:44 -0700
committer	Kevin Krakauer <krakauer@google.com>	2020-07-22 16:49:11 -0700
commit	89bd71c942146f9a77aabab8bc832ec5c3912d6b (patch)
tree	2b5d6a1a00706f9f22bcb8994241da43ed7cbf57 /test/iptables/iptables_test.go
parent	bd98f820141208d9f19b0e12dee93f6f6de3ac97 (diff)