Add iptables testing framework.

It would be preferrable to test iptables via syscall tests, but there are some
problems with that approach:

* We're limited to loopback-only, as syscall tests involve only a single
  container. Other link interfaces (e.g. fdbased) should be tested.
* We'd have to shell out to call iptables anyways, as the iptables syscall
  interface itself is too large and complex to work with alone.
* Running the Linux/native version of the syscall test will require root, which
  is a pain to configure, is inherently unsafe, and could leave host iptables
  misconfigured.

Using the go_test target allows there to be no new test runner.

PiperOrigin-RevId: 285274275

3 files changed, 90 insertions, 0 deletions

diff --git a/test/iptables/runner/BUILD b/test/iptables/runner/BUILD
new file mode 100644
index 000000000..1c59e26b9
--- /dev/null
+++ b/test/iptables/runner/BUILD
@@ -0,0 +1,16 @@
+load("@io_bazel_rules_docker//container:container.bzl", "container_image")
+load("@io_bazel_rules_docker//go:image.bzl", "go_image")
+
+package(licenses = ["notice"])
+
+container_image(
+    name = "iptables-base",
+    base = "@iptables-test//image",
+)
+
+go_image(
+    name = "runner",
+    srcs = ["main.go"],
+    base = ":iptables-base",
+    deps = ["//test/iptables"],
+)
diff --git a/test/iptables/runner/Dockerfile b/test/iptables/runner/Dockerfile
new file mode 100644
index 000000000..b77db44a1
--- /dev/null
+++ b/test/iptables/runner/Dockerfile
@@ -0,0 +1,4 @@
+# This Dockerfile builds the image hosted at
+# gcr.io/gvisor-presubmit/iptables-test.
+FROM ubuntu
+RUN apt update && apt install -y iptables
diff --git a/test/iptables/runner/main.go b/test/iptables/runner/main.go
new file mode 100644
index 000000000..3c794114e
--- /dev/null
+++ b/test/iptables/runner/main.go
@@ -0,0 +1,70 @@
+// Copyright 2019 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package main runs iptables tests from within a docker container.
+package main
+
+import (
+	"flag"
+	"fmt"
+	"log"
+	"net"
+
+	"gvisor.dev/gvisor/test/iptables"
+)
+
+var name = flag.String("name", "", "name of the test to run")
+
+func main() {
+	flag.Parse()
+
+	// Find out which test we're running.
+	test, ok := iptables.Tests[*name]
+	if !ok {
+		log.Fatalf("No test found named %q", *name)
+	}
+	log.Printf("Running test %q", *name)
+
+	// Get the IP of the local process.
+	ip, err := getIP()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// Run the test.
+	if err := test.ContainerAction(ip); err != nil {
+		log.Fatalf("Failed running test %q: %v", *name, err)
+	}
+}
+
+// getIP listens for a connection from the local process and returns the source
+// IP of that connection.
+func getIP() (net.IP, error) {
+	localAddr := net.TCPAddr{
+		Port: iptables.IPExchangePort,
+	}
+	listener, err := net.ListenTCP("tcp4", &localAddr)
+	if err != nil {
+		return net.IP{}, fmt.Errorf("failed listening for IP: %v", err)
+	}
+	defer listener.Close()
+	conn, err := listener.AcceptTCP()
+	if err != nil {
+		return net.IP{}, fmt.Errorf("failed accepting IP: %v", err)
+	}
+	defer conn.Close()
+	log.Printf("Connected to %v", conn.RemoteAddr())
+
+	return conn.RemoteAddr().(*net.TCPAddr).IP, nil
+}