diff options
author | Nayana Bidari <nybidari@google.com> | 2020-01-09 15:38:28 -0800 |
---|---|---|
committer | Nayana Bidari <nybidari@google.com> | 2020-01-09 15:38:28 -0800 |
commit | 04abc9cf558930472605bf740a4333d6fafe5930 (patch) | |
tree | d65f2f37959f772a416ae75ebd0d269050fc9f8d /test/iptables | |
parent | 6cc8e2d814f99439e01c308e16f6631d75578ec0 (diff) |
Add test for redirect port
Fix the indentation and print statements.
Moved the NAT redirect tests to new file.
Added negative test to check redirect rule on ports other than
redirected port.
Diffstat (limited to 'test/iptables')
-rw-r--r-- | test/iptables/BUILD | 1 | ||||
-rw-r--r-- | test/iptables/filter_input.go | 28 | ||||
-rw-r--r-- | test/iptables/iptables_test.go | 9 | ||||
-rw-r--r-- | test/iptables/nat.go | 83 |
4 files changed, 91 insertions, 30 deletions
diff --git a/test/iptables/BUILD b/test/iptables/BUILD index fa833c3b2..68eed721e 100644 --- a/test/iptables/BUILD +++ b/test/iptables/BUILD @@ -8,6 +8,7 @@ go_library( "filter_input.go", "iptables.go", "iptables_util.go", + "nat.go", ], importpath = "gvisor.dev/gvisor/test/iptables", visibility = ["//test/iptables:__subpackages__"], diff --git a/test/iptables/filter_input.go b/test/iptables/filter_input.go index 41bb85369..923f44e68 100644 --- a/test/iptables/filter_input.go +++ b/test/iptables/filter_input.go @@ -23,7 +23,6 @@ import ( const ( dropPort = 2401 acceptPort = 2402 - redirectPort = 42 sendloopDuration = 2 * time.Second network = "udp4" ) @@ -32,7 +31,6 @@ func init() { RegisterTestCase(FilterInputDropUDP{}) RegisterTestCase(FilterInputDropUDPPort{}) RegisterTestCase(FilterInputDropDifferentUDPPort{}) - RegisterTestCase(FilterInputRedirectUDPPort{}) } // FilterInputDropUDP tests that we can drop UDP traffic. @@ -124,29 +122,3 @@ func (FilterInputDropDifferentUDPPort) ContainerAction(ip net.IP) error { func (FilterInputDropDifferentUDPPort) LocalAction(ip net.IP) error { return sendUDPLoop(ip, acceptPort, sendloopDuration) } - -// FilterInputRedirectUDPPort tests that packets are redirected to different port. -type FilterInputRedirectUDPPort struct{} - -// Name implements TestCase.Name. -func (FilterInputRedirectUDPPort) Name() string { - return "FilterInputRedirectUDPPort" -} - -// ContainerAction implements TestCase.ContainerAction. -func (FilterInputRedirectUDPPort) ContainerAction(ip net.IP) error { - if err := filterTable("-t", "nat", "-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", redirectPort)); err != nil { - return err - } - - if err := listenUDP(redirectPort, sendloopDuration); err != nil { - return fmt.Errorf("packets on port %d should be allowed, but encountered an error: %v", acceptPort, redirectPort, err) - } - - return nil -} - -// LocalAction implements TestCase.LocalAction. -func (FilterInputRedirectUDPPort) LocalAction(ip net.IP) error { - return sendUDPLoop(ip, acceptPort, sendloopDuration) -} diff --git a/test/iptables/iptables_test.go b/test/iptables/iptables_test.go index d57ddc0fe..fce9247aa 100644 --- a/test/iptables/iptables_test.go +++ b/test/iptables/iptables_test.go @@ -178,9 +178,14 @@ func TestFilterInputDropDifferentUDPPort(t *testing.T) { } } -func TestFilterInputRedirectUDPPort(t *testing.T) { - if err := singleTest(FilterInputRedirectUDPPort{}); err != nil { +func TestFilterNATRedirectUDPPort(t *testing.T) { + if err := singleTest(FilterNATRedirectUDPPort{}); err != nil { t.Fatal(err) } } +func TestFilterNATDropUDP(t *testing.T) { + if err := singleTest(FilterNATDropUDP{}); err != nil { + t.Fatal(err) + } +} diff --git a/test/iptables/nat.go b/test/iptables/nat.go new file mode 100644 index 000000000..6deabf217 --- /dev/null +++ b/test/iptables/nat.go @@ -0,0 +1,83 @@ +// Copyright 2019 The gVisor Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package iptables + +import ( + "fmt" + "net" +) + +const ( + redirectPort = 42 +) + +func init() { + RegisterTestCase(FilterNATRedirectUDPPort{}) + RegisterTestCase(FilterNATDropUDP{}) +} + +// FilterInputRedirectUDPPort tests that packets are redirected to different port. +type FilterNATRedirectUDPPort struct{} + +// Name implements TestCase.Name. +func (FilterNATRedirectUDPPort) Name() string { + return "FilterNATRedirectUDPPort" +} + +// ContainerAction implements TestCase.ContainerAction. +func (FilterNATRedirectUDPPort) ContainerAction(ip net.IP) error { + if err := filterTable("-t", "nat", "-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", "--to-ports", + fmt.Sprintf("%d", redirectPort)); err != nil { + return err + } + + if err := listenUDP(redirectPort, sendloopDuration); err != nil { + return fmt.Errorf("packets on port %d should be allowed, but encountered an error: %v", redirectPort, err) + } + + return nil +} + +// LocalAction implements TestCase.LocalAction. +func (FilterNATRedirectUDPPort) LocalAction(ip net.IP) error { + return sendUDPLoop(ip, acceptPort, sendloopDuration) +} + +// FilterNATDropUDP tests that packets are not received in ports other than redirect port. +type FilterNATDropUDP struct{} + +// Name implements TestCase.Name. +func (FilterNATDropUDP) Name() string { + return "FilterNATDropUDP" +} + +// ContainerAction implements TestCase.ContainerAction. +func (FilterNATDropUDP) ContainerAction(ip net.IP) error { + if err := filterTable("-t", "nat", "-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", "--to-ports", + fmt.Sprintf("%d", redirectPort)); err != nil { + return err + } + + if err := listenUDP(acceptPort, sendloopDuration); err == nil { + return fmt.Errorf("packets on port %d should have been redirected to port %d", acceptPort, redirectPort) + } + + return nil +} + +// LocalAction implements TestCase.LocalAction. +func (FilterNATDropUDP) LocalAction(ip net.IP) error { + return sendUDPLoop(ip, acceptPort, sendloopDuration) +} |