authorNayana Bidari <nybidari@google.com>2020-01-09 15:38:28 -0800
committerNayana Bidari <nybidari@google.com>2020-01-09 15:38:28 -0800
commit04abc9cf558930472605bf740a4333d6fafe5930 (patch)
treed65f2f37959f772a416ae75ebd0d269050fc9f8d /test/iptables
parent6cc8e2d814f99439e01c308e16f6631d75578ec0 (diff)
Add test for redirect port
Fix the indentation and print statements. Moved the NAT redirect tests to a new file. Added a negative test to check the redirect rule on ports other than the redirected port.
Diffstat (limited to 'test/iptables')
-rw-r--r--test/iptables/BUILD1
-rw-r--r--test/iptables/filter_input.go28
-rw-r--r--test/iptables/iptables_test.go9
-rw-r--r--test/iptables/nat.go83
4 files changed, 91 insertions, 30 deletions
diff --git a/test/iptables/BUILD b/test/iptables/BUILD
index fa833c3b2..68eed721e 100644
--- a/test/iptables/BUILD
+++ b/test/iptables/BUILD
@@ -8,6 +8,7 @@ go_library(
"filter_input.go",
"iptables.go",
"iptables_util.go",
+ "nat.go",
],
importpath = "gvisor.dev/gvisor/test/iptables",
visibility = ["//test/iptables:__subpackages__"],
diff --git a/test/iptables/filter_input.go b/test/iptables/filter_input.go
index 41bb85369..923f44e68 100644
--- a/test/iptables/filter_input.go
+++ b/test/iptables/filter_input.go
@@ -23,7 +23,6 @@ import (
const (
dropPort = 2401
acceptPort = 2402
- redirectPort = 42
sendloopDuration = 2 * time.Second
network = "udp4"
)
@@ -32,7 +31,6 @@ func init() {
RegisterTestCase(FilterInputDropUDP{})
RegisterTestCase(FilterInputDropUDPPort{})
RegisterTestCase(FilterInputDropDifferentUDPPort{})
- RegisterTestCase(FilterInputRedirectUDPPort{})
}
// FilterInputDropUDP tests that we can drop UDP traffic.
@@ -124,29 +122,3 @@ func (FilterInputDropDifferentUDPPort) ContainerAction(ip net.IP) error {
func (FilterInputDropDifferentUDPPort) LocalAction(ip net.IP) error {
return sendUDPLoop(ip, acceptPort, sendloopDuration)
}
-
-// FilterInputRedirectUDPPort tests that packets are redirected to different port.
-type FilterInputRedirectUDPPort struct{}
-
-// Name implements TestCase.Name.
-func (FilterInputRedirectUDPPort) Name() string {
- return "FilterInputRedirectUDPPort"
-}
-
-// ContainerAction implements TestCase.ContainerAction.
-func (FilterInputRedirectUDPPort) ContainerAction(ip net.IP) error {
- if err := filterTable("-t", "nat", "-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", redirectPort)); err != nil {
- return err
- }
-
- if err := listenUDP(redirectPort, sendloopDuration); err != nil {
- return fmt.Errorf("packets on port %d should be allowed, but encountered an error: %v", acceptPort, redirectPort, err)
- }
-
- return nil
-}
-
-// LocalAction implements TestCase.LocalAction.
-func (FilterInputRedirectUDPPort) LocalAction(ip net.IP) error {
- return sendUDPLoop(ip, acceptPort, sendloopDuration)
-}
diff --git a/test/iptables/iptables_test.go b/test/iptables/iptables_test.go
index d57ddc0fe..fce9247aa 100644
--- a/test/iptables/iptables_test.go
+++ b/test/iptables/iptables_test.go
@@ -178,9 +178,14 @@ func TestFilterInputDropDifferentUDPPort(t *testing.T) {
}
}
-func TestFilterInputRedirectUDPPort(t *testing.T) {
- if err := singleTest(FilterInputRedirectUDPPort{}); err != nil {
+func TestFilterNATRedirectUDPPort(t *testing.T) {
+ if err := singleTest(FilterNATRedirectUDPPort{}); err != nil {
t.Fatal(err)
}
}
+func TestFilterNATDropUDP(t *testing.T) {
+ if err := singleTest(FilterNATDropUDP{}); err != nil {
+ t.Fatal(err)
+ }
+}
diff --git a/test/iptables/nat.go b/test/iptables/nat.go
new file mode 100644
index 000000000..6deabf217
--- /dev/null
+++ b/test/iptables/nat.go
@@ -0,0 +1,83 @@
+// Copyright 2019 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package iptables
+
+import (
+ "fmt"
+ "net"
+)
+
+const (
+ redirectPort = 42
+)
+
+func init() {
+ RegisterTestCase(FilterNATRedirectUDPPort{})
+ RegisterTestCase(FilterNATDropUDP{})
+}
+
+// FilterInputRedirectUDPPort tests that packets are redirected to different port.
+type FilterNATRedirectUDPPort struct{}
+
+// Name implements TestCase.Name.
+func (FilterNATRedirectUDPPort) Name() string {
+ return "FilterNATRedirectUDPPort"
+}
+
+// ContainerAction implements TestCase.ContainerAction.
+func (FilterNATRedirectUDPPort) ContainerAction(ip net.IP) error {
+ if err := filterTable("-t", "nat", "-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", "--to-ports",
+ fmt.Sprintf("%d", redirectPort)); err != nil {
+ return err
+ }
+
+ if err := listenUDP(redirectPort, sendloopDuration); err != nil {
+ return fmt.Errorf("packets on port %d should be allowed, but encountered an error: %v", redirectPort, err)
+ }
+
+ return nil
+}
+
+// LocalAction implements TestCase.LocalAction.
+func (FilterNATRedirectUDPPort) LocalAction(ip net.IP) error {
+ return sendUDPLoop(ip, acceptPort, sendloopDuration)
+}
+
+// FilterNATDropUDP tests that packets are not received in ports other than redirect port.
+type FilterNATDropUDP struct{}
+
+// Name implements TestCase.Name.
+func (FilterNATDropUDP) Name() string {
+ return "FilterNATDropUDP"
+}
+
+// ContainerAction implements TestCase.ContainerAction.
+func (FilterNATDropUDP) ContainerAction(ip net.IP) error {
+ if err := filterTable("-t", "nat", "-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", "--to-ports",
+ fmt.Sprintf("%d", redirectPort)); err != nil {
+ return err
+ }
+
+ if err := listenUDP(acceptPort, sendloopDuration); err == nil {
+ return fmt.Errorf("packets on port %d should have been redirected to port %d", acceptPort, redirectPort)
+ }
+
+ return nil
+}
+
+// LocalAction implements TestCase.LocalAction.
+func (FilterNATDropUDP) LocalAction(ip net.IP) error {
+ return sendUDPLoop(ip, acceptPort, sendloopDuration)
+}
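Review bot: The negative check in `FilterNATDropUDP.ContainerAction` treats every non-nil error from `listenUDP(acceptPort, sendloopDuration)` as proof of redirection, so a bind failure or other setup error would let the test pass without the REDIRECT rule having been exercised. `listenUDP` is not visible in this diff; if it returns the read error unwrapped, the check could require a timeout instead, e.g. `if nerr, ok := err.(net.Error); !ok || !nerr.Timeout() { return fmt.Errorf("expected a read timeout on port %d, got: %v", acceptPort, err) }`. The doc comment above `type FilterNATRedirectUDPPort` still names the old type and should read `// FilterNATRedirectUDPPort tests that packets are redirected to a different port.` Both ContainerActions also pass `-t nat` through a helper named `filterTable`, so it is worth confirming that the helper does not prepend its own table argument.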