authorKevin Krakauer <krakauer@google.com>2020-01-08 12:48:17 -0800
committerKevin Krakauer <krakauer@google.com>2020-01-08 12:48:17 -0800
commit447f64c561e6b5893c1bbae7d641187b7aca64ac (patch)
treecdc877258620e3e23ba1fc20b415981d382e9e4b /test/iptables
parent7cebd77806d164a3baec52eaeb05662e8c404967 (diff)
Added test for unconditional DROP on the filter INPUT chain
Diffstat (limited to 'test/iptables')
-rw-r--r--test/iptables/filter_input.go32
-rw-r--r--test/iptables/iptables_test.go6
2 files changed, 38 insertions, 0 deletions
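--- a/test/iptables/filter_input.go
+++ b/test/iptables/filter_input.go
@@ -31,6 +31,7 @@ func init() {
 RegisterTestCase(FilterInputDropUDP{})
 RegisterTestCase(FilterInputDropUDPPort{})
 RegisterTestCase(FilterInputDropDifferentUDPPort{})
+ RegisterTestCase(FilterInputDropAll{})
 }
 // FilterInputDropUDP tests that we can drop UDP traffic.
@@ -122,3 +123,34 @@ func (FilterInputDropDifferentUDPPort) ContainerAction(ip net.IP) error {
 func (FilterInputDropDifferentUDPPort) LocalAction(ip net.IP) error {
 return sendUDPLoop(ip, acceptPort, sendloopDuration)
 }
+
+// FilterInputDropAll tests that we can drop all traffic to the INPUT chain.
+type FilterInputDropAll struct{}
+
+// Name implements TestCase.Name.
+func (FilterInputDropAll) Name() string {
+ return "FilterInputDropAll"
+}
+
+// ContainerAction implements TestCase.ContainerAction.
+func (FilterInputDropAll) ContainerAction(ip net.IP) error {
+ if err := filterTable("-A", "INPUT", "-j", "DROP"); err != nil {
+ return err
+ }
+
+ // Listen for All packets on dropPort.
+ if err := listenUDP(dropPort, sendloopDuration); err == nil {
+ return fmt.Errorf("packets should have been dropped, but got a packet")
+ } else if netErr, ok := err.(net.Error); !ok || !netErr.Timeout() {
+ return fmt.Errorf("error reading: %v", err)
+ }
+
+ // At this point we know that reading timed out and never received a
+ // packet.
+ return nil
+}
+
+// LocalAction implements TestCase.LocalAction.
+func (FilterInputDropAll) LocalAction(ip net.IP) error {
+ return sendUDPLoop(ip, dropPort, sendloopDuration)
+}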
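Review bot: FilterInputDropAll.ContainerAction treats a read timeout from listenUDP as proof that the DROP rule worked, but the same timeout occurs if LocalAction's sendUDPLoop never delivers anything (sender failure, wrong address), so this negative test cannot tell a working rule from a broken sender and passes vacuously in that case. A comment above the listenUDP call should state the limitation explicitly: `// A timeout only proves nothing arrived; it relies on LocalAction actually sending to dropPort.` The comment `// Listen for All packets on dropPort.` capitalizes "All" mid-sentence and would read better as `// Listen for any packets on dropPort.`. The `fmt.Errorf("packets should have been dropped, but got a packet")` call has no format verbs and could be `errors.New(...)` if the file imports errors.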
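--- a/test/iptables/iptables_test.go
+++ b/test/iptables/iptables_test.go
@@ -177,3 +177,9 @@ func TestFilterInputDropDifferentUDPPort(t *testing.T) {
 t.Fatal(err)
 }
 }
+
+func TestFilterInputDropAll(t *testing.T) {
+ if err := singleTest(FilterInputDropAll{}); err != nil {
+ t.Fatal(err)
+ }
+}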