authorNayana Bidari <nybidari@google.com>2020-02-18 11:30:42 -0800
committerNayana Bidari <nybidari@google.com>2020-02-18 11:30:42 -0800
commitb30b7f3422202232ad1c385a7ac0d775151fee2f (patch)
tree3b8de1ccfc8e6abbe7ccb5e35b3fc5832acad0ca /test/iptables
parentfae3de21af7f50266565643c6283912b087b0f5a (diff)
Add nat table support for iptables.
Add nat table support for the Prerouting hook with the Redirect option. Add tests that check port redirection.
Diffstat (limited to 'test/iptables')
-rw-r--r--test/iptables/iptables_test.go12
-rw-r--r--test/iptables/iptables_util.go10
-rw-r--r--test/iptables/nat.go64
3 files changed, 84 insertions, 2 deletions
diff --git a/test/iptables/iptables_test.go b/test/iptables/iptables_test.go
index 46a7c99b0..7d061acba 100644
--- a/test/iptables/iptables_test.go
+++ b/test/iptables/iptables_test.go
@@ -196,12 +196,24 @@ func TestNATRedirectUDPPort(t *testing.T) {
}
}
+func TestNATRedirectTCPPort(t *testing.T) {
+ if err := singleTest(NATRedirectTCPPort{}); err != nil {
+ t.Fatal(err)
+ }
+}
+
func TestNATDropUDP(t *testing.T) {
if err := singleTest(NATDropUDP{}); err != nil {
t.Fatal(err)
}
}
+func TestNATAcceptAll(t *testing.T) {
+ if err := singleTest(NATAcceptAll{}); err != nil {
+ t.Fatal(err)
+ }
+}
+
func TestFilterInputDropTCPDestPort(t *testing.T) {
if err := singleTest(FilterInputDropTCPDestPort{}); err != nil {
t.Fatal(err)
diff --git a/test/iptables/iptables_util.go b/test/iptables/iptables_util.go
index 043114c78..5c9199abf 100644
--- a/test/iptables/iptables_util.go
+++ b/test/iptables/iptables_util.go
@@ -35,6 +35,16 @@ func filterTable(args ...string) error {
return nil
}
+// natTable calls `iptables -t nat` with the given args.
+func natTable(args ...string) error {
+ args = append([]string{"-t", "nat"}, args...)
+ cmd := exec.Command(iptablesBinary, args...)
+ if out, err := cmd.CombinedOutput(); err != nil {
+ return fmt.Errorf("error running iptables with args %v\nerror: %v\noutput: %s", args, err, string(out))
+ }
+ return nil
+}
+
// listenUDP listens on a UDP port and returns the value of net.Conn.Read() for
// the first read on that port.
func listenUDP(port int, timeout time.Duration) error {
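Review bot: natTable repeats the exec.Command/CombinedOutput/error-format sequence rather than sharing it with filterTable, whose body ends before this hunk, so the two wrappers can drift apart over time; a shared helper taking the table name (`func runIptables(table string, args ...string) error`) with `filterTable` and `natTable` as one-line wrappers would keep them consistent, assuming filterTable's body is the same pattern. Within the new body, `string(out)` is redundant because `%s` already formats a `[]byte`, and the underlying error is more useful to callers when wrapped: `return fmt.Errorf("running iptables with args %v: %w\noutput: %s", args, err, out)`. The `%w` verb needs Go 1.13 or later, which the module's go directive (not visible here) would have to allow.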
diff --git a/test/iptables/nat.go b/test/iptables/nat.go
index b5c6f927e..306cbd1b3 100644
--- a/test/iptables/nat.go
+++ b/test/iptables/nat.go
@@ -25,7 +25,9 @@ const (
func init() {
RegisterTestCase(NATRedirectUDPPort{})
+ RegisterTestCase(NATRedirectTCPPort{})
RegisterTestCase(NATDropUDP{})
+ RegisterTestCase(NATAcceptAll{})
}
// NATRedirectUDPPort tests that packets are redirected to different port.
@@ -38,13 +40,14 @@ func (NATRedirectUDPPort) Name() string {
// ContainerAction implements TestCase.ContainerAction.
func (NATRedirectUDPPort) ContainerAction(ip net.IP) error {
- if err := filterTable("-t", "nat", "-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", redirectPort)); err != nil {
+ if err := natTable("-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", redirectPort)); err != nil {
return err
}
if err := listenUDP(redirectPort, sendloopDuration); err != nil {
return fmt.Errorf("packets on port %d should be allowed, but encountered an error: %v", redirectPort, err)
}
+
return nil
}
@@ -53,6 +56,37 @@ func (NATRedirectUDPPort) LocalAction(ip net.IP) error {
return sendUDPLoop(ip, acceptPort, sendloopDuration)
}
+// NATRedirectTCPPort tests that connections are redirected on specified ports.
+type NATRedirectTCPPort struct{}
+
+// Name implements TestCase.Name.
+func (NATRedirectTCPPort) Name() string {
+ return "NATRedirectTCPPort"
+}
+
+// ContainerAction implements TestCase.ContainerAction.
+func (NATRedirectTCPPort) ContainerAction(ip net.IP) error {
+ if err := natTable("-A", "PREROUTING", "-p", "tcp", "-m", "tcp", "--dport", fmt.Sprintf("%d", dropPort), "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", redirectPort)); err != nil {
+ return err
+ }
+
+ // Listen for TCP packets on redirect port.
+ if err := listenTCP(redirectPort, sendloopDuration); err != nil {
+ return fmt.Errorf("connection on port %d should be accepted, but got error %v", redirectPort, err)
+ }
+
+ return nil
+}
+
+// LocalAction implements TestCase.LocalAction.
+func (NATRedirectTCPPort) LocalAction(ip net.IP) error {
+ if err := connectTCP(ip, dropPort, acceptPort, sendloopDuration); err != nil {
+ return fmt.Errorf("connection destined to port %d should be accepted, but got error %v", dropPort, err)
+ }
+
+ return nil
+}
+
// NATDropUDP tests that packets are not received in ports other than redirect port.
type NATDropUDP struct{}
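Review bot: The doc comment on NATRedirectTCPPort says only that connections are redirected "on specified ports", while its ContainerAction installs a rule that matches `--dport dropPort` and rewrites to `redirectPort`; naming both ports makes the role of the two constants clear, e.g. `// NATRedirectTCPPort tests that TCP connections destined to dropPort are redirected to redirectPort and accepted there.` The inline comment `// Listen for TCP packets on redirect port.` could likewise say connections rather than packets, since listenTCP (defined outside this hunk) presumably accepts a connection rather than reading datagrams. In both error paths `%v` could be `%w` so a caller can inspect the listenTCP or connectTCP error, if the module's Go version allows it.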
@@ -63,7 +97,7 @@ func (NATDropUDP) Name() string {
// ContainerAction implements TestCase.ContainerAction.
func (NATDropUDP) ContainerAction(ip net.IP) error {
- if err := filterTable("-t", "nat", "-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", redirectPort)); err != nil {
+ if err := natTable("-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", redirectPort)); err != nil {
return err
}
@@ -78,3 +112,29 @@ func (NATDropUDP) ContainerAction(ip net.IP) error {
func (NATDropUDP) LocalAction(ip net.IP) error {
return sendUDPLoop(ip, acceptPort, sendloopDuration)
}
+
+// NATAcceptAll tests that all UDP packets are accepted.
+type NATAcceptAll struct{}
+
+// Name implements TestCase.Name.
+func (NATAcceptAll) Name() string {
+ return "NATAcceptAll"
+}
+
+// ContainerAction implements TestCase.ContainerAction.
+func (NATAcceptAll) ContainerAction(ip net.IP) error {
+ if err := natTable("-A", "PREROUTING", "-p", "udp", "-j", "ACCEPT"); err != nil {
+ return err
+ }
+
+ if err := listenUDP(acceptPort, sendloopDuration); err != nil {
+ return fmt.Errorf("packets on port %d should be allowed, but encountered an error: %v", acceptPort, err)
+ }
+
+ return nil
+}
+
+// LocalAction implements TestCase.LocalAction.
+func (NATAcceptAll) LocalAction(ip net.IP) error {
+ return sendUDPLoop(ip, acceptPort, sendloopDuration)
+}
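Review bot: NATAcceptAll cannot fail if the ACCEPT rule is silently ignored: with no nat rule installed at all, UDP packets to acceptPort would reach listenUDP just the same, so the test only shows that adding a `-p udp -j ACCEPT` rule to nat PREROUTING does not break delivery. The doc comment `// NATAcceptAll tests that all UDP packets are accepted.` overstates this; `// NATAcceptAll tests that a nat PREROUTING ACCEPT rule installs cleanly and does not interfere with UDP delivery to acceptPort.` states what ContainerAction actually checks. If the intent is to verify that ACCEPT ends nat rule traversal, a subsequent REDIRECT rule that must not take effect would give the test a discriminating condition, but that is a separate change.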