authorgVisor bot <gvisor-bot@google.com>2020-01-23 14:48:39 -0800
committergVisor bot <gvisor-bot@google.com>2020-01-23 14:48:39 -0800
commit3d10edc9423789342047f8fcf3b6054bb71ea392 (patch)
tree20cdcf677ae33aa7bd5447734d586103bb6aad57 /test/iptables
parent14d2ed1ad7785a54b35ef7ee949d3cf89a87e66d (diff)
parent747137c120bca27aeb259817d30ef60e01521621 (diff)
Merge pull request #1617 from kevinGC:iptables-write-filter-proto
PiperOrigin-RevId: 291249314
Diffstat (limited to 'test/iptables')
-rw-r--r--test/iptables/BUILD4
-rw-r--r--test/iptables/filter_input.go30
-rw-r--r--test/iptables/iptables_test.go8
-rw-r--r--test/iptables/iptables_util.go39
-rw-r--r--test/iptables/runner/BUILD1
5 files changed, 60 insertions, 22 deletions
diff --git a/test/iptables/BUILD b/test/iptables/BUILD
index 372ba7abf..22f470092 100644
--- a/test/iptables/BUILD
+++ b/test/iptables/BUILD
@@ -4,6 +4,7 @@ package(licenses = ["notice"])
go_library(
name = "iptables",
+ testonly = 1,
srcs = [
"filter_input.go",
"filter_output.go",
@@ -13,6 +14,9 @@ go_library(
],
importpath = "gvisor.dev/gvisor/test/iptables",
visibility = ["//test/iptables:__subpackages__"],
+ deps = [
+ "//runsc/testutil",
+ ],
)
go_test(
diff --git a/test/iptables/filter_input.go b/test/iptables/filter_input.go
index 03e4a1d72..fd02ff2ff 100644
--- a/test/iptables/filter_input.go
+++ b/test/iptables/filter_input.go
@@ -30,6 +30,7 @@ const (
func init() {
RegisterTestCase(FilterInputDropAll{})
RegisterTestCase(FilterInputDropDifferentUDPPort{})
+ RegisterTestCase(FilterInputDropOnlyUDP{})
RegisterTestCase(FilterInputDropTCPDestPort{})
RegisterTestCase(FilterInputDropTCPSrcPort{})
RegisterTestCase(FilterInputDropUDPPort{})
@@ -67,6 +68,35 @@ func (FilterInputDropUDP) LocalAction(ip net.IP) error {
return sendUDPLoop(ip, dropPort, sendloopDuration)
}
+// FilterInputDropOnlyUDP tests that "-p udp -j DROP" only affects UDP traffic.
+type FilterInputDropOnlyUDP struct{}
+
+// Name implements TestCase.Name.
+func (FilterInputDropOnlyUDP) Name() string {
+ return "FilterInputDropOnlyUDP"
+}
+
+// ContainerAction implements TestCase.ContainerAction.
+func (FilterInputDropOnlyUDP) ContainerAction(ip net.IP) error {
+ if err := filterTable("-A", "INPUT", "-p", "udp", "-j", "DROP"); err != nil {
+ return err
+ }
+
+ // Listen for a TCP connection, which should be allowed.
+ if err := listenTCP(acceptPort, sendloopDuration); err != nil {
+ return fmt.Errorf("failed to establish a connection %v", err)
+ }
+
+ return nil
+}
+
+// LocalAction implements TestCase.LocalAction.
+func (FilterInputDropOnlyUDP) LocalAction(ip net.IP) error {
+ // Try to establish a TCP connection with the container, which should
+ // succeed.
+ return connectTCP(ip, acceptPort, dropPort, sendloopDuration)
+}
+
// FilterInputDropUDPPort tests that we can drop UDP traffic by port.
type FilterInputDropUDPPort struct{}
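Review bot: ContainerAction only checks that TCP is still accepted after `-p udp -j DROP` is installed, so a rule that matched no traffic at all would also pass; the "only affects UDP" claim in the type comment is not fully exercised unless a UDP probe that is expected to be dropped runs alongside the TCP check, as the sibling FilterInputDropUDP case appears to do with sendUDPLoop. The error wrapping on the listenTCP failure lacks a separator and the port that was listened on, which is what a failing run needs first: `return fmt.Errorf("listening for TCP on port %d: %v", acceptPort, err)`. The ip parameter of ContainerAction is unused, which is fine for the TestCase interface but worth a one-line note such as `// ip is unused: the container only needs to install the rule and listen.`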
diff --git a/test/iptables/iptables_test.go b/test/iptables/iptables_test.go
index 1cda10365..679a29bef 100644
--- a/test/iptables/iptables_test.go
+++ b/test/iptables/iptables_test.go
@@ -15,6 +15,7 @@
package iptables
import (
+ "flag"
"fmt"
"net"
"os"
@@ -22,7 +23,6 @@ import (
"testing"
"time"
- "flag"
"gvisor.dev/gvisor/pkg/log"
"gvisor.dev/gvisor/runsc/dockerutil"
"gvisor.dev/gvisor/runsc/testutil"
@@ -184,6 +184,12 @@ func TestFilterInputDropAll(t *testing.T) {
}
}
+func TestFilterInputDropOnlyUDP(t *testing.T) {
+ if err := singleTest(FilterInputDropOnlyUDP{}); err != nil {
+ t.Fatal(err)
+ }
+}
+
func TestNATRedirectUDPPort(t *testing.T) {
if err := singleTest(NATRedirectUDPPort{}); err != nil {
t.Fatal(err)
diff --git a/test/iptables/iptables_util.go b/test/iptables/iptables_util.go
index 1c4f4f665..043114c78 100644
--- a/test/iptables/iptables_util.go
+++ b/test/iptables/iptables_util.go
@@ -19,6 +19,8 @@ import (
"net"
"os/exec"
"time"
+
+ "gvisor.dev/gvisor/runsc/testutil"
)
const iptablesBinary = "iptables"
@@ -105,31 +107,26 @@ func listenTCP(port int, timeout time.Duration) error {
}
// connectTCP connects the TCP server over specified local port, server IP and remote/server port.
-func connectTCP(ip net.IP, remotePort, localPort int, duration time.Duration) error {
- remote := net.TCPAddr{
+func connectTCP(ip net.IP, remotePort, localPort int, timeout time.Duration) error {
+ contAddr := net.TCPAddr{
IP: ip,
Port: remotePort,
}
-
- local := net.TCPAddr{
- Port: localPort,
- }
-
- // Container may not be up. Retry DialTCP over a duration.
- to := time.After(duration)
- for {
- conn, err := net.DialTCP("tcp4", &local, &remote)
- if err == nil {
- conn.Close()
- return nil
+ // The container may not be listening when we first connect, so retry
+ // upon error.
+ callback := func() error {
+ localAddr := net.TCPAddr{
+ Port: localPort,
}
- select {
- // Timed out waiting for connection to be accepted.
- case <-to:
- return err
- default:
- time.Sleep(200 * time.Millisecond)
+ conn, err := net.DialTCP("tcp4", &localAddr, &contAddr)
+ if conn != nil {
+ conn.Close()
}
+ return err
}
- return fmt.Errorf("Failed to establish connection on port %d", localPort)
+ if err := testutil.Poll(callback, timeout); err != nil {
+ return fmt.Errorf("timed out waiting to send IP, most recent error: %v", err)
+ }
+
+ return nil
}
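Review bot: The error returned after the poll says "timed out waiting to send IP", which does not describe what connectTCP does (it dials a TCP server) and omits every address involved, so a timeout gives no clue whether the wrong container IP, port or local port was used; suggest `return fmt.Errorf("timed out connecting to %v:%d from local port %d, most recent error: %v", ip, remotePort, localPort, err)`. The doc comment on the context line above the signature was not updated with the rewrite and still reads "connects the TCP server over specified local port"; propose `// connectTCP dials the TCP server at ip:remotePort from localPort, retrying on error until timeout elapses.` Because the callback binds the same local port on every attempt, a retry right after a failed dial may presumably fail with an address-in-use error until the previous socket is released; that is inferred rather than visible, since testutil.Poll's retry interval is not shown in this hunk.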
diff --git a/test/iptables/runner/BUILD b/test/iptables/runner/BUILD
index c6c42d870..a5b6f082c 100644
--- a/test/iptables/runner/BUILD
+++ b/test/iptables/runner/BUILD
@@ -10,6 +10,7 @@ container_image(
go_image(
name = "runner",
+ testonly = 1,
srcs = ["main.go"],
base = ":iptables-base",
deps = ["//test/iptables"],