authorgVisor bot <gvisor-bot@google.com>2020-01-21 12:08:52 -0800
committergVisor bot <gvisor-bot@google.com>2020-01-21 12:08:52 -0800
commit5f82f092e7c5df8be8f9f8bacfbc135792ff2f5e (patch)
tree7fba07b20cb84ab828c62ec690a1be6abb2c17cd /test/iptables
parent7e155a133bac499d7b1e4490ae6f0c08b28a4006 (diff)
parent95e9de31d20ee1c7262fe5870e10485a369e6497 (diff)
Merge pull request #1558 from kevinGC:iptables-write-input-drop
PiperOrigin-RevId: 290793754
Diffstat (limited to 'test/iptables')
-rw-r--r--test/iptables/filter_input.go36
-rw-r--r--test/iptables/iptables_test.go6
2 files changed, 40 insertions, 2 deletions
diff --git a/test/iptables/filter_input.go b/test/iptables/filter_input.go
index 4b8bbb093..03e4a1d72 100644
--- a/test/iptables/filter_input.go
+++ b/test/iptables/filter_input.go
@@ -28,11 +28,12 @@ const (
)
func init() {
- RegisterTestCase(FilterInputDropUDP{})
- RegisterTestCase(FilterInputDropUDPPort{})
+ RegisterTestCase(FilterInputDropAll{})
RegisterTestCase(FilterInputDropDifferentUDPPort{})
RegisterTestCase(FilterInputDropTCPDestPort{})
RegisterTestCase(FilterInputDropTCPSrcPort{})
+ RegisterTestCase(FilterInputDropUDPPort{})
+ RegisterTestCase(FilterInputDropUDP{})
}
// FilterInputDropUDP tests that we can drop UDP traffic.
@@ -186,3 +187,34 @@ func (FilterInputDropTCPSrcPort) LocalAction(ip net.IP) error {
return nil
}
+
+// FilterInputDropAll tests that we can drop all traffic to the INPUT chain.
+type FilterInputDropAll struct{}
+
+// Name implements TestCase.Name.
+func (FilterInputDropAll) Name() string {
+ return "FilterInputDropAll"
+}
+
+// ContainerAction implements TestCase.ContainerAction.
+func (FilterInputDropAll) ContainerAction(ip net.IP) error {
+ if err := filterTable("-A", "INPUT", "-j", "DROP"); err != nil {
+ return err
+ }
+
+ // Listen for all packets on dropPort.
+ if err := listenUDP(dropPort, sendloopDuration); err == nil {
+ return fmt.Errorf("packets should have been dropped, but got a packet")
+ } else if netErr, ok := err.(net.Error); !ok || !netErr.Timeout() {
+ return fmt.Errorf("error reading: %v", err)
+ }
+
+ // At this point we know that reading timed out and never received a
+ // packet.
+ return nil
+}
+
+// LocalAction implements TestCase.LocalAction.
+func (FilterInputDropAll) LocalAction(ip net.IP) error {
+ return sendUDPLoop(ip, dropPort, sendloopDuration)
+}
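Review bot: FilterInputDropAll.ContainerAction installs an unconditional `-A INPUT -j DROP` rule but then only verifies that UDP to dropPort is not delivered, so the test proves less than its doc comment ("drop all traffic to the INPUT chain") claims; either note the narrower check in the type comment, e.g. `// FilterInputDropAll tests that an unconditional DROP on INPUT discards (UDP) traffic; only a UDP probe to dropPort is verified.`, or add a second probe (a TCP connect that must fail) to cover a second protocol. The listen/timeout branch could also be flattened to avoid the `else if` after a `return`: `err := listenUDP(dropPort, sendloopDuration)`, `if err == nil { return fmt.Errorf("packets should have been dropped, but got a packet") }`, `if netErr, ok := err.(net.Error); !ok || !netErr.Timeout() { return fmt.Errorf("error reading: %v", err) }`. The ip argument is unused in ContainerAction, which appears to match the sibling cases, so a `_` receiver-side comment such as `// ip is unused: the container only listens.` would make that intentional.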
diff --git a/test/iptables/iptables_test.go b/test/iptables/iptables_test.go
index d268ea9b4..1cda10365 100644
--- a/test/iptables/iptables_test.go
+++ b/test/iptables/iptables_test.go
@@ -178,6 +178,12 @@ func TestFilterInputDropDifferentUDPPort(t *testing.T) {
}
}
+func TestFilterInputDropAll(t *testing.T) {
+ if err := singleTest(FilterInputDropAll{}); err != nil {
+ t.Fatal(err)
+ }
+}
+
func TestNATRedirectUDPPort(t *testing.T) {
if err := singleTest(NATRedirectUDPPort{}); err != nil {
t.Fatal(err)