author | gVisor bot <gvisor-bot@google.com> | 2020-01-21 12:08:52 -0800 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2020-01-21 12:08:52 -0800 |
commit | 5f82f092e7c5df8be8f9f8bacfbc135792ff2f5e (patch) | |
tree | 7fba07b20cb84ab828c62ec690a1be6abb2c17cd /test/iptables | |
parent | 7e155a133bac499d7b1e4490ae6f0c08b28a4006 (diff) | |
parent | 95e9de31d20ee1c7262fe5870e10485a369e6497 (diff) |
Merge pull request #1558 from kevinGC:iptables-write-input-drop
PiperOrigin-RevId: 290793754
Diffstat (limited to 'test/iptables')
-rw-r--r-- | test/iptables/filter_input.go | 36 | ||||
-rw-r--r-- | test/iptables/iptables_test.go | 6 |
2 files changed, 40 insertions, 2 deletions
diff --git a/test/iptables/filter_input.go b/test/iptables/filter_input.go
index 4b8bbb093..03e4a1d72 100644
--- a/test/iptables/filter_input.go
+++ b/test/iptables/filter_input.go
@@ -28,11 +28,12 @@ const (
 )
 
 func init() {
-	RegisterTestCase(FilterInputDropUDP{})
-	RegisterTestCase(FilterInputDropUDPPort{})
+	RegisterTestCase(FilterInputDropAll{})
 	RegisterTestCase(FilterInputDropDifferentUDPPort{})
 	RegisterTestCase(FilterInputDropTCPDestPort{})
 	RegisterTestCase(FilterInputDropTCPSrcPort{})
+	RegisterTestCase(FilterInputDropUDPPort{})
+	RegisterTestCase(FilterInputDropUDP{})
 }
 
 // FilterInputDropUDP tests that we can drop UDP traffic.
@@ -186,3 +187,34 @@ func (FilterInputDropTCPSrcPort) LocalAction(ip net.IP) error {
 
 	return nil
 }
+
+// FilterInputDropAll tests that we can drop all traffic to the INPUT chain.
+type FilterInputDropAll struct{}
+
+// Name implements TestCase.Name.
+func (FilterInputDropAll) Name() string {
+	return "FilterInputDropAll"
+}
+
+// ContainerAction implements TestCase.ContainerAction.
+func (FilterInputDropAll) ContainerAction(ip net.IP) error {
+	if err := filterTable("-A", "INPUT", "-j", "DROP"); err != nil {
+		return err
+	}
+
+	// Listen for all packets on dropPort.
+	if err := listenUDP(dropPort, sendloopDuration); err == nil {
+		return fmt.Errorf("packets should have been dropped, but got a packet")
+	} else if netErr, ok := err.(net.Error); !ok || !netErr.Timeout() {
+		return fmt.Errorf("error reading: %v", err)
+	}
+
+	// At this point we know that reading timed out and never received a
+	// packet.
+	return nil
+}
+
+// LocalAction implements TestCase.LocalAction.
+func (FilterInputDropAll) LocalAction(ip net.IP) error {
+	return sendUDPLoop(ip, dropPort, sendloopDuration)
+}
diff --git a/test/iptables/iptables_test.go b/test/iptables/iptables_test.go
index d268ea9b4..1cda10365 100644
--- a/test/iptables/iptables_test.go
+++ b/test/iptables/iptables_test.go
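Review bot: The re-sorted registrations in init() end with `RegisterTestCase(FilterInputDropUDPPort{})` before `RegisterTestCase(FilterInputDropUDP{})`, which breaks the otherwise alphabetical order the reorder appears to establish, since "UDP" sorts before "UDPPort". If the intent is a sorted list, swap those two added lines. If registration order is instead meaningful to RegisterTestCase, nothing in the hunk shows why it changed, and a one-line comment on init() saying so would spare the next reader the same question.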
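Review bot: ContainerAction in the new FilterInputDropAll treats a read timeout from `listenUDP(dropPort, sendloopDuration)` as proof that the `-A INPUT -j DROP` rule worked, but the same timeout occurs if the peer's `sendUDPLoop` never reaches the container at all, so the test can pass without the rule ever being exercised. A stronger check would confirm that traffic actually hit the rule, for example by reading the INPUT chain's packet counters (`iptables -vnL INPUT`) after the timeout and failing if the DROP rule counted zero packets, assuming the netstack implementation under test maintains counters, which this hunk does not show. The type comment promises dropping "all traffic to the INPUT chain", yet only a UDP probe to dropPort is sent; a TCP probe like the existing FilterInputDropTCP* cases would back that claim. The DROP rule is never removed, which is only safe if every case runs in a fresh container as the `singleTest` wrapper suggests; a comment on ContainerAction stating that assumption would help, e.g. `// The rule is never removed; each test case runs in its own container.`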
@@ -178,6 +178,12 @@ func TestFilterInputDropDifferentUDPPort(t *testing.T) {
 	}
 }
 
+func TestFilterInputDropAll(t *testing.T) {
+	if err := singleTest(FilterInputDropAll{}); err != nil {
+		t.Fatal(err)
+	}
+}
+
 func TestNATRedirectUDPPort(t *testing.T) {
 	if err := singleTest(NATRedirectUDPPort{}); err != nil {
 		t.Fatal(err) |