authorKevin Krakauer <krakauer@google.com>2021-02-17 09:59:54 -0800
committergVisor bot <gvisor-bot@google.com>2021-02-17 10:02:02 -0800
commit2f35fa14abe546b58c72312fbd23ad3f0b7a193f (patch)
tree75c0a29d8dd6e62a59ef0ad96306440ac9ee4756 /test/iptables
parent3ef012944d32313cee4df244585f48e8d4fd8e9e (diff)
Deflake //test/iptables:iptables_test
We were opening dual-stack sockets, but tests only set iptables rules for a single network protocol. Thus, packets (probably sent by previous tests) could sneak in and break tests. Tested with: bazel test ///test/iptables:iptables_test --test_arg=--runtime=runsc --nocache_test_results --test_output=errors --runs_per_test=1000 --test_filter=TestFilterInputDropUDP PiperOrigin-RevId: 357972385
Diffstat (limited to 'test/iptables')
-rw-r--r--test/iptables/filter_input.go96
-rw-r--r--test/iptables/filter_output.go76
-rw-r--r--test/iptables/iptables_util.go32
-rw-r--r--test/iptables/nat.go58
4 files changed, 139 insertions, 123 deletions
diff --git a/test/iptables/filter_input.go b/test/iptables/filter_input.go
index 0f656513e..4739bc06f 100644
--- a/test/iptables/filter_input.go
+++ b/test/iptables/filter_input.go
@@ -78,7 +78,7 @@ func (*FilterInputDropUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6
// Listen for UDP packets on dropPort.
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := listenUDP(timedCtx, dropPort); err == nil {
+ if err := listenUDP(timedCtx, dropPort, ipv6); err == nil {
return fmt.Errorf("packets on port %d should have been dropped, but got a packet", dropPort)
} else if !errors.Is(err, context.DeadlineExceeded) {
return fmt.Errorf("error reading: %v", err)
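Review bot: The negative assertion around the new listenUDP call still assumes no other test case sent to dropPort on the same stack shortly before, since dropPort appears to be a package-level constant reused by every case in these files; passing ipv6 closes the cross-stack leak described in the commit message but not a same-stack one. That assumption is worth recording where it lives, e.g. `// NOTE: dropPort is shared across test cases; a late datagram from an earlier same-stack test is indistinguishable from a rule failure here.` The same applies to every listen-with-NegativeTimeout hunk in filter_input.go and filter_output.go. ContainerAction's body begins before this hunk.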
@@ -91,7 +91,7 @@ func (*FilterInputDropUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6
// LocalAction implements TestCase.LocalAction.
func (*FilterInputDropUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, dropPort)
+ return sendUDPLoop(ctx, ip, dropPort, ipv6)
}
// FilterInputDropOnlyUDP tests that "-p udp -j DROP" only affects UDP traffic.
@@ -111,7 +111,7 @@ func (*FilterInputDropOnlyUDP) ContainerAction(ctx context.Context, ip net.IP, i
}
// Listen for a TCP connection, which should be allowed.
- if err := listenTCP(ctx, acceptPort); err != nil {
+ if err := listenTCP(ctx, acceptPort, ipv6); err != nil {
return fmt.Errorf("failed to establish a connection %v", err)
}
@@ -122,7 +122,7 @@ func (*FilterInputDropOnlyUDP) ContainerAction(ctx context.Context, ip net.IP, i
func (*FilterInputDropOnlyUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
// Try to establish a TCP connection with the container, which should
// succeed.
- return connectTCP(ctx, ip, acceptPort)
+ return connectTCP(ctx, ip, acceptPort, ipv6)
}
// FilterInputDropUDPPort tests that we can drop UDP traffic by port.
@@ -144,7 +144,7 @@ func (*FilterInputDropUDPPort) ContainerAction(ctx context.Context, ip net.IP, i
// Listen for UDP packets on dropPort.
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := listenUDP(timedCtx, dropPort); err == nil {
+ if err := listenUDP(timedCtx, dropPort, ipv6); err == nil {
return fmt.Errorf("packets on port %d should have been dropped, but got a packet", dropPort)
} else if !errors.Is(err, context.DeadlineExceeded) {
return fmt.Errorf("error reading: %v", err)
@@ -157,7 +157,7 @@ func (*FilterInputDropUDPPort) ContainerAction(ctx context.Context, ip net.IP, i
// LocalAction implements TestCase.LocalAction.
func (*FilterInputDropUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, dropPort)
+ return sendUDPLoop(ctx, ip, dropPort, ipv6)
}
// FilterInputDropDifferentUDPPort tests that dropping traffic for a single UDP port
@@ -178,7 +178,7 @@ func (*FilterInputDropDifferentUDPPort) ContainerAction(ctx context.Context, ip
}
// Listen for UDP packets on another port.
- if err := listenUDP(ctx, acceptPort); err != nil {
+ if err := listenUDP(ctx, acceptPort, ipv6); err != nil {
return fmt.Errorf("packets on port %d should be allowed, but encountered an error: %v", acceptPort, err)
}
@@ -187,7 +187,7 @@ func (*FilterInputDropDifferentUDPPort) ContainerAction(ctx context.Context, ip
// LocalAction implements TestCase.LocalAction.
func (*FilterInputDropDifferentUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// FilterInputDropTCPDestPort tests that connections are not accepted on specified source ports.
@@ -209,7 +209,7 @@ func (*FilterInputDropTCPDestPort) ContainerAction(ctx context.Context, ip net.I
// Listen for TCP packets on drop port.
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := listenTCP(timedCtx, dropPort); err == nil {
+ if err := listenTCP(timedCtx, dropPort, ipv6); err == nil {
return fmt.Errorf("connection on port %d should not be accepted, but got accepted", dropPort)
} else if !errors.Is(err, context.DeadlineExceeded) {
return fmt.Errorf("error reading: %v", err)
@@ -223,7 +223,7 @@ func (*FilterInputDropTCPDestPort) LocalAction(ctx context.Context, ip net.IP, i
// Ensure we cannot connect to the container.
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := connectTCP(timedCtx, ip, dropPort); err == nil {
+ if err := connectTCP(timedCtx, ip, dropPort, ipv6); err == nil {
return fmt.Errorf("expected not to connect, but was able to connect on port %d", dropPort)
}
return nil
@@ -249,7 +249,7 @@ func (*FilterInputDropTCPSrcPort) ContainerAction(ctx context.Context, ip net.IP
// Listen for TCP packets on accept port.
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := listenTCP(timedCtx, acceptPort); err == nil {
+ if err := listenTCP(timedCtx, acceptPort, ipv6); err == nil {
return fmt.Errorf("connection destined to port %d should not be accepted, but was", dropPort)
} else if !errors.Is(err, context.DeadlineExceeded) {
return fmt.Errorf("error reading: %v", err)
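Review bot: The two sides of FilterInputDropTCPSrcPort disagree on the port: the new listenTCP call here listens on acceptPort while the LocalAction hunk below connects to dropPort, so if those are distinct constants (as their use elsewhere suggests) the "cannot connect" check passes with no rule installed at all, and each error message names the other constant. `if err := connectTCP(timedCtx, ip, acceptPort, ipv6); err == nil {` in LocalAction, with `acceptPort` in both messages, would make the case actually exercise the rule. FilterInputDefaultPolicyDrop has the same shape further down (listens on dropPort, sends to acceptPort); its default-DROP policy makes the port irrelevant for the drop, but a comment saying so would save the next reader the same question. Both enclosing functions start outside their hunks.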
@@ -263,7 +263,7 @@ func (*FilterInputDropTCPSrcPort) LocalAction(ctx context.Context, ip net.IP, ip
// Ensure we cannot connect to the container.
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := connectTCP(timedCtx, ip, dropPort); err == nil {
+ if err := connectTCP(timedCtx, ip, dropPort, ipv6); err == nil {
return fmt.Errorf("expected not to connect, but was able to connect on port %d", acceptPort)
}
return nil
@@ -288,7 +288,7 @@ func (*FilterInputDropAll) ContainerAction(ctx context.Context, ip net.IP, ipv6
// Listen for all packets on dropPort.
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := listenUDP(timedCtx, dropPort); err == nil {
+ if err := listenUDP(timedCtx, dropPort, ipv6); err == nil {
return fmt.Errorf("packets should have been dropped, but got a packet")
} else if !errors.Is(err, context.DeadlineExceeded) {
return fmt.Errorf("error reading: %v", err)
@@ -301,7 +301,7 @@ func (*FilterInputDropAll) ContainerAction(ctx context.Context, ip net.IP, ipv6
// LocalAction implements TestCase.LocalAction.
func (*FilterInputDropAll) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, dropPort)
+ return sendUDPLoop(ctx, ip, dropPort, ipv6)
}
// FilterInputMultiUDPRules verifies that multiple UDP rules are applied
@@ -401,12 +401,12 @@ func (*FilterInputDefaultPolicyAccept) ContainerAction(ctx context.Context, ip n
if err := filterTable(ipv6, "-P", "INPUT", "ACCEPT"); err != nil {
return err
}
- return listenUDP(ctx, acceptPort)
+ return listenUDP(ctx, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*FilterInputDefaultPolicyAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// FilterInputDefaultPolicyDrop tests the default DROP policy.
@@ -428,7 +428,7 @@ func (*FilterInputDefaultPolicyDrop) ContainerAction(ctx context.Context, ip net
// Listen for UDP packets on dropPort.
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := listenUDP(timedCtx, dropPort); err == nil {
+ if err := listenUDP(timedCtx, dropPort, ipv6); err == nil {
return fmt.Errorf("packets on port %d should have been dropped, but got a packet", dropPort)
} else if !errors.Is(err, context.DeadlineExceeded) {
return fmt.Errorf("error reading: %v", err)
@@ -441,7 +441,7 @@ func (*FilterInputDefaultPolicyDrop) ContainerAction(ctx context.Context, ip net
// LocalAction implements TestCase.LocalAction.
func (*FilterInputDefaultPolicyDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// FilterInputReturnUnderflow tests that -j RETURN in a built-in chain causes
@@ -470,12 +470,12 @@ func (*FilterInputReturnUnderflow) ContainerAction(ctx context.Context, ip net.I
// We should receive packets, as the RETURN rule will trigger the default
// ACCEPT policy.
- return listenUDP(ctx, acceptPort)
+ return listenUDP(ctx, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*FilterInputReturnUnderflow) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// FilterInputSerializeJump verifies that we can serialize jumps.
@@ -528,12 +528,12 @@ func (*FilterInputJumpBasic) ContainerAction(ctx context.Context, ip net.IP, ipv
}
// Listen for UDP packets on acceptPort.
- return listenUDP(ctx, acceptPort)
+ return listenUDP(ctx, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*FilterInputJumpBasic) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// FilterInputJumpReturn jumps, returns, and executes a rule.
@@ -560,12 +560,12 @@ func (*FilterInputJumpReturn) ContainerAction(ctx context.Context, ip net.IP, ip
}
// Listen for UDP packets on acceptPort.
- return listenUDP(ctx, acceptPort)
+ return listenUDP(ctx, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*FilterInputJumpReturn) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// FilterInputJumpReturnDrop jumps to a chain, returns, and DROPs packets.
@@ -593,7 +593,7 @@ func (*FilterInputJumpReturnDrop) ContainerAction(ctx context.Context, ip net.IP
// Listen for UDP packets on dropPort.
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := listenUDP(timedCtx, dropPort); err == nil {
+ if err := listenUDP(timedCtx, dropPort, ipv6); err == nil {
return fmt.Errorf("packets on port %d should have been dropped, but got a packet", dropPort)
} else if !errors.Is(err, context.DeadlineExceeded) {
return fmt.Errorf("error reading: %v", err)
@@ -606,7 +606,7 @@ func (*FilterInputJumpReturnDrop) ContainerAction(ctx context.Context, ip net.IP
// LocalAction implements TestCase.LocalAction.
func (*FilterInputJumpReturnDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, dropPort)
+ return sendUDPLoop(ctx, ip, dropPort, ipv6)
}
// FilterInputJumpBuiltin verifies that jumping to a top-levl chain is illegal.
@@ -660,12 +660,12 @@ func (*FilterInputJumpTwice) ContainerAction(ctx context.Context, ip net.IP, ipv
// UDP packets should jump and return twice, eventually hitting the
// ACCEPT rule.
- return listenUDP(ctx, acceptPort)
+ return listenUDP(ctx, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*FilterInputJumpTwice) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// FilterInputDestination verifies that we can filter packets via `-d
@@ -696,12 +696,12 @@ func (*FilterInputDestination) ContainerAction(ctx context.Context, ip net.IP, i
return err
}
- return listenUDP(ctx, acceptPort)
+ return listenUDP(ctx, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*FilterInputDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// FilterInputInvertDestination verifies that we can filter packets via `! -d
@@ -727,12 +727,12 @@ func (*FilterInputInvertDestination) ContainerAction(ctx context.Context, ip net
return err
}
- return listenUDP(ctx, acceptPort)
+ return listenUDP(ctx, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*FilterInputInvertDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// FilterInputSource verifies that we can filter packets via `-s
@@ -758,12 +758,12 @@ func (*FilterInputSource) ContainerAction(ctx context.Context, ip net.IP, ipv6 b
return err
}
- return listenUDP(ctx, acceptPort)
+ return listenUDP(ctx, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*FilterInputSource) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// FilterInputInvertSource verifies that we can filter packets via `! -s
@@ -789,12 +789,12 @@ func (*FilterInputInvertSource) ContainerAction(ctx context.Context, ip net.IP,
return err
}
- return listenUDP(ctx, acceptPort)
+ return listenUDP(ctx, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*FilterInputInvertSource) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// FilterInputInterfaceAccept tests that packets are accepted from interface
@@ -817,7 +817,7 @@ func (*FilterInputInterfaceAccept) ContainerAction(ctx context.Context, ip net.I
if err := filterTable(ipv6, "-A", "INPUT", "-p", "udp", "-i", ifname, "-j", "ACCEPT"); err != nil {
return err
}
- if err := listenUDP(ctx, acceptPort); err != nil {
+ if err := listenUDP(ctx, acceptPort, ipv6); err != nil {
return fmt.Errorf("packets on port %d should be allowed, but encountered an error: %w", acceptPort, err)
}
@@ -826,7 +826,7 @@ func (*FilterInputInterfaceAccept) ContainerAction(ctx context.Context, ip net.I
// LocalAction implements TestCase.LocalAction.
func (*FilterInputInterfaceAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// FilterInputInterfaceDrop tests that packets are dropped from interface
@@ -851,7 +851,7 @@ func (*FilterInputInterfaceDrop) ContainerAction(ctx context.Context, ip net.IP,
}
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := listenUDP(timedCtx, acceptPort); err != nil {
+ if err := listenUDP(timedCtx, acceptPort, ipv6); err != nil {
if errors.Is(err, context.DeadlineExceeded) {
return nil
}
@@ -862,7 +862,7 @@ func (*FilterInputInterfaceDrop) ContainerAction(ctx context.Context, ip net.IP,
// LocalAction implements TestCase.LocalAction.
func (*FilterInputInterfaceDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// FilterInputInterface tests that packets are not dropped from interface which
@@ -881,7 +881,7 @@ func (*FilterInputInterface) ContainerAction(ctx context.Context, ip net.IP, ipv
if err := filterTable(ipv6, "-A", "INPUT", "-p", "udp", "-i", "lo", "-j", "DROP"); err != nil {
return err
}
- if err := listenUDP(ctx, acceptPort); err != nil {
+ if err := listenUDP(ctx, acceptPort, ipv6); err != nil {
return fmt.Errorf("packets on port %d should be allowed, but encountered an error: %w", acceptPort, err)
}
return nil
@@ -889,7 +889,7 @@ func (*FilterInputInterface) ContainerAction(ctx context.Context, ip net.IP, ipv
// LocalAction implements TestCase.LocalAction.
func (*FilterInputInterface) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// FilterInputInterfaceBeginsWith tests that packets are dropped from an
@@ -910,7 +910,7 @@ func (*FilterInputInterfaceBeginsWith) ContainerAction(ctx context.Context, ip n
}
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := listenUDP(timedCtx, acceptPort); err != nil {
+ if err := listenUDP(timedCtx, acceptPort, ipv6); err != nil {
if errors.Is(err, context.DeadlineExceeded) {
return nil
}
@@ -921,7 +921,7 @@ func (*FilterInputInterfaceBeginsWith) ContainerAction(ctx context.Context, ip n
// LocalAction implements TestCase.LocalAction.
func (*FilterInputInterfaceBeginsWith) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// FilterInputInterfaceInvertDrop tests that we selectively drop packets from
@@ -942,7 +942,7 @@ func (*FilterInputInterfaceInvertDrop) ContainerAction(ctx context.Context, ip n
}
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := listenTCP(timedCtx, acceptPort); err != nil {
+ if err := listenTCP(timedCtx, acceptPort, ipv6); err != nil {
if errors.Is(err, context.DeadlineExceeded) {
return nil
}
@@ -955,7 +955,7 @@ func (*FilterInputInterfaceInvertDrop) ContainerAction(ctx context.Context, ip n
func (*FilterInputInterfaceInvertDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := connectTCP(timedCtx, ip, acceptPort); err != nil {
+ if err := connectTCP(timedCtx, ip, acceptPort, ipv6); err != nil {
var operr *net.OpError
if errors.As(err, &operr) && operr.Timeout() {
return nil
@@ -981,10 +981,10 @@ func (*FilterInputInterfaceInvertAccept) ContainerAction(ctx context.Context, ip
if err := filterTable(ipv6, "-A", "INPUT", "-p", "tcp", "!", "-i", "lo", "-j", "ACCEPT"); err != nil {
return err
}
- return listenTCP(ctx, acceptPort)
+ return listenTCP(ctx, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*FilterInputInterfaceInvertAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return connectTCP(ctx, ip, acceptPort)
+ return connectTCP(ctx, ip, acceptPort, ipv6)
}
diff --git a/test/iptables/filter_output.go b/test/iptables/filter_output.go
index 590d234bb..bcb2a3b70 100644
--- a/test/iptables/filter_output.go
+++ b/test/iptables/filter_output.go
@@ -64,7 +64,7 @@ func (*FilterOutputDropTCPDestPort) ContainerAction(ctx context.Context, ip net.
// Listen for TCP packets on accept port.
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := listenTCP(timedCtx, acceptPort); err == nil {
+ if err := listenTCP(timedCtx, acceptPort, ipv6); err == nil {
return fmt.Errorf("connection destined to port %d should not be accepted, but got accepted", dropPort)
} else if !errors.Is(err, context.DeadlineExceeded) {
return fmt.Errorf("error reading: %v", err)
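Review bot: The error messages in this hunk and in the FilterOutputDropTCPDestPort LocalAction hunk that follows print dropPort while the new listenTCP and connectTCP calls use acceptPort, so a failure would report a port that was never in play. `return fmt.Errorf("connection destined to port %d should not be accepted, but got accepted", acceptPort)` here and `return fmt.Errorf("connection on port %d should not be accepted, but got accepted", acceptPort)` in LocalAction would match the ports actually exercised. ContainerAction begins outside the hunk.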
@@ -77,7 +77,7 @@ func (*FilterOutputDropTCPDestPort) ContainerAction(ctx context.Context, ip net.
func (*FilterOutputDropTCPDestPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := connectTCP(timedCtx, ip, acceptPort); err == nil {
+ if err := connectTCP(timedCtx, ip, acceptPort, ipv6); err == nil {
return fmt.Errorf("connection on port %d should not be accepted, but got accepted", dropPort)
}
@@ -104,7 +104,7 @@ func (*FilterOutputDropTCPSrcPort) ContainerAction(ctx context.Context, ip net.I
// Listen for TCP packets on drop port.
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := listenTCP(timedCtx, dropPort); err == nil {
+ if err := listenTCP(timedCtx, dropPort, ipv6); err == nil {
return fmt.Errorf("connection on port %d should not be accepted, but got accepted", dropPort)
} else if !errors.Is(err, context.DeadlineExceeded) {
return fmt.Errorf("error reading: %v", err)
@@ -117,7 +117,7 @@ func (*FilterOutputDropTCPSrcPort) ContainerAction(ctx context.Context, ip net.I
func (*FilterOutputDropTCPSrcPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := connectTCP(timedCtx, ip, dropPort); err == nil {
+ if err := connectTCP(timedCtx, ip, dropPort, ipv6); err == nil {
return fmt.Errorf("connection destined to port %d should not be accepted, but got accepted", dropPort)
}
@@ -141,12 +141,12 @@ func (*FilterOutputAcceptTCPOwner) ContainerAction(ctx context.Context, ip net.I
}
// Listen for TCP packets on accept port.
- return listenTCP(ctx, acceptPort)
+ return listenTCP(ctx, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*FilterOutputAcceptTCPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return connectTCP(ctx, ip, acceptPort)
+ return connectTCP(ctx, ip, acceptPort, ipv6)
}
// FilterOutputDropTCPOwner tests that TCP connections from uid owner are dropped.
@@ -168,7 +168,7 @@ func (*FilterOutputDropTCPOwner) ContainerAction(ctx context.Context, ip net.IP,
// Listen for TCP packets on accept port.
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := listenTCP(timedCtx, acceptPort); err == nil {
+ if err := listenTCP(timedCtx, acceptPort, ipv6); err == nil {
return fmt.Errorf("connection on port %d should be dropped, but got accepted", acceptPort)
} else if !errors.Is(err, context.DeadlineExceeded) {
return fmt.Errorf("error reading: %v", err)
@@ -181,7 +181,7 @@ func (*FilterOutputDropTCPOwner) ContainerAction(ctx context.Context, ip net.IP,
func (*FilterOutputDropTCPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := connectTCP(timedCtx, ip, acceptPort); err == nil {
+ if err := connectTCP(timedCtx, ip, acceptPort, ipv6); err == nil {
return fmt.Errorf("connection destined to port %d should be dropped, but got accepted", acceptPort)
}
@@ -205,13 +205,13 @@ func (*FilterOutputAcceptUDPOwner) ContainerAction(ctx context.Context, ip net.I
}
// Send UDP packets on acceptPort.
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*FilterOutputAcceptUDPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
// Listen for UDP packets on acceptPort.
- return listenUDP(ctx, acceptPort)
+ return listenUDP(ctx, acceptPort, ipv6)
}
// FilterOutputDropUDPOwner tests that UDP packets from uid owner are dropped.
@@ -231,7 +231,7 @@ func (*FilterOutputDropUDPOwner) ContainerAction(ctx context.Context, ip net.IP,
}
// Send UDP packets on dropPort.
- return sendUDPLoop(ctx, ip, dropPort)
+ return sendUDPLoop(ctx, ip, dropPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
@@ -239,7 +239,7 @@ func (*FilterOutputDropUDPOwner) LocalAction(ctx context.Context, ip net.IP, ipv
// Listen for UDP packets on dropPort.
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := listenUDP(timedCtx, dropPort); err == nil {
+ if err := listenUDP(timedCtx, dropPort, ipv6); err == nil {
return fmt.Errorf("packets should not be received")
} else if !errors.Is(err, context.DeadlineExceeded) {
return fmt.Errorf("error reading: %v", err)
@@ -291,12 +291,12 @@ func (*FilterOutputAcceptGIDOwner) ContainerAction(ctx context.Context, ip net.I
}
// Listen for TCP packets on accept port.
- return listenTCP(ctx, acceptPort)
+ return listenTCP(ctx, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*FilterOutputAcceptGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return connectTCP(ctx, ip, acceptPort)
+ return connectTCP(ctx, ip, acceptPort, ipv6)
}
// FilterOutputDropGIDOwner tests that TCP connections from gid owner are dropped.
@@ -318,7 +318,7 @@ func (*FilterOutputDropGIDOwner) ContainerAction(ctx context.Context, ip net.IP,
// Listen for TCP packets on accept port.
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := listenTCP(timedCtx, acceptPort); err == nil {
+ if err := listenTCP(timedCtx, acceptPort, ipv6); err == nil {
return fmt.Errorf("connection on port %d should not be accepted, but got accepted", acceptPort)
} else if !errors.Is(err, context.DeadlineExceeded) {
return fmt.Errorf("error reading: %v", err)
@@ -331,7 +331,7 @@ func (*FilterOutputDropGIDOwner) ContainerAction(ctx context.Context, ip net.IP,
func (*FilterOutputDropGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := connectTCP(timedCtx, ip, acceptPort); err == nil {
+ if err := connectTCP(timedCtx, ip, acceptPort, ipv6); err == nil {
return fmt.Errorf("connection destined to port %d should not be accepted, but got accepted", acceptPort)
}
@@ -361,7 +361,7 @@ func (*FilterOutputInvertGIDOwner) ContainerAction(ctx context.Context, ip net.I
// Listen for TCP packets on accept port.
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := listenTCP(timedCtx, acceptPort); err == nil {
+ if err := listenTCP(timedCtx, acceptPort, ipv6); err == nil {
return fmt.Errorf("connection on port %d should not be accepted, but got accepted", acceptPort)
} else if !errors.Is(err, context.DeadlineExceeded) {
return fmt.Errorf("error reading: %v", err)
@@ -374,7 +374,7 @@ func (*FilterOutputInvertGIDOwner) ContainerAction(ctx context.Context, ip net.I
func (*FilterOutputInvertGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := connectTCP(timedCtx, ip, acceptPort); err == nil {
+ if err := connectTCP(timedCtx, ip, acceptPort, ipv6); err == nil {
return fmt.Errorf("connection destined to port %d should not be accepted, but got accepted", acceptPort)
}
@@ -402,12 +402,12 @@ func (*FilterOutputInvertUIDOwner) ContainerAction(ctx context.Context, ip net.I
}
// Listen for TCP packets on accept port.
- return listenTCP(ctx, acceptPort)
+ return listenTCP(ctx, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*FilterOutputInvertUIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return connectTCP(ctx, ip, acceptPort)
+ return connectTCP(ctx, ip, acceptPort, ipv6)
}
// FilterOutputInvertUIDAndGIDOwner tests that TCP connections from uid and gid
@@ -434,7 +434,7 @@ func (*FilterOutputInvertUIDAndGIDOwner) ContainerAction(ctx context.Context, ip
// Listen for TCP packets on accept port.
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := listenTCP(timedCtx, acceptPort); err == nil {
+ if err := listenTCP(timedCtx, acceptPort, ipv6); err == nil {
return fmt.Errorf("connection on port %d should not be accepted, but got accepted", acceptPort)
} else if !errors.Is(err, context.DeadlineExceeded) {
return fmt.Errorf("error reading: %v", err)
@@ -447,7 +447,7 @@ func (*FilterOutputInvertUIDAndGIDOwner) ContainerAction(ctx context.Context, ip
func (*FilterOutputInvertUIDAndGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := connectTCP(timedCtx, ip, acceptPort); err == nil {
+ if err := connectTCP(timedCtx, ip, acceptPort, ipv6); err == nil {
return fmt.Errorf("connection destined to port %d should not be accepted, but got accepted", acceptPort)
}
@@ -486,12 +486,12 @@ func (*FilterOutputDestination) ContainerAction(ctx context.Context, ip net.IP,
return err
}
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*FilterOutputDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return listenUDP(ctx, acceptPort)
+ return listenUDP(ctx, acceptPort, ipv6)
}
// FilterOutputInvertDestination tests that we can selectively allow packets
@@ -515,12 +515,12 @@ func (*FilterOutputInvertDestination) ContainerAction(ctx context.Context, ip ne
return err
}
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*FilterOutputInvertDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return listenUDP(ctx, acceptPort)
+ return listenUDP(ctx, acceptPort, ipv6)
}
// FilterOutputInterfaceAccept tests that packets are sent via interface
@@ -544,12 +544,12 @@ func (*FilterOutputInterfaceAccept) ContainerAction(ctx context.Context, ip net.
return err
}
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*FilterOutputInterfaceAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return listenUDP(ctx, acceptPort)
+ return listenUDP(ctx, acceptPort, ipv6)
}
// FilterOutputInterfaceDrop tests that packets are not sent via interface
@@ -573,14 +573,14 @@ func (*FilterOutputInterfaceDrop) ContainerAction(ctx context.Context, ip net.IP
return err
}
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*FilterOutputInterfaceDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := listenUDP(timedCtx, acceptPort); err == nil {
+ if err := listenUDP(timedCtx, acceptPort, ipv6); err == nil {
return fmt.Errorf("packets should not be received on port %v, but are received", acceptPort)
} else if !errors.Is(err, context.DeadlineExceeded) {
return fmt.Errorf("error reading: %v", err)
@@ -606,12 +606,12 @@ func (*FilterOutputInterface) ContainerAction(ctx context.Context, ip net.IP, ip
return err
}
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*FilterOutputInterface) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return listenUDP(ctx, acceptPort)
+ return listenUDP(ctx, acceptPort, ipv6)
}
// FilterOutputInterfaceBeginsWith tests that packets are not sent via an
@@ -631,14 +631,14 @@ func (*FilterOutputInterfaceBeginsWith) ContainerAction(ctx context.Context, ip
return err
}
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*FilterOutputInterfaceBeginsWith) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := listenUDP(timedCtx, acceptPort); err == nil {
+ if err := listenUDP(timedCtx, acceptPort, ipv6); err == nil {
return fmt.Errorf("packets should not be received on port %v, but are received", acceptPort)
} else if !errors.Is(err, context.DeadlineExceeded) {
return fmt.Errorf("error reading: %v", err)
@@ -667,7 +667,7 @@ func (*FilterOutputInterfaceInvertDrop) ContainerAction(ctx context.Context, ip
// Listen for TCP packets on accept port.
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := listenTCP(timedCtx, acceptPort); err == nil {
+ if err := listenTCP(timedCtx, acceptPort, ipv6); err == nil {
return fmt.Errorf("connection on port %d should not be accepted, but got accepted", acceptPort)
} else if !errors.Is(err, context.DeadlineExceeded) {
return fmt.Errorf("error reading: %v", err)
@@ -680,7 +680,7 @@ func (*FilterOutputInterfaceInvertDrop) ContainerAction(ctx context.Context, ip
func (*FilterOutputInterfaceInvertDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := connectTCP(timedCtx, ip, acceptPort); err == nil {
+ if err := connectTCP(timedCtx, ip, acceptPort, ipv6); err == nil {
return fmt.Errorf("connection destined to port %d should not be accepted, but got accepted", acceptPort)
}
@@ -705,10 +705,10 @@ func (*FilterOutputInterfaceInvertAccept) ContainerAction(ctx context.Context, i
}
// Listen for TCP packets on accept port.
- return listenTCP(ctx, acceptPort)
+ return listenTCP(ctx, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*FilterOutputInterfaceInvertAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return connectTCP(ctx, ip, acceptPort)
+ return connectTCP(ctx, ip, acceptPort, ipv6)
}
diff --git a/test/iptables/iptables_util.go b/test/iptables/iptables_util.go
index 4cd770a65..bba17b894 100644
--- a/test/iptables/iptables_util.go
+++ b/test/iptables/iptables_util.go
@@ -71,11 +71,11 @@ func tableRules(ipv6 bool, table string, argsList [][]string) error {
// listenUDP listens on a UDP port and returns the value of net.Conn.Read() for
// the first read on that port.
-func listenUDP(ctx context.Context, port int) error {
+func listenUDP(ctx context.Context, port int, ipv6 bool) error {
localAddr := net.UDPAddr{
Port: port,
}
- conn, err := net.ListenUDP("udp", &localAddr)
+ conn, err := net.ListenUDP(udpNetwork(ipv6), &localAddr)
if err != nil {
return err
}
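Review bot: The switch from "udp" to `udpNetwork(ipv6)` is the actual deflake, but nothing in listenUDP says why a single-stack bind matters, so the next person tidying this up may put "udp" back. If I recall the net package correctly, a "udp6"/"tcp6" listener on the unspecified address is created with IPV6_V6ONLY, which is what keeps the other family's packets (for example strays from an earlier test) off this socket; the commit message confirms this was verified under runsc. I'd add above the ListenUDP call: `// Bind single-stack (IPV6_V6ONLY for udp6) so that packets from the other address family, e.g. left over from a previous test, cannot reach this socket.` The same comment belongs in listenTCP's hunk (the ListenTCP call), and listenUDP's body continues past the hunk.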
@@ -97,12 +97,12 @@ func listenUDP(ctx context.Context, port int) error {
// sendUDPLoop sends 1 byte UDP packets repeatedly to the IP and port specified
// over a duration.
-func sendUDPLoop(ctx context.Context, ip net.IP, port int) error {
+func sendUDPLoop(ctx context.Context, ip net.IP, port int, ipv6 bool) error {
remote := net.UDPAddr{
IP: ip,
Port: port,
}
- conn, err := net.DialUDP("udp", nil, &remote)
+ conn, err := net.DialUDP(udpNetwork(ipv6), nil, &remote)
if err != nil {
return err
}
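Review bot: With `udpNetwork(ipv6)` the dial now fails when `ip` is not of the family that `ipv6` selects (an IPv4 `ip` with ipv6=true dials "udp6" to an IPv4 literal), whereas the old "udp" accepted either; the error surfaces only as a generic dial error from the test body. The same applies to `d.DialContext(ctx, tcpNetwork(ipv6), ...)` in the connectTCP hunk. Since every caller passes the test's `ip` and `ipv6` together, a cheap guard makes a mismatch self-explanatory: before the DialUDP call, `if (ip.To4() != nil) == ipv6 { return fmt.Errorf("ip %v does not match ipv6=%t", ip, ipv6) }`. sendUDPLoop's body continues past the hunk.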
@@ -126,13 +126,13 @@ func sendUDPLoop(ctx context.Context, ip net.IP, port int) error {
}
// listenTCP listens for connections on a TCP port.
-func listenTCP(ctx context.Context, port int) error {
+func listenTCP(ctx context.Context, port int, ipv6 bool) error {
localAddr := net.TCPAddr{
Port: port,
}
// Starts listening on port.
- lConn, err := net.ListenTCP("tcp", &localAddr)
+ lConn, err := net.ListenTCP(tcpNetwork(ipv6), &localAddr)
if err != nil {
return err
}
@@ -155,7 +155,7 @@ func listenTCP(ctx context.Context, port int) error {
}
// connectTCP connects to the given IP and port from an ephemeral local address.
-func connectTCP(ctx context.Context, ip net.IP, port int) error {
+func connectTCP(ctx context.Context, ip net.IP, port int, ipv6 bool) error {
contAddr := net.TCPAddr{
IP: ip,
Port: port,
@@ -164,7 +164,7 @@ func connectTCP(ctx context.Context, ip net.IP, port int) error {
// upon error.
callback := func() error {
var d net.Dialer
- conn, err := d.DialContext(ctx, "tcp", contAddr.String())
+ conn, err := d.DialContext(ctx, tcpNetwork(ipv6), contAddr.String())
if conn != nil {
conn.Close()
}
@@ -280,3 +280,19 @@ func nowhereIP(ipv6 bool) string {
}
return "192.0.2.1"
}
+
+// udpNetwork returns an IPv6 or IPv6 UDP network argument to net.Dial.
+func udpNetwork(ipv6 bool) string {
+ if ipv6 {
+ return "udp6"
+ }
+ return "udp4"
+}
+
+// tcpNetwork returns an IPv6 or IPv6 TCP network argument to net.Dial.
+func tcpNetwork(ipv6 bool) string {
+ if ipv6 {
+ return "tcp6"
+ }
+ return "tcp4"
+}
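Review bot: Both new doc comments read "returns an IPv6 or IPv6 ... network" — the first should be IPv4. They also say "argument to net.Dial", but the helpers are passed to net.ListenUDP, net.ListenTCP, net.DialUDP and Dialer.DialContext, so naming the contract rather than one call site would be clearer: `// udpNetwork returns the single-stack UDP network name ("udp4" or "udp6") selected by ipv6.` and likewise `// tcpNetwork returns the single-stack TCP network name ("tcp4" or "tcp6") selected by ipv6.` Since the two bodies differ only in the protocol prefix, a single helper taking the prefix would also remove the duplicated branch, though that is a matter of taste.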
diff --git a/test/iptables/nat.go b/test/iptables/nat.go
index 7ff8510a7..7f1d6d7ad 100644
--- a/test/iptables/nat.go
+++ b/test/iptables/nat.go
@@ -66,7 +66,7 @@ func (*NATPreRedirectUDPPort) ContainerAction(ctx context.Context, ip net.IP, ip
return err
}
- if err := listenUDP(ctx, redirectPort); err != nil {
+ if err := listenUDP(ctx, redirectPort, ipv6); err != nil {
return fmt.Errorf("packets on port %d should be allowed, but encountered an error: %v", redirectPort, err)
}
@@ -75,7 +75,7 @@ func (*NATPreRedirectUDPPort) ContainerAction(ctx context.Context, ip net.IP, ip
// LocalAction implements TestCase.LocalAction.
func (*NATPreRedirectUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// NATPreRedirectTCPPort tests that connections are redirected on specified ports.
@@ -95,12 +95,12 @@ func (*NATPreRedirectTCPPort) ContainerAction(ctx context.Context, ip net.IP, ip
}
// Listen for TCP packets on redirect port.
- return listenTCP(ctx, acceptPort)
+ return listenTCP(ctx, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*NATPreRedirectTCPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return connectTCP(ctx, ip, dropPort)
+ return connectTCP(ctx, ip, dropPort, ipv6)
}
// NATPreRedirectTCPOutgoing verifies that outgoing TCP connections aren't
@@ -122,12 +122,12 @@ func (*NATPreRedirectTCPOutgoing) ContainerAction(ctx context.Context, ip net.IP
}
// Establish a connection to the host process.
- return connectTCP(ctx, ip, acceptPort)
+ return connectTCP(ctx, ip, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*NATPreRedirectTCPOutgoing) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return listenTCP(ctx, acceptPort)
+ return listenTCP(ctx, acceptPort, ipv6)
}
// NATOutRedirectTCPIncoming verifies that incoming TCP connections aren't
@@ -149,12 +149,12 @@ func (*NATOutRedirectTCPIncoming) ContainerAction(ctx context.Context, ip net.IP
}
// Establish a connection to the host process.
- return listenTCP(ctx, acceptPort)
+ return listenTCP(ctx, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*NATOutRedirectTCPIncoming) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return connectTCP(ctx, ip, acceptPort)
+ return connectTCP(ctx, ip, acceptPort, ipv6)
}
// NATOutRedirectUDPPort tests that packets are redirected to different port.
@@ -197,7 +197,7 @@ func (*NATDropUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) er
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
- if err := listenUDP(timedCtx, acceptPort); err == nil {
+ if err := listenUDP(timedCtx, acceptPort, ipv6); err == nil {
return fmt.Errorf("packets on port %d should have been redirected to port %d", acceptPort, redirectPort)
} else if !errors.Is(err, context.DeadlineExceeded) {
return fmt.Errorf("error reading: %v", err)
@@ -208,7 +208,7 @@ func (*NATDropUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) er
// LocalAction implements TestCase.LocalAction.
func (*NATDropUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// NATAcceptAll tests that all UDP packets are accepted.
@@ -227,7 +227,7 @@ func (*NATAcceptAll) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool)
return err
}
- if err := listenUDP(ctx, acceptPort); err != nil {
+ if err := listenUDP(ctx, acceptPort, ipv6); err != nil {
return fmt.Errorf("packets on port %d should be allowed, but encountered an error: %v", acceptPort, err)
}
@@ -236,7 +236,7 @@ func (*NATAcceptAll) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool)
// LocalAction implements TestCase.LocalAction.
func (*NATAcceptAll) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// NATOutRedirectIP uses iptables to select packets based on destination IP and
@@ -282,12 +282,12 @@ func (*NATOutDontRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv
if err := natTable(ipv6, "-A", "OUTPUT", "-d", localIP(ipv6), "-p", "udp", "-j", "REDIRECT", "--to-port", fmt.Sprintf("%d", dropPort)); err != nil {
return err
}
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*NATOutDontRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return listenUDP(ctx, acceptPort)
+ return listenUDP(ctx, acceptPort, ipv6)
}
// NATOutRedirectInvert tests that iptables can match with "! -d".
@@ -345,12 +345,12 @@ func (*NATPreRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bo
if err := natTableRules(ipv6, rules); err != nil {
return err
}
- return listenUDP(ctx, acceptPort)
+ return listenUDP(ctx, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*NATPreRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, dropPort)
+ return sendUDPLoop(ctx, ip, dropPort, ipv6)
}
// NATPreDontRedirectIP tests that iptables matching with "-d" does not match
@@ -369,12 +369,12 @@ func (*NATPreDontRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv
if err := natTable(ipv6, "-A", "PREROUTING", "-p", "udp", "-d", localIP(ipv6), "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", dropPort)); err != nil {
return err
}
- return listenUDP(ctx, acceptPort)
+ return listenUDP(ctx, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*NATPreDontRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// NATPreRedirectInvert tests that iptables can match with "! -d".
@@ -392,12 +392,12 @@ func (*NATPreRedirectInvert) ContainerAction(ctx context.Context, ip net.IP, ipv
if err := natTable(ipv6, "-A", "PREROUTING", "-p", "udp", "!", "-d", localIP(ipv6), "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", acceptPort)); err != nil {
return err
}
- return listenUDP(ctx, acceptPort)
+ return listenUDP(ctx, acceptPort, ipv6)
}
// LocalAction implements TestCase.LocalAction.
func (*NATPreRedirectInvert) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, dropPort)
+ return sendUDPLoop(ctx, ip, dropPort, ipv6)
}
// NATRedirectRequiresProtocol tests that use of the --to-ports flag requires a
@@ -454,7 +454,7 @@ func (*NATOutRedirectTCPPort) ContainerAction(ctx context.Context, ip net.IP, ip
defer lConn.Close()
// Accept connections on port.
- if err := connectTCP(ctx, ip, dropPort); err != nil {
+ if err := connectTCP(ctx, ip, dropPort, ipv6); err != nil {
return err
}
@@ -495,10 +495,10 @@ func (*NATLoopbackSkipsPrerouting) ContainerAction(ctx context.Context, ip net.I
// loopback traffic, the connection would fail.
sendCh := make(chan error)
go func() {
- sendCh <- connectTCP(ctx, dest, acceptPort)
+ sendCh <- connectTCP(ctx, dest, acceptPort, ipv6)
}()
- if err := listenTCP(ctx, acceptPort); err != nil {
+ if err := listenTCP(ctx, acceptPort, ipv6); err != nil {
return err
}
return <-sendCh
@@ -540,7 +540,7 @@ func (*NATPreOriginalDst) ContainerAction(ctx context.Context, ip net.IP, ipv6 b
// LocalAction implements TestCase.LocalAction.
func (*NATPreOriginalDst) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return connectTCP(ctx, ip, dropPort)
+ return connectTCP(ctx, ip, dropPort, ipv6)
}
// NATOutOriginalDst tests that SO_ORIGINAL_DST returns the pre-NAT destination
@@ -563,7 +563,7 @@ func (*NATOutOriginalDst) ContainerAction(ctx context.Context, ip net.IP, ipv6 b
connCh := make(chan error)
go func() {
- connCh <- connectTCP(ctx, ip, dropPort)
+ connCh <- connectTCP(ctx, ip, dropPort, ipv6)
}()
if err := listenForRedirectedConn(ctx, ipv6, []net.IP{ip}); err != nil {
@@ -669,10 +669,10 @@ func loopbackTest(ctx context.Context, ipv6 bool, dest net.IP, args ...string) e
sendCh := make(chan error, 1)
listenCh := make(chan error, 1)
go func() {
- sendCh <- sendUDPLoop(ctx, dest, dropPort)
+ sendCh <- sendUDPLoop(ctx, dest, dropPort, ipv6)
}()
go func() {
- listenCh <- listenUDP(ctx, acceptPort)
+ listenCh <- listenUDP(ctx, acceptPort, ipv6)
}()
select {
case err := <-listenCh:
@@ -708,7 +708,7 @@ func (*NATPreRECVORIGDSTADDR) ContainerAction(ctx context.Context, ip net.IP, ip
// LocalAction implements TestCase.LocalAction.
func (*NATPreRECVORIGDSTADDR) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}
// NATOutRECVORIGDSTADDR tests that IP{V6}_RECVORIGDSTADDR gets the post-NAT
@@ -732,7 +732,7 @@ func (*NATOutRECVORIGDSTADDR) ContainerAction(ctx context.Context, ip net.IP, ip
go func() {
// Packets will be sent to a non-container IP and redirected
// back to the container.
- sendCh <- sendUDPLoop(ctx, ip, acceptPort)
+ sendCh <- sendUDPLoop(ctx, ip, acceptPort, ipv6)
}()
expectedIP := &net.IP{127, 0, 0, 1}