diff options
-rw-r--r-- | test/iptables/BUILD | 1 | ||||
-rw-r--r-- | test/iptables/filter_input.go | 28 | ||||
-rw-r--r-- | test/iptables/iptables_test.go | 9 | ||||
-rw-r--r-- | test/iptables/nat.go | 83 |
4 files changed, 91 insertions, 30 deletions
diff --git a/test/iptables/BUILD b/test/iptables/BUILD index fa833c3b2..68eed721e 100644 --- a/test/iptables/BUILD +++ b/test/iptables/BUILD @@ -8,6 +8,7 @@ go_library( "filter_input.go", "iptables.go", "iptables_util.go", + "nat.go", ], importpath = "gvisor.dev/gvisor/test/iptables", visibility = ["//test/iptables:__subpackages__"], diff --git a/test/iptables/filter_input.go b/test/iptables/filter_input.go index 41bb85369..923f44e68 100644 --- a/test/iptables/filter_input.go +++ b/test/iptables/filter_input.go @@ -23,7 +23,6 @@ import ( const ( dropPort = 2401 acceptPort = 2402 - redirectPort = 42 sendloopDuration = 2 * time.Second network = "udp4" ) @@ -32,7 +31,6 @@ func init() { RegisterTestCase(FilterInputDropUDP{}) RegisterTestCase(FilterInputDropUDPPort{}) RegisterTestCase(FilterInputDropDifferentUDPPort{}) - RegisterTestCase(FilterInputRedirectUDPPort{}) } // FilterInputDropUDP tests that we can drop UDP traffic. @@ -124,29 +122,3 @@ func (FilterInputDropDifferentUDPPort) ContainerAction(ip net.IP) error { func (FilterInputDropDifferentUDPPort) LocalAction(ip net.IP) error { return sendUDPLoop(ip, acceptPort, sendloopDuration) } - -// FilterInputRedirectUDPPort tests that packets are redirected to different port. -type FilterInputRedirectUDPPort struct{} - -// Name implements TestCase.Name. -func (FilterInputRedirectUDPPort) Name() string { - return "FilterInputRedirectUDPPort" -} - -// ContainerAction implements TestCase.ContainerAction. -func (FilterInputRedirectUDPPort) ContainerAction(ip net.IP) error { - if err := filterTable("-t", "nat", "-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", redirectPort)); err != nil { - return err - } - - if err := listenUDP(redirectPort, sendloopDuration); err != nil { - return fmt.Errorf("packets on port %d should be allowed, but encountered an error: %v", acceptPort, redirectPort, err) - } - - return nil -} - -// LocalAction implements TestCase.LocalAction. -func (FilterInputRedirectUDPPort) LocalAction(ip net.IP) error { - return sendUDPLoop(ip, acceptPort, sendloopDuration) -} diff --git a/test/iptables/iptables_test.go b/test/iptables/iptables_test.go index d57ddc0fe..fce9247aa 100644 --- a/test/iptables/iptables_test.go +++ b/test/iptables/iptables_test.go @@ -178,9 +178,14 @@ func TestFilterInputDropDifferentUDPPort(t *testing.T) { } } -func TestFilterInputRedirectUDPPort(t *testing.T) { - if err := singleTest(FilterInputRedirectUDPPort{}); err != nil { +func TestFilterNATRedirectUDPPort(t *testing.T) { + if err := singleTest(FilterNATRedirectUDPPort{}); err != nil { t.Fatal(err) } } +func TestFilterNATDropUDP(t *testing.T) { + if err := singleTest(FilterNATDropUDP{}); err != nil { + t.Fatal(err) + } +} diff --git a/test/iptables/nat.go b/test/iptables/nat.go new file mode 100644 index 000000000..6deabf217 --- /dev/null +++ b/test/iptables/nat.go @@ -0,0 +1,83 @@ +// Copyright 2019 The gVisor Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package iptables + +import ( + "fmt" + "net" +) + +const ( + redirectPort = 42 +) + +func init() { + RegisterTestCase(FilterNATRedirectUDPPort{}) + RegisterTestCase(FilterNATDropUDP{}) +} + +// FilterInputRedirectUDPPort tests that packets are redirected to different port. +type FilterNATRedirectUDPPort struct{} + +// Name implements TestCase.Name. +func (FilterNATRedirectUDPPort) Name() string { + return "FilterNATRedirectUDPPort" +} + +// ContainerAction implements TestCase.ContainerAction. +func (FilterNATRedirectUDPPort) ContainerAction(ip net.IP) error { + if err := filterTable("-t", "nat", "-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", "--to-ports", + fmt.Sprintf("%d", redirectPort)); err != nil { + return err + } + + if err := listenUDP(redirectPort, sendloopDuration); err != nil { + return fmt.Errorf("packets on port %d should be allowed, but encountered an error: %v", redirectPort, err) + } + + return nil +} + +// LocalAction implements TestCase.LocalAction. +func (FilterNATRedirectUDPPort) LocalAction(ip net.IP) error { + return sendUDPLoop(ip, acceptPort, sendloopDuration) +} + +// FilterNATDropUDP tests that packets are not received in ports other than redirect port. +type FilterNATDropUDP struct{} + +// Name implements TestCase.Name. +func (FilterNATDropUDP) Name() string { + return "FilterNATDropUDP" +} + +// ContainerAction implements TestCase.ContainerAction. +func (FilterNATDropUDP) ContainerAction(ip net.IP) error { + if err := filterTable("-t", "nat", "-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", "--to-ports", + fmt.Sprintf("%d", redirectPort)); err != nil { + return err + } + + if err := listenUDP(acceptPort, sendloopDuration); err == nil { + return fmt.Errorf("packets on port %d should have been redirected to port %d", acceptPort, redirectPort) + } + + return nil +} + +// LocalAction implements TestCase.LocalAction. +func (FilterNATDropUDP) LocalAction(ip net.IP) error { + return sendUDPLoop(ip, acceptPort, sendloopDuration) +} |