-rw-r--r--test/iptables/BUILD1
-rw-r--r--test/iptables/filter_input.go28
-rw-r--r--test/iptables/iptables_test.go9
-rw-r--r--test/iptables/nat.go83
4 files changed, 91 insertions, 30 deletions
diff --git a/test/iptables/BUILD b/test/iptables/BUILD
index fa833c3b2..68eed721e 100644
--- a/test/iptables/BUILD
+++ b/test/iptables/BUILD
@@ -8,6 +8,7 @@ go_library(
"filter_input.go",
"iptables.go",
"iptables_util.go",
+ "nat.go",
],
importpath = "gvisor.dev/gvisor/test/iptables",
visibility = ["//test/iptables:__subpackages__"],
diff --git a/test/iptables/filter_input.go b/test/iptables/filter_input.go
index 41bb85369..923f44e68 100644
--- a/test/iptables/filter_input.go
+++ b/test/iptables/filter_input.go
@@ -23,7 +23,6 @@ import (
const (
dropPort = 2401
acceptPort = 2402
- redirectPort = 42
sendloopDuration = 2 * time.Second
network = "udp4"
)
@@ -32,7 +31,6 @@ func init() {
RegisterTestCase(FilterInputDropUDP{})
RegisterTestCase(FilterInputDropUDPPort{})
RegisterTestCase(FilterInputDropDifferentUDPPort{})
- RegisterTestCase(FilterInputRedirectUDPPort{})
}
// FilterInputDropUDP tests that we can drop UDP traffic.
@@ -124,29 +122,3 @@ func (FilterInputDropDifferentUDPPort) ContainerAction(ip net.IP) error {
func (FilterInputDropDifferentUDPPort) LocalAction(ip net.IP) error {
return sendUDPLoop(ip, acceptPort, sendloopDuration)
}
-
-// FilterInputRedirectUDPPort tests that packets are redirected to different port.
-type FilterInputRedirectUDPPort struct{}
-
-// Name implements TestCase.Name.
-func (FilterInputRedirectUDPPort) Name() string {
- return "FilterInputRedirectUDPPort"
-}
-
-// ContainerAction implements TestCase.ContainerAction.
-func (FilterInputRedirectUDPPort) ContainerAction(ip net.IP) error {
- if err := filterTable("-t", "nat", "-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", redirectPort)); err != nil {
- return err
- }
-
- if err := listenUDP(redirectPort, sendloopDuration); err != nil {
- return fmt.Errorf("packets on port %d should be allowed, but encountered an error: %v", acceptPort, redirectPort, err)
- }
-
- return nil
-}
-
-// LocalAction implements TestCase.LocalAction.
-func (FilterInputRedirectUDPPort) LocalAction(ip net.IP) error {
- return sendUDPLoop(ip, acceptPort, sendloopDuration)
-}
diff --git a/test/iptables/iptables_test.go b/test/iptables/iptables_test.go
index d57ddc0fe..fce9247aa 100644
--- a/test/iptables/iptables_test.go
+++ b/test/iptables/iptables_test.go
@@ -178,9 +178,14 @@ func TestFilterInputDropDifferentUDPPort(t *testing.T) {
}
}
-func TestFilterInputRedirectUDPPort(t *testing.T) {
- if err := singleTest(FilterInputRedirectUDPPort{}); err != nil {
+func TestFilterNATRedirectUDPPort(t *testing.T) {
+ if err := singleTest(FilterNATRedirectUDPPort{}); err != nil {
t.Fatal(err)
}
}
+func TestFilterNATDropUDP(t *testing.T) {
+ if err := singleTest(FilterNATDropUDP{}); err != nil {
+ t.Fatal(err)
+ }
+}
diff --git a/test/iptables/nat.go b/test/iptables/nat.go
new file mode 100644
index 000000000..6deabf217
--- /dev/null
+++ b/test/iptables/nat.go
@@ -0,0 +1,83 @@
+// Copyright 2019 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package iptables
+
+import (
+ "fmt"
+ "net"
+)
+
+const (
+ redirectPort = 42
+)
+
+func init() {
+ RegisterTestCase(FilterNATRedirectUDPPort{})
+ RegisterTestCase(FilterNATDropUDP{})
+}
+
+// FilterInputRedirectUDPPort tests that packets are redirected to different port.
+type FilterNATRedirectUDPPort struct{}
+
+// Name implements TestCase.Name.
+func (FilterNATRedirectUDPPort) Name() string {
+ return "FilterNATRedirectUDPPort"
+}
+
+// ContainerAction implements TestCase.ContainerAction.
+func (FilterNATRedirectUDPPort) ContainerAction(ip net.IP) error {
+ if err := filterTable("-t", "nat", "-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", "--to-ports",
+ fmt.Sprintf("%d", redirectPort)); err != nil {
+ return err
+ }
+
+ if err := listenUDP(redirectPort, sendloopDuration); err != nil {
+ return fmt.Errorf("packets on port %d should be allowed, but encountered an error: %v", redirectPort, err)
+ }
+
+ return nil
+}
+
+// LocalAction implements TestCase.LocalAction.
+func (FilterNATRedirectUDPPort) LocalAction(ip net.IP) error {
+ return sendUDPLoop(ip, acceptPort, sendloopDuration)
+}
+
+// FilterNATDropUDP tests that packets are not received in ports other than redirect port.
+type FilterNATDropUDP struct{}
+
+// Name implements TestCase.Name.
+func (FilterNATDropUDP) Name() string {
+ return "FilterNATDropUDP"
+}
+
+// ContainerAction implements TestCase.ContainerAction.
+func (FilterNATDropUDP) ContainerAction(ip net.IP) error {
+ if err := filterTable("-t", "nat", "-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", "--to-ports",
+ fmt.Sprintf("%d", redirectPort)); err != nil {
+ return err
+ }
+
+ if err := listenUDP(acceptPort, sendloopDuration); err == nil {
+ return fmt.Errorf("packets on port %d should have been redirected to port %d", acceptPort, redirectPort)
+ }
+
+ return nil
+}
+
+// LocalAction implements TestCase.LocalAction.
+func (FilterNATDropUDP) LocalAction(ip net.IP) error {
+ return sendUDPLoop(ip, acceptPort, sendloopDuration)
+}
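Review bot: FilterNATDropUDP.ContainerAction passes on any non-nil error from `listenUDP(acceptPort, …)`, so a failed bind, an unusable address or a REDIRECT rule that silently did not apply all make the test succeed instead of fail, which defeats its purpose as a regression check for the nat table. Unless listenUDP only ever fails on the read deadline, the branch should accept only the expected timeout and surface everything else, e.g. `if nerr, ok := err.(net.Error); !ok || !nerr.Timeout() { return fmt.Errorf("listenUDP(%d): unexpected error: %v", acceptPort, err) }` — listenUDP's error contract is not visible here, so confirm what it returns when the deadline expires. Separately, the doc comment above the first type still reads `// FilterInputRedirectUDPPort tests that packets are redirected to different port.` while the type is `FilterNATRedirectUDPPort`; golint flags this, and it should read `// FilterNATRedirectUDPPort tests that packets are redirected to a different port.` The identical `filterTable("-t", "nat", "-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", …)` call in both ContainerActions could be hoisted into one small helper so the two tests cannot drift apart.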