-rw-r--r-- | test/iptables/filter_input.go | 286 | ||||
-rw-r--r-- | test/iptables/filter_output.go | 200 | ||||
-rw-r--r-- | test/iptables/iptables.go | 12 | ||||
-rw-r--r-- | test/iptables/iptables_test.go | 134 | ||||
-rw-r--r-- | test/iptables/nat.go | 200 |
5 files changed, 479 insertions, 353 deletions
diff --git a/test/iptables/filter_input.go b/test/iptables/filter_input.go
index c47660026..0f656513e 100644
--- a/test/iptables/filter_input.go
+++ b/test/iptables/filter_input.go
@@ -30,45 +30,47 @@ const (
 )
 
 func init() {
- RegisterTestCase(FilterInputDropAll{})
- RegisterTestCase(FilterInputDropDifferentUDPPort{})
- RegisterTestCase(FilterInputDropOnlyUDP{})
- RegisterTestCase(FilterInputDropTCPDestPort{})
- RegisterTestCase(FilterInputDropTCPSrcPort{})
- RegisterTestCase(FilterInputDropUDPPort{})
- RegisterTestCase(FilterInputDropUDP{})
- RegisterTestCase(FilterInputCreateUserChain{})
- RegisterTestCase(FilterInputDefaultPolicyAccept{})
- RegisterTestCase(FilterInputDefaultPolicyDrop{})
- RegisterTestCase(FilterInputReturnUnderflow{})
- RegisterTestCase(FilterInputSerializeJump{})
- RegisterTestCase(FilterInputJumpBasic{})
- RegisterTestCase(FilterInputJumpReturn{})
- RegisterTestCase(FilterInputJumpReturnDrop{})
- RegisterTestCase(FilterInputJumpBuiltin{})
- RegisterTestCase(FilterInputJumpTwice{})
- RegisterTestCase(FilterInputDestination{})
- RegisterTestCase(FilterInputInvertDestination{})
- RegisterTestCase(FilterInputSource{})
- RegisterTestCase(FilterInputInvertSource{})
- RegisterTestCase(FilterInputInterfaceAccept{})
- RegisterTestCase(FilterInputInterfaceDrop{})
- RegisterTestCase(FilterInputInterface{})
- RegisterTestCase(FilterInputInterfaceBeginsWith{})
- RegisterTestCase(FilterInputInterfaceInvertDrop{})
- RegisterTestCase(FilterInputInterfaceInvertAccept{})
+ RegisterTestCase(&FilterInputDropAll{})
+ RegisterTestCase(&FilterInputDropDifferentUDPPort{})
+ RegisterTestCase(&FilterInputDropOnlyUDP{})
+ RegisterTestCase(&FilterInputDropTCPDestPort{})
+ RegisterTestCase(&FilterInputDropTCPSrcPort{})
+ RegisterTestCase(&FilterInputDropUDPPort{})
+ RegisterTestCase(&FilterInputDropUDP{})
+ RegisterTestCase(&FilterInputCreateUserChain{})
+ RegisterTestCase(&FilterInputDefaultPolicyAccept{})
+ RegisterTestCase(&FilterInputDefaultPolicyDrop{})
+ RegisterTestCase(&FilterInputReturnUnderflow{})
+ RegisterTestCase(&FilterInputSerializeJump{})
+ RegisterTestCase(&FilterInputJumpBasic{})
+ RegisterTestCase(&FilterInputJumpReturn{})
+ RegisterTestCase(&FilterInputJumpReturnDrop{})
+ RegisterTestCase(&FilterInputJumpBuiltin{})
+ RegisterTestCase(&FilterInputJumpTwice{})
+ RegisterTestCase(&FilterInputDestination{})
+ RegisterTestCase(&FilterInputInvertDestination{})
+ RegisterTestCase(&FilterInputSource{})
+ RegisterTestCase(&FilterInputInvertSource{})
+ RegisterTestCase(&FilterInputInterfaceAccept{})
+ RegisterTestCase(&FilterInputInterfaceDrop{})
+ RegisterTestCase(&FilterInputInterface{})
+ RegisterTestCase(&FilterInputInterfaceBeginsWith{})
+ RegisterTestCase(&FilterInputInterfaceInvertDrop{})
+ RegisterTestCase(&FilterInputInterfaceInvertAccept{})
 }
 
 // FilterInputDropUDP tests that we can drop UDP traffic.
 type FilterInputDropUDP struct{ containerCase }
 
+var _ TestCase = (*FilterInputDropUDP)(nil)
+
 // Name implements TestCase.Name.
-func (FilterInputDropUDP) Name() string {
+func (*FilterInputDropUDP) Name() string {
 return "FilterInputDropUDP"
 }
 
 // ContainerAction implements TestCase.ContainerAction.
-func (FilterInputDropUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error {
+func (*FilterInputDropUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error {
 if err := filterTable(ipv6, "-A", "INPUT", "-p", "udp", "-j", "DROP"); err != nil {
 return err
 }
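Review bot: The registration list in init() still omits FilterInputMultiUDPRules and FilterInputRequireProtocolUDP, even though later hunks in this file add `var _ TestCase = (*FilterInputMultiUDPRules)(nil)` and `var _ TestCase = (*FilterInputRequireProtocolUDP)(nil)` for them; the interface assertion only proves they compile, so unless they are registered somewhere outside this file they never run. Either add `RegisterTestCase(&FilterInputMultiUDPRules{})` and `RegisterTestCase(&FilterInputRequireProtocolUDP{})` to this list, or put a comment in init() stating why those two are deliberately left out. Separately, now that `&X{}` pointers are registered, every case is a single shared instance rather than a fresh value per call; that is harmless while these structs carry no fields of their own, but a sentence on RegisterTestCase's doc noting that registered cases must stay stateless (or be safe to share if the runner executes them concurrently) would prevent a later field from quietly introducing a race.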
@@ -88,20 +90,22 @@ func (FilterInputDropUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 b
 }
 
 // LocalAction implements TestCase.LocalAction.
-func (FilterInputDropUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
+func (*FilterInputDropUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
 return sendUDPLoop(ctx, ip, dropPort)
 }
 
 // FilterInputDropOnlyUDP tests that "-p udp -j DROP" only affects UDP traffic.
 type FilterInputDropOnlyUDP struct{ baseCase }
 
+var _ TestCase = (*FilterInputDropOnlyUDP)(nil)
+
 // Name implements TestCase.Name.
-func (FilterInputDropOnlyUDP) Name() string {
+func (*FilterInputDropOnlyUDP) Name() string {
 return "FilterInputDropOnlyUDP"
 }
 
 // ContainerAction implements TestCase.ContainerAction.
-func (FilterInputDropOnlyUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error {
+func (*FilterInputDropOnlyUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error {
 if err := filterTable(ipv6, "-A", "INPUT", "-p", "udp", "-j", "DROP"); err != nil {
 return err
 }
@@ -115,7 +119,7 @@ func (FilterInputDropOnlyUDP) ContainerAction(ctx context.Context, ip net.IP, ip
 }
 
 // LocalAction implements TestCase.LocalAction.
-func (FilterInputDropOnlyUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
+func (*FilterInputDropOnlyUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
 // Try to establish a TCP connection with the container, which should
 // succeed.
 return connectTCP(ctx, ip, acceptPort)
@@ -124,13 +128,15 @@ func (FilterInputDropOnlyUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 b // FilterInputDropUDPPort tests that we can drop UDP traffic by port. type FilterInputDropUDPPort struct{ containerCase } +var _ TestCase = (*FilterInputDropUDPPort)(nil) + // Name implements TestCase.Name. -func (FilterInputDropUDPPort) Name() string { +func (*FilterInputDropUDPPort) Name() string { return "FilterInputDropUDPPort" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputDropUDPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDropUDPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "INPUT", "-p", "udp", "-m", "udp", "--destination-port", fmt.Sprintf("%d", dropPort), "-j", "DROP"); err != nil { return err } @@ -150,7 +156,7 @@ func (FilterInputDropUDPPort) ContainerAction(ctx context.Context, ip net.IP, ip } // LocalAction implements TestCase.LocalAction. -func (FilterInputDropUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDropUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, dropPort) } 
@@ -158,13 +164,15 @@ func (FilterInputDropUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 b // doesn't drop packets on other ports. type FilterInputDropDifferentUDPPort struct{ containerCase } +var _ TestCase = (*FilterInputDropDifferentUDPPort)(nil) + // Name implements TestCase.Name. -func (FilterInputDropDifferentUDPPort) Name() string { +func (*FilterInputDropDifferentUDPPort) Name() string { return "FilterInputDropDifferentUDPPort" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputDropDifferentUDPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDropDifferentUDPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "INPUT", "-p", "udp", "-m", "udp", "--destination-port", fmt.Sprintf("%d", dropPort), "-j", "DROP"); err != nil { return err } 
@@ -178,20 +186,22 @@ func (FilterInputDropDifferentUDPPort) ContainerAction(ctx context.Context, ip n } // LocalAction implements TestCase.LocalAction. -func (FilterInputDropDifferentUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDropDifferentUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } // FilterInputDropTCPDestPort tests that connections are not accepted on specified source ports. type FilterInputDropTCPDestPort struct{ baseCase } +var _ TestCase = (*FilterInputDropTCPDestPort)(nil) + // Name implements TestCase.Name. -func (FilterInputDropTCPDestPort) Name() string { +func (*FilterInputDropTCPDestPort) Name() string { return "FilterInputDropTCPDestPort" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputDropTCPDestPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDropTCPDestPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "INPUT", "-p", "tcp", "-m", "tcp", "--dport", fmt.Sprintf("%d", dropPort), "-j", "DROP"); err != nil { return err } @@ -209,7 +219,7 @@ func (FilterInputDropTCPDestPort) ContainerAction(ctx context.Context, ip net.IP } // LocalAction implements TestCase.LocalAction. -func (FilterInputDropTCPDestPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDropTCPDestPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Ensure we cannot connect to the container. timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() 
@@ -222,13 +232,15 @@ func (FilterInputDropTCPDestPort) LocalAction(ctx context.Context, ip net.IP, ip // FilterInputDropTCPSrcPort tests that connections are not accepted on specified source ports. type FilterInputDropTCPSrcPort struct{ baseCase } +var _ TestCase = (*FilterInputDropTCPSrcPort)(nil) + // Name implements TestCase.Name. -func (FilterInputDropTCPSrcPort) Name() string { +func (*FilterInputDropTCPSrcPort) Name() string { return "FilterInputDropTCPSrcPort" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputDropTCPSrcPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDropTCPSrcPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Drop anything from an ephemeral port. if err := filterTable(ipv6, "-A", "INPUT", "-p", "tcp", "-m", "tcp", "--sport", "1024:65535", "-j", "DROP"); err != nil { return err @@ -247,7 +259,7 @@ func (FilterInputDropTCPSrcPort) ContainerAction(ctx context.Context, ip net.IP, } // LocalAction implements TestCase.LocalAction. -func (FilterInputDropTCPSrcPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDropTCPSrcPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Ensure we cannot connect to the container. timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() 
@@ -260,13 +272,15 @@ func (FilterInputDropTCPSrcPort) LocalAction(ctx context.Context, ip net.IP, ipv // FilterInputDropAll tests that we can drop all traffic to the INPUT chain. type FilterInputDropAll struct{ containerCase } +var _ TestCase = (*FilterInputDropAll)(nil) + // Name implements TestCase.Name. -func (FilterInputDropAll) Name() string { +func (*FilterInputDropAll) Name() string { return "FilterInputDropAll" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputDropAll) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDropAll) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "INPUT", "-j", "DROP"); err != nil { return err } @@ -286,7 +300,7 @@ func (FilterInputDropAll) ContainerAction(ctx context.Context, ip net.IP, ipv6 b } // LocalAction implements TestCase.LocalAction. -func (FilterInputDropAll) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDropAll) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, dropPort) } 
@@ -296,13 +310,15 @@ func (FilterInputDropAll) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) // misunderstand and save the wrong tables. type FilterInputMultiUDPRules struct{ baseCase } +var _ TestCase = (*FilterInputMultiUDPRules)(nil) + // Name implements TestCase.Name. -func (FilterInputMultiUDPRules) Name() string { +func (*FilterInputMultiUDPRules) Name() string { return "FilterInputMultiUDPRules" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputMultiUDPRules) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputMultiUDPRules) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { rules := [][]string{ {"-A", "INPUT", "-p", "udp", "-m", "udp", "--destination-port", fmt.Sprintf("%d", dropPort), "-j", "DROP"}, {"-A", "INPUT", "-p", "udp", "-m", "udp", "--destination-port", fmt.Sprintf("%d", acceptPort), "-j", "ACCEPT"}, @@ -312,7 +328,7 @@ func (FilterInputMultiUDPRules) ContainerAction(ctx context.Context, ip net.IP, } // LocalAction implements TestCase.LocalAction. -func (FilterInputMultiUDPRules) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputMultiUDPRules) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // No-op. return nil } 
@@ -321,13 +337,15 @@ func (FilterInputMultiUDPRules) LocalAction(ctx context.Context, ip net.IP, ipv6 // specified. type FilterInputRequireProtocolUDP struct{ baseCase } +var _ TestCase = (*FilterInputRequireProtocolUDP)(nil) + // Name implements TestCase.Name. -func (FilterInputRequireProtocolUDP) Name() string { +func (*FilterInputRequireProtocolUDP) Name() string { return "FilterInputRequireProtocolUDP" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputRequireProtocolUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputRequireProtocolUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "INPUT", "-m", "udp", "--destination-port", fmt.Sprintf("%d", dropPort), "-j", "DROP"); err == nil { return errors.New("expected iptables to fail with out \"-p udp\", but succeeded") } @@ -335,7 +353,7 @@ func (FilterInputRequireProtocolUDP) ContainerAction(ctx context.Context, ip net } // LocalAction implements TestCase.LocalAction. -func (FilterInputRequireProtocolUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputRequireProtocolUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // No-op. return nil } 
@@ -343,13 +361,15 @@ func (FilterInputRequireProtocolUDP) LocalAction(ctx context.Context, ip net.IP, // FilterInputCreateUserChain tests chain creation. type FilterInputCreateUserChain struct{ baseCase } +var _ TestCase = (*FilterInputCreateUserChain)(nil) + // Name implements TestCase.Name. -func (FilterInputCreateUserChain) Name() string { +func (*FilterInputCreateUserChain) Name() string { return "FilterInputCreateUserChain" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputCreateUserChain) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputCreateUserChain) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { rules := [][]string{ // Create a chain. {"-N", chainName}, @@ -360,7 +380,7 @@ func (FilterInputCreateUserChain) ContainerAction(ctx context.Context, ip net.IP } // LocalAction implements TestCase.LocalAction. -func (FilterInputCreateUserChain) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputCreateUserChain) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // No-op. return nil } 
@@ -368,13 +388,15 @@ func (FilterInputCreateUserChain) LocalAction(ctx context.Context, ip net.IP, ip // FilterInputDefaultPolicyAccept tests the default ACCEPT policy. type FilterInputDefaultPolicyAccept struct{ containerCase } +var _ TestCase = (*FilterInputDefaultPolicyAccept)(nil) + // Name implements TestCase.Name. -func (FilterInputDefaultPolicyAccept) Name() string { +func (*FilterInputDefaultPolicyAccept) Name() string { return "FilterInputDefaultPolicyAccept" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputDefaultPolicyAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDefaultPolicyAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Set the default policy to accept, then receive a packet. if err := filterTable(ipv6, "-P", "INPUT", "ACCEPT"); err != nil { return err @@ -383,20 +405,22 @@ func (FilterInputDefaultPolicyAccept) ContainerAction(ctx context.Context, ip ne } // LocalAction implements TestCase.LocalAction. -func (FilterInputDefaultPolicyAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDefaultPolicyAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } // FilterInputDefaultPolicyDrop tests the default DROP policy. type FilterInputDefaultPolicyDrop struct{ containerCase } +var _ TestCase = (*FilterInputDefaultPolicyDrop)(nil) + // Name implements TestCase.Name. -func (FilterInputDefaultPolicyDrop) Name() string { +func (*FilterInputDefaultPolicyDrop) Name() string { return "FilterInputDefaultPolicyDrop" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputDefaultPolicyDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDefaultPolicyDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-P", "INPUT", "DROP"); err != nil { return err } 
@@ -416,7 +440,7 @@ func (FilterInputDefaultPolicyDrop) ContainerAction(ctx context.Context, ip net. } // LocalAction implements TestCase.LocalAction. -func (FilterInputDefaultPolicyDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDefaultPolicyDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } @@ -424,13 +448,15 @@ func (FilterInputDefaultPolicyDrop) LocalAction(ctx context.Context, ip net.IP, // the underflow rule (i.e. default policy) to be executed. type FilterInputReturnUnderflow struct{ containerCase } +var _ TestCase = (*FilterInputReturnUnderflow)(nil) + // Name implements TestCase.Name. -func (FilterInputReturnUnderflow) Name() string { +func (*FilterInputReturnUnderflow) Name() string { return "FilterInputReturnUnderflow" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputReturnUnderflow) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputReturnUnderflow) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Add a RETURN rule followed by an unconditional accept, and set the // default policy to DROP. rules := [][]string{ 
@@ -448,20 +474,22 @@ func (FilterInputReturnUnderflow) ContainerAction(ctx context.Context, ip net.IP } // LocalAction implements TestCase.LocalAction. -func (FilterInputReturnUnderflow) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputReturnUnderflow) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } // FilterInputSerializeJump verifies that we can serialize jumps. type FilterInputSerializeJump struct{ baseCase } +var _ TestCase = (*FilterInputSerializeJump)(nil) + // Name implements TestCase.Name. -func (FilterInputSerializeJump) Name() string { +func (*FilterInputSerializeJump) Name() string { return "FilterInputSerializeJump" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputSerializeJump) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputSerializeJump) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Write a JUMP rule, the serialize it with `-L`. rules := [][]string{ {"-N", chainName}, @@ -472,7 +500,7 @@ func (FilterInputSerializeJump) ContainerAction(ctx context.Context, ip net.IP, } // LocalAction implements TestCase.LocalAction. -func (FilterInputSerializeJump) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputSerializeJump) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // No-op. return nil } 
@@ -480,13 +508,15 @@ func (FilterInputSerializeJump) LocalAction(ctx context.Context, ip net.IP, ipv6 // FilterInputJumpBasic jumps to a chain and executes a rule there. type FilterInputJumpBasic struct{ containerCase } +var _ TestCase = (*FilterInputJumpBasic)(nil) + // Name implements TestCase.Name. -func (FilterInputJumpBasic) Name() string { +func (*FilterInputJumpBasic) Name() string { return "FilterInputJumpBasic" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputJumpBasic) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputJumpBasic) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { rules := [][]string{ {"-P", "INPUT", "DROP"}, {"-N", chainName}, @@ -502,20 +532,22 @@ func (FilterInputJumpBasic) ContainerAction(ctx context.Context, ip net.IP, ipv6 } // LocalAction implements TestCase.LocalAction. -func (FilterInputJumpBasic) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputJumpBasic) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } // FilterInputJumpReturn jumps, returns, and executes a rule. type FilterInputJumpReturn struct{ containerCase } +var _ TestCase = (*FilterInputJumpReturn)(nil) + // Name implements TestCase.Name. -func (FilterInputJumpReturn) Name() string { +func (*FilterInputJumpReturn) Name() string { return "FilterInputJumpReturn" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputJumpReturn) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputJumpReturn) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { rules := [][]string{ {"-N", chainName}, {"-P", "INPUT", "ACCEPT"}, 
@@ -532,20 +564,22 @@ func (FilterInputJumpReturn) ContainerAction(ctx context.Context, ip net.IP, ipv } // LocalAction implements TestCase.LocalAction. -func (FilterInputJumpReturn) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputJumpReturn) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } // FilterInputJumpReturnDrop jumps to a chain, returns, and DROPs packets. type FilterInputJumpReturnDrop struct{ containerCase } +var _ TestCase = (*FilterInputJumpReturnDrop)(nil) + // Name implements TestCase.Name. -func (FilterInputJumpReturnDrop) Name() string { +func (*FilterInputJumpReturnDrop) Name() string { return "FilterInputJumpReturnDrop" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputJumpReturnDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputJumpReturnDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { rules := [][]string{ {"-N", chainName}, {"-A", "INPUT", "-j", chainName}, 
@@ -571,20 +605,22 @@ func (FilterInputJumpReturnDrop) ContainerAction(ctx context.Context, ip net.IP, } // LocalAction implements TestCase.LocalAction. -func (FilterInputJumpReturnDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputJumpReturnDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, dropPort) } // FilterInputJumpBuiltin verifies that jumping to a top-levl chain is illegal. type FilterInputJumpBuiltin struct{ baseCase } +var _ TestCase = (*FilterInputJumpBuiltin)(nil) + // Name implements TestCase.Name. -func (FilterInputJumpBuiltin) Name() string { +func (*FilterInputJumpBuiltin) Name() string { return "FilterInputJumpBuiltin" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputJumpBuiltin) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputJumpBuiltin) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "INPUT", "-j", "OUTPUT"); err == nil { return fmt.Errorf("iptables should be unable to jump to a built-in chain") } @@ -592,7 +628,7 @@ func (FilterInputJumpBuiltin) ContainerAction(ctx context.Context, ip net.IP, ip } // LocalAction implements TestCase.LocalAction. -func (FilterInputJumpBuiltin) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputJumpBuiltin) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // No-op. return nil } 
@@ -600,13 +636,15 @@ func (FilterInputJumpBuiltin) LocalAction(ctx context.Context, ip net.IP, ipv6 b // FilterInputJumpTwice jumps twice, then returns twice and executes a rule. type FilterInputJumpTwice struct{ containerCase } +var _ TestCase = (*FilterInputJumpTwice)(nil) + // Name implements TestCase.Name. -func (FilterInputJumpTwice) Name() string { +func (*FilterInputJumpTwice) Name() string { return "FilterInputJumpTwice" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputJumpTwice) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputJumpTwice) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { const chainName2 = chainName + "2" rules := [][]string{ {"-P", "INPUT", "DROP"}, @@ -626,7 +664,7 @@ func (FilterInputJumpTwice) ContainerAction(ctx context.Context, ip net.IP, ipv6 } // LocalAction implements TestCase.LocalAction. -func (FilterInputJumpTwice) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputJumpTwice) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } @@ -634,13 +672,15 @@ func (FilterInputJumpTwice) LocalAction(ctx context.Context, ip net.IP, ipv6 boo // <ipaddr>`. type FilterInputDestination struct{ containerCase } +var _ TestCase = (*FilterInputDestination)(nil) + // Name implements TestCase.Name. -func (FilterInputDestination) Name() string { +func (*FilterInputDestination) Name() string { return "FilterInputDestination" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputDestination) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDestination) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { addrs, err := localAddrs(ipv6) if err != nil { return err 
@@ -660,7 +700,7 @@ func (FilterInputDestination) ContainerAction(ctx context.Context, ip net.IP, ip } // LocalAction implements TestCase.LocalAction. -func (FilterInputDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } @@ -668,13 +708,15 @@ func (FilterInputDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 b // <ipaddr>`. type FilterInputInvertDestination struct{ containerCase } +var _ TestCase = (*FilterInputInvertDestination)(nil) + // Name implements TestCase.Name. -func (FilterInputInvertDestination) Name() string { +func (*FilterInputInvertDestination) Name() string { return "FilterInputInvertDestination" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputInvertDestination) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInvertDestination) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Make INPUT's default action DROP, then ACCEPT all packets not bound // for 127.0.0.1. rules := [][]string{ @@ -689,7 +731,7 @@ func (FilterInputInvertDestination) ContainerAction(ctx context.Context, ip net. } // LocalAction implements TestCase.LocalAction. -func (FilterInputInvertDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInvertDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } 
@@ -697,13 +739,15 @@ func (FilterInputInvertDestination) LocalAction(ctx context.Context, ip net.IP, // <ipaddr>`. type FilterInputSource struct{ containerCase } +var _ TestCase = (*FilterInputSource)(nil) + // Name implements TestCase.Name. -func (FilterInputSource) Name() string { +func (*FilterInputSource) Name() string { return "FilterInputSource" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputSource) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputSource) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Make INPUT's default action DROP, then ACCEPT all packets from this // machine. rules := [][]string{ @@ -718,7 +762,7 @@ func (FilterInputSource) ContainerAction(ctx context.Context, ip net.IP, ipv6 bo } // LocalAction implements TestCase.LocalAction. -func (FilterInputSource) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputSource) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } @@ -726,13 +770,15 @@ func (FilterInputSource) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) // <ipaddr>`. type FilterInputInvertSource struct{ containerCase } +var _ TestCase = (*FilterInputInvertSource)(nil) + // Name implements TestCase.Name. -func (FilterInputInvertSource) Name() string { +func (*FilterInputInvertSource) Name() string { return "FilterInputInvertSource" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputInvertSource) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInvertSource) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Make INPUT's default action DROP, then ACCEPT all packets not bound // for 127.0.0.1. rules := [][]string{ 
@@ -747,7 +793,7 @@ func (FilterInputInvertSource) ContainerAction(ctx context.Context, ip net.IP, i } // LocalAction implements TestCase.LocalAction. -func (FilterInputInvertSource) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInvertSource) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } @@ -755,15 +801,15 @@ func (FilterInputInvertSource) LocalAction(ctx context.Context, ip net.IP, ipv6 // matching the iptables rule. type FilterInputInterfaceAccept struct{ localCase } -var _ TestCase = FilterInputInterfaceAccept{} +var _ TestCase = (*FilterInputInterfaceAccept)(nil) // Name implements TestCase.Name. -func (FilterInputInterfaceAccept) Name() string { +func (*FilterInputInterfaceAccept) Name() string { return "FilterInputInterfaceAccept" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputInterfaceAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInterfaceAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { ifname, ok := getInterfaceName() if !ok { return fmt.Errorf("no interface is present, except loopback") @@ -779,7 +825,7 @@ func (FilterInputInterfaceAccept) ContainerAction(ctx context.Context, ip net.IP } // LocalAction implements TestCase.LocalAction. -func (FilterInputInterfaceAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInterfaceAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } 
@@ -787,15 +833,15 @@ func (FilterInputInterfaceAccept) LocalAction(ctx context.Context, ip net.IP, ip // matching the iptables rule. type FilterInputInterfaceDrop struct{ localCase } -var _ TestCase = FilterInputInterfaceDrop{} +var _ TestCase = (*FilterInputInterfaceDrop)(nil) // Name implements TestCase.Name. -func (FilterInputInterfaceDrop) Name() string { +func (*FilterInputInterfaceDrop) Name() string { return "FilterInputInterfaceDrop" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputInterfaceDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInterfaceDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { ifname, ok := getInterfaceName() if !ok { return fmt.Errorf("no interface is present, except loopback") @@ -815,7 +861,7 @@ func (FilterInputInterfaceDrop) ContainerAction(ctx context.Context, ip net.IP, } // LocalAction implements TestCase.LocalAction. -func (FilterInputInterfaceDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInterfaceDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } 
@@ -823,15 +869,15 @@ func (FilterInputInterfaceDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 // is not matching the interface name in the iptables rule. type FilterInputInterface struct{ localCase } -var _ TestCase = FilterInputInterface{} +var _ TestCase = (*FilterInputInterface)(nil) // Name implements TestCase.Name. -func (FilterInputInterface) Name() string { +func (*FilterInputInterface) Name() string { return "FilterInputInterface" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputInterface) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInterface) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "INPUT", "-p", "udp", "-i", "lo", "-j", "DROP"); err != nil { return err } @@ -842,7 +888,7 @@ func (FilterInputInterface) ContainerAction(ctx context.Context, ip net.IP, ipv6 } // LocalAction implements TestCase.LocalAction. -func (FilterInputInterface) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInterface) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } 
@@ -850,15 +896,15 @@ func (FilterInputInterface) LocalAction(ctx context.Context, ip net.IP, ipv6 boo // interface which begins with the given interface name. type FilterInputInterfaceBeginsWith struct{ localCase } -var _ TestCase = FilterInputInterfaceBeginsWith{} +var _ TestCase = (*FilterInputInterfaceBeginsWith)(nil) // Name implements TestCase.Name. -func (FilterInputInterfaceBeginsWith) Name() string { +func (*FilterInputInterfaceBeginsWith) Name() string { return "FilterInputInterfaceBeginsWith" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputInterfaceBeginsWith) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInterfaceBeginsWith) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "INPUT", "-p", "udp", "-i", "e+", "-j", "DROP"); err != nil { return err } @@ -874,7 +920,7 @@ func (FilterInputInterfaceBeginsWith) ContainerAction(ctx context.Context, ip ne } // LocalAction implements TestCase.LocalAction. -func (FilterInputInterfaceBeginsWith) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInterfaceBeginsWith) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } 
@@ -882,15 +928,15 @@ func (FilterInputInterfaceBeginsWith) LocalAction(ctx context.Context, ip net.IP // interface not matching the interface name. type FilterInputInterfaceInvertDrop struct{ baseCase } -var _ TestCase = FilterInputInterfaceInvertDrop{} +var _ TestCase = (*FilterInputInterfaceInvertDrop)(nil) // Name implements TestCase.Name. -func (FilterInputInterfaceInvertDrop) Name() string { +func (*FilterInputInterfaceInvertDrop) Name() string { return "FilterInputInterfaceInvertDrop" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputInterfaceInvertDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInterfaceInvertDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "INPUT", "-p", "tcp", "!", "-i", "lo", "-j", "DROP"); err != nil { return err } @@ -906,7 +952,7 @@ func (FilterInputInterfaceInvertDrop) ContainerAction(ctx context.Context, ip ne } // LocalAction implements TestCase.LocalAction. -func (FilterInputInterfaceInvertDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInterfaceInvertDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() if err := connectTCP(timedCtx, ip, acceptPort); err != nil { 
@@ -923,15 +969,15 @@ func (FilterInputInterfaceInvertDrop) LocalAction(ctx context.Context, ip net.IP // not matching the specific incoming interface. type FilterInputInterfaceInvertAccept struct{ baseCase } -var _ TestCase = FilterInputInterfaceInvertAccept{} +var _ TestCase = (*FilterInputInterfaceInvertAccept)(nil) // Name implements TestCase.Name. -func (FilterInputInterfaceInvertAccept) Name() string { +func (*FilterInputInterfaceInvertAccept) Name() string { return "FilterInputInterfaceInvertAccept" } // ContainerAction implements TestCase.ContainerAction. -func (FilterInputInterfaceInvertAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInterfaceInvertAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "INPUT", "-p", "tcp", "!", "-i", "lo", "-j", "ACCEPT"); err != nil { return err } @@ -939,6 +985,6 @@ func (FilterInputInterfaceInvertAccept) ContainerAction(ctx context.Context, ip } // LocalAction implements TestCase.LocalAction. -func (FilterInputInterfaceInvertAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterInputInterfaceInvertAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return connectTCP(ctx, ip, acceptPort) } diff --git a/test/iptables/filter_output.go b/test/iptables/filter_output.go index f4af45e96..590d234bb 100644 --- a/test/iptables/filter_output.go +++ b/test/iptables/filter_output.go 
@@ -22,39 +22,41 @@ import ( ) func init() { - RegisterTestCase(FilterOutputDropTCPDestPort{}) - RegisterTestCase(FilterOutputDropTCPSrcPort{}) - RegisterTestCase(FilterOutputDestination{}) - RegisterTestCase(FilterOutputInvertDestination{}) - RegisterTestCase(FilterOutputAcceptTCPOwner{}) - RegisterTestCase(FilterOutputDropTCPOwner{}) - RegisterTestCase(FilterOutputAcceptUDPOwner{}) - RegisterTestCase(FilterOutputDropUDPOwner{}) - RegisterTestCase(FilterOutputOwnerFail{}) - RegisterTestCase(FilterOutputAcceptGIDOwner{}) - RegisterTestCase(FilterOutputDropGIDOwner{}) - RegisterTestCase(FilterOutputInvertGIDOwner{}) - RegisterTestCase(FilterOutputInvertUIDOwner{}) - RegisterTestCase(FilterOutputInvertUIDAndGIDOwner{}) - RegisterTestCase(FilterOutputInterfaceAccept{}) - RegisterTestCase(FilterOutputInterfaceDrop{}) - RegisterTestCase(FilterOutputInterface{}) - RegisterTestCase(FilterOutputInterfaceBeginsWith{}) - RegisterTestCase(FilterOutputInterfaceInvertDrop{}) - RegisterTestCase(FilterOutputInterfaceInvertAccept{}) + RegisterTestCase(&FilterOutputDropTCPDestPort{}) + RegisterTestCase(&FilterOutputDropTCPSrcPort{}) + RegisterTestCase(&FilterOutputDestination{}) + RegisterTestCase(&FilterOutputInvertDestination{}) + RegisterTestCase(&FilterOutputAcceptTCPOwner{}) + RegisterTestCase(&FilterOutputDropTCPOwner{}) + RegisterTestCase(&FilterOutputAcceptUDPOwner{}) + RegisterTestCase(&FilterOutputDropUDPOwner{}) + RegisterTestCase(&FilterOutputOwnerFail{}) + RegisterTestCase(&FilterOutputAcceptGIDOwner{}) + RegisterTestCase(&FilterOutputDropGIDOwner{}) + RegisterTestCase(&FilterOutputInvertGIDOwner{}) + RegisterTestCase(&FilterOutputInvertUIDOwner{}) + RegisterTestCase(&FilterOutputInvertUIDAndGIDOwner{}) + RegisterTestCase(&FilterOutputInterfaceAccept{}) + RegisterTestCase(&FilterOutputInterfaceDrop{}) + RegisterTestCase(&FilterOutputInterface{}) + RegisterTestCase(&FilterOutputInterfaceBeginsWith{}) + RegisterTestCase(&FilterOutputInterfaceInvertDrop{}) + 
RegisterTestCase(&FilterOutputInterfaceInvertAccept{}) } // FilterOutputDropTCPDestPort tests that connections are not accepted on // specified source ports. type FilterOutputDropTCPDestPort struct{ baseCase } +var _ TestCase = (*FilterOutputDropTCPDestPort)(nil) + // Name implements TestCase.Name. -func (FilterOutputDropTCPDestPort) Name() string { +func (*FilterOutputDropTCPDestPort) Name() string { return "FilterOutputDropTCPDestPort" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputDropTCPDestPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputDropTCPDestPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "tcp", "-m", "tcp", "--dport", "1024:65535", "-j", "DROP"); err != nil { return err } @@ -72,7 +74,7 @@ func (FilterOutputDropTCPDestPort) ContainerAction(ctx context.Context, ip net.I } // LocalAction implements TestCase.LocalAction. -func (FilterOutputDropTCPDestPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputDropTCPDestPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() if err := connectTCP(timedCtx, ip, acceptPort); err == nil { 
@@ -86,13 +88,15 @@ func (FilterOutputDropTCPDestPort) LocalAction(ctx context.Context, ip net.IP, i // specified source ports. type FilterOutputDropTCPSrcPort struct{ baseCase } +var _ TestCase = (*FilterOutputDropTCPSrcPort)(nil) + // Name implements TestCase.Name. -func (FilterOutputDropTCPSrcPort) Name() string { +func (*FilterOutputDropTCPSrcPort) Name() string { return "FilterOutputDropTCPSrcPort" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputDropTCPSrcPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputDropTCPSrcPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "tcp", "-m", "tcp", "--sport", fmt.Sprintf("%d", dropPort), "-j", "DROP"); err != nil { return err } @@ -110,7 +114,7 @@ func (FilterOutputDropTCPSrcPort) ContainerAction(ctx context.Context, ip net.IP } // LocalAction implements TestCase.LocalAction. -func (FilterOutputDropTCPSrcPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputDropTCPSrcPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() if err := connectTCP(timedCtx, ip, dropPort); err == nil { 
@@ -123,13 +127,15 @@ func (FilterOutputDropTCPSrcPort) LocalAction(ctx context.Context, ip net.IP, ip // FilterOutputAcceptTCPOwner tests that TCP connections from uid owner are accepted. type FilterOutputAcceptTCPOwner struct{ baseCase } +var _ TestCase = (*FilterOutputAcceptTCPOwner)(nil) + // Name implements TestCase.Name. -func (FilterOutputAcceptTCPOwner) Name() string { +func (*FilterOutputAcceptTCPOwner) Name() string { return "FilterOutputAcceptTCPOwner" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputAcceptTCPOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputAcceptTCPOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "tcp", "-m", "owner", "--uid-owner", "root", "-j", "ACCEPT"); err != nil { return err } 
@@ -139,20 +145,22 @@ func (FilterOutputAcceptTCPOwner) ContainerAction(ctx context.Context, ip net.IP } // LocalAction implements TestCase.LocalAction. -func (FilterOutputAcceptTCPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputAcceptTCPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return connectTCP(ctx, ip, acceptPort) } // FilterOutputDropTCPOwner tests that TCP connections from uid owner are dropped. type FilterOutputDropTCPOwner struct{ baseCase } +var _ TestCase = (*FilterOutputDropTCPOwner)(nil) + // Name implements TestCase.Name. -func (FilterOutputDropTCPOwner) Name() string { +func (*FilterOutputDropTCPOwner) Name() string { return "FilterOutputDropTCPOwner" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputDropTCPOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputDropTCPOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "tcp", "-m", "owner", "--uid-owner", "root", "-j", "DROP"); err != nil { return err } @@ -170,7 +178,7 @@ func (FilterOutputDropTCPOwner) ContainerAction(ctx context.Context, ip net.IP, } // LocalAction implements TestCase.LocalAction. -func (FilterOutputDropTCPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputDropTCPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() if err := connectTCP(timedCtx, ip, acceptPort); err == nil { 
@@ -183,13 +191,15 @@ func (FilterOutputDropTCPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 // FilterOutputAcceptUDPOwner tests that UDP packets from uid owner are accepted. type FilterOutputAcceptUDPOwner struct{ localCase } +var _ TestCase = (*FilterOutputAcceptUDPOwner)(nil) + // Name implements TestCase.Name. -func (FilterOutputAcceptUDPOwner) Name() string { +func (*FilterOutputAcceptUDPOwner) Name() string { return "FilterOutputAcceptUDPOwner" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputAcceptUDPOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputAcceptUDPOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "udp", "-m", "owner", "--uid-owner", "root", "-j", "ACCEPT"); err != nil { return err } @@ -199,7 +209,7 @@ func (FilterOutputAcceptUDPOwner) ContainerAction(ctx context.Context, ip net.IP } // LocalAction implements TestCase.LocalAction. -func (FilterOutputAcceptUDPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputAcceptUDPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Listen for UDP packets on acceptPort. return listenUDP(ctx, acceptPort) } 
@@ -207,13 +217,15 @@ func (FilterOutputAcceptUDPOwner) LocalAction(ctx context.Context, ip net.IP, ip // FilterOutputDropUDPOwner tests that UDP packets from uid owner are dropped. type FilterOutputDropUDPOwner struct{ localCase } +var _ TestCase = (*FilterOutputDropUDPOwner)(nil) + // Name implements TestCase.Name. -func (FilterOutputDropUDPOwner) Name() string { +func (*FilterOutputDropUDPOwner) Name() string { return "FilterOutputDropUDPOwner" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputDropUDPOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputDropUDPOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "udp", "-m", "owner", "--uid-owner", "root", "-j", "DROP"); err != nil { return err } @@ -223,7 +235,7 @@ func (FilterOutputDropUDPOwner) ContainerAction(ctx context.Context, ip net.IP, } // LocalAction implements TestCase.LocalAction. -func (FilterOutputDropUDPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputDropUDPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Listen for UDP packets on dropPort. timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() 
@@ -240,13 +252,15 @@ func (FilterOutputDropUDPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 // will fail. type FilterOutputOwnerFail struct{ baseCase } +var _ TestCase = (*FilterOutputOwnerFail)(nil) + // Name implements TestCase.Name. -func (FilterOutputOwnerFail) Name() string { +func (*FilterOutputOwnerFail) Name() string { return "FilterOutputOwnerFail" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputOwnerFail) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputOwnerFail) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "udp", "-m", "owner", "-j", "ACCEPT"); err == nil { return fmt.Errorf("invalid argument") } @@ -255,7 +269,7 @@ func (FilterOutputOwnerFail) ContainerAction(ctx context.Context, ip net.IP, ipv } // LocalAction implements TestCase.LocalAction. -func (FilterOutputOwnerFail) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputOwnerFail) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // no-op. return nil } @@ -263,13 +277,15 @@ func (FilterOutputOwnerFail) LocalAction(ctx context.Context, ip net.IP, ipv6 bo // FilterOutputAcceptGIDOwner tests that TCP connections from gid owner are accepted. type FilterOutputAcceptGIDOwner struct{ baseCase } +var _ TestCase = (*FilterOutputAcceptGIDOwner)(nil) + // Name implements TestCase.Name. -func (FilterOutputAcceptGIDOwner) Name() string { +func (*FilterOutputAcceptGIDOwner) Name() string { return "FilterOutputAcceptGIDOwner" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputAcceptGIDOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputAcceptGIDOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "tcp", "-m", "owner", "--gid-owner", "root", "-j", "ACCEPT"); err != nil { return err } 
@@ -279,20 +295,22 @@ func (FilterOutputAcceptGIDOwner) ContainerAction(ctx context.Context, ip net.IP } // LocalAction implements TestCase.LocalAction. -func (FilterOutputAcceptGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputAcceptGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return connectTCP(ctx, ip, acceptPort) } // FilterOutputDropGIDOwner tests that TCP connections from gid owner are dropped. type FilterOutputDropGIDOwner struct{ baseCase } +var _ TestCase = (*FilterOutputDropGIDOwner)(nil) + // Name implements TestCase.Name. -func (FilterOutputDropGIDOwner) Name() string { +func (*FilterOutputDropGIDOwner) Name() string { return "FilterOutputDropGIDOwner" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputDropGIDOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputDropGIDOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "tcp", "-m", "owner", "--gid-owner", "root", "-j", "DROP"); err != nil { return err } @@ -310,7 +328,7 @@ func (FilterOutputDropGIDOwner) ContainerAction(ctx context.Context, ip net.IP, } // LocalAction implements TestCase.LocalAction. -func (FilterOutputDropGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputDropGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() if err := connectTCP(timedCtx, ip, acceptPort); err == nil { 
@@ -323,13 +341,15 @@ func (FilterOutputDropGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 // FilterOutputInvertGIDOwner tests that TCP connections from gid owner are dropped. type FilterOutputInvertGIDOwner struct{ baseCase } +var _ TestCase = (*FilterOutputInvertGIDOwner)(nil) + // Name implements TestCase.Name. -func (FilterOutputInvertGIDOwner) Name() string { +func (*FilterOutputInvertGIDOwner) Name() string { return "FilterOutputInvertGIDOwner" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputInvertGIDOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInvertGIDOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { rules := [][]string{ {"-A", "OUTPUT", "-p", "tcp", "-m", "owner", "!", "--gid-owner", "root", "-j", "ACCEPT"}, {"-A", "OUTPUT", "-p", "tcp", "-j", "DROP"}, @@ -351,7 +371,7 @@ func (FilterOutputInvertGIDOwner) ContainerAction(ctx context.Context, ip net.IP } // LocalAction implements TestCase.LocalAction. -func (FilterOutputInvertGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInvertGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() if err := connectTCP(timedCtx, ip, acceptPort); err == nil { 
@@ -364,13 +384,15 @@ func (FilterOutputInvertGIDOwner) LocalAction(ctx context.Context, ip net.IP, ip // FilterOutputInvertUIDOwner tests that TCP connections from gid owner are dropped. type FilterOutputInvertUIDOwner struct{ baseCase } +var _ TestCase = (*FilterOutputInvertUIDOwner)(nil) + // Name implements TestCase.Name. -func (FilterOutputInvertUIDOwner) Name() string { +func (*FilterOutputInvertUIDOwner) Name() string { return "FilterOutputInvertUIDOwner" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputInvertUIDOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInvertUIDOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { rules := [][]string{ {"-A", "OUTPUT", "-p", "tcp", "-m", "owner", "!", "--uid-owner", "root", "-j", "DROP"}, {"-A", "OUTPUT", "-p", "tcp", "-j", "ACCEPT"}, @@ -384,7 +406,7 @@ func (FilterOutputInvertUIDOwner) ContainerAction(ctx context.Context, ip net.IP } // LocalAction implements TestCase.LocalAction. -func (FilterOutputInvertUIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInvertUIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return connectTCP(ctx, ip, acceptPort) } 
@@ -392,13 +414,15 @@ func (FilterOutputInvertUIDOwner) LocalAction(ctx context.Context, ip net.IP, ip // owner are dropped. type FilterOutputInvertUIDAndGIDOwner struct{ baseCase } +var _ TestCase = (*FilterOutputInvertUIDAndGIDOwner)(nil) + // Name implements TestCase.Name. -func (FilterOutputInvertUIDAndGIDOwner) Name() string { +func (*FilterOutputInvertUIDAndGIDOwner) Name() string { return "FilterOutputInvertUIDAndGIDOwner" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputInvertUIDAndGIDOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInvertUIDAndGIDOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { rules := [][]string{ {"-A", "OUTPUT", "-p", "tcp", "-m", "owner", "!", "--uid-owner", "root", "!", "--gid-owner", "root", "-j", "ACCEPT"}, {"-A", "OUTPUT", "-p", "tcp", "-j", "DROP"}, @@ -420,7 +444,7 @@ func (FilterOutputInvertUIDAndGIDOwner) ContainerAction(ctx context.Context, ip } // LocalAction implements TestCase.LocalAction. -func (FilterOutputInvertUIDAndGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInvertUIDAndGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() if err := connectTCP(timedCtx, ip, acceptPort); err == nil { 
@@ -434,13 +458,15 @@ func (FilterOutputInvertUIDAndGIDOwner) LocalAction(ctx context.Context, ip net. // certain destinations. type FilterOutputDestination struct{ localCase } +var _ TestCase = (*FilterOutputDestination)(nil) + // Name implements TestCase.Name. -func (FilterOutputDestination) Name() string { +func (*FilterOutputDestination) Name() string { return "FilterOutputDestination" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputDestination) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputDestination) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { var rules [][]string if ipv6 { rules = [][]string{ @@ -464,7 +490,7 @@ func (FilterOutputDestination) ContainerAction(ctx context.Context, ip net.IP, i } // LocalAction implements TestCase.LocalAction. -func (FilterOutputDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return listenUDP(ctx, acceptPort) } @@ -472,13 +498,15 @@ func (FilterOutputDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 // not headed for a particular destination. type FilterOutputInvertDestination struct{ localCase } +var _ TestCase = (*FilterOutputInvertDestination)(nil) + // Name implements TestCase.Name. -func (FilterOutputInvertDestination) Name() string { +func (*FilterOutputInvertDestination) Name() string { return "FilterOutputInvertDestination" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputInvertDestination) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInvertDestination) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { rules := [][]string{ {"-A", "OUTPUT", "!", "-d", localIP(ipv6), "-j", "ACCEPT"}, {"-P", "OUTPUT", "DROP"}, 
@@ -491,7 +519,7 @@ func (FilterOutputInvertDestination) ContainerAction(ctx context.Context, ip net } // LocalAction implements TestCase.LocalAction. -func (FilterOutputInvertDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInvertDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return listenUDP(ctx, acceptPort) } @@ -499,13 +527,15 @@ func (FilterOutputInvertDestination) LocalAction(ctx context.Context, ip net.IP, // matching the iptables rule. type FilterOutputInterfaceAccept struct{ localCase } +var _ TestCase = (*FilterOutputInterfaceAccept)(nil) + // Name implements TestCase.Name. -func (FilterOutputInterfaceAccept) Name() string { +func (*FilterOutputInterfaceAccept) Name() string { return "FilterOutputInterfaceAccept" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputInterfaceAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInterfaceAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { ifname, ok := getInterfaceName() if !ok { return fmt.Errorf("no interface is present, except loopback") @@ -518,7 +548,7 @@ func (FilterOutputInterfaceAccept) ContainerAction(ctx context.Context, ip net.I } // LocalAction implements TestCase.LocalAction. -func (FilterOutputInterfaceAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInterfaceAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return listenUDP(ctx, acceptPort) } 
@@ -526,13 +556,15 @@ func (FilterOutputInterfaceAccept) LocalAction(ctx context.Context, ip net.IP, i // matching the iptables rule. type FilterOutputInterfaceDrop struct{ localCase } +var _ TestCase = (*FilterOutputInterfaceDrop)(nil) + // Name implements TestCase.Name. -func (FilterOutputInterfaceDrop) Name() string { +func (*FilterOutputInterfaceDrop) Name() string { return "FilterOutputInterfaceDrop" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputInterfaceDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInterfaceDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { ifname, ok := getInterfaceName() if !ok { return fmt.Errorf("no interface is present, except loopback") @@ -545,7 +577,7 @@ func (FilterOutputInterfaceDrop) ContainerAction(ctx context.Context, ip net.IP, } // LocalAction implements TestCase.LocalAction. -func (FilterOutputInterfaceDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInterfaceDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() if err := listenUDP(timedCtx, acceptPort); err == nil { 
@@ -561,13 +593,15 @@ func (FilterOutputInterfaceDrop) LocalAction(ctx context.Context, ip net.IP, ipv // not matching the interface name in the iptables rule. type FilterOutputInterface struct{ localCase } +var _ TestCase = (*FilterOutputInterface)(nil) + // Name implements TestCase.Name. -func (FilterOutputInterface) Name() string { +func (*FilterOutputInterface) Name() string { return "FilterOutputInterface" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputInterface) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInterface) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "udp", "-o", "lo", "-j", "DROP"); err != nil { return err } @@ -576,7 +610,7 @@ func (FilterOutputInterface) ContainerAction(ctx context.Context, ip net.IP, ipv } // LocalAction implements TestCase.LocalAction. -func (FilterOutputInterface) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInterface) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return listenUDP(ctx, acceptPort) } @@ -584,13 +618,15 @@ func (FilterOutputInterface) LocalAction(ctx context.Context, ip net.IP, ipv6 bo // interface which begins with the given interface name. type FilterOutputInterfaceBeginsWith struct{ localCase } +var _ TestCase = (*FilterOutputInterfaceBeginsWith)(nil) + // Name implements TestCase.Name. -func (FilterOutputInterfaceBeginsWith) Name() string { +func (*FilterOutputInterfaceBeginsWith) Name() string { return "FilterOutputInterfaceBeginsWith" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputInterfaceBeginsWith) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInterfaceBeginsWith) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "udp", "-o", "e+", "-j", "DROP"); err != nil { return err } 
@@ -599,7 +635,7 @@ func (FilterOutputInterfaceBeginsWith) ContainerAction(ctx context.Context, ip n } // LocalAction implements TestCase.LocalAction. -func (FilterOutputInterfaceBeginsWith) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInterfaceBeginsWith) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() if err := listenUDP(timedCtx, acceptPort); err == nil { @@ -615,13 +651,15 @@ func (FilterOutputInterfaceBeginsWith) LocalAction(ctx context.Context, ip net.I // packets via interface not matching the interface name. type FilterOutputInterfaceInvertDrop struct{ baseCase } +var _ TestCase = (*FilterOutputInterfaceInvertDrop)(nil) + // Name implements TestCase.Name. -func (FilterOutputInterfaceInvertDrop) Name() string { +func (*FilterOutputInterfaceInvertDrop) Name() string { return "FilterOutputInterfaceInvertDrop" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputInterfaceInvertDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInterfaceInvertDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "tcp", "!", "-o", "lo", "-j", "DROP"); err != nil { return err } @@ -639,7 +677,7 @@ func (FilterOutputInterfaceInvertDrop) ContainerAction(ctx context.Context, ip n } // LocalAction implements TestCase.LocalAction. -func (FilterOutputInterfaceInvertDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInterfaceInvertDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() if err := connectTCP(timedCtx, ip, acceptPort); err == nil { 
@@ -653,13 +691,15 @@ func (FilterOutputInterfaceInvertDrop) LocalAction(ctx context.Context, ip net.I // not matching the specific outgoing interface. type FilterOutputInterfaceInvertAccept struct{ baseCase } +var _ TestCase = (*FilterOutputInterfaceInvertAccept)(nil) + // Name implements TestCase.Name. -func (FilterOutputInterfaceInvertAccept) Name() string { +func (*FilterOutputInterfaceInvertAccept) Name() string { return "FilterOutputInterfaceInvertAccept" } // ContainerAction implements TestCase.ContainerAction. -func (FilterOutputInterfaceInvertAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInterfaceInvertAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "tcp", "!", "-o", "lo", "-j", "ACCEPT"); err != nil { return err } @@ -669,6 +709,6 @@ func (FilterOutputInterfaceInvertAccept) ContainerAction(ctx context.Context, ip } // LocalAction implements TestCase.LocalAction. -func (FilterOutputInterfaceInvertAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*FilterOutputInterfaceInvertAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return connectTCP(ctx, ip, acceptPort) } diff --git a/test/iptables/iptables.go b/test/iptables/iptables.go index c2a03f54c..970587a02 100644 --- a/test/iptables/iptables.go +++ b/test/iptables/iptables.go @@ -64,12 +64,12 @@ type TestCase interface { type baseCase struct{} // ContainerSufficient implements TestCase.ContainerSufficient. -func (baseCase) ContainerSufficient() bool { +func (*baseCase) ContainerSufficient() bool { return false } // LocalSufficient implements TestCase.LocalSufficient. -func (baseCase) LocalSufficient() bool { +func (*baseCase) LocalSufficient() bool { return false } 
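Review bot: Switching baseCase (this hunk's `@@ -64,12 +64,12 @@` part), localCase and containerCase (the `@@ -78` and `@@ -92` hunks on the next line) to pointer receivers means ContainerSufficient and LocalSufficient are promoted only into the method set of `*T` for any `T struct{ baseCase }`, so a value `T{}` no longer satisfies TestCase, and the resulting compile error appears at the RegisterTestCase or singleTest call site rather than at the type that is wrong. A short comment on the helper types would save the next author that detour, e.g. `// baseCase uses pointer receivers; types embedding it satisfy TestCase only as *T, so register them with &T{}.` above `type baseCase struct{}`, and the same wording on localCase and containerCase. The `var _ TestCase = (*T)(nil)` guards added throughout filter_output.go already make this explicit per concrete type, so the helper-type comment is the only piece of that contract still undocumented in this change.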
@@ -78,12 +78,12 @@ func (baseCase) LocalSufficient() bool {
 type localCase struct{}
 
 // ContainerSufficient implements TestCase.ContainerSufficient.
-func (localCase) ContainerSufficient() bool {
+func (*localCase) ContainerSufficient() bool {
 return false
 }
 
 // LocalSufficient implements TestCase.LocalSufficient.
-func (localCase) LocalSufficient() bool {
+func (*localCase) LocalSufficient() bool {
 return true
 }
 
@@ -92,12 +92,12 @@ func (localCase) LocalSufficient() bool {
 type containerCase struct{}
 
 // ContainerSufficient implements TestCase.ContainerSufficient.
-func (containerCase) ContainerSufficient() bool {
+func (*containerCase) ContainerSufficient() bool {
 return true
 }
 
 // LocalSufficient implements TestCase.LocalSufficient.
-func (containerCase) LocalSufficient() bool {
+func (*containerCase) LocalSufficient() bool {
 return false
 }
 
diff --git a/test/iptables/iptables_test.go b/test/iptables/iptables_test.go
index ef92e3fff..d6c69a319 100644
--- a/test/iptables/iptables_test.go
+++ b/test/iptables/iptables_test.go
@@ -166,254 +166,254 @@ func sendIP(ip net.IP) error { } func TestFilterInputDropUDP(t *testing.T) { - singleTest(t, FilterInputDropUDP{}) + singleTest(t, &FilterInputDropUDP{}) } func TestFilterInputDropUDPPort(t *testing.T) { - singleTest(t, FilterInputDropUDPPort{}) + singleTest(t, &FilterInputDropUDPPort{}) } func TestFilterInputDropDifferentUDPPort(t *testing.T) { - singleTest(t, FilterInputDropDifferentUDPPort{}) + singleTest(t, &FilterInputDropDifferentUDPPort{}) } func TestFilterInputDropAll(t *testing.T) { - singleTest(t, FilterInputDropAll{}) + singleTest(t, &FilterInputDropAll{}) } func TestFilterInputDropOnlyUDP(t *testing.T) { - singleTest(t, FilterInputDropOnlyUDP{}) + singleTest(t, &FilterInputDropOnlyUDP{}) } func TestFilterInputDropTCPDestPort(t *testing.T) { - singleTest(t, FilterInputDropTCPDestPort{}) + singleTest(t, &FilterInputDropTCPDestPort{}) } func TestFilterInputDropTCPSrcPort(t *testing.T) { - singleTest(t, FilterInputDropTCPSrcPort{}) + singleTest(t, &FilterInputDropTCPSrcPort{}) } func TestFilterInputCreateUserChain(t *testing.T) { - singleTest(t, FilterInputCreateUserChain{}) + singleTest(t, &FilterInputCreateUserChain{}) } func TestFilterInputDefaultPolicyAccept(t *testing.T) { - singleTest(t, FilterInputDefaultPolicyAccept{}) + singleTest(t, &FilterInputDefaultPolicyAccept{}) } func TestFilterInputDefaultPolicyDrop(t *testing.T) { - singleTest(t, FilterInputDefaultPolicyDrop{}) + singleTest(t, &FilterInputDefaultPolicyDrop{}) } func TestFilterInputReturnUnderflow(t *testing.T) { - singleTest(t, FilterInputReturnUnderflow{}) + singleTest(t, &FilterInputReturnUnderflow{}) } func TestFilterOutputDropTCPDestPort(t *testing.T) { - singleTest(t, FilterOutputDropTCPDestPort{}) + singleTest(t, &FilterOutputDropTCPDestPort{}) } func TestFilterOutputDropTCPSrcPort(t *testing.T) { - singleTest(t, FilterOutputDropTCPSrcPort{}) + singleTest(t, &FilterOutputDropTCPSrcPort{}) } func TestFilterOutputAcceptTCPOwner(t *testing.T) { - singleTest(t, 
FilterOutputAcceptTCPOwner{}) + singleTest(t, &FilterOutputAcceptTCPOwner{}) } func TestFilterOutputDropTCPOwner(t *testing.T) { - singleTest(t, FilterOutputDropTCPOwner{}) + singleTest(t, &FilterOutputDropTCPOwner{}) } func TestFilterOutputAcceptUDPOwner(t *testing.T) { - singleTest(t, FilterOutputAcceptUDPOwner{}) + singleTest(t, &FilterOutputAcceptUDPOwner{}) } func TestFilterOutputDropUDPOwner(t *testing.T) { - singleTest(t, FilterOutputDropUDPOwner{}) + singleTest(t, &FilterOutputDropUDPOwner{}) } func TestFilterOutputOwnerFail(t *testing.T) { - singleTest(t, FilterOutputOwnerFail{}) + singleTest(t, &FilterOutputOwnerFail{}) } func TestFilterOutputAcceptGIDOwner(t *testing.T) { - singleTest(t, FilterOutputAcceptGIDOwner{}) + singleTest(t, &FilterOutputAcceptGIDOwner{}) } func TestFilterOutputDropGIDOwner(t *testing.T) { - singleTest(t, FilterOutputDropGIDOwner{}) + singleTest(t, &FilterOutputDropGIDOwner{}) } func TestFilterOutputInvertGIDOwner(t *testing.T) { - singleTest(t, FilterOutputInvertGIDOwner{}) + singleTest(t, &FilterOutputInvertGIDOwner{}) } func TestFilterOutputInvertUIDOwner(t *testing.T) { - singleTest(t, FilterOutputInvertUIDOwner{}) + singleTest(t, &FilterOutputInvertUIDOwner{}) } func TestFilterOutputInvertUIDAndGIDOwner(t *testing.T) { - singleTest(t, FilterOutputInvertUIDAndGIDOwner{}) + singleTest(t, &FilterOutputInvertUIDAndGIDOwner{}) } func TestFilterOutputInterfaceAccept(t *testing.T) { - singleTest(t, FilterOutputInterfaceAccept{}) + singleTest(t, &FilterOutputInterfaceAccept{}) } func TestFilterOutputInterfaceDrop(t *testing.T) { - singleTest(t, FilterOutputInterfaceDrop{}) + singleTest(t, &FilterOutputInterfaceDrop{}) } func TestFilterOutputInterface(t *testing.T) { - singleTest(t, FilterOutputInterface{}) + singleTest(t, &FilterOutputInterface{}) } func TestFilterOutputInterfaceBeginsWith(t *testing.T) { - singleTest(t, FilterOutputInterfaceBeginsWith{}) + singleTest(t, &FilterOutputInterfaceBeginsWith{}) } func 
TestFilterOutputInterfaceInvertDrop(t *testing.T) { - singleTest(t, FilterOutputInterfaceInvertDrop{}) + singleTest(t, &FilterOutputInterfaceInvertDrop{}) } func TestFilterOutputInterfaceInvertAccept(t *testing.T) { - singleTest(t, FilterOutputInterfaceInvertAccept{}) + singleTest(t, &FilterOutputInterfaceInvertAccept{}) } func TestJumpSerialize(t *testing.T) { - singleTest(t, FilterInputSerializeJump{}) + singleTest(t, &FilterInputSerializeJump{}) } func TestJumpBasic(t *testing.T) { - singleTest(t, FilterInputJumpBasic{}) + singleTest(t, &FilterInputJumpBasic{}) } func TestJumpReturn(t *testing.T) { - singleTest(t, FilterInputJumpReturn{}) + singleTest(t, &FilterInputJumpReturn{}) } func TestJumpReturnDrop(t *testing.T) { - singleTest(t, FilterInputJumpReturnDrop{}) + singleTest(t, &FilterInputJumpReturnDrop{}) } func TestJumpBuiltin(t *testing.T) { - singleTest(t, FilterInputJumpBuiltin{}) + singleTest(t, &FilterInputJumpBuiltin{}) } func TestJumpTwice(t *testing.T) { - singleTest(t, FilterInputJumpTwice{}) + singleTest(t, &FilterInputJumpTwice{}) } func TestInputDestination(t *testing.T) { - singleTest(t, FilterInputDestination{}) + singleTest(t, &FilterInputDestination{}) } func TestInputInvertDestination(t *testing.T) { - singleTest(t, FilterInputInvertDestination{}) + singleTest(t, &FilterInputInvertDestination{}) } func TestFilterOutputDestination(t *testing.T) { - singleTest(t, FilterOutputDestination{}) + singleTest(t, &FilterOutputDestination{}) } func TestFilterOutputInvertDestination(t *testing.T) { - singleTest(t, FilterOutputInvertDestination{}) + singleTest(t, &FilterOutputInvertDestination{}) } func TestNATPreRedirectUDPPort(t *testing.T) { - singleTest(t, NATPreRedirectUDPPort{}) + singleTest(t, &NATPreRedirectUDPPort{}) } func TestNATPreRedirectTCPPort(t *testing.T) { - singleTest(t, NATPreRedirectTCPPort{}) + singleTest(t, &NATPreRedirectTCPPort{}) } func TestNATPreRedirectTCPOutgoing(t *testing.T) { - singleTest(t, NATPreRedirectTCPOutgoing{}) 
+ singleTest(t, &NATPreRedirectTCPOutgoing{}) } func TestNATOutRedirectTCPIncoming(t *testing.T) { - singleTest(t, NATOutRedirectTCPIncoming{}) + singleTest(t, &NATOutRedirectTCPIncoming{}) } func TestNATOutRedirectUDPPort(t *testing.T) { - singleTest(t, NATOutRedirectUDPPort{}) + singleTest(t, &NATOutRedirectUDPPort{}) } func TestNATOutRedirectTCPPort(t *testing.T) { - singleTest(t, NATOutRedirectTCPPort{}) + singleTest(t, &NATOutRedirectTCPPort{}) } func TestNATDropUDP(t *testing.T) { - singleTest(t, NATDropUDP{}) + singleTest(t, &NATDropUDP{}) } func TestNATAcceptAll(t *testing.T) { - singleTest(t, NATAcceptAll{}) + singleTest(t, &NATAcceptAll{}) } func TestNATOutRedirectIP(t *testing.T) { - singleTest(t, NATOutRedirectIP{}) + singleTest(t, &NATOutRedirectIP{}) } func TestNATOutDontRedirectIP(t *testing.T) { - singleTest(t, NATOutDontRedirectIP{}) + singleTest(t, &NATOutDontRedirectIP{}) } func TestNATOutRedirectInvert(t *testing.T) { - singleTest(t, NATOutRedirectInvert{}) + singleTest(t, &NATOutRedirectInvert{}) } func TestNATPreRedirectIP(t *testing.T) { - singleTest(t, NATPreRedirectIP{}) + singleTest(t, &NATPreRedirectIP{}) } func TestNATPreDontRedirectIP(t *testing.T) { - singleTest(t, NATPreDontRedirectIP{}) + singleTest(t, &NATPreDontRedirectIP{}) } func TestNATPreRedirectInvert(t *testing.T) { - singleTest(t, NATPreRedirectInvert{}) + singleTest(t, &NATPreRedirectInvert{}) } func TestNATRedirectRequiresProtocol(t *testing.T) { - singleTest(t, NATRedirectRequiresProtocol{}) + singleTest(t, &NATRedirectRequiresProtocol{}) } func TestNATLoopbackSkipsPrerouting(t *testing.T) { - singleTest(t, NATLoopbackSkipsPrerouting{}) + singleTest(t, &NATLoopbackSkipsPrerouting{}) } func TestInputSource(t *testing.T) { - singleTest(t, FilterInputSource{}) + singleTest(t, &FilterInputSource{}) } func TestInputInvertSource(t *testing.T) { - singleTest(t, FilterInputInvertSource{}) + singleTest(t, &FilterInputInvertSource{}) } func TestInputInterfaceAccept(t *testing.T) { 
- singleTest(t, FilterInputInterfaceAccept{}) + singleTest(t, &FilterInputInterfaceAccept{}) } func TestInputInterfaceDrop(t *testing.T) { - singleTest(t, FilterInputInterfaceDrop{}) + singleTest(t, &FilterInputInterfaceDrop{}) } func TestInputInterface(t *testing.T) { - singleTest(t, FilterInputInterface{}) + singleTest(t, &FilterInputInterface{}) } func TestInputInterfaceBeginsWith(t *testing.T) { - singleTest(t, FilterInputInterfaceBeginsWith{}) + singleTest(t, &FilterInputInterfaceBeginsWith{}) } func TestInputInterfaceInvertDrop(t *testing.T) { - singleTest(t, FilterInputInterfaceInvertDrop{}) + singleTest(t, &FilterInputInterfaceInvertDrop{}) } func TestInputInterfaceInvertAccept(t *testing.T) { - singleTest(t, FilterInputInterfaceInvertAccept{}) + singleTest(t, &FilterInputInterfaceInvertAccept{}) } func TestFilterAddrs(t *testing.T) { @@ -442,17 +442,17 @@ func TestFilterAddrs(t *testing.T) { } func TestNATPreOriginalDst(t *testing.T) { - singleTest(t, NATPreOriginalDst{}) + singleTest(t, &NATPreOriginalDst{}) } func TestNATOutOriginalDst(t *testing.T) { - singleTest(t, NATOutOriginalDst{}) + singleTest(t, &NATOutOriginalDst{}) } func TestNATPreRECVORIGDSTADDR(t *testing.T) { - singleTest(t, NATPreRECVORIGDSTADDR{}) + singleTest(t, &NATPreRECVORIGDSTADDR{}) } func TestNATOutRECVORIGDSTADDR(t *testing.T) { - singleTest(t, NATOutRECVORIGDSTADDR{}) + singleTest(t, &NATOutRECVORIGDSTADDR{}) } diff --git a/test/iptables/nat.go b/test/iptables/nat.go index c3874240f..7ff8510a7 100644 --- a/test/iptables/nat.go +++ b/test/iptables/nat.go 
@@ -28,38 +28,40 @@ import ( const redirectPort = 42 func init() { - RegisterTestCase(NATPreRedirectUDPPort{}) - RegisterTestCase(NATPreRedirectTCPPort{}) - RegisterTestCase(NATPreRedirectTCPOutgoing{}) - RegisterTestCase(NATOutRedirectTCPIncoming{}) - RegisterTestCase(NATOutRedirectUDPPort{}) - RegisterTestCase(NATOutRedirectTCPPort{}) - RegisterTestCase(NATDropUDP{}) - RegisterTestCase(NATAcceptAll{}) - RegisterTestCase(NATPreRedirectIP{}) - RegisterTestCase(NATPreDontRedirectIP{}) - RegisterTestCase(NATPreRedirectInvert{}) - RegisterTestCase(NATOutRedirectIP{}) - RegisterTestCase(NATOutDontRedirectIP{}) - RegisterTestCase(NATOutRedirectInvert{}) - RegisterTestCase(NATRedirectRequiresProtocol{}) - RegisterTestCase(NATLoopbackSkipsPrerouting{}) - RegisterTestCase(NATPreOriginalDst{}) - RegisterTestCase(NATOutOriginalDst{}) - RegisterTestCase(NATPreRECVORIGDSTADDR{}) - RegisterTestCase(NATOutRECVORIGDSTADDR{}) + RegisterTestCase(&NATPreRedirectUDPPort{}) + RegisterTestCase(&NATPreRedirectTCPPort{}) + RegisterTestCase(&NATPreRedirectTCPOutgoing{}) + RegisterTestCase(&NATOutRedirectTCPIncoming{}) + RegisterTestCase(&NATOutRedirectUDPPort{}) + RegisterTestCase(&NATOutRedirectTCPPort{}) + RegisterTestCase(&NATDropUDP{}) + RegisterTestCase(&NATAcceptAll{}) + RegisterTestCase(&NATPreRedirectIP{}) + RegisterTestCase(&NATPreDontRedirectIP{}) + RegisterTestCase(&NATPreRedirectInvert{}) + RegisterTestCase(&NATOutRedirectIP{}) + RegisterTestCase(&NATOutDontRedirectIP{}) + RegisterTestCase(&NATOutRedirectInvert{}) + RegisterTestCase(&NATRedirectRequiresProtocol{}) + RegisterTestCase(&NATLoopbackSkipsPrerouting{}) + RegisterTestCase(&NATPreOriginalDst{}) + RegisterTestCase(&NATOutOriginalDst{}) + RegisterTestCase(&NATPreRECVORIGDSTADDR{}) + RegisterTestCase(&NATOutRECVORIGDSTADDR{}) } // NATPreRedirectUDPPort tests that packets are redirected to different port. 
type NATPreRedirectUDPPort struct{ containerCase } +var _ TestCase = (*NATPreRedirectUDPPort)(nil) + // Name implements TestCase.Name. -func (NATPreRedirectUDPPort) Name() string { +func (*NATPreRedirectUDPPort) Name() string { return "NATPreRedirectUDPPort" } // ContainerAction implements TestCase.ContainerAction. -func (NATPreRedirectUDPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATPreRedirectUDPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := natTable(ipv6, "-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", redirectPort)); err != nil { return err } @@ -72,20 +74,22 @@ func (NATPreRedirectUDPPort) ContainerAction(ctx context.Context, ip net.IP, ipv } // LocalAction implements TestCase.LocalAction. -func (NATPreRedirectUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATPreRedirectUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } // NATPreRedirectTCPPort tests that connections are redirected on specified ports. type NATPreRedirectTCPPort struct{ baseCase } +var _ TestCase = (*NATPreRedirectTCPPort)(nil) + // Name implements TestCase.Name. -func (NATPreRedirectTCPPort) Name() string { +func (*NATPreRedirectTCPPort) Name() string { return "NATPreRedirectTCPPort" } // ContainerAction implements TestCase.ContainerAction. -func (NATPreRedirectTCPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATPreRedirectTCPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := natTable(ipv6, "-A", "PREROUTING", "-p", "tcp", "-m", "tcp", "--dport", fmt.Sprintf("%d", dropPort), "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", acceptPort)); err != nil { return err } 
@@ -95,7 +99,7 @@ func (NATPreRedirectTCPPort) ContainerAction(ctx context.Context, ip net.IP, ipv
 }
 
 // LocalAction implements TestCase.LocalAction.
-func (NATPreRedirectTCPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
+func (*NATPreRedirectTCPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
 return connectTCP(ctx, ip, dropPort)
 }
 
@@ -103,13 +107,15 @@ func (NATPreRedirectTCPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bo
 // affected by PREROUTING connection tracking.
 type NATPreRedirectTCPOutgoing struct{ baseCase }
 
+var _ TestCase = (*NATPreRedirectTCPOutgoing)(nil)
+
 // Name implements TestCase.Name.
-func (NATPreRedirectTCPOutgoing) Name() string {
+func (*NATPreRedirectTCPOutgoing) Name() string {
 return "NATPreRedirectTCPOutgoing"
 }
 
 // ContainerAction implements TestCase.ContainerAction.
-func (NATPreRedirectTCPOutgoing) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error {
+func (*NATPreRedirectTCPOutgoing) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error {
 // Redirect all incoming TCP traffic to a closed port.
 if err := natTable(ipv6, "-A", "PREROUTING", "-p", "tcp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", dropPort)); err != nil {
 return err
@@ -120,7 +126,7 @@ func (NATPreRedirectTCPOutgoing) ContainerAction(ctx context.Context, ip net.IP,
 }
 
 // LocalAction implements TestCase.LocalAction.
-func (NATPreRedirectTCPOutgoing) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
+func (*NATPreRedirectTCPOutgoing) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
 return listenTCP(ctx, acceptPort)
 }
 
@@ -128,13 +134,15 @@ func (NATPreRedirectTCPOutgoing) LocalAction(ctx context.Context, ip net.IP, ipv
 // affected by OUTPUT connection tracking.
 type NATOutRedirectTCPIncoming struct{ baseCase }
 
+var _ TestCase = (*NATOutRedirectTCPIncoming)(nil)
+
 // Name implements TestCase.Name.
-func (NATOutRedirectTCPIncoming) Name() string {
+func (*NATOutRedirectTCPIncoming) Name() string {
 return "NATOutRedirectTCPIncoming"
 }
 
 // ContainerAction implements TestCase.ContainerAction.
-func (NATOutRedirectTCPIncoming) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error {
+func (*NATOutRedirectTCPIncoming) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error {
 // Redirect all outgoing TCP traffic to a closed port.
 if err := natTable(ipv6, "-A", "OUTPUT", "-p", "tcp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", dropPort)); err != nil {
 return err
@@ -145,25 +153,27 @@ func (NATOutRedirectTCPIncoming) ContainerAction(ctx context.Context, ip net.IP, } // LocalAction implements TestCase.LocalAction. -func (NATOutRedirectTCPIncoming) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATOutRedirectTCPIncoming) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return connectTCP(ctx, ip, acceptPort) } // NATOutRedirectUDPPort tests that packets are redirected to different port. type NATOutRedirectUDPPort struct{ containerCase } +var _ TestCase = (*NATOutRedirectUDPPort)(nil) + // Name implements TestCase.Name. -func (NATOutRedirectUDPPort) Name() string { +func (*NATOutRedirectUDPPort) Name() string { return "NATOutRedirectUDPPort" } // ContainerAction implements TestCase.ContainerAction. -func (NATOutRedirectUDPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATOutRedirectUDPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { return loopbackTest(ctx, ipv6, net.ParseIP(nowhereIP(ipv6)), "-A", "OUTPUT", "-p", "udp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", acceptPort)) } // LocalAction implements TestCase.LocalAction. -func (NATOutRedirectUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATOutRedirectUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // No-op. return nil } 
@@ -172,13 +182,15 @@ func (NATOutRedirectUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bo // port. type NATDropUDP struct{ containerCase } +var _ TestCase = (*NATDropUDP)(nil) + // Name implements TestCase.Name. -func (NATDropUDP) Name() string { +func (*NATDropUDP) Name() string { return "NATDropUDP" } // ContainerAction implements TestCase.ContainerAction. -func (NATDropUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATDropUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := natTable(ipv6, "-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", redirectPort)); err != nil { return err } @@ -195,20 +207,22 @@ func (NATDropUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) err } // LocalAction implements TestCase.LocalAction. -func (NATDropUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATDropUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } // NATAcceptAll tests that all UDP packets are accepted. type NATAcceptAll struct{ containerCase } +var _ TestCase = (*NATAcceptAll)(nil) + // Name implements TestCase.Name. -func (NATAcceptAll) Name() string { +func (*NATAcceptAll) Name() string { return "NATAcceptAll" } // ContainerAction implements TestCase.ContainerAction. -func (NATAcceptAll) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATAcceptAll) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := natTable(ipv6, "-A", "PREROUTING", "-p", "udp", "-j", "ACCEPT"); err != nil { return err } 
@@ -221,7 +235,7 @@ func (NATAcceptAll) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) e } // LocalAction implements TestCase.LocalAction. -func (NATAcceptAll) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATAcceptAll) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } @@ -229,13 +243,15 @@ func (NATAcceptAll) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error // redirects them. type NATOutRedirectIP struct{ baseCase } +var _ TestCase = (*NATOutRedirectIP)(nil) + // Name implements TestCase.Name. -func (NATOutRedirectIP) Name() string { +func (*NATOutRedirectIP) Name() string { return "NATOutRedirectIP" } // ContainerAction implements TestCase.ContainerAction. -func (NATOutRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATOutRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Redirect OUTPUT packets to a listening localhost port. return loopbackTest(ctx, ipv6, net.ParseIP(nowhereIP(ipv6)), "-A", "OUTPUT", @@ -245,7 +261,7 @@ func (NATOutRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 boo } // LocalAction implements TestCase.LocalAction. -func (NATOutRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATOutRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // No-op. return nil } 
@@ -254,13 +270,15 @@ func (NATOutRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) e // packets it shouldn't. type NATOutDontRedirectIP struct{ localCase } +var _ TestCase = (*NATOutDontRedirectIP)(nil) + // Name implements TestCase.Name. -func (NATOutDontRedirectIP) Name() string { +func (*NATOutDontRedirectIP) Name() string { return "NATOutDontRedirectIP" } // ContainerAction implements TestCase.ContainerAction. -func (NATOutDontRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATOutDontRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := natTable(ipv6, "-A", "OUTPUT", "-d", localIP(ipv6), "-p", "udp", "-j", "REDIRECT", "--to-port", fmt.Sprintf("%d", dropPort)); err != nil { return err } @@ -268,20 +286,22 @@ func (NATOutDontRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 } // LocalAction implements TestCase.LocalAction. -func (NATOutDontRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATOutDontRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return listenUDP(ctx, acceptPort) } // NATOutRedirectInvert tests that iptables can match with "! -d". type NATOutRedirectInvert struct{ baseCase } +var _ TestCase = (*NATOutRedirectInvert)(nil) + // Name implements TestCase.Name. -func (NATOutRedirectInvert) Name() string { +func (*NATOutRedirectInvert) Name() string { return "NATOutRedirectInvert" } // ContainerAction implements TestCase.ContainerAction. -func (NATOutRedirectInvert) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATOutRedirectInvert) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Redirect OUTPUT packets to a listening localhost port. dest := "192.0.2.2" if ipv6 { 
@@ -295,7 +315,7 @@ func (NATOutRedirectInvert) ContainerAction(ctx context.Context, ip net.IP, ipv6 } // LocalAction implements TestCase.LocalAction. -func (NATOutRedirectInvert) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATOutRedirectInvert) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // No-op. return nil } @@ -304,13 +324,15 @@ func (NATOutRedirectInvert) LocalAction(ctx context.Context, ip net.IP, ipv6 boo // destination IP and redirect them. type NATPreRedirectIP struct{ containerCase } +var _ TestCase = (*NATPreRedirectIP)(nil) + // Name implements TestCase.Name. -func (NATPreRedirectIP) Name() string { +func (*NATPreRedirectIP) Name() string { return "NATPreRedirectIP" } // ContainerAction implements TestCase.ContainerAction. -func (NATPreRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATPreRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { addrs, err := localAddrs(ipv6) if err != nil { return err @@ -327,7 +349,7 @@ func (NATPreRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 boo } // LocalAction implements TestCase.LocalAction. -func (NATPreRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATPreRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, dropPort) } 
@@ -335,13 +357,15 @@ func (NATPreRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) e // packets it shouldn't. type NATPreDontRedirectIP struct{ containerCase } +var _ TestCase = (*NATPreDontRedirectIP)(nil) + // Name implements TestCase.Name. -func (NATPreDontRedirectIP) Name() string { +func (*NATPreDontRedirectIP) Name() string { return "NATPreDontRedirectIP" } // ContainerAction implements TestCase.ContainerAction. -func (NATPreDontRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATPreDontRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := natTable(ipv6, "-A", "PREROUTING", "-p", "udp", "-d", localIP(ipv6), "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", dropPort)); err != nil { return err } @@ -349,20 +373,22 @@ func (NATPreDontRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 } // LocalAction implements TestCase.LocalAction. -func (NATPreDontRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATPreDontRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { return sendUDPLoop(ctx, ip, acceptPort) } // NATPreRedirectInvert tests that iptables can match with "! -d". type NATPreRedirectInvert struct{ containerCase } +var _ TestCase = (*NATPreRedirectInvert)(nil) + // Name implements TestCase.Name. -func (NATPreRedirectInvert) Name() string { +func (*NATPreRedirectInvert) Name() string { return "NATPreRedirectInvert" } // ContainerAction implements TestCase.ContainerAction. -func (NATPreRedirectInvert) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATPreRedirectInvert) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { if err := natTable(ipv6, "-A", "PREROUTING", "-p", "udp", "!", "-d", localIP(ipv6), "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", acceptPort)); err != nil { return err } 
@@ -370,7 +396,7 @@ func (NATPreRedirectInvert) ContainerAction(ctx context.Context, ip net.IP, ipv6
 }
 
 // LocalAction implements TestCase.LocalAction.
-func (NATPreRedirectInvert) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
+func (*NATPreRedirectInvert) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
 return sendUDPLoop(ctx, ip, dropPort)
 }
 
@@ -378,13 +404,15 @@ func (NATPreRedirectInvert) LocalAction(ctx context.Context, ip net.IP, ipv6 boo
 // protocol to be specified with -p.
 type NATRedirectRequiresProtocol struct{ baseCase }
 
+var _ TestCase = (*NATRedirectRequiresProtocol)(nil)
+
 // Name implements TestCase.Name.
-func (NATRedirectRequiresProtocol) Name() string {
+func (*NATRedirectRequiresProtocol) Name() string {
 return "NATRedirectRequiresProtocol"
 }
 
 // ContainerAction implements TestCase.ContainerAction.
-func (NATRedirectRequiresProtocol) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error {
+func (*NATRedirectRequiresProtocol) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error {
 if err := natTable(ipv6, "-A", "PREROUTING", "-d", localIP(ipv6), "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", acceptPort)); err == nil {
 return errors.New("expected an error using REDIRECT --to-ports without a protocol")
 }
@@ -392,7 +420,7 @@ func (NATRedirectRequiresProtocol) ContainerAction(ctx context.Context, ip net.I
 }
 
 // LocalAction implements TestCase.LocalAction.
-func (NATRedirectRequiresProtocol) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
+func (*NATRedirectRequiresProtocol) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
 // No-op.
 return nil
 }
@@ -400,13 +428,15 @@ func (NATRedirectRequiresProtocol) LocalAction(ctx context.Context, ip net.IP, i
 // NATOutRedirectTCPPort tests that connections are redirected on specified ports.
 type NATOutRedirectTCPPort struct{ baseCase }
 
+var _ TestCase = (*NATOutRedirectTCPPort)(nil)
+
 // Name implements TestCase.Name.
-func (NATOutRedirectTCPPort) Name() string {
+func (*NATOutRedirectTCPPort) Name() string {
 return "NATOutRedirectTCPPort"
 }
 
 // ContainerAction implements TestCase.ContainerAction.
-func (NATOutRedirectTCPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error {
+func (*NATOutRedirectTCPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error {
 if err := natTable(ipv6, "-A", "OUTPUT", "-p", "tcp", "-m", "tcp", "--dport", fmt.Sprintf("%d", dropPort), "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", acceptPort)); err != nil {
 return err
 }
@@ -438,7 +468,7 @@ func (NATOutRedirectTCPPort) ContainerAction(ctx context.Context, ip net.IP, ipv
 }
 
 // LocalAction implements TestCase.LocalAction.
-func (NATOutRedirectTCPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
+func (*NATOutRedirectTCPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
 return nil
 }
 
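Review bot: NATOutRedirectTCPPort.LocalAction in the second hunk on this line returns nil without the `// No-op.` comment that every other intentionally empty LocalAction in nat.go carries (NATOutRedirectUDPPort, NATOutRedirectIP, NATOutRedirectInvert, NATRedirectRequiresProtocol, NATLoopbackSkipsPrerouting). Since the commit already rewrites the signature line, adding `// No-op.` above `return nil` would state that the local side deliberately does nothing and keep the file uniform.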
@@ -446,13 +476,15 @@ func (NATOutRedirectTCPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bo // affected by PREROUTING rules. type NATLoopbackSkipsPrerouting struct{ baseCase } +var _ TestCase = (*NATLoopbackSkipsPrerouting)(nil) + // Name implements TestCase.Name. -func (NATLoopbackSkipsPrerouting) Name() string { +func (*NATLoopbackSkipsPrerouting) Name() string { return "NATLoopbackSkipsPrerouting" } // ContainerAction implements TestCase.ContainerAction. -func (NATLoopbackSkipsPrerouting) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATLoopbackSkipsPrerouting) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Redirect anything sent to localhost to an unused port. dest := []byte{127, 0, 0, 1} if err := natTable(ipv6, "-A", "PREROUTING", "-p", "tcp", "-j", "REDIRECT", "--to-port", fmt.Sprintf("%d", dropPort)); err != nil { @@ -473,7 +505,7 @@ func (NATLoopbackSkipsPrerouting) ContainerAction(ctx context.Context, ip net.IP } // LocalAction implements TestCase.LocalAction. -func (NATLoopbackSkipsPrerouting) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATLoopbackSkipsPrerouting) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // No-op. return nil } @@ -482,13 +514,15 @@ func (NATLoopbackSkipsPrerouting) LocalAction(ctx context.Context, ip net.IP, ip // of PREROUTING NATted packets. type NATPreOriginalDst struct{ baseCase } +var _ TestCase = (*NATPreOriginalDst)(nil) + // Name implements TestCase.Name. -func (NATPreOriginalDst) Name() string { +func (*NATPreOriginalDst) Name() string { return "NATPreOriginalDst" } // ContainerAction implements TestCase.ContainerAction. -func (NATPreOriginalDst) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { +func (*NATPreOriginalDst) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Redirect incoming TCP connections to acceptPort. if err := natTable(ipv6, "-A", "PREROUTING", "-p", "tcp", 
@@ -505,7 +539,7 @@ func (NATPreOriginalDst) ContainerAction(ctx context.Context, ip net.IP, ipv6 bo
 }
 
 // LocalAction implements TestCase.LocalAction.
-func (NATPreOriginalDst) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
+func (*NATPreOriginalDst) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
 return connectTCP(ctx, ip, dropPort)
 }
 
@@ -513,13 +547,15 @@ func (NATPreOriginalDst) LocalAction(ctx context.Context, ip net.IP, ipv6 bool)
 // of OUTBOUND NATted packets.
 type NATOutOriginalDst struct{ baseCase }
 
+var _ TestCase = (*NATOutOriginalDst)(nil)
+
 // Name implements TestCase.Name.
-func (NATOutOriginalDst) Name() string {
+func (*NATOutOriginalDst) Name() string {
 return "NATOutOriginalDst"
 }
 
 // ContainerAction implements TestCase.ContainerAction.
-func (NATOutOriginalDst) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error {
+func (*NATOutOriginalDst) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error {
 // Redirect incoming TCP connections to acceptPort.
 if err := natTable(ipv6, "-A", "OUTPUT", "-p", "tcp", "-j", "REDIRECT", "--to-port", fmt.Sprintf("%d", acceptPort)); err != nil {
 return err
@@ -537,7 +573,7 @@ func (NATOutOriginalDst) ContainerAction(ctx context.Context, ip net.IP, ipv6 bo
 }
 
 // LocalAction implements TestCase.LocalAction.
-func (NATOutOriginalDst) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
+func (*NATOutOriginalDst) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
 // No-op.
 return nil
 }
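Review bot: The comment inside NATOutOriginalDst.ContainerAction in the second hunk on this line reads `// Redirect incoming TCP connections to acceptPort.`, but the rule it precedes is appended to the OUTPUT chain, which only sees locally generated connections; the wording appears copied from NATPreOriginalDst, whose rule is on PREROUTING. Suggest `// Redirect outgoing TCP connections to acceptPort.` so the comment matches the chain being programmed, in line with the type's own doc comment about OUTBOUND packets. The rest of ContainerAction lies outside the hunk, so the listener side of the test cannot be checked here.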
@@ -650,13 +686,15 @@ func loopbackTest(ctx context.Context, ipv6 bool, dest net.IP, args ...string) e
 // address on the PREROUTING chain.
 type NATPreRECVORIGDSTADDR struct{ containerCase }
 
+var _ TestCase = (*NATPreRECVORIGDSTADDR)(nil)
+
 // Name implements TestCase.Name.
-func (NATPreRECVORIGDSTADDR) Name() string {
+func (*NATPreRECVORIGDSTADDR) Name() string {
 	return "NATPreRECVORIGDSTADDR"
 }
 
 // ContainerAction implements TestCase.ContainerAction.
-func (NATPreRECVORIGDSTADDR) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error {
+func (*NATPreRECVORIGDSTADDR) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error {
 	if err := natTable(ipv6, "-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", redirectPort)); err != nil {
 		return err
 	}
@@ -669,7 +707,7 @@ func (NATPreRECVORIGDSTADDR) ContainerAction(ctx context.Context, ip net.IP, ipv
 }
 
 // LocalAction implements TestCase.LocalAction.
-func (NATPreRECVORIGDSTADDR) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
+func (*NATPreRECVORIGDSTADDR) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
 	return sendUDPLoop(ctx, ip, acceptPort)
 }
 
@@ -677,13 +715,15 @@ func (NATPreRECVORIGDSTADDR) LocalAction(ctx context.Context, ip net.IP, ipv6 bo
 // address on the OUTPUT chain.
 type NATOutRECVORIGDSTADDR struct{ containerCase }
 
+var _ TestCase = (*NATOutRECVORIGDSTADDR)(nil)
+
 // Name implements TestCase.Name.
-func (NATOutRECVORIGDSTADDR) Name() string {
+func (*NATOutRECVORIGDSTADDR) Name() string {
 	return "NATOutRECVORIGDSTADDR"
 }
 
 // ContainerAction implements TestCase.ContainerAction.
-func (NATOutRECVORIGDSTADDR) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error {
+func (*NATOutRECVORIGDSTADDR) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error {
 	if err := natTable(ipv6, "-A", "OUTPUT", "-p", "udp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", redirectPort)); err != nil {
 		return err
 	}
@@ -712,7 +752,7 @@ func (NATOutRECVORIGDSTADDR) ContainerAction(ctx context.Context, ip net.IP, ipv
 }
 
 // LocalAction implements TestCase.LocalAction.
-func (NATOutRECVORIGDSTADDR) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
+func (*NATOutRECVORIGDSTADDR) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
 	// No-op.
 	return nil
 }
