Diffstat (limited to 'test/iptables')
-rw-r--r--test/iptables/BUILD4
-rw-r--r--test/iptables/filter_input.go30
-rw-r--r--test/iptables/iptables_test.go46
-rw-r--r--test/iptables/iptables_util.go40
-rw-r--r--test/iptables/runner/BUILD1
5 files changed, 101 insertions, 20 deletions
diff --git a/test/iptables/BUILD b/test/iptables/BUILD
index fa833c3b2..6a9d05828 100644
--- a/test/iptables/BUILD
+++ b/test/iptables/BUILD
@@ -4,6 +4,7 @@ package(licenses = ["notice"])
go_library(
name = "iptables",
+ testonly = 1,
srcs = [
"filter_input.go",
"iptables.go",
@@ -11,6 +12,9 @@ go_library(
],
importpath = "gvisor.dev/gvisor/test/iptables",
visibility = ["//test/iptables:__subpackages__"],
+ deps = [
+ "//runsc/testutil",
+ ],
)
go_test(
diff --git a/test/iptables/filter_input.go b/test/iptables/filter_input.go
index 7c4d469fa..a3f0052b5 100644
--- a/test/iptables/filter_input.go
+++ b/test/iptables/filter_input.go
@@ -28,6 +28,7 @@ const (
)
func init() {
+ RegisterTestCase(FilterInputDropOnlyUDP{})
RegisterTestCase(FilterInputDropUDP{})
RegisterTestCase(FilterInputDropUDPPort{})
RegisterTestCase(FilterInputDropDifferentUDPPort{})
@@ -65,6 +66,35 @@ func (FilterInputDropUDP) LocalAction(ip net.IP) error {
return sendUDPLoop(ip, dropPort, sendloopDuration)
}
+// FilterInputDropOnlyUDP tests that "-p udp -j DROP" only affects UDP traffic.
+type FilterInputDropOnlyUDP struct{}
+
+// Name implements TestCase.Name.
+func (FilterInputDropOnlyUDP) Name() string {
+ return "FilterInputDropOnlyUDP"
+}
+
+// ContainerAction implements TestCase.ContainerAction.
+func (FilterInputDropOnlyUDP) ContainerAction(ip net.IP) error {
+ if err := filterTable("-A", "INPUT", "-p", "udp", "-j", "DROP"); err != nil {
+ return err
+ }
+
+ // Listen for a TCP connection, which should be allowed.
+ if err := listenTCP(acceptPort, sendloopDuration); err != nil {
+ return fmt.Errorf("failed to establish a connection %v", err)
+ }
+
+ return nil
+}
+
+// LocalAction implements TestCase.LocalAction.
+func (FilterInputDropOnlyUDP) LocalAction(ip net.IP) error {
+ // Try to establish a TCP connection with the container, which should
+ // succeed.
+ return connectLoopTCP(ip, acceptPort, sendloopDuration)
+}
+
// FilterInputDropUDPPort tests that we can drop UDP traffic by port.
type FilterInputDropUDPPort struct{}
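Review bot: ContainerAction only checks that a TCP connection on acceptPort is accepted; nothing in this test observes UDP actually being dropped, so a rule that fails to apply or matches nothing would still pass FilterInputDropOnlyUDP, which undercuts the "only affects UDP" claim in its doc comment. Consider also exercising the UDP side the way FilterInputDropUDP does (its ContainerAction lies outside this hunk) so both halves of the property are verified. Separately, the wrap `return fmt.Errorf("failed to establish a connection %v", err)` repeats the text listenTCP already attaches to its error and has no separator before the cause; `return fmt.Errorf("listenTCP on port %d: %v", acceptPort, err)` (or simply `return err`) avoids the doubled message.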
diff --git a/test/iptables/iptables_test.go b/test/iptables/iptables_test.go
index 0c9dee8fe..635beea36 100644
--- a/test/iptables/iptables_test.go
+++ b/test/iptables/iptables_test.go
@@ -160,26 +160,32 @@ func logContainer(output string, err error) {
log.Infof(msg)
}
-func TestFilterInputDropUDP(t *testing.T) {
- if err := singleTest(FilterInputDropUDP{}); err != nil {
- t.Fatal(err)
- }
-}
-
-func TestFilterInputDropUDPPort(t *testing.T) {
- if err := singleTest(FilterInputDropUDPPort{}); err != nil {
- t.Fatal(err)
- }
-}
-
-func TestFilterInputDropDifferentUDPPort(t *testing.T) {
- if err := singleTest(FilterInputDropDifferentUDPPort{}); err != nil {
- t.Fatal(err)
- }
-}
-
-func TestFilterInputDropAll(t *testing.T) {
- if err := singleTest(FilterInputDropAll{}); err != nil {
+// func TestFilterInputDropUDP(t *testing.T) {
+// if err := singleTest(FilterInputDropUDP{}); err != nil {
+// t.Fatal(err)
+// }
+// }
+
+// func TestFilterInputDropUDPPort(t *testing.T) {
+// if err := singleTest(FilterInputDropUDPPort{}); err != nil {
+// t.Fatal(err)
+// }
+// }
+
+// func TestFilterInputDropDifferentUDPPort(t *testing.T) {
+// if err := singleTest(FilterInputDropDifferentUDPPort{}); err != nil {
+// t.Fatal(err)
+// }
+// }
+
+// func TestFilterInputDropAll(t *testing.T) {
+// if err := singleTest(FilterInputDropAll{}); err != nil {
+// t.Fatal(err)
+// }
+// }
+
+func TestFilterInputDropOnlyUDP(t *testing.T) {
+ if err := singleTest(FilterInputDropOnlyUDP{}); err != nil {
t.Fatal(err)
}
}
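Review bot: The four TestFilterInputDrop* functions are commented out rather than deleted or skipped, which silently drops their coverage with no record of why and leaves dead code that tooling cannot reason about. If they are being disabled temporarily, prefer a `t.Skip("<reason or tracking reference>")` at the top of each so they still compile and are reported as skipped; if they are obsolete, remove them outright. logContainer, whose tail opens this hunk, begins outside it.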
diff --git a/test/iptables/iptables_util.go b/test/iptables/iptables_util.go
index 3a4d11f1a..3dcaafb79 100644
--- a/test/iptables/iptables_util.go
+++ b/test/iptables/iptables_util.go
@@ -19,6 +19,8 @@ import (
"net"
"os/exec"
"time"
+
+ "gvisor.dev/gvisor/runsc/testutil"
)
const iptablesBinary = "iptables"
@@ -80,3 +82,41 @@ func sendUDPLoop(ip net.IP, port int, duration time.Duration) error {
return nil
}
+
+func listenTCP(port int, timeout time.Duration) error {
+ localAddr := net.TCPAddr{Port: acceptPort}
+ listener, err := net.ListenTCP("tcp4", &localAddr)
+ if err != nil {
+ return err
+ }
+ defer listener.Close()
+ listener.SetDeadline(time.Now().Add(timeout))
+ conn, err := listener.AcceptTCP()
+ if err != nil {
+ return fmt.Errorf("failed to establish a connection %v", err)
+ }
+ defer conn.Close()
+
+ return nil
+}
+
+func connectLoopTCP(ip net.IP, port int, timeout time.Duration) error {
+ contAddr := net.TCPAddr{
+ IP: ip,
+ Port: port,
+ }
+ // The container may not be listening when we first connect, so retry
+ // upon error.
+ cb := func() error {
+ conn, err := net.DialTCP("tcp4", nil, &contAddr)
+ if conn != nil {
+ conn.Close()
+ }
+ return err
+ }
+ if err := testutil.Poll(cb, timeout); err != nil {
+ return fmt.Errorf("timed out waiting to send IP, most recent error: %v", err)
+ }
+
+ return nil
+}
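Review bot: listenTCP ignores its `port` parameter and always binds acceptPort (`localAddr := net.TCPAddr{Port: acceptPort}`), so any caller passing a different port will silently listen on the wrong one; it should read `localAddr := net.TCPAddr{Port: port}`. The return value of `listener.SetDeadline(time.Now().Add(timeout))` is dropped; checking it keeps a failed deadline from turning into an unbounded AcceptTCP wait. In connectLoopTCP the failure text `"timed out waiting to send IP, most recent error: %v"` reads as copied from the UDP helper and does not describe a TCP connect; `"timed out connecting to %v, most recent error: %v"` with contAddr would be clearer.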
diff --git a/test/iptables/runner/BUILD b/test/iptables/runner/BUILD
index c6c42d870..a5b6f082c 100644
--- a/test/iptables/runner/BUILD
+++ b/test/iptables/runner/BUILD
@@ -10,6 +10,7 @@ container_image(
go_image(
name = "runner",
+ testonly = 1,
srcs = ["main.go"],
base = ":iptables-base",
deps = ["//test/iptables"],