Diffstat (limited to 'test/iptables')
-rw-r--r-- | test/iptables/BUILD | 9 | ||||
-rw-r--r-- | test/iptables/README.md | 2 | ||||
-rw-r--r-- | test/iptables/filter_input.go | 30 | ||||
-rw-r--r-- | test/iptables/iptables_test.go | 10 | ||||
-rw-r--r-- | test/iptables/iptables_util.go | 39 | ||||
-rw-r--r-- | test/iptables/runner/BUILD | 13 |
6 files changed, 73 insertions, 30 deletions
diff --git a/test/iptables/BUILD b/test/iptables/BUILD
index 372ba7abf..6bb3b82b5 100644
--- a/test/iptables/BUILD
+++ b/test/iptables/BUILD
@@ -1,9 +1,10 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
+load("//tools:defs.bzl", "go_library", "go_test")
 
 package(licenses = ["notice"])
 
 go_library(
     name = "iptables",
+    testonly = 1,
     srcs = [
         "filter_input.go",
         "filter_output.go",
@@ -11,8 +12,10 @@ go_library(
         "iptables_util.go",
         "nat.go",
     ],
-    importpath = "gvisor.dev/gvisor/test/iptables",
     visibility = ["//test/iptables:__subpackages__"],
+    deps = [
+        "//runsc/testutil",
+    ],
 )
 
 go_test(
@@ -20,7 +23,7 @@ go_test(
     srcs = [
         "iptables_test.go",
     ],
-    embed = [":iptables"],
+    library = ":iptables",
     tags = [
         "local",
         "manual",
diff --git a/test/iptables/README.md b/test/iptables/README.md
index 9f8e34420..8f61b4c41 100644
--- a/test/iptables/README.md
+++ b/test/iptables/README.md
@@ -28,7 +28,7 @@ Your test is now runnable with bazel!
 Build the testing Docker container:
 
 ```bash
-$ bazel run //test/iptables/runner -- --norun
+$ bazel run //test/iptables/runner-image -- --norun
 ```
 
 Run an individual test via:
diff --git a/test/iptables/filter_input.go b/test/iptables/filter_input.go
index 03e4a1d72..fd02ff2ff 100644
--- a/test/iptables/filter_input.go
+++ b/test/iptables/filter_input.go
@@ -30,6 +30,7 @@ const (
 func init() {
 	RegisterTestCase(FilterInputDropAll{})
 	RegisterTestCase(FilterInputDropDifferentUDPPort{})
+	RegisterTestCase(FilterInputDropOnlyUDP{})
 	RegisterTestCase(FilterInputDropTCPDestPort{})
 	RegisterTestCase(FilterInputDropTCPSrcPort{})
 	RegisterTestCase(FilterInputDropUDPPort{})
@@ -67,6 +68,35 @@ func (FilterInputDropUDP) LocalAction(ip net.IP) error {
 	return sendUDPLoop(ip, dropPort, sendloopDuration)
 }
 
+// FilterInputDropOnlyUDP tests that "-p udp -j DROP" only affects UDP traffic.
+type FilterInputDropOnlyUDP struct{}
+
+// Name implements TestCase.Name.
+func (FilterInputDropOnlyUDP) Name() string {
+	return "FilterInputDropOnlyUDP"
+}
+
+// ContainerAction implements TestCase.ContainerAction.
+func (FilterInputDropOnlyUDP) ContainerAction(ip net.IP) error {
+	if err := filterTable("-A", "INPUT", "-p", "udp", "-j", "DROP"); err != nil {
+		return err
+	}
+
+	// Listen for a TCP connection, which should be allowed.
+	if err := listenTCP(acceptPort, sendloopDuration); err != nil {
+		return fmt.Errorf("failed to establish a connection %v", err)
+	}
+
+	return nil
+}
+
+// LocalAction implements TestCase.LocalAction.
+func (FilterInputDropOnlyUDP) LocalAction(ip net.IP) error {
+	// Try to establish a TCP connection with the container, which should
+	// succeed.
+	return connectTCP(ip, acceptPort, dropPort, sendloopDuration)
+}
+
 // FilterInputDropUDPPort tests that we can drop UDP traffic by port.
 type FilterInputDropUDPPort struct{}
 
diff --git a/test/iptables/iptables_test.go b/test/iptables/iptables_test.go
index 1cda10365..41909582a 100644
--- a/test/iptables/iptables_test.go
+++ b/test/iptables/iptables_test.go
@@ -15,6 +15,7 @@ package iptables
 
 import (
+	"flag"
 	"fmt"
 	"net"
 	"os"
@@ -22,7 +23,6 @@ import (
 	"testing"
 	"time"
 
-	"flag"
 	"gvisor.dev/gvisor/pkg/log"
 	"gvisor.dev/gvisor/runsc/dockerutil"
 	"gvisor.dev/gvisor/runsc/testutil"
@@ -30,7 +30,7 @@ import (
 const timeout = 18 * time.Second
 
-var image = flag.String("image", "bazel/test/iptables/runner:runner", "image to run tests in")
+var image = flag.String("image", "bazel/test/iptables/runner:runner-image", "image to run tests in")
 
 type result struct {
 	output string
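Review bot: FilterInputDropOnlyUDP only observes the allow half of the rule: ContainerAction installs `-p udp -j DROP` and then checks that a TCP connection is accepted, but nothing in this case verifies that UDP to the container is actually dropped, so a rule that matched nothing at all would still pass. The drop half appears to be exercised by the neighbouring FilterInputDropUDP case (its LocalAction sends with `sendUDPLoop(ip, dropPort, sendloopDuration)` just above), so a one-line comment in ContainerAction stating that the UDP side is covered there would make the intent of this test explicit. The error wrap on the listenTCP failure also lacks a separator and hides which port was involved; `return fmt.Errorf("listening for TCP on port %d: %w", acceptPort, err)` (or `%v` if the toolchain predates error wrapping) would read better in a failure log. Using `dropPort` as the local source port of the TCP dial in LocalAction is presumably deliberate, to show that the port-based UDP rule does not touch TCP from the same port, and deserves a short comment saying so.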
@@ -184,6 +184,12 @@ func TestFilterInputDropAll(t *testing.T) {
 	}
 }
 
+func TestFilterInputDropOnlyUDP(t *testing.T) {
+	if err := singleTest(FilterInputDropOnlyUDP{}); err != nil {
+		t.Fatal(err)
+	}
+}
+
 func TestNATRedirectUDPPort(t *testing.T) {
 	if err := singleTest(NATRedirectUDPPort{}); err != nil {
 		t.Fatal(err)
diff --git a/test/iptables/iptables_util.go b/test/iptables/iptables_util.go
index 1c4f4f665..043114c78 100644
--- a/test/iptables/iptables_util.go
+++ b/test/iptables/iptables_util.go
@@ -19,6 +19,8 @@ import (
 	"net"
 	"os/exec"
 	"time"
+
+	"gvisor.dev/gvisor/runsc/testutil"
 )
 
 const iptablesBinary = "iptables"
@@ -105,31 +107,26 @@ func listenTCP(port int, timeout time.Duration) error {
 }
 
 // connectTCP connects the TCP server over specified local port, server IP and remote/server port.
-func connectTCP(ip net.IP, remotePort, localPort int, duration time.Duration) error {
-	remote := net.TCPAddr{
+func connectTCP(ip net.IP, remotePort, localPort int, timeout time.Duration) error {
+	contAddr := net.TCPAddr{
 		IP:   ip,
 		Port: remotePort,
 	}
-
-	local := net.TCPAddr{
-		Port: localPort,
-	}
-
-	// Container may not be up. Retry DialTCP over a duration.
-	to := time.After(duration)
-	for {
-		conn, err := net.DialTCP("tcp4", &local, &remote)
-		if err == nil {
-			conn.Close()
-			return nil
+	// The container may not be listening when we first connect, so retry
+	// upon error.
+	callback := func() error {
+		localAddr := net.TCPAddr{
+			Port: localPort,
 		}
-		select {
-		// Timed out waiting for connection to be accepted.
-		case <-to:
-			return err
-		default:
-			time.Sleep(200 * time.Millisecond)
+		conn, err := net.DialTCP("tcp4", &localAddr, &contAddr)
+		if conn != nil {
+			conn.Close()
 		}
+		return err
 	}
-	return fmt.Errorf("Failed to establish connection on port %d", localPort)
+	if err := testutil.Poll(callback, timeout); err != nil {
+		return fmt.Errorf("timed out waiting to send IP, most recent error: %v", err)
+	}
+
+	return nil
 }
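Review bot: The new failure message in connectTCP, `"timed out waiting to send IP, most recent error: %v"`, does not describe what the function does (it dials a TCP connection) and drops the addresses involved, so a firewall test that fails here will read like a UDP send problem; `return fmt.Errorf("connecting to %s:%d from local port %d: %w", ip, remotePort, localPort, err)` keeps the diagnostic tied to the rule under test and lets callers use errors.Is on the wrapped dial error. The doc comment above the signature was not updated for the renamed `timeout` parameter; it should state that the dial is retried until `timeout` elapses, e.g. `// connectTCP dials ip:remotePort from localPort, retrying until timeout elapses, since the container may not be listening yet.` The retry cadence now depends on testutil.Poll, whose interval and stop condition are not visible in this hunk, so the comment should not promise a specific sleep between attempts as the old code did.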
diff --git a/test/iptables/runner/BUILD b/test/iptables/runner/BUILD
index c6c42d870..b9199387a 100644
--- a/test/iptables/runner/BUILD
+++ b/test/iptables/runner/BUILD
@@ -1,15 +1,22 @@
-load("@io_bazel_rules_docker//go:image.bzl", "go_image")
-load("@io_bazel_rules_docker//container:container.bzl", "container_image")
+load("//tools:defs.bzl", "container_image", "go_binary", "go_image")
 
 package(licenses = ["notice"])
 
+go_binary(
+    name = "runner",
+    testonly = 1,
+    srcs = ["main.go"],
+    deps = ["//test/iptables"],
+)
+
 container_image(
     name = "iptables-base",
     base = "@iptables-test//image",
 )
 
 go_image(
-    name = "runner",
+    name = "runner-image",
+    testonly = 1,
     srcs = ["main.go"],
     base = ":iptables-base",
     deps = ["//test/iptables"],