Diffstat (limited to 'test/iptables')
-rw-r--r-- | test/iptables/README.md | 34 | ||||
-rw-r--r-- | test/iptables/filter_output.go | 19 | ||||
-rw-r--r-- | test/iptables/iptables_test.go | 4 | ||||
-rw-r--r-- | test/iptables/nat.go | 15 |
4 files changed, 62 insertions, 10 deletions
diff --git a/test/iptables/README.md b/test/iptables/README.md
index 28ab195ca..1196f8eb5 100644
--- a/test/iptables/README.md
+++ b/test/iptables/README.md
@@ -2,8 +2,38 @@ iptables tests are run via `make iptables-tests`.
-iptables requires raw socket support, so you must add the `--net-raw=true` flag
-to `/etc/docker/daemon.json` in order to use it.
+iptables require some extra Docker configuration to work. Enable IPv6 in
+`/etc/docker/daemon.json` (make sure to restart Docker if you change this file):
+
+```json
+{
+ "experimental": true,
+ "fixed-cidr-v6": "2001:db8:1::/64",
+ "ipv6": true,
+ // Runtimes and other Docker config...
+}
+```
+
+And if you're running manually (i.e. not using the `make` target), you'll need
+to:
+
+* Enable iptables via `modprobe iptables_filter && modprobe ip6table_filter`.
+* Enable `--net-raw` in your chosen runtime in `/etc/docker/daemon.json` (make
+ sure to restart Docker if you change this file).
+
+The resulting runtime should look something like this:
+
+```json
+"runsc": {
+ "path": "/tmp/iptables/runsc",
+ "runtimeArgs": [
+ "--debug-log",
+ "/tmp/iptables/logs/runsc.log.%TEST%.%TIMESTAMP%.%COMMAND%",
+ "--net-raw"
+ ]
+},
+// ...
+```
 ## Test Structure
diff --git a/test/iptables/filter_output.go b/test/iptables/filter_output.go
index 32bf2a992..f4af45e96 100644
--- a/test/iptables/filter_output.go
+++ b/test/iptables/filter_output.go
@@ -248,7 +248,7 @@ func (FilterOutputOwnerFail) Name() string {
 // ContainerAction implements TestCase.ContainerAction.
 func (FilterOutputOwnerFail) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error {
 if err := filterTable(ipv6, "-A", "OUTPUT", "-p", "udp", "-m", "owner", "-j", "ACCEPT"); err == nil {
- return fmt.Errorf("Invalid argument")
+ return fmt.Errorf("invalid argument")
 }
 return nil
@@ -441,9 +441,20 @@ func (FilterOutputDestination) Name() string {
 // ContainerAction implements TestCase.ContainerAction.
 func (FilterOutputDestination) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- rules := [][]string{
- {"-A", "OUTPUT", "-d", ip.String(), "-j", "ACCEPT"},
- {"-P", "OUTPUT", "DROP"},
+ var rules [][]string
+ if ipv6 {
+ rules = [][]string{
+ {"-A", "OUTPUT", "-d", ip.String(), "-j", "ACCEPT"},
+ // Allow solicited node multicast addresses so we can send neighbor
+ // solicitations.
+ {"-A", "OUTPUT", "-d", "ff02::1:ff00:0/104", "-j", "ACCEPT"},
+ {"-P", "OUTPUT", "DROP"},
+ }
+ } else {
+ rules = [][]string{
+ {"-A", "OUTPUT", "-d", ip.String(), "-j", "ACCEPT"},
+ {"-P", "OUTPUT", "DROP"},
+ }
 }
 if err := filterTableRules(ipv6, rules); err != nil {
 return err
diff --git a/test/iptables/iptables_test.go b/test/iptables/iptables_test.go
index 834f7615f..4733146c0 100644
--- a/test/iptables/iptables_test.go
+++ b/test/iptables/iptables_test.go
@@ -89,6 +89,10 @@ func iptablesTest(t *testing.T, test TestCase, ipv6 bool) {
 // Get the container IP.
 ip, err := d.FindIP(ctx, ipv6)
 if err != nil {
+ // If ipv6 is not configured, don't fail.
+ if ipv6 && err == dockerutil.ErrNoIP {
+ t.Skipf("No ipv6 address is available.")
+ }
 t.Fatalf("failed to get container IP: %v", err)
 }
diff --git a/test/iptables/nat.go b/test/iptables/nat.go
index dd9a18339..b98d99fb8 100644
--- a/test/iptables/nat.go
+++ b/test/iptables/nat.go
@@ -577,11 +577,18 @@ func listenForRedirectedConn(ctx context.Context, ipv6 bool, originalDsts []net.
 connCh := make(chan int)
 errCh := make(chan error)
 go func() {
- connFD, _, err := syscall.Accept(sockfd)
- if err != nil {
- errCh <- err
+ for {
+ connFD, _, err := syscall.Accept(sockfd)
+ if errors.Is(err, syscall.EINTR) {
+ continue
+ }
+ if err != nil {
+ errCh <- err
+ return
+ }
+ connCh <- connFD
+ return
 }
- connCh <- connFD
 }()
 // Wait for accept() to return or for the context to finish. |
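Review bot: Both arms of the new `if ipv6` in FilterOutputDestination.ContainerAction repeat the accept-own-address rule and the `-P OUTPUT DROP` policy; only the solicited-node multicast rule differs, so building one list and appending the extra rule for IPv6 removes the duplication while keeping rule order. Concretely: `rules := [][]string{{"-A", "OUTPUT", "-d", ip.String(), "-j", "ACCEPT"}}`, then `if ipv6 { rules = append(rules, []string{"-A", "OUTPUT", "-d", "ff02::1:ff00:0/104", "-j", "ACCEPT"}) }`, then `rules = append(rules, []string{"-P", "OUTPUT", "DROP"})`. The comment on the multicast rule would be more useful if it also said why the IPv4 path needs no counterpart — presumably because ARP is not subject to the filter table, which I cannot confirm from the hunk. ContainerAction continues past the end of the hunk.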
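Review bot: The new skip check in iptablesTest compares the sentinel with `err == dockerutil.ErrNoIP`, which silently stops matching if FindIP ever returns the error wrapped; `errors.Is(err, dockerutil.ErrNoIP)` is the robust form and is consistent with the `errors.Is` this same commit introduces in nat.go. `t.Skipf` is called with a constant message and no arguments, so `t.Skip("No ipv6 address is available.")` is the idiomatic call. Whether the `errors` package is already imported in iptables_test.go is not visible from this hunk, and iptablesTest's body continues outside it.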
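Review bot: The new accept loop's final `connCh <- connFD` (and the `errCh <- err` before it) sends on channels created unbuffered by the context lines `connCh := make(chan int)` and `errCh := make(chan error)`, so if the caller's select — which the trailing comment says also waits on the context — returns because ctx finishes first, the goroutine blocks on the send forever and the accepted descriptor is never closed. Sizing both channels with a buffer of one, `connCh := make(chan int, 1)` and `errCh := make(chan error, 1)`, lets the goroutine exit in every case; the caller would then still need to close a connFD it never drained, which I cannot see from here. The EINTR retry itself looks correct, and a one-line comment such as `// Accept may be interrupted by a signal; retry instead of reporting EINTR as a failure.` would explain why the loop exists. listenForRedirectedConn begins and ends outside the hunk.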