Diffstat (limited to 'test/iptables')
-rw-r--r-- | test/iptables/filter_input.go | 16 | ||||
-rw-r--r-- | test/iptables/filter_output.go | 16 | ||||
-rw-r--r-- | test/iptables/iptables_test.go | 2 | ||||
-rw-r--r-- | test/iptables/iptables_util.go | 36 | ||||
-rw-r--r-- | test/iptables/nat.go | 10 |
5 files changed, 36 insertions, 44 deletions
diff --git a/test/iptables/filter_input.go b/test/iptables/filter_input.go
index 1c04601df..4b8bbb093 100644
--- a/test/iptables/filter_input.go
+++ b/test/iptables/filter_input.go
@@ -125,7 +125,7 @@ func (FilterInputDropDifferentUDPPort) LocalAction(ip net.IP) error {
 	return sendUDPLoop(ip, acceptPort, sendloopDuration)
 }
 
-// FilterInputDropTCP tests that connections are not accepted on specified source ports.
+// FilterInputDropTCPDestPort tests that connections are not accepted on specified source ports.
 type FilterInputDropTCPDestPort struct{}
 
 // Name implements TestCase.Name.
@@ -135,14 +135,13 @@ func (FilterInputDropTCPDestPort) Name() string {
 
 // ContainerAction implements TestCase.ContainerAction.
 func (FilterInputDropTCPDestPort) ContainerAction(ip net.IP) error {
-	if err := filterTable("-A", "INPUT", "-p", "tcp", "-m", "tcp", "--dport",
-		fmt.Sprintf("%d", dropPort), "-j", "DROP"); err != nil {
+	if err := filterTable("-A", "INPUT", "-p", "tcp", "-m", "tcp", "--dport", fmt.Sprintf("%d", dropPort), "-j", "DROP"); err != nil {
 		return err
 	}
 
 	// Listen for TCP packets on drop port.
 	if err := listenTCP(dropPort, sendloopDuration); err == nil {
-		return fmt.Errorf("Connections on port %d should not be accepted, but got accepted", dropPort)
+		return fmt.Errorf("connection on port %d should not be accepted, but got accepted", dropPort)
 	}
 
 	return nil
@@ -151,7 +150,7 @@ func (FilterInputDropTCPDestPort) ContainerAction(ip net.IP) error {
 // LocalAction implements TestCase.LocalAction.
 func (FilterInputDropTCPDestPort) LocalAction(ip net.IP) error {
 	if err := connectTCP(ip, dropPort, acceptPort, sendloopDuration); err == nil {
-		return fmt.Errorf("Connection destined to port %d should not be accepted, but got accepted", dropPort)
+		return fmt.Errorf("connection destined to port %d should not be accepted, but got accepted", dropPort)
 	}
 
 	return nil
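Review bot: The renamed doc comment in the first hunk still describes the wrong direction: `FilterInputDropTCPDestPort` installs a `--dport` DROP rule and its LocalAction dials `dropPort` as the remote port, yet the comment says "on specified source ports". Since the commit already touches this line, it should also fix the wording: `// FilterInputDropTCPDestPort tests that connections are not accepted on specified destination ports.`. The test cases in this file are paired by direction, so a mismatched description makes it easy to confuse which of the two rules a failure points at.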
@@ -167,14 +166,13 @@ func (FilterInputDropTCPSrcPort) Name() string {
 
 // ContainerAction implements TestCase.ContainerAction.
 func (FilterInputDropTCPSrcPort) ContainerAction(ip net.IP) error {
-	if err := filterTable("-A", "INPUT", "-p", "tcp", "-m", "tcp", "--sport",
-		fmt.Sprintf("%d", dropPort), "-j", "DROP"); err != nil {
+	if err := filterTable("-A", "INPUT", "-p", "tcp", "-m", "tcp", "--sport", fmt.Sprintf("%d", dropPort), "-j", "DROP"); err != nil {
 		return err
 	}
 
 	// Listen for TCP packets on accept port.
 	if err := listenTCP(acceptPort, sendloopDuration); err == nil {
-		return fmt.Errorf("connections destined to port %d should not be accepted, but got accepted", dropPort)
+		return fmt.Errorf("connection destined to port %d should not be accepted, but got accepted", dropPort)
 	}
 
 	return nil
@@ -183,7 +181,7 @@ func (FilterInputDropTCPSrcPort) ContainerAction(ip net.IP) error {
 // LocalAction implements TestCase.LocalAction.
 func (FilterInputDropTCPSrcPort) LocalAction(ip net.IP) error {
 	if err := connectTCP(ip, acceptPort, dropPort, sendloopDuration); err == nil {
-		return fmt.Errorf("connection sent from port %d should not be accepted", dropPort)
+		return fmt.Errorf("connection on port %d should not be acceptedi, but got accepted", dropPort)
 	}
 
 	return nil
diff --git a/test/iptables/filter_output.go b/test/iptables/filter_output.go
index 63d74e4f4..ee2c49f9a 100644
--- a/test/iptables/filter_output.go
+++ b/test/iptables/filter_output.go
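Review bot: The new error string in `FilterInputDropTCPSrcPort.LocalAction` contains a typo ("acceptedi") and also loses the information the old message carried: here `dropPort` is passed as the local port of `connectTCP`, so the connection is *sent from* that port, not "on" it. Keep the direction and fix the typo: `return fmt.Errorf("connection sent from port %d should not be accepted, but got accepted", dropPort)`. The same "sent from" → "on" regression appears in the `FilterOutputDropTCPDestPort.LocalAction` hunk of filter_output.go, where `dropPort` is likewise the local port; the message should stay direction-specific there too, since the source-port and destination-port cases are otherwise indistinguishable in a failure log.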
@@ -34,14 +34,13 @@ func (FilterOutputDropTCPDestPort) Name() string {
 
 // ContainerAction implements TestCase.ContainerAction.
 func (FilterOutputDropTCPDestPort) ContainerAction(ip net.IP) error {
-	if err := filterTable("-A", "OUTPUT", "-p", "tcp", "-m", "tcp", "--dport",
-		fmt.Sprintf("%d", dropPort), "-j", "DROP"); err != nil {
+	if err := filterTable("-A", "OUTPUT", "-p", "tcp", "-m", "tcp", "--dport", fmt.Sprintf("%d", dropPort), "-j", "DROP"); err != nil {
 		return err
 	}
 
 	// Listen for TCP packets on accept port.
 	if err := listenTCP(acceptPort, sendloopDuration); err == nil {
-		return fmt.Errorf("connections destined to port %d should not be accepted, but got accepted", dropPort)
+		return fmt.Errorf("connection destined to port %d should not be accepted, but got accepted", dropPort)
 	}
 
 	return nil
@@ -50,7 +49,7 @@ func (FilterOutputDropTCPDestPort) ContainerAction(ip net.IP) error {
 // LocalAction implements TestCase.LocalAction.
 func (FilterOutputDropTCPDestPort) LocalAction(ip net.IP) error {
 	if err := connectTCP(ip, acceptPort, dropPort, sendloopDuration); err == nil {
-		return fmt.Errorf("connection sent from port %d should not be accepted, but got accepted", dropPort)
+		return fmt.Errorf("connection on port %d should not be accepted, but got accepted", dropPort)
 	}
 
 	return nil
@@ -66,14 +65,13 @@ func (FilterOutputDropTCPSrcPort) Name() string {
 
 // ContainerAction implements TestCase.ContainerAction.
 func (FilterOutputDropTCPSrcPort) ContainerAction(ip net.IP) error {
-	if err := filterTable("-A", "OUTPUT", "-p", "tcp", "-m", "tcp", "--sport",
-		fmt.Sprintf("%d", dropPort), "-j", "DROP"); err != nil {
+	if err := filterTable("-A", "OUTPUT", "-p", "tcp", "-m", "tcp", "--sport", fmt.Sprintf("%d", dropPort), "-j", "DROP"); err != nil {
 		return err
 	}
 
 	// Listen for TCP packets on drop port.
 	if err := listenTCP(dropPort, sendloopDuration); err == nil {
-		return fmt.Errorf("connections on port %d should not be accepted, but got accepted", dropPort)
+		return fmt.Errorf("connection on port %d should not be accepted, but got accepted", dropPort)
 	}
 
 	return nil
@@ -82,8 +80,8 @@ func (FilterOutputDropTCPSrcPort) ContainerAction(ip net.IP) error {
 // LocalAction implements TestCase.LocalAction.
 func (FilterOutputDropTCPSrcPort) LocalAction(ip net.IP) error {
 	if err := connectTCP(ip, dropPort, acceptPort, sendloopDuration); err == nil {
-		return fmt.Errorf("connection destined to port %d should not be accepted, but got accepted", dropPort)
-	}
+		return fmt.Errorf("connection destined to port %d should not be accepted, but got accepted", dropPort)
+	}
 
 	return nil
 }
diff --git a/test/iptables/iptables_test.go b/test/iptables/iptables_test.go
index 3eeb75b8b..d268ea9b4 100644
--- a/test/iptables/iptables_test.go
+++ b/test/iptables/iptables_test.go
@@ -28,7 +28,7 @@ import (
 	"gvisor.dev/gvisor/runsc/testutil"
 )
 
-const timeout time.Duration = 18 * time.Second
+const timeout = 18 * time.Second
 
 var image = flag.String("image", "bazel/test/iptables/runner:runner", "image to run tests in")
 
diff --git a/test/iptables/iptables_util.go b/test/iptables/iptables_util.go
index 44945bd89..1c4f4f665 100644
--- a/test/iptables/iptables_util.go
+++ b/test/iptables/iptables_util.go
@@ -81,33 +81,33 @@ func sendUDPLoop(ip net.IP, port int, duration time.Duration) error {
 	return nil
 }
 
-// listenTCP listens for connections on a TCP port
+// listenTCP listens for connections on a TCP port.
 func listenTCP(port int, timeout time.Duration) error {
 	localAddr := net.TCPAddr{
 		Port: port,
 	}
 
-	// Starts listening on port
+	// Starts listening on port.
 	lConn, err := net.ListenTCP("tcp4", &localAddr)
 	if err != nil {
 		return err
 	}
 	defer lConn.Close()
 
-	// Accept connections on port
+	// Accept connections on port.
 	lConn.SetDeadline(time.Now().Add(timeout))
 	conn, err := lConn.AcceptTCP()
-	if err == nil {
-		conn.Close()
+	if err != nil {
+		return err
 	}
-	return err
+	conn.Close()
+	return nil
 }
 
-// connectTCP connects the TCP server over specified local port, server IP
-// and remote/server port
-func connectTCP(ip net.IP, remotePort int, localPort int, duration time.Duration) error {
+// connectTCP connects the TCP server over specified local port, server IP and remote/server port.
+func connectTCP(ip net.IP, remotePort, localPort int, duration time.Duration) error {
 	remote := net.TCPAddr{
-		IP: ip,
+		IP:   ip,
 		Port: remotePort,
 	}
 
@@ -115,23 +115,21 @@ func connectTCP(ip net.IP, remotePort int, localPort int, duration time.Duration
 		Port: localPort,
 	}
 
-	// Container may not be up. Retry DialTCP
-	// over a given duration
+	// Container may not be up. Retry DialTCP over a duration.
 	to := time.After(duration)
-	var res error
-	for timedOut := false; !timedOut; {
+	for {
 		conn, err := net.DialTCP("tcp4", &local, &remote)
-		res = err
-		if res == nil {
+		if err == nil {
 			conn.Close()
 			return nil
 		}
-		select{
+		select {
+		// Timed out waiting for connection to be accepted.
 		case <-to:
-			timedOut = true
+			return err
 		default:
 			time.Sleep(200 * time.Millisecond)
 		}
 	}
-	return res
+	return fmt.Errorf("Failed to establish connection on port %d", localPort)
 }
diff --git a/test/iptables/nat.go b/test/iptables/nat.go
index 72c413af2..b5c6f927e 100644
--- a/test/iptables/nat.go
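Review bot: In the second hunk the trailing `return fmt.Errorf("Failed to establish connection on port %d", localPort)` is unreachable: the new `for {` has no `break`, and both exits (`return nil` on success, `return err` on `<-to`) leave the function, so `go vet` will flag it and the capitalised message also contradicts the lowercase error-string cleanup this same commit makes in filter_input.go. Fold the context into the timeout path instead, e.g. `case <-to:` / `return fmt.Errorf("dialing port %d: %v", remotePort, err)`, and drop the post-loop return; note that the port a reader wants on timeout is the remote one being dialed, not `localPort`. Separately, in the first hunk `lConn.SetDeadline(...)` still discards its error, so a failed deadline would let `AcceptTCP` block past the intended timeout; this is pre-existing but worth a `if err := lConn.SetDeadline(...); err != nil { return err }` while the function is being reworked.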
+++ b/test/iptables/nat.go
@@ -20,7 +20,7 @@ import (
 )
 
 const (
-	redirectPort = 42
+	redirectPort = 42
 )
 
 func init() {
@@ -28,7 +28,7 @@ func init() {
 	RegisterTestCase(NATDropUDP{})
 }
 
-// InputRedirectUDPPort tests that packets are redirected to different port.
+// NATRedirectUDPPort tests that packets are redirected to different port.
 type NATRedirectUDPPort struct{}
 
 // Name implements TestCase.Name.
@@ -38,8 +38,7 @@ func (NATRedirectUDPPort) Name() string {
 
 // ContainerAction implements TestCase.ContainerAction.
 func (NATRedirectUDPPort) ContainerAction(ip net.IP) error {
-	if err := filterTable("-t", "nat", "-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", "--to-ports",
-		fmt.Sprintf("%d", redirectPort)); err != nil {
+	if err := filterTable("-t", "nat", "-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", redirectPort)); err != nil {
 		return err
 	}
 
@@ -64,8 +63,7 @@ func (NATDropUDP) Name() string {
 
 // ContainerAction implements TestCase.ContainerAction.
 func (NATDropUDP) ContainerAction(ip net.IP) error {
-	if err := filterTable("-t", "nat", "-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", "--to-ports",
-		fmt.Sprintf("%d", redirectPort)); err != nil {
+	if err := filterTable("-t", "nat", "-A", "PREROUTING", "-p", "udp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", redirectPort)); err != nil {
 		return err
 	}
 