Age | Commit message (Collapse) | Author |
|
We have support for the output interface name, but not for the input
interface name.
This change adds the support for the input interface name, and adds the
test cases for it.
Fixes #5300
PiperOrigin-RevId: 353179389
|
|
PiperOrigin-RevId: 352624174
|
|
PiperOrigin-RevId: 343927315
|
|
Adds support for the IPv6-compatible redirect target. Redirection is a limited
form of DNAT, where the destination is always the localhost.
Updates #3549.
PiperOrigin-RevId: 334698344
|
|
`ip6tables -t filter` is now usable. NAT support will come in a future CL.
#3549
PiperOrigin-RevId: 332381801
|
|
//test/iptables:iptables_test runs 30 seconds faster on my machine.
* Using contexts instead of many smaller timeouts makes the tests less
likely to flake and removes unnecessary complexity.
* We also use context to properly shut down concurrent goroutines and
the test container.
* Container logs are always logged.
|
|
Envoy (#170) uses this to get the original destination of redirected
packets.
|
|
We skip gVisor tests for now, as ip6tables aren't yet implemented.
|
|
Fixes a NAT bug that manifested as:
- A SYN was sent from gVisor to another host, unaffected by iptables.
- The corresponding SYN/ACK was NATted by a PREROUTING REDIRECT rule
despite being part of the existing connection.
- The socket that sent the SYN never received the SYN/ACK and thus a
connection could not be established.
We handle this (as Linux does) by tracking all connections, inserting a
no-op conntrack rule for new connections with no rules of their own.
Needed for istio support (#170).
|
|
PiperOrigin-RevId: 320290162
|
|
Enabling IPv6 in Docker caused IPv4 tests to fail because localAddrs
didn't distinguish between address types. Example failure:
https://source.cloud.google.com/results/invocations/203b2401-3333-4bec-9a56-72cc53d68ddd/log
|
|
Moves following to new dockerutil API:
- //test/e2e:integration_test
- //test/image:image_test
- //test/iptables:iptables_test
- //test/root:root_test
- //test/packetimpact:packetimpact_test
PiperOrigin-RevId: 320253118
|
|
Separate mount configuration from links and move it to
RunOpts, like the other options.
PiperOrigin-RevId: 317010158
|
|
Loopback traffic is not affected by rules in the PREROUTING chain.
This change is also necessary for istio's envoy to talk to other
components in the same pod.
|
|
|
|
- Added support for matching gid owner and invert flag for uid
and gid.
$ iptables -A OUTPUT -p tcp -m owner --gid-owner root -j ACCEPT
$ iptables -A OUTPUT -p tcp -m owner ! --uid-owner root -j ACCEPT
$ iptables -A OUTPUT -p tcp -m owner ! --gid-owner root -j DROP
- Added tests for uid, gid and invert flags.
|
|
Enables commands with -o (--out-interface) for iptables rules.
$ iptables -A OUTPUT -o eth0 -j ACCEPT
PiperOrigin-RevId: 310642286
|
|
Connection tracking is used to track packets in prerouting and
output hooks of iptables. The NAT rules modify the tuples in
connections. The connection tracking code modifies the packets by
looking at the modified tuples.
|
|
This change adds a layer of abstraction around the internal Docker APIs,
and eliminates all direct dependencies on Dockerfiles in the infrastructure.
A subsequent change will automated the generation of local images (with
efficient caching). Note that this change drops the use of bazel container
rules, as that experiment does not seem to be viable.
PiperOrigin-RevId: 308095430
|
|
This feature will match UID and GID of the packet creator, for locally
generated packets. This match is only valid in the OUTPUT and POSTROUTING
chains. Forwarded packets do not have any socket associated with them.
Packets from kernel threads do have a socket, but usually no owner.
|
|
PiperOrigin-RevId: 301686266
|
|
PiperOrigin-RevId: 301650898
|
|
PiperOrigin-RevId: 301476456
|
|
PiperOrigin-RevId: 301197007
|
|
Fixed flakes (tested via --runs_per_test=100) and added skips for
not-yet-implemented features. Once submitted, the iptables tests will be
ready to enable in kokoro.
|
|
Enables commands such as:
$ iptables -A INPUT -d 127.0.0.1 -j ACCEPT
$ iptables -t nat -A PREROUTING ! -d 127.0.0.1 -j REDIRECT
Also adds a bunch of REDIRECT+destination tests.
|
|
|
|
Add nat table support for Prerouting hook with Redirect option.
Add tests to check redirect of ports.
|
|
$ iptables -N foochain
$ iptables -A INPUT -j foochain
|
|
- Adds creation of user chains via `-N <chainname>`
- Adds `-j RETURN` support for built-in chains, which triggers the
chain's underflow rule (usually the default policy).
- Adds tests for chain creation, default policies, and `-j RETURN' from
built-in chains.
|
|
The name of the runner binary target changed from "runner" to "runner-image",
causing iptables tests to fail.
PiperOrigin-RevId: 292242263
|
|
|
|
|
|
|
|
PiperOrigin-RevId: 290793754
|
|
PiperOrigin-RevId: 290273561
|
|
|
|
|
|
Added tests for tcp protocol with input and output rules including options sport and dport
Increased timeout in iptables_test as TCP tests were timing out with existing value.
|
|
Fix indentation and change function names.
|
|
Fix the indentation and print statements.
Moved the NAT redirect tests to new file.
Added negative test to check redirect rule on ports other than
redirected port.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This gets us closer to passing the iptables tests and opens up iptables
so it can be worked on by multiple people.
A few restrictions are enforced for security (i.e. we don't want to let
users write a bunch of iptables rules and then just not enforce them):
- Only the filter table is writable.
- Only ACCEPT rules with no matching criteria can be added.
|
|
It would be preferrable to test iptables via syscall tests, but there are some
problems with that approach:
* We're limited to loopback-only, as syscall tests involve only a single
container. Other link interfaces (e.g. fdbased) should be tested.
* We'd have to shell out to call iptables anyways, as the iptables syscall
interface itself is too large and complex to work with alone.
* Running the Linux/native version of the syscall test will require root, which
is a pain to configure, is inherently unsafe, and could leave host iptables
misconfigured.
Using the go_test target allows there to be no new test runner.
PiperOrigin-RevId: 285274275
|