summaryrefslogtreecommitdiffhomepage
path: root/test/iptables/nat.go
AgeCommit message (Collapse)Author
2020-08-10Speed up iptables testsKevin Krakauer
//test/iptables:iptables_test runs 30 seconds faster on my machine. * Using contexts instead of many smaller timeouts makes the tests less likely to flake and removes unnecessary complexity. * We also use context to properly shut down concurrent goroutines and the test container. * Container logs are always logged.
2020-07-31iptables: support SO_ORIGINAL_DSTKevin Krakauer
Envoy (#170) uses this to get the original destination of redirected packets.
2020-07-28ip6tables testingKevin Krakauer
We skip gVisor tests for now, as ip6tables aren't yet implemented.
2020-07-24Speed up some iptables testsKevin Krakauer
Sending UDP packets in a loop can be done in a separate goroutine. We can't do this in ContainerAction because the container will terminate early. Locally, scripts/iptables_tests.sh runs ~40 seconds faster.
2020-07-22iptables: don't NAT existing connectionsKevin Krakauer
Fixes a NAT bug that manifested as: - A SYN was sent from gVisor to another host, unaffected by iptables. - The corresponding SYN/ACK was NATted by a PREROUTING REDIRECT rule despite being part of the existing connection. - The socket that sent the SYN never received the SYN/ACK and thus a connection could not be established. We handle this (as Linux does) by tracking all connections, inserting a no-op conntrack rule for new connections with no rules of their own. Needed for istio support (#170).
2020-07-08ip6tables: handle both IPv4 and v6 addressesKevin Krakauer
Enabling IPv6 in Docker caused IPv4 tests to fail because localAddrs didn't distinguish between address types. Example failure: https://source.cloud.google.com/results/invocations/203b2401-3333-4bec-9a56-72cc53d68ddd/log
2020-06-05iptables: loopback traffic skips prerouting chainKevin Krakauer
Loopback traffic is not affected by rules in the PREROUTING chain. This change is also necessary for istio's envoy to talk to other components in the same pod.
2020-05-01Support for connection tracking of TCP packets.Nayana Bidari
Connection tracking is used to track packets in prerouting and output hooks of iptables. The NAT rules modify the tuples in connections. The connection tracking code modifies the packets by looking at the modified tuples.
2020-03-16Merge pull request #1943 from kevinGC:ipt-filter-ipgVisor bot
PiperOrigin-RevId: 301197007
2020-03-11iptables: ready tests to be enabled in kokoroKevin Krakauer
Fixed flakes (tested via --runs_per_test=100) and added skips for not-yet-implemented features. Once submitted, the iptables tests will be ready to enable in kokoro.
2020-02-26iptables: filter by IP address (and range)Kevin Krakauer
Enables commands such as: $ iptables -A INPUT -d 127.0.0.1 -j ACCEPT $ iptables -t nat -A PREROUTING ! -d 127.0.0.1 -j REDIRECT Also adds a bunch of REDIRECT+destination tests.
2020-02-25Add nat table support for iptables.Nayana Bidari
- commit the changes for the comments.
2020-02-18iptables: use "-t nat" for NAT testsgVisor bot
PiperOrigin-RevId: 295835807
2020-02-18Add nat table support for iptables.Nayana Bidari
Add nat table support for Prerouting hook with Redirect option. Add tests to check redirect of ports.
2020-01-17Merge pull request #1541 from nybidari:iptablesgVisor bot
PiperOrigin-RevId: 290273561
2020-01-10Add tests for redirect portNayana Bidari
Fix indentation and change function names.
2020-01-09Add test for redirect portNayana Bidari
Fix the indentation and print statements. Moved the NAT redirect tests to new file. Added negative test to check redirect rule on ports other than redirected port.
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-06 09:40:48 +0000