summaryrefslogtreecommitdiffhomepage
path: root/test/iptables
AgeCommit message (Collapse)Author
2021-02-17Deflake //test/iptables:iptables_testKevin Krakauer
We were opening dual-stack sockets, but tests only set iptables rules for a single network protocol. Thus, packets (probably sent by previous tests) could sneak in and break tests. Tested with: bazel test ///test/iptables:iptables_test --test_arg=--runtime=runsc --nocache_test_results --test_output=errors --runs_per_test=1000 --test_filter=TestFilterInputDropUDP PiperOrigin-RevId: 357972385
2021-02-11iptables test: Implement testCase interface on pointersToshi Kikuchi
Implementing interfaces on value types causes the interface to be implemented by both the value type and the pointer type of the implementer. This complicates type assertion as it requires the assertion to check for both the pointer type and the value type. PiperOrigin-RevId: 357061063
2021-01-21iptables: support matching the input interface nameToshi Kikuchi
We have support for the output interface name, but not for the input interface name. This change adds the support for the input interface name, and adds the test cases for it. Fixes #5300 PiperOrigin-RevId: 353179389
2021-01-19Ensure that IP{V6}_RECVORIGDSTADDR yields the post-NAT address and port.Kevin Krakauer
PiperOrigin-RevId: 352624174
2021-01-12Fix simple mistakes identified by goreportcard.Adin Scannell
These are primarily simplification and lint mistakes. However, minor fixes are also included and tests added where appropriate. PiperOrigin-RevId: 351425971
2020-12-11Remove existing nogo exceptions.Adin Scannell
PiperOrigin-RevId: 347047550
2020-11-23Fail gracefully if Docker is not configured with ipv6.Adin Scannell
PiperOrigin-RevId: 343927315
2020-11-09iptables: add documentation about enabing docker ipv6Kevin Krakauer
PiperOrigin-RevId: 341439435
2020-10-23iptables testing: handle EINTR on calls to accept().Kevin Krakauer
This caused test flakes. PiperOrigin-RevId: 338758723
2020-10-22Pass NetworkInterface to LinkAddressRequestGhanan Gowripalan
Previously a link endpoint was passed to stack.LinkAddressResolver.LinkAddressRequest. With this change, implementations that want a route for the link address request may find one through the stack. Other implementations that want to send a packet without a route may continue to do so using the network interface directly. Test: - arp_test.TestLinkAddressRequest - ipv6.TestLinkAddressRequest PiperOrigin-RevId: 338577474
2020-10-05Remove reference to deleted scriptKevin Krakauer
PiperOrigin-RevId: 335516625
2020-09-30ip6tables: redirect supportKevin Krakauer
Adds support for the IPv6-compatible redirect target. Redirection is a limited form of DNAT, where the destination is always the localhost. Updates #3549. PiperOrigin-RevId: 334698344
2020-09-17ip6tables: filter table supportKevin Krakauer
`ip6tables -t filter` is now usable. NAT support will come in a future CL. #3549 PiperOrigin-RevId: 332381801
2020-08-10Speed up iptables testsKevin Krakauer
//test/iptables:iptables_test runs 30 seconds faster on my machine. * Using contexts instead of many smaller timeouts makes the tests less likely to flake and removes unnecessary complexity. * We also use context to properly shut down concurrent goroutines and the test container. * Container logs are always logged.
2020-07-31iptables: support SO_ORIGINAL_DSTKevin Krakauer
Envoy (#170) uses this to get the original destination of redirected packets.
2020-07-28ip6tables testingKevin Krakauer
We skip gVisor tests for now, as ip6tables aren't yet implemented.
2020-07-24Speed up some iptables testsKevin Krakauer
Sending UDP packets in a loop can be done in a separate goroutine. We can't do this in ContainerAction because the container will terminate early. Locally, scripts/iptables_tests.sh runs ~40 seconds faster.
2020-07-22iptables: don't NAT existing connectionsKevin Krakauer
Fixes a NAT bug that manifested as: - A SYN was sent from gVisor to another host, unaffected by iptables. - The corresponding SYN/ACK was NATted by a PREROUTING REDIRECT rule despite being part of the existing connection. - The socket that sent the SYN never received the SYN/ACK and thus a connection could not be established. We handle this (as Linux does) by tracking all connections, inserting a no-op conntrack rule for new connections with no rules of their own. Needed for istio support (#170).
2020-07-08Merge pull request #3171 from kevinGC:ipv6-kokorogVisor bot
PiperOrigin-RevId: 320290162
2020-07-08ip6tables: handle both IPv4 and v6 addressesKevin Krakauer
Enabling IPv6 in Docker caused IPv4 tests to fail because localAddrs didn't distinguish between address types. Example failure: https://source.cloud.google.com/results/invocations/203b2401-3333-4bec-9a56-72cc53d68ddd/log
2020-07-08Move all tests to new docker API.Zach Koopmans
Moves following to new dockerutil API: - //test/e2e:integration_test - //test/image:image_test - //test/iptables:iptables_test - //test/root:root_test - //test/packetimpact:packetimpact_test PiperOrigin-RevId: 320253118
2020-06-17Move mount configutation to RunOptsFabricio Voznika
Separate mount configuration from links and move it to RunOpts, like the other options. PiperOrigin-RevId: 317010158
2020-06-05iptables: loopback traffic skips prerouting chainKevin Krakauer
Loopback traffic is not affected by rules in the PREROUTING chain. This change is also necessary for istio's envoy to talk to other components in the same pod.
2020-05-29Fix copied comment mistakes.Kevin Krakauer
PiperOrigin-RevId: 313862843
2020-05-28Enable iptables source filtering (-s/--source)Kevin Krakauer
2020-05-12iptables: support gid match for owner matching.Nayana Bidari
- Added support for matching gid owner and invert flag for uid and gid. $ iptables -A OUTPUT -p tcp -m owner --gid-owner root -j ACCEPT $ iptables -A OUTPUT -p tcp -m owner ! --uid-owner root -j ACCEPT $ iptables -A OUTPUT -p tcp -m owner ! --gid-owner root -j DROP - Added tests for uid, gid and invert flags.
2020-05-08iptables - filter packets using outgoing interface.gVisor bot
Enables commands with -o (--out-interface) for iptables rules. $ iptables -A OUTPUT -o eth0 -j ACCEPT PiperOrigin-RevId: 310642286
2020-05-01Support for connection tracking of TCP packets.Nayana Bidari
Connection tracking is used to track packets in prerouting and output hooks of iptables. The NAT rules modify the tuples in connections. The connection tracking code modifies the packets by looking at the modified tuples.
2020-04-24Standardize all Docker images.Adin Scannell
This change moves all Docker images to a standard location, and abstracts the build process so that they can be maintained in an automated fashion. This also allows the images to be architecture-independent. All images will now be referred to by the test framework via the canonical `gvisor.dev/images/<name>`, where `<name>` is a function of the path within the source tree. In a subsequent change, continuous integration will be added so that the images will always be correct and available locally. In the end, using `bazel` for Docker containers is simply not possible. Given that we already have the need to use `make` with the base container (for Docker), we extend this approach to get more flexibility. This change also adds a self-documenting and powerful Makefile that is intended to replace the collection of scripts in scripts. Canonical (self-documenting) targets can be added here for targets that understand which images need to be loaded and/or built. PiperOrigin-RevId: 308322438
2020-04-23Simplify Docker test infrastructure.Adin Scannell
This change adds a layer of abstraction around the internal Docker APIs, and eliminates all direct dependencies on Dockerfiles in the infrastructure. A subsequent change will automated the generation of local images (with efficient caching). Note that this change drops the use of bazel container rules, as that experiment does not seem to be viable. PiperOrigin-RevId: 308095430
2020-03-26Support owner matching for iptables.Nayana Bidari
This feature will match UID and GID of the packet creator, for locally generated packets. This match is only valid in the OUTPUT and POSTROUTING chains. Forwarded packets do not have any socket associated with them. Packets from kernel threads do have a socket, but usually no owner.
2020-03-26Check error in DropTCP*Port tests and fix comment.Kevin Krakauer
PiperOrigin-RevId: 303147253
2020-03-18Merge pull request #2187 from kevinGC:deflake-connectTCPgVisor bot
PiperOrigin-RevId: 301716568
2020-03-18iptables: deflake DropTCP*Port testsKevin Krakauer
These tests could timeout because net.DialTCP didn't respect the timeout.
2020-03-18iptables: skip tests for not-yet-supported featuresKevin Krakauer
PiperOrigin-RevId: 301686266
2020-03-18Automated rollback of changelist 301476456Kevin Krakauer
PiperOrigin-RevId: 301650898
2020-03-17iptables: fix type in script name, mark some new tests as skippedKevin Krakauer
PiperOrigin-RevId: 301476456
2020-03-16Merge pull request #1943 from kevinGC:ipt-filter-ipgVisor bot
PiperOrigin-RevId: 301197007
2020-03-11iptables: ready tests to be enabled in kokoroKevin Krakauer
Fixed flakes (tested via --runs_per_test=100) and added skips for not-yet-implemented features. Once submitted, the iptables tests will be ready to enable in kokoro.
2020-02-26iptables: filter by IP address (and range)Kevin Krakauer
Enables commands such as: $ iptables -A INPUT -d 127.0.0.1 -j ACCEPT $ iptables -t nat -A PREROUTING ! -d 127.0.0.1 -j REDIRECT Also adds a bunch of REDIRECT+destination tests.
2020-02-25Merge branch 'master' into iptablesnybidari
2020-02-25Add nat table support for iptables.Nayana Bidari
- commit the changes for the comments.
2020-02-18iptables: use "-t nat" for NAT testsgVisor bot
PiperOrigin-RevId: 295835807
2020-02-18Merge pull request #1850 from kevinGC:jump2gVisor bot
PiperOrigin-RevId: 295785052
2020-02-18Add nat table support for iptables.Nayana Bidari
Add nat table support for Prerouting hook with Redirect option. Add tests to check redirect of ports.
2020-02-13We can now create and jump in iptables. For example:Kevin Krakauer
$ iptables -N foochain $ iptables -A INPUT -j foochain
2020-02-12iptables: User chainsKevin Krakauer
- Adds creation of user chains via `-N <chainname>` - Adds `-j RETURN` support for built-in chains, which triggers the chain's underflow rule (usually the default policy). - Adds tests for chain creation, default policies, and `-j RETURN' from built-in chains.
2020-02-10iptables: add instructions for runsc building.Kevin Krakauer
The readme didn't mention that users need to: - `bazel build` when working on iptables tests - enable raw sockets in /etc/docker/daemon.json. PiperOrigin-RevId: 294260169
2020-02-06Fix `bazel run` target in docs.Kevin Krakauer
PiperOrigin-RevId: 293676954
2020-02-04Merge pull request #1683 from kevinGC:ipt-udp-matchersgVisor bot
PiperOrigin-RevId: 293243342