summaryrefslogtreecommitdiffhomepage
path: root/test/iptables
AgeCommit message (Collapse)Author
2020-02-18Merge pull request #1850 from kevinGC:jump2gVisor bot
PiperOrigin-RevId: 295785052
2020-02-13We can now create and jump in iptables. For example:Kevin Krakauer
$ iptables -N foochain $ iptables -A INPUT -j foochain
2020-02-12iptables: User chainsKevin Krakauer
- Adds creation of user chains via `-N <chainname>` - Adds `-j RETURN` support for built-in chains, which triggers the chain's underflow rule (usually the default policy). - Adds tests for chain creation, default policies, and `-j RETURN' from built-in chains.
2020-02-10iptables: add instructions for runsc building.Kevin Krakauer
The readme didn't mention that users need to: - `bazel build` when working on iptables tests - enable raw sockets in /etc/docker/daemon.json. PiperOrigin-RevId: 294260169
2020-02-06Fix `bazel run` target in docs.Kevin Krakauer
PiperOrigin-RevId: 293676954
2020-02-04Merge pull request #1683 from kevinGC:ipt-udp-matchersgVisor bot
PiperOrigin-RevId: 293243342
2020-01-29Fix iptables tests that were broken by rename.Kevin Krakauer
The name of the runner binary target changed from "runner" to "runner-image", causing iptables tests to fail. PiperOrigin-RevId: 292242263
2020-01-27Cleanup for GH review.Kevin Krakauer
2020-01-27Standardize on tools directory.Adin Scannell
PiperOrigin-RevId: 291745021
2020-01-24Merge branch 'master' into ipt-udp-matchersKevin Krakauer
2020-01-23Merge pull request #1617 from kevinGC:iptables-write-filter-protogVisor bot
PiperOrigin-RevId: 291249314
2020-01-21Add UDP matchers.Kevin Krakauer
2020-01-21More little fixes.Kevin Krakauer
2020-01-21Fixing stuffKevin Krakauer
2020-01-21Merge branch 'master' into iptables-write-filter-protoKevin Krakauer
2020-01-21Merge pull request #1558 from kevinGC:iptables-write-input-dropgVisor bot
PiperOrigin-RevId: 290793754
2020-01-17Merge pull request #1541 from nybidari:iptablesgVisor bot
PiperOrigin-RevId: 290273561
2020-01-13Merge branch 'iptables-write-input-drop' into iptables-write-filter-protoKevin Krakauer
2020-01-13Merge branch 'master' into iptables-write-input-dropKevin Krakauer
2020-01-13Add test for iptables TCP ruleNayana Bidari
Added tests for tcp protocol with input and output rules including options sport and dport Increased timeout in iptables_test as TCP tests were timing out with existing value.
2020-01-10Add tests for redirect portNayana Bidari
Fix indentation and change function names.
2020-01-09Add test for redirect portNayana Bidari
Fix the indentation and print statements. Moved the NAT redirect tests to new file. Added negative test to check redirect rule on ports other than redirected port.
2020-01-09Added a test that we don't pass yetKevin Krakauer
2020-01-09Add test to check iptables redirect port ruleNayana Bidari
2020-01-08Working on filtering by protocol.Kevin Krakauer
2020-01-08Built dead-simple traversal, but now getting depedency cycle error :'(Kevin Krakauer
2020-01-08Added test for unconditional DROP on the filter INPUT chainKevin Krakauer
2020-01-08NewlineKevin Krakauer
2020-01-08Revert filter_input changeKevin Krakauer
2020-01-08Minor fixes to comments and loggingKevin Krakauer
2020-01-08Write simple ACCEPT rules to the filter table.Kevin Krakauer
This gets us closer to passing the iptables tests and opens up iptables so it can be worked on by multiple people. A few restrictions are enforced for security (i.e. we don't want to let users write a bunch of iptables rules and then just not enforce them): - Only the filter table is writable. - Only ACCEPT rules with no matching criteria can be added.
2020-01-06Fix readme formatting.Kevin Krakauer
PiperOrigin-RevId: 288402480
2019-12-17Internal change.Kevin Krakauer
PiperOrigin-RevId: 286083614
2019-12-12Add iptables testing framework.Kevin Krakauer
It would be preferrable to test iptables via syscall tests, but there are some problems with that approach: * We're limited to loopback-only, as syscall tests involve only a single container. Other link interfaces (e.g. fdbased) should be tested. * We'd have to shell out to call iptables anyways, as the iptables syscall interface itself is too large and complex to work with alone. * Running the Linux/native version of the syscall test will require root, which is a pain to configure, is inherently unsafe, and could leave host iptables misconfigured. Using the go_test target allows there to be no new test runner. PiperOrigin-RevId: 285274275