Age | Commit message (Collapse) | Author |
|
This change adds a layer of abstraction around the internal Docker APIs,
and eliminates all direct dependencies on Dockerfiles in the infrastructure.
A subsequent change will automated the generation of local images (with
efficient caching). Note that this change drops the use of bazel container
rules, as that experiment does not seem to be viable.
PiperOrigin-RevId: 308095430
|
|
This feature will match UID and GID of the packet creator, for locally
generated packets. This match is only valid in the OUTPUT and POSTROUTING
chains. Forwarded packets do not have any socket associated with them.
Packets from kernel threads do have a socket, but usually no owner.
|
|
PiperOrigin-RevId: 303147253
|
|
PiperOrigin-RevId: 301716568
|
|
These tests could timeout because net.DialTCP didn't respect the
timeout.
|
|
PiperOrigin-RevId: 301686266
|
|
PiperOrigin-RevId: 301650898
|
|
PiperOrigin-RevId: 301476456
|
|
PiperOrigin-RevId: 301197007
|
|
Fixed flakes (tested via --runs_per_test=100) and added skips for
not-yet-implemented features. Once submitted, the iptables tests will be
ready to enable in kokoro.
|
|
Enables commands such as:
$ iptables -A INPUT -d 127.0.0.1 -j ACCEPT
$ iptables -t nat -A PREROUTING ! -d 127.0.0.1 -j REDIRECT
Also adds a bunch of REDIRECT+destination tests.
|
|
|
|
- commit the changes for the comments.
|
|
PiperOrigin-RevId: 295835807
|
|
PiperOrigin-RevId: 295785052
|
|
Add nat table support for Prerouting hook with Redirect option.
Add tests to check redirect of ports.
|
|
$ iptables -N foochain
$ iptables -A INPUT -j foochain
|
|
- Adds creation of user chains via `-N <chainname>`
- Adds `-j RETURN` support for built-in chains, which triggers the
chain's underflow rule (usually the default policy).
- Adds tests for chain creation, default policies, and `-j RETURN' from
built-in chains.
|
|
The readme didn't mention that users need to:
- `bazel build` when working on iptables tests
- enable raw sockets in /etc/docker/daemon.json.
PiperOrigin-RevId: 294260169
|
|
PiperOrigin-RevId: 293676954
|
|
PiperOrigin-RevId: 293243342
|
|
The name of the runner binary target changed from "runner" to "runner-image",
causing iptables tests to fail.
PiperOrigin-RevId: 292242263
|
|
|
|
PiperOrigin-RevId: 291745021
|
|
|
|
PiperOrigin-RevId: 291249314
|
|
|
|
|
|
|
|
|
|
PiperOrigin-RevId: 290793754
|
|
PiperOrigin-RevId: 290273561
|
|
|
|
|
|
Added tests for tcp protocol with input and output rules including options sport and dport
Increased timeout in iptables_test as TCP tests were timing out with existing value.
|
|
Fix indentation and change function names.
|
|
Fix the indentation and print statements.
Moved the NAT redirect tests to new file.
Added negative test to check redirect rule on ports other than
redirected port.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This gets us closer to passing the iptables tests and opens up iptables
so it can be worked on by multiple people.
A few restrictions are enforced for security (i.e. we don't want to let
users write a bunch of iptables rules and then just not enforce them):
- Only the filter table is writable.
- Only ACCEPT rules with no matching criteria can be added.
|
|
PiperOrigin-RevId: 288402480
|
|
PiperOrigin-RevId: 286083614
|
|
It would be preferrable to test iptables via syscall tests, but there are some
problems with that approach:
* We're limited to loopback-only, as syscall tests involve only a single
container. Other link interfaces (e.g. fdbased) should be tested.
* We'd have to shell out to call iptables anyways, as the iptables syscall
interface itself is too large and complex to work with alone.
* Running the Linux/native version of the syscall test will require root, which
is a pain to configure, is inherently unsafe, and could leave host iptables
misconfigured.
Using the go_test target allows there to be no new test runner.
PiperOrigin-RevId: 285274275
|