Age | Commit message | Author | |
---|---|---|---|
2020-01-08 | Newline | Kevin Krakauer | |
2020-01-08 | Revert filter_input change | Kevin Krakauer | |
2020-01-08 | Minor fixes to comments and logging | Kevin Krakauer | |
2020-01-08 | Write simple ACCEPT rules to the filter table. | Kevin Krakauer | |
This gets us closer to passing the iptables tests and opens up iptables so it can be worked on by multiple people. A few restrictions are enforced for security (i.e. we don't want to let users write a bunch of iptables rules and then just not enforce them): - Only the filter table is writable. - Only ACCEPT rules with no matching criteria can be added. | |||
2020-01-06 | Fix readme formatting. | Kevin Krakauer | |
PiperOrigin-RevId: 288402480 | |||
2019-12-17 | Internal change. | Kevin Krakauer | |
PiperOrigin-RevId: 286083614 | |||
2019-12-12 | Add iptables testing framework. | Kevin Krakauer | |
It would be preferable to test iptables via syscall tests, but there are some problems with that approach: * We're limited to loopback-only, as syscall tests involve only a single container. Other link interfaces (e.g. fdbased) should be tested. * We'd have to shell out to call iptables anyways, as the iptables syscall interface itself is too large and complex to work with alone. * Running the Linux/native version of the syscall test will require root, which is a pain to configure, is inherently unsafe, and could leave host iptables misconfigured. Using the go_test target allows there to be no new test runner. PiperOrigin-RevId: 285274275 |