Commit message

Envoy (#170) uses this to get the original destination of redirected
packets.

We skip gVisor tests for now, as ip6tables aren't yet implemented.

Sending UDP packets in a loop can be done in a separate goroutine. We
can't do this in ContainerAction because the container will terminate
early.

Locally, scripts/iptables_tests.sh runs ~40 seconds faster.

Fixes a NAT bug that manifested as:
- A SYN was sent from gVisor to another host, unaffected by iptables.
- The corresponding SYN/ACK was NATted by a PREROUTING REDIRECT rule
  despite being part of the existing connection.
- The socket that sent the SYN never received the SYN/ACK and thus a
  connection could not be established.

We handle this (as Linux does) by tracking all connections, inserting a
no-op conntrack rule for new connections with no rules of their own.

Needed for istio support (#170).
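The fix described in the commit above, as an added model that is not gVisor's netstack code: a tiny conntrack table keyed by both directions of a connection. With `trackAll` false it records only connections that a NAT rule touched (the pre-fix behaviour), so the SYN/ACK of an outbound connection looks new to PREROUTING and the REDIRECT rule rewrites its destination port; with `trackAll` true, the OUTPUT hook inserts the no-op entry the commit describes and the SYN/ACK is delivered to the port the SYN was sent from. The addresses, ports, the `--to-ports` value and every identifier are constructed for this example.

```go
package main

import "fmt"

// Constructed model of the conntrack fix; not gVisor's netstack code.
// Addresses, ports and the REDIRECT target port are made up.

// tuple identifies one direction of a connection.
type tuple struct {
	srcAddr string
	srcPort uint16
	dstAddr string
	dstPort uint16
}

// reply returns the tuple carried by a packet travelling in the opposite direction.
func (t tuple) reply() tuple {
	return tuple{srcAddr: t.dstAddr, srcPort: t.dstPort, dstAddr: t.srcAddr, dstPort: t.srcPort}
}

// conn is a tracked connection. redirectPort == 0 is the no-op entry the
// commit describes: the connection is known, but nothing is rewritten.
type conn struct {
	original     tuple  // tuple of the packet that created the connection
	redirectPort uint16 // --to-ports of the REDIRECT rule that matched, or 0
}

// tracker is a minimal conntrack table holding both directions of each connection.
type tracker struct {
	trackAll bool // false: pre-fix (only NATted connections recorded); true: the fix
	conns    map[tuple]*conn
}

func newTracker(trackAll bool) *tracker {
	return &tracker{trackAll: trackAll, conns: make(map[tuple]*conn)}
}

func (t *tracker) track(orig tuple, redirectPort uint16) *conn {
	c := &conn{original: orig, redirectPort: redirectPort}
	t.conns[orig] = c
	t.conns[orig.reply()] = c
	return c
}

// output is the OUTPUT hook. This model has no NAT rules for outbound
// traffic, so before the fix nothing was recorded here at all.
func (t *tracker) output(p tuple) tuple {
	if t.trackAll {
		if _, known := t.conns[p]; !known {
			t.track(p, 0) // no-op entry: remember the connection, rewrite nothing
		}
	}
	return p
}

// prerouting is the PREROUTING hook with one REDIRECT --to-ports rule that
// matches every packet belonging to a connection not yet tracked.
func (t *tracker) prerouting(p tuple, redirectPort uint16) tuple {
	c, known := t.conns[p]
	if !known {
		// Genuinely new inbound connection: REDIRECT applies and is recorded
		// so later packets of the same connection are rewritten consistently.
		c = t.track(p, redirectPort)
	}
	// Only packets in the original direction of a redirected connection have
	// their destination port rewritten; a no-op entry leaves them untouched.
	if c.redirectPort != 0 && p == c.original {
		p.dstPort = c.redirectPort
	}
	return p
}

// synAckDstPort plays the commit's scenario: gVisor sends a SYN, the peer
// answers, and we report which port the SYN/ACK is delivered to.
func synAckDstPort(trackAll bool) uint16 {
	t := newTracker(trackAll)
	syn := tuple{srcAddr: "10.0.0.2", srcPort: 40000, dstAddr: "10.0.0.9", dstPort: 80} // constructed
	t.output(syn)
	synAck := t.prerouting(syn.reply(), 8080) // constructed REDIRECT --to-ports 8080
	return synAck.dstPort
}

// inboundDstPort checks that a genuinely new inbound connection is still redirected.
func inboundDstPort(trackAll bool) uint16 {
	t := newTracker(trackAll)
	in := tuple{srcAddr: "10.0.0.7", srcPort: 51000, dstAddr: "10.0.0.2", dstPort: 80} // constructed
	return t.prerouting(in, 8080).dstPort
}

func main() {
	fmt.Printf("SYN/ACK delivered to port %d before the fix\n", synAckDstPort(false))
	fmt.Printf("SYN/ACK delivered to port %d after the fix\n", synAckDstPort(true))
	fmt.Printf("new inbound connection redirected to port %d\n", inboundDstPort(true))
}
```

Before the fix the SYN/ACK arrives with its destination rewritten to 8080 and the socket listening on 40000 never sees it; after the fix the no-op entry keeps the reply on 40000, while a connection that really is new is still redirected.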
PiperOrigin-RevId: 320290162

Enabling IPv6 in Docker caused IPv4 tests to fail because localAddrs
didn't distinguish between address types. Example failure:
https://source.cloud.google.com/results/invocations/203b2401-3333-4bec-9a56-72cc53d68ddd/log

Moves the following to the new dockerutil API:
- //test/e2e:integration_test
- //test/image:image_test
- //test/iptables:iptables_test
- //test/root:root_test
- //test/packetimpact:packetimpact_test

PiperOrigin-RevId: 320253118

Separate mount configuration from links and move it to
RunOpts, like the other options.

PiperOrigin-RevId: 317010158

Loopback traffic is not affected by rules in the PREROUTING chain.
This change is also necessary for istio's envoy to talk to other
components in the same pod.

PiperOrigin-RevId: 313862843

- Added support for matching gid owner and invert flag for uid
  and gid.
    $ iptables -A OUTPUT -p tcp -m owner --gid-owner root -j ACCEPT
    $ iptables -A OUTPUT -p tcp -m owner ! --uid-owner root -j ACCEPT
    $ iptables -A OUTPUT -p tcp -m owner ! --gid-owner root -j DROP
- Added tests for uid, gid and invert flags.

Enables commands with -o (--out-interface) for iptables rules.
  $ iptables -A OUTPUT -o eth0 -j ACCEPT

PiperOrigin-RevId: 310642286

Connection tracking is used to track packets in the prerouting and
output hooks of iptables. The NAT rules modify the tuples in
connections. The connection tracking code modifies the packets by
looking at the modified tuples.

This change moves all Docker images to a standard location, and abstracts the
build process so that they can be maintained in an automated fashion. This also
allows the images to be architecture-independent.

All images will now be referred to by the test framework via the canonical
`gvisor.dev/images/<name>`, where `<name>` is a function of the path within the
source tree.

In a subsequent change, continuous integration will be added so that the images
will always be correct and available locally.

In the end, using `bazel` for Docker containers is simply not possible. Given
that we already have the need to use `make` with the base container (for
Docker), we extend this approach to get more flexibility.

This change also adds a self-documenting and powerful Makefile that is intended
to replace the collection of scripts in scripts. Canonical (self-documenting)
targets can be added here for targets that understand which images need to be
loaded and/or built.

PiperOrigin-RevId: 308322438

This change adds a layer of abstraction around the internal Docker APIs,
and eliminates all direct dependencies on Dockerfiles in the infrastructure.
A subsequent change will automate the generation of local images (with
efficient caching). Note that this change drops the use of bazel container
rules, as that experiment does not seem to be viable.

PiperOrigin-RevId: 308095430

This feature will match the UID and GID of the packet creator, for locally
generated packets. This match is only valid in the OUTPUT and POSTROUTING
chains. Forwarded packets do not have any socket associated with them.
Packets from kernel threads do have a socket, but usually no owner.
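A constructed model of the owner match as the commit above and the earlier gid/invert commit describe it: it is example code, not gVisor's own matcher. It accepts the match only in the OUTPUT and POSTROUTING chains, evaluates the three `-m owner` rules quoted in the earlier commit against packets with and without a socket owner, and shows how the invert flags change the outcome. The chain and verdict types, rule representation and sample credentials are assumptions; root is taken as uid 0 / gid 0. A packet without an owner (forwarded traffic, or a kernel-thread socket with no owner) is treated here as never matching, which is this model's simplification, not a statement about any particular implementation.

```go
package main

import "fmt"

// Constructed model of `-m owner`; not gVisor's matcher code. Chains, rule
// encoding and the sample packets are made up for the example.

type chain int

const (
	prerouting chain = iota
	input
	forward
	output
	postrouting
)

// owner is the credentials of the socket that created a locally generated packet.
type owner struct{ uid, gid uint32 }

// packet carries an optional owner: forwarded packets have none, and
// packets from kernel threads have a socket but usually no owner.
type packet struct{ owner *owner }

// ownerMatch corresponds to `-m owner [!] --uid-owner UID [!] --gid-owner GID`.
type ownerMatch struct {
	matchUID, invertUID bool
	uid                 uint32
	matchGID, invertGID bool
	gid                 uint32
}

// validIn reports whether the match may be used in the given chain; the
// rule is rejected at insertion time otherwise.
func (m ownerMatch) validIn(c chain) bool { return c == output || c == postrouting }

// matches evaluates the match against one packet. An ownerless packet never
// matches in this model (a simplification), because there is nothing to compare.
func (m ownerMatch) matches(p packet) bool {
	if p.owner == nil {
		return false
	}
	// (equal == invert) is true exactly when the criterion fails:
	// equal and inverted, or not equal and not inverted.
	if m.matchUID && (p.owner.uid == m.uid) == m.invertUID {
		return false
	}
	if m.matchGID && (p.owner.gid == m.gid) == m.invertGID {
		return false
	}
	return true
}

type verdict string

const (
	accept verdict = "ACCEPT"
	drop   verdict = "DROP"
)

type rule struct {
	match  ownerMatch
	target verdict
}

// evaluate walks the chain's rules in order and returns the first verdict,
// or the chain's default policy when no rule matches. A rule using the owner
// match in a chain where it is not valid is an error.
func evaluate(c chain, rules []rule, policy verdict, p packet) (verdict, error) {
	for i, r := range rules {
		if !r.match.validIn(c) {
			return "", fmt.Errorf("rule %d: owner match is only valid in OUTPUT and POSTROUTING", i)
		}
		if r.match.matches(p) {
			return r.target, nil
		}
	}
	return policy, nil
}

// commitRules are the three rules quoted in the earlier commit, with root = uid 0 / gid 0.
var commitRules = []rule{
	{match: ownerMatch{matchGID: true, gid: 0}, target: accept},                  // --gid-owner root -j ACCEPT
	{match: ownerMatch{matchUID: true, invertUID: true, uid: 0}, target: accept}, // ! --uid-owner root -j ACCEPT
	{match: ownerMatch{matchGID: true, invertGID: true, gid: 0}, target: drop},   // ! --gid-owner root -j DROP
}

func main() {
	for _, p := range []packet{
		{owner: &owner{uid: 0, gid: 0}},       // root:root, rule 1 -> ACCEPT
		{owner: &owner{uid: 1000, gid: 1000}}, // non-root, rule 2 -> ACCEPT
		{owner: &owner{uid: 0, gid: 1000}},    // root uid, non-root gid, rule 3 -> DROP
		{},                                    // no owner: no rule matches -> policy ACCEPT
	} {
		v, err := evaluate(output, commitRules, accept, p)
		fmt.Println(v, err)
	}
	_, err := evaluate(prerouting, commitRules, accept, packet{})
	fmt.Println(err) // the owner match is rejected outside OUTPUT/POSTROUTING
}
```

The third sample packet is the instructive one: it is root by uid, so the inverted `--uid-owner root` rule does not fire, but its gid is not root, so the inverted `--gid-owner root` rule drops it.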
PiperOrigin-RevId: 303147253

PiperOrigin-RevId: 301716568

These tests could time out because net.DialTCP didn't respect the
timeout.

PiperOrigin-RevId: 301686266

PiperOrigin-RevId: 301650898

PiperOrigin-RevId: 301476456

PiperOrigin-RevId: 301197007

Fixed flakes (tested via --runs_per_test=100) and added skips for
not-yet-implemented features. Once submitted, the iptables tests will be
ready to enable in kokoro.

Enables commands such as:
  $ iptables -A INPUT -d 127.0.0.1 -j ACCEPT
  $ iptables -t nat -A PREROUTING ! -d 127.0.0.1 -j REDIRECT
Also adds a bunch of REDIRECT+destination tests.

- commit the changes for the comments.

PiperOrigin-RevId: 295835807

PiperOrigin-RevId: 295785052

Add nat table support for the Prerouting hook with the Redirect option.
Add tests to check redirection of ports.

  $ iptables -N foochain
  $ iptables -A INPUT -j foochain

- Adds creation of user chains via `-N <chainname>`
- Adds `-j RETURN` support for built-in chains, which triggers the
  chain's underflow rule (usually the default policy).
- Adds tests for chain creation, default policies, and `-j RETURN` from
  built-in chains.

The readme didn't mention that users need to:
- `bazel build` when working on iptables tests
- enable raw sockets in /etc/docker/daemon.json.

PiperOrigin-RevId: 294260169

PiperOrigin-RevId: 293676954

PiperOrigin-RevId: 293243342

The name of the runner binary target changed from "runner" to "runner-image",
causing iptables tests to fail.

PiperOrigin-RevId: 292242263

PiperOrigin-RevId: 291745021

PiperOrigin-RevId: 291249314

PiperOrigin-RevId: 290793754

PiperOrigin-RevId: 290273561

Added tests for the tcp protocol with input and output rules, including the sport and dport options.
Increased the timeout in iptables_test as TCP tests were timing out with the existing value.