From 2f35fa14abe546b58c72312fbd23ad3f0b7a193f Mon Sep 17 00:00:00 2001 From: Kevin Krakauer Date: Wed, 17 Feb 2021 09:59:54 -0800 Subject: Deflake //test/iptables:iptables_test We were opening dual-stack sockets, but tests only set iptables rules for a single network protocol. Thus, packets (probably sent by previous tests) could sneak in and break tests. Tested with: bazel test ///test/iptables:iptables_test --test_arg=--runtime=runsc --nocache_test_results --test_output=errors --runs_per_test=1000 --test_filter=TestFilterInputDropUDP PiperOrigin-RevId: 357972385 --- test/iptables/filter_input.go | 96 +++++++++++++++++++++--------------------- test/iptables/filter_output.go | 76 ++++++++++++++++----------------- test/iptables/iptables_util.go | 32 ++++++++++---- test/iptables/nat.go | 58 ++++++++++++------------- 4 files changed, 139 insertions(+), 123 deletions(-) diff --git a/test/iptables/filter_input.go b/test/iptables/filter_input.go index 0f656513e..4739bc06f 100644 --- a/test/iptables/filter_input.go +++ b/test/iptables/filter_input.go @@ -78,7 +78,7 @@ func (*FilterInputDropUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 // Listen for UDP packets on dropPort. timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := listenUDP(timedCtx, dropPort); err == nil { + if err := listenUDP(timedCtx, dropPort, ipv6); err == nil { return fmt.Errorf("packets on port %d should have been dropped, but got a packet", dropPort) } else if !errors.Is(err, context.DeadlineExceeded) { return fmt.Errorf("error reading: %v", err) @@ -91,7 +91,7 @@ func (*FilterInputDropUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 // LocalAction implements TestCase.LocalAction. func (*FilterInputDropUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return sendUDPLoop(ctx, ip, dropPort) + return sendUDPLoop(ctx, ip, dropPort, ipv6) } // FilterInputDropOnlyUDP tests that "-p udp -j DROP" only affects UDP traffic. 
@@ -111,7 +111,7 @@ func (*FilterInputDropOnlyUDP) ContainerAction(ctx context.Context, ip net.IP, i } // Listen for a TCP connection, which should be allowed. - if err := listenTCP(ctx, acceptPort); err != nil { + if err := listenTCP(ctx, acceptPort, ipv6); err != nil { return fmt.Errorf("failed to establish a connection %v", err) } @@ -122,7 +122,7 @@ func (*FilterInputDropOnlyUDP) ContainerAction(ctx context.Context, ip net.IP, i func (*FilterInputDropOnlyUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Try to establish a TCP connection with the container, which should // succeed. - return connectTCP(ctx, ip, acceptPort) + return connectTCP(ctx, ip, acceptPort, ipv6) } // FilterInputDropUDPPort tests that we can drop UDP traffic by port. @@ -144,7 +144,7 @@ func (*FilterInputDropUDPPort) ContainerAction(ctx context.Context, ip net.IP, i // Listen for UDP packets on dropPort. timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := listenUDP(timedCtx, dropPort); err == nil { + if err := listenUDP(timedCtx, dropPort, ipv6); err == nil { return fmt.Errorf("packets on port %d should have been dropped, but got a packet", dropPort) } else if !errors.Is(err, context.DeadlineExceeded) { return fmt.Errorf("error reading: %v", err) @@ -157,7 +157,7 @@ func (*FilterInputDropUDPPort) ContainerAction(ctx context.Context, ip net.IP, i // LocalAction implements TestCase.LocalAction. func (*FilterInputDropUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return sendUDPLoop(ctx, ip, dropPort) + return sendUDPLoop(ctx, ip, dropPort, ipv6) } // FilterInputDropDifferentUDPPort tests that dropping traffic for a single UDP port 
@@ -178,7 +178,7 @@ func (*FilterInputDropDifferentUDPPort) ContainerAction(ctx context.Context, ip } // Listen for UDP packets on another port. - if err := listenUDP(ctx, acceptPort); err != nil { + if err := listenUDP(ctx, acceptPort, ipv6); err != nil { return fmt.Errorf("packets on port %d should be allowed, but encountered an error: %v", acceptPort, err) } @@ -187,7 +187,7 @@ func (*FilterInputDropDifferentUDPPort) ContainerAction(ctx context.Context, ip // LocalAction implements TestCase.LocalAction. func (*FilterInputDropDifferentUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return sendUDPLoop(ctx, ip, acceptPort) + return sendUDPLoop(ctx, ip, acceptPort, ipv6) } // FilterInputDropTCPDestPort tests that connections are not accepted on specified source ports. @@ -209,7 +209,7 @@ func (*FilterInputDropTCPDestPort) ContainerAction(ctx context.Context, ip net.I // Listen for TCP packets on drop port. timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := listenTCP(timedCtx, dropPort); err == nil { + if err := listenTCP(timedCtx, dropPort, ipv6); err == nil { return fmt.Errorf("connection on port %d should not be accepted, but got accepted", dropPort) } else if !errors.Is(err, context.DeadlineExceeded) { return fmt.Errorf("error reading: %v", err) @@ -223,7 +223,7 @@ func (*FilterInputDropTCPDestPort) LocalAction(ctx context.Context, ip net.IP, i // Ensure we cannot connect to the container. timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := connectTCP(timedCtx, ip, dropPort); err == nil { + if err := connectTCP(timedCtx, ip, dropPort, ipv6); err == nil { return fmt.Errorf("expected not to connect, but was able to connect on port %d", dropPort) } return nil 
@@ -249,7 +249,7 @@ func (*FilterInputDropTCPSrcPort) ContainerAction(ctx context.Context, ip net.IP // Listen for TCP packets on accept port. timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := listenTCP(timedCtx, acceptPort); err == nil { + if err := listenTCP(timedCtx, acceptPort, ipv6); err == nil { return fmt.Errorf("connection destined to port %d should not be accepted, but was", dropPort) } else if !errors.Is(err, context.DeadlineExceeded) { return fmt.Errorf("error reading: %v", err) @@ -263,7 +263,7 @@ func (*FilterInputDropTCPSrcPort) LocalAction(ctx context.Context, ip net.IP, ip // Ensure we cannot connect to the container. timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := connectTCP(timedCtx, ip, dropPort); err == nil { + if err := connectTCP(timedCtx, ip, dropPort, ipv6); err == nil { return fmt.Errorf("expected not to connect, but was able to connect on port %d", acceptPort) } return nil @@ -288,7 +288,7 @@ func (*FilterInputDropAll) ContainerAction(ctx context.Context, ip net.IP, ipv6 // Listen for all packets on dropPort. timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := listenUDP(timedCtx, dropPort); err == nil { + if err := listenUDP(timedCtx, dropPort, ipv6); err == nil { return fmt.Errorf("packets should have been dropped, but got a packet") } else if !errors.Is(err, context.DeadlineExceeded) { return fmt.Errorf("error reading: %v", err) @@ -301,7 +301,7 @@ func (*FilterInputDropAll) ContainerAction(ctx context.Context, ip net.IP, ipv6 // LocalAction implements TestCase.LocalAction. func (*FilterInputDropAll) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return sendUDPLoop(ctx, ip, dropPort) + return sendUDPLoop(ctx, ip, dropPort, ipv6) } // FilterInputMultiUDPRules verifies that multiple UDP rules are applied 
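Review bot: In the FilterInputDropTCPSrcPort hunk (-249) the error message right after the changed call still names `dropPort` although the call listens on `acceptPort`, and its LocalAction hunk (-263) has the reverse: it connects to `dropPort` but reports `acceptPort`; the same pattern appears in filter_output.go's FilterOutputDropTCPDestPort hunks (-64 and -77), which listen on and connect to `acceptPort` but report `dropPort`. If the ports in the calls are the intended ones the messages should follow them, e.g. `return fmt.Errorf("connection destined to port %d should not be accepted, but was", acceptPort)` in -249 and `return fmt.Errorf("expected not to connect, but was able to connect on port %d", dropPort)` in -263; if the messages are right it is the ports in the calls that need a second look, which I cannot settle from here because the rule-installing lines are outside the hunks. These messages predate the commit, but since it rewrites exactly those statements this is the cheapest moment to make the diagnostics match the calls. Each of these ContainerAction/LocalAction bodies starts before and ends after its hunk.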
@@ -401,12 +401,12 @@ func (*FilterInputDefaultPolicyAccept) ContainerAction(ctx context.Context, ip n if err := filterTable(ipv6, "-P", "INPUT", "ACCEPT"); err != nil { return err } - return listenUDP(ctx, acceptPort) + return listenUDP(ctx, acceptPort, ipv6) } // LocalAction implements TestCase.LocalAction. func (*FilterInputDefaultPolicyAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return sendUDPLoop(ctx, ip, acceptPort) + return sendUDPLoop(ctx, ip, acceptPort, ipv6) } // FilterInputDefaultPolicyDrop tests the default DROP policy. @@ -428,7 +428,7 @@ func (*FilterInputDefaultPolicyDrop) ContainerAction(ctx context.Context, ip net // Listen for UDP packets on dropPort. timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := listenUDP(timedCtx, dropPort); err == nil { + if err := listenUDP(timedCtx, dropPort, ipv6); err == nil { return fmt.Errorf("packets on port %d should have been dropped, but got a packet", dropPort) } else if !errors.Is(err, context.DeadlineExceeded) { return fmt.Errorf("error reading: %v", err) @@ -441,7 +441,7 @@ func (*FilterInputDefaultPolicyDrop) ContainerAction(ctx context.Context, ip net // LocalAction implements TestCase.LocalAction. func (*FilterInputDefaultPolicyDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return sendUDPLoop(ctx, ip, acceptPort) + return sendUDPLoop(ctx, ip, acceptPort, ipv6) } // FilterInputReturnUnderflow tests that -j RETURN in a built-in chain causes 
@@ -470,12 +470,12 @@ func (*FilterInputReturnUnderflow) ContainerAction(ctx context.Context, ip net.I // We should receive packets, as the RETURN rule will trigger the default // ACCEPT policy. - return listenUDP(ctx, acceptPort) + return listenUDP(ctx, acceptPort, ipv6) } // LocalAction implements TestCase.LocalAction. func (*FilterInputReturnUnderflow) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return sendUDPLoop(ctx, ip, acceptPort) + return sendUDPLoop(ctx, ip, acceptPort, ipv6) } // FilterInputSerializeJump verifies that we can serialize jumps. @@ -528,12 +528,12 @@ func (*FilterInputJumpBasic) ContainerAction(ctx context.Context, ip net.IP, ipv } // Listen for UDP packets on acceptPort. - return listenUDP(ctx, acceptPort) + return listenUDP(ctx, acceptPort, ipv6) } // LocalAction implements TestCase.LocalAction. func (*FilterInputJumpBasic) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return sendUDPLoop(ctx, ip, acceptPort) + return sendUDPLoop(ctx, ip, acceptPort, ipv6) } // FilterInputJumpReturn jumps, returns, and executes a rule. @@ -560,12 +560,12 @@ func (*FilterInputJumpReturn) ContainerAction(ctx context.Context, ip net.IP, ip } // Listen for UDP packets on acceptPort. - return listenUDP(ctx, acceptPort) + return listenUDP(ctx, acceptPort, ipv6) } // LocalAction implements TestCase.LocalAction. func (*FilterInputJumpReturn) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return sendUDPLoop(ctx, ip, acceptPort) + return sendUDPLoop(ctx, ip, acceptPort, ipv6) } // FilterInputJumpReturnDrop jumps to a chain, returns, and DROPs packets. 
@@ -593,7 +593,7 @@ func (*FilterInputJumpReturnDrop) ContainerAction(ctx context.Context, ip net.IP // Listen for UDP packets on dropPort. timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := listenUDP(timedCtx, dropPort); err == nil { + if err := listenUDP(timedCtx, dropPort, ipv6); err == nil { return fmt.Errorf("packets on port %d should have been dropped, but got a packet", dropPort) } else if !errors.Is(err, context.DeadlineExceeded) { return fmt.Errorf("error reading: %v", err) @@ -606,7 +606,7 @@ func (*FilterInputJumpReturnDrop) ContainerAction(ctx context.Context, ip net.IP // LocalAction implements TestCase.LocalAction. func (*FilterInputJumpReturnDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return sendUDPLoop(ctx, ip, dropPort) + return sendUDPLoop(ctx, ip, dropPort, ipv6) } // FilterInputJumpBuiltin verifies that jumping to a top-levl chain is illegal. @@ -660,12 +660,12 @@ func (*FilterInputJumpTwice) ContainerAction(ctx context.Context, ip net.IP, ipv // UDP packets should jump and return twice, eventually hitting the // ACCEPT rule. - return listenUDP(ctx, acceptPort) + return listenUDP(ctx, acceptPort, ipv6) } // LocalAction implements TestCase.LocalAction. func (*FilterInputJumpTwice) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return sendUDPLoop(ctx, ip, acceptPort) + return sendUDPLoop(ctx, ip, acceptPort, ipv6) } // FilterInputDestination verifies that we can filter packets via `-d 
@@ -696,12 +696,12 @@ func (*FilterInputDestination) ContainerAction(ctx context.Context, ip net.IP, i return err } - return listenUDP(ctx, acceptPort) + return listenUDP(ctx, acceptPort, ipv6) } // LocalAction implements TestCase.LocalAction. func (*FilterInputDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return sendUDPLoop(ctx, ip, acceptPort) + return sendUDPLoop(ctx, ip, acceptPort, ipv6) } // FilterInputInvertDestination verifies that we can filter packets via `! -d @@ -727,12 +727,12 @@ func (*FilterInputInvertDestination) ContainerAction(ctx context.Context, ip net return err } - return listenUDP(ctx, acceptPort) + return listenUDP(ctx, acceptPort, ipv6) } // LocalAction implements TestCase.LocalAction. func (*FilterInputInvertDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return sendUDPLoop(ctx, ip, acceptPort) + return sendUDPLoop(ctx, ip, acceptPort, ipv6) } // FilterInputSource verifies that we can filter packets via `-s @@ -758,12 +758,12 @@ func (*FilterInputSource) ContainerAction(ctx context.Context, ip net.IP, ipv6 b return err } - return listenUDP(ctx, acceptPort) + return listenUDP(ctx, acceptPort, ipv6) } // LocalAction implements TestCase.LocalAction. func (*FilterInputSource) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return sendUDPLoop(ctx, ip, acceptPort) + return sendUDPLoop(ctx, ip, acceptPort, ipv6) } // FilterInputInvertSource verifies that we can filter packets via `! -s 
@@ -789,12 +789,12 @@ func (*FilterInputInvertSource) ContainerAction(ctx context.Context, ip net.IP, return err } - return listenUDP(ctx, acceptPort) + return listenUDP(ctx, acceptPort, ipv6) } // LocalAction implements TestCase.LocalAction. func (*FilterInputInvertSource) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return sendUDPLoop(ctx, ip, acceptPort) + return sendUDPLoop(ctx, ip, acceptPort, ipv6) } // FilterInputInterfaceAccept tests that packets are accepted from interface @@ -817,7 +817,7 @@ func (*FilterInputInterfaceAccept) ContainerAction(ctx context.Context, ip net.I if err := filterTable(ipv6, "-A", "INPUT", "-p", "udp", "-i", ifname, "-j", "ACCEPT"); err != nil { return err } - if err := listenUDP(ctx, acceptPort); err != nil { + if err := listenUDP(ctx, acceptPort, ipv6); err != nil { return fmt.Errorf("packets on port %d should be allowed, but encountered an error: %w", acceptPort, err) } @@ -826,7 +826,7 @@ func (*FilterInputInterfaceAccept) ContainerAction(ctx context.Context, ip net.I // LocalAction implements TestCase.LocalAction. func (*FilterInputInterfaceAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return sendUDPLoop(ctx, ip, acceptPort) + return sendUDPLoop(ctx, ip, acceptPort, ipv6) } // FilterInputInterfaceDrop tests that packets are dropped from interface @@ -851,7 +851,7 @@ func (*FilterInputInterfaceDrop) ContainerAction(ctx context.Context, ip net.IP, } timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := listenUDP(timedCtx, acceptPort); err != nil { + if err := listenUDP(timedCtx, acceptPort, ipv6); err != nil { if errors.Is(err, context.DeadlineExceeded) { return nil } 
@@ -862,7 +862,7 @@ func (*FilterInputInterfaceDrop) ContainerAction(ctx context.Context, ip net.IP, // LocalAction implements TestCase.LocalAction. func (*FilterInputInterfaceDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return sendUDPLoop(ctx, ip, acceptPort) + return sendUDPLoop(ctx, ip, acceptPort, ipv6) } // FilterInputInterface tests that packets are not dropped from interface which @@ -881,7 +881,7 @@ func (*FilterInputInterface) ContainerAction(ctx context.Context, ip net.IP, ipv if err := filterTable(ipv6, "-A", "INPUT", "-p", "udp", "-i", "lo", "-j", "DROP"); err != nil { return err } - if err := listenUDP(ctx, acceptPort); err != nil { + if err := listenUDP(ctx, acceptPort, ipv6); err != nil { return fmt.Errorf("packets on port %d should be allowed, but encountered an error: %w", acceptPort, err) } return nil @@ -889,7 +889,7 @@ func (*FilterInputInterface) ContainerAction(ctx context.Context, ip net.IP, ipv // LocalAction implements TestCase.LocalAction. func (*FilterInputInterface) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return sendUDPLoop(ctx, ip, acceptPort) + return sendUDPLoop(ctx, ip, acceptPort, ipv6) } // FilterInputInterfaceBeginsWith tests that packets are dropped from an @@ -910,7 +910,7 @@ func (*FilterInputInterfaceBeginsWith) ContainerAction(ctx context.Context, ip n } timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := listenUDP(timedCtx, acceptPort); err != nil { + if err := listenUDP(timedCtx, acceptPort, ipv6); err != nil { if errors.Is(err, context.DeadlineExceeded) { return nil } 
@@ -921,7 +921,7 @@ func (*FilterInputInterfaceBeginsWith) ContainerAction(ctx context.Context, ip n // LocalAction implements TestCase.LocalAction. func (*FilterInputInterfaceBeginsWith) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return sendUDPLoop(ctx, ip, acceptPort) + return sendUDPLoop(ctx, ip, acceptPort, ipv6) } // FilterInputInterfaceInvertDrop tests that we selectively drop packets from @@ -942,7 +942,7 @@ func (*FilterInputInterfaceInvertDrop) ContainerAction(ctx context.Context, ip n } timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := listenTCP(timedCtx, acceptPort); err != nil { + if err := listenTCP(timedCtx, acceptPort, ipv6); err != nil { if errors.Is(err, context.DeadlineExceeded) { return nil } @@ -955,7 +955,7 @@ func (*FilterInputInterfaceInvertDrop) ContainerAction(ctx context.Context, ip n func (*FilterInputInterfaceInvertDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := connectTCP(timedCtx, ip, acceptPort); err != nil { + if err := connectTCP(timedCtx, ip, acceptPort, ipv6); err != nil { var operr *net.OpError if errors.As(err, &operr) && operr.Timeout() { return nil @@ -981,10 +981,10 @@ func (*FilterInputInterfaceInvertAccept) ContainerAction(ctx context.Context, ip if err := filterTable(ipv6, "-A", "INPUT", "-p", "tcp", "!", "-i", "lo", "-j", "ACCEPT"); err != nil { return err } - return listenTCP(ctx, acceptPort) + return listenTCP(ctx, acceptPort, ipv6) } // LocalAction implements TestCase.LocalAction. func (*FilterInputInterfaceInvertAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return connectTCP(ctx, ip, acceptPort) + return connectTCP(ctx, ip, acceptPort, ipv6) } diff --git a/test/iptables/filter_output.go b/test/iptables/filter_output.go index 590d234bb..bcb2a3b70 100644 --- a/test/iptables/filter_output.go 
+++ b/test/iptables/filter_output.go @@ -64,7 +64,7 @@ func (*FilterOutputDropTCPDestPort) ContainerAction(ctx context.Context, ip net. // Listen for TCP packets on accept port. timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := listenTCP(timedCtx, acceptPort); err == nil { + if err := listenTCP(timedCtx, acceptPort, ipv6); err == nil { return fmt.Errorf("connection destined to port %d should not be accepted, but got accepted", dropPort) } else if !errors.Is(err, context.DeadlineExceeded) { return fmt.Errorf("error reading: %v", err) @@ -77,7 +77,7 @@ func (*FilterOutputDropTCPDestPort) ContainerAction(ctx context.Context, ip net. func (*FilterOutputDropTCPDestPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := connectTCP(timedCtx, ip, acceptPort); err == nil { + if err := connectTCP(timedCtx, ip, acceptPort, ipv6); err == nil { return fmt.Errorf("connection on port %d should not be accepted, but got accepted", dropPort) } @@ -104,7 +104,7 @@ func (*FilterOutputDropTCPSrcPort) ContainerAction(ctx context.Context, ip net.I // Listen for TCP packets on drop port. timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := listenTCP(timedCtx, dropPort); err == nil { + if err := listenTCP(timedCtx, dropPort, ipv6); err == nil { return fmt.Errorf("connection on port %d should not be accepted, but got accepted", dropPort) } else if !errors.Is(err, context.DeadlineExceeded) { return fmt.Errorf("error reading: %v", err) 
@@ -117,7 +117,7 @@ func (*FilterOutputDropTCPSrcPort) ContainerAction(ctx context.Context, ip net.I func (*FilterOutputDropTCPSrcPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := connectTCP(timedCtx, ip, dropPort); err == nil { + if err := connectTCP(timedCtx, ip, dropPort, ipv6); err == nil { return fmt.Errorf("connection destined to port %d should not be accepted, but got accepted", dropPort) } @@ -141,12 +141,12 @@ func (*FilterOutputAcceptTCPOwner) ContainerAction(ctx context.Context, ip net.I } // Listen for TCP packets on accept port. - return listenTCP(ctx, acceptPort) + return listenTCP(ctx, acceptPort, ipv6) } // LocalAction implements TestCase.LocalAction. func (*FilterOutputAcceptTCPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return connectTCP(ctx, ip, acceptPort) + return connectTCP(ctx, ip, acceptPort, ipv6) } // FilterOutputDropTCPOwner tests that TCP connections from uid owner are dropped. @@ -168,7 +168,7 @@ func (*FilterOutputDropTCPOwner) ContainerAction(ctx context.Context, ip net.IP, // Listen for TCP packets on accept port. timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := listenTCP(timedCtx, acceptPort); err == nil { + if err := listenTCP(timedCtx, acceptPort, ipv6); err == nil { return fmt.Errorf("connection on port %d should be dropped, but got accepted", acceptPort) } else if !errors.Is(err, context.DeadlineExceeded) { return fmt.Errorf("error reading: %v", err) 
@@ -181,7 +181,7 @@ func (*FilterOutputDropTCPOwner) ContainerAction(ctx context.Context, ip net.IP, func (*FilterOutputDropTCPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := connectTCP(timedCtx, ip, acceptPort); err == nil { + if err := connectTCP(timedCtx, ip, acceptPort, ipv6); err == nil { return fmt.Errorf("connection destined to port %d should be dropped, but got accepted", acceptPort) } @@ -205,13 +205,13 @@ func (*FilterOutputAcceptUDPOwner) ContainerAction(ctx context.Context, ip net.I } // Send UDP packets on acceptPort. - return sendUDPLoop(ctx, ip, acceptPort) + return sendUDPLoop(ctx, ip, acceptPort, ipv6) } // LocalAction implements TestCase.LocalAction. func (*FilterOutputAcceptUDPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { // Listen for UDP packets on acceptPort. - return listenUDP(ctx, acceptPort) + return listenUDP(ctx, acceptPort, ipv6) } // FilterOutputDropUDPOwner tests that UDP packets from uid owner are dropped. @@ -231,7 +231,7 @@ func (*FilterOutputDropUDPOwner) ContainerAction(ctx context.Context, ip net.IP, } // Send UDP packets on dropPort. - return sendUDPLoop(ctx, ip, dropPort) + return sendUDPLoop(ctx, ip, dropPort, ipv6) } // LocalAction implements TestCase.LocalAction. @@ -239,7 +239,7 @@ func (*FilterOutputDropUDPOwner) LocalAction(ctx context.Context, ip net.IP, ipv // Listen for UDP packets on dropPort. timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := listenUDP(timedCtx, dropPort); err == nil { + if err := listenUDP(timedCtx, dropPort, ipv6); err == nil { return fmt.Errorf("packets should not be received") } else if !errors.Is(err, context.DeadlineExceeded) { return fmt.Errorf("error reading: %v", err) 
@@ -291,12 +291,12 @@ func (*FilterOutputAcceptGIDOwner) ContainerAction(ctx context.Context, ip net.I } // Listen for TCP packets on accept port. - return listenTCP(ctx, acceptPort) + return listenTCP(ctx, acceptPort, ipv6) } // LocalAction implements TestCase.LocalAction. func (*FilterOutputAcceptGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return connectTCP(ctx, ip, acceptPort) + return connectTCP(ctx, ip, acceptPort, ipv6) } // FilterOutputDropGIDOwner tests that TCP connections from gid owner are dropped. @@ -318,7 +318,7 @@ func (*FilterOutputDropGIDOwner) ContainerAction(ctx context.Context, ip net.IP, // Listen for TCP packets on accept port. timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := listenTCP(timedCtx, acceptPort); err == nil { + if err := listenTCP(timedCtx, acceptPort, ipv6); err == nil { return fmt.Errorf("connection on port %d should not be accepted, but got accepted", acceptPort) } else if !errors.Is(err, context.DeadlineExceeded) { return fmt.Errorf("error reading: %v", err) @@ -331,7 +331,7 @@ func (*FilterOutputDropGIDOwner) ContainerAction(ctx context.Context, ip net.IP, func (*FilterOutputDropGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := connectTCP(timedCtx, ip, acceptPort); err == nil { + if err := connectTCP(timedCtx, ip, acceptPort, ipv6); err == nil { return fmt.Errorf("connection destined to port %d should not be accepted, but got accepted", acceptPort) } 
@@ -361,7 +361,7 @@ func (*FilterOutputInvertGIDOwner) ContainerAction(ctx context.Context, ip net.I // Listen for TCP packets on accept port. timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := listenTCP(timedCtx, acceptPort); err == nil { + if err := listenTCP(timedCtx, acceptPort, ipv6); err == nil { return fmt.Errorf("connection on port %d should not be accepted, but got accepted", acceptPort) } else if !errors.Is(err, context.DeadlineExceeded) { return fmt.Errorf("error reading: %v", err) @@ -374,7 +374,7 @@ func (*FilterOutputInvertGIDOwner) ContainerAction(ctx context.Context, ip net.I func (*FilterOutputInvertGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := connectTCP(timedCtx, ip, acceptPort); err == nil { + if err := connectTCP(timedCtx, ip, acceptPort, ipv6); err == nil { return fmt.Errorf("connection destined to port %d should not be accepted, but got accepted", acceptPort) } @@ -402,12 +402,12 @@ func (*FilterOutputInvertUIDOwner) ContainerAction(ctx context.Context, ip net.I } // Listen for TCP packets on accept port. - return listenTCP(ctx, acceptPort) + return listenTCP(ctx, acceptPort, ipv6) } // LocalAction implements TestCase.LocalAction. func (*FilterOutputInvertUIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return connectTCP(ctx, ip, acceptPort) + return connectTCP(ctx, ip, acceptPort, ipv6) } // FilterOutputInvertUIDAndGIDOwner tests that TCP connections from uid and gid 
@@ -434,7 +434,7 @@ func (*FilterOutputInvertUIDAndGIDOwner) ContainerAction(ctx context.Context, ip // Listen for TCP packets on accept port. timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := listenTCP(timedCtx, acceptPort); err == nil { + if err := listenTCP(timedCtx, acceptPort, ipv6); err == nil { return fmt.Errorf("connection on port %d should not be accepted, but got accepted", acceptPort) } else if !errors.Is(err, context.DeadlineExceeded) { return fmt.Errorf("error reading: %v", err) @@ -447,7 +447,7 @@ func (*FilterOutputInvertUIDAndGIDOwner) ContainerAction(ctx context.Context, ip func (*FilterOutputInvertUIDAndGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := connectTCP(timedCtx, ip, acceptPort); err == nil { + if err := connectTCP(timedCtx, ip, acceptPort, ipv6); err == nil { return fmt.Errorf("connection destined to port %d should not be accepted, but got accepted", acceptPort) } @@ -486,12 +486,12 @@ func (*FilterOutputDestination) ContainerAction(ctx context.Context, ip net.IP, return err } - return sendUDPLoop(ctx, ip, acceptPort) + return sendUDPLoop(ctx, ip, acceptPort, ipv6) } // LocalAction implements TestCase.LocalAction. func (*FilterOutputDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return listenUDP(ctx, acceptPort) + return listenUDP(ctx, acceptPort, ipv6) } // FilterOutputInvertDestination tests that we can selectively allow packets 
@@ -515,12 +515,12 @@ func (*FilterOutputInvertDestination) ContainerAction(ctx context.Context, ip ne return err } - return sendUDPLoop(ctx, ip, acceptPort) + return sendUDPLoop(ctx, ip, acceptPort, ipv6) } // LocalAction implements TestCase.LocalAction. func (*FilterOutputInvertDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return listenUDP(ctx, acceptPort) + return listenUDP(ctx, acceptPort, ipv6) } // FilterOutputInterfaceAccept tests that packets are sent via interface @@ -544,12 +544,12 @@ func (*FilterOutputInterfaceAccept) ContainerAction(ctx context.Context, ip net. return err } - return sendUDPLoop(ctx, ip, acceptPort) + return sendUDPLoop(ctx, ip, acceptPort, ipv6) } // LocalAction implements TestCase.LocalAction. func (*FilterOutputInterfaceAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return listenUDP(ctx, acceptPort) + return listenUDP(ctx, acceptPort, ipv6) } // FilterOutputInterfaceDrop tests that packets are not sent via interface @@ -573,14 +573,14 @@ func (*FilterOutputInterfaceDrop) ContainerAction(ctx context.Context, ip net.IP return err } - return sendUDPLoop(ctx, ip, acceptPort) + return sendUDPLoop(ctx, ip, acceptPort, ipv6) } // LocalAction implements TestCase.LocalAction. func (*FilterOutputInterfaceDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := listenUDP(timedCtx, acceptPort); err == nil { + if err := listenUDP(timedCtx, acceptPort, ipv6); err == nil { return fmt.Errorf("packets should not be received on port %v, but are received", acceptPort) } else if !errors.Is(err, context.DeadlineExceeded) { return fmt.Errorf("error reading: %v", err) 
@@ -606,12 +606,12 @@ func (*FilterOutputInterface) ContainerAction(ctx context.Context, ip net.IP, ip return err } - return sendUDPLoop(ctx, ip, acceptPort) + return sendUDPLoop(ctx, ip, acceptPort, ipv6) } // LocalAction implements TestCase.LocalAction. func (*FilterOutputInterface) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { - return listenUDP(ctx, acceptPort) + return listenUDP(ctx, acceptPort, ipv6) } // FilterOutputInterfaceBeginsWith tests that packets are not sent via an @@ -631,14 +631,14 @@ func (*FilterOutputInterfaceBeginsWith) ContainerAction(ctx context.Context, ip return err } - return sendUDPLoop(ctx, ip, acceptPort) + return sendUDPLoop(ctx, ip, acceptPort, ipv6) } // LocalAction implements TestCase.LocalAction. func (*FilterOutputInterfaceBeginsWith) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error { timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := listenUDP(timedCtx, acceptPort); err == nil { + if err := listenUDP(timedCtx, acceptPort, ipv6); err == nil { return fmt.Errorf("packets should not be received on port %v, but are received", acceptPort) } else if !errors.Is(err, context.DeadlineExceeded) { return fmt.Errorf("error reading: %v", err) @@ -667,7 +667,7 @@ func (*FilterOutputInterfaceInvertDrop) ContainerAction(ctx context.Context, ip // Listen for TCP packets on accept port. timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout) defer cancel() - if err := listenTCP(timedCtx, acceptPort); err == nil { + if err := listenTCP(timedCtx, acceptPort, ipv6); err == nil { return fmt.Errorf("connection on port %d should not be accepted, but got accepted", acceptPort) } else if !errors.Is(err, context.DeadlineExceeded) { return fmt.Errorf("error reading: %v", err) 
@@ -680,7 +680,7 @@ func (*FilterOutputInterfaceInvertDrop) ContainerAction(ctx context.Context, ip
 func (*FilterOutputInterfaceInvertDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
 timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
 defer cancel()
- if err := connectTCP(timedCtx, ip, acceptPort); err == nil {
+ if err := connectTCP(timedCtx, ip, acceptPort, ipv6); err == nil {
 return fmt.Errorf("connection destined to port %d should not be accepted, but got accepted", acceptPort)
 }
 
@@ -705,10 +705,10 @@ func (*FilterOutputInterfaceInvertAccept) ContainerAction(ctx context.Context, i
 }
 
 // Listen for TCP packets on accept port.
- return listenTCP(ctx, acceptPort)
+ return listenTCP(ctx, acceptPort, ipv6)
 }
 
 // LocalAction implements TestCase.LocalAction.
 func (*FilterOutputInterfaceInvertAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return connectTCP(ctx, ip, acceptPort)
+ return connectTCP(ctx, ip, acceptPort, ipv6)
 }
diff --git a/test/iptables/iptables_util.go b/test/iptables/iptables_util.go
index 4cd770a65..bba17b894 100644
--- a/test/iptables/iptables_util.go
+++ b/test/iptables/iptables_util.go
@@ -71,11 +71,11 @@ func tableRules(ipv6 bool, table string, argsList [][]string) error {
 
 // listenUDP listens on a UDP port and returns the value of net.Conn.Read() for
 // the first read on that port.
-func listenUDP(ctx context.Context, port int) error {
+func listenUDP(ctx context.Context, port int, ipv6 bool) error {
 localAddr := net.UDPAddr{
 Port: port,
 }
- conn, err := net.ListenUDP("udp", &localAddr)
+ conn, err := net.ListenUDP(udpNetwork(ipv6), &localAddr)
 if err != nil {
 return err
 }
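Review bot: The doc comment on `listenUDP` (and likewise on `sendUDPLoop`, `listenTCP` and `connectTCP` in the following hunks) does not describe the new `ipv6` parameter, which now decides whether the socket is IPv4-only or IPv6-only — the whole point of the change per the commit message. I would extend the first comment to `// listenUDP listens on a UDP port, IPv4-only or IPv6-only according to ipv6 so that traffic the test's rules do not cover cannot reach the socket, and returns the value of net.Conn.Read() for the first read on that port.` and add a matching clause to the other three. As far as I know Go's net package makes a "udp6"/"tcp6" listener on the unspecified address v6-only (IPV6_V6ONLY), which is what keeps stray IPv4 packets out; that assumption is worth stating next to `udpNetwork(ipv6)` since the tests' isolation depends on it.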
@@ -97,12 +97,12 @@ func listenUDP(ctx context.Context, port int) error {
 
 // sendUDPLoop sends 1 byte UDP packets repeatedly to the IP and port specified
 // over a duration.
-func sendUDPLoop(ctx context.Context, ip net.IP, port int) error {
+func sendUDPLoop(ctx context.Context, ip net.IP, port int, ipv6 bool) error {
 remote := net.UDPAddr{
 IP: ip,
 Port: port,
 }
- conn, err := net.DialUDP("udp", nil, &remote)
+ conn, err := net.DialUDP(udpNetwork(ipv6), nil, &remote)
 if err != nil {
 return err
 }
@@ -126,13 +126,13 @@ func sendUDPLoop(ctx context.Context, ip net.IP, port int) error {
 }
 
 // listenTCP listens for connections on a TCP port.
-func listenTCP(ctx context.Context, port int) error {
+func listenTCP(ctx context.Context, port int, ipv6 bool) error {
 localAddr := net.TCPAddr{
 Port: port,
 }
 
 // Starts listening on port.
- lConn, err := net.ListenTCP("tcp", &localAddr)
+ lConn, err := net.ListenTCP(tcpNetwork(ipv6), &localAddr)
 if err != nil {
 return err
 }
@@ -155,7 +155,7 @@ func listenTCP(ctx context.Context, port int) error {
 }
 
 // connectTCP connects to the given IP and port from an ephemeral local address.
-func connectTCP(ctx context.Context, ip net.IP, port int) error {
+func connectTCP(ctx context.Context, ip net.IP, port int, ipv6 bool) error {
 contAddr := net.TCPAddr{
 IP: ip,
 Port: port,
@@ -164,7 +164,7 @@ func connectTCP(ctx context.Context, ip net.IP, port int) error {
 // upon error.
 callback := func() error {
 var d net.Dialer
- conn, err := d.DialContext(ctx, "tcp", contAddr.String())
+ conn, err := d.DialContext(ctx, tcpNetwork(ipv6), contAddr.String())
 if conn != nil {
 conn.Close()
 }
@@ -280,3 +280,19 @@ func nowhereIP(ipv6 bool) string {
 }
 return "192.0.2.1"
 }
+
+// udpNetwork returns an IPv6 or IPv6 UDP network argument to net.Dial.
+func udpNetwork(ipv6 bool) string {
+ if ipv6 {
+ return "udp6"
+ }
+ return "udp4"
+}
+
+// tcpNetwork returns an IPv6 or IPv6 TCP network argument to net.Dial.
+func tcpNetwork(ipv6 bool) string {
+ if ipv6 {
+ return "tcp6"
+ }
+ return "tcp4"
+}
diff --git a/test/iptables/nat.go b/test/iptables/nat.go
index 7ff8510a7..7f1d6d7ad 100644
--- a/test/iptables/nat.go
+++ b/test/iptables/nat.go
@@ -66,7 +66,7 @@ func (*NATPreRedirectUDPPort) ContainerAction(ctx context.Context, ip net.IP, ip
 return err
 }
 
- if err := listenUDP(ctx, redirectPort); err != nil {
+ if err := listenUDP(ctx, redirectPort, ipv6); err != nil {
 return fmt.Errorf("packets on port %d should be allowed, but encountered an error: %v", redirectPort, err)
 }
 
@@ -75,7 +75,7 @@ func (*NATPreRedirectUDPPort) ContainerAction(ctx context.Context, ip net.IP, ip
 
 // LocalAction implements TestCase.LocalAction.
 func (*NATPreRedirectUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
 }
 
 // NATPreRedirectTCPPort tests that connections are redirected on specified ports.
@@ -95,12 +95,12 @@ func (*NATPreRedirectTCPPort) ContainerAction(ctx context.Context, ip net.IP, ip
 }
 
 // Listen for TCP packets on redirect port.
- return listenTCP(ctx, acceptPort)
+ return listenTCP(ctx, acceptPort, ipv6)
 }
 
 // LocalAction implements TestCase.LocalAction.
 func (*NATPreRedirectTCPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return connectTCP(ctx, ip, dropPort)
+ return connectTCP(ctx, ip, dropPort, ipv6)
 }
 
 // NATPreRedirectTCPOutgoing verifies that outgoing TCP connections aren't
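Review bot: Both new doc comments read `IPv6 or IPv6` where `IPv4 or IPv6` is meant, and they say the value is an argument to net.Dial although the callers in this commit pass it to net.ListenUDP, net.DialUDP, net.ListenTCP and Dialer.DialContext. I would write `// udpNetwork returns the single-stack UDP network name ("udp4" or "udp6") selected by ipv6, for net.ListenUDP and net.DialUDP.` and `// tcpNetwork returns the single-stack TCP network name ("tcp4" or "tcp6") selected by ipv6, for net.ListenTCP and net.Dialer.DialContext.` Naming the single-stack intent matters here: the commit relies on these names to stop a listener from accepting the other protocol's packets, so a later change back to "udp"/"tcp" would silently reintroduce the flakiness the commit message describes.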
@@ -122,12 +122,12 @@ func (*NATPreRedirectTCPOutgoing) ContainerAction(ctx context.Context, ip net.IP
 }
 
 // Establish a connection to the host process.
- return connectTCP(ctx, ip, acceptPort)
+ return connectTCP(ctx, ip, acceptPort, ipv6)
 }
 
 // LocalAction implements TestCase.LocalAction.
 func (*NATPreRedirectTCPOutgoing) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return listenTCP(ctx, acceptPort)
+ return listenTCP(ctx, acceptPort, ipv6)
 }
 
 // NATOutRedirectTCPIncoming verifies that incoming TCP connections aren't
@@ -149,12 +149,12 @@ func (*NATOutRedirectTCPIncoming) ContainerAction(ctx context.Context, ip net.IP
 }
 
 // Establish a connection to the host process.
- return listenTCP(ctx, acceptPort)
+ return listenTCP(ctx, acceptPort, ipv6)
 }
 
 // LocalAction implements TestCase.LocalAction.
 func (*NATOutRedirectTCPIncoming) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return connectTCP(ctx, ip, acceptPort)
+ return connectTCP(ctx, ip, acceptPort, ipv6)
 }
 
 // NATOutRedirectUDPPort tests that packets are redirected to different port.
@@ -197,7 +197,7 @@ func (*NATDropUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) er
 timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
 defer cancel()
 
- if err := listenUDP(timedCtx, acceptPort); err == nil {
+ if err := listenUDP(timedCtx, acceptPort, ipv6); err == nil {
 return fmt.Errorf("packets on port %d should have been redirected to port %d", acceptPort, redirectPort)
 } else if !errors.Is(err, context.DeadlineExceeded) {
 return fmt.Errorf("error reading: %v", err)
@@ -208,7 +208,7 @@ func (*NATDropUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) er
 
 // LocalAction implements TestCase.LocalAction.
 func (*NATDropUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
 }
 
 // NATAcceptAll tests that all UDP packets are accepted.
@@ -227,7 +227,7 @@ func (*NATAcceptAll) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool)
 return err
 }
 
- if err := listenUDP(ctx, acceptPort); err != nil {
+ if err := listenUDP(ctx, acceptPort, ipv6); err != nil {
 return fmt.Errorf("packets on port %d should be allowed, but encountered an error: %v", acceptPort, err)
 }
 
@@ -236,7 +236,7 @@ func (*NATAcceptAll) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool)
 
 // LocalAction implements TestCase.LocalAction.
 func (*NATAcceptAll) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
 }
 
 // NATOutRedirectIP uses iptables to select packets based on destination IP and
@@ -282,12 +282,12 @@ func (*NATOutDontRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv
 if err := natTable(ipv6, "-A", "OUTPUT", "-d", localIP(ipv6), "-p", "udp", "-j", "REDIRECT", "--to-port", fmt.Sprintf("%d", dropPort)); err != nil {
 return err
 }
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
 }
 
 // LocalAction implements TestCase.LocalAction.
 func (*NATOutDontRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return listenUDP(ctx, acceptPort)
+ return listenUDP(ctx, acceptPort, ipv6)
 }
 
 // NATOutRedirectInvert tests that iptables can match with "! -d".
@@ -345,12 +345,12 @@ func (*NATPreRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bo
 if err := natTableRules(ipv6, rules); err != nil {
 return err
 }
- return listenUDP(ctx, acceptPort)
+ return listenUDP(ctx, acceptPort, ipv6)
 }
 
 // LocalAction implements TestCase.LocalAction.
 func (*NATPreRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, dropPort)
+ return sendUDPLoop(ctx, ip, dropPort, ipv6)
 }
 
 // NATPreDontRedirectIP tests that iptables matching with "-d" does not match
@@ -369,12 +369,12 @@ func (*NATPreDontRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv
 if err := natTable(ipv6, "-A", "PREROUTING", "-p", "udp", "-d", localIP(ipv6), "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", dropPort)); err != nil {
 return err
 }
- return listenUDP(ctx, acceptPort)
+ return listenUDP(ctx, acceptPort, ipv6)
 }
 
 // LocalAction implements TestCase.LocalAction.
 func (*NATPreDontRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
 }
 
 // NATPreRedirectInvert tests that iptables can match with "! -d".
@@ -392,12 +392,12 @@ func (*NATPreRedirectInvert) ContainerAction(ctx context.Context, ip net.IP, ipv
 if err := natTable(ipv6, "-A", "PREROUTING", "-p", "udp", "!", "-d", localIP(ipv6), "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", acceptPort)); err != nil {
 return err
 }
- return listenUDP(ctx, acceptPort)
+ return listenUDP(ctx, acceptPort, ipv6)
 }
 
 // LocalAction implements TestCase.LocalAction.
 func (*NATPreRedirectInvert) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, dropPort)
+ return sendUDPLoop(ctx, ip, dropPort, ipv6)
 }
 
 // NATRedirectRequiresProtocol tests that use of the --to-ports flag requires a
@@ -454,7 +454,7 @@ func (*NATOutRedirectTCPPort) ContainerAction(ctx context.Context, ip net.IP, ip
 defer lConn.Close()
 
 // Accept connections on port.
- if err := connectTCP(ctx, ip, dropPort); err != nil {
+ if err := connectTCP(ctx, ip, dropPort, ipv6); err != nil {
 return err
 }
 
@@ -495,10 +495,10 @@ func (*NATLoopbackSkipsPrerouting) ContainerAction(ctx context.Context, ip net.I
 // loopback traffic, the connection would fail.
 sendCh := make(chan error)
 go func() {
- sendCh <- connectTCP(ctx, dest, acceptPort)
+ sendCh <- connectTCP(ctx, dest, acceptPort, ipv6)
 }()
 
- if err := listenTCP(ctx, acceptPort); err != nil {
+ if err := listenTCP(ctx, acceptPort, ipv6); err != nil {
 return err
 }
 return <-sendCh
@@ -540,7 +540,7 @@ func (*NATPreOriginalDst) ContainerAction(ctx context.Context, ip net.IP, ipv6 b
 
 // LocalAction implements TestCase.LocalAction.
 func (*NATPreOriginalDst) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return connectTCP(ctx, ip, dropPort)
+ return connectTCP(ctx, ip, dropPort, ipv6)
 }
 
 // NATOutOriginalDst tests that SO_ORIGINAL_DST returns the pre-NAT destination
@@ -563,7 +563,7 @@ func (*NATOutOriginalDst) ContainerAction(ctx context.Context, ip net.IP, ipv6 b
 
 connCh := make(chan error)
 go func() {
- connCh <- connectTCP(ctx, ip, dropPort)
+ connCh <- connectTCP(ctx, ip, dropPort, ipv6)
 }()
 
 if err := listenForRedirectedConn(ctx, ipv6, []net.IP{ip}); err != nil {
@@ -669,10 +669,10 @@ func loopbackTest(ctx context.Context, ipv6 bool, dest net.IP, args ...string) e
 sendCh := make(chan error, 1)
 listenCh := make(chan error, 1)
 go func() {
- sendCh <- sendUDPLoop(ctx, dest, dropPort)
+ sendCh <- sendUDPLoop(ctx, dest, dropPort, ipv6)
 }()
 go func() {
- listenCh <- listenUDP(ctx, acceptPort)
+ listenCh <- listenUDP(ctx, acceptPort, ipv6)
 }()
 select {
 case err := <-listenCh:
@@ -708,7 +708,7 @@ func (*NATPreRECVORIGDSTADDR) ContainerAction(ctx context.Context, ip net.IP, ip
 
 // LocalAction implements TestCase.LocalAction.
 func (*NATPreRECVORIGDSTADDR) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
- return sendUDPLoop(ctx, ip, acceptPort)
+ return sendUDPLoop(ctx, ip, acceptPort, ipv6)
 }
 
 // NATOutRECVORIGDSTADDR tests that IP{V6}_RECVORIGDSTADDR gets the post-NAT
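Review bot: In the `NATLoopbackSkipsPrerouting` hunk the goroutine sends the result of `connectTCP(ctx, dest, acceptPort, ipv6)` on an unbuffered `sendCh`, so if `listenTCP` fails the function returns without ever receiving and the goroutine blocks forever once connectTCP returns; the `NATOutOriginalDst` hunk appears to have the same shape with `connCh`, assuming its error path also returns early. The `loopbackTest` hunk on this line already uses `make(chan error, 1)` for exactly this reason, so I would change `sendCh := make(chan error)` to `sendCh := make(chan error, 1)` and `connCh := make(chan error)` to `connCh := make(chan error, 1)`. Both enclosing ContainerAction bodies start outside their hunks, and the NATOutOriginalDst one also continues past it.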
@@ -732,7 +732,7 @@ func (*NATOutRECVORIGDSTADDR) ContainerAction(ctx context.Context, ip net.IP, ip
 go func() {
 // Packets will be sent to a non-container IP and redirected
 // back to the container.
- sendCh <- sendUDPLoop(ctx, ip, acceptPort)
+ sendCh <- sendUDPLoop(ctx, ip, acceptPort, ipv6)
 }()
 
 expectedIP := &net.IP{127, 0, 0, 1}
--
cgit v1.2.3