From 447f64c561e6b5893c1bbae7d641187b7aca64ac Mon Sep 17 00:00:00 2001 From: Kevin Krakauer Date: Wed, 8 Jan 2020 12:48:17 -0800 Subject: Added test for unconditional DROP on the filter INPUT chain --- test/iptables/filter_input.go | 32 ++++++++++++++++++++++++++++++++ test/iptables/iptables_test.go | 6 ++++++ 2 files changed, 38 insertions(+) (limited to 'test/iptables') diff --git a/test/iptables/filter_input.go b/test/iptables/filter_input.go index 923f44e68..1723a4d3e 100644 --- a/test/iptables/filter_input.go +++ b/test/iptables/filter_input.go @@ -31,6 +31,7 @@ func init() { RegisterTestCase(FilterInputDropUDP{}) RegisterTestCase(FilterInputDropUDPPort{}) RegisterTestCase(FilterInputDropDifferentUDPPort{}) + RegisterTestCase(FilterInputDropAll{}) } // FilterInputDropUDP tests that we can drop UDP traffic. @@ -122,3 +123,34 @@ func (FilterInputDropDifferentUDPPort) ContainerAction(ip net.IP) error { func (FilterInputDropDifferentUDPPort) LocalAction(ip net.IP) error { return sendUDPLoop(ip, acceptPort, sendloopDuration) } + +// FilterInputDropAll tests that we can drop all traffic to the INPUT chain. +type FilterInputDropAll struct{} + +// Name implements TestCase.Name. +func (FilterInputDropAll) Name() string { + return "FilterInputDropAll" +} + +// ContainerAction implements TestCase.ContainerAction. +func (FilterInputDropAll) ContainerAction(ip net.IP) error { + if err := filterTable("-A", "INPUT", "-j", "DROP"); err != nil { + return err + } + + // Listen for All packets on dropPort. + if err := listenUDP(dropPort, sendloopDuration); err == nil { + return fmt.Errorf("packets should have been dropped, but got a packet") + } else if netErr, ok := err.(net.Error); !ok || !netErr.Timeout() { + return fmt.Errorf("error reading: %v", err) + } + + // At this point we know that reading timed out and never received a + // packet. + return nil +} + +// LocalAction implements TestCase.LocalAction. +func (FilterInputDropAll) LocalAction(ip net.IP) error { + return sendUDPLoop(ip, dropPort, sendloopDuration) +} diff --git a/test/iptables/iptables_test.go b/test/iptables/iptables_test.go index 23d15bf71..5927eb017 100644 --- a/test/iptables/iptables_test.go +++ b/test/iptables/iptables_test.go @@ -177,3 +177,9 @@ func TestFilterInputDropDifferentUDPPort(t *testing.T) { t.Fatal(err) } } + +func TestFilterInputDropAll(t *testing.T) { + if err := singleTest(FilterInputDropAll{}); err != nil { + t.Fatal(err) + } +} -- cgit v1.2.3