# iptables Tests

iptables tests are run via `scripts/iptables_test.sh`.

iptables requires raw socket support, so you must add the `--net-raw=true` flag
to `/etc/docker/daemon.json` in order to use it.

## Test Structure

Each test implements `TestCase`, providing (1) a function to run inside the
container and (2) a function to run locally. Those processes are given each
other's IP addresses. The test succeeds when both functions succeed.

The function inside the container (`ContainerAction`) typically sets some
iptables rules and then tries to send or receive packets. The local function
(`LocalAction`) will typically just send or receive packets.

### Adding Tests

1) Add your test to the `iptables` package.

2) Register the test in an `init` function via `RegisterTestCase` (see
`filter_input.go` as an example).

3) Add it to `iptables_test.go` (see the other tests in that file).

Your test is now runnable with bazel!

## Run individual tests

Build and install `runsc`. Re-run this when you modify gVisor:

```bash
$ bazel build //runsc && sudo cp bazel-bin/runsc/linux_amd64_pure_stripped/runsc $(which runsc)
```

Build the testing Docker container. Re-run this when you modify the test code in
this directory:

```bash
$ make load-iptables
```

Run an individual test via:

```bash
$ bazel test //test/iptables:iptables_test --test_filter=<TESTNAME>
```

To run an individual test with `runc`:

```bash
$ bazel test //test/iptables:iptables_test --test_filter=<TESTNAME> --test_arg=--runtime=runc
```
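
For the `--net-raw=true` requirement stated at the top of this page, a `/etc/docker/daemon.json` runtime entry could look like the following. This is an added example, not taken from the project's files; the runtime name `runsc` and the path `/usr/local/bin/runsc` are assumptions, so substitute the path that `which runsc` reports on your host.

```json
{
  "runtimes": {
    "runsc": {
      "path": "/usr/local/bin/runsc",
      "runtimeArgs": [
        "--net-raw=true"
      ]
    }
  }
}
```

Restart the Docker daemon after editing the file so the runtime entry is picked up. Raw socket support is enabled here because the iptables tests need it, so keep this entry on hosts used for testing rather than copying it into unrelated runtime configurations.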