# iptables Tests

iptables tests are run via `make iptables-tests`.

The iptables tests require some extra Docker configuration to work. Enable IPv6 in `/etc/docker/daemon.json` (make sure to restart Docker if you change this file):

```json
{
    "experimental": true,
    "fixed-cidr-v6": "2001:db8:1::/64",
    "ipv6": true,
    // Runtimes and other Docker config...
}
```

The `//` lines in these snippets stand in for the rest of your configuration. `daemon.json` itself must be plain JSON, so do not copy them into the file.

And if you're running manually (i.e. not using the `make` target), you'll need to:

* Enable iptables via `modprobe iptable_filter && modprobe ip6table_filter`.
* Enable `--net-raw` in your chosen runtime in `/etc/docker/daemon.json` (make sure to restart Docker if you change this file).

The resulting runtime should look something like this:

```json
"runsc": {
    "path": "/tmp/iptables/runsc",
    "runtimeArgs": [
        "--debug-log",
        "/tmp/iptables/logs/runsc.log.%TEST%.%TIMESTAMP%.%COMMAND%",
        "--net-raw"
    ]
},
// ...
```

## Test Structure

Each test implements `TestCase`, providing (1) a function to run inside the container and (2) a function to run locally. Those processes are given each other's IP addresses. The test succeeds when both functions succeed.

The function inside the container (`ContainerAction`) typically sets some iptables rules and then tries to send or receive packets. The local function (`LocalAction`) will typically just send or receive packets.

### Adding Tests

1) Add your test to the `iptables` package.

2) Register the test in an `init` function via `RegisterTestCase` (see `filter_input.go` as an example).

3) Add it to `iptables_test.go` (see the other tests in that file).

Your test is now runnable with Bazel!

## Run individual tests

Build and install `runsc`. Re-run this when you modify gVisor:

```bash
$ bazel build //runsc && sudo cp bazel-bin/runsc/linux_amd64_pure_stripped/runsc $(which runsc)
```

Build the testing Docker container. Re-run this when you modify the test code in this directory:

```bash
$ make load-iptables
```

Run an individual test via:

```bash
$ bazel test //test/iptables:iptables_test --test_filter=<TESTNAME>
```

To run an individual test with `runc`:

```bash
$ bazel test //test/iptables:iptables_test --test_filter=<TESTNAME> --test_arg=--runtime=runc
```
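
When a manual run fails before any test logic executes, the Docker configuration described at the top of this page is the first thing to check. The following preflight check is an added example, not part of the gVisor repository: it parses `daemon.json` and reports which of the settings this page asks for (`ipv6`, `fixed-cidr-v6`, and `--net-raw` on the runtime) are missing. The function name `CheckDaemonConfig` is hypothetical, and the code assumes the runtime entry sits under Docker's top-level `runtimes` key.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// daemonConfig holds only the daemon.json keys this page asks for.
type daemonConfig struct {
	IPv6        bool   `json:"ipv6"`
	FixedCIDRv6 string `json:"fixed-cidr-v6"`
	Runtimes    map[string]struct {
		RuntimeArgs []string `json:"runtimeArgs"`
	} `json:"runtimes"` // assumed parent key of the page's "runsc" entry
}

// CheckDaemonConfig lists the prerequisites that raw (daemon.json contents) fails.
func CheckDaemonConfig(raw []byte, runtime string) []string {
	var cfg daemonConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return []string{"daemon.json is not valid JSON: " + err.Error()}
	}
	var problems []string
	if !cfg.IPv6 {
		problems = append(problems, `"ipv6" is not true`)
	}
	if cfg.FixedCIDRv6 == "" {
		problems = append(problems, `"fixed-cidr-v6" is not set`)
	}
	rt, ok := cfg.Runtimes[runtime]
	if !ok {
		return append(problems, "runtime "+runtime+" is not defined")
	}
	hasNetRaw := false
	for _, arg := range rt.RuntimeArgs {
		hasNetRaw = hasNetRaw || arg == "--net-raw"
	}
	if !hasNetRaw {
		problems = append(problems, "runtime "+runtime+" lacks --net-raw")
	}
	return problems
}

func main() {
	raw, _ := os.ReadFile("/etc/docker/daemon.json") // a read error surfaces as invalid JSON
	for _, p := range CheckDaemonConfig(raw, "runsc") {
		fmt.Println("FAIL:", p)
	}
}
```

No output means the file satisfies the checked settings. Docker still has to be restarted for changes to take effect.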