# iptables Tests

iptables tests are run via `make iptables-tests`.

iptables tests require some extra Docker configuration to work. Enable IPv6 in
`/etc/docker/daemon.json` (make sure to restart Docker if you change this file):

```json
{
  "experimental": true,
  "fixed-cidr-v6": "2001:db8:1::/64",
  "ipv6": true,
  // Runtimes and other Docker config...
}
```

And if you're running manually (i.e. not using the `make` target), you'll need
to:

* Enable iptables via `modprobe iptable_filter && modprobe ip6table_filter`.
* Enable `--net-raw` in your chosen runtime in `/etc/docker/daemon.json` (make
  sure to restart Docker if you change this file).

The resulting runtime should look something like this:

```json
"runsc": {
  "path": "/tmp/iptables/runsc",
  "runtimeArgs": [
    "--debug-log",
    "/tmp/iptables/logs/runsc.log.%TEST%.%TIMESTAMP%.%COMMAND%",
    "--net-raw"
  ]
},
// ...
```

## Test Structure

Each test implements `TestCase`, providing (1) a function to run inside the
container and (2) a function to run locally. Those processes are given each
other's IP addresses. The test succeeds when both functions succeed.

The function inside the container (`ContainerAction`) typically sets some
iptables rules and then tries to send or receive packets. The local function
(`LocalAction`) will typically just send or receive packets.

### Adding Tests

1) Add your test to the `iptables` package.
2) Register the test in an `init` function via `RegisterTestCase` (see
   `filter_input.go` as an example).
3) Add it to `iptables_test.go` (see the other tests in that file).

Your test is now runnable with bazel!

## Run individual tests

Build and install `runsc`. Re-run this when you modify gVisor:

```bash
$ bazel build //runsc && sudo cp bazel-bin/runsc/linux_amd64_pure_stripped/runsc $(which runsc)
```

Build the testing Docker container. Re-run this when you modify the test code in
this directory:

```bash
$ make load-iptables
```

Run an individual test via:

```bash
$ bazel test //test/iptables:iptables_test --test_filter=<TESTNAME>
```

To run an individual test with `runc`:

```bash
$ bazel test //test/iptables:iptables_test --test_filter=<TESTNAME> --test_arg=--runtime=runc
```