4cba3904f4
PiperOrigin-RevId: 347047550
README.md
iptables Tests
iptables tests are run via make iptables-tests.
The iptables tests require some extra Docker configuration to work. Enable IPv6 in /etc/docker/daemon.json (make sure to restart Docker if you change this file):
{
"experimental": true,
"fixed-cidr-v6": "2001:db8:1::/64",
"ipv6": true,
// Runtimes and other Docker config...
}
And if you're running manually (i.e. not using the make target), you'll need to:
- Enable iptables via modprobe iptable_filter && modprobe ip6table_filter.
- Enable --net-raw in your chosen runtime in /etc/docker/daemon.json (make sure to restart Docker if you change this file).
The resulting runtime should look something like this:
"runsc": {
"path": "/tmp/iptables/runsc",
"runtimeArgs": [
"--debug-log",
"/tmp/iptables/logs/runsc.log.%TEST%.%TIMESTAMP%.%COMMAND%",
"--net-raw"
]
},
// ...
Test Structure
Each test implements TestCase, providing (1) a function to run inside the
container and (2) a function to run locally. Those processes are given each
other's IP addresses. The test succeeds when both functions succeed.
The function inside the container (ContainerAction) typically sets some
iptables rules and then tries to send or receive packets. The local function
(LocalAction) will typically just send or receive packets.
Adding Tests
- Add your test to the iptables package.
- Register the test in an init function via RegisterTestCase (see filter_input.go as an example).
- Add it to iptables_test.go (see the other tests in that file).
Your test is now runnable with bazel!
Run individual tests
Build and install runsc. Re-run this when you modify gVisor:
$ bazel build //runsc && sudo cp bazel-bin/runsc/linux_amd64_pure_stripped/runsc $(which runsc)
Build the testing Docker container. Re-run this when you modify the test code in this directory:
$ make load-iptables
Run an individual test via:
$ bazel test //test/iptables:iptables_test --test_filter=<TESTNAME>
To run an individual test with runc:
$ bazel test //test/iptables:iptables_test --test_filter=<TESTNAME> --test_arg=--runtime=runc