go
/
gvisor
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
gvisor/test/iptables
History
Toshi Kikuchi d1edabdca0 iptables: support postrouting hook and SNAT target 
The current SNAT implementation has several limitations:
- SNAT source port has to be specified. It is not optional.
- SNAT source port range is not supported.
- SNAT for UDP is a one-way translation. No response packets
  are handled (because conntrack doesn't support UDP currently).
- SNAT and REDIRECT can't work on the same connection.

Fixes #5489

PiperOrigin-RevId: 367750325
 		2021-04-09 21:11:26 -07:00
..
runner Speed up iptables tests 2020-08-10 17:50:01 -07:00
BUILD [syserror] Split usermem package 2021-03-29 13:30:21 -07:00
README.md iptables: add documentation about enabing docker ipv6 2020-11-09 10:50:43 -08:00
filter_input.go Deflake //test/iptables:iptables_test 2021-02-17 10:02:02 -08:00
filter_output.go Deflake //test/iptables:iptables_test 2021-02-17 10:02:02 -08:00
iptables.go iptables test: Implement testCase interface on pointers 2021-02-11 14:39:41 -08:00
iptables_test.go iptables: support postrouting hook and SNAT target 2021-04-09 21:11:26 -07:00
iptables_unsafe.go [op] Replace syscall package usage with golang.org/x/sys/unix in test/. 2021-03-06 09:54:09 -08:00
iptables_util.go iptables: support postrouting hook and SNAT target 2021-04-09 21:11:26 -07:00
nat.go iptables: support postrouting hook and SNAT target 2021-04-09 21:11:26 -07:00

README.md

iptables Tests

iptables tests are run via make iptables-tests.

iptables require some extra Docker configuration to work. Enable IPv6 in /etc/docker/daemon.json (make sure to restart Docker if you change this file):

{
    "experimental": true,
    "fixed-cidr-v6": "2001:db8:1::/64",
    "ipv6": true,
    // Runtimes and other Docker config...
}

And if you're running manually (i.e. not using the make target), you'll need to:

  • Enable iptables via modprobe iptables_filter && modprobe ip6table_filter.
  • Enable --net-raw in your chosen runtime in /etc/docker/daemon.json (make sure to restart Docker if you change this file).

The resulting runtime should look something like this:

"runsc": {
    "path": "/tmp/iptables/runsc",
    "runtimeArgs": [
        "--debug-log",
        "/tmp/iptables/logs/runsc.log.%TEST%.%TIMESTAMP%.%COMMAND%",
        "--net-raw"
    ]
},
// ...

Test Structure

Each test implements TestCase, providing (1) a function to run inside the container and (2) a function to run locally. Those processes are given each others' IP addresses. The test succeeds when both functions succeed.

The function inside the container (ContainerAction) typically sets some iptables rules and then tries to send or receive packets. The local function (LocalAction) will typically just send or receive packets.

Adding Tests

  1. Add your test to the iptables package.

  2. Register the test in an init function via RegisterTestCase (see filter_input.go as an example).

  3. Add it to iptables_test.go (see the other tests in that file).

Your test is now runnable with bazel!

Run individual tests

Build and install runsc. Re-run this when you modify gVisor:

$ bazel build //runsc && sudo cp bazel-bin/runsc/linux_amd64_pure_stripped/runsc $(which runsc)

Build the testing Docker container. Re-run this when you modify the test code in this directory:

$ make load-iptables

Run an individual test via:

$ bazel test //test/iptables:iptables_test --test_filter=<TESTNAME>

To run an individual test with runc:

$ bazel test //test/iptables:iptables_test --test_filter=<TESTNAME> --test_arg=--runtime=runc