go
/
gvisor
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
gvisor/test/iptables
History
Adin Scannell 7ecf36cc84 Validate flags during install. 
First, this change moves the internal config API to use flag.FlagSet, which
allows more flexibility and fixes many test usages.

Second, the runtime flags are validated during install. The platform is opened
and a warning issued if this fails, but this is not fatal.

This change requires moving the Makefile to --test_env, since the attribute
is not properly supported by test targets. Therefore, the targets can use args
while the Makefile must pass in configuration via --test_env.

PiperOrigin-RevId: 428048274
 		2022-02-11 11:24:01 -08:00
..
runner Speed up iptables tests 2020-08-10 17:50:01 -07:00
BUILD [syserror] Split usermem package 2021-03-29 13:30:21 -07:00
README.md Validate flags during install. 2022-02-11 11:24:01 -08:00
filter_input.go Deflake //test/iptables:iptables_test 2021-02-17 10:02:02 -08:00
filter_output.go Deflake //test/iptables:iptables_test 2021-02-17 10:02:02 -08:00
iptables.go iptables test: Implement testCase interface on pointers 2021-02-11 14:39:41 -08:00
iptables_test.go iptables: support postrouting hook and SNAT target 2021-04-09 21:11:26 -07:00
iptables_unsafe.go [op] Replace syscall package usage with golang.org/x/sys/unix in test/. 2021-03-06 09:54:09 -08:00
iptables_util.go iptables: support postrouting hook and SNAT target 2021-04-09 21:11:26 -07:00
nat.go iptables: support postrouting hook and SNAT target 2021-04-09 21:11:26 -07:00

README.md

iptables Tests

iptables tests are run via make iptables-tests.

iptables require some extra Docker configuration to work. Enable IPv6 in /etc/docker/daemon.json (make sure to restart Docker if you change this file):

{
    "experimental": true,
    "fixed-cidr-v6": "2001:db8:1::/64",
    "ipv6": true,
    // Runtimes and other Docker config...
}

And if you're running manually (i.e. not using the make target), you'll need to:

  • Enable iptables via modprobe iptable_filter && modprobe ip6table_filter.
  • Enable --net-raw in your chosen runtime in /etc/docker/daemon.json (make sure to restart Docker if you change this file).

The resulting runtime should look something like this:

"runsc": {
    "path": "/tmp/iptables/runsc",
    "runtimeArgs": [
        "--debug-log",
        "/tmp/iptables/logs/runsc.log.%TEST%.%TIMESTAMP%.%COMMAND%",
        "--net-raw"
    ]
},
// ...

Test Structure

Each test implements TestCase, providing (1) a function to run inside the container and (2) a function to run locally. Those processes are given each others' IP addresses. The test succeeds when both functions succeed.

The function inside the container (ContainerAction) typically sets some iptables rules and then tries to send or receive packets. The local function (LocalAction) will typically just send or receive packets.

Adding Tests

  1. Add your test to the iptables package.

  2. Register the test in an init function via RegisterTestCase (see filter_input.go as an example).

  3. Add it to iptables_test.go (see the other tests in that file).

Your test is now runnable with bazel!

Run individual tests

Build and install runsc. Re-run this when you modify gVisor:

$ bazel build //runsc && sudo cp bazel-out/k8-fastbuild-ST-4c64f0b3d5c7/bin/runsc/runsc_/runsc $(which runsc)

Build the testing Docker container. Re-run this when you modify the test code in this directory:

$ make load-iptables

Run an individual test via:

$ bazel test //test/iptables:iptables_test --test_filter=<TESTNAME>

To run an individual test with runc:

$ bazel test //test/iptables:iptables_test --test_filter=<TESTNAME> --test_env=RUNTIME=runc