gvisor/test/iptables
Adin Scannell c60613475c Standardize all Docker images.
This change moves all Docker images to a standard location, and abstracts the
build process so that they can be maintained in an automated fashion. This also
allows the images to be architecture-independent.

All images will now be referred to by the test framework via the canonical
`gvisor.dev/images/<name>`, where `<name>` is a function of the path within the
source tree.

In a subsequent change, continuous integration will be added so that the images
will always be correct and available locally.

In the end, using `bazel` for Docker containers is simply not possible. Given
that we already have the need to use `make` with the base container (for
Docker), we extend this approach to get more flexibility.

This change also adds a self-documenting and powerful Makefile that is intended
to replace the collection of scripts in scripts. Canonical (self-documenting)
targets can be added here for targets that understand which images need to be
loaded and/or built.

PiperOrigin-RevId: 308322438
2020-04-24 14:11:42 -07:00
runner Standardize all Docker images. 2020-04-24 14:11:42 -07:00
BUILD Simplify Docker test infrastructure. 2020-04-23 11:33:30 -07:00
README.md Simplify Docker test infrastructure. 2020-04-23 11:33:30 -07:00
filter_input.go Check error in DropTCP*Port tests and fix comment. 2020-03-26 10:47:51 -07:00
filter_output.go Support owner matching for iptables. 2020-03-26 12:21:24 -07:00
iptables.go Simplify Docker test infrastructure. 2020-04-23 11:33:30 -07:00
iptables_test.go Simplify Docker test infrastructure. 2020-04-23 11:33:30 -07:00
iptables_util.go Simplify Docker test infrastructure. 2020-04-23 11:33:30 -07:00
nat.go Merge pull request #1943 from kevinGC:ipt-filter-ip 2020-03-16 11:13:14 -07:00

README.md

iptables Tests

iptables tests are run via scripts/iptables_test.sh.

iptables requires raw socket support, so you must add the --net-raw=true flag to /etc/docker/daemon.json in order to use it.
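A pre-flight check for this requirement, as an added example that is not part of the gVisor repository: it parses a daemon.json and reports whether a runtime entry passes the net-raw flag. The helper name NetRawEnabled, the sample file contents and the runsc path are assumptions; the example also assumes runtime flags live under `runtimes.<name>.runtimeArgs`, which is where Docker's daemon.json takes them.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// sampleDaemonJSON is constructed; the runsc path in it is an assumption.
const sampleDaemonJSON = `{"runtimes": {"runsc": {
  "path": "/usr/local/bin/runsc", "runtimeArgs": ["--net-raw=true"]
}}}`

// NetRawEnabled reports whether the named Docker runtime is started with
// net-raw on. Hypothetical helper, not part of the gVisor test code.
func NetRawEnabled(daemonJSON []byte, runtime string) (enabled bool, err error) {
	var cfg struct {
		Runtimes map[string]struct {
			RuntimeArgs []string `json:"runtimeArgs"`
		} `json:"runtimes"`
	}
	if err = json.Unmarshal(daemonJSON, &cfg); err != nil {
		return false, fmt.Errorf("parsing daemon.json: %w", err)
	}
	rt, ok := cfg.Runtimes[runtime]
	if !ok {
		return false, fmt.Errorf("runtime %q is not registered", runtime)
	}
	for _, arg := range rt.RuntimeArgs {
		flag := strings.TrimPrefix(strings.TrimPrefix(arg, "-"), "-")
		parts := strings.SplitN(flag, "=", 2)
		if flag == arg || parts[0] != "net-raw" {
			continue // not a flag (no leading dash), or some other flag
		}
		enabled = true // a bare boolean flag means true; the last one wins
		if len(parts) == 2 {
			if enabled, err = strconv.ParseBool(parts[1]); err != nil {
				return false, fmt.Errorf("bad value in %q: %w", arg, err)
			}
		}
	}
	return enabled, nil
}

func main() {
	ok, err := NetRawEnabled([]byte(sampleDaemonJSON), "runsc")
	fmt.Println(ok, err)
}
```

Docker reads daemon.json at startup, so restart the daemon after changing the file.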

Test Structure

Each test implements TestCase, providing (1) a function to run inside the container and (2) a function to run locally. Those processes are given each other's IP addresses. The test succeeds when both functions succeed.

The function inside the container (ContainerAction) typically sets some iptables rules and then tries to send or receive packets. The local function (LocalAction) will typically just send or receive packets.

Adding Tests

  1. Add your test to the iptables package.

  2. Register the test in an init function via RegisterTestCase (see filter_input.go as an example).

  3. Add it to iptables_test.go (see the other tests in that file).

Your test is now runnable with bazel!

Run individual tests

Build and install runsc. Re-run this when you modify gVisor:

$ bazel build //runsc && sudo cp bazel-bin/runsc/linux_amd64_pure_stripped/runsc $(which runsc)

Build the testing Docker container. Re-run this when you modify the test code in this directory:

$ make load-iptables

Run an individual test via:

$ bazel test //test/iptables:iptables_test --test_filter=<TESTNAME>

To run an individual test with runc:

$ bazel test //test/iptables:iptables_test --test_filter=<TESTNAME> --test_arg=--runtime=runc