gvisor/test/iptables
Nayana Bidari 92b9069b67 Support owner matching for iptables.
This feature will match UID and GID of the packet creator, for locally
generated packets. This match is only valid in the OUTPUT and POSTROUTING
chains. Forwarded packets do not have any socket associated with them.
Packets from kernel threads do have a socket, but usually no owner.
2020-03-26 12:21:24 -07:00
runner Standardize on tools directory. 2020-01-27 12:21:00 -08:00
BUILD Standardize on tools directory. 2020-01-27 12:21:00 -08:00
README.md iptables: add instructions for runsc building. 2020-02-10 11:09:19 -08:00
filter_input.go Check error in DropTCP*Port tests and fix comment. 2020-03-26 10:47:51 -07:00
filter_output.go Support owner matching for iptables. 2020-03-26 12:21:24 -07:00
iptables.go Add iptables testing framework. 2019-12-12 14:42:11 -08:00
iptables_test.go Support owner matching for iptables. 2020-03-26 12:21:24 -07:00
iptables_util.go iptables: deflake DropTCP*Port tests 2020-03-18 18:16:33 -07:00
nat.go Merge pull request #1943 from kevinGC:ipt-filter-ip 2020-03-16 11:13:14 -07:00

README.md

iptables Tests

iptables tests are run via scripts/iptables_test.sh.

iptables requires raw socket support, so you must pass the --net-raw=true flag to runsc (in the runtimeArgs of the runsc runtime in /etc/docker/daemon.json) in order to use it.
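
As an added example (not part of the gVisor repository), the following Go program shows the daemon.json shape involved and adds --net-raw=true to the runtimeArgs of the runsc runtime without clobbering flags that are already there. The sample daemon.json is constructed for this example; the runtime name runsc and the runtimeArgs key are the ones Docker uses for custom runtimes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// SampleDaemonJSON is a constructed /etc/docker/daemon.json with a runsc
// runtime that already carries one flag, so we can check it is preserved.
const SampleDaemonJSON = `{
  "runtimes": {
    "runsc": {
      "path": "/usr/local/bin/runsc",
      "runtimeArgs": ["--platform=ptrace"]
    }
  }
}`

// NetRawFlag is the runsc flag the iptables tests need.
const NetRawFlag = "--net-raw=true"

// HasNetRaw reports whether the named runtime in daemonJSON already passes
// --net-raw to runsc (either spelling of the flag counts).
func HasNetRaw(daemonJSON []byte, runtime string) (bool, error) {
	_, args, err := runtimeArgs(daemonJSON, runtime)
	if err != nil {
		return false, err
	}
	for _, a := range args {
		if s, ok := a.(string); ok && (s == NetRawFlag || s == "--net-raw") {
			return true, nil
		}
	}
	return false, nil
}

// EnableNetRaw returns daemonJSON with --net-raw=true appended to the
// runtimeArgs of the named runtime. It is idempotent and keeps every other
// key in the file untouched; a missing runtime is an error, not a silent no-op.
func EnableNetRaw(daemonJSON []byte, runtime string) ([]byte, error) {
	cfg, args, err := runtimeArgs(daemonJSON, runtime)
	if err != nil {
		return nil, err
	}
	if ok, _ := HasNetRaw(daemonJSON, runtime); !ok {
		rt := cfg["runtimes"].(map[string]interface{})[runtime].(map[string]interface{})
		rt["runtimeArgs"] = append(args, NetRawFlag)
	}
	return json.MarshalIndent(cfg, "", "  ")
}

// runtimeArgs parses daemonJSON and returns the whole config plus the
// runtimeArgs list of the named runtime (nil if the key is absent).
func runtimeArgs(daemonJSON []byte, runtime string) (map[string]interface{}, []interface{}, error) {
	var cfg map[string]interface{}
	if err := json.Unmarshal(daemonJSON, &cfg); err != nil {
		return nil, nil, fmt.Errorf("parse daemon.json: %w", err)
	}
	runtimes, ok := cfg["runtimes"].(map[string]interface{})
	if !ok {
		return nil, nil, fmt.Errorf("daemon.json has no \"runtimes\" object")
	}
	rt, ok := runtimes[runtime].(map[string]interface{})
	if !ok {
		return nil, nil, fmt.Errorf("runtime %q is not configured in daemon.json", runtime)
	}
	args, _ := rt["runtimeArgs"].([]interface{})
	return cfg, args, nil
}

func main() {
	out, err := EnableNetRaw([]byte(SampleDaemonJSON), "runsc")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(string(out))
}
```

After editing the real file, restart the Docker daemon so the new runtimeArgs take effect; the check in HasNetRaw is the same one you would run before a test session to confirm the flag is really there.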

Test Structure

Each test implements TestCase, providing (1) a function to run inside the container and (2) a function to run locally. The two functions run concurrently, and each is given the other process's IP address. The test succeeds only when both functions succeed.

The function inside the container (ContainerAction) typically installs some iptables rules and then tries to send or receive packets. The local function (LocalAction) typically just sends or receives packets, so that the container side can observe whether the rules let them through.

Adding Tests

  1. Add your test to the iptables package.

  2. Register the test in an init function via RegisterTestCase (see filter_input.go as an example).

  3. Add it to iptables_test.go (see the other tests in that file).

Your test is now runnable with bazel!
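
The following self-contained Go program is an added example, not code from the gVisor test package: it models the test structure and registration steps described above (a TestCase with a ContainerAction and a LocalAction, a registry filled by RegisterTestCase from init, and a runner that hands each side the other's IP and fails if either side fails). The method signatures, the udpPort constant, the send-loop helpers and the two sample cases are assumptions made for this example; it runs both sides on loopback in one process rather than in a container.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// TestCase follows the README's description: one action inside the container,
// one on the host, each handed the other side's IP. The (ip net.IP) error
// signature is an assumption of this example.
type TestCase interface {
	Name() string
	ContainerAction(localIP net.IP) error
	LocalAction(containerIP net.IP) error
}

// Tests is the registry that RegisterTestCase fills from init functions.
var Tests = map[string]TestCase{}

// RegisterTestCase adds tc to the registry. A duplicate name would silently
// shadow a test, so it is treated as a bug and panics.
func RegisterTestCase(tc TestCase) {
	if _, dup := Tests[tc.Name()]; dup {
		panic(fmt.Sprintf("test case %q registered twice", tc.Name()))
	}
	Tests[tc.Name()] = tc
}

// RunTestCase runs both actions concurrently, giving each the other side's
// address, and returns the first failure from either side (nil if both pass).
func RunTestCase(tc TestCase, containerIP, localIP net.IP) error {
	errs := make(chan error, 2)
	go func() { errs <- label("ContainerAction", tc.ContainerAction(localIP)) }()
	go func() { errs <- label("LocalAction", tc.LocalAction(containerIP)) }()
	var first error
	for i := 0; i < 2; i++ {
		if err := <-errs; err != nil && first == nil {
			first = err
		}
	}
	return first
}

func label(side string, err error) error {
	if err == nil {
		return nil
	}
	return fmt.Errorf("%s failed: %w", side, err)
}

// udpPort and sendLoopDuration are arbitrary values chosen for this example.
const udpPort = 56789
const sendLoopDuration = time.Second

// listenUDP waits up to timeout for one datagram on port and returns an
// error if none arrives. A test for a DROP rule would invert this result.
func listenUDP(port int, timeout time.Duration) error {
	conn, err := net.ListenUDP("udp4", &net.UDPAddr{Port: port})
	if err != nil {
		return err
	}
	defer conn.Close()
	_ = conn.SetReadDeadline(time.Now().Add(timeout))
	buf := make([]byte, 16)
	if _, _, err := conn.ReadFrom(buf); err != nil {
		return fmt.Errorf("no packet on port %d within %v: %w", port, timeout, err)
	}
	return nil
}

// sendUDPLoop sends a datagram to ip:port every 100ms for duration. Write
// errors are ignored on purpose: until the peer has bound its socket the
// kernel may report ICMP port-unreachable as a write error, and looping
// instead of sending once is what keeps the two sides from racing.
func sendUDPLoop(ip net.IP, port int, duration time.Duration) error {
	conn, err := net.DialUDP("udp4", nil, &net.UDPAddr{IP: ip, Port: port})
	if err != nil {
		return err
	}
	defer conn.Close()
	for deadline := time.Now().Add(duration); time.Now().Before(deadline); {
		_, _ = conn.Write([]byte{0})
		time.Sleep(100 * time.Millisecond)
	}
	return nil
}

// UDPDelivered checks the plumbing: the container listens, the host sends,
// and the datagram must arrive.
type UDPDelivered struct{}

func (UDPDelivered) Name() string                    { return "UDPDelivered" }
func (UDPDelivered) ContainerAction(net.IP) error    { return listenUDP(udpPort, 3*sendLoopDuration) }
func (UDPDelivered) LocalAction(ip net.IP) error     { return sendUDPLoop(ip, udpPort, sendLoopDuration) }

// LocalFails shows that a failure on either side fails the whole test.
type LocalFails struct{}

func (LocalFails) Name() string                 { return "LocalFails" }
func (LocalFails) ContainerAction(net.IP) error { return nil }
func (LocalFails) LocalAction(net.IP) error     { return fmt.Errorf("simulated failure") }

func init() {
	RegisterTestCase(UDPDelivered{})
	RegisterTestCase(LocalFails{})
}

func main() {
	lo := net.ParseIP("127.0.0.1")
	for name, tc := range Tests {
		fmt.Printf("%s: %v\n", name, RunTestCase(tc, lo, lo))
	}
}
```

The point of the loop in sendUDPLoop is the same one behind the "deflake" change listed for iptables_util.go above: the two sides start at the same time, so the sender must keep transmitting until the listener is ready rather than fire a single packet and hope.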

Run individual tests

Build and install runsc. Re-run this when you modify gVisor:

$ bazel build //runsc && sudo cp bazel-bin/runsc/linux_amd64_pure_stripped/runsc $(which runsc)

Build the testing Docker container. Re-run this when you modify the test code in this directory:

$ bazel run //test/iptables/runner:runner-image -- --norun

Run an individual test via:

$ bazel test //test/iptables:iptables_test --test_filter=<TESTNAME>

To run an individual test with runc:

$ bazel test //test/iptables:iptables_test --test_filter=<TESTNAME> --test_arg=--runtime=runc