github.com/aporeto-inc/trireme-lib@v10.358.0+incompatible/controller/internal/supervisor/iptablesctrl/iptablesV4_test.go (about) 1 // +build !windows,!rhel6 2 3 package iptablesctrl 4 5 import ( 6 "bytes" 7 "context" 8 "fmt" 9 "net" 10 "os" 11 "testing" 12 13 "github.com/aporeto-inc/go-ipset/ipset" 14 "github.com/magiconair/properties/assert" 15 . "github.com/smartystreets/goconvey/convey" 16 "go.aporeto.io/enforcerd/trireme-lib/common" 17 "go.aporeto.io/enforcerd/trireme-lib/controller/constants" 18 tacls "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/acls" 19 provider "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/aclprovider" 20 "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/ipsetmanager" 21 "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet" 22 "go.aporeto.io/enforcerd/trireme-lib/controller/runtime" 23 "go.aporeto.io/enforcerd/trireme-lib/policy" 24 "go.aporeto.io/enforcerd/trireme-lib/utils/portspec" 25 ) 26 27 func TestNewInstanceV4(t *testing.T) { 28 Convey("When I create a new iptables instance", t, func() { 29 Convey("If I create a remote implemenetation and iptables exists", func() { 30 ips := ipsetmanager.NewTestIpsetProvider() 31 iptv4 := provider.NewTestIptablesProvider() 32 iptv6 := provider.NewTestIptablesProvider() 33 34 i, err := createTestInstance(ips, iptv4, iptv6, constants.RemoteContainer, policy.None) 35 Convey("It should succeed", func() { 36 So(i, ShouldNotBeNil) 37 So(err, ShouldBeNil) 38 }) 39 }) 40 }) 41 42 Convey("When I create a new iptables instance", t, func() { 43 Convey("If I create a Linux server implemenetation and iptables exists", func() { 44 ips := ipsetmanager.NewTestIpsetProvider() 45 iptv4 := provider.NewTestIptablesProvider() 46 iptv6 := provider.NewTestIptablesProvider() 47 48 i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.None) 49 Convey("It should succeed", func() { 50 So(i, ShouldNotBeNil) 51 So(err, ShouldBeNil) 52 }) 53 }) 54 }) 55 Convey("When I create a new iptables instance, with Istio serviceMeshType", t, func() { 56 Convey("If I create a Linux server implemenetation and iptables exists with Istio", func() { 57 ips := ipsetmanager.NewTestIpsetProvider() 58 iptv4 := provider.NewTestIptablesProvider() 59 iptv6 := provider.NewTestIptablesProvider() 60 61 i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.Istio) 62 Convey("It should succeed", func() { 63 So(i, ShouldNotBeNil) 64 So(err, ShouldBeNil) 65 So(i.iptv4.serviceMeshType, ShouldEqual, policy.Istio) 66 }) 67 }) 68 }) 69 } 70 71 func Test_NegativeConfigureRulesV4(t *testing.T) { 72 Convey("Given a valid instance", t, func() { 73 ips := ipsetmanager.NewTestIpsetProvider() 74 iptv4 := provider.NewTestIptablesProvider() 75 iptv6 := provider.NewTestIptablesProvider() 76 77 i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.None) 78 So(err, ShouldBeNil) 79 ctx, cancel := context.WithCancel(context.Background()) 80 defer cancel() 81 82 err = i.Run(ctx) 83 So(err, ShouldBeNil) 84 85 cfg := &runtime.Configuration{} 86 i.SetTargetNetworks(cfg) // nolint 87 So(err, ShouldBeNil) 88 89 ipl := policy.ExtendedMap{} 90 policyrules := policy.NewPUPolicy( 91 "Context", 92 "/ns1", 93 policy.Police, 94 nil, 95 nil, 96 nil, 97 nil, 98 nil, 99 nil, 100 nil, 101 nil, 102 ipl, 103 0, 104 0, 105 nil, 106 nil, 107 []string{}, 108 policy.EnforcerMapping, 109 policy.Reject|policy.Log, 110 policy.Reject|policy.Log, 111 ) 112 containerinfo := policy.NewPUInfo("Context", 113 "/ns1", common.ContainerPU) 114 containerinfo.Policy = policyrules 115 containerinfo.Runtime = policy.NewPURuntimeWithDefaults() 116 containerinfo.Runtime.SetOptions(policy.OptionsType{ 117 CgroupMark: "10", 118 }) 119 120 Convey("When I configure the rules with no errors, it should succeed", func() { 121 err := i.iptv4.ConfigureRules(1, 122 "ID", containerinfo) 123 So(err, ShouldBeNil) 124 }) 125 126 Convey("When I configure the rules and the proxy set fails, it should error", func() { 127 ips.MockNewIpset(t, func(name, hash string, p *ipset.Params) (ipsetmanager.Ipset, error) { 128 return nil, fmt.Errorf("error") 129 }) 130 err := i.iptv4.ConfigureRules(1, 131 "ID", containerinfo) 132 So(err, ShouldNotBeNil) 133 }) 134 135 Convey("When I configure the rules and acls fail, it should error", func() { 136 iptv4.MockAppend(t, func(table, chain string, rulespec ...string) error { 137 return fmt.Errorf("error") 138 }) 139 err := i.iptv4.ConfigureRules(1, 140 "ID", containerinfo) 141 So(err, ShouldNotBeNil) 142 }) 143 144 Convey("When I configure the rules and commit fails, it should error", func() { 145 iptv4.MockCommit(t, func() error { 146 return fmt.Errorf("error") 147 }) 148 err := i.iptv4.ConfigureRules(1, 149 "ID", containerinfo) 150 So(err, ShouldNotBeNil) 151 }) 152 }) 153 } 154 155 var ( 156 expectedGlobalMangleChainsV4 = map[string][]string{ 157 "TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef", 158 "-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass", 159 "-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass", 160 "-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass", 161 "-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"}, 162 "TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef", 163 "-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass", 164 "-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass", 165 "-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass", 166 "-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"}, 167 "INPUT": { 168 "-m set ! --match-set TRI-v4-Excluded src -j TRI-Net", 169 }, 170 "OUTPUT": { 171 "-m set ! --match-set TRI-v4-Excluded dst -j TRI-App", 172 }, 173 174 "TRI-App": { 175 "-m mark --mark 66 -j CONNMARK --set-mark 61167", 176 "-p tcp -m mark --mark 66 -j ACCEPT", 177 "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", 178 "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", 179 "-j TRI-Prx-App", 180 "-m connmark --mark 61167 -j ACCEPT", 181 "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", 182 "-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m connmark --mark 61166 -p udp -j ACCEPT", "-m mark --mark 1073741922 -j ACCEPT", "-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT", "-j TRI-Pid-App", "-j TRI-Svc-App", "-j TRI-Hst-App", 183 }, 184 "TRI-Net": { 185 "-j TRI-Prx-Net", 186 "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", 187 "-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", 188 "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", 189 "-m connmark --mark 61166 -p udp -j ACCEPT", "-j TRI-Pid-Net", "-j TRI-Svc-Net", "-j TRI-Hst-Net"}, 190 "TRI-Pid-App": {}, 191 "TRI-Pid-Net": {}, 192 "TRI-Prx-App": { 193 "-m mark --mark 0x40 -j ACCEPT", 194 }, 195 "TRI-Prx-Net": { 196 "-m mark --mark 0x40 -j ACCEPT", 197 }, 198 "TRI-Hst-App": {}, 199 "TRI-Hst-Net": {}, 200 "TRI-Svc-App": {}, 201 "TRI-Svc-Net": {}, 202 } 203 204 expectedGlobalMangleChainsV4Istio = map[string][]string{ 205 "TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef", 206 "-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass", 207 "-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass", 208 "-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass", 209 "-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"}, 210 "TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef", 211 "-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass", 212 "-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass", 213 "-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass", 214 "-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"}, 215 "INPUT": { 216 "-m set ! --match-set TRI-v4-Excluded src -j TRI-Net", 217 }, 218 "OUTPUT": { 219 "-j TRI-Istio", 220 "-m set ! --match-set TRI-v4-Excluded dst -j TRI-App", 221 }, 222 "TRI-Istio": {}, 223 224 "TRI-App": { 225 "-m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", 226 "-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m connmark --mark 61166 -p udp -j ACCEPT", 227 "-m mark --mark 1073741922 -j ACCEPT", "-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT", 228 "-j TRI-Pid-App", "-j TRI-Svc-App", "-j TRI-Hst-App"}, 229 "TRI-Net": { 230 "-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", 231 "-m connmark --mark 61166 -p udp -j ACCEPT", "-j TRI-Pid-Net", "-j TRI-Svc-Net", "-j TRI-Hst-Net", 232 "-p tcp --dport 15001 -m addrtype --dst-type LOCAL -m addrtype --src-type LOCAL -j ACCEPT"}, 233 "TRI-Pid-App": {}, 234 "TRI-Pid-Net": {}, 235 "TRI-Prx-App": { 236 "-m mark --mark 0x40 -j ACCEPT", 237 }, 238 "TRI-Prx-Net": { 239 "-m mark --mark 0x40 -j ACCEPT", 240 }, 241 "TRI-Hst-App": {}, 242 "TRI-Hst-Net": {}, 243 "TRI-Svc-App": {}, 244 "TRI-Svc-Net": {}, 245 } 246 247 expectedGlobalNATChainsV4Istio = map[string][]string{ 248 "PREROUTING": { 249 "-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v4-Excluded src -j TRI-Redir-Net", 250 }, 251 "OUTPUT": { 252 "-m set ! --match-set TRI-v4-Excluded dst -j TRI-Redir-App", 253 "-p tcp -m mark --mark 68 -j ACCEPT", 254 }, 255 "TRI-Redir-App": { 256 "-m mark --mark 0x40 -j RETURN", 257 }, 258 "TRI-Redir-Net": { 259 "-m mark --mark 0x40 -j ACCEPT", 260 }, 261 } 262 expectedMangleAfterPUInsertV4Istio = map[string][]string{ 263 "TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef", 264 "-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass", 265 "-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass", 266 "-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass", 267 "-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"}, 268 "TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef", 269 "-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass", 270 "-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass", 271 "-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass", 272 "-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"}, 273 "INPUT": { 274 "-m set ! --match-set TRI-v4-Excluded src -j TRI-Net", 275 }, 276 "OUTPUT": { 277 "-j TRI-Istio", 278 "-m set ! --match-set TRI-v4-Excluded dst -j TRI-App", 279 }, 280 "TRI-Istio": {}, 281 "TRI-App": { 282 "-m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", 283 "-m connmark --mark 61166 -p udp -j ACCEPT", "-m mark --mark 1073741922 -j ACCEPT", 284 "-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT", 285 "-j TRI-Pid-App", "-j TRI-Svc-App", "-j TRI-Hst-App"}, 286 "TRI-Net": { 287 "-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", 288 "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p udp -j ACCEPT", 289 "-j TRI-Pid-Net", "-j TRI-Svc-Net", "-j TRI-Hst-Net", "-p tcp --dport 15001 -m addrtype --dst-type LOCAL -m addrtype --src-type LOCAL -j ACCEPT"}, 290 "TRI-Pid-App": { 291 "-m cgroup --cgroup 10 -m comment --comment PU-Chain -j MARK --set-mark 10", 292 "-m mark --mark 10 -m comment --comment PU-Chain -j TRI-App-pu1N7uS6--0"}, 293 "TRI-Pid-Net": { 294 "-p tcp -m multiport --destination-ports 9000 -m comment --comment PU-Chain -j TRI-Net-pu1N7uS6--0", 295 "-p udp -m multiport --destination-ports 5000 -m comment --comment PU-Chain -j TRI-Net-pu1N7uS6--0", 296 }, 297 "TRI-Prx-App": { 298 "-m mark --mark 0x40 -j ACCEPT", 299 "-p tcp -m tcp --sport 0 -j ACCEPT", 300 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -j ACCEPT", 301 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -j ACCEPT", 302 "-p udp -m udp --sport 0 -j ACCEPT", 303 }, 304 "TRI-Prx-Net": { 305 "-m mark --mark 0x40 -j ACCEPT", 306 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst src,src -j ACCEPT", 307 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -m addrtype --src-type LOCAL -j ACCEPT", 308 "-p tcp -m tcp --dport 0 -j ACCEPT", 309 "-p udp -m udp --dport 0 -j ACCEPT", 310 }, 311 "TRI-Hst-App": {}, 312 "TRI-Hst-Net": {}, 313 "TRI-Svc-App": {}, 314 "TRI-Svc-Net": {}, 315 316 "TRI-Net-pu1N7uS6--0": { 317 "-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN", 318 "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= src -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", 319 "-p TCP -m set --match-set TRI-v4-ext-w5frVvhsnpU= src -m state --state NEW --match multiport --dports 80 -j DROP", 320 "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j CONNMARK --set-mark 61167", 321 "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j ACCEPT", 322 "-p tcp -m set --match-set TRI-v4-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN", 323 "-p udp -m set --match-set TRI-v4-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN", 324 "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", 325 "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= src -j NFLOG --nflog-group 11 --nflog-prefix 913787369:123a:a3:6", 326 "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= src -j DROP", 327 "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= src -j NFLOG --nflog-group 11 --nflog-prefix 913787369:123a:a3:3", 328 "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= src -j ACCEPT", 329 "-s 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6", 330 "-s 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10", 331 "-s 0.0.0.0/0 -j DROP", 332 }, 333 "TRI-App-pu1N7uS6--0": { 334 "-p TCP -m set --match-set TRI-v4-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j CONNMARK --set-mark 61167", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j ACCEPT", "-m bpf --bytecode 7,48 0 0 0,84 0 0 240,21 0 3 64,48 0 0 9,21 0 1 1,6 0 0 65535,6 0 0 0 -p icmp -m set --match-set TRI-v4-ext-w5frVvhsnpU= dst -j ACCEPT", "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= dst -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-p udp -m set --match-set TRI-v4-TargetUDP dst -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-m mark --mark 40 -j NFQUEUE --queue-num 0 --queue-bypass", "-m mark --mark 41 -j NFQUEUE --queue-num 1 --queue-bypass", "-m mark --mark 42 -j NFQUEUE --queue-num 2 --queue-bypass", "-m mark --mark 43 -j NFQUEUE --queue-num 3 --queue-bypass", "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", 335 "-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT", "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= dst -j NFLOG --nflog-group 10 --nflog-prefix 913787369:123a:a3:6", "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= dst -j DROP", "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= dst -j NFLOG --nflog-group 10 --nflog-prefix 913787369:123a:a3:3", 336 "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= dst -j ACCEPT", "-d 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6", "-d 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10", "-d 0.0.0.0/0 -j DROP"}, 337 } 338 expectedGlobalNATChainsV4 = map[string][]string{ 339 "PREROUTING": { 340 "-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v4-Excluded src -j TRI-Redir-Net", 341 }, 342 "OUTPUT": { 343 "-m set ! --match-set TRI-v4-Excluded dst -j TRI-Redir-App", 344 }, 345 "TRI-Redir-App": { 346 "-m mark --mark 0x40 -j RETURN", 347 }, 348 "TRI-Redir-Net": { 349 "-m mark --mark 0x40 -j ACCEPT", 350 }, 351 } 352 353 expectedMangleAfterPUInsertV4 = map[string][]string{ 354 "TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef", 355 "-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass", 356 "-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass", 357 "-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass", 358 "-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"}, 359 "TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef", 360 "-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass", 361 "-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass", 362 "-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass", 363 "-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"}, 364 "INPUT": { 365 "-m set ! --match-set TRI-v4-Excluded src -j TRI-Net", 366 }, 367 "OUTPUT": { 368 "-m set ! --match-set TRI-v4-Excluded dst -j TRI-App", 369 }, 370 "TRI-App": { 371 "-m mark --mark 66 -j CONNMARK --set-mark 61167", 372 "-p tcp -m mark --mark 66 -j ACCEPT", 373 "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", 374 "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m connmark --mark 61166 -p udp -j ACCEPT", "-m mark --mark 1073741922 -j ACCEPT", "-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT", 375 "-j TRI-Pid-App", "-j TRI-Svc-App", "-j TRI-Hst-App"}, 376 "TRI-Net": { 377 "-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", 378 "-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", 379 "-m connmark --mark 61166 -p udp -j ACCEPT", "-j TRI-Pid-Net", "-j TRI-Svc-Net", "-j TRI-Hst-Net"}, 380 "TRI-Pid-App": { 381 "-m cgroup --cgroup 10 -m comment --comment PU-Chain -j MARK --set-mark 10", 382 "-m mark --mark 10 -m comment --comment PU-Chain -j TRI-App-pu1N7uS6--0"}, 383 "TRI-Pid-Net": { 384 "-p tcp -m multiport --destination-ports 9000 -m comment --comment PU-Chain -j TRI-Net-pu1N7uS6--0", 385 "-p udp -m multiport --destination-ports 5000 -m comment --comment PU-Chain -j TRI-Net-pu1N7uS6--0", 386 }, 387 "TRI-Prx-App": { 388 "-m mark --mark 0x40 -j ACCEPT", 389 "-p tcp -m tcp --sport 0 -j ACCEPT", 390 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -j ACCEPT", 391 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -j ACCEPT", 392 "-p udp -m udp --sport 0 -j ACCEPT", 393 }, 394 "TRI-Prx-Net": { 395 "-m mark --mark 0x40 -j ACCEPT", 396 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst src,src -j ACCEPT", 397 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -m addrtype --src-type LOCAL -j ACCEPT", 398 "-p tcp -m tcp --dport 0 -j ACCEPT", 399 "-p udp -m udp --dport 0 -j ACCEPT", 400 }, 401 "TRI-Hst-App": {}, 402 "TRI-Hst-Net": {}, 403 "TRI-Svc-App": {}, 404 "TRI-Svc-Net": {}, 405 406 "TRI-Net-pu1N7uS6--0": { 407 "-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN", 408 "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= src -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", 409 "-p TCP -m set --match-set TRI-v4-ext-w5frVvhsnpU= src -m state --state NEW --match multiport --dports 80 -j DROP", 410 "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j CONNMARK --set-mark 61167", 411 "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j ACCEPT", 412 "-p tcp -m set --match-set TRI-v4-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN", 413 "-p udp -m set --match-set TRI-v4-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN", 414 "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", 415 "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= src -j NFLOG --nflog-group 11 --nflog-prefix 913787369:123a:a3:6", 416 "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= src -j DROP", 417 "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= src -j NFLOG --nflog-group 11 --nflog-prefix 913787369:123a:a3:3", 418 "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= src -j ACCEPT", 419 "-s 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6", 420 "-s 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10", 421 "-s 0.0.0.0/0 -j DROP", 422 }, 423 "TRI-App-pu1N7uS6--0": { 424 "-p TCP -m set --match-set TRI-v4-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j CONNMARK --set-mark 61167", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j ACCEPT", "-m bpf --bytecode 7,48 0 0 0,84 0 0 240,21 0 3 64,48 0 0 9,21 0 1 1,6 0 0 65535,6 0 0 0 -p icmp -m set --match-set TRI-v4-ext-w5frVvhsnpU= dst -j ACCEPT", "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= dst -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-p udp -m set --match-set TRI-v4-TargetUDP dst -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-m mark --mark 40 -j NFQUEUE --queue-num 0 --queue-bypass", "-m mark --mark 41 -j NFQUEUE --queue-num 1 --queue-bypass", "-m mark --mark 42 -j NFQUEUE --queue-num 2 --queue-bypass", "-m mark --mark 43 -j NFQUEUE --queue-num 3 --queue-bypass", "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", "-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT", "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= dst -j NFLOG --nflog-group 10 --nflog-prefix 913787369:123a:a3:rockstars _4090221238:6", 425 "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= dst -j DROP", "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= dst -j NFLOG --nflog-group 10 --nflog-prefix 913787369:123a:a3:3", "-p ALL -m set --match-set TRI-v4-ext-_qhcdC8NcJc= dst -j ACCEPT", 426 "-d 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6", "-d 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10", "-d 0.0.0.0/0 -j DROP"}, 427 } 428 429 expectedMangleAfterPUInsertWithLogV4 = map[string][]string{ 430 "TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef", 431 "-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass", 432 "-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass", 433 "-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass", 434 "-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"}, 435 "TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef", 436 "-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass", 437 "-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass", 438 "-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass", 439 "-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"}, 440 "INPUT": { 441 "-m set ! --match-set TRI-v4-Excluded src -j TRI-Net", 442 }, 443 "OUTPUT": { 444 "-m set ! --match-set TRI-v4-Excluded dst -j TRI-App", 445 }, 446 "TRI-App": { 447 "-m mark --mark 66 -j CONNMARK --set-mark 61167", 448 "-p tcp -m mark --mark 66 -j ACCEPT", "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m connmark --mark 61166 -p udp -j ACCEPT", 449 "-m mark --mark 1073741922 -j ACCEPT", "-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT", 450 "-j TRI-Pid-App", "-j TRI-Svc-App", "-j TRI-Hst-App"}, 451 "TRI-Net": { 452 "-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", 453 "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p udp -j ACCEPT", "-j TRI-Pid-Net", "-j TRI-Svc-Net", "-j TRI-Hst-Net"}, 454 "TRI-Pid-App": { 455 "-m cgroup --cgroup 10 -m comment --comment PU-Chain -j MARK --set-mark 10", 456 "-m mark --mark 10 -m comment --comment PU-Chain -j TRI-App-pu1N7uS6--0"}, 457 "TRI-Pid-Net": { 458 "-p tcp -m multiport --destination-ports 9000 -m comment --comment PU-Chain -j TRI-Net-pu1N7uS6--0", 459 "-p udp -m multiport --destination-ports 5000 -m comment --comment PU-Chain -j TRI-Net-pu1N7uS6--0", 460 }, 461 "TRI-Prx-App": { 462 "-m mark --mark 0x40 -j ACCEPT", 463 "-p tcp -m tcp --sport 0 -j ACCEPT", 464 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -j ACCEPT", 465 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -j ACCEPT", 466 "-p udp -m udp --sport 0 -j ACCEPT", 467 }, 468 "TRI-Prx-Net": { 469 "-m mark --mark 0x40 -j ACCEPT", 470 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst src,src -j ACCEPT", 471 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -m addrtype --src-type LOCAL -j ACCEPT", 472 "-p tcp -m tcp --dport 0 -j ACCEPT", 473 "-p udp -m udp --dport 0 -j ACCEPT", 474 }, 475 "TRI-Hst-App": {}, 476 "TRI-Hst-Net": {}, 477 "TRI-Svc-App": {}, 478 "TRI-Svc-Net": {}, 479 480 "TRI-Net-pu1N7uS6--0": { 481 "-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN", 482 "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= src -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", 483 "-p TCP -m set --match-set TRI-v4-ext-w5frVvhsnpU= src -m state --state NEW --match multiport --dports 80 -j DROP", 484 "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j CONNMARK --set-mark 61167", 485 "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j ACCEPT", 486 "-p tcp -m set --match-set TRI-v4-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN", 487 "-p udp -m set --match-set TRI-v4-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN", 488 "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", 489 "-s 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6", 490 "-s 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10", 491 "-s 0.0.0.0/0 -j DROP", 492 }, 493 494 "TRI-App-pu1N7uS6--0": { 495 "-p TCP -m set --match-set TRI-v4-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:2:s2:3", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j CONNMARK --set-mark 61167", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j ACCEPT", "-m bpf --bytecode 7,48 0 0 0,84 0 0 240,21 0 3 64,48 0 0 9,21 0 1 1,6 0 0 65535,6 0 0 0 -p icmp -m set --match-set TRI-v4-ext-w5frVvhsnpU= dst -j ACCEPT", "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= dst -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-p udp -m set --match-set TRI-v4-TargetUDP dst -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-m mark --mark 40 -j NFQUEUE --queue-num 0 --queue-bypass", "-m mark --mark 41 -j NFQUEUE --queue-num 1 --queue-bypass", "-m mark --mark 42 -j NFQUEUE --queue-num 2 --queue-bypass", "-m mark --mark 43 -j NFQUEUE --queue-num 3 --queue-bypass", 496 "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", "-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT", "-d 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6", 497 "-d 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10", "-d 0.0.0.0/0 -j DROP"}, 498 } 499 500 expectedMangleAfterPUInsertWithExtensionsV4 = map[string][]string{ 501 "TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef", 502 "-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass", 503 "-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass", 504 "-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass", 505 "-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"}, 506 "TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef", 507 "-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass", 508 "-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass", 509 "-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass", 510 "-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"}, 511 "INPUT": { 512 "-m set ! --match-set TRI-v4-Excluded src -j TRI-Net", 513 }, 514 "OUTPUT": { 515 "-m set ! --match-set TRI-v4-Excluded dst -j TRI-App", 516 }, 517 "TRI-App": { 518 "-m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", 519 "-m connmark --mark 61166 -p udp -j ACCEPT", "-m mark --mark 1073741922 -j ACCEPT", "-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT", 520 "-j TRI-Pid-App", "-j TRI-Svc-App", "-j TRI-Hst-App"}, 521 "TRI-Net": { 522 "-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", 523 "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", 524 "-m connmark --mark 61166 -p udp -j ACCEPT", "-j TRI-Pid-Net", "-j TRI-Svc-Net", "-j TRI-Hst-Net"}, 525 "TRI-Pid-App": { 526 "-m cgroup --cgroup 10 -m comment --comment PU-Chain -j MARK --set-mark 10", 527 "-m mark --mark 10 -m comment --comment PU-Chain -j TRI-App-pu1N7uS6--0"}, 528 "TRI-Pid-Net": { 529 "-p tcp -m multiport --destination-ports 9000 -m comment --comment PU-Chain -j TRI-Net-pu1N7uS6--0", 530 "-p udp -m multiport --destination-ports 5000 -m comment --comment PU-Chain -j TRI-Net-pu1N7uS6--0", 531 }, 532 "TRI-Prx-App": { 533 "-m mark --mark 0x40 -j ACCEPT", 534 "-p tcp -m tcp --sport 0 -j ACCEPT", 535 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -j ACCEPT", 536 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -j ACCEPT", 537 "-p udp -m udp --sport 0 -j ACCEPT", 538 }, 539 "TRI-Prx-Net": { 540 "-m mark --mark 0x40 -j ACCEPT", 541 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst src,src -j ACCEPT", 542 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -m addrtype --src-type LOCAL -j ACCEPT", 543 "-p tcp -m tcp --dport 0 -j ACCEPT", 544 "-p udp -m udp --dport 0 -j ACCEPT", 545 }, 546 "TRI-Hst-App": {}, 547 "TRI-Hst-Net": {}, 548 "TRI-Svc-App": {}, 549 "TRI-Svc-Net": {}, 550 551 "TRI-Net-pu1N7uS6--0": { 552 "-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN", 553 "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= src -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", 554 "-p TCP -m set --match-set TRI-v4-ext-w5frVvhsnpU= src -m state --state NEW --match multiport --dports 80 -j DROP", 555 "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j CONNMARK --set-mark 61167", 556 "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j ACCEPT", 557 "-p tcp -m set --match-set TRI-v4-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN", 558 "-p udp -m set --match-set TRI-v4-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN", 559 "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", 560 "-s 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6", 561 "-s 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10", 562 "-s 0.0.0.0/0 -j DROP", 563 }, 564 "TRI-App-pu1N7uS6--0": { 565 "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst --match multiport --dports 443 -m bpf --bytecode 20,0 0 0 0,177 0 0 0,12 0 0 0,7 0 0 0,72 0 0 4,53 0 13 29,135 0 0 0,4 0 0 8,7 0 0 0,72 0 0 2,84 0 0 64655,21 0 7 0,72 0 0 4,21 0 5 1,64 0 0 6,21 0 3 0,72 0 0 10,37 1 0 1,6 0 0 0,6 0 0 65535 -j DROP", "-p TCP -m set --match-set TRI-v4-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j CONNMARK --set-mark 61167", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j ACCEPT", "-m bpf --bytecode 7,48 0 0 0,84 0 0 240,21 0 3 64,48 0 0 9,21 0 1 1,6 0 0 65535,6 0 0 0 -p icmp -m set --match-set TRI-v4-ext-w5frVvhsnpU= dst -j ACCEPT", "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= dst -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-p udp -m set --match-set TRI-v4-TargetUDP dst -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-m mark --mark 40 -j NFQUEUE --queue-num 0 --queue-bypass", "-m mark --mark 41 -j NFQUEUE --queue-num 1 --queue-bypass", "-m mark --mark 42 -j NFQUEUE --queue-num 2 --queue-bypass", 566 "-m mark --mark 43 -j NFQUEUE --queue-num 3 --queue-bypass", "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", "-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT", 567 "-d 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6", "-d 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10", "-d 0.0.0.0/0 -j DROP"}, 568 } 569 570 expectedMangleAfterPUInsertWithExtensionsAndLogV4 = map[string][]string{ 571 "TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef", 572 "-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass", 573 "-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass", 574 "-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass", 575 "-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"}, 576 "TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef", 577 "-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass", 578 "-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass", 579 "-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass", 580 "-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"}, 581 "INPUT": { 582 "-m set ! --match-set TRI-v4-Excluded src -j TRI-Net", 583 }, 584 "OUTPUT": { 585 "-m set ! --match-set TRI-v4-Excluded dst -j TRI-App", 586 }, 587 "TRI-App": { 588 "-m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m connmark --mark 61166 -p udp -j ACCEPT", 589 "-m mark --mark 1073741922 -j ACCEPT", "-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT", 590 "-j TRI-Pid-App", "-j TRI-Svc-App", "-j TRI-Hst-App"}, 591 "TRI-Net": { 592 "-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", 593 "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", 594 "-m connmark --mark 61166 -p udp -j ACCEPT", "-j TRI-Pid-Net", "-j TRI-Svc-Net", "-j TRI-Hst-Net"}, 595 "TRI-Pid-App": { 596 "-m cgroup --cgroup 10 -m comment --comment PU-Chain -j MARK --set-mark 10", 597 "-m mark --mark 10 -m comment --comment PU-Chain -j TRI-App-pu1N7uS6--0"}, 598 "TRI-Pid-Net": { 599 "-p tcp -m multiport --destination-ports 9000 -m comment --comment PU-Chain -j TRI-Net-pu1N7uS6--0", 600 "-p udp -m multiport --destination-ports 5000 -m comment --comment PU-Chain -j TRI-Net-pu1N7uS6--0", 601 }, 602 "TRI-Prx-App": { 603 "-m mark --mark 0x40 -j ACCEPT", 604 "-p tcp -m tcp --sport 0 -j ACCEPT", 605 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -j ACCEPT", 606 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -j ACCEPT", 607 "-p udp -m udp --sport 0 -j ACCEPT", 608 }, 609 "TRI-Prx-Net": { 610 "-m mark --mark 0x40 -j ACCEPT", 611 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst src,src -j ACCEPT", 612 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -m addrtype --src-type LOCAL -j ACCEPT", 613 "-p tcp -m tcp --dport 0 -j ACCEPT", 614 "-p udp -m udp --dport 0 -j ACCEPT", 615 }, 616 "TRI-Hst-App": {}, 617 "TRI-Hst-Net": {}, 618 "TRI-Svc-App": {}, 619 "TRI-Svc-Net": {}, 620 621 "TRI-Net-pu1N7uS6--0": { 622 "-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN", 623 "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= src -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", 624 "-p TCP -m set --match-set TRI-v4-ext-w5frVvhsnpU= src -m state --state NEW --match multiport --dports 80 -j DROP", 625 "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j CONNMARK --set-mark 61167", 626 "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j ACCEPT", 627 "-p tcp -m set --match-set TRI-v4-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN", 628 "-p udp -m set --match-set TRI-v4-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN", 629 "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", 630 "-s 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6", 631 "-s 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10", 632 "-s 0.0.0.0/0 -j DROP", 633 }, 634 "TRI-App-pu1N7uS6--0": { 635 "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst --match multiport --dports 443 -m bpf --bytecode 20,0 0 0 0,177 0 0 0,12 0 0 0,7 0 0 0,72 0 0 4,53 0 13 29,135 0 0 0,4 0 0 8,7 0 0 0,72 0 0 2,84 0 0 64655,21 0 7 0,72 0 0 4,21 0 5 1,64 0 0 6,21 0 3 0,72 0 0 10,37 1 0 1,6 0 0 0,6 0 0 65535 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:2:s2:6", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst --match multiport --dports 443 -m bpf --bytecode 20,0 0 0 0,177 0 0 0,12 0 0 0,7 0 0 0,72 0 0 4,53 0 13 29,135 0 0 0,4 0 0 8,7 0 0 0,72 0 0 2,84 0 0 64655,21 0 7 0,72 0 0 4,21 0 5 1,64 0 0 6,21 0 3 0,72 0 0 10,37 1 0 1,6 0 0 0,6 0 0 65535 -j DROP", "-p TCP -m set --match-set TRI-v4-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:2:s2:3", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j CONNMARK --set-mark 61167", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j ACCEPT", "-m bpf --bytecode 7,48 0 0 0,84 0 0 240,21 0 3 64,48 0 0 9,21 0 1 1,6 0 0 65535,6 0 0 0 -p icmp -m set --match-set TRI-v4-ext-w5frVvhsnpU= dst -j ACCEPT", "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= dst -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-p udp -m set --match-set TRI-v4-TargetUDP dst -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-m mark --mark 40 -j NFQUEUE --queue-num 0 --queue-bypass", "-m mark --mark 41 -j NFQUEUE --queue-num 1 --queue-bypass", "-m mark --mark 42 -j NFQUEUE --queue-num 2 --queue-bypass", "-m mark --mark 43 -j NFQUEUE --queue-num 3 --queue-bypass", 636 "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", "-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT", "-d 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6", 637 "-d 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10", "-d 0.0.0.0/0 -j DROP"}, 638 } 639 640 expectedNATAfterPUInsertV4 = map[string][]string{ 641 "PREROUTING": { 642 "-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v4-Excluded src -j TRI-Redir-Net", 643 }, 644 "OUTPUT": { 645 "-m set ! --match-set TRI-v4-Excluded dst -j TRI-Redir-App", 646 }, 647 "TRI-Redir-App": { 648 "-m mark --mark 0x40 -j RETURN", 649 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j REDIRECT --to-ports 0", 650 "-d 0.0.0.0/0 -p udp --dport 53 -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j CONNMARK --save-mark", 651 "-d 0.0.0.0/0 -p udp --dport 53 -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j REDIRECT --to-ports 0", 652 }, 653 "TRI-Redir-Net": { 654 "-m mark --mark 0x40 -j ACCEPT", 655 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv dst -m mark ! --mark 0x40 -j REDIRECT --to-ports 0", 656 }, 657 "POSTROUTING": { 658 "-p udp -m addrtype --src-type LOCAL -m multiport --source-ports 5000 -j ACCEPT", 659 }, 660 } 661 expectedNATAfterPUInsertV4Istio = map[string][]string{ 662 "PREROUTING": { 663 "-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v4-Excluded src -j TRI-Redir-Net", 664 }, 665 "OUTPUT": { 666 "-m set ! --match-set TRI-v4-Excluded dst -j TRI-Redir-App", 667 "-p tcp -m mark --mark 68 -j ACCEPT", 668 }, 669 "TRI-Redir-App": { 670 "-m mark --mark 0x40 -j RETURN", 671 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j REDIRECT --to-ports 0", 672 "-d 0.0.0.0/0 -p udp --dport 53 -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j CONNMARK --save-mark", 673 "-d 0.0.0.0/0 -p udp --dport 53 -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j REDIRECT --to-ports 0", 674 }, 675 "TRI-Redir-Net": { 676 "-m mark --mark 0x40 -j ACCEPT", 677 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv dst -m mark ! --mark 0x40 -j REDIRECT --to-ports 0", 678 }, 679 "POSTROUTING": { 680 "-p udp -m addrtype --src-type LOCAL -m multiport --source-ports 5000 -j ACCEPT", 681 }, 682 } 683 expectedMangleAfterPUUpdateV4 = map[string][]string{ 684 "TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef", 685 "-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass", 686 "-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass", 687 "-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass", 688 "-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"}, 689 "TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef", 690 "-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass", 691 "-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass", 692 "-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass", 693 "-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"}, 694 "INPUT": { 695 "-m set ! --match-set TRI-v4-Excluded src -j TRI-Net", 696 }, 697 "OUTPUT": { 698 "-m set ! --match-set TRI-v4-Excluded dst -j TRI-App", 699 }, 700 "TRI-App": { 701 "-m mark --mark 66 -j CONNMARK --set-mark 61167", 702 "-p tcp -m mark --mark 66 -j ACCEPT", "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m connmark --mark 61166 -p udp -j ACCEPT", "-m mark --mark 1073741922 -j ACCEPT", 703 "-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT", 704 "-j TRI-Pid-App", "-j TRI-Svc-App", "-j TRI-Hst-App"}, 705 "TRI-Net": { 706 "-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p udp -j ACCEPT", "-j TRI-Pid-Net", "-j TRI-Svc-Net", "-j TRI-Hst-Net"}, 707 "TRI-Pid-App": { 708 "-m cgroup --cgroup 10 -m comment --comment PU-Chain -j MARK --set-mark 10", 709 "-m mark --mark 10 -m comment --comment PU-Chain -j TRI-App-pu1N7uS6--1"}, 710 "TRI-Pid-Net": { 711 "-p tcp -m set --match-set TRI-v4-ProcPort-pu19gtV dst -m comment --comment PU-Chain -j TRI-Net-pu1N7uS6--1", 712 }, 713 "TRI-Prx-App": { 714 "-m mark --mark 0x40 -j ACCEPT", 715 "-p tcp -m tcp --sport 0 -j ACCEPT", 716 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -j ACCEPT", 717 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -j ACCEPT", 718 "-p udp -m udp --sport 0 -j ACCEPT", 719 }, 720 "TRI-Prx-Net": { 721 "-m mark --mark 0x40 -j ACCEPT", 722 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst src,src -j ACCEPT", 723 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -m addrtype --src-type LOCAL -j ACCEPT", 724 "-p tcp -m tcp --dport 0 -j ACCEPT", 725 "-p udp -m udp --dport 0 -j ACCEPT", 726 }, 727 "TRI-Hst-App": {}, 728 "TRI-Hst-Net": {}, 729 "TRI-Svc-App": {}, 730 "TRI-Svc-Net": {}, 731 732 "TRI-Net-pu1N7uS6--1": { 733 "-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN", 734 "-p TCP -m set --match-set TRI-v4-ext-w5frVvhsnpU= src -m state --state NEW --match multiport --dports 80 -j DROP", 735 "-p tcp -m set --match-set TRI-v4-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN", 736 "-p udp -m set --match-set TRI-v4-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN", 737 "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", 738 "-s 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6", 739 "-s 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10", 740 "-s 0.0.0.0/0 -j DROP"}, 741 742 "TRI-App-pu1N7uS6--1": { 743 "-p TCP -m set --match-set TRI-v4-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-p udp -m set --match-set TRI-v4-TargetUDP dst -j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 40 --hmark-rnd 0xdeadbeef", "-m mark --mark 40 -j NFQUEUE --queue-num 0 --queue-bypass", "-m mark --mark 41 -j NFQUEUE --queue-num 1 --queue-bypass", "-m mark --mark 42 -j NFQUEUE --queue-num 2 --queue-bypass", 744 "-m mark --mark 43 -j NFQUEUE --queue-num 3 --queue-bypass", "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", "-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT", 745 "-d 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6", "-d 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10", "-d 0.0.0.0/0 -j DROP"}, 746 } 747 ) 748 749 func Test_OperationWithLinuxServicesV4(t *testing.T) { 750 Convey("Given an iptables controller with a memory backend ", t, func() { 751 cfg := &runtime.Configuration{ 752 TCPTargetNetworks: []string{"0.0.0.0/0"}, 753 UDPTargetNetworks: []string{"10.0.0.0/8"}, 754 ExcludedNetworks: []string{"127.0.0.1"}, 755 } 756 757 commitFunc := func(buf *bytes.Buffer) error { 758 return nil 759 } 760 761 iptv4 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat", 762 "mangle"}) 763 So(iptv4, ShouldNotBeNil) 764 765 iptv6 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat", 766 "mangle"}) 767 So(iptv6, ShouldNotBeNil) 768 769 ips := &memoryIPSetProvider{sets: map[string]*memoryIPSet{}} 770 i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.None) 771 So(err, ShouldBeNil) 772 So(i, ShouldNotBeNil) 773 774 Convey("When I start the controller, I should get the right global chains and ipsets", func() { 775 ctx, cancel := context.WithCancel(context.Background()) 776 defer cancel() 777 err := i.Run(ctx) 778 i.SetTargetNetworks(cfg) // nolint 779 So(err, ShouldBeNil) 780 781 t := i.iptv4.impl.RetrieveTable() 782 So(t, ShouldNotBeNil) 783 So(len(t), ShouldEqual, 2) 784 So(t["mangle"], ShouldNotBeNil) 785 So(t["nat"], ShouldNotBeNil) 786 for chain, rules := range t["mangle"] { 787 So(expectedGlobalMangleChainsV4, ShouldContainKey, chain) 788 So(rules, ShouldResemble, expectedGlobalMangleChainsV4[chain]) 789 } 790 791 for chain, rules := range t["nat"] { 792 So(expectedGlobalNATChainsV4, ShouldContainKey, chain) 793 So(rules, ShouldResemble, expectedGlobalNATChainsV4[chain]) 794 } 795 796 Convey("When I configure a new set of rules, the ACLs must be correct", func() { 797 appACLs := policy.IPRuleList{ 798 policy.IPRule{ 799 Addresses: []string{"60.0.0.0/24"}, 800 Ports: nil, 801 Protocols: []string{constants.AllProtoString}, 802 Policy: &policy.FlowPolicy{ 803 Action: policy.Accept | policy.Log, 804 ServiceID: "a3", 805 PolicyID: "123a", 806 }, 807 }, 808 policy.IPRule{ 809 Addresses: []string{"30.0.0.0/24"}, 810 Ports: []string{"80"}, 811 Protocols: []string{"TCP"}, 812 Policy: &policy.FlowPolicy{ 813 Action: policy.Reject, 814 ServiceID: "s1", 815 PolicyID: "1", 816 }, 817 }, 818 policy.IPRule{ 819 Addresses: []string{"30.0.0.0/24"}, 820 Ports: []string{"443"}, 821 Protocols: []string{"UDP"}, 822 Policy: &policy.FlowPolicy{ 823 Action: policy.Accept, 824 ServiceID: "s2", 825 PolicyID: "2", 826 }, 827 }, 828 policy.IPRule{ 829 Addresses: []string{"50.0.0.0/24"}, 830 Ports: []string{}, 831 Protocols: []string{"icmp"}, 832 Policy: &policy.FlowPolicy{ 833 Action: policy.Accept, 834 ServiceID: "s3", 835 PolicyID: "3", 836 }, 837 }, 838 policy.IPRule{ 839 Addresses: []string{"60.0.0.0/24"}, 840 Ports: nil, 841 Protocols: []string{constants.AllProtoString}, 842 Policy: &policy.FlowPolicy{ 843 Action: policy.Reject | policy.Log, 844 ServiceID: "a3", 845 PolicyID: "123a", 846 RuleName: "rockstars forev", 847 }, 848 }, 849 } 850 netACLs := policy.IPRuleList{ 851 policy.IPRule{ 852 Addresses: []string{"60.0.0.0/24"}, 853 Ports: nil, 854 Protocols: []string{constants.AllProtoString}, 855 Policy: &policy.FlowPolicy{ 856 Action: policy.Accept | policy.Log, 857 ServiceID: "a3", 858 PolicyID: "123a", 859 }, 860 }, 861 policy.IPRule{ 862 Addresses: []string{"40.0.0.0/24"}, 863 Ports: []string{"80"}, 864 Protocols: []string{"TCP"}, 865 Policy: &policy.FlowPolicy{ 866 Action: policy.Reject, 867 ServiceID: "s3", 868 PolicyID: "1", 869 }, 870 }, 871 policy.IPRule{ 872 Addresses: []string{"40.0.0.0/24"}, 873 Ports: []string{"443"}, 874 Protocols: []string{"UDP"}, 875 Policy: &policy.FlowPolicy{ 876 Action: policy.Accept, 877 ServiceID: "s4", 878 PolicyID: "2", 879 }, 880 }, 881 policy.IPRule{ 882 Addresses: []string{"60.0.0.0/24"}, 883 Ports: nil, 884 Protocols: []string{constants.AllProtoString}, 885 Policy: &policy.FlowPolicy{ 886 Action: policy.Reject | policy.Log, 887 ServiceID: "a3", 888 PolicyID: "123a", 889 }, 890 }, 891 } 892 ipl := policy.ExtendedMap{} 893 policyrules := policy.NewPUPolicy( 894 "Context", 895 "/ns1", 896 policy.Police, 897 appACLs, 898 netACLs, 899 nil, 900 nil, 901 nil, 902 nil, 903 nil, 904 nil, 905 ipl, 906 0, 907 0, 908 nil, 909 nil, 910 []string{}, 911 policy.EnforcerMapping, 912 policy.Reject|policy.Log, 913 policy.Reject|policy.Log, 914 ) 915 puInfo := policy.NewPUInfo("Context", 916 "/ns1", common.LinuxProcessPU) 917 puInfo.Policy = policyrules 918 puInfo.Runtime.SetOptions(policy.OptionsType{ 919 CgroupMark: "10", 920 }) 921 922 udpPortSpec, err := portspec.NewPortSpecFromString("5000", nil) 923 So(err, ShouldBeNil) 924 tcpPortSpec, err := portspec.NewPortSpecFromString("9000", nil) 925 So(err, ShouldBeNil) 926 927 puInfo.Runtime.SetServices([]common.Service{ 928 { 929 Ports: udpPortSpec, 930 Protocol: 17, 931 }, 932 { 933 Ports: tcpPortSpec, 934 Protocol: 6, 935 }, 936 }) 937 938 var iprules policy.IPRuleList 939 940 iprules = append(iprules, puInfo.Policy.ApplicationACLs()...) 941 iprules = append(iprules, puInfo.Policy.NetworkACLs()...) 942 i.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules) // nolint 943 err = i.iptv4.ConfigureRules(0, 944 "pu1", puInfo) 945 So(err, ShouldBeNil) 946 err = i.iptv4.ipsetmanager.AddPortToServerPortSet("pu1", 947 "8080") 948 So(err, ShouldBeNil) 949 t := i.iptv4.impl.RetrieveTable() 950 951 for chain, rules := range t["mangle"] { 952 So(expectedMangleAfterPUInsertV4, ShouldContainKey, chain) 953 So(rules, ShouldResemble, expectedMangleAfterPUInsertV4[chain]) 954 } 955 956 for chain, rules := range t["nat"] { 957 So(expectedNATAfterPUInsertV4, ShouldContainKey, chain) 958 So(rules, ShouldResemble, expectedNATAfterPUInsertV4[chain]) 959 } 960 961 Convey("When I update the policy, the update must result in correct state", func() { 962 appACLs := policy.IPRuleList{ 963 policy.IPRule{ 964 Addresses: []string{"30.0.0.0/24"}, 965 Ports: []string{"80"}, 966 Protocols: []string{"TCP"}, 967 Policy: &policy.FlowPolicy{ 968 Action: policy.Reject, 969 ServiceID: "s1", 970 PolicyID: "1", 971 }, 972 }, 973 } 974 netACLs := policy.IPRuleList{ 975 policy.IPRule{ 976 Addresses: []string{"40.0.0.0/24"}, 977 Ports: []string{"80"}, 978 Protocols: []string{"TCP"}, 979 Policy: &policy.FlowPolicy{ 980 Action: policy.Reject, 981 ServiceID: "s3", 982 PolicyID: "1", 983 }, 984 }, 985 } 986 ipl := policy.ExtendedMap{} 987 policyrules := policy.NewPUPolicy( 988 "Context", 989 "/ns1", 990 policy.Police, 991 appACLs, 992 netACLs, 993 nil, 994 nil, 995 nil, 996 nil, 997 nil, 998 nil, 999 ipl, 1000 0, 1001 0, 1002 nil, 1003 nil, 1004 []string{}, 1005 policy.EnforcerMapping, 1006 policy.Reject|policy.Log, 1007 policy.Reject|policy.Log, 1008 ) 1009 puInfoUpdated := policy.NewPUInfo("Context", 1010 "/ns1", common.LinuxProcessPU) 1011 puInfoUpdated.Policy = policyrules 1012 puInfoUpdated.Runtime.SetOptions(policy.OptionsType{ 1013 CgroupMark: "10", 1014 }) 1015 1016 var iprules policy.IPRuleList 1017 1018 iprules = append(iprules, puInfoUpdated.Policy.ApplicationACLs()...) 1019 iprules = append(iprules, puInfoUpdated.Policy.NetworkACLs()...) 1020 1021 i.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules) // nolint 1022 1023 err := i.iptv4.UpdateRules(1, 1024 "pu1", puInfoUpdated, puInfo) 1025 So(err, ShouldBeNil) 1026 1027 i.iptv4.ipsetmanager.DestroyUnusedIPsets() 1028 1029 t := i.iptv4.impl.RetrieveTable() 1030 for chain, rules := range t["mangle"] { 1031 So(expectedMangleAfterPUUpdateV4, ShouldContainKey, chain) 1032 So(rules, ShouldResemble, expectedMangleAfterPUUpdateV4[chain]) 1033 } 1034 1035 Convey("When I delete the same rule, the chains must be restored in the global state", func() { 1036 err = i.iptv4.ipsetmanager.DeletePortFromServerPortSet("pu1", 1037 "8080") 1038 err := i.iptv4.DeleteRules(1, 1039 "pu1", 1040 "0", 1041 "5000", 1042 "10", 1043 "", puInfoUpdated) 1044 i.iptv4.ipsetmanager.RemoveExternalNets("pu1") 1045 So(err, ShouldBeNil) 1046 So(err, ShouldBeNil) 1047 t := i.iptv4.impl.RetrieveTable() 1048 So(t["mangle"], ShouldNotBeNil) 1049 So(t["nat"], ShouldNotBeNil) 1050 for chain, rules := range t["mangle"] { 1051 So(expectedGlobalMangleChainsV4, ShouldContainKey, chain) 1052 So(rules, ShouldResemble, expectedGlobalMangleChainsV4[chain]) 1053 } 1054 1055 for chain, rules := range t["nat"] { 1056 if len(rules) > 0 { 1057 So(expectedGlobalNATChainsV4, ShouldContainKey, chain) 1058 So(rules, ShouldResemble, expectedGlobalNATChainsV4[chain]) 1059 } 1060 } 1061 }) 1062 }) 1063 }) 1064 }) 1065 }) 1066 } 1067 1068 func Test_OperationWithLinuxServicesV4Istio(t *testing.T) { 1069 Convey("Given an iptables controller with a memory backend ", t, func() { 1070 cfg := &runtime.Configuration{ 1071 TCPTargetNetworks: []string{"0.0.0.0/0"}, 1072 UDPTargetNetworks: []string{"10.0.0.0/8"}, 1073 ExcludedNetworks: []string{"127.0.0.1"}, 1074 } 1075 1076 commitFunc := func(buf *bytes.Buffer) error { 1077 return nil 1078 } 1079 1080 iptv4 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat", 1081 "mangle"}) 1082 So(iptv4, ShouldNotBeNil) 1083 1084 iptv6 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat", 1085 "mangle"}) 1086 So(iptv6, ShouldNotBeNil) 1087 1088 ips := &memoryIPSetProvider{sets: map[string]*memoryIPSet{}} 1089 i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.Istio) 1090 So(err, ShouldBeNil) 1091 So(i, ShouldNotBeNil) 1092 1093 Convey("When I start the controller, I should get the right global chains and ipsets", func() { 1094 ctx, cancel := context.WithCancel(context.Background()) 1095 defer cancel() 1096 err := i.Run(ctx) 1097 i.SetTargetNetworks(cfg) // nolint 1098 So(err, ShouldBeNil) 1099 1100 t := i.iptv4.impl.RetrieveTable() 1101 So(t, ShouldNotBeNil) 1102 So(len(t), ShouldEqual, 2) 1103 So(t["mangle"], ShouldNotBeNil) 1104 So(t["nat"], ShouldNotBeNil) 1105 for chain, rules := range t["mangle"] { 1106 So(expectedGlobalMangleChainsV4Istio, ShouldContainKey, chain) 1107 So(rules, ShouldResemble, expectedGlobalMangleChainsV4Istio[chain]) 1108 } 1109 1110 for chain, rules := range t["nat"] { 1111 So(expectedGlobalNATChainsV4Istio, ShouldContainKey, chain) 1112 So(rules, ShouldResemble, expectedGlobalNATChainsV4Istio[chain]) 1113 } 1114 Convey("When I configure a new PU with ISTIO and new ACLs, all rules must be correct", func() { 1115 appACLs := policy.IPRuleList{ 1116 policy.IPRule{ 1117 Addresses: []string{"60.0.0.0/24"}, 1118 Ports: nil, 1119 Protocols: []string{constants.AllProtoString}, 1120 Policy: &policy.FlowPolicy{ 1121 Action: policy.Accept | policy.Log, 1122 ServiceID: "a3", 1123 PolicyID: "123a", 1124 }, 1125 }, 1126 policy.IPRule{ 1127 Addresses: []string{"30.0.0.0/24"}, 1128 Ports: []string{"80"}, 1129 Protocols: []string{"TCP"}, 1130 Policy: &policy.FlowPolicy{ 1131 Action: policy.Reject, 1132 ServiceID: "s1", 1133 PolicyID: "1", 1134 }, 1135 }, 1136 policy.IPRule{ 1137 Addresses: []string{"30.0.0.0/24"}, 1138 Ports: []string{"443"}, 1139 Protocols: []string{"UDP"}, 1140 Policy: &policy.FlowPolicy{ 1141 Action: policy.Accept, 1142 ServiceID: "s2", 1143 PolicyID: "2", 1144 }, 1145 }, 1146 policy.IPRule{ 1147 Addresses: []string{"50.0.0.0/24"}, 1148 Ports: []string{}, 1149 Protocols: []string{"icmp"}, 1150 Policy: &policy.FlowPolicy{ 1151 Action: policy.Accept, 1152 ServiceID: "s3", 1153 PolicyID: "3", 1154 }, 1155 }, 1156 policy.IPRule{ 1157 Addresses: []string{"60.0.0.0/24"}, 1158 Ports: nil, 1159 Protocols: []string{constants.AllProtoString}, 1160 Policy: &policy.FlowPolicy{ 1161 Action: policy.Reject | policy.Log, 1162 ServiceID: "a3", 1163 PolicyID: "123a", 1164 }, 1165 }, 1166 } 1167 netACLs := policy.IPRuleList{ 1168 policy.IPRule{ 1169 Addresses: []string{"60.0.0.0/24"}, 1170 Ports: nil, 1171 Protocols: []string{constants.AllProtoString}, 1172 Policy: &policy.FlowPolicy{ 1173 Action: policy.Accept | policy.Log, 1174 ServiceID: "a3", 1175 PolicyID: "123a", 1176 }, 1177 }, 1178 policy.IPRule{ 1179 Addresses: []string{"40.0.0.0/24"}, 1180 Ports: []string{"80"}, 1181 Protocols: []string{"TCP"}, 1182 Policy: &policy.FlowPolicy{ 1183 Action: policy.Reject, 1184 ServiceID: "s3", 1185 PolicyID: "1", 1186 }, 1187 }, 1188 policy.IPRule{ 1189 Addresses: []string{"40.0.0.0/24"}, 1190 Ports: []string{"443"}, 1191 Protocols: []string{"UDP"}, 1192 Policy: &policy.FlowPolicy{ 1193 Action: policy.Accept, 1194 ServiceID: "s4", 1195 PolicyID: "2", 1196 }, 1197 }, 1198 policy.IPRule{ 1199 Addresses: []string{"60.0.0.0/24"}, 1200 Ports: nil, 1201 Protocols: []string{constants.AllProtoString}, 1202 Policy: &policy.FlowPolicy{ 1203 Action: policy.Reject | policy.Log, 1204 ServiceID: "a3", 1205 PolicyID: "123a", 1206 }, 1207 }, 1208 } 1209 ipl := policy.ExtendedMap{} 1210 policyrules := policy.NewPUPolicy( 1211 "Context", 1212 "/ns1", 1213 policy.Police, 1214 appACLs, 1215 netACLs, 1216 nil, 1217 nil, 1218 nil, 1219 nil, 1220 nil, 1221 nil, 1222 ipl, 1223 0, 1224 0, 1225 nil, 1226 nil, 1227 []string{}, 1228 policy.EnforcerMapping, 1229 policy.Reject|policy.Log, 1230 policy.Reject|policy.Log, 1231 ) 1232 puInfo := policy.NewPUInfo("Context", 1233 "/ns1", common.LinuxProcessPU) 1234 puInfo.Policy = policyrules 1235 puInfo.Runtime.SetOptions(policy.OptionsType{ 1236 CgroupMark: "10", 1237 }) 1238 1239 udpPortSpec, err := portspec.NewPortSpecFromString("5000", nil) 1240 So(err, ShouldBeNil) 1241 tcpPortSpec, err := portspec.NewPortSpecFromString("9000", nil) 1242 So(err, ShouldBeNil) 1243 1244 puInfo.Runtime.SetServices([]common.Service{ 1245 { 1246 Ports: udpPortSpec, 1247 Protocol: 17, 1248 }, 1249 { 1250 Ports: tcpPortSpec, 1251 Protocol: 6, 1252 }, 1253 }) 1254 1255 var iprules policy.IPRuleList 1256 1257 iprules = append(iprules, puInfo.Policy.ApplicationACLs()...) 1258 iprules = append(iprules, puInfo.Policy.NetworkACLs()...) 1259 i.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules) // nolint 1260 1261 err = i.iptv4.ConfigureRules(0, 1262 "pu1", puInfo) 1263 So(err, ShouldBeNil) 1264 err = i.iptv4.ipsetmanager.AddPortToServerPortSet("pu1", 1265 "8080") 1266 So(err, ShouldBeNil) 1267 t := i.iptv4.impl.RetrieveTable() 1268 1269 for chain, rules := range t["mangle"] { 1270 So(expectedMangleAfterPUInsertV4Istio, ShouldContainKey, chain) 1271 So(rules, ShouldResemble, expectedMangleAfterPUInsertV4Istio[chain]) 1272 } 1273 1274 for chain, rules := range t["nat"] { 1275 So(expectedNATAfterPUInsertV4Istio, ShouldContainKey, chain) 1276 So(rules, ShouldResemble, expectedNATAfterPUInsertV4Istio[chain]) 1277 } 1278 }) 1279 }) 1280 }) 1281 } 1282 func Test_Extensions1V4(t *testing.T) { 1283 Convey("Given an iptables controller with a memory backend with extensions in policy and log disabled", t, func() { 1284 cfg := &runtime.Configuration{ 1285 TCPTargetNetworks: []string{"0.0.0.0/0"}, 1286 UDPTargetNetworks: []string{"10.0.0.0/8"}, 1287 ExcludedNetworks: []string{"127.0.0.1"}, 1288 } 1289 1290 commitFunc := func(buf *bytes.Buffer) error { 1291 return nil 1292 } 1293 1294 iptv4 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat", 1295 "mangle"}) 1296 So(iptv4, ShouldNotBeNil) 1297 1298 iptv6 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat", 1299 "mangle"}) 1300 So(iptv6, ShouldNotBeNil) 1301 1302 ips := &memoryIPSetProvider{sets: map[string]*memoryIPSet{}} 1303 1304 i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.None) 1305 So(err, ShouldBeNil) 1306 So(i, ShouldNotBeNil) 1307 1308 Convey("When I start the controller, I should get the right global chains and ipsets and proper extensions should be configured", func() { 1309 ctx, cancel := context.WithCancel(context.Background()) 1310 defer cancel() 1311 err := i.Run(ctx) 1312 i.SetTargetNetworks(cfg) // nolint 1313 So(err, ShouldBeNil) 1314 1315 t := i.iptv4.impl.RetrieveTable() 1316 So(t, ShouldNotBeNil) 1317 So(len(t), ShouldEqual, 2) 1318 So(t["mangle"], ShouldNotBeNil) 1319 So(t["nat"], ShouldNotBeNil) 1320 1321 for chain, rules := range t["mangle"] { 1322 So(expectedGlobalMangleChainsV4, ShouldContainKey, chain) 1323 So(rules, ShouldResemble, expectedGlobalMangleChainsV4[chain]) 1324 } 1325 1326 for chain, rules := range t["nat"] { 1327 So(expectedGlobalNATChainsV4, ShouldContainKey, chain) 1328 So(rules, ShouldResemble, expectedGlobalNATChainsV4[chain]) 1329 } 1330 1331 Convey("When I configure a new set of rules, the ACLs must be correct", func() { 1332 appACLs := policy.IPRuleList{ 1333 policy.IPRule{ 1334 Addresses: []string{"30.0.0.0/24"}, 1335 Ports: []string{"80"}, 1336 Protocols: []string{"TCP"}, 1337 Policy: &policy.FlowPolicy{ 1338 Action: policy.Reject, 1339 ServiceID: "s1", 1340 PolicyID: "1", 1341 }, 1342 }, 1343 policy.IPRule{ 1344 Addresses: []string{"30.0.0.0/24"}, 1345 Ports: []string{"443"}, 1346 Protocols: []string{"UDP"}, 1347 Policy: &policy.FlowPolicy{ 1348 Action: policy.Accept, 1349 ServiceID: "s2", 1350 PolicyID: "2", 1351 }, 1352 Extensions: []string{"--match multiport --dports 443 -m bpf --bytecode 20,0 0 0 0,177 0 0 0,12 0 0 0,7 0 0 0,72 0 0 4,53 0 13 29,135 0 0 0,4 0 0 8,7 0 0 0,72 0 0 2,84 0 0 64655,21 0 7 0,72 0 0 4,21 0 5 1,64 0 0 6,21 0 3 0,72 0 0 10,37 1 0 1,6 0 0 0,6 0 0 65535 -j DROP"}, 1353 }, 1354 policy.IPRule{ 1355 Addresses: []string{"50.0.0.0/24"}, 1356 Ports: []string{}, 1357 Protocols: []string{"icmp"}, 1358 Policy: &policy.FlowPolicy{ 1359 Action: policy.Accept, 1360 ServiceID: "s3", 1361 PolicyID: "3", 1362 }, 1363 }, 1364 } 1365 netACLs := policy.IPRuleList{ 1366 policy.IPRule{ 1367 Addresses: []string{"40.0.0.0/24"}, 1368 Ports: []string{"80"}, 1369 Protocols: []string{"TCP"}, 1370 Policy: &policy.FlowPolicy{ 1371 Action: policy.Reject, 1372 ServiceID: "s3", 1373 PolicyID: "1", 1374 }, 1375 }, 1376 policy.IPRule{ 1377 Addresses: []string{"40.0.0.0/24"}, 1378 Ports: []string{"443"}, 1379 Protocols: []string{"UDP"}, 1380 Policy: &policy.FlowPolicy{ 1381 Action: policy.Accept, 1382 ServiceID: "s4", 1383 PolicyID: "2", 1384 }, 1385 }, 1386 } 1387 ipl := policy.ExtendedMap{} 1388 policyrules := policy.NewPUPolicy( 1389 "Context", 1390 "/ns1", 1391 policy.Police, 1392 appACLs, 1393 netACLs, 1394 nil, 1395 nil, 1396 nil, 1397 nil, 1398 nil, 1399 nil, 1400 ipl, 1401 0, 1402 0, 1403 nil, 1404 nil, 1405 []string{}, 1406 policy.EnforcerMapping, 1407 policy.Reject|policy.Log, 1408 policy.Reject|policy.Log, 1409 ) 1410 puInfo := policy.NewPUInfo("Context", 1411 "/ns1", common.LinuxProcessPU) 1412 puInfo.Policy = policyrules 1413 puInfo.Runtime.SetOptions(policy.OptionsType{ 1414 CgroupMark: "10", 1415 }) 1416 1417 udpPortSpec, err := portspec.NewPortSpecFromString("5000", nil) 1418 So(err, ShouldBeNil) 1419 tcpPortSpec, err := portspec.NewPortSpecFromString("9000", nil) 1420 So(err, ShouldBeNil) 1421 1422 puInfo.Runtime.SetServices([]common.Service{ 1423 { 1424 Ports: udpPortSpec, 1425 Protocol: 17, 1426 }, 1427 { 1428 Ports: tcpPortSpec, 1429 Protocol: 6, 1430 }, 1431 }) 1432 1433 var iprules policy.IPRuleList 1434 iprules = append(iprules, puInfo.Policy.ApplicationACLs()...) 1435 iprules = append(iprules, puInfo.Policy.NetworkACLs()...) 1436 1437 i.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules) // nolint 1438 1439 err = i.iptv4.ConfigureRules(0, 1440 "pu1", puInfo) 1441 So(err, ShouldBeNil) 1442 err = i.iptv4.ipsetmanager.AddPortToServerPortSet("pu1", 1443 "8080") 1444 So(err, ShouldBeNil) 1445 t := i.iptv4.impl.RetrieveTable() 1446 1447 for chain, rules := range t["mangle"] { 1448 So(expectedMangleAfterPUInsertWithExtensionsV4, ShouldContainKey, chain) 1449 So(rules, ShouldResemble, expectedMangleAfterPUInsertWithExtensionsV4[chain]) 1450 } 1451 1452 for chain, rules := range t["nat"] { 1453 So(expectedNATAfterPUInsertV4, ShouldContainKey, chain) 1454 So(rules, ShouldResemble, expectedNATAfterPUInsertV4[chain]) 1455 } 1456 1457 }) 1458 }) 1459 }) 1460 } 1461 1462 func Test_Extensions2V4(t *testing.T) { 1463 1464 Convey("Given an iptables controller with a memory backend with bad extensions in policy and log enabled", t, func() { 1465 cfg := &runtime.Configuration{ 1466 TCPTargetNetworks: []string{"0.0.0.0/0"}, 1467 UDPTargetNetworks: []string{"10.0.0.0/8"}, 1468 ExcludedNetworks: []string{"127.0.0.1"}, 1469 } 1470 1471 commitFunc := func(buf *bytes.Buffer) error { 1472 return nil 1473 } 1474 1475 iptv4 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat", 1476 "mangle"}) 1477 So(iptv4, ShouldNotBeNil) 1478 1479 iptv6 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat", 1480 "mangle"}) 1481 So(iptv6, ShouldNotBeNil) 1482 1483 ips := &memoryIPSetProvider{sets: map[string]*memoryIPSet{}} 1484 1485 i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.None) 1486 So(err, ShouldBeNil) 1487 So(i, ShouldNotBeNil) 1488 1489 Convey("When I start the controller, I should get the right global chains and ipsets and proper drop extension should be configured", func() { 1490 ctx, cancel := context.WithCancel(context.Background()) 1491 defer cancel() 1492 err := i.Run(ctx) 1493 i.SetTargetNetworks(cfg) // nolint 1494 So(err, ShouldBeNil) 1495 1496 t := i.iptv4.impl.RetrieveTable() 1497 So(t, ShouldNotBeNil) 1498 So(len(t), ShouldEqual, 2) 1499 So(t["mangle"], ShouldNotBeNil) 1500 So(t["nat"], ShouldNotBeNil) 1501 1502 for chain, rules := range t["mangle"] { 1503 So(expectedGlobalMangleChainsV4, ShouldContainKey, chain) 1504 So(rules, ShouldResemble, expectedGlobalMangleChainsV4[chain]) 1505 } 1506 1507 for chain, rules := range t["nat"] { 1508 So(expectedGlobalNATChainsV4, ShouldContainKey, chain) 1509 So(rules, ShouldResemble, expectedGlobalNATChainsV4[chain]) 1510 } 1511 1512 Convey("When I configure a new set of rules, the ACLs must be correct", func() { 1513 appACLs := policy.IPRuleList{ 1514 policy.IPRule{ 1515 Addresses: []string{"30.0.0.0/24"}, 1516 Ports: []string{"80"}, 1517 Protocols: []string{"TCP"}, 1518 Policy: &policy.FlowPolicy{ 1519 Action: policy.Reject, 1520 ServiceID: "s1", 1521 PolicyID: "1", 1522 }, 1523 }, 1524 policy.IPRule{ 1525 Addresses: []string{"30.0.0.0/24"}, 1526 Ports: []string{"443"}, 1527 Protocols: []string{"UDP"}, 1528 Policy: &policy.FlowPolicy{ 1529 Action: policy.Accept | policy.Log, 1530 ServiceID: "s2", 1531 PolicyID: "2", 1532 }, 1533 Extensions: []string{" -j DROP"}, 1534 }, 1535 policy.IPRule{ 1536 Addresses: []string{"50.0.0.0/24"}, 1537 Ports: []string{}, 1538 Protocols: []string{"icmp"}, 1539 Policy: &policy.FlowPolicy{ 1540 Action: policy.Accept, 1541 ServiceID: "s3", 1542 PolicyID: "3", 1543 }, 1544 }, 1545 } 1546 netACLs := policy.IPRuleList{ 1547 policy.IPRule{ 1548 Addresses: []string{"40.0.0.0/24"}, 1549 Ports: []string{"80"}, 1550 Protocols: []string{"TCP"}, 1551 Policy: &policy.FlowPolicy{ 1552 Action: policy.Reject, 1553 ServiceID: "s3", 1554 PolicyID: "1", 1555 }, 1556 }, 1557 policy.IPRule{ 1558 Addresses: []string{"40.0.0.0/24"}, 1559 Ports: []string{"443"}, 1560 Protocols: []string{"UDP"}, 1561 Policy: &policy.FlowPolicy{ 1562 Action: policy.Accept, 1563 ServiceID: "s4", 1564 PolicyID: "2", 1565 }, 1566 }, 1567 } 1568 ipl := policy.ExtendedMap{} 1569 policyrules := policy.NewPUPolicy( 1570 "Context", 1571 "/ns1", 1572 policy.Police, 1573 appACLs, 1574 netACLs, 1575 nil, 1576 nil, 1577 nil, 1578 nil, 1579 nil, 1580 nil, 1581 ipl, 1582 0, 1583 0, 1584 nil, 1585 nil, 1586 []string{}, 1587 policy.EnforcerMapping, 1588 policy.Reject|policy.Log, 1589 policy.Reject|policy.Log, 1590 ) 1591 puInfo := policy.NewPUInfo("Context", 1592 "/ns1", common.LinuxProcessPU) 1593 puInfo.Policy = policyrules 1594 puInfo.Runtime.SetOptions(policy.OptionsType{ 1595 CgroupMark: "10", 1596 }) 1597 1598 udpPortSpec, err := portspec.NewPortSpecFromString("5000", nil) 1599 So(err, ShouldBeNil) 1600 tcpPortSpec, err := portspec.NewPortSpecFromString("9000", nil) 1601 So(err, ShouldBeNil) 1602 1603 puInfo.Runtime.SetServices([]common.Service{ 1604 { 1605 Ports: udpPortSpec, 1606 Protocol: 17, 1607 }, 1608 { 1609 Ports: tcpPortSpec, 1610 Protocol: 6, 1611 }, 1612 }) 1613 1614 var iprules policy.IPRuleList 1615 iprules = append(iprules, puInfo.Policy.ApplicationACLs()...) 1616 iprules = append(iprules, puInfo.Policy.NetworkACLs()...) 1617 i.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules) // nolint 1618 1619 err = i.iptv4.ConfigureRules(0, 1620 "pu1", puInfo) 1621 So(err, ShouldBeNil) 1622 err = i.iptv4.ipsetmanager.AddPortToServerPortSet("pu1", 1623 "8080") 1624 So(err, ShouldBeNil) 1625 t := i.iptv4.impl.RetrieveTable() 1626 1627 for chain, rules := range t["mangle"] { 1628 So(expectedMangleAfterPUInsertWithLogV4, ShouldContainKey, chain) 1629 So(rules, ShouldResemble, expectedMangleAfterPUInsertWithLogV4[chain]) 1630 } 1631 1632 for chain, rules := range t["nat"] { 1633 So(expectedNATAfterPUInsertV4, ShouldContainKey, chain) 1634 So(rules, ShouldResemble, expectedNATAfterPUInsertV4[chain]) 1635 } 1636 1637 }) 1638 }) 1639 }) 1640 } 1641 1642 func Test_Extensions3V4(t *testing.T) { 1643 1644 Convey("Given an iptables controller with a memory backend with extensions in policy and log enabled", t, func() { 1645 cfg := &runtime.Configuration{ 1646 TCPTargetNetworks: []string{"0.0.0.0/0"}, 1647 UDPTargetNetworks: []string{"10.0.0.0/8"}, 1648 ExcludedNetworks: []string{"127.0.0.1"}, 1649 } 1650 1651 commitFunc := func(buf *bytes.Buffer) error { 1652 return nil 1653 } 1654 1655 iptv4 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat", 1656 "mangle"}) 1657 So(iptv4, ShouldNotBeNil) 1658 1659 iptv6 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat", 1660 "mangle"}) 1661 So(iptv6, ShouldNotBeNil) 1662 1663 ips := &memoryIPSetProvider{sets: map[string]*memoryIPSet{}} 1664 i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.None) 1665 So(err, ShouldBeNil) 1666 So(i, ShouldNotBeNil) 1667 1668 Convey("When I start the controller, I should get the right global chains and ipsets and proper drop extension should be configured", func() { 1669 ctx, cancel := context.WithCancel(context.Background()) 1670 defer cancel() 1671 err := i.Run(ctx) 1672 i.SetTargetNetworks(cfg) // nolint 1673 So(err, ShouldBeNil) 1674 1675 t := i.iptv4.impl.RetrieveTable() 1676 So(t, ShouldNotBeNil) 1677 So(len(t), ShouldEqual, 2) 1678 So(t["mangle"], ShouldNotBeNil) 1679 So(t["nat"], ShouldNotBeNil) 1680 1681 for chain, rules := range t["mangle"] { 1682 So(expectedGlobalMangleChainsV4, ShouldContainKey, chain) 1683 So(rules, ShouldResemble, expectedGlobalMangleChainsV4[chain]) 1684 } 1685 1686 for chain, rules := range t["nat"] { 1687 So(expectedGlobalNATChainsV4, ShouldContainKey, chain) 1688 So(rules, ShouldResemble, expectedGlobalNATChainsV4[chain]) 1689 } 1690 1691 Convey("When I configure a new set of rules, the ACLs must be correct", func() { 1692 appACLs := policy.IPRuleList{ 1693 policy.IPRule{ 1694 Addresses: []string{"30.0.0.0/24"}, 1695 Ports: []string{"80"}, 1696 Protocols: []string{"TCP"}, 1697 Policy: &policy.FlowPolicy{ 1698 Action: policy.Reject, 1699 ServiceID: "s1", 1700 PolicyID: "1", 1701 }, 1702 }, 1703 policy.IPRule{ 1704 Addresses: []string{"30.0.0.0/24"}, 1705 Ports: []string{"443"}, 1706 Protocols: []string{"UDP"}, 1707 Policy: &policy.FlowPolicy{ 1708 // Log enabled. 1709 Action: policy.Accept | policy.Log, 1710 ServiceID: "s2", 1711 PolicyID: "2", 1712 }, 1713 Extensions: []string{"--match multiport --dports 443 -m bpf --bytecode 20,0 0 0 0,177 0 0 0,12 0 0 0,7 0 0 0,72 0 0 4,53 0 13 29,135 0 0 0,4 0 0 8,7 0 0 0,72 0 0 2,84 0 0 64655,21 0 7 0,72 0 0 4,21 0 5 1,64 0 0 6,21 0 3 0,72 0 0 10,37 1 0 1,6 0 0 0,6 0 0 65535 -j DROP"}, 1714 }, 1715 policy.IPRule{ 1716 Addresses: []string{"50.0.0.0/24"}, 1717 Ports: []string{}, 1718 Protocols: []string{"icmp"}, 1719 Policy: &policy.FlowPolicy{ 1720 Action: policy.Accept, 1721 ServiceID: "s3", 1722 PolicyID: "3", 1723 }, 1724 }, 1725 } 1726 netACLs := policy.IPRuleList{ 1727 policy.IPRule{ 1728 Addresses: []string{"40.0.0.0/24"}, 1729 Ports: []string{"80"}, 1730 Protocols: []string{"TCP"}, 1731 Policy: &policy.FlowPolicy{ 1732 Action: policy.Reject, 1733 ServiceID: "s3", 1734 PolicyID: "1", 1735 }, 1736 }, 1737 policy.IPRule{ 1738 Addresses: []string{"40.0.0.0/24"}, 1739 Ports: []string{"443"}, 1740 Protocols: []string{"UDP"}, 1741 Policy: &policy.FlowPolicy{ 1742 Action: policy.Accept, 1743 ServiceID: "s4", 1744 PolicyID: "2", 1745 }, 1746 }, 1747 } 1748 ipl := policy.ExtendedMap{} 1749 policyrules := policy.NewPUPolicy( 1750 "Context", 1751 "/ns1", 1752 policy.Police, 1753 appACLs, 1754 netACLs, 1755 nil, 1756 nil, 1757 nil, 1758 nil, 1759 nil, 1760 nil, 1761 ipl, 1762 0, 1763 0, 1764 nil, 1765 nil, 1766 []string{}, 1767 policy.EnforcerMapping, 1768 policy.Reject|policy.Log, 1769 policy.Reject|policy.Log, 1770 ) 1771 puInfo := policy.NewPUInfo("Context", 1772 "/ns1", common.LinuxProcessPU) 1773 puInfo.Policy = policyrules 1774 puInfo.Runtime.SetOptions(policy.OptionsType{ 1775 CgroupMark: "10", 1776 }) 1777 1778 udpPortSpec, err := portspec.NewPortSpecFromString("5000", nil) 1779 So(err, ShouldBeNil) 1780 tcpPortSpec, err := portspec.NewPortSpecFromString("9000", nil) 1781 So(err, ShouldBeNil) 1782 1783 puInfo.Runtime.SetServices([]common.Service{ 1784 { 1785 Ports: udpPortSpec, 1786 Protocol: 17, 1787 }, 1788 { 1789 Ports: tcpPortSpec, 1790 Protocol: 6, 1791 }, 1792 }) 1793 1794 var iprules policy.IPRuleList 1795 iprules = append(iprules, puInfo.Policy.ApplicationACLs()...) 1796 iprules = append(iprules, puInfo.Policy.NetworkACLs()...) 1797 i.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules) // nolint 1798 1799 err = i.iptv4.ConfigureRules(0, 1800 "pu1", puInfo) 1801 So(err, ShouldBeNil) 1802 err = i.iptv4.ipsetmanager.AddPortToServerPortSet("pu1", 1803 "8080") 1804 So(err, ShouldBeNil) 1805 t := i.iptv4.impl.RetrieveTable() 1806 1807 for chain, rules := range t["mangle"] { 1808 So(expectedMangleAfterPUInsertWithExtensionsAndLogV4, ShouldContainKey, chain) 1809 So(rules, ShouldResemble, expectedMangleAfterPUInsertWithExtensionsAndLogV4[chain]) 1810 } 1811 1812 for chain, rules := range t["nat"] { 1813 So(expectedNATAfterPUInsertV4, ShouldContainKey, chain) 1814 So(rules, ShouldResemble, expectedNATAfterPUInsertV4[chain]) 1815 } 1816 1817 }) 1818 }) 1819 }) 1820 } 1821 1822 func Test_OperationNomatchIpsetsV4(t *testing.T) { 1823 Convey("Given an iptables controller with a memory backend ", t, func() { 1824 cfg := &runtime.Configuration{ 1825 TCPTargetNetworks: []string{"0.0.0.0/0", 1826 "!10.10.10.0/24", 1827 "!10.0.0.0/8", 1828 "10.10.0.0/16"}, 1829 UDPTargetNetworks: []string{"10.0.0.0/8"}, 1830 ExcludedNetworks: []string{"127.0.0.1"}, 1831 } 1832 1833 commitFunc := func(buf *bytes.Buffer) error { 1834 return nil 1835 } 1836 1837 iptv4 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat", 1838 "mangle"}) 1839 So(iptv4, ShouldNotBeNil) 1840 1841 iptv6 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat", 1842 "mangle"}) 1843 So(iptv6, ShouldNotBeNil) 1844 1845 ips := &memoryIPSetProvider{sets: map[string]*memoryIPSet{}} 1846 i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.None) 1847 So(err, ShouldBeNil) 1848 So(i, ShouldNotBeNil) 1849 1850 Convey("When I start the controller, I should get the right ipsets", func() { 1851 ctx, cancel := context.WithCancel(context.Background()) 1852 defer cancel() 1853 err := i.Run(ctx) 1854 i.SetTargetNetworks(cfg) // nolint 1855 So(err, ShouldBeNil) 1856 1857 So(ips.sets, ShouldContainKey, 1858 "TRI-v4-TargetTCP") 1859 So(ips.sets["TRI-v4-TargetTCP"].set, ShouldContainKey, 1860 "10.0.0.0/8") 1861 So(ips.sets["TRI-v4-TargetTCP"].set["10.0.0.0/8"], ShouldBeTrue) 1862 So(ips.sets["TRI-v4-TargetTCP"].set, ShouldContainKey, 1863 "10.10.0.0/16") 1864 So(ips.sets["TRI-v4-TargetTCP"].set["10.10.0.0/16"], ShouldBeFalse) 1865 So(ips.sets["TRI-v4-TargetTCP"].set, ShouldContainKey, 1866 "0.0.0.0/1") 1867 So(ips.sets["TRI-v4-TargetTCP"].set, ShouldContainKey, 1868 "128.0.0.0/1") 1869 1870 // update target networks 1871 cfgNew := &runtime.Configuration{ 1872 TCPTargetNetworks: []string{"0.0.0.0/0", 1873 "!10.10.0.0/16"}, 1874 UDPTargetNetworks: []string{}, 1875 ExcludedNetworks: []string{"127.0.0.1"}, 1876 } 1877 i.SetTargetNetworks(cfgNew) // nolint 1878 So(err, ShouldBeNil) 1879 1880 So(ips.sets, ShouldContainKey, 1881 "TRI-v4-TargetTCP") 1882 So(ips.sets["TRI-v4-TargetTCP"].set, ShouldNotContainKey, 1883 "10.0.0.0/8") 1884 So(ips.sets["TRI-v4-TargetTCP"].set, ShouldContainKey, 1885 "10.10.0.0/16") 1886 So(ips.sets["TRI-v4-TargetTCP"].set["10.10.0.0/16"], ShouldBeTrue) 1887 So(ips.sets["TRI-v4-TargetTCP"].set, ShouldContainKey, 1888 "0.0.0.0/1") 1889 So(ips.sets["TRI-v4-TargetTCP"].set, ShouldContainKey, 1890 "128.0.0.0/1") 1891 1892 }) 1893 }) 1894 } 1895 1896 func Test_OperationNomatchIpsetsInExternalNetworksV4(t *testing.T) { 1897 Convey("Given an iptables controller with a memory backend ", t, func() { 1898 cfg := &runtime.Configuration{ 1899 TCPTargetNetworks: []string{"0.0.0.0/0", 1900 "!10.10.10.0/24", 1901 "!10.0.0.0/8", 1902 "10.10.0.0/16"}, 1903 UDPTargetNetworks: []string{"10.0.0.0/8"}, 1904 ExcludedNetworks: []string{"127.0.0.1"}, 1905 } 1906 1907 commitFunc := func(buf *bytes.Buffer) error { 1908 return nil 1909 } 1910 1911 iptv4 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat", 1912 "mangle"}) 1913 So(iptv4, ShouldNotBeNil) 1914 1915 iptv6 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat", 1916 "mangle"}) 1917 So(iptv6, ShouldNotBeNil) 1918 1919 ips := &memoryIPSetProvider{sets: map[string]*memoryIPSet{}} 1920 i, err := createTestInstance(ips, iptv4, iptv6, constants.LocalServer, policy.None) 1921 So(err, ShouldBeNil) 1922 So(i, ShouldNotBeNil) 1923 1924 Convey("When I start the controller, I should get the right ipsets", func() { 1925 ctx, cancel := context.WithCancel(context.Background()) 1926 defer cancel() 1927 err := i.Run(ctx) 1928 i.SetTargetNetworks(cfg) // nolint 1929 So(err, ShouldBeNil) 1930 1931 // Setup external networks 1932 appACLs := policy.IPRuleList{ 1933 policy.IPRule{ 1934 Addresses: []string{"10.0.0.0/8", 1935 "!10.0.0.0/16", 1936 "!10.0.2.0/24", 1937 "10.0.2.7"}, 1938 Ports: []string{"80"}, 1939 Protocols: []string{constants.TCPProtoNum}, 1940 Policy: &policy.FlowPolicy{ 1941 Action: policy.Accept | policy.Log, 1942 ServiceID: "a1", 1943 PolicyID: "123a", 1944 }, 1945 }, 1946 } 1947 netACLs := policy.IPRuleList{ 1948 policy.IPRule{ 1949 Addresses: []string{"0.0.0.0/0", 1950 "!10.0.0.0/8", 1951 "10.0.0.0/16", 1952 "!10.0.2.8"}, 1953 Ports: []string{"80"}, 1954 Protocols: []string{constants.TCPProtoNum}, 1955 Policy: &policy.FlowPolicy{ 1956 Action: policy.Accept | policy.Log, 1957 ServiceID: "a2", 1958 PolicyID: "123b", 1959 }, 1960 }, 1961 } 1962 1963 policyRules := policy.NewPUPolicy("Context", 1964 "/ns1", policy.Police, appACLs, netACLs, nil, nil, nil, nil, nil, nil, nil, 20992, 0, nil, nil, []string{}, policy.EnforcerMapping, policy.Reject|policy.Log, policy.Reject|policy.Log) 1965 1966 puInfo := policy.NewPUInfo("Context", 1967 "/ns1", common.HostPU) 1968 puInfo.Policy = policyRules 1969 puInfo.Runtime = policy.NewPURuntimeWithDefaults() 1970 puInfo.Runtime.SetPUType(common.HostPU) 1971 puInfo.Runtime.SetOptions(policy.OptionsType{ 1972 CgroupMark: "10", 1973 }) 1974 1975 // configure rules 1976 var iprules policy.IPRuleList 1977 iprules = append(iprules, puInfo.Policy.ApplicationACLs()...) 1978 iprules = append(iprules, puInfo.Policy.NetworkACLs()...) 1979 err = i.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules) 1980 So(err, ShouldBeNil) 1981 1982 err = i.ConfigureRules(0, 1983 "pu1", puInfo) 1984 So(err, ShouldBeNil) 1985 1986 // Check ipsets 1987 setName := i.iptv4.ipsetmanager.GetACLIPsetsNames(appACLs[0:1])[0] 1988 So(ips.sets[setName].set, ShouldContainKey, 1989 "10.0.0.0/8") 1990 So(ips.sets[setName].set, ShouldContainKey, 1991 "10.0.0.0/16") 1992 So(ips.sets[setName].set, ShouldContainKey, 1993 "10.0.2.0/24") 1994 So(ips.sets[setName].set, ShouldContainKey, 1995 "10.0.2.7") 1996 So(ips.sets[setName].set["10.0.0.0/8"], ShouldBeFalse) 1997 So(ips.sets[setName].set["10.0.0.0/16"], ShouldBeTrue) 1998 So(ips.sets[setName].set["10.0.2.0/24"], ShouldBeTrue) 1999 So(ips.sets[setName].set["10.0.2.7"], ShouldBeFalse) 2000 2001 setName = i.iptv4.ipsetmanager.GetACLIPsetsNames(netACLs[0:1])[0] 2002 So(ips.sets[setName].set, ShouldContainKey, 2003 "0.0.0.0/1") 2004 So(ips.sets[setName].set, ShouldContainKey, 2005 "128.0.0.0/1") 2006 So(ips.sets[setName].set, ShouldContainKey, 2007 "10.0.0.0/8") 2008 So(ips.sets[setName].set, ShouldContainKey, 2009 "10.0.0.0/16") 2010 So(ips.sets[setName].set, ShouldContainKey, 2011 "10.0.2.8") 2012 So(ips.sets[setName].set["0.0.0.0/1"], ShouldBeFalse) 2013 So(ips.sets[setName].set["128.0.0.0/1"], ShouldBeFalse) 2014 So(ips.sets[setName].set["10.0.0.0/8"], ShouldBeTrue) 2015 So(ips.sets[setName].set["10.0.0.0/16"], ShouldBeFalse) 2016 So(ips.sets[setName].set["10.0.2.8"], ShouldBeTrue) 2017 2018 // Reconfigure external networks 2019 appACLs = policy.IPRuleList{ 2020 policy.IPRule{ 2021 Addresses: []string{"10.0.0.0/8", 2022 "!10.0.0.0/16", 2023 "10.0.2.0/24", 2024 "!10.0.2.7"}, 2025 Ports: []string{"80"}, 2026 Protocols: []string{constants.TCPProtoNum}, 2027 Policy: &policy.FlowPolicy{ 2028 Action: policy.Accept | policy.Log, 2029 ServiceID: "a1", 2030 PolicyID: "123a", 2031 }, 2032 }, 2033 } 2034 netACLs = policy.IPRuleList{ 2035 policy.IPRule{ 2036 Addresses: []string{"0.0.0.0/0", 2037 "10.0.0.0/8", 2038 "!10.0.2.0/24"}, 2039 Ports: []string{"80"}, 2040 Protocols: []string{constants.TCPProtoNum}, 2041 Policy: &policy.FlowPolicy{ 2042 Action: policy.Accept | policy.Log, 2043 ServiceID: "a2", 2044 PolicyID: "123b", 2045 }, 2046 }, 2047 } 2048 2049 policyRules = policy.NewPUPolicy("Context", 2050 "/ns1", policy.Police, appACLs, netACLs, nil, nil, nil, nil, nil, nil, nil, 20992, 0, nil, nil, []string{}, policy.EnforcerMapping, policy.Reject|policy.Log, policy.Reject|policy.Log) 2051 2052 puInfoUpdated := policy.NewPUInfo("Context", 2053 "/ns1", common.HostPU) 2054 puInfoUpdated.Policy = policyRules 2055 puInfoUpdated.Runtime = policy.NewPURuntimeWithDefaults() 2056 puInfoUpdated.Runtime.SetPUType(common.HostPU) 2057 puInfoUpdated.Runtime.SetOptions(policy.OptionsType{ 2058 CgroupMark: "10", 2059 }) 2060 2061 // Reconfigure rules 2062 iprules = nil 2063 iprules = append(iprules, puInfoUpdated.Policy.ApplicationACLs()...) 2064 iprules = append(iprules, puInfoUpdated.Policy.NetworkACLs()...) 2065 err = i.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules) 2066 So(err, ShouldBeNil) 2067 2068 err = i.UpdateRules(1, 2069 "pu1", puInfoUpdated, puInfo) 2070 So(err, ShouldBeNil) 2071 2072 i.iptv4.ipsetmanager.DestroyUnusedIPsets() 2073 2074 // Check ipsets again 2075 setName = i.iptv4.ipsetmanager.GetACLIPsetsNames(appACLs[0:1])[0] 2076 So(ips.sets[setName].set, ShouldContainKey, 2077 "10.0.0.0/8") 2078 So(ips.sets[setName].set, ShouldContainKey, 2079 "10.0.0.0/16") 2080 So(ips.sets[setName].set, ShouldContainKey, 2081 "10.0.2.0/24") 2082 So(ips.sets[setName].set, ShouldContainKey, 2083 "10.0.2.7") 2084 So(ips.sets[setName].set["10.0.0.0/8"], ShouldBeFalse) 2085 So(ips.sets[setName].set["10.0.0.0/16"], ShouldBeTrue) 2086 So(ips.sets[setName].set["10.0.2.0/24"], ShouldBeFalse) 2087 So(ips.sets[setName].set["10.0.2.7"], ShouldBeTrue) 2088 2089 setName = i.iptv4.ipsetmanager.GetACLIPsetsNames(netACLs[0:1])[0] 2090 So(ips.sets[setName].set, ShouldContainKey, 2091 "0.0.0.0/1") 2092 So(ips.sets[setName].set, ShouldContainKey, 2093 "128.0.0.0/1") 2094 So(ips.sets[setName].set, ShouldContainKey, 2095 "10.0.0.0/8") 2096 So(ips.sets[setName].set, ShouldContainKey, 2097 "10.0.2.0/24") 2098 So(ips.sets[setName].set, ShouldNotContainKey, 2099 "10.0.2.8") 2100 So(ips.sets[setName].set["0.0.0.0/1"], ShouldBeFalse) 2101 So(ips.sets[setName].set["128.0.0.0/1"], ShouldBeFalse) 2102 So(ips.sets[setName].set["10.0.0.0/8"], ShouldBeFalse) 2103 So(ips.sets[setName].set["10.0.2.0/24"], ShouldBeTrue) 2104 2105 // Configure and check acl cache 2106 aclCache := tacls.NewACLCache() 2107 err = aclCache.AddRuleList(puInfoUpdated.Policy.ApplicationACLs()) 2108 So(err, ShouldBeNil) 2109 2110 defaultFlowPolicy := &policy.FlowPolicy{Action: policy.Reject | policy.Log, PolicyID: "default", ServiceID: "default"} 2111 2112 report, _, err := aclCache.GetMatchingAction(net.ParseIP("10.0.2.7"), 80, packet.IPProtocolTCP, defaultFlowPolicy) 2113 So(err, ShouldNotBeNil) 2114 So(report.Action, ShouldEqual, policy.Reject|policy.Log) 2115 2116 report, _, err = aclCache.GetMatchingAction(net.ParseIP("10.0.2.8"), 80, packet.IPProtocolTCP, defaultFlowPolicy) 2117 So(err, ShouldBeNil) 2118 So(report.Action, ShouldEqual, policy.Accept|policy.Log) 2119 2120 report, _, err = aclCache.GetMatchingAction(net.ParseIP("10.0.3.1"), 80, packet.IPProtocolTCP, defaultFlowPolicy) 2121 So(err, ShouldNotBeNil) 2122 So(report.Action, ShouldEqual, policy.Reject|policy.Log) 2123 2124 report, _, err = aclCache.GetMatchingAction(net.ParseIP("10.1.3.1"), 80, packet.IPProtocolTCP, defaultFlowPolicy) 2125 So(err, ShouldBeNil) 2126 So(report.Action, ShouldEqual, policy.Accept|policy.Log) 2127 2128 report, _, err = aclCache.GetMatchingAction(net.ParseIP("11.1.3.1"), 80, packet.IPProtocolTCP, defaultFlowPolicy) 2129 So(err, ShouldNotBeNil) 2130 So(report.Action, ShouldEqual, policy.Reject|policy.Log) 2131 2132 }) 2133 }) 2134 } 2135 2136 var ( 2137 expectedContainerGlobalMangleChainsV4Istio = map[string][]string{ 2138 "TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef", 2139 "-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass", 2140 "-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass", 2141 "-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass", 2142 "-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"}, 2143 "TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef", 2144 "-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass", 2145 "-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass", 2146 "-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass", 2147 "-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"}, 2148 "INPUT": { 2149 "-m set ! --match-set TRI-v4-Excluded src -j TRI-Net", 2150 }, 2151 "OUTPUT": { 2152 "-j TRI-Istio", 2153 "-m set ! --match-set TRI-v4-Excluded dst -j TRI-App", 2154 }, 2155 "TRI-Istio": {}, 2156 "TRI-App": { 2157 "-m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", 2158 "-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", 2159 "-m connmark --mark 61166 -p udp -j ACCEPT", "-m mark --mark 1073741922 -j ACCEPT", "-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT"}, 2160 "TRI-Net": { 2161 "-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", 2162 "-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", 2163 "-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", 2164 "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p udp -j ACCEPT", "-p tcp --dport 15001 -m addrtype --dst-type LOCAL -m addrtype --src-type LOCAL -j ACCEPT", 2165 }, 2166 2167 "TRI-Prx-App": { 2168 "-m mark --mark 0x40 -j ACCEPT", 2169 }, 2170 "TRI-Prx-Net": { 2171 "-m mark --mark 0x40 -j ACCEPT", 2172 }, 2173 } 2174 2175 expectedContainerGlobalMangleChainsV4 = map[string][]string{ 2176 "TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef", 2177 "-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass", 2178 "-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass", 2179 "-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass", 2180 "-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"}, 2181 "TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef", 2182 "-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass", 2183 "-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass", 2184 "-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass", 2185 "-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"}, 2186 "INPUT": { 2187 "-m set ! --match-set TRI-v4-Excluded src -j TRI-Net", 2188 }, 2189 "OUTPUT": { 2190 "-m set ! --match-set TRI-v4-Excluded dst -j TRI-App", 2191 }, 2192 "TRI-App": { 2193 "-m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", 2194 "-m connmark --mark 61166 -p udp -j ACCEPT", "-m mark --mark 1073741922 -j ACCEPT", 2195 "-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT"}, 2196 "TRI-Net": { 2197 "-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", 2198 "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", 2199 "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", "-m connmark --mark 61166 -p udp -j ACCEPT"}, 2200 "TRI-Prx-App": { 2201 "-m mark --mark 0x40 -j ACCEPT", 2202 }, 2203 "TRI-Prx-Net": { 2204 "-m mark --mark 0x40 -j ACCEPT", 2205 }, 2206 } 2207 2208 expectedContainerGlobalNATChainsV4 = map[string][]string{ 2209 "PREROUTING": { 2210 "-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v4-Excluded src -j TRI-Redir-Net", 2211 }, 2212 "OUTPUT": { 2213 "-m set ! --match-set TRI-v4-Excluded dst -j TRI-Redir-App", 2214 }, 2215 "TRI-Redir-App": { 2216 "-m mark --mark 0x40 -j RETURN", 2217 }, 2218 "TRI-Redir-Net": { 2219 "-m mark --mark 0x40 -j ACCEPT", 2220 }, 2221 } 2222 2223 expectedContainerGlobalNATChainsV4Istio = map[string][]string{ 2224 "PREROUTING": { 2225 "-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v4-Excluded src -j TRI-Redir-Net", 2226 }, 2227 "OUTPUT": { 2228 "-m set ! --match-set TRI-v4-Excluded dst -j TRI-Redir-App", 2229 "-p tcp -m mark --mark 68 -j ACCEPT", 2230 }, 2231 "TRI-Redir-App": { 2232 "-m mark --mark 0x40 -j RETURN", 2233 }, 2234 "TRI-Redir-Net": { 2235 "-m mark --mark 0x40 -j ACCEPT", 2236 }, 2237 } 2238 2239 expectedContainerMangleAfterPUInsertV4 = map[string][]string{ 2240 "TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef", 2241 "-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass", 2242 "-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass", 2243 "-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass", 2244 "-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"}, 2245 "TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef", 2246 "-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass", 2247 "-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass", 2248 "-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass", 2249 "-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"}, 2250 "INPUT": { 2251 "-m set ! --match-set TRI-v4-Excluded src -j TRI-Net", 2252 }, 2253 "OUTPUT": { 2254 "-m set ! --match-set TRI-v4-Excluded dst -j TRI-App", 2255 }, 2256 "TRI-App": { 2257 "-m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", 2258 "-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m connmark --mark 61166 -p udp -j ACCEPT", "-m mark --mark 1073741922 -j ACCEPT", 2259 "-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT", "-m comment --comment Container-specific-chain -j TRI-App-pu1N7uS6--0"}, 2260 "TRI-Net": { 2261 "-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", 2262 "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", 2263 "-m connmark --mark 61166 -p udp -j ACCEPT", "-m comment --comment Container-specific-chain -j TRI-Net-pu1N7uS6--0"}, 2264 "TRI-Prx-App": { 2265 "-m mark --mark 0x40 -j ACCEPT", 2266 "-p tcp -m tcp --sport 0 -j ACCEPT", 2267 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -j ACCEPT", 2268 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -j ACCEPT", 2269 "-p udp -m udp --sport 0 -j ACCEPT", 2270 }, 2271 "TRI-Prx-Net": { 2272 "-m mark --mark 0x40 -j ACCEPT", 2273 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst src,src -j ACCEPT", 2274 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv src -m addrtype --src-type LOCAL -j ACCEPT", 2275 "-p tcp -m tcp --dport 0 -j ACCEPT", 2276 "-p udp -m udp --dport 0 -j ACCEPT", 2277 }, 2278 "TRI-Net-pu1N7uS6--0": { 2279 "-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN", 2280 "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= src -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", 2281 "-p TCP -m set --match-set TRI-v4-ext-w5frVvhsnpU= src -m state --state NEW --match multiport --dports 80 -j DROP", 2282 "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j CONNMARK --set-mark 61167", 2283 "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j ACCEPT", 2284 "-p tcp -m set --match-set TRI-v4-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN", 2285 "-p udp -m set --match-set TRI-v4-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN", 2286 "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", 2287 "-s 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6", 2288 "-s 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10", 2289 "-s 0.0.0.0/0 -j DROP", 2290 }, 2291 "TRI-App-pu1N7uS6--0": { 2292 "-p TCP -m set --match-set TRI-v4-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j CONNMARK --set-mark 61167", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j ACCEPT", "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= dst -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -j TRI-Nfq-OUT", "-p udp -m set --match-set TRI-v4-TargetUDP dst -j TRI-Nfq-OUT", "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", 2293 "-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT", "-d 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6", 2294 "-d 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10", "-d 0.0.0.0/0 -j DROP"}, 2295 } 2296 2297 expectedContainerMangleAfterPUInsertV4Istio = map[string][]string{ 2298 "TRI-Nfq-IN": {"-j HMARK --hmark-tuple dport,sport --hmark-mod 4 --hmark-offset 67 --hmark-rnd 0xdeadbeef", 2299 "-m mark --mark 67 -j NFQUEUE --queue-num 0 --queue-bypass", 2300 "-m mark --mark 68 -j NFQUEUE --queue-num 1 --queue-bypass", 2301 "-m mark --mark 69 -j NFQUEUE --queue-num 2 --queue-bypass", 2302 "-m mark --mark 70 -j NFQUEUE --queue-num 3 --queue-bypass"}, 2303 "TRI-Nfq-OUT": {"-j HMARK --hmark-tuple sport,dport --hmark-mod 4 --hmark-offset 0 --hmark-rnd 0xdeadbeef", 2304 "-m mark --mark 0 -j NFQUEUE --queue-num 0 --queue-bypass", 2305 "-m mark --mark 1 -j NFQUEUE --queue-num 1 --queue-bypass", 2306 "-m mark --mark 2 -j NFQUEUE --queue-num 2 --queue-bypass", 2307 "-m mark --mark 3 -j NFQUEUE --queue-num 3 --queue-bypass"}, 2308 "INPUT": { 2309 "-m set ! --match-set TRI-v4-Excluded src -j TRI-Net", 2310 }, 2311 "OUTPUT": { 2312 "-j TRI-Istio", 2313 "-m set ! --match-set TRI-v4-Excluded dst -j TRI-App", 2314 }, 2315 "TRI-Istio": { 2316 "-p tcp -m owner ! --uid-owner 1337 -j ACCEPT", 2317 "-p tcp -m owner --uid-owner 1337 -m addrtype --dst-type LOCAL -m addrtype --src-type LOCAL -j CONNMARK --set-mark 61167", 2318 "-p tcp -m owner --uid-owner 1337 -m addrtype --dst-type LOCAL -j ACCEPT", 2319 }, 2320 "TRI-App": { 2321 "-m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup 1536 -j CONNMARK --set-mark 61167", "-p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark 61167", "-j TRI-Prx-App", "-m connmark --mark 61167 -j ACCEPT", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", 2322 "-m connmark --mark 61166 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m connmark --mark 61166 -p udp -j ACCEPT", "-m mark --mark 1073741922 -j ACCEPT", 2323 "-p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-OUT", "-m comment --comment Container-specific-chain -j TRI-App-pu1N7uS6--0"}, 2324 "TRI-Net": { 2325 "-j TRI-Prx-Net", "-p tcp -m mark --mark 66 -j CONNMARK --set-mark 61167", "-p tcp -m mark --mark 66 -j ACCEPT", "-m connmark --mark 61167 -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j TRI-Nfq-IN", 2326 "-p udp -m string --string n30njxq7bmiwr6dtxq --algo bm --to 65535 -j TRI-Nfq-IN", "-p udp -m connmark --mark 61165 -m comment --comment Drop UDP ACL -j DROP", 2327 "-m connmark --mark 61166 -p udp -j ACCEPT", "-p tcp --dport 15001 -m addrtype --dst-type LOCAL -m addrtype --src-type LOCAL -j ACCEPT", "-m comment --comment Container-specific-chain -j TRI-Net-pu1N7uS6--0"}, 2328 "TRI-Prx-App": { 2329 "-m mark --mark 0x40 -j ACCEPT", 2330 "-p udp -m udp --sport 0 -j ACCEPT", 2331 }, 2332 "TRI-Prx-Net": { 2333 "-m mark --mark 0x40 -j ACCEPT", 2334 "-p udp -m udp --dport 0 -j ACCEPT", 2335 }, 2336 "TRI-Net-pu1N7uS6--0": { 2337 "-p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j TRI-Nfq-IN", 2338 "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= src -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", 2339 "-p TCP -m set --match-set TRI-v4-ext-w5frVvhsnpU= src -m state --state NEW --match multiport --dports 80 -j DROP", 2340 "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j CONNMARK --set-mark 61167", 2341 "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= src -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 --match multiport --dports 443 -j ACCEPT", 2342 "-p tcp -m set --match-set TRI-v4-TargetTCP src -m tcp --tcp-flags SYN NONE -j TRI-Nfq-IN", 2343 "-p udp -m set --match-set TRI-v4-TargetUDP src --match limit --limit 1000/s -j TRI-Nfq-IN", 2344 "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", 2345 "-s 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:6", 2346 "-s 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 913787369:default:default:10", 2347 "-s 0.0.0.0/0 -j DROP", 2348 }, 2349 "TRI-App-pu1N7uS6--0": { 2350 "-p TCP -m set --match-set TRI-v4-ext-uNdc0vdcFZA= dst -m state --state NEW --match multiport --dports 80 -j DROP", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j CONNMARK --set-mark 61167", "-p UDP -m set --match-set TRI-v4-ext-6zlJIvP3B68= dst -m string ! --string n30njxq7bmiwr6dtxq --algo bm --to 128 -m set ! --match-set TRI-v4-TargetUDP dst --match multiport --dports 443 -j ACCEPT", "-p UDP -m set --match-set TRI-v4-ext-IuSLsD1R-mE= dst -m state --state ESTABLISHED -m connmark --mark 61167 -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT", "-m set --match-set TRI-v4-TargetTCP dst -p tcp -j TRI-Nfq-OUT", "-p udp -m set --match-set TRI-v4-TargetUDP dst -j TRI-Nfq-OUT", "-p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT", 2351 "-p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT", "-d 0.0.0.0/0 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:6", 2352 "-d 0.0.0.0/0 -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 913787369:default:default:10", "-d 0.0.0.0/0 -j DROP"}, 2353 } 2354 expectedContainerNATAfterPUInsertV4 = map[string][]string{ 2355 "PREROUTING": { 2356 "-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v4-Excluded src -j TRI-Redir-Net", 2357 }, 2358 "OUTPUT": { 2359 "-m set ! --match-set TRI-v4-Excluded dst -j TRI-Redir-App", 2360 }, 2361 "TRI-Redir-App": { 2362 "-m mark --mark 0x40 -j RETURN", 2363 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-dst dst,dst -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j REDIRECT --to-ports 0", 2364 "-d 0.0.0.0/0 -p udp --dport 53 -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j CONNMARK --save-mark", 2365 "-d 0.0.0.0/0 -p udp --dport 53 -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j REDIRECT --to-ports 0", 2366 }, 2367 "TRI-Redir-Net": { 2368 "-m mark --mark 0x40 -j ACCEPT", 2369 "-p tcp -m set --match-set TRI-v4-Proxy-pu19gtV-srv dst -m mark ! --mark 0x40 -j REDIRECT --to-ports 0", 2370 }, 2371 } 2372 expectedContainerNATAfterPUInsertV4Istio = map[string][]string{ 2373 "PREROUTING": { 2374 "-p tcp -m addrtype --dst-type LOCAL -m set ! --match-set TRI-v4-Excluded src -j TRI-Redir-Net", 2375 }, 2376 "OUTPUT": { 2377 "-m set ! --match-set TRI-v4-Excluded dst -j TRI-Redir-App", 2378 "-p tcp -m mark --mark 68 -j ACCEPT", 2379 }, 2380 "TRI-Redir-App": { 2381 "-m mark --mark 0x40 -j RETURN", 2382 "-d 0.0.0.0/0 -p udp --dport 53 -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j CONNMARK --save-mark", 2383 "-d 0.0.0.0/0 -p udp --dport 53 -m mark ! --mark 0x40 -m cgroup --cgroup 10 -j REDIRECT --to-ports 0", 2384 }, 2385 "TRI-Redir-Net": { 2386 "-m mark --mark 0x40 -j ACCEPT", 2387 }, 2388 } 2389 ) 2390 2391 func Test_OperationWithContainersV4(t *testing.T) { 2392 Convey("Given an iptables controller with a memory backend for containers ", t, func() { 2393 cfg := &runtime.Configuration{ 2394 TCPTargetNetworks: []string{"0.0.0.0/0"}, 2395 UDPTargetNetworks: []string{"10.0.0.0/8"}, 2396 ExcludedNetworks: []string{"127.0.0.1"}, 2397 } 2398 2399 commitFunc := func(buf *bytes.Buffer) error { 2400 return nil 2401 } 2402 2403 iptv4 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat", 2404 "mangle"}) 2405 So(iptv4, ShouldNotBeNil) 2406 2407 iptv6 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat", 2408 "mangle"}) 2409 So(iptv6, ShouldNotBeNil) 2410 2411 ips := &memoryIPSetProvider{sets: map[string]*memoryIPSet{}} 2412 i, err := createTestInstance(ips, iptv4, iptv6, constants.RemoteContainer, policy.None) 2413 So(err, ShouldBeNil) 2414 So(i, ShouldNotBeNil) 2415 2416 Convey("When I start the controller, I should get the right global chains and sets", func() { 2417 ctx, cancel := context.WithCancel(context.Background()) 2418 defer cancel() 2419 err := i.Run(ctx) 2420 i.SetTargetNetworks(cfg) // nolint 2421 So(err, ShouldBeNil) 2422 2423 t := i.iptv4.impl.RetrieveTable() 2424 So(t, ShouldNotBeNil) 2425 So(len(t), ShouldEqual, 2) 2426 So(t["mangle"], ShouldNotBeNil) 2427 So(t["nat"], ShouldNotBeNil) 2428 2429 for chain, rules := range t["mangle"] { 2430 So(expectedContainerGlobalMangleChainsV4, ShouldContainKey, chain) 2431 So(rules, ShouldResemble, expectedContainerGlobalMangleChainsV4[chain]) 2432 } 2433 2434 for chain, rules := range t["nat"] { 2435 So(expectedContainerGlobalNATChainsV4, ShouldContainKey, chain) 2436 So(rules, ShouldResemble, expectedContainerGlobalNATChainsV4[chain]) 2437 } 2438 2439 Convey("When I configure a new set of rules, the ACLs must be correct", func() { 2440 appACLs := policy.IPRuleList{ 2441 policy.IPRule{ 2442 Addresses: []string{"30.0.0.0/24"}, 2443 Ports: []string{"80"}, 2444 Protocols: []string{"TCP"}, 2445 Policy: &policy.FlowPolicy{ 2446 Action: policy.Reject, 2447 ServiceID: "s1", 2448 PolicyID: "1", 2449 }, 2450 }, 2451 policy.IPRule{ 2452 Addresses: []string{"30.0.0.0/24"}, 2453 Ports: []string{"443"}, 2454 Protocols: []string{"UDP"}, 2455 Policy: &policy.FlowPolicy{ 2456 Action: policy.Accept, 2457 ServiceID: "s2", 2458 PolicyID: "2", 2459 }, 2460 }, 2461 } 2462 netACLs := policy.IPRuleList{ 2463 policy.IPRule{ 2464 Addresses: []string{"40.0.0.0/24"}, 2465 Ports: []string{"80"}, 2466 Protocols: []string{"TCP"}, 2467 Policy: &policy.FlowPolicy{ 2468 Action: policy.Reject, 2469 ServiceID: "s3", 2470 PolicyID: "1", 2471 }, 2472 }, 2473 policy.IPRule{ 2474 Addresses: []string{"40.0.0.0/24"}, 2475 Ports: []string{"443"}, 2476 Protocols: []string{"UDP"}, 2477 Policy: &policy.FlowPolicy{ 2478 Action: policy.Accept, 2479 ServiceID: "s4", 2480 PolicyID: "2", 2481 }, 2482 }, 2483 } 2484 ipl := policy.ExtendedMap{} 2485 policyrules := policy.NewPUPolicy( 2486 "Context", 2487 "/ns1", 2488 policy.Police, 2489 appACLs, 2490 netACLs, 2491 nil, 2492 nil, 2493 nil, 2494 nil, 2495 nil, 2496 nil, 2497 ipl, 2498 0, 2499 0, 2500 nil, 2501 nil, 2502 []string{}, 2503 policy.EnforcerMapping, 2504 policy.Reject|policy.Log, 2505 policy.Reject|policy.Log, 2506 ) 2507 puInfo := policy.NewPUInfo("Context", 2508 "/ns1", common.ContainerPU) 2509 puInfo.Policy = policyrules 2510 puInfo.Runtime.SetOptions(policy.OptionsType{ 2511 CgroupMark: "10", 2512 }) 2513 2514 var iprules policy.IPRuleList 2515 iprules = append(iprules, puInfo.Policy.ApplicationACLs()...) 2516 iprules = append(iprules, puInfo.Policy.NetworkACLs()...) 2517 i.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules) // nolint 2518 2519 err := i.iptv4.ConfigureRules(0, 2520 "pu1", puInfo) 2521 So(err, ShouldBeNil) 2522 t := i.iptv4.impl.RetrieveTable() 2523 2524 for chain, rules := range t["mangle"] { 2525 So(expectedContainerMangleAfterPUInsertV4, ShouldContainKey, chain) 2526 So(rules, ShouldResemble, expectedContainerMangleAfterPUInsertV4[chain]) 2527 } 2528 2529 for chain, rules := range t["nat"] { 2530 So(expectedContainerNATAfterPUInsertV4, ShouldContainKey, chain) 2531 So(rules, ShouldResemble, expectedContainerNATAfterPUInsertV4[chain]) 2532 } 2533 2534 Convey("When I delete the same rule, the chains must be restored in the global state", func() { 2535 err := i.iptv4.DeleteRules(0, 2536 "pu1", 2537 "0", 2538 "0", 2539 "10", 2540 "", puInfo) 2541 So(err, ShouldBeNil) 2542 2543 t := i.iptv4.impl.RetrieveTable() 2544 if err != nil { 2545 printTable(t) 2546 } 2547 2548 So(t["mangle"], ShouldNotBeNil) 2549 So(t["nat"], ShouldNotBeNil) 2550 2551 for chain, rules := range t["mangle"] { 2552 So(expectedContainerGlobalMangleChainsV4, ShouldContainKey, chain) 2553 So(rules, ShouldResemble, expectedContainerGlobalMangleChainsV4[chain]) 2554 } 2555 2556 for chain, rules := range t["nat"] { 2557 So(expectedContainerGlobalNATChainsV4, ShouldContainKey, chain) 2558 So(rules, ShouldResemble, expectedContainerGlobalNATChainsV4[chain]) 2559 } 2560 }) 2561 2562 }) 2563 }) 2564 }) 2565 } 2566 2567 func Test_OperationWithContainersV4Istio(t *testing.T) { 2568 Convey("Given an iptables controller with a memory backend for containers ", t, func() { 2569 cfg := &runtime.Configuration{ 2570 TCPTargetNetworks: []string{"0.0.0.0/0"}, 2571 UDPTargetNetworks: []string{"10.0.0.0/8"}, 2572 ExcludedNetworks: []string{"127.0.0.1"}, 2573 } 2574 2575 commitFunc := func(buf *bytes.Buffer) error { 2576 return nil 2577 } 2578 2579 iptv4 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat", 2580 "mangle"}) 2581 So(iptv4, ShouldNotBeNil) 2582 2583 iptv6 := provider.NewCustomBatchProvider(&baseIpt{}, commitFunc, []string{"nat", 2584 "mangle"}) 2585 So(iptv6, ShouldNotBeNil) 2586 2587 ips := &memoryIPSetProvider{sets: map[string]*memoryIPSet{}} 2588 i, err := createTestInstance(ips, iptv4, iptv6, constants.RemoteContainer, policy.Istio) 2589 So(err, ShouldBeNil) 2590 So(i, ShouldNotBeNil) 2591 2592 Convey("When I start the controller, I should get the right global chains and sets of Istio", func() { 2593 ctx, cancel := context.WithCancel(context.Background()) 2594 defer cancel() 2595 err := i.Run(ctx) 2596 i.SetTargetNetworks(cfg) // nolint 2597 So(err, ShouldBeNil) 2598 2599 t := i.iptv4.impl.RetrieveTable() 2600 So(t, ShouldNotBeNil) 2601 So(len(t), ShouldEqual, 2) 2602 So(t["mangle"], ShouldNotBeNil) 2603 So(t["nat"], ShouldNotBeNil) 2604 2605 for chain, rules := range t["mangle"] { 2606 So(expectedContainerGlobalMangleChainsV4Istio, ShouldContainKey, chain) 2607 So(rules, ShouldResemble, expectedContainerGlobalMangleChainsV4Istio[chain]) 2608 } 2609 2610 for chain, rules := range t["nat"] { 2611 So(expectedContainerGlobalNATChainsV4Istio, ShouldContainKey, chain) 2612 So(rules, ShouldResemble, expectedContainerGlobalNATChainsV4Istio[chain]) 2613 } 2614 2615 Convey("When I configure a new set of rules, the ACLs must be correct", func() { 2616 appACLs := policy.IPRuleList{ 2617 policy.IPRule{ 2618 Addresses: []string{"30.0.0.0/24"}, 2619 Ports: []string{"80"}, 2620 Protocols: []string{"TCP"}, 2621 Policy: &policy.FlowPolicy{ 2622 Action: policy.Reject, 2623 ServiceID: "s1", 2624 PolicyID: "1", 2625 }, 2626 }, 2627 policy.IPRule{ 2628 Addresses: []string{"30.0.0.0/24"}, 2629 Ports: []string{"443"}, 2630 Protocols: []string{"UDP"}, 2631 Policy: &policy.FlowPolicy{ 2632 Action: policy.Accept, 2633 ServiceID: "s2", 2634 PolicyID: "2", 2635 }, 2636 }, 2637 } 2638 netACLs := policy.IPRuleList{ 2639 policy.IPRule{ 2640 Addresses: []string{"40.0.0.0/24"}, 2641 Ports: []string{"80"}, 2642 Protocols: []string{"TCP"}, 2643 Policy: &policy.FlowPolicy{ 2644 Action: policy.Reject, 2645 ServiceID: "s3", 2646 PolicyID: "1", 2647 }, 2648 }, 2649 policy.IPRule{ 2650 Addresses: []string{"40.0.0.0/24"}, 2651 Ports: []string{"443"}, 2652 Protocols: []string{"UDP"}, 2653 Policy: &policy.FlowPolicy{ 2654 Action: policy.Accept, 2655 ServiceID: "s4", 2656 PolicyID: "2", 2657 }, 2658 }, 2659 } 2660 ipl := policy.ExtendedMap{} 2661 policyrules := policy.NewPUPolicy( 2662 "Context", 2663 "/ns1", 2664 policy.Police, 2665 appACLs, 2666 netACLs, 2667 nil, 2668 nil, 2669 nil, 2670 nil, 2671 nil, 2672 nil, 2673 ipl, 2674 0, 2675 0, 2676 nil, 2677 nil, 2678 []string{}, 2679 policy.EnforcerMapping, 2680 policy.Reject|policy.Log, 2681 policy.Reject|policy.Log, 2682 ) 2683 puInfo := policy.NewPUInfo("Context", 2684 "/ns1", common.ContainerPU) 2685 puInfo.Policy = policyrules 2686 puInfo.Runtime.SetOptions(policy.OptionsType{ 2687 CgroupMark: "10", 2688 }) 2689 2690 var iprules policy.IPRuleList 2691 iprules = append(iprules, puInfo.Policy.ApplicationACLs()...) 2692 iprules = append(iprules, puInfo.Policy.NetworkACLs()...) 2693 i.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules) // nolint 2694 2695 err := i.iptv4.ConfigureRules(0, 2696 "pu1", puInfo) 2697 So(err, ShouldBeNil) 2698 t := i.iptv4.impl.RetrieveTable() 2699 2700 for chain, rules := range t["mangle"] { 2701 So(expectedContainerMangleAfterPUInsertV4Istio, ShouldContainKey, chain) 2702 So(rules, ShouldResemble, expectedContainerMangleAfterPUInsertV4Istio[chain]) 2703 } 2704 2705 for chain, rules := range t["nat"] { 2706 So(expectedContainerNATAfterPUInsertV4Istio, ShouldContainKey, chain) 2707 So(rules, ShouldResemble, expectedContainerNATAfterPUInsertV4Istio[chain]) 2708 } 2709 2710 Convey("When I delete the same rule, the chains must be restored in the global state of Istio", func() { 2711 err := i.iptv4.DeleteRules(0, 2712 "pu1", 2713 "0", 2714 "0", 2715 "10", 2716 "", puInfo) 2717 So(err, ShouldBeNil) 2718 2719 t := i.iptv4.impl.RetrieveTable() 2720 if err != nil { 2721 printTable(t) 2722 } 2723 2724 So(t["mangle"], ShouldNotBeNil) 2725 So(t["nat"], ShouldNotBeNil) 2726 2727 for chain, rules := range t["mangle"] { 2728 So(expectedContainerGlobalMangleChainsV4Istio, ShouldContainKey, chain) 2729 So(rules, ShouldResemble, expectedContainerGlobalMangleChainsV4Istio[chain]) 2730 } 2731 2732 for chain, rules := range t["nat"] { 2733 So(expectedContainerGlobalNATChainsV4Istio, ShouldContainKey, chain) 2734 So(rules, ShouldResemble, expectedContainerGlobalNATChainsV4Istio[chain]) 2735 } 2736 }) 2737 2738 }) 2739 }) 2740 }) 2741 } 2742 2743 func TestImplDefaultLock(t *testing.T) { 2744 instance, err := NewInstance(nil, constants.LocalServer, true, nil, 2745 "", policy.None) 2746 assert.Equal(t, instance != nil, true, 2747 "instance should not be nil") 2748 assert.Equal(t, err == nil, true, 2749 "err should be nil") 2750 } 2751 2752 func TestImplWithLock(t *testing.T) { 2753 instance, err := NewInstance(nil, constants.LocalServer, true, nil, 2754 "/tmp/xtables.lock", policy.None) 2755 assert.Equal(t, instance != nil, true, 2756 "instance should not be nil") 2757 assert.Equal(t, err == nil, true, 2758 "err should be nil") 2759 assert.Equal(t, os.Getenv("XT_LOCK_NAME") == "/tmp/xtables.lock", true, 2760 "err env var XT_LOCK_NAME is not set") 2761 } 2762 2763 func printTable(t map[string]map[string][]string) { 2764 fmt.Printf("\n") 2765 for table, chains := range t { 2766 fmt.Println(table) 2767 for chain, rules := range chains { 2768 fmt.Println(chain) 2769 for _, rule := range rules { 2770 fmt.Println(rule) 2771 } 2772 } 2773 } 2774 }