github.com/containerd/nerdctl/v2@v2.0.0-beta.5.0.20240520001846-b5758f54fa28/pkg/testutil/iptables/iptables.go (about)

     1  /*
     2     Copyright The containerd Authors.
     3  
     4     Licensed under the Apache License, Version 2.0 (the "License");
     5     you may not use this file except in compliance with the License.
     6     You may obtain a copy of the License at
     7  
     8         http://www.apache.org/licenses/LICENSE-2.0
     9  
    10     Unless required by applicable law or agreed to in writing, software
    11     distributed under the License is distributed on an "AS IS" BASIS,
    12     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13     See the License for the specific language governing permissions and
    14     limitations under the License.
    15  */
    16  
    17  package iptables
    18  
    19  import (
    20  	"fmt"
    21  	"regexp"
    22  	"testing"
    23  
    24  	"github.com/coreos/go-iptables/iptables"
    25  )
    26  
    27  // ForwardExists check that at least 2 rules are present in the CNI-HOSTPORT-DNAT chain
    28  // and checks for regex matches in the list of rules
    29  func ForwardExists(t *testing.T, ipt *iptables.IPTables, chain, containerIP string, port int) bool {
    30  	rules, err := ipt.List("nat", chain)
    31  	if err != nil {
    32  		t.Logf("error listing rules in chain: %q\n", err)
    33  		return false
    34  	}
    35  
    36  	if len(rules) < 1 {
    37  		t.Logf("not enough rules: %d", len(rules))
    38  		return false
    39  	}
    40  
    41  	// here we check if at least one of the rules in the chain
    42  	// matches the required string to identify that the rule was applied
    43  	found := false
    44  	matchRule := `--dport ` + fmt.Sprintf("%d", port) + ` .+ --to-destination ` + containerIP
    45  	for _, rule := range rules {
    46  		foundInRule, err := regexp.MatchString(matchRule, rule)
    47  		if err != nil {
    48  			t.Logf("error in match string: %q\n", err)
    49  			return false
    50  		}
    51  		if foundInRule {
    52  			found = foundInRule
    53  		}
    54  	}
    55  	return found
    56  }
    57  
    58  // GetRedirectedChain returns the chain where the traffic is being redirected.
    59  // This is how libcni manage its port maps.
    60  // Suppose you have the following rule:
    61  // -A CNI-HOSTPORT-DNAT -p tcp -m comment --comment "dnat name: \"bridge\" id: \"default-YYYYYY\"" -m multiport --dports 9999 -j CNI-DN-XXXXXX
    62  // So the chain where the traffic is redirected is CNI-DN-XXXXXX
    63  // Returns an empty string in case nothing was found.
    64  func GetRedirectedChain(t *testing.T, ipt *iptables.IPTables, chain, namespace, containerID string) string {
    65  	rules, err := ipt.List("nat", chain)
    66  	if err != nil {
    67  		t.Logf("error listing rules in chain: %q\n", err)
    68  		return ""
    69  	}
    70  
    71  	if len(rules) < 1 {
    72  		t.Logf("not enough rules: %d", len(rules))
    73  		return ""
    74  	}
    75  
    76  	var redirectedChain string
    77  	re := regexp.MustCompile(`-j\s+([^ ]+)`)
    78  	for _, rule := range rules {
    79  		// first we verify the comment section is present: "dnat name: \"bridge\" id: \"default-YYYYYY\""
    80  		matchesContainer, err := regexp.MatchString(namespace+"-"+containerID, rule)
    81  		if err != nil {
    82  			t.Logf("error in match string: %q\n", err)
    83  			return ""
    84  		}
    85  		if matchesContainer {
    86  			// then we find the appropriate chain in the rule
    87  			matches := re.FindStringSubmatch(rule)
    88  			fmt.Println(matches)
    89  			if len(matches) >= 2 {
    90  				redirectedChain = matches[1]
    91  			}
    92  		}
    93  	}
    94  	if redirectedChain == "" {
    95  		t.Logf("no redirectced chain found")
    96  		return ""
    97  	}
    98  	return redirectedChain
    99  }