github.com/containerd/nerdctl/v2@v2.0.0-beta.5.0.20240520001846-b5758f54fa28/pkg/testutil/iptables/iptables.go (about) 1 /* 2 Copyright The containerd Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package iptables 18 19 import ( 20 "fmt" 21 "regexp" 22 "testing" 23 24 "github.com/coreos/go-iptables/iptables" 25 ) 26 27 // ForwardExists check that at least 2 rules are present in the CNI-HOSTPORT-DNAT chain 28 // and checks for regex matches in the list of rules 29 func ForwardExists(t *testing.T, ipt *iptables.IPTables, chain, containerIP string, port int) bool { 30 rules, err := ipt.List("nat", chain) 31 if err != nil { 32 t.Logf("error listing rules in chain: %q\n", err) 33 return false 34 } 35 36 if len(rules) < 1 { 37 t.Logf("not enough rules: %d", len(rules)) 38 return false 39 } 40 41 // here we check if at least one of the rules in the chain 42 // matches the required string to identify that the rule was applied 43 found := false 44 matchRule := `--dport ` + fmt.Sprintf("%d", port) + ` .+ --to-destination ` + containerIP 45 for _, rule := range rules { 46 foundInRule, err := regexp.MatchString(matchRule, rule) 47 if err != nil { 48 t.Logf("error in match string: %q\n", err) 49 return false 50 } 51 if foundInRule { 52 found = foundInRule 53 } 54 } 55 return found 56 } 57 58 // GetRedirectedChain returns the chain where the traffic is being redirected. 59 // This is how libcni manage its port maps. 60 // Suppose you have the following rule: 61 // -A CNI-HOSTPORT-DNAT -p tcp -m comment --comment "dnat name: \"bridge\" id: \"default-YYYYYY\"" -m multiport --dports 9999 -j CNI-DN-XXXXXX 62 // So the chain where the traffic is redirected is CNI-DN-XXXXXX 63 // Returns an empty string in case nothing was found. 64 func GetRedirectedChain(t *testing.T, ipt *iptables.IPTables, chain, namespace, containerID string) string { 65 rules, err := ipt.List("nat", chain) 66 if err != nil { 67 t.Logf("error listing rules in chain: %q\n", err) 68 return "" 69 } 70 71 if len(rules) < 1 { 72 t.Logf("not enough rules: %d", len(rules)) 73 return "" 74 } 75 76 var redirectedChain string 77 re := regexp.MustCompile(`-j\s+([^ ]+)`) 78 for _, rule := range rules { 79 // first we verify the comment section is present: "dnat name: \"bridge\" id: \"default-YYYYYY\"" 80 matchesContainer, err := regexp.MatchString(namespace+"-"+containerID, rule) 81 if err != nil { 82 t.Logf("error in match string: %q\n", err) 83 return "" 84 } 85 if matchesContainer { 86 // then we find the appropriate chain in the rule 87 matches := re.FindStringSubmatch(rule) 88 fmt.Println(matches) 89 if len(matches) >= 2 { 90 redirectedChain = matches[1] 91 } 92 } 93 } 94 if redirectedChain == "" { 95 t.Logf("no redirectced chain found") 96 return "" 97 } 98 return redirectedChain 99 }