
     1  package libnetwork
     2  
     3  import (
     4  	"fmt"
     5  	"strings"
     6  	"testing"
     7  
     8  	"github.com/docker/docker/libnetwork/iptables"
     9  	"github.com/docker/docker/libnetwork/netlabel"
    10  	"github.com/docker/docker/libnetwork/options"
    11  	"gotest.tools/v3/assert"
    12  )
    13  
const (
	// fwdChainName is the built-in chain that arrangeUserFilterRule hooks
	// the user chain into; the tests list and flush it directly.
	fwdChainName = "FORWARD"
	// usrChainName mirrors the package-level userChain constant; the
	// expectations below show it resolving to "DOCKER-USER".
	usrChainName = userChain
)
    18  
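// TestUserChain verifies how arrangeUserFilterRule wires the DOCKER-USER
// chain into FORWARD depending on the bridge driver's "EnableIPTables"
// setting:
//
//   - iptables disabled: FORWARD is left untouched and DOCKER-USER is not created;
//   - iptables enabled: DOCKER-USER is created with a single RETURN rule and the
//     jump to it is placed ahead of any rule already present in FORWARD (the
//     third case pre-loads a DROP rule to pin that ordering).
//
// The test needs root and a working iptables binary. FORWARD is flushed and
// DOCKER-USER removed before the first case and after every case.
func TestUserChain(t *testing.T) {
	iptable := iptables.GetIptable(iptables.IPv4)

	nc, err := New()
	assert.NilError(t, err)
	// Stop the controller once all sub-tests have run instead of leaking it.
	defer nc.Stop()

	tests := []struct {
		iptables  bool
		insert    bool // pre-load FORWARD with a DROP rule before arranging
		fwdChain  []string
		userChain []string
	}{
		{
			iptables: false,
			insert:   false,
			fwdChain: []string{"-P FORWARD ACCEPT"},
		},
		{
			iptables:  true,
			insert:    false,
			fwdChain:  []string{"-P FORWARD ACCEPT", "-A FORWARD -j DOCKER-USER"},
			userChain: []string{"-N DOCKER-USER", "-A DOCKER-USER -j RETURN"},
		},
		{
			iptables:  true,
			insert:    true,
			fwdChain:  []string{"-P FORWARD ACCEPT", "-A FORWARD -j DOCKER-USER", "-A FORWARD -j DROP"},
			userChain: []string{"-N DOCKER-USER", "-A DOCKER-USER -j RETURN"},
		},
	}

	resetIptables(t)
	for _, tc := range tests {
		tc := tc // pre-Go 1.22: give each closure its own copy
		t.Run(fmt.Sprintf("iptables=%v,insert=%v", tc.iptables, tc.insert), func(t *testing.T) {
			c := nc.(*controller)
			c.cfg.Daemon.DriverCfg["bridge"] = map[string]interface{}{
				netlabel.GenericData: options.Generic{
					"EnableIPTables": tc.iptables,
				},
			}

			// Initial condition: FORWARD holds only its policy and DOCKER-USER does not exist.
			assert.DeepEqual(t, getRules(t, fwdChainName), []string{"-P FORWARD ACCEPT"})

			if tc.insert {
				// Append a DROP so the expectation can check that the
				// DOCKER-USER jump lands in front of it, not behind it.
				_, err := iptable.Raw("-A", fwdChainName, "-j", "DROP")
				assert.NilError(t, err)
			}
			arrangeUserFilterRule()

			assert.DeepEqual(t, getRules(t, fwdChainName), tc.fwdChain)
			if tc.userChain != nil {
				assert.DeepEqual(t, getRules(t, usrChainName), tc.userChain)
			} else {
				// Listing a chain that does not exist fails; that failure is the expected outcome here.
				_, err := iptable.Raw("-S", usrChainName)
				assert.Assert(t, err != nil, "chain %v: created unexpectedly", usrChainName)
			}
		})
		resetIptables(t)
	}
}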
    81  
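// getRules lists the rules of chain via `iptables -S chain` and returns
// them one per element, without the trailing empty line produced by the
// final newline.
//
// The test is failed if iptables cannot list the chain (for example because
// it does not exist).
func getRules(t *testing.T, chain string) []string {
	t.Helper()
	iptable := iptables.GetIptable(iptables.IPv4)

	output, err := iptable.Raw("-S", chain)
	assert.NilError(t, err, "chain %s: failed to get rules", chain)

	// Strip only the final line terminator rather than unconditionally
	// dropping the last element: the latter silently loses a real rule
	// whenever the output is not newline-terminated.
	text := strings.TrimSuffix(string(output), "\n")
	if text == "" {
		return []string{}
	}
	return strings.Split(text, "\n")
}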
    95  
// resetIptables flushes the FORWARD chain and removes DOCKER-USER so that
// every test case starts from the same baseline.
func resetIptables(t *testing.T) {
	t.Helper()
	ipt := iptables.GetIptable(iptables.IPv4)

	// Flush FORWARD first so the jump into DOCKER-USER is gone before the
	// chain itself is removed.
	_, flushErr := ipt.Raw("-F", fwdChainName)
	assert.NilError(t, flushErr)

	// The chain does not exist before the first case, so a failed removal
	// is deliberately ignored.
	_ = ipt.RemoveExistingChain(usrChainName, "")
}