package libnetwork

import (
	"fmt"
	"strings"
	"testing"

	"github.com/docker/docker/libnetwork/iptables"
	"github.com/docker/docker/libnetwork/netlabel"
	"github.com/docker/docker/libnetwork/options"
	"gotest.tools/v3/assert"
)

const (
	fwdChainName = "FORWARD"
	usrChainName = userChain
)

// TestUserChain checks that arrangeUserFilterRule wires the DOCKER-USER chain
// into the IPv4 filter FORWARD chain only when the bridge driver has iptables
// enabled, and that the jump to DOCKER-USER is placed ahead of a rule that was
// already present in FORWARD.
func TestUserChain(t *testing.T) {
	ipt := iptables.GetIptable(iptables.IPv4)

	nc, err := New()
	assert.NilError(t, err)

	type testCase struct {
		iptables  bool     // EnableIPTables value handed to the bridge driver
		insert    bool     // pre-populate FORWARD with a DROP rule before arranging
		fwdChain  []string // expected listing of FORWARD after arrangeUserFilterRule
		userChain []string // expected listing of DOCKER-USER; nil means the chain must not exist
	}
	cases := []testCase{
		{
			iptables: false,
			insert:   false,
			fwdChain: []string{"-P FORWARD ACCEPT"},
		},
		{
			iptables:  true,
			insert:    false,
			fwdChain:  []string{"-P FORWARD ACCEPT", "-A FORWARD -j DOCKER-USER"},
			userChain: []string{"-N DOCKER-USER", "-A DOCKER-USER -j RETURN"},
		},
		{
			iptables:  true,
			insert:    true,
			fwdChain:  []string{"-P FORWARD ACCEPT", "-A FORWARD -j DOCKER-USER", "-A FORWARD -j DROP"},
			userChain: []string{"-N DOCKER-USER", "-A DOCKER-USER -j RETURN"},
		},
	}

	resetIptables(t)
	for _, tc := range cases {
		tc := tc
		name := fmt.Sprintf("iptables=%v,insert=%v", tc.iptables, tc.insert)
		t.Run(name, func(t *testing.T) {
			ctrl := nc.(*controller)
			ctrl.cfg.Daemon.DriverCfg["bridge"] = map[string]interface{}{
				netlabel.GenericData: options.Generic{
					"EnableIPTables": tc.iptables,
				},
			}

			// Precondition: FORWARD carries only its policy and DOCKER-USER is absent.
			assert.DeepEqual(t, getRules(t, fwdChainName), []string{"-P FORWARD ACCEPT"})

			if tc.insert {
				_, rawErr := ipt.Raw("-A", fwdChainName, "-j", "DROP")
				assert.NilError(t, rawErr)
			}
			arrangeUserFilterRule()

			assert.DeepEqual(t, getRules(t, fwdChainName), tc.fwdChain)
			if tc.userChain == nil {
				// Listing a chain that does not exist fails; that failure is the expected outcome here.
				_, listErr := ipt.Raw("-S", usrChainName)
				assert.Assert(t, listErr != nil, "chain %v: created unexpectedly", usrChainName)
				return
			}
			assert.DeepEqual(t, getRules(t, usrChainName), tc.userChain)
		})
		resetIptables(t)
	}
}

// getRules returns the IPv4 filter rules of chain as listed by `iptables -S`,
// one rule per element. It fails the test if the chain cannot be listed.
func getRules(t *testing.T, chain string) []string {
	t.Helper()
	ipt := iptables.GetIptable(iptables.IPv4)

	out, err := ipt.Raw("-S", chain)
	assert.NilError(t, err, "chain %s: failed to get rules", chain)

	lines := strings.Split(string(out), "\n")
	// Split leaves a trailing empty element when the listing ends in a
	// newline; drop the last element so callers see only rules.
	if n := len(lines); n > 0 {
		return lines[:n-1]
	}
	return lines
}

// resetIptables flushes the FORWARD chain and removes DOCKER-USER so every
// case starts from a clean filter table. Removing DOCKER-USER is best effort
// because the chain does not exist when iptables is disabled.
func resetIptables(t *testing.T) {
	t.Helper()
	ipt := iptables.GetIptable(iptables.IPv4)

	_, err := ipt.Raw("-F", fwdChainName)
	assert.NilError(t, err)
	// Error deliberately ignored: the chain may not have been created.
	_ = ipt.RemoveExistingChain(usrChainName, "")
}