package libnetwork

import (
	"fmt"
	"strings"
	"testing"

	"github.com/docker/docker/libnetwork/iptables"
	"github.com/docker/docker/libnetwork/netlabel"
	"github.com/docker/docker/libnetwork/options"
	"github.com/docker/docker/libnetwork/testutils"
	"gotest.tools/v3/assert"
)

const (
	fwdChainName = "FORWARD"
	usrChainName = userChain
)

// userChainCase is one scenario exercised by TestUserChain.
type userChainCase struct {
	iptables  bool     // value handed to the bridge driver as EnableIPTables / EnableIP6Tables
	insert    bool     // append a DROP rule to FORWARD before the user chain is arranged
	fwdChain  []string // expected "-S FORWARD" listing afterwards
	userChain []string // expected "-S DOCKER-USER" listing; nil means the chain must not exist
}

// TestUserChain checks how arrangeUserFilterRule sets up the DOCKER-USER
// chain, for IPv4 and IPv6 alike:
//   - with iptables disabled, FORWARD is left untouched and no chain is created;
//   - with iptables enabled, DOCKER-USER is created (ending in RETURN) and the
//     jump to it is placed in FORWARD ahead of any rule already present, so
//     rules an operator adds to DOCKER-USER are evaluated before the rest of
//     FORWARD.
func TestUserChain(t *testing.T) {
	v4 := iptables.GetIptable(iptables.IPv4)
	v6 := iptables.GetIptable(iptables.IPv6)

	cases := []userChainCase{
		{
			iptables: false,
			insert:   false,
			fwdChain: []string{"-P FORWARD ACCEPT"},
		},
		{
			iptables:  true,
			insert:    false,
			fwdChain:  []string{"-P FORWARD ACCEPT", "-A FORWARD -j DOCKER-USER"},
			userChain: []string{"-N DOCKER-USER", "-A DOCKER-USER -j RETURN"},
		},
		{
			iptables:  true,
			insert:    true,
			fwdChain:  []string{"-P FORWARD ACCEPT", "-A FORWARD -j DOCKER-USER", "-A FORWARD -j DROP"},
			userChain: []string{"-N DOCKER-USER", "-A DOCKER-USER -j RETURN"},
		},
	}

	for _, tc := range cases {
		tc := tc
		name := fmt.Sprintf("iptables=%v,insert=%v", tc.iptables, tc.insert)
		t.Run(name, func(t *testing.T) {
			// Deferred in this order so that on exit the controller is
			// stopped first, iptables is reset second, and the test OS
			// context is torn down last.
			defer testutils.SetupTestOSContext(t)()
			defer resetIptables(t)

			c, err := New()
			assert.NilError(t, err)
			defer c.Stop()
			c.cfg.DriverCfg["bridge"] = map[string]interface{}{
				netlabel.GenericData: options.Generic{
					"EnableIPTables":  tc.iptables,
					"EnableIP6Tables": tc.iptables,
				},
			}

			// Precondition: FORWARD holds nothing but its policy line.
			policyOnly := []string{"-P FORWARD ACCEPT"}
			assert.DeepEqual(t, getRules(t, iptables.IPv4, fwdChainName), policyOnly)
			assert.DeepEqual(t, getRules(t, iptables.IPv6, fwdChainName), policyOnly)

			if tc.insert {
				// A rule that is already in FORWARD; the expected listing
				// requires the DOCKER-USER jump to land in front of it.
				for _, ipVer := range []iptables.IPVersion{iptables.IPv4, iptables.IPv6} {
					_, err := iptables.GetIptable(ipVer).Raw("-A", fwdChainName, "-j", "DROP")
					assert.NilError(t, err)
				}
			}
			arrangeUserFilterRule()

			assert.DeepEqual(t, getRules(t, iptables.IPv4, fwdChainName), tc.fwdChain)
			assert.DeepEqual(t, getRules(t, iptables.IPv6, fwdChainName), tc.fwdChain)
			if tc.userChain == nil {
				// Listing a chain that does not exist fails; that failure
				// is the expected outcome here.
				_, err := v4.Raw("-S", usrChainName)
				assert.Assert(t, err != nil, "ipv4 chain %v: created unexpectedly", usrChainName)
				_, err = v6.Raw("-S", usrChainName)
				assert.Assert(t, err != nil, "ipv6 chain %v: created unexpectedly", usrChainName)
				return
			}
			assert.DeepEqual(t, getRules(t, iptables.IPv4, usrChainName), tc.userChain)
			assert.DeepEqual(t, getRules(t, iptables.IPv6, usrChainName), tc.userChain)
		})
	}
}

// getRules returns the rules of chain as printed by "-S chain", one string
// per output line with the trailing empty element removed. It fails the test
// when the chain cannot be listed (for instance because it does not exist).
func getRules(t *testing.T, ipVer iptables.IPVersion, chain string) []string {
	t.Helper()

	out, err := iptables.GetIptable(ipVer).Raw("-S", chain)
	assert.NilError(t, err, "chain %s: failed to get rules", chain)

	// The listing is expected to end in a newline, which leaves an empty
	// final element after the split; drop it.
	lines := strings.Split(string(out), "\n")
	if n := len(lines); n > 0 {
		lines = lines[:n-1]
	}
	return lines
}

// resetIptables flushes FORWARD and removes the DOCKER-USER chain for both
// IP versions, so every subtest starts from the same state.
func resetIptables(t *testing.T) {
	t.Helper()

	versions := []iptables.IPVersion{iptables.IPv4, iptables.IPv6}
	for _, ipVer := range versions {
		ipt := iptables.GetIptable(ipVer)

		_, flushErr := ipt.Raw("-F", fwdChainName)
		assert.Check(t, flushErr)
		// The chain is absent after subtests that ran with iptables
		// disabled, so a removal error is expected and deliberately ignored.
		_ = ipt.RemoveExistingChain(usrChainName, "")
	}
}