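package bridge

import (
	"net"
	"testing"

	"github.com/docker/libnetwork/iptables"
	"github.com/docker/libnetwork/portmapper"
	"github.com/docker/libnetwork/testutils"
	"github.com/vishvananda/netlink"
)

const (
	// iptablesTestBridgeIP is the IPv4 address assigned to the test bridge
	// (see getBasicTestConfig) and the source address of the NAT test rule.
	iptablesTestBridgeIP = "192.168.42.1"
)

// TestProgramIPTable creates a test bridge inside the test OS context and
// checks that a set of representative filter and nat rules can be inserted
// into, and removed from, the live iptables chains.
func TestProgramIPTable(t *testing.T) {
	// Create a test bridge with a basic bridge configuration (name + IPv4).
	defer testutils.SetupTestOSContext(t)()

	nh, err := netlink.NewHandle()
	if err != nil {
		t.Fatal(err)
	}

	createTestBridge(getBasicTestConfig(), &bridgeInterface{nlh: nh}, t)

	// Rules under test. The first one is a deliberately inert probe: it only
	// matches traffic that both enters and leaves on lo with destination
	// 127.1.2.3, so its brief presence in FORWARD does not affect real
	// traffic. The remaining rules presumably have the same shape as the
	// ones setupIPTables programs for the bridge — confirm against
	// setup_ip_tables.go when changing either side.
	rules := []struct {
		rule  iptRule
		descr string
	}{
		{iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-d", "127.1.2.3", "-i", "lo", "-o", "lo", "-j", "DROP"}}, "Test Loopback"},
		{iptRule{table: iptables.Nat, chain: "POSTROUTING", preArgs: []string{"-t", "nat"}, args: []string{"-s", iptablesTestBridgeIP, "!", "-o", DefaultBridgeName, "-j", "MASQUERADE"}}, "NAT Test"},
		{iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-i", DefaultBridgeName, "!", "-o", DefaultBridgeName, "-j", "ACCEPT"}}, "Test ACCEPT NON_ICC OUTGOING"},
		{iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-o", DefaultBridgeName, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}}, "Test ACCEPT INCOMING"},
		{iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-i", DefaultBridgeName, "-o", DefaultBridgeName, "-j", "ACCEPT"}}, "Test enable ICC"},
		{iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-i", DefaultBridgeName, "-o", DefaultBridgeName, "-j", "DROP"}}, "Test disable ICC"},
	}

	// Each rule is inserted, verified present, removed and verified absent.
	for _, c := range rules {
		assertIPTableChainProgramming(c.rule, c.descr, t)
	}
}

// TestSetupIPChains checks that the driver can create its nat/filter/isolation
// chains with iptables enabled, then programs the bridge rules for every
// combination of EnableIPMasquerade and EnableICC reachable by toggling them.
func TestSetupIPChains(t *testing.T) {
	// Create a test bridge with a basic bridge configuration (name + IPv4).
	defer testutils.SetupTestOSContext(t)()

	nh, err := netlink.NewHandle()
	if err != nil {
		t.Fatal(err)
	}

	driverconfig := &configuration{
		EnableIPTables: true,
	}
	d := &driver{
		config: driverconfig,
	}
	assertChainConfig(d, t)

	config := getBasicTestConfig()
	br := &bridgeInterface{nlh: nh}
	createTestBridge(config, br, t)

	// Baseline: masquerade off, ICC off.
	assertBridgeConfig(config, br, d, t)

	config.EnableIPMasquerade = true
	assertBridgeConfig(config, br, d, t)

	config.EnableICC = true
	assertBridgeConfig(config, br, d, t)

	config.EnableIPMasquerade = false
	assertBridgeConfig(config, br, d, t)
}

// getBasicTestConfig returns a network configuration naming the default
// bridge and giving it iptablesTestBridgeIP with a /16 IPv4 mask.
func getBasicTestConfig() *networkConfiguration {
	return &networkConfiguration{
		BridgeName:  DefaultBridgeName,
		AddressIPv4: &net.IPNet{IP: net.ParseIP(iptablesTestBridgeIP), Mask: net.CIDRMask(16, 32)},
	}
}

// createTestBridge creates the bridge device described by config and
// assigns its IPv4 address, failing the test on either error.
func createTestBridge(config *networkConfiguration, br *bridgeInterface, t *testing.T) {
	if err := setupDevice(config, br); err != nil {
		t.Fatalf("Failed to create the testing Bridge: %s", err)
	}
	if err := setupBridgeIPv4(config, br); err != nil {
		t.Fatalf("Failed to bring up the testing Bridge: %s", err)
	}
}

// assertIPTableChainProgramming inserts rule into its chain, checks it is
// present, removes it and checks it is gone. If the test fails between the
// insertion and the removal, the rule is removed on a best-effort basis so a
// failing run does not leave a test rule behind in the chain.
func assertIPTableChainProgramming(rule iptRule, descr string, t *testing.T) {
	// Add
	if err := programChainRule(rule, descr, true); err != nil {
		t.Fatalf("Failed to program iptable rule %s: %s", descr, err)
	}
	removed := false
	defer func() {
		if removed {
			return
		}
		// t.Fatalf unwinds through this defer; the removal error, if any,
		// is ignored because the test has already failed at this point.
		_ = programChainRule(rule, descr, false)
	}()
	if !iptables.Exists(rule.table, rule.chain, rule.args...) {
		t.Fatalf("Failed to effectively program iptable rule: %s", descr)
	}

	// Remove
	if err := programChainRule(rule, descr, false); err != nil {
		t.Fatalf("Failed to remove iptable rule %s: %s", descr, err)
	}
	removed = true
	if iptables.Exists(rule.table, rule.chain, rule.args...) {
		t.Fatalf("Failed to effectively remove iptable rule: %s", descr)
	}
}

// assertChainConfig sets up the driver's nat, filter and isolation chains
// from its configuration and stores them on d, failing the test on error.
func assertChainConfig(d *driver, t *testing.T) {
	var err error

	d.natChain, d.filterChain, d.isolationChain, err = setupIPChains(d.config)
	if err != nil {
		t.Fatal(err)
	}
}

// assertBridgeConfig builds a bridge network over d with the given config
// and programs its iptables rules, failing the test on error.
func assertBridgeConfig(config *networkConfiguration, br *bridgeInterface, d *driver, t *testing.T) {
	nw := bridgeNetwork{
		portMapper: portmapper.New(""),
		config:     config,
		driver:     d,
	}

	// Attempt programming of ip tables.
	if err := nw.setupIPTables(config, br); err != nil {
		t.Fatalf("%v", err)
	}
}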