gvisor.dev/gvisor@v0.0.0-20240520182842-f9d4d51c7e0f/test/iptables/README.md

gvisor.dev/gvisor@v0.0.0-20240520182842-f9d4d51c7e0f/test/iptables/README.md (about)

     1  # iptables Tests
     2  
     3  iptables tests are run via `make iptables-tests`.
     4  
     5  iptables require some extra Docker configuration to work. Enable IPv6 in
     6  `/etc/docker/daemon.json` (make sure to restart Docker if you change this file):
     7  
     8  ```json
     9  {
    10      "experimental": true,
    11      "fixed-cidr-v6": "2001:db8:1::/64",
    12      "ipv6": true,
    13      // Runtimes and other Docker config...
    14  }
    15  ```
    16  
    17  And if you're running manually (i.e. not using the `make` target), you'll need
    18  to:
    19  
    20  *   Enable iptables via `modprobe iptable_filter && modprobe ip6table_filter`.
    21  *   Enable `--net-raw` in your chosen runtime in `/etc/docker/daemon.json` (make
    22      sure to restart Docker if you change this file).
    23  
    24  The resulting runtime should look something like this:
    25  
    26  ```json
    27  "runsc": {
    28      "path": "/tmp/iptables/runsc",
    29      "runtimeArgs": [
    30          "--debug-log",
    31          "/tmp/iptables/logs/runsc.log.%TEST%.%TIMESTAMP%.%COMMAND%",
    32          "--net-raw"
    33      ]
    34  },
    35  // ...
    36  ```
    37  
    38  ## Test Structure
    39  
    40  Each test implements `TestCase`, providing (1) a function to run inside the
    41  container and (2) a function to run locally. Those processes are given each
    42  others' IP addresses. The test succeeds when both functions succeed.
    43  
    44  The function inside the container (`ContainerAction`) typically sets some
    45  iptables rules and then tries to send or receive packets. The local function
    46  (`LocalAction`) will typically just send or receive packets.
    47  
    48  ### Adding Tests
    49  
    50  1) Add your test to the `iptables` package.
    51  
    52  2) Register the test in an `init` function via `RegisterTestCase` (see
    53  `filter_input.go` as an example).
    54  
    55  3) Add it to `iptables_test.go` (see the other tests in that file).
    56  
    57  Your test is now runnable with bazel!
    58  
    59  ## Run individual tests
    60  
    61  Build and install `runsc`. Re-run this when you modify gVisor:
    62  
    63  ```bash
    64  $ bazel build //runsc && sudo cp bazel-out/k8-fastbuild-ST-4c64f0b3d5c7/bin/runsc/runsc_/runsc $(which runsc)
    65  ```
    66  
    67  Build the testing Docker container. Re-run this when you modify the test code in
    68  this directory:
    69  
    70  ```bash
    71  $ make load-iptables
    72  ```
    73  
    74  Run an individual test via:
    75  
    76  ```bash
    77  $ bazel test //test/iptables:iptables_test --test_filter=<TESTNAME>
    78  ```
    79  
    80  To run an individual test with `runc`:
    81  
    82  ```bash
    83  $ bazel test //test/iptables:iptables_test --test_filter=<TESTNAME> --test_env=RUNTIME=runc
    84  ```