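#!/bin/bash

# Copyright 2023 The gVisor Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Checks that the DNS NAT rules Docker installs for a custom network are seen,
# correctly translated, by iptables-legacy inside a container started with the
# given runtime.
#
# Usage: nftables_test.sh <docker-runtime-name>

set -euxo pipefail

# expected_regex is generated by running `iptables -t nat -S` inside a runc
# Docker container connected to a custom network. Custom networks cause Docker
# to install DNS routing rules.
#
# It is used as a bash extended regex below: the unescaped '.' in each address
# literal matches any single character, the port numbers are wildcarded, and
# the `=~` match is unanchored, so extra rules before or after this block are
# tolerated.
expected_regex='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER_OUTPUT
-N DOCKER_POSTROUTING
-A OUTPUT -d 127.0.0.11/32 -j DOCKER_OUTPUT
-A POSTROUTING -d 127.0.0.11/32 -j DOCKER_POSTROUTING
-A DOCKER_OUTPUT -d 127.0.0.11/32 -p tcp -m tcp --dport 53 -j DNAT (--to-destination 127.0.0.11:[0-9]+|\[unsupported revision\])
-A DOCKER_OUTPUT -d 127.0.0.11/32 -p udp -m udp --dport 53 -j DNAT (--to-destination 127.0.0.11:[0-9]+|\[unsupported revision\])
-A DOCKER_POSTROUTING -s 127.0.0.11/32 -p tcp -m tcp --sport [0-9]+ -j SNAT --to-source :53
-A DOCKER_POSTROUTING -s 127.0.0.11/32 -p udp -m udp --sport [0-9]+ -j SNAT --to-source :53'

# The runtime name is the first and only argument. Fail with a usage message
# instead of the bare "unbound variable" error `set -u` would otherwise give.
runtime="${1:?usage: $0 <docker-runtime-name>}"

# The image passed to docker run uses iptables-nft by default, so the above
# rules can't be simply scraped and passed to gVisor. We test that those rules
# are correctly translated to iptables-legacy rules.
#
# A random suffix keeps concurrent runs from colliding on the network name.
net_name="nftables-test-net-$(shuf -i 0-99999999 -n 1)"
docker network create "$net_name"
# Single-quoted so net_name is expanded when the trap fires; the trap is only
# installed once the network actually exists, so a failed create is not
# followed by a spurious rm.
trap 'docker network rm "$net_name"' EXIT
# --privileged is presumably what lets the container read the NAT table
# (TODO confirm); the container only lists the rules (-S) and exits.
got=$(docker run --network="$net_name" --rm --runtime "$runtime" --privileged gvisor.dev/images/iptables iptables-legacy -t nat -S)
if ! [[ "$got" =~ $expected_regex ]]; then
  echo "Got incorrect rules: got on the left, want on the right"
  # printf rather than echo: both listings start with '-P', which echo could
  # otherwise take for an option. diff exits non-zero whenever the inputs
  # differ, which under `set -e` would end the script before the explicit
  # exit below; `|| true` marks that status as expected.
  diff <(printf '%s\n' "$got") <(printf '%s\n' "$expected_regex") || true
  exit 1
fi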