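// Source: istio.io/istio@v0.0.0-20240520182934-d79c90f27776/cni/pkg/iptables/iptables_test.go

// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package iptables

import (
	"net/netip"
	"path/filepath"
	"strings"
	"testing"

	testutil "istio.io/istio/pilot/test/util"
	dep "istio.io/istio/tools/istio-iptables/pkg/dependencies"
)

// TestIptables generates the in-pod rule set for every case, once with IPv6
// disabled and once with it enabled, and compares the commands collected in
// ext.ExecutedAll with the golden file for that case and IP family.
//
// The golden files are the reviewed form of the generated rule set, so a diff
// in them is a change to the rules the configurator emits and deserves the
// same scrutiny as a change to the rule-building code.
//
// NOTE(review): dep.DependenciesStub appears to collect commands rather than
// run them (confirm against the dependencies package). If so, this test checks
// the generated command text only, not how a real iptables binary or the
// kernel applies it.
func TestIptables(t *testing.T) {
	cases := []struct {
		name   string
		config func(cfg *Config)
	}{
		{
			name: "default",
			config: func(cfg *Config) {
				cfg.RedirectDNS = true
			},
		},
	}
	probeSNATipv4 := netip.MustParseAddr("169.254.7.127")
	probeSNATipv6 := netip.MustParseAddr("e9ac:1e77:90ca:399f:4d6d:ece2:2f9b:3164")

	for _, tt := range cases {
		for _, ipv6 := range []bool{false, true} {
			t.Run(tt.name+"_"+ipstr(ipv6), func(t *testing.T) {
				cfg := constructTestConfig()
				cfg.EnableIPv6 = ipv6
				tt.config(cfg)
				ext := &dep.DependenciesStub{}
				// Fail here on a constructor error instead of dereferencing a
				// possibly nil configurator on the next call.
				iptConfigurator, err := NewIptablesConfigurator(cfg, ext, EmptyNlDeps())
				if err != nil {
					t.Fatal(err)
				}
				// The probe SNAT address has to match the IP family under test.
				probeIP := &probeSNATipv4
				if ipv6 {
					probeIP = &probeSNATipv6
				}
				if err := iptConfigurator.CreateInpodRules(probeIP); err != nil {
					t.Fatal(err)
				}

				compareToGolden(t, ipv6, tt.name, ext.ExecutedAll)
			})
		}
	}
}

// TestIptablesHostRules generates the host-side health-check rules and
// compares the collected commands with the "hostprobe" golden files.
//
// Both probe addresses are passed on every run; only cfg.EnableIPv6 differs
// between the ipv4 and ipv6 subtests, and it also selects the golden file.
func TestIptablesHostRules(t *testing.T) {
	cases := []struct {
		name   string
		config func(cfg *Config)
	}{
		{
			name:   "hostprobe",
			config: func(cfg *Config) {},
		},
	}
	probeSNATipv4 := netip.MustParseAddr("169.254.7.127")
	probeSNATipv6 := netip.MustParseAddr("fd16:9254:7127:1337:ffff:ffff:ffff:ffff")

	for _, tt := range cases {
		for _, ipv6 := range []bool{false, true} {
			t.Run(tt.name+"_"+ipstr(ipv6), func(t *testing.T) {
				cfg := constructTestConfig()
				cfg.EnableIPv6 = ipv6
				tt.config(cfg)
				ext := &dep.DependenciesStub{}
				// A constructor failure must fail the subtest, not surface as
				// a nil dereference below.
				iptConfigurator, err := NewIptablesConfigurator(cfg, ext, EmptyNlDeps())
				if err != nil {
					t.Fatal(err)
				}
				if err := iptConfigurator.CreateHostRulesForHealthChecks(&probeSNATipv4, &probeSNATipv6); err != nil {
					t.Fatal(err)
				}

				compareToGolden(t, ipv6, tt.name, ext.ExecutedAll)
			})
		}
	}
}

// TestInvokedTwiceIsIdempotent calls CreateInpodRules twice on the same
// configurator and requires both runs to produce the "default" golden output.
//
// The stub is reset between runs, so the second comparison sees only the
// commands of the second call. What is asserted is that the emitted command
// list is the same on a repeat call; the test does not observe the state that
// results from applying those commands twice.
func TestInvokedTwiceIsIdempotent(t *testing.T) {
	tt := struct {
		name   string
		config func(cfg *Config)
	}{
		name: "default",
		config: func(cfg *Config) {
			cfg.RedirectDNS = true
		},
	}

	probeSNATipv4 := netip.MustParseAddr("169.254.7.127")

	cfg := constructTestConfig()
	tt.config(cfg)
	ext := &dep.DependenciesStub{}
	iptConfigurator, err := NewIptablesConfigurator(cfg, ext, EmptyNlDeps())
	if err != nil {
		t.Fatal(err)
	}
	if err = iptConfigurator.CreateInpodRules(&probeSNATipv4); err != nil {
		t.Fatal(err)
	}
	compareToGolden(t, false, tt.name, ext.ExecutedAll)

	// Drop the commands collected so far so the second run is compared alone.
	*ext = dep.DependenciesStub{}
	// run another time to make sure we are idempotent
	if err = iptConfigurator.CreateInpodRules(&probeSNATipv4); err != nil {
		t.Fatal(err)
	}

	compareToGolden(t, false, tt.name, ext.ExecutedAll)
}

// ipstr returns the subtest name suffix for the IP family: "ipv6" when ipv6
// is true, "ipv4" otherwise.
func ipstr(ipv6 bool) string {
	if ipv6 {
		return "ipv6"
	}
	return "ipv4"
}

// compareToGolden joins actual with newlines and compares the result with
// testdata/<name>.golden, or testdata/<name>_ipv6.golden when ipv6 is true.
func compareToGolden(t *testing.T, ipv6 bool, name string, actual []string) {
	t.Helper()
	gotBytes := []byte(strings.Join(actual, "\n"))
	goldenFile := filepath.Join("testdata", name+".golden")
	if ipv6 {
		goldenFile = filepath.Join("testdata", name+"_ipv6.golden")
	}
	testutil.CompareContent(t, gotBytes, goldenFile)
}

// constructTestConfig returns the base Config shared by the tests in this
// file, with RestoreFormat set to false explicitly. Each test applies its own
// overrides on top.
func constructTestConfig() *Config {
	return &Config{
		RestoreFormat: false,
	}
}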