k8s.io/kubernetes@v1.29.3/pkg/util/iptables/save_restore_test.go (about)

     1  /*
     2  Copyright 2018 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package iptables
    18  
    19  import (
    20  	"testing"
    21  
    22  	"github.com/lithammer/dedent"
    23  )
    24  
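// checkChains asserts that GetChainsFromTable(save) yields exactly the set of
// chains in expected: every expected chain must be present and no other chain
// may appear. Each discrepancy is reported as its own t.Errorf so a single run
// shows the whole difference rather than stopping at the first mismatch.
//
// t.Helper() makes the failure location point at the calling test rather than
// at this helper, and chain names are printed with %q so that an empty or
// whitespace-bearing name produced by a parsing bug is visible in the output.
func checkChains(t *testing.T, save []byte, expected map[Chain]struct{}) {
	t.Helper()

	got := GetChainsFromTable(save)

	// Chains the test expects but the parser did not return.
	for chain := range expected {
		if _, ok := got[chain]; !ok {
			t.Errorf("GetChainsFromTable expected chain not present: %q", chain)
		}
	}

	// Chains the parser returned that the test did not expect.
	for chain := range got {
		if _, ok := expected[chain]; !ok {
			t.Errorf("GetChainsFromTable chain unexpectedly present: %q", chain)
		}
	}
}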
    38  
// TestGetChainsFromTable feeds a captured iptables-save dump of the nat table
// to GetChainsFromTable and checks, via checkChains, that the result contains
// exactly the chains declared in the dump and nothing else.
func TestGetChainsFromTable(t *testing.T) {
	// Real nat-table dump from an early kube-proxy node. Note that every
	// chain any rule jumps to (-j) is also declared with a ":NAME" header,
	// so this fixture cannot tell a parser that reads the headers apart
	// from one that collects jump targets. NOTE(review): presumably the
	// former is intended -- confirm against the implementation before
	// relying on this test for that distinction.
	natTable := dedent.Dedent(`
		# Generated by iptables-save v1.4.21 on Fri Aug  7 14:47:37 2015
		*nat
		:PREROUTING ACCEPT [2:138]
		:INPUT ACCEPT [0:0]
		:OUTPUT ACCEPT [0:0]
		:POSTROUTING ACCEPT [0:0]
		:DOCKER - [0:0]
		:KUBE-NODEPORT-CONTAINER - [0:0]
		:KUBE-NODEPORT-HOST - [0:0]
		:KUBE-PORTALS-CONTAINER - [0:0]
		:KUBE-PORTALS-HOST - [0:0]
		:KUBE-SVC-1111111111111111 - [0:0]
		:KUBE-SVC-2222222222222222 - [0:0]
		:KUBE-SVC-3333333333333333 - [0:0]
		:KUBE-SVC-4444444444444444 - [0:0]
		:KUBE-SVC-5555555555555555 - [0:0]
		:KUBE-SVC-6666666666666666 - [0:0]
		-A PREROUTING -m comment --comment "handle ClusterIPs; NOTE: this must be before the NodePort rules" -j KUBE-PORTALS-CONTAINER
		-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
		-A PREROUTING -m addrtype --dst-type LOCAL -m comment --comment "handle service NodePorts; NOTE: this must be the last rule in the chain" -j KUBE-NODEPORT-CONTAINER
		-A OUTPUT -m comment --comment "handle ClusterIPs; NOTE: this must be before the NodePort rules" -j KUBE-PORTALS-HOST
		-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
		-A OUTPUT -m addrtype --dst-type LOCAL -m comment --comment "handle service NodePorts; NOTE: this must be the last rule in the chain" -j KUBE-NODEPORT-HOST
		-A POSTROUTING -s 10.246.1.0/24 ! -o cbr0 -j MASQUERADE
		-A POSTROUTING -s 10.0.2.15 -d 10.0.2.15 -m comment --comment "handle pod connecting to self" -j MASQUERADE
		-A KUBE-PORTALS-CONTAINER -d 10.247.0.1 -p tcp -m comment --comment "portal for default/kubernetes:" -m state --state NEW -m tcp --dport 443 -j KUBE-SVC-5555555555555555
		-A KUBE-PORTALS-CONTAINER -d 10.247.0.10 -p udp -m comment --comment "portal for kube-system/kube-dns:dns" -m state --state NEW -m udp --dport 53 -j KUBE-SVC-6666666666666666
		-A KUBE-PORTALS-CONTAINER -d 10.247.0.10 -p tcp -m comment --comment "portal for kube-system/kube-dns:dns-tcp" -m state --state NEW -m tcp --dport 53 -j KUBE-SVC-2222222222222222
		-A KUBE-PORTALS-HOST -d 10.247.0.1 -p tcp -m comment --comment "portal for default/kubernetes:" -m state --state NEW -m tcp --dport 443 -j KUBE-SVC-5555555555555555
		-A KUBE-PORTALS-HOST -d 10.247.0.10 -p udp -m comment --comment "portal for kube-system/kube-dns:dns" -m state --state NEW -m udp --dport 53 -j KUBE-SVC-6666666666666666
		-A KUBE-PORTALS-HOST -d 10.247.0.10 -p tcp -m comment --comment "portal for kube-system/kube-dns:dns-tcp" -m state --state NEW -m tcp --dport 53 -j KUBE-SVC-2222222222222222
		-A KUBE-SVC-1111111111111111 -p udp -m comment --comment "kube-system/kube-dns:dns" -m recent --set --name KUBE-SVC-1111111111111111 --mask 255.255.255.255 --rsource -j DNAT --to-destination 10.246.1.2:53
		-A KUBE-SVC-2222222222222222 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SVC-3333333333333333
		-A KUBE-SVC-3333333333333333 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m recent --set --name KUBE-SVC-3333333333333333 --mask 255.255.255.255 --rsource -j DNAT --to-destination 10.246.1.2:53
		-A KUBE-SVC-4444444444444444 -p tcp -m comment --comment "default/kubernetes:" -m recent --set --name KUBE-SVC-4444444444444444 --mask 255.255.255.255 --rsource -j DNAT --to-destination 10.245.1.2:443
		-A KUBE-SVC-5555555555555555 -m comment --comment "default/kubernetes:" -j KUBE-SVC-4444444444444444
		-A KUBE-SVC-6666666666666666 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SVC-1111111111111111
		COMMIT
		`)

	// Chains declared by ":NAME" headers above, in the order they appear.
	// PREROUTING and POSTROUTING use the package constants; the rest are
	// plain names the package defines no constant for in this block.
	declared := []string{
		"INPUT",
		"OUTPUT",
		"DOCKER",
		"KUBE-NODEPORT-CONTAINER",
		"KUBE-NODEPORT-HOST",
		"KUBE-PORTALS-CONTAINER",
		"KUBE-PORTALS-HOST",
		"KUBE-SVC-1111111111111111",
		"KUBE-SVC-2222222222222222",
		"KUBE-SVC-3333333333333333",
		"KUBE-SVC-4444444444444444",
		"KUBE-SVC-5555555555555555",
		"KUBE-SVC-6666666666666666",
	}
	want := map[Chain]struct{}{
		ChainPrerouting:  {},
		ChainPostrouting: {},
	}
	for _, name := range declared {
		want[Chain(name)] = struct{}{}
	}

	checkChains(t, []byte(natTable), want)
}