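//go:build linux
// +build linux

/*
Copyright 2018 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package iptables

import (
	"testing"

	"github.com/lithammer/dedent"

	"k8s.io/apimachinery/pkg/util/sets"
)

// checkChains runs GetChainsFromTable over save and reports, as two separate
// test errors, the expected chains it failed to find and the chains it
// returned that were not expected. Both directions are checked so that a
// parser which over-reports (e.g. picks up a ':' that is not a chain header)
// fails just as loudly as one that under-reports.
//
// t.Helper() keeps the reported failure location at the caller; the sets are
// printed sorted so that a failure message is stable across runs.
func checkChains(t *testing.T, save []byte, expected sets.Set[Chain]) {
	t.Helper()

	got := GetChainsFromTable(save)

	if missing := expected.Difference(got); missing.Len() > 0 {
		t.Errorf("GetChainsFromTable expected chains not present: %v", sets.List(missing))
	}
	if extra := got.Difference(expected); extra.Len() > 0 {
		t.Errorf("GetChainsFromTable unexpected chains present: %v", sets.List(extra))
	}
}

// TestGetChainsFromTable feeds GetChainsFromTable a single-table (*nat)
// iptables-save dump and asserts that the returned set is exactly the
// fifteen chains declared by the ':NAME POLICY [pkts:bytes]' header lines.
//
// The fixture deliberately contains colons that are not chain declarations —
// the timestamp in the leading comment, the '[2:138]' counters, the
// 'host:port' in '--to-destination', and ':' characters inside '--comment'
// strings — and the extra-chain check in checkChains ensures none of them
// produce a phantom chain.
//
// NOTE(review): every chain referenced by a rule (-j target, -m recent --name)
// is also declared with a ':' line, so this fixture does not show whether a
// name that appears only in a rule or comment is ignored; nor does it cover
// a dump containing more than one table. Both would be worth dedicated cases.
func TestGetChainsFromTable(t *testing.T) {
	iptablesSave := dedent.Dedent(`
		# Generated by iptables-save v1.4.21 on Fri Aug 7 14:47:37 2015
		*nat
		:PREROUTING ACCEPT [2:138]
		:INPUT ACCEPT [0:0]
		:OUTPUT ACCEPT [0:0]
		:POSTROUTING ACCEPT [0:0]
		:DOCKER - [0:0]
		:KUBE-NODEPORT-CONTAINER - [0:0]
		:KUBE-NODEPORT-HOST - [0:0]
		:KUBE-PORTALS-CONTAINER - [0:0]
		:KUBE-PORTALS-HOST - [0:0]
		:KUBE-SVC-1111111111111111 - [0:0]
		:KUBE-SVC-2222222222222222 - [0:0]
		:KUBE-SVC-3333333333333333 - [0:0]
		:KUBE-SVC-4444444444444444 - [0:0]
		:KUBE-SVC-5555555555555555 - [0:0]
		:KUBE-SVC-6666666666666666 - [0:0]
		-A PREROUTING -m comment --comment "handle ClusterIPs; NOTE: this must be before the NodePort rules" -j KUBE-PORTALS-CONTAINER
		-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
		-A PREROUTING -m addrtype --dst-type LOCAL -m comment --comment "handle service NodePorts; NOTE: this must be the last rule in the chain" -j KUBE-NODEPORT-CONTAINER
		-A OUTPUT -m comment --comment "handle ClusterIPs; NOTE: this must be before the NodePort rules" -j KUBE-PORTALS-HOST
		-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
		-A OUTPUT -m addrtype --dst-type LOCAL -m comment --comment "handle service NodePorts; NOTE: this must be the last rule in the chain" -j KUBE-NODEPORT-HOST
		-A POSTROUTING -s 10.246.1.0/24 ! -o cbr0 -j MASQUERADE
		-A POSTROUTING -s 10.0.2.15 -d 10.0.2.15 -m comment --comment "handle pod connecting to self" -j MASQUERADE
		-A KUBE-PORTALS-CONTAINER -d 10.247.0.1 -p tcp -m comment --comment "portal for default/kubernetes:" -m state --state NEW -m tcp --dport 443 -j KUBE-SVC-5555555555555555
		-A KUBE-PORTALS-CONTAINER -d 10.247.0.10 -p udp -m comment --comment "portal for kube-system/kube-dns:dns" -m state --state NEW -m udp --dport 53 -j KUBE-SVC-6666666666666666
		-A KUBE-PORTALS-CONTAINER -d 10.247.0.10 -p tcp -m comment --comment "portal for kube-system/kube-dns:dns-tcp" -m state --state NEW -m tcp --dport 53 -j KUBE-SVC-2222222222222222
		-A KUBE-PORTALS-HOST -d 10.247.0.1 -p tcp -m comment --comment "portal for default/kubernetes:" -m state --state NEW -m tcp --dport 443 -j KUBE-SVC-5555555555555555
		-A KUBE-PORTALS-HOST -d 10.247.0.10 -p udp -m comment --comment "portal for kube-system/kube-dns:dns" -m state --state NEW -m udp --dport 53 -j KUBE-SVC-6666666666666666
		-A KUBE-PORTALS-HOST -d 10.247.0.10 -p tcp -m comment --comment "portal for kube-system/kube-dns:dns-tcp" -m state --state NEW -m tcp --dport 53 -j KUBE-SVC-2222222222222222
		-A KUBE-SVC-1111111111111111 -p udp -m comment --comment "kube-system/kube-dns:dns" -m recent --set --name KUBE-SVC-1111111111111111 --mask 255.255.255.255 --rsource -j DNAT --to-destination 10.246.1.2:53
		-A KUBE-SVC-2222222222222222 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SVC-3333333333333333
		-A KUBE-SVC-3333333333333333 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m recent --set --name KUBE-SVC-3333333333333333 --mask 255.255.255.255 --rsource -j DNAT --to-destination 10.246.1.2:53
		-A KUBE-SVC-4444444444444444 -p tcp -m comment --comment "default/kubernetes:" -m recent --set --name KUBE-SVC-4444444444444444 --mask 255.255.255.255 --rsource -j DNAT --to-destination 10.245.1.2:443
		-A KUBE-SVC-5555555555555555 -m comment --comment "default/kubernetes:" -j KUBE-SVC-4444444444444444
		-A KUBE-SVC-6666666666666666 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SVC-1111111111111111
		COMMIT
		`)

	// Exactly the chains declared with ':' above — the four built-in nat
	// chains plus the eleven user-defined ones. Anything else returned is a
	// parser over-match; anything fewer is an under-match.
	expected := sets.New(
		ChainPrerouting,
		Chain("INPUT"),
		Chain("OUTPUT"),
		ChainPostrouting,
		Chain("DOCKER"),
		Chain("KUBE-NODEPORT-CONTAINER"),
		Chain("KUBE-NODEPORT-HOST"),
		Chain("KUBE-PORTALS-CONTAINER"),
		Chain("KUBE-PORTALS-HOST"),
		Chain("KUBE-SVC-1111111111111111"),
		Chain("KUBE-SVC-2222222222222222"),
		Chain("KUBE-SVC-3333333333333333"),
		Chain("KUBE-SVC-4444444444444444"),
		Chain("KUBE-SVC-5555555555555555"),
		Chain("KUBE-SVC-6666666666666666"),
	)

	checkChains(t, []byte(iptablesSave), expected)
}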