2021-05-28 20:59:41 +00:00
|
|
|
package libnetwork
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"strings"
|
|
|
|
"testing"
|
|
|
|
|
2023-07-26 19:06:35 +00:00
|
|
|
"github.com/docker/docker/internal/testutils/netnsutils"
|
2023-07-16 15:59:29 +00:00
|
|
|
"github.com/docker/docker/libnetwork/config"
|
2021-05-28 20:59:41 +00:00
|
|
|
"github.com/docker/docker/libnetwork/iptables"
|
|
|
|
"github.com/docker/docker/libnetwork/netlabel"
|
|
|
|
"github.com/docker/docker/libnetwork/options"
|
|
|
|
"gotest.tools/v3/assert"
|
2023-07-16 16:05:47 +00:00
|
|
|
is "gotest.tools/v3/assert/cmp"
|
2021-05-28 20:59:41 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
fwdChainName = "FORWARD"
|
|
|
|
usrChainName = userChain
|
|
|
|
)
|
|
|
|
|
|
|
|
func TestUserChain(t *testing.T) {
|
2022-12-28 12:21:07 +00:00
|
|
|
iptable4 := iptables.GetIptable(iptables.IPv4)
|
|
|
|
iptable6 := iptables.GetIptable(iptables.IPv6)
|
2021-05-28 20:59:41 +00:00
|
|
|
|
|
|
|
tests := []struct {
|
|
|
|
iptables bool
|
|
|
|
insert bool // insert other rules to FORWARD
|
|
|
|
fwdChain []string
|
|
|
|
userChain []string
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
iptables: false,
|
|
|
|
insert: false,
|
|
|
|
fwdChain: []string{"-P FORWARD ACCEPT"},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
iptables: true,
|
|
|
|
insert: false,
|
|
|
|
fwdChain: []string{"-P FORWARD ACCEPT", "-A FORWARD -j DOCKER-USER"},
|
|
|
|
userChain: []string{"-N DOCKER-USER", "-A DOCKER-USER -j RETURN"},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
iptables: true,
|
|
|
|
insert: true,
|
|
|
|
fwdChain: []string{"-P FORWARD ACCEPT", "-A FORWARD -j DOCKER-USER", "-A FORWARD -j DROP"},
|
|
|
|
userChain: []string{"-N DOCKER-USER", "-A DOCKER-USER -j RETURN"},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, tc := range tests {
|
|
|
|
tc := tc
|
|
|
|
t.Run(fmt.Sprintf("iptables=%v,insert=%v", tc.iptables, tc.insert), func(t *testing.T) {
|
2023-07-26 19:06:35 +00:00
|
|
|
defer netnsutils.SetupTestOSContext(t)()
|
2022-11-08 21:35:14 +00:00
|
|
|
defer resetIptables(t)
|
|
|
|
|
2023-07-16 15:59:29 +00:00
|
|
|
c, err := New(config.OptionDriverConfig("bridge", map[string]any{
|
2021-05-28 20:59:41 +00:00
|
|
|
netlabel.GenericData: options.Generic{
|
2022-12-28 12:21:07 +00:00
|
|
|
"EnableIPTables": tc.iptables,
|
|
|
|
"EnableIP6Tables": tc.iptables,
|
2021-05-28 20:59:41 +00:00
|
|
|
},
|
2023-07-16 15:59:29 +00:00
|
|
|
}))
|
|
|
|
assert.NilError(t, err)
|
|
|
|
defer c.Stop()
|
2021-05-28 20:59:41 +00:00
|
|
|
|
|
|
|
// init. condition, FORWARD chain empty DOCKER-USER not exist
|
2023-07-16 16:05:47 +00:00
|
|
|
assert.Check(t, is.DeepEqual(getRules(t, iptable4, fwdChainName), []string{"-P FORWARD ACCEPT"}))
|
|
|
|
assert.Check(t, is.DeepEqual(getRules(t, iptable6, fwdChainName), []string{"-P FORWARD ACCEPT"}))
|
2021-05-28 20:59:41 +00:00
|
|
|
|
|
|
|
if tc.insert {
|
2022-12-28 12:21:07 +00:00
|
|
|
_, err = iptable4.Raw("-A", fwdChainName, "-j", "DROP")
|
2023-07-16 16:10:28 +00:00
|
|
|
assert.Check(t, err)
|
2022-12-28 12:21:07 +00:00
|
|
|
_, err = iptable6.Raw("-A", fwdChainName, "-j", "DROP")
|
2023-07-16 16:10:28 +00:00
|
|
|
assert.Check(t, err)
|
2021-05-28 20:59:41 +00:00
|
|
|
}
|
|
|
|
arrangeUserFilterRule()
|
|
|
|
|
2023-07-16 16:05:47 +00:00
|
|
|
assert.Check(t, is.DeepEqual(getRules(t, iptable4, fwdChainName), tc.fwdChain))
|
|
|
|
assert.Check(t, is.DeepEqual(getRules(t, iptable6, fwdChainName), tc.fwdChain))
|
2021-05-28 20:59:41 +00:00
|
|
|
if tc.userChain != nil {
|
2023-07-16 16:05:47 +00:00
|
|
|
assert.Check(t, is.DeepEqual(getRules(t, iptable4, usrChainName), tc.userChain))
|
|
|
|
assert.Check(t, is.DeepEqual(getRules(t, iptable6, usrChainName), tc.userChain))
|
2021-05-28 20:59:41 +00:00
|
|
|
} else {
|
2023-07-16 16:10:28 +00:00
|
|
|
_, err = iptable4.Raw("-S", usrChainName)
|
|
|
|
assert.Check(t, is.ErrorContains(err, "No chain/target/match by that name"), "ipv4 chain %v: created unexpectedly", usrChainName)
|
2022-12-28 12:21:07 +00:00
|
|
|
_, err = iptable6.Raw("-S", usrChainName)
|
2023-07-16 16:10:28 +00:00
|
|
|
assert.Check(t, is.ErrorContains(err, "No chain/target/match by that name"), "ipv6 chain %v: created unexpectedly", usrChainName)
|
2021-05-28 20:59:41 +00:00
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-07-16 16:05:47 +00:00
|
|
|
func getRules(t *testing.T, iptable *iptables.IPTable, chain string) []string {
|
2021-05-28 20:59:41 +00:00
|
|
|
t.Helper()
|
|
|
|
output, err := iptable.Raw("-S", chain)
|
|
|
|
assert.NilError(t, err, "chain %s: failed to get rules", chain)
|
|
|
|
|
|
|
|
rules := strings.Split(string(output), "\n")
|
|
|
|
if len(rules) > 0 {
|
|
|
|
rules = rules[:len(rules)-1]
|
|
|
|
}
|
|
|
|
return rules
|
|
|
|
}
|
|
|
|
|
|
|
|
func resetIptables(t *testing.T) {
|
2023-01-14 22:27:52 +00:00
|
|
|
t.Helper()
|
2022-12-28 12:21:07 +00:00
|
|
|
|
|
|
|
for _, ipVer := range []iptables.IPVersion{iptables.IPv4, iptables.IPv6} {
|
|
|
|
iptable := iptables.GetIptable(ipVer)
|
|
|
|
|
|
|
|
_, err := iptable.Raw("-F", fwdChainName)
|
|
|
|
assert.Check(t, err)
|
2023-07-07 08:54:28 +00:00
|
|
|
_ = iptable.RemoveExistingChain(usrChainName, iptables.Filter)
|
2022-12-28 12:21:07 +00:00
|
|
|
}
|
2021-05-28 20:59:41 +00:00
|
|
|
}
|