2021-05-28 20:59:41 +00:00
|
|
|
package libnetwork
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"strings"
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
"github.com/docker/docker/libnetwork/iptables"
|
|
|
|
"github.com/docker/docker/libnetwork/netlabel"
|
|
|
|
"github.com/docker/docker/libnetwork/options"
|
|
|
|
"gotest.tools/v3/assert"
|
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
fwdChainName = "FORWARD"
|
|
|
|
usrChainName = userChain
|
|
|
|
)
|
|
|
|
|
|
|
|
func TestUserChain(t *testing.T) {
|
2022-12-28 12:21:07 +00:00
|
|
|
iptable4 := iptables.GetIptable(iptables.IPv4)
|
|
|
|
iptable6 := iptables.GetIptable(iptables.IPv6)
|
2021-05-28 20:59:41 +00:00
|
|
|
|
|
|
|
nc, err := New()
|
|
|
|
assert.NilError(t, err)
|
|
|
|
|
|
|
|
tests := []struct {
|
|
|
|
iptables bool
|
|
|
|
insert bool // insert other rules to FORWARD
|
|
|
|
fwdChain []string
|
|
|
|
userChain []string
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
iptables: false,
|
|
|
|
insert: false,
|
|
|
|
fwdChain: []string{"-P FORWARD ACCEPT"},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
iptables: true,
|
|
|
|
insert: false,
|
|
|
|
fwdChain: []string{"-P FORWARD ACCEPT", "-A FORWARD -j DOCKER-USER"},
|
|
|
|
userChain: []string{"-N DOCKER-USER", "-A DOCKER-USER -j RETURN"},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
iptables: true,
|
|
|
|
insert: true,
|
|
|
|
fwdChain: []string{"-P FORWARD ACCEPT", "-A FORWARD -j DOCKER-USER", "-A FORWARD -j DROP"},
|
|
|
|
userChain: []string{"-N DOCKER-USER", "-A DOCKER-USER -j RETURN"},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
resetIptables(t)
|
|
|
|
for _, tc := range tests {
|
|
|
|
tc := tc
|
|
|
|
t.Run(fmt.Sprintf("iptables=%v,insert=%v", tc.iptables, tc.insert), func(t *testing.T) {
|
|
|
|
c := nc.(*controller)
|
2022-09-23 17:40:11 +00:00
|
|
|
c.cfg.DriverCfg["bridge"] = map[string]interface{}{
|
2021-05-28 20:59:41 +00:00
|
|
|
netlabel.GenericData: options.Generic{
|
2022-12-28 12:21:07 +00:00
|
|
|
"EnableIPTables": tc.iptables,
|
|
|
|
"EnableIP6Tables": tc.iptables,
|
2021-05-28 20:59:41 +00:00
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
// init. condition, FORWARD chain empty DOCKER-USER not exist
|
2022-12-28 12:21:07 +00:00
|
|
|
assert.DeepEqual(t, getRules(t, iptables.IPv4, fwdChainName), []string{"-P FORWARD ACCEPT"})
|
|
|
|
assert.DeepEqual(t, getRules(t, iptables.IPv6, fwdChainName), []string{"-P FORWARD ACCEPT"})
|
2021-05-28 20:59:41 +00:00
|
|
|
|
|
|
|
if tc.insert {
|
2022-12-28 12:21:07 +00:00
|
|
|
_, err = iptable4.Raw("-A", fwdChainName, "-j", "DROP")
|
|
|
|
assert.NilError(t, err)
|
|
|
|
_, err = iptable6.Raw("-A", fwdChainName, "-j", "DROP")
|
2021-05-28 20:59:41 +00:00
|
|
|
assert.NilError(t, err)
|
|
|
|
}
|
|
|
|
arrangeUserFilterRule()
|
|
|
|
|
2022-12-28 12:21:07 +00:00
|
|
|
assert.DeepEqual(t, getRules(t, iptables.IPv4, fwdChainName), tc.fwdChain)
|
|
|
|
assert.DeepEqual(t, getRules(t, iptables.IPv6, fwdChainName), tc.fwdChain)
|
2021-05-28 20:59:41 +00:00
|
|
|
if tc.userChain != nil {
|
2022-12-28 12:21:07 +00:00
|
|
|
assert.DeepEqual(t, getRules(t, iptables.IPv4, usrChainName), tc.userChain)
|
|
|
|
assert.DeepEqual(t, getRules(t, iptables.IPv6, usrChainName), tc.userChain)
|
2021-05-28 20:59:41 +00:00
|
|
|
} else {
|
2022-12-28 12:21:07 +00:00
|
|
|
_, err := iptable4.Raw("-S", usrChainName)
|
|
|
|
assert.Assert(t, err != nil, "ipv4 chain %v: created unexpectedly", usrChainName)
|
|
|
|
_, err = iptable6.Raw("-S", usrChainName)
|
|
|
|
assert.Assert(t, err != nil, "ipv6 chain %v: created unexpectedly", usrChainName)
|
2021-05-28 20:59:41 +00:00
|
|
|
}
|
|
|
|
})
|
|
|
|
resetIptables(t)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-12-28 12:21:07 +00:00
|
|
|
func getRules(t *testing.T, ipVer iptables.IPVersion, chain string) []string {
|
|
|
|
iptable := iptables.GetIptable(ipVer)
|
2021-05-28 20:59:41 +00:00
|
|
|
|
|
|
|
t.Helper()
|
|
|
|
output, err := iptable.Raw("-S", chain)
|
|
|
|
assert.NilError(t, err, "chain %s: failed to get rules", chain)
|
|
|
|
|
|
|
|
rules := strings.Split(string(output), "\n")
|
|
|
|
if len(rules) > 0 {
|
|
|
|
rules = rules[:len(rules)-1]
|
|
|
|
}
|
|
|
|
return rules
|
|
|
|
}
|
|
|
|
|
|
|
|
func resetIptables(t *testing.T) {
|
|
|
|
t.Helper()
|
2022-12-28 12:21:07 +00:00
|
|
|
|
|
|
|
for _, ipVer := range []iptables.IPVersion{iptables.IPv4, iptables.IPv6} {
|
|
|
|
iptable := iptables.GetIptable(ipVer)
|
|
|
|
|
|
|
|
_, err := iptable.Raw("-F", fwdChainName)
|
|
|
|
assert.Check(t, err)
|
|
|
|
_ = iptable.RemoveExistingChain(usrChainName, "")
|
|
|
|
}
|
2021-05-28 20:59:41 +00:00
|
|
|
}
|