proxy/iptables: port packet-flow tests to use new parsing stuff

This commit is contained in:
Dan Winship
2022-03-10 12:08:04 -05:00
parent 913f4bc0ba
commit 24e1e3d9ee

View File

@@ -1387,202 +1387,36 @@ func assertIPTablesRulesNotEqual(t *testing.T, line int, expected, result string
} }
} }
// ruleMatchesIP helps test whether an iptables rule such as "! -s 192.168.0.0/16" matches // addressMatches helps test whether an iptables rule such as "! -s 192.168.0.0/16" matches
// ipStr. ruleAddress is either an IP address ("1.2.3.4") or a CIDR string // ipStr. address.Value is either an IP address ("1.2.3.4") or a CIDR string
// ("1.2.3.0/24"). negated is whether the iptables rule negates the match. // ("1.2.3.0/24").
func ruleMatchesIP(t *testing.T, negated bool, ruleAddress, ipStr string) bool { func addressMatches(t *testing.T, address *iptablestest.IPTablesValue, ipStr string) bool {
ip := netutils.ParseIPSloppy(ipStr) ip := netutils.ParseIPSloppy(ipStr)
if ip == nil { if ip == nil {
t.Fatalf("Bad IP in test case: %s", ipStr) t.Fatalf("Bad IP in test case: %s", ipStr)
} }
var matches bool var matches bool
if strings.Contains(ruleAddress, "/") { if strings.Contains(address.Value, "/") {
_, cidr, err := netutils.ParseCIDRSloppy(ruleAddress) _, cidr, err := netutils.ParseCIDRSloppy(address.Value)
if err != nil { if err != nil {
t.Errorf("Bad CIDR in kube-proxy output: %v", err) t.Errorf("Bad CIDR in kube-proxy output: %v", err)
} }
matches = cidr.Contains(ip) matches = cidr.Contains(ip)
} else { } else {
ip2 := netutils.ParseIPSloppy(ruleAddress) ip2 := netutils.ParseIPSloppy(address.Value)
if ip2 == nil { if ip2 == nil {
t.Errorf("Bad IP/CIDR in kube-proxy output: %s", ruleAddress) t.Errorf("Bad IP/CIDR in kube-proxy output: %s", address.Value)
} }
matches = ip.Equal(ip2) matches = ip.Equal(ip2)
} }
return (!negated && matches) || (negated && !matches) return (!address.Negated && matches) || (address.Negated && !matches)
} }
// Regular expressions used by iptablesTracer. Note that these are not fully general-purpose
// and may need to be updated if we make large changes to our iptable rules.
var addRuleToChainRegex = regexp.MustCompile(`-A ([^ ]*) `)
var moduleRegex = regexp.MustCompile("-m ([^ ]*)")
var commentRegex = regexp.MustCompile(`-m comment --comment ("[^"]*"|[^" ]*) `)
var srcLocalRegex = regexp.MustCompile("(!)? --src-type LOCAL")
var destLocalRegex = regexp.MustCompile("(!)? --dst-type LOCAL")
var destIPRegex = regexp.MustCompile("(!)? -d ([^ ]*) ")
var destPortRegex = regexp.MustCompile(" --dport ([^ ]*) ")
var sourceIPRegex = regexp.MustCompile("(!)? -s ([^ ]*) ")
var affinityRegex = regexp.MustCompile(" --rcheck ")
// (If `--probability` appears, it can only appear before the `-j`, and if `--to-destination`
// appears it can only appear after the `-j`, so this is not as fragile as it looks.
var jumpRegex = regexp.MustCompile("(--probability.*)? -j ([^ ]*)( --to-destination (.*))?$")
func Test_iptablesTracerRegexps(t *testing.T) {
testCases := []struct {
name string
regex *regexp.Regexp
rule string
matches []string
}{
{
name: "addRuleToChainRegex",
regex: addRuleToChainRegex,
rule: `-A KUBE-NODEPORTS -m comment --comment "ns2/svc2:p80 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT`,
matches: []string{`-A KUBE-NODEPORTS `, "KUBE-NODEPORTS"},
},
{
name: "addRuleToChainRegex requires an actual rule, not just a chain name",
regex: addRuleToChainRegex,
rule: `-A KUBE-NODEPORTS`,
matches: nil,
},
{
name: "addRuleToChainRegex only matches adds",
regex: addRuleToChainRegex,
rule: `-D KUBE-NODEPORTS -m comment --comment "ns2/svc2:p80 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT`,
matches: nil,
},
{
name: "commentRegex with quoted comment",
regex: commentRegex,
rule: `-A KUBE-NODEPORTS -m comment --comment "ns2/svc2:p80 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT`,
matches: []string{`-m comment --comment "ns2/svc2:p80 health check node port" `, `"ns2/svc2:p80 health check node port"`},
},
{
name: "commentRegex with unquoted comment",
regex: commentRegex,
rule: `-A KUBE-SVC-XPGD46QRK7WJZT7O -m comment --comment ns1/svc1:p80 -j KUBE-SEP-SXIVWICOYRO3J4NJ`,
matches: []string{`-m comment --comment ns1/svc1:p80 `, "ns1/svc1:p80"},
},
{
name: "no comment",
regex: commentRegex,
rule: `-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000`,
matches: nil,
},
{
name: "moduleRegex",
regex: moduleRegex,
rule: `-A KUBE-NODEPORTS -m comment --comment "ns2/svc2:p80 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT`,
matches: []string{"-m comment", "comment"},
},
{
name: "local source",
regex: srcLocalRegex,
rule: `-A KUBE-XLB-GNZBNJ2PO5MGZ6GT -m comment --comment "masquerade LOCAL traffic for ns2/svc2:p80 LB IP" -m addrtype --src-type LOCAL -j KUBE-MARK-MASQ`,
matches: []string{" --src-type LOCAL", ""},
},
{
name: "not local destination",
regex: destLocalRegex,
rule: `-A RULE-TYPE-NOT-CURRENTLY-USED-BY-KUBE-PROXY -m addrtype ! --dst-type LOCAL -j KUBE-MARK-MASQ`,
matches: []string{"! --dst-type LOCAL", "!"},
},
{
name: "destination IP",
regex: destIPRegex,
rule: `-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O`,
matches: []string{" -d 172.30.0.41 ", "", "172.30.0.41"},
},
{
name: "destination port",
regex: destPortRegex,
rule: `-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O`,
matches: []string{" --dport 80 ", "80"},
},
{
name: "destination IP but no port",
regex: destPortRegex,
rule: `-A KUBE-SVC-XPGD46QRK7WJZT7O -d 172.30.0.41 ! -s 10.0.0.0/8 -j KUBE-MARK-MASQ`,
matches: nil,
},
{
name: "source IP",
regex: sourceIPRegex,
rule: `-A KUBE-SEP-SXIVWICOYRO3J4NJ -m comment --comment ns1/svc1:p80 -s 10.180.0.1 -j KUBE-MARK-MASQ`,
matches: []string{" -s 10.180.0.1 ", "", "10.180.0.1"},
},
{
name: "not source IP",
regex: sourceIPRegex,
rule: `-A KUBE-SVC-XPGD46QRK7WJZT7O -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 ! -s 10.0.0.0/8 -j KUBE-MARK-MASQ`,
matches: []string{"! -s 10.0.0.0/8 ", "!", "10.0.0.0/8"},
},
{
name: "affinityRegex",
regex: affinityRegex,
rule: `-A KUBE-SVC-XPGD46QRK7WJZT7O -m comment --comment ns1/svc1:p80 -m recent --name KUBE-SEP-SXIVWICOYRO3J4NJ --rcheck --seconds 10800 --reap -j KUBE-SEP-SXIVWICOYRO3J4NJ`,
matches: []string{" --rcheck "},
},
{
name: "jump to internal target",
regex: jumpRegex,
rule: `-A KUBE-NODEPORTS -m comment --comment "ns2/svc2:p80 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT`,
matches: []string{" -j ACCEPT", "", "ACCEPT", "", ""},
},
{
name: "jump to KUBE chain",
regex: jumpRegex,
rule: `-A KUBE-SVC-XPGD46QRK7WJZT7O -m comment --comment ns1/svc1:p80 -j KUBE-SEP-SXIVWICOYRO3J4NJ`,
matches: []string{" -j KUBE-SEP-SXIVWICOYRO3J4NJ", "", "KUBE-SEP-SXIVWICOYRO3J4NJ", "", ""},
},
{
name: "jump to DNAT",
regex: jumpRegex,
rule: `-A KUBE-SEP-SXIVWICOYRO3J4NJ -m comment --comment ns1/svc1:p80 -m tcp -p tcp -j DNAT --to-destination 10.180.0.1:80`,
matches: []string{" -j DNAT --to-destination 10.180.0.1:80", "", "DNAT", " --to-destination 10.180.0.1:80", "10.180.0.1:80"},
},
{
name: "jump to endpoint",
regex: jumpRegex,
rule: `-A KUBE-SVC-4SW47YFZTEDKD3PK -m comment --comment ns4/svc4:p80 -m statistic --mode random --probability 0.5000000000 -j KUBE-SEP-UKSFD7AGPMPPLUHC`,
matches: []string{"--probability 0.5000000000 -j KUBE-SEP-UKSFD7AGPMPPLUHC", "--probability 0.5000000000", "KUBE-SEP-UKSFD7AGPMPPLUHC", "", ""},
},
}
for _, testCase := range testCases {
t.Run(testCase.name, func(t *testing.T) {
matches := testCase.regex.FindStringSubmatch(testCase.rule)
if !reflect.DeepEqual(matches, testCase.matches) {
t.Errorf("bad match: expected %#v, got %#v", testCase.matches, matches)
}
})
}
}
// knownModules is the set of modules (ie "-m foo") that we allow to be present in rules passed
// to an iptablesTracer. If a rule using another module is found in a rule, the test will
// fail.
//
// If a module is in knownModules but is not in noMatchModules and is not handled by
// ruleMatches, then the result is that match rules using that module will have no effect
// for tracing purposes.
var knownModules = sets.NewString("addrtype", "comment", "conntrack", "mark", "recent", "statistic", "tcp", "udp")
// noMatchModules is the list of modules that if we see them in a rule, we just
// assume the rule doesn't match and ignore it (because rules with these modules exist
// in the data we are testing against, but aren't relevant to what we're testing).
var noMatchModules = sets.NewString("conntrack", "mark")
type iptablesChain []string
type iptablesTable map[string]iptablesChain
// iptablesTracer holds data used while virtually tracing a packet through a set of // iptablesTracer holds data used while virtually tracing a packet through a set of
// iptables rules // iptables rules
type iptablesTracer struct { type iptablesTracer struct {
tables map[string]iptablesTable ipt *iptablestest.FakeIPTables
nodeIP string nodeIP string
t *testing.T t *testing.T
@@ -1600,109 +1434,56 @@ type iptablesTracer struct {
markDrop bool markDrop bool
} }
// newIPTablesTracer creates an iptablesTracer. ruleData is an iptables rule dump (as with // newIPTablesTracer creates an iptablesTracer. nodeIP is the IP to treat as the local
// "iptables-save"). nodeIP is the IP to treat as the local node IP (for determining // node IP (for determining whether rules with "--src-type LOCAL" or "--dst-type LOCAL"
// whether rules with "--src-type LOCAL" or "--dst-type LOCAL" match). // match).
func newIPTablesTracer(t *testing.T, ruleData, nodeIP string) (*iptablesTracer, error) { func newIPTablesTracer(t *testing.T, ipt *iptablestest.FakeIPTables, nodeIP string) *iptablesTracer {
tables, err := parseIPTablesData(ruleData) return &iptablesTracer{
if err != nil { ipt: ipt,
return nil, err
}
tracer := &iptablesTracer{
tables: make(map[string]iptablesTable),
nodeIP: nodeIP, nodeIP: nodeIP,
t: t, t: t,
} }
for name, rules := range tables {
table := make(iptablesTable)
for _, rule := range rules {
match := addRuleToChainRegex.FindStringSubmatch(rule)
if match != nil {
chainName := match[1]
table[chainName] = append(table[chainName], rule)
}
}
tracer.tables[name] = table
}
return tracer, nil
} }
// ruleMatches checks if the given iptables rule matches (at least probabilistically) a // ruleMatches checks if the given iptables rule matches (at least probabilistically) a
// packet with the given sourceIP, destIP, and destPort. (Note that protocol is currently // packet with the given sourceIP, destIP, and destPort. (Note that protocol is currently
// ignored.) // ignored.)
func (tracer *iptablesTracer) ruleMatches(rule, sourceIP, destIP, destPort string) bool { func (tracer *iptablesTracer) ruleMatches(rule *iptablestest.Rule, sourceIP, destIP, destPort string) bool {
var match []string
// Delete comments so we don't mistakenly match something in a comment string later
rule = commentRegex.ReplaceAllString(rule, "")
// Make sure the rule only uses modules ("-m foo") that we are aware of
for _, matches := range moduleRegex.FindAllStringSubmatch(rule, -1) {
moduleName := matches[1]
if !knownModules.Has(moduleName) {
tracer.t.Errorf("Rule %q uses unknown iptables module %q", rule, moduleName)
}
if noMatchModules.Has(moduleName) {
// This rule is doing something irrelevant to iptablesTracer
return false
}
}
// The sub-rules within an iptables rule are ANDed together, so the rule only // The sub-rules within an iptables rule are ANDed together, so the rule only
// matches if all of them match. So go through the subrules, and if any of them // matches if all of them match. So go through the subrules, and if any of them
// DON'T match, then fail. // DON'T match, then fail.
// Match local/non-local. if rule.SourceAddress != nil && !addressMatches(tracer.t, rule.SourceAddress, sourceIP) {
match = srcLocalRegex.FindStringSubmatch(rule)
if match != nil {
wantLocal := (match[1] != "!")
sourceIsLocal := (sourceIP == tracer.nodeIP || sourceIP == "127.0.0.1")
if wantLocal != sourceIsLocal {
return false return false
} }
if rule.SourceType != nil {
addrtype := "not-matched"
if sourceIP == tracer.nodeIP || sourceIP == "127.0.0.1" {
addrtype = "LOCAL"
} }
match = destLocalRegex.FindStringSubmatch(rule) if !rule.SourceType.Matches(addrtype) {
if match != nil {
wantLocal := (match[1] != "!")
destIsLocal := (destIP == tracer.nodeIP || destIP == "127.0.0.1")
if wantLocal != destIsLocal {
return false return false
} }
} }
// Match destination IP/port. if rule.DestinationAddress != nil && !addressMatches(tracer.t, rule.DestinationAddress, destIP) {
match = destIPRegex.FindStringSubmatch(rule) return false
if match != nil { }
negated := match[1] == "!" if rule.DestinationType != nil {
ruleAddress := match[2] addrtype := "not-matched"
if !ruleMatchesIP(tracer.t, negated, ruleAddress, destIP) { if destIP == tracer.nodeIP || destIP == "127.0.0.1" {
addrtype = "LOCAL"
}
if !rule.DestinationType.Matches(addrtype) {
return false return false
} }
} }
match = destPortRegex.FindStringSubmatch(rule) if rule.DestinationPort != nil && !rule.DestinationPort.Matches(destPort) {
if match != nil {
rulePort := match[1]
if rulePort != destPort {
return false return false
} }
}
// Match source IP (but not currently port) // Any rule that checks for past state/history does not match
match = sourceIPRegex.FindStringSubmatch(rule) if rule.AffinityCheck != nil || rule.MarkCheck != nil || rule.CTStateCheck != nil {
if match != nil {
negated := match[1] == "!"
ruleAddress := match[2]
if !ruleMatchesIP(tracer.t, negated, ruleAddress, sourceIP) {
return false
}
}
// The iptablesTracer has no state/history, so any rule that checks whether affinity
// has been established for a particular endpoint must not match.
if affinityRegex.MatchString(rule) {
return false return false
} }
@@ -1712,25 +1493,26 @@ func (tracer *iptablesTracer) ruleMatches(rule, sourceIP, destIP, destPort strin
// runChain runs the given packet through the rules in the given table and chain, updating // runChain runs the given packet through the rules in the given table and chain, updating
// tracer's internal state accordingly. It returns true if it hits a terminal action. // tracer's internal state accordingly. It returns true if it hits a terminal action.
func (tracer *iptablesTracer) runChain(table, chain, sourceIP, destIP, destPort string) bool { func (tracer *iptablesTracer) runChain(table utiliptables.Table, chain utiliptables.Chain, sourceIP, destIP, destPort string) bool {
for _, rule := range tracer.tables[table][chain] { c, _ := tracer.ipt.Dump.GetChain(table, chain)
match := jumpRegex.FindStringSubmatch(rule) if c == nil {
if match == nil { return false
}
for _, rule := range c.Rules {
if rule.Jump == nil {
// You _can_ have rules that don't end in `-j`, but we don't currently // You _can_ have rules that don't end in `-j`, but we don't currently
// do that. // do that.
tracer.t.Errorf("Could not find jump target in rule %q", rule) tracer.t.Errorf("Could not find jump target in rule %q", rule.Raw)
} }
isProbabilisticMatch := (match[1] != "")
target := match[2]
natDestination := match[4]
if !tracer.ruleMatches(rule, sourceIP, destIP, destPort) { if !tracer.ruleMatches(rule, sourceIP, destIP, destPort) {
continue continue
} }
// record the matched rule for debugging purposes // record the matched rule for debugging purposes
tracer.matches = append(tracer.matches, rule) tracer.matches = append(tracer.matches, rule.Raw)
switch target { switch rule.Jump.Value {
case "KUBE-MARK-MASQ": case "KUBE-MARK-MASQ":
tracer.markMasq = true tracer.markMasq = true
continue continue
@@ -1741,24 +1523,24 @@ func (tracer *iptablesTracer) runChain(table, chain, sourceIP, destIP, destPort
case "ACCEPT", "REJECT": case "ACCEPT", "REJECT":
// (only valid in filter) // (only valid in filter)
tracer.outputs = append(tracer.outputs, target) tracer.outputs = append(tracer.outputs, rule.Jump.Value)
return true return true
case "DNAT": case "DNAT":
// (only valid in nat) // (only valid in nat)
tracer.outputs = append(tracer.outputs, natDestination) tracer.outputs = append(tracer.outputs, rule.DNATDestination.Value)
return true return true
default: default:
// We got a "-j KUBE-SOMETHING", so process that chain // We got a "-j KUBE-SOMETHING", so process that chain
terminated := tracer.runChain(table, target, sourceIP, destIP, destPort) terminated := tracer.runChain(table, utiliptables.Chain(rule.Jump.Value), sourceIP, destIP, destPort)
// If the subchain hit a terminal rule AND the rule that sent us // If the subchain hit a terminal rule AND the rule that sent us
// to that chain was non-probabilistic, then this chain terminates // to that chain was non-probabilistic, then this chain terminates
// as well. But if we went there because of a --probability rule, // as well. But if we went there because of a --probability rule,
// then we want to keep accumulating further matches against this // then we want to keep accumulating further matches against this
// chain. // chain.
if terminated && !isProbabilisticMatch { if terminated && rule.Probability == nil {
return true return true
} }
} }
@@ -1774,42 +1556,33 @@ func (tracer *iptablesTracer) runChain(table, chain, sourceIP, destIP, destPort
// The return values are: an array of matched rules (for debugging), the final packet // The return values are: an array of matched rules (for debugging), the final packet
// destinations (a comma-separated list of IPs, or one of the special targets "ACCEPT", // destinations (a comma-separated list of IPs, or one of the special targets "ACCEPT",
// "DROP", or "REJECT"), and whether the packet would be masqueraded. // "DROP", or "REJECT"), and whether the packet would be masqueraded.
func tracePacket(t *testing.T, ruleData, sourceIP, destIP, destPort, nodeIP string) ([]string, string, bool) { func tracePacket(t *testing.T, ipt *iptablestest.FakeIPTables, sourceIP, destIP, destPort, nodeIP string) ([]string, string, bool) {
tracer, err := newIPTablesTracer(t, ruleData, nodeIP) tracer := newIPTablesTracer(t, ipt, nodeIP)
if err != nil {
t.Errorf("Bad iptables ruleData: %v", err)
}
// nat:PREROUTING goes first, then the filter chains, then nat:POSTROUTING. For our // nat:PREROUTING goes first
// purposes that means we run through the "nat" chains first, starting from the top of tracer.runChain(utiliptables.TableNAT, utiliptables.ChainPrerouting, sourceIP, destIP, destPort)
// KUBE-SERVICES, then we do the "filter" chains. The only interesting thing that
// happens in nat:POSTROUTING is that the masquerade mark gets turned into actual
// masquerading.
// FIXME: we ought to be able to say // After the PREROUTING rules run, pending DNATs are processed (which would affect
// trace.runChain("nat", "PREROUTING", ...) // the destination IP that later rules match against).
// here instead of
// trace.runChain("nat", "KUBE-SERVICES", ...)
// (and similarly below with the "filter" chains) but this doesn't work because the
// rules like "-A PREROUTING -j KUBE-SERVICES" are created with iptables.EnsureRule(),
// which iptablestest.FakeIPTables doesn't implement, so those rules will be missing
// from the ruleData we have. So we have to explicitly specify each kube-proxy chain
// we want to run through here.
tracer.runChain("nat", "KUBE-SERVICES", sourceIP, destIP, destPort)
// Process pending DNAT (which theoretically might affect REJECT/ACCEPT filter rules)
if len(tracer.outputs) != 0 { if len(tracer.outputs) != 0 {
destIP = strings.Split(tracer.outputs[0], ":")[0] destIP = strings.Split(tracer.outputs[0], ":")[0]
} }
// Now run the filter rules to see if the packet is REJECTed or ACCEPTed. The DROP // Now the filter rules get run; exactly which ones depend on whether this is an
// rule is created by kubelet, not us, so we have to simulate that manually // inbound, outbound, or intra-host packet, which we don't know. So we just run
// the interesting tables manually. (Theoretically this could cause conflicts in
// the future in which case we'd have to do something more complicated.)
// The DROP rule is created by kubelet, not us, so we have to simulate that manually.
if tracer.markDrop { if tracer.markDrop {
return tracer.matches, "DROP", false return tracer.matches, "DROP", false
} }
tracer.runChain("filter", "KUBE-SERVICES", sourceIP, destIP, destPort) tracer.runChain(utiliptables.TableFilter, kubeServicesChain, sourceIP, destIP, destPort)
tracer.runChain("filter", "KUBE-EXTERNAL-SERVICES", sourceIP, destIP, destPort) tracer.runChain(utiliptables.TableFilter, kubeExternalServicesChain, sourceIP, destIP, destPort)
tracer.runChain("filter", "KUBE-NODEPORTS", sourceIP, destIP, destPort) tracer.runChain(utiliptables.TableFilter, kubeNodePortsChain, sourceIP, destIP, destPort)
// Finally, the nat:POSTROUTING rules run, but the only interesting thing that
// happens there is that the masquerade mark gets turned into actual masquerading.
return tracer.matches, strings.Join(tracer.outputs, ", "), tracer.markMasq return tracer.matches, strings.Join(tracer.outputs, ", "), tracer.markMasq
} }
@@ -1823,14 +1596,14 @@ type packetFlowTest struct {
masq bool masq bool
} }
func runPacketFlowTests(t *testing.T, line int, ruleData, nodeIP string, testCases []packetFlowTest) { func runPacketFlowTests(t *testing.T, line int, ipt *iptablestest.FakeIPTables, nodeIP string, testCases []packetFlowTest) {
lineStr := "" lineStr := ""
if line != 0 { if line != 0 {
lineStr = fmt.Sprintf(" (from line %d)", line) lineStr = fmt.Sprintf(" (from line %d)", line)
} }
for _, tc := range testCases { for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) { t.Run(tc.name, func(t *testing.T) {
matches, output, masq := tracePacket(t, ruleData, tc.sourceIP, tc.destIP, fmt.Sprintf("%d", tc.destPort), nodeIP) matches, output, masq := tracePacket(t, ipt, tc.sourceIP, tc.destIP, fmt.Sprintf("%d", tc.destPort), nodeIP)
var errors []string var errors []string
if output != tc.output { if output != tc.output {
errors = append(errors, fmt.Sprintf("wrong output: expected %q got %q", tc.output, output)) errors = append(errors, fmt.Sprintf("wrong output: expected %q got %q", tc.output, output))
@@ -1851,10 +1624,19 @@ func runPacketFlowTests(t *testing.T, line int, ruleData, nodeIP string, testCas
func TestTracePackets(t *testing.T) { func TestTracePackets(t *testing.T) {
rules := dedent.Dedent(` rules := dedent.Dedent(`
*filter *filter
:INPUT - [0:0]
:FORWARD - [0:0]
:OUTPUT - [0:0]
:KUBE-EXTERNAL-SERVICES - [0:0] :KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-FORWARD - [0:0] :KUBE-FORWARD - [0:0]
:KUBE-NODEPORTS - [0:0] :KUBE-NODEPORTS - [0:0]
:KUBE-SERVICES - [0:0] :KUBE-SERVICES - [0:0]
-A INPUT -m comment --comment kubernetes health check service ports -j KUBE-NODEPORTS
-A INPUT -m conntrack --ctstate NEW -m comment --comment kubernetes externally-visible service portals -j KUBE-EXTERNAL-SERVICES
-A FORWARD -m comment --comment kubernetes forwarding rules -j KUBE-FORWARD
-A FORWARD -m conntrack --ctstate NEW -m comment --comment kubernetes service portals -j KUBE-SERVICES
-A FORWARD -m conntrack --ctstate NEW -m comment --comment kubernetes externally-visible service portals -j KUBE-EXTERNAL-SERVICES
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment kubernetes service portals -j KUBE-SERVICES
-A KUBE-NODEPORTS -m comment --comment "ns2/svc2:p80 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT -A KUBE-NODEPORTS -m comment --comment "ns2/svc2:p80 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
-A KUBE-SERVICES -m comment --comment "ns3/svc3:p80 has no endpoints" -m tcp -p tcp -d 172.30.0.43 --dport 80 -j REJECT -A KUBE-SERVICES -m comment --comment "ns3/svc3:p80 has no endpoints" -m tcp -p tcp -d 172.30.0.43 --dport 80 -j REJECT
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
@@ -1862,6 +1644,10 @@ func TestTracePackets(t *testing.T) {
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT COMMIT
*nat *nat
:PREROUTING - [0:0]
:INPUT - [0:0]
:OUTPUT - [0:0]
:POSTROUTING - [0:0]
:KUBE-EXT-4SW47YFZTEDKD3PK - [0:0] :KUBE-EXT-4SW47YFZTEDKD3PK - [0:0]
:KUBE-EXT-GNZBNJ2PO5MGZ6GT - [0:0] :KUBE-EXT-GNZBNJ2PO5MGZ6GT - [0:0]
:KUBE-EXT-PAZTZYUUMV5KCDZL - [0:0] :KUBE-EXT-PAZTZYUUMV5KCDZL - [0:0]
@@ -1879,6 +1665,13 @@ func TestTracePackets(t *testing.T) {
:KUBE-SVC-GNZBNJ2PO5MGZ6GT - [0:0] :KUBE-SVC-GNZBNJ2PO5MGZ6GT - [0:0]
:KUBE-SVC-XPGD46QRK7WJZT7O - [0:0] :KUBE-SVC-XPGD46QRK7WJZT7O - [0:0]
:KUBE-SVL-GNZBNJ2PO5MGZ6GT - [0:0] :KUBE-SVL-GNZBNJ2PO5MGZ6GT - [0:0]
-A PREROUTING -m comment --comment kubernetes service portals -j KUBE-SERVICES
-A OUTPUT -m comment --comment kubernetes service portals -j KUBE-SERVICES
-A POSTROUTING -m comment --comment kubernetes postrouting rules -j KUBE-POSTROUTING
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE
-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
-A KUBE-NODEPORTS -m comment --comment ns2/svc2:p80 -m tcp -p tcp --dport 3001 -j KUBE-EXT-GNZBNJ2PO5MGZ6GT -A KUBE-NODEPORTS -m comment --comment ns2/svc2:p80 -m tcp -p tcp --dport 3001 -j KUBE-EXT-GNZBNJ2PO5MGZ6GT
-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O -A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O
-A KUBE-SERVICES -m comment --comment "ns2/svc2:p80 cluster IP" -m tcp -p tcp -d 172.30.0.42 --dport 80 -j KUBE-SVC-GNZBNJ2PO5MGZ6GT -A KUBE-SERVICES -m comment --comment "ns2/svc2:p80 cluster IP" -m tcp -p tcp -d 172.30.0.42 --dport 80 -j KUBE-SVC-GNZBNJ2PO5MGZ6GT
@@ -1918,7 +1711,13 @@ func TestTracePackets(t *testing.T) {
COMMIT COMMIT
`) `)
runPacketFlowTests(t, getLine(), rules, testNodeIP, []packetFlowTest{ ipt := iptablestest.NewFake()
err := ipt.RestoreAll([]byte(rules), utiliptables.NoFlushTables, utiliptables.RestoreCounters)
if err != nil {
t.Fatalf("Restore of test data failed: %v", err)
}
runPacketFlowTests(t, getLine(), ipt, testNodeIP, []packetFlowTest{
{ {
name: "no match", name: "no match",
sourceIP: "10.0.0.2", sourceIP: "10.0.0.2",
@@ -2273,7 +2072,7 @@ func TestClusterIPReject(t *testing.T) {
assertIPTablesRulesEqual(t, getLine(), expected, fp.iptablesData.String()) assertIPTablesRulesEqual(t, getLine(), expected, fp.iptablesData.String())
runPacketFlowTests(t, getLine(), fp.iptablesData.String(), testNodeIP, []packetFlowTest{ runPacketFlowTests(t, getLine(), ipt, testNodeIP, []packetFlowTest{
{ {
name: "cluster IP rejected", name: "cluster IP rejected",
sourceIP: "10.0.0.2", sourceIP: "10.0.0.2",
@@ -2355,7 +2154,7 @@ func TestClusterIPEndpointsJump(t *testing.T) {
`) `)
assertIPTablesRulesEqual(t, getLine(), expected, fp.iptablesData.String()) assertIPTablesRulesEqual(t, getLine(), expected, fp.iptablesData.String())
runPacketFlowTests(t, getLine(), fp.iptablesData.String(), testNodeIP, []packetFlowTest{ runPacketFlowTests(t, getLine(), ipt, testNodeIP, []packetFlowTest{
{ {
name: "cluster IP accepted", name: "cluster IP accepted",
sourceIP: "10.180.0.2", sourceIP: "10.180.0.2",
@@ -2474,7 +2273,7 @@ func TestLoadBalancer(t *testing.T) {
assertIPTablesRulesEqual(t, getLine(), expected, fp.iptablesData.String()) assertIPTablesRulesEqual(t, getLine(), expected, fp.iptablesData.String())
runPacketFlowTests(t, getLine(), fp.iptablesData.String(), testNodeIP, []packetFlowTest{ runPacketFlowTests(t, getLine(), ipt, testNodeIP, []packetFlowTest{
{ {
name: "pod to cluster IP", name: "pod to cluster IP",
sourceIP: "10.0.0.2", sourceIP: "10.0.0.2",
@@ -2661,7 +2460,7 @@ func TestNodePort(t *testing.T) {
`) `)
assertIPTablesRulesEqual(t, getLine(), expected, fp.iptablesData.String()) assertIPTablesRulesEqual(t, getLine(), expected, fp.iptablesData.String())
runPacketFlowTests(t, getLine(), fp.iptablesData.String(), testNodeIP, []packetFlowTest{ runPacketFlowTests(t, getLine(), ipt, testNodeIP, []packetFlowTest{
{ {
name: "pod to cluster IP", name: "pod to cluster IP",
sourceIP: "10.0.0.2", sourceIP: "10.0.0.2",
@@ -2755,7 +2554,7 @@ func TestHealthCheckNodePort(t *testing.T) {
assertIPTablesRulesEqual(t, getLine(), expected, fp.iptablesData.String()) assertIPTablesRulesEqual(t, getLine(), expected, fp.iptablesData.String())
runPacketFlowTests(t, getLine(), fp.iptablesData.String(), testNodeIP, []packetFlowTest{ runPacketFlowTests(t, getLine(), ipt, testNodeIP, []packetFlowTest{
{ {
name: "firewall accepts HealthCheckNodePort", name: "firewall accepts HealthCheckNodePort",
sourceIP: "1.2.3.4", sourceIP: "1.2.3.4",
@@ -2769,7 +2568,7 @@ func TestHealthCheckNodePort(t *testing.T) {
fp.OnServiceDelete(svc) fp.OnServiceDelete(svc)
fp.syncProxyRules() fp.syncProxyRules()
runPacketFlowTests(t, getLine(), fp.iptablesData.String(), testNodeIP, []packetFlowTest{ runPacketFlowTests(t, getLine(), ipt, testNodeIP, []packetFlowTest{
{ {
name: "HealthCheckNodePort no longer has any rule", name: "HealthCheckNodePort no longer has any rule",
sourceIP: "1.2.3.4", sourceIP: "1.2.3.4",
@@ -2871,7 +2670,7 @@ func TestExternalIPsReject(t *testing.T) {
`) `)
assertIPTablesRulesEqual(t, getLine(), expected, fp.iptablesData.String()) assertIPTablesRulesEqual(t, getLine(), expected, fp.iptablesData.String())
runPacketFlowTests(t, getLine(), fp.iptablesData.String(), testNodeIP, []packetFlowTest{ runPacketFlowTests(t, getLine(), ipt, testNodeIP, []packetFlowTest{
{ {
name: "cluster IP with no endpoints", name: "cluster IP with no endpoints",
sourceIP: "10.0.0.2", sourceIP: "10.0.0.2",
@@ -2979,7 +2778,7 @@ func TestOnlyLocalExternalIPs(t *testing.T) {
`) `)
assertIPTablesRulesEqual(t, getLine(), expected, fp.iptablesData.String()) assertIPTablesRulesEqual(t, getLine(), expected, fp.iptablesData.String())
runPacketFlowTests(t, getLine(), fp.iptablesData.String(), testNodeIP, []packetFlowTest{ runPacketFlowTests(t, getLine(), ipt, testNodeIP, []packetFlowTest{
{ {
name: "cluster IP hits both endpoints", name: "cluster IP hits both endpoints",
sourceIP: "10.0.0.2", sourceIP: "10.0.0.2",
@@ -3086,7 +2885,7 @@ func TestNonLocalExternalIPs(t *testing.T) {
`) `)
assertIPTablesRulesEqual(t, getLine(), expected, fp.iptablesData.String()) assertIPTablesRulesEqual(t, getLine(), expected, fp.iptablesData.String())
runPacketFlowTests(t, getLine(), fp.iptablesData.String(), testNodeIP, []packetFlowTest{ runPacketFlowTests(t, getLine(), ipt, testNodeIP, []packetFlowTest{
{ {
name: "pod to cluster IP", name: "pod to cluster IP",
sourceIP: "10.0.0.2", sourceIP: "10.0.0.2",
@@ -3158,7 +2957,7 @@ func TestNodePortReject(t *testing.T) {
`) `)
assertIPTablesRulesEqual(t, getLine(), expected, fp.iptablesData.String()) assertIPTablesRulesEqual(t, getLine(), expected, fp.iptablesData.String())
runPacketFlowTests(t, getLine(), fp.iptablesData.String(), testNodeIP, []packetFlowTest{ runPacketFlowTests(t, getLine(), ipt, testNodeIP, []packetFlowTest{
{ {
name: "pod to cluster IP", name: "pod to cluster IP",
sourceIP: "10.0.0.2", sourceIP: "10.0.0.2",
@@ -3249,7 +3048,7 @@ func TestLoadBalancerReject(t *testing.T) {
`) `)
assertIPTablesRulesEqual(t, getLine(), expected, fp.iptablesData.String()) assertIPTablesRulesEqual(t, getLine(), expected, fp.iptablesData.String())
runPacketFlowTests(t, getLine(), fp.iptablesData.String(), testNodeIP, []packetFlowTest{ runPacketFlowTests(t, getLine(), ipt, testNodeIP, []packetFlowTest{
{ {
name: "pod to cluster IP", name: "pod to cluster IP",
sourceIP: "10.0.0.2", sourceIP: "10.0.0.2",
@@ -3381,7 +3180,7 @@ func TestOnlyLocalLoadBalancing(t *testing.T) {
`) `)
assertIPTablesRulesEqual(t, getLine(), expected, fp.iptablesData.String()) assertIPTablesRulesEqual(t, getLine(), expected, fp.iptablesData.String())
runPacketFlowTests(t, getLine(), fp.iptablesData.String(), testNodeIP, []packetFlowTest{ runPacketFlowTests(t, getLine(), ipt, testNodeIP, []packetFlowTest{
{ {
name: "pod to cluster IP hits both endpoints", name: "pod to cluster IP hits both endpoints",
sourceIP: "10.0.0.2", sourceIP: "10.0.0.2",
@@ -3555,7 +3354,7 @@ func onlyLocalNodePorts(t *testing.T, fp *Proxier, ipt *iptablestest.FakeIPTable
assertIPTablesRulesEqual(t, line, expected, fp.iptablesData.String()) assertIPTablesRulesEqual(t, line, expected, fp.iptablesData.String())
runPacketFlowTests(t, line, fp.iptablesData.String(), testNodeIP, []packetFlowTest{ runPacketFlowTests(t, line, ipt, testNodeIP, []packetFlowTest{
{ {
name: "pod to cluster IP hit both endpoints", name: "pod to cluster IP hit both endpoints",
sourceIP: "10.0.0.2", sourceIP: "10.0.0.2",
@@ -3583,7 +3382,7 @@ func onlyLocalNodePorts(t *testing.T, fp *Proxier, ipt *iptablestest.FakeIPTable
if fp.localDetector.IsImplemented() { if fp.localDetector.IsImplemented() {
// pod-to-NodePort is treated as internal traffic, so we see both endpoints // pod-to-NodePort is treated as internal traffic, so we see both endpoints
runPacketFlowTests(t, line, fp.iptablesData.String(), testNodeIP, []packetFlowTest{ runPacketFlowTests(t, line, ipt, testNodeIP, []packetFlowTest{
{ {
name: "pod to NodePort hits both endpoints", name: "pod to NodePort hits both endpoints",
sourceIP: "10.0.0.2", sourceIP: "10.0.0.2",
@@ -3596,7 +3395,7 @@ func onlyLocalNodePorts(t *testing.T, fp *Proxier, ipt *iptablestest.FakeIPTable
} else { } else {
// pod-to-NodePort is (incorrectly) treated as external traffic // pod-to-NodePort is (incorrectly) treated as external traffic
// when there is no LocalTrafficDetector. // when there is no LocalTrafficDetector.
runPacketFlowTests(t, line, fp.iptablesData.String(), testNodeIP, []packetFlowTest{ runPacketFlowTests(t, line, ipt, testNodeIP, []packetFlowTest{
{ {
name: "pod to NodePort hits only local endpoint", name: "pod to NodePort hits only local endpoint",
sourceIP: "10.0.0.2", sourceIP: "10.0.0.2",
@@ -5503,7 +5302,7 @@ func TestInternalTrafficPolicyE2E(t *testing.T) {
fp.OnEndpointSliceAdd(endpointSlice) fp.OnEndpointSliceAdd(endpointSlice)
fp.syncProxyRules() fp.syncProxyRules()
assertIPTablesRulesEqual(t, tc.line, tc.expectedIPTablesWithSlice, fp.iptablesData.String()) assertIPTablesRulesEqual(t, tc.line, tc.expectedIPTablesWithSlice, fp.iptablesData.String())
runPacketFlowTests(t, tc.line, fp.iptablesData.String(), testNodeIP, tc.flowTests) runPacketFlowTests(t, tc.line, ipt, testNodeIP, tc.flowTests)
fp.OnEndpointSliceDelete(endpointSlice) fp.OnEndpointSliceDelete(endpointSlice)
fp.syncProxyRules() fp.syncProxyRules()
@@ -5512,7 +5311,7 @@ func TestInternalTrafficPolicyE2E(t *testing.T) {
fp.syncProxyRules() fp.syncProxyRules()
assertIPTablesRulesNotEqual(t, tc.line, tc.expectedIPTablesWithSlice, fp.iptablesData.String()) assertIPTablesRulesNotEqual(t, tc.line, tc.expectedIPTablesWithSlice, fp.iptablesData.String())
} }
runPacketFlowTests(t, tc.line, fp.iptablesData.String(), testNodeIP, []packetFlowTest{ runPacketFlowTests(t, tc.line, ipt, testNodeIP, []packetFlowTest{
{ {
name: "endpoints deleted", name: "endpoints deleted",
sourceIP: "10.0.0.2", sourceIP: "10.0.0.2",
@@ -6278,7 +6077,7 @@ func TestEndpointSliceWithTerminatingEndpointsTrafficPolicyLocal(t *testing.T) {
fp.OnEndpointSliceAdd(testcase.endpointslice) fp.OnEndpointSliceAdd(testcase.endpointslice)
fp.syncProxyRules() fp.syncProxyRules()
assertIPTablesRulesEqual(t, testcase.line, testcase.expectedIPTables, fp.iptablesData.String()) assertIPTablesRulesEqual(t, testcase.line, testcase.expectedIPTables, fp.iptablesData.String())
runPacketFlowTests(t, testcase.line, fp.iptablesData.String(), testNodeIP, testcase.flowTests) runPacketFlowTests(t, testcase.line, ipt, testNodeIP, testcase.flowTests)
fp.OnEndpointSliceDelete(testcase.endpointslice) fp.OnEndpointSliceDelete(testcase.endpointslice)
fp.syncProxyRules() fp.syncProxyRules()
@@ -6288,7 +6087,7 @@ func TestEndpointSliceWithTerminatingEndpointsTrafficPolicyLocal(t *testing.T) {
} else { } else {
assertIPTablesRulesNotEqual(t, testcase.line, testcase.expectedIPTables, fp.iptablesData.String()) assertIPTablesRulesNotEqual(t, testcase.line, testcase.expectedIPTables, fp.iptablesData.String())
} }
runPacketFlowTests(t, testcase.line, fp.iptablesData.String(), testNodeIP, []packetFlowTest{ runPacketFlowTests(t, testcase.line, ipt, testNodeIP, []packetFlowTest{
{ {
name: "pod to clusterIP after endpoints deleted", name: "pod to clusterIP after endpoints deleted",
sourceIP: "10.0.0.2", sourceIP: "10.0.0.2",
@@ -7018,7 +6817,7 @@ func TestEndpointSliceWithTerminatingEndpointsTrafficPolicyCluster(t *testing.T)
fp.OnEndpointSliceAdd(testcase.endpointslice) fp.OnEndpointSliceAdd(testcase.endpointslice)
fp.syncProxyRules() fp.syncProxyRules()
assertIPTablesRulesEqual(t, testcase.line, testcase.expectedIPTables, fp.iptablesData.String()) assertIPTablesRulesEqual(t, testcase.line, testcase.expectedIPTables, fp.iptablesData.String())
runPacketFlowTests(t, testcase.line, fp.iptablesData.String(), testNodeIP, testcase.flowTests) runPacketFlowTests(t, testcase.line, ipt, testNodeIP, testcase.flowTests)
fp.OnEndpointSliceDelete(testcase.endpointslice) fp.OnEndpointSliceDelete(testcase.endpointslice)
fp.syncProxyRules() fp.syncProxyRules()
@@ -7028,7 +6827,7 @@ func TestEndpointSliceWithTerminatingEndpointsTrafficPolicyCluster(t *testing.T)
} else { } else {
assertIPTablesRulesNotEqual(t, testcase.line, testcase.expectedIPTables, fp.iptablesData.String()) assertIPTablesRulesNotEqual(t, testcase.line, testcase.expectedIPTables, fp.iptablesData.String())
} }
runPacketFlowTests(t, testcase.line, fp.iptablesData.String(), testNodeIP, []packetFlowTest{ runPacketFlowTests(t, testcase.line, ipt, testNodeIP, []packetFlowTest{
{ {
name: "pod to clusterIP after endpoints deleted", name: "pod to clusterIP after endpoints deleted",
sourceIP: "10.0.0.2", sourceIP: "10.0.0.2",
@@ -7613,7 +7412,7 @@ func TestInternalExternalMasquerade(t *testing.T) {
if overridesApplied != len(tc.overrides) { if overridesApplied != len(tc.overrides) {
t.Errorf("%d overrides did not match any test case name!", len(tc.overrides)-overridesApplied) t.Errorf("%d overrides did not match any test case name!", len(tc.overrides)-overridesApplied)
} }
runPacketFlowTests(t, tc.line, fp.iptablesData.String(), testNodeIP, tcFlowTests) runPacketFlowTests(t, tc.line, ipt, testNodeIP, tcFlowTests)
}) })
} }
} }