pkg/util/iptables/testing: Add better IPTables rule-parsing helpers
There were previously some strange iptables-rule-parsing functions that were only used by two unit tests in pkg/proxy/ipvs. Get rid of them and replace them with some much better iptables-rule-parsing functions.
This commit is contained in:
Dan Winship
@@ -1664,11 +1664,25 @@ func TestMasqueradeRule(t *testing.T) {
|
||||
makeServiceMap(fp)
|
||||
fp.syncProxyRules()
|
||||
|
||||
postRoutingRules := ipt.GetRules(string(kubePostroutingChain))
|
||||
if !hasJump(postRoutingRules, "MASQUERADE", "") {
|
||||
buf := bytes.NewBuffer(nil)
|
||||
_ = ipt.SaveInto(utiliptables.TableNAT, buf)
|
||||
natRules := strings.Split(string(buf.Bytes()), "\n")
|
||||
var hasMasqueradeJump, hasMasqRandomFully bool
|
||||
for _, line := range natRules {
|
||||
rule, _ := iptablestest.ParseRule(line, false)
|
||||
if rule != nil && rule.Chain == kubePostroutingChain && rule.Jump != nil && rule.Jump.Value == "MASQUERADE" {
|
||||
hasMasqueradeJump = true
|
||||
if rule.RandomFully != nil {
|
||||
hasMasqRandomFully = true
|
||||
}
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
if !hasMasqueradeJump {
|
||||
t.Errorf("Failed to find -j MASQUERADE in %s chain", kubePostroutingChain)
|
||||
}
|
||||
if hasMasqRandomFully(postRoutingRules) != testcase {
|
||||
if hasMasqRandomFully != testcase {
|
||||
probs := map[bool]string{false: "found", true: "did not find"}
|
||||
t.Errorf("%s --random-fully in -j MASQUERADE rule in %s chain for HasRandomFully()=%v", probs[testcase], kubePostroutingChain, testcase)
|
||||
}
|
||||
@@ -3817,42 +3831,45 @@ func buildFakeProxier() (*iptablestest.FakeIPTables, *Proxier) {
|
||||
return ipt, NewFakeProxier(ipt, ipvs, ipset, nil, nil, v1.IPv4Protocol)
|
||||
}
|
||||
|
||||
func hasJump(rules []iptablestest.Rule, destChain, ipSet string) bool {
|
||||
for _, r := range rules {
|
||||
if r[iptablestest.Jump] == destChain {
|
||||
if ipSet == "" {
|
||||
return true
|
||||
}
|
||||
if strings.Contains(r[iptablestest.MatchSet], ipSet) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
func getRules(ipt *iptablestest.FakeIPTables, chain utiliptables.Chain) []*iptablestest.Rule {
|
||||
var rules []*iptablestest.Rule
|
||||
|
||||
func hasMasqRandomFully(rules []iptablestest.Rule) bool {
|
||||
for _, r := range rules {
|
||||
if r[iptablestest.Masquerade] == "--random-fully" {
|
||||
return true
|
||||
buf := bytes.NewBuffer(nil)
|
||||
// FIXME: FakeIPTables.SaveInto is currently broken and ignores the "table"
|
||||
// argument and just echoes whatever was last passed to RestoreAll(), so even
|
||||
// though we want to see the rules from both "nat" and "filter", we have to
|
||||
// only request one of them, or else we'll get all the rules twice...
|
||||
_ = ipt.SaveInto(utiliptables.TableNAT, buf)
|
||||
// _ = ipt.SaveInto(utiliptable.TableFilter, buf)
|
||||
lines := strings.Split(string(buf.Bytes()), "\n")
|
||||
for _, l := range lines {
|
||||
if !strings.HasPrefix(l, "-A ") {
|
||||
continue
|
||||
}
|
||||
rule, _ := iptablestest.ParseRule(l, false)
|
||||
if rule != nil && rule.Chain == chain {
|
||||
rules = append(rules, rule)
|
||||
}
|
||||
}
|
||||
return false
|
||||
return rules
|
||||
}
|
||||
|
||||
// checkIptables to check expected iptables chain and rules. The got rules must have same number and order as the
|
||||
// expected rules.
|
||||
func checkIptables(t *testing.T, ipt *iptablestest.FakeIPTables, epIpt netlinktest.ExpectedIptablesChain) {
|
||||
for epChain, epRules := range epIpt {
|
||||
rules := ipt.GetRules(epChain)
|
||||
rules := getRules(ipt, utiliptables.Chain(epChain))
|
||||
if len(rules) != len(epRules) {
|
||||
t.Errorf("Expected %d iptables rule in chain %s, got %d", len(epRules), epChain, len(rules))
|
||||
continue
|
||||
}
|
||||
for i, epRule := range epRules {
|
||||
rule := rules[i]
|
||||
if rule[iptablestest.Jump] != epRule.JumpChain || !strings.Contains(rule[iptablestest.MatchSet], epRule.MatchSet) {
|
||||
t.Errorf("Expected MatchSet=%s JumpChain=%s, got MatchSet=%s JumpChain=%s", epRule.MatchSet, epRule.JumpChain, rule[iptablestest.MatchSet], rule[iptablestest.Jump])
|
||||
if rule.Jump == nil || rule.Jump.Value != epRule.JumpChain {
|
||||
t.Errorf("Expected MatchSet=%s JumpChain=%s, got %s", epRule.MatchSet, epRule.JumpChain, rule.Raw)
|
||||
}
|
||||
if (epRule.MatchSet == "" && rule.MatchSet != nil) || (epRule.MatchSet != "" && (rule.MatchSet == nil || rule.MatchSet.Value != epRule.MatchSet)) {
|
||||
t.Errorf("Expected MatchSet=%s JumpChain=%s, got %s", epRule.MatchSet, epRule.JumpChain, rule.Raw)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user