nerdctl/pkg/testutil/iptables/iptables_linux.go at 40a8a2c5cb31b1f9fe6150fee4761e862bece369 · containerd/nerdctl · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
/*
   Copyright The containerd Authors.

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
*/

package iptables

import (
	"fmt"
	"regexp"
	"testing"

	"github.com/coreos/go-iptables/iptables"
)

// ForwardExists check that at least 2 rules are present in the CNI-HOSTPORT-DNAT chain
// and checks for regex matches in the list of rules
func ForwardExists(t *testing.T, ipt *iptables.IPTables, chain, containerIP string, port int) bool {
	rules, err := ipt.List("nat", chain)
	if err != nil {
		t.Logf("error listing rules in chain: %q\n", err)
		return false
	}

	if len(rules) < 1 {
		t.Logf("not enough rules: %d", len(rules))
		return false
	}

	// here we check if at least one of the rules in the chain
	// matches the required string to identify that the rule was applied
	found := false
	matchRule := `--dport ` + fmt.Sprintf("%d", port) + ` .+ --to-destination ` + containerIP
	for _, rule := range rules {
		foundInRule, err := regexp.MatchString(matchRule, rule)
		if err != nil {
			t.Logf("error in match string: %q\n", err)
			return false
		}
		if foundInRule {
			found = foundInRule
		}
	}
	return found
}

// GetRedirectedChain returns the chain where the traffic is being redirected.
// This is how libcni manage its port maps.
// Suppose you have the following rule:
// -A CNI-HOSTPORT-DNAT -p tcp -m comment --comment "dnat name: \"bridge\" id: \"default-YYYYYY\"" -m multiport --dports 9999 -j CNI-DN-XXXXXX
// So the chain where the traffic is redirected is CNI-DN-XXXXXX
// Returns an empty string in case nothing was found.
func GetRedirectedChain(t *testing.T, ipt *iptables.IPTables, chain, namespace, containerID string) string {
	rules, err := ipt.List("nat", chain)
	if err != nil {
		t.Logf("error listing rules in chain: %q\n", err)
		return ""
	}

	if len(rules) < 1 {
		t.Logf("not enough rules: %d", len(rules))
		return ""
	}

	var redirectedChain string
	re := regexp.MustCompile(`-j\s+([^ ]+)`)
	for _, rule := range rules {
		// first we verify the comment section is present: "dnat name: \"bridge\" id: \"default-YYYYYY\""
		matchesContainer, err := regexp.MatchString(namespace+"-"+containerID, rule)
		if err != nil {
			t.Logf("error in match string: %q\n", err)
			return ""
		}
		if matchesContainer {
			// then we find the appropriate chain in the rule
			matches := re.FindStringSubmatch(rule)
			fmt.Println(matches)
			if len(matches) >= 2 {
				redirectedChain = matches[1]
			}
		}
	}
	if redirectedChain == "" {
		t.Logf("no redirectced chain found")
		return ""
	}
	return redirectedChain
}

// ForwardExistsFromRules checks whether any rule in the given slice
// matches the expected DNAT forwarding pattern.
func ForwardExistsFromRules(rules []string, containerIP string, port int) (bool, error) {
	if len(rules) < 1 {
		return false, fmt.Errorf("not enough rules: %d", len(rules))
	}

	// here we check if at least one of the rules in the chain
	// matches the required string to identify that the rule was applied
	found := false
	matchRule := `--dport ` + fmt.Sprintf("%d", port) + ` .+ --to-destination ` + containerIP
	for _, rule := range rules {
		foundInRule, err := regexp.MatchString(matchRule, rule)
		if err != nil {
			return false, fmt.Errorf("error in match string: %q", err)
		}
		if foundInRule {
			found = foundInRule
		}
	}
	return found, nil
}