Deflake //test/iptables:iptables_test
We were opening dual-stack sockets, but tests only set iptables rules for a
single network protocol. Thus, packets (probably sent by previous tests) could
sneak in and break tests.

Tested with:
bazel test ///test/iptables:iptables_test
--test_arg=--runtime=runsc --nocache_test_results --test_output=errors
--runs_per_test=1000 --test_filter=TestFilterInputDropUDP
PiperOrigin-RevId: 357972385
kevinGC authored and gvisor-bot committed Feb 17, 2021
1 parent 3ef0129 commit 2f35fa1
Showing 4 changed files with 139 additions and 123 deletions.
96 changes: 48 additions & 48 deletions test/iptables/filter_input.go
Expand Up @@ -78,7 +78,7 @@ func (*FilterInputDropUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6
// Listen for UDP packets on dropPort.
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
if err := listenUDP(timedCtx, dropPort); err == nil {
if err := listenUDP(timedCtx, dropPort, ipv6); err == nil {
return fmt.Errorf("packets on port %d should have been dropped, but got a packet", dropPort)
} else if !errors.Is(err, context.DeadlineExceeded) {
return fmt.Errorf("error reading: %v", err)
Expand All @@ -91,7 +91,7 @@ func (*FilterInputDropUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6

// LocalAction implements TestCase.LocalAction.
func (*FilterInputDropUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
return sendUDPLoop(ctx, ip, dropPort)
return sendUDPLoop(ctx, ip, dropPort, ipv6)
}

// FilterInputDropOnlyUDP tests that "-p udp -j DROP" only affects UDP traffic.
Expand All @@ -111,7 +111,7 @@ func (*FilterInputDropOnlyUDP) ContainerAction(ctx context.Context, ip net.IP, i
}

// Listen for a TCP connection, which should be allowed.
if err := listenTCP(ctx, acceptPort); err != nil {
if err := listenTCP(ctx, acceptPort, ipv6); err != nil {
return fmt.Errorf("failed to establish a connection %v", err)
}

Expand All @@ -122,7 +122,7 @@ func (*FilterInputDropOnlyUDP) ContainerAction(ctx context.Context, ip net.IP, i
func (*FilterInputDropOnlyUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
// Try to establish a TCP connection with the container, which should
// succeed.
return connectTCP(ctx, ip, acceptPort)
return connectTCP(ctx, ip, acceptPort, ipv6)
}

// FilterInputDropUDPPort tests that we can drop UDP traffic by port.
Expand All @@ -144,7 +144,7 @@ func (*FilterInputDropUDPPort) ContainerAction(ctx context.Context, ip net.IP, i
// Listen for UDP packets on dropPort.
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
if err := listenUDP(timedCtx, dropPort); err == nil {
if err := listenUDP(timedCtx, dropPort, ipv6); err == nil {
return fmt.Errorf("packets on port %d should have been dropped, but got a packet", dropPort)
} else if !errors.Is(err, context.DeadlineExceeded) {
return fmt.Errorf("error reading: %v", err)
Expand All @@ -157,7 +157,7 @@ func (*FilterInputDropUDPPort) ContainerAction(ctx context.Context, ip net.IP, i

// LocalAction implements TestCase.LocalAction.
func (*FilterInputDropUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
return sendUDPLoop(ctx, ip, dropPort)
return sendUDPLoop(ctx, ip, dropPort, ipv6)
}

// FilterInputDropDifferentUDPPort tests that dropping traffic for a single UDP port
Expand All @@ -178,7 +178,7 @@ func (*FilterInputDropDifferentUDPPort) ContainerAction(ctx context.Context, ip
}

// Listen for UDP packets on another port.
if err := listenUDP(ctx, acceptPort); err != nil {
if err := listenUDP(ctx, acceptPort, ipv6); err != nil {
return fmt.Errorf("packets on port %d should be allowed, but encountered an error: %v", acceptPort, err)
}

Expand All @@ -187,7 +187,7 @@ func (*FilterInputDropDifferentUDPPort) ContainerAction(ctx context.Context, ip

// LocalAction implements TestCase.LocalAction.
func (*FilterInputDropDifferentUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
return sendUDPLoop(ctx, ip, acceptPort)
return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}

// FilterInputDropTCPDestPort tests that connections are not accepted on specified source ports.
Expand All @@ -209,7 +209,7 @@ func (*FilterInputDropTCPDestPort) ContainerAction(ctx context.Context, ip net.I
// Listen for TCP packets on drop port.
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
if err := listenTCP(timedCtx, dropPort); err == nil {
if err := listenTCP(timedCtx, dropPort, ipv6); err == nil {
return fmt.Errorf("connection on port %d should not be accepted, but got accepted", dropPort)
} else if !errors.Is(err, context.DeadlineExceeded) {
return fmt.Errorf("error reading: %v", err)
Expand All @@ -223,7 +223,7 @@ func (*FilterInputDropTCPDestPort) LocalAction(ctx context.Context, ip net.IP, i
// Ensure we cannot connect to the container.
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
if err := connectTCP(timedCtx, ip, dropPort); err == nil {
if err := connectTCP(timedCtx, ip, dropPort, ipv6); err == nil {
return fmt.Errorf("expected not to connect, but was able to connect on port %d", dropPort)
}
return nil
Expand All @@ -249,7 +249,7 @@ func (*FilterInputDropTCPSrcPort) ContainerAction(ctx context.Context, ip net.IP
// Listen for TCP packets on accept port.
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
if err := listenTCP(timedCtx, acceptPort); err == nil {
if err := listenTCP(timedCtx, acceptPort, ipv6); err == nil {
return fmt.Errorf("connection destined to port %d should not be accepted, but was", dropPort)
} else if !errors.Is(err, context.DeadlineExceeded) {
return fmt.Errorf("error reading: %v", err)
Expand All @@ -263,7 +263,7 @@ func (*FilterInputDropTCPSrcPort) LocalAction(ctx context.Context, ip net.IP, ip
// Ensure we cannot connect to the container.
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
if err := connectTCP(timedCtx, ip, dropPort); err == nil {
if err := connectTCP(timedCtx, ip, dropPort, ipv6); err == nil {
return fmt.Errorf("expected not to connect, but was able to connect on port %d", acceptPort)
}
return nil
Expand All @@ -288,7 +288,7 @@ func (*FilterInputDropAll) ContainerAction(ctx context.Context, ip net.IP, ipv6
// Listen for all packets on dropPort.
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
if err := listenUDP(timedCtx, dropPort); err == nil {
if err := listenUDP(timedCtx, dropPort, ipv6); err == nil {
return fmt.Errorf("packets should have been dropped, but got a packet")
} else if !errors.Is(err, context.DeadlineExceeded) {
return fmt.Errorf("error reading: %v", err)
Expand All @@ -301,7 +301,7 @@ func (*FilterInputDropAll) ContainerAction(ctx context.Context, ip net.IP, ipv6

// LocalAction implements TestCase.LocalAction.
func (*FilterInputDropAll) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
return sendUDPLoop(ctx, ip, dropPort)
return sendUDPLoop(ctx, ip, dropPort, ipv6)
}

// FilterInputMultiUDPRules verifies that multiple UDP rules are applied
Expand Down Expand Up @@ -401,12 +401,12 @@ func (*FilterInputDefaultPolicyAccept) ContainerAction(ctx context.Context, ip n
if err := filterTable(ipv6, "-P", "INPUT", "ACCEPT"); err != nil {
return err
}
return listenUDP(ctx, acceptPort)
return listenUDP(ctx, acceptPort, ipv6)
}

// LocalAction implements TestCase.LocalAction.
func (*FilterInputDefaultPolicyAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
return sendUDPLoop(ctx, ip, acceptPort)
return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}

// FilterInputDefaultPolicyDrop tests the default DROP policy.
Expand All @@ -428,7 +428,7 @@ func (*FilterInputDefaultPolicyDrop) ContainerAction(ctx context.Context, ip net
// Listen for UDP packets on dropPort.
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
if err := listenUDP(timedCtx, dropPort); err == nil {
if err := listenUDP(timedCtx, dropPort, ipv6); err == nil {
return fmt.Errorf("packets on port %d should have been dropped, but got a packet", dropPort)
} else if !errors.Is(err, context.DeadlineExceeded) {
return fmt.Errorf("error reading: %v", err)
Expand All @@ -441,7 +441,7 @@ func (*FilterInputDefaultPolicyDrop) ContainerAction(ctx context.Context, ip net

// LocalAction implements TestCase.LocalAction.
func (*FilterInputDefaultPolicyDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
return sendUDPLoop(ctx, ip, acceptPort)
return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}

// FilterInputReturnUnderflow tests that -j RETURN in a built-in chain causes
Expand Down Expand Up @@ -470,12 +470,12 @@ func (*FilterInputReturnUnderflow) ContainerAction(ctx context.Context, ip net.I

// We should receive packets, as the RETURN rule will trigger the default
// ACCEPT policy.
return listenUDP(ctx, acceptPort)
return listenUDP(ctx, acceptPort, ipv6)
}

// LocalAction implements TestCase.LocalAction.
func (*FilterInputReturnUnderflow) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
return sendUDPLoop(ctx, ip, acceptPort)
return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}

// FilterInputSerializeJump verifies that we can serialize jumps.
Expand Down Expand Up @@ -528,12 +528,12 @@ func (*FilterInputJumpBasic) ContainerAction(ctx context.Context, ip net.IP, ipv
}

// Listen for UDP packets on acceptPort.
return listenUDP(ctx, acceptPort)
return listenUDP(ctx, acceptPort, ipv6)
}

// LocalAction implements TestCase.LocalAction.
func (*FilterInputJumpBasic) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
return sendUDPLoop(ctx, ip, acceptPort)
return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}

// FilterInputJumpReturn jumps, returns, and executes a rule.
Expand All @@ -560,12 +560,12 @@ func (*FilterInputJumpReturn) ContainerAction(ctx context.Context, ip net.IP, ip
}

// Listen for UDP packets on acceptPort.
return listenUDP(ctx, acceptPort)
return listenUDP(ctx, acceptPort, ipv6)
}

// LocalAction implements TestCase.LocalAction.
func (*FilterInputJumpReturn) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
return sendUDPLoop(ctx, ip, acceptPort)
return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}

// FilterInputJumpReturnDrop jumps to a chain, returns, and DROPs packets.
Expand Down Expand Up @@ -593,7 +593,7 @@ func (*FilterInputJumpReturnDrop) ContainerAction(ctx context.Context, ip net.IP
// Listen for UDP packets on dropPort.
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
if err := listenUDP(timedCtx, dropPort); err == nil {
if err := listenUDP(timedCtx, dropPort, ipv6); err == nil {
return fmt.Errorf("packets on port %d should have been dropped, but got a packet", dropPort)
} else if !errors.Is(err, context.DeadlineExceeded) {
return fmt.Errorf("error reading: %v", err)
Expand All @@ -606,7 +606,7 @@ func (*FilterInputJumpReturnDrop) ContainerAction(ctx context.Context, ip net.IP

// LocalAction implements TestCase.LocalAction.
func (*FilterInputJumpReturnDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
return sendUDPLoop(ctx, ip, dropPort)
return sendUDPLoop(ctx, ip, dropPort, ipv6)
}

// FilterInputJumpBuiltin verifies that jumping to a top-levl chain is illegal.
Expand Down Expand Up @@ -660,12 +660,12 @@ func (*FilterInputJumpTwice) ContainerAction(ctx context.Context, ip net.IP, ipv

// UDP packets should jump and return twice, eventually hitting the
// ACCEPT rule.
return listenUDP(ctx, acceptPort)
return listenUDP(ctx, acceptPort, ipv6)
}

// LocalAction implements TestCase.LocalAction.
func (*FilterInputJumpTwice) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
return sendUDPLoop(ctx, ip, acceptPort)
return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}

// FilterInputDestination verifies that we can filter packets via `-d
Expand Down Expand Up @@ -696,12 +696,12 @@ func (*FilterInputDestination) ContainerAction(ctx context.Context, ip net.IP, i
return err
}

return listenUDP(ctx, acceptPort)
return listenUDP(ctx, acceptPort, ipv6)
}

// LocalAction implements TestCase.LocalAction.
func (*FilterInputDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
return sendUDPLoop(ctx, ip, acceptPort)
return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}

// FilterInputInvertDestination verifies that we can filter packets via `! -d
Expand All @@ -727,12 +727,12 @@ func (*FilterInputInvertDestination) ContainerAction(ctx context.Context, ip net
return err
}

return listenUDP(ctx, acceptPort)
return listenUDP(ctx, acceptPort, ipv6)
}

// LocalAction implements TestCase.LocalAction.
func (*FilterInputInvertDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
return sendUDPLoop(ctx, ip, acceptPort)
return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}

// FilterInputSource verifies that we can filter packets via `-s
Expand All @@ -758,12 +758,12 @@ func (*FilterInputSource) ContainerAction(ctx context.Context, ip net.IP, ipv6 b
return err
}

return listenUDP(ctx, acceptPort)
return listenUDP(ctx, acceptPort, ipv6)
}

// LocalAction implements TestCase.LocalAction.
func (*FilterInputSource) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
return sendUDPLoop(ctx, ip, acceptPort)
return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}

// FilterInputInvertSource verifies that we can filter packets via `! -s
Expand All @@ -789,12 +789,12 @@ func (*FilterInputInvertSource) ContainerAction(ctx context.Context, ip net.IP,
return err
}

return listenUDP(ctx, acceptPort)
return listenUDP(ctx, acceptPort, ipv6)
}

// LocalAction implements TestCase.LocalAction.
func (*FilterInputInvertSource) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
return sendUDPLoop(ctx, ip, acceptPort)
return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}

// FilterInputInterfaceAccept tests that packets are accepted from interface
Expand All @@ -817,7 +817,7 @@ func (*FilterInputInterfaceAccept) ContainerAction(ctx context.Context, ip net.I
if err := filterTable(ipv6, "-A", "INPUT", "-p", "udp", "-i", ifname, "-j", "ACCEPT"); err != nil {
return err
}
if err := listenUDP(ctx, acceptPort); err != nil {
if err := listenUDP(ctx, acceptPort, ipv6); err != nil {
return fmt.Errorf("packets on port %d should be allowed, but encountered an error: %w", acceptPort, err)
}

Expand All @@ -826,7 +826,7 @@ func (*FilterInputInterfaceAccept) ContainerAction(ctx context.Context, ip net.I

// LocalAction implements TestCase.LocalAction.
func (*FilterInputInterfaceAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
return sendUDPLoop(ctx, ip, acceptPort)
return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}

// FilterInputInterfaceDrop tests that packets are dropped from interface
Expand All @@ -851,7 +851,7 @@ func (*FilterInputInterfaceDrop) ContainerAction(ctx context.Context, ip net.IP,
}
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
if err := listenUDP(timedCtx, acceptPort); err != nil {
if err := listenUDP(timedCtx, acceptPort, ipv6); err != nil {
if errors.Is(err, context.DeadlineExceeded) {
return nil
}
Expand All @@ -862,7 +862,7 @@ func (*FilterInputInterfaceDrop) ContainerAction(ctx context.Context, ip net.IP,

// LocalAction implements TestCase.LocalAction.
func (*FilterInputInterfaceDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
return sendUDPLoop(ctx, ip, acceptPort)
return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}

// FilterInputInterface tests that packets are not dropped from interface which
Expand All @@ -881,15 +881,15 @@ func (*FilterInputInterface) ContainerAction(ctx context.Context, ip net.IP, ipv
if err := filterTable(ipv6, "-A", "INPUT", "-p", "udp", "-i", "lo", "-j", "DROP"); err != nil {
return err
}
if err := listenUDP(ctx, acceptPort); err != nil {
if err := listenUDP(ctx, acceptPort, ipv6); err != nil {
return fmt.Errorf("packets on port %d should be allowed, but encountered an error: %w", acceptPort, err)
}
return nil
}

// LocalAction implements TestCase.LocalAction.
func (*FilterInputInterface) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
return sendUDPLoop(ctx, ip, acceptPort)
return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}

// FilterInputInterfaceBeginsWith tests that packets are dropped from an
Expand All @@ -910,7 +910,7 @@ func (*FilterInputInterfaceBeginsWith) ContainerAction(ctx context.Context, ip n
}
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
if err := listenUDP(timedCtx, acceptPort); err != nil {
if err := listenUDP(timedCtx, acceptPort, ipv6); err != nil {
if errors.Is(err, context.DeadlineExceeded) {
return nil
}
Expand All @@ -921,7 +921,7 @@ func (*FilterInputInterfaceBeginsWith) ContainerAction(ctx context.Context, ip n

// LocalAction implements TestCase.LocalAction.
func (*FilterInputInterfaceBeginsWith) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
return sendUDPLoop(ctx, ip, acceptPort)
return sendUDPLoop(ctx, ip, acceptPort, ipv6)
}

// FilterInputInterfaceInvertDrop tests that we selectively drop packets from
Expand All @@ -942,7 +942,7 @@ func (*FilterInputInterfaceInvertDrop) ContainerAction(ctx context.Context, ip n
}
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
if err := listenTCP(timedCtx, acceptPort); err != nil {
if err := listenTCP(timedCtx, acceptPort, ipv6); err != nil {
if errors.Is(err, context.DeadlineExceeded) {
return nil
}
Expand All @@ -955,7 +955,7 @@ func (*FilterInputInterfaceInvertDrop) ContainerAction(ctx context.Context, ip n
func (*FilterInputInterfaceInvertDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
defer cancel()
if err := connectTCP(timedCtx, ip, acceptPort); err != nil {
if err := connectTCP(timedCtx, ip, acceptPort, ipv6); err != nil {
var operr *net.OpError
if errors.As(err, &operr) && operr.Timeout() {
return nil
Expand All @@ -981,10 +981,10 @@ func (*FilterInputInterfaceInvertAccept) ContainerAction(ctx context.Context, ip
if err := filterTable(ipv6, "-A", "INPUT", "-p", "tcp", "!", "-i", "lo", "-j", "ACCEPT"); err != nil {
return err
}
return listenTCP(ctx, acceptPort)
return listenTCP(ctx, acceptPort, ipv6)
}

// LocalAction implements TestCase.LocalAction.
func (*FilterInputInterfaceInvertAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
return connectTCP(ctx, ip, acceptPort)
return connectTCP(ctx, ip, acceptPort, ipv6)
}
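Review bot: In the FilterInputDropTCPSrcPort hunks (@@ -249 and @@ -263) the port named in each error message does not match the port the code actually uses: ContainerAction listens on acceptPort but reports `"connection destined to port %d should not be accepted, but was", dropPort`, and LocalAction dials dropPort but reports `"... able to connect on port %d", acceptPort`, so a failure would point the reader at the wrong port. If connectTCP's port argument is the destination port (its definition is in another file and not visible here), the local side is also dialing a port the container never listens on, which would let the test pass without the source-port rule being exercised; worth confirming, and if the mismatch is intentional (dropPort used as the source port) a one-line comment saying so would save the next reader the same question. Separately, the new-side error returns in this file are inconsistent about wrapping: most use `fmt.Errorf("error reading: %v", err)` while the interface tests use `%w`; switching the remaining ones to `%w` would keep `errors.Is(err, context.DeadlineExceeded)` usable by callers. The enclosing ContainerAction/LocalAction bodies extend outside the hunks.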
