-
Notifications
You must be signed in to change notification settings - Fork 1.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
iptables: check revision numbers and support owner matcher v1
This change also replaces use of kernel.Task with a narrower type (IDMapper) in preparation for a follow-up CL. PiperOrigin-RevId: 578387814
- Loading branch information
1 parent
5f75371
commit 7f08016
Showing
13 changed files
with
328 additions
and
41 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
// Copyright 2023 The gVisor Authors. | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package netfilter | ||
|
||
import ( | ||
_ "embed" | ||
"testing" | ||
|
||
"gvisor.dev/gvisor/pkg/sentry/kernel/auth" | ||
"gvisor.dev/gvisor/pkg/tcpip/stack" | ||
) | ||
|
||
// istioBlob is a golden iptables ruleset generated by Istio. It is already in | ||
// the format ready to by passed to IPT_SO_SET_REPLACE. | ||
// | ||
// Updating this requires running Istio, calling IPT_SO_GET_INFO and | ||
// IPT_SO_GET_ENTRIES, then stitching the structs up. So be careful when | ||
// updating! | ||
// | ||
//go:embed istio_blob | ||
var istioBlob []byte | ||
|
||
// FakeIDMapper implements IDMapper. | ||
type FakeIDMapper struct{} | ||
|
||
// MapToKUID implements IDMapper. | ||
func (*FakeIDMapper) MapToKUID(auth.UID) auth.KUID { | ||
return 0 | ||
} | ||
|
||
// MapToKGID implements IDMapper. | ||
func (*FakeIDMapper) MapToKGID(auth.GID) auth.KGID { | ||
return 0 | ||
} | ||
|
||
// TestIstioBlob tests that we support the iptables ruleset generated by Istio, | ||
// i.e. that we can parse the rules and set them in netstack. | ||
func TestIstioBlob(t *testing.T) { | ||
mapper := FakeIDMapper{} | ||
stack := stack.New(stack.Options{}) | ||
if err := SetEntries(&mapper, stack, istioBlob, false); err != nil { | ||
t.Fatalf("failed to set Istio rules, try setting enableLogging and running again: %v", err) | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.