From 40bcfbd676b8996c0155382b7fc3f5ad2fd2f4a3 Mon Sep 17 00:00:00 2001
From: Leonardo Sarra
Date: Mon, 15 Apr 2024 13:38:33 +0200
Subject: [PATCH] add unit tests
---
 tools/istio-iptables/pkg/capture/run_test.go | 37 ++++++++++++++
 .../pkg/capture/testdata/cleanup-dns.golden | 48 +++++++++++++++++++
 .../pkg/capture/testdata/cleanup-empty.golden | 7 +++
 3 files changed, 92 insertions(+)
 create mode 100644 tools/istio-iptables/pkg/capture/testdata/cleanup-dns.golden
 create mode 100644 tools/istio-iptables/pkg/capture/testdata/cleanup-empty.golden
diff --git a/tools/istio-iptables/pkg/capture/run_test.go b/tools/istio-iptables/pkg/capture/run_test.go
index b3524133dd6..e5b178bc6d0 100644
--- a/tools/istio-iptables/pkg/capture/run_test.go
+++ b/tools/istio-iptables/pkg/capture/run_test.go
@@ -337,6 +337,43 @@ func TestSeparateV4V6(t *testing.T) {
 }
 }
 
+func TestCleanup(t *testing.T) {
+ cases := []struct {
+ name string
+ config func(cfg *config.Config)
+ }{
+ {
+ "cleanup-empty",
+ func(cfg *config.Config) {
+ cfg.PreemptiveCleanup = true
+ },
+ },
+ {
+ "cleanup-dns",
+ func(cfg *config.Config) {
+ cfg.RedirectDNS = true
+ cfg.DNSServersV4 = []string{"127.0.0.53"}
+ cfg.DNSServersV6 = []string{"::127.0.0.53"}
+ cfg.ProxyGID = "1,2"
+ cfg.ProxyUID = "3,4"
+ cfg.EnableInboundIPv6 = true
+ cfg.PreemptiveCleanup = true
+ },
+ },
+ }
+ for _, tt := range cases {
+ t.Run(tt.name, func(t *testing.T) {
+ cfg := constructTestConfig()
+ tt.config(cfg)
+
+ ext := &dep.DependenciesStub{}
+ iptConfigurator := NewIptablesConfigurator(cfg, ext)
+ iptConfigurator.Run()
+ compareToGolden(t, tt.name, ext.ExecutedQuietly)
+ })
+ }
+}
+
 func compareToGolden(t *testing.T, name string, actual []string) {
 t.Helper()
 gotBytes := []byte(strings.Join(actual, "\n"))
diff --git a/tools/istio-iptables/pkg/capture/testdata/cleanup-dns.golden b/tools/istio-iptables/pkg/capture/testdata/cleanup-dns.golden
new file mode 100644
index 00000000000..302429a4cf6
--- /dev/null
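Review bot: TestCleanup asserts only on `ext.ExecutedQuietly`, so any cleanup command the configurator routes through the stub's non-quiet execution path would go unchecked in both cases; if `DependenciesStub` records those separately, also assert that list is empty (or compare it against the golden too) so a regression that starts issuing the destructive `-D`/`-X` rules loudly, or drops some of them, is caught rather than silently passing. The case table uses positional struct literals; keyed fields `{name: "cleanup-empty", config: func(cfg *config.Config) { ... }}` would keep the entries readable as more fields are added. A doc comment such as `// TestCleanup pins the iptables/ip6tables commands issued when PreemptiveCleanup is set, with and without DNS redirection.` would state what the two golden files are protecting. The result of `iptConfigurator.Run()`, if it returns one, is discarded here — worth confirming against the Run signature, which is outside the hunk.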
+++ b/tools/istio-iptables/pkg/capture/testdata/cleanup-dns.golden 
@@ -0,0 +1,48 @@
+iptables -t raw -D PREROUTING -p udp --sport 53 -s 127.0.0.53/32 -j CT --zone 1
+iptables -t raw -D OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j CT --zone 2
+iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
+iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
+iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
+iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
+iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
+iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
+iptables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
+iptables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
+iptables -t nat -D OUTPUT -p udp --dport 53 -d 127.0.0.53/32 -j REDIRECT --to-port 15053
+iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
+iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
+iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
+iptables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
+iptables -t nat -D ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -p tcp ! --dport 15008 -m owner --gid-owner 2 -j ISTIO_IN_REDIRECT
+iptables -t nat -D ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -p tcp ! --dport 15008 -m owner --gid-owner 1 -j ISTIO_IN_REDIRECT
+iptables -t nat -D ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -p tcp -m multiport ! --dports 53,15008 -m owner --uid-owner 4 -j ISTIO_IN_REDIRECT
+iptables -t nat -D ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -p tcp -m multiport ! --dports 53,15008 -m owner --uid-owner 3 -j ISTIO_IN_REDIRECT
+iptables -t nat -D OUTPUT -p tcp -j ISTIO_OUTPUT
+iptables -X ISTIO_OUTPUT
+iptables -X ISTIO_IN_REDIRECT
+iptables -X ISTIO_REDIRECT
+iptables -X ISTIO_INBOUND
+ip6tables -t raw -D PREROUTING -p udp --sport 53 -s ::127.0.0.53/128 -j CT --zone 1
+ip6tables -t raw -D OUTPUT -p udp --dport 53 -d ::127.0.0.53/128 -j CT --zone 2
+ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 2 -j CT --zone 2
+ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j CT --zone 1
+ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --gid-owner 1 -j CT --zone 2
+ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j CT --zone 1
+ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 4 -j CT --zone 2
+ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j CT --zone 1
+ip6tables -t raw -D OUTPUT -p udp --sport 15053 -m owner --uid-owner 3 -j CT --zone 2
+ip6tables -t raw -D OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j CT --zone 1
+ip6tables -t nat -D OUTPUT -p udp --dport 53 -d ::127.0.0.53/128 -j REDIRECT --to-port 15053
+ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 2 -j RETURN
+ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --gid-owner 1 -j RETURN
+ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 4 -j RETURN
+ip6tables -t nat -D OUTPUT -p udp --dport 53 -m owner --uid-owner 3 -j RETURN
+ip6tables -t nat -D ISTIO_OUTPUT -o lo ! -d ::1/128 -p tcp ! --dport 15008 -m owner --gid-owner 2 -j ISTIO_IN_REDIRECT
+ip6tables -t nat -D ISTIO_OUTPUT -o lo ! -d ::1/128 -p tcp ! --dport 15008 -m owner --gid-owner 1 -j ISTIO_IN_REDIRECT
+ip6tables -t nat -D ISTIO_OUTPUT -o lo ! -d ::1/128 -p tcp -m multiport ! --dports 53,15008 -m owner --uid-owner 4 -j ISTIO_IN_REDIRECT
+ip6tables -t nat -D ISTIO_OUTPUT -o lo ! -d ::1/128 -p tcp -m multiport ! --dports 53,15008 -m owner --uid-owner 3 -j ISTIO_IN_REDIRECT
+ip6tables -t nat -D OUTPUT -p tcp -j ISTIO_OUTPUT
+ip6tables -X ISTIO_OUTPUT
+ip6tables -X ISTIO_IN_REDIRECT
+ip6tables -X ISTIO_REDIRECT
+ip6tables -X ISTIO_INBOUND
\ No newline at end of file
diff --git a/tools/istio-iptables/pkg/capture/testdata/cleanup-empty.golden b/tools/istio-iptables/pkg/capture/testdata/cleanup-empty.golden
new file mode 100644
index 00000000000..28d2c464f6e
--- /dev/null
+++ b/tools/istio-iptables/pkg/capture/testdata/cleanup-empty.golden
@@ -0,0 +1,7 @@
+iptables -t nat -D ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -p tcp ! --dport 15008 -m owner --gid-owner 1337 -j ISTIO_IN_REDIRECT
+iptables -t nat -D ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -p tcp ! --dport 15008 -m owner --uid-owner 1337 -j ISTIO_IN_REDIRECT
+iptables -t nat -D OUTPUT -p tcp -j ISTIO_OUTPUT
+iptables -X ISTIO_OUTPUT
+iptables -X ISTIO_IN_REDIRECT
+iptables -X ISTIO_REDIRECT
+iptables -X ISTIO_INBOUND
\ No newline at end of file