testing

package
v1.5.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 17, 2024 License: Apache-2.0 Imports: 9 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Chain added in v1.5.0

type Chain struct {
	Name    iptables.Chain
	Packets uint64
	Bytes   uint64
	Rules   []*Rule

	// Deleted is set if the input contained a "-X Name" line; this would never
	// appear in iptables-save output but it could appear in iptables-restore *input*.
	Deleted bool
}

Chain represents an IPTables chain

type FakeIPTables

type FakeIPTables struct {
	Dump *IPTablesDump
	// contains filtered or unexported fields
}

FakeIPTables is no-op implementation of iptables Interface.

func NewFake

func NewFake() *FakeIPTables

NewFake returns a no-op iptables.Interface

func NewIPv6Fake added in v1.5.0

func NewIPv6Fake() *FakeIPTables

NewIPv6Fake returns a no-op iptables.Interface with IsIPv6() == true

func (*FakeIPTables) ChainExists added in v1.5.0

func (f *FakeIPTables) ChainExists(table iptables.Table, chain iptables.Chain) (bool, error)

ChainExists is part of iptables.Interface

func (*FakeIPTables) DeleteChain

func (f *FakeIPTables) DeleteChain(table iptables.Table, chain iptables.Chain) error

DeleteChain is part of iptables.Interface

func (*FakeIPTables) DeleteRule

func (f *FakeIPTables) DeleteRule(table iptables.Table, chain iptables.Chain, args ...string) error

DeleteRule is part of iptables.Interface

func (*FakeIPTables) EnsureChain

func (f *FakeIPTables) EnsureChain(table iptables.Table, chain iptables.Chain) (bool, error)

EnsureChain is part of iptables.Interface

func (*FakeIPTables) EnsureRule

func (f *FakeIPTables) EnsureRule(position iptables.RulePosition, table iptables.Table, chain iptables.Chain, args ...string) (bool, error)

EnsureRule is part of iptables.Interface

func (*FakeIPTables) FlushChain

func (f *FakeIPTables) FlushChain(table iptables.Table, chain iptables.Chain) error

FlushChain is part of iptables.Interface

func (*FakeIPTables) HasRandomFully

func (f *FakeIPTables) HasRandomFully() bool

HasRandomFully is part of iptables.Interface

func (*FakeIPTables) IsIPv6 added in v1.5.0

func (f *FakeIPTables) IsIPv6() bool

IsIPv6 is part of iptables.Interface

func (*FakeIPTables) Monitor

func (f *FakeIPTables) Monitor(canary iptables.Chain, tables []iptables.Table, reloadFunc func(), interval time.Duration, stopCh <-chan struct{})

Monitor is part of iptables.Interface

func (*FakeIPTables) Present added in v1.5.0

func (f *FakeIPTables) Present() bool

func (*FakeIPTables) Protocol added in v1.5.0

func (f *FakeIPTables) Protocol() iptables.Protocol

Protocol is part of iptables.Interface

func (*FakeIPTables) Restore

func (f *FakeIPTables) Restore(table iptables.Table, data []byte, flush iptables.FlushFlag, counters iptables.RestoreCountersFlag) error

Restore is part of iptables.Interface

func (*FakeIPTables) RestoreAll

func (f *FakeIPTables) RestoreAll(data []byte, flush iptables.FlushFlag, counters iptables.RestoreCountersFlag) error

RestoreAll is part of iptables.Interface

func (*FakeIPTables) SaveInto

func (f *FakeIPTables) SaveInto(table iptables.Table, buffer *bytes.Buffer) error

SaveInto is part of iptables.Interface

func (*FakeIPTables) SetHasRandomFully

func (f *FakeIPTables) SetHasRandomFully(can bool) *FakeIPTables

SetHasRandomFully sets f's return value for HasRandomFully()

type IPTablesDump added in v1.5.0

type IPTablesDump struct {
	Tables []Table
}

IPTablesDump represents a parsed IPTables rules dump (ie, the output of "iptables-save" or input to "iptables-restore")

func ParseIPTablesDump added in v1.5.0

func ParseIPTablesDump(data string) (*IPTablesDump, error)

ParseIPTablesDump parses an IPTables rules dump. Note: this may ignore some bad data.

func (*IPTablesDump) GetChain added in v1.5.0

func (dump *IPTablesDump) GetChain(table iptables.Table, chain iptables.Chain) (*Chain, error)

func (*IPTablesDump) GetTable added in v1.5.0

func (dump *IPTablesDump) GetTable(table iptables.Table) (*Table, error)

func (*IPTablesDump) String added in v1.5.0

func (dump *IPTablesDump) String() string

type IPTablesValue added in v1.5.0

type IPTablesValue struct {
	Negated bool
	Value   string
}

IPTablesValue is a value of a parameter in an Rule, where the parameter is possibly negated.

func (*IPTablesValue) Matches added in v1.5.0

func (v *IPTablesValue) Matches(cmp string) bool

Matches returns true if cmp equals / doesn't equal v.Value (depending on v.Negated).

func (*IPTablesValue) String added in v1.5.0

func (v *IPTablesValue) String() string

for debugging; otherwise %v will just print the pointer value

type Rule

type Rule struct {
	// Raw contains the original raw rule string
	Raw string

	Chain   iptables.Chain `param:"-A"`
	Comment *IPTablesValue `param:"--comment"`

	Protocol *IPTablesValue `param:"-p" negatable:"true"`

	SourceAddress *IPTablesValue `param:"-s" negatable:"true"`
	SourceType    *IPTablesValue `param:"--src-type" negatable:"true"`
	SourcePort    *IPTablesValue `param:"--sport" negatable:"true"`

	DestinationAddress *IPTablesValue `param:"-d" negatable:"true"`
	DestinationType    *IPTablesValue `param:"--dst-type" negatable:"true"`
	DestinationPort    *IPTablesValue `param:"--dport" negatable:"true"`

	MatchSet *IPTablesValue `param:"--match-set" negatable:"true"`

	Jump            *IPTablesValue `param:"-j"`
	RandomFully     *bool          `param:"--random-fully"`
	Probability     *IPTablesValue `param:"--probability"`
	DNATDestination *IPTablesValue `param:"--to-destination"`

	// We don't actually use the values of these, but we care if they are present
	AffinityCheck *bool          `param:"--rcheck" negatable:"true"`
	MarkCheck     *IPTablesValue `param:"--mark" negatable:"true"`
	CTStateCheck  *IPTablesValue `param:"--ctstate" negatable:"true"`

	// We don't currently care about any of these in the unit tests, but we expect
	// them to be present in some rules that we parse, so we define how to parse them.
	AffinityName    *IPTablesValue `param:"--name"`
	AffinitySeconds *IPTablesValue `param:"--seconds"`
	AffinitySet     *bool          `param:"--set" negatable:"true"`
	AffinityReap    *bool          `param:"--reap"`
	StatisticMode   *IPTablesValue `param:"--mode"`
}

Rule represents a single parsed IPTables rule. (This currently covers all of the rule types that we actually use in pkg/proxy/iptables or pkg/proxy/ipvs.)

The parsing is mostly-automated based on type reflection. The `param` tag on a field indicates the parameter whose value will be placed into that field. (The code assumes that we don't use both the short and long forms of any parameter names (eg, "-s" vs "--source"), which is currently true, but it could be extended if necessary.) The `negatable` tag indicates if a parameter is allowed to be preceded by "!".

Parameters that take a value are stored as type `*IPTablesValue`, which encapsulates a string value and whether the rule was negated (ie, whether the rule requires that we *match* or *don't match* that value). But string-valued parameters that can't be negated use `IPTablesValue` rather than `string` too, just for API consistency.

Parameters that don't take a value are stored as `*bool`, where the value is `nil` if the parameter was not present, `&true` if the parameter was present, or `&false` if the parameter was present but negated.

Parsing skips over "-m MODULE" parameters because most parameters have unique names anyway even ignoring the module name, and in the cases where they don't (eg "-m tcp --sport" vs "-m udp --sport") the parameters are mutually-exclusive and it's more convenient to store them in the same struct field anyway.

func ParseRule added in v1.5.0

func ParseRule(rule string, strict bool) (*Rule, error)

ParseRule parses rule. If strict is false, it will parse the recognized parameters and ignore unrecognized ones. If it is true, parsing will fail if there are unrecognized parameters.

type Table added in v1.5.0

type Table struct {
	Name   iptables.Table
	Chains []Chain
}

Table represents an IPTables table

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL