iptables

package
v1.0.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 30, 2024 License: Apache-2.0, MIT Imports: 14 Imported by: 0

README

iptables Tests

iptables tests are run via make iptables-tests.

iptables require some extra Docker configuration to work. Enable IPv6 in /etc/docker/daemon.json (make sure to restart Docker if you change this file):

{
    "experimental": true,
    "fixed-cidr-v6": "2001:db8:1::/64",
    "ipv6": true,
    // Runtimes and other Docker config...
}

And if you're running manually (i.e. not using the make target), you'll need to:

  • Enable iptables via modprobe iptable_filter && modprobe ip6table_filter.
  • Enable --net-raw in your chosen runtime in /etc/docker/daemon.json (make sure to restart Docker if you change this file).

The resulting runtime should look something like this:

"runsc": {
    "path": "/tmp/iptables/runsc",
    "runtimeArgs": [
        "--debug-log",
        "/tmp/iptables/logs/runsc.log.%TEST%.%TIMESTAMP%.%COMMAND%",
        "--net-raw"
    ]
},
// ...

Test Structure

Each test implements TestCase, providing (1) a function to run inside the container and (2) a function to run locally. Those processes are given each others' IP addresses. The test succeeds when both functions succeed.

The function inside the container (ContainerAction) typically sets some iptables rules and then tries to send or receive packets. The local function (LocalAction) will typically just send or receive packets.

Adding Tests

  1. Add your test to the iptables package.

  2. Register the test in an init function via RegisterTestCase (see filter_input.go as an example).

  3. Add it to iptables_test.go (see the other tests in that file).

Your test is now runnable with bazel!

Run individual tests

Build and install runsc. Re-run this when you modify gVisor:

$ bazel build //runsc && sudo cp bazel-out/k8-fastbuild-ST-4c64f0b3d5c7/bin/runsc/runsc_/runsc $(which runsc)

Build the testing Docker container. Re-run this when you modify the test code in this directory:

$ make load-iptables

Run an individual test via:

$ bazel test //test/iptables:iptables_test --test_filter=<TESTNAME>

To run an individual test with runc:

$ bazel test //test/iptables:iptables_test --test_filter=<TESTNAME> --test_env=RUNTIME=runc

Documentation

Overview

Package iptables contains a set of iptables tests implemented as TestCases

Index

Constants

View Source 
const IPExchangePort = 2349

IPExchangePort is the port the container listens on to receive the IP address of the local process.

View Source 
const NegativeTimeout = 2 * time.Second

NegativeTimeout is the time tests should wait to establish the negative case, i.e. that connections are not made.

View Source 
const SO_ORIGINAL_DST = 80

SO_ORIGINAL_DST gets the original destination of a redirected packet via getsockopt.

View Source 
const TerminalStatement = "Finished!"

TerminalStatement is the last statement in the test runner.

View Source 
const TestTimeout = 10 * time.Second

TestTimeout is the timeout used for all tests.

Variables

View Source 
var Tests = map[string]TestCase{}

Tests maps test names to TestCase.

New TestCases are added by calling RegisterTestCase in an init function.

Functions

func RegisterTestCase 

func RegisterTestCase(tc TestCase)

RegisterTestCase registers tc so it can be run.

Types

type FilterInputCreateUserChain 

type FilterInputCreateUserChain struct {
	// contains filtered or unexported fields
}

FilterInputCreateUserChain tests chain creation.

func (*FilterInputCreateUserChain) ContainerAction 

func (*FilterInputCreateUserChain) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputCreateUserChain) ContainerSufficient 

func (*FilterInputCreateUserChain) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputCreateUserChain) LocalAction 

func (*FilterInputCreateUserChain) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputCreateUserChain) LocalSufficient 

func (*FilterInputCreateUserChain) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputCreateUserChain) Name 

func (*FilterInputCreateUserChain) Name() string

Name implements TestCase.Name.

type FilterInputDefaultPolicyAccept 

type FilterInputDefaultPolicyAccept struct {
	// contains filtered or unexported fields
}

FilterInputDefaultPolicyAccept tests the default ACCEPT policy.

func (*FilterInputDefaultPolicyAccept) ContainerAction 

func (*FilterInputDefaultPolicyAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputDefaultPolicyAccept) ContainerSufficient 

func (*FilterInputDefaultPolicyAccept) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputDefaultPolicyAccept) LocalAction 

func (*FilterInputDefaultPolicyAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputDefaultPolicyAccept) LocalSufficient 

func (*FilterInputDefaultPolicyAccept) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputDefaultPolicyAccept) Name 

func (*FilterInputDefaultPolicyAccept) Name() string

Name implements TestCase.Name.

type FilterInputDefaultPolicyDrop 

type FilterInputDefaultPolicyDrop struct {
	// contains filtered or unexported fields
}

FilterInputDefaultPolicyDrop tests the default DROP policy.

func (*FilterInputDefaultPolicyDrop) ContainerAction 

func (*FilterInputDefaultPolicyDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputDefaultPolicyDrop) ContainerSufficient 

func (*FilterInputDefaultPolicyDrop) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputDefaultPolicyDrop) LocalAction 

func (*FilterInputDefaultPolicyDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputDefaultPolicyDrop) LocalSufficient 

func (*FilterInputDefaultPolicyDrop) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputDefaultPolicyDrop) Name 

func (*FilterInputDefaultPolicyDrop) Name() string

Name implements TestCase.Name.

type FilterInputDestination 

type FilterInputDestination struct {
	// contains filtered or unexported fields
}

FilterInputDestination verifies that we can filter packets via `-d <ipaddr>`.

func (*FilterInputDestination) ContainerAction 

func (*FilterInputDestination) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputDestination) ContainerSufficient 

func (*FilterInputDestination) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputDestination) LocalAction 

func (*FilterInputDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputDestination) LocalSufficient 

func (*FilterInputDestination) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputDestination) Name 

func (*FilterInputDestination) Name() string

Name implements TestCase.Name.

type FilterInputDropAll 

type FilterInputDropAll struct {
	// contains filtered or unexported fields
}

FilterInputDropAll tests that we can drop all traffic to the INPUT chain.

func (*FilterInputDropAll) ContainerAction 

func (*FilterInputDropAll) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputDropAll) ContainerSufficient 

func (*FilterInputDropAll) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputDropAll) LocalAction 

func (*FilterInputDropAll) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputDropAll) LocalSufficient 

func (*FilterInputDropAll) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputDropAll) Name 

func (*FilterInputDropAll) Name() string

Name implements TestCase.Name.

type FilterInputDropDifferentUDPPort 

type FilterInputDropDifferentUDPPort struct {
	// contains filtered or unexported fields
}

FilterInputDropDifferentUDPPort tests that dropping traffic for a single UDP port doesn't drop packets on other ports.

func (*FilterInputDropDifferentUDPPort) ContainerAction 

func (*FilterInputDropDifferentUDPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputDropDifferentUDPPort) ContainerSufficient 

func (*FilterInputDropDifferentUDPPort) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputDropDifferentUDPPort) LocalAction 

func (*FilterInputDropDifferentUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputDropDifferentUDPPort) LocalSufficient 

func (*FilterInputDropDifferentUDPPort) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputDropDifferentUDPPort) Name 

func (*FilterInputDropDifferentUDPPort) Name() string

Name implements TestCase.Name.

type FilterInputDropOnlyUDP 

type FilterInputDropOnlyUDP struct {
	// contains filtered or unexported fields
}

FilterInputDropOnlyUDP tests that "-p udp -j DROP" only affects UDP traffic.

func (*FilterInputDropOnlyUDP) ContainerAction 

func (*FilterInputDropOnlyUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputDropOnlyUDP) ContainerSufficient 

func (*FilterInputDropOnlyUDP) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputDropOnlyUDP) LocalAction 

func (*FilterInputDropOnlyUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputDropOnlyUDP) LocalSufficient 

func (*FilterInputDropOnlyUDP) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputDropOnlyUDP) Name 

func (*FilterInputDropOnlyUDP) Name() string

Name implements TestCase.Name.

type FilterInputDropTCPDestPort 

type FilterInputDropTCPDestPort struct {
	// contains filtered or unexported fields
}

FilterInputDropTCPDestPort tests that connections are not accepted on specified source ports.

func (*FilterInputDropTCPDestPort) ContainerAction 

func (*FilterInputDropTCPDestPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputDropTCPDestPort) ContainerSufficient 

func (*FilterInputDropTCPDestPort) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputDropTCPDestPort) LocalAction 

func (*FilterInputDropTCPDestPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputDropTCPDestPort) LocalSufficient 

func (*FilterInputDropTCPDestPort) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputDropTCPDestPort) Name 

func (*FilterInputDropTCPDestPort) Name() string

Name implements TestCase.Name.

type FilterInputDropTCPSrcPort 

type FilterInputDropTCPSrcPort struct {
	// contains filtered or unexported fields
}

FilterInputDropTCPSrcPort tests that connections are not accepted on specified source ports.

func (*FilterInputDropTCPSrcPort) ContainerAction 

func (*FilterInputDropTCPSrcPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputDropTCPSrcPort) ContainerSufficient 

func (*FilterInputDropTCPSrcPort) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputDropTCPSrcPort) LocalAction 

func (*FilterInputDropTCPSrcPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputDropTCPSrcPort) LocalSufficient 

func (*FilterInputDropTCPSrcPort) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputDropTCPSrcPort) Name 

func (*FilterInputDropTCPSrcPort) Name() string

Name implements TestCase.Name.

type FilterInputDropUDP 

type FilterInputDropUDP struct {
	// contains filtered or unexported fields
}

FilterInputDropUDP tests that we can drop UDP traffic.

func (*FilterInputDropUDP) ContainerAction 

func (*FilterInputDropUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputDropUDP) ContainerSufficient 

func (*FilterInputDropUDP) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputDropUDP) LocalAction 

func (*FilterInputDropUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputDropUDP) LocalSufficient 

func (*FilterInputDropUDP) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputDropUDP) Name 

func (*FilterInputDropUDP) Name() string

Name implements TestCase.Name.

type FilterInputDropUDPPort 

type FilterInputDropUDPPort struct {
	// contains filtered or unexported fields
}

FilterInputDropUDPPort tests that we can drop UDP traffic by port.

func (*FilterInputDropUDPPort) ContainerAction 

func (*FilterInputDropUDPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputDropUDPPort) ContainerSufficient 

func (*FilterInputDropUDPPort) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputDropUDPPort) LocalAction 

func (*FilterInputDropUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputDropUDPPort) LocalSufficient 

func (*FilterInputDropUDPPort) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputDropUDPPort) Name 

func (*FilterInputDropUDPPort) Name() string

Name implements TestCase.Name.

type FilterInputInterface 

type FilterInputInterface struct {
	// contains filtered or unexported fields
}

FilterInputInterface tests that packets are not dropped from interface which is not matching the interface name in the iptables rule.

func (*FilterInputInterface) ContainerAction 

func (*FilterInputInterface) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputInterface) ContainerSufficient 

func (*FilterInputInterface) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputInterface) LocalAction 

func (*FilterInputInterface) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputInterface) LocalSufficient 

func (*FilterInputInterface) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputInterface) Name 

func (*FilterInputInterface) Name() string

Name implements TestCase.Name.

type FilterInputInterfaceAccept 

type FilterInputInterfaceAccept struct {
	// contains filtered or unexported fields
}

FilterInputInterfaceAccept tests that packets are accepted from interface matching the iptables rule.

func (*FilterInputInterfaceAccept) ContainerAction 

func (*FilterInputInterfaceAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputInterfaceAccept) ContainerSufficient 

func (*FilterInputInterfaceAccept) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputInterfaceAccept) LocalAction 

func (*FilterInputInterfaceAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputInterfaceAccept) LocalSufficient 

func (*FilterInputInterfaceAccept) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputInterfaceAccept) Name 

func (*FilterInputInterfaceAccept) Name() string

Name implements TestCase.Name.

type FilterInputInterfaceBeginsWith 

type FilterInputInterfaceBeginsWith struct {
	// contains filtered or unexported fields
}

FilterInputInterfaceBeginsWith tests that packets are dropped from an interface which begins with the given interface name.

func (*FilterInputInterfaceBeginsWith) ContainerAction 

func (*FilterInputInterfaceBeginsWith) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputInterfaceBeginsWith) ContainerSufficient 

func (*FilterInputInterfaceBeginsWith) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputInterfaceBeginsWith) LocalAction 

func (*FilterInputInterfaceBeginsWith) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputInterfaceBeginsWith) LocalSufficient 

func (*FilterInputInterfaceBeginsWith) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputInterfaceBeginsWith) Name 

func (*FilterInputInterfaceBeginsWith) Name() string

Name implements TestCase.Name.

type FilterInputInterfaceDrop 

type FilterInputInterfaceDrop struct {
	// contains filtered or unexported fields
}

FilterInputInterfaceDrop tests that packets are dropped from interface matching the iptables rule.

func (*FilterInputInterfaceDrop) ContainerAction 

func (*FilterInputInterfaceDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputInterfaceDrop) ContainerSufficient 

func (*FilterInputInterfaceDrop) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputInterfaceDrop) LocalAction 

func (*FilterInputInterfaceDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputInterfaceDrop) LocalSufficient 

func (*FilterInputInterfaceDrop) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputInterfaceDrop) Name 

func (*FilterInputInterfaceDrop) Name() string

Name implements TestCase.Name.

type FilterInputInterfaceInvertAccept 

type FilterInputInterfaceInvertAccept struct {
	// contains filtered or unexported fields
}

FilterInputInterfaceInvertAccept tests that we can selectively accept packets not matching the specific incoming interface.

func (*FilterInputInterfaceInvertAccept) ContainerAction 

func (*FilterInputInterfaceInvertAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputInterfaceInvertAccept) ContainerSufficient 

func (*FilterInputInterfaceInvertAccept) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputInterfaceInvertAccept) LocalAction 

func (*FilterInputInterfaceInvertAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputInterfaceInvertAccept) LocalSufficient 

func (*FilterInputInterfaceInvertAccept) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputInterfaceInvertAccept) Name 

func (*FilterInputInterfaceInvertAccept) Name() string

Name implements TestCase.Name.

type FilterInputInterfaceInvertDrop 

type FilterInputInterfaceInvertDrop struct {
	// contains filtered or unexported fields
}

FilterInputInterfaceInvertDrop tests that we selectively drop packets from interface not matching the interface name.

func (*FilterInputInterfaceInvertDrop) ContainerAction 

func (*FilterInputInterfaceInvertDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputInterfaceInvertDrop) ContainerSufficient 

func (*FilterInputInterfaceInvertDrop) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputInterfaceInvertDrop) LocalAction 

func (*FilterInputInterfaceInvertDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputInterfaceInvertDrop) LocalSufficient 

func (*FilterInputInterfaceInvertDrop) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputInterfaceInvertDrop) Name 

func (*FilterInputInterfaceInvertDrop) Name() string

Name implements TestCase.Name.

type FilterInputInvertDestination 

type FilterInputInvertDestination struct {
	// contains filtered or unexported fields
}

FilterInputInvertDestination verifies that we can filter packets via `! -d <ipaddr>`.

func (*FilterInputInvertDestination) ContainerAction 

func (*FilterInputInvertDestination) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputInvertDestination) ContainerSufficient 

func (*FilterInputInvertDestination) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputInvertDestination) LocalAction 

func (*FilterInputInvertDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputInvertDestination) LocalSufficient 

func (*FilterInputInvertDestination) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputInvertDestination) Name 

func (*FilterInputInvertDestination) Name() string

Name implements TestCase.Name.

type FilterInputInvertDportAccept 

type FilterInputInvertDportAccept struct {
	// contains filtered or unexported fields
}

FilterInputInvertDportAccept tests that we can send packets on a negated --dport match

func (*FilterInputInvertDportAccept) ContainerAction 

func (*FilterInputInvertDportAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputInvertDportAccept) ContainerSufficient 

func (*FilterInputInvertDportAccept) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputInvertDportAccept) LocalAction 

func (*FilterInputInvertDportAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputInvertDportAccept) LocalSufficient 

func (*FilterInputInvertDportAccept) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputInvertDportAccept) Name 

func (*FilterInputInvertDportAccept) Name() string

Name implements TestCase.Name.

type FilterInputInvertDportDrop 

type FilterInputInvertDportDrop struct {
	// contains filtered or unexported fields
}

FilterInputInvertDportDrop tests that we can send packets on a negated --dport match

func (*FilterInputInvertDportDrop) ContainerAction 

func (*FilterInputInvertDportDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputInvertDportDrop) ContainerSufficient 

func (*FilterInputInvertDportDrop) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputInvertDportDrop) LocalAction 

func (*FilterInputInvertDportDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputInvertDportDrop) LocalSufficient 

func (*FilterInputInvertDportDrop) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputInvertDportDrop) Name 

func (*FilterInputInvertDportDrop) Name() string

Name implements TestCase.Name.

type FilterInputInvertSource 

type FilterInputInvertSource struct {
	// contains filtered or unexported fields
}

FilterInputInvertSource verifies that we can filter packets via `! -s <ipaddr>`.

func (*FilterInputInvertSource) ContainerAction 

func (*FilterInputInvertSource) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputInvertSource) ContainerSufficient 

func (*FilterInputInvertSource) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputInvertSource) LocalAction 

func (*FilterInputInvertSource) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputInvertSource) LocalSufficient 

func (*FilterInputInvertSource) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputInvertSource) Name 

func (*FilterInputInvertSource) Name() string

Name implements TestCase.Name.

type FilterInputJumpBasic 

type FilterInputJumpBasic struct {
	// contains filtered or unexported fields
}

FilterInputJumpBasic jumps to a chain and executes a rule there.

func (*FilterInputJumpBasic) ContainerAction 

func (*FilterInputJumpBasic) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputJumpBasic) ContainerSufficient 

func (*FilterInputJumpBasic) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputJumpBasic) LocalAction 

func (*FilterInputJumpBasic) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputJumpBasic) LocalSufficient 

func (*FilterInputJumpBasic) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputJumpBasic) Name 

func (*FilterInputJumpBasic) Name() string

Name implements TestCase.Name.

type FilterInputJumpBuiltin 

type FilterInputJumpBuiltin struct {
	// contains filtered or unexported fields
}

FilterInputJumpBuiltin verifies that jumping to a top-levl chain is illegal.

func (*FilterInputJumpBuiltin) ContainerAction 

func (*FilterInputJumpBuiltin) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputJumpBuiltin) ContainerSufficient 

func (*FilterInputJumpBuiltin) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputJumpBuiltin) LocalAction 

func (*FilterInputJumpBuiltin) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputJumpBuiltin) LocalSufficient 

func (*FilterInputJumpBuiltin) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputJumpBuiltin) Name 

func (*FilterInputJumpBuiltin) Name() string

Name implements TestCase.Name.

type FilterInputJumpReturn 

type FilterInputJumpReturn struct {
	// contains filtered or unexported fields
}

FilterInputJumpReturn jumps, returns, and executes a rule.

func (*FilterInputJumpReturn) ContainerAction 

func (*FilterInputJumpReturn) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputJumpReturn) ContainerSufficient 

func (*FilterInputJumpReturn) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputJumpReturn) LocalAction 

func (*FilterInputJumpReturn) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputJumpReturn) LocalSufficient 

func (*FilterInputJumpReturn) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputJumpReturn) Name 

func (*FilterInputJumpReturn) Name() string

Name implements TestCase.Name.

type FilterInputJumpReturnDrop 

type FilterInputJumpReturnDrop struct {
	// contains filtered or unexported fields
}

FilterInputJumpReturnDrop jumps to a chain, returns, and DROPs packets.

func (*FilterInputJumpReturnDrop) ContainerAction 

func (*FilterInputJumpReturnDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputJumpReturnDrop) ContainerSufficient 

func (*FilterInputJumpReturnDrop) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputJumpReturnDrop) LocalAction 

func (*FilterInputJumpReturnDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputJumpReturnDrop) LocalSufficient 

func (*FilterInputJumpReturnDrop) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputJumpReturnDrop) Name 

func (*FilterInputJumpReturnDrop) Name() string

Name implements TestCase.Name.

type FilterInputJumpTwice 

type FilterInputJumpTwice struct {
	// contains filtered or unexported fields
}

FilterInputJumpTwice jumps twice, then returns twice and executes a rule.

func (*FilterInputJumpTwice) ContainerAction 

func (*FilterInputJumpTwice) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputJumpTwice) ContainerSufficient 

func (*FilterInputJumpTwice) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputJumpTwice) LocalAction 

func (*FilterInputJumpTwice) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputJumpTwice) LocalSufficient 

func (*FilterInputJumpTwice) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputJumpTwice) Name 

func (*FilterInputJumpTwice) Name() string

Name implements TestCase.Name.

type FilterInputMultiUDPRules 

type FilterInputMultiUDPRules struct {
	// contains filtered or unexported fields
}

FilterInputMultiUDPRules verifies that multiple UDP rules are applied correctly. This has the added benefit of testing whether we're serializing rules correctly -- if we do it incorrectly, the iptables tool will misunderstand and save the wrong tables.

func (*FilterInputMultiUDPRules) ContainerAction 

func (*FilterInputMultiUDPRules) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputMultiUDPRules) ContainerSufficient 

func (*FilterInputMultiUDPRules) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputMultiUDPRules) LocalAction 

func (*FilterInputMultiUDPRules) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputMultiUDPRules) LocalSufficient 

func (*FilterInputMultiUDPRules) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputMultiUDPRules) Name 

func (*FilterInputMultiUDPRules) Name() string

Name implements TestCase.Name.

type FilterInputRequireProtocolUDP 

type FilterInputRequireProtocolUDP struct {
	// contains filtered or unexported fields
}

FilterInputRequireProtocolUDP checks that "-m udp" requires "-p udp" to be specified.

func (*FilterInputRequireProtocolUDP) ContainerAction 

func (*FilterInputRequireProtocolUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputRequireProtocolUDP) ContainerSufficient 

func (*FilterInputRequireProtocolUDP) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputRequireProtocolUDP) LocalAction 

func (*FilterInputRequireProtocolUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputRequireProtocolUDP) LocalSufficient 

func (*FilterInputRequireProtocolUDP) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputRequireProtocolUDP) Name 

func (*FilterInputRequireProtocolUDP) Name() string

Name implements TestCase.Name.

type FilterInputReturnUnderflow 

type FilterInputReturnUnderflow struct {
	// contains filtered or unexported fields
}

FilterInputReturnUnderflow tests that -j RETURN in a built-in chain causes the underflow rule (i.e. default policy) to be executed.

func (*FilterInputReturnUnderflow) ContainerAction 

func (*FilterInputReturnUnderflow) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputReturnUnderflow) ContainerSufficient 

func (*FilterInputReturnUnderflow) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputReturnUnderflow) LocalAction 

func (*FilterInputReturnUnderflow) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputReturnUnderflow) LocalSufficient 

func (*FilterInputReturnUnderflow) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputReturnUnderflow) Name 

func (*FilterInputReturnUnderflow) Name() string

Name implements TestCase.Name.

type FilterInputSerializeJump 

type FilterInputSerializeJump struct {
	// contains filtered or unexported fields
}

FilterInputSerializeJump verifies that we can serialize jumps.

func (*FilterInputSerializeJump) ContainerAction 

func (*FilterInputSerializeJump) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputSerializeJump) ContainerSufficient 

func (*FilterInputSerializeJump) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputSerializeJump) LocalAction 

func (*FilterInputSerializeJump) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputSerializeJump) LocalSufficient 

func (*FilterInputSerializeJump) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputSerializeJump) Name 

func (*FilterInputSerializeJump) Name() string

Name implements TestCase.Name.

type FilterInputSource 

type FilterInputSource struct {
	// contains filtered or unexported fields
}

FilterInputSource verifies that we can filter packets via `-s <ipaddr>`.

func (*FilterInputSource) ContainerAction 

func (*FilterInputSource) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterInputSource) ContainerSufficient 

func (*FilterInputSource) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterInputSource) LocalAction 

func (*FilterInputSource) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterInputSource) LocalSufficient 

func (*FilterInputSource) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterInputSource) Name 

func (*FilterInputSource) Name() string

Name implements TestCase.Name.

type FilterOutputAcceptGIDOwner 

type FilterOutputAcceptGIDOwner struct {
	// contains filtered or unexported fields
}

FilterOutputAcceptGIDOwner tests that TCP connections from gid owner are accepted.

func (*FilterOutputAcceptGIDOwner) ContainerAction 

func (*FilterOutputAcceptGIDOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterOutputAcceptGIDOwner) ContainerSufficient 

func (*FilterOutputAcceptGIDOwner) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterOutputAcceptGIDOwner) LocalAction 

func (*FilterOutputAcceptGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterOutputAcceptGIDOwner) LocalSufficient 

func (*FilterOutputAcceptGIDOwner) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterOutputAcceptGIDOwner) Name 

func (*FilterOutputAcceptGIDOwner) Name() string

Name implements TestCase.Name.

type FilterOutputAcceptTCPOwner 

type FilterOutputAcceptTCPOwner struct {
	// contains filtered or unexported fields
}

FilterOutputAcceptTCPOwner tests that TCP connections from uid owner are accepted.

func (*FilterOutputAcceptTCPOwner) ContainerAction 

func (*FilterOutputAcceptTCPOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterOutputAcceptTCPOwner) ContainerSufficient 

func (*FilterOutputAcceptTCPOwner) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterOutputAcceptTCPOwner) LocalAction 

func (*FilterOutputAcceptTCPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterOutputAcceptTCPOwner) LocalSufficient 

func (*FilterOutputAcceptTCPOwner) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterOutputAcceptTCPOwner) Name 

func (*FilterOutputAcceptTCPOwner) Name() string

Name implements TestCase.Name.

type FilterOutputAcceptUDPOwner 

type FilterOutputAcceptUDPOwner struct {
	// contains filtered or unexported fields
}

FilterOutputAcceptUDPOwner tests that UDP packets from uid owner are accepted.

func (*FilterOutputAcceptUDPOwner) ContainerAction 

func (*FilterOutputAcceptUDPOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterOutputAcceptUDPOwner) ContainerSufficient 

func (*FilterOutputAcceptUDPOwner) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterOutputAcceptUDPOwner) LocalAction 

func (*FilterOutputAcceptUDPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterOutputAcceptUDPOwner) LocalSufficient 

func (*FilterOutputAcceptUDPOwner) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterOutputAcceptUDPOwner) Name 

func (*FilterOutputAcceptUDPOwner) Name() string

Name implements TestCase.Name.

type FilterOutputDestination 

type FilterOutputDestination struct {
	// contains filtered or unexported fields
}

FilterOutputDestination tests that we can selectively allow packets to certain destinations.

func (*FilterOutputDestination) ContainerAction 

func (*FilterOutputDestination) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterOutputDestination) ContainerSufficient 

func (*FilterOutputDestination) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterOutputDestination) LocalAction 

func (*FilterOutputDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterOutputDestination) LocalSufficient 

func (*FilterOutputDestination) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterOutputDestination) Name 

func (*FilterOutputDestination) Name() string

Name implements TestCase.Name.

type FilterOutputDropGIDOwner 

type FilterOutputDropGIDOwner struct {
	// contains filtered or unexported fields
}

FilterOutputDropGIDOwner tests that TCP connections from gid owner are dropped.

func (*FilterOutputDropGIDOwner) ContainerAction 

func (*FilterOutputDropGIDOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterOutputDropGIDOwner) ContainerSufficient 

func (*FilterOutputDropGIDOwner) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterOutputDropGIDOwner) LocalAction 

func (*FilterOutputDropGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterOutputDropGIDOwner) LocalSufficient 

func (*FilterOutputDropGIDOwner) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterOutputDropGIDOwner) Name 

func (*FilterOutputDropGIDOwner) Name() string

Name implements TestCase.Name.

type FilterOutputDropTCPDestPort 

type FilterOutputDropTCPDestPort struct {
	// contains filtered or unexported fields
}

FilterOutputDropTCPDestPort tests that connections are not accepted on specified source ports.

func (*FilterOutputDropTCPDestPort) ContainerAction 

func (*FilterOutputDropTCPDestPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterOutputDropTCPDestPort) ContainerSufficient 

func (*FilterOutputDropTCPDestPort) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterOutputDropTCPDestPort) LocalAction 

func (*FilterOutputDropTCPDestPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterOutputDropTCPDestPort) LocalSufficient 

func (*FilterOutputDropTCPDestPort) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterOutputDropTCPDestPort) Name 

func (*FilterOutputDropTCPDestPort) Name() string

Name implements TestCase.Name.

type FilterOutputDropTCPOwner 

type FilterOutputDropTCPOwner struct {
	// contains filtered or unexported fields
}

FilterOutputDropTCPOwner tests that TCP connections from uid owner are dropped.

func (*FilterOutputDropTCPOwner) ContainerAction 

func (*FilterOutputDropTCPOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterOutputDropTCPOwner) ContainerSufficient 

func (*FilterOutputDropTCPOwner) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterOutputDropTCPOwner) LocalAction 

func (*FilterOutputDropTCPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterOutputDropTCPOwner) LocalSufficient 

func (*FilterOutputDropTCPOwner) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterOutputDropTCPOwner) Name 

func (*FilterOutputDropTCPOwner) Name() string

Name implements TestCase.Name.

type FilterOutputDropTCPSrcPort 

type FilterOutputDropTCPSrcPort struct {
	// contains filtered or unexported fields
}

FilterOutputDropTCPSrcPort tests that connections are not accepted on specified source ports.

func (*FilterOutputDropTCPSrcPort) ContainerAction 

func (*FilterOutputDropTCPSrcPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterOutputDropTCPSrcPort) ContainerSufficient 

func (*FilterOutputDropTCPSrcPort) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterOutputDropTCPSrcPort) LocalAction 

func (*FilterOutputDropTCPSrcPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterOutputDropTCPSrcPort) LocalSufficient 

func (*FilterOutputDropTCPSrcPort) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterOutputDropTCPSrcPort) Name 

func (*FilterOutputDropTCPSrcPort) Name() string

Name implements TestCase.Name.

type FilterOutputDropUDPOwner 

type FilterOutputDropUDPOwner struct {
	// contains filtered or unexported fields
}

FilterOutputDropUDPOwner tests that UDP packets from uid owner are dropped.

func (*FilterOutputDropUDPOwner) ContainerAction 

func (*FilterOutputDropUDPOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterOutputDropUDPOwner) ContainerSufficient 

func (*FilterOutputDropUDPOwner) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterOutputDropUDPOwner) LocalAction 

func (*FilterOutputDropUDPOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterOutputDropUDPOwner) LocalSufficient 

func (*FilterOutputDropUDPOwner) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterOutputDropUDPOwner) Name 

func (*FilterOutputDropUDPOwner) Name() string

Name implements TestCase.Name.

type FilterOutputInterface 

type FilterOutputInterface struct {
	// contains filtered or unexported fields
}

FilterOutputInterface tests that packets are sent via interface which is not matching the interface name in the iptables rule.

func (*FilterOutputInterface) ContainerAction 

func (*FilterOutputInterface) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterOutputInterface) ContainerSufficient 

func (*FilterOutputInterface) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterOutputInterface) LocalAction 

func (*FilterOutputInterface) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterOutputInterface) LocalSufficient 

func (*FilterOutputInterface) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterOutputInterface) Name 

func (*FilterOutputInterface) Name() string

Name implements TestCase.Name.

type FilterOutputInterfaceAccept 

type FilterOutputInterfaceAccept struct {
	// contains filtered or unexported fields
}

FilterOutputInterfaceAccept tests that packets are sent via interface matching the iptables rule.

func (*FilterOutputInterfaceAccept) ContainerAction 

func (*FilterOutputInterfaceAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterOutputInterfaceAccept) ContainerSufficient 

func (*FilterOutputInterfaceAccept) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterOutputInterfaceAccept) LocalAction 

func (*FilterOutputInterfaceAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterOutputInterfaceAccept) LocalSufficient 

func (*FilterOutputInterfaceAccept) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterOutputInterfaceAccept) Name 

func (*FilterOutputInterfaceAccept) Name() string

Name implements TestCase.Name.

type FilterOutputInterfaceBeginsWith 

type FilterOutputInterfaceBeginsWith struct {
	// contains filtered or unexported fields
}

FilterOutputInterfaceBeginsWith tests that packets are not sent via an interface which begins with the given interface name.

func (*FilterOutputInterfaceBeginsWith) ContainerAction 

func (*FilterOutputInterfaceBeginsWith) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterOutputInterfaceBeginsWith) ContainerSufficient 

func (*FilterOutputInterfaceBeginsWith) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterOutputInterfaceBeginsWith) LocalAction 

func (*FilterOutputInterfaceBeginsWith) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterOutputInterfaceBeginsWith) LocalSufficient 

func (*FilterOutputInterfaceBeginsWith) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterOutputInterfaceBeginsWith) Name 

func (*FilterOutputInterfaceBeginsWith) Name() string

Name implements TestCase.Name.

type FilterOutputInterfaceDrop 

type FilterOutputInterfaceDrop struct {
	// contains filtered or unexported fields
}

FilterOutputInterfaceDrop tests that packets are not sent via interface matching the iptables rule.

func (*FilterOutputInterfaceDrop) ContainerAction 

func (*FilterOutputInterfaceDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterOutputInterfaceDrop) ContainerSufficient 

func (*FilterOutputInterfaceDrop) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterOutputInterfaceDrop) LocalAction 

func (*FilterOutputInterfaceDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterOutputInterfaceDrop) LocalSufficient 

func (*FilterOutputInterfaceDrop) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterOutputInterfaceDrop) Name 

func (*FilterOutputInterfaceDrop) Name() string

Name implements TestCase.Name.

type FilterOutputInterfaceInvertAccept 

type FilterOutputInterfaceInvertAccept struct {
	// contains filtered or unexported fields
}

FilterOutputInterfaceInvertAccept tests that we can selectively send packets not matching the specific outgoing interface.

func (*FilterOutputInterfaceInvertAccept) ContainerAction 

func (*FilterOutputInterfaceInvertAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterOutputInterfaceInvertAccept) ContainerSufficient 

func (*FilterOutputInterfaceInvertAccept) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterOutputInterfaceInvertAccept) LocalAction 

func (*FilterOutputInterfaceInvertAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterOutputInterfaceInvertAccept) LocalSufficient 

func (*FilterOutputInterfaceInvertAccept) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterOutputInterfaceInvertAccept) Name 

func (*FilterOutputInterfaceInvertAccept) Name() string

Name implements TestCase.Name.

type FilterOutputInterfaceInvertDrop 

type FilterOutputInterfaceInvertDrop struct {
	// contains filtered or unexported fields
}

FilterOutputInterfaceInvertDrop tests that we selectively do not send packets via interface not matching the interface name.

func (*FilterOutputInterfaceInvertDrop) ContainerAction 

func (*FilterOutputInterfaceInvertDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterOutputInterfaceInvertDrop) ContainerSufficient 

func (*FilterOutputInterfaceInvertDrop) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterOutputInterfaceInvertDrop) LocalAction 

func (*FilterOutputInterfaceInvertDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterOutputInterfaceInvertDrop) LocalSufficient 

func (*FilterOutputInterfaceInvertDrop) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterOutputInterfaceInvertDrop) Name 

func (*FilterOutputInterfaceInvertDrop) Name() string

Name implements TestCase.Name.

type FilterOutputInvertDestination 

type FilterOutputInvertDestination struct {
	// contains filtered or unexported fields
}

FilterOutputInvertDestination tests that we can selectively allow packets not headed for a particular destination.

func (*FilterOutputInvertDestination) ContainerAction 

func (*FilterOutputInvertDestination) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterOutputInvertDestination) ContainerSufficient 

func (*FilterOutputInvertDestination) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterOutputInvertDestination) LocalAction 

func (*FilterOutputInvertDestination) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterOutputInvertDestination) LocalSufficient 

func (*FilterOutputInvertDestination) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterOutputInvertDestination) Name 

func (*FilterOutputInvertDestination) Name() string

Name implements TestCase.Name.

type FilterOutputInvertGIDOwner 

type FilterOutputInvertGIDOwner struct {
	// contains filtered or unexported fields
}

FilterOutputInvertGIDOwner tests that TCP connections from gid owner are dropped.

func (*FilterOutputInvertGIDOwner) ContainerAction 

func (*FilterOutputInvertGIDOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterOutputInvertGIDOwner) ContainerSufficient 

func (*FilterOutputInvertGIDOwner) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterOutputInvertGIDOwner) LocalAction 

func (*FilterOutputInvertGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterOutputInvertGIDOwner) LocalSufficient 

func (*FilterOutputInvertGIDOwner) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterOutputInvertGIDOwner) Name 

func (*FilterOutputInvertGIDOwner) Name() string

Name implements TestCase.Name.

type FilterOutputInvertSportAccept 

type FilterOutputInvertSportAccept struct {
	// contains filtered or unexported fields
}

FilterOutputInvertSportAccept tests that we can send packets on a negated --sport match

func (*FilterOutputInvertSportAccept) ContainerAction 

func (*FilterOutputInvertSportAccept) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterOutputInvertSportAccept) ContainerSufficient 

func (*FilterOutputInvertSportAccept) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterOutputInvertSportAccept) LocalAction 

func (*FilterOutputInvertSportAccept) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterOutputInvertSportAccept) LocalSufficient 

func (*FilterOutputInvertSportAccept) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterOutputInvertSportAccept) Name 

func (*FilterOutputInvertSportAccept) Name() string

Name implements TestCase.Name.

type FilterOutputInvertSportDrop 

type FilterOutputInvertSportDrop struct {
	// contains filtered or unexported fields
}

FilterOutputInvertSportDrop tests that we can send packets on a negated --dport match

func (*FilterOutputInvertSportDrop) ContainerAction 

func (*FilterOutputInvertSportDrop) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterOutputInvertSportDrop) ContainerSufficient 

func (*FilterOutputInvertSportDrop) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterOutputInvertSportDrop) LocalAction 

func (*FilterOutputInvertSportDrop) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterOutputInvertSportDrop) LocalSufficient 

func (*FilterOutputInvertSportDrop) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterOutputInvertSportDrop) Name 

func (*FilterOutputInvertSportDrop) Name() string

Name implements TestCase.Name.

type FilterOutputInvertUIDAndGIDOwner 

type FilterOutputInvertUIDAndGIDOwner struct {
	// contains filtered or unexported fields
}

FilterOutputInvertUIDAndGIDOwner tests that TCP connections from uid and gid owner are dropped.

func (*FilterOutputInvertUIDAndGIDOwner) ContainerAction 

func (*FilterOutputInvertUIDAndGIDOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterOutputInvertUIDAndGIDOwner) ContainerSufficient 

func (*FilterOutputInvertUIDAndGIDOwner) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterOutputInvertUIDAndGIDOwner) LocalAction 

func (*FilterOutputInvertUIDAndGIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterOutputInvertUIDAndGIDOwner) LocalSufficient 

func (*FilterOutputInvertUIDAndGIDOwner) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterOutputInvertUIDAndGIDOwner) Name 

func (*FilterOutputInvertUIDAndGIDOwner) Name() string

Name implements TestCase.Name.

type FilterOutputInvertUIDOwner 

type FilterOutputInvertUIDOwner struct {
	// contains filtered or unexported fields
}

FilterOutputInvertUIDOwner tests that TCP connections from gid owner are dropped.

func (*FilterOutputInvertUIDOwner) ContainerAction 

func (*FilterOutputInvertUIDOwner) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterOutputInvertUIDOwner) ContainerSufficient 

func (*FilterOutputInvertUIDOwner) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterOutputInvertUIDOwner) LocalAction 

func (*FilterOutputInvertUIDOwner) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterOutputInvertUIDOwner) LocalSufficient 

func (*FilterOutputInvertUIDOwner) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterOutputInvertUIDOwner) Name 

func (*FilterOutputInvertUIDOwner) Name() string

Name implements TestCase.Name.

type FilterOutputOwnerFail 

type FilterOutputOwnerFail struct {
	// contains filtered or unexported fields
}

FilterOutputOwnerFail tests that without uid/gid option, owner rule will fail.

func (*FilterOutputOwnerFail) ContainerAction 

func (*FilterOutputOwnerFail) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*FilterOutputOwnerFail) ContainerSufficient 

func (*FilterOutputOwnerFail) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*FilterOutputOwnerFail) LocalAction 

func (*FilterOutputOwnerFail) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*FilterOutputOwnerFail) LocalSufficient 

func (*FilterOutputOwnerFail) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*FilterOutputOwnerFail) Name 

func (*FilterOutputOwnerFail) Name() string

Name implements TestCase.Name.

type NATAcceptAll 

type NATAcceptAll struct {
	// contains filtered or unexported fields
}

NATAcceptAll tests that all UDP packets are accepted.

func (*NATAcceptAll) ContainerAction 

func (*NATAcceptAll) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*NATAcceptAll) ContainerSufficient 

func (*NATAcceptAll) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*NATAcceptAll) LocalAction 

func (*NATAcceptAll) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*NATAcceptAll) LocalSufficient 

func (*NATAcceptAll) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*NATAcceptAll) Name 

func (*NATAcceptAll) Name() string

Name implements TestCase.Name.

type NATDropUDP 

type NATDropUDP struct {
	// contains filtered or unexported fields
}

NATDropUDP tests that packets are not received in ports other than redirect port.

func (*NATDropUDP) ContainerAction 

func (*NATDropUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*NATDropUDP) ContainerSufficient 

func (*NATDropUDP) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*NATDropUDP) LocalAction 

func (*NATDropUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*NATDropUDP) LocalSufficient 

func (*NATDropUDP) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*NATDropUDP) Name 

func (*NATDropUDP) Name() string

Name implements TestCase.Name.

type NATLoopbackSkipsPrerouting 

type NATLoopbackSkipsPrerouting struct {
	// contains filtered or unexported fields
}

NATLoopbackSkipsPrerouting tests that packets sent via loopback aren't affected by PREROUTING rules.

func (*NATLoopbackSkipsPrerouting) ContainerAction 

func (*NATLoopbackSkipsPrerouting) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*NATLoopbackSkipsPrerouting) ContainerSufficient 

func (*NATLoopbackSkipsPrerouting) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*NATLoopbackSkipsPrerouting) LocalAction 

func (*NATLoopbackSkipsPrerouting) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*NATLoopbackSkipsPrerouting) LocalSufficient 

func (*NATLoopbackSkipsPrerouting) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*NATLoopbackSkipsPrerouting) Name 

func (*NATLoopbackSkipsPrerouting) Name() string

Name implements TestCase.Name.

type NATOutDNAT 

type NATOutDNAT struct {
	// contains filtered or unexported fields
}

NATOutDNAT tests that the source port/IP in the packets are modified as expected. It tests the latest-implemented revision of the DNAT target.

func (*NATOutDNAT) ContainerAction 

func (*NATOutDNAT) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*NATOutDNAT) ContainerSufficient 

func (*NATOutDNAT) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*NATOutDNAT) LocalAction 

func (*NATOutDNAT) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*NATOutDNAT) LocalSufficient 

func (*NATOutDNAT) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*NATOutDNAT) Name 

func (*NATOutDNAT) Name() string

Name implements TestCase.Name.

type NATOutDNATAddrOnly 

type NATOutDNATAddrOnly struct {
	// contains filtered or unexported fields
}

NATOutDNATAddrOnly tests that the source IP only in the packets are modified as expected. It tests the latest-implemented revision of the DNAT target.

func (*NATOutDNATAddrOnly) ContainerAction 

func (*NATOutDNATAddrOnly) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*NATOutDNATAddrOnly) ContainerSufficient 

func (*NATOutDNATAddrOnly) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*NATOutDNATAddrOnly) LocalAction 

func (*NATOutDNATAddrOnly) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*NATOutDNATAddrOnly) LocalSufficient 

func (*NATOutDNATAddrOnly) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*NATOutDNATAddrOnly) Name 

func (*NATOutDNATAddrOnly) Name() string

Name implements TestCase.Name.

type NATOutDNATPortOnly 

type NATOutDNATPortOnly struct {
	// contains filtered or unexported fields
}

NATOutDNATPortOnly tests that the source port only in the packets are modified as expected. It tests the latest-implemented revision of the DNAT target.

func (*NATOutDNATPortOnly) ContainerAction 

func (*NATOutDNATPortOnly) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*NATOutDNATPortOnly) ContainerSufficient 

func (*NATOutDNATPortOnly) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*NATOutDNATPortOnly) LocalAction 

func (*NATOutDNATPortOnly) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*NATOutDNATPortOnly) LocalSufficient 

func (*NATOutDNATPortOnly) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*NATOutDNATPortOnly) Name 

func (*NATOutDNATPortOnly) Name() string

Name implements TestCase.Name.

type NATOutDontRedirectIP 

type NATOutDontRedirectIP struct {
	// contains filtered or unexported fields
}

NATOutDontRedirectIP tests that iptables matching with "-d" does not match packets it shouldn't.

func (*NATOutDontRedirectIP) ContainerAction 

func (*NATOutDontRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*NATOutDontRedirectIP) ContainerSufficient 

func (*NATOutDontRedirectIP) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*NATOutDontRedirectIP) LocalAction 

func (*NATOutDontRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*NATOutDontRedirectIP) LocalSufficient 

func (*NATOutDontRedirectIP) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*NATOutDontRedirectIP) Name 

func (*NATOutDontRedirectIP) Name() string

Name implements TestCase.Name.

type NATOutOriginalDst 

type NATOutOriginalDst struct {
	// contains filtered or unexported fields
}

NATOutOriginalDst tests that SO_ORIGINAL_DST returns the pre-NAT destination of OUTBOUND NATted packets.

func (*NATOutOriginalDst) ContainerAction 

func (*NATOutOriginalDst) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*NATOutOriginalDst) ContainerSufficient 

func (*NATOutOriginalDst) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*NATOutOriginalDst) LocalAction 

func (*NATOutOriginalDst) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*NATOutOriginalDst) LocalSufficient 

func (*NATOutOriginalDst) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*NATOutOriginalDst) Name 

func (*NATOutOriginalDst) Name() string

Name implements TestCase.Name.

type NATOutRECVORIGDSTADDR 

type NATOutRECVORIGDSTADDR struct {
	// contains filtered or unexported fields
}

NATOutRECVORIGDSTADDR tests that IP{V6}_RECVORIGDSTADDR gets the post-NAT address on the OUTPUT chain.

func (*NATOutRECVORIGDSTADDR) ContainerAction 

func (*NATOutRECVORIGDSTADDR) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*NATOutRECVORIGDSTADDR) ContainerSufficient 

func (*NATOutRECVORIGDSTADDR) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*NATOutRECVORIGDSTADDR) LocalAction 

func (*NATOutRECVORIGDSTADDR) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*NATOutRECVORIGDSTADDR) LocalSufficient 

func (*NATOutRECVORIGDSTADDR) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*NATOutRECVORIGDSTADDR) Name 

func (*NATOutRECVORIGDSTADDR) Name() string

Name implements TestCase.Name.

type NATOutRedirectIP 

type NATOutRedirectIP struct {
	// contains filtered or unexported fields
}

NATOutRedirectIP uses iptables to select packets based on destination IP and redirects them.

func (*NATOutRedirectIP) ContainerAction 

func (*NATOutRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*NATOutRedirectIP) ContainerSufficient 

func (*NATOutRedirectIP) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*NATOutRedirectIP) LocalAction 

func (*NATOutRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*NATOutRedirectIP) LocalSufficient 

func (*NATOutRedirectIP) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*NATOutRedirectIP) Name 

func (*NATOutRedirectIP) Name() string

Name implements TestCase.Name.

type NATOutRedirectInvert 

type NATOutRedirectInvert struct {
	// contains filtered or unexported fields
}

NATOutRedirectInvert tests that iptables can match with "! -d".

func (*NATOutRedirectInvert) ContainerAction 

func (*NATOutRedirectInvert) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*NATOutRedirectInvert) ContainerSufficient 

func (*NATOutRedirectInvert) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*NATOutRedirectInvert) LocalAction 

func (*NATOutRedirectInvert) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*NATOutRedirectInvert) LocalSufficient 

func (*NATOutRedirectInvert) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*NATOutRedirectInvert) Name 

func (*NATOutRedirectInvert) Name() string

Name implements TestCase.Name.

type NATOutRedirectTCPIncoming 

type NATOutRedirectTCPIncoming struct {
	// contains filtered or unexported fields
}

NATOutRedirectTCPIncoming verifies that incoming TCP connections aren't affected by OUTPUT connection tracking.

func (*NATOutRedirectTCPIncoming) ContainerAction 

func (*NATOutRedirectTCPIncoming) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*NATOutRedirectTCPIncoming) ContainerSufficient 

func (*NATOutRedirectTCPIncoming) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*NATOutRedirectTCPIncoming) LocalAction 

func (*NATOutRedirectTCPIncoming) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*NATOutRedirectTCPIncoming) LocalSufficient 

func (*NATOutRedirectTCPIncoming) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*NATOutRedirectTCPIncoming) Name 

func (*NATOutRedirectTCPIncoming) Name() string

Name implements TestCase.Name.

type NATOutRedirectTCPPort 

type NATOutRedirectTCPPort struct {
	// contains filtered or unexported fields
}

NATOutRedirectTCPPort tests that connections are redirected on specified ports.

func (*NATOutRedirectTCPPort) ContainerAction 

func (*NATOutRedirectTCPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*NATOutRedirectTCPPort) ContainerSufficient 

func (*NATOutRedirectTCPPort) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*NATOutRedirectTCPPort) LocalAction 

func (*NATOutRedirectTCPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*NATOutRedirectTCPPort) LocalSufficient 

func (*NATOutRedirectTCPPort) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*NATOutRedirectTCPPort) Name 

func (*NATOutRedirectTCPPort) Name() string

Name implements TestCase.Name.

type NATOutRedirectUDPPort 

type NATOutRedirectUDPPort struct {
	// contains filtered or unexported fields
}

NATOutRedirectUDPPort tests that packets are redirected to different port.

func (*NATOutRedirectUDPPort) ContainerAction 

func (*NATOutRedirectUDPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*NATOutRedirectUDPPort) ContainerSufficient 

func (*NATOutRedirectUDPPort) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*NATOutRedirectUDPPort) LocalAction 

func (*NATOutRedirectUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*NATOutRedirectUDPPort) LocalSufficient 

func (*NATOutRedirectUDPPort) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*NATOutRedirectUDPPort) Name 

func (*NATOutRedirectUDPPort) Name() string

Name implements TestCase.Name.

type NATPostSNATTCP 

type NATPostSNATTCP struct {
	// contains filtered or unexported fields
}

NATPostSNATTCP tests that the source port/IP in the packets are modified as expected. It tests the latest-implemented revision of the SNAT target.

func (*NATPostSNATTCP) ContainerAction 

func (*NATPostSNATTCP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*NATPostSNATTCP) ContainerSufficient 

func (*NATPostSNATTCP) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*NATPostSNATTCP) LocalAction 

func (*NATPostSNATTCP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*NATPostSNATTCP) LocalSufficient 

func (*NATPostSNATTCP) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*NATPostSNATTCP) Name 

func (*NATPostSNATTCP) Name() string

Name implements TestCase.Name.

type NATPostSNATUDP 

type NATPostSNATUDP struct {
	// contains filtered or unexported fields
}

NATPostSNATUDP tests that the source port/IP in the packets are modified as expected. It tests the latest-implemented revision of the SNAT target.

func (*NATPostSNATUDP) ContainerAction 

func (*NATPostSNATUDP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*NATPostSNATUDP) ContainerSufficient 

func (*NATPostSNATUDP) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*NATPostSNATUDP) LocalAction 

func (*NATPostSNATUDP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*NATPostSNATUDP) LocalSufficient 

func (*NATPostSNATUDP) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*NATPostSNATUDP) Name 

func (*NATPostSNATUDP) Name() string

Name implements TestCase.Name.

type NATPreDontRedirectIP 

type NATPreDontRedirectIP struct {
	// contains filtered or unexported fields
}

NATPreDontRedirectIP tests that iptables matching with "-d" does not match packets it shouldn't.

func (*NATPreDontRedirectIP) ContainerAction 

func (*NATPreDontRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*NATPreDontRedirectIP) ContainerSufficient 

func (*NATPreDontRedirectIP) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*NATPreDontRedirectIP) LocalAction 

func (*NATPreDontRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*NATPreDontRedirectIP) LocalSufficient 

func (*NATPreDontRedirectIP) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*NATPreDontRedirectIP) Name 

func (*NATPreDontRedirectIP) Name() string

Name implements TestCase.Name.

type NATPreOriginalDst 

type NATPreOriginalDst struct {
	// contains filtered or unexported fields
}

NATPreOriginalDst tests that SO_ORIGINAL_DST returns the pre-NAT destination of PREROUTING NATted packets.

func (*NATPreOriginalDst) ContainerAction 

func (*NATPreOriginalDst) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*NATPreOriginalDst) ContainerSufficient 

func (*NATPreOriginalDst) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*NATPreOriginalDst) LocalAction 

func (*NATPreOriginalDst) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*NATPreOriginalDst) LocalSufficient 

func (*NATPreOriginalDst) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*NATPreOriginalDst) Name 

func (*NATPreOriginalDst) Name() string

Name implements TestCase.Name.

type NATPreRECVORIGDSTADDR 

type NATPreRECVORIGDSTADDR struct {
	// contains filtered or unexported fields
}

NATPreRECVORIGDSTADDR tests that IP{V6}_RECVORIGDSTADDR gets the post-NAT address on the PREROUTING chain.

func (*NATPreRECVORIGDSTADDR) ContainerAction 

func (*NATPreRECVORIGDSTADDR) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*NATPreRECVORIGDSTADDR) ContainerSufficient 

func (*NATPreRECVORIGDSTADDR) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*NATPreRECVORIGDSTADDR) LocalAction 

func (*NATPreRECVORIGDSTADDR) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*NATPreRECVORIGDSTADDR) LocalSufficient 

func (*NATPreRECVORIGDSTADDR) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*NATPreRECVORIGDSTADDR) Name 

func (*NATPreRECVORIGDSTADDR) Name() string

Name implements TestCase.Name.

type NATPreRedirectIP 

type NATPreRedirectIP struct {
	// contains filtered or unexported fields
}

NATPreRedirectIP tests that we can use iptables to select packets based on destination IP and redirect them.

func (*NATPreRedirectIP) ContainerAction 

func (*NATPreRedirectIP) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*NATPreRedirectIP) ContainerSufficient 

func (*NATPreRedirectIP) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*NATPreRedirectIP) LocalAction 

func (*NATPreRedirectIP) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*NATPreRedirectIP) LocalSufficient 

func (*NATPreRedirectIP) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*NATPreRedirectIP) Name 

func (*NATPreRedirectIP) Name() string

Name implements TestCase.Name.

type NATPreRedirectInvert 

type NATPreRedirectInvert struct {
	// contains filtered or unexported fields
}

NATPreRedirectInvert tests that iptables can match with "! -d".

func (*NATPreRedirectInvert) ContainerAction 

func (*NATPreRedirectInvert) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*NATPreRedirectInvert) ContainerSufficient 

func (*NATPreRedirectInvert) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*NATPreRedirectInvert) LocalAction 

func (*NATPreRedirectInvert) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*NATPreRedirectInvert) LocalSufficient 

func (*NATPreRedirectInvert) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*NATPreRedirectInvert) Name 

func (*NATPreRedirectInvert) Name() string

Name implements TestCase.Name.

type NATPreRedirectTCPOutgoing 

type NATPreRedirectTCPOutgoing struct {
	// contains filtered or unexported fields
}

NATPreRedirectTCPOutgoing verifies that outgoing TCP connections aren't affected by PREROUTING connection tracking.

func (*NATPreRedirectTCPOutgoing) ContainerAction 

func (*NATPreRedirectTCPOutgoing) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*NATPreRedirectTCPOutgoing) ContainerSufficient 

func (*NATPreRedirectTCPOutgoing) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*NATPreRedirectTCPOutgoing) LocalAction 

func (*NATPreRedirectTCPOutgoing) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*NATPreRedirectTCPOutgoing) LocalSufficient 

func (*NATPreRedirectTCPOutgoing) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*NATPreRedirectTCPOutgoing) Name 

func (*NATPreRedirectTCPOutgoing) Name() string

Name implements TestCase.Name.

type NATPreRedirectTCPPort 

type NATPreRedirectTCPPort struct {
	// contains filtered or unexported fields
}

NATPreRedirectTCPPort tests that connections are redirected on specified ports.

func (*NATPreRedirectTCPPort) ContainerAction 

func (*NATPreRedirectTCPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*NATPreRedirectTCPPort) ContainerSufficient 

func (*NATPreRedirectTCPPort) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*NATPreRedirectTCPPort) LocalAction 

func (*NATPreRedirectTCPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*NATPreRedirectTCPPort) LocalSufficient 

func (*NATPreRedirectTCPPort) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*NATPreRedirectTCPPort) Name 

func (*NATPreRedirectTCPPort) Name() string

Name implements TestCase.Name.

type NATPreRedirectUDPPort 

type NATPreRedirectUDPPort struct {
	// contains filtered or unexported fields
}

NATPreRedirectUDPPort tests that packets are redirected to different port.

func (*NATPreRedirectUDPPort) ContainerAction 

func (*NATPreRedirectUDPPort) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*NATPreRedirectUDPPort) ContainerSufficient 

func (*NATPreRedirectUDPPort) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*NATPreRedirectUDPPort) LocalAction 

func (*NATPreRedirectUDPPort) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*NATPreRedirectUDPPort) LocalSufficient 

func (*NATPreRedirectUDPPort) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*NATPreRedirectUDPPort) Name 

func (*NATPreRedirectUDPPort) Name() string

Name implements TestCase.Name.

type NATRedirectRequiresProtocol 

type NATRedirectRequiresProtocol struct {
	// contains filtered or unexported fields
}

NATRedirectRequiresProtocol tests that use of the --to-ports flag requires a protocol to be specified with -p.

func (*NATRedirectRequiresProtocol) ContainerAction 

func (*NATRedirectRequiresProtocol) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

ContainerAction implements TestCase.ContainerAction.

func (*NATRedirectRequiresProtocol) ContainerSufficient 

func (*NATRedirectRequiresProtocol) ContainerSufficient() bool

ContainerSufficient implements TestCase.ContainerSufficient.

func (*NATRedirectRequiresProtocol) LocalAction 

func (*NATRedirectRequiresProtocol) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

LocalAction implements TestCase.LocalAction.

func (*NATRedirectRequiresProtocol) LocalSufficient 

func (*NATRedirectRequiresProtocol) LocalSufficient() bool

LocalSufficient implements TestCase.LocalSufficient.

func (*NATRedirectRequiresProtocol) Name 

func (*NATRedirectRequiresProtocol) Name() string

Name implements TestCase.Name.

type TestCase 

type TestCase interface {
	// Name returns the name of the test.
	Name() string

	// ContainerAction runs inside the container. It receives the IP of the
	// local process.
	ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error

	// LocalAction runs locally. It receives the IP of the container.
	LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error

	// ContainerSufficient indicates whether ContainerAction's return value
	// alone indicates whether the test succeeded.
	ContainerSufficient() bool

	// LocalSufficient indicates whether LocalAction's return value alone
	// indicates whether the test succeeded.
	LocalSufficient() bool
}

A TestCase contains one action to run in the container and one to run locally. The actions run concurrently and each must succeed for the test pass.

Source Files

View all Source files

Directories

Path Synopsis
Package main runs iptables tests from within a docker container.
 Package main runs iptables tests from within a docker container.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.