istio
314 строк · 13.5 Кб
1// Copyright Istio Authors2//3// Licensed under the Apache License, Version 2.0 (the "License");4// you may not use this file except in compliance with the License.5// You may obtain a copy of the License at6//7// http://www.apache.org/licenses/LICENSE-2.08//9// Unless required by applicable law or agreed to in writing, software10// distributed under the License is distributed on an "AS IS" BASIS,11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.12// See the License for the specific language governing permissions and13// limitations under the License.14package builder16import (18"reflect"19"testing"20"istio.io/istio/tools/istio-iptables/pkg/config"22"istio.io/istio/tools/istio-iptables/pkg/constants"23iptableslog "istio.io/istio/tools/istio-iptables/pkg/log"24)25// TODO(abhide): Add more testcases once BuildV6Restore() are implemented27func TestBuildV6Restore(t *testing.T) {28iptables := NewIptablesRuleBuilder(nil)29expected := ""30actual := iptables.BuildV6Restore()31if expected != actual {32t.Errorf("Output didn't match: Got: %s, Expected: %s", actual, expected)33}34}35// TODO(abhide): Add more testcases once BuildV4Restore() are implemented37func TestBuildV4Restore(t *testing.T) {38iptables := NewIptablesRuleBuilder(nil)39expected := ""40actual := iptables.BuildV4Restore()41if expected != actual {42t.Errorf("Output didn't match: Got: %s, Expected: %s", actual, expected)43}44}45func TestBuildV4InsertSingleRule(t *testing.T) {47iptables := NewIptablesRuleBuilder(nil)48iptables.InsertRuleV4(iptableslog.UndefinedCommand, "chain", "table", 2, "-f", "foo", "-b", "bar")49if err := len(iptables.rules.rulesv6) != 0; err {50t.Errorf("Expected rulesV6 to be empty; but got %#v", iptables.rules.rulesv6)51}52actual := iptables.BuildV4()53expected := [][]string{54{"-t", "table", "-N", "chain"},55{"-t", "table", "-I", "chain", "2", "-f", "foo", "-b", "bar"},56}57if !reflect.DeepEqual(actual, expected) {58t.Errorf("Actual and expected output mismatch; but instead got Actual: %#v ; Expected: %#v", actual, expected)59}60// V6 rules should be empty and return an empty slice61actual = iptables.BuildV6()62if !reflect.DeepEqual(actual, [][]string{}) {63t.Errorf("Expected V6 rules to be empty; but instead got Actual: %#v", actual)64}65}66func TestBuildV4AppendSingleRule(t *testing.T) {68iptables := NewIptablesRuleBuilder(nil)69iptables.AppendRuleV4(iptableslog.UndefinedCommand, "chain", "table", "-f", "foo", "-b", "bar")70if err := len(iptables.rules.rulesv6) != 0; err {71t.Errorf("Expected rulesV6 to be empty; but got %#v", iptables.rules.rulesv6)72}73actual := iptables.BuildV4()74expected := [][]string{75{"-t", "table", "-N", "chain"},76{"-t", "table", "-A", "chain", "-f", "foo", "-b", "bar"},77}78if !reflect.DeepEqual(actual, expected) {79t.Errorf("Actual and expected output mismatch; but instead got Actual: %#v ; Expected: %#v", actual, expected)80}81// V6 rules should be empty and return an empty slice82actual = iptables.BuildV6()83if !reflect.DeepEqual(actual, [][]string{}) {84t.Errorf("Expected V6 rules to be empty; but instead got Actual: %#v", actual)85}86}87func TestBuildV4AppendMultipleRules(t *testing.T) {89iptables := NewIptablesRuleBuilder(nil)90iptables.AppendRuleV4(iptableslog.UndefinedCommand, "chain", "table", "-f", "foo", "-b", "bar")91iptables.AppendRuleV4(iptableslog.UndefinedCommand, "chain", "table", "-f", "fu", "-b", "bar")92iptables.AppendRuleV4(iptableslog.UndefinedCommand, "chain", "table", "-f", "foo", "-b", "baz")93if err := len(iptables.rules.rulesv6) != 0; err {94t.Errorf("Expected rulesV6 to be empty; but got %#v", iptables.rules.rulesv6)95}96actual := iptables.BuildV4()97expected := [][]string{98{"-t", "table", "-N", "chain"},99{"-t", "table", "-A", "chain", "-f", "foo", "-b", "bar"},100{"-t", "table", "-A", "chain", "-f", "fu", "-b", "bar"},101{"-t", "table", "-A", "chain", "-f", "foo", "-b", "baz"},102}103if !reflect.DeepEqual(actual, expected) {104t.Errorf("Actual and expected output mismatch; but instead got Actual: %#v ; Expected: %#v", actual, expected)105}106// V6 rules should be empty and return an empty slice107actual = iptables.BuildV6()108if !reflect.DeepEqual(actual, [][]string{}) {109t.Errorf("Expected V6 rules to be empty; but instead got Actual: %#v", actual)110}111}112func TestBuildV4InsertMultipleRules(t *testing.T) {114iptables := NewIptablesRuleBuilder(nil)115iptables.InsertRuleV4(iptableslog.UndefinedCommand, "chain", "table", 1, "-f", "foo", "-b", "bar")116iptables.InsertRuleV4(iptableslog.UndefinedCommand, "chain", "table", 2, "-f", "foo", "-b", "baaz")117iptables.InsertRuleV4(iptableslog.UndefinedCommand, "chain", "table", 3, "-f", "foo", "-b", "baz")118if err := len(iptables.rules.rulesv6) != 0; err {119t.Errorf("Expected rulesV6 to be empty; but got %#v", iptables.rules.rulesv6)120}121actual := iptables.BuildV4()122expected := [][]string{123{"-t", "table", "-N", "chain"},124{"-t", "table", "-I", "chain", "1", "-f", "foo", "-b", "bar"},125{"-t", "table", "-I", "chain", "2", "-f", "foo", "-b", "baaz"},126{"-t", "table", "-I", "chain", "3", "-f", "foo", "-b", "baz"},127}128if !reflect.DeepEqual(actual, expected) {129t.Errorf("Actual and expected output mismatch; but instead got Actual: %#v ; Expected: %#v", actual, expected)130}131// V6 rules should be empty and return an empty slice132actual = iptables.BuildV6()133if !reflect.DeepEqual(actual, [][]string{}) {134t.Errorf("Expected V6 rules to be empty; but instead got Actual: %#v", actual)135}136}137func TestBuildV4AppendInsertMultipleRules(t *testing.T) {139iptables := NewIptablesRuleBuilder(nil)140iptables.AppendRuleV4(iptableslog.UndefinedCommand, "chain", "table", "-f", "foo", "-b", "bar")141iptables.InsertRuleV4(iptableslog.UndefinedCommand, "chain", "table", 2, "-f", "foo", "-b", "bar")142iptables.AppendRuleV4(iptableslog.UndefinedCommand, "chain", "table", "-f", "foo", "-b", "baz")143if err := len(iptables.rules.rulesv6) != 0; err {144t.Errorf("Expected rulesV6 to be empty; but got %#v", iptables.rules.rulesv6)145}146actual := iptables.BuildV4()147expected := [][]string{148{"-t", "table", "-N", "chain"},149{"-t", "table", "-A", "chain", "-f", "foo", "-b", "bar"},150{"-t", "table", "-I", "chain", "2", "-f", "foo", "-b", "bar"},151{"-t", "table", "-A", "chain", "-f", "foo", "-b", "baz"},152}153if !reflect.DeepEqual(actual, expected) {154t.Errorf("Actual and expected output mismatch; but instead got Actual: %#v ; Expected: %#v", actual, expected)155}156// V6 rules should be empty and return an empty slice157actual = iptables.BuildV6()158if !reflect.DeepEqual(actual, [][]string{}) {159t.Errorf("Expected V6 rules to be empty; but instead got Actual: %#v", actual)160}161}162var IPv6Config = &config.Config{164EnableInboundIPv6: true,165}166func TestBuildV6InsertSingleRule(t *testing.T) {168iptables := NewIptablesRuleBuilder(IPv6Config)169iptables.InsertRuleV6(iptableslog.UndefinedCommand, "chain", "table", 2, "-f", "foo", "-b", "bar")170if err := len(iptables.rules.rulesv4) != 0; err {171t.Errorf("Expected rulesV4 to be empty; but got %#v", iptables.rules.rulesv4)172}173actual := iptables.BuildV6()174expected := [][]string{175{"-t", "table", "-N", "chain"},176{"-t", "table", "-I", "chain", "2", "-f", "foo", "-b", "bar"},177}178if !reflect.DeepEqual(actual, expected) {179t.Errorf("Actual and expected output mismatch; but instead got Actual: %#v ; Expected: %#v", actual, expected)180}181// V4 rules should be empty and return an empty slice182actual = iptables.BuildV4()183if !reflect.DeepEqual(actual, [][]string{}) {184t.Errorf("Expected V4 rules to be empty; but instead got Actual: %#v", actual)185}186}187func TestBuildV6AppendSingleRule(t *testing.T) {189iptables := NewIptablesRuleBuilder(IPv6Config)190iptables.AppendRuleV6(iptableslog.UndefinedCommand, "chain", "table", "-f", "foo", "-b", "bar")191if err := len(iptables.rules.rulesv4) != 0; err {192t.Errorf("Expected rulesV6 to be empty; but got %#v", iptables.rules.rulesv6)193}194actual := iptables.BuildV6()195expected := [][]string{196{"-t", "table", "-N", "chain"},197{"-t", "table", "-A", "chain", "-f", "foo", "-b", "bar"},198}199if !reflect.DeepEqual(actual, expected) {200t.Errorf("Actual and expected output mismatch; but instead got Actual: %#v ; Expected: %#v", actual, expected)201}202// V6 rules should be empty and return an empty slice203actual = iptables.BuildV4()204if !reflect.DeepEqual(actual, [][]string{}) {205t.Errorf("Expected V6 rules to be empty; but instead got Actual: %#v", actual)206}207}208func TestBuildV6AppendMultipleRules(t *testing.T) {210iptables := NewIptablesRuleBuilder(IPv6Config)211iptables.AppendRuleV6(iptableslog.UndefinedCommand, "chain", "table", "-f", "foo", "-b", "bar")212iptables.AppendRuleV6(iptableslog.UndefinedCommand, "chain", "table", "-f", "fu", "-b", "bar")213iptables.AppendRuleV6(iptableslog.UndefinedCommand, "chain", "table", "-f", "foo", "-b", "baz")214if err := len(iptables.rules.rulesv4) != 0; err {215t.Errorf("Expected rulesV6 to be empty; but got %#v", iptables.rules.rulesv6)216}217actual := iptables.BuildV6()218expected := [][]string{219{"-t", "table", "-N", "chain"},220{"-t", "table", "-A", "chain", "-f", "foo", "-b", "bar"},221{"-t", "table", "-A", "chain", "-f", "fu", "-b", "bar"},222{"-t", "table", "-A", "chain", "-f", "foo", "-b", "baz"},223}224if !reflect.DeepEqual(actual, expected) {225t.Errorf("Actual and expected output mismatch; but instead got Actual: %#v ; Expected: %#v", actual, expected)226}227// V6 rules should be empty and return an empty slice228actual = iptables.BuildV4()229if !reflect.DeepEqual(actual, [][]string{}) {230t.Errorf("Expected V6 rules to be empty; but instead got Actual: %#v", actual)231}232}233func TestBuildV6InsertMultipleRules(t *testing.T) {235iptables := NewIptablesRuleBuilder(IPv6Config)236iptables.InsertRuleV6(iptableslog.UndefinedCommand, "chain", "table", 1, "-f", "foo", "-b", "bar")237iptables.InsertRuleV6(iptableslog.UndefinedCommand, "chain", "table", 2, "-f", "foo", "-b", "baaz")238iptables.InsertRuleV6(iptableslog.UndefinedCommand, "chain", "table", 3, "-f", "foo", "-b", "baz")239if err := len(iptables.rules.rulesv4) != 0; err {240t.Errorf("Expected rulesV4 to be empty; but got %#v", iptables.rules.rulesv4)241}242actual := iptables.BuildV6()243expected := [][]string{244{"-t", "table", "-N", "chain"},245{"-t", "table", "-I", "chain", "1", "-f", "foo", "-b", "bar"},246{"-t", "table", "-I", "chain", "2", "-f", "foo", "-b", "baaz"},247{"-t", "table", "-I", "chain", "3", "-f", "foo", "-b", "baz"},248}249if !reflect.DeepEqual(actual, expected) {250t.Errorf("Actual and expected output mismatch; but instead got Actual: %#v ; Expected: %#v", actual, expected)251}252// V4 rules should be empty and return an empty slice253actual = iptables.BuildV4()254if !reflect.DeepEqual(actual, [][]string{}) {255t.Errorf("Expected V4 rules to be empty; but instead got Actual: %#v", actual)256}257}258func TestBuildV6InsertAppendMultipleRules(t *testing.T) {260iptables := NewIptablesRuleBuilder(IPv6Config)261iptables.AppendRuleV6(iptableslog.UndefinedCommand, "chain", "table", "-f", "foo", "-b", "bar")262iptables.InsertRuleV6(iptableslog.UndefinedCommand, "chain", "table", 2, "-f", "foo", "-b", "bar")263iptables.InsertRuleV6(iptableslog.UndefinedCommand, "chain", "table", 1, "-f", "foo", "-b", "bar")264if err := len(iptables.rules.rulesv4) != 0; err {265t.Errorf("Expected rulesV4 to be empty; but got %#v", iptables.rules.rulesv4)266}267actual := iptables.BuildV6()268expected := [][]string{269{"-t", "table", "-N", "chain"},270{"-t", "table", "-A", "chain", "-f", "foo", "-b", "bar"},271{"-t", "table", "-I", "chain", "2", "-f", "foo", "-b", "bar"},272{"-t", "table", "-I", "chain", "1", "-f", "foo", "-b", "bar"},273}274if !reflect.DeepEqual(actual, expected) {275t.Errorf("Actual and expected output mismatch; but instead got Actual: %#v ; Expected: %#v", actual, expected)276}277// V4 rules should be empty and return an empty slice278actual = iptables.BuildV4()279if !reflect.DeepEqual(actual, [][]string{}) {280t.Errorf("Expected V4 rules to be empty; but instead got Actual: %#v", actual)281}282}283func TestBuildV4V6MultipleRulesWithNewChain(t *testing.T) {285iptables := NewIptablesRuleBuilder(IPv6Config)286iptables.AppendRuleV4(iptableslog.UndefinedCommand, "chain", "table", "-f", "foo", "-b", "bar")287iptables.InsertRuleV4(iptableslog.UndefinedCommand, "chain", "table", 2, "-f", "foo", "-b", "bar")288iptables.AppendRuleV4(iptableslog.UndefinedCommand, "chain", "table", "-f", "foo", "-b", "baz")289iptables.AppendRuleV6(iptableslog.UndefinedCommand, "chain", "table", "-f", "foo", "-b", "bar")290iptables.InsertRuleV6(iptableslog.UndefinedCommand, "chain", "table", 2, "-f", "foo", "-b", "bar")291iptables.InsertRuleV6(iptableslog.UndefinedCommand, "chain", "table", 1, "-f", "foo", "-b", "bar")292iptables.AppendRuleV4(iptableslog.UndefinedCommand, constants.PREROUTING, constants.NAT, "-f", "foo", "-b", "bar")293actualV4 := iptables.BuildV4()294actualV6 := iptables.BuildV6()295expectedV6 := [][]string{296{"-t", "table", "-N", "chain"},297{"-t", "table", "-A", "chain", "-f", "foo", "-b", "bar"},298{"-t", "table", "-I", "chain", "2", "-f", "foo", "-b", "bar"},299{"-t", "table", "-I", "chain", "1", "-f", "foo", "-b", "bar"},300}301expectedV4 := [][]string{302{"-t", "table", "-N", "chain"},303{"-t", "table", "-A", "chain", "-f", "foo", "-b", "bar"},304{"-t", "table", "-I", "chain", "2", "-f", "foo", "-b", "bar"},305{"-t", "table", "-A", "chain", "-f", "foo", "-b", "baz"},306{"-t", "nat", "-A", "PREROUTING", "-f", "foo", "-b", "bar"},307}308if !reflect.DeepEqual(actualV4, expectedV4) {309t.Errorf("Actual and expected output mismatch; but instead got Actual: %#v ; Expected: %#v", actualV4, expectedV4)310}311if !reflect.DeepEqual(actualV6, expectedV6) {312t.Errorf("Actual and expected output mismatch; but instead got Actual: %#v ; Expected: %#v", actualV6, expectedV6)313}314}315