iptables: test real world roundtrip of iptables rules #52860
- Loading branch information
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -29,24 +29,31 @@ import ( | ||
| "github.com/howardjohn/unshare-go/userns" | ||
|
|
||
| "istio.io/istio/pkg/log" | ||
| "istio.io/istio/pkg/slices" | ||
| "istio.io/istio/pkg/test/util/assert" | ||
| cleancmd "istio.io/istio/tools/istio-clean-iptables/pkg/cmd" | ||
| iptablescmd "istio.io/istio/tools/istio-iptables/pkg/cmd" | ||
| ) | ||
|
|
||
| func TestIptablesCleanRoundTrip(t *testing.T) { | ||
| setup(t) | ||
| roundtrip := func(t *testing.T, args ...string) { | ||
| // We only have UID 0 in our namespace, so always set it to that | ||
| args = append([]string{"--proxy-uid=0"}, args...) | ||
| // Apply, cleanup with the old approach | ||
| assert.NoError(t, runIptables(args...)) | ||
| assert.NoError(t, runIptablesOldClean(args...)) | ||
| validateIptablesClean(t) | ||
| // App, cleanup with the new approach | ||
| assert.NoError(t, runIptables(args...)) | ||
| assert.NoError(t, runIptablesClean(args...)) | ||
|
There was a problem hiding this comment. The --cleanup-only option is already verified in TestIdempotentUnequaledRerun in the file istio-iptables/pkg/capture/run_test.go. The difference between the two is that the one in run_test.go uses the cleanup option programmatically by setting the istio-iptables/config instead of relying on the CLI. There was a problem hiding this comment. hmm I guess we probably don't, I missed that part of your PR There was a problem hiding this comment. This does test There was a problem hiding this comment. yes that's true. The old istio-clean-iptables method has currently zero e2e coverage |
||
| validateIptablesClean(t) | ||
| } | ||
| t.Run("basic", func(t *testing.T) { | ||
| roundtrip(t) | ||
| }) | ||
| t.Run("dns", func(t *testing.T) { | ||
| roundtrip(t, "--redirect-dns") | ||
| }) | ||
| } | ||
|
|
||
| @@ -55,6 +62,9 @@ func validateIptablesClean(t *testing.T) { | ||
| if strings.Contains(cur, "ISTIO") { | ||
| t.Fatalf("Istio rules leftover: %v", cur) | ||
|
There was a problem hiding this comment. This will likely not be enough to completely validate that iptables are clean. e.g: For the purpose of #50328 e2e cleanup tests I have exposed VerifyIptablesState() to perform this validation Edit: Actually not even VerifyIptablesState would be enough as I changed it to ignore non-jump rules in non-istio chains. This was done in order to not introduce false positives if the users tinkered with the iptables by themselves. istio/tools/istio-iptables/pkg/capture/run.go Line 815 in 4153713 For the tests there is the need to go deeper and rely directly the parsed output of iptables-restore (obtainable via There was a problem hiding this comment. maybe we can iterate with improved validation There was a problem hiding this comment. These are hard to use directly with this approach since we do not have an I have updated it to use the old and new cleanup approach though |
||
| } | ||
| if strings.Contains(cur, "-A") { | ||
| t.Fatalf("Rules: %v", cur) | ||
| } | ||
| } | ||
|
|
||
| var initialized = &sync.Once{} | ||
| @@ -81,6 +91,13 @@ func runIptables(args ...string) error { | ||
| } | ||
|
|
||
| func runIptablesClean(args ...string) error { | ||
| c := iptablescmd.GetCommand(log.DefaultOptions()) | ||
| args = append(slices.Clone(args), "--cleanup-only") | ||
| c.SetArgs(args) | ||
| return c.Execute() | ||
| } | ||
|
|
||
| func runIptablesOldClean(args ...string) error { | ||
| c := cleancmd.GetCommand(log.DefaultOptions()) | ||
| c.SetArgs(args) | ||
| return c.Execute() | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
e2e seems like an odd choice. maybe just
.../pkg/test/cleanup_test.go