From f33eedb6eb2e7dd570c75527175c5076e88c0615 Mon Sep 17 00:00:00 2001 From: Dan Williams Date: Thu, 11 Feb 2021 20:30:37 -0600 Subject: [PATCH] firewall: increase test coverage to 1.0.0 and older spec versions Signed-off-by: Dan Williams --- .../meta/firewall/firewall_firewalld_test.go | 299 +++++------- .../meta/firewall/firewall_iptables_test.go | 462 +++++++----------- 2 files changed, 296 insertions(+), 465 deletions(-) diff --git a/plugins/meta/firewall/firewall_firewalld_test.go b/plugins/meta/firewall/firewall_firewalld_test.go index 51838791..4c342893 100644 --- a/plugins/meta/firewall/firewall_firewalld_test.go +++ b/plugins/meta/firewall/firewall_firewalld_test.go @@ -34,30 +34,7 @@ import ( . "github.com/onsi/gomega" ) -const ( - confTmpl = `{ - "cniVersion": "0.3.1", - "name": "firewalld-test", - "type": "firewall", - "backend": "firewalld", - "zone": "trusted", - "prevResult": { - "cniVersion": "0.3.0", - "interfaces": [ - {"name": "%s", "sandbox": "%s"} - ], - "ips": [ - { - "version": "4", - "address": "10.0.0.2/24", - "gateway": "10.0.0.1", - "interface": 0 - } - ] - } -}` - ifname = "eth0" -) +const ifname = "eth0" type fakeFirewalld struct { zone string @@ -125,6 +102,30 @@ func spawnSessionDbus(wg *sync.WaitGroup) (string, *exec.Cmd) { return busAddr, cmd } +func makeFirewalldConf(ver, ifname string, ns ns.NetNS) []byte { + return []byte(fmt.Sprintf(`{ + "cniVersion": "%s", + "name": "firewalld-test", + "type": "firewall", + "backend": "firewalld", + "zone": "trusted", + "prevResult": { + "cniVersion": "%s", + "interfaces": [ + {"name": "%s", "sandbox": "%s"} + ], + "ips": [ + { + "version": "4", + "address": "10.0.0.2/24", + "gateway": "10.0.0.1", + "interface": 0 + } + ] + } + }`, ver, ver, ifname, ns.Path())) +} + var _ = Describe("firewalld test", func() { var ( targetNs ns.NetNS 
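Review bot: In `makeFirewalldConf` the parameter `ns ns.NetNS` shadows the imported `ns` package for the whole function body, and `ifname` shadows the package-level constant of the same name that this patch declares a few lines earlier. It compiles, but a later edit that needs the package inside the helper would resolve to the parameter instead; renaming it, as in `func makeFirewalldConf(ver, ifname string, netns ns.NetNS) []byte`, avoids that. The helper also lacks a comment saying that `ver` is written into both `cniVersion` fields and that `backend` is fixed. Something like `// makeFirewalldConf returns a config for the firewalld backend; ver is used for both cniVersion and prevResult.cniVersion.` would make that visible to callers.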
@@ -177,167 +178,119 @@ var _ = Describe("firewalld test", func() { Expect(err).NotTo(HaveOccurred()) wg.Wait() + + Expect(targetNs.Close()).To(Succeed()) + Expect(testutils.UnmountNS(targetNs)).To(Succeed()) }) - It("works with a 0.3.1 config", func() { - Expect(isFirewalldRunning()).To(BeTrue()) + // firewall plugin requires a prevResult and thus only supports 0.3.0 + // and later CNI versions + for _, ver := range []string{"0.3.0", "0.3.1", "0.4.0", "1.0.0"} { + // Redefine ver inside for scope so real value is picked up by each dynamically defined It() + // See Gingkgo's "Patterns for dynamically generating tests" documentation. + ver := ver - conf := fmt.Sprintf(confTmpl, ifname, targetNs.Path()) - args := &skel.CmdArgs{ - ContainerID: "dummy", - Netns: targetNs.Path(), - IfName: ifname, - StdinData: []byte(conf), - } - _, _, err := testutils.CmdAdd(targetNs.Path(), args.ContainerID, ifname, []byte(conf), func() error { - return cmdAdd(args) + It(fmt.Sprintf("[%s] works with a config", ver), func() { + Expect(isFirewalldRunning()).To(BeTrue()) + + conf := makeFirewalldConf(ver, ifname, targetNs) + args := &skel.CmdArgs{ + ContainerID: "dummy", + Netns: targetNs.Path(), + IfName: ifname, + StdinData: []byte(conf), + } + _, _, err := testutils.CmdAdd(targetNs.Path(), args.ContainerID, ifname, []byte(conf), func() error { + return cmdAdd(args) + }) + Expect(err).NotTo(HaveOccurred()) + Expect(fwd.zone).To(Equal("trusted")) + Expect(fwd.source).To(Equal("10.0.0.2/32")) + fwd.clear() + + err = testutils.CmdDel(targetNs.Path(), args.ContainerID, ifname, func() error { + return cmdDel(args) + }) + Expect(err).NotTo(HaveOccurred()) + Expect(fwd.zone).To(Equal("trusted")) + Expect(fwd.source).To(Equal("10.0.0.2/32")) }) - Expect(err).NotTo(HaveOccurred()) - Expect(fwd.zone).To(Equal("trusted")) - Expect(fwd.source).To(Equal("10.0.0.2/32")) - fwd.clear() - err = testutils.CmdDel(targetNs.Path(), args.ContainerID, ifname, func() error { - return cmdDel(args) + 
It(fmt.Sprintf("[%s] defaults to the firewalld backend", ver), func() { + Expect(isFirewalldRunning()).To(BeTrue()) + + conf := makeFirewalldConf(ver, ifname, targetNs) + args := &skel.CmdArgs{ + ContainerID: "dummy", + Netns: targetNs.Path(), + IfName: ifname, + StdinData: []byte(conf), + } + _, _, err := testutils.CmdAdd(targetNs.Path(), args.ContainerID, ifname, []byte(conf), func() error { + return cmdAdd(args) + }) + Expect(err).NotTo(HaveOccurred()) + Expect(fwd.zone).To(Equal("trusted")) + Expect(fwd.source).To(Equal("10.0.0.2/32")) }) - Expect(err).NotTo(HaveOccurred()) - Expect(fwd.zone).To(Equal("trusted")) - Expect(fwd.source).To(Equal("10.0.0.2/32")) - }) - It("defaults to the firewalld backend", func() { - conf := `{ - "cniVersion": "0.3.1", - "name": "firewalld-test", - "type": "firewall", - "zone": "trusted", - "prevResult": { - "cniVersion": "0.3.0", - "interfaces": [ - {"name": "eth0", "sandbox": "/foobar"} - ], - "ips": [ - { - "version": "4", - "address": "10.0.0.2/24", - "gateway": "10.0.0.1", - "interface": 0 - } - ] - } - }` + It(fmt.Sprintf("[%s] passes through the prevResult", ver), func() { + Expect(isFirewalldRunning()).To(BeTrue()) - Expect(isFirewalldRunning()).To(BeTrue()) + conf := makeFirewalldConf(ver, ifname, targetNs) + args := &skel.CmdArgs{ + ContainerID: "dummy", + Netns: targetNs.Path(), + IfName: ifname, + StdinData: []byte(conf), + } + r, _, err := testutils.CmdAdd(targetNs.Path(), args.ContainerID, ifname, []byte(conf), func() error { + return cmdAdd(args) + }) + Expect(err).NotTo(HaveOccurred()) - args := &skel.CmdArgs{ - ContainerID: "dummy", - Netns: targetNs.Path(), - IfName: ifname, - StdinData: []byte(conf), - } - _, _, err := testutils.CmdAdd(targetNs.Path(), args.ContainerID, ifname, []byte(conf), func() error { - return cmdAdd(args) + result, err := current.GetResult(r) + Expect(err).NotTo(HaveOccurred()) + + Expect(len(result.Interfaces)).To(Equal(1)) + Expect(result.Interfaces[0].Name).To(Equal("eth0")) + 
Expect(len(result.IPs)).To(Equal(1)) + Expect(result.IPs[0].Address.String()).To(Equal("10.0.0.2/24")) }) - Expect(err).NotTo(HaveOccurred()) - Expect(fwd.zone).To(Equal("trusted")) - Expect(fwd.source).To(Equal("10.0.0.2/32")) - }) - It("passes through the prevResult", func() { - conf := `{ - "cniVersion": "0.3.1", - "name": "firewalld-test", - "type": "firewall", - "zone": "trusted", - "prevResult": { - "cniVersion": "0.3.0", - "interfaces": [ - {"name": "eth0", "sandbox": "/foobar"} - ], - "ips": [ - { - "version": "4", - "address": "10.0.0.2/24", - "gateway": "10.0.0.1", - "interface": 0 - } - ] - } - }` + It(fmt.Sprintf("[%s] works with Check", ver), func() { + Expect(isFirewalldRunning()).To(BeTrue()) - Expect(isFirewalldRunning()).To(BeTrue()) + conf := makeFirewalldConf(ver, ifname, targetNs) + args := &skel.CmdArgs{ + ContainerID: "dummy", + Netns: targetNs.Path(), + IfName: ifname, + StdinData: []byte(conf), + } + r, _, err := testutils.CmdAddWithArgs(args, func() error { + return cmdAdd(args) + }) + Expect(err).NotTo(HaveOccurred()) + Expect(fwd.zone).To(Equal("trusted")) + Expect(fwd.source).To(Equal("10.0.0.2/32")) - args := &skel.CmdArgs{ - ContainerID: "dummy", - Netns: targetNs.Path(), - IfName: ifname, - StdinData: []byte(conf), - } - r, _, err := testutils.CmdAdd(targetNs.Path(), args.ContainerID, ifname, []byte(conf), func() error { - return cmdAdd(args) + if testutils.SpecVersionHasCHECK(ver) { + _, err = current.GetResult(r) + Expect(err).NotTo(HaveOccurred()) + + err = testutils.CmdCheckWithArgs(args, func() error { + return cmdCheck(args) + }) + Expect(err).NotTo(HaveOccurred()) + } + + err = testutils.CmdDelWithArgs(args, func() error { + return cmdDel(args) + }) + Expect(err).NotTo(HaveOccurred()) + Expect(fwd.zone).To(Equal("trusted")) + Expect(fwd.source).To(Equal("10.0.0.2/32")) }) - Expect(err).NotTo(HaveOccurred()) - - result, err := current.GetResult(r) - Expect(err).NotTo(HaveOccurred()) - - 
Expect(len(result.Interfaces)).To(Equal(1)) - Expect(result.Interfaces[0].Name).To(Equal("eth0")) - Expect(len(result.IPs)).To(Equal(1)) - Expect(result.IPs[0].Address.String()).To(Equal("10.0.0.2/24")) - }) - - It("works with a 0.4.0 config, including Check", func() { - Expect(isFirewalldRunning()).To(BeTrue()) - - conf := `{ - "cniVersion": "0.4.0", - "name": "firewalld-test", - "type": "firewall", - "backend": "firewalld", - "zone": "trusted", - "prevResult": { - "cniVersion": "0.4.0", - "interfaces": [ - {"name": "eth0", "sandbox": "/foobar"} - ], - "ips": [ - { - "version": "4", - "address": "10.0.0.2/24", - "gateway": "10.0.0.1", - "interface": 0 - } - ] - } - }` - - args := &skel.CmdArgs{ - ContainerID: "dummy", - Netns: targetNs.Path(), - IfName: ifname, - StdinData: []byte(conf), - } - r, _, err := testutils.CmdAddWithArgs(args, func() error { - return cmdAdd(args) - }) - Expect(err).NotTo(HaveOccurred()) - Expect(fwd.zone).To(Equal("trusted")) - Expect(fwd.source).To(Equal("10.0.0.2/32")) - - _, err = current.GetResult(r) - Expect(err).NotTo(HaveOccurred()) - - err = testutils.CmdCheckWithArgs(args, func() error { - return cmdCheck(args) - }) - Expect(err).NotTo(HaveOccurred()) - - err = testutils.CmdDelWithArgs(args, func() error { - return cmdDel(args) - }) - Expect(err).NotTo(HaveOccurred()) - Expect(fwd.zone).To(Equal("trusted")) - Expect(fwd.source).To(Equal("10.0.0.2/32")) - }) + } }) diff --git a/plugins/meta/firewall/firewall_iptables_test.go b/plugins/meta/firewall/firewall_iptables_test.go index b00db45f..364cf4bb 100644 --- a/plugins/meta/firewall/firewall_iptables_test.go +++ b/plugins/meta/firewall/firewall_iptables_test.go 
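Review bot: The `[%s] defaults to the firewalld backend` case no longer tests the default, because it builds its config with `makeFirewalldConf`, whose template always contains `"backend": "firewalld"`. The removed version of this test, and of `passes through the prevResult`, omitted the `backend` key. As written, no firewalld test in this section exercises backend auto-selection, the path that decides which enforcement mechanism a config without `backend` gets. One option is to let the helper omit the key, for example `makeFirewalldConf(ver, backend, ifname string, netns ns.NetNS)` called with `""` here. Another is to keep a literal config without `backend` for this one case.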
@@ -166,11 +166,8 @@ func validateCleanedUp(bytes []byte) { } } -var _ = Describe("firewall plugin iptables backend", func() { - var originalNS, targetNS ns.NetNS - const IFNAME string = "dummy0" - - fullConf := []byte(fmt.Sprintf(`{ +func makeIptablesConf(ver string) []byte { + return []byte(fmt.Sprintf(`{ "name": "test", "type": "firewall", "backend": "iptables", 
@@ -194,268 +191,13 @@ var _ = Describe("firewall plugin iptables backend", func() { } ] } - }`, current.ImplementedSpecVersion, current.ImplementedSpecVersion)) + }`, ver, ver)) +} - BeforeEach(func() { - // Create a new NetNS so we don't modify the host - var err error - originalNS, err = testutils.NewNS() - Expect(err).NotTo(HaveOccurred()) - - err = originalNS.Do(func(ns.NetNS) error { - defer GinkgoRecover() - - err = netlink.LinkAdd(&netlink.Dummy{ - LinkAttrs: netlink.LinkAttrs{ - Name: IFNAME, - }, - }) - Expect(err).NotTo(HaveOccurred()) - _, err = netlink.LinkByName(IFNAME) - Expect(err).NotTo(HaveOccurred()) - return nil - }) - Expect(err).NotTo(HaveOccurred()) - - targetNS, err = testutils.NewNS() - Expect(err).NotTo(HaveOccurred()) - }) - - AfterEach(func() { - Expect(originalNS.Close()).To(Succeed()) - Expect(targetNS.Close()).To(Succeed()) - }) - - It("passes prevResult through unchanged", func() { - args := &skel.CmdArgs{ - ContainerID: "dummy", - Netns: targetNS.Path(), - IfName: IFNAME, - StdinData: fullConf, - } - - err := originalNS.Do(func(ns.NetNS) error { - defer GinkgoRecover() - - r, _, err := testutils.CmdAdd(targetNS.Path(), args.ContainerID, IFNAME, fullConf, func() error { - return cmdAdd(args) - }) - Expect(err).NotTo(HaveOccurred()) - - result, err := current.GetResult(r) - Expect(err).NotTo(HaveOccurred()) - - Expect(len(result.Interfaces)).To(Equal(1)) - Expect(result.Interfaces[0].Name).To(Equal(IFNAME)) - Expect(len(result.IPs)).To(Equal(2)) - Expect(result.IPs[0].Address.String()).To(Equal("10.0.0.2/24")) - Expect(result.IPs[1].Address.String()).To(Equal("2001:db8:1:2::1/64")) - return nil - }) - Expect(err).NotTo(HaveOccurred()) - }) - - It("installs the right iptables rules on the host", func() { - args := &skel.CmdArgs{ - ContainerID: "dummy", - Netns: targetNS.Path(), - IfName: IFNAME, - StdinData: fullConf, - } - - err := originalNS.Do(func(ns.NetNS) error { - defer GinkgoRecover() - - _, _, err := 
testutils.CmdAdd(targetNS.Path(), args.ContainerID, IFNAME, fullConf, func() error { - return cmdAdd(args) - }) - Expect(err).NotTo(HaveOccurred()) - - validateFullRuleset(fullConf) - - // ensure creation is idempotent - _, _, err = testutils.CmdAdd(targetNS.Path(), args.ContainerID, IFNAME, fullConf, func() error { - return cmdAdd(args) - }) - Expect(err).NotTo(HaveOccurred()) - - return nil - }) - Expect(err).NotTo(HaveOccurred()) - }) - - It("correctly handles a custom IptablesAdminChainName", func() { - conf := []byte(fmt.Sprintf(`{ - "name": "test", - "type": "firewall", - "backend": "iptables", - "ifName": "dummy0", - "cniVersion": "%s", - "iptablesAdminChainName": "CNI-foobar", - "prevResult": { - "cniVersion": "%s", - "interfaces": [ - {"name": "dummy0"} - ], - "ips": [ - { - "version": "4", - "address": "10.0.0.2/24", - "interface": 0 - }, - { - "version": "6", - "address": "2001:db8:1:2::1/64", - "interface": 0 - } - ] - } -}`, current.ImplementedSpecVersion, current.ImplementedSpecVersion)) - - args := &skel.CmdArgs{ - ContainerID: "dummy", - Netns: targetNS.Path(), - IfName: IFNAME, - StdinData: conf, - } - - err := originalNS.Do(func(ns.NetNS) error { - defer GinkgoRecover() - - _, _, err := testutils.CmdAdd(targetNS.Path(), args.ContainerID, IFNAME, conf, func() error { - return cmdAdd(args) - }) - Expect(err).NotTo(HaveOccurred()) - - var ipt *iptables.IPTables - for _, proto := range []iptables.Protocol{iptables.ProtocolIPv4, iptables.ProtocolIPv6} { - ipt, err = iptables.NewWithProtocol(proto) - Expect(err).NotTo(HaveOccurred()) - - // Ensure custom admin chain name - chains, err := ipt.ListChains("filter") - Expect(err).NotTo(HaveOccurred()) - var foundAdmin bool - for _, ch := range chains { - if ch == "CNI-foobar" { - foundAdmin = true - } - } - Expect(foundAdmin).To(Equal(true)) - } - - return nil - }) - Expect(err).NotTo(HaveOccurred()) - }) - - It("cleans up on delete", func() { - args := &skel.CmdArgs{ - ContainerID: "dummy", - Netns: 
targetNS.Path(), - IfName: IFNAME, - StdinData: fullConf, - } - - err := originalNS.Do(func(ns.NetNS) error { - defer GinkgoRecover() - - _, _, err := testutils.CmdAdd(targetNS.Path(), args.ContainerID, IFNAME, fullConf, func() error { - return cmdAdd(args) - }) - Expect(err).NotTo(HaveOccurred()) - validateFullRuleset(fullConf) - - err = testutils.CmdDel(targetNS.Path(), args.ContainerID, IFNAME, func() error { - return cmdDel(args) - }) - Expect(err).NotTo(HaveOccurred()) - validateCleanedUp(fullConf) - return nil - }) - Expect(err).NotTo(HaveOccurred()) - }) - - It("installs the right iptables rules on the host v4.0.x and check is successful", func() { - args := &skel.CmdArgs{ - ContainerID: "dummy", - Netns: targetNS.Path(), - IfName: IFNAME, - StdinData: fullConf, - } - - err := originalNS.Do(func(ns.NetNS) error { - defer GinkgoRecover() - - _, _, err := testutils.CmdAdd(targetNS.Path(), args.ContainerID, IFNAME, fullConf, func() error { - return cmdAdd(args) - }) - Expect(err).NotTo(HaveOccurred()) - - validateFullRuleset(fullConf) - return nil - }) - Expect(err).NotTo(HaveOccurred()) - }) - - It("cleans up on delete v4.0.x", func() { - args := &skel.CmdArgs{ - ContainerID: "dummy", - Netns: targetNS.Path(), - IfName: IFNAME, - StdinData: fullConf, - } - - err := originalNS.Do(func(ns.NetNS) error { - defer GinkgoRecover() - - _, _, err := testutils.CmdAdd(targetNS.Path(), args.ContainerID, IFNAME, fullConf, func() error { - return cmdAdd(args) - }) - Expect(err).NotTo(HaveOccurred()) - validateFullRuleset(fullConf) - - err = testutils.CmdDel(targetNS.Path(), args.ContainerID, IFNAME, func() error { - return cmdDel(args) - }) - Expect(err).NotTo(HaveOccurred()) - validateCleanedUp(fullConf) - return nil - }) - Expect(err).NotTo(HaveOccurred()) - }) -}) - -var _ = Describe("firewall plugin iptables backend v0.4.x", func() { +var _ = Describe("firewall plugin iptables backend", func() { var originalNS, targetNS ns.NetNS const IFNAME string = "dummy0" - 
fullConf := []byte(`{ - "name": "test", - "type": "firewall", - "backend": "iptables", - "ifName": "dummy0", - "cniVersion": "0.4.0", - "prevResult": { - "cniVersion": "0.4.0", - "interfaces": [ - {"name": "dummy0"} - ], - "ips": [ - { - "version": "4", - "address": "10.0.0.2/24", - "interface": 0 - }, - { - "version": "6", - "address": "2001:db8:1:2::1/64", - "interface": 0 - } - ] - } - }`) - BeforeEach(func() { // Create a new NetNS so we don't modify the host var err error 
@@ -486,38 +228,174 @@ var _ = Describe("firewall plugin iptables backend v0.4.x", func() { Expect(targetNS.Close()).To(Succeed()) }) - It("installs iptables rules, Check rules then cleans up on delete using v4.0.x", func() { - args := &skel.CmdArgs{ - ContainerID: "dummy", - Netns: targetNS.Path(), - IfName: IFNAME, - StdinData: fullConf, - } + // firewall plugin requires a prevResult and thus only supports 0.3.0 + // and later CNI versions + for _, ver := range []string{"0.3.0", "0.3.1", "0.4.0", "1.0.0"} { + // Redefine ver inside for scope so real value is picked up by each dynamically defined It() + // See Gingkgo's "Patterns for dynamically generating tests" documentation. + ver := ver - err := originalNS.Do(func(ns.NetNS) error { - defer GinkgoRecover() + It(fmt.Sprintf("[%s] passes prevResult through unchanged", ver), func() { + fullConf := makeIptablesConf(ver) + args := &skel.CmdArgs{ + ContainerID: "dummy", + Netns: targetNS.Path(), + IfName: IFNAME, + StdinData: fullConf, + } - r, _, err := testutils.CmdAddWithArgs(args, func() error { - return cmdAdd(args) + err := originalNS.Do(func(ns.NetNS) error { + defer GinkgoRecover() + + r, _, err := testutils.CmdAdd(targetNS.Path(), args.ContainerID, IFNAME, fullConf, func() error { + return cmdAdd(args) + }) + Expect(err).NotTo(HaveOccurred()) + + result, err := current.GetResult(r) + Expect(err).NotTo(HaveOccurred()) + + Expect(len(result.Interfaces)).To(Equal(1)) + Expect(result.Interfaces[0].Name).To(Equal(IFNAME)) + Expect(len(result.IPs)).To(Equal(2)) + Expect(result.IPs[0].Address.String()).To(Equal("10.0.0.2/24")) + Expect(result.IPs[1].Address.String()).To(Equal("2001:db8:1:2::1/64")) + return nil }) Expect(err).NotTo(HaveOccurred()) - - _, err = types040.GetResult(r) - Expect(err).NotTo(HaveOccurred()) - - err = testutils.CmdCheckWithArgs(args, func() error { - return cmdCheck(args) - }) - Expect(err).NotTo(HaveOccurred()) - validateFullRuleset(fullConf) - - err = testutils.CmdDelWithArgs(args, 
func() error { - return cmdDel(args) - }) - Expect(err).NotTo(HaveOccurred()) - validateCleanedUp(fullConf) - return nil }) - Expect(err).NotTo(HaveOccurred()) - }) + + It(fmt.Sprintf("[%s] installs the right iptables rules on the host", ver), func() { + fullConf := makeIptablesConf(ver) + args := &skel.CmdArgs{ + ContainerID: "dummy", + Netns: targetNS.Path(), + IfName: IFNAME, + StdinData: fullConf, + } + + err := originalNS.Do(func(ns.NetNS) error { + defer GinkgoRecover() + + _, _, err := testutils.CmdAdd(targetNS.Path(), args.ContainerID, IFNAME, fullConf, func() error { + return cmdAdd(args) + }) + Expect(err).NotTo(HaveOccurred()) + + validateFullRuleset(fullConf) + + // ensure creation is idempotent + _, _, err = testutils.CmdAdd(targetNS.Path(), args.ContainerID, IFNAME, fullConf, func() error { + return cmdAdd(args) + }) + Expect(err).NotTo(HaveOccurred()) + + return nil + }) + Expect(err).NotTo(HaveOccurred()) + }) + + It(fmt.Sprintf("[%s] correctly handles a custom IptablesAdminChainName", ver), func() { + conf := []byte(fmt.Sprintf(`{ + "name": "test", + "type": "firewall", + "backend": "iptables", + "ifName": "dummy0", + "cniVersion": "%s", + "iptablesAdminChainName": "CNI-foobar", + "prevResult": { + "cniVersion": "%s", + "interfaces": [ + {"name": "dummy0"} + ], + "ips": [ + { + "version": "4", + "address": "10.0.0.2/24", + "interface": 0 + }, + { + "version": "6", + "address": "2001:db8:1:2::1/64", + "interface": 0 + } + ] + } + }`, ver, ver)) + + args := &skel.CmdArgs{ + ContainerID: "dummy", + Netns: targetNS.Path(), + IfName: IFNAME, + StdinData: conf, + } + + err := originalNS.Do(func(ns.NetNS) error { + defer GinkgoRecover() + + _, _, err := testutils.CmdAdd(targetNS.Path(), args.ContainerID, IFNAME, conf, func() error { + return cmdAdd(args) + }) + Expect(err).NotTo(HaveOccurred()) + + var ipt *iptables.IPTables + for _, proto := range []iptables.Protocol{iptables.ProtocolIPv4, iptables.ProtocolIPv6} { + ipt, err = 
iptables.NewWithProtocol(proto) + Expect(err).NotTo(HaveOccurred()) + + // Ensure custom admin chain name + chains, err := ipt.ListChains("filter") + Expect(err).NotTo(HaveOccurred()) + var foundAdmin bool + for _, ch := range chains { + if ch == "CNI-foobar" { + foundAdmin = true + } + } + Expect(foundAdmin).To(Equal(true)) + } + + return nil + }) + Expect(err).NotTo(HaveOccurred()) + }) + + It(fmt.Sprintf("[%s] installs iptables rules, checks rules, then cleans up on delete", ver), func() { + fullConf := makeIptablesConf(ver) + args := &skel.CmdArgs{ + ContainerID: "dummy", + Netns: targetNS.Path(), + IfName: IFNAME, + StdinData: fullConf, + } + + err := originalNS.Do(func(ns.NetNS) error { + defer GinkgoRecover() + + r, _, err := testutils.CmdAddWithArgs(args, func() error { + return cmdAdd(args) + }) + Expect(err).NotTo(HaveOccurred()) + + _, err = types040.GetResult(r) + Expect(err).NotTo(HaveOccurred()) + + if testutils.SpecVersionHasCHECK(ver) { + err = testutils.CmdCheckWithArgs(args, func() error { + return cmdCheck(args) + }) + Expect(err).NotTo(HaveOccurred()) + validateFullRuleset(fullConf) + } + + err = testutils.CmdDelWithArgs(args, func() error { + return cmdDel(args) + }) + Expect(err).NotTo(HaveOccurred()) + validateCleanedUp(fullConf) + return nil + }) + Expect(err).NotTo(HaveOccurred()) + }) + } })
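Review bot: In `[%s] installs iptables rules, checks rules, then cleans up on delete`, `validateFullRuleset(fullConf)` sits inside `if testutils.SpecVersionHasCHECK(ver)`, so for 0.3.0 and 0.3.1 nothing confirms that ADD installed rules before `validateCleanedUp(fullConf)` runs after DEL. The commit also drops the old `cleans up on delete` test, which did validate the ruleset between ADD and DEL, so for those versions the cleanup assertion can presumably pass without rules ever having been present. Calling `validateFullRuleset(fullConf)` right after the `CmdAddWithArgs` error check, and leaving only `CmdCheckWithArgs` inside the `if`, restores that ordering for every version. The same test calls `types040.GetResult(r)` for every `ver`, including 1.0.0, while the other cases use `current.GetResult(r)`; this looks like a leftover from the v0.4.x-only block and is worth confirming.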