InTheForest/moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2026-01-11 18:51:37 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
moby/daemon/libnetwork/drivers/bridge/bridge_linux_test.go
Paweł Gronowski 3df05205f4 modernize: Use range int 
Added in Go 1.22

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2025-12-15 18:56:34 +01:00

1335 lines
38 KiB
Go
Raw Permalink Blame History

package bridge
import (
"bytes"
"context"
"encoding/json"
"fmt"
"maps"
"net"
"net/netip"
"slices"
"strconv"
"testing"
cerrdefs "github.com/containerd/errdefs"
"github.com/google/go-cmp/cmp/cmpopts"
"github.com/moby/moby/v2/daemon/internal/netiputil"
"github.com/moby/moby/v2/daemon/libnetwork/driverapi"
"github.com/moby/moby/v2/daemon/libnetwork/drivers/bridge/internal/firewaller"
"github.com/moby/moby/v2/daemon/libnetwork/drvregistry"
"github.com/moby/moby/v2/daemon/libnetwork/ipamapi"
"github.com/moby/moby/v2/daemon/libnetwork/ipams/defaultipam"
"github.com/moby/moby/v2/daemon/libnetwork/ipamutils"
"github.com/moby/moby/v2/daemon/libnetwork/netlabel"
"github.com/moby/moby/v2/daemon/libnetwork/netutils"
"github.com/moby/moby/v2/daemon/libnetwork/nlwrap"
"github.com/moby/moby/v2/daemon/libnetwork/options"
"github.com/moby/moby/v2/daemon/libnetwork/portallocator"
"github.com/moby/moby/v2/daemon/libnetwork/portmapperapi"
"github.com/moby/moby/v2/daemon/libnetwork/types"
"github.com/moby/moby/v2/internal/testutil/netnsutils"
"github.com/moby/moby/v2/internal/testutil/storeutils"
"github.com/vishvananda/netlink"
"github.com/vishvananda/netns"
"gotest.tools/v3/assert"
is "gotest.tools/v3/assert/cmp"
"gotest.tools/v3/icmd"
)
func TestEndpointMarshalling(t *testing.T) {
ip1, _ := types.ParseCIDR("172.22.0.9/16")
ip2, _ := types.ParseCIDR("2001:db8::9")
mac, _ := net.ParseMAC("ac:bd:24:57:66:77")
e := &bridgeEndpoint{
id: "d2c015a1fe5930650cbcd50493efba0500bcebd8ee1f4401a16319f8a567de33",
nid: "ee33fbb43c323f1920b6b35a0101552ac22ede960d0e5245e9738bccc68b2415",
addr: ip1,
addrv6: ip2,
macAddress: mac,
srcName: "veth123456",
containerConfig: &containerConfiguration{
ParentEndpoints: []string{"one", "due", "three"},
ChildEndpoints: []string{"four", "five", "six"},
},
extConnConfig: &connectivityConfiguration{
ExposedPorts: []types.TransportPort{
{
Proto: 6,
Port: 18,
},
},
PortBindings: []portmapperapi.PortBindingReq{
{
PortBinding: types.PortBinding{
Proto: 6,
IP: net.ParseIP("17210.33.9.56"),
Port: 18,
HostPort: 3000,
HostPortEnd: 14000,
},
},
},
},
portMapping: []portmapperapi.PortBinding{
{
PortBinding: types.PortBinding{
Proto: 17,
IP: net.ParseIP("172.33.9.56"),
Port: 99,
HostIP: net.ParseIP("10.10.100.2"),
HostPort: 9900,
HostPortEnd: 10000,
},
},
{
PortBinding: types.PortBinding{
Proto: 6,
IP: net.ParseIP("171.33.9.56"),
Port: 55,
HostIP: net.ParseIP("10.11.100.2"),
HostPort: 5500,
HostPortEnd: 55000,
},
},
},
}
b, err := json.Marshal(e)
if err != nil {
t.Fatal(err)
}
ee := &bridgeEndpoint{}
err = json.Unmarshal(b, ee)
if err != nil {
t.Fatal(err)
}
if e.id != ee.id || e.nid != ee.nid || e.srcName != ee.srcName || !bytes.Equal(e.macAddress, ee.macAddress) ||
!types.CompareIPNet(e.addr, ee.addr) || !types.CompareIPNet(e.addrv6, ee.addrv6) ||
!compareContainerConfig(e.containerConfig, ee.containerConfig) ||
!compareConnConfig(e.extConnConfig, ee.extConnConfig) {
t.Fatalf("JSON marsh/unmarsh failed.\nOriginal:\n%#v\nDecoded:\n%#v", e, ee)
}
// On restore, the HostPortEnd in portMapping is set to HostPort (so that
// a different port cannot be selected on live-restore if the original is
// already in-use). So, fix up portMapping in the original before running
// the comparison.
epms := make([]portmapperapi.PortBinding, len(e.portMapping))
for i, p := range e.portMapping {
epms[i] = p
epms[i].HostPortEnd = epms[i].HostPort
}
if !compareBindings(epms, ee.portMapping) {
t.Fatalf("JSON marsh/unmarsh failed.\nOriginal portMapping:\n%#v\nDecoded portMapping:\n%#v", e, ee)
}
}
func compareContainerConfig(a, b *containerConfiguration) bool {
if a == b {
return true
}
if a == nil || b == nil {
return false
}
if len(a.ParentEndpoints) != len(b.ParentEndpoints) ||
len(a.ChildEndpoints) != len(b.ChildEndpoints) {
return false
}
for i := 0; i < len(a.ParentEndpoints); i++ {
if a.ParentEndpoints[i] != b.ParentEndpoints[i] {
return false
}
}
for i := 0; i < len(a.ChildEndpoints); i++ {
if a.ChildEndpoints[i] != b.ChildEndpoints[i] {
return false
}
}
return true
}
func compareConnConfig(a, b *connectivityConfiguration) bool {
if a == b {
return true
}
if a == nil || b == nil {
return false
}
if !slices.Equal(a.ExposedPorts, b.ExposedPorts) {
return false
}
for i := 0; i < len(a.PortBindings); i++ {
if !comparePortBinding(&a.PortBindings[i].PortBinding, &b.PortBindings[i].PortBinding) {
return false
}
}
return true
}
// comparePortBinding returns whether the given PortBindings are equal.
func comparePortBinding(p *types.PortBinding, o *types.PortBinding) bool {
if p == o {
return true
}
if o == nil {
return false
}
if p.Proto != o.Proto || p.Port != o.Port ||
p.HostPort != o.HostPort || p.HostPortEnd != o.HostPortEnd {
return false
}
if p.IP != nil {
if !p.IP.Equal(o.IP) {
return false
}
} else {
if o.IP != nil {
return false
}
}
if p.HostIP != nil {
if !p.HostIP.Equal(o.HostIP) {
return false
}
} else {
if o.HostIP != nil {
return false
}
}
return true
}
func compareBindings(a, b []portmapperapi.PortBinding) bool {
if len(a) != len(b) {
return false
}
for i := range a {
if !comparePortBinding(&a[i].PortBinding, &b[i].PortBinding) {
return false
}
}
return true
}
func TestNetworkConfigurationMarshalling(t *testing.T) {
nc := &networkConfiguration{
ID: "nid",
BridgeName: "bridgename",
EnableIPv4: true,
EnableIPv6: true,
EnableIPMasquerade: true,
GwModeIPv4: gwModeRouted,
GwModeIPv6: gwModeIsolated,
EnableICC: true,
TrustedHostInterfaces: []string{"foo0", "bar1"},
InhibitIPv4: true,
Mtu: 1234,
DefaultBindingIP: net.ParseIP("192.0.2.1"),
DefaultBridge: true,
HostIPv4: net.ParseIP("192.0.2.2"),
HostIPv6: net.ParseIP("2001:db8::1"),
ContainerIfacePrefix: "baz",
}
b, err := json.Marshal(nc)
assert.Assert(t, err)
nnc := &networkConfiguration{}
err = json.Unmarshal(b, nnc)
assert.Assert(t, err)
assert.Check(t, is.DeepEqual(nnc, nc, cmpopts.IgnoreUnexported(networkConfiguration{})))
}
func getIPv4Data(t *testing.T) []driverapi.IPAMData {
t.Helper()
a, _ := defaultipam.NewAllocator(ipamutils.GetLocalScopeDefaultNetworks(), nil)
alloc, err := a.RequestPool(ipamapi.PoolRequest{
AddressSpace: "LocalDefault",
Exclude: netutils.InferReservedNetworks(false),
})
assert.NilError(t, err)
gw, _, err := a.RequestAddress(alloc.PoolID, nil, nil)
assert.NilError(t, err)
return []driverapi.IPAMData{{AddressSpace: "LocalDefault", Pool: netiputil.ToIPNet(alloc.Pool), Gateway: gw}}
}
func getIPv6Data(t *testing.T) []driverapi.IPAMData {
ipd := driverapi.IPAMData{AddressSpace: "full"}
// There's no default IPv6 address pool, so use an arbitrary unique-local prefix.
addr, nw, _ := net.ParseCIDR("fdcd:d1b1:99d2:abcd::1/64")
ipd.Pool = nw
ipd.Gateway = &net.IPNet{IP: addr, Mask: nw.Mask}
return []driverapi.IPAMData{ipd}
}
func TestCreateFullOptions(t *testing.T) {
defer netnsutils.SetupTestOSContext(t)()
d, err := newDriver(storeutils.NewTempStore(t), Configuration{
EnableIPForwarding: true,
EnableIPTables: true,
}, &drvregistry.PortMappers{})
assert.NilError(t, err)
// Test this scenario: Default gw address does not belong to
// container network and it's greater than bridge address
cnw, _ := types.ParseCIDR("172.16.122.0/24")
bnw, _ := types.ParseCIDR("172.16.0.0/24")
br, _ := types.ParseCIDR("172.16.0.1/16")
defgw, _ := types.ParseCIDR("172.16.0.100/16")
netOption := make(map[string]any)
netOption[netlabel.EnableIPv4] = true
netOption[netlabel.EnableIPv6] = true
netOption[netlabel.GenericData] = &networkConfiguration{
BridgeName: DefaultBridgeName,
}
ipdList := []driverapi.IPAMData{
{
Pool: bnw,
Gateway: br,
AuxAddresses: map[string]*net.IPNet{DefaultGatewayV4AuxKey: defgw},
},
}
err = d.CreateNetwork(context.Background(), "dummy", netOption, nil, ipdList, getIPv6Data(t))
if err != nil {
t.Fatalf("Failed to create bridge: %v", err)
}
// Verify the IP address allocated for the endpoint belongs to the container network
epOptions := make(map[string]any)
te := newTestEndpoint(cnw, 10)
err = d.CreateEndpoint(context.Background(), "dummy", "ep1", te.Interface(), epOptions)
if err != nil {
t.Fatalf("Failed to create an endpoint : %s", err.Error())
}
if !cnw.Contains(te.Interface().Address().IP) {
t.Fatalf("endpoint got assigned address outside of container network(%s): %s", cnw.String(), te.Interface().Address())
}
}
func TestCreateNoConfig(t *testing.T) {
defer netnsutils.SetupTestOSContext(t)()
d, err := newDriver(storeutils.NewTempStore(t), Configuration{}, &drvregistry.PortMappers{})
assert.NilError(t, err)
netconfig := &networkConfiguration{BridgeName: DefaultBridgeName, EnableIPv4: true}
genericOption := make(map[string]any)
genericOption[netlabel.GenericData] = netconfig
if err := d.CreateNetwork(context.Background(), "dummy", genericOption, nil, getIPv4Data(t), nil); err != nil {
t.Fatalf("Failed to create bridge: %v", err)
}
}
func TestCreateFullOptionsLabels(t *testing.T) {
defer netnsutils.SetupTestOSContext(t)()
d, err := newDriver(storeutils.NewTempStore(t), Configuration{
EnableIPForwarding: true,
}, &drvregistry.PortMappers{})
assert.NilError(t, err)
bndIPs := "127.0.0.1"
testHostIPv4 := "1.2.3.4"
nwV6s := "2001:db8:2600:2700:2800::/80"
gwV6s := "2001:db8:2600:2700:2800::25/80"
nwV6, _ := types.ParseCIDR(nwV6s)
gwV6, _ := types.ParseCIDR(gwV6s)
labels := map[string]string{
BridgeName: DefaultBridgeName,
DefaultBridge: "true",
EnableICC: "true",
EnableIPMasquerade: "true",
DefaultBindingIP: bndIPs,
netlabel.HostIPv4: testHostIPv4,
}
netOption := make(map[string]any)
netOption[netlabel.EnableIPv4] = true
netOption[netlabel.EnableIPv6] = true
netOption[netlabel.GenericData] = labels
ipdList := getIPv4Data(t)
ipd6List := []driverapi.IPAMData{
{
Pool: nwV6,
AuxAddresses: map[string]*net.IPNet{
DefaultGatewayV6AuxKey: gwV6,
},
},
}
err = d.CreateNetwork(context.Background(), "dummy", netOption, nil, ipdList, ipd6List)
if err != nil {
t.Fatalf("Failed to create bridge: %v", err)
}
nw, ok := d.networks["dummy"]
if !ok {
t.Fatal("Cannot find dummy network in bridge driver")
}
if nw.config.BridgeName != DefaultBridgeName {
t.Fatal("incongruent name in bridge network")
}
if !nw.config.EnableIPv4 {
t.Fatal("incongruent EnableIPv4 in bridge network")
}
if !nw.config.EnableIPv6 {
t.Fatal("incongruent EnableIPv6 in bridge network")
}
if !nw.config.EnableICC {
t.Fatal("incongruent EnableICC in bridge network")
}
if !nw.config.EnableIPMasquerade {
t.Fatal("incongruent EnableIPMasquerade in bridge network")
}
bndIP := net.ParseIP(bndIPs)
if !bndIP.Equal(nw.config.DefaultBindingIP) {
t.Fatalf("Unexpected: %v", nw.config.DefaultBindingIP)
}
hostIP := net.ParseIP(testHostIPv4)
if !hostIP.Equal(nw.config.HostIPv4) {
t.Fatalf("Unexpected: %v", nw.config.HostIPv4)
}
if !types.CompareIPNet(nw.config.AddressIPv6, nwV6) {
t.Fatalf("Unexpected: %v", nw.config.AddressIPv6)
}
if !gwV6.IP.Equal(nw.config.DefaultGatewayIPv6) {
t.Fatalf("Unexpected: %v", nw.config.DefaultGatewayIPv6)
}
// Check that a MAC address is generated if not already configured.
te1 := newTestEndpoint(ipdList[0].Pool, 20)
err = d.CreateEndpoint(context.Background(), "dummy", "ep1", te1.Interface(), map[string]any{})
assert.NilError(t, err)
assert.Check(t, is.Len(te1.iface.mac, 6))
// Check that a configured --mac-address isn't overwritten by a generated address.
te2 := newTestEndpoint(ipdList[0].Pool, 20)
const macAddr = "aa:bb:cc:dd:ee:ff"
te2.iface.mac = netutils.MustParseMAC(macAddr)
err = d.CreateEndpoint(context.Background(), "dummy", "ep2", te2.Interface(), map[string]any{})
assert.NilError(t, err)
assert.Check(t, is.Equal(te2.iface.mac.String(), macAddr))
}
func TestCreateVeth(t *testing.T) {
tests := []struct {
name string
netnsName string
createNetns bool
expCreatedInContainer bool
}{
{
name: "host netns",
},
{
name: "container netns",
netnsName: "testnsctr",
createNetns: true,
expCreatedInContainer: true,
},
{
name: "netns not created",
netnsName: "testnsctr",
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
// Create a "host" network namespace with a netlink handle.
const hostNsName = "testnshost"
res := icmd.RunCommand("ip", "netns", "add", hostNsName)
assert.Assert(t, is.Equal(res.ExitCode, 0))
defer icmd.RunCommand("ip", "netns", "del", hostNsName)
nsh, err := netns.GetFromPath("/var/run/netns/" + hostNsName)
assert.NilError(t, err)
defer nsh.Close()
nlh, err := nlwrap.NewHandleAt(nsh)
assert.NilError(t, err)
defer nlh.Close()
netnsPath := ""
if tc.netnsName != "" {
netnsPath = "/var/run/netns/" + tc.netnsName
}
if tc.createNetns {
res := icmd.RunCommand("ip", "netns", "add", tc.netnsName)
assert.Assert(t, is.Equal(res.ExitCode, 0))
defer icmd.RunCommand("ip", "netns", "del", tc.netnsName)
}
const hostIfName = "vethtesth"
const containerIfName = "vethtestc"
defer func() {
// Just in case anything ends up in the host's netns, make sure it doesn't hang around ...
icmd.RunCommand("ip", "link", "del", hostIfName)
icmd.RunCommand("ip", "link", "del", containerIfName)
}()
iface := &testInterface{netnsPath: netnsPath}
nlhCtr, err := createVeth(context.Background(), hostIfName, containerIfName, iface, nlh)
assert.Check(t, err)
assert.Check(t, is.Equal(iface.createdInContainer, tc.expCreatedInContainer))
if tc.expCreatedInContainer {
assert.Check(t, nlhCtr != nil)
res := icmd.RunCommand("ip", "netns", "exec", hostNsName, "ip", "link", "show", hostIfName)
assert.Check(t, is.Equal(res.ExitCode, 0))
res = icmd.RunCommand("ip", "netns", "exec", hostNsName, "ip", "link", "show", containerIfName)
assert.Check(t, is.Equal(res.ExitCode, 1))
res = icmd.RunCommand("ip", "netns", "exec", tc.netnsName, "ip", "link", "show", containerIfName)
assert.Check(t, is.Equal(res.ExitCode, 0))
} else {
assert.Check(t, nlhCtr == nil)
res := icmd.RunCommand("ip", "netns", "exec", hostNsName, "ip", "link", "show", hostIfName)
assert.Check(t, is.Equal(res.ExitCode, 0))
res = icmd.RunCommand("ip", "netns", "exec", hostNsName, "ip", "link", "show", containerIfName)
assert.Check(t, is.Equal(res.ExitCode, 0))
}
})
}
}
func TestCreate(t *testing.T) {
defer netnsutils.SetupTestOSContext(t)()
d, err := newDriver(storeutils.NewTempStore(t), Configuration{}, &drvregistry.PortMappers{})
assert.NilError(t, err)
netconfig := &networkConfiguration{BridgeName: DefaultBridgeName, EnableIPv4: true}
genericOption := make(map[string]any)
genericOption[netlabel.GenericData] = netconfig
if err := d.CreateNetwork(context.Background(), "dummy", genericOption, nil, getIPv4Data(t), nil); err != nil {
t.Fatalf("Failed to create bridge: %v", err)
}
err = d.CreateNetwork(context.Background(), "dummy", genericOption, nil, getIPv4Data(t), nil)
if err == nil {
t.Fatal("Expected bridge driver to refuse creation of second network with default name")
}
if !cerrdefs.IsPermissionDenied(err) {
t.Fatal("Creation of second network with default name failed with unexpected error type")
}
}
func TestCreateFail(t *testing.T) {
defer netnsutils.SetupTestOSContext(t)()
d, err := newDriver(storeutils.NewTempStore(t), Configuration{}, &drvregistry.PortMappers{})
assert.NilError(t, err)
netconfig := &networkConfiguration{BridgeName: "dummy0", DefaultBridge: true}
genericOption := make(map[string]any)
genericOption[netlabel.GenericData] = netconfig
if err := d.CreateNetwork(context.Background(), "dummy", genericOption, nil, getIPv4Data(t), nil); err == nil {
t.Fatal("Bridge creation was expected to fail")
}
}
func TestCreateMultipleNetworks(t *testing.T) {
defer netnsutils.SetupTestOSContext(t)()
useStubFirewaller(t)
d, err := newDriver(storeutils.NewTempStore(t), Configuration{
EnableIPTables: true,
}, &drvregistry.PortMappers{})
assert.NilError(t, err)
checkFirewallerNetworks := func() {
t.Helper()
fw := d.firewaller.(*firewaller.StubFirewaller)
got := maps.Clone(fw.Networks)
for _, wantNw := range d.networks {
_, ok := got[wantNw.config.BridgeName]
assert.Check(t, ok, "Rules for bridge %s (nid:%s) have been deleted", wantNw.config.BridgeName, wantNw.id)
delete(got, wantNw.config.BridgeName)
}
assert.Check(t, is.Len(slices.Collect(maps.Keys(got)), 0), "Rules for bridges have not been deleted")
}
config1 := &networkConfiguration{BridgeName: "net_test_1", EnableIPv4: true}
genericOption := make(map[string]any)
genericOption[netlabel.GenericData] = config1
if err := d.CreateNetwork(context.Background(), "1", genericOption, nil, getIPv4Data(t), nil); err != nil {
t.Fatalf("Failed to create bridge: %v", err)
}
checkFirewallerNetworks()
config2 := &networkConfiguration{BridgeName: "net_test_2", EnableIPv4: true}
genericOption[netlabel.GenericData] = config2
if err := d.CreateNetwork(context.Background(), "2", genericOption, nil, getIPv4Data(t), nil); err != nil {
t.Fatalf("Failed to create bridge: %v", err)
}
checkFirewallerNetworks()
config3 := &networkConfiguration{BridgeName: "net_test_3", EnableIPv4: true}
genericOption[netlabel.GenericData] = config3
if err := d.CreateNetwork(context.Background(), "3", genericOption, nil, getIPv4Data(t), nil); err != nil {
t.Fatalf("Failed to create bridge: %v", err)
}
checkFirewallerNetworks()
config4 := &networkConfiguration{BridgeName: "net_test_4", EnableIPv4: true}
genericOption[netlabel.GenericData] = config4
if err := d.CreateNetwork(context.Background(), "4", genericOption, nil, getIPv4Data(t), nil); err != nil {
t.Fatalf("Failed to create bridge: %v", err)
}
checkFirewallerNetworks()
if err := d.DeleteNetwork("1"); err != nil {
t.Log(err)
}
checkFirewallerNetworks()
if err := d.DeleteNetwork("2"); err != nil {
t.Log(err)
}
checkFirewallerNetworks()
if err := d.DeleteNetwork("3"); err != nil {
t.Log(err)
}
checkFirewallerNetworks()
if err := d.DeleteNetwork("4"); err != nil {
t.Log(err)
}
checkFirewallerNetworks()
}
type testInterface struct {
mac net.HardwareAddr
addr *net.IPNet
addrv6 *net.IPNet
srcName string
dstPrefix string
dstName string
createdInContainer bool
netnsPath string
}
type testEndpoint struct {
iface *testInterface
gw net.IP
gw6 net.IP
routes []types.StaticRoute
}
func newTestEndpoint(nw *net.IPNet, ordinal byte) *testEndpoint {
addr := types.GetIPNetCopy(nw)
addr.IP[len(addr.IP)-1] = ordinal
return &testEndpoint{iface: &testInterface{addr: addr}}
}
// newTestEndpoint46 is like newTestEndpoint, but assigns an IPv6 address as well as IPv4.
func newTestEndpoint46(nw4, nw6 *net.IPNet, ordinal byte) *testEndpoint {
addr4 := types.GetIPNetCopy(nw4)
addr4.IP[len(addr4.IP)-1] = ordinal
addr6 := types.GetIPNetCopy(nw6)
addr6.IP[len(addr6.IP)-1] = ordinal
return &testEndpoint{
iface: &testInterface{
addr: addr4,
addrv6: addr6,
},
}
}
func (te *testEndpoint) Interface() *testInterface {
return te.iface
}
func (i *testInterface) MacAddress() net.HardwareAddr {
return i.mac
}
func (i *testInterface) Address() *net.IPNet {
return i.addr
}
func (i *testInterface) AddressIPv6() *net.IPNet {
return i.addrv6
}
func (i *testInterface) SetMacAddress(mac net.HardwareAddr) error {
if i.mac != nil {
return types.ForbiddenErrorf("endpoint interface MAC address present (%s). Cannot be modified with %s.", i.mac, mac)
}
if mac == nil {
return types.InvalidParameterErrorf("tried to set nil MAC address to endpoint interface")
}
i.mac = slices.Clone(mac)
return nil
}
func (i *testInterface) SetIPAddress(address *net.IPNet) error {
if address.IP == nil {
return types.InvalidParameterErrorf("tried to set nil IP address to endpoint interface")
}
if address.IP.To4() == nil {
return setAddress(&i.addrv6, address)
}
return setAddress(&i.addr, address)
}
func setAddress(ifaceAddr **net.IPNet, address *net.IPNet) error {
if *ifaceAddr != nil {
return types.ForbiddenErrorf("endpoint interface IP present (%s). Cannot be modified with (%s).", *ifaceAddr, address)
}
*ifaceAddr = types.GetIPNetCopy(address)
return nil
}
func (i *testInterface) NetnsPath() string {
return i.netnsPath
}
func (i *testInterface) SetCreatedInContainer(cic bool) {
i.createdInContainer = cic
}
func (i *testInterface) SetNames(srcName, dstPrefix, dstName string) error {
i.srcName = srcName
i.dstPrefix = dstPrefix
i.dstName = dstName
return nil
}
func (te *testEndpoint) InterfaceName() driverapi.InterfaceNameInfo {
if te.iface != nil {
return te.iface
}
return nil
}
func (te *testEndpoint) SetGateway(gw net.IP) error {
te.gw = gw
return nil
}
func (te *testEndpoint) SetGatewayIPv6(gw6 net.IP) error {
te.gw6 = gw6
return nil
}
func (te *testEndpoint) AddStaticRoute(destination *net.IPNet, routeType types.RouteType, nextHop net.IP) error {
te.routes = append(te.routes, types.StaticRoute{Destination: destination, RouteType: routeType, NextHop: nextHop})
return nil
}
func (te *testEndpoint) AddTableEntry(tableName string, key string, value []byte) error {
return nil
}
func (te *testEndpoint) DisableGatewayService() {}
func (te *testEndpoint) ForceGw4() {}
func (te *testEndpoint) ForceGw6() {}
func TestQueryEndpointInfo(t *testing.T) {
testQueryEndpointInfo(t, true)
}
func TestQueryEndpointInfoHairpin(t *testing.T) {
testQueryEndpointInfo(t, false)
}
func testQueryEndpointInfo(t *testing.T, ulPxyEnabled bool) {
defer netnsutils.SetupTestOSContext(t)()
useStubFirewaller(t)
pms := drvregistry.PortMappers{}
pm := &stubPortMapper{}
err := pms.Register("nat", pm)
assert.NilError(t, err)
d, err := newDriver(storeutils.NewTempStore(t), Configuration{
EnableIPTables: true,
}, &pms)
assert.NilError(t, err)
portallocator.Get().ReleaseAll()
netconfig := &networkConfiguration{
BridgeName: DefaultBridgeName,
EnableIPv4: true,
EnableICC: false,
}
genericOption := make(map[string]any)
genericOption[netlabel.GenericData] = netconfig
ipdList := getIPv4Data(t)
err = d.CreateNetwork(context.Background(), "net1", genericOption, nil, ipdList, nil)
if err != nil {
t.Fatalf("Failed to create bridge: %v", err)
}
sbOptions := make(map[string]any)
sbOptions[netlabel.PortMap] = getPortMapping()
te := newTestEndpoint(ipdList[0].Pool, 11)
err = d.CreateEndpoint(context.Background(), "net1", "ep1", te.Interface(), nil)
if err != nil {
t.Fatalf("Failed to create an endpoint : %s", err.Error())
}
err = d.Join(context.Background(), "net1", "ep1", "sbox", te, nil, sbOptions)
if err != nil {
t.Fatalf("Failed to join the endpoint: %v", err)
}
err = d.ProgramExternalConnectivity(context.Background(), "net1", "ep1", "ep1", "")
if err != nil {
t.Fatalf("Failed to program external connectivity: %v", err)
}
network, ok := d.networks["net1"]
if !ok {
t.Fatalf("Cannot find network %s inside driver", "net1")
}
ep := network.endpoints["ep1"]
data, err := d.EndpointOperInfo(network.id, ep.id)
if err != nil {
t.Fatalf("Failed to ask for endpoint operational data: %v", err)
}
pmd, ok := data[netlabel.PortMap]
if !ok {
t.Fatal("Endpoint operational data does not contain port mapping data")
}
pbs, ok := pmd.([]types.PortBinding)
if !ok {
t.Fatal("Unexpected format for port mapping in endpoint operational data")
}
if len(ep.portMapping) != len(pbs) {
t.Fatal("Incomplete data for port mapping in endpoint operational data")
}
for i, pb := range ep.portMapping {
if !comparePortBinding(&pb.PortBinding, &pbs[i]) {
t.Fatal("Unexpected data for port mapping in endpoint operational data")
}
}
err = d.ProgramExternalConnectivity(context.Background(), "net1", "ep1", "", "")
if err != nil {
t.Fatal(err)
}
// release host mapped ports
err = d.Leave("net1", "ep1")
if err != nil {
t.Fatal(err)
}
}
func getExposedPorts() []types.TransportPort {
return []types.TransportPort{
{Proto: types.TCP, Port: 5000},
{Proto: types.UDP, Port: 400},
{Proto: types.TCP, Port: 600},
}
}
func getPortMapping() []types.PortBinding {
return []types.PortBinding{
{Proto: types.TCP, Port: 230, HostPort: 23000},
{Proto: types.UDP, Port: 200, HostPort: 22000},
{Proto: types.TCP, Port: 120, HostPort: 12000},
}
}
func TestLinkContainers(t *testing.T) {
defer netnsutils.SetupTestOSContext(t)()
useStubFirewaller(t)
d, err := newDriver(storeutils.NewTempStore(t), Configuration{
EnableIPTables: true,
}, &drvregistry.PortMappers{})
assert.NilError(t, err)
netconfig := &networkConfiguration{
BridgeName: DefaultBridgeName,
EnableIPv4: true,
EnableICC: false,
}
genericOption := make(map[string]any)
genericOption[netlabel.GenericData] = netconfig
ipdList := getIPv4Data(t)
err = d.CreateNetwork(context.Background(), "net1", genericOption, nil, ipdList, nil)
if err != nil {
t.Fatalf("Failed to create bridge: %v", err)
}
te1 := newTestEndpoint(ipdList[0].Pool, 11)
err = d.CreateEndpoint(context.Background(), "net1", "ep1", te1.Interface(), nil)
if err != nil {
t.Fatalf("Failed to create an endpoint : %s", err.Error())
}
exposedPorts := getExposedPorts()
sbOptions := make(map[string]any)
sbOptions[netlabel.ExposedPorts] = exposedPorts
err = d.Join(context.Background(), "net1", "ep1", "sbox", te1, nil, sbOptions)
if err != nil {
t.Fatalf("Failed to join the endpoint: %v", err)
}
err = d.ProgramExternalConnectivity(context.Background(), "net1", "ep1", "ep1", "")
if err != nil {
t.Fatalf("Failed to program external connectivity: %v", err)
}
addr1 := te1.iface.addr
if addr1.IP.To4() == nil {
t.Fatal("No Ipv4 address assigned to the endpoint: ep1")
}
te2 := newTestEndpoint(ipdList[0].Pool, 22)
err = d.CreateEndpoint(context.Background(), "net1", "ep2", te2.Interface(), nil)
if err != nil {
t.Fatalf("Failed to create an endpoint : %s", err.Error())
}
addr2 := te2.iface.addr
if addr2.IP.To4() == nil {
t.Fatal("No Ipv4 address assigned to the endpoint: ep2")
}
sbOptions = make(map[string]any)
sbOptions[netlabel.GenericData] = options.Generic{
"ChildEndpoints": []string{"ep1"},
}
err = d.Join(context.Background(), "net1", "ep2", "", te2, nil, sbOptions)
if err != nil {
t.Fatal("Failed to link ep1 and ep2")
}
err = d.ProgramExternalConnectivity(context.Background(), "net1", "ep2", "ep2", "ep2")
if err != nil {
t.Fatalf("Failed to program external connectivity: %v", err)
}
checkLink := func(expExists bool) {
t.Helper()
dnw, ok := d.networks["net1"]
assert.Assert(t, ok)
fnw := dnw.firewallerNetwork.(*firewaller.StubFirewallerNetwork)
parentAddr, ok := netip.AddrFromSlice(te2.iface.addr.IP)
assert.Assert(t, ok)
childAddr, ok := netip.AddrFromSlice(te1.iface.addr.IP)
assert.Assert(t, ok)
exists := fnw.LinkExists(parentAddr, childAddr, exposedPorts)
assert.Check(t, is.Equal(exists, expExists))
}
checkLink(true)
err = d.ProgramExternalConnectivity(context.Background(), "net1", "ep2", "", "")
if err != nil {
t.Fatalf("Failed to revoke external connectivity: %v", err)
}
err = d.Leave("net1", "ep2")
if err != nil {
t.Fatal("Failed to unlink ep1 and ep2")
}
checkLink(false)
// Error condition test with an invalid endpoint-id "ep4"
sbOptions = make(map[string]any)
sbOptions[netlabel.GenericData] = options.Generic{
"ChildEndpoints": []string{"ep1", "ep4"},
}
err = d.Join(context.Background(), "net1", "ep2", "", te2, nil, sbOptions)
assert.Check(t, err != nil, "Expected Join to fail given link conditions are not satisfied")
checkLink(false)
}
func TestValidateConfig(t *testing.T) {
defer netnsutils.SetupTestOSContext(t)()
// Bridge network
_, network, _ := net.ParseCIDR("172.28.0.0/16")
c := networkConfiguration{
AddressIPv4: network,
EnableIPv4: true,
}
err := c.Validate()
if err != nil {
t.Fatal("unexpected validation error:", err)
}
// Test mtu
c.Mtu = -2
err = c.Validate()
if err == nil {
t.Fatal("Failed to detect invalid MTU number")
}
c.Mtu = 9000
err = c.Validate()
if err != nil {
t.Fatal("unexpected validation error on MTU number:", err)
}
err = c.Validate()
if err != nil {
t.Fatal(err)
}
// Test v4 gw
c.DefaultGatewayIPv4 = net.ParseIP("172.27.30.234")
err = c.Validate()
if err == nil {
t.Fatal("Failed to detect invalid default gateway")
}
c.DefaultGatewayIPv4 = net.ParseIP("172.28.30.234")
err = c.Validate()
if err != nil {
t.Fatal("Unexpected validation error on default gateway")
}
// Test v6 gw
_, v6nw, _ := net.ParseCIDR("2001:db8:ae:b004::/64")
c = networkConfiguration{
EnableIPv6: true,
AddressIPv6: v6nw,
DefaultGatewayIPv6: net.ParseIP("2001:db8:ac:b004::bad:a55"),
}
err = c.Validate()
if err == nil {
t.Fatal("Failed to detect invalid v6 default gateway")
}
c.DefaultGatewayIPv6 = net.ParseIP("2001:db8:ae:b004::bad:a55")
err = c.Validate()
if err != nil {
t.Fatal("Unexpected validation error on v6 default gateway")
}
c.AddressIPv6 = nil
err = c.Validate()
if err == nil {
t.Fatal("Failed to detect invalid v6 default gateway")
}
c.AddressIPv6 = nil
err = c.Validate()
if err == nil {
t.Fatal("Failed to detect invalid v6 default gateway")
}
}
func TestValidateFixedCIDRV6(t *testing.T) {
tests := []struct {
doc, input, expectedErr string
}{
{
doc: "valid",
input: "2001:db8::/32",
},
{
// fixed-cidr-v6 doesn't have to be specified.
doc: "empty",
},
{
// Using the LL subnet prefix is ok.
doc: "Link-Local subnet prefix",
input: "fe80::/64",
},
{
// Using a nonstandard LL prefix that doesn't overlap with the standard LL prefix
// is ok.
doc: "non-overlapping link-local prefix",
input: "fe80:1234::/80",
},
{
// Overlapping with the standard LL prefix isn't allowed.
doc: "overlapping link-local prefix fe80::/63",
input: "fe80::/63",
expectedErr: "invalid fixed-cidr-v6: 'fe80::/63' clashes with the Link-Local prefix 'fe80::/64'",
},
{
// Overlapping with the standard LL prefix isn't allowed.
doc: "overlapping link-local subnet fe80::/65",
input: "fe80::/65",
expectedErr: "invalid fixed-cidr-v6: 'fe80::/65' clashes with the Link-Local prefix 'fe80::/64'",
},
{
// The address has to be valid IPv6 subnet.
doc: "invalid IPv6 subnet",
input: "2000:db8::",
expectedErr: "invalid fixed-cidr-v6: netip.ParsePrefix(\"2000:db8::\"): no '/'",
},
{
doc: "non-IPv6 subnet",
input: "10.3.4.5/24",
expectedErr: "invalid fixed-cidr-v6: '10.3.4.5/24' is not a valid IPv6 subnet",
},
{
doc: "IPv4-mapped subnet 1",
input: "::ffff:10.2.4.0/24",
expectedErr: "invalid fixed-cidr-v6: '::ffff:10.2.4.0/24' is not a valid IPv6 subnet",
},
{
doc: "IPv4-mapped subnet 2",
input: "::ffff:a01:203/24",
expectedErr: "invalid fixed-cidr-v6: '::ffff:10.1.2.3/24' is not a valid IPv6 subnet",
},
{
doc: "invalid subnet",
input: "nonsense",
expectedErr: "invalid fixed-cidr-v6: netip.ParsePrefix(\"nonsense\"): no '/'",
},
{
doc: "multicast IPv6 subnet",
input: "ff05::/64",
expectedErr: "invalid fixed-cidr-v6: multicast subnet 'ff05::/64' is not allowed",
},
}
for _, tc := range tests {
t.Run(tc.doc, func(t *testing.T) {
err := ValidateFixedCIDRV6(tc.input)
if tc.expectedErr == "" {
assert.Check(t, err)
} else {
assert.Check(t, is.Error(err, tc.expectedErr))
}
})
}
}
func TestSetDefaultGw(t *testing.T) {
defer netnsutils.SetupTestOSContext(t)()
d, err := newDriver(storeutils.NewTempStore(t), Configuration{}, &drvregistry.PortMappers{})
assert.NilError(t, err)
ipam4 := getIPv4Data(t)
gw4 := slices.Clone(ipam4[0].Pool.IP).To4()
gw4[3] = 254
ipam6 := getIPv6Data(t)
gw6 := slices.Clone(ipam6[0].Pool.IP)
gw6[15] = 0x42
option := map[string]any{
netlabel.EnableIPv4: true,
netlabel.EnableIPv6: true,
netlabel.GenericData: &networkConfiguration{
BridgeName: DefaultBridgeName,
DefaultGatewayIPv4: gw4,
DefaultGatewayIPv6: gw6,
},
}
err = d.CreateNetwork(context.Background(), "dummy", option, nil, ipam4, ipam6)
if err != nil {
t.Fatalf("Failed to create bridge: %v", err)
}
te := newTestEndpoint(ipam4[0].Pool, 10)
err = d.CreateEndpoint(context.Background(), "dummy", "ep", te.Interface(), nil)
if err != nil {
t.Fatalf("Failed to create endpoint: %v", err)
}
err = d.Join(context.Background(), "dummy", "ep", "sbox", te, nil, nil)
if err != nil {
t.Fatalf("Failed to join endpoint: %v", err)
}
if !gw4.Equal(te.gw) {
t.Fatalf("Failed to configure default gateway. Expected %v. Found %v", gw4, te.gw)
}
if !gw6.Equal(te.gw6) {
t.Fatalf("Failed to configure default gateway. Expected %v. Found %v", gw6, te.gw6)
}
}
func TestCreateWithExistingBridge(t *testing.T) {
defer netnsutils.SetupTestOSContext(t)()
d, err := newDriver(storeutils.NewTempStore(t), Configuration{}, &drvregistry.PortMappers{})
assert.NilError(t, err)
brName := "br111"
br := &netlink.Bridge{
LinkAttrs: netlink.LinkAttrs{
Name: brName,
},
}
if err := netlink.LinkAdd(br); err != nil {
t.Fatalf("Failed to create bridge interface: %v", err)
}
defer netlink.LinkDel(br)
if err := netlink.LinkSetUp(br); err != nil {
t.Fatalf("Failed to set bridge interface up: %v", err)
}
ip := net.IP{192, 168, 122, 1}
addr := &netlink.Addr{IPNet: &net.IPNet{
IP: ip,
Mask: net.IPv4Mask(255, 255, 255, 0),
}}
if err := netlink.AddrAdd(br, addr); err != nil {
t.Fatalf("Failed to add IP address to bridge: %v", err)
}
netconfig := &networkConfiguration{BridgeName: brName, EnableIPv4: true}
genericOption := make(map[string]any)
genericOption[netlabel.GenericData] = netconfig
ipv4Data := []driverapi.IPAMData{{
AddressSpace: "full",
Pool: types.GetIPNetCopy(addr.IPNet),
Gateway: types.GetIPNetCopy(addr.IPNet),
}}
// Set network gateway to X.X.X.1
ipv4Data[0].Gateway.IP[len(ipv4Data[0].Gateway.IP)-1] = 1
if err := d.CreateNetwork(context.Background(), brName, genericOption, nil, ipv4Data, nil); err != nil {
t.Fatalf("Failed to create bridge network: %v", err)
}
nw, err := d.getNetwork(brName)
if err != nil {
t.Fatalf("Failed to getNetwork(%s): %v", brName, err)
}
addrs4, err := nw.bridge.addresses(netlink.FAMILY_V4)
if err != nil {
t.Fatalf("Failed to get the bridge network's address: %v", err)
}
if !addrs4[0].IP.Equal(ip) {
t.Fatal("Creating bridge network with existing bridge interface unexpectedly modified the IP address of the bridge")
}
if err := d.DeleteNetwork(brName); err != nil {
t.Fatalf("Failed to delete network %s: %v", brName, err)
}
if _, err := nlwrap.LinkByName(brName); err != nil {
t.Fatal("Deleting bridge network that using existing bridge interface unexpectedly deleted the bridge interface")
}
}
func TestCreateParallel(t *testing.T) {
c := netnsutils.SetupTestOSContextEx(t)
defer c.Cleanup(t)
d, err := newDriver(storeutils.NewTempStore(t), Configuration{}, &drvregistry.PortMappers{})
assert.NilError(t, err)
portallocator.Get().ReleaseAll()
ipV4Data := getIPv4Data(t)
ch := make(chan error, 100)
for i := range 100 {
name := "net" + strconv.Itoa(i)
c.Go(t, func() {
config := &networkConfiguration{BridgeName: name, EnableIPv4: true}
genericOption := make(map[string]any)
genericOption[netlabel.GenericData] = config
if err := d.CreateNetwork(context.Background(), name, genericOption, nil, ipV4Data, nil); err != nil {
ch <- fmt.Errorf("failed to create %s", name)
return
}
if err := d.CreateNetwork(context.Background(), name, genericOption, nil, ipV4Data, nil); err == nil {
ch <- fmt.Errorf("failed was able to create overlap %s", name)
return
}
ch <- nil
})
}
// wait for the go routines
var success int
for range 100 {
val := <-ch
if val == nil {
success++
}
}
if success != 1 {
t.Fatalf("Success should be 1 instead: %d", success)
}
}
func useStubFirewaller(t *testing.T) {
origNewFirewaller := newFirewaller
newFirewaller = func(_ context.Context, config firewaller.Config) (firewaller.Firewaller, error) {
return firewaller.NewStubFirewaller(config), nil
}
t.Cleanup(func() { newFirewaller = origNewFirewaller })
}
// Regression test for https://github.com/moby/moby/issues/46445
func TestSetupIP6TablesWithHostIPv4(t *testing.T) {
defer netnsutils.SetupTestOSContext(t)()
d, err := newDriver(storeutils.NewTempStore(t), Configuration{
EnableIPTables: true,
EnableIP6Tables: true,
}, &drvregistry.PortMappers{})
assert.NilError(t, err)
nc := &networkConfiguration{
BridgeName: DefaultBridgeName,
AddressIPv4: &net.IPNet{IP: net.ParseIP("192.168.42.1"), Mask: net.CIDRMask(16, 32)},
EnableIPMasquerade: true,
EnableIPv4: true,
EnableIPv6: true,
AddressIPv6: &net.IPNet{IP: net.ParseIP("2001:db8::1"), Mask: net.CIDRMask(64, 128)},
HostIPv4: net.ParseIP("192.0.2.2"),
}
// Create test bridge.
nh, err := nlwrap.NewHandle()
if err != nil {
t.Fatal(err)
}
br := &bridgeInterface{nlh: nh}
if err := setupDevice(nc, br); err != nil {
t.Fatalf("Failed to create the testing Bridge: %s", err.Error())
}
if err := setupBridgeIPv4(nc, br); err != nil {
t.Fatalf("Failed to bring up the testing Bridge: %s", err.Error())
}
if err := setupBridgeIPv6(nc, br); err != nil {
t.Fatalf("Failed to bring up the testing Bridge: %s", err.Error())
}
// Check firewall configuration succeeds.
nw := bridgeNetwork{
config: nc,
driver: d,
bridge: br,
}
fwn, err := nw.newFirewallerNetwork(context.Background())
assert.NilError(t, err)
assert.Check(t, fwn != nil, "no firewaller network")
}
Reference in New Issue View Git Blame Copy Permalink