// getLine returns a string containing the file and line number of the caller, if // possible. This is useful in tests with a large number of cases - when something goes // wrong you can find which case more easily. func getLine() string { … } var objectOrder … // sortNFTablesTransaction sorts an nftables transaction into a standard order for comparison func sortNFTablesTransaction(tx string) string { … } // diffNFTablesTransaction is a (testable) helper function for assertNFTablesTransactionEqual func diffNFTablesTransaction(expected, result string) string { … } // assertNFTablesTransactionEqual asserts that expected and result are equal, ignoring // irrelevant differences. func assertNFTablesTransactionEqual(t *testing.T, line string, expected, result string) { … } // diffNFTablesChain is a (testable) helper function for assertNFTablesChainEqual func diffNFTablesChain(nft *knftables.Fake, chain, expected string) string { … } type nftablesTracer … // newNFTablesTracer creates an nftablesTracer. nodeIPs are the IP to treat as local node // IPs (for determining whether rules with "fib saddr type local" or "fib daddr type // local" match). func newNFTablesTracer(t *testing.T, nft *knftables.Fake, nodeIPs []string) *nftablesTracer { … } func (tracer *nftablesTracer) addressMatches(ipStr string, wantMatch bool, ruleAddress string) bool { … } func (tracer *nftablesTracer) addressMatchesSet(ipStr string, wantMatch bool, ruleAddress string) bool { … } // matchDestIPOnly checks an "ip daddr" against a set/map, and returns the matching // Element, if found. func (tracer *nftablesTracer) matchDestIPOnly(elements []*knftables.Element, destIP string) *knftables.Element { … } // matchDest checks an "ip daddr . meta l4proto . th dport" against a set/map, and returns // the matching Element, if found. func (tracer *nftablesTracer) matchDest(elements []*knftables.Element, destIP, protocol, destPort string) *knftables.Element { … } // matchDestPort checks an "meta l4proto . th dport" against a set/map, and returns the // matching Element, if found. func (tracer *nftablesTracer) matchDestPort(elements []*knftables.Element, protocol, destPort string) *knftables.Element { … } var destAddrRegexp … var destAddrLookupRegexp … var destAddrLocalRegexp … var destPortRegexp … var destIPOnlyLookupRegexp … var destDispatchRegexp … var destPortDispatchRegexp … var sourceAddrRegexp … var sourceAddrLookupRegexp … var sourceAddrLocalRegexp … var endpointVMAPRegexp … var endpointVMapEntryRegexp … var masqueradeRegexp … var jumpRegexp … var returnRegexp … var verdictRegexp … var dnatRegexp … var ignoredRegexp … // runChain runs the given packet through the rules in the given table and chain, updating // tracer's internal state accordingly. It returns true if it hits a terminal action. func (tracer *nftablesTracer) runChain(chname, sourceIP, protocol, destIP, destPort string) bool { … } // tracePacket determines what would happen to a packet with the given sourceIP, destIP, // and destPort, given the indicated iptables ruleData. nodeIPs are the local node IPs (for // rules matching "local"). (The protocol value should be lowercase as in nftables // rules, not uppercase as in corev1.) // // The return values are: an array of matched rules (for debugging), the final packet // destinations (a comma-separated list of IPs, or one of the special targets "ACCEPT", // "DROP", or "REJECT"), and whether the packet would be masqueraded. func tracePacket(t *testing.T, nft *knftables.Fake, sourceIP, protocol, destIP, destPort string, nodeIPs []string) ([]string, string, bool) { … } type packetFlowTest … func runPacketFlowTests(t *testing.T, line string, nft *knftables.Fake, nodeIPs []string, testCases []packetFlowTest) { … } var testInput … var testExpected … func Test_sortNFTablesTransaction(t *testing.T) { … } func Test_diffNFTablesTransaction(t *testing.T) { … } func Test_diffNFTablesChain(t *testing.T) { … } // This tests tracePacket against static data, just to make sure we match things in the // way we expect to. We need separate tests for ipv4 and ipv6 because knftables.Fake only supports // one address family at a time. // The test data is based on the TestOverallNFTablesRules. func TestTracePacketV4(t *testing.T) { … } // This tests tracePacket against static data, just to make sure we match things in the // way we expect to. We need separate tests for ipv4 and ipv6 because knftables.Fake only supports // one address family at a time. // The test data is based on "basic tests" of TestNodePorts for ipv6. func TestTracePacketV6(t *testing.T) { … }
Codebase Browser
kubernetes