fix: handle both nerdctl and docker test targets

Signed-off-by: Alessio Greggi <[email protected]>

Author: alegrey91

cmd/nerdctl/container_kill_linux_test.go

@@ -49,14 +49,30 @@ func TestKillCleanupForwards(t *testing.T) {
 	ipt, err := iptables.New()
 	assert.NilError(t, err)
 
-	cmd := base.Cmd("run", "-d",
+	containerID := base.Cmd("run", "-d",
 		"--restart=no",
 		"--name", testContainerName,
 		"-p", fmt.Sprintf("127.0.0.1:%d:80", hostPort),
-		testutil.NginxAlpineImage)
-	containerID := strings.TrimSpace(cmd.Run().Stdout())
-	assert.Equal(t, iptablesutil.ForwardExists(t, ipt, testutil.Namespace, containerID), true)
+		testutil.NginxAlpineImage).Run().Stdout()
+	containerID = strings.TrimSuffix(containerID, "\n")
+
+	containerIP := base.Cmd("inspect",
+		"-f",
+		"'{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}'",
+		testContainerName).Run().Stdout()
+	containerIP = strings.ReplaceAll(containerIP, "'", "")
+	containerIP = strings.TrimSuffix(containerIP, "\n")
+
+	// define iptables chain name depending on the target (docker/nerdctl)
+	var chain string
+	if testutil.GetTarget() == testutil.Docker {
+		chain = "DOCKER"
+	} else {
+		redirectChain := "CNI-HOSTPORT-DNAT"
+		chain = iptablesutil.GetRedirectedChain(t, ipt, redirectChain, testutil.Namespace, containerID)
+	}
+	assert.Equal(t, iptablesutil.ForwardExists(t, ipt, chain, containerIP, hostPort), true)
 
 	base.Cmd("kill", testContainerName).AssertOK()
-	assert.Equal(t, iptablesutil.ForwardExists(t, ipt, testutil.Namespace, containerID), false)
+	assert.Equal(t, iptablesutil.ForwardExists(t, ipt, chain, containerIP, hostPort), false)
 }

cmd/nerdctl/container_stop_linux_test.go

@@ -108,14 +108,30 @@ func TestStopCleanupForwards(t *testing.T) {
 	ipt, err := iptables.New()
 	assert.NilError(t, err)
 
-	cmd := base.Cmd("run", "-d",
+	containerID := base.Cmd("run", "-d",
 		"--restart=no",
 		"--name", testContainerName,
 		"-p", fmt.Sprintf("127.0.0.1:%d:80", hostPort),
-		testutil.NginxAlpineImage)
-	containerID := strings.TrimSpace(cmd.Run().Stdout())
-	assert.Equal(t, iptablesutil.ForwardExists(t, ipt, testutil.Namespace, containerID), true)
+		testutil.NginxAlpineImage).Run().Stdout()
+	containerID = strings.TrimSuffix(containerID, "\n")
+
+	containerIP := base.Cmd("inspect",
+		"-f",
+		"'{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}'",
+		testContainerName).Run().Stdout()
+	containerIP = strings.ReplaceAll(containerIP, "'", "")
+	containerIP = strings.TrimSuffix(containerIP, "\n")
+
+	// define iptables chain name depending on the target (docker/nerdctl)
+	var chain string
+	if testutil.GetTarget() == testutil.Docker {
+		chain = "DOCKER"
+	} else {
+		redirectChain := "CNI-HOSTPORT-DNAT"
+		chain = iptablesutil.GetRedirectedChain(t, ipt, redirectChain, testutil.Namespace, containerID)
+	}
+	assert.Equal(t, iptablesutil.ForwardExists(t, ipt, chain, containerIP, hostPort), true)
 
 	base.Cmd("stop", testContainerName).AssertOK()
-	assert.Equal(t, iptablesutil.ForwardExists(t, ipt, testutil.Namespace, containerID), false)
+	assert.Equal(t, iptablesutil.ForwardExists(t, ipt, chain, containerIP, hostPort), false)
 }

pkg/testutil/iptables/iptables.go

@@ -17,18 +17,20 @@
 package iptables
 
 import (
+	"fmt"
 	"regexp"
 	"testing"
 
 	"github.com/coreos/go-iptables/iptables"
 )
 
-// forwardExists check that at least 2 rules are present in the CNI-HOSTPORT-DNAT chain
+// ForwardExists check that at least 2 rules are present in the CNI-HOSTPORT-DNAT chain
 // and checks for regex matches in the list of rules
-func ForwardExists(t *testing.T, ipt *iptables.IPTables, namespace, containerID string) bool {
-	rules, err := ipt.List("nat", "CNI-HOSTPORT-DNAT")
+func ForwardExists(t *testing.T, ipt *iptables.IPTables, chain, containerIP string, port int) bool {
+	rules, err := ipt.List("nat", chain)
 	if err != nil {
 		t.Logf("error listing rules in chain: %q\n", err)
+		return false
 	}
 
 	if len(rules) < 1 {
@@ -39,8 +41,9 @@ func ForwardExists(t *testing.T, ipt *iptables.IPTables, namespace, containerID
 	// here we check if at least one of the rules in the chain
 	// matches the required string to identify that the rule was applied
 	found := false
+	matchRule := `--dport ` + fmt.Sprintf("%d", port) + ` .+ --to-destination ` + containerIP
 	for _, rule := range rules {
-		foundInRule, err := regexp.MatchString(namespace+"-"+containerID, rule)
+		foundInRule, err := regexp.MatchString(matchRule, rule)
 		if err != nil {
 			t.Logf("error in match string: %q\n", err)
 			return false
@@ -51,3 +54,46 @@ func ForwardExists(t *testing.T, ipt *iptables.IPTables, namespace, containerID
 	}
 	return found
 }
+
+// GetRedirectedChain returns the chain where the traffic is being redirected.
+// This is how libcni manage its port maps.
+// Suppose you have the following rule:
+// -A CNI-HOSTPORT-DNAT -p tcp -m comment --comment "dnat name: \"bridge\" id: \"default-YYYYYY\"" -m multiport --dports 9999 -j CNI-DN-XXXXXX
+// So the chain where the traffic is redirected is CNI-DN-XXXXXX
+// Returns an empty string in case nothing was found.
+func GetRedirectedChain(t *testing.T, ipt *iptables.IPTables, chain, namespace, containerID string) string {
+	rules, err := ipt.List("nat", chain)
+	if err != nil {
+		t.Logf("error listing rules in chain: %q\n", err)
+		return ""
+	}
+
+	if len(rules) < 1 {
+		t.Logf("not enough rules: %d", len(rules))
+		return ""
+	}
+
+	var redirectedChain string
+	re := regexp.MustCompile(`-j\s+([^ ]+)`)
+	for _, rule := range rules {
+		// first we verify the comment section is present: "dnat name: \"bridge\" id: \"default-YYYYYY\""
+		matchesContainer, err := regexp.MatchString(namespace+"-"+containerID, rule)
+		if err != nil {
+			t.Logf("error in match string: %q\n", err)
+			return ""
+		}
+		if matchesContainer {
+			// then we find the appropriate chain in the rule
+			matches := re.FindStringSubmatch(rule)
+			fmt.Println(matches)
+			if len(matches) >= 2 {
+				redirectedChain = matches[1]
+			}
+		}
+	}
+	if redirectedChain == "" {
+		t.Logf("no redirectced chain found")
+		return ""
+	}
+	return redirectedChain
+}