kubernetesk8s.io/kubernetes/pkg/util/iptables/testing Index | Files

package testing

import "k8s.io/kubernetes/pkg/util/iptables/testing"

Index

Types

type Chain 

type Chain struct {
	Name    iptables.Chain
	Packets uint64
	Bytes   uint64
	Rules   []*Rule

	// Deleted is set if the input contained a "-X Name" line; this would never
	// appear in iptables-save output but it could appear in iptables-restore *input*.
	Deleted bool
}

Chain represents an IPTables chain

type FakeIPTables 

type FakeIPTables struct {
	Dump *IPTablesDump
	// contains filtered or unexported fields
}

FakeIPTables is no-op implementation of iptables Interface.

func NewFake 

func NewFake() *FakeIPTables

NewFake returns a no-op iptables.Interface

func NewIPv6Fake 

func NewIPv6Fake() *FakeIPTables

NewIPv6Fake returns a no-op iptables.Interface with IsIPv6() == true

func (*FakeIPTables) ChainExists 

func (f *FakeIPTables) ChainExists(table iptables.Table, chain iptables.Chain) (bool, error)

ChainExists is part of iptables.Interface

func (*FakeIPTables) DeleteChain 

func (f *FakeIPTables) DeleteChain(table iptables.Table, chain iptables.Chain) error

DeleteChain is part of iptables.Interface

func (*FakeIPTables) DeleteRule 

func (f *FakeIPTables) DeleteRule(table iptables.Table, chain iptables.Chain, args ...string) error

DeleteRule is part of iptables.Interface

func (*FakeIPTables) EnsureChain 

func (f *FakeIPTables) EnsureChain(table iptables.Table, chain iptables.Chain) (bool, error)

EnsureChain is part of iptables.Interface

func (*FakeIPTables) EnsureRule 

func (f *FakeIPTables) EnsureRule(position iptables.RulePosition, table iptables.Table, chain iptables.Chain, args ...string) (bool, error)

EnsureRule is part of iptables.Interface

func (*FakeIPTables) FlushChain 

func (f *FakeIPTables) FlushChain(table iptables.Table, chain iptables.Chain) error

FlushChain is part of iptables.Interface

func (*FakeIPTables) HasRandomFully 

func (f *FakeIPTables) HasRandomFully() bool

HasRandomFully is part of iptables.Interface

func (*FakeIPTables) IsIPv6 

func (f *FakeIPTables) IsIPv6() bool

IsIPv6 is part of iptables.Interface

func (*FakeIPTables) Monitor 

func (f *FakeIPTables) Monitor(canary iptables.Chain, tables []iptables.Table, reloadFunc func(), interval time.Duration, stopCh <-chan struct{})

Monitor is part of iptables.Interface

func (*FakeIPTables) Present 

func (f *FakeIPTables) Present() bool

func (*FakeIPTables) Protocol 

func (f *FakeIPTables) Protocol() iptables.Protocol

Protocol is part of iptables.Interface

func (*FakeIPTables) Restore 

func (f *FakeIPTables) Restore(table iptables.Table, data []byte, flush iptables.FlushFlag, counters iptables.RestoreCountersFlag) error

Restore is part of iptables.Interface

func (*FakeIPTables) RestoreAll 

func (f *FakeIPTables) RestoreAll(data []byte, flush iptables.FlushFlag, counters iptables.RestoreCountersFlag) error

RestoreAll is part of iptables.Interface

func (*FakeIPTables) SaveInto 

func (f *FakeIPTables) SaveInto(table iptables.Table, buffer *bytes.Buffer) error

SaveInto is part of iptables.Interface

func (*FakeIPTables) SetHasRandomFully 

func (f *FakeIPTables) SetHasRandomFully(can bool) *FakeIPTables

SetHasRandomFully sets f's return value for HasRandomFully()

type IPTablesDump 

type IPTablesDump struct {
	Tables []Table
}

IPTablesDump represents a parsed IPTables rules dump (ie, the output of "iptables-save" or input to "iptables-restore")

func ParseIPTablesDump 

func ParseIPTablesDump(data string) (*IPTablesDump, error)

ParseIPTablesDump parses an IPTables rules dump. Note: this may ignore some bad data.

func (*IPTablesDump) GetChain 

func (dump *IPTablesDump) GetChain(table iptables.Table, chain iptables.Chain) (*Chain, error)

func (*IPTablesDump) GetTable 

func (dump *IPTablesDump) GetTable(table iptables.Table) (*Table, error)

func (*IPTablesDump) String 

func (dump *IPTablesDump) String() string

type IPTablesValue 

type IPTablesValue struct {
	Negated bool
	Value   string
}

IPTablesValue is a value of a parameter in an Rule, where the parameter is possibly negated.

func (*IPTablesValue) Matches 

func (v *IPTablesValue) Matches(cmp string) bool

Matches returns true if cmp equals / doesn't equal v.Value (depending on v.Negated).

func (*IPTablesValue) String 

func (v *IPTablesValue) String() string

for debugging; otherwise %v will just print the pointer value

type Rule 

type Rule struct {
	// Raw contains the original raw rule string
	Raw string

	Chain   iptables.Chain `param:"-A"`
	Comment *IPTablesValue `param:"--comment"`

	Protocol *IPTablesValue `param:"-p" negatable:"true"`

	SourceAddress *IPTablesValue `param:"-s" negatable:"true"`
	SourceType    *IPTablesValue `param:"--src-type" negatable:"true"`
	SourcePort    *IPTablesValue `param:"--sport" negatable:"true"`

	DestinationAddress *IPTablesValue `param:"-d" negatable:"true"`
	DestinationType    *IPTablesValue `param:"--dst-type" negatable:"true"`
	DestinationPort    *IPTablesValue `param:"--dport" negatable:"true"`

	MatchSet *IPTablesValue `param:"--match-set" negatable:"true"`

	Jump            *IPTablesValue `param:"-j"`
	RandomFully     *bool          `param:"--random-fully"`
	Probability     *IPTablesValue `param:"--probability"`
	DNATDestination *IPTablesValue `param:"--to-destination"`

	// We don't actually use the values of these, but we care if they are present
	AffinityCheck *bool          `param:"--rcheck" negatable:"true"`
	MarkCheck     *IPTablesValue `param:"--mark" negatable:"true"`
	CTStateCheck  *IPTablesValue `param:"--ctstate" negatable:"true"`

	// We don't currently care about any of these in the unit tests, but we expect
	// them to be present in some rules that we parse, so we define how to parse them.
	AffinityName    *IPTablesValue `param:"--name"`
	AffinitySeconds *IPTablesValue `param:"--seconds"`
	AffinitySet     *bool          `param:"--set" negatable:"true"`
	AffinityReap    *bool          `param:"--reap"`
	StatisticMode   *IPTablesValue `param:"--mode"`
}

Rule represents a single parsed IPTables rule. (This currently covers all of the rule types that we actually use in pkg/proxy/iptables or pkg/proxy/ipvs.)

The parsing is mostly-automated based on type reflection. The `param` tag on a field indicates the parameter whose value will be placed into that field. (The code assumes that we don't use both the short and long forms of any parameter names (eg, "-s" vs "--source"), which is currently true, but it could be extended if necessary.) The `negatable` tag indicates if a parameter is allowed to be preceded by "!".

Parameters that take a value are stored as type `*IPTablesValue`, which encapsulates a string value and whether the rule was negated (ie, whether the rule requires that we *match* or *don't match* that value). But string-valued parameters that can't be negated use `IPTablesValue` rather than `string` too, just for API consistency.

Parameters that don't take a value are stored as `*bool`, where the value is `nil` if the parameter was not present, `&true` if the parameter was present, or `&false` if the parameter was present but negated.

Parsing skips over "-m MODULE" parameters because most parameters have unique names anyway even ignoring the module name, and in the cases where they don't (eg "-m tcp --sport" vs "-m udp --sport") the parameters are mutually-exclusive and it's more convenient to store them in the same struct field anyway.

func ParseRule 

func ParseRule(rule string, strict bool) (*Rule, error)

ParseRule parses rule. If strict is false, it will parse the recognized parameters and ignore unrecognized ones. If it is true, parsing will fail if there are unrecognized parameters.

type Table 

type Table struct {
	Name   iptables.Table
	Chains []Chain
}

Table represents an IPTables table

Source Files

doc.go fake.go parse.go

Version
v1.33.0 (latest)
Published
Apr 23, 2025
Platform
linux/amd64
Imports
9 packages
Last checked
3 hours ago

Tools for package owners.