mock iptables in cns and add ut

Author: QxBytes

cns/client/client_test.go

@@ -152,7 +152,7 @@ func TestMain(m *testing.M) {
 	config := common.ServiceConfig{}
 
 	httpRestService, err := restserver.NewHTTPRestService(&config, &fakes.WireserverClientFake{},
-		&fakes.WireserverProxyFake{}, &fakes.NMAgentClientFake{}, nil, nil, nil,
+		&fakes.WireserverProxyFake{}, &restserver.IPtablesProvider{}, &fakes.NMAgentClientFake{}, nil, nil, nil,
 		fakes.NewMockIMDSClient())
 	svc = httpRestService
 	httpRestService.Name = "cns-test-server"

cns/fakes/iptablesfake.go

@@ -0,0 +1,111 @@
+package fakes
+
+import (
+	"errors"
+	"strings"
+
+	"github.com/Azure/azure-container-networking/iptables"
+)
+
+var (
+	errChainExists   = errors.New("chain already exists")
+	errChainNotFound = errors.New("chain not found")
+	errRuleExists    = errors.New("rule already exists")
+)
+
+type IPTablesMock struct {
+	state map[string]map[string][]string
+}
+
+func NewIPTablesMock() *IPTablesMock {
+	return &IPTablesMock{
+		state: make(map[string]map[string][]string),
+	}
+}
+
+type iptablesClient interface {
+	ChainExists(table string, chain string) (bool, error)
+	NewChain(table string, chain string) error
+	Exists(table string, chain string, rulespec ...string) (bool, error)
+	Append(table string, chain string, rulespec ...string) error
+	Insert(table string, chain string, pos int, rulespec ...string) error
+}
+
+func (c *IPTablesMock) ensureTableExists(table string) {
+	_, exists := c.state[table]
+	if !exists {
+		c.state[table] = make(map[string][]string)
+	}
+}
+
+func (c *IPTablesMock) ChainExists(table, chain string) (bool, error) {
+	c.ensureTableExists(table)
+
+	builtins := []string{iptables.Input, iptables.Output, iptables.Prerouting, iptables.Postrouting, iptables.Forward}
+
+	_, exists := c.state[table][chain]
+
+	// these chains always exist
+	for _, val := range builtins {
+		if chain == val && !exists {
+			c.state[table][chain] = []string{}
+			return true, nil
+		}
+	}
+
+	return exists, nil
+}
+
+func (c *IPTablesMock) NewChain(table, chain string) error {
+	c.ensureTableExists(table)
+
+	exists, _ := c.ChainExists(table, chain)
+
+	if exists {
+		return errChainExists
+	}
+
+	c.state[table][chain] = []string{}
+	return nil
+}
+
+func (c *IPTablesMock) Exists(table string, chain string, rulespec ...string) (bool, error) {
+	c.ensureTableExists(table)
+
+	chainExists, _ := c.ChainExists(table, chain)
+	if !chainExists {
+		return false, nil
+	}
+
+	targetRule := strings.Join(rulespec[:], " ")
+	chainRules := c.state[table][chain]
+
+	for _, chainRule := range chainRules {
+		if targetRule == chainRule {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+func (c *IPTablesMock) Append(table string, chain string, rulespec ...string) error {
+	c.ensureTableExists(table)
+
+	chainExists, _ := c.ChainExists(table, chain)
+	if !chainExists {
+		return errChainNotFound
+	}
+
+	ruleExists, _ := c.Exists(table, chain, rulespec...)
+	if ruleExists {
+		return errRuleExists
+	}
+
+	targetRule := strings.Join(rulespec[:], " ")
+	c.state[table][chain] = append(c.state[table][chain], targetRule)
+	return nil
+}
+
+func (c *IPTablesMock) Insert(table string, chain string, _ int, rulespec ...string) error {
+	return c.Append(table, chain, rulespec...)
+}

cns/restserver/api_test.go

@@ -1735,7 +1735,7 @@ func startService(serviceConfig common.ServiceConfig, _ configuration.CNSConfig)
 	config.Store = fileStore
 
 	nmagentClient := &fakes.NMAgentClientFake{}
-	service, err = NewHTTPRestService(&config, &fakes.WireserverClientFake{}, &fakes.WireserverProxyFake{},
+	service, err = NewHTTPRestService(&config, &fakes.WireserverClientFake{}, &fakes.WireserverProxyFake{}, &IPtablesProvider{},
 		nmagentClient, nil, nil, nil, fakes.NewMockIMDSClient())
 	if err != nil {
 		return err

cns/restserver/internalapi_linux.go

@@ -15,6 +15,14 @@ import (
 
 const SWIFT = "SWIFT-POSTROUTING"
 
+type IPtablesProvider struct {
+	iptc iptablesClient
+}
+
+func (c *IPtablesProvider) GetIPTables() (iptablesClient, error) {
+	return goiptables.New()
+}
+
 // nolint
 func (service *HTTPRestService) programSNATRules(req *cns.CreateNetworkContainerRequest) (types.ResponseCode, string) {
 	service.Lock()
@@ -24,7 +32,7 @@ func (service *HTTPRestService) programSNATRules(req *cns.CreateNetworkContainer
 	// in podsubnet case, ncPrimaryIP is the pod subnet's primary ip
 	// in vnet scale case, ncPrimaryIP is the node's ip
 	ncPrimaryIP, _, _ := net.ParseCIDR(req.IPConfiguration.IPSubnet.IPAddress + "/" + fmt.Sprintf("%d", req.IPConfiguration.IPSubnet.PrefixLength))
-	ipt, err := goiptables.New()
+	ipt, err := service.iptables.GetIPTables()
 	if err != nil {
 		return types.UnexpectedError, fmt.Sprintf("[Azure CNS] Error. Failed to create iptables interface : %v", err)
 	}

cns/restserver/internalapi_linux_test.go

@@ -0,0 +1,148 @@
+// Copyright 2020 Microsoft. All rights reserved.
+// MIT License
+
+package restserver
+
+import (
+	"strconv"
+	"testing"
+
+	"github.com/Azure/azure-container-networking/cns"
+	"github.com/Azure/azure-container-networking/cns/fakes"
+	"github.com/Azure/azure-container-networking/cns/types"
+	"github.com/Azure/azure-container-networking/iptables"
+	"github.com/Azure/azure-container-networking/network/networkutils"
+)
+
+type FakeIPTablesProvider struct {
+	iptables *fakes.IPTablesMock
+}
+
+func (c *FakeIPTablesProvider) GetIPTables() (iptablesClient, error) {
+	// persist iptables in testing
+	if c.iptables == nil {
+		c.iptables = fakes.NewIPTablesMock()
+	}
+	return c.iptables, nil
+}
+
+func TestAddSNATRules(t *testing.T) {
+	type expectedScenario struct {
+		table string
+		chain string
+		rule  []string
+	}
+
+	tests := []struct {
+		name     string
+		input    *cns.CreateNetworkContainerRequest
+		expected []expectedScenario
+	}{
+		{
+			// in pod subnet, the primary nic ip is in the same address space as the pod subnet
+			name: "podsubnet",
+			input: &cns.CreateNetworkContainerRequest{
+				NetworkContainerid: ncID,
+				IPConfiguration: cns.IPConfiguration{
+					IPSubnet: cns.IPSubnet{
+						IPAddress:    "240.1.2.1",
+						PrefixLength: 24,
+					},
+				},
+				SecondaryIPConfigs: map[string]cns.SecondaryIPConfig{
+					"abc": {
+						IPAddress: "240.1.2.7",
+					},
+				},
+				HostPrimaryIP: "10.0.0.4",
+			},
+			expected: []expectedScenario{
+				{
+					table: iptables.Nat,
+					chain: SWIFT,
+					rule: []string{
+						"-m", "addrtype", "!", "--dst-type", "local", "-s", "240.1.2.0/24", "-d",
+						networkutils.AzureDNS, "-p", iptables.UDP, "--dport", strconv.Itoa(iptables.DNSPort), "-j", iptables.Snat, "--to", "240.1.2.1",
+					},
+				},
+				{
+					table: iptables.Nat,
+					chain: SWIFT,
+					rule: []string{
+						"-m", "addrtype", "!", "--dst-type", "local", "-s", "240.1.2.0/24", "-d",
+						networkutils.AzureDNS, "-p", iptables.TCP, "--dport", strconv.Itoa(iptables.DNSPort), "-j", iptables.Snat, "--to", "240.1.2.1",
+					},
+				},
+				{
+					table: iptables.Nat,
+					chain: SWIFT,
+					rule: []string{
+						"-m", "addrtype", "!", "--dst-type", "local", "-s", "240.1.2.0/24", "-d",
+						networkutils.AzureIMDS, "-p", iptables.TCP, "--dport", strconv.Itoa(iptables.HTTPPort), "-j", iptables.Snat, "--to", "10.0.0.4",
+					},
+				},
+			},
+		},
+		{
+			// in vnet scale, the primary nic ip becomes the node ip (diff address space from pod subnet)
+			name: "vnet scale",
+			input: &cns.CreateNetworkContainerRequest{
+				NetworkContainerid: ncID,
+				IPConfiguration: cns.IPConfiguration{
+					IPSubnet: cns.IPSubnet{
+						IPAddress:    "10.0.0.4",
+						PrefixLength: 28,
+					},
+				},
+				SecondaryIPConfigs: map[string]cns.SecondaryIPConfig{
+					"abc": {
+						IPAddress: "240.1.2.15",
+					},
+				},
+				HostPrimaryIP: "10.0.0.4",
+			},
+			expected: []expectedScenario{
+				{
+					table: iptables.Nat,
+					chain: SWIFT,
+					rule: []string{
+						"-m", "addrtype", "!", "--dst-type", "local", "-s", "240.1.2.0/28", "-d",
+						networkutils.AzureDNS, "-p", iptables.UDP, "--dport", strconv.Itoa(iptables.DNSPort), "-j", iptables.Snat, "--to", "10.0.0.4",
+					},
+				},
+				{
+					table: iptables.Nat,
+					chain: SWIFT,
+					rule: []string{
+						"-m", "addrtype", "!", "--dst-type", "local", "-s", "240.1.2.0/28", "-d",
+						networkutils.AzureDNS, "-p", iptables.TCP, "--dport", strconv.Itoa(iptables.DNSPort), "-j", iptables.Snat, "--to", "10.0.0.4",
+					},
+				},
+				{
+					table: iptables.Nat,
+					chain: SWIFT,
+					rule: []string{
+						"-m", "addrtype", "!", "--dst-type", "local", "-s", "240.1.2.0/28", "-d",
+						networkutils.AzureIMDS, "-p", iptables.TCP, "--dport", strconv.Itoa(iptables.HTTPPort), "-j", iptables.Snat, "--to", "10.0.0.4",
+					},
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		service := getTestService(cns.KubernetesCRD)
+		service.iptables = &FakeIPTablesProvider{}
+		resp, msg := service.programSNATRules(tt.input)
+		if resp != types.Success {
+			t.Fatal("failed to program snat rules", msg, " case: ", tt.name)
+		}
+		finalState, _ := service.iptables.GetIPTables()
+		for _, ex := range tt.expected {
+			exists, err := finalState.Exists(ex.table, ex.chain, ex.rule...)
+			if err != nil || !exists {
+				t.Fatal("rule not found", ex.rule, " case: ", tt.name)
+			}
+		}
+	}
+}

cns/restserver/internalapi_windows.go

@@ -16,6 +16,14 @@ const (
 	pwshTimeout = 120 * time.Second
 )
 
+var errUnsupportedAPI = errors.New("unsupported api")
+
+type IPtablesProvider struct{}
+
+func (_ *IPtablesProvider) GetIPTables() (iptablesClient, error) {
+	return nil, errUnsupportedAPI
+}
+
 // nolint
 func (service *HTTPRestService) programSNATRules(req *cns.CreateNetworkContainerRequest) (types.ResponseCode, string) {
 	return types.Success, ""

cns/restserver/ipam_test.go

@@ -76,7 +76,7 @@ type ncState struct {
 func getTestService(orchestratorType string) *HTTPRestService {
 	var config common.ServiceConfig
 	httpsvc, _ := NewHTTPRestService(&config, &fakes.WireserverClientFake{}, &fakes.WireserverProxyFake{},
-		&fakes.NMAgentClientFake{}, store.NewMockStore(""), nil, nil,
+		&IPtablesProvider{}, &fakes.NMAgentClientFake{}, store.NewMockStore(""), nil, nil,
 		fakes.NewMockIMDSClient())
 	svc = httpsvc
 	setOrchestratorTypeInternal(orchestratorType)

cns/restserver/restserver.go

@@ -54,11 +54,24 @@ type imdsClient interface {
 	GetVMUniqueID(ctx context.Context) (string, error)
 }
 
+type iptablesClient interface {
+	ChainExists(table string, chain string) (bool, error)
+	NewChain(table string, chain string) error
+	Append(table string, chain string, rulespec ...string) error
+	Exists(table string, chain string, rulespec ...string) (bool, error)
+	Insert(table string, chain string, pos int, rulespec ...string) error
+}
+
+type iptablesGetter interface {
+	GetIPTables() (iptablesClient, error)
+}
+
 // HTTPRestService represents http listener for CNS - Container Networking Service.
 type HTTPRestService struct {
 	*cns.Service
 	dockerClient             *dockerclient.Client
 	wscli                    interfaceGetter
+	iptables                 iptablesGetter
 	nma                      nmagentClient
 	wsproxy                  wireserverProxy
 	homeAzMonitor            *HomeAzMonitor
@@ -167,7 +180,7 @@ type networkInfo struct {
 }
 
 // NewHTTPRestService creates a new HTTP Service object.
-func NewHTTPRestService(config *common.ServiceConfig, wscli interfaceGetter, wsproxy wireserverProxy, nmagentClient nmagentClient,
+func NewHTTPRestService(config *common.ServiceConfig, wscli interfaceGetter, wsproxy wireserverProxy, iptg iptablesGetter, nmagentClient nmagentClient,
 	endpointStateStore store.KeyValueStore, gen CNIConflistGenerator, homeAzMonitor *HomeAzMonitor,
 	imdsClient imdsClient,
 ) (*HTTPRestService, error) {
@@ -214,6 +227,7 @@ func NewHTTPRestService(config *common.ServiceConfig, wscli interfaceGetter, wsp
 		store:                    service.Service.Store,
 		dockerClient:             dc,
 		wscli:                    wscli,
+		iptables:                 iptg,
 		nma:                      nmagentClient,
 		wsproxy:                  wsproxy,
 		networkContainer:         nc,

cns/restserver/v2/server_test.go

@@ -50,8 +50,9 @@ func startService(cnsPort, cnsURL string) error {
 
 	nmagentClient := &fakes.NMAgentClientFake{}
 	service, err := restserver.NewHTTPRestService(&config, &fakes.WireserverClientFake{},
-		&fakes.WireserverProxyFake{}, nmagentClient, nil, nil, nil,
+		&fakes.WireserverProxyFake{}, &restserver.IPtablesProvider{}, nmagentClient, nil, nil, nil,
 		fakes.NewMockIMDSClient())
+
 	if err != nil {
 		return errors.Wrap(err, "Failed to initialize service")
 	}

cns/service/main.go

@@ -747,7 +747,7 @@ func main() {
 	}
 
 	imdsClient := imds.NewClient()
-	httpRemoteRestService, err := restserver.NewHTTPRestService(&config, wsclient, &wsProxy, nmaClient,
+	httpRemoteRestService, err := restserver.NewHTTPRestService(&config, wsclient, &wsProxy, &restserver.IPtablesProvider{}, nmaClient,
 		endpointStateStore, conflistGenerator, homeAzMonitor, imdsClient)
 	if err != nil {
 		logger.Errorf("Failed to create CNS object, err:%v.\n", err)