add test to check if test case flushes chain

Author: QxBytes

cns/fakes/iptablesfake.go

@@ -13,10 +13,12 @@ var (
 	errChainNotFound = errors.New("chain not found")
 	errRuleExists    = errors.New("rule already exists")
 	errRuleNotFound  = errors.New("rule not found")
+	errIndexBounds   = errors.New("index out of bounds")
 )
 
 type IPTablesMock struct {
-	state map[string]map[string][]string
+	state            map[string]map[string][]string
+	clearChainCalled int
 }
 
 func NewIPTablesMock() *IPTablesMock {
@@ -106,8 +108,10 @@ func (c *IPTablesMock) Insert(table, chain string, pos int, rulespec ...string)
 		index = 0
 	}
 
-	if index >= len(chainRules) {
+	if index == len(chainRules) {
 		c.state[table][chain] = append(chainRules, targetRule)
+	} else if index > len(chainRules) {
+		return errIndexBounds
 	} else {
 		c.state[table][chain] = append(chainRules[:index], append([]string{targetRule}, chainRules[index:]...)...)
 	}
@@ -151,6 +155,7 @@ func (c *IPTablesMock) List(table, chain string) ([]string, error) {
 }
 
 func (c *IPTablesMock) ClearChain(table, chain string) error {
+	c.clearChainCalled++
 	c.ensureTableExists(table)
 
 	chainExists, _ := c.ChainExists(table, chain)
@@ -183,3 +188,7 @@ func (c *IPTablesMock) Delete(table, chain string, rulespec ...string) error {
 
 	return errRuleNotFound
 }
+
+func (c *IPTablesMock) ClearChainCallCount() int {
+	return c.clearChainCalled
+}

cns/restserver/internalapi_linux.go

@@ -72,6 +72,7 @@ func (service *HTTPRestService) programSNATRules(req *cns.CreateNetworkContainer
 	if swiftRuleIndex != -1 {
 		// jump SWIFT rule exists, insert SWIFT-POSTROUTING rule at the same position so it ends up running first
 		// first, remove any existing SWIFT-POSTROUTING rules to avoid duplicates
+		// note: inserting at len(rules) and deleting a jump to SWIFT-POSTROUTING is mutually exclusive
 		swiftPostroutingExists, err := ipt.Exists(iptables.Nat, iptables.Postrouting, "-j", SWIFT)
 		if err != nil {
 			return types.UnexpectedError, fmt.Sprintf("[Azure CNS] Error. Failed to check for existence of SWIFT-POSTROUTING rule: %v", err)

cns/restserver/internalapi_linux_test.go

@@ -40,10 +40,11 @@ func TestAddSNATRules(t *testing.T) {
 	}
 
 	tests := []struct {
-		name             string
-		input            *cns.CreateNetworkContainerRequest
-		preExistingRules []preExistingRule
-		expectedChains   []chainExpectation
+		name                    string
+		input                   *cns.CreateNetworkContainerRequest
+		preExistingRules        []preExistingRule
+		expectedChains          []chainExpectation
+		expectedClearChainCalls int
 	}{
 		{
 			// in pod subnet, the primary nic ip is in the same address space as the pod subnet
@@ -83,6 +84,7 @@ func TestAddSNATRules(t *testing.T) {
 					},
 				},
 			},
+			expectedClearChainCalls: 1,
 		},
 		{
 			// test with pre-existing SWIFT rule that should be migrated
@@ -156,6 +158,7 @@ func TestAddSNATRules(t *testing.T) {
 					},
 				},
 			},
+			expectedClearChainCalls: 1,
 		},
 		{
 			// test after migration has already completed
@@ -238,6 +241,7 @@ func TestAddSNATRules(t *testing.T) {
 					},
 				},
 			},
+			expectedClearChainCalls: 0,
 		},
 		{
 			// in vnet scale, the primary nic ip becomes the node ip (diff address space from pod subnet)
@@ -277,17 +281,16 @@ func TestAddSNATRules(t *testing.T) {
 					},
 				},
 			},
+			expectedClearChainCalls: 1,
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			service := getTestService(cns.KubernetesCRD)
-			service.iptables = &FakeIPTablesProvider{}
-
-			ipt, err := service.iptables.GetIPTables()
-			if err != nil {
-				t.Fatal("failed to get iptables client:", err)
+			ipt := fakes.NewIPTablesMock()
+			service.iptables = &FakeIPTablesProvider{
+				iptables: ipt,
 			}
 
 			// setup pre-existing rules
@@ -296,13 +299,13 @@ func TestAddSNATRules(t *testing.T) {
 					chainExists, _ := ipt.ChainExists(preRule.table, preRule.chain)
 
 					if !chainExists {
-						err = ipt.NewChain(preRule.table, preRule.chain)
+						err := ipt.NewChain(preRule.table, preRule.chain)
 						if err != nil {
 							t.Fatal("failed to setup pre-existing rule chain:", err)
 						}
 					}
 
-					err = ipt.Append(preRule.table, preRule.chain, preRule.rule...)
+					err := ipt.Append(preRule.table, preRule.chain, preRule.rule...)
 					if err != nil {
 						t.Fatal("failed to setup pre-existing rule:", err)
 					}
@@ -333,6 +336,12 @@ func TestAddSNATRules(t *testing.T) {
 					}
 				}
 			}
+
+			// verify ClearChain was called the expected number of times
+			actualClearChainCalls := ipt.ClearChainCallCount()
+			if actualClearChainCalls != tt.expectedClearChainCalls {
+				t.Fatalf("ClearChain call count mismatch: got %d, expected %d", actualClearChainCalls, tt.expectedClearChainCalls)
+			}
 		})
 	}
 }