adds missing case

Author: ncode

pkg/iptables/iptables_manager_test.go

@@ -685,6 +685,44 @@ func TestVerifyRules(t *testing.T) {
 	}
 }
 
+func TestVerifyRules_MissingDefaultActionInDryRun(t *testing.T) {
+	mockIpt := newMockIPTables()
+
+	// Make sure the chain exists
+	chainName := "TEST_CHAIN"
+	mockIpt.chains[chainName] = true
+
+	// Add some rules that are missing the final default lines
+	// (The code expects: -A TEST_CHAIN -j LOG --log-prefix "DROP_<logIdentifier> "
+	//  plus a trailing -A TEST_CHAIN -j ACCEPT)
+	// We'll omit them so the code path returns "default rule not found"
+	mockIpt.rules[chainName] = []string{
+		// Possibly also no user rules at all, or partial user rules, doesn't matter
+		`-A TEST_CHAIN -d 192.168.1.1 -p tcp --dport 80 -j LOG --log-prefix "DROP_TEST123 "`,
+		// or we can just have an empty slice if we want
+	}
+
+	manager := &IPTablesManager{
+		ipt:           mockIpt,
+		mainChainName: "CNI-OUTBOUND",
+		defaultAction: "DROP",
+		logIdentifier: "TEST123",
+		dryRun:        true, // CRUCIAL
+	}
+
+	// No user OutboundRules in this example
+	userRules := []OutboundRule{}
+
+	// Now call VerifyRules, expecting it to fail with "default rule not found"
+	err := manager.VerifyRules(chainName, userRules)
+	if err == nil {
+		t.Fatalf("Expected an error about missing default rule but got nil")
+	}
+	if !strings.Contains(err.Error(), "default rule not found") {
+		t.Errorf("Unexpected error: %v", err)
+	}
+}
+
 func TestVerifyRulesListError(t *testing.T) {
 	mockIpt := newMockIPTables()
 	manager := &IPTablesManager{