use a constance for the filter table and re-organize tests

Author: ncode

pkg/iptables/iptables_manager.go

@@ -83,21 +83,21 @@ func NewIPTablesManager(mainChainName, defaultAction, logIdentifier string, dryR
 
 // EnsureMainChainExists creates the main chain if it doesn't exist and inserts a jump in CNI-FORWARD.
 func (m *IPTablesManager) EnsureMainChainExists() error {
-	exists, err := m.ipt.ChainExists("filter", m.mainChainName)
+	exists, err := m.ipt.ChainExists(table, m.mainChainName)
 	if err != nil {
 		return fmt.Errorf("failed to check main chain existence: %v", err)
 	}
 	if !exists {
-		if err := m.ipt.NewChain("filter", m.mainChainName); err != nil {
+		if err := m.ipt.NewChain(table, m.mainChainName); err != nil {
 			return fmt.Errorf("failed to create main chain: %v", err)
 		}
 	}
 
 	// Remove any previous jump rule (just in case)
-	_ = m.ipt.Delete("filter", "CNI-FORWARD", "-j", m.mainChainName)
+	_ = m.ipt.Delete(table, "CNI-FORWARD", "-j", m.mainChainName)
 
 	// Insert jump to the main chain at the top of CNI-FORWARD.
-	if err := m.ipt.Insert("filter", "CNI-FORWARD", 1, "-j", m.mainChainName); err != nil {
+	if err := m.ipt.Insert(table, "CNI-FORWARD", 1, "-j", m.mainChainName); err != nil {
 		return fmt.Errorf("failed to add jump to main chain in CNI-FORWARD: %v", err)
 	}
 	return nil
@@ -127,19 +127,19 @@ func (m *IPTablesManager) buildDefaultActionSpecs() [][]string {
 
 // CreateContainerChain makes a new chain for a specific container and sets up default rules.
 func (m *IPTablesManager) CreateContainerChain(containerChain string) error {
-	if err := m.ipt.NewChain("filter", containerChain); err != nil {
+	if err := m.ipt.NewChain(table, containerChain); err != nil {
 		return fmt.Errorf("failed to create container chain: %v", err)
 	}
 
 	// Accept related and established connections first
-	if err := m.ipt.Append("filter", containerChain,
+	if err := m.ipt.Append(table, containerChain,
 		"-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"); err != nil {
 		return fmt.Errorf("failed to add RELATED,ESTABLISHED rule: %v", err)
 	}
 
 	// Now append the default action rule(s)
 	for _, spec := range m.buildDefaultActionSpecs() {
-		if err := m.ipt.Append("filter", containerChain, spec...); err != nil {
+		if err := m.ipt.Append(table, containerChain, spec...); err != nil {
 			return fmt.Errorf("failed to set default action for container chain: %v", err)
 		}
 	}
@@ -182,7 +182,7 @@ func (m *IPTablesManager) AddRule(chainName string, rule OutboundRule) error {
 
 	// Insert each spec at position 1 in reverse order so they appear in the chain in the correct sequence
 	for i := len(ruleSpecs) - 1; i >= 0; i-- {
-		if err := m.ipt.Insert("filter", chainName, 1, ruleSpecs[i]...); err != nil {
+		if err := m.ipt.Insert(table, chainName, 1, ruleSpecs[i]...); err != nil {
 			return fmt.Errorf("failed to add rule: %v", err)
 		}
 	}
@@ -191,20 +191,20 @@ func (m *IPTablesManager) AddRule(chainName string, rule OutboundRule) error {
 
 // AddJumpRule appends a jump from the main chain to the container chain for the given source IP.
 func (m *IPTablesManager) AddJumpRule(sourceIP, targetChain string) error {
-	return m.ipt.Append("filter", m.mainChainName, "-s", sourceIP, "-j", targetChain)
+	return m.ipt.Append(table, m.mainChainName, "-s", sourceIP, "-j", targetChain)
 }
 
 // RemoveJumpRule deletes a jump rule referencing the targetChain for the given source IP.
 func (m *IPTablesManager) RemoveJumpRule(sourceIP, targetChain string) error {
-	if err := m.ipt.Delete("filter", m.mainChainName, "-s", sourceIP, "-j", targetChain); err != nil {
+	if err := m.ipt.Delete(table, m.mainChainName, "-s", sourceIP, "-j", targetChain); err != nil {
 		return fmt.Errorf("failed to remove jump rule: %v", err)
 	}
 	return nil
 }
 
 // RemoveJumpRuleByTargetChain does a more robust token-based matching to avoid partial strings.
 func (m *IPTablesManager) RemoveJumpRuleByTargetChain(targetChain string) error {
-	rules, err := m.ipt.List("filter", m.mainChainName)
+	rules, err := m.ipt.List(table, m.mainChainName)
 	if err != nil {
 		return fmt.Errorf("failed to list rules in main chain: %v", err)
 	}
@@ -218,7 +218,7 @@ func (m *IPTablesManager) RemoveJumpRuleByTargetChain(targetChain string) error
 				// Found the rule referencing the targetChain
 				// We also skip the first two tokens ("-A" <chainname>) when calling Delete
 				toDelete := tokens[2:]
-				if err := m.ipt.Delete("filter", m.mainChainName, toDelete...); err != nil {
+				if err := m.ipt.Delete(table, m.mainChainName, toDelete...); err != nil {
 					return fmt.Errorf("failed to remove jump rule: %v", err)
 				}
 				return nil
@@ -231,23 +231,23 @@ func (m *IPTablesManager) RemoveJumpRuleByTargetChain(targetChain string) error
 
 // ClearAndDeleteChain first clears all rules from the chain, then deletes it.
 func (m *IPTablesManager) ClearAndDeleteChain(chainName string) error {
-	if err := m.ipt.ClearChain("filter", chainName); err != nil {
+	if err := m.ipt.ClearChain(table, chainName); err != nil {
 		return fmt.Errorf("failed to clear chain %s: %v", chainName, err)
 	}
-	if err := m.ipt.DeleteChain("filter", chainName); err != nil {
+	if err := m.ipt.DeleteChain(table, chainName); err != nil {
 		return fmt.Errorf("failed to delete chain %s: %v", chainName, err)
 	}
 	return nil
 }
 
 // ChainExists checks whether the chain is present.
 func (m *IPTablesManager) ChainExists(chainName string) (bool, error) {
-	return m.ipt.ChainExists("filter", chainName)
+	return m.ipt.ChainExists(table, chainName)
 }
 
 // VerifyRules verifies that each of the plugin's rules (and default actions) exist in iptables.
 func (m *IPTablesManager) VerifyRules(chainName string, rules []OutboundRule) error {
-	existingRules, err := m.ipt.List("filter", chainName)
+	existingRules, err := m.ipt.List(table, chainName)
 	if err != nil {
 		return err
 	}