),
Entry("with multiple destination networks specified",
garden.NetOutRule{Networks: []garden.IPRange{
{Start: net.ParseIP("1.2.3.4")},
{Start: net.ParseIP("2.2.3.4"), End: net.ParseIP("2.2.3.9")},
}},
[]iptables.SingleFilterRule{
{Networks: &garden.IPRange{Start: net.ParseIP("1.2.3.4")}},
{Networks: &garden.IPRange{Start: net.ParseIP("2.2.3.4"), End: net.ParseIP("2.2.3.9")}},
},
),
Entry("with a single port specified",
garden.NetOutRule{
Protocol: garden.ProtocolTCP,
Ports: []garden.PortRange{
garden.PortRangeFromPort(22),
},
},
[]iptables.SingleFilterRule{
{Protocol: garden.ProtocolTCP, Ports: &garden.PortRange{Start: 22, End: 22}},
},
),
Entry("with multiple ports specified",
garden.NetOutRule{
Protocol: garden.ProtocolTCP,
Ports: []garden.PortRange{
garden.PortRangeFromPort(22),
garden.PortRange{Start: 1000, End: 10000},
},
},
[]iptables.SingleFilterRule{
})
JustBeforeEach(func() {
server.AppendHandlers(
ghttp.CombineHandlers(
ghttp.VerifyRequest("POST", fmt.Sprintf("/containers/%s/net/out", handle)),
verifyRequestBody(&rule, &garden.NetOutRule{}),
ghttp.RespondWith(200, "{}")))
})
Context("when a NetOutRule is passed", func() {
BeforeEach(func() {
rule = garden.NetOutRule{
Protocol: garden.ProtocolICMP,
Networks: []garden.IPRange{garden.IPRangeFromIP(net.ParseIP("1.2.3.4"))},
Ports: []garden.PortRange{garden.PortRangeFromPort(2), garden.PortRangeFromPort(4)},
ICMPs: &garden.ICMPControl{Type: 3, Code: garden.ICMPControlCode(3)},
Log: true,
}
})
It("should send the rule over the wire", func() {
Ω(connection.NetOut(handle, rule)).Should(Succeed())
})
})
})
Describe("Listing containers", func() {
BeforeEach(func() {
server.AppendHandlers(
ghttp.CombineHandlers(
// Once we have a good baseline...
//Expect(timed).To(BeNumerically(",", ???))
//Expect(b.Seconds()).To(BeNumerically(",", ???))
}, 20)
})
Measure("BulkNetOut", func(b Benchmarker) {
b.Time("3000 rules", func() {
rules := make([]garden.NetOutRule, 0)
for i := 0; i < 3000; i++ {
rules = append(rules, garden.NetOutRule{
Protocol: garden.ProtocolTCP,
Networks: []garden.IPRange{garden.IPRangeFromIP(net.ParseIP("8.8.8.8"))},
Ports: []garden.PortRange{garden.PortRangeFromPort(uint16(i))},
})
}
container, err := gardenClient.Create(garden.ContainerSpec{})
Expect(err).ToNot(HaveOccurred())
Expect(container.BulkNetOut(rules)).To(Succeed())
Expect(gardenClient.Destroy(container.Handle())).To(Succeed())
})
}, 5)
})
func emitMetric(req interface{}) {
if os.Getenv("DATADOG_API_KEY") == "" {
})
Describe("IPRangeFromIPNet", func() {
It("Creates an IPRange with the Start and End set to the extent of the IPNet", func() {
ip, cidr, err := net.ParseCIDR("1.2.3.0/24")
Ω(err).Should(Succeed())
r := garden.IPRangeFromIPNet(cidr)
Ω(r.Start.String()).Should(Equal(ip.String()))
Ω(r.End.String()).Should(Equal("1.2.3.255"))
})
})
Describe("PortRangeFromPort", func() {
It("Creates an PortRange with the Start and End set to the passed port", func() {
r := garden.PortRangeFromPort(2)
Ω(r.Start).Should(Equal(uint16(2)))
Ω(r.End).Should(Equal(r.Start))
})
})
Describe("ICMPControlCode", func() {
It("returns an ICMPCode with the passed uint8", func() {
var icmpVar *garden.ICMPCode
code := garden.ICMPControlCode(uint8(2))
Ω(code).Should(BeAssignableToTypeOf(icmpVar))
Ω(*code).Should(BeNumerically("==", 2))
})
})
})
Expect(checkConnection(container, "8.8.8.8", 53)).To(MatchError("Request failed. Process exited with code 1"))
Expect(checkConnection(container, "8.8.4.4", 53)).To(MatchError("Request failed. Process exited with code 1"))
})
})
})
Describe("NetOut", func() {
var (
rule garden.NetOutRule
)
BeforeEach(func() {
rule = garden.NetOutRule{
Protocol: garden.ProtocolTCP,
Networks: []garden.IPRange{garden.IPRangeFromIP(net.ParseIP("8.8.8.8"))},
Ports: []garden.PortRange{garden.PortRangeFromPort(53)},
}
})
Context("when an IP within the denied network range is permitted", func() {
BeforeEach(func() {
args = append(args, "--deny-network", "0.0.0.0/0")
})
JustBeforeEach(func() {
Expect(checkConnection(container, "8.8.8.8", 53)).To(MatchError("Request failed. Process exited with code 1"))
})
It("should access internet", func() {
Expect(container.NetOut(rule)).To(Succeed())
Expect(checkConnection(container, "8.8.8.8", 53)).To(Succeed())