func securityGroupRuleToNetOutRule(securityRule *models.SecurityGroupRule) (garden.NetOutRule, error) {
var protocol garden.Protocol
var portRanges []garden.PortRange
var networks []garden.IPRange
var icmp *garden.ICMPControl
switch securityRule.Protocol {
case models.TCPProtocol:
protocol = garden.ProtocolTCP
case models.UDPProtocol:
protocol = garden.ProtocolUDP
case models.ICMPProtocol:
protocol = garden.ProtocolICMP
icmp = &garden.ICMPControl{
Type: garden.ICMPType(securityRule.IcmpInfo.Type),
Code: garden.ICMPControlCode(uint8(securityRule.IcmpInfo.Code)),
}
case models.AllProtocol:
protocol = garden.ProtocolAll
}
if securityRule.PortRange != nil {
portRanges = append(portRanges, garden.PortRange{Start: uint16(securityRule.PortRange.Start), End: uint16(securityRule.PortRange.End)})
} else if securityRule.Ports != nil {
for _, port := range securityRule.Ports {
portRanges = append(portRanges, garden.PortRangeFromPort(uint16(port)))
}
}
for _, dest := range securityRule.Destinations {
ipRange, err := toIPRange(dest)
if err != nil {
return garden.NetOutRule{}, err
}
networks = append(networks, ipRange)
}
netOutRule := garden.NetOutRule{
Protocol: protocol,
Networks: networks,
Ports: portRanges,
ICMPs: icmp,
Log: securityRule.Log,
}
return netOutRule, nil
}
JustBeforeEach(func() {
server.AppendHandlers(
ghttp.CombineHandlers(
ghttp.VerifyRequest("POST", fmt.Sprintf("/containers/%s/net/out", handle)),
verifyRequestBody(&rule, &garden.NetOutRule{}),
ghttp.RespondWith(200, "{}")))
})
Context("when a NetOutRule is passed", func() {
BeforeEach(func() {
rule = garden.NetOutRule{
Protocol: garden.ProtocolICMP,
Networks: []garden.IPRange{garden.IPRangeFromIP(net.ParseIP("1.2.3.4"))},
Ports: []garden.PortRange{garden.PortRangeFromPort(2), garden.PortRangeFromPort(4)},
ICMPs: &garden.ICMPControl{Type: 3, Code: garden.ICMPControlCode(3)},
Log: true,
}
})
It("should send the rule over the wire", func() {
Ω(connection.NetOut(handle, rule)).Should(Succeed())
})
})
})
Describe("Listing containers", func() {
BeforeEach(func() {
server.AppendHandlers(
ghttp.CombineHandlers(
ghttp.VerifyRequest("GET", "/containers", "foo=bar"),
})
Describe("IPRangeFromIPNet", func() {
It("Creates an IPRange with the Start and End set to the extent of the IPNet", func() {
ip, cidr, err := net.ParseCIDR("1.2.3.0/24")
Ω(err).Should(Succeed())
r := garden.IPRangeFromIPNet(cidr)
Ω(r.Start.String()).Should(Equal(ip.String()))
Ω(r.End.String()).Should(Equal("1.2.3.255"))
})
})
Describe("PortRangeFromPort", func() {
It("Creates an PortRange with the Start and End set to the passed port", func() {
r := garden.PortRangeFromPort(2)
Ω(r.Start).Should(Equal(uint16(2)))
Ω(r.End).Should(Equal(r.Start))
})
})
Describe("ICMPControlCode", func() {
It("returns an ICMPCode with the passed uint8", func() {
var icmpVar *garden.ICMPCode
code := garden.ICMPControlCode(uint8(2))
Ω(code).Should(BeAssignableToTypeOf(icmpVar))
Ω(*code).Should(BeNumerically("==", 2))
})
})
})
})).To(Succeed())
Expect(fakeRunner).To(HaveExecutedSerially(fake_command_runner.CommandSpec{
Path: "/sbin/iptables",
Args: []string{"-w", "-I", "foo-bar-baz", "1", "--protocol", "icmp", "--icmp-type", "99", "--jump", "RETURN"},
}))
})
})
Context("when icmp type and code are specified", func() {
It("passes icmp protcol type and code to iptables", func() {
Expect(subject.PrependFilterRule(garden.NetOutRule{
Protocol: garden.ProtocolICMP,
ICMPs: &garden.ICMPControl{
Type: 99,
Code: garden.ICMPControlCode(11),
},
})).To(Succeed())
Expect(fakeRunner).To(HaveExecutedSerially(fake_command_runner.CommandSpec{
Path: "/sbin/iptables",
Args: []string{"-w", "-I", "foo-bar-baz", "1", "--protocol", "icmp", "--icmp-type", "99/11", "--jump", "RETURN"},
}))
})
})
})
})
Describe("Log", func() {
It("redirects via the log chain if log is specified", func() {
Expect(subject.PrependFilterRule(garden.NetOutRule{
container *linux_container.LinuxContainer
fakePortPool *fake_port_pool.FakePortPool
fakeProcessTracker *fake_process_tracker.FakeProcessTracker
fakeFilter *networkFakes.FakeFilter
fakeOomWatcher *fake_watcher.FakeWatcher
containerDir string
containerProps map[string]string
containerVersion semver.Version
fakeIPTablesManager *fake_iptables_manager.FakeIPTablesManager
)
netOutRule1 := garden.NetOutRule{
Protocol: garden.ProtocolUDP,
Networks: []garden.IPRange{garden.IPRangeFromIP(net.ParseIP("1.2.3.4"))},
Ports: []garden.PortRange{{Start: 12, End: 24}},
ICMPs: &garden.ICMPControl{Type: 3, Code: garden.ICMPControlCode(12)},
Log: true,
}
netOutRule2 := garden.NetOutRule{
Protocol: garden.ProtocolTCP,
Networks: []garden.IPRange{garden.IPRangeFromIP(net.ParseIP("1.2.5.4"))},
Ports: []garden.PortRange{{Start: 13, End: 34}},
ICMPs: &garden.ICMPControl{Type: 3, Code: garden.ICMPControlCode(5)},
Log: false,
}
BeforeEach(func() {
fakeRunner = fake_command_runner.New()
fakeCgroups = fake_cgroups_manager.New("/cgroups", "some-id")