feat: add nftables object monitor functions and unit tests
This commit is contained in:
singchia
parent
fe6369b3cd
commit
46100e8684
|
|
@ -0,0 +1,117 @@
|
|||
package nftables_test
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net"
|
||||
"sync"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/google/nftables"
|
||||
"github.com/google/nftables/expr"
|
||||
"github.com/google/nftables/internal/nftest"
|
||||
)
|
||||
|
||||
func TestMonitor(t *testing.T) {
|
||||
|
||||
// Create a new network namespace to test these operations,
|
||||
// and tear down the namespace at test completion.
|
||||
c, newNS := nftest.OpenSystemConn(t, *enableSysTests)
|
||||
defer nftest.CleanupSystemConn(t, newNS)
|
||||
// Clear all rules at the beginning + end of the test.
|
||||
c.FlushRuleset()
|
||||
defer c.FlushRuleset()
|
||||
|
||||
// default to monitor all
|
||||
monitor := nftables.NewMonitor()
|
||||
events, err := c.AddMonitor(monitor)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
var gotTable *nftables.Table
|
||||
var gotChain *nftables.Chain
|
||||
var gotRule *nftables.Rule
|
||||
wg := sync.WaitGroup{}
|
||||
wg.Add(1)
|
||||
go func() {
|
||||
defer wg.Done()
|
||||
for {
|
||||
select {
|
||||
case event, ok := <-events:
|
||||
if !ok {
|
||||
return
|
||||
}
|
||||
if event.Error != nil {
|
||||
err = fmt.Errorf("monitor err: %s", event.Error)
|
||||
return
|
||||
}
|
||||
switch event.Type {
|
||||
case nftables.EventTypeNewTable:
|
||||
gotTable = event.Data.(*nftables.Table)
|
||||
case nftables.EventTypeNewChain:
|
||||
gotChain = event.Data.(*nftables.Chain)
|
||||
case nftables.EventTypeNewRule:
|
||||
gotRule = event.Data.(*nftables.Rule)
|
||||
}
|
||||
}
|
||||
}
|
||||
}()
|
||||
|
||||
nat := c.AddTable(&nftables.Table{
|
||||
Family: nftables.TableFamilyIPv4,
|
||||
Name: "nat",
|
||||
})
|
||||
|
||||
postrouting := c.AddChain(&nftables.Chain{
|
||||
Name: "postrouting",
|
||||
Hooknum: nftables.ChainHookPostrouting,
|
||||
Priority: nftables.ChainPriorityNATSource,
|
||||
Table: nat,
|
||||
Type: nftables.ChainTypeNAT,
|
||||
})
|
||||
|
||||
rule := c.AddRule(&nftables.Rule{
|
||||
Table: nat,
|
||||
Chain: postrouting,
|
||||
Exprs: []expr.Any{
|
||||
// payload load 4b @ network header + 12 => reg 1
|
||||
&expr.Payload{
|
||||
DestRegister: 1,
|
||||
Base: expr.PayloadBaseNetworkHeader,
|
||||
Offset: 12,
|
||||
Len: 4,
|
||||
},
|
||||
// cmp eq reg 1 0x0245a8c0
|
||||
&expr.Cmp{
|
||||
Op: expr.CmpOpEq,
|
||||
Register: 1,
|
||||
Data: net.ParseIP("192.168.69.2").To4(),
|
||||
},
|
||||
|
||||
// masq
|
||||
&expr.Masq{},
|
||||
},
|
||||
})
|
||||
|
||||
if err := c.Flush(); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
// It takes time for the kernel to take effect
|
||||
time.Sleep(time.Second)
|
||||
monitor.Close()
|
||||
wg.Wait()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if gotTable.Family != nat.Family || gotTable.Name != nat.Name {
|
||||
t.Fatal("no want table", gotTable.Family, gotTable.Name)
|
||||
}
|
||||
if gotChain.Type != postrouting.Type || gotChain.Name != postrouting.Name ||
|
||||
*gotChain.Hooknum != *postrouting.Hooknum {
|
||||
t.Fatal("no want chain", gotChain.Type, gotChain.Name, gotChain.Hooknum)
|
||||
}
|
||||
if len(gotRule.Exprs) != len(rule.Exprs) {
|
||||
t.Fatal("no want rule")
|
||||
}
|
||||
}
|
||||
Loading…
Reference in New Issue