test: fix integration tests for ICMP egress

Fix integration tests for ICMP egresss. The test now listens for raw ICMP packets originating from the Gateway and thus needs to be run as root. By default, the test is skipped. The test can be run by specifying the env var RUN_ICMP_TEST. A Makeile target, `test.icmp.integration` has been added to make this straightforward. Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
kubernetes-sigs · Dec 26, 2023 · d4c355e · d4c355e
1 parent 11aae3b
commit d4c355e
Show file tree

Hide file tree

Showing 4 changed files with 91 additions and 20 deletions.
diff --git a/Makefile b/Makefile
@@ -136,6 +136,19 @@ test.integration: manifests generate fmt vet
 	BLIXT_UDP_SERVER_IMAGE=$(BLIXT_UDP_SERVER_IMAGE):$(TAG) \
 	GOFLAGS="-tags=integration_tests" go test -race -v ./test/integration/...
 
+test.icmp.integration:
+	go clean -testcache
+	# This needs to run as sudo as the test involves listening for raw ICMP packets, which
+	# requires you to be root.
+	sudo env PATH=$(PATH) \
+	DOCKER_API_VERSION=1.41 \
+	BLIXT_TEST_KEEP_CLUSTER=true \
+	BLIXT_CONTROLPLANE_IMAGE=$(BLIXT_CONTROLPLANE_IMAGE):$(TAG) \
+	BLIXT_DATAPLANE_IMAGE=$(BLIXT_DATAPLANE_IMAGE):$(TAG) \
+	BLIXT_UDP_SERVER_IMAGE=$(BLIXT_UDP_SERVER_IMAGE):$(TAG) \
+	RUN_ICMP_TEST=true \
+	go test --tags=integration_tests -run "TestUDPRouteNoReach" -race -v ./test/integration/...
+
 .PHONY: test.performance
 test.performance: manifests generate fmt vet
 	go clean -testcache

diff --git a/go.mod b/go.mod
@@ -10,6 +10,8 @@ require (
 	github.com/onsi/ginkgo/v2 v2.13.2
 	github.com/onsi/gomega v1.30.0
 	github.com/stretchr/testify v1.8.4
+	github.com/vishvananda/netlink v1.1.0
+	golang.org/x/net v0.19.0
 	google.golang.org/grpc v1.60.0
 	google.golang.org/protobuf v1.31.0
 	k8s.io/api v0.29.0
@@ -72,18 +74,18 @@ require (
 	github.com/prometheus/procfs v0.11.1 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df // indirect
 	github.com/xlab/treeprint v1.2.0 // indirect
 	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.25.0 // indirect
 	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
 	golang.org/x/mod v0.13.0 // indirect
-	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/oauth2 v0.13.0 // indirect
 	golang.org/x/sync v0.4.0 // indirect
-	golang.org/x/sys v0.14.0 // indirect
-	golang.org/x/term v0.13.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/term v0.15.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/tools v0.14.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect

diff --git a/go.sum b/go.sum
@@ -201,6 +201,10 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/vishvananda/netlink v1.1.0 h1:1iyaYNBLmP6L0220aDnYQpo1QEV4t4hJ+xEEhhJH8j0=
+github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
+github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df h1:OviZH7qLw/7ZovXvuNyL3XQl8UFofeikI1NW1Gypu7k=
+github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
 github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ=
 github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -247,8 +251,8 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
-golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
+golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.13.0 h1:jDDenyj+WgFtmV3zYVoi8aE2BwtXFLWOA67ZfNWftiY=
 golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0=
@@ -265,6 +269,7 @@ golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -275,19 +280,19 @@ golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q=
-golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
-golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

diff --git a/test/integration/udproute_test.go b/test/integration/udproute_test.go
@@ -33,6 +33,8 @@ import (
 	"github.com/google/uuid"
 	"github.com/kong/kubernetes-testing-framework/pkg/clusters"
 	"github.com/stretchr/testify/require"
+	"github.com/vishvananda/netlink"
+	"golang.org/x/net/icmp"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	gatewayv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
@@ -216,8 +218,8 @@ func sendUDPPacket(t *testing.T, msg, gwaddr string) int {
 	t.Helper()
 
 	conn, err := net.Dial("udp", gwaddr)
-	defer conn.Close()
 	require.NoError(t, err)
+	defer conn.Close()
 
 	bytesWritten, err := conn.Write([]byte(msg))
 	require.NoError(t, err)
@@ -233,7 +235,9 @@ func sendUDPPacket(t *testing.T, msg, gwaddr string) int {
 }
 
 func TestUDPRouteNoReach(t *testing.T) {
-	t.Skip("TODO: temporarily skipped due to instability, see https://github.com/kubernetes-sigs/blixt/issues/104")
+	if os.Getenv("RUN_ICMP_TEST") == "" {
+		t.Skip("skipping ICMP integration test")
+	}
 
 	udpRouteNoReachCleanupKey := "udproutenoreach"
 	defer func() {
@@ -269,6 +273,20 @@ func TestUDPRouteNoReach(t *testing.T) {
 		return server.Status.AvailableReplicas > 0
 	}, time.Minute, time.Second)
 
+	// start listening for ICMP packets originating from the cluster
+	gwHost := strings.Split(gwaddr, ":")[0]
+	ip := net.ParseIP(gwHost)
+	routes, err := netlink.RouteGet(ip)
+	require.NoError(t, err)
+	require.Len(t, routes, 1)
+
+	msgs := make(chan icmp.Message, 2)
+	errs := make(chan error, 1)
+	go listenForICMPPacket(routes[0].Src.String(), gwHost, msgs, errs)
+	// Block unitl we get a ping that indicates that we have an active connection
+	// listening for ICMP packets, otherwise we might be too late to capture the packet.
+	<-msgs
+
 	t.Logf("sending a datagram to the UDP server at %s", gwaddr)
 	message := uuid.NewString()
 	conn, err := net.Dial("udp", gwaddr)
@@ -278,10 +296,43 @@ func TestUDPRouteNoReach(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, len(message), bytesWritten)
 
-	// ensure server sent back icmp host unreachable
-	t.Logf("ensuring UDP server sent back icmp host unreachable")
-	err = conn.SetReadDeadline(time.Now().Add(5 * time.Second))
-	require.NoError(t, err)
-	_, err = conn.Read(make([]byte, 2048))
-	require.ErrorContains(t, err, "read: connection refused")
+	t.Logf("ensuring UDP server sent back icmp destination unreachable")
+	select {
+	case msg := <-msgs:
+		require.Contains(t, fmt.Sprintf("%s", msg.Type), "destination unreachable")
+	case err := <-errs:
+		t.Fatalf("received error while listening for ICMP packets: %s", err)
+	}
+}
+
+// listenForICMPPacket listens on the provided network interfacr IP for ICMP packets.
+// It sends the parsed ICMP message to the given channel if the packet arose from the
+// provided host.
+func listenForICMPPacket(interfaceIP, gwHost string, msgs chan icmp.Message, errs chan error) {
+	conn, err := icmp.ListenPacket("ip4:icmp", interfaceIP)
+	if err != nil {
+		errs <- err
+		return
+	}
+	defer conn.Close()
+	// Send an empty message which acts like a ping indicating that we have an active ICMP listener.
+	msgs <- icmp.Message{}
+
+	for {
+		packet := make([]byte, 1024)
+		length, src, err := conn.ReadFrom(packet)
+		if err != nil {
+			errs <- err
+			return
+		}
+
+		if src != nil && src.String() == gwHost {
+			msg, err := icmp.ParseMessage(1, packet[:length])
+			if err != nil {
+				errs <- err
+				return
+			}
+			msgs <- *msg
+		}
+	}
 }