@@ -2,6 +2,7 @@ package main

 import (

 	"fmt"

+	"github.com/dotcloud/docker/pkg/iptables"

 	"os/exec"

 	"testing"

 )

@@ -28,3 +29,28 @@ func TestPingLinkedContainers(t *testing.T) {

 	cmd(t, "kill", idB)

 	deleteAllContainers()

 }

+

+func TestIpTablesRulesWhenLinkAndUnlink(t *testing.T) {

+	cmd(t, "run", "-d", "--name", "child", "--publish", "8080:80", "busybox", "sleep", "10")

+	cmd(t, "run", "-d", "--name", "parent", "--link", "child:http", "busybox", "sleep", "10")

+

+	childIp := findContainerIp(t, "child")

+	parentIp := findContainerIp(t, "parent")

+

+	sourceRule := []string{"FORWARD", "-i", "docker0", "-o", "docker0", "-p", "tcp", "-s", childIp, "--sport", "80", "-d", parentIp, "-j", "ACCEPT"}

+	destinationRule := []string{"FORWARD", "-i", "docker0", "-o", "docker0", "-p", "tcp", "-s", parentIp, "--dport", "80", "-d", childIp, "-j", "ACCEPT"}

+	if !iptables.Exists(sourceRule...) || !iptables.Exists(destinationRule...) {

+		t.Fatal("Iptables rules not found")

+	}

+

+	cmd(t, "rm", "--link", "parent/http")

+	if iptables.Exists(sourceRule...) || iptables.Exists(destinationRule...) {

+		t.Fatal("Iptables rules should be removed when unlink")

+	}

+

+	cmd(t, "kill", "child")

+	cmd(t, "kill", "parent")

+	deleteAllContainers()

+

+	logDone("link - verify iptables when link and unlink")

+}

@@ -61,3 +61,13 @@ func cmd(t *testing.T, args ...string) (string, int, error) {

 	errorOut(err, t, fmt.Sprintf("'%s' failed with errors: %v (%v)", strings.Join(args, " "), err, out))

 	return out, status, err

 }

+

+func findContainerIp(t *testing.T, id string) string {

+	cmd := exec.Command(dockerBinary, "inspect", "--format='{{ .NetworkSettings.IPAddress }}'", id)

+	out, _, err := runCommandWithOutput(cmd)

+	if err != nil {

+		t.Fatal(err, out)

+	}

+

+	return strings.Trim(out, " \r\n'")

+}