update min peer version for port ranges support and allow single-port ranges for old version

Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
bcmmbaga 2025-06-18 20:55:20 +03:00
parent 9ab09057de
commit 7ec92ceaf0
2 changed files with 43 additions and 13 deletions


@ -217,9 +217,13 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
Protocol: types.PolicyRuleProtocolTCP,
Action: types.PolicyTrafficActionAccept,
PortRanges: []types.RulePortRange{
{
Start: 8088,
End: 8088,
},
{
Start: 9090,
End: 9092,
End: 9095,
},
},
Sources: []string{
@ -241,13 +245,9 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
t.Run("check that all peers get map", func(t *testing.T) {
for _, p := range account.Peers {
if p.ID == "peerK" {
// skip peerK, it has no connections(old peer with no port range support)
continue
}
peers, firewallRules := account.GetPeerConnectionResources(context.Background(), p, validatedPeers)
assert.GreaterOrEqual(t, len(peers), 2, "minimum number peers should present")
assert.GreaterOrEqual(t, len(firewallRules), 2, "minimum number of firewall rules should present")
assert.GreaterOrEqual(t, len(peers), 1, "minimum number peers should present")
assert.GreaterOrEqual(t, len(firewallRules), 1, "minimum number of firewall rules should present")
}
})
@ -415,7 +415,26 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
peers, firewallRules := account.GetPeerConnectionResources(context.Background(), account.Peers["peerK"], validatedPeers)
assert.Len(t, peers, 1)
assert.Contains(t, peers, account.Peers["peerI"])
assert.Len(t, firewallRules, 0)
expectedFirewallRules := []*types.FirewallRule{
{
PeerIP: "100.65.31.2",
Direction: types.FirewallRuleDirectionIN,
Action: "accept",
Protocol: "tcp",
Port: "8088",
PolicyID: "RuleWorkflow",
},
{
PeerIP: "100.65.31.2",
Direction: types.FirewallRuleDirectionOUT,
Action: "accept",
Protocol: "tcp",
Port: "8088",
PolicyID: "RuleWorkflow",
},
}
assert.ElementsMatch(t, firewallRules, expectedFirewallRules)
})
}
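Review bot: In the "check that all peers get map" subtest the two minimums are lowered from 2 to 1 for every peer, which weakens the check for all the peers that previously had to yield at least two peers and two firewall rules; only peerK needs a relaxed bound, and the later subtest in this file shows it still produces two rules (`assert.ElementsMatch` against two expected entries), so only the peer count needs relaxing. Keep the stricter thresholds and special-case peerK instead, e.g. `minPeers := 2` before the loop, `if p.ID == "peerK" { minPeers = 1 }` inside it, and `assert.GreaterOrEqual(t, len(peers), minPeers, "minimum number peers should present")`, leaving the firewall-rule bound at 2. Whether the remaining peers still reach two peers and two rules after this change is not visible here, so that would need confirming when the thresholds are restored. The enclosing TestAccount_getPeersByPolicy starts before the hunk.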


@ -38,7 +38,7 @@ const (
UnknownCategory = "unknown"
// firewallRuleMinPortRangesVer defines the minimum peer version that supports port range rules.
firewallRuleMinPortRangesVer = "0.35.0"
firewallRuleMinPortRangesVer = "0.48.0"
)
type LookupMap map[string]struct{}
@ -1598,16 +1598,27 @@ func expandPortsAndRanges(ctx context.Context, base FirewallRule, rule *PolicyRu
return expanded
}
var peerSupportsPortRanges bool
// skip processing the port ranges if the peer version doesn't support it
meetMin, err := posture.MeetsMinVersion(firewallRuleMinPortRangesVer, peer.Meta.WtVersion)
if err == nil && !meetMin {
log.WithContext(ctx).Warnf("peer %s version doesn't support firewall rules port ranges, requires version %s+", peer.ID, firewallRuleMinPortRangesVer)
return expanded
if err == nil && meetMin {
peerSupportsPortRanges = true
}
for _, portRange := range rule.PortRanges {
fr := base
if peerSupportsPortRanges {
fr.PortRange = portRange
} else {
// Peer doesn't support port ranges, only allow single-port ranges
if portRange.Start != portRange.End {
continue
}
fr.Port = strconv.FormatUint(uint64(portRange.Start), 10)
}
expanded = append(expanded, &fr)
}