skip processing port ranges for unsupported versions

Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>

management/server/policy_test.go

@@ -411,69 +411,7 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), account.Peers["peerK"], validatedPeers)
 		assert.Len(t, peers, 1)
 		assert.Contains(t, peers, account.Peers["peerI"])
-
-		expectedFirewallRules := []*types.FirewallRule{
-			{
-				PeerIP:    "100.65.31.2",
-				Direction: types.FirewallRuleDirectionIN,
-				Action:    "accept",
-				Protocol:  "tcp",
-				Port:      "9090",
-				PolicyID:  "RuleWorkflow",
-			},
-			{
-				PeerIP:    "100.65.31.2",
-				Direction: types.FirewallRuleDirectionIN,
-				Action:    "accept",
-				Protocol:  "tcp",
-				Port:      "9091",
-				PolicyID:  "RuleWorkflow",
-			},
-			{
-				PeerIP:    "100.65.31.2",
-				Direction: types.FirewallRuleDirectionIN,
-				Action:    "accept",
-				Protocol:  "tcp",
-				Port:      "9092",
-				PolicyID:  "RuleWorkflow",
-			},
-			{
-				PeerIP:    "100.65.31.2",
-				Direction: types.FirewallRuleDirectionOUT,
-				Action:    "accept",
-				Protocol:  "tcp",
-				Port:      "9090",
-				PolicyID:  "RuleWorkflow",
-			},
-			{
-				PeerIP:    "100.65.31.2",
-				Direction: types.FirewallRuleDirectionOUT,
-				Action:    "accept",
-				Protocol:  "tcp",
-				Port:      "9091",
-				PolicyID:  "RuleWorkflow",
-			},
-			{
-				PeerIP:    "100.65.31.2",
-				Direction: types.FirewallRuleDirectionOUT,
-				Action:    "accept",
-				Protocol:  "tcp",
-				Port:      "9092",
-				PolicyID:  "RuleWorkflow",
-			},
-		}
-		assert.Len(t, firewallRules, len(expectedFirewallRules))
-
-		for _, rule := range firewallRules {
-			contains := false
-			for _, expectedRule := range expectedFirewallRules {
-				if rule.Equal(expectedRule) {
-					contains = true
-					break
-				}
-			}
-			assert.True(t, contains, "rule not found in expected rules %#v", rule)
-		}
+		assert.Len(t, firewallRules, 0)
 	})
 }
 

management/server/types/account.go

@@ -1585,29 +1585,27 @@ func (a *Account) AddAllGroup() error {
 	return nil
 }
 
-// expandPortsAndRanges expands Ports and PortRanges of a rule into individual firewall rule entries.
+// expandPortsAndRanges expands Ports and PortRanges of a rule into individual firewall rules
 func expandPortsAndRanges(ctx context.Context, base FirewallRule, rule *PolicyRule, peer *nbpeer.Peer) []*FirewallRule {
 	var expanded []*FirewallRule
 
-	for _, port := range rule.Ports {
-		fr := base
-		fr.Port = port
-		expanded = append(expanded, &fr)
+	if len(rule.Ports) > 0 {
+		for _, port := range rule.Ports {
+			fr := base
+			fr.Port = port
+			expanded = append(expanded, &fr)
+		}
+		return expanded
+	}
+
+	// skip processing the port ranges if the peer version doesn't support it
+	meetMin, err := posture.MeetsMinVersion(firewallRuleMinPortRangesVer, peer.Meta.WtVersion)
+	if err == nil && !meetMin {
+		log.WithContext(ctx).Warnf("peer %s version doesn't support firewall rules port ranges, requires version %s+", peer.ID, firewallRuleMinPortRangesVer)
+		return expanded
 	}
 
 	for _, portRange := range rule.PortRanges {
-		meetMin, err := posture.MeetsMinVersion(firewallRuleMinPortRangesVer, peer.Meta.WtVersion)
-		if err == nil && !meetMin {
-			log.WithContext(ctx).Debugf("peer %s version doesn't support firewall rules port ranges, fallback to single ports", peer.ID)
-
-			for start := portRange.Start; start <= portRange.End; start++ {
-				fr := base
-				fr.Port = strconv.Itoa(int(start))
-				expanded = append(expanded, &fr)
-			}
-			continue
-		}
-
 		fr := base
 		fr.PortRange = portRange
 		expanded = append(expanded, &fr)