From 99a69b003eb3b77550d03c5d5de10e2ebf755cd8 Mon Sep 17 00:00:00 2001
From: bcmmbaga
Date: Wed, 18 Jun 2025 17:03:51 +0300
Subject: [PATCH] skip processing port ranges for unsupported versions

Signed-off-by: bcmmbaga
---
 management/server/policy_test.go | 64 +-----------------------------
 management/server/types/account.go | 32 +++++++--------
 2 files changed, 16 insertions(+), 80 deletions(-)

diff --git a/management/server/policy_test.go b/management/server/policy_test.go
index e6a1aec81..3a8a72be9 100644
--- a/management/server/policy_test.go
+++ b/management/server/policy_test.go
@@ -411,69 +411,7 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 peers, firewallRules := account.GetPeerConnectionResources(context.Background(), account.Peers["peerK"], validatedPeers)
 assert.Len(t, peers, 1)
 assert.Contains(t, peers, account.Peers["peerI"])
-
- expectedFirewallRules := []*types.FirewallRule{
- {
- PeerIP: "100.65.31.2",
- Direction: types.FirewallRuleDirectionIN,
- Action: "accept",
- Protocol: "tcp",
- Port: "9090",
- PolicyID: "RuleWorkflow",
- },
- {
- PeerIP: "100.65.31.2",
- Direction: types.FirewallRuleDirectionIN,
- Action: "accept",
- Protocol: "tcp",
- Port: "9091",
- PolicyID: "RuleWorkflow",
- },
- {
- PeerIP: "100.65.31.2",
- Direction: types.FirewallRuleDirectionIN,
- Action: "accept",
- Protocol: "tcp",
- Port: "9092",
- PolicyID: "RuleWorkflow",
- },
- {
- PeerIP: "100.65.31.2",
- Direction: types.FirewallRuleDirectionOUT,
- Action: "accept",
- Protocol: "tcp",
- Port: "9090",
- PolicyID: "RuleWorkflow",
- },
- {
- PeerIP: "100.65.31.2",
- Direction: types.FirewallRuleDirectionOUT,
- Action: "accept",
- Protocol: "tcp",
- Port: "9091",
- PolicyID: "RuleWorkflow",
- },
- {
- PeerIP: "100.65.31.2",
- Direction: types.FirewallRuleDirectionOUT,
- Action: "accept",
- Protocol: "tcp",
- Port: "9092",
- PolicyID: "RuleWorkflow",
- },
- }
- assert.Len(t, firewallRules, len(expectedFirewallRules))
-
- for _, rule := range firewallRules {
- contains := false
- for _, expectedRule := range expectedFirewallRules {
- if rule.Equal(expectedRule) {
- contains = true
- break
- }
- }
- assert.True(t, contains, "rule not found in expected rules %#v", rule)
- }
+ assert.Len(t, firewallRules, 0)
 })
 }
 
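Review bot: The rewritten assertion `assert.Len(t, firewallRules, 0)` pins only that the peer on an unsupported version receives no rules; the positive path is no longer exercised here, so unless another subtest in this file covers it, a peer whose version meets `firewallRuleMinPortRangesVer` should be asserted to still receive the PortRange rules, otherwise a regression that drops ranges for every peer would pass this test unnoticed. For style, `assert.Empty(t, firewallRules)` reads closer to the intent and prints the unexpected rules on failure. TestAccount_getPeersByPolicy starts outside the hunk.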
@@ -1585,29 +1585,27 @@ func (a *Account) AddAllGroup() error {
 return nil
 }
 
-// expandPortsAndRanges expands Ports and PortRanges of a rule into individual firewall rule entries.
+// expandPortsAndRanges expands Ports and PortRanges of a rule into individual firewall rules
 func expandPortsAndRanges(ctx context.Context, base FirewallRule, rule *PolicyRule, peer *nbpeer.Peer) []*FirewallRule {
 var expanded []*FirewallRule
 
- for _, port := range rule.Ports {
- fr := base
- fr.Port = port
- expanded = append(expanded, &fr)
+ if len(rule.Ports) > 0 {
+ for _, port := range rule.Ports {
+ fr := base
+ fr.Port = port
+ expanded = append(expanded, &fr)
+ }
+ return expanded
+ }
+
+ // skip processing the port ranges if the peer version doesn't support it
+ meetMin, err := posture.MeetsMinVersion(firewallRuleMinPortRangesVer, peer.Meta.WtVersion)
+ if err == nil && !meetMin {
+ log.WithContext(ctx).Warnf("peer %s version doesn't support firewall rules port ranges, requires version %s+", peer.ID, firewallRuleMinPortRangesVer)
+ return expanded
 }
 
 for _, portRange := range rule.PortRanges {
- meetMin, err := posture.MeetsMinVersion(firewallRuleMinPortRangesVer, peer.Meta.WtVersion)
- if err == nil && !meetMin {
- log.WithContext(ctx).Debugf("peer %s version doesn't support firewall rules port ranges, fallback to single ports", peer.ID)
-
- for start := portRange.Start; start <= portRange.End; start++ {
- fr := base
- fr.Port = strconv.Itoa(int(start))
- expanded = append(expanded, &fr)
- }
- continue
- }
-
 fr := base
 fr.PortRange = portRange
 expanded = append(expanded, &fr)
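Review bot: The early `return expanded` inside the new `if len(rule.Ports) > 0` block means a rule carrying both Ports and PortRanges now emits only the single ports and silently drops the ranges, whereas the removed code expanded both lists; if the two are mutually exclusive by construction, say so in the doc comment, e.g. `// When Ports is non-empty, PortRanges is ignored; the two are treated as mutually exclusive.`, otherwise drop the guard and keep the version check only in front of the range loop. Separately, when `posture.MeetsMinVersion` returns an error (a WtVersion it cannot parse) the condition `err == nil && !meetMin` falls through and the ranges are handed to a peer of unknown capability, which is the permissive branch; that choice deserves at least a log line, `if err != nil { log.WithContext(ctx).Debugf("parsing version of peer %s: %v", peer.ID, err) }`, so operators can see why a range rule reached an old client. The Warnf now fires on every expansion call for every peer below `firewallRuleMinPortRangesVer`, which is likely noisier than the Debugf it replaces. expandPortsAndRanges continues past the end of the hunk.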