mirror of
https://github.com/netbirdio/netbird.git
synced 2024-12-02 13:03:56 +01:00
ba7a39a4fc
Update the client's engine to apply firewall rules received from the manager (results of ACL policy).
93 lines
2.1 KiB
Go
93 lines
2.1 KiB
Go
package acl
|
|
|
|
import (
|
|
"runtime"
|
|
"testing"
|
|
|
|
"github.com/golang/mock/gomock"
|
|
|
|
"github.com/netbirdio/netbird/client/internal/acl/mocks"
|
|
mgmProto "github.com/netbirdio/netbird/management/proto"
|
|
)
|
|
|
|
func TestDefaultManager(t *testing.T) {
|
|
// TODO: enable when other platform will be added
|
|
if runtime.GOOS != "linux" {
|
|
t.Skipf("ACL manager not supported in the: %s", runtime.GOOS)
|
|
return
|
|
}
|
|
|
|
fwRules := []*mgmProto.FirewallRule{
|
|
{
|
|
PeerIP: "10.93.0.1",
|
|
Direction: mgmProto.FirewallRule_OUT,
|
|
Action: mgmProto.FirewallRule_ACCEPT,
|
|
Protocol: mgmProto.FirewallRule_TCP,
|
|
Port: "80",
|
|
},
|
|
{
|
|
PeerIP: "10.93.0.2",
|
|
Direction: mgmProto.FirewallRule_OUT,
|
|
Action: mgmProto.FirewallRule_DROP,
|
|
Protocol: mgmProto.FirewallRule_UDP,
|
|
Port: "53",
|
|
},
|
|
}
|
|
|
|
ctrl := gomock.NewController(t)
|
|
defer ctrl.Finish()
|
|
|
|
iface := mocks.NewMockIFaceMapper(ctrl)
|
|
iface.EXPECT().IsUserspaceBind().Return(false)
|
|
iface.EXPECT().Name().Return("lo")
|
|
|
|
// we receive one rule from the management so for testing purposes ignore it
|
|
acl, err := Create(iface)
|
|
if err != nil {
|
|
t.Errorf("create ACL manager: %v", err)
|
|
return
|
|
}
|
|
defer acl.Stop()
|
|
|
|
t.Run("apply firewall rules", func(t *testing.T) {
|
|
acl.ApplyFiltering(fwRules)
|
|
|
|
if len(acl.rulesPairs) != 2 {
|
|
t.Errorf("firewall rules not applied: %v", acl.rulesPairs)
|
|
return
|
|
}
|
|
})
|
|
|
|
t.Run("add extra rules", func(t *testing.T) {
|
|
// remove first rule
|
|
fwRules = fwRules[1:]
|
|
fwRules = append(fwRules, &mgmProto.FirewallRule{
|
|
PeerIP: "10.93.0.3",
|
|
Direction: mgmProto.FirewallRule_IN,
|
|
Action: mgmProto.FirewallRule_DROP,
|
|
Protocol: mgmProto.FirewallRule_ICMP,
|
|
})
|
|
|
|
existedRulesID := map[string]struct{}{}
|
|
for id := range acl.rulesPairs {
|
|
existedRulesID[id] = struct{}{}
|
|
}
|
|
|
|
acl.ApplyFiltering(fwRules)
|
|
|
|
// we should have one old and one new rule in the existed rules
|
|
if len(acl.rulesPairs) != 2 {
|
|
t.Errorf("firewall rules not applied")
|
|
return
|
|
}
|
|
|
|
// check that old rules was removed
|
|
for id := range existedRulesID {
|
|
if _, ok := acl.rulesPairs[id]; ok {
|
|
t.Errorf("old rule was not removed")
|
|
return
|
|
}
|
|
}
|
|
})
|
|
}
|