mirror of
https://github.com/netbirdio/netbird.git
synced 2025-01-26 07:48:48 +01:00
f03aadf064
Add a standard interface for the client firewall to support ACL.
106 lines
2.6 KiB
Go
106 lines
2.6 KiB
Go
package iptables
|
|
|
|
import (
|
|
"net"
|
|
"testing"
|
|
|
|
"github.com/coreos/go-iptables/iptables"
|
|
fw "github.com/netbirdio/netbird/client/firewall"
|
|
)
|
|
|
|
func TestNewManager(t *testing.T) {
|
|
ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
manager, err := Create()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
var rule1 fw.Rule
|
|
t.Run("add first rule", func(t *testing.T) {
|
|
ip := net.ParseIP("10.20.0.2")
|
|
port := &fw.Port{Proto: fw.PortProtocolTCP, Values: []int{8080}}
|
|
rule1, err = manager.AddFiltering(ip, port, fw.DirectionDst, fw.ActionAccept, "accept HTTP traffic")
|
|
if err != nil {
|
|
t.Errorf("failed to add rule: %v", err)
|
|
}
|
|
|
|
checkRuleSpecs(t, ipv4Client, true, rule1.(*Rule).specs...)
|
|
})
|
|
|
|
var rule2 fw.Rule
|
|
t.Run("add second rule", func(t *testing.T) {
|
|
ip := net.ParseIP("10.20.0.3")
|
|
port := &fw.Port{
|
|
Proto: fw.PortProtocolTCP,
|
|
Values: []int{8043: 8046},
|
|
}
|
|
rule2, err = manager.AddFiltering(
|
|
ip, port, fw.DirectionDst, fw.ActionAccept, "accept HTTPS traffic from ports range")
|
|
if err != nil {
|
|
t.Errorf("failed to add rule: %v", err)
|
|
}
|
|
|
|
checkRuleSpecs(t, ipv4Client, true, rule2.(*Rule).specs...)
|
|
})
|
|
|
|
t.Run("delete first rule", func(t *testing.T) {
|
|
if err := manager.DeleteRule(rule1); err != nil {
|
|
t.Errorf("failed to delete rule: %v", err)
|
|
}
|
|
|
|
checkRuleSpecs(t, ipv4Client, false, rule1.(*Rule).specs...)
|
|
})
|
|
|
|
t.Run("delete second rule", func(t *testing.T) {
|
|
if err := manager.DeleteRule(rule2); err != nil {
|
|
t.Errorf("failed to delete rule: %v", err)
|
|
}
|
|
|
|
checkRuleSpecs(t, ipv4Client, false, rule2.(*Rule).specs...)
|
|
})
|
|
|
|
t.Run("reset check", func(t *testing.T) {
|
|
// add second rule
|
|
ip := net.ParseIP("10.20.0.3")
|
|
port := &fw.Port{Proto: fw.PortProtocolUDP, Values: []int{5353}}
|
|
_, err = manager.AddFiltering(ip, port, fw.DirectionDst, fw.ActionAccept, "accept Fake DNS traffic")
|
|
if err != nil {
|
|
t.Errorf("failed to add rule: %v", err)
|
|
}
|
|
|
|
if err := manager.Reset(); err != nil {
|
|
t.Errorf("failed to reset: %v", err)
|
|
}
|
|
|
|
ok, err := ipv4Client.ChainExists("filter", ChainFilterName)
|
|
if err != nil {
|
|
t.Errorf("failed to drop chain: %v", err)
|
|
}
|
|
|
|
if ok {
|
|
t.Errorf("chain '%v' still exists after Reset", ChainFilterName)
|
|
}
|
|
})
|
|
}
|
|
|
|
func checkRuleSpecs(t *testing.T, ipv4Client *iptables.IPTables, mustExists bool, rulespec ...string) {
|
|
exists, err := ipv4Client.Exists("filter", ChainFilterName, rulespec...)
|
|
if err != nil {
|
|
t.Errorf("failed to check rule: %v", err)
|
|
return
|
|
}
|
|
|
|
if !exists && mustExists {
|
|
t.Errorf("rule '%v' does not exist", rulespec)
|
|
return
|
|
}
|
|
if exists && !mustExists {
|
|
t.Errorf("rule '%v' exist", rulespec)
|
|
return
|
|
}
|
|
}
|