Stowage/nebula
2
0
Fork 0
mirror of https://github.com/slackhq/nebula.git synced 2025-11-04 07:11:08 +00:00
Code Issues Projects Releases Packages Wiki Activity
nebula/firewall_test.go

851 lines
30 KiB
Go
Raw Normal View History

Public Release
2019-11-19 17:00:20 +00:00
package nebula
import (
Detect group array usage and try to be kind
2019-12-13 13:45:21 -08:00
"bytes"
Public Release
2019-11-19 17:00:20 +00:00
"errors"
"math"
Switch most everything to netip in prep for ipv6 in the overlay (#1173)
2024-07-31 10:18:56 -05:00
"net/netip"
Public Release
2019-11-19 17:00:20 +00:00
"testing"
"time"
subnet support
2019-12-12 16:34:17 +00:00
"github.com/slackhq/nebula/cert"
Rework some things into packages (#489)
2021-11-03 20:54:04 -05:00
"github.com/slackhq/nebula/config"
"github.com/slackhq/nebula/firewall"
Move util to test, contextual errors to util (#575)
2021-11-10 21:47:38 -06:00
"github.com/slackhq/nebula/test"
subnet support
2019-12-12 16:34:17 +00:00
"github.com/stretchr/testify/assert"
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
"github.com/stretchr/testify/require"
Public Release
2019-11-19 17:00:20 +00:00
)
func TestNewFirewall(t *testing.T) {
Move util to test, contextual errors to util (#575)
2021-11-10 21:47:38 -06:00
l := test.NewLogger()
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
c := &dummyCert{}
Don't use a global logger (#423)
2021-03-26 09:46:30 -05:00
fw := NewFirewall(l, time.Second, time.Minute, time.Hour, c)
Preserve conntrack table during firewall rules reload (SIGHUP) (#233) Currently, we drop the conntrack table when firewall rules change during a SIGHUP reload. This means responses to inflight HTTP requests can be dropped, among other issues. This change copies the conntrack table over to the new firewall (it holds the conntrack mutex lock during this process, to be safe). This change also records which firewall rules hash each conntrack entry used, so that we can re-verify the rules after the new firewall has been loaded.
2020-07-31 18:53:36 -04:00
conntrack := fw.Conntrack
assert.NotNil(t, conntrack)
assert.NotNil(t, conntrack.Conns)
assert.NotNil(t, conntrack.TimerWheel)
Public Release
2019-11-19 17:00:20 +00:00
assert.NotNil(t, fw.InRules)
assert.NotNil(t, fw.OutRules)
assert.Equal(t, time.Second, fw.TCPTimeout)
assert.Equal(t, time.Minute, fw.UDPTimeout)
assert.Equal(t, time.Hour, fw.DefaultTimeout)
Preserve conntrack table during firewall rules reload (SIGHUP) (#233) Currently, we drop the conntrack table when firewall rules change during a SIGHUP reload. This means responses to inflight HTTP requests can be dropped, among other issues. This change copies the conntrack table over to the new firewall (it holds the conntrack mutex lock during this process, to be safe). This change also records which firewall rules hash each conntrack entry used, so that we can re-verify the rules after the new firewall has been loaded.
2020-07-31 18:53:36 -04:00
assert.Equal(t, time.Hour, conntrack.TimerWheel.wheelDuration)
assert.Equal(t, time.Hour, conntrack.TimerWheel.wheelDuration)
Fix possible panic in the timerwheels (#802)
2023-01-11 19:35:19 -06:00
assert.Equal(t, 3602, conntrack.TimerWheel.wheelLen)
Public Release
2019-11-19 17:00:20 +00:00
Don't use a global logger (#423)
2021-03-26 09:46:30 -05:00
fw = NewFirewall(l, time.Second, time.Hour, time.Minute, c)
Preserve conntrack table during firewall rules reload (SIGHUP) (#233) Currently, we drop the conntrack table when firewall rules change during a SIGHUP reload. This means responses to inflight HTTP requests can be dropped, among other issues. This change copies the conntrack table over to the new firewall (it holds the conntrack mutex lock during this process, to be safe). This change also records which firewall rules hash each conntrack entry used, so that we can re-verify the rules after the new firewall has been loaded.
2020-07-31 18:53:36 -04:00
assert.Equal(t, time.Hour, conntrack.TimerWheel.wheelDuration)
Fix possible panic in the timerwheels (#802)
2023-01-11 19:35:19 -06:00
assert.Equal(t, 3602, conntrack.TimerWheel.wheelLen)
Public Release
2019-11-19 17:00:20 +00:00
Don't use a global logger (#423)
2021-03-26 09:46:30 -05:00
fw = NewFirewall(l, time.Hour, time.Second, time.Minute, c)
Preserve conntrack table during firewall rules reload (SIGHUP) (#233) Currently, we drop the conntrack table when firewall rules change during a SIGHUP reload. This means responses to inflight HTTP requests can be dropped, among other issues. This change copies the conntrack table over to the new firewall (it holds the conntrack mutex lock during this process, to be safe). This change also records which firewall rules hash each conntrack entry used, so that we can re-verify the rules after the new firewall has been loaded.
2020-07-31 18:53:36 -04:00
assert.Equal(t, time.Hour, conntrack.TimerWheel.wheelDuration)
Fix possible panic in the timerwheels (#802)
2023-01-11 19:35:19 -06:00
assert.Equal(t, 3602, conntrack.TimerWheel.wheelLen)
Public Release
2019-11-19 17:00:20 +00:00
Don't use a global logger (#423)
2021-03-26 09:46:30 -05:00
fw = NewFirewall(l, time.Hour, time.Minute, time.Second, c)
Preserve conntrack table during firewall rules reload (SIGHUP) (#233) Currently, we drop the conntrack table when firewall rules change during a SIGHUP reload. This means responses to inflight HTTP requests can be dropped, among other issues. This change copies the conntrack table over to the new firewall (it holds the conntrack mutex lock during this process, to be safe). This change also records which firewall rules hash each conntrack entry used, so that we can re-verify the rules after the new firewall has been loaded.
2020-07-31 18:53:36 -04:00
assert.Equal(t, time.Hour, conntrack.TimerWheel.wheelDuration)
Fix possible panic in the timerwheels (#802)
2023-01-11 19:35:19 -06:00
assert.Equal(t, 3602, conntrack.TimerWheel.wheelLen)
Public Release
2019-11-19 17:00:20 +00:00
Don't use a global logger (#423)
2021-03-26 09:46:30 -05:00
fw = NewFirewall(l, time.Minute, time.Hour, time.Second, c)
Preserve conntrack table during firewall rules reload (SIGHUP) (#233) Currently, we drop the conntrack table when firewall rules change during a SIGHUP reload. This means responses to inflight HTTP requests can be dropped, among other issues. This change copies the conntrack table over to the new firewall (it holds the conntrack mutex lock during this process, to be safe). This change also records which firewall rules hash each conntrack entry used, so that we can re-verify the rules after the new firewall has been loaded.
2020-07-31 18:53:36 -04:00
assert.Equal(t, time.Hour, conntrack.TimerWheel.wheelDuration)
Fix possible panic in the timerwheels (#802)
2023-01-11 19:35:19 -06:00
assert.Equal(t, 3602, conntrack.TimerWheel.wheelLen)
Public Release
2019-11-19 17:00:20 +00:00
Don't use a global logger (#423)
2021-03-26 09:46:30 -05:00
fw = NewFirewall(l, time.Minute, time.Second, time.Hour, c)
Preserve conntrack table during firewall rules reload (SIGHUP) (#233) Currently, we drop the conntrack table when firewall rules change during a SIGHUP reload. This means responses to inflight HTTP requests can be dropped, among other issues. This change copies the conntrack table over to the new firewall (it holds the conntrack mutex lock during this process, to be safe). This change also records which firewall rules hash each conntrack entry used, so that we can re-verify the rules after the new firewall has been loaded.
2020-07-31 18:53:36 -04:00
assert.Equal(t, time.Hour, conntrack.TimerWheel.wheelDuration)
Fix possible panic in the timerwheels (#802)
2023-01-11 19:35:19 -06:00
assert.Equal(t, 3602, conntrack.TimerWheel.wheelLen)
Public Release
2019-11-19 17:00:20 +00:00
}
func TestFirewall_AddRule(t *testing.T) {
Move util to test, contextual errors to util (#575)
2021-11-10 21:47:38 -06:00
l := test.NewLogger()
Add test for current bug in master, reduce log output in test
2019-12-18 11:06:51 -08:00
ob := &bytes.Buffer{}
l.SetOutput(ob)
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
c := &dummyCert{}
Don't use a global logger (#423)
2021-03-26 09:46:30 -05:00
fw := NewFirewall(l, time.Second, time.Minute, time.Hour, c)
Public Release
2019-11-19 17:00:20 +00:00
assert.NotNil(t, fw.InRules)
assert.NotNil(t, fw.OutRules)
Switch most everything to netip in prep for ipv6 in the overlay (#1173)
2024-07-31 10:18:56 -05:00
ti, err := netip.ParsePrefix("1.2.3.4/32")
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, err)
Public Release
2019-11-19 17:00:20 +00:00
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.AddRule(true, firewall.ProtoTCP, 1, 1, []string{}, "", netip.Prefix{}, netip.Prefix{}, "", ""))
Actual fix for the real issue with tests
2019-12-18 21:23:34 -08:00
// An empty rule is any
In the middle
2024-01-23 16:02:10 -06:00
assert.True(t, fw.InRules.TCP[1].Any.Any.Any)
At the end
2024-01-29 15:30:52 -06:00
assert.Empty(t, fw.InRules.TCP[1].Any.Groups)
assert.Empty(t, fw.InRules.TCP[1].Any.Hosts)
Public Release
2019-11-19 17:00:20 +00:00
Don't use a global logger (#423)
2021-03-26 09:46:30 -05:00
fw = NewFirewall(l, time.Second, time.Minute, time.Hour, c)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.AddRule(true, firewall.ProtoUDP, 1, 1, []string{"g1"}, "", netip.Prefix{}, netip.Prefix{}, "", ""))
At the end
2024-01-29 15:30:52 -06:00
assert.Nil(t, fw.InRules.UDP[1].Any.Any)
assert.Contains(t, fw.InRules.UDP[1].Any.Groups[0].Groups, "g1")
assert.Empty(t, fw.InRules.UDP[1].Any.Hosts)
Public Release
2019-11-19 17:00:20 +00:00
Don't use a global logger (#423)
2021-03-26 09:46:30 -05:00
fw = NewFirewall(l, time.Second, time.Minute, time.Hour, c)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.AddRule(true, firewall.ProtoICMP, 1, 1, []string{}, "h1", netip.Prefix{}, netip.Prefix{}, "", ""))
At the end
2024-01-29 15:30:52 -06:00
assert.Nil(t, fw.InRules.ICMP[1].Any.Any)
assert.Empty(t, fw.InRules.ICMP[1].Any.Groups)
assert.Contains(t, fw.InRules.ICMP[1].Any.Hosts, "h1")
Public Release
2019-11-19 17:00:20 +00:00
Don't use a global logger (#423)
2021-03-26 09:46:30 -05:00
fw = NewFirewall(l, time.Second, time.Minute, time.Hour, c)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.AddRule(false, firewall.ProtoAny, 1, 1, []string{}, "", ti, netip.Prefix{}, "", ""))
At the end
2024-01-29 15:30:52 -06:00
assert.Nil(t, fw.OutRules.AnyProto[1].Any.Any)
Switch most everything to netip in prep for ipv6 in the overlay (#1173)
2024-07-31 10:18:56 -05:00
_, ok := fw.OutRules.AnyProto[1].Any.CIDR.Get(ti)
Use generics for CIDRTrees to avoid casting issues (#1004)
2023-11-02 17:05:08 -05:00
assert.True(t, ok)
Public Release
2019-11-19 17:00:20 +00:00
Don't use a global logger (#423)
2021-03-26 09:46:30 -05:00
fw = NewFirewall(l, time.Second, time.Minute, time.Hour, c)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.AddRule(false, firewall.ProtoAny, 1, 1, []string{}, "", netip.Prefix{}, ti, "", ""))
At the end
2024-01-29 15:30:52 -06:00
assert.NotNil(t, fw.OutRules.AnyProto[1].Any.Any)
Switch most everything to netip in prep for ipv6 in the overlay (#1173)
2024-07-31 10:18:56 -05:00
_, ok = fw.OutRules.AnyProto[1].Any.Any.LocalCIDR.Get(ti)
Use generics for CIDRTrees to avoid casting issues (#1004)
2023-11-02 17:05:08 -05:00
assert.True(t, ok)
Add destination CIDR checking (#507)
2023-05-09 16:37:23 +01:00
fw = NewFirewall(l, time.Second, time.Minute, time.Hour, c)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.AddRule(true, firewall.ProtoUDP, 1, 1, []string{"g1"}, "", netip.Prefix{}, netip.Prefix{}, "ca-name", ""))
Public Release
2019-11-19 17:00:20 +00:00
assert.Contains(t, fw.InRules.UDP[1].CANames, "ca-name")
Don't use a global logger (#423)
2021-03-26 09:46:30 -05:00
fw = NewFirewall(l, time.Second, time.Minute, time.Hour, c)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.AddRule(true, firewall.ProtoUDP, 1, 1, []string{"g1"}, "", netip.Prefix{}, netip.Prefix{}, "", "ca-sha"))
Public Release
2019-11-19 17:00:20 +00:00
assert.Contains(t, fw.InRules.UDP[1].CAShas, "ca-sha")
Don't use a global logger (#423)
2021-03-26 09:46:30 -05:00
fw = NewFirewall(l, time.Second, time.Minute, time.Hour, c)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.AddRule(false, firewall.ProtoAny, 0, 0, []string{}, "any", netip.Prefix{}, netip.Prefix{}, "", ""))
In the middle
2024-01-23 16:02:10 -06:00
assert.True(t, fw.OutRules.AnyProto[0].Any.Any.Any)
Public Release
2019-11-19 17:00:20 +00:00
Don't use a global logger (#423)
2021-03-26 09:46:30 -05:00
fw = NewFirewall(l, time.Second, time.Minute, time.Hour, c)
Switch most everything to netip in prep for ipv6 in the overlay (#1173)
2024-07-31 10:18:56 -05:00
anyIp, err := netip.ParsePrefix("0.0.0.0/0")
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, err)
Switch most everything to netip in prep for ipv6 in the overlay (#1173)
2024-07-31 10:18:56 -05:00
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.AddRule(false, firewall.ProtoAny, 0, 0, []string{}, "", anyIp, netip.Prefix{}, "", ""))
In the middle
2024-01-23 16:02:10 -06:00
assert.True(t, fw.OutRules.AnyProto[0].Any.Any.Any)
Public Release
2019-11-19 17:00:20 +00:00
// Test error conditions
Don't use a global logger (#423)
2021-03-26 09:46:30 -05:00
fw = NewFirewall(l, time.Second, time.Minute, time.Hour, c)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.Error(t, fw.AddRule(true, math.MaxUint8, 0, 0, []string{}, "", netip.Prefix{}, netip.Prefix{}, "", ""))
require.Error(t, fw.AddRule(true, firewall.ProtoAny, 10, 0, []string{}, "", netip.Prefix{}, netip.Prefix{}, "", ""))
Public Release
2019-11-19 17:00:20 +00:00
}
func TestFirewall_Drop(t *testing.T) {
Move util to test, contextual errors to util (#575)
2021-11-10 21:47:38 -06:00
l := test.NewLogger()
Add test for current bug in master, reduce log output in test
2019-12-18 11:06:51 -08:00
ob := &bytes.Buffer{}
l.SetOutput(ob)
Rework some things into packages (#489)
2021-11-03 20:54:04 -05:00
p := firewall.Packet{
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
LocalAddr: netip.MustParseAddr("1.2.3.4"),
RemoteAddr: netip.MustParseAddr("1.2.3.4"),
Run `make vet` in CI (#693)
2023-03-13 14:35:12 -05:00
LocalPort: 10,
RemotePort: 90,
Protocol: firewall.ProtoUDP,
Fragment: false,
Public Release
2019-11-19 17:00:20 +00:00
}
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
c := dummyCert{
name: "host1",
networks: []netip.Prefix{netip.MustParsePrefix("1.2.3.4/24")},
groups: []string{"default-group"},
issuer: "signer-shasum",
Public Release
2019-11-19 17:00:20 +00:00
}
subnet support
2019-12-12 16:34:17 +00:00
h := HostInfo{
ConnectionState: &ConnectionState{
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
peerCert: &cert.CachedCertificate{
Certificate: &c,
InvertedGroups: map[string]struct{}{"default-group": {}},
},
subnet support
2019-12-12 16:34:17 +00:00
},
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
vpnAddrs: []netip.Addr{netip.MustParseAddr("1.2.3.4")},
subnet support
2019-12-12 16:34:17 +00:00
}
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
h.buildNetworks(c.networks, c.unsafeNetworks)
Public Release
2019-11-19 17:00:20 +00:00
Don't use a global logger (#423)
2021-03-26 09:46:30 -05:00
fw := NewFirewall(l, time.Second, time.Minute, time.Hour, &c)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.AddRule(true, firewall.ProtoAny, 0, 0, []string{"any"}, "", netip.Prefix{}, netip.Prefix{}, "", ""))
Public Release
2019-11-19 17:00:20 +00:00
cp := cert.NewCAPool()
// Drop outbound
Switch most everything to netip in prep for ipv6 in the overlay (#1173)
2024-07-31 10:18:56 -05:00
assert.Equal(t, ErrNoMatchingRule, fw.Drop(p, false, &h, cp, nil))
Public Release
2019-11-19 17:00:20 +00:00
// Allow inbound
Actual fix for the real issue with tests
2019-12-18 21:23:34 -08:00
resetConntrack(fw)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.Drop(p, true, &h, cp, nil))
Public Release
2019-11-19 17:00:20 +00:00
// Allow outbound because conntrack
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.Drop(p, false, &h, cp, nil))
subnet support
2019-12-12 16:34:17 +00:00
// test remote mismatch
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
oldRemote := p.RemoteAddr
p.RemoteAddr = netip.MustParseAddr("1.2.3.10")
Remove tcp rtt tracking from the firewall (#1114)
2024-04-11 21:44:22 -05:00
assert.Equal(t, fw.Drop(p, false, &h, cp, nil), ErrInvalidRemoteIP)
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
p.RemoteAddr = oldRemote
Public Release
2019-11-19 17:00:20 +00:00
Add test for current bug in master, reduce log output in test
2019-12-18 11:06:51 -08:00
// ensure signer doesn't get in the way of group checks
Don't use a global logger (#423)
2021-03-26 09:46:30 -05:00
fw = NewFirewall(l, time.Second, time.Minute, time.Hour, &c)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.AddRule(true, firewall.ProtoAny, 0, 0, []string{"nope"}, "", netip.Prefix{}, netip.Prefix{}, "", "signer-shasum"))
require.NoError(t, fw.AddRule(true, firewall.ProtoAny, 0, 0, []string{"default-group"}, "", netip.Prefix{}, netip.Prefix{}, "", "signer-shasum-bad"))
Remove tcp rtt tracking from the firewall (#1114)
2024-04-11 21:44:22 -05:00
assert.Equal(t, fw.Drop(p, true, &h, cp, nil), ErrNoMatchingRule)
Public Release
2019-11-19 17:00:20 +00:00
Add test for current bug in master, reduce log output in test
2019-12-18 11:06:51 -08:00
// test caSha doesn't drop on match
Don't use a global logger (#423)
2021-03-26 09:46:30 -05:00
fw = NewFirewall(l, time.Second, time.Minute, time.Hour, &c)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.AddRule(true, firewall.ProtoAny, 0, 0, []string{"nope"}, "", netip.Prefix{}, netip.Prefix{}, "", "signer-shasum-bad"))
require.NoError(t, fw.AddRule(true, firewall.ProtoAny, 0, 0, []string{"default-group"}, "", netip.Prefix{}, netip.Prefix{}, "", "signer-shasum"))
require.NoError(t, fw.Drop(p, true, &h, cp, nil))
Public Release
2019-11-19 17:00:20 +00:00
Add test for current bug in master, reduce log output in test
2019-12-18 11:06:51 -08:00
// ensure ca name doesn't get in the way of group checks
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
cp.CAs["signer-shasum"] = &cert.CachedCertificate{Certificate: &dummyCert{name: "ca-good"}}
Don't use a global logger (#423)
2021-03-26 09:46:30 -05:00
fw = NewFirewall(l, time.Second, time.Minute, time.Hour, &c)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.AddRule(true, firewall.ProtoAny, 0, 0, []string{"nope"}, "", netip.Prefix{}, netip.Prefix{}, "ca-good", ""))
require.NoError(t, fw.AddRule(true, firewall.ProtoAny, 0, 0, []string{"default-group"}, "", netip.Prefix{}, netip.Prefix{}, "ca-good-bad", ""))
Remove tcp rtt tracking from the firewall (#1114)
2024-04-11 21:44:22 -05:00
assert.Equal(t, fw.Drop(p, true, &h, cp, nil), ErrNoMatchingRule)
Add test for current bug in master, reduce log output in test
2019-12-18 11:06:51 -08:00
// test caName doesn't drop on match
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
cp.CAs["signer-shasum"] = &cert.CachedCertificate{Certificate: &dummyCert{name: "ca-good"}}
Don't use a global logger (#423)
2021-03-26 09:46:30 -05:00
fw = NewFirewall(l, time.Second, time.Minute, time.Hour, &c)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.AddRule(true, firewall.ProtoAny, 0, 0, []string{"nope"}, "", netip.Prefix{}, netip.Prefix{}, "ca-good-bad", ""))
require.NoError(t, fw.AddRule(true, firewall.ProtoAny, 0, 0, []string{"default-group"}, "", netip.Prefix{}, netip.Prefix{}, "ca-good", ""))
require.NoError(t, fw.Drop(p, true, &h, cp, nil))
Public Release
2019-11-19 17:00:20 +00:00
}
func BenchmarkFirewallTable_match(b *testing.B) {
At the end
2024-01-29 15:30:52 -06:00
f := &Firewall{}
Public Release
2019-11-19 17:00:20 +00:00
ft := FirewallTable{
TCP: firewallPort{},
}
Switch most everything to netip in prep for ipv6 in the overlay (#1173)
2024-07-31 10:18:56 -05:00
pfix := netip.MustParsePrefix("172.1.1.1/32")
_ = ft.TCP.addRule(f, 10, 10, []string{"good-group"}, "good-host", pfix, netip.Prefix{}, "", "")
_ = ft.TCP.addRule(f, 100, 100, []string{"good-group"}, "good-host", netip.Prefix{}, pfix, "", "")
Public Release
2019-11-19 17:00:20 +00:00
cp := cert.NewCAPool()
b.Run("fail on proto", func(b *testing.B) {
In the middle
2024-01-23 16:02:10 -06:00
// This benchmark is showing us the cost of failing to match the protocol
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
c := &cert.CachedCertificate{
Certificate: &dummyCert{},
}
Public Release
2019-11-19 17:00:20 +00:00
for n := 0; n < b.N; n++ {
In the middle
2024-01-23 16:02:10 -06:00
assert.False(b, ft.match(firewall.Packet{Protocol: firewall.ProtoUDP}, true, c, cp))
Public Release
2019-11-19 17:00:20 +00:00
}
})
In the middle
2024-01-23 16:02:10 -06:00
b.Run("pass proto, fail on port", func(b *testing.B) {
// This benchmark is showing us the cost of matching a specific protocol but failing to match the port
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
c := &cert.CachedCertificate{
Certificate: &dummyCert{},
}
Public Release
2019-11-19 17:00:20 +00:00
for n := 0; n < b.N; n++ {
In the middle
2024-01-23 16:02:10 -06:00
assert.False(b, ft.match(firewall.Packet{Protocol: firewall.ProtoTCP, LocalPort: 1}, true, c, cp))
Public Release
2019-11-19 17:00:20 +00:00
}
})
In the middle
2024-01-23 16:02:10 -06:00
b.Run("pass proto, port, fail on local CIDR", func(b *testing.B) {
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
c := &cert.CachedCertificate{
Certificate: &dummyCert{},
}
Switch most everything to netip in prep for ipv6 in the overlay (#1173)
2024-07-31 10:18:56 -05:00
ip := netip.MustParsePrefix("9.254.254.254/32")
Public Release
2019-11-19 17:00:20 +00:00
for n := 0; n < b.N; n++ {
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
assert.False(b, ft.match(firewall.Packet{Protocol: firewall.ProtoTCP, LocalPort: 100, LocalAddr: ip.Addr()}, true, c, cp))
Public Release
2019-11-19 17:00:20 +00:00
}
})
In the middle
2024-01-23 16:02:10 -06:00
b.Run("pass proto, port, any local CIDR, fail all group, name, and cidr", func(b *testing.B) {
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
c := &cert.CachedCertificate{
Certificate: &dummyCert{
name: "nope",
networks: []netip.Prefix{netip.MustParsePrefix("9.254.254.245/32")},
Public Release
2019-11-19 17:00:20 +00:00
},
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
InvertedGroups: map[string]struct{}{"nope": {}},
Public Release
2019-11-19 17:00:20 +00:00
}
for n := 0; n < b.N; n++ {
In the middle
2024-01-23 16:02:10 -06:00
assert.False(b, ft.match(firewall.Packet{Protocol: firewall.ProtoTCP, LocalPort: 10}, true, c, cp))
Public Release
2019-11-19 17:00:20 +00:00
}
})
In the middle
2024-01-23 16:02:10 -06:00
b.Run("pass proto, port, specific local CIDR, fail all group, name, and cidr", func(b *testing.B) {
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
c := &cert.CachedCertificate{
Certificate: &dummyCert{
name: "nope",
networks: []netip.Prefix{netip.MustParsePrefix("9.254.254.245/32")},
Public Release
2019-11-19 17:00:20 +00:00
},
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
InvertedGroups: map[string]struct{}{"nope": {}},
Public Release
2019-11-19 17:00:20 +00:00
}
for n := 0; n < b.N; n++ {
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
assert.False(b, ft.match(firewall.Packet{Protocol: firewall.ProtoTCP, LocalPort: 100, LocalAddr: pfix.Addr()}, true, c, cp))
Public Release
2019-11-19 17:00:20 +00:00
}
})
In the middle
2024-01-23 16:02:10 -06:00
b.Run("pass on group on any local cidr", func(b *testing.B) {
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
c := &cert.CachedCertificate{
Certificate: &dummyCert{
name: "nope",
Add destination CIDR checking (#507)
2023-05-09 16:37:23 +01:00
},
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
InvertedGroups: map[string]struct{}{"good-group": {}},
Add destination CIDR checking (#507)
2023-05-09 16:37:23 +01:00
}
for n := 0; n < b.N; n++ {
In the middle
2024-01-23 16:02:10 -06:00
assert.True(b, ft.match(firewall.Packet{Protocol: firewall.ProtoTCP, LocalPort: 10}, true, c, cp))
Add destination CIDR checking (#507)
2023-05-09 16:37:23 +01:00
}
})
In the middle
2024-01-23 16:02:10 -06:00
b.Run("pass on group on specific local cidr", func(b *testing.B) {
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
c := &cert.CachedCertificate{
Certificate: &dummyCert{
name: "nope",
Public Release
2019-11-19 17:00:20 +00:00
},
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
InvertedGroups: map[string]struct{}{"good-group": {}},
Public Release
2019-11-19 17:00:20 +00:00
}
for n := 0; n < b.N; n++ {
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
assert.True(b, ft.match(firewall.Packet{Protocol: firewall.ProtoTCP, LocalPort: 100, LocalAddr: pfix.Addr()}, true, c, cp))
Public Release
2019-11-19 17:00:20 +00:00
}
})
Add destination CIDR checking (#507)
2023-05-09 16:37:23 +01:00
In the middle
2024-01-23 16:02:10 -06:00
b.Run("pass on name", func(b *testing.B) {
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
c := &cert.CachedCertificate{
Certificate: &dummyCert{
name: "good-host",
Add destination CIDR checking (#507)
2023-05-09 16:37:23 +01:00
},
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
InvertedGroups: map[string]struct{}{"nope": {}},
Add destination CIDR checking (#507)
2023-05-09 16:37:23 +01:00
}
for n := 0; n < b.N; n++ {
In the middle
2024-01-23 16:02:10 -06:00
ft.match(firewall.Packet{Protocol: firewall.ProtoTCP, LocalPort: 10}, true, c, cp)
Add destination CIDR checking (#507)
2023-05-09 16:37:23 +01:00
}
})
Public Release
2019-11-19 17:00:20 +00:00
}
func TestFirewall_Drop2(t *testing.T) {
Move util to test, contextual errors to util (#575)
2021-11-10 21:47:38 -06:00
l := test.NewLogger()
Add test for current bug in master, reduce log output in test
2019-12-18 11:06:51 -08:00
ob := &bytes.Buffer{}
l.SetOutput(ob)
Rework some things into packages (#489)
2021-11-03 20:54:04 -05:00
p := firewall.Packet{
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
LocalAddr: netip.MustParseAddr("1.2.3.4"),
RemoteAddr: netip.MustParseAddr("1.2.3.4"),
Run `make vet` in CI (#693)
2023-03-13 14:35:12 -05:00
LocalPort: 10,
RemotePort: 90,
Protocol: firewall.ProtoUDP,
Fragment: false,
Public Release
2019-11-19 17:00:20 +00:00
}
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
network := netip.MustParsePrefix("1.2.3.4/24")
Public Release
2019-11-19 17:00:20 +00:00
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
c := cert.CachedCertificate{
Certificate: &dummyCert{
name: "host1",
networks: []netip.Prefix{network},
Public Release
2019-11-19 17:00:20 +00:00
},
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
InvertedGroups: map[string]struct{}{"default-group": {}, "test-group": {}},
Public Release
2019-11-19 17:00:20 +00:00
}
subnet support
2019-12-12 16:34:17 +00:00
h := HostInfo{
ConnectionState: &ConnectionState{
peerCert: &c,
},
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
vpnAddrs: []netip.Addr{network.Addr()},
subnet support
2019-12-12 16:34:17 +00:00
}
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
h.buildNetworks(c.Certificate.Networks(), c.Certificate.UnsafeNetworks())
Public Release
2019-11-19 17:00:20 +00:00
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
c1 := cert.CachedCertificate{
Certificate: &dummyCert{
name: "host1",
networks: []netip.Prefix{network},
Public Release
2019-11-19 17:00:20 +00:00
},
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
InvertedGroups: map[string]struct{}{"default-group": {}, "test-group-not": {}},
Public Release
2019-11-19 17:00:20 +00:00
}
subnet support
2019-12-12 16:34:17 +00:00
h1 := HostInfo{
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
vpnAddrs: []netip.Addr{network.Addr()},
subnet support
2019-12-12 16:34:17 +00:00
ConnectionState: &ConnectionState{
peerCert: &c1,
},
}
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
h1.buildNetworks(c1.Certificate.Networks(), c1.Certificate.UnsafeNetworks())
Public Release
2019-11-19 17:00:20 +00:00
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
fw := NewFirewall(l, time.Second, time.Minute, time.Hour, c.Certificate)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.AddRule(true, firewall.ProtoAny, 0, 0, []string{"default-group", "test-group"}, "", netip.Prefix{}, netip.Prefix{}, "", ""))
Public Release
2019-11-19 17:00:20 +00:00
cp := cert.NewCAPool()
subnet support
2019-12-12 16:34:17 +00:00
// h1/c1 lacks the proper groups
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.ErrorIs(t, fw.Drop(p, true, &h1, cp, nil), ErrNoMatchingRule)
Public Release
2019-11-19 17:00:20 +00:00
// c has the proper groups
Actual fix for the real issue with tests
2019-12-18 21:23:34 -08:00
resetConntrack(fw)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.Drop(p, true, &h, cp, nil))
Public Release
2019-11-19 17:00:20 +00:00
}
Actual fix for the real issue with tests
2019-12-18 21:23:34 -08:00
func TestFirewall_Drop3(t *testing.T) {
Move util to test, contextual errors to util (#575)
2021-11-10 21:47:38 -06:00
l := test.NewLogger()
Actual fix for the real issue with tests
2019-12-18 21:23:34 -08:00
ob := &bytes.Buffer{}
l.SetOutput(ob)
Rework some things into packages (#489)
2021-11-03 20:54:04 -05:00
p := firewall.Packet{
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
LocalAddr: netip.MustParseAddr("1.2.3.4"),
RemoteAddr: netip.MustParseAddr("1.2.3.4"),
Run `make vet` in CI (#693)
2023-03-13 14:35:12 -05:00
LocalPort: 1,
RemotePort: 1,
Protocol: firewall.ProtoUDP,
Fragment: false,
Actual fix for the real issue with tests
2019-12-18 21:23:34 -08:00
}
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
network := netip.MustParsePrefix("1.2.3.4/24")
c := cert.CachedCertificate{
Certificate: &dummyCert{
name: "host-owner",
networks: []netip.Prefix{network},
Actual fix for the real issue with tests
2019-12-18 21:23:34 -08:00
},
}
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
c1 := cert.CachedCertificate{
Certificate: &dummyCert{
name: "host1",
networks: []netip.Prefix{network},
issuer: "signer-sha-bad",
Actual fix for the real issue with tests
2019-12-18 21:23:34 -08:00
},
}
h1 := HostInfo{
ConnectionState: &ConnectionState{
peerCert: &c1,
},
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
vpnAddrs: []netip.Addr{network.Addr()},
Actual fix for the real issue with tests
2019-12-18 21:23:34 -08:00
}
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
h1.buildNetworks(c1.Certificate.Networks(), c1.Certificate.UnsafeNetworks())
Actual fix for the real issue with tests
2019-12-18 21:23:34 -08:00
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
c2 := cert.CachedCertificate{
Certificate: &dummyCert{
name: "host2",
networks: []netip.Prefix{network},
issuer: "signer-sha",
Actual fix for the real issue with tests
2019-12-18 21:23:34 -08:00
},
}
h2 := HostInfo{
ConnectionState: &ConnectionState{
peerCert: &c2,
},
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
vpnAddrs: []netip.Addr{network.Addr()},
Actual fix for the real issue with tests
2019-12-18 21:23:34 -08:00
}
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
h2.buildNetworks(c2.Certificate.Networks(), c2.Certificate.UnsafeNetworks())
Actual fix for the real issue with tests
2019-12-18 21:23:34 -08:00
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
c3 := cert.CachedCertificate{
Certificate: &dummyCert{
name: "host3",
networks: []netip.Prefix{network},
issuer: "signer-sha-bad",
Actual fix for the real issue with tests
2019-12-18 21:23:34 -08:00
},
}
h3 := HostInfo{
ConnectionState: &ConnectionState{
peerCert: &c3,
},
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
vpnAddrs: []netip.Addr{network.Addr()},
Actual fix for the real issue with tests
2019-12-18 21:23:34 -08:00
}
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
h3.buildNetworks(c3.Certificate.Networks(), c3.Certificate.UnsafeNetworks())
Actual fix for the real issue with tests
2019-12-18 21:23:34 -08:00
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
fw := NewFirewall(l, time.Second, time.Minute, time.Hour, c.Certificate)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.AddRule(true, firewall.ProtoAny, 1, 1, []string{}, "host1", netip.Prefix{}, netip.Prefix{}, "", ""))
require.NoError(t, fw.AddRule(true, firewall.ProtoAny, 1, 1, []string{}, "", netip.Prefix{}, netip.Prefix{}, "", "signer-sha"))
Actual fix for the real issue with tests
2019-12-18 21:23:34 -08:00
cp := cert.NewCAPool()
// c1 should pass because host match
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.Drop(p, true, &h1, cp, nil))
Actual fix for the real issue with tests
2019-12-18 21:23:34 -08:00
// c2 should pass because ca sha match
resetConntrack(fw)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.Drop(p, true, &h2, cp, nil))
Actual fix for the real issue with tests
2019-12-18 21:23:34 -08:00
// c3 should fail because no match
resetConntrack(fw)
Remove tcp rtt tracking from the firewall (#1114)
2024-04-11 21:44:22 -05:00
assert.Equal(t, fw.Drop(p, true, &h3, cp, nil), ErrNoMatchingRule)
Bump github.com/gaissmai/bart from 0.13.0 to 0.18.1 (#1341) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Nate Brown <nbrown.us@gmail.com>
2025-03-06 13:26:29 -06:00
// Test a remote address match
fw = NewFirewall(l, time.Second, time.Minute, time.Hour, c.Certificate)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.AddRule(true, firewall.ProtoAny, 1, 1, []string{}, "", netip.MustParsePrefix("1.2.3.4/24"), netip.Prefix{}, "", ""))
require.NoError(t, fw.Drop(p, true, &h1, cp, nil))
Actual fix for the real issue with tests
2019-12-18 21:23:34 -08:00
}
Preserve conntrack table during firewall rules reload (SIGHUP) (#233) Currently, we drop the conntrack table when firewall rules change during a SIGHUP reload. This means responses to inflight HTTP requests can be dropped, among other issues. This change copies the conntrack table over to the new firewall (it holds the conntrack mutex lock during this process, to be safe). This change also records which firewall rules hash each conntrack entry used, so that we can re-verify the rules after the new firewall has been loaded.
2020-07-31 18:53:36 -04:00
func TestFirewall_DropConntrackReload(t *testing.T) {
Move util to test, contextual errors to util (#575)
2021-11-10 21:47:38 -06:00
l := test.NewLogger()
Preserve conntrack table during firewall rules reload (SIGHUP) (#233) Currently, we drop the conntrack table when firewall rules change during a SIGHUP reload. This means responses to inflight HTTP requests can be dropped, among other issues. This change copies the conntrack table over to the new firewall (it holds the conntrack mutex lock during this process, to be safe). This change also records which firewall rules hash each conntrack entry used, so that we can re-verify the rules after the new firewall has been loaded.
2020-07-31 18:53:36 -04:00
ob := &bytes.Buffer{}
l.SetOutput(ob)
Rework some things into packages (#489)
2021-11-03 20:54:04 -05:00
p := firewall.Packet{
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
LocalAddr: netip.MustParseAddr("1.2.3.4"),
RemoteAddr: netip.MustParseAddr("1.2.3.4"),
Run `make vet` in CI (#693)
2023-03-13 14:35:12 -05:00
LocalPort: 10,
RemotePort: 90,
Protocol: firewall.ProtoUDP,
Fragment: false,
Preserve conntrack table during firewall rules reload (SIGHUP) (#233) Currently, we drop the conntrack table when firewall rules change during a SIGHUP reload. This means responses to inflight HTTP requests can be dropped, among other issues. This change copies the conntrack table over to the new firewall (it holds the conntrack mutex lock during this process, to be safe). This change also records which firewall rules hash each conntrack entry used, so that we can re-verify the rules after the new firewall has been loaded.
2020-07-31 18:53:36 -04:00
}
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
network := netip.MustParsePrefix("1.2.3.4/24")
c := cert.CachedCertificate{
Certificate: &dummyCert{
name: "host1",
networks: []netip.Prefix{network},
groups: []string{"default-group"},
issuer: "signer-shasum",
Preserve conntrack table during firewall rules reload (SIGHUP) (#233) Currently, we drop the conntrack table when firewall rules change during a SIGHUP reload. This means responses to inflight HTTP requests can be dropped, among other issues. This change copies the conntrack table over to the new firewall (it holds the conntrack mutex lock during this process, to be safe). This change also records which firewall rules hash each conntrack entry used, so that we can re-verify the rules after the new firewall has been loaded.
2020-07-31 18:53:36 -04:00
},
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
InvertedGroups: map[string]struct{}{"default-group": {}},
Preserve conntrack table during firewall rules reload (SIGHUP) (#233) Currently, we drop the conntrack table when firewall rules change during a SIGHUP reload. This means responses to inflight HTTP requests can be dropped, among other issues. This change copies the conntrack table over to the new firewall (it holds the conntrack mutex lock during this process, to be safe). This change also records which firewall rules hash each conntrack entry used, so that we can re-verify the rules after the new firewall has been loaded.
2020-07-31 18:53:36 -04:00
}
h := HostInfo{
ConnectionState: &ConnectionState{
peerCert: &c,
},
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
vpnAddrs: []netip.Addr{network.Addr()},
Preserve conntrack table during firewall rules reload (SIGHUP) (#233) Currently, we drop the conntrack table when firewall rules change during a SIGHUP reload. This means responses to inflight HTTP requests can be dropped, among other issues. This change copies the conntrack table over to the new firewall (it holds the conntrack mutex lock during this process, to be safe). This change also records which firewall rules hash each conntrack entry used, so that we can re-verify the rules after the new firewall has been loaded.
2020-07-31 18:53:36 -04:00
}
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
h.buildNetworks(c.Certificate.Networks(), c.Certificate.UnsafeNetworks())
Preserve conntrack table during firewall rules reload (SIGHUP) (#233) Currently, we drop the conntrack table when firewall rules change during a SIGHUP reload. This means responses to inflight HTTP requests can be dropped, among other issues. This change copies the conntrack table over to the new firewall (it holds the conntrack mutex lock during this process, to be safe). This change also records which firewall rules hash each conntrack entry used, so that we can re-verify the rules after the new firewall has been loaded.
2020-07-31 18:53:36 -04:00
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
fw := NewFirewall(l, time.Second, time.Minute, time.Hour, c.Certificate)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.AddRule(true, firewall.ProtoAny, 0, 0, []string{"any"}, "", netip.Prefix{}, netip.Prefix{}, "", ""))
Preserve conntrack table during firewall rules reload (SIGHUP) (#233) Currently, we drop the conntrack table when firewall rules change during a SIGHUP reload. This means responses to inflight HTTP requests can be dropped, among other issues. This change copies the conntrack table over to the new firewall (it holds the conntrack mutex lock during this process, to be safe). This change also records which firewall rules hash each conntrack entry used, so that we can re-verify the rules after the new firewall has been loaded.
2020-07-31 18:53:36 -04:00
cp := cert.NewCAPool()
// Drop outbound
Remove tcp rtt tracking from the firewall (#1114)
2024-04-11 21:44:22 -05:00
assert.Equal(t, fw.Drop(p, false, &h, cp, nil), ErrNoMatchingRule)
Preserve conntrack table during firewall rules reload (SIGHUP) (#233) Currently, we drop the conntrack table when firewall rules change during a SIGHUP reload. This means responses to inflight HTTP requests can be dropped, among other issues. This change copies the conntrack table over to the new firewall (it holds the conntrack mutex lock during this process, to be safe). This change also records which firewall rules hash each conntrack entry used, so that we can re-verify the rules after the new firewall has been loaded.
2020-07-31 18:53:36 -04:00
// Allow inbound
resetConntrack(fw)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.Drop(p, true, &h, cp, nil))
Preserve conntrack table during firewall rules reload (SIGHUP) (#233) Currently, we drop the conntrack table when firewall rules change during a SIGHUP reload. This means responses to inflight HTTP requests can be dropped, among other issues. This change copies the conntrack table over to the new firewall (it holds the conntrack mutex lock during this process, to be safe). This change also records which firewall rules hash each conntrack entry used, so that we can re-verify the rules after the new firewall has been loaded.
2020-07-31 18:53:36 -04:00
// Allow outbound because conntrack
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.Drop(p, false, &h, cp, nil))
Preserve conntrack table during firewall rules reload (SIGHUP) (#233) Currently, we drop the conntrack table when firewall rules change during a SIGHUP reload. This means responses to inflight HTTP requests can be dropped, among other issues. This change copies the conntrack table over to the new firewall (it holds the conntrack mutex lock during this process, to be safe). This change also records which firewall rules hash each conntrack entry used, so that we can re-verify the rules after the new firewall has been loaded.
2020-07-31 18:53:36 -04:00
oldFw := fw
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
fw = NewFirewall(l, time.Second, time.Minute, time.Hour, c.Certificate)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.AddRule(true, firewall.ProtoAny, 10, 10, []string{"any"}, "", netip.Prefix{}, netip.Prefix{}, "", ""))
Preserve conntrack table during firewall rules reload (SIGHUP) (#233) Currently, we drop the conntrack table when firewall rules change during a SIGHUP reload. This means responses to inflight HTTP requests can be dropped, among other issues. This change copies the conntrack table over to the new firewall (it holds the conntrack mutex lock during this process, to be safe). This change also records which firewall rules hash each conntrack entry used, so that we can re-verify the rules after the new firewall has been loaded.
2020-07-31 18:53:36 -04:00
fw.Conntrack = oldFw.Conntrack
fw.rulesVersion = oldFw.rulesVersion + 1
// Allow outbound because conntrack and new rules allow port 10
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.Drop(p, false, &h, cp, nil))
Preserve conntrack table during firewall rules reload (SIGHUP) (#233) Currently, we drop the conntrack table when firewall rules change during a SIGHUP reload. This means responses to inflight HTTP requests can be dropped, among other issues. This change copies the conntrack table over to the new firewall (it holds the conntrack mutex lock during this process, to be safe). This change also records which firewall rules hash each conntrack entry used, so that we can re-verify the rules after the new firewall has been loaded.
2020-07-31 18:53:36 -04:00
oldFw = fw
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
fw = NewFirewall(l, time.Second, time.Minute, time.Hour, c.Certificate)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, fw.AddRule(true, firewall.ProtoAny, 11, 11, []string{"any"}, "", netip.Prefix{}, netip.Prefix{}, "", ""))
Preserve conntrack table during firewall rules reload (SIGHUP) (#233) Currently, we drop the conntrack table when firewall rules change during a SIGHUP reload. This means responses to inflight HTTP requests can be dropped, among other issues. This change copies the conntrack table over to the new firewall (it holds the conntrack mutex lock during this process, to be safe). This change also records which firewall rules hash each conntrack entry used, so that we can re-verify the rules after the new firewall has been loaded.
2020-07-31 18:53:36 -04:00
fw.Conntrack = oldFw.Conntrack
fw.rulesVersion = oldFw.rulesVersion + 1
// Drop outbound because conntrack doesn't match new ruleset
Remove tcp rtt tracking from the firewall (#1114)
2024-04-11 21:44:22 -05:00
assert.Equal(t, fw.Drop(p, false, &h, cp, nil), ErrNoMatchingRule)
Preserve conntrack table during firewall rules reload (SIGHUP) (#233) Currently, we drop the conntrack table when firewall rules change during a SIGHUP reload. This means responses to inflight HTTP requests can be dropped, among other issues. This change copies the conntrack table over to the new firewall (it holds the conntrack mutex lock during this process, to be safe). This change also records which firewall rules hash each conntrack entry used, so that we can re-verify the rules after the new firewall has been loaded.
2020-07-31 18:53:36 -04:00
}
Public Release
2019-11-19 17:00:20 +00:00
func BenchmarkLookup(b *testing.B) {
ml := func(m map[string]struct{}, a [][]string) {
for n := 0; n < b.N; n++ {
for _, sg := range a {
found := false
for _, g := range sg {
if _, ok := m[g]; !ok {
found = false
break
}
found = true
}
if found {
return
}
}
}
}
b.Run("array to map best", func(b *testing.B) {
m := map[string]struct{}{
"1ne": {},
"2wo": {},
"3hr": {},
"4ou": {},
"5iv": {},
"6ix": {},
}
a := [][]string{
{"1ne", "2wo", "3hr", "4ou", "5iv", "6ix"},
{"one", "2wo", "3hr", "4ou", "5iv", "6ix"},
{"one", "two", "3hr", "4ou", "5iv", "6ix"},
{"one", "two", "thr", "4ou", "5iv", "6ix"},
{"one", "two", "thr", "fou", "5iv", "6ix"},
{"one", "two", "thr", "fou", "fiv", "6ix"},
{"one", "two", "thr", "fou", "fiv", "six"},
}
for n := 0; n < b.N; n++ {
ml(m, a)
}
})
b.Run("array to map worst", func(b *testing.B) {
m := map[string]struct{}{
"one": {},
"two": {},
"thr": {},
"fou": {},
"fiv": {},
"six": {},
}
a := [][]string{
{"1ne", "2wo", "3hr", "4ou", "5iv", "6ix"},
{"one", "2wo", "3hr", "4ou", "5iv", "6ix"},
{"one", "two", "3hr", "4ou", "5iv", "6ix"},
{"one", "two", "thr", "4ou", "5iv", "6ix"},
{"one", "two", "thr", "fou", "5iv", "6ix"},
{"one", "two", "thr", "fou", "fiv", "6ix"},
{"one", "two", "thr", "fou", "fiv", "six"},
}
for n := 0; n < b.N; n++ {
ml(m, a)
}
})
}
func Test_parsePort(t *testing.T) {
_, _, err := parsePort("")
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.EqualError(t, err, "was not a number; ``")
Public Release
2019-11-19 17:00:20 +00:00
_, _, err = parsePort(" ")
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.EqualError(t, err, "was not a number; ` `")
Public Release
2019-11-19 17:00:20 +00:00
_, _, err = parsePort("-")
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.EqualError(t, err, "appears to be a range but could not be parsed; `-`")
Public Release
2019-11-19 17:00:20 +00:00
_, _, err = parsePort(" - ")
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.EqualError(t, err, "appears to be a range but could not be parsed; ` - `")
Public Release
2019-11-19 17:00:20 +00:00
_, _, err = parsePort("a-b")
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.EqualError(t, err, "beginning range was not a number; `a`")
Public Release
2019-11-19 17:00:20 +00:00
_, _, err = parsePort("1-b")
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.EqualError(t, err, "ending range was not a number; `b`")
Public Release
2019-11-19 17:00:20 +00:00
s, e, err := parsePort(" 1 - 2 ")
assert.Equal(t, int32(1), s)
assert.Equal(t, int32(2), e)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, err)
Public Release
2019-11-19 17:00:20 +00:00
s, e, err = parsePort("0-1")
assert.Equal(t, int32(0), s)
assert.Equal(t, int32(0), e)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, err)
Public Release
2019-11-19 17:00:20 +00:00
s, e, err = parsePort("9919")
assert.Equal(t, int32(9919), s)
assert.Equal(t, int32(9919), e)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, err)
Public Release
2019-11-19 17:00:20 +00:00
s, e, err = parsePort("any")
assert.Equal(t, int32(0), s)
assert.Equal(t, int32(0), e)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, err)
Public Release
2019-11-19 17:00:20 +00:00
}
func TestNewFirewallFromConfig(t *testing.T) {
Move util to test, contextual errors to util (#575)
2021-11-10 21:47:38 -06:00
l := test.NewLogger()
Public Release
2019-11-19 17:00:20 +00:00
// Test a bad rule definition
Cert interface (#1212)
2024-10-10 18:00:22 -05:00
c := &dummyCert{}
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
cs, err := newCertState(cert.Version2, nil, c, false, cert.Curve_CURVE25519, nil)
require.NoError(t, err)
Rework some things into packages (#489)
2021-11-03 20:54:04 -05:00
conf := config.NewC(l)
upgrade to yaml.v3 (#1148) * upgrade to yaml.v3 The main nice fix here is that maps unmarshal into `map[string]any` instead of `map[any]any`, so it cleans things up a bit. * add config.AsBool Since yaml.v3 doesn't automatically convert yes to bool now, for backwards compat * use type aliases for m * more cleanup * more cleanup * more cleanup * go mod cleanup
2025-03-31 16:08:34 -04:00
conf.Settings["firewall"] = map[string]any{"outbound": "asdf"}
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
_, err = NewFirewallFromConfig(l, cs, conf)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.EqualError(t, err, "firewall.outbound failed to parse, should be an array of rules")
Public Release
2019-11-19 17:00:20 +00:00
// Test both port and code
Rework some things into packages (#489)
2021-11-03 20:54:04 -05:00
conf = config.NewC(l)
upgrade to yaml.v3 (#1148) * upgrade to yaml.v3 The main nice fix here is that maps unmarshal into `map[string]any` instead of `map[any]any`, so it cleans things up a bit. * add config.AsBool Since yaml.v3 doesn't automatically convert yes to bool now, for backwards compat * use type aliases for m * more cleanup * more cleanup * more cleanup * go mod cleanup
2025-03-31 16:08:34 -04:00
conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{"port": "1", "code": "2"}}}
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
_, err = NewFirewallFromConfig(l, cs, conf)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.EqualError(t, err, "firewall.outbound rule #0; only one of port or code should be provided")
Public Release
2019-11-19 17:00:20 +00:00
// Test missing host, group, cidr, ca_name and ca_sha
Rework some things into packages (#489)
2021-11-03 20:54:04 -05:00
conf = config.NewC(l)
upgrade to yaml.v3 (#1148) * upgrade to yaml.v3 The main nice fix here is that maps unmarshal into `map[string]any` instead of `map[any]any`, so it cleans things up a bit. * add config.AsBool Since yaml.v3 doesn't automatically convert yes to bool now, for backwards compat * use type aliases for m * more cleanup * more cleanup * more cleanup * go mod cleanup
2025-03-31 16:08:34 -04:00
conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{}}}
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
_, err = NewFirewallFromConfig(l, cs, conf)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.EqualError(t, err, "firewall.outbound rule #0; at least one of host, group, cidr, local_cidr, ca_name, or ca_sha must be provided")
Public Release
2019-11-19 17:00:20 +00:00
// Test code/port error
Rework some things into packages (#489)
2021-11-03 20:54:04 -05:00
conf = config.NewC(l)
upgrade to yaml.v3 (#1148) * upgrade to yaml.v3 The main nice fix here is that maps unmarshal into `map[string]any` instead of `map[any]any`, so it cleans things up a bit. * add config.AsBool Since yaml.v3 doesn't automatically convert yes to bool now, for backwards compat * use type aliases for m * more cleanup * more cleanup * more cleanup * go mod cleanup
2025-03-31 16:08:34 -04:00
conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{"code": "a", "host": "testh"}}}
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
_, err = NewFirewallFromConfig(l, cs, conf)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.EqualError(t, err, "firewall.outbound rule #0; code was not a number; `a`")
Public Release
2019-11-19 17:00:20 +00:00
upgrade to yaml.v3 (#1148) * upgrade to yaml.v3 The main nice fix here is that maps unmarshal into `map[string]any` instead of `map[any]any`, so it cleans things up a bit. * add config.AsBool Since yaml.v3 doesn't automatically convert yes to bool now, for backwards compat * use type aliases for m * more cleanup * more cleanup * more cleanup * go mod cleanup
2025-03-31 16:08:34 -04:00
conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{"port": "a", "host": "testh"}}}
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
_, err = NewFirewallFromConfig(l, cs, conf)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.EqualError(t, err, "firewall.outbound rule #0; port was not a number; `a`")
Public Release
2019-11-19 17:00:20 +00:00
// Test proto error
Rework some things into packages (#489)
2021-11-03 20:54:04 -05:00
conf = config.NewC(l)
upgrade to yaml.v3 (#1148) * upgrade to yaml.v3 The main nice fix here is that maps unmarshal into `map[string]any` instead of `map[any]any`, so it cleans things up a bit. * add config.AsBool Since yaml.v3 doesn't automatically convert yes to bool now, for backwards compat * use type aliases for m * more cleanup * more cleanup * more cleanup * go mod cleanup
2025-03-31 16:08:34 -04:00
conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{"code": "1", "host": "testh"}}}
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
_, err = NewFirewallFromConfig(l, cs, conf)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.EqualError(t, err, "firewall.outbound rule #0; proto was not understood; ``")
Public Release
2019-11-19 17:00:20 +00:00
// Test cidr parse error
Rework some things into packages (#489)
2021-11-03 20:54:04 -05:00
conf = config.NewC(l)
upgrade to yaml.v3 (#1148) * upgrade to yaml.v3 The main nice fix here is that maps unmarshal into `map[string]any` instead of `map[any]any`, so it cleans things up a bit. * add config.AsBool Since yaml.v3 doesn't automatically convert yes to bool now, for backwards compat * use type aliases for m * more cleanup * more cleanup * more cleanup * go mod cleanup
2025-03-31 16:08:34 -04:00
conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{"code": "1", "cidr": "testh", "proto": "any"}}}
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
_, err = NewFirewallFromConfig(l, cs, conf)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.EqualError(t, err, "firewall.outbound rule #0; cidr did not parse; netip.ParsePrefix(\"testh\"): no '/'")
Public Release
2019-11-19 17:00:20 +00:00
Add destination CIDR checking (#507)
2023-05-09 16:37:23 +01:00
// Test local_cidr parse error
conf = config.NewC(l)
upgrade to yaml.v3 (#1148) * upgrade to yaml.v3 The main nice fix here is that maps unmarshal into `map[string]any` instead of `map[any]any`, so it cleans things up a bit. * add config.AsBool Since yaml.v3 doesn't automatically convert yes to bool now, for backwards compat * use type aliases for m * more cleanup * more cleanup * more cleanup * go mod cleanup
2025-03-31 16:08:34 -04:00
conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{"code": "1", "local_cidr": "testh", "proto": "any"}}}
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
_, err = NewFirewallFromConfig(l, cs, conf)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.EqualError(t, err, "firewall.outbound rule #0; local_cidr did not parse; netip.ParsePrefix(\"testh\"): no '/'")
Add destination CIDR checking (#507)
2023-05-09 16:37:23 +01:00
Public Release
2019-11-19 17:00:20 +00:00
// Test both group and groups
Rework some things into packages (#489)
2021-11-03 20:54:04 -05:00
conf = config.NewC(l)
upgrade to yaml.v3 (#1148) * upgrade to yaml.v3 The main nice fix here is that maps unmarshal into `map[string]any` instead of `map[any]any`, so it cleans things up a bit. * add config.AsBool Since yaml.v3 doesn't automatically convert yes to bool now, for backwards compat * use type aliases for m * more cleanup * more cleanup * more cleanup * go mod cleanup
2025-03-31 16:08:34 -04:00
conf.Settings["firewall"] = map[string]any{"inbound": []any{map[string]any{"port": "1", "proto": "any", "group": "a", "groups": []string{"b", "c"}}}}
V2 certificate format (#1216) Co-authored-by: Nate Brown <nbrown.us@gmail.com> Co-authored-by: Jack Doan <jackdoan@rivian.com> Co-authored-by: brad-defined <77982333+brad-defined@users.noreply.github.com> Co-authored-by: Jack Doan <me@jackdoan.com>
2025-03-06 11:28:26 -06:00
_, err = NewFirewallFromConfig(l, cs, conf)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.EqualError(t, err, "firewall.inbound rule #0; only one of group or groups should be defined, both provided")
Public Release
2019-11-19 17:00:20 +00:00
}
func TestAddFirewallRulesFromConfig(t *testing.T) {
Move util to test, contextual errors to util (#575)
2021-11-10 21:47:38 -06:00
l := test.NewLogger()
Public Release
2019-11-19 17:00:20 +00:00
// Test adding tcp rule
Rework some things into packages (#489)
2021-11-03 20:54:04 -05:00
conf := config.NewC(l)
Public Release
2019-11-19 17:00:20 +00:00
mf := &mockFirewall{}
upgrade to yaml.v3 (#1148) * upgrade to yaml.v3 The main nice fix here is that maps unmarshal into `map[string]any` instead of `map[any]any`, so it cleans things up a bit. * add config.AsBool Since yaml.v3 doesn't automatically convert yes to bool now, for backwards compat * use type aliases for m * more cleanup * more cleanup * more cleanup * go mod cleanup
2025-03-31 16:08:34 -04:00
conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{"port": "1", "proto": "tcp", "host": "a"}}}
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, AddFirewallRulesFromConfig(l, false, conf, mf))
Switch most everything to netip in prep for ipv6 in the overlay (#1173)
2024-07-31 10:18:56 -05:00
assert.Equal(t, addRuleCall{incoming: false, proto: firewall.ProtoTCP, startPort: 1, endPort: 1, groups: nil, host: "a", ip: netip.Prefix{}, localIp: netip.Prefix{}}, mf.lastCall)
Public Release
2019-11-19 17:00:20 +00:00
// Test adding udp rule
Rework some things into packages (#489)
2021-11-03 20:54:04 -05:00
conf = config.NewC(l)
Public Release
2019-11-19 17:00:20 +00:00
mf = &mockFirewall{}
upgrade to yaml.v3 (#1148) * upgrade to yaml.v3 The main nice fix here is that maps unmarshal into `map[string]any` instead of `map[any]any`, so it cleans things up a bit. * add config.AsBool Since yaml.v3 doesn't automatically convert yes to bool now, for backwards compat * use type aliases for m * more cleanup * more cleanup * more cleanup * go mod cleanup
2025-03-31 16:08:34 -04:00
conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{"port": "1", "proto": "udp", "host": "a"}}}
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, AddFirewallRulesFromConfig(l, false, conf, mf))
Switch most everything to netip in prep for ipv6 in the overlay (#1173)
2024-07-31 10:18:56 -05:00
assert.Equal(t, addRuleCall{incoming: false, proto: firewall.ProtoUDP, startPort: 1, endPort: 1, groups: nil, host: "a", ip: netip.Prefix{}, localIp: netip.Prefix{}}, mf.lastCall)
Public Release
2019-11-19 17:00:20 +00:00
// Test adding icmp rule
Rework some things into packages (#489)
2021-11-03 20:54:04 -05:00
conf = config.NewC(l)
Public Release
2019-11-19 17:00:20 +00:00
mf = &mockFirewall{}
upgrade to yaml.v3 (#1148) * upgrade to yaml.v3 The main nice fix here is that maps unmarshal into `map[string]any` instead of `map[any]any`, so it cleans things up a bit. * add config.AsBool Since yaml.v3 doesn't automatically convert yes to bool now, for backwards compat * use type aliases for m * more cleanup * more cleanup * more cleanup * go mod cleanup
2025-03-31 16:08:34 -04:00
conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{"port": "1", "proto": "icmp", "host": "a"}}}
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, AddFirewallRulesFromConfig(l, false, conf, mf))
Switch most everything to netip in prep for ipv6 in the overlay (#1173)
2024-07-31 10:18:56 -05:00
assert.Equal(t, addRuleCall{incoming: false, proto: firewall.ProtoICMP, startPort: 1, endPort: 1, groups: nil, host: "a", ip: netip.Prefix{}, localIp: netip.Prefix{}}, mf.lastCall)
Public Release
2019-11-19 17:00:20 +00:00
// Test adding any rule
Rework some things into packages (#489)
2021-11-03 20:54:04 -05:00
conf = config.NewC(l)
Public Release
2019-11-19 17:00:20 +00:00
mf = &mockFirewall{}
upgrade to yaml.v3 (#1148) * upgrade to yaml.v3 The main nice fix here is that maps unmarshal into `map[string]any` instead of `map[any]any`, so it cleans things up a bit. * add config.AsBool Since yaml.v3 doesn't automatically convert yes to bool now, for backwards compat * use type aliases for m * more cleanup * more cleanup * more cleanup * go mod cleanup
2025-03-31 16:08:34 -04:00
conf.Settings["firewall"] = map[string]any{"inbound": []any{map[string]any{"port": "1", "proto": "any", "host": "a"}}}
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, AddFirewallRulesFromConfig(l, true, conf, mf))
Switch most everything to netip in prep for ipv6 in the overlay (#1173)
2024-07-31 10:18:56 -05:00
assert.Equal(t, addRuleCall{incoming: true, proto: firewall.ProtoAny, startPort: 1, endPort: 1, groups: nil, host: "a", ip: netip.Prefix{}, localIp: netip.Prefix{}}, mf.lastCall)
Add destination CIDR checking (#507)
2023-05-09 16:37:23 +01:00
// Test adding rule with cidr
Switch most everything to netip in prep for ipv6 in the overlay (#1173)
2024-07-31 10:18:56 -05:00
cidr := netip.MustParsePrefix("10.0.0.0/8")
Add destination CIDR checking (#507)
2023-05-09 16:37:23 +01:00
conf = config.NewC(l)
mf = &mockFirewall{}
upgrade to yaml.v3 (#1148) * upgrade to yaml.v3 The main nice fix here is that maps unmarshal into `map[string]any` instead of `map[any]any`, so it cleans things up a bit. * add config.AsBool Since yaml.v3 doesn't automatically convert yes to bool now, for backwards compat * use type aliases for m * more cleanup * more cleanup * more cleanup * go mod cleanup
2025-03-31 16:08:34 -04:00
conf.Settings["firewall"] = map[string]any{"inbound": []any{map[string]any{"port": "1", "proto": "any", "cidr": cidr.String()}}}
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, AddFirewallRulesFromConfig(l, true, conf, mf))
Switch most everything to netip in prep for ipv6 in the overlay (#1173)
2024-07-31 10:18:56 -05:00
assert.Equal(t, addRuleCall{incoming: true, proto: firewall.ProtoAny, startPort: 1, endPort: 1, groups: nil, ip: cidr, localIp: netip.Prefix{}}, mf.lastCall)
Add destination CIDR checking (#507)
2023-05-09 16:37:23 +01:00
// Test adding rule with local_cidr
conf = config.NewC(l)
mf = &mockFirewall{}
upgrade to yaml.v3 (#1148) * upgrade to yaml.v3 The main nice fix here is that maps unmarshal into `map[string]any` instead of `map[any]any`, so it cleans things up a bit. * add config.AsBool Since yaml.v3 doesn't automatically convert yes to bool now, for backwards compat * use type aliases for m * more cleanup * more cleanup * more cleanup * go mod cleanup
2025-03-31 16:08:34 -04:00
conf.Settings["firewall"] = map[string]any{"inbound": []any{map[string]any{"port": "1", "proto": "any", "local_cidr": cidr.String()}}}
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, AddFirewallRulesFromConfig(l, true, conf, mf))
Switch most everything to netip in prep for ipv6 in the overlay (#1173)
2024-07-31 10:18:56 -05:00
assert.Equal(t, addRuleCall{incoming: true, proto: firewall.ProtoAny, startPort: 1, endPort: 1, groups: nil, ip: netip.Prefix{}, localIp: cidr}, mf.lastCall)
Public Release
2019-11-19 17:00:20 +00:00
// Test adding rule with ca_sha
Rework some things into packages (#489)
2021-11-03 20:54:04 -05:00
conf = config.NewC(l)
Public Release
2019-11-19 17:00:20 +00:00
mf = &mockFirewall{}
upgrade to yaml.v3 (#1148) * upgrade to yaml.v3 The main nice fix here is that maps unmarshal into `map[string]any` instead of `map[any]any`, so it cleans things up a bit. * add config.AsBool Since yaml.v3 doesn't automatically convert yes to bool now, for backwards compat * use type aliases for m * more cleanup * more cleanup * more cleanup * go mod cleanup
2025-03-31 16:08:34 -04:00
conf.Settings["firewall"] = map[string]any{"inbound": []any{map[string]any{"port": "1", "proto": "any", "ca_sha": "12312313123"}}}
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, AddFirewallRulesFromConfig(l, true, conf, mf))
Switch most everything to netip in prep for ipv6 in the overlay (#1173)
2024-07-31 10:18:56 -05:00
assert.Equal(t, addRuleCall{incoming: true, proto: firewall.ProtoAny, startPort: 1, endPort: 1, groups: nil, ip: netip.Prefix{}, localIp: netip.Prefix{}, caSha: "12312313123"}, mf.lastCall)
Public Release
2019-11-19 17:00:20 +00:00
// Test adding rule with ca_name
Rework some things into packages (#489)
2021-11-03 20:54:04 -05:00
conf = config.NewC(l)
Public Release
2019-11-19 17:00:20 +00:00
mf = &mockFirewall{}
upgrade to yaml.v3 (#1148) * upgrade to yaml.v3 The main nice fix here is that maps unmarshal into `map[string]any` instead of `map[any]any`, so it cleans things up a bit. * add config.AsBool Since yaml.v3 doesn't automatically convert yes to bool now, for backwards compat * use type aliases for m * more cleanup * more cleanup * more cleanup * go mod cleanup
2025-03-31 16:08:34 -04:00
conf.Settings["firewall"] = map[string]any{"inbound": []any{map[string]any{"port": "1", "proto": "any", "ca_name": "root01"}}}
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, AddFirewallRulesFromConfig(l, true, conf, mf))
Switch most everything to netip in prep for ipv6 in the overlay (#1173)
2024-07-31 10:18:56 -05:00
assert.Equal(t, addRuleCall{incoming: true, proto: firewall.ProtoAny, startPort: 1, endPort: 1, groups: nil, ip: netip.Prefix{}, localIp: netip.Prefix{}, caName: "root01"}, mf.lastCall)
Public Release
2019-11-19 17:00:20 +00:00
// Test single group
Rework some things into packages (#489)
2021-11-03 20:54:04 -05:00
conf = config.NewC(l)
Public Release
2019-11-19 17:00:20 +00:00
mf = &mockFirewall{}
upgrade to yaml.v3 (#1148) * upgrade to yaml.v3 The main nice fix here is that maps unmarshal into `map[string]any` instead of `map[any]any`, so it cleans things up a bit. * add config.AsBool Since yaml.v3 doesn't automatically convert yes to bool now, for backwards compat * use type aliases for m * more cleanup * more cleanup * more cleanup * go mod cleanup
2025-03-31 16:08:34 -04:00
conf.Settings["firewall"] = map[string]any{"inbound": []any{map[string]any{"port": "1", "proto": "any", "group": "a"}}}
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, AddFirewallRulesFromConfig(l, true, conf, mf))
Switch most everything to netip in prep for ipv6 in the overlay (#1173)
2024-07-31 10:18:56 -05:00
assert.Equal(t, addRuleCall{incoming: true, proto: firewall.ProtoAny, startPort: 1, endPort: 1, groups: []string{"a"}, ip: netip.Prefix{}, localIp: netip.Prefix{}}, mf.lastCall)
Public Release
2019-11-19 17:00:20 +00:00
// Test single groups
Rework some things into packages (#489)
2021-11-03 20:54:04 -05:00
conf = config.NewC(l)
Public Release
2019-11-19 17:00:20 +00:00
mf = &mockFirewall{}
upgrade to yaml.v3 (#1148) * upgrade to yaml.v3 The main nice fix here is that maps unmarshal into `map[string]any` instead of `map[any]any`, so it cleans things up a bit. * add config.AsBool Since yaml.v3 doesn't automatically convert yes to bool now, for backwards compat * use type aliases for m * more cleanup * more cleanup * more cleanup * go mod cleanup
2025-03-31 16:08:34 -04:00
conf.Settings["firewall"] = map[string]any{"inbound": []any{map[string]any{"port": "1", "proto": "any", "groups": "a"}}}
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, AddFirewallRulesFromConfig(l, true, conf, mf))
Switch most everything to netip in prep for ipv6 in the overlay (#1173)
2024-07-31 10:18:56 -05:00
assert.Equal(t, addRuleCall{incoming: true, proto: firewall.ProtoAny, startPort: 1, endPort: 1, groups: []string{"a"}, ip: netip.Prefix{}, localIp: netip.Prefix{}}, mf.lastCall)
Public Release
2019-11-19 17:00:20 +00:00
// Test multiple AND groups
Rework some things into packages (#489)
2021-11-03 20:54:04 -05:00
conf = config.NewC(l)
Public Release
2019-11-19 17:00:20 +00:00
mf = &mockFirewall{}
upgrade to yaml.v3 (#1148) * upgrade to yaml.v3 The main nice fix here is that maps unmarshal into `map[string]any` instead of `map[any]any`, so it cleans things up a bit. * add config.AsBool Since yaml.v3 doesn't automatically convert yes to bool now, for backwards compat * use type aliases for m * more cleanup * more cleanup * more cleanup * go mod cleanup
2025-03-31 16:08:34 -04:00
conf.Settings["firewall"] = map[string]any{"inbound": []any{map[string]any{"port": "1", "proto": "any", "groups": []string{"a", "b"}}}}
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, AddFirewallRulesFromConfig(l, true, conf, mf))
Switch most everything to netip in prep for ipv6 in the overlay (#1173)
2024-07-31 10:18:56 -05:00
assert.Equal(t, addRuleCall{incoming: true, proto: firewall.ProtoAny, startPort: 1, endPort: 1, groups: []string{"a", "b"}, ip: netip.Prefix{}, localIp: netip.Prefix{}}, mf.lastCall)
Public Release
2019-11-19 17:00:20 +00:00
// Test Add error
Rework some things into packages (#489)
2021-11-03 20:54:04 -05:00
conf = config.NewC(l)
Public Release
2019-11-19 17:00:20 +00:00
mf = &mockFirewall{}
mf.nextCallReturn = errors.New("test error")
upgrade to yaml.v3 (#1148) * upgrade to yaml.v3 The main nice fix here is that maps unmarshal into `map[string]any` instead of `map[any]any`, so it cleans things up a bit. * add config.AsBool Since yaml.v3 doesn't automatically convert yes to bool now, for backwards compat * use type aliases for m * more cleanup * more cleanup * more cleanup * go mod cleanup
2025-03-31 16:08:34 -04:00
conf.Settings["firewall"] = map[string]any{"inbound": []any{map[string]any{"port": "1", "proto": "any", "host": "a"}}}
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.EqualError(t, AddFirewallRulesFromConfig(l, true, conf, mf), "firewall.inbound rule #0; `test error`")
Public Release
2019-11-19 17:00:20 +00:00
}
Detect group array usage and try to be kind
2019-12-13 13:45:21 -08:00
func TestFirewall_convertRule(t *testing.T) {
Move util to test, contextual errors to util (#575)
2021-11-10 21:47:38 -06:00
l := test.NewLogger()
Detect group array usage and try to be kind
2019-12-13 13:45:21 -08:00
ob := &bytes.Buffer{}
l.SetOutput(ob)
// Ensure group array of 1 is converted and a warning is printed
upgrade to yaml.v3 (#1148) * upgrade to yaml.v3 The main nice fix here is that maps unmarshal into `map[string]any` instead of `map[any]any`, so it cleans things up a bit. * add config.AsBool Since yaml.v3 doesn't automatically convert yes to bool now, for backwards compat * use type aliases for m * more cleanup * more cleanup * more cleanup * go mod cleanup
2025-03-31 16:08:34 -04:00
c := map[string]any{
"group": []any{"group1"},
Detect group array usage and try to be kind
2019-12-13 13:45:21 -08:00
}
Don't use a global logger (#423)
2021-03-26 09:46:30 -05:00
r, err := convertRule(l, c, "test", 1)
Detect group array usage and try to be kind
2019-12-13 13:45:21 -08:00
assert.Contains(t, ob.String(), "test rule #1; group was an array with a single value, converting to simple value")
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, err)
Detect group array usage and try to be kind
2019-12-13 13:45:21 -08:00
assert.Equal(t, "group1", r.Group)
// Ensure group array of > 1 is errord
ob.Reset()
upgrade to yaml.v3 (#1148) * upgrade to yaml.v3 The main nice fix here is that maps unmarshal into `map[string]any` instead of `map[any]any`, so it cleans things up a bit. * add config.AsBool Since yaml.v3 doesn't automatically convert yes to bool now, for backwards compat * use type aliases for m * more cleanup * more cleanup * more cleanup * go mod cleanup
2025-03-31 16:08:34 -04:00
c = map[string]any{
"group": []any{"group1", "group2"},
Detect group array usage and try to be kind
2019-12-13 13:45:21 -08:00
}
Don't use a global logger (#423)
2021-03-26 09:46:30 -05:00
r, err = convertRule(l, c, "test", 1)
Detect group array usage and try to be kind
2019-12-13 13:45:21 -08:00
assert.Equal(t, "", ob.String())
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.Error(t, err, "group should contain a single value, an array with more than one entry was provided")
Detect group array usage and try to be kind
2019-12-13 13:45:21 -08:00
// Make sure a well formed group is alright
ob.Reset()
upgrade to yaml.v3 (#1148) * upgrade to yaml.v3 The main nice fix here is that maps unmarshal into `map[string]any` instead of `map[any]any`, so it cleans things up a bit. * add config.AsBool Since yaml.v3 doesn't automatically convert yes to bool now, for backwards compat * use type aliases for m * more cleanup * more cleanup * more cleanup * go mod cleanup
2025-03-31 16:08:34 -04:00
c = map[string]any{
Detect group array usage and try to be kind
2019-12-13 13:45:21 -08:00
"group": "group1",
}
Don't use a global logger (#423)
2021-03-26 09:46:30 -05:00
r, err = convertRule(l, c, "test", 1)
Enable running testifylint in CI (#1350)
2025-03-10 17:38:14 -05:00
require.NoError(t, err)
Detect group array usage and try to be kind
2019-12-13 13:45:21 -08:00
assert.Equal(t, "group1", r.Group)
}
Public Release
2019-11-19 17:00:20 +00:00
type addRuleCall struct {
incoming bool
proto uint8
startPort int32
endPort int32
groups []string
host string
Switch most everything to netip in prep for ipv6 in the overlay (#1173)
2024-07-31 10:18:56 -05:00
ip netip.Prefix
localIp netip.Prefix
Public Release
2019-11-19 17:00:20 +00:00
caName string
caSha string
}
type mockFirewall struct {
lastCall addRuleCall
nextCallReturn error
}
Switch most everything to netip in prep for ipv6 in the overlay (#1173)
2024-07-31 10:18:56 -05:00
func (mf *mockFirewall) AddRule(incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, ip netip.Prefix, localIp netip.Prefix, caName string, caSha string) error {
Public Release
2019-11-19 17:00:20 +00:00
mf.lastCall = addRuleCall{
incoming: incoming,
proto: proto,
startPort: startPort,
endPort: endPort,
groups: groups,
host: host,
ip: ip,
Add destination CIDR checking (#507)
2023-05-09 16:37:23 +01:00
localIp: localIp,
Public Release
2019-11-19 17:00:20 +00:00
caName: caName,
caSha: caSha,
}
err := mf.nextCallReturn
mf.nextCallReturn = nil
return err
}
Actual fix for the real issue with tests
2019-12-18 21:23:34 -08:00
func resetConntrack(fw *Firewall) {
Preserve conntrack table during firewall rules reload (SIGHUP) (#233) Currently, we drop the conntrack table when firewall rules change during a SIGHUP reload. This means responses to inflight HTTP requests can be dropped, among other issues. This change copies the conntrack table over to the new firewall (it holds the conntrack mutex lock during this process, to be safe). This change also records which firewall rules hash each conntrack entry used, so that we can re-verify the rules after the new firewall has been loaded.
2020-07-31 18:53:36 -04:00
fw.Conntrack.Lock()
Rework some things into packages (#489)
2021-11-03 20:54:04 -05:00
fw.Conntrack.Conns = map[firewall.Packet]*conn{}
Preserve conntrack table during firewall rules reload (SIGHUP) (#233) Currently, we drop the conntrack table when firewall rules change during a SIGHUP reload. This means responses to inflight HTTP requests can be dropped, among other issues. This change copies the conntrack table over to the new firewall (it holds the conntrack mutex lock during this process, to be safe). This change also records which firewall rules hash each conntrack entry used, so that we can re-verify the rules after the new firewall has been loaded.
2020-07-31 18:53:36 -04:00
fw.Conntrack.Unlock()
Actual fix for the real issue with tests
2019-12-18 21:23:34 -08:00
}
Reference in a new issue Copy permalink