(t *testing.T)
| 102 | } |
| 103 | |
| 104 | func TestFilter(t *testing.T) { |
| 105 | filt := newFilter(t.Logf) |
| 106 | |
| 107 | ipWithCap := netip.MustParseAddr("10.0.0.1") |
| 108 | ipWithoutCap := netip.MustParseAddr("10.0.0.2") |
| 109 | filt.srcIPHasCap = func(ip netip.Addr, cap tailcfg.NodeCapability) bool { |
| 110 | return cap == "cap-hit-1234-ssh" && ip == ipWithCap |
| 111 | } |
| 112 | |
| 113 | type InOut struct { |
| 114 | want Response |
| 115 | p packet.Parsed |
| 116 | } |
| 117 | tests := []InOut{ |
| 118 | // allow 8.1.1.1 => 1.2.3.4:22 |
| 119 | {Accept, parsed(ipproto.TCP, "8.1.1.1", "1.2.3.4", 999, 22)}, |
| 120 | {Accept, parsed(ipproto.ICMPv4, "8.1.1.1", "1.2.3.4", 0, 0)}, |
| 121 | {Drop, parsed(ipproto.TCP, "8.1.1.1", "1.2.3.4", 0, 0)}, |
| 122 | {Accept, parsed(ipproto.TCP, "8.1.1.1", "1.2.3.4", 0, 22)}, |
| 123 | {Drop, parsed(ipproto.TCP, "8.1.1.1", "1.2.3.4", 0, 21)}, |
| 124 | // allow 8.2.2.2. => 1.2.3.4:22 |
| 125 | {Accept, parsed(ipproto.TCP, "8.2.2.2", "1.2.3.4", 0, 22)}, |
| 126 | {Drop, parsed(ipproto.TCP, "8.2.2.2", "1.2.3.4", 0, 23)}, |
| 127 | {Drop, parsed(ipproto.TCP, "8.3.3.3", "1.2.3.4", 0, 22)}, |
| 128 | // allow 8.1.1.1 => 5.6.7.8:23-24 |
| 129 | {Accept, parsed(ipproto.TCP, "8.1.1.1", "5.6.7.8", 0, 23)}, |
| 130 | {Accept, parsed(ipproto.TCP, "8.1.1.1", "5.6.7.8", 0, 24)}, |
| 131 | {Drop, parsed(ipproto.TCP, "8.1.1.3", "5.6.7.8", 0, 24)}, |
| 132 | {Drop, parsed(ipproto.TCP, "8.1.1.1", "5.6.7.8", 0, 22)}, |
| 133 | // allow * => *:443 |
| 134 | {Accept, parsed(ipproto.TCP, "17.34.51.68", "8.1.34.51", 0, 443)}, |
| 135 | {Drop, parsed(ipproto.TCP, "17.34.51.68", "8.1.34.51", 0, 444)}, |
| 136 | // allow * => 100.122.98.50:* |
| 137 | {Accept, parsed(ipproto.TCP, "17.34.51.68", "100.122.98.50", 0, 999)}, |
| 138 | {Accept, parsed(ipproto.TCP, "17.34.51.68", "100.122.98.50", 0, 0)}, |
| 139 | |
| 140 | // allow ::1, ::2 => [2001::1]:22 |
| 141 | {Accept, parsed(ipproto.TCP, "::1", "2001::1", 0, 22)}, |
| 142 | {Accept, parsed(ipproto.ICMPv6, "::1", "2001::1", 0, 0)}, |
| 143 | {Accept, parsed(ipproto.TCP, "::2", "2001::1", 0, 22)}, |
| 144 | {Accept, parsed(ipproto.TCP, "::2", "2001::2", 0, 22)}, |
| 145 | {Drop, parsed(ipproto.TCP, "::1", "2001::1", 0, 23)}, |
| 146 | {Drop, parsed(ipproto.TCP, "::1", "2001::3", 0, 22)}, |
| 147 | {Drop, parsed(ipproto.TCP, "::3", "2001::1", 0, 22)}, |
| 148 | // allow * => *:443 |
| 149 | {Accept, parsed(ipproto.TCP, "::1", "2001::1", 0, 443)}, |
| 150 | {Drop, parsed(ipproto.TCP, "::1", "2001::1", 0, 444)}, |
| 151 | |
| 152 | // localNets prefilter - accepted by policy filter, but |
| 153 | // unexpected dst IP. |
| 154 | {Drop, parsed(ipproto.TCP, "8.1.1.1", "16.32.48.64", 0, 443)}, |
| 155 | {Drop, parsed(ipproto.TCP, "1::", "2602::1", 0, 443)}, |
| 156 | |
| 157 | // Don't allow protocols not specified by filter |
| 158 | {Drop, parsed(ipproto.SCTP, "8.1.1.1", "1.2.3.4", 999, 22)}, |
| 159 | // But SCTP is allowed for 9.1.1.1 |
| 160 | {Accept, parsed(ipproto.SCTP, "9.1.1.1", "1.2.3.4", 999, 22)}, |
| 161 |