hub / github.com/tailscale/tailscale / TestFilter

Function TestFilter

wgengine/filter/filter_test.go:104–197  ·  view source on GitHub ↗
(t *testing.T)

Source from the content-addressed store, hash-verified

102}
103
104func TestFilter(t *testing.T) {
105 filt := newFilter(t.Logf)
106
107 ipWithCap := netip.MustParseAddr("10.0.0.1")
108 ipWithoutCap := netip.MustParseAddr("10.0.0.2")
109 filt.srcIPHasCap = func(ip netip.Addr, cap tailcfg.NodeCapability) bool {
110 return cap == "cap-hit-1234-ssh" && ip == ipWithCap
111 }
112
113 type InOut struct {
114 want Response
115 p packet.Parsed
116 }
117 tests := []InOut{
118 // allow 8.1.1.1 => 1.2.3.4:22
119 {Accept, parsed(ipproto.TCP, "8.1.1.1", "1.2.3.4", 999, 22)},
120 {Accept, parsed(ipproto.ICMPv4, "8.1.1.1", "1.2.3.4", 0, 0)},
121 {Drop, parsed(ipproto.TCP, "8.1.1.1", "1.2.3.4", 0, 0)},
122 {Accept, parsed(ipproto.TCP, "8.1.1.1", "1.2.3.4", 0, 22)},
123 {Drop, parsed(ipproto.TCP, "8.1.1.1", "1.2.3.4", 0, 21)},
124 // allow 8.2.2.2. => 1.2.3.4:22
125 {Accept, parsed(ipproto.TCP, "8.2.2.2", "1.2.3.4", 0, 22)},
126 {Drop, parsed(ipproto.TCP, "8.2.2.2", "1.2.3.4", 0, 23)},
127 {Drop, parsed(ipproto.TCP, "8.3.3.3", "1.2.3.4", 0, 22)},
128 // allow 8.1.1.1 => 5.6.7.8:23-24
129 {Accept, parsed(ipproto.TCP, "8.1.1.1", "5.6.7.8", 0, 23)},
130 {Accept, parsed(ipproto.TCP, "8.1.1.1", "5.6.7.8", 0, 24)},
131 {Drop, parsed(ipproto.TCP, "8.1.1.3", "5.6.7.8", 0, 24)},
132 {Drop, parsed(ipproto.TCP, "8.1.1.1", "5.6.7.8", 0, 22)},
133 // allow * => *:443
134 {Accept, parsed(ipproto.TCP, "17.34.51.68", "8.1.34.51", 0, 443)},
135 {Drop, parsed(ipproto.TCP, "17.34.51.68", "8.1.34.51", 0, 444)},
136 // allow * => 100.122.98.50:*
137 {Accept, parsed(ipproto.TCP, "17.34.51.68", "100.122.98.50", 0, 999)},
138 {Accept, parsed(ipproto.TCP, "17.34.51.68", "100.122.98.50", 0, 0)},
139
140 // allow ::1, ::2 => [2001::1]:22
141 {Accept, parsed(ipproto.TCP, "::1", "2001::1", 0, 22)},
142 {Accept, parsed(ipproto.ICMPv6, "::1", "2001::1", 0, 0)},
143 {Accept, parsed(ipproto.TCP, "::2", "2001::1", 0, 22)},
144 {Accept, parsed(ipproto.TCP, "::2", "2001::2", 0, 22)},
145 {Drop, parsed(ipproto.TCP, "::1", "2001::1", 0, 23)},
146 {Drop, parsed(ipproto.TCP, "::1", "2001::3", 0, 22)},
147 {Drop, parsed(ipproto.TCP, "::3", "2001::1", 0, 22)},
148 // allow * => *:443
149 {Accept, parsed(ipproto.TCP, "::1", "2001::1", 0, 443)},
150 {Drop, parsed(ipproto.TCP, "::1", "2001::1", 0, 444)},
151
152 // localNets prefilter - accepted by policy filter, but
153 // unexpected dst IP.
154 {Drop, parsed(ipproto.TCP, "8.1.1.1", "16.32.48.64", 0, 443)},
155 {Drop, parsed(ipproto.TCP, "1::", "2602::1", 0, 443)},
156
157 // Don't allow protocols not specified by filter
158 {Drop, parsed(ipproto.SCTP, "8.1.1.1", "1.2.3.4", 999, 22)},
159 // But SCTP is allowed for 9.1.1.1
160 {Accept, parsed(ipproto.SCTP, "9.1.1.1", "1.2.3.4", 999, 22)},
161

Callers

nothing calls this directly

Calls 9

newFilterFunction · 0.85
RunInMethod · 0.80
CheckTCPMethod · 0.80
runOutMethod · 0.80
parsedFunction · 0.70
StringMethod · 0.65
ErrorfMethod · 0.65
AddrMethod · 0.45
PortMethod · 0.45

Tested by

no test coverage detected
