TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-04-08 09:14:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

ipn/ipnlocal: add test for CapMap packet filters

Browse Source 
Updates tailscale/corp#20514

Signed-off-by: James Sanderson <jsanderson@tailscale.com>
This commit is contained in:
James Sanderson 2025-03-07 15:07:00 +00:00 committed by James 'zofrex' Sanderson
parent 3a4b622276
commit 27ef9b666c
1 changed files with 59 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
ipn/ipnlocal/local_test.go
View File

@ -44,6 +44,7 @@ import (
"tailscale.com/tsd" "tailscale.com/tsd"
"tailscale.com/tstest" "tailscale.com/tstest"
"tailscale.com/types/dnstype" "tailscale.com/types/dnstype"
"tailscale.com/types/ipproto"
"tailscale.com/types/key" "tailscale.com/types/key"
"tailscale.com/types/logger" "tailscale.com/types/logger"
"tailscale.com/types/logid" "tailscale.com/types/logid"
@ -60,6 +61,7 @@ import (
"tailscale.com/util/syspolicy/source" "tailscale.com/util/syspolicy/source"
"tailscale.com/wgengine" "tailscale.com/wgengine"
"tailscale.com/wgengine/filter" "tailscale.com/wgengine/filter"
"tailscale.com/wgengine/filter/filtertype"
"tailscale.com/wgengine/wgcfg" "tailscale.com/wgengine/wgcfg"
) )
@ -5206,3 +5208,60 @@ func TestUpdateIngressLocked(t *testing.T) {
}) })
} }
} }
// TestSrcCapPacketFilter tests that LocalBackend handles packet filters with
// SrcCaps instead of Srcs (IPs)
func TestSrcCapPacketFilter(t *testing.T) {
lb := newLocalBackendWithTestControl(t, false, func(tb testing.TB, opts controlclient.Options) controlclient.Client {
return newClient(tb, opts)
})
if err := lb.Start(ipn.Options{}); err != nil {
t.Fatalf("(*LocalBackend).Start(): %v", err)
}
var k key.NodePublic
must.Do(k.UnmarshalText([]byte("nodekey:5c8f86d5fc70d924e55f02446165a5dae8f822994ad26bcf4b08fd841f9bf261")))
controlClient := lb.cc.(*mockControl)
controlClient.send(nil, "", false, &netmap.NetworkMap{
SelfNode: (&tailcfg.Node{
Addresses: []netip.Prefix{netip.MustParsePrefix("1.1.1.1/32")},
}).View(),
Peers: []tailcfg.NodeView{
(&tailcfg.Node{
Addresses: []netip.Prefix{netip.MustParsePrefix("2.2.2.2/32")},
ID: 2,
Key: k,
CapMap: tailcfg.NodeCapMap{"cap-X": nil}, // node 2 has cap
}).View(),
(&tailcfg.Node{
Addresses: []netip.Prefix{netip.MustParsePrefix("3.3.3.3/32")},
ID: 3,
Key: k,
CapMap: tailcfg.NodeCapMap{}, // node 3 does not have the cap
}).View(),
},
PacketFilter: []filtertype.Match{{
IPProto: views.SliceOf([]ipproto.Proto{ipproto.TCP}),
SrcCaps: []tailcfg.NodeCapability{"cap-X"}, // cap in packet filter rule
Dsts: []filtertype.NetPortRange{{
Net: netip.MustParsePrefix("1.1.1.1/32"),
Ports: filtertype.PortRange{
First: 22,
Last: 22,
},
}},
}},
})
f := lb.GetFilterForTest()
res := f.Check(netip.MustParseAddr("2.2.2.2"), netip.MustParseAddr("1.1.1.1"), 22, ipproto.TCP)
if res != filter.Accept {
t.Errorf("Check(2.2.2.2, ...) = %s, want %s", res, filter.Accept)
}
res = f.Check(netip.MustParseAddr("3.3.3.3"), netip.MustParseAddr("1.1.1.1"), 22, ipproto.TCP)
if !res.IsDrop() {
t.Error("IsDrop() for node without cap = false, want true")
}
}