policy: more reduce route test
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
parent
399e832ca1
commit
9aaa458ac6
@ -1,6 +1,7 @@
|
|||||||
package policy
|
package policy
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
"net/netip"
|
"net/netip"
|
||||||
"testing"
|
"testing"
|
||||||
@ -16,6 +17,7 @@ import (
|
|||||||
"gorm.io/gorm"
|
"gorm.io/gorm"
|
||||||
"tailscale.com/net/tsaddr"
|
"tailscale.com/net/tsaddr"
|
||||||
"tailscale.com/tailcfg"
|
"tailscale.com/tailcfg"
|
||||||
|
"tailscale.com/util/must"
|
||||||
)
|
)
|
||||||
|
|
||||||
var ap = func(ipStr string) *netip.Addr {
|
var ap = func(ipStr string) *netip.Addr {
|
||||||
@ -23,6 +25,11 @@ var ap = func(ipStr string) *netip.Addr {
|
|||||||
return &ip
|
return &ip
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var p = func(prefStr string) netip.Prefix {
|
||||||
|
ip := netip.MustParsePrefix(prefStr)
|
||||||
|
return ip
|
||||||
|
}
|
||||||
|
|
||||||
// hsExitNodeDestForTest is the list of destination IP ranges that are allowed when
|
// hsExitNodeDestForTest is the list of destination IP ranges that are allowed when
|
||||||
// we use headscale "autogroup:internet".
|
// we use headscale "autogroup:internet".
|
||||||
var hsExitNodeDestForTest = []tailcfg.NetPortRange{
|
var hsExitNodeDestForTest = []tailcfg.NetPortRange{
|
||||||
@ -762,6 +769,54 @@ func TestReduceFilterRules(t *testing.T) {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "2365-only-route-policy",
|
||||||
|
pol: `
|
||||||
|
{
|
||||||
|
"hosts": {
|
||||||
|
"router": "100.64.0.1/32",
|
||||||
|
"node": "100.64.0.2/32"
|
||||||
|
},
|
||||||
|
"acls": [
|
||||||
|
{
|
||||||
|
"action": "accept",
|
||||||
|
"src": [
|
||||||
|
"*"
|
||||||
|
],
|
||||||
|
"dst": [
|
||||||
|
"router:8000"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"action": "accept",
|
||||||
|
"src": [
|
||||||
|
"node"
|
||||||
|
],
|
||||||
|
"dst": [
|
||||||
|
"172.26.0.0/16:*"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
}
|
||||||
|
`,
|
||||||
|
node: &types.Node{
|
||||||
|
IPv4: ap("100.64.0.2"),
|
||||||
|
IPv6: ap("fd7a:115c:a1e0::2"),
|
||||||
|
User: users[3],
|
||||||
|
},
|
||||||
|
peers: types.Nodes{
|
||||||
|
&types.Node{
|
||||||
|
IPv4: ap("100.64.0.1"),
|
||||||
|
IPv6: ap("fd7a:115c:a1e0::1"),
|
||||||
|
User: users[1],
|
||||||
|
Hostinfo: &tailcfg.Hostinfo{
|
||||||
|
RoutableIPs: []netip.Prefix{p("172.16.0.0/24"), p("10.10.11.0/24"), p("10.10.12.0/24")},
|
||||||
|
},
|
||||||
|
ApprovedRoutes: []netip.Prefix{p("172.16.0.0/24"), p("10.10.11.0/24"), p("10.10.12.0/24")},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
want: []tailcfg.FilterRule{},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, tt := range tests {
|
for _, tt := range tests {
|
||||||
@ -773,6 +828,7 @@ func TestReduceFilterRules(t *testing.T) {
|
|||||||
pm, err = pmf(users, append(tt.peers, tt.node))
|
pm, err = pmf(users, append(tt.peers, tt.node))
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
got, _ := pm.Filter()
|
got, _ := pm.Filter()
|
||||||
|
t.Logf("full filter:\n%s", must.Get(json.MarshalIndent(got, "", " ")))
|
||||||
got = ReduceFilterRules(tt.node, got)
|
got = ReduceFilterRules(tt.node, got)
|
||||||
|
|
||||||
if diff := cmp.Diff(tt.want, got); diff != "" {
|
if diff := cmp.Diff(tt.want, got); diff != "" {
|
||||||
|
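Review bot: The new `2365-only-route-policy` case reduces the filter only for `node` (100.64.0.2), so the `RoutableIPs`/`ApprovedRoutes` set on the router peer never reach `ReduceFilterRules(tt.node, got)`, and as far as the visible lines show, `want: []tailcfg.FilterRule{}` would hold with or without them. The ACL destination `172.26.0.0/16:*` also overlaps none of the approved routes (`172.16.0.0/24`, `10.10.11.0/24`, `10.10.12.0/24`); if that is intended, a comment such as `// dst 172.26.0.0/16 is deliberately not covered by any approved route` would stop it being read as a typo for 172.16. A sibling case with the router as `node` would pin the part that matters for access control: presumably the router keeps the `router:8000` rule and receives nothing for a prefix it does not route. Separately, the added `t.Logf(... must.Get(json.MarshalIndent(...)))` panics on a marshal error instead of failing the subtest, and the adjacent `got, _ := pm.Filter()` drops its second return value. The test table and `TestReduceFilterRules` begin and end outside the hunks shown.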