Fix IPv6 in ACLs
This commit is contained in:
parent
725bbd7408
commit
c72401a99b
3 changed files with 63 additions and 1 deletions
|
@ -385,7 +385,13 @@ func (pol *ACLPolicy) getNetPortRangeFromDestination(
|
||||||
maybeIPv6Str := strings.TrimSuffix(dest, ":"+port)
|
maybeIPv6Str := strings.TrimSuffix(dest, ":"+port)
|
||||||
log.Trace().Str("maybeIPv6Str", maybeIPv6Str).Msg("")
|
log.Trace().Str("maybeIPv6Str", maybeIPv6Str).Msg("")
|
||||||
|
|
||||||
if maybeIPv6, err := netip.ParseAddr(maybeIPv6Str); err != nil && !maybeIPv6.Is6() {
|
filteredMaybeIPv6Str := maybeIPv6Str
|
||||||
|
if strings.Contains(maybeIPv6Str, "/") {
|
||||||
|
networkParts := strings.Split(maybeIPv6Str, "/")
|
||||||
|
filteredMaybeIPv6Str = networkParts[0]
|
||||||
|
}
|
||||||
|
|
||||||
|
if maybeIPv6, err := netip.ParseAddr(filteredMaybeIPv6Str); err != nil && !maybeIPv6.Is6() {
|
||||||
log.Trace().Err(err).Msg("trying to parse as IPv6")
|
log.Trace().Err(err).Msg("trying to parse as IPv6")
|
||||||
|
|
||||||
return nil, fmt.Errorf(
|
return nil, fmt.Errorf(
|
||||||
|
|
|
@ -439,6 +439,44 @@ acls:
|
||||||
c.Assert(rules[0].SrcIPs[0], check.Equals, "0.0.0.0/0")
|
c.Assert(rules[0].SrcIPs[0], check.Equals, "0.0.0.0/0")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (s *Suite) TestBasicIpv6YAML(c *check.C) {
|
||||||
|
acl := []byte(`
|
||||||
|
---
|
||||||
|
hosts:
|
||||||
|
host-1: 100.100.100.100/32
|
||||||
|
subnet-1: 100.100.101.100/24
|
||||||
|
acls:
|
||||||
|
- action: accept
|
||||||
|
src:
|
||||||
|
- "*"
|
||||||
|
dst:
|
||||||
|
- 0.0.0.0/0:*
|
||||||
|
- ::/0:*
|
||||||
|
- fd7a:115c:a1e0::2:22
|
||||||
|
`)
|
||||||
|
pol, err := LoadACLPolicyFromBytes(acl, "yaml")
|
||||||
|
c.Assert(err, check.IsNil)
|
||||||
|
c.Assert(pol, check.NotNil)
|
||||||
|
|
||||||
|
rules, err := pol.generateFilterRules(types.Machines{}, false)
|
||||||
|
c.Assert(err, check.IsNil)
|
||||||
|
c.Assert(rules, check.NotNil)
|
||||||
|
|
||||||
|
c.Assert(rules, check.HasLen, 1)
|
||||||
|
c.Assert(rules[0].DstPorts, check.HasLen, 3)
|
||||||
|
c.Assert(rules[0].DstPorts[0].IP, check.Equals, "0.0.0.0/0")
|
||||||
|
c.Assert(rules[0].DstPorts[0].Ports.First, check.Equals, uint16(0))
|
||||||
|
c.Assert(rules[0].DstPorts[0].Ports.Last, check.Equals, uint16(65535))
|
||||||
|
c.Assert(rules[0].DstPorts[1].IP, check.Equals, "::/0")
|
||||||
|
c.Assert(rules[0].DstPorts[1].Ports.First, check.Equals, uint16(0))
|
||||||
|
c.Assert(rules[0].DstPorts[1].Ports.Last, check.Equals, uint16(65535))
|
||||||
|
c.Assert(rules[0].DstPorts[2].IP, check.Equals, "fd7a:115c:a1e0::2/128")
|
||||||
|
c.Assert(rules[0].DstPorts[2].Ports.First, check.Equals, uint16(22))
|
||||||
|
c.Assert(rules[0].DstPorts[2].Ports.Last, check.Equals, uint16(22))
|
||||||
|
c.Assert(rules[0].SrcIPs, check.HasLen, 2)
|
||||||
|
c.Assert(rules[0].SrcIPs[0], check.Equals, "0.0.0.0/0")
|
||||||
|
}
|
||||||
|
|
||||||
func Test_expandGroup(t *testing.T) {
|
func Test_expandGroup(t *testing.T) {
|
||||||
type field struct {
|
type field struct {
|
||||||
pol ACLPolicy
|
pol ACLPolicy
|
||||||
|
|
|
@ -237,6 +237,24 @@ func TestACLHostsInNetMapTable(t *testing.T) {
|
||||||
"user2": 3, // ns1 + ns2 (return path)
|
"user2": 3, // ns1 + ns2 (return path)
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
"ipv6-acls-1470": {
|
||||||
|
users: map[string]int{
|
||||||
|
"user1": 2,
|
||||||
|
"user2": 2,
|
||||||
|
},
|
||||||
|
policy: policy.ACLPolicy{
|
||||||
|
ACLs: []policy.ACL{
|
||||||
|
{
|
||||||
|
Action: "accept",
|
||||||
|
Sources: []string{"*"},
|
||||||
|
Destinations: []string{"0.0.0.0/0:*", "::/0:*"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}, want: map[string]int{
|
||||||
|
"user1": 3, // ns1 + ns2
|
||||||
|
"user2": 3, // ns2 + ns1
|
||||||
|
},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
for name, testCase := range tests {
|
for name, testCase := range tests {
|
||||||
|
|
Loading…
Reference in a new issue