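//go:build windows
// +build windows

package iptablesctrl

import (
	"strings"
	"testing"

	"github.com/kballard/go-shellquote"
	. "github.com/smartystreets/goconvey/convey"
	"go.aporeto.io/enforcerd/trireme-lib/common"
	"go.aporeto.io/enforcerd/trireme-lib/controller/internal/windows"
	"go.aporeto.io/enforcerd/trireme-lib/utils/frontman"
)

// Sample port lists given to every ACLInfo in this file. sampleTCPPorts is
// the list the host-service input test expects to be substituted for the
// rule's own --dports; sampleUDPPorts is deliberately empty.
const (
	sampleTCPPorts = "80,443"
	sampleUDPPorts = ""
)

// sampleACLInfo builds the ACLInfo that every test here hands to
// transformACLRules: the sample port lists above plus the given PU type.
func sampleACLInfo(puType common.PUType) *ACLInfo {
	return &ACLInfo{
		TCPPorts: sampleTCPPorts,
		UDPPorts: sampleUDPPorts,
		PUType:   puType,
	}
}

// splitRules turns each space-separated iptables rule into its argv form, the
// shape transformACLRules consumes. A rule whose argument contains a quoted
// space must be split with shellquote instead (see TestTransformACLRuleIcmp).
func splitRules(rules ...string) [][]string {
	out := make([][]string, 0, len(rules))
	for _, r := range rules {
		out = append(out, strings.Split(r, " "))
	}
	return out
}

// TestTransformACLRuleHost covers the app (outgoing) rules of a host PU: an
// NFLOG rule immediately followed by its DROP/ACCEPT twin is folded into a
// single logging rule, while a rule with no twin passes through on its own.
// Every parsed spec is checked so that folding cannot silently widen a match
// or lose the logging of the original pair.
func TestTransformACLRuleHost(t *testing.T) {

	Convey("When I parse some acl rules", t, func() {

		aclRules := splitRules(
			"OUTPUT TRI-App-hostZ7PbqL-0 -p 6 -m set --match-set TRI-v4-ext-cUDEx1114Z2xd dst -m state --state NEW -m set ! --match-set TRI-v4-TargetTCP dst --match multiport --dports 1:65535 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 531138568:5d6044b9e99572000149d650:5d60448a884e46000145cf67:6",
			"OUTPUT TRI-App-hostZ7PbqL-0 -p 6 -m set --match-set TRI-v4-ext-cUDEx1114Z2xd dst -m state --state NEW -m set ! --match-set TRI-v4-TargetTCP dst --match multiport --dports 1:65535 -j DROP",
			"OUTPUT TRI-App-hostZ7PbqL-0 -p 17 -m set --match-set TRI-v4-TargetUDP src --match multiport --dports 80,443,8080:8443 -j ACCEPT",
			"OUTPUT TRI-App-hostZ7PbqL-0 -p 6 -m set --match-set TRI-v4-ext-z4QRD1114Z2xd dst -m state --state NEW -m set ! --match-set TRI-v4-TargetTCP dst --match multiport --dports 2323 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 531138568:5d9e2e2d8431510001bcc931:5d61b8f4884e46000146bcd9:3",
			"OUTPUT TRI-App-hostZ7PbqL-0 -p 6 -m set --match-set TRI-v4-ext-z4QRD1114Z2xd dst -m state --state NEW -m set ! --match-set TRI-v4-TargetTCP dst --match multiport --dports 2323 -j ACCEPT",
			"OUTPUT TRI-App-hostZ7PbqL-0 -p 6 -m state --state NEW -m set --match-set TRI-v4-TargetTCP dst --match multiport --dports 2323 -j ACCEPT",
		)

		// true selects the app (outgoing) side of the transformation.
		xformedRules := transformACLRules(aclRules, sampleACLInfo(common.HostPU), nil, true)

		Convey("Adjacent like ones should be merged", func() {

			// 1+2 and 4+5 fold into one rule each; 3 and 6 stay as they are.
			So(xformedRules, ShouldHaveLength, 4)

			// check combined rule 1 and 2
			// OUTPUT HostSvcRules-OUTPUT -p 6 --dports 1:65535 -m set --match-set TRI-v4-ext-cUDEx1114Z2xd dstIP,dstPort -m set ! --match-set TRI-v4-TargetTCP dstIP,dstPort -j DROP -j NFLOG --nflog-group 0 --nflog-prefix 531138568:5d6044b9e99572000149d650:5d60448a884e46000145cf67:6
			// [2:] drops the two leading chain tokens, which ParseRuleSpec does not take.
			rs, err := windows.ParseRuleSpec(xformedRules[0][2:]...)

			So(err, ShouldBeNil)
			So(rs.Protocol, ShouldEqual, 6)
			// The DROP of rule 2 must survive the merge with the NFLOG of rule 1.
			So(rs.Action, ShouldEqual, frontman.FilterActionBlock)
			So(rs.Log, ShouldBeTrue)
			// flags=2 (SYN) with mask=18 (SYN|ACK) appears to be how --state NEW
			// is rendered: SYN set, ACK clear.
			So(rs.TCPFlagsSpecified, ShouldBeTrue)
			So(rs.TCPFlags, ShouldEqual, 2)
			So(rs.TCPFlagsMask, ShouldEqual, 18)
			So(rs.LogPrefix, ShouldEqual, "531138568:5d6044b9e99572000149d650:5d60448a884e46000145cf67:6")
			So(rs.MatchDstPort, ShouldHaveLength, 1)
			So(rs.MatchDstPort[0].Start, ShouldEqual, 1)
			So(rs.MatchDstPort[0].End, ShouldEqual, 65535)
			So(rs.MatchSet, ShouldHaveLength, 2)
			So(rs.MatchSet[0].MatchSetName, ShouldEqual, "TRI-v4-ext-cUDEx1114Z2xd")
			So(rs.MatchSet[0].MatchSetNegate, ShouldBeFalse)
			So(rs.MatchSet[0].MatchSetSrcIP, ShouldBeFalse)
			So(rs.MatchSet[0].MatchSetSrcPort, ShouldBeFalse)
			So(rs.MatchSet[0].MatchSetDstIP, ShouldBeTrue)
			So(rs.MatchSet[0].MatchSetDstPort, ShouldBeTrue)
			So(rs.MatchSet[1].MatchSetName, ShouldEqual, "TRI-v4-TargetTCP")
			// The "!" of the original rule must be preserved on the second set.
			So(rs.MatchSet[1].MatchSetNegate, ShouldBeTrue)
			So(rs.MatchSet[1].MatchSetSrcIP, ShouldBeFalse)
			So(rs.MatchSet[1].MatchSetSrcPort, ShouldBeFalse)
			So(rs.MatchSet[1].MatchSetDstIP, ShouldBeTrue)
			So(rs.MatchSet[1].MatchSetDstPort, ShouldBeTrue)

			// check singular rule 3 (input form shown; it has no NFLOG twin)
			// OUTPUT TRI-App-hostZ7PbqL-0 -p 17 -m set --match-set TRI-v4-TargetUDP src --match multiport --dports 80,443,8080:8443 -j ACCEPT
			rs, err = windows.ParseRuleSpec(xformedRules[1][2:]...)

			So(err, ShouldBeNil)
			So(rs.Protocol, ShouldEqual, 17)
			So(rs.Action, ShouldEqual, frontman.FilterActionAllow)
			So(rs.Log, ShouldBeFalse)
			// "80,443,8080:8443" is three entries: two single ports and one range.
			So(rs.MatchDstPort, ShouldHaveLength, 3)
			So(rs.MatchDstPort[0].Start, ShouldEqual, 80)
			So(rs.MatchDstPort[0].End, ShouldEqual, 80)
			So(rs.MatchDstPort[1].Start, ShouldEqual, 443)
			So(rs.MatchDstPort[1].End, ShouldEqual, 443)
			So(rs.MatchDstPort[2].Start, ShouldEqual, 8080)
			So(rs.MatchDstPort[2].End, ShouldEqual, 8443)
			So(rs.MatchSet, ShouldHaveLength, 1)
			So(rs.MatchSet[0].MatchSetName, ShouldEqual, "TRI-v4-TargetUDP")
			So(rs.MatchSet[0].MatchSetNegate, ShouldBeFalse)

			// check combined rule 4 and 5
			// OUTPUT HostSvcRules-OUTPUT -p 6 --dports 2323 -m set --match-set TRI-v4-ext-z4QRD1114Z2xd dstIP,dstPort -m set ! --match-set TRI-v4-TargetTCP dstIP,dstPort -j ACCEPT -j NFLOG --nflog-group 0 --nflog-prefix 531138568:5d9e2e2d8431510001bcc931:5d61b8f4884e46000146bcd9:3
			rs, err = windows.ParseRuleSpec(xformedRules[2][2:]...)

			So(err, ShouldBeNil)
			So(rs.Protocol, ShouldEqual, 6)
			So(rs.Action, ShouldEqual, frontman.FilterActionAllow)
			So(rs.Log, ShouldBeTrue)
			So(rs.LogPrefix, ShouldEqual, "531138568:5d9e2e2d8431510001bcc931:5d61b8f4884e46000146bcd9:3")
			So(rs.MatchDstPort, ShouldHaveLength, 1)
			So(rs.MatchDstPort[0].Start, ShouldEqual, 2323)
			So(rs.MatchDstPort[0].End, ShouldEqual, 2323)
			So(rs.MatchSet, ShouldHaveLength, 2)
			So(rs.MatchSet[0].MatchSetName, ShouldEqual, "TRI-v4-ext-z4QRD1114Z2xd")
			So(rs.MatchSet[0].MatchSetNegate, ShouldBeFalse)
			So(rs.MatchSet[0].MatchSetSrcIP, ShouldBeFalse)
			So(rs.MatchSet[0].MatchSetSrcPort, ShouldBeFalse)
			So(rs.MatchSet[0].MatchSetDstIP, ShouldBeTrue)
			So(rs.MatchSet[0].MatchSetDstPort, ShouldBeTrue)
			So(rs.MatchSet[1].MatchSetName, ShouldEqual, "TRI-v4-TargetTCP")
			So(rs.MatchSet[1].MatchSetNegate, ShouldBeTrue)
			So(rs.MatchSet[1].MatchSetSrcIP, ShouldBeFalse)
			So(rs.MatchSet[1].MatchSetSrcPort, ShouldBeFalse)
			So(rs.MatchSet[1].MatchSetDstIP, ShouldBeTrue)
			So(rs.MatchSet[1].MatchSetDstPort, ShouldBeTrue)

			// check last rule 6 (input form shown; no NFLOG twin, so not logged)
			// OUTPUT TRI-App-hostZ7PbqL-0 -p 6 -m state --state NEW -m set --match-set TRI-v4-TargetTCP dst --match multiport --dports 2323 -j ACCEPT
			rs, err = windows.ParseRuleSpec(xformedRules[3][2:]...)

			So(err, ShouldBeNil)
			So(rs.Protocol, ShouldEqual, 6)
			So(rs.Action, ShouldEqual, frontman.FilterActionAllow)
			So(rs.Log, ShouldBeFalse)
			So(rs.TCPFlagsSpecified, ShouldBeTrue)
			So(rs.TCPFlags, ShouldEqual, 2)
			So(rs.TCPFlagsMask, ShouldEqual, 18)
			So(rs.MatchDstPort, ShouldHaveLength, 1)
			So(rs.MatchDstPort[0].Start, ShouldEqual, 2323)
			So(rs.MatchDstPort[0].End, ShouldEqual, 2323)
			So(rs.MatchSet, ShouldHaveLength, 1)

		})

	})

}

// TestTransformACLRuleHostNet covers the net (incoming) side of a host PU with
// an IPv6 NFLOG/ACCEPT pair: the pair folds into one rule whose set matches
// are rewritten from "src" to source IP and source port.
func TestTransformACLRuleHostNet(t *testing.T) {

	Convey("When I parse a set of net acl rules for host pu", t, func() {

		aclRules := splitRules(
			"OUTPUT TRI-Net-hostZ7PbqL-0 -p 6 -m set --match-set TRI-v6-ext-cUDEx1114Z2xd src -m state --state NEW -m set ! --match-set TRI-v6-TargetTCP src --match multiport --dports 1:65535 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 3617624947:5d6967333561e000018a3a65:5d60448a884e46000145cf67:3",
			"OUTPUT TRI-Net-hostZ7PbqL-0 -p 6 -m set --match-set TRI-v6-ext-cUDEx1114Z2xd src -m state --state NEW -m set ! --match-set TRI-v6-TargetTCP src --match multiport --dports 1:65535 -j ACCEPT",
		)

		// false selects the net (incoming) side of the transformation.
		xformedRules := transformACLRules(aclRules, sampleACLInfo(common.HostPU), nil, false)

		Convey("They should be merged to one rule for the HostPU-INPUT chain", func() {

			So(xformedRules, ShouldHaveLength, 1)

			// check combined rule 1 and 2
			// OUTPUT HostPU-INPUT -p 6 --dports 1:65535 -m set --match-set TRI-v6-ext-cUDEx1114Z2xd srcIP,srcPort -m set ! --match-set TRI-v6-TargetTCP srcIP,srcPort -j ACCEPT -j NFLOG --nflog-group 0 --nflog-prefix 3617624947:5d6967333561e000018a3a65:5d60448a884e46000145cf67:3
			rs, err := windows.ParseRuleSpec(xformedRules[0][2:]...)

			So(err, ShouldBeNil)
			So(rs.Protocol, ShouldEqual, 6)
			So(rs.Action, ShouldEqual, frontman.FilterActionAllow)
			So(rs.Log, ShouldBeTrue)
			So(rs.LogPrefix, ShouldEqual, "3617624947:5d6967333561e000018a3a65:5d60448a884e46000145cf67:3")
			So(rs.TCPFlagsSpecified, ShouldBeTrue)
			So(rs.TCPFlags, ShouldEqual, 2)
			So(rs.TCPFlagsMask, ShouldEqual, 18)
			So(rs.MatchDstPort, ShouldHaveLength, 1)
			So(rs.MatchDstPort[0].Start, ShouldEqual, 1)
			So(rs.MatchDstPort[0].End, ShouldEqual, 65535)
			So(rs.MatchSet, ShouldHaveLength, 2)
			So(rs.MatchSet[0].MatchSetName, ShouldEqual, "TRI-v6-ext-cUDEx1114Z2xd")
			So(rs.MatchSet[0].MatchSetNegate, ShouldBeFalse)
			So(rs.MatchSet[0].MatchSetSrcIP, ShouldBeTrue)
			So(rs.MatchSet[0].MatchSetSrcPort, ShouldBeTrue)
			So(rs.MatchSet[0].MatchSetDstIP, ShouldBeFalse)
			So(rs.MatchSet[0].MatchSetDstPort, ShouldBeFalse)
			So(rs.MatchSet[1].MatchSetName, ShouldEqual, "TRI-v6-TargetTCP")
			So(rs.MatchSet[1].MatchSetNegate, ShouldBeTrue)
			So(rs.MatchSet[1].MatchSetSrcIP, ShouldBeTrue)
			So(rs.MatchSet[1].MatchSetSrcPort, ShouldBeTrue)
			So(rs.MatchSet[1].MatchSetDstIP, ShouldBeFalse)
			So(rs.MatchSet[1].MatchSetDstPort, ShouldBeFalse)

		})
	})

}

// TestTransformACLRuleHostSvc checks that a host-service (HostNetworkPU)
// produces no outgoing rules at all, whatever the input rules contain.
func TestTransformACLRuleHostSvc(t *testing.T) {

	Convey("When I parse some acl rules for a host service", t, func() {

		aclRules := splitRules(
			"OUTPUT TRI-App-1114oqLQAD-0 -p 6 -m set --match-set TRI-v4-ext-cUDEx1114Z2xd dst -m state --state NEW -m set ! --match-set TRI-v4-TargetTCP dst --match multiport --dports 1:65535 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 531138568:5d6044b9e99572000149d650:5d60448a884e46000145cf67:6",
			"OUTPUT TRI-App-1114oqLQAD-0 -p 6 -m set --match-set TRI-v4-ext-cUDEx1114Z2xd dst -m state --state NEW -m set ! --match-set TRI-v4-TargetTCP dst --match multiport --dports 1:65535 -j DROP",
			"OUTPUT TRI-App-1114oqLQAD-0 -p 17 -m set --match-set TRI-v4-TargetUDP src --match multiport --dports 80,443,8080:8443 -j ACCEPT",
			"OUTPUT TRI-App-1114oqLQAD-0 -m set --match-set TRI-v4-ext-z4QRD1114Z2xd dst -m state --state NEW -m set ! --match-set TRI-v4-TargetTCP dst --match multiport --dports 2323 -m state --state NEW -j NFLOG --nflog-group 10 --nflog-prefix 531138568:5d9e2e2d8431510001bcc931:5d61b8f4884e46000146bcd9:3",
			"OUTPUT TRI-App-1114oqLQAD-0 -m set --match-set TRI-v4-ext-z4QRD1114Z2xd dst -m state --state NEW -m set ! --match-set TRI-v4-TargetTCP dst --match multiport --dports 2323 -j ACCEPT",
		)

		xformedRules := transformACLRules(aclRules, sampleACLInfo(common.HostNetworkPU), nil, true)

		Convey("No outgoing rules are kept for host-service PU", func() {

			So(xformedRules, ShouldHaveLength, 0)

		})

	})

}

// TestTransformACLRuleHostSvcNet covers the incoming side of a host service:
// the TCP NFLOG/ACCEPT pair folds into one rule whose --dports is replaced by
// the PU's own TCP ports, and the protocol-less pair is dropped entirely.
func TestTransformACLRuleHostSvcNet(t *testing.T) {

	Convey("When I parse a set of net acl rules for a host svc pu", t, func() {

		aclRules := splitRules(
			"OUTPUT TRI-Net-1114oqLQAD-0 -p 6 -m set --match-set TRI-v4-ext-cUDEx1114Z2xd src -m state --state NEW -m set ! --match-set TRI-v4-TargetTCP src --match multiport --dports 1:65535 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 531138568:5d6967333561e000018a3a65:5d60448a884e46000145cf67:3",
			"OUTPUT TRI-Net-1114oqLQAD-0 -p 6 -m set --match-set TRI-v4-ext-cUDEx1114Z2xd src -m state --state NEW -m set ! --match-set TRI-v4-TargetTCP src --match multiport --dports 1:65535 -j ACCEPT",
			// protocol any rules for input on host-svc should be dropped
			"OUTPUT TRI-Net-1114oqLQAD-0 -m set --match-set TRI-v4-ext-dxxgXBWCQy0= src -m state --state NEW -m set ! --match-set TRI-v4-TargetTCP src --match multiport --dports 1:65535 -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix 187906336:5e2b46b82e67d60001766eda:5dfd1e479facec0001e5936b:3",
			"OUTPUT TRI-Net-1114oqLQAD-0 -m set --match-set TRI-v4-ext-dxxgXBWCQy0= src -m state --state NEW -m set ! --match-set TRI-v4-TargetTCP src --match multiport --dports 1:65535 -j ACCEPT",
		)

		xformedRules := transformACLRules(aclRules, sampleACLInfo(common.HostNetworkPU), nil, false)

		Convey("They should be merged to one rule for the HostSvcRules-INPUT chain and should have the PU's ports", func() {

			So(xformedRules, ShouldHaveLength, 1)

			// check combined rule 1 and 2
			// dports should be replaced with PU's ports
			// OUTPUT HostSvcRules-INPUT -p 6 --dports 80,443 -m set --match-set TRI-v4-ext-cUDEx1114Z2xd srcIP,srcPort -m set ! --match-set TRI-v4-TargetTCP srcIP,srcPort -j ACCEPT -j NFLOG --nflog-group 0 --nflog-prefix 531138568:5d6967333561e000018a3a65:5d60448a884e46000145cf67:3
			rs, err := windows.ParseRuleSpec(xformedRules[0][2:]...)

			So(err, ShouldBeNil)
			So(rs.Protocol, ShouldEqual, 6)
			So(rs.Action, ShouldEqual, frontman.FilterActionAllow)
			So(rs.Log, ShouldBeTrue)
			So(rs.LogPrefix, ShouldEqual, "531138568:5d6967333561e000018a3a65:5d60448a884e46000145cf67:3")
			So(rs.TCPFlagsSpecified, ShouldBeTrue)
			So(rs.TCPFlags, ShouldEqual, 2)
			So(rs.TCPFlagsMask, ShouldEqual, 18)
			// The rule's 1:65535 must have been narrowed to sampleTCPPorts
			// ("80,443"); without this check the description above is unverified.
			So(rs.MatchDstPort, ShouldHaveLength, 2)
			So(rs.MatchDstPort[0].Start, ShouldEqual, 80)
			So(rs.MatchDstPort[0].End, ShouldEqual, 80)
			So(rs.MatchDstPort[1].Start, ShouldEqual, 443)
			So(rs.MatchDstPort[1].End, ShouldEqual, 443)
			So(rs.MatchSet, ShouldHaveLength, 2)
			So(rs.MatchSet[0].MatchSetName, ShouldEqual, "TRI-v4-ext-cUDEx1114Z2xd")
			So(rs.MatchSet[0].MatchSetNegate, ShouldBeFalse)
			So(rs.MatchSet[0].MatchSetSrcIP, ShouldBeTrue)
			So(rs.MatchSet[0].MatchSetSrcPort, ShouldBeTrue)
			So(rs.MatchSet[0].MatchSetDstIP, ShouldBeFalse)
			So(rs.MatchSet[0].MatchSetDstPort, ShouldBeFalse)
			So(rs.MatchSet[1].MatchSetName, ShouldEqual, "TRI-v4-TargetTCP")
			So(rs.MatchSet[1].MatchSetNegate, ShouldBeTrue)
			So(rs.MatchSet[1].MatchSetSrcIP, ShouldBeTrue)
			So(rs.MatchSet[1].MatchSetSrcPort, ShouldBeTrue)
			So(rs.MatchSet[1].MatchSetDstIP, ShouldBeFalse)
			So(rs.MatchSet[1].MatchSetDstPort, ShouldBeFalse)

		})

	})

}

// TestTransformACLRuleIcmp covers ICMP rules on both sides of a host PU. An
// NFLOG/ACCEPT pair with identical --icmp-type folds into one rule; a pair
// whose code ranges differ must stay separate, the NFLOG half becoming a
// log-only (continue) rule.
func TestTransformACLRuleIcmp(t *testing.T) {

	Convey("When I parse a set of net acl rules with an icmp rule", t, func() {

		// The first prefix contains a space, so it is split shell-style to
		// keep the quoted prefix as one argument.
		rule, err := shellquote.Split("OUTPUT TRI-Net-hostZ7PbqL-0 -p 1 --icmp-type 3/0:2,6 -j NFLOG --nflog-group 11 --nflog-prefix \"3617624947:5d6967333561e000018a3a65:5d60448a884e46000145cf67:incoming n_3484738895:3\"")
		So(err, ShouldBeNil)

		aclRules := append([][]string{rule}, splitRules(
			"OUTPUT TRI-Net-hostZ7PbqL-0 -p 1 --icmp-type 3/0:2,6 -j ACCEPT",
			"OUTPUT TRI-Net-hostZ7PbqL-0 -p 1 --icmp-type 8/0:3,5 -j NFLOG --nflog-group 11 --nflog-prefix 3617624947:5d6967333561e000018a3a65:5d60448a884e46000145cf67:3",
			"OUTPUT TRI-Net-hostZ7PbqL-0 -p 1 --icmp-type 8/0:3 -j ACCEPT",
		)...)

		xformedRules := transformACLRules(aclRules, sampleACLInfo(common.HostPU), nil, false)

		Convey("The first two should be merged and the last two kept apart for the HostPU-INPUT chain", func() {

			So(xformedRules, ShouldHaveLength, 3)

			// check combined rule 1 and 2
			// OUTPUT HostPU-INPUT -p 1 --icmp-type 3/0:2,6 -j ACCEPT -j NFLOG --nflog-group 11 --nflog-prefix "3617624947:5d6967333561e000018a3a65:5d60448a884e46000145cf67:incoming n_3484738895:3"
			rs, err := windows.ParseRuleSpec(xformedRules[0][2:]...)

			So(err, ShouldBeNil)
			So(rs.Protocol, ShouldEqual, 1)
			So(rs.Action, ShouldEqual, frontman.FilterActionAllow)
			// "3/0:2,6" is type 3 with two code ranges: 0-2 and 6.
			So(rs.IcmpMatch, ShouldHaveLength, 2)
			So(rs.IcmpMatch[0].IcmpType, ShouldEqual, 3)
			So(rs.IcmpMatch[0].IcmpCodeRange.Start, ShouldEqual, 0)
			So(rs.IcmpMatch[0].IcmpCodeRange.End, ShouldEqual, 2)
			So(rs.IcmpMatch[1].IcmpType, ShouldEqual, 3)
			So(rs.IcmpMatch[1].IcmpCodeRange.Start, ShouldEqual, 6)
			So(rs.IcmpMatch[1].IcmpCodeRange.End, ShouldEqual, 6)
			So(rs.Log, ShouldBeTrue)
			So(rs.LogPrefix, ShouldEqual, "3617624947:5d6967333561e000018a3a65:5d60448a884e46000145cf67:incoming n_3484738895:3")

			// rules 3 and 4 should not be combined (they differ by icmp code)
			rs, err = windows.ParseRuleSpec(xformedRules[1][2:]...)
			So(err, ShouldBeNil)
			So(rs.Protocol, ShouldEqual, 1)
			// A lone NFLOG rule only logs and lets evaluation continue.
			So(rs.Action, ShouldEqual, frontman.FilterActionContinue)
			So(rs.IcmpMatch, ShouldHaveLength, 2)
			So(rs.IcmpMatch[0].IcmpType, ShouldEqual, 8)
			So(rs.IcmpMatch[0].IcmpCodeRange.Start, ShouldEqual, 0)
			So(rs.IcmpMatch[0].IcmpCodeRange.End, ShouldEqual, 3)
			So(rs.IcmpMatch[1].IcmpType, ShouldEqual, 8)
			So(rs.IcmpMatch[1].IcmpCodeRange.Start, ShouldEqual, 5)
			So(rs.IcmpMatch[1].IcmpCodeRange.End, ShouldEqual, 5)
			So(rs.Log, ShouldBeTrue)
			So(rs.LogPrefix, ShouldEqual, "3617624947:5d6967333561e000018a3a65:5d60448a884e46000145cf67:3")

			rs, err = windows.ParseRuleSpec(xformedRules[2][2:]...)
			So(err, ShouldBeNil)
			So(rs.Protocol, ShouldEqual, 1)
			So(rs.Action, ShouldEqual, frontman.FilterActionAllow)
			So(rs.IcmpMatch, ShouldHaveLength, 1)
			So(rs.IcmpMatch[0].IcmpType, ShouldEqual, 8)
			So(rs.IcmpMatch[0].IcmpCodeRange.Start, ShouldEqual, 0)
			So(rs.IcmpMatch[0].IcmpCodeRange.End, ShouldEqual, 3)
			So(rs.Log, ShouldBeFalse)
			So(rs.LogPrefix, ShouldEqual, "")

		})
	})

	Convey("When I parse a set of app acl rules with an icmp rule", t, func() {

		aclRules := splitRules(
			"OUTPUT TRI-App-hostZ7PbqL-0 -p 1 --icmp-type 8/1:3 -j NFLOG --nflog-group 10 --nflog-prefix 531138568:5d6044b9e99572000149d650:5d60448a884e46000145cf67:6",
			"OUTPUT TRI-App-hostZ7PbqL-0 -p 1 --icmp-type 8/1:3 -j DROP",
		)

		xformedRules := transformACLRules(aclRules, sampleACLInfo(common.HostPU), nil, true)

		Convey("They should be merged to one rule for the HostPU-OUTPUT chain", func() {

			So(xformedRules, ShouldHaveLength, 1)

			// check combined rule 1 and 2
			// OUTPUT HostPU-OUTPUT -p 1 --icmp-type 8/1:3 -j DROP -j NFLOG --nflog-group 10 --nflog-prefix 531138568:5d6044b9e99572000149d650:5d60448a884e46000145cf67:6
			rs, err := windows.ParseRuleSpec(xformedRules[0][2:]...)

			So(err, ShouldBeNil)
			So(rs.Protocol, ShouldEqual, 1)
			So(rs.Action, ShouldEqual, frontman.FilterActionBlock)
			So(rs.IcmpMatch, ShouldHaveLength, 1)
			So(rs.IcmpMatch[0].IcmpType, ShouldEqual, 8)
			So(rs.IcmpMatch[0].IcmpCodeRange.Start, ShouldEqual, 1)
			So(rs.IcmpMatch[0].IcmpCodeRange.End, ShouldEqual, 3)
			So(rs.Log, ShouldBeTrue)
			So(rs.LogPrefix, ShouldEqual, "531138568:5d6044b9e99572000149d650:5d60448a884e46000145cf67:6")

		})
	})

}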