github.com/aporeto-inc/trireme-lib@v10.358.0+incompatible/controller/internal/supervisor/iptablesctrl/iptables_windows_test.go (about) 1 // +build windows 2 3 package iptablesctrl 4 5 import ( 6 "context" 7 "fmt" 8 "net" 9 "strings" 10 "sync" 11 "syscall" 12 "testing" 13 "unsafe" 14 15 . "github.com/smartystreets/goconvey/convey" 16 "go.aporeto.io/enforcerd/trireme-lib/common" 17 "go.aporeto.io/enforcerd/trireme-lib/controller/constants" 18 tacls "go.aporeto.io/enforcerd/trireme-lib/controller/internal/enforcer/acls" 19 "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/fqconfig" 20 "go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet" 21 "go.aporeto.io/enforcerd/trireme-lib/controller/runtime" 22 "go.aporeto.io/enforcerd/trireme-lib/policy" 23 "go.aporeto.io/enforcerd/trireme-lib/utils/frontman" 24 ) 25 26 const ( 27 errInvalidParameter = syscall.Errno(0xC000000D) 28 errInsufficientBuffer = syscall.Errno(122) 29 errAlreadyExists = syscall.Errno(183) 30 ) 31 32 type abi struct { 33 filters map[string]map[string]bool 34 ipsets map[string][]string 35 ipsetByID map[int]string 36 ipsetsNomatch map[string][]string 37 ipsetCount int 38 sync.Mutex 39 } 40 41 func (a *abi) FrontmanOpenShared() (uintptr, error) { 42 return 1234, nil 43 } 44 45 func (a *abi) GetDestInfo(driverHandle, socket, destInfo uintptr) (uintptr, error) { 46 return 1, nil 47 } 48 49 func (a *abi) ApplyDestHandle(socket, destHandle uintptr) (uintptr, error) { 50 return 1, nil 51 } 52 53 func (a *abi) FreeDestHandle(destHandle uintptr) (uintptr, error) { 54 return 1, nil 55 } 56 57 func (a *abi) NewIpset(driverHandle, name, ipsetType, ipset uintptr) (uintptr, error) { 58 if name == 0 || ipsetType == 0 || ipset == 0 { 59 return 0, errInvalidParameter 60 } 61 a.Lock() 62 defer a.Unlock() 63 nameStr := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(name))) // nolint:govet 64 ipsetPtr := (*int)(unsafe.Pointer(ipset)) // nolint:govet 65 a.ipsetCount++ 66 *ipsetPtr = a.ipsetCount 67 a.ipsets[nameStr] = make([]string, 0) 68 a.ipsetsNomatch[nameStr] = make([]string, 0) 69 a.ipsetByID[a.ipsetCount] = nameStr 70 return 1, nil 71 } 72 73 func (a *abi) GetIpset(driverHandle, name, ipset uintptr) (uintptr, error) { 74 if name == 0 || ipset == 0 { 75 return 0, errInvalidParameter 76 } 77 a.Lock() 78 defer a.Unlock() 79 nameStr := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(name))) // nolint:govet 80 ipsetPtr := (*int)(unsafe.Pointer(ipset)) // nolint:govet 81 for k, v := range a.ipsetByID { 82 if v == nameStr { 83 *ipsetPtr = k 84 return 1, nil 85 } 86 } 87 return 0, errInvalidParameter 88 } 89 90 func (a *abi) DestroyAllIpsets(driverHandle, prefix uintptr) (uintptr, error) { 91 if prefix == 0 { 92 return 0, errInvalidParameter 93 } 94 a.Lock() 95 defer a.Unlock() 96 prefixStr := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(prefix))) // nolint:govet 97 for k := range a.ipsets { 98 if strings.HasPrefix(k, prefixStr) { 99 for id, name := range a.ipsetByID { 100 if name == k { 101 delete(a.ipsetByID, id) 102 break 103 } 104 } 105 delete(a.ipsets, k) 106 } 107 } 108 return 1, nil 109 } 110 111 func (a *abi) ListIpsets(driverHandle, ipsetNames, ipsetNamesSize, bytesReturned uintptr) (uintptr, error) { 112 if bytesReturned == 0 { 113 return 0, errInvalidParameter 114 } 115 a.Lock() 116 defer a.Unlock() 117 bytesReturnedPtr := (*uint32)(unsafe.Pointer(bytesReturned)) // nolint:govet 118 fstr := "" 119 for k := range a.ipsets { 120 fstr += k + "," 121 } 122 sizeNeeded := len(fstr) * 2 123 if sizeNeeded == 0 { 124 *bytesReturnedPtr = 0 125 return 1, nil 126 } 127 if int(ipsetNamesSize) < sizeNeeded { 128 *bytesReturnedPtr = uint32(sizeNeeded) 129 return 0, errInsufficientBuffer 130 } 131 if ipsetNames == 0 { 132 return 0, errInvalidParameter 133 } 134 buf := (*[1 << 20]uint16)(unsafe.Pointer(ipsetNames))[: ipsetNamesSize/2 : ipsetNamesSize/2] // nolint:govet 135 copy(buf, syscall.StringToUTF16(fstr)) // nolint:staticcheck 136 buf[ipsetNamesSize/2-1] = 0 137 return 1, nil 138 } 139 140 func (a *abi) IpsetAdd(driverHandle, ipset, entry, timeout uintptr) (uintptr, error) { 141 return a.IpsetAddOption(driverHandle, ipset, entry, 0, timeout) 142 } 143 144 func (a *abi) IpsetAddOption(driverHandle, ipset, entry, option, timeout uintptr) (uintptr, error) { 145 if entry == 0 { 146 return 0, errInvalidParameter 147 } 148 a.Lock() 149 defer a.Unlock() 150 entryStr := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(entry))) // nolint:govet 151 id := int(ipset) 152 name := a.ipsetByID[id] 153 entries, ok := a.ipsets[name] 154 if !ok { 155 return 0, errInvalidParameter 156 } 157 for _, e := range entries { 158 if e == entryStr { 159 return 0, errAlreadyExists 160 } 161 } 162 if option != 0 { 163 optionStr := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(option))) // nolint:govet 164 if optionStr == "nomatch" { 165 entriesNomatch, ok := a.ipsetsNomatch[name] 166 if !ok { 167 return 0, errInvalidParameter 168 } 169 a.ipsetsNomatch[name] = append(entriesNomatch, entryStr) 170 } 171 } 172 a.ipsets[name] = append(entries, entryStr) 173 return 1, nil 174 } 175 176 func (a *abi) IpsetDelete(driverHandle, ipset, entry uintptr) (uintptr, error) { 177 if entry == 0 { 178 return 0, errInvalidParameter 179 } 180 a.Lock() 181 defer a.Unlock() 182 entryStr := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(entry))) // nolint:govet 183 id := int(ipset) 184 name := a.ipsetByID[id] 185 entries, ok := a.ipsets[name] 186 if !ok { 187 return 0, errInvalidParameter 188 } 189 for i, e := range entries { 190 if e == entryStr { 191 a.ipsets[name] = append(entries[:i], entries[i+1:]...) 192 break 193 } 194 } 195 if entriesNomatch, ok := a.ipsetsNomatch[name]; ok { 196 for i, e := range entriesNomatch { 197 if e == entryStr { 198 a.ipsetsNomatch[name] = append(entriesNomatch[:i], entriesNomatch[i+1:]...) 199 break 200 } 201 } 202 } 203 return 1, nil 204 } 205 206 func (a *abi) IpsetDestroy(driverHandle, ipset uintptr) (uintptr, error) { 207 a.Lock() 208 defer a.Unlock() 209 id := int(ipset) 210 name := a.ipsetByID[id] 211 if _, ok := a.ipsets[name]; !ok { 212 return 0, errInvalidParameter 213 } 214 delete(a.ipsetByID, id) 215 delete(a.ipsets, name) 216 return 1, nil 217 } 218 219 func (a *abi) IpsetFlush(driverHandle, ipset uintptr) (uintptr, error) { 220 a.Lock() 221 defer a.Unlock() 222 id := int(ipset) 223 name := a.ipsetByID[id] 224 if _, ok := a.ipsets[name]; !ok { 225 return 0, errInvalidParameter 226 } 227 a.ipsets[name] = nil 228 return 1, nil 229 } 230 231 func (a *abi) IpsetTest(driverHandle, ipset, entry uintptr) (uintptr, error) { 232 if entry == 0 { 233 return 0, errInvalidParameter 234 } 235 a.Lock() 236 defer a.Unlock() 237 entryStr := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(entry))) // nolint:govet 238 id := int(ipset) 239 name := a.ipsetByID[id] 240 entries, ok := a.ipsets[name] 241 if !ok { 242 return 0, errInvalidParameter 243 } 244 for _, e := range entries { 245 // TODO nomatch 246 if e == entryStr { 247 return 1, nil 248 } 249 } 250 // not found 251 return 0, nil 252 } 253 254 func (a *abi) PacketFilterStart(frontman, firewallName, receiveCallback, loggingCallback uintptr) (uintptr, error) { 255 return 1, nil 256 } 257 258 func (a *abi) PacketFilterClose() (uintptr, error) { 259 return 1, nil 260 } 261 262 func (a *abi) PacketFilterForward(info, packet uintptr) (uintptr, error) { 263 return 1, nil 264 } 265 266 func (a *abi) AppendFilter(driverHandle, outbound, filterName, isGotoFilter uintptr) (uintptr, error) { 267 return a.InsertFilter(driverHandle, outbound, 1000, filterName, isGotoFilter) 268 } 269 270 func (a *abi) InsertFilter(driverHandle, outbound, priority, filterName, isGotoFilter uintptr) (uintptr, error) { 271 if filterName == 0 { 272 return 0, errInvalidParameter 273 } 274 a.Lock() 275 defer a.Unlock() 276 str := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(filterName))) // nolint:govet 277 a.filters[str] = make(map[string]bool) 278 return 1, nil 279 } 280 281 func (a *abi) DestroyFilter(driverHandle, filterName uintptr) (uintptr, error) { 282 if filterName == 0 { 283 return 0, errInvalidParameter 284 } 285 a.Lock() 286 defer a.Unlock() 287 str := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(filterName))) // nolint:govet 288 delete(a.filters, str) 289 return 1, nil 290 } 291 292 func (a *abi) EmptyFilter(driverHandle, filterName uintptr) (uintptr, error) { 293 if filterName == 0 { 294 return 0, errInvalidParameter 295 } 296 a.Lock() 297 defer a.Unlock() 298 str := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(filterName))) // nolint:govet 299 a.filters[str] = make(map[string]bool) 300 return 1, nil 301 } 302 303 func (a *abi) GetFilterList(driverHandle, outbound, buffer, bufferSize, bytesReturned uintptr) (uintptr, error) { 304 if bytesReturned == 0 { 305 return 0, errInvalidParameter 306 } 307 a.Lock() 308 defer a.Unlock() 309 bytesReturnedPtr := (*uint32)(unsafe.Pointer(bytesReturned)) // nolint:govet 310 fstr := "" 311 for k := range a.filters { 312 fstr += k + "," 313 } 314 sizeNeeded := len(fstr) * 2 315 if sizeNeeded == 0 { 316 *bytesReturnedPtr = 0 317 return 1, nil 318 } 319 if int(bufferSize) < sizeNeeded { 320 *bytesReturnedPtr = uint32(sizeNeeded) 321 return 0, errInsufficientBuffer 322 } 323 if buffer == 0 { 324 return 0, errInvalidParameter 325 } 326 buf := (*[1 << 20]uint16)(unsafe.Pointer(buffer))[: bufferSize/2 : bufferSize/2] // nolint:govet 327 copy(buf, syscall.StringToUTF16(fstr)) // nolint:staticcheck 328 buf[bufferSize/2-1] = 0 329 return 1, nil 330 } 331 332 func (a *abi) AppendFilterCriteria(driverHandle, filterName, criteriaName, ruleSpec, ipsetRuleSpecs, ipsetRuleSpecCount uintptr) (uintptr, error) { 333 if filterName == 0 || criteriaName == 0 { 334 return 0, errInvalidParameter 335 } 336 a.Lock() 337 defer a.Unlock() 338 fstr := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(filterName))) // nolint:govet 339 cstr := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(criteriaName))) // nolint:govet 340 m, ok := a.filters[fstr] 341 if !ok { 342 return 0, errInvalidParameter 343 } 344 m[cstr] = true 345 return 1, nil 346 } 347 348 func (a *abi) DeleteFilterCriteria(driverHandle, filterName, criteriaName uintptr) (uintptr, error) { 349 if filterName == 0 || criteriaName == 0 { 350 return 0, errInvalidParameter 351 } 352 a.Lock() 353 defer a.Unlock() 354 fstr := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(filterName))) // nolint:govet 355 cstr := frontman.WideCharPointerToString((*uint16)(unsafe.Pointer(criteriaName))) // nolint:govet 356 m, ok := a.filters[fstr] 357 if !ok { 358 return 0, errInvalidParameter 359 } 360 delete(m, cstr) 361 return 1, nil 362 } 363 364 func (a *abi) ListIpsetsDetail(driverHandle, format, ipsetNames, ipsetNamesSize, bytesReturned uintptr) (uintptr, error) { 365 return 1, nil 366 } 367 368 func (a *abi) GetCriteriaList(driverHandle, format, criteriaList, criteriaListSize, bytesReturned uintptr) (uintptr, error) { 369 return 1, nil 370 } 371 372 func Test_WindowsNomatchIpsets(t *testing.T) { 373 374 a := &abi{ 375 filters: make(map[string]map[string]bool), 376 ipsets: make(map[string][]string), 377 ipsetsNomatch: make(map[string][]string), 378 ipsetByID: make(map[int]string), 379 } 380 frontman.Driver = a 381 382 getEnforcerPID = func() int { return 111 } 383 getCnsAgentMgrPID = func() int { return 222 } 384 getCnsAgentBootPID = func() int { return 333 } 385 386 Convey("Given a valid instance", t, func() { 387 388 fq := newFilterQueueWithDefaults() 389 impl, err := NewInstance(fq, constants.LocalServer, false, nil, "", policy.None) 390 So(err, ShouldBeNil) 391 392 err = impl.Run(context.Background()) 393 So(err, ShouldBeNil) 394 395 cfg := &runtime.Configuration{ 396 TCPTargetNetworks: []string{"!2001:db8:1234::/48", "!10.10.10.0/24", "::/0", "!10.0.0.0/8", "10.10.0.0/16", "0.0.0.0/0"}, 397 UDPTargetNetworks: []string{"!10.10.10.0/24", "10.0.0.0/8"}, 398 ExcludedNetworks: []string{"!192.168.56.15/32", "127.0.0.1", "192.168.56.0/24"}, 399 } 400 err = impl.SetTargetNetworks(cfg) // nolint 401 So(err, ShouldBeNil) 402 403 So(a.ipsets, ShouldContainKey, "TRI-v4-TargetTCP") 404 So(a.ipsetsNomatch["TRI-v4-TargetTCP"], ShouldContain, "10.0.0.0/8") 405 So(a.ipsetsNomatch["TRI-v4-TargetTCP"], ShouldContain, "10.10.10.0/24") 406 So(a.ipsets["TRI-v4-TargetTCP"], ShouldContain, "10.10.0.0/16") 407 So(a.ipsetsNomatch["TRI-v4-TargetTCP"], ShouldNotContain, "10.10.0.0/16") 408 So(a.ipsets["TRI-v4-TargetTCP"], ShouldContain, "0.0.0.0/1") 409 So(a.ipsets["TRI-v4-TargetTCP"], ShouldContain, "128.0.0.0/1") 410 411 So(a.ipsets, ShouldContainKey, "TRI-v6-TargetTCP") 412 So(a.ipsetsNomatch["TRI-v6-TargetTCP"], ShouldContain, "2001:db8:1234::/48") 413 So(a.ipsets["TRI-v6-TargetTCP"], ShouldContain, "::/1") 414 So(a.ipsets["TRI-v6-TargetTCP"], ShouldContain, "8000::/1") 415 So(a.ipsetsNomatch["TRI-v6-TargetTCP"], ShouldNotContain, "::/1") 416 So(a.ipsetsNomatch["TRI-v6-TargetTCP"], ShouldNotContain, "8000::/1") 417 418 So(a.ipsets, ShouldContainKey, "TRI-v4-TargetUDP") 419 So(a.ipsets["TRI-v4-TargetUDP"], ShouldContain, "10.0.0.0/8") 420 So(a.ipsetsNomatch["TRI-v4-TargetUDP"], ShouldNotContain, "10.0.0.0/8") 421 So(a.ipsets["TRI-v4-TargetUDP"], ShouldContain, "10.10.10.0/24") 422 So(a.ipsetsNomatch["TRI-v4-TargetUDP"], ShouldContain, "10.10.10.0/24") 423 424 So(a.ipsets, ShouldContainKey, "TRI-v4-Excluded") 425 So(a.ipsets["TRI-v4-Excluded"], ShouldContain, "127.0.0.1") 426 So(a.ipsets["TRI-v4-Excluded"], ShouldContain, "192.168.56.0/24") 427 So(a.ipsetsNomatch["TRI-v4-Excluded"], ShouldNotContain, "192.168.56.0/24") 428 So(a.ipsets["TRI-v4-Excluded"], ShouldContain, "192.168.56.15/32") 429 So(a.ipsetsNomatch["TRI-v4-Excluded"], ShouldContain, "192.168.56.15/32") 430 431 // update target networks 432 cfgNew := &runtime.Configuration{ 433 TCPTargetNetworks: []string{"!10.10.0.0/16", "0.0.0.0/0"}, 434 UDPTargetNetworks: []string{}, 435 ExcludedNetworks: []string{"192.168.56.0/24", "!192.168.56.15/32", "127.0.0.1"}, 436 } 437 err = impl.SetTargetNetworks(cfgNew) 438 So(err, ShouldBeNil) 439 440 So(a.ipsets["TRI-v4-TargetTCP"], ShouldNotContain, "10.0.0.0/8") 441 So(a.ipsets["TRI-v4-TargetTCP"], ShouldContain, "10.10.0.0/16") 442 So(a.ipsetsNomatch["TRI-v4-TargetTCP"], ShouldContain, "10.10.0.0/16") 443 So(a.ipsets["TRI-v4-TargetTCP"], ShouldContain, "0.0.0.0/1") 444 So(a.ipsets["TRI-v4-TargetTCP"], ShouldContain, "128.0.0.0/1") 445 446 So(a.ipsets["TRI-v4-TargetUDP"], ShouldBeEmpty) 447 448 So(a.ipsets["TRI-v4-Excluded"], ShouldContain, "127.0.0.1") 449 So(a.ipsets["TRI-v4-Excluded"], ShouldContain, "192.168.56.0/24") 450 So(a.ipsetsNomatch["TRI-v4-Excluded"], ShouldNotContain, "192.168.56.0/24") 451 So(a.ipsets["TRI-v4-Excluded"], ShouldContain, "192.168.56.15/32") 452 So(a.ipsetsNomatch["TRI-v4-Excluded"], ShouldContain, "192.168.56.15/32") 453 }) 454 } 455 456 func Test_WindowsNomatchIpsetsInExternalNetworks(t *testing.T) { 457 458 a := &abi{ 459 filters: make(map[string]map[string]bool), 460 ipsets: make(map[string][]string), 461 ipsetsNomatch: make(map[string][]string), 462 ipsetByID: make(map[int]string), 463 } 464 frontman.Driver = a 465 466 getEnforcerPID = func() int { return 111 } 467 getCnsAgentMgrPID = func() int { return 222 } 468 getCnsAgentBootPID = func() int { return 333 } 469 470 Convey("Given a valid instance", t, func() { 471 472 fq := newFilterQueueWithDefaults() 473 impl, err := NewInstance(fq, constants.LocalServer, false, nil, "", policy.None) 474 So(err, ShouldBeNil) 475 476 err = impl.Run(context.Background()) 477 So(err, ShouldBeNil) 478 479 cfg := &runtime.Configuration{ 480 TCPTargetNetworks: []string{"!2001:db8:1234::/48", "!10.10.10.0/24", "::/0", "!10.0.0.0/8", "10.10.0.0/16", "0.0.0.0/0"}, 481 UDPTargetNetworks: []string{"!10.10.10.0/24", "10.0.0.0/8"}, 482 ExcludedNetworks: []string{"!192.168.56.15/32", "127.0.0.1", "192.168.56.0/24"}, 483 } 484 err = impl.SetTargetNetworks(cfg) // nolint 485 So(err, ShouldBeNil) 486 487 // Setup external networks 488 appACLs := policy.IPRuleList{ 489 policy.IPRule{ 490 Addresses: []string{"10.0.0.0/8", "!10.0.0.0/16", "!10.0.2.0/24", "10.0.2.7"}, 491 Ports: []string{"80"}, 492 Protocols: []string{constants.TCPProtoNum}, 493 Policy: &policy.FlowPolicy{ 494 Action: policy.Accept | policy.Log, 495 ServiceID: "a1", 496 PolicyID: "123a", 497 }, 498 }, 499 policy.IPRule{ 500 Addresses: []string{"::/0", "!2001:db8:1234::/48"}, 501 Ports: []string{"80"}, 502 Protocols: []string{constants.TCPProtoNum}, 503 Policy: &policy.FlowPolicy{ 504 Action: policy.Accept | policy.Log, 505 ServiceID: "a3", 506 PolicyID: "1234a", 507 }, 508 }, 509 } 510 netACLs := policy.IPRuleList{ 511 policy.IPRule{ 512 Addresses: []string{"0.0.0.0/0", "!10.0.0.0/8", "10.0.0.0/16", "!10.0.2.8"}, 513 Ports: []string{"80"}, 514 Protocols: []string{constants.TCPProtoNum}, 515 Policy: &policy.FlowPolicy{ 516 Action: policy.Accept | policy.Log, 517 ServiceID: "a2", 518 PolicyID: "123b", 519 }, 520 }, 521 } 522 523 policyRules := policy.NewPUPolicy("Context", "/ns1", policy.Police, appACLs, netACLs, nil, nil, nil, nil, nil, nil, nil, 20992, 0, nil, nil, []string{}, policy.EnforcerMapping, policy.Reject|policy.Log, policy.Reject|policy.Log) 524 525 puInfo := policy.NewPUInfo("Context", "/ns1", common.HostPU) 526 puInfo.Policy = policyRules 527 puInfo.Runtime = policy.NewPURuntimeWithDefaults() 528 puInfo.Runtime.SetPUType(common.HostPU) 529 puInfo.Runtime.SetOptions(policy.OptionsType{ 530 CgroupMark: "10", 531 }) 532 533 // configure rules 534 var iprules policy.IPRuleList 535 iprules = append(iprules, puInfo.Policy.ApplicationACLs()...) 536 iprules = append(iprules, puInfo.Policy.NetworkACLs()...) 537 err = impl.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules) 538 So(err, ShouldBeNil) 539 err = impl.iptv6.ipsetmanager.RegisterExternalNets("pu1", iprules) 540 So(err, ShouldBeNil) 541 542 err = impl.ConfigureRules(0, "pu1", puInfo) 543 So(err, ShouldBeNil) 544 545 // Check ipsets 546 setName := impl.iptv4.ipsetmanager.GetACLIPsetsNames(appACLs[0:1])[0] 547 So(a.ipsets[setName], ShouldContain, "10.0.0.0/8") 548 So(a.ipsets[setName], ShouldContain, "10.0.0.0/16") 549 So(a.ipsets[setName], ShouldContain, "10.0.2.0/24") 550 So(a.ipsets[setName], ShouldContain, "10.0.2.7") 551 So(a.ipsetsNomatch[setName], ShouldNotContain, "10.0.0.0/8") 552 So(a.ipsetsNomatch[setName], ShouldContain, "10.0.0.0/16") 553 So(a.ipsetsNomatch[setName], ShouldContain, "10.0.2.0/24") 554 So(a.ipsetsNomatch[setName], ShouldNotContain, "10.0.2.7") 555 556 setName = impl.iptv6.ipsetmanager.GetACLIPsetsNames(appACLs[1:2])[0] 557 So(a.ipsets[setName], ShouldContain, "::/1") 558 So(a.ipsets[setName], ShouldContain, "8000::/1") 559 So(a.ipsets[setName], ShouldContain, "2001:db8:1234::/48") 560 So(a.ipsetsNomatch[setName], ShouldNotContain, "::/1") 561 So(a.ipsetsNomatch[setName], ShouldNotContain, "8000::/1") 562 So(a.ipsetsNomatch[setName], ShouldContain, "2001:db8:1234::/48") 563 564 setName = impl.iptv4.ipsetmanager.GetACLIPsetsNames(netACLs[0:1])[0] 565 So(a.ipsets[setName], ShouldContain, "0.0.0.0/1") 566 So(a.ipsets[setName], ShouldContain, "128.0.0.0/1") 567 So(a.ipsets[setName], ShouldContain, "10.0.0.0/8") 568 So(a.ipsets[setName], ShouldContain, "10.0.0.0/16") 569 So(a.ipsets[setName], ShouldContain, "10.0.2.8") 570 So(a.ipsetsNomatch[setName], ShouldNotContain, "0.0.0.0/1") 571 So(a.ipsetsNomatch[setName], ShouldNotContain, "128.0.0.0/1") 572 So(a.ipsetsNomatch[setName], ShouldContain, "10.0.0.0/8") 573 So(a.ipsetsNomatch[setName], ShouldNotContain, "10.0.0.0/16") 574 So(a.ipsetsNomatch[setName], ShouldContain, "10.0.2.8") 575 576 // Reconfigure external networks 577 appACLs = policy.IPRuleList{ 578 policy.IPRule{ 579 Addresses: []string{"10.0.0.0/8", "!10.0.0.0/16", "10.0.2.0/24", "!10.0.2.7"}, 580 Ports: []string{"80"}, 581 Protocols: []string{constants.TCPProtoNum}, 582 Policy: &policy.FlowPolicy{ 583 Action: policy.Accept | policy.Log, 584 ServiceID: "a1", 585 PolicyID: "123a", 586 }, 587 }, 588 } 589 netACLs = policy.IPRuleList{ 590 policy.IPRule{ 591 Addresses: []string{"0.0.0.0/0", "10.0.0.0/8", "!10.0.2.0/24"}, 592 Ports: []string{"80"}, 593 Protocols: []string{constants.TCPProtoNum}, 594 Policy: &policy.FlowPolicy{ 595 Action: policy.Accept | policy.Log, 596 ServiceID: "a2", 597 PolicyID: "123b", 598 }, 599 }, 600 } 601 602 policyRules = policy.NewPUPolicy("Context", "/ns1", policy.Police, appACLs, netACLs, nil, nil, nil, nil, nil, nil, nil, 20992, 0, nil, nil, []string{}, policy.EnforcerMapping, policy.Reject|policy.Log, policy.Reject|policy.Log) 603 604 puInfoUpdated := policy.NewPUInfo("Context", "/ns1", common.HostPU) 605 puInfoUpdated.Policy = policyRules 606 puInfoUpdated.Runtime = policy.NewPURuntimeWithDefaults() 607 puInfoUpdated.Runtime.SetPUType(common.HostPU) 608 puInfoUpdated.Runtime.SetOptions(policy.OptionsType{ 609 CgroupMark: "10", 610 }) 611 612 // Reconfigure rules 613 iprules = nil 614 iprules = append(iprules, puInfoUpdated.Policy.ApplicationACLs()...) 615 iprules = append(iprules, puInfoUpdated.Policy.NetworkACLs()...) 616 err = impl.iptv4.ipsetmanager.RegisterExternalNets("pu1", iprules) 617 So(err, ShouldBeNil) 618 619 err = impl.UpdateRules(1, "pu1", puInfoUpdated, puInfo) 620 So(err, ShouldBeNil) 621 622 impl.iptv4.ipsetmanager.DestroyUnusedIPsets() 623 624 // Check ipsets again 625 setName = impl.iptv4.ipsetmanager.GetACLIPsetsNames(appACLs[0:1])[0] 626 So(a.ipsets[setName], ShouldContain, "10.0.0.0/8") 627 So(a.ipsets[setName], ShouldContain, "10.0.0.0/16") 628 So(a.ipsets[setName], ShouldContain, "10.0.2.0/24") 629 So(a.ipsets[setName], ShouldContain, "10.0.2.7") 630 So(a.ipsetsNomatch[setName], ShouldNotContain, "10.0.0.0/8") 631 So(a.ipsetsNomatch[setName], ShouldContain, "10.0.0.0/16") 632 So(a.ipsetsNomatch[setName], ShouldNotContain, "10.0.2.0/24") 633 So(a.ipsetsNomatch[setName], ShouldContain, "10.0.2.7") 634 635 setName = impl.iptv4.ipsetmanager.GetACLIPsetsNames(netACLs[0:1])[0] 636 So(a.ipsets[setName], ShouldContain, "0.0.0.0/1") 637 So(a.ipsets[setName], ShouldContain, "128.0.0.0/1") 638 So(a.ipsets[setName], ShouldContain, "10.0.0.0/8") 639 So(a.ipsets[setName], ShouldContain, "10.0.2.0/24") 640 So(a.ipsets[setName], ShouldNotContain, "10.0.2.8") 641 So(a.ipsetsNomatch[setName], ShouldNotContain, "0.0.0.0/1") 642 So(a.ipsetsNomatch[setName], ShouldNotContain, "128.0.0.0/1") 643 So(a.ipsetsNomatch[setName], ShouldNotContain, "10.0.0.0/8") 644 So(a.ipsetsNomatch[setName], ShouldContain, "10.0.2.0/24") 645 646 // Configure and check acl cache 647 aclCache := tacls.NewACLCache() 648 err = aclCache.AddRuleList(puInfoUpdated.Policy.ApplicationACLs()) 649 So(err, ShouldBeNil) 650 651 defaultFlowPolicy := &policy.FlowPolicy{Action: policy.Reject | policy.Log, PolicyID: "default", ServiceID: "default"} 652 653 report, _, err := aclCache.GetMatchingAction(net.ParseIP("10.0.2.7"), 80, packet.IPProtocolTCP, defaultFlowPolicy) 654 So(err, ShouldNotBeNil) 655 So(report.Action, ShouldEqual, policy.Reject|policy.Log) 656 657 report, _, err = aclCache.GetMatchingAction(net.ParseIP("10.0.2.8"), 80, packet.IPProtocolTCP, defaultFlowPolicy) 658 So(err, ShouldBeNil) 659 So(report.Action, ShouldEqual, policy.Accept|policy.Log) 660 661 report, _, err = aclCache.GetMatchingAction(net.ParseIP("10.0.3.1"), 80, packet.IPProtocolTCP, defaultFlowPolicy) 662 So(err, ShouldNotBeNil) 663 So(report.Action, ShouldEqual, policy.Reject|policy.Log) 664 665 report, _, err = aclCache.GetMatchingAction(net.ParseIP("10.1.3.1"), 80, packet.IPProtocolTCP, defaultFlowPolicy) 666 So(err, ShouldBeNil) 667 So(report.Action, ShouldEqual, policy.Accept|policy.Log) 668 669 report, _, err = aclCache.GetMatchingAction(net.ParseIP("11.1.3.1"), 80, packet.IPProtocolTCP, defaultFlowPolicy) 670 So(err, ShouldNotBeNil) 671 So(report.Action, ShouldEqual, policy.Reject|policy.Log) 672 }) 673 } 674 675 func newFilterQueueWithDefaults() fqconfig.FilterQueue { 676 return fqconfig.NewFilterQueue(0, []string{"0.0.0.0/0", "::/0"}) 677 } 678 679 func Test_WindowsConfigureRulesV4(t *testing.T) { 680 681 a := &abi{ 682 filters: make(map[string]map[string]bool), 683 ipsets: make(map[string][]string), 684 ipsetsNomatch: make(map[string][]string), 685 ipsetByID: make(map[int]string), 686 } 687 frontman.Driver = a 688 689 getEnforcerPID = func() int { return 111 } 690 getCnsAgentMgrPID = func() int { return 222 } 691 getCnsAgentBootPID = func() int { return 333 } 692 693 Convey("Given a valid instance", t, func() { 694 695 fq := newFilterQueueWithDefaults() 696 impl, err := NewInstance(fq, constants.LocalServer, false, nil, "", policy.None) 697 So(err, ShouldBeNil) 698 699 err = impl.Run(context.Background()) 700 So(err, ShouldBeNil) 701 702 // check filters 703 So(a.filters, ShouldHaveLength, 8) 704 So(a.filters, ShouldContainKey, "GlobalRules-OUTPUT-v4") 705 So(a.filters, ShouldContainKey, "GlobalRules-INPUT-v4") 706 So(a.filters, ShouldContainKey, "ProcessRules-OUTPUT-v4") 707 So(a.filters, ShouldContainKey, "ProcessRules-INPUT-v4") 708 So(a.filters, ShouldContainKey, "HostSvcRules-OUTPUT-v4") 709 So(a.filters, ShouldContainKey, "HostSvcRules-INPUT-v4") 710 So(a.filters, ShouldContainKey, "HostPU-OUTPUT-v4") 711 So(a.filters, ShouldContainKey, "HostPU-INPUT-v4") 712 713 // check ipsets 714 So(a.ipsets, ShouldHaveLength, 9) 715 So(a.ipsets, ShouldContainKey, "TRI-v4-TargetTCP") 716 So(a.ipsets, ShouldContainKey, "TRI-v4-TargetUDP") 717 So(a.ipsets, ShouldContainKey, "TRI-v4-Excluded") 718 So(a.ipsets, ShouldContainKey, "TRI-v6-TargetTCP") 719 So(a.ipsets, ShouldContainKey, "TRI-v6-TargetUDP") 720 So(a.ipsets, ShouldContainKey, "TRI-v6-Excluded") 721 So(a.ipsets, ShouldContainKey, "TRI-v4-WindowsAllIPs") 722 So(a.ipsets, ShouldContainKey, "TRI-v6-WindowsAllIPs") 723 So(a.ipsets, ShouldContainKey, "TRI-v4-WindowsDNSServer") 724 So(a.ipsets["TRI-v4-WindowsAllIPs"], ShouldContain, "0.0.0.0/0") 725 So(a.ipsets["TRI-v4-WindowsDNSServer"], ShouldContain, "0.0.0.0/0") 726 So(a.ipsets["TRI-v6-WindowsAllIPs"], ShouldContain, "::/0") 727 728 cfg := &runtime.Configuration{} 729 impl.SetTargetNetworks(cfg) // nolint 730 So(err, ShouldBeNil) 731 732 policyRules := policy.NewPUPolicy("Context", "/ns1", policy.Police, nil, nil, nil, nil, nil, nil, nil, nil, nil, 20992, 0, nil, nil, []string{}, policy.EnforcerMapping, policy.Reject|policy.Log, policy.Reject|policy.Log) 733 734 puInfo := policy.NewPUInfo("Context", "/ns1", common.HostPU) 735 puInfo.Policy = policyRules 736 puInfo.Runtime = policy.NewPURuntimeWithDefaults() 737 puInfo.Runtime.SetPUType(common.HostPU) 738 puInfo.Runtime.SetOptions(policy.OptionsType{ 739 CgroupMark: "10", 740 }) 741 742 // configure rules 743 err = impl.ConfigureRules(1, "ID", puInfo) 744 So(err, ShouldBeNil) 745 746 So(a.filters["GlobalRules-OUTPUT-v4"], ShouldContainKey, "-m set --match-set TRI-v4-Excluded dstIP -j ACCEPT_ONCE") 747 So(a.filters["GlobalRules-OUTPUT-v4"], ShouldContainKey, fmt.Sprintf("-m owner --pid-owner %d -j ACCEPT", getEnforcerPID())) 748 So(a.filters["GlobalRules-INPUT-v4"], ShouldContainKey, "-m set --match-set TRI-v4-Excluded srcIP -j ACCEPT_ONCE") 749 So(a.filters["GlobalRules-INPUT-v4"], ShouldContainKey, fmt.Sprintf("-m owner --pid-owner %d -j ACCEPT", getEnforcerPID())) 750 So(a.filters["GlobalRules-INPUT-v4"], ShouldContainKey, "-p udp --sports 53 -m set --match-set TRI-v4-WindowsDNSServer srcIP -j NFQUEUE_FORCE -j MARK 83") 751 So(a.filters["ProcessRules-OUTPUT-v4"], ShouldBeEmpty) 752 So(a.filters["ProcessRules-INPUT-v4"], ShouldBeEmpty) 753 So(a.filters["HostSvcRules-OUTPUT-v4"], ShouldBeEmpty) 754 So(a.filters["HostSvcRules-INPUT-v4"], ShouldBeEmpty) 755 So(a.filters["HostPU-INPUT-v4"], ShouldContainKey, "-p tcp -m set --match-set TRI-v4-Proxy-IDeCFL-srv dstPort -j REDIRECT --to-ports 20992") 756 So(a.filters["TRI-App-IDtxit7H-1-v4"], ShouldContainKey, "-p tcp --tcp-flags 1,1 -m set --match-set TRI-v4-TargetTCP dstIP -j ACCEPT") 757 So(a.filters["TRI-App-IDtxit7H-1-v4"], ShouldContainKey, "-p udp -m set --match-set TRI-v4-TargetUDP dstIP -j NFQUEUE -j MARK 10") 758 So(a.filters["TRI-App-IDtxit7H-1-v4"], ShouldContainKey, "-p tcp -m set --match-set TRI-v4-TargetTCP dstIP -j NFQUEUE -j MARK 10") 759 So(a.filters["TRI-App-IDtxit7H-1-v4"], ShouldContainKey, "-p tcp --tcp-flags 18,18 -j NFQUEUE -j MARK 10") 760 So(a.filters["TRI-App-IDtxit7H-1-v4"], ShouldContainKey, "-m set --match-set TRI-v4-WindowsAllIPs dstIP -j NFLOG --nflog-group 10 --nflog-prefix 1215753766:default:default:10") 761 So(a.filters["TRI-App-IDtxit7H-1-v4"], ShouldContainKey, "-m set --match-set TRI-v4-WindowsAllIPs dstIP -j DROP -j NFLOG --nflog-group 10 --nflog-prefix 1215753766:default:default:6") 762 So(a.filters["TRI-Net-IDtxit7H-1-v4"], ShouldContainKey, "-p tcp --tcp-flags 45,0 --tcp-option 34 -j NFQUEUE MARK 10") 763 So(a.filters["TRI-Net-IDtxit7H-1-v4"], ShouldContainKey, "-p udp -m string --string n30njxq7bmiwr6dtxq --offset 4 -j NFQUEUE -j MARK 10") 764 So(a.filters["TRI-Net-IDtxit7H-1-v4"], ShouldContainKey, "-p udp -m string --string n30njxq7bmiwr6dtxq --offset 6 -j NFQUEUE -j MARK 10") 765 So(a.filters["TRI-Net-IDtxit7H-1-v4"], ShouldContainKey, "-p tcp --tcp-flags 2,0 -j NFQUEUE -j MARK 10") 766 So(a.filters["TRI-Net-IDtxit7H-1-v4"], ShouldContainKey, "-p tcp --tcp-flags 18,18 -m set --match-set TRI-v4-TargetTCP srcIP -j NFQUEUE -j MARK 10") 767 So(a.filters["TRI-Net-IDtxit7H-1-v4"], ShouldContainKey, "-m set --match-set TRI-v4-WindowsAllIPs srcIP -j NFLOG --nflog-group 11 --nflog-prefix 1215753766:default:default:10") 768 So(a.filters["TRI-Net-IDtxit7H-1-v4"], ShouldContainKey, "-m set --match-set TRI-v4-WindowsAllIPs srcIP -j DROP -j NFLOG --nflog-group 11 --nflog-prefix 1215753766:default:default:6") 769 770 So(a.ipsets, ShouldContainKey, "TRI-v4-Proxy-IDeCFL-srv") 771 So(a.ipsets, ShouldContainKey, "TRI-v4-Proxy-IDeCFL-dst") 772 So(a.ipsets, ShouldContainKey, "TRI-v4-ProcPort-IDeCFL") 773 774 // configure rules for process wrap 775 puInfo = policy.NewPUInfo("Context", "/ns1", common.WindowsProcessPU) 776 puInfo.Policy = policyRules 777 puInfo.Runtime = policy.NewPURuntimeWithDefaults() 778 puInfo.Runtime.SetPUType(common.WindowsProcessPU) 779 puInfo.Runtime.SetOptions(policy.OptionsType{ 780 CgroupMark: "10", 781 }) 782 783 err = impl.ConfigureRules(1, "1234", puInfo) 784 So(err, ShouldBeNil) 785 786 const pidFilterSubstring = "-m owner --pid-owner 1234 --pid-childrenonly" 787 So(len(a.filters["ProcessRules-OUTPUT-v4"]), ShouldNotBeZeroValue) 788 So(len(a.filters["ProcessRules-INPUT-v4"]), ShouldNotBeZeroValue) 789 790 for filter := range a.filters { 791 792 if strings.HasPrefix(filter, "ProcessRules") { 793 for k := range a.filters["ProcessRules-OUTPUT-v4"] { 794 So(k, ShouldContainSubstring, pidFilterSubstring) 795 } 796 for k := range a.filters["ProcessRules-INPUT-v4"] { 797 So(k, ShouldContainSubstring, pidFilterSubstring) 798 } 799 } else { 800 for k := range a.filters[filter] { 801 So(k, ShouldNotContainSubstring, pidFilterSubstring) 802 } 803 for k := range a.filters[filter] { 804 So(k, ShouldNotContainSubstring, pidFilterSubstring) 805 } 806 } 807 } 808 }) 809 810 } 811 812 func Test_WindowsConfigureRulesV6(t *testing.T) { 813 814 a := &abi{ 815 filters: make(map[string]map[string]bool), 816 ipsets: make(map[string][]string), 817 ipsetsNomatch: make(map[string][]string), 818 ipsetByID: make(map[int]string), 819 } 820 frontman.Driver = a 821 822 getEnforcerPID = func() int { return 111 } 823 getCnsAgentMgrPID = func() int { return 222 } 824 getCnsAgentBootPID = func() int { return 333 } 825 826 Convey("Given a valid instance with ipv6 enabled", t, func() { 827 828 fq := newFilterQueueWithDefaults() 829 impl, err := NewInstance(fq, constants.LocalServer, true, nil, "", policy.None) 830 So(err, ShouldBeNil) 831 832 err = impl.Run(context.Background()) 833 So(err, ShouldBeNil) 834 835 // check filters 836 So(a.filters, ShouldHaveLength, 16) 837 So(a.filters, ShouldContainKey, "GlobalRules-OUTPUT-v4") 838 So(a.filters, ShouldContainKey, "GlobalRules-INPUT-v4") 839 So(a.filters, ShouldContainKey, "ProcessRules-OUTPUT-v4") 840 So(a.filters, ShouldContainKey, "ProcessRules-INPUT-v4") 841 So(a.filters, ShouldContainKey, "HostSvcRules-OUTPUT-v4") 842 So(a.filters, ShouldContainKey, "HostSvcRules-INPUT-v4") 843 So(a.filters, ShouldContainKey, "HostPU-OUTPUT-v4") 844 So(a.filters, ShouldContainKey, "HostPU-INPUT-v4") 845 So(a.filters, ShouldContainKey, "GlobalRules-OUTPUT-v6") 846 So(a.filters, ShouldContainKey, "GlobalRules-INPUT-v6") 847 So(a.filters, ShouldContainKey, "ProcessRules-OUTPUT-v6") 848 So(a.filters, ShouldContainKey, "ProcessRules-INPUT-v6") 849 So(a.filters, ShouldContainKey, "HostSvcRules-OUTPUT-v6") 850 So(a.filters, ShouldContainKey, "HostSvcRules-INPUT-v6") 851 So(a.filters, ShouldContainKey, "HostPU-OUTPUT-v6") 852 So(a.filters, ShouldContainKey, "HostPU-INPUT-v6") 853 854 // check ipsets 855 So(a.ipsets, ShouldHaveLength, 9) 856 So(a.ipsets, ShouldContainKey, "TRI-v4-TargetTCP") 857 So(a.ipsets, ShouldContainKey, "TRI-v4-TargetUDP") 858 So(a.ipsets, ShouldContainKey, "TRI-v4-Excluded") 859 So(a.ipsets, ShouldContainKey, "TRI-v6-TargetTCP") 860 So(a.ipsets, ShouldContainKey, "TRI-v6-TargetUDP") 861 So(a.ipsets, ShouldContainKey, "TRI-v6-Excluded") 862 So(a.ipsets, ShouldContainKey, "TRI-v4-WindowsAllIPs") 863 So(a.ipsets, ShouldContainKey, "TRI-v6-WindowsAllIPs") 864 So(a.ipsets, ShouldContainKey, "TRI-v4-WindowsDNSServer") 865 So(a.ipsets["TRI-v4-WindowsAllIPs"], ShouldContain, "0.0.0.0/0") 866 So(a.ipsets["TRI-v4-WindowsDNSServer"], ShouldContain, "0.0.0.0/0") 867 So(a.ipsets["TRI-v6-WindowsAllIPs"], ShouldContain, "::/0") 868 869 cfg := &runtime.Configuration{} 870 impl.SetTargetNetworks(cfg) // nolint 871 So(err, ShouldBeNil) 872 873 policyRules := policy.NewPUPolicy("Context", "/ns1", policy.Police, nil, nil, nil, nil, nil, nil, nil, nil, nil, 20992, 0, nil, nil, []string{}, policy.EnforcerMapping, policy.Reject|policy.Log, policy.Reject|policy.Log) 874 875 puInfo := policy.NewPUInfo("Context", "/ns1", common.HostPU) 876 puInfo.Policy = policyRules 877 puInfo.Runtime = policy.NewPURuntimeWithDefaults() 878 puInfo.Runtime.SetPUType(common.HostPU) 879 puInfo.Runtime.SetOptions(policy.OptionsType{ 880 CgroupMark: "10", 881 }) 882 883 // configure rules 884 err = impl.ConfigureRules(1, "ID", puInfo) 885 So(err, ShouldBeNil) 886 887 So(a.filters["GlobalRules-OUTPUT-v6"], ShouldContainKey, "-m set --match-set TRI-v6-Excluded dstIP -j ACCEPT_ONCE") 888 So(a.filters["GlobalRules-OUTPUT-v6"], ShouldContainKey, "-p icmpv6 --icmp-type 133/0 -j ACCEPT") 889 So(a.filters["GlobalRules-OUTPUT-v6"], ShouldContainKey, "-p icmpv6 --icmp-type 134/0 -j ACCEPT") 890 So(a.filters["GlobalRules-OUTPUT-v6"], ShouldContainKey, "-p icmpv6 --icmp-type 135/0 -j ACCEPT") 891 So(a.filters["GlobalRules-OUTPUT-v6"], ShouldContainKey, "-p icmpv6 --icmp-type 136/0 -j ACCEPT") 892 So(a.filters["GlobalRules-OUTPUT-v6"], ShouldContainKey, "-p icmpv6 --icmp-type 141/0 -j ACCEPT") 893 So(a.filters["GlobalRules-OUTPUT-v6"], ShouldContainKey, "-p icmpv6 --icmp-type 142/0 -j ACCEPT") 894 895 So(a.filters["GlobalRules-INPUT-v6"], ShouldContainKey, "-m set --match-set TRI-v6-Excluded srcIP -j ACCEPT_ONCE") 896 So(a.filters["GlobalRules-INPUT-v6"], ShouldContainKey, "-p icmpv6 --icmp-type 133/0 -j ACCEPT") 897 So(a.filters["GlobalRules-INPUT-v6"], ShouldContainKey, "-p icmpv6 --icmp-type 134/0 -j ACCEPT") 898 So(a.filters["GlobalRules-INPUT-v6"], ShouldContainKey, "-p icmpv6 --icmp-type 135/0 -j ACCEPT") 899 So(a.filters["GlobalRules-INPUT-v6"], ShouldContainKey, "-p icmpv6 --icmp-type 136/0 -j ACCEPT") 900 So(a.filters["GlobalRules-INPUT-v6"], ShouldContainKey, "-p icmpv6 --icmp-type 141/0 -j ACCEPT") 901 So(a.filters["GlobalRules-INPUT-v6"], ShouldContainKey, "-p icmpv6 --icmp-type 142/0 -j ACCEPT") 902 So(a.filters["ProcessRules-OUTPUT-v6"], ShouldBeEmpty) 903 So(a.filters["ProcessRules-INPUT-v6"], ShouldBeEmpty) 904 So(a.filters["HostSvcRules-OUTPUT-v6"], ShouldBeEmpty) 905 So(a.filters["HostSvcRules-INPUT-v6"], ShouldBeEmpty) 906 So(a.filters["TRI-App-IDtxit7H-1-v6"], ShouldContainKey, "-p tcp --tcp-flags 1,1 -m set --match-set TRI-v6-TargetTCP dstIP -j ACCEPT") 907 So(a.filters["TRI-App-IDtxit7H-1-v6"], ShouldContainKey, "-p udp -m set --match-set TRI-v6-TargetUDP dstIP -j NFQUEUE -j MARK 10") 908 So(a.filters["TRI-App-IDtxit7H-1-v6"], ShouldContainKey, "-p tcp -m set --match-set TRI-v6-TargetTCP dstIP -j NFQUEUE -j MARK 10") 909 So(a.filters["TRI-App-IDtxit7H-1-v6"], ShouldContainKey, "-p tcp --tcp-flags 18,18 -j NFQUEUE -j MARK 10") 910 So(a.filters["TRI-App-IDtxit7H-1-v6"], ShouldContainKey, "-m set --match-set TRI-v6-WindowsAllIPs dstIP -j NFLOG --nflog-group 10 --nflog-prefix 1215753766:default:default:10") 911 So(a.filters["TRI-App-IDtxit7H-1-v6"], ShouldContainKey, "-m set --match-set TRI-v6-WindowsAllIPs dstIP -j DROP -j NFLOG --nflog-group 10 --nflog-prefix 1215753766:default:default:6") 912 So(a.filters["TRI-Net-IDtxit7H-1-v6"], ShouldContainKey, "-p udp -m string --string n30njxq7bmiwr6dtxq --offset 4 -j NFQUEUE -j MARK 10") 913 So(a.filters["TRI-Net-IDtxit7H-1-v6"], ShouldContainKey, "-p udp -m string --string n30njxq7bmiwr6dtxq --offset 6 -j NFQUEUE -j MARK 10") 914 So(a.filters["TRI-Net-IDtxit7H-1-v6"], ShouldContainKey, "-p tcp --tcp-flags 45,0 --tcp-option 34 -j NFQUEUE MARK 10") 915 So(a.filters["TRI-Net-IDtxit7H-1-v6"], ShouldContainKey, "-p tcp --tcp-flags 2,0 -j NFQUEUE -j MARK 10") 916 So(a.filters["TRI-Net-IDtxit7H-1-v6"], ShouldContainKey, "-p tcp --tcp-flags 18,18 -m set --match-set TRI-v6-TargetTCP srcIP -j NFQUEUE -j MARK 10") 917 So(a.filters["TRI-Net-IDtxit7H-1-v6"], ShouldContainKey, "-m set --match-set TRI-v6-WindowsAllIPs srcIP -j NFLOG --nflog-group 11 --nflog-prefix 1215753766:default:default:10") 918 So(a.filters["TRI-Net-IDtxit7H-1-v6"], ShouldContainKey, "-m set --match-set TRI-v6-WindowsAllIPs srcIP -j DROP -j NFLOG --nflog-group 11 --nflog-prefix 1215753766:default:default:6") 919 920 So(a.ipsets, ShouldContainKey, "TRI-v6-Proxy-IDeCFL-srv") 921 So(a.ipsets, ShouldContainKey, "TRI-v6-Proxy-IDeCFL-dst") 922 So(a.ipsets, ShouldContainKey, "TRI-v6-ProcPort-IDeCFL") 923 }) 924 925 } 926 927 func Test_WindowsConfigureRulesManagedByCns(t *testing.T) { 928 929 a := &abi{ 930 filters: make(map[string]map[string]bool), 931 ipsets: make(map[string][]string), 932 ipsetsNomatch: make(map[string][]string), 933 ipsetByID: make(map[int]string), 934 } 935 frontman.Driver = a 936 937 getEnforcerPID = func() int { return 111 } 938 939 Convey("Given a valid instance where managed by CNS", t, func() { 940 941 getCnsAgentMgrPID = func() int { return 222 } 942 getCnsAgentBootPID = func() int { return 333 } 943 944 fq := newFilterQueueWithDefaults() 945 impl, err := NewInstance(fq, constants.LocalServer, false, nil, "", policy.None) 946 So(err, ShouldBeNil) 947 948 err = impl.Run(context.Background()) 949 So(err, ShouldBeNil) 950 951 cfg := &runtime.Configuration{} 952 impl.SetTargetNetworks(cfg) // nolint 953 So(err, ShouldBeNil) 954 955 policyRules := policy.NewPUPolicy("Context", "/ns1", policy.Police, nil, nil, nil, nil, nil, nil, nil, nil, nil, 20992, 0, nil, nil, []string{}, policy.EnforcerMapping, policy.Reject|policy.Log, policy.Reject|policy.Log) 956 957 puInfo := policy.NewPUInfo("Context", "/ns1", common.HostPU) 958 puInfo.Policy = policyRules 959 puInfo.Runtime = policy.NewPURuntimeWithDefaults() 960 puInfo.Runtime.SetPUType(common.HostPU) 961 puInfo.Runtime.SetOptions(policy.OptionsType{ 962 CgroupMark: "10", 963 }) 964 965 // configure rules 966 err = impl.ConfigureRules(1, "ID", puInfo) 967 So(err, ShouldBeNil) 968 969 So(a.filters["GlobalRules-OUTPUT-v4"], ShouldContainKey, fmt.Sprintf("-m owner --pid-owner %d -j ACCEPT", getEnforcerPID())) 970 So(a.filters["GlobalRules-OUTPUT-v4"], ShouldContainKey, fmt.Sprintf("-m owner --pid-owner %d -j ACCEPT", getCnsAgentMgrPID())) 971 So(a.filters["GlobalRules-OUTPUT-v4"], ShouldContainKey, fmt.Sprintf("-m owner --pid-owner %d --pid-children -j ACCEPT", getCnsAgentBootPID())) 972 So(a.filters["GlobalRules-INPUT-v4"], ShouldContainKey, fmt.Sprintf("-m owner --pid-owner %d -j ACCEPT", getEnforcerPID())) 973 So(a.filters["GlobalRules-INPUT-v4"], ShouldContainKey, fmt.Sprintf("-m owner --pid-owner %d -j ACCEPT", getCnsAgentMgrPID())) 974 So(a.filters["GlobalRules-INPUT-v4"], ShouldContainKey, fmt.Sprintf("-m owner --pid-owner %d --pid-children -j ACCEPT", getCnsAgentBootPID())) 975 }) 976 977 Convey("Given a valid instance where not managed by CNS", t, func() { 978 979 getCnsAgentMgrPID = func() int { return -1 } 980 getCnsAgentBootPID = func() int { return -1 } 981 982 fq := newFilterQueueWithDefaults() 983 impl, err := NewInstance(fq, constants.LocalServer, false, nil, "", policy.None) 984 So(err, ShouldBeNil) 985 986 err = impl.Run(context.Background()) 987 So(err, ShouldBeNil) 988 989 cfg := &runtime.Configuration{} 990 impl.SetTargetNetworks(cfg) // nolint 991 So(err, ShouldBeNil) 992 993 policyRules := policy.NewPUPolicy("Context", "/ns1", policy.Police, nil, nil, nil, nil, nil, nil, nil, nil, nil, 20992, 0, nil, nil, []string{}, policy.EnforcerMapping, policy.Reject|policy.Log, policy.Reject|policy.Log) 994 995 puInfo := policy.NewPUInfo("Context", "/ns1", common.HostPU) 996 puInfo.Policy = policyRules 997 puInfo.Runtime = policy.NewPURuntimeWithDefaults() 998 puInfo.Runtime.SetPUType(common.HostPU) 999 puInfo.Runtime.SetOptions(policy.OptionsType{ 1000 CgroupMark: "10", 1001 }) 1002 1003 // configure rules 1004 err = impl.ConfigureRules(1, "ID", puInfo) 1005 So(err, ShouldBeNil) 1006 1007 So(a.filters["GlobalRules-OUTPUT-v4"], ShouldContainKey, fmt.Sprintf("-m owner --pid-owner %d -j ACCEPT", getEnforcerPID())) 1008 So(a.filters["GlobalRules-OUTPUT-v4"], ShouldNotContainKey, fmt.Sprintf("-m owner --pid-owner %d -j ACCEPT", getCnsAgentMgrPID())) 1009 So(a.filters["GlobalRules-OUTPUT-v4"], ShouldNotContainKey, fmt.Sprintf("-m owner --pid-owner %d --pid-children -j ACCEPT", getCnsAgentBootPID())) 1010 So(a.filters["GlobalRules-INPUT-v4"], ShouldContainKey, fmt.Sprintf("-m owner --pid-owner %d -j ACCEPT", getEnforcerPID())) 1011 So(a.filters["GlobalRules-INPUT-v4"], ShouldNotContainKey, fmt.Sprintf("-m owner --pid-owner %d -j ACCEPT", getCnsAgentMgrPID())) 1012 So(a.filters["GlobalRules-INPUT-v4"], ShouldNotContainKey, fmt.Sprintf("-m owner --pid-owner %d --pid-children -j ACCEPT", getCnsAgentBootPID())) 1013 }) 1014 1015 }