github.com/aporeto-inc/trireme-lib@v10.358.0+incompatible/utils/frontman/rulecleanup_windows_test.go (about) 1 // +build windows 2 3 package frontman 4 5 import ( 6 "fmt" 7 "strings" 8 "testing" 9 ) 10 11 const ( 12 ipset1 = "ipset-1" 13 ipset2 = "ipset-2" 14 ipset3 = "ipset-3" 15 ipset4 = "ipset-4" 16 ipset5 = "ipset-5" 17 ipset6a = "ipset-6a" 18 ipset6b = "ipset-6b" 19 filter1 = "filter 1" 20 filter2 = "filter 2" 21 filter3 = "filter 3" 22 filter4 = "filter 4" 23 ) 24 25 var ( 26 rule1 = fmt.Sprintf("rule 1 for %s", ipset1) 27 rule2 = fmt.Sprintf("rule 2 for %s and %s", ipset1, ipset2) 28 rule3 = fmt.Sprintf("rule 3 for %s", ipset2) 29 rule4 = fmt.Sprintf("rule 4 for %s", ipset3) 30 rule5 = fmt.Sprintf("rule 5 for %s", ipset4) 31 rule6 = fmt.Sprintf("rule 6 for %s and %s and two different filters", ipset4, ipset5) 32 rule7 = fmt.Sprintf("rule 7 for %s and two different filters", ipset4) 33 rule8 = fmt.Sprintf("rule 8 for %s", ipset6a) 34 rule9 = fmt.Sprintf("rule 9 for %s", ipset6b) 35 ) 36 37 type wrapperForTest struct { 38 cleaner ruleCleanup 39 ipsets map[string]bool 40 rules map[string]map[string]bool 41 } 42 43 func (w *wrapperForTest) addRule(ipsetName, filterName, ruleCriteria string) { 44 w.cleaner.mapIpsetToRule(ipsetName, filterName, ruleCriteria) 45 w.ipsets[ipsetName] = true 46 if _, ok := w.rules[filterName]; !ok { 47 w.rules[filterName] = make(map[string]bool) 48 } 49 w.rules[filterName][ruleCriteria] = true 50 } 51 52 func (w *wrapperForTest) deleteIpset(ipsetName string) error { 53 if err := w.cleaner.deleteRulesForIpset(w, ipsetName); err != nil { 54 return err 55 } 56 delete(w.ipsets, ipsetName) 57 return nil 58 } 59 60 func (w *wrapperForTest) deleteIpsetByPrefix(ipsetNamePrefix string) error { 61 if err := w.cleaner.deleteRuleForIpsetByPrefix(w, ipsetNamePrefix); err != nil { 62 return err 63 } 64 for ipsetName := range w.ipsets { 65 if strings.HasPrefix(ipsetName, ipsetNamePrefix) { 66 delete(w.ipsets, ipsetName) 67 } 68 } 69 return nil 70 } 71 72 func (w *wrapperForTest) ruleExists(filterName, ruleCriteria string) bool { 73 _, ok := w.rules[filterName][ruleCriteria] 74 return ok 75 } 76 77 func (w *wrapperForTest) deleteRule(filterName, ruleCriteria string) { 78 w.cleaner.deleteRuleFromIpsetMap(filterName, ruleCriteria) 79 delete(w.rules[filterName], ruleCriteria) 80 } 81 82 func Test_ruleCleaner(t *testing.T) { 83 84 wrapper := &wrapperForTest{ 85 ipsets: make(map[string]bool), 86 rules: make(map[string]map[string]bool), 87 cleaner: newRuleCleanup(), 88 } 89 90 // Add some ipsets and rules 91 wrapper.addRule(ipset1, filter1, rule1) 92 wrapper.addRule(ipset1, filter2, rule2) 93 wrapper.addRule(ipset2, filter2, rule2) 94 wrapper.addRule(ipset2, filter1, rule3) 95 wrapper.addRule(ipset2, filter2, rule3) 96 wrapper.addRule(ipset3, filter3, rule4) 97 wrapper.addRule(ipset1, filter3, rule1) 98 wrapper.addRule(ipset1, filter4, rule1) 99 wrapper.addRule(ipset4, filter1, rule5) 100 wrapper.addRule(ipset4, filter1, rule6) 101 wrapper.addRule(ipset5, filter1, rule6) 102 wrapper.addRule(ipset4, filter2, rule7) 103 wrapper.addRule(ipset4, filter2, rule6) 104 wrapper.addRule(ipset5, filter2, rule6) 105 wrapper.addRule(ipset6a, filter3, rule8) 106 wrapper.addRule(ipset6b, filter3, rule9) 107 108 // I delete an ipset. Its rules should be deleted. 109 if err := wrapper.deleteIpset(ipset2); err != nil { 110 t.Errorf("deleteIpset failed: %w", err) 111 } 112 if wrapper.ruleExists(filter2, rule2) || wrapper.ruleExists(filter1, rule3) || wrapper.ruleExists(filter2, rule3) { 113 t.Errorf("deleting ipset 2 did not delete all its rules") 114 } 115 if !wrapper.ruleExists(filter1, rule1) { 116 t.Errorf("deleting ipset 2 deleted extra rules") 117 } 118 119 // Delete by prefix 120 if err := wrapper.deleteIpsetByPrefix("ipset-6"); err != nil { 121 t.Errorf("deleteIpsetByPrefix failed: %w", err) 122 } 123 if wrapper.ruleExists(filter3, rule8) || wrapper.ruleExists(filter3, rule9) { 124 t.Errorf("deleting by prefix did not work") 125 } 126 127 // Delete another ipset associated with different filters and other ipsets 128 if err := wrapper.deleteIpset(ipset4); err != nil { 129 t.Errorf("deleteIpset failed: %w", err) 130 } 131 if wrapper.ruleExists(filter1, rule5) || wrapper.ruleExists(filter1, rule6) || wrapper.ruleExists(filter2, rule6) || wrapper.ruleExists(filter2, rule7) { 132 t.Errorf("deleting ipset 4 did not delete all its rules") 133 } 134 135 // Rules 1 and 4 should be remaining 136 if !wrapper.ruleExists(filter1, rule1) || !wrapper.ruleExists(filter3, rule1) || !wrapper.ruleExists(filter4, rule1) { 137 t.Errorf("expected rule 1 to exist but does not") 138 } 139 if !wrapper.ruleExists(filter3, rule4) { 140 t.Errorf("expected rule 4 to exist but does not") 141 } 142 143 // Delete rules 1 and 4 and verify 144 wrapper.deleteRule(filter1, rule1) 145 wrapper.deleteRule(filter3, rule1) 146 wrapper.deleteRule(filter4, rule1) 147 wrapper.deleteRule(filter3, rule4) 148 if wrapper.ruleExists(filter1, rule1) || wrapper.ruleExists(filter3, rule1) || wrapper.ruleExists(filter4, rule1) || wrapper.ruleExists(filter3, rule4) { 149 t.Errorf("deleting rules 1 and 4 did not work") 150 } 151 152 // Rules should be gone 153 for filterName, ruleCriterias := range wrapper.rules { 154 for ruleCriteria := range ruleCriterias { 155 t.Errorf("deleted rules but this one for filter %s remains: %s", filterName, ruleCriteria) 156 } 157 } 158 159 // Now we still have some ipsets not deleted, so their maps may not be empty. Explicitly delete these rules. 160 wrapper.deleteRule(filter2, rule2) // in ipset1 map 161 wrapper.deleteRule(filter1, rule6) // in ipset5 map 162 wrapper.deleteRule(filter2, rule6) // in ipset5 map 163 164 // Verify nothing left in cleaner 165 remainingRules := make([]*filterRulePair, 0) 166 remainingRules = append(remainingRules, 167 append(wrapper.cleaner.getRulesForIpset(ipset1), 168 append(wrapper.cleaner.getRulesForIpset(ipset2), 169 append(wrapper.cleaner.getRulesForIpset(ipset3), 170 append(wrapper.cleaner.getRulesForIpset(ipset4), 171 append(wrapper.cleaner.getRulesForIpset(ipset5), 172 append(wrapper.cleaner.getRulesForIpset(ipset6a), 173 wrapper.cleaner.getRulesForIpset(ipset6b)...)...)...)...)...)...)...) 174 for _, frpair := range remainingRules { 175 t.Errorf("deleted rules but cleaner still has this one for filter %s: %s", frpair.filterName, frpair.ruleCriteria) 176 } 177 } 178 179 // WrapDriver implementation for the test only needs to implement the functions called by the rule cleaner 180 181 func (w *wrapperForTest) ListIpsets() ([]string, error) { 182 ipsetNames := make([]string, 0, len(w.ipsets)) 183 for ipsetName := range w.ipsets { 184 ipsetNames = append(ipsetNames, ipsetName) 185 } 186 return ipsetNames, nil 187 } 188 189 func (w *wrapperForTest) DeleteFilterCriteria(filterName, criteriaName string) error { 190 delete(w.rules[filterName], criteriaName) 191 return nil 192 } 193 194 // Dummy implementations below 195 196 func (w *wrapperForTest) GetDestInfo(socket uintptr, destInfo *DestInfo) error { 197 return nil 198 } 199 200 func (w *wrapperForTest) ApplyDestHandle(socket, destHandle uintptr) error { 201 return nil 202 } 203 204 func (w *wrapperForTest) FreeDestHandle(destHandle uintptr) error { 205 return nil 206 } 207 208 func (w *wrapperForTest) NewIpset(name, ipsetType string) (uintptr, error) { 209 return 1, nil 210 } 211 212 func (w *wrapperForTest) GetIpset(name string) (uintptr, error) { 213 return 1, nil 214 } 215 216 func (w *wrapperForTest) DestroyAllIpsets(prefix string) error { 217 return nil 218 } 219 220 func (w *wrapperForTest) ListIpsetsDetail(format int) (string, error) { 221 return "", nil 222 } 223 224 func (w *wrapperForTest) IpsetAdd(ipsetHandle uintptr, entry string, timeout int) error { 225 return nil 226 } 227 228 func (w *wrapperForTest) IpsetAddOption(ipsetHandle uintptr, entry, option string, timeout int) error { 229 return nil 230 } 231 232 func (w *wrapperForTest) IpsetDelete(ipsetHandle uintptr, entry string) error { 233 return nil 234 } 235 236 func (w *wrapperForTest) IpsetDestroy(ipsetHandle uintptr, name string) error { 237 return nil 238 } 239 240 func (w *wrapperForTest) IpsetFlush(ipsetHandle uintptr) error { 241 return nil 242 } 243 244 func (w *wrapperForTest) IpsetTest(ipsetHandle uintptr, entry string) (bool, error) { 245 return false, nil 246 } 247 248 func (w *wrapperForTest) PacketFilterStart(firewallName string, receiveCallback, loggingCallback func(uintptr, uintptr) uintptr) error { 249 return nil 250 } 251 252 func (w *wrapperForTest) PacketFilterClose() error { 253 return nil 254 } 255 256 func (w *wrapperForTest) PacketFilterForward(info *PacketInfo, packetBytes []byte) error { 257 return nil 258 } 259 260 func (w *wrapperForTest) AppendFilter(outbound bool, filterName string, isGotoFilter bool) error { 261 return nil 262 } 263 264 func (w *wrapperForTest) InsertFilter(outbound bool, priority int, filterName string, isGotoFilter bool) error { 265 return nil 266 } 267 268 func (w *wrapperForTest) DestroyFilter(filterName string) error { 269 return nil 270 } 271 272 func (w *wrapperForTest) EmptyFilter(filterName string) error { 273 return nil 274 } 275 276 func (w *wrapperForTest) GetFilterList(outbound bool) ([]string, error) { 277 return nil, nil 278 } 279 280 func (w *wrapperForTest) AppendFilterCriteria(filterName, criteriaName string, ruleSpec *RuleSpec, ipsetRuleSpecs []IpsetRuleSpec) error { 281 return nil 282 } 283 284 func (w *wrapperForTest) GetCriteriaList(format int) (string, error) { 285 return "", nil 286 }