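// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium

package policy

import (
	"net/netip"
	"testing"

	"github.com/stretchr/testify/require"

	"github.com/cilium/cilium/pkg/labels"
	"github.com/cilium/cilium/pkg/policy/api"
)

// TestGetPrefixesFromCIDR checks that getPrefixesFromCIDR converts policy CIDR
// strings into the expected netip.Prefix values, in the order they were given.
func TestGetPrefixesFromCIDR(t *testing.T) {
	// A slice (rather than a map) keeps the case order deterministic, so a
	// failure points at the same position on every run.
	cases := []struct {
		input api.CIDR
		want  string
	}{
		{input: "0.0.0.0/0", want: "0.0.0.0/0"},
		// A bare address is expected to become a host prefix.
		{input: "192.0.2.3", want: "192.0.2.3/32"},
		{input: "192.0.2.3/32", want: "192.0.2.3/32"},
		// Host bits set below the mask are expected to be cleared, so the
		// prefix that ends up in policy is the canonical network address.
		{input: "192.0.2.3/24", want: "192.0.2.0/24"},
		{input: "192.0.2.0/24", want: "192.0.2.0/24"},
		{input: "::/0", want: "::/0"},
		{input: "fdff::ff", want: "fdff::ff/128"},
	}

	expected := make([]netip.Prefix, 0, len(cases))
	inputs := make([]api.CIDR, 0, len(cases))
	for _, tc := range cases {
		expected = append(expected, netip.MustParsePrefix(tc.want))
		inputs = append(inputs, tc.input)
	}

	result := getPrefixesFromCIDR(inputs)
	require.EqualValues(t, expected, result)
}

// TestGetCIDRPrefixes checks that GetCIDRPrefixes collects every CIDR named in
// a rule set, first for plain FromCIDR/ToCIDR entries and then for CIDR sets
// that carry ExceptCIDRs.
func TestGetCIDRPrefixes(t *testing.T) {
	rules := api.Rules{
		&api.Rule{
			EndpointSelector: api.NewESFromLabels(labels.ParseSelectLabel("bar")),
			Ingress: []api.IngressRule{
				{
					IngressCommonRule: api.IngressCommonRule{
						FromCIDR: []api.CIDR{
							"192.0.2.0/24",
						},
					},
				},
			},
			Egress: []api.EgressRule{
				{
					EgressCommonRule: api.EgressCommonRule{
						ToCIDR: []api.CIDR{
							"192.0.2.0/24",
							"192.0.3.0/24",
						},
					},
				},
			},
		},
	}

	// We have three CIDR instances in the ruleset; check that all exist.
	// The prefix shared by ingress and egress is expected twice, i.e. the
	// result is not de-duplicated.
	expectedCIDRStrings := []string{
		"192.0.2.0/24",
		"192.0.2.0/24",
		"192.0.3.0/24",
	}
	expectedCIDRs := make([]netip.Prefix, 0, len(expectedCIDRStrings))
	for _, ipStr := range expectedCIDRStrings {
		expectedCIDRs = append(expectedCIDRs, netip.MustParsePrefix(ipStr))
	}
	require.EqualValues(t, expectedCIDRs, GetCIDRPrefixes(rules))

	// Now, test with CIDRSets.
	rules = api.Rules{
		&api.Rule{
			EndpointSelector: api.NewESFromLabels(labels.ParseSelectLabel("bar")),
			Ingress: []api.IngressRule{
				{
					IngressCommonRule: api.IngressCommonRule{
						FromCIDRSet: []api.CIDRRule{
							{
								Cidr:        "192.0.2.0/24",
								ExceptCIDRs: []api.CIDR{"192.0.2.128/25"},
							},
						},
					},
				},
			},
			Egress: []api.EgressRule{
				{
					EgressCommonRule: api.EgressCommonRule{
						ToCIDRSet: []api.CIDRRule{
							{
								Cidr:        "10.0.0.0/8",
								ExceptCIDRs: []api.CIDR{"10.0.0.0/16"},
							},
						},
					},
				},
			},
		},
	}

	// Once the exceptions are applied, this is the list of CIDRs.
	expectedCIDRStrings = []string{
		"192.0.2.0/25",
		// Not "192.0.2.128/25",
		"10.128.0.0/9",
		"10.64.0.0/10",
		"10.32.0.0/11",
		"10.16.0.0/12",
		"10.8.0.0/13",
		"10.4.0.0/14",
		"10.2.0.0/15",
		"10.1.0.0/16",
		// Not "10.0.0.0/16",
	}
	expectedCIDRs = make([]netip.Prefix, 0, len(expectedCIDRStrings))
	for _, ipStr := range expectedCIDRStrings {
		expectedCIDRs = append(expectedCIDRs, netip.MustParsePrefix(ipStr))
	}
	got := GetCIDRPrefixes(rules)
	require.EqualValues(t, expectedCIDRs, got)

	// State the security property explicitly instead of leaving it implied by
	// the list above: no returned prefix may cover any address inside an
	// ExceptCIDRs range. Checking every prefix against both exceptions is
	// valid for this fixture because the two rules use disjoint parent ranges.
	excluded := []netip.Prefix{
		netip.MustParsePrefix("192.0.2.128/25"),
		netip.MustParsePrefix("10.0.0.0/16"),
	}
	for _, prefix := range got {
		for _, except := range excluded {
			require.Falsef(t, prefix.Overlaps(except),
				"prefix %s overlaps excepted range %s", prefix, except)
		}
	}
}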