Filter interfaces by their associated IPs (#111)
* ip interface filter implementation * add ipv6 ip interface filter test cases * updated comments and docs * modify logic to allow subnets for InterfaceIPs and updated docs and tests to reflect it * go mod tidy and go mod vendor * update packets agent to use new interface filter interface * added error if both INTERFACES/EXCLUDE_INTERFACES and INTERFACE_IPS are specified * allow INTERFACE_IPS to be used for the packet agent * factor out IPsFromInterface function since we have it duplicated in two places now
Showing
9 changed files
with
233 additions
and
44 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,43 +1,109 @@ | ||
package agent | ||
|
||
import ( | ||
"net/netip" | ||
"testing" | ||
|
||
"github.com/stretchr/testify/assert" | ||
"github.com/stretchr/testify/require" | ||
) | ||
|
||
func TestInterfaces_DefaultConfig(t *testing.T) { | ||
ifaces, err := initInterfaceFilter(nil, []string{"lo"}) | ||
ifaces, err := initRegexpInterfaceFilter(nil, []string{"lo"}) | ||
require.NoError(t, err) | ||
|
||
assert.True(t, ifaces.Allowed("eth0")) | ||
assert.True(t, ifaces.Allowed("br-0")) | ||
assert.False(t, ifaces.Allowed("lo")) | ||
// Allowed | ||
for _, iface := range []string{"eth0", "br-0"} { | ||
iface := iface | ||
allowed, err := ifaces.Allowed(iface) | ||
require.NoError(t, err) | ||
assert.True(t, allowed) | ||
} | ||
|
||
// Not Allowed | ||
allowed, err := ifaces.Allowed("lo") | ||
require.NoError(t, err) | ||
assert.False(t, allowed) | ||
} | ||
|
||
func TestInterfaceFilter_SelectingInterfaces_DefaultExclusion(t *testing.T) { | ||
ifaces, err := initInterfaceFilter([]string{"eth0", "/^br-/"}, []string{"lo"}) | ||
ifaces, err := initRegexpInterfaceFilter([]string{"eth0", "/^br-/"}, []string{"lo"}) | ||
require.NoError(t, err) | ||
|
||
assert.True(t, ifaces.Allowed("eth0")) | ||
assert.True(t, ifaces.Allowed("br-0")) | ||
assert.False(t, ifaces.Allowed("eth01")) | ||
assert.False(t, ifaces.Allowed("abr-3")) | ||
assert.False(t, ifaces.Allowed("lo")) | ||
// Allowed | ||
for _, iface := range []string{"eth0", "br-0"} { | ||
iface := iface | ||
allowed, err := ifaces.Allowed(iface) | ||
require.NoError(t, err) | ||
assert.True(t, allowed) | ||
} | ||
// Not Allowed | ||
for _, iface := range []string{"eth01", "abr-3", "lo"} { | ||
iface := iface | ||
allowed, err := ifaces.Allowed(iface) | ||
require.NoError(t, err) | ||
assert.False(t, allowed) | ||
} | ||
} | ||
|
||
func TestInterfaceFilter_ExclusionTakesPriority(t *testing.T) { | ||
ifaces, err := initRegexpInterfaceFilter([]string{"/^eth/", "/^br-/"}, []string{"eth1", "/^br-1/"}) | ||
require.NoError(t, err) | ||
|
||
// Allowed | ||
for _, iface := range []string{"eth0", "eth-10", "eth11", "br-2", "br-0"} { | ||
iface := iface | ||
allowed, err := ifaces.Allowed(iface) | ||
require.NoError(t, err) | ||
assert.True(t, allowed) | ||
} | ||
// Not Allowed | ||
for _, iface := range []string{"eth1", "br-1", "br-10"} { | ||
iface := iface | ||
allowed, err := ifaces.Allowed(iface) | ||
require.NoError(t, err) | ||
assert.False(t, allowed) | ||
} | ||
} | ||
|
||
func TestInterfaceFilter_InterfaceIPs(t *testing.T) { | ||
mockIPByIface := func(iface string) ([]netip.Addr, error) { | ||
switch iface { | ||
case "eth0": | ||
return []netip.Addr{netip.MustParsePrefix("198.51.100.1/24").Addr()}, nil | ||
|
||
case "eth1": | ||
return []netip.Addr{netip.MustParsePrefix("198.51.100.2/24").Addr()}, nil | ||
|
||
case "eth2": | ||
return []netip.Addr{netip.MustParsePrefix("2001:db8::1/32").Addr(), netip.MustParsePrefix("198.51.100.3/24").Addr()}, nil | ||
|
||
case "eth3": | ||
return []netip.Addr{netip.MustParsePrefix("2001:db8::2/32").Addr()}, nil | ||
|
||
case "eth4": | ||
return []netip.Addr{netip.MustParsePrefix("192.0.2.120/24").Addr()}, nil | ||
|
||
default: | ||
panic("unexpected interface name") | ||
} | ||
} | ||
|
||
ifaces, err := initInterfaceFilter([]string{"/^eth/", "/^br-/"}, []string{"eth1", "/^br-1/"}) | ||
ifaces, err := initIPInterfaceFilter([]string{"198.51.100.1/32", "2001:db8::1/128", "192.0.2.0/24"}, mockIPByIface) | ||
require.NoError(t, err) | ||
|
||
assert.True(t, ifaces.Allowed("eth0")) | ||
assert.True(t, ifaces.Allowed("eth10")) | ||
assert.True(t, ifaces.Allowed("eth11")) | ||
assert.True(t, ifaces.Allowed("br-2")) | ||
assert.True(t, ifaces.Allowed("br-0")) | ||
assert.False(t, ifaces.Allowed("eth1")) | ||
assert.False(t, ifaces.Allowed("br-1")) | ||
assert.False(t, ifaces.Allowed("br-10")) | ||
// Allowed | ||
for _, iface := range []string{"eth0", "eth2", "eth4"} { | ||
iface := iface | ||
allowed, err := ifaces.Allowed(iface) | ||
require.NoError(t, err) | ||
assert.True(t, allowed) | ||
} | ||
// Not Allowed | ||
for _, iface := range []string{"eth1", "eth3"} { | ||
iface := iface | ||
allowed, err := ifaces.Allowed(iface) | ||
require.NoError(t, err) | ||
assert.False(t, allowed) | ||
} | ||
} |
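Review bot: TestInterfaceFilter_InterfaceIPs only exercises address lookups that succeed, so the error that `Allowed` can now return is never driven to a non-nil value; the mock panics on an unknown name instead of returning an error. This filter decides which interfaces the agent reads traffic from, so it is worth pinning that a failed lookup and an interface with no addresses are both rejected: add `case "eth5": return nil, errors.New("lookup failed")` and `case "eth6": return nil, nil` to the mock (constructed names, needs the `errors` import), then expect `require.Error(t, err)` for the first and `assert.False(t, allowed)` for the second. That assumes the filter is meant to fail closed, which cannot be confirmed here because the implementation is not in this section. A case that passes a malformed entry to `initIPInterfaceFilter` and expects an error would cover the constructor's input validation in the same way. The `iface := iface` copies in the loops can be dropped, since nothing in the loop bodies captures the variable.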