tun tester more useful

This commit is contained in:
JackDoan
2026-02-17 15:16:36 -06:00
parent 37abdd7f96
commit 92ee45ed13
4 changed files with 29 additions and 27 deletions


@@ -1047,53 +1047,53 @@ func TestNewFirewallFromConfig(t *testing.T) {
conf := config.NewC(l)
conf.Settings["firewall"] = map[string]any{"outbound": "asdf"}
_, err = NewFirewallFromConfig(l, cs, conf, netip.Addr{})
_, err = NewFirewallFromConfig(l, cs, conf)
require.EqualError(t, err, "firewall.outbound failed to parse, should be an array of rules")
// Test both port and code
conf = config.NewC(l)
conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{"port": "1", "code": "2"}}}
_, err = NewFirewallFromConfig(l, cs, conf, netip.Addr{})
_, err = NewFirewallFromConfig(l, cs, conf)
require.EqualError(t, err, "firewall.outbound rule #0; only one of port or code should be provided")
// Test missing host, group, cidr, ca_name and ca_sha
conf = config.NewC(l)
conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{}}}
_, err = NewFirewallFromConfig(l, cs, conf, netip.Addr{})
_, err = NewFirewallFromConfig(l, cs, conf)
require.EqualError(t, err, "firewall.outbound rule #0; at least one of host, group, cidr, local_cidr, ca_name, or ca_sha must be provided")
// Test code/port error
conf = config.NewC(l)
conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{"code": "a", "host": "testh", "proto": "any"}}}
_, err = NewFirewallFromConfig(l, cs, conf, netip.Addr{})
_, err = NewFirewallFromConfig(l, cs, conf)
require.EqualError(t, err, "firewall.outbound rule #0; code was not a number; `a`")
conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{"port": "a", "host": "testh", "proto": "any"}}}
_, err = NewFirewallFromConfig(l, cs, conf, netip.Addr{})
_, err = NewFirewallFromConfig(l, cs, conf)
require.EqualError(t, err, "firewall.outbound rule #0; port was not a number; `a`")
// Test proto error
conf = config.NewC(l)
conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{"code": "1", "host": "testh"}}}
_, err = NewFirewallFromConfig(l, cs, conf, netip.Addr{})
_, err = NewFirewallFromConfig(l, cs, conf)
require.EqualError(t, err, "firewall.outbound rule #0; proto was not understood; ``")
// Test cidr parse error
conf = config.NewC(l)
conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{"code": "1", "cidr": "testh", "proto": "any"}}}
_, err = NewFirewallFromConfig(l, cs, conf, netip.Addr{})
_, err = NewFirewallFromConfig(l, cs, conf)
require.EqualError(t, err, "firewall.outbound rule #0; cidr did not parse; netip.ParsePrefix(\"testh\"): no '/'")
// Test local_cidr parse error
conf = config.NewC(l)
conf.Settings["firewall"] = map[string]any{"outbound": []any{map[string]any{"code": "1", "local_cidr": "testh", "proto": "any"}}}
_, err = NewFirewallFromConfig(l, cs, conf, netip.Addr{})
_, err = NewFirewallFromConfig(l, cs, conf)
require.EqualError(t, err, "firewall.outbound rule #0; local_cidr did not parse; netip.ParsePrefix(\"testh\"): no '/'")
// Test both group and groups
conf = config.NewC(l)
conf.Settings["firewall"] = map[string]any{"inbound": []any{map[string]any{"port": "1", "proto": "any", "group": "a", "groups": []string{"b", "c"}}}}
_, err = NewFirewallFromConfig(l, cs, conf, netip.Addr{})
_, err = NewFirewallFromConfig(l, cs, conf)
require.EqualError(t, err, "firewall.inbound rule #0; only one of group or groups should be defined, both provided")
}


@@ -449,12 +449,13 @@ func (t *tun) Activate() error {
}
//todo hmmmmmm
if len(t.unsafeNetworks) != 0 {
err = os.WriteFile(fmt.Sprintf("/proc/sys/net/ipv4/conf/%s/accept_local", t.Device), []byte("1"), os.FileMode(0o644))
if err != nil {
return err
}
}
//pretty sure this is avoidable
//if len(t.unsafeNetworks) != 0 {
// err = os.WriteFile(fmt.Sprintf("/proc/sys/net/ipv4/conf/%s/accept_local", t.Device), []byte("1"), os.FileMode(0o644))
// if err != nil {
// return err
// }
//}
return nil
}
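Review bot: The accept_local block is commented out rather than deleted, and the only justification left behind is `//pretty sure this is avoidable`, so the next reader cannot tell whether the sysctl write was removed on purpose or by guess; either drop the dead block or replace it with a comment that states the reason, e.g. `// accept_local is not needed for unsafe_networks: <reason to be confirmed>`. This is worth confirming rather than guessing: accept_local loosens the kernel's handling of packets that arrive with a local source address, so leaving it off is the more conservative setting, but if any unsafe_networks path relied on it that traffic will now be dropped by the kernel rather than failing at Activate. The `//todo hmmmmmm` context line just above should be resolved or expanded in the same pass. Activate's body starts before this hunk.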


@@ -20,6 +20,7 @@ type TestTun struct {
Device string
vpnNetworks []netip.Prefix
unsafeNetworks []netip.Prefix
snatAddr netip.Prefix
Routes []Route
routeTree *bart.Table[routing.Gateways]
l *logrus.Logger
@@ -39,7 +40,7 @@ func newTun(c *config.C, l *logrus.Logger, vpnNetworks []netip.Prefix, unsafeNet
return nil, err
}
return &TestTun{
tt := &TestTun{
Device: c.GetString("tun.dev", ""),
vpnNetworks: vpnNetworks,
unsafeNetworks: unsafeNetworks,
@@ -48,7 +49,9 @@ func newTun(c *config.C, l *logrus.Logger, vpnNetworks []netip.Prefix, unsafeNet
l: l,
rxPackets: make(chan []byte, 10),
TxPackets: make(chan []byte, 10),
}, nil
}
tt.snatAddr = prepareSnatAddr(tt, l, c, routes)
return tt, nil
}
func newTunFromFd(_ *config.C, _ *logrus.Logger, _ int, _ []netip.Prefix, _ []netip.Prefix) (*TestTun, error) {
@@ -142,10 +145,10 @@ func (t *TestTun) NewMultiQueueReader() (io.ReadWriteCloser, error) {
return nil, fmt.Errorf("TODO: multiqueue not implemented")
}
func (t *tun) UnsafeNetworks() []netip.Prefix {
return t.UnsafeNetworks()
func (t *TestTun) UnsafeNetworks() []netip.Prefix {
return t.unsafeNetworks
}
func (t *tun) SNATAddress() netip.Prefix {
return netip.Prefix{}
func (t *TestTun) SNATAddress() netip.Prefix {
return t.snatAddr
}
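Review bot: `tt.snatAddr = prepareSnatAddr(tt, l, c, routes)` in the newTun hunk at @@ -48 has no way to surface a failure: prepareSnatAddr returns only a prefix, so if it cannot derive a SNAT address from the config it presumably reports through `l` and the test tun carries on with a zero netip.Prefix, which would let a test pass a stage that should have been a configuration error; worth confirming that is the intended behaviour for the test double. The new `snatAddr` field and the rewritten `SNATAddress` method carry no comment; suggest `// snatAddr is the prefix reported by SNATAddress; set by prepareSnatAddr in newTun.` on the field. newTun's body starts before its hunks, so the route parsing that produces the `routes` value passed here is not visible, and the `}, nil` → `tt` restructuring is split across the hunks at @@ -39 and @@ -48.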


@@ -10,14 +10,12 @@ import (
type NoopTun struct{}
func (NoopTun) Routes() []Route {
//TODO implement me
panic("implement me")
func (NoopTun) UnsafeNetworks() []netip.Prefix {
return nil
}
func (NoopTun) UnsafeNetworks() []netip.Prefix {
//TODO implement me
panic("implement me")
func (NoopTun) SNATAddress() netip.Prefix {
return netip.Prefix{}
}
func (NoopTun) RoutesFor(addr netip.Addr) routing.Gateways {
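Review bot: The two new NoopTun methods have no doc comment, and the move from `panic("implement me")` to a quiet `nil` / zero `netip.Prefix` changes what a caller observes: code that previously failed loudly on a NoopTun now receives an invalid prefix from SNATAddress, so consumers should treat a prefix that fails `IsValid()` as "no SNAT" rather than use it. Suggest `// UnsafeNetworks returns nil: NoopTun advertises no unsafe routes.` and `// SNATAddress returns the zero netip.Prefix: NoopTun performs no SNAT, so callers must check IsValid().` This hunk also appears to drop NoopTun's Routes method; if the interface NoopTun is meant to satisfy still lists Routes, a compile-time check such as `var _ <tun interface name> = NoopTun{}` next to the type would catch the mismatch. The hunk starts inside the import block, and RoutesFor on its last line continues past it.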