JackDoan
2026-03-04 13:11:23 -06:00
parent 2e50518066
commit a2c2235b9b
3 changed files with 10 additions and 10 deletions


@@ -566,7 +566,7 @@ func (f *Firewall) identifyRemoteNetworkType(h *HostInfo, fp firewall.Packet) Ne
//RemoteAddr not in our networks table
if f.snatAddr.IsValid() && fp.IsIPv4() && h.HasOnlyV6Addresses() {
return NetworkTypeUncheckedSNATPeer
return NetworkTypeUnverifiedSNATPeer
} else {
return NetworkTypeInvalidPeer
}
@@ -583,7 +583,7 @@ func (f *Firewall) allowRemoteNetworkType(nwType NetworkType, fp firewall.Packet
return ErrPeerRejected // reject for now, one day this may have different FW rules
case NetworkTypeUnsafe:
return nil // nothing special, one day this may have different FW rules
case NetworkTypeUncheckedSNATPeer:
case NetworkTypeUnverifiedSNATPeer:
if f.unsafeIPv4Origin.IsValid() && fp.LocalAddr == f.unsafeIPv4Origin {
return nil //the client case
}
@@ -668,7 +668,7 @@ func (f *Firewall) Drop(fp firewall.Packet, pkt []byte, incoming bool, h *HostIn
// We always want to conntrack since it is a faster operation
c = f.addConn(fp, incoming)
if incoming && remoteNetworkType == NetworkTypeUncheckedSNATPeer {
if incoming && remoteNetworkType == NetworkTypeUnverifiedSNATPeer {
return f.applySnat(pkt, &fp, c, h)
} else {
//outgoing snat is handled before this function is called


@@ -224,8 +224,8 @@ const (
NetworkTypeVPNPeer
// NetworkTypeUnsafe is a network from Certificate.UnsafeNetworks()
NetworkTypeUnsafe
// NetworkTypeUncheckedSNATPeer is used to indicate traffic we're willing to route, but never deliver to a NetworkTypeVPN
NetworkTypeUncheckedSNATPeer
// NetworkTypeUnverifiedSNATPeer is used to indicate traffic we're willing to route, but never deliver to a NetworkTypeVPN
NetworkTypeUnverifiedSNATPeer
NetworkTypeInvalidPeer
)


@@ -335,7 +335,7 @@ func TestFirewall_IdentifyNetworkType_SNATPeer(t *testing.T) {
RemoteAddr: netip.MustParseAddr("10.0.0.1"),
LocalAddr: netip.MustParseAddr("192.168.1.1"),
}
assert.Equal(t, NetworkTypeUncheckedSNATPeer, fw.identifyRemoteNetworkType(h, fp))
assert.Equal(t, NetworkTypeUnverifiedSNATPeer, fw.identifyRemoteNetworkType(h, fp))
})
t.Run("v4 packet from v4 host is not snat peer", func(t *testing.T) {
@@ -373,12 +373,12 @@ func TestFirewall_AllowNetworkType_SNAT(t *testing.T) {
//todo fix!
//t.Run("snat peer allowed with snat addr", func(t *testing.T) {
// fw := &Firewall{snatAddr: netip.MustParseAddr("169.254.55.96")}
// assert.NoError(t, fw.allowRemoteNetworkType(NetworkTypeUncheckedSNATPeer, fp))
// assert.NoError(t, fw.allowRemoteNetworkType(NetworkTypeUnverifiedSNATPeer, fp))
//})
//
//t.Run("snat peer rejected without snat addr", func(t *testing.T) {
// fw := &Firewall{}
// assert.ErrorIs(t, fw.allowRemoteNetworkType(NetworkTypeUncheckedSNATPeer, fp), ErrInvalidRemoteIP)
// assert.ErrorIs(t, fw.allowRemoteNetworkType(NetworkTypeUnverifiedSNATPeer, fp), ErrInvalidRemoteIP)
//})
t.Run("vpn always allowed", func(t *testing.T) {
@@ -1291,7 +1291,7 @@ func TestFirewall_Drop_IPv4HostNotSNATted(t *testing.T) {
}
nwType := fw.identifyRemoteNetworkType(h, fp)
assert.Equal(t, NetworkTypeVPN, nwType, "v4 peer using its own VPN addr should be NetworkTypeVPN")
assert.NotEqual(t, NetworkTypeUncheckedSNATPeer, nwType, "must NOT be classified as SNAT peer")
assert.NotEqual(t, NetworkTypeUnverifiedSNATPeer, nwType, "must NOT be classified as SNAT peer")
})
t.Run("identifyRemoteNetworkType v4 peer with mismatched source", func(t *testing.T) {
@@ -1305,6 +1305,6 @@ func TestFirewall_Drop_IPv4HostNotSNATted(t *testing.T) {
}
nwType := fw.identifyRemoteNetworkType(h, fp)
assert.Equal(t, NetworkTypeInvalidPeer, nwType, "v4 peer with mismatched source should be InvalidPeer")
assert.NotEqual(t, NetworkTypeUncheckedSNATPeer, nwType, "must NOT be classified as SNAT peer")
assert.NotEqual(t, NetworkTypeUnverifiedSNATPeer, nwType, "must NOT be classified as SNAT peer")
})
}