package net
import (
"context"
"fmt"
"net"
"strings"
"testing"
"time"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/cortexproject/cortex/pkg/util/flagext"
)
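// TestFirewallDialer checks the decision made by the dialer returned from
// NewFirewallDialer for three configurations: no blocking at all, blocking
// of private address space, and blocking of an explicit CIDR list. Every
// address is dialed on port 80; the only thing under test is whether the
// firewall's own error (errBlockedAddress) is returned.
//
// Addresses that must be blocked are required to fail with errBlockedAddress.
// Addresses that must pass are only required to not fail with that error: the
// dial may still fail for unrelated reasons (no egress in CI, connection
// refused, the 100ms timeout), so the test does not depend on connectivity.
//
// IPv4-mapped IPv6 literals (::ffff:a.b.c.d) are a classic way to slip past a
// check that only looks at the dotted-quad form, so both the private-address
// and the custom-CIDR configurations are exercised with them.
func TestFirewallDialer(t *testing.T) {
	blockedCIDR := flagext.CIDR{}
	require.NoError(t, blockedCIDR.Set("172.217.168.64/28"))

	type testCase struct {
		address       string
		expectBlocked bool
	}

	tests := map[string]struct {
		cfg   FirewallDialerConfigProvider
		cases []testCase
	}{
		"should not block traffic with no block config": {
			cfg: firewallCfgProvider{},
			cases: []testCase{
				{"localhost", false},
				{"127.0.0.1", false},
				{"google.com", false},
				{"172.217.168.78", false},
			},
		},
		"should support blocking private addresses": {
			cfg: firewallCfgProvider{
				blockPrivateAddresses: true,
			},
			cases: []testCase{
				{"localhost", true},
				{"127.0.0.1", true},
				{"192.168.0.1", true},
				{"10.0.0.1", true},
				{"google.com", false},
				{"172.217.168.78", false},
				{"fdf8:f53b:82e4::53", true},        // Local
				{"fe80::200:5aee:feaa:20a2", true},  // Link-local
				{"2001:4860:4860::8844", false},     // Google DNS
				{"::ffff:172.217.168.78", false},    // IPv6 mapped v4 non-private
				{"::ffff:192.168.0.1", true},        // IPv6 mapped v4 private
			},
		},
		"should support blocking custom CIDRs": {
			cfg: firewallCfgProvider{
				blockCIDRNetworks: []flagext.CIDR{blockedCIDR},
			},
			cases: []testCase{
				{"localhost", false},
				{"127.0.0.1", false},
				{"192.168.0.1", false},
				{"10.0.0.1", false},
				{"172.217.168.78", true},
				{"fdf8:f53b:82e4::53", false},       // Local
				{"fe80::200:5aee:feaa:20a2", false}, // Link-local
				{"2001:4860:4860::8844", false},     // Google DNS
				{"::ffff:10.0.0.1", false},          // IPv6 mapped v4 non-blocked
				{"::ffff:172.217.168.78", true},     // IPv6 mapped v4 blocked
			},
		},
	}

	for testName, testData := range tests {
		t.Run(testName, func(t *testing.T) {
			d := NewFirewallDialer(testData.cfg)

			for _, tc := range testData.cases {
				t.Run(fmt.Sprintf("address: %s", tc.address), func(t *testing.T) {
					// A short timeout keeps the "not blocked" cases fast when the
					// environment has no route to the public addresses above.
					ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
					defer cancel()

					// Bracketing the host keeps the literal valid for hostnames,
					// IPv4 and IPv6 alike.
					conn, err := d.DialContext(ctx, "tcp", fmt.Sprintf("[%s]:80", tc.address))
					if conn != nil {
						require.NoError(t, conn.Close())
					}

					if tc.expectBlocked {
						// require rather than assert: if the firewall let the dial
						// through, err is nil and the err.Error() below would panic,
						// turning a clear test failure into a nil dereference.
						require.Error(t, err, "address %s was not blocked", tc.address)
						assert.Contains(t, err.Error(), errBlockedAddress.Error())
						return
					}

					// Success or an unrelated error (eg. connection refused, timeout)
					// are both fine here; only the firewall's own error is a failure.
					if err != nil {
						assert.False(t, strings.Contains(err.Error(), errBlockedAddress.Error()),
							"address %s was unexpectedly blocked: %v", tc.address, err)
					}
				})
			}
		})
	}
}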
// TestIsPrivate pins the ranges isPrivate reports as private: the RFC 1918
// IPv4 blocks (10/8, 172.16/12, 192.168/16) and the RFC 4193 IPv6 unique-local
// block (fc00::/7). Each boundary is probed from both sides, and a nil IP is
// expected to be reported as not private.
//
// NOTE(review): loopback and link-local space (127/8, ::1, 169.254/16,
// fe80::/10) are not in this table, and the fe00::/8 row is expected to be
// false. TestFirewallDialer nevertheless expects localhost and an fe80::
// address to be blocked when private addresses are blocked, so the dialer
// presumably checks those ranges through a separate predicate — confirm
// against the dialer implementation. The cloud metadata address
// 169.254.169.254, a common SSRF target, is not covered by either test.
func TestIsPrivate(t *testing.T) {
	// padded builds a 16-byte IPv6 address from its leading bytes, zero-filled.
	padded := func(lead ...byte) net.IP {
		ip := make(net.IP, net.IPv6len)
		copy(ip, lead)
		return ip
	}
	// allOnesAfter builds a 16-byte IPv6 address whose first byte is `first`
	// and whose remaining bytes are all 0xff (the top of a /8).
	allOnesAfter := func(first byte) net.IP {
		ip := make(net.IP, net.IPv6len)
		for i := range ip {
			ip[i] = 0xff
		}
		ip[0] = first
		return ip
	}

	cases := []struct {
		ip   net.IP
		want bool
	}{
		// Nil / non-address input.
		{nil, false},
		// Public IPv4.
		{net.IPv4(1, 1, 1, 1), false},
		// 10.0.0.0/8 boundaries.
		{net.IPv4(9, 255, 255, 255), false},
		{net.IPv4(10, 0, 0, 0), true},
		{net.IPv4(10, 255, 255, 255), true},
		{net.IPv4(11, 0, 0, 0), false},
		// 172.16.0.0/12 boundaries.
		{net.IPv4(172, 15, 255, 255), false},
		{net.IPv4(172, 16, 0, 0), true},
		{net.IPv4(172, 16, 255, 255), true},
		{net.IPv4(172, 23, 18, 255), true},
		{net.IPv4(172, 31, 255, 255), true},
		{net.IPv4(172, 31, 0, 0), true},
		{net.IPv4(172, 32, 0, 0), false},
		// 192.168.0.0/16 boundaries.
		{net.IPv4(192, 167, 255, 255), false},
		{net.IPv4(192, 168, 0, 0), true},
		{net.IPv4(192, 168, 255, 255), true},
		{net.IPv4(192, 169, 0, 0), false},
		// fc00::/7 boundaries (fb.. below, fc.. and fd.. inside, fe.. above).
		{padded(0xfc), true},
		{padded(0xfc, 0xff, 0x12, 0, 0, 0, 0, 0x44), true},
		{allOnesAfter(0xfb), false},
		{allOnesAfter(0xfd), true},
		{padded(0xfe), false},
	}

	for _, tc := range cases {
		got := isPrivate(tc.ip)
		assert.Equalf(t, tc.want, got, "ip: %s", tc.ip.String())
	}
}
// firewallCfgProvider is the test double for FirewallDialerConfigProvider:
// a plain value carrying the two settings the dialer reads, with no other
// behavior. The zero value means "block nothing".
type firewallCfgProvider struct {
	blockPrivateAddresses bool
	blockCIDRNetworks     []flagext.CIDR
}

// BlockPrivateAddresses reports whether the dialer should refuse private
// address space (see TestFirewallDialer for the ranges that implies).
func (c firewallCfgProvider) BlockPrivateAddresses() bool {
	return c.blockPrivateAddresses
}

// BlockCIDRNetworks returns the explicitly configured networks the dialer
// should refuse; nil when none were set.
func (c firewallCfgProvider) BlockCIDRNetworks() []flagext.CIDR {
	return c.blockCIDRNetworks
}