Fix IPv6 in ACLs

Viacheslav Sychov 2023-05-20 11:53:01 +02:00 committed by Kristoffer Dalby
parent 725bbd7408
commit c72401a99b
3 changed files with 63 additions and 1 deletions


@ -385,7 +385,13 @@ func (pol *ACLPolicy) getNetPortRangeFromDestination(
maybeIPv6Str := strings.TrimSuffix(dest, ":"+port) maybeIPv6Str := strings.TrimSuffix(dest, ":"+port)
log.Trace().Str("maybeIPv6Str", maybeIPv6Str).Msg("") log.Trace().Str("maybeIPv6Str", maybeIPv6Str).Msg("")
if maybeIPv6, err := netip.ParseAddr(maybeIPv6Str); err != nil && !maybeIPv6.Is6() { filteredMaybeIPv6Str := maybeIPv6Str
if strings.Contains(maybeIPv6Str, "/") {
networkParts := strings.Split(maybeIPv6Str, "/")
filteredMaybeIPv6Str = networkParts[0]
}
if maybeIPv6, err := netip.ParseAddr(filteredMaybeIPv6Str); err != nil && !maybeIPv6.Is6() {
log.Trace().Err(err).Msg("trying to parse as IPv6") log.Trace().Err(err).Msg("trying to parse as IPv6")
return nil, fmt.Errorf( return nil, fmt.Errorf(
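Review bot: The `/` branch at `filteredMaybeIPv6Str = networkParts[0]` discards the prefix length before `netip.ParseAddr`, so this guard validates only the address half of a CIDR destination and lets a malformed mask such as `::/200:22` or `fd7a::/abc:22` through; whether a later expansion step rejects it is not visible in this hunk. Parsing the whole token with `netip.ParsePrefix` when it contains `/` (and `netip.ParseAddr` otherwise) keeps the validation complete and removes the `strings.Split` indexing. The pre-existing `&& !maybeIPv6.Is6()` clause never changes the outcome — on error the zero `Addr` is not IPv6, and on success the conjunction is already false — so it can go with the rewrite. getNetPortRangeFromDestination starts and ends outside the hunk.
```go
// Validate the whole token: a CIDR destination must carry a well-formed
// prefix length, not just a parsable address in front of the "/".
var parseErr error
if strings.Contains(maybeIPv6Str, "/") {
	_, parseErr = netip.ParsePrefix(maybeIPv6Str)
} else {
	_, parseErr = netip.ParseAddr(maybeIPv6Str)
}
if parseErr != nil {
	log.Trace().Err(parseErr).Msg("trying to parse as IPv6")
	// … unchanged: return nil, fmt.Errorf( …
```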


@ -439,6 +439,44 @@ acls:
c.Assert(rules[0].SrcIPs[0], check.Equals, "0.0.0.0/0") c.Assert(rules[0].SrcIPs[0], check.Equals, "0.0.0.0/0")
} }
func (s *Suite) TestBasicIpv6YAML(c *check.C) {
acl := []byte(`
---
hosts:
host-1: 100.100.100.100/32
subnet-1: 100.100.101.100/24
acls:
- action: accept
src:
- "*"
dst:
- 0.0.0.0/0:*
- ::/0:*
- fd7a:115c:a1e0::2:22
`)
pol, err := LoadACLPolicyFromBytes(acl, "yaml")
c.Assert(err, check.IsNil)
c.Assert(pol, check.NotNil)
rules, err := pol.generateFilterRules(types.Machines{}, false)
c.Assert(err, check.IsNil)
c.Assert(rules, check.NotNil)
c.Assert(rules, check.HasLen, 1)
c.Assert(rules[0].DstPorts, check.HasLen, 3)
c.Assert(rules[0].DstPorts[0].IP, check.Equals, "0.0.0.0/0")
c.Assert(rules[0].DstPorts[0].Ports.First, check.Equals, uint16(0))
c.Assert(rules[0].DstPorts[0].Ports.Last, check.Equals, uint16(65535))
c.Assert(rules[0].DstPorts[1].IP, check.Equals, "::/0")
c.Assert(rules[0].DstPorts[1].Ports.First, check.Equals, uint16(0))
c.Assert(rules[0].DstPorts[1].Ports.Last, check.Equals, uint16(65535))
c.Assert(rules[0].DstPorts[2].IP, check.Equals, "fd7a:115c:a1e0::2/128")
c.Assert(rules[0].DstPorts[2].Ports.First, check.Equals, uint16(22))
c.Assert(rules[0].DstPorts[2].Ports.Last, check.Equals, uint16(22))
c.Assert(rules[0].SrcIPs, check.HasLen, 2)
c.Assert(rules[0].SrcIPs[0], check.Equals, "0.0.0.0/0")
}
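Review bot: The assertions after `c.Assert(rules[0].SrcIPs, check.HasLen, 2)` check only `SrcIPs[0]`, leaving the second source — presumably the IPv6 wildcard this fix is about — unasserted; add `c.Assert(rules[0].SrcIPs[1], check.Equals, "::/0")` so a regression in the `*` expansion is caught. The new `/` handling is exercised only through `::/0:*`; a non-zero prefix length with a port, e.g. `- fd7a:115c:a1e0::/48:22` asserted with `c.Assert(rules[0].DstPorts[3].IP, check.Equals, "fd7a:115c:a1e0::/48")` (and `HasLen, 4`), would cover the path where the mask actually matters. The `hosts` entries in the fixture are not referenced by the ACL's src or dst and could be dropped to keep the test focused.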
func Test_expandGroup(t *testing.T) { func Test_expandGroup(t *testing.T) {
type field struct { type field struct {
pol ACLPolicy pol ACLPolicy


@ -237,6 +237,24 @@ func TestACLHostsInNetMapTable(t *testing.T) {
"user2": 3, // ns1 + ns2 (return path) "user2": 3, // ns1 + ns2 (return path)
}, },
}, },
"ipv6-acls-1470": {
users: map[string]int{
"user1": 2,
"user2": 2,
},
policy: policy.ACLPolicy{
ACLs: []policy.ACL{
{
Action: "accept",
Sources: []string{"*"},
Destinations: []string{"0.0.0.0/0:*", "::/0:*"},
},
},
}, want: map[string]int{
"user1": 3, // ns1 + ns2
"user2": 3, // ns2 + ns1
},
},
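Review bot: The new case key `"ipv6-acls-1470"` carries what looks like an issue number with no explanation; a comment next to it such as `// IPv6 wildcard destination alongside 0.0.0.0/0 (see #1470)` would tell a reader why `"::/0:*"` is in the Destinations and what the `want` counts are checking. The `}, want: map[string]int{` line fuses the close of the `policy` literal with the start of `want` — if that is how the source reads and not a rendering artifact, split it onto two lines like the surrounding cases. TestACLHostsInNetMapTable's table and its loop continue outside the hunk.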
} }
for name, testCase := range tests { for name, testCase := range tests {