[client] Add failing test for lazy-conn forward-target exclusion

toExcludedLazyPeers compares AllowedIPs (CIDR) against the unmasked
TranslatedAddress, so forward-target peers are never excluded. This test
asserts the peer is excluded and fails on the current behavior; the fix
follows.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
riccardom
2026-07-06 10:58:24 +02:00
parent c87089d09f
commit 460967d218

View File

@@ -0,0 +1,45 @@
package internal
import (
"net/netip"
"testing"
"github.com/stretchr/testify/require"
firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
mgmProto "github.com/netbirdio/netbird/shared/management/proto"
)
// TestToExcludedLazyPeers_ForwardTarget guards a regression: AllowedIPs arrive as
// CIDR (a peer's overlay IP is a /32), so comparing them for equality against
// ForwardRule.TranslatedAddress.String() (unmasked) never matched and the
// forward-target peer was never excluded from lazy connections.
func TestToExcludedLazyPeers_ForwardTarget(t *testing.T) {
e := &Engine{}
const targetPeerKey = "target-peer"
peers := []*mgmProto.RemotePeerConfig{
{WgPubKey: targetPeerKey, AllowedIps: []string{"100.110.8.145/32"}},
{WgPubKey: "other-peer", AllowedIps: []string{"100.110.9.10/32"}},
}
rules := []firewallManager.ForwardRule{
{TranslatedAddress: netip.MustParseAddr("100.110.8.145")},
}
excluded := e.toExcludedLazyPeers(rules, peers)
require.True(t, excluded[targetPeerKey], "forward-target peer must be excluded from lazy connections")
require.False(t, excluded["other-peer"], "non-target peer must not be excluded")
require.Len(t, excluded, 1)
}
func TestToExcludedLazyPeers_NoRules(t *testing.T) {
e := &Engine{}
peers := []*mgmProto.RemotePeerConfig{
{WgPubKey: "peer-a", AllowedIps: []string{"100.110.8.145/32"}},
}
excluded := e.toExcludedLazyPeers(nil, peers)
require.Empty(t, excluded)
}