Add test cases for port ranges in peer ACLs

2026-04-17 15:56:39 +00:00 · 2025-01-23 19:28:42 +01:00
parent da43d33540
commit e3d4f9819f
1 changed files with 54 additions and 19 deletions
--- a/client/firewall/uspfilter/uspfilter_filter_test.go
+++ b/client/firewall/uspfilter/uspfilter_filter_test.go
@@ -134,6 +134,60 @@ func TestPeerACLFiltering(t *testing.T) {
 			ruleAction:      fw.ActionAccept,
 			shouldBeBlocked: false,
 		},
+		{
+			name:            "Allow TCP traffic within port range",
+			srcIP:           "100.10.0.1",
+			dstIP:           "100.10.0.100",
+			proto:           fw.ProtocolTCP,
+			srcPort:         12345,
+			dstPort:         8080,
+			ruleIP:          "100.10.0.1",
+			ruleProto:       fw.ProtocolTCP,
+			ruleDstPort:     &fw.Port{IsRange: true, Values: []uint16{8000, 8100}},
+			ruleAction:      fw.ActionAccept,
+			shouldBeBlocked: false,
+		},
+		{
+			name:            "Block TCP traffic outside port range",
+			srcIP:           "100.10.0.1",
+			dstIP:           "100.10.0.100",
+			proto:           fw.ProtocolTCP,
+			srcPort:         12345,
+			dstPort:         7999,
+			ruleIP:          "100.10.0.1",
+			ruleProto:       fw.ProtocolTCP,
+			ruleDstPort:     &fw.Port{IsRange: true, Values: []uint16{8000, 8100}},
+			ruleAction:      fw.ActionAccept,
+			shouldBeBlocked: true,
+		},
+		{
+			name:            "Allow TCP traffic with source port range",
+			srcIP:           "100.10.0.1",
+			dstIP:           "100.10.0.100",
+			proto:           fw.ProtocolTCP,
+			srcPort:         32100,
+			dstPort:         443,
+			ruleIP:          "100.10.0.1",
+			ruleProto:       fw.ProtocolTCP,
+			ruleSrcPort:     &fw.Port{IsRange: true, Values: []uint16{32000, 33000}},
+			ruleDstPort:     &fw.Port{Values: []uint16{443}},
+			ruleAction:      fw.ActionAccept,
+			shouldBeBlocked: false,
+		},
+		{
+			name:            "Block TCP traffic outside source port range",
+			srcIP:           "100.10.0.1",
+			dstIP:           "100.10.0.100",
+			proto:           fw.ProtocolTCP,
+			srcPort:         31999,
+			dstPort:         443,
+			ruleIP:          "100.10.0.1",
+			ruleProto:       fw.ProtocolTCP,
+			ruleSrcPort:     &fw.Port{IsRange: true, Values: []uint16{32000, 33000}},
+			ruleDstPort:     &fw.Port{Values: []uint16{443}},
+			ruleAction:      fw.ActionAccept,
+			shouldBeBlocked: true,
+		},
 	}

 	t.Run("Implicit DROP (no rules)", func(t *testing.T) {
@@ -636,25 +690,6 @@ func TestRouteACLFiltering(t *testing.T) {
 			},
 			shouldPass: true,
 		},
-		{
-			name:    "Invalid Port Range Configuration",
-			srcIP:   "100.10.0.1",
-			dstIP:   "192.168.1.100",
-			proto:   fw.ProtocolTCP,
-			srcPort: 12345,
-			dstPort: 8080,
-			rule: rule{
-				sources: []netip.Prefix{netip.MustParsePrefix("100.10.0.0/16")},
-				dest:    netip.MustParsePrefix("192.168.1.0/24"),
-				proto:   fw.ProtocolTCP,
-				dstPort: &fw.Port{
-					IsRange: true,
-					Values:  []uint16{8000}, // Invalid: only one value for range
-				},
-				action: fw.ActionAccept,
-			},
-			shouldPass: false,
-		},
 		{
 			name:    "Edge Case - Port at Range Boundary",
 			srcIP:   "100.10.0.1",