ipsec: Improve encrypt flush
command
#28795
Merged
Merged
8 commits
017b0df
ipsec: Move getSPIFromXfrmPolicy to pkg/common
pchaigno 457e2e6
cmd: Add confirmation to encrypt flush command
pchaigno 5c20be0
cmd: New flag to flush only XFRM configs for given SPI
pchaigno 2e9ca0c
cmd: Refactor XFRM filter function to ease generalization
pchaigno b7972b1
cmd: Unit test for the filterXFRMs function
pchaigno 458cf36
ipsec: Move getNodeIDFromXfrmMark to pkg/common
pchaigno 1491133
cmd: New flag to flush only XFRM configs for a given node ID
pchaigno 8ac29cb
cmd: Unit test for parseNodeID
pchaigno File filter
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,102 @@ | ||
// SPDX-License-Identifier: Apache-2.0 | ||
// Copyright Authors of Cilium | ||
|
||
package cmd | ||
|
||
import ( | ||
"net" | ||
"testing" | ||
|
||
"github.com/vishvananda/netlink" | ||
) | ||
|
||
func TestFilterXFRMs(t *testing.T) { | ||
policies := []netlink.XfrmPolicy{ | ||
{Ifid: 1, Proto: netlink.XFRM_PROTO_ESP, Dst: &net.IPNet{IP: net.ParseIP("192.168.1.0"), Mask: net.CIDRMask(24, 32)}}, | ||
{Ifid: 2, Proto: netlink.XFRM_PROTO_AH, Dst: &net.IPNet{IP: net.ParseIP("192.168.1.0"), Mask: net.CIDRMask(24, 32)}}, | ||
{Ifid: 3, Proto: netlink.XFRM_PROTO_ESP, Dst: &net.IPNet{IP: net.ParseIP("10.0.0.0"), Mask: net.CIDRMask(16, 32)}}, | ||
{Ifid: 4, Proto: netlink.XFRM_PROTO_AH, Dst: &net.IPNet{IP: net.ParseIP("10.0.0.0"), Mask: net.CIDRMask(16, 32)}}, | ||
} | ||
states := []netlink.XfrmState{ | ||
{Ifid: 1, Proto: netlink.XFRM_PROTO_ESP, Dst: net.ParseIP("192.168.1.0")}, | ||
{Ifid: 2, Proto: netlink.XFRM_PROTO_AH, Dst: net.ParseIP("192.168.1.0")}, | ||
{Ifid: 3, Proto: netlink.XFRM_PROTO_ESP, Dst: net.ParseIP("10.0.0.0")}, | ||
{Ifid: 4, Proto: netlink.XFRM_PROTO_AH, Dst: net.ParseIP("10.0.0.0")}, | ||
} | ||
filterDstPolicy := func(pol netlink.XfrmPolicy) bool { | ||
return pol.Dst.IP.String() == "192.168.1.0" | ||
} | ||
filterDstState := func(state netlink.XfrmState) bool { | ||
return state.Dst.String() == "192.168.1.0" | ||
} | ||
filterProtoPolicy := func(pol netlink.XfrmPolicy) bool { | ||
return pol.Proto == netlink.XFRM_PROTO_ESP | ||
} | ||
filterProtoState := func(state netlink.XfrmState) bool { | ||
return state.Proto == netlink.XFRM_PROTO_ESP | ||
} | ||
|
||
// Test that single call to filterXFRMs provides the expected results. | ||
resPolicies, resStates := filterXFRMs(policies, states, filterDstPolicy, filterDstState) | ||
if len(resPolicies) != 2 { | ||
t.Errorf("Expected two policies to be filtered, but got %d", len(resPolicies)) | ||
} | ||
if len(resStates) != 2 { | ||
t.Errorf("Expected two states to be filtered, but got %d", len(resStates)) | ||
} | ||
if resPolicies[0].Ifid != 1 || resPolicies[1].Ifid != 2 { | ||
t.Errorf("Expected policies with Ifids 1 and 2 to be filtered, but got policies with Ifids %d and %d", resPolicies[0].Ifid, resPolicies[1].Ifid) | ||
} | ||
if resStates[0].Ifid != 1 || resStates[1].Ifid != 2 { | ||
t.Errorf("Expected state with Ifids 1 and 2 to be filtered, but got states with Ifids %d and %d", resStates[0].Ifid, resStates[1].Ifid) | ||
} | ||
|
||
// Test that chained calls to filterXFRMs also provide the expected results. | ||
resPolicies, resStates = filterXFRMs(resPolicies, resStates, filterProtoPolicy, filterProtoState) | ||
if len(resPolicies) != 1 { | ||
t.Errorf("Expected one policy to be filtered, but got %d", len(resPolicies)) | ||
} | ||
if len(resStates) != 1 { | ||
t.Errorf("Expected one state to be filtered, but got %d", len(resStates)) | ||
} | ||
if resPolicies[0].Ifid != 1 { | ||
t.Errorf("Expected policies with Ifid 1 to be filtered, but got policies with Ifid %d", resPolicies[0].Ifid) | ||
} | ||
if resStates[0].Ifid != 1 { | ||
t.Errorf("Expected state with Ifid 1 to be filtered, but got states with Ifid %d", resStates[0].Ifid) | ||
} | ||
} | ||
|
||
func TestParseNodeID(t *testing.T) { | ||
tests := []struct { | ||
input string | ||
expected uint16 | ||
err bool | ||
}{ | ||
{"0x0", 0, true}, | ||
{"42", 42, false}, | ||
{"0x1a", 26, false}, | ||
{"65535", 65535, false}, | ||
{"70000", 0, true}, // Too big for uint16 | ||
{"invalid", 0, true}, | ||
{"0xinvalid", 0, true}, | ||
{"0xdeadbeef", 0, true}, // Too big for uint16 | ||
} | ||
|
||
for _, test := range tests { | ||
result, err := parseNodeID(test.input) | ||
if test.err { | ||
if err == nil { | ||
t.Errorf("Expected error for input %s, but got nil", test.input) | ||
} | ||
} else { | ||
if err != nil { | ||
t.Errorf("Unexpected error for input %s: %v", test.input, err) | ||
} | ||
|
||
if result != test.expected { | ||
t.Errorf("For input %s, expected %d, but got %d", test.input, test.expected, result) | ||
} | ||
} | ||
} | ||
} |
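Review bot: In TestFilterXFRMs the four length checks report with `t.Errorf` and the statements right after them index `resPolicies[0]`, `resPolicies[1]`, `resStates[0]` and `resStates[1]`, so a filterXFRMs that returns too few entries makes the test panic with an index-out-of-range instead of failing with the intended message. The length checks should stop the test, e.g. `t.Fatalf("Expected two policies to be filtered, but got %d", len(resPolicies))`, and likewise for the states and for the chained call. Because these predicates decide which XFRM policies and states the flush command removes, a case with a predicate that matches nothing would also pin the empty-result behaviour. In TestParseNodeID the table has no empty-string or negative input; `{"", 0, true}` and `{"-1", 0, true}` would cover them, assuming parseNodeID is meant to reject both.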
For readability, this could be written:
It does look a bit better. You could make it a linter :-)