Fix issue where ACL * would filter out returning connections (#1279)

This commit is contained in:
Kristoffer Dalby
2023-03-27 19:19:32 +02:00
committed by GitHub
parent 56a7b1e349
commit c7b459b615
8 changed files with 437 additions and 5 deletions


@@ -282,10 +282,10 @@ func (s *Suite) TestGetACLFilteredPeers(c *check.C) {
peersOfAdminMachine := app.filterMachinesByACL(adminMachine, machines)
c.Log(peersOfTestMachine)
c.Assert(len(peersOfTestMachine), check.Equals, 4)
c.Assert(peersOfTestMachine[0].Hostname, check.Equals, "testmachine4")
c.Assert(peersOfTestMachine[1].Hostname, check.Equals, "testmachine6")
c.Assert(peersOfTestMachine[3].Hostname, check.Equals, "testmachine10")
c.Assert(len(peersOfTestMachine), check.Equals, 9)
c.Assert(peersOfTestMachine[0].Hostname, check.Equals, "testmachine1")
c.Assert(peersOfTestMachine[1].Hostname, check.Equals, "testmachine3")
c.Assert(peersOfTestMachine[3].Hostname, check.Equals, "testmachine5")
c.Log(peersOfAdminMachine)
c.Assert(len(peersOfAdminMachine), check.Equals, 9)
@@ -950,6 +950,96 @@ func Test_getFilteredByACLPeers(t *testing.T) {
},
want: Machines{},
},
{
// Investigating 699
// Found some machines: [ts-head-8w6paa ts-unstable-lys2ib ts-head-upcrmb ts-unstable-rlwpvr] machine=ts-head-8w6paa
// ACL rules generated ACL=[{"DstPorts":[{"Bits":null,"IP":"*","Ports":{"First":0,"Last":65535}}],"SrcIPs":["fd7a:115c:a1e0::3","100.64.0.3","fd7a:115c:a1e0::4","100.64.0.4"]}]
// ACL Cache Map={"100.64.0.3":{"*":{}},"100.64.0.4":{"*":{}},"fd7a:115c:a1e0::3":{"*":{}},"fd7a:115c:a1e0::4":{"*":{}}}
name: "issue-699-broken-star",
args: args{
machines: Machines{ //
{
ID: 1,
Hostname: "ts-head-upcrmb",
IPAddresses: MachineAddresses{
netip.MustParseAddr("100.64.0.3"),
netip.MustParseAddr("fd7a:115c:a1e0::3"),
},
User: User{Name: "user1"},
},
{
ID: 2,
Hostname: "ts-unstable-rlwpvr",
IPAddresses: MachineAddresses{
netip.MustParseAddr("100.64.0.4"),
netip.MustParseAddr("fd7a:115c:a1e0::4"),
},
User: User{Name: "user1"},
},
{
ID: 3,
Hostname: "ts-head-8w6paa",
IPAddresses: MachineAddresses{
netip.MustParseAddr("100.64.0.1"),
netip.MustParseAddr("fd7a:115c:a1e0::1"),
},
User: User{Name: "user2"},
},
{
ID: 4,
Hostname: "ts-unstable-lys2ib",
IPAddresses: MachineAddresses{
netip.MustParseAddr("100.64.0.2"),
netip.MustParseAddr("fd7a:115c:a1e0::2"),
},
User: User{Name: "user2"},
},
},
rules: []tailcfg.FilterRule{ // list of all ACLRules registered
{
DstPorts: []tailcfg.NetPortRange{
{
IP: "*",
Ports: tailcfg.PortRange{First: 0, Last: 65535},
},
},
SrcIPs: []string{
"fd7a:115c:a1e0::3", "100.64.0.3",
"fd7a:115c:a1e0::4", "100.64.0.4",
},
},
},
machine: &Machine{ // current machine
ID: 3,
Hostname: "ts-head-8w6paa",
IPAddresses: MachineAddresses{
netip.MustParseAddr("100.64.0.1"),
netip.MustParseAddr("fd7a:115c:a1e0::1"),
},
User: User{Name: "user2"},
},
},
want: Machines{
{
ID: 1,
Hostname: "ts-head-upcrmb",
IPAddresses: MachineAddresses{
netip.MustParseAddr("100.64.0.3"),
netip.MustParseAddr("fd7a:115c:a1e0::3"),
},
User: User{Name: "user1"},
},
{
ID: 2,
Hostname: "ts-unstable-rlwpvr",
IPAddresses: MachineAddresses{
netip.MustParseAddr("100.64.0.4"),
netip.MustParseAddr("fd7a:115c:a1e0::4"),
},
User: User{Name: "user1"},
},
},
},
}
var lock sync.RWMutex
for _, tt := range tests {
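Review bot: The new "issue-699-broken-star" entry only exercises the returning direction — the current machine (ID 3, 100.64.0.1) is reached through the `*` destination while the rule's SrcIPs are the other user's nodes — so the mirrored view, where the current machine is ID 1 (a listed SrcIP) and `*` has to expand to every peer on the destination side, is not pinned by this table entry. Unless such a case already exists elsewhere in the table (only part of it is visible here), a sibling entry with the same four machines and rule but `machine` set to ID 1 and `want` holding IDs 2, 3 and 4 (assuming the filter keeps any peer the current machine can reach, as the surrounding entries suggest) would catch a regression in the other branch of the match. Minor: the trailing empty comment on `machines: Machines{ //` should be dropped. Test_getFilteredByACLPeers continues past the hunk at `for _, tt := range tests {`.
```go
{
	name: "issue-699-broken-star-reverse",
	args: args{
		// … same four machines and the single "*" rule as issue-699-broken-star …
		machine: &Machine{ // current machine is one of the rule's SrcIPs
			ID:       1,
			Hostname: "ts-head-upcrmb",
			IPAddresses: MachineAddresses{
				netip.MustParseAddr("100.64.0.3"),
				netip.MustParseAddr("fd7a:115c:a1e0::3"),
			},
			User: User{Name: "user1"},
		},
	},
	// … want: the remaining machines (IDs 2, 3, 4), since "*" covers all of them …
},
```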