Fix test

netbirdio · mlsmaycon · Dec 23, 2024 · Dec 19, 2024 · Dec 19, 2024 · Dec 20, 2024
commit 8f843bbc85bd8f1e714a71c66f60f7d17cd1b3d4
diff --git a/client/server/debug_test.go b/client/server/debug_test.go
@@ -430,17 +430,18 @@ func isInCGNATRange(ip net.IP) bool {
 }
 
 func TestAnonymizeFirewallRules(t *testing.T) {
+	// TODO: Add ipv6
+
 	// Example iptables-save output
 	iptablesSave := `# Generated by iptables-save v1.8.7 on Thu Dec 19 10:00:00 2024
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 -A INPUT -s 192.168.1.0/24 -j ACCEPT
--A INPUT -s 203.0.113.1/32 -j DROP
--A INPUT -s 2001:db8::1/128 -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -s 44.192.140.1/32 -j DROP
 -A FORWARD -s 10.0.0.0/8 -j DROP
--A FORWARD -s 203.0.113.0/24 -d 198.51.100.0/24 -j ACCEPT
+-A FORWARD -s 44.192.140.0/24 -d 52.84.12.34/24 -j ACCEPT
 COMMIT
 
 *nat
@@ -449,20 +450,19 @@ COMMIT
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 -A POSTROUTING -s 192.168.100.0/24 -j MASQUERADE
--A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
+-A PREROUTING -d 44.192.140.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
 COMMIT`
 
 	// Example iptables -v -n -L output
 	iptablesVerbose := `Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 ACCEPT     all  --  *      *       192.168.1.0/24       0.0.0.0/0           
-     100  1024 DROP       all  --  *      *       203.0.113.1          0.0.0.0/0           
-      50   512 ACCEPT     tcp  --  *      *       2001:db8::1          ::/0                tcp dpt:22
+     100  1024 DROP       all  --  *      *       44.192.140.1         0.0.0.0/0
 
 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        0     0 DROP       all  --  *      *       10.0.0.0/8           0.0.0.0/0           
-      25   256 ACCEPT     all  --  *      *       203.0.113.0/24       198.51.100.0/24     
+      25   256 ACCEPT     all  --  *      *       44.192.140.0/24      52.84.12.34/24
 
 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination`
@@ -472,13 +472,12 @@ Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
         chain input {
                 type filter hook input priority filter; policy accept;
                 ip saddr 192.168.1.1 accept
-                ip saddr 203.0.113.1 drop
-                ip6 saddr 2001:db8::1 tcp dport 22 accept
+                ip saddr 44.192.140.1 drop
         }
         chain forward {
                 type filter hook forward priority filter; policy accept;
                 ip saddr 10.0.0.0/8 drop
-                ip saddr 203.0.113.0/24 ip daddr 198.51.100.0/24 accept
+                ip saddr 44.192.140.0/24 ip daddr 52.84.12.34/24 accept
         }
     }`
 
@@ -493,12 +492,11 @@ Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 	assert.Contains(t, anonIptablesSave, "192.168.100.0/24")
 	assert.Contains(t, anonIptablesSave, "192.168.1.10")
 
-	// Public IP addresses should be anonymized
-	assert.NotContains(t, anonIptablesSave, "203.0.113.1")
-	assert.NotContains(t, anonIptablesSave, "203.0.113.0/24")
-	assert.NotContains(t, anonIptablesSave, "203.0.113.10")
-	assert.NotContains(t, anonIptablesSave, "198.51.100.0/24")
-	assert.NotContains(t, anonIptablesSave, "2001:db8::1")
+	// Public IP addresses should be anonymized to the default range
+	assert.NotContains(t, anonIptablesSave, "44.192.140.1")
+	assert.NotContains(t, anonIptablesSave, "44.192.140.0/24")
+	assert.NotContains(t, anonIptablesSave, "52.84.12.34")
+	assert.Contains(t, anonIptablesSave, "198.51.100.") // Default anonymous range
 
 	// Structure should be preserved
 	assert.Contains(t, anonIptablesSave, "*filter")
@@ -514,11 +512,11 @@ Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 	assert.Contains(t, anonIptablesVerbose, "192.168.1.0/24")
 	assert.Contains(t, anonIptablesVerbose, "10.0.0.0/8")
 
-	// Public IP addresses should be anonymized
-	assert.NotContains(t, anonIptablesVerbose, "203.0.113.1")
-	assert.NotContains(t, anonIptablesVerbose, "203.0.113.0/24")
-	assert.NotContains(t, anonIptablesVerbose, "198.51.100.0/24")
-	assert.NotContains(t, anonIptablesVerbose, "2001:db8::1")
+	// Public IP addresses should be anonymized to the default range
+	assert.NotContains(t, anonIptablesVerbose, "44.192.140.1")
+	assert.NotContains(t, anonIptablesVerbose, "44.192.140.0/24")
+	assert.NotContains(t, anonIptablesVerbose, "52.84.12.34")
+	assert.Contains(t, anonIptablesVerbose, "198.51.100.") // Default anonymous range
 
 	// Structure and counters should be preserved
 	assert.Contains(t, anonIptablesVerbose, "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)")
@@ -532,15 +530,14 @@ Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 	assert.Contains(t, anonNftables, "192.168.1.1")
 	assert.Contains(t, anonNftables, "10.0.0.0/8")
 
-	// Public IP addresses should be anonymized
-	assert.NotContains(t, anonNftables, "203.0.113.1")
-	assert.NotContains(t, anonNftables, "203.0.113.0/24")
-	assert.NotContains(t, anonNftables, "198.51.100.0/24")
-	assert.NotContains(t, anonNftables, "2001:db8::1")
+	// Public IP addresses should be anonymized to the default range
+	assert.NotContains(t, anonNftables, "44.192.140.1")
+	assert.NotContains(t, anonNftables, "44.192.140.0/24")
+	assert.NotContains(t, anonNftables, "52.84.12.34")
+	assert.Contains(t, anonNftables, "198.51.100.") // Default anonymous range
 
 	// Structure should be preserved
 	assert.Contains(t, anonNftables, "table inet filter {")
 	assert.Contains(t, anonNftables, "chain input {")
 	assert.Contains(t, anonNftables, "type filter hook input priority filter; policy accept;")
-	assert.Contains(t, anonNftables, "tcp dport 22 accept")
 }