func toIPRange(dest string) (garden.IPRange, error) { idx := strings.IndexAny(dest, "-/") // Not a range or a CIDR if idx == -1 { ip := net.ParseIP(dest) if ip == nil { return garden.IPRange{}, ErrIPRangeConversionFailed } return garden.IPRangeFromIP(ip), nil } // We have a CIDR if dest[idx] == '/' { _, ipNet, err := net.ParseCIDR(dest) if err != nil { return garden.IPRange{}, ErrIPRangeConversionFailed } return garden.IPRangeFromIPNet(ipNet), nil } // We have an IP range firstIP := net.ParseIP(dest[:idx]) secondIP := net.ParseIP(dest[idx+1:]) if firstIP == nil || secondIP == nil { return garden.IPRange{}, ErrIPRangeConversionFailed } return garden.IPRange{Start: firstIP, End: secondIP}, nil }
func tcpRule(ip string, port uint16) garden.NetOutRule { return garden.NetOutRule{ Protocol: garden.ProtocolTCP, Networks: []garden.IPRange{garden.IPRangeFromIP(net.ParseIP(ip))}, Ports: []garden.PortRange{garden.PortRangeFromPort(port)}, Log: true, } }
func main() { gardenClient := client.New(connection.New("tcp", "127.0.0.1:7777")) _ = gardenClient.Destroy("foo") foo, err := gardenClient.Create(garden.ContainerSpec{Handle: "foo"}) failIf(err, "Create") err = foo.NetOut(garden.NetOutRule{ Protocol: garden.ProtocolICMP, Networks: []garden.IPRange{garden.IPRangeFromIP(net.ParseIP("8.8.8.8"))}, }) failIf(err, "NetOut") restartGarden() }
handle = "foo-handle" }) JustBeforeEach(func() { server.AppendHandlers( ghttp.CombineHandlers( ghttp.VerifyRequest("POST", fmt.Sprintf("/containers/%s/net/out", handle)), verifyRequestBody(&rule, &garden.NetOutRule{}), ghttp.RespondWith(200, "{}"))) }) Context("when a NetOutRule is passed", func() { BeforeEach(func() { rule = garden.NetOutRule{ Protocol: garden.ProtocolICMP, Networks: []garden.IPRange{garden.IPRangeFromIP(net.ParseIP("1.2.3.4"))}, Ports: []garden.PortRange{garden.PortRangeFromPort(2), garden.PortRangeFromPort(4)}, ICMPs: &garden.ICMPControl{Type: 3, Code: garden.ICMPControlCode(3)}, Log: true, } }) It("should send the rule over the wire", func() { Ω(connection.NetOut(handle, rule)).Should(Succeed()) }) }) }) Describe("Listing containers", func() { BeforeEach(func() { server.AppendHandlers(
package garden_test import ( "net" "github.com/cloudfoundry-incubator/garden" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" ) var _ = Describe("NetOutRule helper functions", func() { Describe("IPRangeFromIP", func() { It("Creates an IPRange with the Start and End set to the passed IP", func() { r := garden.IPRangeFromIP(net.ParseIP("1.2.3.4")) Ω(r.Start).Should(Equal(net.ParseIP("1.2.3.4"))) Ω(r.End).Should(Equal(r.Start)) }) }) Describe("IPRangeFromIPNet", func() { It("Creates an IPRange with the Start and End set to the extent of the IPNet", func() { ip, cidr, err := net.ParseCIDR("1.2.3.0/24") Ω(err).Should(Succeed()) r := garden.IPRangeFromIPNet(cidr) Ω(r.Start.String()).Should(Equal(ip.String())) Ω(r.End.String()).Should(Equal("1.2.3.255")) }) }) Describe("PortRangeFromPort", func() {
func pingRule(ip string) garden.NetOutRule { return garden.NetOutRule{ Protocol: garden.ProtocolICMP, Networks: []garden.IPRange{garden.IPRangeFromIP(net.ParseIP(ip))}, } }
//The target address is the ip addr of www.example.com in these tests BeforeEach(func() { denyRange = "0.0.0.0/0" allowRange = "9.9.9.9/30" containerNetwork = fmt.Sprintf("10.1%d.0.0/24", GinkgoParallelNode()) }) It("disallows TCP connections", func() { ByRejectingTCP() }) Context("when a rule that allows all traffic to the target is added", func() { JustBeforeEach(func() { err := container.NetOut(garden.NetOutRule{ Networks: []garden.IPRange{ garden.IPRangeFromIP(externalIP), }, }) Expect(err).ToNot(HaveOccurred()) }) It("allows TCP traffic to the target", func() { ByAllowingTCP() }) }) }) Context("when the target address is inside ALLOW_NETWORKS", func() { BeforeEach(func() { denyRange = "0.0.0.0/0" allowRange = "0.0.0.0/0"