PR #18860 adds firewall rules in the mangle table to save outbound packet marks to conntrack and restore them on reply packets before the routing decision. When reply packets have their marks restored, the kernel uses the correct routing table (based on the mark) and the packets pass the rp_filter check. This makes the risk check and reverse path filtering warnings unnecessary. Updates #3310 Fixes tailscale/corp#37846 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>
// Copyright (c) Tailscale Inc & contributors
// SPDX-License-Identifier: BSD-3-Clause
package netutil
import (
"io"
"net"
"runtime"
"testing"
)
// conn is a test stand-in for a network connection. It satisfies net.Conn
// purely by embedding the interface; TestOneConnListener creates it with
// new(conn), so the embedded value is nil and the tests only compare the
// pointer's identity. Calling any net.Conn method on such a value would
// panic on the nil embedded interface.
type conn struct {
	net.Conn
}
// TestOneConnListener checks three behaviours of NewOneConnListener:
//
//   - the listener reports the address it was given, returns the wrapped
//     conn from the first Accept and io.EOF (with a nil Conn) from the second;
//   - Accept on a listener that was closed first returns io.EOF;
//   - a listener built with a nil address still reports a non-nil Addr.
//
// The EOF checks compare with != rather than errors.Is, so the test expects
// the bare io.EOF sentinel, not a wrapped error.
func TestOneConnListener(t *testing.T) {
	wantConn := new(conn)
	wantAddr := dummyAddr("a1")

	// Scenario 1: two consecutive Accepts on the same listener.
	accepting := NewOneConnListener(wantConn, wantAddr)
	if gotAddr := accepting.Addr(); gotAddr != wantAddr {
		t.Errorf("Addr = %#v; want %#v", gotAddr, wantAddr)
	}
	first, err := accepting.Accept()
	switch {
	case err != nil:
		t.Fatal(err)
	case first != wantConn:
		t.Fatalf("didn't get c1; got %p", first)
	}
	second, err := accepting.Accept()
	if err != io.EOF {
		t.Errorf("got %v; want EOF", err)
	}
	if second != nil {
		t.Errorf("unexpected non-nil Conn")
	}

	// Scenario 2: Close is called before the conn is ever accepted.
	closed := NewOneConnListener(wantConn, wantAddr)
	closed.Close()
	if _, err = closed.Accept(); err != io.EOF {
		t.Fatalf("got %v; want EOF", err)
	}

	// Scenario 3: no address supplied; the listener must still report one.
	implicit := NewOneConnListener(wantConn, nil)
	if implicit.Addr() == nil {
		t.Errorf("nil Addr")
	}
}
// TestIPForwardingEnabledLinux checks that ipForwardingEnabledLinux, asked
// about IPv4 forwarding on an interface name that is not expected to exist,
// returns false with a nil error rather than failing. The test is skipped on
// every GOOS other than linux.
func TestIPForwardingEnabledLinux(t *testing.T) {
	if goos := runtime.GOOS; goos != "linux" {
		t.Skipf("skipping on %s", goos)
	}

	// Deliberately bogus interface name: the lookup should not find it.
	const missingIface = "some-not-found-interface"

	enabled, err := ipForwardingEnabledLinux(ipv4, missingIface)
	switch {
	case err != nil:
		t.Fatal(err)
	case enabled:
		t.Errorf("got true; want false")
	}
}