diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 16063ae..15b8eb9 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -223,7 +223,7 @@ jobs:
 - name: "[TEST] Run container with ruleset file..."
 run: |
- RULE="ip saddr 127.0.0.1 udp dport 80 actions unfunnel udp"
+ RULE="ip saddr 127.0.0.1 udp dport 80 actions unfunnel decap udp"
 echo "$RULE" > ruleset
 set -o pipefail
@@ -249,7 +249,7 @@ jobs:
 - name: "[TEST] Run container with ruleset via SFUNNEL_RULESET (no override)..."
 run: |
- RULE="ip saddr 127.0.0.2 udp dport 80 actions unfunnel udp"
+ RULE="ip saddr 127.0.0.2 udp dport 80 actions unfunnel decap udp"
 set -o pipefail
 docker run -e SFUNNEL_RULESET="$RULE" --privileged sfunnel:latest 2>&1 | tee output
@@ -264,7 +264,7 @@ jobs:
 - name: "[TEST] Run container with ruleset via SFUNNEL_RULESET (override)..."
 run: |
- RULE="ip saddr 127.0.0.2 udp dport 80 actions unfunnel udp" #Should override ruleset file with 127.0.0.1
+ RULE="ip saddr 127.0.0.2 udp dport 80 actions unfunnel decap udp" #Should override ruleset file with 127.0.0.1
 set -o pipefail
 docker run -e SFUNNEL_RULESET="$RULE" --privileged -v `pwd`/ruleset:/etc/sfunnel/ruleset sfunnel:latest 2>&1 | tee output
@@ -297,7 +297,7 @@ jobs:
 - name: "[TEST] Run container with DEBUG=1 ..."
 run: |
- RULE="ip saddr 127.0.0.1 udp dport 80 actions unfunnel udp"
+ RULE="ip saddr 127.0.0.1 udp dport 80 actions unfunnel decap udp"
 echo "$RULE" > ruleset
 set -o pipefail
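Review bot: No step checks that a rule in the old form is rejected: all five ci.yaml hunks (@@ -223, -249, -264, -297 and -421) only swap the rule text to the new `unfunnel decap` spelling and keep testing the success path. Because tools/gen.py now requires the keyword, a negative step that sets `RULE="ip saddr 127.0.0.1 udp dport 80 actions unfunnel udp"` and expects `docker run` to exit non-zero would show that a stale ruleset is refused rather than loaded without its action. The steps continue outside these hunks, so a negative test elsewhere in the workflow cannot be ruled out.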
@@ -421,7 +421,7 @@ jobs:
 (grep "\$DEBUG='1'" output) || (echo "ERROR: unable to validate env. variables are passed to the NETNS execution" && exit 1) #Successful run with SFUNNEL_RULESET
- RULE="ip saddr 127.0.0.2 udp dport 80 actions unfunnel udp"
+ RULE="ip saddr 127.0.0.2 udp dport 80 actions unfunnel decap udp"
 docker run --privileged --network=host -v /var/run/netns:/var/run/netns -e NETNS=test_ns -e DEBUG=1 -e SFUNNEL_RULESET="$RULE" -e IFACES=lo sfunnel:latest 2>&1 | tee output
 if [ ${PIPESTATUS[0]} -ne 0 ]; then
 echo "ERROR: container execution FAILED!"
diff --git a/test/cni/Makefile b/test/cni/Makefile
index ee18eac..0cf962e 100644
--- a/test/cni/Makefile
+++ b/test/cni/Makefile
@@ -20,8 +20,8 @@ endif
 CLANG ?= clang
 ITERATIONS ?= 10
-RULESET_EGRESS := "ip tcp dport 8080 actions funnel tcp dport 80 sport 540; ip udp dport 8080 actions funnel tcp dport 80 sport 541;"
-RULESET_INGRESS := "ip tcp sport 80 dport 540 actions unfunnel tcp"
+RULESET_EGRESS := "ip tcp dport 8080 actions funnel encap tcp dport 80 sport 540; ip udp dport 8080 actions funnel encap tcp dport 80 sport 541;"
+RULESET_INGRESS := "ip tcp sport 80 dport 540 actions unfunnel decap tcp"
 SRC_IPS := 192.168.254.2 192.168.254.3 192.168.254.4 192.168.254.5 192.168.254.6 192.168.254.7 192.168.254.8 192.168.254.9 192.168.254.10 192.168.254.11
 all: check
diff --git a/test/ns/ruleset b/test/ns/ruleset
index 46a3608..a14947f 100644
--- a/test/ns/ruleset
+++ b/test/ns/ruleset
@@ -1,12 +1,12 @@
 ##Matching funneling and unfunneling rules 1:1
-ip udp dport 2055 actions funnel tcp dport 179 sport 540
-ip tcp dport 179 sport 540 actions unfunnel udp
+ip udp dport 2055 actions funnel encap tcp dport 179 sport 540
+ip tcp dport 179 sport 540 actions unfunnel decap udp
-ip udp dport 2056 actions funnel udp dport 179 sport 540
-ip udp dport 179 sport 540 actions unfunnel udp
+ip udp dport 2056 actions funnel encap udp dport 179 sport 540
+ip udp dport 179 sport 540 actions unfunnel decap udp
-ip tcp dport 2055 actions funnel tcp dport 179 sport 541
-ip tcp dport 179 sport 541 actions unfunnel tcp
+ip tcp dport 2055 actions funnel encap tcp dport 179 sport 541
+ip tcp dport 179 sport 541 actions unfunnel decap tcp
-ip tcp dport 2056 actions funnel udp dport 179 sport 541
-ip udp dport 179 sport 541 actions unfunnel tcp
+ip tcp dport 2056 actions funnel encap udp dport 179 sport 541
+ip udp dport 179 sport 541 actions unfunnel decap tcp
diff --git a/test/ns_perf/Makefile b/test/ns_perf/Makefile
index 6a5a0b3..501ae23 100644
--- a/test/ns_perf/Makefile
+++ b/test/ns_perf/Makefile
@@ -42,11 +42,11 @@ check: _setup _load
 # ........... ............ #
-RULES_SVC_EGRESS := "ip $(PROTO) sport 8080 actions funnel $(FUN_PROTO) sport 80 dport 540"
-RULES_SVC_INGRESS := "ip $(FUN_PROTO) dport 80 sport 540 actions unfunnel $(PROTO)"
+RULES_SVC_EGRESS := "ip $(PROTO) sport 8080 actions funnel encap $(FUN_PROTO) sport 80 dport 540"
+RULES_SVC_INGRESS := "ip $(FUN_PROTO) dport 80 sport 540 actions unfunnel decap $(PROTO)"
-RULES_INGRESS := "ip $(FUN_PROTO) sport 80 dport 540 actions unfunnel $(PROTO)"
-RULES_EGRESS := "ip $(PROTO) dport 8080 actions funnel $(FUN_PROTO) sport 540 dport 80"
+RULES_INGRESS := "ip $(FUN_PROTO) sport 80 dport 540 actions unfunnel decap $(PROTO)"
+RULES_EGRESS := "ip $(PROTO) dport 8080 actions funnel encap $(FUN_PROTO) sport 540 dport 80"
 _setup:
 $(QUIET)echo -n "Creating ifaces..."
diff --git a/tools/gen.py b/tools/gen.py
index c0f483a..f407ed7 100644
--- a/tools/gen.py
+++ b/tools/gen.py
@@ -60,8 +60,8 @@
 ]
 action_patterns = [
- f"(funnel)\s*{param_re}\s*(sport|dport)\s*{param_re}\s*(sport|dport)\s*{param_re}",
- f"(unfunnel)\s*{param_re}",
+ f"(funnel)\s*(encap)\s*{param_re}\s*(sport|dport)\s*{param_re}\s*(sport|dport)\s*{param_re}",
+ f"(unfunnel)\s*(decap)\s*{param_re}",
 f"(dnat)\s*{param_re}",
 f"(accept)",
 f"(drop)"
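Review bot: Both new patterns join the keyword pair with `\s*`, so `(unfunnel)\s*(decap)` also accepts the run-together token `unfunneldecap`, and the `funnel` line likewise accepts `funnelencap`; requiring a separator, as in `(unfunnel)\s+(decap)\s*{param_re}`, keeps the rule grammar strict. The literals are plain f-strings, so `\s` is an invalid escape sequence that newer Python versions warn about, and an `rf"..."` prefix on each pattern avoids that. Each added group shifts the capture indices after the action name by one, and the code that reads the match groups is outside this hunk, so it should be checked against the new numbering. How a rule in the old form (`unfunnel udp`) is reported is also not visible here; it should fail with an error rather than be skipped.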