1 package v1
2
3 import (
4 "errors"
5 "regexp"
6
7 "slices"
8
9 "edge-infra.dev/pkg/lib/networkvalidator"
10 )
11
12 const (
13 portRangeValidationRegex = `^(\d+(:\d+)?)?$`
14 )
15
16 func (cfw *ClusterFirewall) ValidateRules() error {
17 for _, clustRule := range cfw.Spec.ClusterRules {
18 if valid, reason := validateNodeRule(clustRule.NodeRule); !valid {
19 return errors.New(reason)
20 }
21 }
22 return nil
23 }
24
25 func (nfw *NodeFirewall) ValidateRules() (bool, string) {
26 for _, rule := range nfw.Spec.Rules {
27 if valid, reason := validateNodeRule(rule); !valid {
28 return false, reason
29 }
30 }
31 return true, ""
32 }
33
34 func validateNodeRule(rule NodeRule) (bool, string) {
35 _, err := networkvalidator.ValidateMacAddress(rule.InterfaceMAC)
36 validMac := err == nil
37 switch {
38 case !(rule.InterfaceMAC == "" || validMac):
39 return false, "invalid InterfaceMAC"
40 case !slices.Contains([]Direction{Input, Output}, rule.Direction):
41 return false, "invalid Direction"
42 case !validateAddressRange(rule.DestinationRanges):
43 return false, "invalid DestinationRange"
44 case !validateAddressRange(rule.SourceRanges):
45 return false, "invalid SourceRange"
46 case !validateFilters(rule.Filters):
47 return false, "invalid Filter"
48 }
49
50 return true, ""
51 }
52
53 func validateAddressRange(addressRanges []string) bool {
54 for _, addressRange := range addressRanges {
55 if !networkvalidator.IsValidCIDR(addressRange) {
56 return false
57 }
58 }
59 return true
60 }
61
62 func validateFilters(filters []Filter) bool {
63 r, err := regexp.Compile(portRangeValidationRegex)
64 if err != nil {
65 return false
66 }
67 for _, filter := range filters {
68 if !slices.Contains([]IPProtocol{TCP, UDP}, filter.IPProtocol) ||
69 !r.MatchString(filter.PortRange) ||
70 !slices.Contains([]Action{Allow, Deny}, filter.Action) {
71 return false
72 }
73 }
74 return true
75 }
76
View as plain text