fix: eliminate stale verdict poisoning, memory leaks, data races, and per-packet allocations in engine
This commit is contained in:
+13
-28
@@ -1,7 +1,6 @@
|
||||
package engine
|
||||
|
||||
import (
|
||||
"net"
|
||||
"testing"
|
||||
|
||||
"git.difuse.io/Difuse/Mellaris/analyzer"
|
||||
@@ -9,8 +8,6 @@ import (
|
||||
"git.difuse.io/Difuse/Mellaris/ruleset"
|
||||
|
||||
"github.com/bwmarrin/snowflake"
|
||||
"github.com/google/gopacket"
|
||||
"github.com/google/gopacket/layers"
|
||||
)
|
||||
|
||||
type fixedRuleset struct {
|
||||
@@ -60,25 +57,19 @@ func TestUDPStreamUsesUpdatedRuleset(t *testing.T) {
|
||||
Ruleset: fixedRuleset{action: ruleset.ActionAllow},
|
||||
}
|
||||
|
||||
ipFlow := gopacket.NewFlow(layers.EndpointIPv4, net.IPv4(10, 0, 0, 1).To4(), net.IPv4(10, 0, 0, 2).To4())
|
||||
udp := &layers.UDP{
|
||||
SrcPort: 12345,
|
||||
DstPort: 53,
|
||||
BaseLayer: layers.BaseLayer{
|
||||
Payload: []byte("query"),
|
||||
},
|
||||
}
|
||||
tuple := udpTupleKey{AIP: [16]byte{10, 0, 0, 1}, BIP: [16]byte{10, 0, 0, 2}, ALen: 4, BLen: 4, APort: 12345, BPort: 53}
|
||||
payload := []byte("query")
|
||||
ctx := &udpContext{Verdict: udpVerdictAccept}
|
||||
s := f.New(ipFlow, udp.TransportFlow(), udp, ctx)
|
||||
s := f.New(tuple, payload, ctx)
|
||||
|
||||
if err := f.UpdateRuleset(fixedRuleset{action: ruleset.ActionBlock}); err != nil {
|
||||
t.Fatalf("update ruleset: %v", err)
|
||||
}
|
||||
|
||||
if !s.Accept(udp, false, ctx) {
|
||||
if !s.Accept(false, ctx) {
|
||||
t.Fatalf("unexpected Accept=false for virgin stream")
|
||||
}
|
||||
s.Feed(udp, false, ctx)
|
||||
s.Feed(false, payload, ctx)
|
||||
if ctx.Verdict != udpVerdictDropStream {
|
||||
t.Fatalf("verdict=%v want=%v", ctx.Verdict, udpVerdictDropStream)
|
||||
}
|
||||
@@ -96,21 +87,15 @@ func TestUDPStreamReevaluatesAfterRulesetVersionChange(t *testing.T) {
|
||||
Ruleset: fixedRuleset{action: ruleset.ActionAllow},
|
||||
}
|
||||
|
||||
ipFlow := gopacket.NewFlow(layers.EndpointIPv4, net.IPv4(10, 0, 0, 1).To4(), net.IPv4(10, 0, 0, 2).To4())
|
||||
udp := &layers.UDP{
|
||||
SrcPort: 12345,
|
||||
DstPort: 53,
|
||||
BaseLayer: layers.BaseLayer{
|
||||
Payload: []byte("query"),
|
||||
},
|
||||
}
|
||||
tuple := udpTupleKey{AIP: [16]byte{10, 0, 0, 1}, BIP: [16]byte{10, 0, 0, 2}, ALen: 4, BLen: 4, APort: 12345, BPort: 53}
|
||||
payload := []byte("query")
|
||||
|
||||
ctx1 := &udpContext{Verdict: udpVerdictAccept}
|
||||
s := f.New(ipFlow, udp.TransportFlow(), udp, ctx1)
|
||||
if !s.Accept(udp, false, ctx1) {
|
||||
s := f.New(tuple, payload, ctx1)
|
||||
if !s.Accept(false, ctx1) {
|
||||
t.Fatalf("unexpected Accept=false before first feed")
|
||||
}
|
||||
s.Feed(udp, false, ctx1)
|
||||
s.Feed(false, payload, ctx1)
|
||||
if ctx1.Verdict != udpVerdictAcceptStream {
|
||||
t.Fatalf("verdict=%v want=%v", ctx1.Verdict, udpVerdictAcceptStream)
|
||||
}
|
||||
@@ -120,16 +105,16 @@ func TestUDPStreamReevaluatesAfterRulesetVersionChange(t *testing.T) {
|
||||
}
|
||||
|
||||
ctx2 := &udpContext{Verdict: udpVerdictAccept}
|
||||
if !s.Accept(udp, false, ctx2) {
|
||||
if !s.Accept(false, ctx2) {
|
||||
t.Fatalf("expected Accept=true after ruleset update")
|
||||
}
|
||||
s.Feed(udp, false, ctx2)
|
||||
s.Feed(false, payload, ctx2)
|
||||
if ctx2.Verdict != udpVerdictDropStream {
|
||||
t.Fatalf("verdict=%v want=%v", ctx2.Verdict, udpVerdictDropStream)
|
||||
}
|
||||
|
||||
ctx3 := &udpContext{Verdict: udpVerdictAccept}
|
||||
if s.Accept(udp, false, ctx3) {
|
||||
if s.Accept(false, ctx3) {
|
||||
t.Fatalf("expected Accept=false with unchanged ruleset and no active entries")
|
||||
}
|
||||
if ctx3.Verdict != udpVerdictDropStream {
|
||||
|
||||
Reference in New Issue
Block a user