From 65fd0a3b85dab7fee5821ff1f4e0c0aacca9c3c9 Mon Sep 17 00:00:00 2001 From: Stefan Majer Date: Tue, 23 Jan 2024 08:58:34 +0100 Subject: [PATCH] Drop forward for the metal-case (#101) --- .github/workflows/master.yml | 12 +- .github/workflows/pr.yml | 19 +- .github/workflows/release.yml | 12 +- Makefile | 6 - go.mod | 48 ++-- go.sum | 245 +++++------------- pkg/netconf/chrony_test.go | 15 +- pkg/netconf/configurator.go | 27 +- pkg/netconf/configurator_test.go | 9 +- pkg/netconf/frr_test.go | 13 +- pkg/netconf/hostname_test.go | 10 +- pkg/netconf/hosts_test.go | 11 +- pkg/netconf/interfaces_test.go | 4 +- pkg/netconf/knowledgebase_test.go | 102 ++++---- pkg/netconf/nftables.go | 16 +- pkg/netconf/nftables_test.go | 25 +- pkg/netconf/routemap_test.go | 4 +- pkg/netconf/service_test.go | 20 +- pkg/netconf/testdata/nftrules | 3 +- .../testdata/nftrules_accept_forwarding | 73 ++++++ pkg/netconf/testdata/nftrules_dmz | 3 +- pkg/netconf/testdata/nftrules_dmz_app | 3 +- pkg/netconf/testdata/nftrules_ipv6 | 3 +- pkg/netconf/testdata/nftrules_shared | 3 +- pkg/netconf/testdata/nftrules_vpn | 3 +- pkg/netconf/tpl/nftrules.tpl | 5 +- validate.sh | 9 +- 27 files changed, 345 insertions(+), 358 deletions(-) create mode 100644 pkg/netconf/testdata/nftrules_accept_forwarding diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml index f5894ec..d088c25 100644 --- a/.github/workflows/master.yml +++ b/.github/workflows/master.yml @@ -10,14 +10,18 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v3 - - name: Set up Go 1.20 - uses: actions/setup-go@v3 + uses: actions/checkout@v4 + + - name: Set up Go 1.21 + uses: actions/setup-go@v5 with: - go-version: '1.20.x' + go-version: '1.21.x' + cache: false + - name: Lint uses: golangci/golangci-lint-action@v3 with: args: -p bugs -p unused + - name: Build project run: make diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 743febe..3e97885 100644 
--- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -5,24 +5,23 @@ on: branches: - master -env: - GCS_BUCKET: images.metal-pod.io - jobs: build: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@master - - name: Set up Go 1.20 - uses: actions/setup-go@v3 + uses: actions/checkout@v4 + + - name: Set up Go 1.21 + uses: actions/setup-go@v5 with: - go-version: '1.20.x' + go-version: '1.21.x' + cache: false + - name: Lint uses: golangci/golangci-lint-action@v3 with: args: -p bugs -p unused + - name: Build project - run: | - make - make validate + run: make diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ace47c6..c2e2d0a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,14 +10,18 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@master - - name: Set up Go 1.20 - uses: actions/setup-go@v3 + uses: actions/checkout@v4 + + - name: Set up Go 1.21 + uses: actions/setup-go@v5 with: - go-version: '1.20.x' + go-version: '1.21.x' + cache: false + - name: Lint uses: golangci/golangci-lint-action@v3 with: args: -p bugs -p unused + - name: Build project run: make diff --git a/Makefile b/Makefile index cdcd528..d024b14 100644 --- a/Makefile +++ b/Makefile @@ -1,9 +1,3 @@ -.ONESHELL: -SHA := $(shell git rev-parse --short=8 HEAD) -GITVERSION := $(shell git describe --long --all) -BUILDDATE := $(shell date -Iseconds) -VERSION := $(or ${VERSION},devel) - .PHONY: all all: test validate diff --git a/go.mod b/go.mod index fd7f83c..3b63d0d 100644 --- a/go.mod +++ b/go.mod 
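Review bot: `uses: actions/checkout@v4` and `uses: actions/setup-go@v5` reference mutable tags, so the PR build runs whatever commit those tags point to when the job starts; the same applies to the identical lines in the master.yml and release.yml hunks and to the unchanged `golangci/golangci-lint-action@v3`. Pinning each action to its full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v4`, fixes the code that runs in CI while still letting update tooling recognise the version. Replacing `actions/checkout@master` is already the important step; SHA pinning closes the remaining gap.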
@@ -1,41 +1,39 @@
 module github.com/metal-stack/metal-networker
-go 1.20
+go 1.21
 require (
 github.com/coreos/go-systemd/v22 v22.5.0
- github.com/google/go-cmp v0.5.9
- github.com/metal-stack/metal-go v0.22.3
- github.com/metal-stack/metal-hammer v0.11.2
- github.com/metal-stack/metal-lib v0.11.5
+ github.com/google/go-cmp v0.6.0
+ github.com/metal-stack/metal-go v0.26.2
+ github.com/metal-stack/metal-hammer v0.12.0
+ github.com/metal-stack/metal-lib v0.14.3
 github.com/metal-stack/v v1.0.3
- github.com/stretchr/testify v1.8.2
- go.uber.org/zap v1.24.0
+ github.com/stretchr/testify v1.8.4
+ go.uber.org/zap v1.26.0
 gopkg.in/yaml.v3 v3.0.1
 )
 require (
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
- github.com/benbjohnson/clock v1.3.0 // indirect
- github.com/davecgh/go-spew v1.1.1 // indirect
- github.com/go-openapi/analysis v0.21.4 // indirect
- github.com/go-openapi/errors v0.20.3 // indirect
- github.com/go-openapi/jsonpointer v0.19.6 // indirect
- github.com/go-openapi/jsonreference v0.20.2 // indirect
- github.com/go-openapi/loads v0.21.2 // indirect
- github.com/go-openapi/spec v0.20.8 // indirect
- github.com/go-openapi/strfmt v0.21.5 // indirect
- github.com/go-openapi/swag v0.22.3 // indirect
- github.com/go-openapi/validate v0.22.1 // indirect
- github.com/godbus/dbus/v5 v5.1.0 // indirect
+ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+ github.com/go-openapi/analysis v0.22.2 // indirect
+ github.com/go-openapi/errors v0.21.0 // indirect
+ github.com/go-openapi/jsonpointer v0.20.2 // indirect
+ github.com/go-openapi/jsonreference v0.20.4 // indirect
+ github.com/go-openapi/loads v0.21.5 // indirect
+ github.com/go-openapi/spec v0.20.14 // indirect
+ github.com/go-openapi/strfmt v0.22.0 // indirect
+ github.com/go-openapi/swag v0.22.8 // indirect
+ github.com/go-openapi/validate v0.22.6 // indirect
+ github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 // indirect
+ github.com/google/uuid v1.5.0 // indirect
 github.com/josharian/intern v1.0.0 // indirect
- github.com/kr/pretty v0.3.1 // indirect
 github.com/mailru/easyjson v0.7.7 // indirect
 github.com/mitchellh/mapstructure v1.5.0 // indirect
 github.com/oklog/ulid v1.3.1 // indirect
- github.com/pmezard/go-difflib v1.0.0 // indirect
- go.mongodb.org/mongo-driver v1.11.2 // indirect
- go.uber.org/atomic v1.10.0 // indirect
- go.uber.org/goleak v1.2.1 // indirect
- go.uber.org/multierr v1.10.0 // indirect
+ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+ go.mongodb.org/mongo-driver v1.13.1 // indirect
+ go.uber.org/multierr v1.11.0 // indirect
+ golang.org/x/sys v0.16.0 // indirect
 )
diff --git a/go.sum b/go.sum
index 77accb6..92204e3 100644
--- a/go.sum
+++ b/go.sum
@@ -1,227 +1,112 @@ -github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= -github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= -github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A= -github.com/benbjohnson/clock v1.3.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs= github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= -github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/go-openapi/analysis v0.21.2/go.mod h1:HZwRk4RRisyG8vx2Oe6aqeSQcoxRp47Xkp3+K6q+LdY= -github.com/go-openapi/analysis v0.21.4 h1:ZDFLvSNxpDaomuCueM0BlSXxpANBlFYiBvr+GXrvIHc= -github.com/go-openapi/analysis v0.21.4/go.mod h1:4zQ35W4neeZTqh3ol0rv/O8JBbka9QyAgQRPp9y3pfo= -github.com/go-openapi/errors v0.19.8/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= -github.com/go-openapi/errors v0.19.9/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= -github.com/go-openapi/errors v0.20.2/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= -github.com/go-openapi/errors v0.20.3 
h1:rz6kiC84sqNQoqrtulzaL/VERgkoCyB6WdEkc2ujzUc= -github.com/go-openapi/errors v0.20.3/go.mod h1:Z3FlZ4I8jEGxjUK+bugx3on2mIAk4txuAOhlsB1FSgk= -github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= -github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= -github.com/go-openapi/jsonreference v0.19.6/go.mod h1:diGHMEHg2IqXZGKxqyvWdfWU/aim5Dprw5bqpKkTvns= -github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo= -github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= -github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= -github.com/go-openapi/loads v0.21.1/go.mod h1:/DtAMXXneXFjbQMGEtbamCZb+4x7eGwkvZCvBmwUG+g= -github.com/go-openapi/loads v0.21.2 h1:r2a/xFIYeZ4Qd2TnGpWDIQNcP80dIaZgf704za8enro= -github.com/go-openapi/loads v0.21.2/go.mod h1:Jq58Os6SSGz0rzh62ptiu8Z31I+OTHqmULx5e/gJbNw= -github.com/go-openapi/spec v0.20.4/go.mod h1:faYFR1CvsJZ0mNsmsphTMSoRrNV3TEDoAM7FOEWeq8I= -github.com/go-openapi/spec v0.20.6/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA= -github.com/go-openapi/spec v0.20.8 h1:ubHmXNY3FCIOinT8RNrrPfGc9t7I1qhPtdOGoG2AxRU= -github.com/go-openapi/spec v0.20.8/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA= -github.com/go-openapi/strfmt v0.21.0/go.mod h1:ZRQ409bWMj+SOgXofQAGTIo2Ebu72Gs+WaRADcS5iNg= -github.com/go-openapi/strfmt v0.21.1/go.mod h1:I/XVKeLc5+MM5oPNN7P6urMOpuLXEcNrCX/rPGuWb0k= -github.com/go-openapi/strfmt v0.21.3/go.mod h1:k+RzNO0Da+k3FrrynSNN8F7n/peCmQQqbbXjtDfvmGg= -github.com/go-openapi/strfmt v0.21.5 h1:Z/algjpXIZpbvdN+6KbVTkpO75RuedMrqpn1GN529h4= -github.com/go-openapi/strfmt v0.21.5/go.mod 
h1:k+RzNO0Da+k3FrrynSNN8F7n/peCmQQqbbXjtDfvmGg= -github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= -github.com/go-openapi/swag v0.21.1/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= -github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= -github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= -github.com/go-openapi/validate v0.22.1 h1:G+c2ub6q47kfX1sOBLwIQwzBVt8qmOAARyo/9Fqs9NU= -github.com/go-openapi/validate v0.22.1/go.mod h1:rjnrwK57VJ7A8xqfpAOEKRH8yQSGUriMu5/zuPSQ1hg= -github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= -github.com/gobuffalo/attrs v0.0.0-20190224210810-a9411de4debd/go.mod h1:4duuawTqi2wkkpB4ePgWMaai6/Kc6WEz83bhFwpHzj0= -github.com/gobuffalo/depgen v0.0.0-20190329151759-d478694a28d3/go.mod h1:3STtPUQYuzV0gBVOY3vy6CfMm/ljR4pABfrTeHNLHUY= -github.com/gobuffalo/depgen v0.1.0/go.mod h1:+ifsuy7fhi15RWncXQQKjWS9JPkdah5sZvtHc2RXGlg= -github.com/gobuffalo/envy v1.6.15/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI= -github.com/gobuffalo/envy v1.7.0/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI= -github.com/gobuffalo/flect v0.1.0/go.mod h1:d2ehjJqGOH/Kjqcoz+F7jHTBbmDb38yXA598Hb50EGs= -github.com/gobuffalo/flect v0.1.1/go.mod h1:8JCgGVbRjJhVgD6399mQr4fx5rRfGKVzFjbj6RE/9UI= -github.com/gobuffalo/flect v0.1.3/go.mod h1:8JCgGVbRjJhVgD6399mQr4fx5rRfGKVzFjbj6RE/9UI= -github.com/gobuffalo/genny v0.0.0-20190329151137-27723ad26ef9/go.mod h1:rWs4Z12d1Zbf19rlsn0nurr75KqhYp52EAGGxTbBhNk= -github.com/gobuffalo/genny v0.0.0-20190403191548-3ca520ef0d9e/go.mod h1:80lIj3kVJWwOrXWWMRzzdhW3DsrdjILVil/SFKBzF28= -github.com/gobuffalo/genny v0.1.0/go.mod h1:XidbUqzak3lHdS//TPu2OgiFB+51Ur5f7CSnXZ/JDvo= -github.com/gobuffalo/genny v0.1.1/go.mod h1:5TExbEyY48pfunL4QSXxlDOmdsD44RRq4mVZ0Ex28Xk= -github.com/gobuffalo/gitgen 
v0.0.0-20190315122116-cc086187d211/go.mod h1:vEHJk/E9DmhejeLeNt7UVvlSGv3ziL+djtTr3yyzcOw= -github.com/gobuffalo/gogen v0.0.0-20190315121717-8f38393713f5/go.mod h1:V9QVDIxsgKNZs6L2IYiGR8datgMhB577vzTDqypH360= -github.com/gobuffalo/gogen v0.1.0/go.mod h1:8NTelM5qd8RZ15VjQTFkAW6qOMx5wBbW4dSCS3BY8gg= -github.com/gobuffalo/gogen v0.1.1/go.mod h1:y8iBtmHmGc4qa3urIyo1shvOD8JftTtfcKi+71xfDNE= -github.com/gobuffalo/logger v0.0.0-20190315122211-86e12af44bc2/go.mod h1:QdxcLw541hSGtBnhUc4gaNIXRjiDppFGaDqzbrBd3v8= -github.com/gobuffalo/mapi v1.0.1/go.mod h1:4VAGh89y6rVOvm5A8fKFxYG+wIW6LO1FMTG9hnKStFc= -github.com/gobuffalo/mapi v1.0.2/go.mod h1:4VAGh89y6rVOvm5A8fKFxYG+wIW6LO1FMTG9hnKStFc= -github.com/gobuffalo/packd v0.0.0-20190315124812-a385830c7fc0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWeG2RIxq4= -github.com/gobuffalo/packd v0.1.0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWeG2RIxq4= -github.com/gobuffalo/packr/v2 v2.0.9/go.mod h1:emmyGweYTm6Kdper+iywB6YK5YzuKchGtJQZ0Odn4pQ= -github.com/gobuffalo/packr/v2 v2.2.0/go.mod h1:CaAwI0GPIAv+5wKLtv8Afwl+Cm78K/I/VCm/3ptBN+0= -github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/go-openapi/analysis v0.22.2 h1:ZBmNoP2h5omLKr/srIC9bfqrUGzT6g6gNv03HE9Vpj0= +github.com/go-openapi/analysis v0.22.2/go.mod h1:pDF4UbZsQTo/oNuRfAWWd4dAh4yuYf//LYorPTjrpvo= +github.com/go-openapi/errors v0.21.0 h1:FhChC/duCnfoLj1gZ0BgaBmzhJC2SL/sJr8a2vAobSY= +github.com/go-openapi/errors v0.21.0/go.mod h1:jxNTMUxRCKj65yb/okJGEtahVd7uvWnuWfj53bse4ho= +github.com/go-openapi/jsonpointer v0.20.2 h1:mQc3nmndL8ZBzStEo3JYF8wzmeWffDH4VbXz58sAx6Q= +github.com/go-openapi/jsonpointer v0.20.2/go.mod h1:bHen+N0u1KEO3YlmqOjTT9Adn1RfD91Ar825/PuiRVs= 
+github.com/go-openapi/jsonreference v0.20.4 h1:bKlDxQxQJgwpUSgOENiMPzCTBVuc7vTdXSSgNeAhojU= +github.com/go-openapi/jsonreference v0.20.4/go.mod h1:5pZJyJP2MnYCpoeoMAql78cCHauHj0V9Lhc506VOpw4= +github.com/go-openapi/loads v0.21.5 h1:jDzF4dSoHw6ZFADCGltDb2lE4F6De7aWSpe+IcsRzT0= +github.com/go-openapi/loads v0.21.5/go.mod h1:PxTsnFBoBe+z89riT+wYt3prmSBP6GDAQh2l9H1Flz8= +github.com/go-openapi/spec v0.20.14 h1:7CBlRnw+mtjFGlPDRZmAMnq35cRzI91xj03HVyUi/Do= +github.com/go-openapi/spec v0.20.14/go.mod h1:8EOhTpBoFiask8rrgwbLC3zmJfz4zsCUueRuPM6GNkw= +github.com/go-openapi/strfmt v0.22.0 h1:Ew9PnEYc246TwrEspvBdDHS4BVKXy/AOVsfqGDgAcaI= +github.com/go-openapi/strfmt v0.22.0/go.mod h1:HzJ9kokGIju3/K6ap8jL+OlGAbjpSv27135Yr9OivU4= +github.com/go-openapi/swag v0.22.8 h1:/9RjDSQ0vbFR+NyjGMkFTsA1IA0fmhKSThmfGZjicbw= +github.com/go-openapi/swag v0.22.8/go.mod h1:6QT22icPLEqAM/z/TChgb4WAveCHF92+2gF0CNjHpPI= +github.com/go-openapi/validate v0.22.6 h1:+NhuwcEYpWdO5Nm4bmvhGLW0rt1Fcc532Mu3wpypXfo= +github.com/go-openapi/validate v0.22.6/go.mod h1:eaddXSqKeTg5XpSmj1dYyFTK/95n/XHwcOY+BMxKMyM= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= -github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 h1:sQspH8M4niEijh3PFscJRLDnkL547IeP7kpPe3uUhEg= +github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466/go.mod h1:ZiQxhyQ+bbbfxUKVvjfO498oPYvtYhZzycal3G/NHmU= github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= -github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/uuid v1.1.1/go.mod 
h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= -github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= -github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU= +github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= -github.com/karrick/godirwalk v1.8.0/go.mod h1:H5KPZjojv4lE+QYImBI8xVtrBRgYrIVsaRPx4tDPEn4= -github.com/karrick/godirwalk v1.10.3/go.mod h1:RoGL9dQei4vP9ilrpETWE8CLOZ1kiN0LhBygSwrAsHA= github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= -github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= -github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= -github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= 
-github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= -github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE= -github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0= -github.com/metal-stack/metal-go v0.22.3 h1:bCkMG4EHvqBFr0u1CeZfMzzK4UnbT55B7DE1ICUHGNU= -github.com/metal-stack/metal-go v0.22.3/go.mod h1:IZ7qY6dUAi72ZTz7Ni5cwWzzUXJj2Or1t04c3u4AUzU= -github.com/metal-stack/metal-hammer v0.11.2 h1:CUzrz+RCKlbhdKKSI5ow8UhgURmcT3Z7Zly113BTm98= -github.com/metal-stack/metal-hammer v0.11.2/go.mod h1:OyrsyH6aZ6p1DWv6k2CFEJGybg4A0oBjH0yQQmSBfcQ= -github.com/metal-stack/metal-lib v0.11.5 h1:tX6oRiKwWsjc7LiShNcQTe/7KKmYeZ886wMSI7zRsrI= -github.com/metal-stack/metal-lib v0.11.5/go.mod h1:dUlNcar6S42YBEyTsqHQcSX3wrBrPeCNgBr2weG/Rhg= +github.com/metal-stack/metal-go v0.26.2 h1:KZRV1wtCsj0dMo4GpW2+XemmAkPZAYFjbGe7QhhcH1k= +github.com/metal-stack/metal-go v0.26.2/go.mod h1:olJ3Az7RBh39Q5WFCJOQBd7cJi0xgGYwMTEIFvkDQQY= +github.com/metal-stack/metal-hammer v0.12.0 h1:t6t73RGmDU1IFkHC7dJxu7xDIZZvwmqmu9/0xZVF/L0= +github.com/metal-stack/metal-hammer v0.12.0/go.mod h1:MeY/EDYqyFUTk24vEQuaUrfRJf20lIisbqXj28+Bxmc= +github.com/metal-stack/metal-lib v0.14.3 h1:oHtOnGsQC/ySLXzj14mfy7/8bwmCPfD5SD6U4yh8BHU= +github.com/metal-stack/metal-lib v0.14.3/go.mod h1:2wKxFXSCpA1Dr+Rq0ddpQCPKPGMWJp4cpIaVTM4lDi0= github.com/metal-stack/v v1.0.3 h1:Sh2oBlnxrCUD+mVpzfC8HiqL045YWkxs0gpTvkjppqs= github.com/metal-stack/v v1.0.3/go.mod 
h1:YTahEu7/ishwpYKnp/VaW/7nf8+PInogkfGwLcGPdXg= -github.com/mitchellh/mapstructure v1.3.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= -github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc= -github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= -github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE= -github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= -github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= -github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8= -github.com/rogpeppe/go-internal v1.9.0/go.mod 
h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= -github.com/sirupsen/logrus v1.4.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= -github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= -github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= -github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= -github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= -github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= -github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= -github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= -github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= -github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8= -github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= -github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib 
v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= +github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI= -github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+hCSs= -github.com/xdg-go/scram v1.1.1/go.mod h1:RaEWvsqvNKKvBPvcKeFjrG2cJqOkHTiyTpzz23ni57g= -github.com/xdg-go/stringprep v1.0.2/go.mod h1:8F9zXuvzgwmyT5DUm4GUfZGDdT3W+LCvS6+da4O5kxM= -github.com/xdg-go/stringprep v1.0.3/go.mod h1:W3f5j4i+9rC0kuIEJL0ky1VpHXQU3ocBgklLGvcBnW8= +github.com/xdg-go/scram v1.1.2/go.mod h1:RT/sEzTbU5y00aCK8UOx6R7YryM0iF1N2MOmC3kKLN4= +github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM= github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA= -go.mongodb.org/mongo-driver v1.7.3/go.mod h1:NqaYOwnXWr5Pm7AOpO5QFxKJ503nbMse/R79oO62zWg= -go.mongodb.org/mongo-driver v1.7.5/go.mod h1:VXEWRZ6URJIkUq2SCAyapmhH0ZLRBP+FT4xhp5Zvxng= -go.mongodb.org/mongo-driver v1.10.0/go.mod h1:wsihk0Kdgv8Kqu1Anit4sfK+22vSFbUrAVEYRhCXrA8= -go.mongodb.org/mongo-driver v1.11.2 h1:+1v2rDQUWNcGW7/7E0Jvdz51V38XXxJfhzbV17aNHCw= -go.mongodb.org/mongo-driver v1.11.2/go.mod h1:s7p5vEtfbeR1gYi6pnj3c3/urpbLv2T5Sfd6Rp2HBB8= -go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ= -go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +go.mongodb.org/mongo-driver v1.13.1 h1:YIc7HTYsKndGK4RFzJ3covLz1byri52x0IoMB0Pt/vk= 
+go.mongodb.org/mongo-driver v1.13.1/go.mod h1:wcDf1JBCXy2mOW0bWHwO/IOYqdca1MPCwDtFu/Z9+eo= go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A= go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4= -go.uber.org/multierr v1.10.0 h1:S0h4aNzvfcFsC3dRF1jLoaov7oRaKqRGC/pUEJ2yvPQ= -go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= -go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= -go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= -golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= +go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= +go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE= -golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1Kcs5dz7/ng1VjMUvfKvpfy+jM= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/net 
v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190412183630-56d357773e84/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190419153524-e8e3143a4f4a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190531175056-4c3a928424d2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210420072515-93ed5bcd2bfe/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220817070843-5a390386f1f2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= +golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190329151228-23e29df326fe/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190416151739-9c9e1878f421/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190420181800-aa740d480789/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools 
v0.0.0-20190531172133-b3315ee88b7d/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= -gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= -gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= -gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= -gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod 
h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/pkg/netconf/chrony_test.go b/pkg/netconf/chrony_test.go
index 367f95c..fefcc41 100644
--- a/pkg/netconf/chrony_test.go
+++ b/pkg/netconf/chrony_test.go
@@ -7,11 +7,10 @@ import (
 "github.com/metal-stack/metal-hammer/pkg/api"
 mn "github.com/metal-stack/metal-lib/pkg/net"
 "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
 )
 func TestChronyServiceEnabler_Enable(t *testing.T) {
- assert := assert.New(t)
-
 vrf := int64(104009)
 external := mn.External
 network := &models.V1MachineNetwork{Networktype: &external, Destinationprefixes: []string{IPv4ZeroCIDR}, Vrf: &vrf}
@@ -32,13 +31,13 @@ func TestChronyServiceEnabler_Enable(t *testing.T) {
 },
 }
- for _, t := range tests {
- e, err := newChronyServiceEnabler(t.kb)
- if t.isErrorExpected {
- assert.Error(err)
+ for _, tt := range tests {
+ e, err := newChronyServiceEnabler(tt.kb)
+ if tt.isErrorExpected {
+ require.Error(t, err)
 } else {
- assert.NoError(err)
+ require.NoError(t, err)
 }
- assert.Equal(t.vrf, e.vrf)
+ assert.Equal(t, tt.vrf, e.vrf)
 }
 }
diff --git a/pkg/netconf/configurator.go b/pkg/netconf/configurator.go
index ad14159..a615f98 100644
--- a/pkg/netconf/configurator.go
+++ b/pkg/netconf/configurator.go
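Review bot: In the second chrony_test.go hunk the loop still evaluates `e.vrf` after `require.Error(t, err)` in the error case, so if newChronyServiceEnabler hands back a nil pointer together with its error the test panics instead of reporting a failure (the constructor is not in this diff, so that part is an inference). Skipping the comparison for that case keeps the test robust either way: `if tt.isErrorExpected { require.Error(t, err); continue }` followed by `require.NoError(t, err)` and the existing `assert.Equal(t, tt.vrf, e.vrf)`. Renaming the loop variable from `t` to `tt` is what stops it shadowing the `*testing.T` and makes the `require` calls possible here.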
@@ -39,11 +39,22 @@ var (
 tmpPath = "/etc/metal/networker/"
 )
+// ForwardPolicy defines how packets in the forwarding chain are handled, can be either drop or accept.
+// drop will be the standard for firewalls which are not managed by kubernetes resources (CWNPs)
+type ForwardPolicy string
+
+const (
+ // ForwardPolicyDrop drops packets which try to go through the forwarding chain
+ ForwardPolicyDrop = ForwardPolicy("drop")
+ // ForwardPolicyAccept accepts packets which try to go through the forwarding chain
+ ForwardPolicyAccept = ForwardPolicy("accept")
+)
+
 type (
 // Configurator is an interface to configure bare metal servers.
 Configurator interface {
- Configure()
- ConfigureNftables()
+ Configure(forwardPolicy ForwardPolicy)
+ ConfigureNftables(forwardPolicy ForwardPolicy)
 }
 // machineConfigurator is a configurator that configures a bare metal server as 'machine'.
@@ -83,19 +94,19 @@ func NewConfigurator(kind BareMetalType, c config, enableDNS bool) (Configurator
 }
 // Configure applies configuration to a bare metal server to function as 'machine'.
-func (mc machineConfigurator) Configure() {
+func (mc machineConfigurator) Configure(forwardPolicy ForwardPolicy) {
 applyCommonConfiguration(mc.c.log, Machine, mc.c)
 }
 // ConfigureNftables is empty function that exists just to satisfy the Configurator interface
-func (mc machineConfigurator) ConfigureNftables() {}
+func (mc machineConfigurator) ConfigureNftables(forwardPolicy ForwardPolicy) {}
 // Configure applies configuration to a bare metal server to function as 'firewall'.
-func (fc firewallConfigurator) Configure() {
+func (fc firewallConfigurator) Configure(forwardPolicy ForwardPolicy) {
 kb := fc.c
 applyCommonConfiguration(fc.c.log, Firewall, kb)
- fc.ConfigureNftables()
+ fc.ConfigureNftables(forwardPolicy)
 chrony, err := newChronyServiceEnabler(fc.c)
 if err != nil {
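Review bot: ForwardPolicy is documented in the first hunk as "either drop or accept", but it is an open string type and neither the constants nor the new `Configure(forwardPolicy ForwardPolicy)` signatures give a caller any way to check a value before it reaches the nftables template, so a typo or the zero value `""` is only caught, if at all, once the rendered ruleset is validated. A one-line predicate next to the constants would let callers fail early: `func (p ForwardPolicy) IsValid() bool { return p == ForwardPolicyDrop || p == ForwardPolicyAccept }`. The machine-side `Configure` and `ConfigureNftables` in the second hunk accept the parameter but never read it; their doc comments should say so, e.g. `// Configure applies configuration to a bare metal server to function as 'machine'. forwardPolicy is ignored because machines get no nftables rules.`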
@@ -142,13 +153,13 @@ func (fc firewallConfigurator) Configure() {
 applyAndCleanUp(fc.c.log, applier, tplSuricataConfig, src, "/etc/suricata/suricata.yaml", fileModeSixFourFour, false)
 }
-func (fc firewallConfigurator) ConfigureNftables() {
+func (fc firewallConfigurator) ConfigureNftables(forwardPolicy ForwardPolicy) {
 src := mustTmpFile("nftrules_")
 validator := NftablesValidator{
 path: src,
 log: fc.c.log,
 }
- applier := newNftablesConfigApplier(fc.c, validator, fc.enableDNSProxy)
+ applier := newNftablesConfigApplier(fc.c, validator, fc.enableDNSProxy, forwardPolicy)
 applyAndCleanUp(fc.c.log, applier, TplNftables, src, "/etc/nftables/rules", fileModeDefault, true)
 }
diff --git a/pkg/netconf/configurator_test.go b/pkg/netconf/configurator_test.go
index db3bb8a..b40481c 100644
--- a/pkg/netconf/configurator_test.go
+++ b/pkg/netconf/configurator_test.go
@@ -4,6 +4,7 @@ import (
 "testing"
 "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
 )
 func TestNewConfigurator(t *testing.T) {
@@ -21,9 +22,9 @@ func TestNewConfigurator(t *testing.T) {
 },
 }
- for _, test := range tests {
- actual, err := NewConfigurator(test.kind, config{}, false)
- assert.NoError(t, err)
- assert.IsType(t, test.expected, actual)
+ for _, tt := range tests {
+ actual, err := NewConfigurator(tt.kind, config{}, false)
+ require.NoError(t, err)
+ assert.IsType(t, tt.expected, actual)
 }
 }
diff --git a/pkg/netconf/frr_test.go b/pkg/netconf/frr_test.go
index 0bd9fef..ccc2d97 100644
--- a/pkg/netconf/frr_test.go
+++ b/pkg/netconf/frr_test.go
@@ -6,6 +6,7 @@ import (
 "testing"
 "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
 "go.uber.org/zap/zaptest"
 )
@@ -72,13 +73,13 @@ func TestFrrConfigApplier(t *testing.T) { t.Run(test.name, func(t *testing.T) { log := zaptest.NewLogger(t).Sugar() kb, err := New(log, test.input) - assert.NoError(t, err) + require.NoError(t, err) a := NewFrrConfigApplier(test.configuratorType, *kb, "") b := bytes.Buffer{} tpl := MustParseTpl(test.tpl) err = a.Render(&b, *tpl) - assert.NoError(t, err) + require.NoError(t, err) // eases adjustment of test fixtures // just remove old test fixture after a code change @@ -86,25 +87,23 @@ func TestFrrConfigApplier(t *testing.T) { // check them manually before commit if _, err := os.Stat(test.expectedOutput); os.IsNotExist(err) { err = os.WriteFile(test.expectedOutput, b.Bytes(), fileModeDefault) - assert.NoError(t, err) + require.NoError(t, err) return } expected, err := os.ReadFile(test.expectedOutput) - assert.NoError(t, err) + require.NoError(t, err) assert.Equal(t, string(expected), b.String()) }) } } func TestFRRValidator_Validate(t *testing.T) { - assert := assert.New(t) log := zaptest.NewLogger(t).Sugar() validator := frrValidator{ log: log, } actual := validator.Validate() - assert.NotNil(actual) - assert.NotNil(actual.Error()) + require.Error(t, actual) } diff --git a/pkg/netconf/hostname_test.go b/pkg/netconf/hostname_test.go index df1a54d..aca65d9 100644 --- a/pkg/netconf/hostname_test.go +++ b/pkg/netconf/hostname_test.go 
@@ -6,23 +6,23 @@ import ( "testing" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "go.uber.org/zap/zaptest" ) func TestNameHostname(t *testing.T) { - assert := assert.New(t) expected, err := os.ReadFile("testdata/hostname") - assert.NoError(err) + require.NoError(t, err) log := zaptest.NewLogger(t).Sugar() kb, err := New(log, "testdata/firewall.yaml") - assert.NoError(err) + require.NoError(t, err) a := newHostnameApplier(*kb, "") b := bytes.Buffer{} tpl := MustParseTpl(tplHostname) err = a.Render(&b, *tpl) - assert.NoError(err) - assert.Equal(string(expected), b.String()) + require.NoError(t, err) + assert.Equal(t, string(expected), b.String()) } diff --git a/pkg/netconf/hosts_test.go b/pkg/netconf/hosts_test.go index c3c3419..cda42ee 100644 --- a/pkg/netconf/hosts_test.go +++ b/pkg/netconf/hosts_test.go @@ -6,23 +6,22 @@ import ( "testing" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "go.uber.org/zap/zaptest" ) func TestNewHostsApplier(t *testing.T) { - assert := assert.New(t) - expected, err := os.ReadFile("testdata/hosts") - assert.NoError(err) + require.NoError(t, err) log := zaptest.NewLogger(t).Sugar() kb, err := New(log, "testdata/firewall.yaml") - assert.NoError(err) + require.NoError(t, err) a := newHostsApplier(*kb, "") b := bytes.Buffer{} tpl := MustParseTpl(tplHosts) err = a.Render(&b, *tpl) - assert.NoError(err) - assert.Equal(string(expected), b.String()) + require.NoError(t, err) + assert.Equal(t, string(expected), b.String()) } diff --git a/pkg/netconf/interfaces_test.go b/pkg/netconf/interfaces_test.go index b0d6092..e324449 100644 --- a/pkg/netconf/interfaces_test.go +++ b/pkg/netconf/interfaces_test.go @@ -7,7 +7,7 @@ import ( "testing" "github.com/google/go-cmp/cmp" - "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "go.uber.org/zap/zaptest" ) 
@@ -44,7 +44,7 @@ func TestIfacesApplier(t *testing.T) { systemdNetworkPath = old }() kb, err := New(log, tc.input) - assert.NoError(t, err) + require.NoError(t, err) a := newIfacesApplier(tc.configuratorType, *kb) a.Apply() if equal, s := equalDirs(systemdNetworkPath, tc.expectedOutput); !equal { diff --git a/pkg/netconf/knowledgebase_test.go b/pkg/netconf/knowledgebase_test.go index 1501fe7..b7f1ca6 100644 --- a/pkg/netconf/knowledgebase_test.go +++ b/pkg/netconf/knowledgebase_test.go @@ -8,6 +8,7 @@ import ( "github.com/metal-stack/metal-hammer/pkg/api" mn "github.com/metal-stack/metal-lib/pkg/net" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "go.uber.org/zap/zaptest" ) 
@@ -15,79 +16,78 @@ func mustNewKnowledgeBase(t *testing.T) config { log := zaptest.NewLogger(t).Sugar() d, err := New(log, "testdata/firewall.yaml") - assert.NoError(t, err) + require.NoError(t, err) assert.NotNil(t, d) return *d } func TestNewKnowledgeBase(t *testing.T) { - assert := assert.New(t) d := mustNewKnowledgeBase(t) - assert.Equal("firewall", d.Hostname) - assert.NotEmpty(d.Networks) - assert.Equal(5, len(d.Networks)) + assert.Equal(t, "firewall", d.Hostname) + assert.NotEmpty(t, d.Networks) + assert.Len(t, d.Networks, 5) // private network n := d.Networks[0] - assert.Equal(1, len(n.Ips)) - assert.Equal("10.0.16.2", n.Ips[0]) - assert.Equal(1, len(n.Prefixes)) - assert.Equal("10.0.16.0/22", n.Prefixes[0]) - assert.True(*n.Private) - assert.Equal(mn.PrivatePrimaryUnshared, *n.Networktype) - assert.Equal(int64(3981), *n.Vrf) + assert.Len(t, n.Ips, 1) + assert.Equal(t, "10.0.16.2", n.Ips[0]) + assert.Len(t, n.Prefixes, 1) + assert.Equal(t, "10.0.16.0/22", n.Prefixes[0]) + assert.True(t, *n.Private) + assert.Equal(t, mn.PrivatePrimaryUnshared, *n.Networktype) + assert.Equal(t, int64(3981), *n.Vrf) // private shared network n = d.Networks[1] - assert.Equal(1, len(n.Ips)) - assert.Equal("10.0.18.2", n.Ips[0]) - assert.Equal(1, len(n.Prefixes)) - assert.Equal("10.0.18.0/22", n.Prefixes[0]) - assert.True(*n.Private) - assert.Equal(mn.PrivateSecondaryShared, *n.Networktype) - assert.Equal(int64(3982), *n.Vrf) + assert.Len(t, n.Ips, 1) + assert.Equal(t, "10.0.18.2", n.Ips[0]) + assert.Len(t, n.Prefixes, 1) + assert.Equal(t, "10.0.18.0/22", n.Prefixes[0]) + assert.True(t, *n.Private) + assert.Equal(t, mn.PrivateSecondaryShared, *n.Networktype) + assert.Equal(t, int64(3982), *n.Vrf) // public networks n = d.Networks[2] - assert.Equal(1, len(n.Destinationprefixes)) - assert.Equal(IPv4ZeroCIDR, n.Destinationprefixes[0]) - assert.Equal(1, len(n.Ips)) - assert.Equal("185.1.2.3", n.Ips[0]) - assert.Equal(2, len(n.Prefixes)) - assert.Equal("185.1.2.0/24", n.Prefixes[0]) 
- assert.Equal("185.27.0.0/22", n.Prefixes[1]) - assert.False(*n.Underlay) - assert.False(*n.Private) - assert.True(*n.Nat) - assert.Equal(mn.External, *n.Networktype) - assert.Equal(int64(104009), *n.Vrf) + assert.Len(t, n.Destinationprefixes, 1) + assert.Equal(t, IPv4ZeroCIDR, n.Destinationprefixes[0]) + assert.Len(t, n.Ips, 1) + assert.Equal(t, "185.1.2.3", n.Ips[0]) + assert.Len(t, n.Prefixes, 2) + assert.Equal(t, "185.1.2.0/24", n.Prefixes[0]) + assert.Equal(t, "185.27.0.0/22", n.Prefixes[1]) + assert.False(t, *n.Underlay) + assert.False(t, *n.Private) + assert.True(t, *n.Nat) + assert.Equal(t, mn.External, *n.Networktype) + assert.Equal(t, int64(104009), *n.Vrf) // underlay network n = d.Networks[3] - assert.Equal(int64(4200003073), *n.Asn) - assert.Equal(1, len(n.Ips)) - assert.Equal("10.1.0.1", n.Ips[0]) - assert.Equal(1, len(n.Prefixes)) - assert.Equal("10.0.12.0/22", n.Prefixes[0]) - assert.True(*n.Underlay) - assert.Equal(mn.Underlay, *n.Networktype) + assert.Equal(t, int64(4200003073), *n.Asn) + assert.Len(t, n.Ips, 1) + assert.Equal(t, "10.1.0.1", n.Ips[0]) + assert.Len(t, n.Prefixes, 1) + assert.Equal(t, "10.0.12.0/22", n.Prefixes[0]) + assert.True(t, *n.Underlay) + assert.Equal(t, mn.Underlay, *n.Networktype) // public network mpls n = d.Networks[4] - assert.Equal(1, len(n.Destinationprefixes)) - assert.Equal("100.127.1.0/24", n.Destinationprefixes[0]) - assert.Equal(1, len(n.Ips)) - assert.Equal("100.127.129.1", n.Ips[0]) - assert.Equal(1, len(n.Prefixes)) - assert.Equal("100.127.129.0/24", n.Prefixes[0]) - assert.False(*n.Underlay) - assert.False(*n.Private) - assert.True(*n.Nat) - assert.Equal(mn.External, *n.Networktype) - assert.Equal(int64(104010), *n.Vrf) + assert.Len(t, n.Destinationprefixes, 1) + assert.Equal(t, "100.127.1.0/24", n.Destinationprefixes[0]) + assert.Len(t, n.Ips, 1) + assert.Equal(t, "100.127.129.1", n.Ips[0]) + assert.Len(t, n.Prefixes, 1) + assert.Equal(t, "100.127.129.0/24", n.Prefixes[0]) + assert.False(t, *n.Underlay) + 
assert.False(t, *n.Private)
+ assert.True(t, *n.Nat)
+ assert.Equal(t, mn.External, *n.Networktype)
+ assert.Equal(t, int64(104010), *n.Vrf)
 }
 var (
@@ -184,10 +184,10 @@ func TestKnowledgeBase_Validate(t *testing.T) {
 t.Run(fmt.Sprintf("testcase %d - kind %v", i, kind), func(t *testing.T) {
 actualErr := test.kb.Validate(kind)
 if test.expectedErrMsg == "" {
- assert.NoError(t, actualErr)
+ require.NoError(t, actualErr)
 return
 }
- assert.EqualError(t, actualErr, test.expectedErrMsg, "expected error: %s", test.expectedErrMsg)
+ require.EqualError(t, actualErr, test.expectedErrMsg, "expected error: %s", test.expectedErrMsg)
 })
 }
 }
diff --git a/pkg/netconf/nftables.go b/pkg/netconf/nftables.go
index e083cb1..c79d56f 100644
--- a/pkg/netconf/nftables.go
+++ b/pkg/netconf/nftables.go
@@ -30,10 +30,11 @@ const (
 type (
 // NftablesData represents the information required to render nftables configuration.
 NftablesData struct {
- Comment string
- SNAT []SNAT
- DNSProxyDNAT DNAT
- VPN bool
+ Comment string
+ SNAT []SNAT
+ DNSProxyDNAT DNAT
+ VPN bool
+ ForwardPolicy string
 }
 // SNAT holds the information required to configure Source NAT.
@@ -69,10 +70,11 @@ type (
 )
 // newNftablesConfigApplier constructs a new instance of this type.
-func newNftablesConfigApplier(c config, validator net.Validator, enableDNSProxy bool) net.Applier {
+func newNftablesConfigApplier(c config, validator net.Validator, enableDNSProxy bool, forwardPolicy ForwardPolicy) net.Applier {
 data := NftablesData{
- Comment: versionHeader(c.MachineUUID),
- SNAT: getSNAT(c, enableDNSProxy),
+ Comment: versionHeader(c.MachineUUID),
+ SNAT: getSNAT(c, enableDNSProxy),
+ ForwardPolicy: string(forwardPolicy),
 }
 if enableDNSProxy {
diff --git a/pkg/netconf/nftables_test.go b/pkg/netconf/nftables_test.go
index 60701ca..0e0a394 100644
--- a/pkg/netconf/nftables_test.go
+++ b/pkg/netconf/nftables_test.go
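Review bot: `ForwardPolicy: string(forwardPolicy)` in the second nftables.go hunk passes the value through unchecked, so the zero value `""` renders as `policy ;` in the forward chain, which is not valid nft syntax, and any other unknown string ends up verbatim in the ruleset; the mistake then surfaces only when the rendered file is validated, not at the call site. Since this constructor cannot return an error, failing closed is the simplest guard: `if forwardPolicy != ForwardPolicyDrop && forwardPolicy != ForwardPolicyAccept { c.log.Warnw("unknown forward policy, falling back to drop", "policy", forwardPolicy); forwardPolicy = ForwardPolicyDrop }` — this assumes `c.log` is the zap SugaredLogger the tests build with `zaptest.NewLogger(t).Sugar()`. The `NftablesData.ForwardPolicy` field could also keep the `ForwardPolicy` type rather than `string`; a string-kinded type renders the same way in the template and the conversion at the call site disappears.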
@@ -6,46 +6,59 @@ import ( "testing" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "go.uber.org/zap/zaptest" ) func TestCompileNftRules(t *testing.T) { - assert := assert.New(t) tests := []struct { input string expected string enableDNSProxy bool + forwardPolicy ForwardPolicy }{ { input: "testdata/firewall.yaml", expected: "testdata/nftrules", enableDNSProxy: false, + forwardPolicy: ForwardPolicyDrop, + }, + { + input: "testdata/firewall.yaml", + expected: "testdata/nftrules_accept_forwarding", + enableDNSProxy: false, + forwardPolicy: ForwardPolicyAccept, }, { input: "testdata/firewall_dmz.yaml", expected: "testdata/nftrules_dmz", enableDNSProxy: true, + forwardPolicy: ForwardPolicyDrop, }, { input: "testdata/firewall_dmz_app.yaml", expected: "testdata/nftrules_dmz_app", enableDNSProxy: true, + forwardPolicy: ForwardPolicyDrop, }, { input: "testdata/firewall_ipv6.yaml", expected: "testdata/nftrules_ipv6", enableDNSProxy: true, + forwardPolicy: ForwardPolicyDrop, }, { input: "testdata/firewall_shared.yaml", expected: "testdata/nftrules_shared", enableDNSProxy: true, + forwardPolicy: ForwardPolicyDrop, }, { input: "testdata/firewall_vpn.yaml", expected: "testdata/nftrules_vpn", enableDNSProxy: false, + forwardPolicy: ForwardPolicyDrop, }, } log := zaptest.NewLogger(t).Sugar() @@ -54,18 +67,18 @@ func TestCompileNftRules(t *testing.T) { tt := tt t.Run(tt.input, func(t *testing.T) { expected, err := os.ReadFile(tt.expected) - assert.NoError(err) + require.NoError(t, err) kb, err := New(log, tt.input) - assert.NoError(err) + require.NoError(t, err) - a := newNftablesConfigApplier(*kb, nil, tt.enableDNSProxy) + a := newNftablesConfigApplier(*kb, nil, tt.enableDNSProxy, tt.forwardPolicy) b := bytes.Buffer{} tpl := MustParseTpl(TplNftables) err = a.Render(&b, *tpl) - assert.NoError(err) - assert.Equal(string(expected), b.String()) + require.NoError(t, err) + assert.Equal(t, string(expected), b.String()) }) } } 
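Review bot: The table in the first hunk covers `ForwardPolicyDrop` and `ForwardPolicyAccept` but not the zero value `ForwardPolicy("")`, which any caller produces by passing an uninitialised variable to `newNftablesConfigApplier`. Whatever behaviour is chosen for that case (fail closed to drop, or reject the value) deserves a table entry so it cannot regress silently, e.g. `{input: "testdata/firewall.yaml", expected: "testdata/nftrules", enableDNSProxy: false, forwardPolicy: ""}` if the zero value is mapped to drop. The same holds for an unknown string such as `ForwardPolicy("ACCEPT")`, which today would be rendered verbatim into the `policy` statement.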
diff --git a/pkg/netconf/routemap_test.go b/pkg/netconf/routemap_test.go index 448cc81..2d8b49a 100644 --- a/pkg/netconf/routemap_test.go +++ b/pkg/netconf/routemap_test.go @@ -6,7 +6,7 @@ import ( "reflect" "testing" - "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "go.uber.org/zap/zaptest" ) @@ -259,7 +259,7 @@ func Test_importRulesForNetwork(t *testing.T) { tt := tt t.Run(tt.name, func(t *testing.T) { kb, err := New(log, tt.input) - assert.NoError(t, err) + require.NoError(t, err) err = kb.Validate(Firewall) if err != nil { t.Errorf("%s is not valid: %v", tt.input, err) diff --git a/pkg/netconf/service_test.go b/pkg/netconf/service_test.go index e0e759c..138cc72 100644 --- a/pkg/netconf/service_test.go +++ b/pkg/netconf/service_test.go @@ -7,26 +7,26 @@ import ( "github.com/metal-stack/metal-networker/pkg/net" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "go.uber.org/zap/zaptest" ) func TestServices(t *testing.T) { - assert := assert.New(t) log := zaptest.NewLogger(t).Sugar() kb, err := New(log, "testdata/firewall.yaml") - assert.NoError(err) + require.NoError(t, err) v := serviceValidator{} dsApplier, err := newDroptailerServiceApplier(*kb, v) - assert.NoError(err) + require.NoError(t, err) fcApplier, err := newFirewallControllerServiceApplier(*kb, v) - assert.NoError(err) + require.NoError(t, err) nodeExporterApplier, err := newNodeExporterServiceApplier(*kb, v) - assert.NoError(err) + require.NoError(t, err) suApplier, err := newSuricataUpdateServiceApplier(*kb, v) - assert.NoError(err) + require.NoError(t, err) nftablesExporterApplier, err := NewNftablesExporterServiceApplier(*kb, v) - assert.NoError(err) + require.NoError(t, err) tests := []struct { applier net.Applier 
@@ -62,12 +62,12 @@ func TestServices(t *testing.T) { for _, test := range tests { expected, err := os.ReadFile(test.expected) - assert.NoError(err) + require.NoError(t, err) b := bytes.Buffer{} tpl := MustParseTpl(test.template) err = test.applier.Render(&b, *tpl) - assert.NoError(err) - assert.Equal(string(expected), b.String()) + require.NoError(t, err) + assert.Equal(t, string(expected), b.String()) } } diff --git a/pkg/netconf/testdata/nftrules b/pkg/netconf/testdata/nftrules index 805d6e3..bb2b48f 100644 --- a/pkg/netconf/testdata/nftrules +++ b/pkg/netconf/testdata/nftrules @@ -20,9 +20,10 @@ table inet metal { counter jump refuse } chain forward { - type filter hook forward priority 0; policy accept; + type filter hook forward priority 0; policy drop; ct state invalid counter drop comment "drop invalid packets from forwarding to prevent malicious activity" tcp dport bgp ct state new counter jump refuse comment "block bgp forward to machines" + limit rate 2/minute counter log prefix "nftables-metal-dropped: " } chain output { type filter hook output priority 0; policy accept; diff --git a/pkg/netconf/testdata/nftrules_accept_forwarding b/pkg/netconf/testdata/nftrules_accept_forwarding new file mode 100644 index 0000000..bcaf134 --- /dev/null +++ b/pkg/netconf/testdata/nftrules_accept_forwarding 
@@ -0,0 +1,73 @@ +# This file was auto generated for machine: 'e0ab02d2-27cd-5a5e-8efc-080ba80cf258' by app version . +# Do not edit. +table inet metal { + chain input { + type filter hook input priority 0; policy drop; + meta l4proto ipv6-icmp counter accept comment "icmpv6 input required for neighbor discovery" + iifname "lo" counter accept comment "BGP unnumbered" + iifname "lan0" ip6 saddr fe80::/64 tcp dport bgp counter accept comment "bgp unnumbered input from lan0" + iifname "lan1" ip6 saddr fe80::/64 tcp dport bgp counter accept comment "bgp unnumbered input from lan1" + iifname "lan0" ip saddr 10.0.0.0/8 udp dport 4789 counter accept comment "incoming VXLAN lan0" + iifname "lan1" ip saddr 10.0.0.0/8 udp dport 4789 counter accept comment "incoming VXLAN lan1" + + ct state established,related counter accept comment "stateful input" + + tcp dport ssh ct state new counter accept comment "SSH incoming connections" + ip saddr 10.0.0.0/8 tcp dport 9100 counter accept comment "node metrics" + ip saddr 10.0.0.0/8 tcp dport 9630 counter accept comment "nftables metrics" + + ct state invalid counter drop comment "drop invalid packets to prevent malicious activity" + counter jump refuse + } + chain forward { + type filter hook forward priority 0; policy accept; + ct state invalid counter drop comment "drop invalid packets from forwarding to prevent malicious activity" + tcp dport bgp ct state new counter jump refuse comment "block bgp forward to machines" + + } + chain output { + type filter hook output priority 0; policy accept; + meta l4proto ipv6-icmp counter accept comment "icmpv6 output required for neighbor discovery" + oifname "lo" counter accept comment "lo output required e.g. 
for chrony" + oifname "lan0" ip6 saddr fe80::/64 tcp dport bgp counter accept comment "bgp unnumbered output at lan0" + oifname "lan1" ip6 saddr fe80::/64 tcp dport bgp counter accept comment "bgp unnumbered output at lan1" + + ip daddr 10.0.0.0/8 udp dport 4789 counter accept comment "outgoing VXLAN" + + ct state established,related counter accept comment "stateful output" + ct state invalid counter drop comment "drop invalid packets" + } + chain output_ct { + type filter hook output priority raw; policy accept; + } + chain refuse { + limit rate 2/minute counter log prefix "nftables-metal-dropped: " + counter drop + } +} +table inet nat { + set public_dns_servers { + type ipv4_addr + flags interval + auto-merge + elements = { 8.8.8.8, 8.8.4.4, 1.1.1.1, 1.0.0.1 } + } + + chain prerouting { + type nat hook prerouting priority 0; policy accept; + } + chain prerouting_ct { + type filter hook prerouting priority raw; policy accept; + } + chain input { + type nat hook input priority 0; policy accept; + } + chain output { + type nat hook output priority 0; policy accept; + } + chain postrouting { + type nat hook postrouting priority 0; policy accept; + oifname "vlan104009" ip saddr 10.0.16.0/22 counter masquerade comment "snat (networkid: internet-vagrant-lab)" + oifname "vlan104010" ip saddr 10.0.16.0/22 counter masquerade comment "snat (networkid: mpls-nbg-w8101-test)" + } +} \ No newline at end of file diff --git a/pkg/netconf/testdata/nftrules_dmz b/pkg/netconf/testdata/nftrules_dmz index c7b6328..5150adf 100644 --- a/pkg/netconf/testdata/nftrules_dmz +++ b/pkg/netconf/testdata/nftrules_dmz 
@@ -23,9 +23,10 @@ table inet metal { counter jump refuse } chain forward { - type filter hook forward priority 0; policy accept; + type filter hook forward priority 0; policy drop; ct state invalid counter drop comment "drop invalid packets from forwarding to prevent malicious activity" tcp dport bgp ct state new counter jump refuse comment "block bgp forward to machines" + limit rate 2/minute counter log prefix "nftables-metal-dropped: " } chain output { type filter hook output priority 0; policy accept; diff --git a/pkg/netconf/testdata/nftrules_dmz_app b/pkg/netconf/testdata/nftrules_dmz_app index 1ad89fc..a789191 100644 --- a/pkg/netconf/testdata/nftrules_dmz_app +++ b/pkg/netconf/testdata/nftrules_dmz_app @@ -23,9 +23,10 @@ table inet metal { counter jump refuse } chain forward { - type filter hook forward priority 0; policy accept; + type filter hook forward priority 0; policy drop; ct state invalid counter drop comment "drop invalid packets from forwarding to prevent malicious activity" tcp dport bgp ct state new counter jump refuse comment "block bgp forward to machines" + limit rate 2/minute counter log prefix "nftables-metal-dropped: " } chain output { type filter hook output priority 0; policy accept; diff --git a/pkg/netconf/testdata/nftrules_ipv6 b/pkg/netconf/testdata/nftrules_ipv6 index c0c1ee4..a2fae16 100644 --- a/pkg/netconf/testdata/nftrules_ipv6 +++ b/pkg/netconf/testdata/nftrules_ipv6 @@ -23,9 +23,10 @@ table inet metal { counter jump refuse } chain forward { - type filter hook forward priority 0; policy accept; + type filter hook forward priority 0; policy drop; ct state invalid counter drop comment "drop invalid packets from forwarding to prevent malicious activity" tcp dport bgp ct state new counter jump refuse comment "block bgp forward to machines" + limit rate 2/minute counter log prefix "nftables-metal-dropped: " } chain output { type filter hook output priority 0; policy accept; 
diff --git a/pkg/netconf/testdata/nftrules_shared b/pkg/netconf/testdata/nftrules_shared index cc16dee..576e724 100644 --- a/pkg/netconf/testdata/nftrules_shared +++ b/pkg/netconf/testdata/nftrules_shared @@ -23,9 +23,10 @@ table inet metal { counter jump refuse } chain forward { - type filter hook forward priority 0; policy accept; + type filter hook forward priority 0; policy drop; ct state invalid counter drop comment "drop invalid packets from forwarding to prevent malicious activity" tcp dport bgp ct state new counter jump refuse comment "block bgp forward to machines" + limit rate 2/minute counter log prefix "nftables-metal-dropped: " } chain output { type filter hook output priority 0; policy accept; diff --git a/pkg/netconf/testdata/nftrules_vpn b/pkg/netconf/testdata/nftrules_vpn index ea692af..8dddc89 100644 --- a/pkg/netconf/testdata/nftrules_vpn +++ b/pkg/netconf/testdata/nftrules_vpn @@ -20,9 +20,10 @@ table inet metal { counter jump refuse } chain forward { - type filter hook forward priority 0; policy accept; + type filter hook forward priority 0; policy drop; ct state invalid counter drop comment "drop invalid packets from forwarding to prevent malicious activity" tcp dport bgp ct state new counter jump refuse comment "block bgp forward to machines" + limit rate 2/minute counter log prefix "nftables-metal-dropped: " } chain output { type filter hook output priority 0; policy accept; diff --git a/pkg/netconf/tpl/nftrules.tpl b/pkg/netconf/tpl/nftrules.tpl index 984a1d8..955df0c 100644 --- a/pkg/netconf/tpl/nftrules.tpl +++ b/pkg/netconf/tpl/nftrules.tpl 
@@ -29,9 +29,12 @@ table inet metal {
 counter jump refuse
 }
 chain forward {
- type filter hook forward priority 0; policy accept;
+ type filter hook forward priority 0; policy {{ .ForwardPolicy }};
 ct state invalid counter drop comment "drop invalid packets from forwarding to prevent malicious activity"
 tcp dport bgp ct state new counter jump refuse comment "block bgp forward to machines"
+ {{ if eq .ForwardPolicy "drop" -}}
+ limit rate 2/minute counter log prefix "nftables-metal-dropped: "
+ {{- end }}
 }
 chain output {
 type filter hook output priority 0; policy accept;
diff --git a/validate.sh b/validate.sh
index c29d0f1..e871c72 100755
--- a/validate.sh
+++ b/validate.sh
@@ -14,10 +14,7 @@ validate () {
 . -t metal-networker
 }
-validate "ubuntu" "20.04" "frr-8"
-validate "debian" "10" "frr-8"
-
-# There is no release for jammy available yet
-# validate "ubuntu" "22.04" "frr-8"
 validate "ubuntu" "22.04" "frr-8"
-validate "debian" "11" "frr-8"
\ No newline at end of file
+validate "ubuntu" "22.04" "frr-9"
+validate "debian" "12" "frr-8"
+validate "debian" "12" "frr-9"
\ No newline at end of file
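Review bot: The rate-limited log rule added to the forward chain reuses the prefix `"nftables-metal-dropped: "` of the existing `refuse` chain, so a kernel log line no longer tells an operator whether a packet was refused on input or dropped by the new forward policy; a distinct prefix such as `"nftables-metal-forward-dropped: "` keeps the two streams separable for alerting and triage (the `testdata/nftrules*` fixtures touched by this commit would need the same change). The condition `{{ if eq .ForwardPolicy "drop" -}}` also repeats the literal behind `ForwardPolicyDrop` on the Go side, so the two can drift; having the Go side expose a boolean field, or passing the constant's value into the template, would remove the duplicated literal.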