914538eed1
Architektur-Pivot: nginx fällt komplett weg. HAProxy 2.8+ übernimmt
TLS-Termination, L7-Routing per Host-Header und LB. ACME-Webroot
und Management-UI werden von edgeguard-api ausgeliefert (Phase 3
implementiert die zugehörigen Handler); HAProxy proxied
/.well-known/acme-challenge/* und Management-FQDN-Traffic an
127.0.0.1:9443. Eine Distro-Abhängigkeit weniger, ein Renderer
weniger, sauberere Trennung.
Renderer (alle mit Embed-Templates + Tests):
* internal/configgen/ — atomic write + systemctl reload helpers
* internal/haproxy/ — :80 + :443, ACME-ACL, Host-Header-Routing,
Stats-Frontend, api_backend Fallback
* internal/firewall/ — default-deny input, stateful baseline,
SSH-Rate-Limit, :80/:443 accept,
Cluster-Peer-Set für mTLS :8443,
Custom-Rules aus PG
* internal/{squid,wireguard,unbound}/ — Stubs (ErrNotImplemented)
Orchestrator + CLI:
* internal/services/configorch/ — fester Reihenfolge-Run, Stubs
sind soft-skip statt fatal
* cmd/edgeguard-ctl render-config [--no-reload] [--only=svc1,svc2]
Packaging:
* postinst: /etc/edgeguard/nginx raus, /var/lib/edgeguard/acme rein,
self-signed _default.pem via openssl req (damit HAProxy startet
bevor certbot etwas issuet hat)
* control: Depends nginx raus, openssl rein
* edgeguard-ui: dependency auf nginx weg, "Served by edgeguard-api
gin StaticFS"
Live-Smoke: render-config gegen lokale PG schreibt /etc/edgeguard/
haproxy/haproxy.cfg + nftables.d/ruleset.nft korrekt; CRUD-Test aus
Phase 2 läuft weiter unverändert.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
79 lines
1.8 KiB
Go
79 lines
1.8 KiB
Go
package firewall
|
|
|
|
import (
|
|
"bytes"
|
|
"strings"
|
|
"testing"
|
|
)
|
|
|
|
func renderView(t *testing.T, v View) string {
|
|
t.Helper()
|
|
var buf bytes.Buffer
|
|
if err := tpl.Execute(&buf, v); err != nil {
|
|
t.Fatalf("template execute: %v", err)
|
|
}
|
|
return buf.String()
|
|
}
|
|
|
|
func TestRender_BaselineHasMandatorySections(t *testing.T) {
|
|
out := renderView(t, View{})
|
|
for _, w := range []string{
|
|
"flush ruleset",
|
|
"table inet edgeguard",
|
|
"set peer_ipv4",
|
|
"set peer_ipv6",
|
|
"chain input",
|
|
"type filter hook input priority 0; policy drop;",
|
|
"ct state established,related accept",
|
|
"iif lo accept",
|
|
"tcp dport 22 ct state new limit rate 10/minute accept",
|
|
"tcp dport { 80, 443 } accept",
|
|
"tcp dport 8443 ip saddr @peer_ipv4 accept",
|
|
"chain forward",
|
|
"chain output",
|
|
} {
|
|
if !strings.Contains(out, w) {
|
|
t.Errorf("missing %q in baseline:\n%s", w, out)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestRender_PeerIPsPopulateSets(t *testing.T) {
|
|
v := View{
|
|
PeerIPv4: []string{"10.0.0.11", "10.0.0.12"},
|
|
PeerIPv6: []string{"fd00::1"},
|
|
}
|
|
out := renderView(t, v)
|
|
for _, w := range []string{
|
|
"elements = { 10.0.0.11, 10.0.0.12 }",
|
|
"elements = { fd00::1 }",
|
|
} {
|
|
if !strings.Contains(out, w) {
|
|
t.Errorf("missing %q:\n%s", w, out)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestRender_CustomRulesLandInChain(t *testing.T) {
|
|
v := View{
|
|
CustomRulesInput: []Rule{
|
|
{MatchExpr: "ip saddr 192.168.0.0/16 tcp dport 9090", Action: "accept", Comment: "monitoring"},
|
|
},
|
|
CustomRulesForward: []Rule{
|
|
{MatchExpr: "iif eth0 oif eth1", Action: "accept", Comment: "lan to wan"},
|
|
},
|
|
}
|
|
out := renderView(t, v)
|
|
want := []string{
|
|
"# monitoring",
|
|
"ip saddr 192.168.0.0/16 tcp dport 9090 accept",
|
|
"# lan to wan",
|
|
"iif eth0 oif eth1 accept",
|
|
}
|
|
for _, w := range want {
|
|
if !strings.Contains(out, w) {
|
|
t.Errorf("missing %q:\n%s", w, out)
|
|
}
|
|
}
|
|
}
|