package monitor import "net" import "testing" func TestEgressPolicyBlocksInternal(t *testing.T) { var policy EgressPolicy var blocked []string var allowed []string var addr string var ip net.IP // Test the deny logic explicitly, independent of the deployment default // (DefaultEgressPolicy may be configured to allow internal targets). policy = EgressPolicy{AllowInternal: false} blocked = []string{ "127.0.0.1", // loopback "::1", // loopback v6 "169.254.169.254", // link-local / cloud metadata "10.1.2.3", // private "172.16.5.5", // private "192.168.1.1", // private "0.0.0.0", // unspecified "fe80::1", // link-local v6 "fc00::1", // unique-local v6 (private) } allowed = []string{ "8.8.8.8", "1.1.1.1", "93.184.216.34", // example.com } for _, addr = range blocked { ip = net.ParseIP(addr) if policy.IPAllowed(ip) { t.Errorf("expected %s to be blocked by default policy", addr) } } for _, addr = range allowed { ip = net.ParseIP(addr) if !policy.IPAllowed(ip) { t.Errorf("expected %s to be allowed by default policy", addr) } } } func TestEgressPolicyAllowInternal(t *testing.T) { var policy EgressPolicy policy = EgressPolicy{AllowInternal: true} if !policy.IPAllowed(net.ParseIP("127.0.0.1")) { t.Errorf("AllowInternal policy should permit loopback") } }