From 4d30435f24ed70cd57ca1c2dc9f15555522a345d Mon Sep 17 00:00:00 2001 From: Masashi Honma Date: Mon, 19 Oct 2020 20:19:24 +0900 Subject: [PATCH] ipset: Address a TODO, add test for netmask MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR removes a TODO comment by adding some netmask tests. The TODO comment introduced by commit e768924a6269 "validate entry in ipset". // TODO: CIDR /32 may not be valid The comment says that 32 is invalid netmask, but in reality values ​​from 0 to 32 are valid because the result of the Linux ipset command says so. $ sudo ipset create foo hash:ip,port,net $ sudo ipset add foo 10.20.30.40,53,192.168.3.1/33 ipset v7.5: Syntax error: '33' is out of range 0-32 $ sudo ipset --version ipset v7.5, protocol version: 7 Signed-off-by: Masashi Honma
---
 pkg/util/ipset/ipset_test.go | 55 ++++++++++++++++++++++++++++++++++-- 1 file changed, 53 insertions(+), 2 deletions(-)
diff --git a/pkg/util/ipset/ipset_test.go b/pkg/util/ipset/ipset_test.go
index 3ad5cb70341..e74f060c6a6 100644
--- a/pkg/util/ipset/ipset_test.go
+++ b/pkg/util/ipset/ipset_test.go
@@ -1457,8 +1457,7 @@ func TestValidateEntry(t *testing.T) {
 IP: "10.20.30.40",
 Protocol: ProtocolTCP,
 Port: 53,
- // TODO: CIDR /32 may not be valid
- Net: "10.20.30.0/24",
+ Net: "10.20.30.0/24",
 },
 set: &IPSet{
 Name: "abc",
@@ -1570,6 +1569,58 @@ func TestValidateEntry(t *testing.T) {
 },
 valid: false,
 },
+ { // case[30]
+ entry: &Entry{
+ SetType: HashIPPortNet,
+ IP: "10.20.30.40",
+ Protocol: ProtocolTCP,
+ Port: 53,
+ Net: "192.168.3.0/0",
+ },
+ set: &IPSet{
+ Name: "net mask boundary 0",
+ },
+ valid: true,
+ },
+ { // case[31]
+ entry: &Entry{
+ SetType: HashIPPortNet,
+ IP: "10.20.30.40",
+ Protocol: ProtocolTCP,
+ Port: 53,
+ Net: "192.168.3.0/32",
+ },
+ set: &IPSet{
+ Name: "net mask boundary 32",
+ },
+ valid: true,
+ },
+ { // case[32]
+ entry: &Entry{
+ SetType: HashIPPortNet,
+ IP: "10.20.30.40",
+ Protocol: ProtocolTCP,
+ Port: 53,
+ Net: "192.168.3.1/33",
+ },
+ set: &IPSet{
+ Name: "invalid net mask",
+ },
+ valid: false,
+ },
+ { // case[33]
+ entry: &Entry{
+ SetType: HashIPPortNet,
+ IP: "10.20.30.40",
+ Protocol: ProtocolTCP,
+ Port: 53,
+ Net: "192.168.3.1/-1",
+ },
+ set: &IPSet{
+ Name: "invalid net mask",
+ },
+ valid: false,
+ },
 }
 for i := range testCases {
 valid := testCases[i].entry.Validate(testCases[i].set)
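Review bot: The two rejecting cases, case[32] and case[33], change the address to `192.168.3.1` as well as the prefix length and share the set name `invalid net mask`, so a failure neither isolates the prefix-length check nor says which boundary broke. Keeping the address at `192.168.3.0` and naming them distinctly, e.g. `Name: "net mask above 32",` and `Name: "negative net mask",`, would pin only the mask. All four cases are IPv4; whether `Validate` is meant to accept IPv6 nets is not visible here, but if it is, `/128` and `/129` are the matching boundaries to cover. case[30] also pins a `/0` net as valid, and such an entry covers every address, so a one-line comment like `// /0 is accepted by ipset; the net part then matches all addresses` would make that intent explicit. The test table and the loop that consumes it extend outside this hunk.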