fix: generate firewall script

cholical · cholical · commit 931901ca1ec0 · 2025-08-20T14:19:35.000-07:00
diff --git a/internal/shadeform/v1/instance.go b/internal/shadeform/v1/instance.go
@@ -77,7 +77,7 @@ func (c *ShadeformClient) CreateInstance(ctx context.Context, attrs v1.CreateIns
 		tags = append(tags, createdTag)
 	}
 
-	base64Script, err := c.generateFirewallScript(attrs.FirewallRules)
+	base64Script, err := c.GenerateFirewallScript(attrs.FirewallRules)
 	if err != nil {
 		return nil, err
 	}
diff --git a/internal/shadeform/v1/ufw.go b/internal/shadeform/v1/ufw.go
@@ -15,7 +15,7 @@ const (
 	ufwForceEnable          = "ufw --force enable"
 )
 
-func (c *ShadeformClient) generateFirewallScript(firewallRules v1.FirewallRules) (string, error) {
+func (c *ShadeformClient) GenerateFirewallScript(firewallRules v1.FirewallRules) (string, error) {
 	commands := []string{ufwForceReset, ufwDefaultDropIncoming, ufwDefaultAllowOutgoing, ufwDefaultAllowPort22, ufwDefaultAllowPort2222}
 
 	for _, firewallRule := range firewallRules.IngressRules {
@@ -40,38 +40,50 @@ func (c *ShadeformClient) generateFirewallScript(firewallRules v1.FirewallRules)
 
 func (c *ShadeformClient) convertIngressFirewallRuleToUfwCommand(firewallRule v1.FirewallRule) []string {
 	cmds := []string{}
-	portSpec := ""
+	portSpecs := []string{}
 	if firewallRule.FromPort == firewallRule.ToPort {
-		portSpec = fmt.Sprintf("port %d", firewallRule.FromPort)
+		portSpecs = append(portSpecs, fmt.Sprintf("port %d", firewallRule.FromPort))
 	} else {
-		portSpec = fmt.Sprintf("port %d:%d", firewallRule.FromPort, firewallRule.ToPort)
+		// port ranges require two separate rules for tcp and udp
+		portSpecs = append(portSpecs, fmt.Sprintf("port %d:%d proto tcp", firewallRule.FromPort, firewallRule.ToPort))
+		portSpecs = append(portSpecs, fmt.Sprintf("port %d:%d proto udp", firewallRule.FromPort, firewallRule.ToPort))
 	}
 
 	if len(firewallRule.IPRanges) == 0 {
-		cmds = append(cmds, fmt.Sprintf("ufw allow in from any to any port %s", portSpec))
+		for _, portSpec := range portSpecs {
+			cmds = append(cmds, fmt.Sprintf("ufw allow in from any to any %s", portSpec))
+		}
 	}
 
 	for _, ipRange := range firewallRule.IPRanges {
-		cmds = append(cmds, fmt.Sprintf("ufw allow in from %s to any port %s", ipRange, portSpec))
+		for _, portSpec := range portSpecs {
+			cmds = append(cmds, fmt.Sprintf("ufw allow in from %s to any %s", ipRange, portSpec))
+		}
 	}
 	return cmds
 }
 
 func (c *ShadeformClient) convertEgressFirewallRuleToUfwCommand(firewallRule v1.FirewallRule) []string {
 	cmds := []string{}
-	portSpec := ""
+	portSpecs := []string{}
 	if firewallRule.FromPort == firewallRule.ToPort {
-		portSpec = fmt.Sprintf("port %d", firewallRule.FromPort)
+		portSpecs = append(portSpecs, fmt.Sprintf("port %d", firewallRule.FromPort))
 	} else {
-		portSpec = fmt.Sprintf("port %d:%d", firewallRule.FromPort, firewallRule.ToPort)
+		// port ranges require two separate rules for tcp and udp
+		portSpecs = append(portSpecs, fmt.Sprintf("port %d:%d proto tcp", firewallRule.FromPort, firewallRule.ToPort))
+		portSpecs = append(portSpecs, fmt.Sprintf("port %d:%d proto udp", firewallRule.FromPort, firewallRule.ToPort))
 	}
 
 	if len(firewallRule.IPRanges) == 0 {
-		cmds = append(cmds, fmt.Sprintf("ufw allow out to any port %s", portSpec))
+		for _, portSpec := range portSpecs {
+			cmds = append(cmds, fmt.Sprintf("ufw allow out to any %s", portSpec))
+		}
 	}
 
 	for _, ipRange := range firewallRule.IPRanges {
-		cmds = append(cmds, fmt.Sprintf("ufw allow out to %s port %s", ipRange, portSpec))
+		for _, portSpec := range portSpecs {
+			cmds = append(cmds, fmt.Sprintf("ufw allow out to %s %s", ipRange, portSpec))
+		}
 	}
 	return cmds
 }
diff --git a/internal/shadeform/v1/validation_test.go b/internal/shadeform/v1/validation_test.go
@@ -74,18 +74,30 @@ func TestInstanceTypeFilter(t *testing.T) {
 		FirewallRules: v1.FirewallRules{
 			EgressRules: []v1.FirewallRule{
 				{
-					ID:       "test-rule",
+					ID:       "test-rule1",
 					FromPort: 80,
 					ToPort:   8080,
-					IPRanges: []string{"127.0.0.1", "10.0.0.0/32"},
+					IPRanges: []string{"127.0.0.1", "10.0.0.0/24"},
+				},
+				{
+					ID:       "test-rule2",
+					FromPort: 5432,
+					ToPort:   5432,
+					IPRanges: []string{"127.0.0.1", "10.0.0.0/24"},
 				},
 			},
 			IngressRules: []v1.FirewallRule{
 				{
-					ID:       "test-rule",
+					ID:       "test-rule3",
+					FromPort: 80,
+					ToPort:   8080,
+					IPRanges: []string{"127.0.0.1", "10.0.0.0/24"},
+				},
+				{
+					ID:       "test-rule4",
 					FromPort: 5432,
 					ToPort:   5432,
-					IPRanges: []string{"127.0.0.1", "10.0.0.0/32"},
+					IPRanges: []string{"127.0.0.1", "10.0.0.0/24"},
 				},
 			},
 		},

Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,7 @@ func (c *ShadeformClient) CreateInstance(ctx context.Context, attrs v1.CreateIns`
`77`	`77`	`tags = append(tags, createdTag)`
`78`	`78`	`}`
`79`	`79`
`80`		`- base64Script, err := c.generateFirewallScript(attrs.FirewallRules)`
	`80`	`+ base64Script, err := c.GenerateFirewallScript(attrs.FirewallRules)`
`81`	`81`	`if err != nil {`
`82`	`82`	`return nil, err`
`83`	`83`	`}`