diff --git a/cmd/api/app.go b/cmd/api/app.go index ba2d8da..e07ee0e 100755 --- a/cmd/api/app.go +++ b/cmd/api/app.go @@ -30,28 +30,6 @@ func (a *App) Flags() []cli.Flag { var flags []cli.Flag switch Version { - case "v6": - flags = append(flags, - &cli.StringFlag{ - Name: "format", - Aliases: []string{"f"}, - Usage: "output format: json|yaml", - Value: "yaml", - }) - flags = append(flags, - &cli.StringFlag{ - Name: "conf", - Aliases: []string{"c"}, - Usage: "confd server connection", - Value: Server, - }) - flags = append(flags, - &cli.StringFlag{ - Name: "database", - Aliases: []string{"d"}, - Usage: "confd database", - Value: Database, - }) default: flags = append(flags, &cli.StringFlag{ diff --git a/cmd/api/v5/cmd.go b/cmd/api/v5/cmd.go index ac9c381..46269fb 100755 --- a/cmd/api/v5/cmd.go +++ b/cmd/api/v5/cmd.go @@ -38,6 +38,5 @@ func Commands(app *api.App) { IPSec{}.Commands(app) Version{}.Commands(app) Log{}.Commands(app) - Guest{}.Commands(app) - Knock{}.Commands(app) + ZTrust{}.Commands(app) } diff --git a/cmd/api/v5/guest.go b/cmd/api/v5/guest.go deleted file mode 100755 index 2371773..0000000 --- a/cmd/api/v5/guest.go +++ /dev/null 
@@ -1,120 +0,0 @@ -package v5 - -import ( - "strings" - - "github.com/luscis/openlan/cmd/api" - "github.com/luscis/openlan/pkg/libol" - "github.com/luscis/openlan/pkg/schema" - "github.com/urfave/cli/v2" -) - -type Guest struct { - Cmd -} - -func (u Guest) Url(prefix, name string) string { - name, network := api.SplitName(name) - if network == "" { - return prefix + "/api/network/" + name + "/guest" - } - return prefix + "/api/network/" + network + "/guest/" + name -} - -func (u Guest) Add(c *cli.Context) error { - username := c.String("name") - if !strings.Contains(username, "@") { - return libol.NewErr("invalid username") - } - guest := &schema.ZGuest{ - Name: username, - Address: c.String("address"), - } - guest.Name, guest.Network = api.SplitName(username) - url := u.Url(c.String("url"), username) - clt := u.NewHttp(c.String("token")) - if err := clt.PostJSON(url, guest, nil); err != nil { - return err - } - return nil -} - -func (u Guest) Remove(c *cli.Context) error { - username := c.String("name") - if !strings.Contains(username, "@") { - return libol.NewErr("invalid username") - } - guest := &schema.ZGuest{ - Name: username, - Address: c.String("address"), - } - guest.Name, guest.Network = api.SplitName(username) - url := u.Url(c.String("url"), username) - clt := u.NewHttp(c.String("token")) - if err := clt.DeleteJSON(url, guest, nil); err != nil { - return err - } - return nil -} - -func (u Guest) Tmpl() string { - return `# total {{ len . }} -{{ps -24 "username"}} {{ps -24 "address"}} -{{- range . 
}} -{{p2 -24 "%s@%s" .Name .Network}} {{ps -24 .Address}} -{{- end }} -` -} - -func (u Guest) List(c *cli.Context) error { - network := c.String("network") - - url := u.Url(c.String("url"), network) - clt := u.NewHttp(c.String("token")) - - var items []schema.ZGuest - if err := clt.GetJSON(url, &items); err != nil { - return err - } - - return u.Out(items, c.String("format"), u.Tmpl()) -} - -func (u Guest) Commands(app *api.App) { - name := api.GetUser(api.Token) - app.Command(&cli.Command{ - Name: "guest", - Aliases: []string{"gu"}, - Usage: "ZTrust Guest configuration", - Subcommands: []*cli.Command{ - { - Name: "add", - Usage: "Add a zGuest", - Flags: []cli.Flag{ - &cli.StringFlag{Name: "name", Value: name}, - &cli.StringFlag{Name: "address"}, - }, - Action: u.Add, - }, - { - Name: "remove", - Usage: "Remove an existing zGuest", - Aliases: []string{"rm"}, - Flags: []cli.Flag{ - &cli.StringFlag{Name: "name", Value: name}, - &cli.StringFlag{Name: "address"}, - }, - Action: u.Remove, - }, - { - Name: "list", - Usage: "Display all zGuests", - Aliases: []string{"ls"}, - Flags: []cli.Flag{ - &cli.StringFlag{Name: "network", Value: name}, - }, - Action: u.List, - }, - }, - }) -} diff --git a/cmd/api/v5/knock.go b/cmd/api/v5/knock.go deleted file mode 100755 index 0eda46f..0000000 --- a/cmd/api/v5/knock.go +++ /dev/null 
@@ -1,125 +0,0 @@ -package v5 - -import ( - "strings" - - "github.com/luscis/openlan/cmd/api" - "github.com/luscis/openlan/pkg/libol" - "github.com/luscis/openlan/pkg/schema" - "github.com/urfave/cli/v2" -) - -type Knock struct { - Cmd -} - -func (u Knock) Url(prefix, name string) string { - name, network := api.SplitName(name) - return prefix + "/api/network/" + network + "/guest/" + name + "/knock" -} - -func (u Knock) Add(c *cli.Context) error { - username := c.String("name") - if !strings.Contains(username, "@") { - return libol.NewErr("invalid username") - } - socket := c.String("socket") - knock := &schema.KnockRule{ - Protocol: c.String("protocol"), - Age: c.Int("age"), - } - knock.Name, knock.Network = api.SplitName(username) - knock.Dest, knock.Port = api.SplitSocket(socket) - - url := u.Url(c.String("url"), username) - clt := u.NewHttp(c.String("token")) - if err := clt.PostJSON(url, knock, nil); err != nil { - return err - } - return nil -} - -func (u Knock) Remove(c *cli.Context) error { - username := c.String("name") - if !strings.Contains(username, "@") { - return libol.NewErr("invalid username") - } - socket := c.String("socket") - knock := &schema.KnockRule{ - Protocol: c.String("protocol"), - } - knock.Name, knock.Network = api.SplitName(username) - knock.Dest, knock.Port = api.SplitSocket(socket) - - url := u.Url(c.String("url"), username) - clt := u.NewHttp(c.String("token")) - if err := clt.DeleteJSON(url, knock, nil); err != nil { - return err - } - return nil -} - -func (u Knock) Tmpl() string { - return `# total {{ len . }} -{{ps -24 "username"}} {{ps -8 "protocol"}} {{ps -24 "socket"}} {{ps -4 "age"}} {{ps -24 "createAt"}} -{{- range . 
}} -{{p2 -24 "%s@%s" .Name .Network}} {{ps -8 .Protocol}} {{p2 -24 "%s:%s" .Dest .Port}} {{pi -4 .Age}} {{ut .CreateAt}} -{{- end }} -` -} - -func (u Knock) List(c *cli.Context) error { - name := c.String("name") - - url := u.Url(c.String("url"), name) - clt := u.NewHttp(c.String("token")) - - var items []schema.KnockRule - if err := clt.GetJSON(url, &items); err != nil { - return err - } - - return u.Out(items, c.String("format"), u.Tmpl()) -} - -func (u Knock) Commands(app *api.App) { - name := api.GetUser(api.Token) - app.Command(&cli.Command{ - Name: "knock", - Aliases: []string{"kn"}, - Usage: "Knock configuration", - Subcommands: []*cli.Command{ - { - Name: "add", - Usage: "Add a knock", - Flags: []cli.Flag{ - &cli.StringFlag{Name: "name", Value: name}, - &cli.StringFlag{Name: "protocol"}, - &cli.StringFlag{Name: "socket"}, - &cli.IntFlag{Name: "age", Value: 60}, - }, - Action: u.Add, - }, - { - Name: "remove", - Usage: "Remove an existing knock", - Aliases: []string{"rm"}, - Flags: []cli.Flag{ - &cli.StringFlag{Name: "name", Value: name}, - &cli.StringFlag{Name: "protocol"}, - &cli.StringFlag{Name: "socket"}, - }, - Action: u.Remove, - }, - { - Name: "list", - Usage: "Display all knock", - Aliases: []string{"ls"}, - Flags: []cli.Flag{ - &cli.StringFlag{Name: "name", Value: name}, - }, - Action: u.List, - }, - }, - }) -} diff --git a/cmd/api/v5/network.go b/cmd/api/v5/network.go index 95b6e54..a3e9f39 100755 --- a/cmd/api/v5/network.go +++ b/cmd/api/v5/network.go @@ -86,14 +86,6 @@ func (u Network) Save(c *cli.Context) error { } func (u Network) Commands(app *api.App) { - point := Point{} - client := VPNClient{} - route := Route{} - link := Link{} - openvpn := OpenVpn{} - output := Output{} - qos := Qos{} - findhop := FindHop{} app.Command(&cli.Command{ Name: "network", Aliases: []string{"net"}, 
@@ -128,14 +120,14 @@ func (u Network) Commands(app *api.App) { Aliases: []string{"sa"}, Action: u.Save, }, - point.Commands(), - qos.Commands(), - client.Commands(), - openvpn.Commands(), - output.Commands(), - route.Commands(), - link.Commands(), - findhop.Commands(), + Point{}.Commands(), + Qos{}.Commands(), + VPNClient{}.Commands(), + OpenVPN{}.Commands(), + Output{}.Commands(), + Route{}.Commands(), + Link{}.Commands(), + FindHop{}.Commands(), }, }) } diff --git a/cmd/api/v5/openvpn.go b/cmd/api/v5/openvpn.go index 2e66ee2..d27cb82 100755 --- a/cmd/api/v5/openvpn.go +++ b/cmd/api/v5/openvpn.go @@ -61,15 +61,15 @@ func (u VPNClient) Commands() *cli.Command { } } -type OpenVpn struct { +type OpenVPN struct { Cmd } -func (o OpenVpn) Url(prefix, name string) string { +func (o OpenVPN) Url(prefix, name string) string { return prefix + "/api/network/" + name + "/openvpn/restart" } -func (o OpenVpn) Restart(c *cli.Context) error { +func (o OpenVPN) Restart(c *cli.Context) error { network := c.String("name") url := o.Url(c.String("url"), network) @@ -81,16 +81,15 @@ func (o OpenVpn) Restart(c *cli.Context) error { return nil } -func (o OpenVpn) Commands() *cli.Command { +func (o OpenVPN) Commands() *cli.Command { return &cli.Command{ Name: "openvpn", Usage: "Control OpenVPN", Subcommands: []*cli.Command{ { - Name: "restart", - Usage: "restart openvpn for the network", - Aliases: []string{"ro"}, - Action: o.Restart, + Name: "restart", + Usage: "restart openvpn for the network", + Action: o.Restart, }, }, } diff --git a/cmd/api/v5/qos.go b/cmd/api/v5/qos.go index 0983235..0ac0b4c 100644 --- a/cmd/api/v5/qos.go +++ b/cmd/api/v5/qos.go @@ -10,12 +10,11 @@ type Qos struct { } func (q Qos) Commands() *cli.Command { - rule := QosRule{} return &cli.Command{ Name: "qos", Usage: "QoS for client in network", Subcommands: []*cli.Command{ - rule.Commands(), + QosRule{}.Commands(), }, } } 
diff --git a/cmd/api/v5/ztrust.go b/cmd/api/v5/ztrust.go
new file mode 100644
index 0000000..b3f2dd0
--- /dev/null
+++ b/cmd/api/v5/ztrust.go
@@ -0,0 +1,263 @@ +package v5 + +import ( + "github.com/luscis/openlan/cmd/api" + "github.com/luscis/openlan/pkg/schema" + "github.com/urfave/cli/v2" +) + +type ZTrust struct { + Cmd +} + +func (z ZTrust) Url(prefix, network, action string) string { + return prefix + "/api/network/" + network + "/ztrust/" + action +} + +func (z ZTrust) Enable(c *cli.Context) error { + name := c.String("network") + url := z.Url(c.String("url"), name, "enable") + clt := z.NewHttp(c.String("token")) + if err := clt.PostJSON(url, nil, nil); err != nil { + return err + } + return nil +} + +func (z ZTrust) Disable(c *cli.Context) error { + name := c.String("network") + url := z.Url(c.String("url"), name, "disable") + clt := z.NewHttp(c.String("token")) + if err := clt.PostJSON(url, nil, nil); err != nil { + return err + } + return nil +} + +func (z ZTrust) Commands(app *api.App) { + name := api.GetUser(api.Token) + user, network := api.SplitName(name) + app.Command(&cli.Command{ + Name: "ztrust", + Usage: "Control Zero Trust", + Flags: []cli.Flag{ + &cli.StringFlag{Name: "network", Value: network}, + }, + Subcommands: []*cli.Command{ + { + Name: "enable", + Usage: "Enable zTrust", + Action: z.Enable, + }, + { + Name: "disable", + Usage: "Disable zTrust", + Action: z.Disable, + }, + Guest{}.Commands(user), + Knock{}.Commands(user), + }, + }) +} + +type Guest struct { + Cmd +} + +func (u Guest) Url(prefix, network, name string) string { + if name == "" { + return prefix + "/api/network/" + network + "/guest" + } + return prefix + "/api/network/" + network + "/guest/" + name +} + +func (u Guest) Add(c *cli.Context) error { + guest := &schema.ZGuest{ + Address: c.String("address"), + Name: c.String("user"), + Network: c.String("network"), + } + url := u.Url(c.String("url"), guest.Network, guest.Name) + clt := u.NewHttp(c.String("token")) + if err := clt.PostJSON(url, guest, nil); err != nil { + return err + } + return nil +} + +func (u Guest) Remove(c *cli.Context) error { + guest := 
&schema.ZGuest{ + Name: c.String("user"), + Network: c.String("network"), + Address: c.String("address"), + } + url := u.Url(c.String("url"), guest.Network, guest.Name) + clt := u.NewHttp(c.String("token")) + if err := clt.DeleteJSON(url, guest, nil); err != nil { + return err + } + return nil +} + +func (u Guest) Tmpl() string { + return `# total {{ len . }} +{{ps -24 "username"}} {{ps -24 "address"}} +{{- range . }} +{{p2 -24 "%s@%s" .Name .Network}} {{ps -24 .Address}} +{{- end }} +` +} + +func (u Guest) List(c *cli.Context) error { + network := c.String("network") + + url := u.Url(c.String("url"), network, "") + clt := u.NewHttp(c.String("token")) + + var items []schema.ZGuest + if err := clt.GetJSON(url, &items); err != nil { + return err + } + + return u.Out(items, c.String("format"), u.Tmpl()) +} + +func (u Guest) Commands(user string) *cli.Command { + return &cli.Command{ + Name: "guest", + Usage: "zTrust Guest configuration", + Subcommands: []*cli.Command{ + { + Name: "add", + Usage: "Add a zGuest", + Flags: []cli.Flag{ + &cli.StringFlag{Name: "user", Value: user}, + &cli.StringFlag{Name: "address"}, + }, + Action: u.Add, + }, + { + Name: "remove", + Usage: "Remove an existing zGuest", + Aliases: []string{"rm"}, + Flags: []cli.Flag{ + &cli.StringFlag{Name: "user", Value: user}, + }, + Action: u.Remove, + }, + { + Name: "list", + Usage: "Display all zGuests", + Aliases: []string{"ls"}, + Action: u.List, + }, + }, + } +} + +type Knock struct { + Cmd +} + +func (u Knock) Url(prefix, network, name string) string { + return prefix + "/api/network/" + network + "/guest/" + name + "/knock" +} + +func (u Knock) Add(c *cli.Context) error { + socket := c.String("socket") + knock := &schema.KnockRule{ + Protocol: c.String("protocol"), + Age: c.Int("age"), + Name: c.String("user"), + Network: c.String("network"), + } + knock.Dest, knock.Port = api.SplitSocket(socket) + + url := u.Url(c.String("url"), knock.Network, knock.Name) + clt := u.NewHttp(c.String("token")) + 
if err := clt.PostJSON(url, knock, nil); err != nil { + return err + } + return nil +} + +func (u Knock) Remove(c *cli.Context) error { + socket := c.String("socket") + knock := &schema.KnockRule{ + Protocol: c.String("protocol"), + Name: c.String("user"), + Network: c.String("network"), + } + knock.Dest, knock.Port = api.SplitSocket(socket) + + url := u.Url(c.String("url"), knock.Network, knock.Name) + clt := u.NewHttp(c.String("token")) + if err := clt.DeleteJSON(url, knock, nil); err != nil { + return err + } + return nil +} + +func (u Knock) Tmpl() string { + return `# total {{ len . }} +{{ps -24 "username"}} {{ps -8 "protocol"}} {{ps -24 "socket"}} {{ps -4 "age"}} {{ps -24 "createAt"}} +{{- range . }} +{{p2 -24 "%s@%s" .Name .Network}} {{ps -8 .Protocol}} {{p2 -24 "%s:%s" .Dest .Port}} {{pi -4 .Age}} {{ut .CreateAt}} +{{- end }} +` +} + +func (u Knock) List(c *cli.Context) error { + network := c.String("network") + user := c.String("user") + + url := u.Url(c.String("url"), network, user) + clt := u.NewHttp(c.String("token")) + + var items []schema.KnockRule + if err := clt.GetJSON(url, &items); err != nil { + return err + } + + return u.Out(items, c.String("format"), u.Tmpl()) +} + +func (u Knock) Commands(user string) *cli.Command { + return &cli.Command{ + Name: "knock", + Usage: "Knock configuration", + Subcommands: []*cli.Command{ + { + Name: "add", + Usage: "Add a knock", + Flags: []cli.Flag{ + &cli.StringFlag{Name: "user", Value: user}, + &cli.StringFlag{Name: "protocol", Required: true}, + &cli.StringFlag{Name: "socket", Required: true}, + &cli.IntFlag{Name: "age", Value: 60}, + }, + Action: u.Add, + }, + { + Name: "remove", + Usage: "Remove an existing knock", + Aliases: []string{"rm"}, + Flags: []cli.Flag{ + &cli.StringFlag{Name: "user", Value: user}, + &cli.StringFlag{Name: "protocol", Required: true}, + &cli.StringFlag{Name: "socket", Required: true}, + }, + Action: u.Remove, + }, + { + Name: "list", + Usage: "Display all knock", + Aliases: 
[]string{"ls"}, + Flags: []cli.Flag{ + &cli.StringFlag{Name: "user", Value: user}, + }, + Action: u.List, + }, + }, + } +} diff --git a/cmd/api/v6/cmd.go b/cmd/api/v6/cmd.go deleted file mode 100755 index 16de0c1..0000000 --- a/cmd/api/v6/cmd.go +++ /dev/null @@ -1,29 +0,0 @@ -package v6 - -import ( - "github.com/luscis/openlan/cmd/api" - "github.com/luscis/openlan/pkg/database" - "github.com/urfave/cli/v2" -) - -func Before(c *cli.Context) error { - if _, err := database.NewConfClient(nil); err == nil { - return nil - } else { - return err - } -} - -func After(c *cli.Context) error { - return nil -} - -func Commands(app *api.App) { - app.After = After - app.Before = Before - Switch{}.Commands(app) - Network{}.Commands(app) - Link{}.Commands(app) - Name{}.Commands(app) - Prefix{}.Commands(app) -} diff --git a/cmd/api/v6/link.go b/cmd/api/v6/link.go deleted file mode 100755 index 37b2793..0000000 --- a/cmd/api/v6/link.go +++ /dev/null 
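Review bot: The `invalid username` check that the deleted guest.go and knock.go performed is gone, and nothing in Guest.Add/Remove or Knock.Add/Remove/List verifies that `c.String("user")` or `c.String("network")` is non-empty before they are spliced into the request path, so a token without an `@` part (or an explicit `--user ""`) makes `guest add` POST to the collection path that Guest.Url returns for an empty name, and an empty network yields `/api/network//guest`. I'd add a guard right after building the request struct, e.g. `if guest.Name == "" || guest.Network == "" { return libol.NewErr("user and network are required") }` (the new file would need the libol import the deleted files had), and the same check on `knock.Name`/`knock.Network` in the Knock methods. Both values are also concatenated unescaped into the URL, so a value containing `/` changes which endpoint the request reaches; wrapping them in `url.PathEscape` inside Guest.Url and Knock.Url would keep each as a single path segment. Separately, Guest.Remove still reads `c.String("address")` although the `remove` subcommand no longer defines that flag (cli v2 returns an empty string for an undefined flag), so dropping `Address` from that struct literal keeps the delete payload honest.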
@@ -1,262 +0,0 @@ -package v6 - -import ( - "github.com/luscis/openlan/cmd/api" - "github.com/luscis/openlan/pkg/database" - "github.com/luscis/openlan/pkg/libol" - "github.com/ovn-org/libovsdb/model" - "github.com/ovn-org/libovsdb/ovsdb" - "github.com/urfave/cli/v2" - "sort" - "strings" -) - -type Link struct { -} - -func (l Link) List(c *cli.Context) error { - var lsLn []database.VirtualLink - network := c.String("network") - if err := database.Client.WhereList( - func(l *database.VirtualLink) bool { - return network == "" || l.Network == network - }, &lsLn); err != nil { - return err - } else { - sort.SliceStable(lsLn, func(i, j int) bool { - ii := lsLn[i] - jj := lsLn[j] - return ii.Network+ii.UUID > jj.Network+jj.UUID - }) - return api.Out(lsLn, c.String("format"), "") - } -} - -func GetUserPassword(auth string) (string, string) { - values := strings.SplitN(auth, ":", 2) - if len(values) == 2 { - return values[0], values[1] - } - return auth, auth -} - -func GetDeviceName(conn, device string) string { - if libol.GetPrefix(conn, 4) == "spi:" { - return conn - } else { - return device - } -} - -func (l Link) Add(c *cli.Context) error { - auth := c.String("authentication") - connection := c.String("connection") - device := c.String("device") - lsLn := database.VirtualLink{ - UUID: c.String("uuid"), - Network: c.String("network"), - Connection: connection, - Device: device, - } - remoteAddr := c.String("remote-address") - user, pass := GetUserPassword(auth) - if err := database.Client.Get(&lsLn); err == nil { - lsVn := database.VirtualNetwork{ - Name: lsLn.Network, - } - if lsVn.Name == "" { - return libol.NewErr("network is nil") - } - if err := database.Client.Get(&lsVn); err != nil { - return libol.NewErr("find network %s: %s", lsVn.Name, err) - } - newLn := lsLn - if connection != "" { - newLn.Connection = connection - } - if user != "" { - newLn.Authentication["username"] = user - } - if pass != "" { - newLn.Authentication["password"] = pass - } - if 
remoteAddr != "" { - newLn.OtherConfig["remote_address"] = remoteAddr - } - if device != "" { - newLn.Device = device - } - ops, err := database.Client.Where(&lsLn).Update(&newLn) - if err != nil { - return err - } - if ret, err := database.Client.Transact(ops...); err != nil { - return err - } else { - database.PrintError(ret) - } - } else { - lsVn := database.VirtualNetwork{ - Name: c.String("network"), - } - if lsVn.Name == "" { - return libol.NewErr("network is nil") - } - if err := database.Client.Get(&lsVn); err != nil { - return libol.NewErr("find network %s: %s", lsVn.Name, err) - } - uuid := c.String("uuid") - if uuid == "" { - uuid = database.GenUUID() - } - newLn := database.VirtualLink{ - Network: lsLn.Network, - Connection: lsLn.Connection, - UUID: uuid, - Device: GetDeviceName(connection, device), - Authentication: map[string]string{ - "username": user, - "password": pass, - }, - OtherConfig: map[string]string{ - "local_address": lsVn.Address, - "remote_address": remoteAddr, - }, - } - ops, err := database.Client.Create(&newLn) - if err != nil { - return err - } - libol.Debug("Link.Add %s %s", ops, lsVn) - database.Client.Execute(ops) - ops, err = database.Client.Where(&lsVn).Mutate(&lsVn, model.Mutation{ - Field: &lsVn.LocalLinks, - Mutator: ovsdb.MutateOperationInsert, - Value: []string{newLn.UUID}, - }) - if err != nil { - return err - } - libol.Debug("Link.Add %s", ops) - database.Client.Execute(ops) - if ret, err := database.Client.Commit(); err != nil { - return err - } else { - database.PrintError(ret) - } - } - return nil -} - -func (l Link) Remove(c *cli.Context) error { - lsLn := database.VirtualLink{ - Network: c.String("network"), - Connection: c.String("connection"), - UUID: c.String("uuid"), - } - if err := database.Client.Get(&lsLn); err != nil { - return err - } - lsVn := database.VirtualNetwork{ - Name: lsLn.Network, - } - if err := database.Client.Get(&lsVn); err != nil { - return libol.NewErr("find network %s: %s", lsVn.Name, err) - 
} - if err := database.Client.Get(&lsLn); err != nil { - return err - } - ops, err := database.Client.Where(&lsLn).Delete() - if err != nil { - return err - } - libol.Debug("Link.Remove %s", ops) - database.Client.Execute(ops) - ops, err = database.Client.Where(&lsVn).Mutate(&lsVn, model.Mutation{ - Field: &lsVn.LocalLinks, - Mutator: ovsdb.MutateOperationDelete, - Value: []string{lsLn.UUID}, - }) - if err != nil { - return err - } - libol.Debug("Link.Remove %s", ops) - database.Client.Execute(ops) - if ret, err := database.Client.Commit(); err != nil { - return err - } else { - database.PrintError(ret) - } - return nil -} - -func (l Link) Commands(app *api.App) { - app.Command(&cli.Command{ - Name: "link", - Aliases: []string{"li"}, - Usage: "Virtual Link", - Subcommands: []*cli.Command{ - { - Name: "list", - Usage: "List virtual links", - Aliases: []string{"ls"}, - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "network", - Usage: "the network name", - }, - }, - Action: l.List, - }, - { - Name: "add", - Usage: "Add a virtual link", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "uuid", - }, - &cli.StringFlag{ - Name: "network", - Usage: "the network name", - }, - &cli.StringFlag{ - Name: "connection", - Value: "any", - Usage: "connection for remote server", - }, - &cli.StringFlag{ - Name: "device", - Usage: "the device name, like spi:10", - }, - &cli.StringFlag{ - Name: "authentication", - Usage: "user and password for authentication", - }, - &cli.StringFlag{ - Name: "remote-address", - Usage: "remote address in this link", - }, - }, - Action: l.Add, - }, - { - Name: "del", - Usage: "Del a virtual link", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "uuid", - }, - &cli.StringFlag{ - Name: "network", - Usage: "the network name", - }, - &cli.StringFlag{ - Name: "connection", - Usage: "connection for remote server", - }, - }, - Action: l.Remove, - }, - }, - }) -} diff --git a/cmd/api/v6/name.go b/cmd/api/v6/name.go deleted file mode 100755 index a42d45a..0000000 
--- a/cmd/api/v6/name.go
+++ /dev/null
@@ -1,146 +0,0 @@ -package v6 - -import ( - "github.com/luscis/openlan/cmd/api" - "github.com/luscis/openlan/pkg/database" - "github.com/luscis/openlan/pkg/libol" - "github.com/urfave/cli/v2" - "net" - "sort" - "time" -) - -type Name struct { -} - -func (u Name) List(c *cli.Context) error { - var listNa []database.NameCache - if err := database.Client.List(&listNa); err != nil { - return err - } else { - sort.SliceStable(listNa, func(i, j int) bool { - ii := listNa[i] - jj := listNa[j] - return ii.UUID > jj.UUID - }) - return api.Out(listNa, c.String("format"), "") - } -} - -func (u Name) Add(c *cli.Context) error { - name := c.String("name") - lsNa := database.NameCache{ - Name: name, - UUID: c.String("uuid"), - } - if lsNa.Name == "" && lsNa.UUID == "" { - return libol.NewErr("Name is nil") - } - address := c.String("address") - if address == "" { - addrIps, _ := net.LookupIP(lsNa.Name) - if len(addrIps) > 0 { - address = addrIps[0].String() - } - } - newNa := lsNa - if name != "" { - newNa.Name = name - } - if address != "" { - newNa.Address = address - } - newNa.UpdateAt = time.Now().Format("2006-01-02T15:04") - if err := database.Client.Get(&lsNa); err == nil { - if lsNa.Address != address { - ops, err := database.Client.Where(&lsNa).Update(&newNa) - if err != nil { - return err - } - if ret, err := database.Client.Transact(ops...); err != nil { - return err - } else { - database.PrintError(ret) - } - } - } else { - ops, err := database.Client.Create(&newNa) - if err != nil { - return err - } - libol.Debug("Name.Add %s", ops) - if ret, err := database.Client.Transact(ops...); err != nil { - return err - } else { - database.PrintError(ret) - } - } - return nil -} - -func (u Name) Remove(c *cli.Context) error { - lsNa := database.NameCache{ - Name: c.String("name"), - UUID: c.String("uuid"), - } - if err := database.Client.Get(&lsNa); err != nil { - return nil - } - ops, err := database.Client.Where(&lsNa).Delete() - if err != nil { - return err - } - 
libol.Debug("Name.Remove %s", ops) - database.Client.Execute(ops) - if ret, err := database.Client.Commit(); err != nil { - return err - } else { - database.PrintError(ret) - } - return nil -} - -func (u Name) Commands(app *api.App) { - app.Command(&cli.Command{ - Name: "name", - Aliases: []string{"na"}, - Usage: "Name cache", - Subcommands: []*cli.Command{ - { - Name: "list", - Usage: "List name cache", - Aliases: []string{"ls"}, - Action: u.List, - }, - { - Name: "add", - Usage: "Add or update name cache", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "uuid", - }, - &cli.StringFlag{ - Name: "name", - }, - &cli.StringFlag{ - Name: "address", - }, - }, - Action: u.Add, - }, - { - Name: "del", - Usage: "Delete a name cache", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "uuid", - }, - &cli.StringFlag{ - Name: "name", - }, - }, - Action: u.Remove, - }, - }, - }) -} diff --git a/cmd/api/v6/network.go b/cmd/api/v6/network.go deleted file mode 100755 index 6d5db48..0000000 --- a/cmd/api/v6/network.go +++ /dev/null 
@@ -1,154 +0,0 @@ -package v6 - -import ( - "github.com/luscis/openlan/cmd/api" - "github.com/luscis/openlan/pkg/database" - "github.com/luscis/openlan/pkg/libol" - "github.com/ovn-org/libovsdb/model" - "github.com/ovn-org/libovsdb/ovsdb" - "github.com/urfave/cli/v2" - "sort" -) - -type Network struct { -} - -func (u Network) List(c *cli.Context) error { - var listVn []database.VirtualNetwork - err := database.Client.List(&listVn) - if err != nil { - return err - } - sort.SliceStable(listVn, func(i, j int) bool { - ii := listVn[i] - jj := listVn[j] - return ii.UUID > jj.UUID - }) - return api.Out(listVn, c.String("format"), "") -} - -func (u Network) Add(c *cli.Context) error { - name := c.String("name") - if name == "" { - return libol.NewErr("name is nil") - } - oldVn := database.VirtualNetwork{Name: name} - if err := database.Client.Get(&oldVn); err == nil { - return libol.NewErr("network %s already existed.", oldVn.Name) - } - address := c.String("address") - provider := c.String("provider") - newVn := database.VirtualNetwork{ - Name: name, - Address: address, - Bridge: "br-" + name, - UUID: database.GenUUID(), - Provider: provider, - } - ops, err := database.Client.Create(&newVn) - if err != nil { - return err - } - libol.Debug("Network.Add %s", ops) - database.Client.Execute(ops) - sw, err := database.Client.Switch() - if err != nil { - return err - } - ops, err = database.Client.Where(sw).Mutate(sw, model.Mutation{ - Field: &sw.VirtualNetworks, - Mutator: ovsdb.MutateOperationInsert, - Value: []string{newVn.UUID}, - }) - if err != nil { - return err - } - libol.Debug("Network.Add %s", ops) - database.Client.Execute(ops) - if ret, err := database.Client.Commit(); err != nil { - return err - } else { - database.PrintError(ret) - } - return nil -} - -func (u Network) Remove(c *cli.Context) error { - name := c.String("name") - oldVn := database.VirtualNetwork{ - Name: name, - } - if err := database.Client.Get(&oldVn); err != nil { - return err - } - ops, err := 
database.Client.Where(&oldVn).Delete() - if err != nil { - return err - } - libol.Debug("Switch.Remove %s", ops) - database.Client.Execute(ops) - sw, err := database.Client.Switch() - if err != nil { - return err - } - ops, err = database.Client.Where(sw).Mutate(sw, model.Mutation{ - Field: &sw.VirtualNetworks, - Mutator: ovsdb.MutateOperationDelete, - Value: []string{oldVn.UUID}, - }) - if err != nil { - return err - } - libol.Debug("Network.Remove %s", ops) - database.Client.Execute(ops) - if ret, err := database.Client.Commit(); err != nil { - return err - } else { - database.PrintError(ret) - } - return nil -} - -func (u Network) Commands(app *api.App) { - app.Command(&cli.Command{ - Name: "network", - Aliases: []string{"ne"}, - Usage: "Virtual network", - Subcommands: []*cli.Command{ - { - Name: "list", - Usage: "List virtual networks", - Aliases: []string{"ls"}, - Action: u.List, - }, - { - Name: "add", - Usage: "Add a virtual network", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "name", - Usage: "unique name with short long"}, - &cli.StringFlag{ - Name: "provider", - Value: "openlan", - Usage: "provider name"}, - &cli.StringFlag{ - Name: "address", - Value: "169.255.169.0/24", - Usage: "ip address"}, - }, - Action: u.Add, - }, - { - Name: "del", - Usage: "Del a virtual network", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "name", - Usage: "unique name with short long"}, - }, - Action: u.Remove, - }, - }, - }) -} diff --git a/cmd/api/v6/prefix.go b/cmd/api/v6/prefix.go deleted file mode 100755 index fce00c9..0000000 --- a/cmd/api/v6/prefix.go +++ /dev/null 
@@ -1,171 +0,0 @@ -package v6 - -import ( - "github.com/luscis/openlan/cmd/api" - "github.com/luscis/openlan/pkg/database" - "github.com/luscis/openlan/pkg/libol" - "github.com/ovn-org/libovsdb/model" - "github.com/ovn-org/libovsdb/ovsdb" - "github.com/urfave/cli/v2" - "sort" -) - -type Prefix struct { -} - -func (u Prefix) List(c *cli.Context) error { - var list []database.PrefixRoute - if err := database.Client.List(&list); err != nil { - return err - } else { - sort.SliceStable(list, func(i, j int) bool { - ii := list[i] - jj := list[j] - return ii.UUID > jj.UUID - }) - return api.Out(list, c.String("format"), "") - } -} - -func (u Prefix) Add(c *cli.Context) error { - lsVn := database.VirtualNetwork{ - Name: c.String("network"), - } - if lsVn.Name == "" { - return libol.NewErr("network is nil") - } - if err := database.Client.Get(&lsVn); err != nil { - return libol.NewErr("find network %s: %s", lsVn.Name, err) - } - newPf := database.PrefixRoute{ - UUID: database.GenUUID(), - Network: lsVn.Name, - Source: c.String("source"), - Prefix: c.String("prefix"), - Gateway: c.String("gateway"), - Mode: c.String("mode"), - } - ops, err := database.Client.Create(&newPf) - if err != nil { - return err - } - libol.Debug("Prefix.Add %s %s", ops, lsVn) - database.Client.Execute(ops) - ops, err = database.Client.Where(&lsVn).Mutate(&lsVn, model.Mutation{ - Field: &lsVn.PrefixRoutes, - Mutator: ovsdb.MutateOperationInsert, - Value: []string{newPf.UUID}, - }) - if err != nil { - return err - } - libol.Debug("Prefix.Add %s", ops) - database.Client.Execute(ops) - if ret, err := database.Client.Commit(); err != nil { - return err - } else { - database.PrintError(ret) - } - return nil -} - -func (u Prefix) Remove(c *cli.Context) error { - lsPf := database.PrefixRoute{ - Network: c.String("network"), - Prefix: c.String("prefix"), - UUID: c.String("uuid"), - } - if err := database.Client.Get(&lsPf); err != nil { - return err - } - lsVn := database.VirtualNetwork{ - Name: lsPf.Network, 
- } - if err := database.Client.Get(&lsVn); err != nil { - return libol.NewErr("find network %s: %s", lsVn.Name, err) - } - if err := database.Client.Get(&lsPf); err != nil { - return err - } - ops, err := database.Client.Where(&lsPf).Delete() - if err != nil { - return err - } - libol.Debug("Prefix.Remove %s", ops) - database.Client.Execute(ops) - ops, err = database.Client.Where(&lsVn).Mutate(&lsVn, model.Mutation{ - Field: &lsVn.PrefixRoutes, - Mutator: ovsdb.MutateOperationDelete, - Value: []string{lsPf.UUID}, - }) - if err != nil { - return err - } - libol.Debug("Prefix.Remove %s", ops) - database.Client.Execute(ops) - if ret, err := database.Client.Commit(); err != nil { - return err - } else { - database.PrintError(ret) - } - return nil -} - -func (u Prefix) Commands(app *api.App) { - app.Command(&cli.Command{ - Name: "route", - Aliases: []string{"ro"}, - Usage: "Prefix route", - Subcommands: []*cli.Command{ - { - Name: "list", - Usage: "List prefix routes", - Aliases: []string{"ls"}, - Action: u.List, - }, - { - Name: "add", - Usage: "Add a prefix route", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "network", - Usage: "the network name", - }, - &cli.StringFlag{ - Name: "prefix", - }, - &cli.StringFlag{ - Name: "source", - Value: "0.0.0.0/0", - }, - &cli.StringFlag{ - Name: "gateway", - Value: "local", - }, - &cli.StringFlag{ - Name: "mode", - Value: "direct", - }, - }, - Action: u.Add, - }, - { - Name: "del", - Usage: "delete a prefix route", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "uuid", - }, - &cli.StringFlag{ - Name: "network", - Usage: "the network name", - }, - &cli.StringFlag{ - Name: "prefix", - }, - }, - Action: u.Remove, - }, - }, - }) -} diff --git a/cmd/api/v6/switch.go b/cmd/api/v6/switch.go deleted file mode 100755 index b6d349f..0000000 --- a/cmd/api/v6/switch.go +++ /dev/null 
@@ -1,85 +0,0 @@ -package v6 - -import ( - "github.com/luscis/openlan/cmd/api" - "github.com/luscis/openlan/pkg/database" - "github.com/luscis/openlan/pkg/libol" - "github.com/urfave/cli/v2" -) - -type Switch struct { -} - -func (u Switch) List(c *cli.Context) error { - var listSw []database.Switch - if err := database.Client.List(&listSw); err == nil { - return api.Out(listSw, c.String("format"), "") - } - return nil -} - -func (u Switch) Add(c *cli.Context) error { - protocol := c.String("protocol") - listen := c.Int("listen") - newSw := database.Switch{ - Protocol: protocol, - Listen: listen, - } - sw, _ := database.Client.Switch() - if sw == nil { - ops, err := database.Client.Create(&newSw) - if err != nil { - return err - } - libol.Debug("Switch.Add %s", ops) - if ret, err := database.Client.Transact(ops...); err != nil { - return err - } else { - database.PrintError(ret) - } - } else { - ops, err := database.Client.Where(sw).Update(&newSw) - if err != nil { - return err - } - libol.Debug("Switch.Add %s", ops) - if ret, err := database.Client.Transact(ops...); err != nil { - return err - } else { - database.PrintError(ret) - } - } - return nil -} - -func (u Switch) Commands(app *api.App) { - app.Command(&cli.Command{ - Name: "switch", - Aliases: []string{"sw"}, - Usage: "Global switch", - Subcommands: []*cli.Command{ - { - Name: "list", - Usage: "List global switch", - Aliases: []string{"ls"}, - Action: u.List, - }, - { - Name: "add", - Usage: "Add or update switch", - Flags: []cli.Flag{ - &cli.StringFlag{ - Name: "protocol", - Value: "tcp", - Usage: "used protocol: tcp|udp|http|tls"}, - &cli.IntFlag{ - Name: "listen", - Value: 10002, - Usage: "listen on port: 1024-65535", - }, - }, - Action: u.Add, - }, - }, - }) -} diff --git a/cmd/main.go b/cmd/main.go index 9edd494..9eba1ca 100755 --- a/cmd/main.go +++ b/cmd/main.go 
@@ -1,11 +1,11 @@ package main import ( - "github.com/luscis/openlan/cmd/api" - "github.com/luscis/openlan/cmd/api/v5" - "github.com/luscis/openlan/cmd/api/v6" "log" "os" + + "github.com/luscis/openlan/cmd/api" + "github.com/luscis/openlan/cmd/api/v5" ) func main() { @@ -18,8 +18,6 @@ func main() { app.New() switch api.Version { - case "v6": - v6.Commands(app) default: v5.Commands(app) } diff --git a/docs/ztrust.md b/docs/ztrust.md index f5da7f2..c69dcc8 100644 --- a/docs/ztrust.md +++ b/docs/ztrust.md @@ -2,11 +2,8 @@ ## Enable ztrust on a network ``` -$ cat /etc/openlan/switch/network/example.json -{ - ... - "ztrust": "enable" -} +$ openlan ztrust --network example enable +$ openlan network --name example sa $ $ systemctl restart openlan-switch $ @@ -24,8 +21,8 @@ $ ``` $ export TOKEN="daniel@example:" $ export URL="https://:10000" -$ openlan guest add -$ openlan guest ls +$ openlan ztrust guest add +$ openlan ztrust guest ls # total 1 username address daniel@example 169.254.15.6 @@ -34,9 +31,9 @@ $ ## Knock a host service ``` -$ openlan knock add --protocol icmp --socket 192.168.20.10 -$ openlan knock add --protocol tcp --socket 192.168.20.10:22 -$ openlan knock ls +$ openlan ztrust knock add --protocol icmp --socket 192.168.20.10 +$ openlan ztrust knock add --protocol tcp --socket 192.168.20.10:22 +$ openlan ztrust knock ls # total 2 username protocol socket age createAt daniel@example tcp 192.168.20.10:22 57 2024-01-02 12:42:06 +0000 UTC diff --git a/pkg/api/api.go b/pkg/api/api.go index df2a485..e1e5c76 100755 --- a/pkg/api/api.go +++ b/pkg/api/api.go @@ -89,6 +89,8 @@ type Super interface { Start(v Switcher) Stop() Reload(v Switcher) + DoZTrust() + UndoZTrust() } type Networker interface { diff --git a/pkg/api/ztrust.go b/pkg/api/ztrust.go index 8010796..d37d4c0 100755 --- a/pkg/api/ztrust.go +++ b/pkg/api/ztrust.go 
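Review bot: `DoZTrust()` and `UndoZTrust()` are added to `Super` without doc comments and without a return value, so a caller cannot tell whether the zero-trust jump rule was installed, was already present, or failed to apply. Consider `DoZTrust() error` / `UndoZTrust() error`, documented as `// DoZTrust enables zero-trust filtering on the network's VPN device; a no-op when already enabled.` and `// UndoZTrust removes that filtering; a no-op when already disabled.`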
@@ -16,6 +16,8 @@ type ZTrust struct { func (h ZTrust) Router(router *mux.Router) { router.HandleFunc("/api/network/{id}/ztrust", h.List).Methods("GET") + router.HandleFunc("/api/network/{id}/ztrust/enable", h.Enable).Methods("POST") + router.HandleFunc("/api/network/{id}/ztrust/disable", h.Disable).Methods("POST") router.HandleFunc("/api/network/{id}/guest", h.ListGuest).Methods("GET") router.HandleFunc("/api/network/{id}/guest/{user}", h.ListGuest).Methods("GET") router.HandleFunc("/api/network/{id}/guest/{user}", h.AddGuest).Methods("POST") @@ -42,6 +44,32 @@ func (h ZTrust) Get(w http.ResponseWriter, r *http.Request) { ResponseJson(w, "TODO") } +func (h ZTrust) Enable(w http.ResponseWriter, r *http.Request) { + vars := mux.Vars(r) + id := vars["id"] + + worker := Call.GetWorker(id) + if worker == nil { + http.Error(w, "Network not found", http.StatusBadRequest) + return + } + worker.DoZTrust() + ResponseJson(w, "success") +} + +func (h ZTrust) Disable(w http.ResponseWriter, r *http.Request) { + vars := mux.Vars(r) + id := vars["id"] + + worker := Call.GetWorker(id) + if worker == nil { + http.Error(w, "Network not found", http.StatusBadRequest) + return + } + worker.UndoZTrust() + ResponseJson(w, "success") +} + func (h ZTrust) ListGuest(w http.ResponseWriter, r *http.Request) { vars := mux.Vars(r) id := vars["id"] diff --git a/pkg/switch/http.go b/pkg/switch/http.go index 5f6839c..c778e3c 100755 --- a/pkg/switch/http.go +++ b/pkg/switch/http.go 
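Review bot: `Enable` and `Disable` answer `"success"` unconditionally because `worker.DoZTrust()` / `worker.UndoZTrust()` return nothing, so an API client cannot learn whether the firewall jump rule was actually installed; at minimum a doc comment on both handlers should say the response only confirms the request was dispatched to the worker. A missing network is reported with `http.StatusBadRequest`, while the message "Network not found" describes `http.StatusNotFound`; use the latter. These two routes are kept away from network users only by the zone allowlist in `Http.IsAuth` (the `ztrust` zone is not in it), and nothing here records that dependency — a comment on the two new `Router` lines such as `// admin-only: IsAuth does not grant network users the "ztrust" zone` would make it explicit.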
@@ -195,27 +195,32 @@ func (h *Http) Shutdown() { } func (h *Http) IsAuth(w http.ResponseWriter, r *http.Request) bool { - token, pass, ok := r.BasicAuth() - libol.Debug("Http.IsAuth token: %s, pass: %s", token, pass) + user, pass, ok := r.BasicAuth() + libol.Debug("Http.IsAuth token: %s, pass: %s", user, pass) if !ok { return false } - if token == h.adminToken { + if user == h.adminToken { return true } elements := strings.SplitN(r.URL.Path, "/", 8) - if len(elements) > 3 { + if len(elements) > 4 { if elements[2] == "network" { - zone := elements[3] - if !strings.HasSuffix(token, "@"+zone) { + network := elements[3] + if !strings.HasSuffix(user, "@"+network) { return false } - if api.UserCheck(token, pass) == nil { - return true + zone := elements[4] + if api.UserCheck(user, pass) == nil { + // user can URL: /1/2/3/. + if zone == "ovpn" || zone == "guest" { + return true + } } } } + // open URL: //. if elements[1] == "openvpn-api" || elements[1] == "rest" { return true } diff --git a/pkg/switch/network.go b/pkg/switch/network.go index bdf8aa7..c49cbf5 100755 --- a/pkg/switch/network.go +++ b/pkg/switch/network.go @@ -123,10 +123,8 @@ func (w *WorkerImpl) Initialize() { w.out.Error("WorkerImpl.Initialize: create ipset: %s %s", out, err) } - if cfg.ZTrust == "enable" { - w.ztrust = NewZTrust(cfg.Name, 30) - w.ztrust.Initialize() - } + w.ztrust = NewZTrust(cfg.Name, 30) + w.ztrust.Initialize() w.qos = NewQosCtrl(cfg.Name) w.qos.Initialize() @@ -352,13 +350,12 @@ func (w *WorkerImpl) loadVRF() { } } -func (w *WorkerImpl) SetMss(mss int) { +func (w *WorkerImpl) setMss() { cfg, _ := w.GetCfgs() - fire := w.fire - cfg.Bridge.Mss = mss - - fire.Mangle.Post.AddRule(cn.IPRule{ + mss := cfg.Bridge.Mss + w.fire.Mangle.Post.AddRuleX(cn.IPRule{ + Order: "-I", Output: cfg.Bridge.Name, Proto: "tcp", Match: "tcp", 
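Review bot: The rewritten debug line `libol.Debug("Http.IsAuth token: %s, pass: %s", user, pass)` still writes the Basic-auth password to the log in cleartext; change it to `libol.Debug("Http.IsAuth user: %s", user)`. The admin check `if user == h.adminToken` is a plain, non-constant-time comparison that ignores `pass` entirely, so the token is effectively a bearer secret carried in the user field — use `subtle.ConstantTimeCompare([]byte(user), []byte(h.adminToken)) == 1` and refuse an empty `adminToken` if it can ever be unset, since an empty user name would then match it. The new zone allowlist keeps `/api/network/{id}/ztrust/enable|disable` admin-only, which is right, but it still grants an authenticated network user every `guest` path in that network, including `/api/network/{id}/guest/{user}` for a different `{user}`, unless the handlers (not visible here) compare the path user with the authenticated one. If the knock routes are not under the `guest` or `ovpn` zone, the documented user-token `knock add` flow is now rejected by this allowlist; please confirm the route prefix.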
@@ -367,7 +364,8 @@ func (w *WorkerImpl) SetMss(mss int) { SetMss: mss, }) if w.br != nil { - fire.Mangle.Post.AddRule(cn.IPRule{ + w.fire.Mangle.Post.AddRuleX(cn.IPRule{ + Order: "-I", Output: w.br.L3Name(), Proto: "tcp", Match: "tcp", @@ -377,7 +375,8 @@ func (w *WorkerImpl) SetMss(mss int) { }) } // connect from local - fire.Mangle.In.AddRule(cn.IPRule{ + w.fire.Mangle.In.AddRuleX(cn.IPRule{ + Order: "-I", Input: cfg.Bridge.Name, Proto: "tcp", Match: "tcp", @@ -387,34 +386,64 @@ func (w *WorkerImpl) SetMss(mss int) { }) } +func (w *WorkerImpl) SetMss(mss int) { + cfg, _ := w.GetCfgs() + if cfg.Bridge.Mss != mss { + cfg.Bridge.Mss = mss + w.setMss() + } +} + +func (w *WorkerImpl) doTrust() { + _, vpn := w.GetCfgs() + w.fire.Mangle.Pre.AddRuleX(cn.IPRule{ + Input: vpn.Device, + Jump: w.ztrust.Chain(), + Comment: "Goto Zero Trust", + }) +} + +func (w *WorkerImpl) DoZTrust() { + cfg, _ := w.GetCfgs() + if cfg.ZTrust != "enable" { + cfg.ZTrust = "enable" + w.doTrust() + } +} + +func (w *WorkerImpl) undoTrust() { + _, vpn := w.GetCfgs() + w.fire.Mangle.Pre.DelRuleX(cn.IPRule{ + Input: vpn.Device, + Jump: w.ztrust.Chain(), + Comment: "Goto Zero Trust", + }) +} + +func (w *WorkerImpl) UndoZTrust() { + cfg, _ := w.GetCfgs() + if cfg.ZTrust == "enable" { + cfg.ZTrust = "disable" + w.undoTrust() + } +} + func (w *WorkerImpl) Start(v api.Switcher) { cfg, vpn := w.GetCfgs() - fire := w.fire w.out.Info("WorkerImpl.Start") - w.findhop.Start() - w.loadVRF() w.loadRoutes() w.acl.Start() w.toACL(cfg.Bridge.Name) - if cfg.Bridge.Mss > 0 { - // forward to remote - w.SetMss(cfg.Bridge.Mss) - } - for _, output := range cfg.Outputs { output.GenName() w.addOutput(cfg.Bridge.Name, output) } - if !(w.dhcp == nil) { - w.dhcp.Start() - } - if !(w.vpn == nil) { w.vpn.Start() if !(w.vrf == nil) { 
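Review bot: `DoZTrust` sets `cfg.ZTrust = "enable"` before `doTrust` runs, and the result of `AddRuleX` (whose signature is not visible here) is not checked, so if the jump into the zero-trust chain cannot be installed the network is recorded as enabled while traffic on `vpn.Device` stays unfiltered — a fail-open; install the rule first and flip the flag only once that succeeds, and log any failure. `doTrust` / `undoTrust` read `vpn.Device` without the `w.vpn == nil` guard that `Start` applies before calling `doTrust`, and because `DoZTrust` is reached from an HTTP handler, a network with no VPN section would presumably hit a nil dereference there; mirror the guard. The read-modify-write of `cfg.ZTrust` has no lock, so two concurrent enable/disable requests can add the jump twice or leave flag and rule out of step — hedged, since the worker's locking is not visible in this hunk. Suggested shape for the enable side (mirror it in `UndoZTrust`):
```go
func (w *WorkerImpl) DoZTrust() {
	cfg, vpn := w.GetCfgs()
	if cfg.ZTrust == "enable" || w.vpn == nil || vpn == nil {
		return
	}
	// Install enforcement first; only record "enable" once the jump is in place.
	w.doTrust()
	cfg.ZTrust = "enable"
}
// … unchanged: doTrust, undoTrust, UndoZTrust, Start …
```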
@@ -448,32 +477,31 @@ func (w *WorkerImpl) Start(v api.Switcher) { }) } - if !(w.ztrust == nil) { - w.ztrust.Start() - fire.Mangle.Pre.AddRule(cn.IPRule{ - Input: vpn.Device, - CtState: "RELATED,ESTABLISHED", - Comment: "Forwarding Accpted", - }) - fire.Mangle.Pre.AddRule(cn.IPRule{ - Input: vpn.Device, - Jump: w.ztrust.Chain(), - Comment: "Goto Zero Trust", - }) - } - - if !(w.qos == nil) { - w.qos.Start() - - fire.Mangle.In.AddRule(cn.IPRule{ - Input: vpn.Device, - Jump: w.qos.ChainIn(), - Comment: "Goto Qos ChainIn", - }) - } + w.fire.Mangle.In.AddRule(cn.IPRule{ + Input: vpn.Device, + Jump: w.qos.ChainIn(), + Comment: "Goto Qos ChainIn", + }) + w.qos.Start() + w.ztrust.Start() } - fire.Start() + w.fire.Start() + if cfg.Bridge.Mss > 0 { + // forward to remote + w.setMss() + } + + w.findhop.Start() + + if !(w.dhcp == nil) { + w.dhcp.Start() + } + if !(w.vpn == nil) { + if cfg.ZTrust == "enable" { + w.doTrust() + } + } } func (w *WorkerImpl) DelPhysical(bridge string, output string) { @@ -542,15 +570,13 @@ func (w *WorkerImpl) Stop() { w.fire.Stop() w.findhop.Stop() + w.acl.Stop() w.unloadRoutes() + if !(w.vpn == nil) { - if !(w.ztrust == nil) { - w.ztrust.Stop() - } - if !(w.qos == nil) { - w.qos.Stop() - } + w.ztrust.Stop() + w.qos.Stop() w.vpn.Stop() } if !(w.dhcp == nil) { @@ -564,8 +590,6 @@ func (w *WorkerImpl) Stop() { w.delOutput(w.cfg.Bridge.Name, output) } - w.acl.Stop() - w.setR.Destroy() w.setV.Destroy() } diff --git a/pkg/switch/ztrust.go b/pkg/switch/ztrust.go index 6afd8f9..5820206 100644 --- a/pkg/switch/ztrust.go +++ b/pkg/switch/ztrust.go @@ -168,6 +168,10 @@ func (z *ZTrust) Chain() string { func (z *ZTrust) Initialize() { z.chain = cn.NewFireWallChain(z.Chain(), cn.TMangle, "") + z.chain.AddRule(cn.IPRule{ + CtState: "RELATED,ESTABLISHED", + Comment: "Forwarding Accpted", + }) z.chain.AddRule(cn.IPRule{ Comment: "ZTrust Deny All", Jump: "DROP", 
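Review bot: The chain now carries a `RELATED,ESTABLISHED` rule followed by the terminal `DROP`, so every per-guest allow rule must land ahead of that `DROP` (inserted with `-I`, or appended before `Initialize` adds the deny rule); an appended guest rule would sit behind the DROP and never match, and nothing in this hunk records that constraint — add `// Order matters: guest allow rules are inserted above; the final DROP must stay last.` above the deny rule. The `RELATED,ESTABLISHED` rule carries no `Jump`, so whether it accepts or merely falls through depends on `cn.IPRule` defaults not visible here; it kept the shape it had in `Mangle.Pre`, so presumably unchanged behaviour, but a one-line comment stating the intended verdict would help the next reader. The rule's iptables comment `Forwarding Accpted` (typo for "Accepted") was carried over into the new code. `Initialize` continues outside the hunk.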
@@ -196,7 +200,6 @@ func (z *ZTrust) Update() { for _, guest := range z.guests { guest.Clear() } - time.Sleep(time.Second * 3) } }