fea: enable ztrust by cli.

This commit is contained in:
Daniel Ding
2024-09-01 13:11:39 +08:00
parent d8d33b6621
commit 8a342ec3e0
21 changed files with 416 additions and 1221 deletions


@@ -30,28 +30,6 @@ func (a *App) Flags() []cli.Flag {
var flags []cli.Flag var flags []cli.Flag
switch Version { switch Version {
case "v6":
flags = append(flags,
&cli.StringFlag{
Name: "format",
Aliases: []string{"f"},
Usage: "output format: json|yaml",
Value: "yaml",
})
flags = append(flags,
&cli.StringFlag{
Name: "conf",
Aliases: []string{"c"},
Usage: "confd server connection",
Value: Server,
})
flags = append(flags,
&cli.StringFlag{
Name: "database",
Aliases: []string{"d"},
Usage: "confd database",
Value: Database,
})
default: default:
flags = append(flags, flags = append(flags,
&cli.StringFlag{ &cli.StringFlag{


@@ -38,6 +38,5 @@ func Commands(app *api.App) {
IPSec{}.Commands(app) IPSec{}.Commands(app)
Version{}.Commands(app) Version{}.Commands(app)
Log{}.Commands(app) Log{}.Commands(app)
Guest{}.Commands(app) ZTrust{}.Commands(app)
Knock{}.Commands(app)
} }


@@ -1,120 +0,0 @@
package v5
import (
"strings"
"github.com/luscis/openlan/cmd/api"
"github.com/luscis/openlan/pkg/libol"
"github.com/luscis/openlan/pkg/schema"
"github.com/urfave/cli/v2"
)
type Guest struct {
Cmd
}
func (u Guest) Url(prefix, name string) string {
name, network := api.SplitName(name)
if network == "" {
return prefix + "/api/network/" + name + "/guest"
}
return prefix + "/api/network/" + network + "/guest/" + name
}
func (u Guest) Add(c *cli.Context) error {
username := c.String("name")
if !strings.Contains(username, "@") {
return libol.NewErr("invalid username")
}
guest := &schema.ZGuest{
Name: username,
Address: c.String("address"),
}
guest.Name, guest.Network = api.SplitName(username)
url := u.Url(c.String("url"), username)
clt := u.NewHttp(c.String("token"))
if err := clt.PostJSON(url, guest, nil); err != nil {
return err
}
return nil
}
func (u Guest) Remove(c *cli.Context) error {
username := c.String("name")
if !strings.Contains(username, "@") {
return libol.NewErr("invalid username")
}
guest := &schema.ZGuest{
Name: username,
Address: c.String("address"),
}
guest.Name, guest.Network = api.SplitName(username)
url := u.Url(c.String("url"), username)
clt := u.NewHttp(c.String("token"))
if err := clt.DeleteJSON(url, guest, nil); err != nil {
return err
}
return nil
}
func (u Guest) Tmpl() string {
return `# total {{ len . }}
{{ps -24 "username"}} {{ps -24 "address"}}
{{- range . }}
{{p2 -24 "%s@%s" .Name .Network}} {{ps -24 .Address}}
{{- end }}
`
}
func (u Guest) List(c *cli.Context) error {
network := c.String("network")
url := u.Url(c.String("url"), network)
clt := u.NewHttp(c.String("token"))
var items []schema.ZGuest
if err := clt.GetJSON(url, &items); err != nil {
return err
}
return u.Out(items, c.String("format"), u.Tmpl())
}
func (u Guest) Commands(app *api.App) {
name := api.GetUser(api.Token)
app.Command(&cli.Command{
Name: "guest",
Aliases: []string{"gu"},
Usage: "ZTrust Guest configuration",
Subcommands: []*cli.Command{
{
Name: "add",
Usage: "Add a zGuest",
Flags: []cli.Flag{
&cli.StringFlag{Name: "name", Value: name},
&cli.StringFlag{Name: "address"},
},
Action: u.Add,
},
{
Name: "remove",
Usage: "Remove an existing zGuest",
Aliases: []string{"rm"},
Flags: []cli.Flag{
&cli.StringFlag{Name: "name", Value: name},
&cli.StringFlag{Name: "address"},
},
Action: u.Remove,
},
{
Name: "list",
Usage: "Display all zGuests",
Aliases: []string{"ls"},
Flags: []cli.Flag{
&cli.StringFlag{Name: "network", Value: name},
},
Action: u.List,
},
},
})
}


@@ -1,125 +0,0 @@
package v5
import (
"strings"
"github.com/luscis/openlan/cmd/api"
"github.com/luscis/openlan/pkg/libol"
"github.com/luscis/openlan/pkg/schema"
"github.com/urfave/cli/v2"
)
type Knock struct {
Cmd
}
func (u Knock) Url(prefix, name string) string {
name, network := api.SplitName(name)
return prefix + "/api/network/" + network + "/guest/" + name + "/knock"
}
func (u Knock) Add(c *cli.Context) error {
username := c.String("name")
if !strings.Contains(username, "@") {
return libol.NewErr("invalid username")
}
socket := c.String("socket")
knock := &schema.KnockRule{
Protocol: c.String("protocol"),
Age: c.Int("age"),
}
knock.Name, knock.Network = api.SplitName(username)
knock.Dest, knock.Port = api.SplitSocket(socket)
url := u.Url(c.String("url"), username)
clt := u.NewHttp(c.String("token"))
if err := clt.PostJSON(url, knock, nil); err != nil {
return err
}
return nil
}
func (u Knock) Remove(c *cli.Context) error {
username := c.String("name")
if !strings.Contains(username, "@") {
return libol.NewErr("invalid username")
}
socket := c.String("socket")
knock := &schema.KnockRule{
Protocol: c.String("protocol"),
}
knock.Name, knock.Network = api.SplitName(username)
knock.Dest, knock.Port = api.SplitSocket(socket)
url := u.Url(c.String("url"), username)
clt := u.NewHttp(c.String("token"))
if err := clt.DeleteJSON(url, knock, nil); err != nil {
return err
}
return nil
}
func (u Knock) Tmpl() string {
return `# total {{ len . }}
{{ps -24 "username"}} {{ps -8 "protocol"}} {{ps -24 "socket"}} {{ps -4 "age"}} {{ps -24 "createAt"}}
{{- range . }}
{{p2 -24 "%s@%s" .Name .Network}} {{ps -8 .Protocol}} {{p2 -24 "%s:%s" .Dest .Port}} {{pi -4 .Age}} {{ut .CreateAt}}
{{- end }}
`
}
func (u Knock) List(c *cli.Context) error {
name := c.String("name")
url := u.Url(c.String("url"), name)
clt := u.NewHttp(c.String("token"))
var items []schema.KnockRule
if err := clt.GetJSON(url, &items); err != nil {
return err
}
return u.Out(items, c.String("format"), u.Tmpl())
}
func (u Knock) Commands(app *api.App) {
name := api.GetUser(api.Token)
app.Command(&cli.Command{
Name: "knock",
Aliases: []string{"kn"},
Usage: "Knock configuration",
Subcommands: []*cli.Command{
{
Name: "add",
Usage: "Add a knock",
Flags: []cli.Flag{
&cli.StringFlag{Name: "name", Value: name},
&cli.StringFlag{Name: "protocol"},
&cli.StringFlag{Name: "socket"},
&cli.IntFlag{Name: "age", Value: 60},
},
Action: u.Add,
},
{
Name: "remove",
Usage: "Remove an existing knock",
Aliases: []string{"rm"},
Flags: []cli.Flag{
&cli.StringFlag{Name: "name", Value: name},
&cli.StringFlag{Name: "protocol"},
&cli.StringFlag{Name: "socket"},
},
Action: u.Remove,
},
{
Name: "list",
Usage: "Display all knock",
Aliases: []string{"ls"},
Flags: []cli.Flag{
&cli.StringFlag{Name: "name", Value: name},
},
Action: u.List,
},
},
})
}


@@ -86,14 +86,6 @@ func (u Network) Save(c *cli.Context) error {
} }
func (u Network) Commands(app *api.App) { func (u Network) Commands(app *api.App) {
point := Point{}
client := VPNClient{}
route := Route{}
link := Link{}
openvpn := OpenVpn{}
output := Output{}
qos := Qos{}
findhop := FindHop{}
app.Command(&cli.Command{ app.Command(&cli.Command{
Name: "network", Name: "network",
Aliases: []string{"net"}, Aliases: []string{"net"},
@@ -128,14 +120,14 @@ func (u Network) Commands(app *api.App) {
Aliases: []string{"sa"}, Aliases: []string{"sa"},
Action: u.Save, Action: u.Save,
}, },
point.Commands(), Point{}.Commands(),
qos.Commands(), Qos{}.Commands(),
client.Commands(), VPNClient{}.Commands(),
openvpn.Commands(), OpenVPN{}.Commands(),
output.Commands(), Output{}.Commands(),
route.Commands(), Route{}.Commands(),
link.Commands(), Link{}.Commands(),
findhop.Commands(), FindHop{}.Commands(),
}, },
}) })
} }


@@ -61,15 +61,15 @@ func (u VPNClient) Commands() *cli.Command {
} }
} }
type OpenVpn struct { type OpenVPN struct {
Cmd Cmd
} }
func (o OpenVpn) Url(prefix, name string) string { func (o OpenVPN) Url(prefix, name string) string {
return prefix + "/api/network/" + name + "/openvpn/restart" return prefix + "/api/network/" + name + "/openvpn/restart"
} }
func (o OpenVpn) Restart(c *cli.Context) error { func (o OpenVPN) Restart(c *cli.Context) error {
network := c.String("name") network := c.String("name")
url := o.Url(c.String("url"), network) url := o.Url(c.String("url"), network)
@@ -81,16 +81,15 @@ func (o OpenVpn) Restart(c *cli.Context) error {
return nil return nil
} }
func (o OpenVpn) Commands() *cli.Command { func (o OpenVPN) Commands() *cli.Command {
return &cli.Command{ return &cli.Command{
Name: "openvpn", Name: "openvpn",
Usage: "Control OpenVPN", Usage: "Control OpenVPN",
Subcommands: []*cli.Command{ Subcommands: []*cli.Command{
{ {
Name: "restart", Name: "restart",
Usage: "restart openvpn for the network", Usage: "restart openvpn for the network",
Aliases: []string{"ro"}, Action: o.Restart,
Action: o.Restart,
}, },
}, },
} }
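Review bot: The `ro` alias on `openvpn restart` disappears at the old line `Aliases: []string{"ro"}`, while the rest of the hunk only renames `OpenVpn` to `OpenVPN`, so any script invoking `openlan network openvpn ro` breaks and neither the commit title nor the docs change mentions it. If dropping the alias is intended, say so in the commit description; otherwise keep `Aliases: []string{"ro"},` next to `Action: o.Restart,`. The exported type rename is itself a breaking change for anything importing `cmd/api/v5`, which is probably acceptable for a command package but is worth a line in the description too.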


@@ -10,12 +10,11 @@ type Qos struct {
} }
func (q Qos) Commands() *cli.Command { func (q Qos) Commands() *cli.Command {
rule := QosRule{}
return &cli.Command{ return &cli.Command{
Name: "qos", Name: "qos",
Usage: "QoS for client in network", Usage: "QoS for client in network",
Subcommands: []*cli.Command{ Subcommands: []*cli.Command{
rule.Commands(), QosRule{}.Commands(),
}, },
} }
} }

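--- /dev/null
+++ b/cmd/api/v5/ztrust.go
@@ -0,0 +1,263 @@
+package v5
+import (
+"github.com/luscis/openlan/cmd/api"
+"github.com/luscis/openlan/pkg/schema"
+"github.com/urfave/cli/v2"
+)
+type ZTrust struct {
+Cmd
+}
+func (z ZTrust) Url(prefix, network, action string) string {
+return prefix + "/api/network/" + network + "/ztrust/" + action
+}
+func (z ZTrust) Enable(c *cli.Context) error {
+name := c.String("network")
+url := z.Url(c.String("url"), name, "enable")
+clt := z.NewHttp(c.String("token"))
+if err := clt.PostJSON(url, nil, nil); err != nil {
+return err
+}
+return nil
+}
+func (z ZTrust) Disable(c *cli.Context) error {
+name := c.String("network")
+url := z.Url(c.String("url"), name, "disable")
+clt := z.NewHttp(c.String("token"))
+if err := clt.PostJSON(url, nil, nil); err != nil {
+return err
+}
+return nil
+}
+func (z ZTrust) Commands(app *api.App) {
+name := api.GetUser(api.Token)
+user, network := api.SplitName(name)
+app.Command(&cli.Command{
+Name: "ztrust",
+Usage: "Control Zero Trust",
+Flags: []cli.Flag{
+&cli.StringFlag{Name: "network", Value: network},
+},
+Subcommands: []*cli.Command{
+{
+Name: "enable",
+Usage: "Enable zTrust",
+Action: z.Enable,
+},
+{
+Name: "disable",
+Usage: "Disable zTrust",
+Action: z.Disable,
+},
+Guest{}.Commands(user),
+Knock{}.Commands(user),
+},
+})
+}
+type Guest struct {
+Cmd
+}
+func (u Guest) Url(prefix, network, name string) string {
+if name == "" {
+return prefix + "/api/network/" + network + "/guest"
+}
+return prefix + "/api/network/" + network + "/guest/" + name
+}
+func (u Guest) Add(c *cli.Context) error {
+guest := &schema.ZGuest{
+Address: c.String("address"),
+Name: c.String("user"),
+Network: c.String("network"),
+}
+url := u.Url(c.String("url"), guest.Network, guest.Name)
+clt := u.NewHttp(c.String("token"))
+if err := clt.PostJSON(url, guest, nil); err != nil {
+return err
+}
+return nil
+}
+func (u Guest) Remove(c *cli.Context) error {
+guest := &schema.ZGuest{
+Name: c.String("user"),
+Network: c.String("network"),
+Address: c.String("address"),
+}
+url := u.Url(c.String("url"), guest.Network, guest.Name)
+clt := u.NewHttp(c.String("token"))
+if err := clt.DeleteJSON(url, guest, nil); err != nil {
+return err
+}
+return nil
+}
+func (u Guest) Tmpl() string {
+return `# total {{ len . }}
+{{ps -24 "username"}} {{ps -24 "address"}}
+{{- range . }}
+{{p2 -24 "%s@%s" .Name .Network}} {{ps -24 .Address}}
+{{- end }}
+`
+}
+func (u Guest) List(c *cli.Context) error {
+network := c.String("network")
+url := u.Url(c.String("url"), network, "")
+clt := u.NewHttp(c.String("token"))
+var items []schema.ZGuest
+if err := clt.GetJSON(url, &items); err != nil {
+return err
+}
+return u.Out(items, c.String("format"), u.Tmpl())
+}
+func (u Guest) Commands(user string) *cli.Command {
+return &cli.Command{
+Name: "guest",
+Usage: "zTrust Guest configuration",
+Subcommands: []*cli.Command{
+{
+Name: "add",
+Usage: "Add a zGuest",
+Flags: []cli.Flag{
+&cli.StringFlag{Name: "user", Value: user},
+&cli.StringFlag{Name: "address"},
+},
+Action: u.Add,
+},
+{
+Name: "remove",
+Usage: "Remove an existing zGuest",
+Aliases: []string{"rm"},
+Flags: []cli.Flag{
+&cli.StringFlag{Name: "user", Value: user},
+},
+Action: u.Remove,
+},
+{
+Name: "list",
+Usage: "Display all zGuests",
+Aliases: []string{"ls"},
+Action: u.List,
+},
+},
+}
+}
+type Knock struct {
+Cmd
+}
+func (u Knock) Url(prefix, network, name string) string {
+return prefix + "/api/network/" + network + "/guest/" + name + "/knock"
+}
+func (u Knock) Add(c *cli.Context) error {
+socket := c.String("socket")
+knock := &schema.KnockRule{
+Protocol: c.String("protocol"),
+Age: c.Int("age"),
+Name: c.String("user"),
+Network: c.String("network"),
+}
+knock.Dest, knock.Port = api.SplitSocket(socket)
+url := u.Url(c.String("url"), knock.Network, knock.Name)
+clt := u.NewHttp(c.String("token"))
+if err := clt.PostJSON(url, knock, nil); err != nil {
+return err
+}
+return nil
+}
+func (u Knock) Remove(c *cli.Context) error {
+socket := c.String("socket")
+knock := &schema.KnockRule{
+Protocol: c.String("protocol"),
+Name: c.String("user"),
+Network: c.String("network"),
+}
+knock.Dest, knock.Port = api.SplitSocket(socket)
+url := u.Url(c.String("url"), knock.Network, knock.Name)
+clt := u.NewHttp(c.String("token"))
+if err := clt.DeleteJSON(url, knock, nil); err != nil {
+return err
+}
+return nil
+}
+func (u Knock) Tmpl() string {
+return `# total {{ len . }}
+{{ps -24 "username"}} {{ps -8 "protocol"}} {{ps -24 "socket"}} {{ps -4 "age"}} {{ps -24 "createAt"}}
+{{- range . }}
+{{p2 -24 "%s@%s" .Name .Network}} {{ps -8 .Protocol}} {{p2 -24 "%s:%s" .Dest .Port}} {{pi -4 .Age}} {{ut .CreateAt}}
+{{- end }}
+`
+}
+func (u Knock) List(c *cli.Context) error {
+network := c.String("network")
+user := c.String("user")
+url := u.Url(c.String("url"), network, user)
+clt := u.NewHttp(c.String("token"))
+var items []schema.KnockRule
+if err := clt.GetJSON(url, &items); err != nil {
+return err
+}
+return u.Out(items, c.String("format"), u.Tmpl())
+}
+func (u Knock) Commands(user string) *cli.Command {
+return &cli.Command{
+Name: "knock",
+Usage: "Knock configuration",
+Subcommands: []*cli.Command{
+{
+Name: "add",
+Usage: "Add a knock",
+Flags: []cli.Flag{
+&cli.StringFlag{Name: "user", Value: user},
+&cli.StringFlag{Name: "protocol", Required: true},
+&cli.StringFlag{Name: "socket", Required: true},
+&cli.IntFlag{Name: "age", Value: 60},
+},
+Action: u.Add,
+},
+{
+Name: "remove",
+Usage: "Remove an existing knock",
+Aliases: []string{"rm"},
+Flags: []cli.Flag{
+&cli.StringFlag{Name: "user", Value: user},
+&cli.StringFlag{Name: "protocol", Required: true},
+&cli.StringFlag{Name: "socket", Required: true},
+},
+Action: u.Remove,
+},
+{
+Name: "list",
+Usage: "Display all knock",
+Aliases: []string{"ls"},
+Flags: []cli.Flag{
+&cli.StringFlag{Name: "user", Value: user},
+},
+Action: u.List,
+},
+},
+}
+}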
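Review bot: `Guest.Add`/`Guest.Remove` and both `Knock` handlers no longer validate the target before building the URL: the deleted guest.go and knock.go rejected a name without `@`, whereas here `--user` defaults to whatever `api.GetUser(api.Token)` yields, and `Guest.Url` silently falls back to the collection path `/api/network/<net>/guest` whenever the name is empty, so `ztrust guest rm` run with no token and no `--user` sends a DELETE to the collection rather than to one guest (what the server does with that is outside this hunk); `Knock.Url` has the same gap and yields `/guest//knock`. Both values are also spliced raw into the request path, so a `--user` or `--network` containing `/`, `..` or `?` rewrites the path, which `url.PathEscape` from `net/url` would prevent. The `address` read in `Guest.Remove` has no matching flag on the `remove` subcommand and is always empty, so it can go. The exported `ZTrust`, `Guest` and `Knock` types and their `Url` helpers also lack doc comments, e.g. `// Url returns the endpoint for one guest, or the guest collection when name is empty.`. A shared guard using `libol.NewErr`, as the deleted files did (the `libol` import would need restoring), is sketched below.
```go
// requireTarget rejects the empty defaults left by api.GetUser when no token is
// set, so a missing --user can never collapse the guest URL onto the collection
// endpoint or produce "/guest//knock".
func requireTarget(network, user string) error {
	if network == "" || user == "" {
		return libol.NewErr("--network and --user are required")
	}
	return nil
}

func (u Guest) Remove(c *cli.Context) error {
	guest := &schema.ZGuest{
		Name:    c.String("user"),
		Network: c.String("network"),
	}
	if err := requireTarget(guest.Network, guest.Name); err != nil {
		return err
	}
	// … unchanged: build url via u.Url, NewHttp, DeleteJSON …
}
```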


@@ -1,29 +0,0 @@
package v6
import (
"github.com/luscis/openlan/cmd/api"
"github.com/luscis/openlan/pkg/database"
"github.com/urfave/cli/v2"
)
func Before(c *cli.Context) error {
if _, err := database.NewConfClient(nil); err == nil {
return nil
} else {
return err
}
}
func After(c *cli.Context) error {
return nil
}
func Commands(app *api.App) {
app.After = After
app.Before = Before
Switch{}.Commands(app)
Network{}.Commands(app)
Link{}.Commands(app)
Name{}.Commands(app)
Prefix{}.Commands(app)
}


@@ -1,262 +0,0 @@
package v6
import (
"github.com/luscis/openlan/cmd/api"
"github.com/luscis/openlan/pkg/database"
"github.com/luscis/openlan/pkg/libol"
"github.com/ovn-org/libovsdb/model"
"github.com/ovn-org/libovsdb/ovsdb"
"github.com/urfave/cli/v2"
"sort"
"strings"
)
type Link struct {
}
func (l Link) List(c *cli.Context) error {
var lsLn []database.VirtualLink
network := c.String("network")
if err := database.Client.WhereList(
func(l *database.VirtualLink) bool {
return network == "" || l.Network == network
}, &lsLn); err != nil {
return err
} else {
sort.SliceStable(lsLn, func(i, j int) bool {
ii := lsLn[i]
jj := lsLn[j]
return ii.Network+ii.UUID > jj.Network+jj.UUID
})
return api.Out(lsLn, c.String("format"), "")
}
}
func GetUserPassword(auth string) (string, string) {
values := strings.SplitN(auth, ":", 2)
if len(values) == 2 {
return values[0], values[1]
}
return auth, auth
}
func GetDeviceName(conn, device string) string {
if libol.GetPrefix(conn, 4) == "spi:" {
return conn
} else {
return device
}
}
func (l Link) Add(c *cli.Context) error {
auth := c.String("authentication")
connection := c.String("connection")
device := c.String("device")
lsLn := database.VirtualLink{
UUID: c.String("uuid"),
Network: c.String("network"),
Connection: connection,
Device: device,
}
remoteAddr := c.String("remote-address")
user, pass := GetUserPassword(auth)
if err := database.Client.Get(&lsLn); err == nil {
lsVn := database.VirtualNetwork{
Name: lsLn.Network,
}
if lsVn.Name == "" {
return libol.NewErr("network is nil")
}
if err := database.Client.Get(&lsVn); err != nil {
return libol.NewErr("find network %s: %s", lsVn.Name, err)
}
newLn := lsLn
if connection != "" {
newLn.Connection = connection
}
if user != "" {
newLn.Authentication["username"] = user
}
if pass != "" {
newLn.Authentication["password"] = pass
}
if remoteAddr != "" {
newLn.OtherConfig["remote_address"] = remoteAddr
}
if device != "" {
newLn.Device = device
}
ops, err := database.Client.Where(&lsLn).Update(&newLn)
if err != nil {
return err
}
if ret, err := database.Client.Transact(ops...); err != nil {
return err
} else {
database.PrintError(ret)
}
} else {
lsVn := database.VirtualNetwork{
Name: c.String("network"),
}
if lsVn.Name == "" {
return libol.NewErr("network is nil")
}
if err := database.Client.Get(&lsVn); err != nil {
return libol.NewErr("find network %s: %s", lsVn.Name, err)
}
uuid := c.String("uuid")
if uuid == "" {
uuid = database.GenUUID()
}
newLn := database.VirtualLink{
Network: lsLn.Network,
Connection: lsLn.Connection,
UUID: uuid,
Device: GetDeviceName(connection, device),
Authentication: map[string]string{
"username": user,
"password": pass,
},
OtherConfig: map[string]string{
"local_address": lsVn.Address,
"remote_address": remoteAddr,
},
}
ops, err := database.Client.Create(&newLn)
if err != nil {
return err
}
libol.Debug("Link.Add %s %s", ops, lsVn)
database.Client.Execute(ops)
ops, err = database.Client.Where(&lsVn).Mutate(&lsVn, model.Mutation{
Field: &lsVn.LocalLinks,
Mutator: ovsdb.MutateOperationInsert,
Value: []string{newLn.UUID},
})
if err != nil {
return err
}
libol.Debug("Link.Add %s", ops)
database.Client.Execute(ops)
if ret, err := database.Client.Commit(); err != nil {
return err
} else {
database.PrintError(ret)
}
}
return nil
}
func (l Link) Remove(c *cli.Context) error {
lsLn := database.VirtualLink{
Network: c.String("network"),
Connection: c.String("connection"),
UUID: c.String("uuid"),
}
if err := database.Client.Get(&lsLn); err != nil {
return err
}
lsVn := database.VirtualNetwork{
Name: lsLn.Network,
}
if err := database.Client.Get(&lsVn); err != nil {
return libol.NewErr("find network %s: %s", lsVn.Name, err)
}
if err := database.Client.Get(&lsLn); err != nil {
return err
}
ops, err := database.Client.Where(&lsLn).Delete()
if err != nil {
return err
}
libol.Debug("Link.Remove %s", ops)
database.Client.Execute(ops)
ops, err = database.Client.Where(&lsVn).Mutate(&lsVn, model.Mutation{
Field: &lsVn.LocalLinks,
Mutator: ovsdb.MutateOperationDelete,
Value: []string{lsLn.UUID},
})
if err != nil {
return err
}
libol.Debug("Link.Remove %s", ops)
database.Client.Execute(ops)
if ret, err := database.Client.Commit(); err != nil {
return err
} else {
database.PrintError(ret)
}
return nil
}
func (l Link) Commands(app *api.App) {
app.Command(&cli.Command{
Name: "link",
Aliases: []string{"li"},
Usage: "Virtual Link",
Subcommands: []*cli.Command{
{
Name: "list",
Usage: "List virtual links",
Aliases: []string{"ls"},
Flags: []cli.Flag{
&cli.StringFlag{
Name: "network",
Usage: "the network name",
},
},
Action: l.List,
},
{
Name: "add",
Usage: "Add a virtual link",
Flags: []cli.Flag{
&cli.StringFlag{
Name: "uuid",
},
&cli.StringFlag{
Name: "network",
Usage: "the network name",
},
&cli.StringFlag{
Name: "connection",
Value: "any",
Usage: "connection for remote server",
},
&cli.StringFlag{
Name: "device",
Usage: "the device name, like spi:10",
},
&cli.StringFlag{
Name: "authentication",
Usage: "user and password for authentication",
},
&cli.StringFlag{
Name: "remote-address",
Usage: "remote address in this link",
},
},
Action: l.Add,
},
{
Name: "del",
Usage: "Del a virtual link",
Flags: []cli.Flag{
&cli.StringFlag{
Name: "uuid",
},
&cli.StringFlag{
Name: "network",
Usage: "the network name",
},
&cli.StringFlag{
Name: "connection",
Usage: "connection for remote server",
},
},
Action: l.Remove,
},
},
})
}


@@ -1,146 +0,0 @@
package v6
import (
"github.com/luscis/openlan/cmd/api"
"github.com/luscis/openlan/pkg/database"
"github.com/luscis/openlan/pkg/libol"
"github.com/urfave/cli/v2"
"net"
"sort"
"time"
)
type Name struct {
}
func (u Name) List(c *cli.Context) error {
var listNa []database.NameCache
if err := database.Client.List(&listNa); err != nil {
return err
} else {
sort.SliceStable(listNa, func(i, j int) bool {
ii := listNa[i]
jj := listNa[j]
return ii.UUID > jj.UUID
})
return api.Out(listNa, c.String("format"), "")
}
}
func (u Name) Add(c *cli.Context) error {
name := c.String("name")
lsNa := database.NameCache{
Name: name,
UUID: c.String("uuid"),
}
if lsNa.Name == "" && lsNa.UUID == "" {
return libol.NewErr("Name is nil")
}
address := c.String("address")
if address == "" {
addrIps, _ := net.LookupIP(lsNa.Name)
if len(addrIps) > 0 {
address = addrIps[0].String()
}
}
newNa := lsNa
if name != "" {
newNa.Name = name
}
if address != "" {
newNa.Address = address
}
newNa.UpdateAt = time.Now().Format("2006-01-02T15:04")
if err := database.Client.Get(&lsNa); err == nil {
if lsNa.Address != address {
ops, err := database.Client.Where(&lsNa).Update(&newNa)
if err != nil {
return err
}
if ret, err := database.Client.Transact(ops...); err != nil {
return err
} else {
database.PrintError(ret)
}
}
} else {
ops, err := database.Client.Create(&newNa)
if err != nil {
return err
}
libol.Debug("Name.Add %s", ops)
if ret, err := database.Client.Transact(ops...); err != nil {
return err
} else {
database.PrintError(ret)
}
}
return nil
}
func (u Name) Remove(c *cli.Context) error {
lsNa := database.NameCache{
Name: c.String("name"),
UUID: c.String("uuid"),
}
if err := database.Client.Get(&lsNa); err != nil {
return nil
}
ops, err := database.Client.Where(&lsNa).Delete()
if err != nil {
return err
}
libol.Debug("Name.Remove %s", ops)
database.Client.Execute(ops)
if ret, err := database.Client.Commit(); err != nil {
return err
} else {
database.PrintError(ret)
}
return nil
}
func (u Name) Commands(app *api.App) {
app.Command(&cli.Command{
Name: "name",
Aliases: []string{"na"},
Usage: "Name cache",
Subcommands: []*cli.Command{
{
Name: "list",
Usage: "List name cache",
Aliases: []string{"ls"},
Action: u.List,
},
{
Name: "add",
Usage: "Add or update name cache",
Flags: []cli.Flag{
&cli.StringFlag{
Name: "uuid",
},
&cli.StringFlag{
Name: "name",
},
&cli.StringFlag{
Name: "address",
},
},
Action: u.Add,
},
{
Name: "del",
Usage: "Delete a name cache",
Flags: []cli.Flag{
&cli.StringFlag{
Name: "uuid",
},
&cli.StringFlag{
Name: "name",
},
},
Action: u.Remove,
},
},
})
}


@@ -1,154 +0,0 @@
package v6
import (
"github.com/luscis/openlan/cmd/api"
"github.com/luscis/openlan/pkg/database"
"github.com/luscis/openlan/pkg/libol"
"github.com/ovn-org/libovsdb/model"
"github.com/ovn-org/libovsdb/ovsdb"
"github.com/urfave/cli/v2"
"sort"
)
type Network struct {
}
func (u Network) List(c *cli.Context) error {
var listVn []database.VirtualNetwork
err := database.Client.List(&listVn)
if err != nil {
return err
}
sort.SliceStable(listVn, func(i, j int) bool {
ii := listVn[i]
jj := listVn[j]
return ii.UUID > jj.UUID
})
return api.Out(listVn, c.String("format"), "")
}
func (u Network) Add(c *cli.Context) error {
name := c.String("name")
if name == "" {
return libol.NewErr("name is nil")
}
oldVn := database.VirtualNetwork{Name: name}
if err := database.Client.Get(&oldVn); err == nil {
return libol.NewErr("network %s already existed.", oldVn.Name)
}
address := c.String("address")
provider := c.String("provider")
newVn := database.VirtualNetwork{
Name: name,
Address: address,
Bridge: "br-" + name,
UUID: database.GenUUID(),
Provider: provider,
}
ops, err := database.Client.Create(&newVn)
if err != nil {
return err
}
libol.Debug("Network.Add %s", ops)
database.Client.Execute(ops)
sw, err := database.Client.Switch()
if err != nil {
return err
}
ops, err = database.Client.Where(sw).Mutate(sw, model.Mutation{
Field: &sw.VirtualNetworks,
Mutator: ovsdb.MutateOperationInsert,
Value: []string{newVn.UUID},
})
if err != nil {
return err
}
libol.Debug("Network.Add %s", ops)
database.Client.Execute(ops)
if ret, err := database.Client.Commit(); err != nil {
return err
} else {
database.PrintError(ret)
}
return nil
}
func (u Network) Remove(c *cli.Context) error {
name := c.String("name")
oldVn := database.VirtualNetwork{
Name: name,
}
if err := database.Client.Get(&oldVn); err != nil {
return err
}
ops, err := database.Client.Where(&oldVn).Delete()
if err != nil {
return err
}
libol.Debug("Switch.Remove %s", ops)
database.Client.Execute(ops)
sw, err := database.Client.Switch()
if err != nil {
return err
}
ops, err = database.Client.Where(sw).Mutate(sw, model.Mutation{
Field: &sw.VirtualNetworks,
Mutator: ovsdb.MutateOperationDelete,
Value: []string{oldVn.UUID},
})
if err != nil {
return err
}
libol.Debug("Network.Remove %s", ops)
database.Client.Execute(ops)
if ret, err := database.Client.Commit(); err != nil {
return err
} else {
database.PrintError(ret)
}
return nil
}
func (u Network) Commands(app *api.App) {
app.Command(&cli.Command{
Name: "network",
Aliases: []string{"ne"},
Usage: "Virtual network",
Subcommands: []*cli.Command{
{
Name: "list",
Usage: "List virtual networks",
Aliases: []string{"ls"},
Action: u.List,
},
{
Name: "add",
Usage: "Add a virtual network",
Flags: []cli.Flag{
&cli.StringFlag{
Name: "name",
Usage: "unique name with short long"},
&cli.StringFlag{
Name: "provider",
Value: "openlan",
Usage: "provider name"},
&cli.StringFlag{
Name: "address",
Value: "169.255.169.0/24",
Usage: "ip address"},
},
Action: u.Add,
},
{
Name: "del",
Usage: "Del a virtual network",
Flags: []cli.Flag{
&cli.StringFlag{
Name: "name",
Usage: "unique name with short long"},
},
Action: u.Remove,
},
},
})
}


@@ -1,171 +0,0 @@
package v6
import (
"github.com/luscis/openlan/cmd/api"
"github.com/luscis/openlan/pkg/database"
"github.com/luscis/openlan/pkg/libol"
"github.com/ovn-org/libovsdb/model"
"github.com/ovn-org/libovsdb/ovsdb"
"github.com/urfave/cli/v2"
"sort"
)
type Prefix struct {
}
func (u Prefix) List(c *cli.Context) error {
var list []database.PrefixRoute
if err := database.Client.List(&list); err != nil {
return err
} else {
sort.SliceStable(list, func(i, j int) bool {
ii := list[i]
jj := list[j]
return ii.UUID > jj.UUID
})
return api.Out(list, c.String("format"), "")
}
}
func (u Prefix) Add(c *cli.Context) error {
lsVn := database.VirtualNetwork{
Name: c.String("network"),
}
if lsVn.Name == "" {
return libol.NewErr("network is nil")
}
if err := database.Client.Get(&lsVn); err != nil {
return libol.NewErr("find network %s: %s", lsVn.Name, err)
}
newPf := database.PrefixRoute{
UUID: database.GenUUID(),
Network: lsVn.Name,
Source: c.String("source"),
Prefix: c.String("prefix"),
Gateway: c.String("gateway"),
Mode: c.String("mode"),
}
ops, err := database.Client.Create(&newPf)
if err != nil {
return err
}
libol.Debug("Prefix.Add %s %s", ops, lsVn)
database.Client.Execute(ops)
ops, err = database.Client.Where(&lsVn).Mutate(&lsVn, model.Mutation{
Field: &lsVn.PrefixRoutes,
Mutator: ovsdb.MutateOperationInsert,
Value: []string{newPf.UUID},
})
if err != nil {
return err
}
libol.Debug("Prefix.Add %s", ops)
database.Client.Execute(ops)
if ret, err := database.Client.Commit(); err != nil {
return err
} else {
database.PrintError(ret)
}
return nil
}
func (u Prefix) Remove(c *cli.Context) error {
lsPf := database.PrefixRoute{
Network: c.String("network"),
Prefix: c.String("prefix"),
UUID: c.String("uuid"),
}
if err := database.Client.Get(&lsPf); err != nil {
return err
}
lsVn := database.VirtualNetwork{
Name: lsPf.Network,
}
if err := database.Client.Get(&lsVn); err != nil {
return libol.NewErr("find network %s: %s", lsVn.Name, err)
}
if err := database.Client.Get(&lsPf); err != nil {
return err
}
ops, err := database.Client.Where(&lsPf).Delete()
if err != nil {
return err
}
libol.Debug("Prefix.Remove %s", ops)
database.Client.Execute(ops)
ops, err = database.Client.Where(&lsVn).Mutate(&lsVn, model.Mutation{
Field: &lsVn.PrefixRoutes,
Mutator: ovsdb.MutateOperationDelete,
Value: []string{lsPf.UUID},
})
if err != nil {
return err
}
libol.Debug("Prefix.Remove %s", ops)
database.Client.Execute(ops)
if ret, err := database.Client.Commit(); err != nil {
return err
} else {
database.PrintError(ret)
}
return nil
}
func (u Prefix) Commands(app *api.App) {
app.Command(&cli.Command{
Name: "route",
Aliases: []string{"ro"},
Usage: "Prefix route",
Subcommands: []*cli.Command{
{
Name: "list",
Usage: "List prefix routes",
Aliases: []string{"ls"},
Action: u.List,
},
{
Name: "add",
Usage: "Add a prefix route",
Flags: []cli.Flag{
&cli.StringFlag{
Name: "network",
Usage: "the network name",
},
&cli.StringFlag{
Name: "prefix",
},
&cli.StringFlag{
Name: "source",
Value: "0.0.0.0/0",
},
&cli.StringFlag{
Name: "gateway",
Value: "local",
},
&cli.StringFlag{
Name: "mode",
Value: "direct",
},
},
Action: u.Add,
},
{
Name: "del",
Usage: "delete a prefix route",
Flags: []cli.Flag{
&cli.StringFlag{
Name: "uuid",
},
&cli.StringFlag{
Name: "network",
Usage: "the network name",
},
&cli.StringFlag{
Name: "prefix",
},
},
Action: u.Remove,
},
},
})
}


@@ -1,85 +0,0 @@
package v6
import (
"github.com/luscis/openlan/cmd/api"
"github.com/luscis/openlan/pkg/database"
"github.com/luscis/openlan/pkg/libol"
"github.com/urfave/cli/v2"
)
type Switch struct {
}
func (u Switch) List(c *cli.Context) error {
var listSw []database.Switch
if err := database.Client.List(&listSw); err == nil {
return api.Out(listSw, c.String("format"), "")
}
return nil
}
func (u Switch) Add(c *cli.Context) error {
protocol := c.String("protocol")
listen := c.Int("listen")
newSw := database.Switch{
Protocol: protocol,
Listen: listen,
}
sw, _ := database.Client.Switch()
if sw == nil {
ops, err := database.Client.Create(&newSw)
if err != nil {
return err
}
libol.Debug("Switch.Add %s", ops)
if ret, err := database.Client.Transact(ops...); err != nil {
return err
} else {
database.PrintError(ret)
}
} else {
ops, err := database.Client.Where(sw).Update(&newSw)
if err != nil {
return err
}
libol.Debug("Switch.Add %s", ops)
if ret, err := database.Client.Transact(ops...); err != nil {
return err
} else {
database.PrintError(ret)
}
}
return nil
}
func (u Switch) Commands(app *api.App) {
app.Command(&cli.Command{
Name: "switch",
Aliases: []string{"sw"},
Usage: "Global switch",
Subcommands: []*cli.Command{
{
Name: "list",
Usage: "List global switch",
Aliases: []string{"ls"},
Action: u.List,
},
{
Name: "add",
Usage: "Add or update switch",
Flags: []cli.Flag{
&cli.StringFlag{
Name: "protocol",
Value: "tcp",
Usage: "used protocol: tcp|udp|http|tls"},
&cli.IntFlag{
Name: "listen",
Value: 10002,
Usage: "listen on port: 1024-65535",
},
},
Action: u.Add,
},
},
})
}


@@ -1,11 +1,11 @@
package main package main
import ( import (
"github.com/luscis/openlan/cmd/api"
"github.com/luscis/openlan/cmd/api/v5"
"github.com/luscis/openlan/cmd/api/v6"
"log" "log"
"os" "os"
"github.com/luscis/openlan/cmd/api"
"github.com/luscis/openlan/cmd/api/v5"
) )
func main() { func main() {
@@ -18,8 +18,6 @@ func main() {
app.New() app.New()
switch api.Version { switch api.Version {
case "v6":
v6.Commands(app)
default: default:
v5.Commands(app) v5.Commands(app)
} }


@@ -2,11 +2,8 @@
## Enable ztrust on a network ## Enable ztrust on a network
``` ```
$ cat /etc/openlan/switch/network/example.json $ openlan ztrust --network example enable
{ $ openlan network --name example sa
...
"ztrust": "enable"
}
$ $
$ systemctl restart openlan-switch $ systemctl restart openlan-switch
$ $
@@ -24,8 +21,8 @@ $
``` ```
$ export TOKEN="daniel@example:<password>" $ export TOKEN="daniel@example:<password>"
$ export URL="https://<your-central-switch-address>:10000" $ export URL="https://<your-central-switch-address>:10000"
$ openlan guest add $ openlan ztrust guest add
$ openlan guest ls $ openlan ztrust guest ls
# total 1 # total 1
username address username address
daniel@example 169.254.15.6 daniel@example 169.254.15.6
@@ -34,9 +31,9 @@ $
## Knock a host service ## Knock a host service
``` ```
$ openlan knock add --protocol icmp --socket 192.168.20.10 $ openlan ztrust knock add --protocol icmp --socket 192.168.20.10
$ openlan knock add --protocol tcp --socket 192.168.20.10:22 $ openlan ztrust knock add --protocol tcp --socket 192.168.20.10:22
$ openlan knock ls $ openlan ztrust knock ls
# total 2 # total 2
username protocol socket age createAt username protocol socket age createAt
daniel@example tcp 192.168.20.10:22 57 2024-01-02 12:42:06 +0000 UTC daniel@example tcp 192.168.20.10:22 57 2024-01-02 12:42:06 +0000 UTC


@@ -89,6 +89,8 @@ type Super interface {
Start(v Switcher) Start(v Switcher)
Stop() Stop()
Reload(v Switcher) Reload(v Switcher)
DoZTrust()
UndoZTrust()
} }
type Networker interface { type Networker interface {
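Review bot: DoZTrust and UndoZTrust are added to the exported Super interface without doc comments, and neither returns anything, so a caller cannot learn whether the runtime rule change actually took effect. Add `// DoZTrust enables zero-trust filtering for the network at runtime.` and `// UndoZTrust disables zero-trust filtering enabled by DoZTrust.` above them, and consider `DoZTrust() error` / `UndoZTrust() error` so the HTTP layer can surface a failed rule insert instead of reporting success unconditionally. Whether the change is persisted is not visible here; the doc page in this commit follows the enable with a separate save, which suggests it is not, so the comment should say so only once confirmed.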


@@ -16,6 +16,8 @@ type ZTrust struct {
func (h ZTrust) Router(router *mux.Router) { func (h ZTrust) Router(router *mux.Router) {
router.HandleFunc("/api/network/{id}/ztrust", h.List).Methods("GET") router.HandleFunc("/api/network/{id}/ztrust", h.List).Methods("GET")
router.HandleFunc("/api/network/{id}/ztrust/enable", h.Enable).Methods("POST")
router.HandleFunc("/api/network/{id}/ztrust/disable", h.Disable).Methods("POST")
router.HandleFunc("/api/network/{id}/guest", h.ListGuest).Methods("GET") router.HandleFunc("/api/network/{id}/guest", h.ListGuest).Methods("GET")
router.HandleFunc("/api/network/{id}/guest/{user}", h.ListGuest).Methods("GET") router.HandleFunc("/api/network/{id}/guest/{user}", h.ListGuest).Methods("GET")
router.HandleFunc("/api/network/{id}/guest/{user}", h.AddGuest).Methods("POST") router.HandleFunc("/api/network/{id}/guest/{user}", h.AddGuest).Methods("POST")
@@ -42,6 +44,32 @@ func (h ZTrust) Get(w http.ResponseWriter, r *http.Request) {
ResponseJson(w, "TODO") ResponseJson(w, "TODO")
} }
func (h ZTrust) Enable(w http.ResponseWriter, r *http.Request) {
vars := mux.Vars(r)
id := vars["id"]
worker := Call.GetWorker(id)
if worker == nil {
http.Error(w, "Network not found", http.StatusBadRequest)
return
}
worker.DoZTrust()
ResponseJson(w, "success")
}
func (h ZTrust) Disable(w http.ResponseWriter, r *http.Request) {
vars := mux.Vars(r)
id := vars["id"]
worker := Call.GetWorker(id)
if worker == nil {
http.Error(w, "Network not found", http.StatusBadRequest)
return
}
worker.UndoZTrust()
ResponseJson(w, "success")
}
func (h ZTrust) ListGuest(w http.ResponseWriter, r *http.Request) { func (h ZTrust) ListGuest(w http.ResponseWriter, r *http.Request) {
vars := mux.Vars(r) vars := mux.Vars(r)
id := vars["id"] id := vars["id"]
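Review bot: Enable and Disable answer `400 Bad Request` when `Call.GetWorker(id)` returns nil; that is a failed lookup, and `http.Error(w, "Network not found", http.StatusNotFound)` is the status a client can act on. Because DoZTrust/UndoZTrust return nothing, a failed iptables insert is still answered with "success"; if the Super methods gain an error return, map it to `http.StatusInternalServerError` here. The two exported handlers also lack doc comments, e.g. `// Enable switches zero-trust filtering on for network {id}; admin token required (see Http.IsAuth).` — the admin-only part follows from IsAuth allowing network users only the `ovpn`/`guest` zones, so state it only if that whitelist is kept.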


@@ -195,27 +195,32 @@ func (h *Http) Shutdown() {
} }
func (h *Http) IsAuth(w http.ResponseWriter, r *http.Request) bool { func (h *Http) IsAuth(w http.ResponseWriter, r *http.Request) bool {
token, pass, ok := r.BasicAuth() user, pass, ok := r.BasicAuth()
libol.Debug("Http.IsAuth token: %s, pass: %s", token, pass) libol.Debug("Http.IsAuth token: %s, pass: %s", user, pass)
if !ok { if !ok {
return false return false
} }
if token == h.adminToken { if user == h.adminToken {
return true return true
} }
elements := strings.SplitN(r.URL.Path, "/", 8) elements := strings.SplitN(r.URL.Path, "/", 8)
if len(elements) > 3 { if len(elements) > 4 {
if elements[2] == "network" { if elements[2] == "network" {
zone := elements[3] network := elements[3]
if !strings.HasSuffix(token, "@"+zone) { if !strings.HasSuffix(user, "@"+network) {
return false return false
} }
if api.UserCheck(token, pass) == nil { zone := elements[4]
return true if api.UserCheck(user, pass) == nil {
// user can URL: /1/2/3/<ovpn|guest>.
if zone == "ovpn" || zone == "guest" {
return true
}
} }
} }
} }
// open URL: /<openvpn-api>/<rest>.
if elements[1] == "openvpn-api" || elements[1] == "rest" { if elements[1] == "openvpn-api" || elements[1] == "rest" {
return true return true
} }
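Review bot: The debug line at the top of IsAuth still writes the Basic-Auth password — and, for admin calls, the admin token itself — to the log in clear text; change it to `libol.Debug("Http.IsAuth user: %s", user)`. The new zone whitelist tightens what a network user may reach, but for `/api/network/{id}/guest/{user}` nothing compares the `{user}` segment (elements[5]) with the authenticated `user`, so any member of a network appears able to add or remove guests on behalf of another member; if that is not intended, add `if len(elements) > 5 && elements[5] != user { return false }` inside the ovpn/guest branch. The admin check `user == h.adminToken` compares a secret with a timing-dependent `==` and ignores the password field; `subtle.ConstantTimeCompare([]byte(user), []byte(h.adminToken)) == 1` is the usual form. The doc page in this commit drives `ztrust knock add` with a user token, yet `knock` is not in the `ovpn|guest` whitelist — if the knock endpoint lives under `/api/network/{id}/knock`, user-authenticated knocks would now be rejected, which is worth confirming. The function's final return is outside the hunk.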


@@ -123,10 +123,8 @@ func (w *WorkerImpl) Initialize() {
w.out.Error("WorkerImpl.Initialize: create ipset: %s %s", out, err) w.out.Error("WorkerImpl.Initialize: create ipset: %s %s", out, err)
} }
if cfg.ZTrust == "enable" { w.ztrust = NewZTrust(cfg.Name, 30)
w.ztrust = NewZTrust(cfg.Name, 30) w.ztrust.Initialize()
w.ztrust.Initialize()
}
w.qos = NewQosCtrl(cfg.Name) w.qos = NewQosCtrl(cfg.Name)
w.qos.Initialize() w.qos.Initialize()
@@ -352,13 +350,12 @@ func (w *WorkerImpl) loadVRF() {
} }
} }
func (w *WorkerImpl) SetMss(mss int) { func (w *WorkerImpl) setMss() {
cfg, _ := w.GetCfgs() cfg, _ := w.GetCfgs()
fire := w.fire
cfg.Bridge.Mss = mss mss := cfg.Bridge.Mss
w.fire.Mangle.Post.AddRuleX(cn.IPRule{
fire.Mangle.Post.AddRule(cn.IPRule{ Order: "-I",
Output: cfg.Bridge.Name, Output: cfg.Bridge.Name,
Proto: "tcp", Proto: "tcp",
Match: "tcp", Match: "tcp",
@@ -367,7 +364,8 @@ func (w *WorkerImpl) SetMss(mss int) {
SetMss: mss, SetMss: mss,
}) })
if w.br != nil { if w.br != nil {
fire.Mangle.Post.AddRule(cn.IPRule{ w.fire.Mangle.Post.AddRuleX(cn.IPRule{
Order: "-I",
Output: w.br.L3Name(), Output: w.br.L3Name(),
Proto: "tcp", Proto: "tcp",
Match: "tcp", Match: "tcp",
@@ -377,7 +375,8 @@ func (w *WorkerImpl) SetMss(mss int) {
}) })
} }
// connect from local // connect from local
fire.Mangle.In.AddRule(cn.IPRule{ w.fire.Mangle.In.AddRuleX(cn.IPRule{
Order: "-I",
Input: cfg.Bridge.Name, Input: cfg.Bridge.Name,
Proto: "tcp", Proto: "tcp",
Match: "tcp", Match: "tcp",
@@ -387,34 +386,64 @@ func (w *WorkerImpl) SetMss(mss int) {
}) })
} }
func (w *WorkerImpl) SetMss(mss int) {
cfg, _ := w.GetCfgs()
if cfg.Bridge.Mss != mss {
cfg.Bridge.Mss = mss
w.setMss()
}
}
func (w *WorkerImpl) doTrust() {
_, vpn := w.GetCfgs()
w.fire.Mangle.Pre.AddRuleX(cn.IPRule{
Input: vpn.Device,
Jump: w.ztrust.Chain(),
Comment: "Goto Zero Trust",
})
}
func (w *WorkerImpl) DoZTrust() {
cfg, _ := w.GetCfgs()
if cfg.ZTrust != "enable" {
cfg.ZTrust = "enable"
w.doTrust()
}
}
func (w *WorkerImpl) undoTrust() {
_, vpn := w.GetCfgs()
w.fire.Mangle.Pre.DelRuleX(cn.IPRule{
Input: vpn.Device,
Jump: w.ztrust.Chain(),
Comment: "Goto Zero Trust",
})
}
func (w *WorkerImpl) UndoZTrust() {
cfg, _ := w.GetCfgs()
if cfg.ZTrust == "enable" {
cfg.ZTrust = "disable"
w.undoTrust()
}
}
func (w *WorkerImpl) Start(v api.Switcher) { func (w *WorkerImpl) Start(v api.Switcher) {
cfg, vpn := w.GetCfgs() cfg, vpn := w.GetCfgs()
fire := w.fire
w.out.Info("WorkerImpl.Start") w.out.Info("WorkerImpl.Start")
w.findhop.Start()
w.loadVRF() w.loadVRF()
w.loadRoutes() w.loadRoutes()
w.acl.Start() w.acl.Start()
w.toACL(cfg.Bridge.Name) w.toACL(cfg.Bridge.Name)
if cfg.Bridge.Mss > 0 {
// forward to remote
w.SetMss(cfg.Bridge.Mss)
}
for _, output := range cfg.Outputs { for _, output := range cfg.Outputs {
output.GenName() output.GenName()
w.addOutput(cfg.Bridge.Name, output) w.addOutput(cfg.Bridge.Name, output)
} }
if !(w.dhcp == nil) {
w.dhcp.Start()
}
if !(w.vpn == nil) { if !(w.vpn == nil) {
w.vpn.Start() w.vpn.Start()
if !(w.vrf == nil) { if !(w.vrf == nil) {
@@ -448,32 +477,31 @@ func (w *WorkerImpl) Start(v api.Switcher) {
}) })
} }
if !(w.ztrust == nil) { w.fire.Mangle.In.AddRule(cn.IPRule{
w.ztrust.Start() Input: vpn.Device,
fire.Mangle.Pre.AddRule(cn.IPRule{ Jump: w.qos.ChainIn(),
Input: vpn.Device, Comment: "Goto Qos ChainIn",
CtState: "RELATED,ESTABLISHED", })
Comment: "Forwarding Accpted", w.qos.Start()
}) w.ztrust.Start()
fire.Mangle.Pre.AddRule(cn.IPRule{
Input: vpn.Device,
Jump: w.ztrust.Chain(),
Comment: "Goto Zero Trust",
})
}
if !(w.qos == nil) {
w.qos.Start()
fire.Mangle.In.AddRule(cn.IPRule{
Input: vpn.Device,
Jump: w.qos.ChainIn(),
Comment: "Goto Qos ChainIn",
})
}
} }
fire.Start() w.fire.Start()
if cfg.Bridge.Mss > 0 {
// forward to remote
w.setMss()
}
w.findhop.Start()
if !(w.dhcp == nil) {
w.dhcp.Start()
}
if !(w.vpn == nil) {
if cfg.ZTrust == "enable" {
w.doTrust()
}
}
} }
func (w *WorkerImpl) DelPhysical(bridge string, output string) { func (w *WorkerImpl) DelPhysical(bridge string, output string) {
@@ -542,15 +570,13 @@ func (w *WorkerImpl) Stop() {
w.fire.Stop() w.fire.Stop()
w.findhop.Stop() w.findhop.Stop()
w.acl.Stop()
w.unloadRoutes() w.unloadRoutes()
if !(w.vpn == nil) { if !(w.vpn == nil) {
if !(w.ztrust == nil) { w.ztrust.Stop()
w.ztrust.Stop() w.qos.Stop()
}
if !(w.qos == nil) {
w.qos.Stop()
}
w.vpn.Stop() w.vpn.Stop()
} }
if !(w.dhcp == nil) { if !(w.dhcp == nil) {
@@ -564,8 +590,6 @@ func (w *WorkerImpl) Stop() {
w.delOutput(w.cfg.Bridge.Name, output) w.delOutput(w.cfg.Bridge.Name, output)
} }
w.acl.Stop()
w.setR.Destroy() w.setR.Destroy()
w.setV.Destroy() w.setV.Destroy()
} }
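Review bot: DoZTrust and UndoZTrust call doTrust/undoTrust unconditionally, while Start only calls doTrust under `if !(w.vpn == nil)`; if GetCfgs yields a nil vpn config for a network without a VPN, `vpn.Device` in doTrust will panic inside the HTTP handler. Guard both the same way Start does, `if w.vpn == nil { return }`, before touching cfg.ZTrust. Both methods also do an unsynchronized check-then-set on cfg.ZTrust from the HTTP path, so two concurrent enable requests could insert the jump rule twice unless AddRuleX deduplicates — a mutex around the toggle, or a comment stating why none is needed, would settle that. Separately, SetMss now inserts a fresh MSS rule whenever the value changes but never removes the rule built for the previous value, so each change leaves a stale mangle rule behind; delete the old rule (matching DelRuleX calls with the previous `mss`) before calling setMss.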


@@ -168,6 +168,10 @@ func (z *ZTrust) Chain() string {
func (z *ZTrust) Initialize() { func (z *ZTrust) Initialize() {
z.chain = cn.NewFireWallChain(z.Chain(), cn.TMangle, "") z.chain = cn.NewFireWallChain(z.Chain(), cn.TMangle, "")
z.chain.AddRule(cn.IPRule{
CtState: "RELATED,ESTABLISHED",
Comment: "Forwarding Accpted",
})
z.chain.AddRule(cn.IPRule{ z.chain.AddRule(cn.IPRule{
Comment: "ZTrust Deny All", Comment: "ZTrust Deny All",
Jump: "DROP", Jump: "DROP",
@@ -196,7 +200,6 @@ func (z *ZTrust) Update() {
for _, guest := range z.guests { for _, guest := range z.guests {
guest.Clear() guest.Clear()
} }
time.Sleep(time.Second * 3) time.Sleep(time.Second * 3)
} }
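Review bot: The RELATED,ESTABLISHED rule added to the chain in Initialize carries no Jump; if the firewall wrapper renders an empty Jump without `-j`, that rule only counts packets and established flows fall through to the `DROP` right below it — confirm that IPRule defaults to ACCEPT (the Pre-chain rule this replaces relied on the same behaviour). Order in this chain is now load-bearing: anything appended later with `AddRule` lands after the Deny-All DROP and is unreachable, so per-guest allows must be inserted ahead of it; a comment such as `// order matters: per-guest allow rules must be inserted before the final DROP` on the DROP rule would document that. The iptables comment string `Forwarding Accpted` also misspells Accepted.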
} }