zishuo/netmaker
1
0
Fork 0
mirror of https://github.com/gravitl/netmaker.git synced 2025-10-10 11:12:25 +08:00
Code Issues Packages Projects Releases Wiki Activity

ignore setting up rules when default poliy is enabled

Browse Source
This commit is contained in:
abhishek9686
2024-10-27 23:00:36 +04:00
parent 514e785f7b
commit 502a15ea14
1 changed files with 63 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

112
logic/extpeers.go
View File

@@ -403,8 +403,17 @@ func ToggleExtClientConnectivity(client *models.ExtClient, enable bool) (models.
} }
func GetStaticNodeIps(node models.Node) (ips []net.IP) { func GetStaticNodeIps(node models.Node) (ips []net.IP) {
defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
extclients := GetStaticNodesByNetwork(models.NetworkID(node.Network), false) extclients := GetStaticNodesByNetwork(models.NetworkID(node.Network), false)
for _, extclient := range extclients { for _, extclient := range extclients {
if extclient.IsUserNode && defaultUserPolicy.Enabled {
continue
}
if !extclient.IsUserNode && defaultDevicePolicy.Enabled {
continue
}
if extclient.StaticNode.Address != "" { if extclient.StaticNode.Address != "" {
ips = append(ips, extclient.StaticNode.AddressIPNet4().IP) ips = append(ips, extclient.StaticNode.AddressIPNet4().IP)
} }
@@ -417,62 +426,67 @@ func GetStaticNodeIps(node models.Node) (ips []net.IP) {
func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) { func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
// fetch user access to static clients via policies // fetch user access to static clients via policies
defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
nodes, _ := GetNetworkNodes(node.Network) nodes, _ := GetNetworkNodes(node.Network)
nodes = append(nodes, GetStaticNodesByNetwork(models.NetworkID(node.Network), true)...) nodes = append(nodes, GetStaticNodesByNetwork(models.NetworkID(node.Network), true)...)
userNodes := GetStaticUserNodesByNetwork(models.NetworkID(node.Network)) if !defaultUserPolicy.Enabled {
for _, userNodeI := range userNodes { userNodes := GetStaticUserNodesByNetwork(models.NetworkID(node.Network))
for _, peer := range nodes { for _, userNodeI := range userNodes {
if peer.IsUserNode { for _, peer := range nodes {
continue if peer.IsUserNode {
} continue
if IsUserAllowedToCommunicate(userNodeI.StaticNode.OwnerID, peer) {
if peer.IsStatic {
if userNodeI.StaticNode.Address != "" {
rules = append(rules, models.FwRule{
SrcIp: userNodeI.StaticNode.AddressIPNet4().IP,
DstIP: peer.StaticNode.AddressIPNet4().IP,
Allow: true,
})
rules = append(rules, models.FwRule{
SrcIp: peer.StaticNode.AddressIPNet4().IP,
DstIP: userNodeI.StaticNode.AddressIPNet4().IP,
Allow: true,
})
}
if userNodeI.StaticNode.Address6 != "" {
rules = append(rules, models.FwRule{
SrcIp: userNodeI.StaticNode.AddressIPNet6().IP,
DstIP: peer.StaticNode.AddressIPNet6().IP,
Allow: true,
})
rules = append(rules, models.FwRule{
SrcIp: peer.StaticNode.AddressIPNet6().IP,
DstIP: userNodeI.StaticNode.AddressIPNet6().IP,
Allow: true,
})
}
} else {
if userNodeI.StaticNode.Address != "" {
rules = append(rules, models.FwRule{
SrcIp: userNodeI.StaticNode.AddressIPNet4().IP,
DstIP: peer.Address.IP,
Allow: true,
})
}
if userNodeI.StaticNode.Address6 != "" {
rules = append(rules, models.FwRule{
SrcIp: userNodeI.StaticNode.AddressIPNet6().IP,
DstIP: peer.Address6.IP,
Allow: true,
})
}
} }
if IsUserAllowedToCommunicate(userNodeI.StaticNode.OwnerID, peer) {
if peer.IsStatic {
if userNodeI.StaticNode.Address != "" {
rules = append(rules, models.FwRule{
SrcIp: userNodeI.StaticNode.AddressIPNet4().IP,
DstIP: peer.StaticNode.AddressIPNet4().IP,
Allow: true,
})
rules = append(rules, models.FwRule{
SrcIp: peer.StaticNode.AddressIPNet4().IP,
DstIP: userNodeI.StaticNode.AddressIPNet4().IP,
Allow: true,
})
}
if userNodeI.StaticNode.Address6 != "" {
rules = append(rules, models.FwRule{
SrcIp: userNodeI.StaticNode.AddressIPNet6().IP,
DstIP: peer.StaticNode.AddressIPNet6().IP,
Allow: true,
})
rules = append(rules, models.FwRule{
SrcIp: peer.StaticNode.AddressIPNet6().IP,
DstIP: userNodeI.StaticNode.AddressIPNet6().IP,
Allow: true,
})
}
} else {
if userNodeI.StaticNode.Address != "" {
rules = append(rules, models.FwRule{
SrcIp: userNodeI.StaticNode.AddressIPNet4().IP,
DstIP: peer.Address.IP,
Allow: true,
})
}
if userNodeI.StaticNode.Address6 != "" {
rules = append(rules, models.FwRule{
SrcIp: userNodeI.StaticNode.AddressIPNet6().IP,
DstIP: peer.Address6.IP,
Allow: true,
})
}
}
}
} }
} }
} }
if defaultDevicePolicy.Enabled {
return
}
for _, nodeI := range nodes { for _, nodeI := range nodes {
if !nodeI.IsStatic || nodeI.IsUserNode { if !nodeI.IsStatic || nodeI.IsUserNode {
continue continue