zishuo/netmaker
1
0
Fork 0
mirror of https://github.com/gravitl/netmaker.git synced 2025-10-05 16:57:51 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'develop' into feature_v0.14.8_internet_gateway

Browse Source
This commit is contained in:
Matthew R Kasun
2022-08-09 13:55:16 -04:00
committed by GitHub
parent 85cb88f0ad c7a3d2b098
commit 65723e23dd
8 changed files with 213 additions and 97 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
controllers/config/dnsconfig/netmaker.hosts
View File

@@ -1 +1,2 @@
10.0.0.2 testnode.skynet myhost.skynet 10.0.0.1 testnode.skynet
10.0.0.2 myhost.skynet

154
logic/gateway.go
View File

@@ -3,6 +3,7 @@ package logic
import ( import (
"encoding/json" "encoding/json"
"errors" "errors"
"fmt"
"strings" "strings"
"time" "time"
@@ -30,17 +31,25 @@ func CreateEgressGateway(gateway models.EgressGatewayRequest) (models.Node, erro
node.IsEgressGateway = "yes" node.IsEgressGateway = "yes"
node.EgressGatewayRanges = gateway.Ranges node.EgressGatewayRanges = gateway.Ranges
node.EgressGatewayNatEnabled = gateway.NatEnabled node.EgressGatewayNatEnabled = gateway.NatEnabled
node.EgressGatewayRequest = gateway // store entire request for use when preserving the egress gateway
postUpCmd := "" postUpCmd := ""
postDownCmd := "" postDownCmd := ""
logger.Log(3, "creating egress gateway firewall in use is '", node.FirewallInUse, "'")
if node.OS == "linux" { if node.OS == "linux" {
postUpCmd = "iptables -A FORWARD -i " + node.Interface + " -j ACCEPT; " switch node.FirewallInUse {
postUpCmd += "iptables -A FORWARD -o " + node.Interface + " -j ACCEPT" case models.FIREWALL_NFTABLES:
postDownCmd = "iptables -D FORWARD -i " + node.Interface + " -j ACCEPT; " // nftables only supported on Linux
postDownCmd += "iptables -D FORWARD -o " + node.Interface + " -j ACCEPT" // assumes chains eg FORWARD and POSTROUTING already exist
logger.Log(3, "creating egress gateway nftables is present")
// down commands don't remove as removal of the rules leaves an empty chain while
// removing the chain with rules in it would remove all rules in that section (not safe
// if there are remaining rules on the host that need to stay). In practice the chain is removed
// when non-empty even though the removal of a non-empty chain should not be possible per nftables wiki.
postUpCmd, postDownCmd = firewallNFTCommandsCreateEgress(node.Interface, gateway.Interface, node.EgressGatewayNatEnabled)
if node.EgressGatewayNatEnabled == "yes" { default: // iptables assumed
postUpCmd += "; iptables -t nat -A POSTROUTING -o " + gateway.Interface + " -j MASQUERADE" logger.Log(3, "creating egress gateway nftables is not present")
postDownCmd += "; iptables -t nat -D POSTROUTING -o " + gateway.Interface + " -j MASQUERADE" postUpCmd, postDownCmd = firewallIPTablesCommandsCreateEgress(node.Interface, gateway.Interface, node.EgressGatewayNatEnabled)
} }
} }
if node.OS == "freebsd" { if node.OS == "freebsd" {
@@ -115,23 +124,27 @@ func DeleteEgressGateway(network, nodeid string) (models.Node, error) {
node.IsEgressGateway = "no" node.IsEgressGateway = "no"
node.EgressGatewayRanges = []string{} node.EgressGatewayRanges = []string{}
node.EgressGatewayRequest = models.EgressGatewayRequest{} // remove preserved request as the egress gateway is gone
// needed in case we don't preserve a gateway (i.e., no ingress to preserve)
node.PostUp = "" node.PostUp = ""
node.PostDown = "" node.PostDown = ""
logger.Log(3, "deleting egress gateway firewall in use is '", node.FirewallInUse, "'")
if node.IsIngressGateway == "yes" { // check if node is still an ingress gateway before completely deleting postdown/up rules if node.IsIngressGateway == "yes" { // check if node is still an ingress gateway before completely deleting postdown/up rules
// still have an ingress gateway so preserve it
if node.OS == "linux" { if node.OS == "linux" {
node.PostUp = "iptables -A FORWARD -i " + node.Interface + " -j ACCEPT ; " switch node.FirewallInUse {
node.PostUp += "iptables -A FORWARD -o " + node.Interface + " -j ACCEPT ; " case models.FIREWALL_NFTABLES:
node.PostUp += "iptables -t nat -A POSTROUTING -o " + node.Interface + " -j MASQUERADE" // nftables only supported on Linux
node.PostDown = "iptables -D FORWARD -i " + node.Interface + " -j ACCEPT ; " // assumes chains eg FORWARD and POSTROUTING already exist
node.PostDown += "iptables -D FORWARD -o " + node.Interface + " -j ACCEPT ; " logger.Log(3, "deleting egress gateway nftables is present")
node.PostDown += "iptables -t nat -D POSTROUTING -o " + node.Interface + " -j MASQUERADE" node.PostUp, node.PostDown = firewallNFTCommandsCreateIngress(node.Interface)
} default:
if node.OS == "freebsd" { logger.Log(3, "deleting egress gateway nftables is not present")
node.PostUp = "" node.PostUp, node.PostDown = firewallIPTablesCommandsCreateIngress(node.Interface)
node.PostDown = "ipfw delete 64000 ; " }
node.PostDown += "ipfw delete 65534 ; "
node.PostDown += "kldunload ipfw_nat ipfw"
} }
// no need to preserve ingress gateway on FreeBSD as ingress is not supported on that OS
} }
node.SetLastModified() node.SetLastModified()
@@ -151,6 +164,7 @@ func DeleteEgressGateway(network, nodeid string) (models.Node, error) {
// CreateIngressGateway - creates an ingress gateway // CreateIngressGateway - creates an ingress gateway
func CreateIngressGateway(netid string, nodeid string) (models.Node, error) { func CreateIngressGateway(netid string, nodeid string) (models.Node, error) {
var postUpCmd, postDownCmd string
node, err := GetNodeByID(nodeid) node, err := GetNodeByID(nodeid)
if node.OS != "linux" { // add in darwin later if node.OS != "linux" { // add in darwin later
return models.Node{}, errors.New(node.OS + " is unsupported for ingress gateways") return models.Node{}, errors.New(node.OS + " is unsupported for ingress gateways")
@@ -166,12 +180,18 @@ func CreateIngressGateway(netid string, nodeid string) (models.Node, error) {
} }
node.IsIngressGateway = "yes" node.IsIngressGateway = "yes"
node.IngressGatewayRange = network.AddressRange node.IngressGatewayRange = network.AddressRange
postUpCmd := "iptables -A FORWARD -i " + node.Interface + " -j ACCEPT ; " logger.Log(3, "creating ingress gateway firewall in use is '", node.FirewallInUse, "'")
postUpCmd += "iptables -A FORWARD -o " + node.Interface + " -j ACCEPT ; " switch node.FirewallInUse {
postUpCmd += "iptables -t nat -A POSTROUTING -o " + node.Interface + " -j MASQUERADE" case models.FIREWALL_NFTABLES:
postDownCmd := "iptables -D FORWARD -i " + node.Interface + " -j ACCEPT ; " // nftables only supported on Linux
postDownCmd += "iptables -D FORWARD -o " + node.Interface + " -j ACCEPT ; " // assumes chains eg FORWARD and POSTROUTING already exist
postDownCmd += "iptables -t nat -D POSTROUTING -o " + node.Interface + " -j MASQUERADE" logger.Log(3, "creating ingress gateway nftables is present")
postUpCmd, postDownCmd = firewallNFTCommandsCreateIngress(node.Interface)
default:
logger.Log(3, "creating ingress gateway using nftables is not present")
postUpCmd, postDownCmd = firewallIPTablesCommandsCreateIngress(node.Interface)
}
if node.PostUp != "" { if node.PostUp != "" {
if !strings.Contains(node.PostUp, postUpCmd) { if !strings.Contains(node.PostUp, postUpCmd) {
postUpCmd = node.PostUp + "; " + postUpCmd postUpCmd = node.PostUp + "; " + postUpCmd
@@ -214,12 +234,26 @@ func DeleteIngressGateway(networkName string, nodeid string) (models.Node, error
if err = DeleteGatewayExtClients(node.ID, networkName); err != nil { if err = DeleteGatewayExtClients(node.ID, networkName); err != nil {
return models.Node{}, err return models.Node{}, err
} }
logger.Log(3, "deleting ingress gateway")
node.UDPHolePunch = network.DefaultUDPHolePunch node.UDPHolePunch = network.DefaultUDPHolePunch
node.LastModified = time.Now().Unix() node.LastModified = time.Now().Unix()
node.IsIngressGateway = "no" node.IsIngressGateway = "no"
node.IngressGatewayRange = "" node.IngressGatewayRange = ""
// default to removing postup and postdown
node.PostUp = ""
node.PostDown = ""
logger.Log(3, "deleting ingress gateway firewall in use is '", node.FirewallInUse, "' and isEgressGateway is", node.IsEgressGateway)
if node.EgressGatewayRequest.NodeID != "" {
_, err := CreateEgressGateway(node.EgressGatewayRequest)
if err != nil {
logger.Log(0, fmt.Sprintf("failed to create egress gateway on node [%s] on network [%s]: %v",
node.EgressGatewayRequest.NodeID, node.EgressGatewayRequest.NetID, err))
}
}
data, err := json.Marshal(&node) data, err := json.Marshal(&node)
if err != nil { if err != nil {
return models.Node{}, err return models.Node{}, err
@@ -248,3 +282,73 @@ func DeleteGatewayExtClients(gatewayID string, networkName string) error {
} }
return nil return nil
} }
// firewallNFTCommandsCreateIngress - used to centralize firewall command maintenance for creating an ingress gateway using the nftables firewall.
func firewallNFTCommandsCreateIngress(networkInterface string) (string, string) {
postUp := "nft add table ip filter ; "
postUp += "nft add chain ip filter FORWARD ; "
postUp += "nft add rule ip filter FORWARD iifname " + networkInterface + " counter accept ; "
postUp += "nft add rule ip filter FORWARD oifname " + networkInterface + " counter accept ; "
postUp += "nft add table nat ; "
postUp += "nft add chain nat POSTROUTING ; "
postUp += "nft add rule ip nat POSTROUTING oifname " + networkInterface + " counter masquerade"
// doesn't remove potentially empty tables or chains
postDown := "nft delete rule ip filter FORWARD iifname " + networkInterface + " counter accept ; "
postDown += "nft delete rule ip filter FORWARD oifname " + networkInterface + " counter accept ; "
postDown += "nft delete rule ip nat POSTROUTING oifname " + networkInterface + " counter masquerade"
return postUp, postDown
}
// firewallNFTCommandsCreateEgress - used to centralize firewall command maintenance for creating an egress gateway using the nftables firewall.
func firewallNFTCommandsCreateEgress(networkInterface string, gatewayInterface string, egressNatEnabled string) (string, string) {
postUp := "nft add table ip filter ; "
postUp += "nft add chain ip filter FORWARD ; "
postUp += "nft add rule ip filter FORWARD iifname " + networkInterface + " counter accept ; "
postUp += "nft add rule ip filter FORWARD oifname " + networkInterface + " counter accept ; "
postDown := "nft delete rule ip filter FORWARD iifname " + networkInterface + " counter accept ; "
postDown += "nft delete rule ip filter FORWARD oifname " + networkInterface + " counter accept ; "
if egressNatEnabled == "yes" {
postUp += "nft add table nat ; "
postUp += "nft add chain nat POSTROUTING ; "
postUp += "nft add rule ip nat POSTROUTING oifname " + gatewayInterface + " counter masquerade ;"
postDown += "nft delete rule ip nat POSTROUTING oifname " + gatewayInterface + " counter masquerade ;"
}
return postUp, postDown
}
// firewallIPTablesCommandsCreateIngress - used to centralize firewall command maintenance for creating an ingress gateway using the iptables firewall.
func firewallIPTablesCommandsCreateIngress(networkInterface string) (string, string) {
postUp := "iptables -A FORWARD -i " + networkInterface + " -j ACCEPT ; "
postUp += "iptables -A FORWARD -o " + networkInterface + " -j ACCEPT ; "
postUp += "iptables -t nat -A POSTROUTING -o " + networkInterface + " -j MASQUERADE"
// doesn't remove potentially empty tables or chains
postDown := "iptables -D FORWARD -i " + networkInterface + " -j ACCEPT ; "
postDown += "iptables -D FORWARD -o " + networkInterface + " -j ACCEPT ; "
postDown += "iptables -t nat -D POSTROUTING -o " + networkInterface + " -j MASQUERADE"
return postUp, postDown
}
// firewallIPTablesCommandsCreateEgress - used to centralize firewall command maintenance for creating an egress gateway using the iptables firewall.
func firewallIPTablesCommandsCreateEgress(networkInterface string, gatewayInterface string, egressNatEnabled string) (string, string) {
postUp := "iptables -A FORWARD -i " + networkInterface + " -j ACCEPT; "
postUp += "iptables -A FORWARD -o " + networkInterface + " -j ACCEPT"
postDown := "iptables -D FORWARD -i " + networkInterface + " -j ACCEPT; "
postDown += "iptables -D FORWARD -o " + networkInterface + " -j ACCEPT"
if egressNatEnabled == "yes" {
postUp += "; iptables -t nat -A POSTROUTING -o " + gatewayInterface + " -j MASQUERADE"
postDown += "; iptables -t nat -D POSTROUTING -o " + gatewayInterface + " -j MASQUERADE"
}
return postUp, postDown
}

1
logic/nodes.go
View File

@@ -427,6 +427,7 @@ func SetNodeDefaults(node *models.Node) {
node.SetDefaultIngressGateway() node.SetDefaultIngressGateway()
node.SetDefaulIsPending() node.SetDefaulIsPending()
node.SetDefaultMTU() node.SetDefaultMTU()
node.SetDefaultNFTablesPresent()
node.SetDefaultIsRelayed() node.SetDefaultIsRelayed()
node.SetDefaultIsRelay() node.SetDefaultIsRelay()
node.SetDefaultIsDocker() node.SetDefaultIsDocker()

85
models/node.go
View File

@@ -28,6 +28,10 @@ const (
NODE_NOOP = "noop" NODE_NOOP = "noop"
// NODE_FORCE_UPDATE - indicates a node should pull all changes // NODE_FORCE_UPDATE - indicates a node should pull all changes
NODE_FORCE_UPDATE = "force" NODE_FORCE_UPDATE = "force"
// FIREWALL_IPTABLES - indicates that iptables is the firewall in use
FIREWALL_IPTABLES = "iptables"
// FIREWALL_NFTABLES - indicates nftables is in use (Linux only)
FIREWALL_NFTABLES = "nftables"
) )
var seededRand *rand.Rand = rand.New( var seededRand *rand.Rand = rand.New(
@@ -35,41 +39,42 @@ var seededRand *rand.Rand = rand.New(
// Node - struct for node model // Node - struct for node model
type Node struct { type Node struct {
ID string `json:"id,omitempty" bson:"id,omitempty" yaml:"id,omitempty" validate:"required,min=5" validate:"id_unique` ID string `json:"id,omitempty" bson:"id,omitempty" yaml:"id,omitempty" validate:"required,min=5" validate:"id_unique`
Address string `json:"address" bson:"address" yaml:"address" validate:"omitempty,ipv4"` Address string `json:"address" bson:"address" yaml:"address" validate:"omitempty,ipv4"`
Address6 string `json:"address6" bson:"address6" yaml:"address6" validate:"omitempty,ipv6"` Address6 string `json:"address6" bson:"address6" yaml:"address6" validate:"omitempty,ipv6"`
LocalAddress string `json:"localaddress" bson:"localaddress" yaml:"localaddress" validate:"omitempty,ip"` LocalAddress string `json:"localaddress" bson:"localaddress" yaml:"localaddress" validate:"omitempty,ip"`
Name string `json:"name" bson:"name" yaml:"name" validate:"omitempty,max=62,in_charset"` Name string `json:"name" bson:"name" yaml:"name" validate:"omitempty,max=62,in_charset"`
NetworkSettings Network `json:"networksettings" bson:"networksettings" yaml:"networksettings" validate:"-"` NetworkSettings Network `json:"networksettings" bson:"networksettings" yaml:"networksettings" validate:"-"`
ListenPort int32 `json:"listenport" bson:"listenport" yaml:"listenport" validate:"omitempty,numeric,min=1024,max=65535"` ListenPort int32 `json:"listenport" bson:"listenport" yaml:"listenport" validate:"omitempty,numeric,min=1024,max=65535"`
LocalListenPort int32 `json:"locallistenport" bson:"locallistenport" yaml:"locallistenport" validate:"numeric,min=0,max=65535"` LocalListenPort int32 `json:"locallistenport" bson:"locallistenport" yaml:"locallistenport" validate:"numeric,min=0,max=65535"`
PublicKey string `json:"publickey" bson:"publickey" yaml:"publickey" validate:"required,base64"` PublicKey string `json:"publickey" bson:"publickey" yaml:"publickey" validate:"required,base64"`
Endpoint string `json:"endpoint" bson:"endpoint" yaml:"endpoint" validate:"required,ip"` Endpoint string `json:"endpoint" bson:"endpoint" yaml:"endpoint" validate:"required,ip"`
PostUp string `json:"postup" bson:"postup" yaml:"postup"` PostUp string `json:"postup" bson:"postup" yaml:"postup"`
PostDown string `json:"postdown" bson:"postdown" yaml:"postdown"` PostDown string `json:"postdown" bson:"postdown" yaml:"postdown"`
AllowedIPs []string `json:"allowedips" bson:"allowedips" yaml:"allowedips"` AllowedIPs []string `json:"allowedips" bson:"allowedips" yaml:"allowedips"`
PersistentKeepalive int32 `json:"persistentkeepalive" bson:"persistentkeepalive" yaml:"persistentkeepalive" validate:"omitempty,numeric,max=1000"` PersistentKeepalive int32 `json:"persistentkeepalive" bson:"persistentkeepalive" yaml:"persistentkeepalive" validate:"omitempty,numeric,max=1000"`
IsHub string `json:"ishub" bson:"ishub" yaml:"ishub" validate:"checkyesorno"` IsHub string `json:"ishub" bson:"ishub" yaml:"ishub" validate:"checkyesorno"`
AccessKey string `json:"accesskey" bson:"accesskey" yaml:"accesskey"` AccessKey string `json:"accesskey" bson:"accesskey" yaml:"accesskey"`
Interface string `json:"interface" bson:"interface" yaml:"interface"` Interface string `json:"interface" bson:"interface" yaml:"interface"`
LastModified int64 `json:"lastmodified" bson:"lastmodified" yaml:"lastmodified"` LastModified int64 `json:"lastmodified" bson:"lastmodified" yaml:"lastmodified"`
ExpirationDateTime int64 `json:"expdatetime" bson:"expdatetime" yaml:"expdatetime"` ExpirationDateTime int64 `json:"expdatetime" bson:"expdatetime" yaml:"expdatetime"`
LastPeerUpdate int64 `json:"lastpeerupdate" bson:"lastpeerupdate" yaml:"lastpeerupdate"` LastPeerUpdate int64 `json:"lastpeerupdate" bson:"lastpeerupdate" yaml:"lastpeerupdate"`
LastCheckIn int64 `json:"lastcheckin" bson:"lastcheckin" yaml:"lastcheckin"` LastCheckIn int64 `json:"lastcheckin" bson:"lastcheckin" yaml:"lastcheckin"`
MacAddress string `json:"macaddress" bson:"macaddress" yaml:"macaddress"` MacAddress string `json:"macaddress" bson:"macaddress" yaml:"macaddress"`
Password string `json:"password" bson:"password" yaml:"password" validate:"required,min=6"` Password string `json:"password" bson:"password" yaml:"password" validate:"required,min=6"`
Network string `json:"network" bson:"network" yaml:"network" validate:"network_exists"` Network string `json:"network" bson:"network" yaml:"network" validate:"network_exists"`
IsRelayed string `json:"isrelayed" bson:"isrelayed" yaml:"isrelayed"` IsRelayed string `json:"isrelayed" bson:"isrelayed" yaml:"isrelayed"`
IsPending string `json:"ispending" bson:"ispending" yaml:"ispending"` IsPending string `json:"ispending" bson:"ispending" yaml:"ispending"`
IsRelay string `json:"isrelay" bson:"isrelay" yaml:"isrelay" validate:"checkyesorno"` IsRelay string `json:"isrelay" bson:"isrelay" yaml:"isrelay" validate:"checkyesorno"`
IsDocker string `json:"isdocker" bson:"isdocker" yaml:"isdocker" validate:"checkyesorno"` IsDocker string `json:"isdocker" bson:"isdocker" yaml:"isdocker" validate:"checkyesorno"`
IsK8S string `json:"isk8s" bson:"isk8s" yaml:"isk8s" validate:"checkyesorno"` IsK8S string `json:"isk8s" bson:"isk8s" yaml:"isk8s" validate:"checkyesorno"`
IsEgressGateway string `json:"isegressgateway" bson:"isegressgateway" yaml:"isegressgateway"` IsEgressGateway string `json:"isegressgateway" bson:"isegressgateway" yaml:"isegressgateway"`
IsIngressGateway string `json:"isingressgateway" bson:"isingressgateway" yaml:"isingressgateway"` IsIngressGateway string `json:"isingressgateway" bson:"isingressgateway" yaml:"isingressgateway"`
EgressGatewayRanges []string `json:"egressgatewayranges" bson:"egressgatewayranges" yaml:"egressgatewayranges"` EgressGatewayRanges []string `json:"egressgatewayranges" bson:"egressgatewayranges" yaml:"egressgatewayranges"`
EgressGatewayNatEnabled string `json:"egressgatewaynatenabled" bson:"egressgatewaynatenabled" yaml:"egressgatewaynatenabled"` EgressGatewayNatEnabled string `json:"egressgatewaynatenabled" bson:"egressgatewaynatenabled" yaml:"egressgatewaynatenabled"`
RelayAddrs []string `json:"relayaddrs" bson:"relayaddrs" yaml:"relayaddrs"` EgressGatewayRequest EgressGatewayRequest `json:"egressgatewayrequest" bson:"egressgatewayrequest" yaml:"egressgatewayrequest"`
IngressGatewayRange string `json:"ingressgatewayrange" bson:"ingressgatewayrange" yaml:"ingressgatewayrange"` RelayAddrs []string `json:"relayaddrs" bson:"relayaddrs" yaml:"relayaddrs"`
IngressGatewayRange string `json:"ingressgatewayrange" bson:"ingressgatewayrange" yaml:"ingressgatewayrange"`
// IsStatic - refers to if the Endpoint is set manually or dynamically // IsStatic - refers to if the Endpoint is set manually or dynamically
IsStatic string `json:"isstatic" bson:"isstatic" yaml:"isstatic" validate:"checkyesorno"` IsStatic string `json:"isstatic" bson:"isstatic" yaml:"isstatic" validate:"checkyesorno"`
UDPHolePunch string `json:"udpholepunch" bson:"udpholepunch" yaml:"udpholepunch" validate:"checkyesorno"` UDPHolePunch string `json:"udpholepunch" bson:"udpholepunch" yaml:"udpholepunch" validate:"checkyesorno"`
@@ -84,6 +89,7 @@ type Node struct {
Version string `json:"version" bson:"version" yaml:"version"` Version string `json:"version" bson:"version" yaml:"version"`
Server string `json:"server" bson:"server" yaml:"server"` Server string `json:"server" bson:"server" yaml:"server"`
TrafficKeys TrafficKeys `json:"traffickeys" bson:"traffickeys" yaml:"traffickeys"` TrafficKeys TrafficKeys `json:"traffickeys" bson:"traffickeys" yaml:"traffickeys"`
FirewallInUse string `json:"firewallinuse" bson:"firewallinuse" yaml:"firewallinuse"`
InternetGateway string `json:"internetgateway" bson:"internetgateway" yaml:"internetgateway"` InternetGateway string `json:"internetgateway" bson:"internetgateway" yaml:"internetgateway"`
} }
@@ -120,6 +126,13 @@ func (node *Node) SetDefaultMTU() {
} }
} }
// Node.SetDefaultNFTablesPresent - sets default for nftables check
func (node *Node) SetDefaultNFTablesPresent() {
if node.FirewallInUse == "" {
node.FirewallInUse = FIREWALL_IPTABLES // default to iptables
}
}
// Node.SetDefaulIsPending - sets ispending default // Node.SetDefaulIsPending - sets ispending default
func (node *Node) SetDefaulIsPending() { func (node *Node) SetDefaulIsPending() {
if node.IsPending == "" { if node.IsPending == "" {
@@ -255,7 +268,7 @@ func (node *Node) SetDefaultName() {
} }
// Node.Fill - fills other node data into calling node data if not set on calling node // Node.Fill - fills other node data into calling node data if not set on calling node
func (newNode *Node) Fill(currentNode *Node) { func (newNode *Node) Fill(currentNode *Node) { // TODO add new field for nftables present
newNode.ID = currentNode.ID newNode.ID = currentNode.ID
if newNode.Address == "" { if newNode.Address == "" {

10
netclient/functions/join.go
View File

@@ -114,7 +114,17 @@ func JoinNetwork(cfg *config.ClientConfig, privateKey string) error {
if ncutils.IsFreeBSD() { if ncutils.IsFreeBSD() {
cfg.Node.UDPHolePunch = "no" cfg.Node.UDPHolePunch = "no"
cfg.Node.FirewallInUse = models.FIREWALL_IPTABLES // nftables not supported by FreeBSD
} }
if cfg.Node.FirewallInUse == "" {
if ncutils.IsNFTablesPresent() {
cfg.Node.FirewallInUse = models.FIREWALL_NFTABLES
} else {
cfg.Node.FirewallInUse = models.FIREWALL_IPTABLES
}
}
// make sure name is appropriate, if not, give blank name // make sure name is appropriate, if not, give blank name
cfg.Node.Name = formatName(cfg.Node) cfg.Node.Name = formatName(cfg.Node)
cfg.Node.OS = runtime.GOOS cfg.Node.OS = runtime.GOOS

12
netclient/functions/mqpublish.go
View File

@@ -13,6 +13,7 @@ import (
"github.com/cloverstd/tcping/ping" "github.com/cloverstd/tcping/ping"
"github.com/gravitl/netmaker/logger" "github.com/gravitl/netmaker/logger"
"github.com/gravitl/netmaker/models"
"github.com/gravitl/netmaker/netclient/auth" "github.com/gravitl/netmaker/netclient/auth"
"github.com/gravitl/netmaker/netclient/config" "github.com/gravitl/netmaker/netclient/config"
"github.com/gravitl/netmaker/netclient/ncutils" "github.com/gravitl/netmaker/netclient/ncutils"
@@ -43,6 +44,17 @@ func checkin() {
var nodeCfg config.ClientConfig var nodeCfg config.ClientConfig
nodeCfg.Network = network nodeCfg.Network = network
nodeCfg.ReadConfig() nodeCfg.ReadConfig()
// check for nftables present if on Linux
if ncutils.IsLinux() {
if ncutils.IsNFTablesPresent() {
nodeCfg.Node.FirewallInUse = models.FIREWALL_NFTABLES
} else {
nodeCfg.Node.FirewallInUse = models.FIREWALL_IPTABLES
}
} else {
// defaults to iptables for now, may need another default for non-Linux OSes
nodeCfg.Node.FirewallInUse = models.FIREWALL_IPTABLES
}
if nodeCfg.Node.IsStatic != "yes" { if nodeCfg.Node.IsStatic != "yes" {
extIP, err := ncutils.GetPublicIP() extIP, err := ncutils.GetPublicIP()
if err != nil { if err != nil {

10
netclient/ncutils/netclientutils.go
View File

@@ -110,6 +110,16 @@ func GetWireGuard() string {
return "wg" return "wg"
} }
// IsNFTablesPresent - returns true if nftables is present, false otherwise.
// Does not consider OS, up to the caller to determine if the OS supports nftables/whether this check is valid.
func IsNFTablesPresent() bool {
var nftFound bool
nftFound = FileExists("/usr/sbin/nft")
logger.Log(3, "nftables found:", strconv.FormatBool(nftFound))
return nftFound
}
// IsKernel - checks if running kernel WireGuard // IsKernel - checks if running kernel WireGuard
func IsKernel() bool { func IsKernel() bool {
//TODO //TODO

35
scripts/netmaker-server.sh
View File

@@ -1,35 +0,0 @@
#!/bin/sh
set -e
mkdir -p /etc/netmaker/config/environments
wget -O /etc/netmaker/netmaker https://github.com/gravitl/netmaker/releases/download/latest/netmaker
chmod +x /etc/netmaker/netmaker
cat >/etc/netmaker/config/environments/dev.yaml<<EOL
server:
host:
apiport: "8081"
masterkey: "secretkey"
allowedorigin: "*"
restbackend: true
agentbackend: true
dnsmode: "on"
EOL
cat >/etc/systemd/system/netmaker.service<<EOL
[Unit]
Description=Netmaker Server
After=network.target
[Service]
Type=simple
Restart=on-failure
WorkingDirectory=/etc/netmaker
ExecStart=/etc/netmaker/netmaker
[Install]
WantedBy=multi-user.target
EOL
systemctl daemon-reload
systemctl start netmaker.service