zishuo/netmaker
1
0
Fork 0
mirror of https://github.com/gravitl/netmaker.git synced 2025-10-19 15:15:17 +08:00
Code Issues Packages Projects Releases Wiki Activity

NET-1784: Adv Acl Rules (#3239)

Browse Source 
* define direction on acl req

* define protocol types and rule model

* get rules for node

* fetch acl rule for a node

* redine acl firewall model

* add json tags

* update port,protocol, and direction

* add json tags to acl options

* convert protocol to string

* simplify acl map

* add json tags to acl rules

* add networks to fw update

* add acls rules

* NET-1784: add allow all field

* add allow all field on fw udpate

* remove debug logs

* fix port and protocol types

* migrate default acl policies

* define constants for service types

* add adv options for user rules on ingress gw

* debug log

* allow whole network

* add static nodes to acl rules

* replace peers on acl updates

* initiliase rule map

* add user acl rules on target node

* revert acl check on extclient

* handle static node rules on ingress gw

* update multiple policies for users

* check allowed direction

* remove debug logs
This commit is contained in:
Abhishek K
2024-12-10 11:21:14 +04:00
committed by GitHub
parent 31c2311bef
commit f124b10c35
12 changed files with 707 additions and 118 deletions
Download Patch File Download Diff File Expand all files Collapse all files

225
logic/extpeers.go
View File

@@ -456,6 +456,10 @@ func GetStaticNodeIps(node models.Node) (ips []net.IP) {
func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
// fetch user access to static clients via policies
defer func() {
logger.Log(0, fmt.Sprintf("node.ID: %s, Rules: %+v\n", node.ID, rules))
}()
defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
nodes, _ := GetNetworkNodes(node.Network)
@@ -468,36 +472,50 @@ func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
if peer.IsUserNode {
continue
}
if IsUserAllowedToCommunicate(userNodeI.StaticNode.OwnerID, peer) {
if ok, allowedPolicies := IsUserAllowedToCommunicate(userNodeI.StaticNode.OwnerID, peer); ok {
if peer.IsStatic {
if userNodeI.StaticNode.Address != "" {
if !defaultUserPolicy.Enabled {
rules = append(rules, models.FwRule{
SrcIP: userNodeI.StaticNode.AddressIPNet4(),
DstIP: peer.StaticNode.AddressIPNet4(),
Allow: true,
})
for _, policy := range allowedPolicies {
rules = append(rules, models.FwRule{
SrcIP: userNodeI.StaticNode.AddressIPNet4(),
DstIP: peer.StaticNode.AddressIPNet4(),
AllowedProtocol: policy.Proto,
AllowedPorts: policy.Port,
Allow: true,
})
rules = append(rules, models.FwRule{
SrcIP: peer.StaticNode.AddressIPNet4(),
DstIP: userNodeI.StaticNode.AddressIPNet4(),
AllowedProtocol: policy.Proto,
AllowedPorts: policy.Port,
Allow: true,
})
}
}
rules = append(rules, models.FwRule{
SrcIP: peer.StaticNode.AddressIPNet4(),
DstIP: userNodeI.StaticNode.AddressIPNet4(),
Allow: true,
})
}
if userNodeI.StaticNode.Address6 != "" {
if !defaultUserPolicy.Enabled {
rules = append(rules, models.FwRule{
SrcIP: userNodeI.StaticNode.AddressIPNet6(),
DstIP: peer.StaticNode.AddressIPNet6(),
Allow: true,
})
for _, policy := range allowedPolicies {
rules = append(rules, models.FwRule{
SrcIP: userNodeI.StaticNode.AddressIPNet6(),
DstIP: peer.StaticNode.AddressIPNet6(),
Allow: true,
AllowedProtocol: policy.Proto,
AllowedPorts: policy.Port,
})
rules = append(rules, models.FwRule{
SrcIP: peer.StaticNode.AddressIPNet6(),
DstIP: userNodeI.StaticNode.AddressIPNet6(),
AllowedProtocol: policy.Proto,
AllowedPorts: policy.Port,
Allow: true,
})
}
}
rules = append(rules, models.FwRule{
SrcIP: peer.StaticNode.AddressIPNet6(),
DstIP: userNodeI.StaticNode.AddressIPNet6(),
Allow: true,
})
}
if len(peer.StaticNode.ExtraAllowedIPs) > 0 {
for _, additionalAllowedIPNet := range peer.StaticNode.ExtraAllowedIPs {
@@ -526,29 +544,39 @@ func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
if userNodeI.StaticNode.Address != "" {
if !defaultUserPolicy.Enabled {
rules = append(rules, models.FwRule{
SrcIP: userNodeI.StaticNode.AddressIPNet4(),
DstIP: net.IPNet{
IP: peer.Address.IP,
Mask: net.CIDRMask(32, 32),
},
Allow: true,
})
for _, policy := range allowedPolicies {
rules = append(rules, models.FwRule{
SrcIP: userNodeI.StaticNode.AddressIPNet4(),
DstIP: net.IPNet{
IP: peer.Address.IP,
Mask: net.CIDRMask(32, 32),
},
AllowedProtocol: policy.Proto,
AllowedPorts: policy.Port,
Allow: true,
})
}
}
}
if userNodeI.StaticNode.Address6 != "" {
rules = append(rules, models.FwRule{
SrcIP: userNodeI.StaticNode.AddressIPNet6(),
DstIP: net.IPNet{
IP: peer.Address6.IP,
Mask: net.CIDRMask(128, 128),
},
Allow: true,
})
if !defaultUserPolicy.Enabled {
for _, policy := range allowedPolicies {
rules = append(rules, models.FwRule{
SrcIP: userNodeI.StaticNode.AddressIPNet6(),
DstIP: net.IPNet{
IP: peer.Address6.IP,
Mask: net.CIDRMask(128, 128),
},
AllowedProtocol: policy.Proto,
AllowedPorts: policy.Port,
Allow: true,
})
}
}
}
}
}
}
}
@@ -564,21 +592,48 @@ func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
if peer.StaticNode.ClientID == nodeI.StaticNode.ClientID || peer.IsUserNode {
continue
}
if IsNodeAllowedToCommunicate(nodeI, peer, true) {
if ok, allowedPolicies := IsNodeAllowedToCommunicate(nodeI, peer, true); ok {
if peer.IsStatic {
if nodeI.StaticNode.Address != "" {
rules = append(rules, models.FwRule{
SrcIP: nodeI.StaticNode.AddressIPNet4(),
DstIP: peer.StaticNode.AddressIPNet4(),
Allow: true,
})
for _, policy := range allowedPolicies {
rules = append(rules, models.FwRule{
SrcIP: nodeI.StaticNode.AddressIPNet4(),
DstIP: peer.StaticNode.AddressIPNet4(),
AllowedProtocol: policy.Proto,
AllowedPorts: policy.Port,
Allow: true,
})
if policy.AllowedDirection == models.TrafficDirectionBi {
rules = append(rules, models.FwRule{
SrcIP: peer.StaticNode.AddressIPNet4(),
DstIP: nodeI.StaticNode.AddressIPNet4(),
AllowedProtocol: policy.Proto,
AllowedPorts: policy.Port,
Allow: true,
})
}
}
}
if nodeI.StaticNode.Address6 != "" {
rules = append(rules, models.FwRule{
SrcIP: nodeI.StaticNode.AddressIPNet6(),
DstIP: peer.StaticNode.AddressIPNet6(),
Allow: true,
})
for _, policy := range allowedPolicies {
rules = append(rules, models.FwRule{
SrcIP: nodeI.StaticNode.AddressIPNet6(),
DstIP: peer.StaticNode.AddressIPNet6(),
AllowedProtocol: policy.Proto,
AllowedPorts: policy.Port,
Allow: true,
})
if policy.AllowedDirection == models.TrafficDirectionBi {
rules = append(rules, models.FwRule{
SrcIP: peer.StaticNode.AddressIPNet6(),
DstIP: nodeI.StaticNode.AddressIPNet6(),
AllowedProtocol: policy.Proto,
AllowedPorts: policy.Port,
Allow: true,
})
}
}
}
if len(peer.StaticNode.ExtraAllowedIPs) > 0 {
for _, additionalAllowedIPNet := range peer.StaticNode.ExtraAllowedIPs {
@@ -605,24 +660,56 @@ func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
}
} else {
if nodeI.StaticNode.Address != "" {
rules = append(rules, models.FwRule{
SrcIP: nodeI.StaticNode.AddressIPNet4(),
DstIP: net.IPNet{
IP: peer.Address.IP,
Mask: net.CIDRMask(32, 32),
},
Allow: true,
})
for _, policy := range allowedPolicies {
rules = append(rules, models.FwRule{
SrcIP: nodeI.StaticNode.AddressIPNet4(),
DstIP: net.IPNet{
IP: peer.Address.IP,
Mask: net.CIDRMask(32, 32),
},
AllowedProtocol: policy.Proto,
AllowedPorts: policy.Port,
Allow: true,
})
if policy.AllowedDirection == models.TrafficDirectionBi {
rules = append(rules, models.FwRule{
SrcIP: net.IPNet{
IP: peer.Address.IP,
Mask: net.CIDRMask(32, 32),
},
DstIP: nodeI.StaticNode.AddressIPNet4(),
AllowedProtocol: policy.Proto,
AllowedPorts: policy.Port,
Allow: true,
})
}
}
}
if nodeI.StaticNode.Address6 != "" {
rules = append(rules, models.FwRule{
SrcIP: nodeI.StaticNode.AddressIPNet6(),
DstIP: net.IPNet{
IP: peer.Address6.IP,
Mask: net.CIDRMask(128, 128),
},
Allow: true,
})
for _, policy := range allowedPolicies {
rules = append(rules, models.FwRule{
SrcIP: nodeI.StaticNode.AddressIPNet6(),
DstIP: net.IPNet{
IP: peer.Address6.IP,
Mask: net.CIDRMask(128, 128),
},
AllowedProtocol: policy.Proto,
AllowedPorts: policy.Port,
Allow: true,
})
if policy.AllowedDirection == models.TrafficDirectionBi {
rules = append(rules, models.FwRule{
SrcIP: net.IPNet{
IP: peer.Address6.IP,
Mask: net.CIDRMask(128, 128),
},
DstIP: nodeI.StaticNode.AddressIPNet6(),
AllowedProtocol: policy.Proto,
AllowedPorts: policy.Port,
Allow: true,
})
}
}
}
}
@@ -650,11 +737,11 @@ func GetExtPeers(node, peer *models.Node) ([]wgtypes.PeerConfig, []models.IDandA
continue
}
if extPeer.RemoteAccessClientID == "" {
if !IsNodeAllowedToCommunicate(extPeer.ConvertToStaticNode(), *peer, true) {
if ok, _ := IsNodeAllowedToCommunicate(extPeer.ConvertToStaticNode(), *peer, true); !ok {
continue
}
} else {
if !IsUserAllowedToCommunicate(extPeer.OwnerID, *peer) {
if ok, _ := IsUserAllowedToCommunicate(extPeer.OwnerID, *peer); !ok {
continue
}
}
@@ -739,7 +826,7 @@ func getExtpeerEgressRanges(node models.Node) (ranges, ranges6 []net.IPNet) {
if len(extPeer.ExtraAllowedIPs) == 0 {
continue
}
if !IsNodeAllowedToCommunicate(extPeer.ConvertToStaticNode(), node, true) {
if ok, _ := IsNodeAllowedToCommunicate(extPeer.ConvertToStaticNode(), node, true); !ok {
continue
}
for _, allowedRange := range extPeer.ExtraAllowedIPs {
@@ -766,7 +853,7 @@ func getExtpeersExtraRoutes(node models.Node) (egressRoutes []models.EgressNetwo
if len(extPeer.ExtraAllowedIPs) == 0 {
continue
}
if !IsNodeAllowedToCommunicate(extPeer.ConvertToStaticNode(), node, true) {
if ok, _ := IsNodeAllowedToCommunicate(extPeer.ConvertToStaticNode(), node, true); !ok {
continue
}
egressRoutes = append(egressRoutes, getExtPeerEgressRoute(node, extPeer)...)