add allow rules for nodes

This commit is contained in:
abhishek9686
2024-10-23 13:19:16 +04:00
parent dc7e262602
commit ffb75fa6c1
2 changed files with 77 additions and 29 deletions


@@ -449,6 +449,9 @@ func IsUserAllowedToCommunicate(userName string, peer models.Node) bool {
peer = peer.StaticNode.ConvertToStaticNode() peer = peer.StaticNode.ConvertToStaticNode()
} }
policies := listPoliciesOfUser(*user, models.NetworkID(peer.Network)) policies := listPoliciesOfUser(*user, models.NetworkID(peer.Network))
if userName == "abhi-rac" {
fmt.Printf("=====> POLICIES: %+v\n", policies)
}
for _, policy := range policies { for _, policy := range policies {
if !policy.Enabled { if !policy.Enabled {
continue continue
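Review bot: The added `fmt.Printf("=====> POLICIES: %+v\n", policies)` guarded by `userName == "abhi-rac"` is a leftover debug probe inside an authorization check, keyed on a hard-coded account name, and it dumps the full policy objects to stdout on every peer evaluation for that user. It should not reach main: delete the three added lines, or if policy visibility is genuinely needed while debugging, emit it at debug level through the project's logger without the literal username. IsUserAllowedToCommunicate starts and ends outside this hunk, so there may be other leftovers nearby that the diff does not show.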


@@ -417,19 +417,24 @@ func GetStaticNodeIps(node models.Node) (ips []net.IP) {
func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) { func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
// fetch user access to static clients via policies // fetch user access to static clients via policies
extclients := GetStaticNodesByNetwork(models.NetworkID(node.Network), true) nodes, _ := GetNetworkNodes(node.Network)
nodes = append(nodes, GetStaticNodesByNetwork(models.NetworkID(node.Network), true)...)
userNodes := GetStaticUserNodesByNetwork(models.NetworkID(node.Network)) userNodes := GetStaticUserNodesByNetwork(models.NetworkID(node.Network))
for _, userNodeI := range userNodes { for _, userNodeI := range userNodes {
for _, extclient := range extclients { for _, peer := range nodes {
if IsUserAllowedToCommunicate(userNodeI.StaticNode.OwnerID, extclient) { if peer.IsUserNode {
continue
}
if IsUserAllowedToCommunicate(userNodeI.StaticNode.OwnerID, peer) {
if peer.IsStatic {
if userNodeI.StaticNode.Address != "" { if userNodeI.StaticNode.Address != "" {
rules = append(rules, models.FwRule{ rules = append(rules, models.FwRule{
SrcIp: userNodeI.StaticNode.AddressIPNet4().IP, SrcIp: userNodeI.StaticNode.AddressIPNet4().IP,
DstIP: extclient.StaticNode.AddressIPNet4().IP, DstIP: peer.StaticNode.AddressIPNet4().IP,
Allow: true, Allow: true,
}) })
rules = append(rules, models.FwRule{ rules = append(rules, models.FwRule{
SrcIp: extclient.StaticNode.AddressIPNet4().IP, SrcIp: peer.StaticNode.AddressIPNet4().IP,
DstIP: userNodeI.StaticNode.AddressIPNet4().IP, DstIP: userNodeI.StaticNode.AddressIPNet4().IP,
Allow: true, Allow: true,
}) })
@@ -437,22 +442,52 @@ func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
if userNodeI.StaticNode.Address6 != "" { if userNodeI.StaticNode.Address6 != "" {
rules = append(rules, models.FwRule{ rules = append(rules, models.FwRule{
SrcIp: userNodeI.StaticNode.AddressIPNet6().IP, SrcIp: userNodeI.StaticNode.AddressIPNet6().IP,
DstIP: extclient.StaticNode.AddressIPNet6().IP, DstIP: peer.StaticNode.AddressIPNet6().IP,
Allow: true, Allow: true,
}) })
rules = append(rules, models.FwRule{ rules = append(rules, models.FwRule{
SrcIp: extclient.StaticNode.AddressIPNet6().IP, SrcIp: peer.StaticNode.AddressIPNet6().IP,
DstIP: userNodeI.StaticNode.AddressIPNet6().IP, DstIP: userNodeI.StaticNode.AddressIPNet6().IP,
Allow: true, Allow: true,
}) })
} }
} else {
if userNodeI.StaticNode.Address != "" {
rules = append(rules, models.FwRule{
SrcIp: userNodeI.StaticNode.AddressIPNet4().IP,
DstIP: peer.Address.IP,
Allow: true,
})
// rules = append(rules, models.FwRule{
// SrcIp: peer.Address.IP,
// DstIP: userNodeI.StaticNode.AddressIPNet4().IP,
// Allow: true,
// })
}
if userNodeI.StaticNode.Address6 != "" {
rules = append(rules, models.FwRule{
SrcIp: userNodeI.StaticNode.AddressIPNet6().IP,
DstIP: peer.Address6.IP,
Allow: true,
})
// rules = append(rules, models.FwRule{
// SrcIp: peer.Address6.IP,
// DstIP: userNodeI.StaticNode.AddressIPNet6().IP,
// Allow: true,
// })
}
}
} }
} }
} }
for _, extclientI := range extclients { for _, extclientI := range nodes {
for _, extclient := range extclients { if !extclientI.IsStatic || extclientI.IsUserNode {
if extclient.StaticNode.ClientID == extclientI.StaticNode.ClientID { continue
}
for _, extclient := range nodes {
if extclient.StaticNode.ClientID == extclientI.StaticNode.ClientID || extclient.IsUserNode {
continue continue
} }
if IsNodeAllowedToCommunicate(extclientI, extclient) { if IsNodeAllowedToCommunicate(extclientI, extclient) {
@@ -462,6 +497,11 @@ func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
DstIP: extclient.StaticNode.AddressIPNet4().IP, DstIP: extclient.StaticNode.AddressIPNet4().IP,
Allow: true, Allow: true,
}) })
// rules = append(rules, models.FwRule{
// SrcIp: extclient.StaticNode.AddressIPNet4().IP,
// DstIP: extclientI.StaticNode.AddressIPNet4().IP,
// Allow: true,
// })
} }
if extclientI.StaticNode.Address6 != "" { if extclientI.StaticNode.Address6 != "" {
rules = append(rules, models.FwRule{ rules = append(rules, models.FwRule{
@@ -469,6 +509,11 @@ func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
DstIP: extclient.StaticNode.AddressIPNet6().IP, DstIP: extclient.StaticNode.AddressIPNet6().IP,
Allow: true, Allow: true,
}) })
// rules = append(rules, models.FwRule{
// SrcIp: extclient.StaticNode.AddressIPNet6().IP,
// DstIP: extclientI.StaticNode.AddressIPNet6().IP,
// Allow: true,
// })
} }
} }
} }
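Review bot: The inner loop `for _, extclient := range nodes {` now ranges over regular network nodes as well as static clients, but the guard `if extclient.StaticNode.ClientID == extclientI.StaticNode.ClientID || extclient.IsUserNode {` never skips a non-static peer, so a node with a zero-valued StaticNode falls through to `IsNodeAllowedToCommunicate` and then to `extclient.StaticNode.AddressIPNet4().IP` / `AddressIPNet6().IP` in the last two hunks, which for a node that has no static-client address presumably yields a nil or unintended DstIP in an allow rule. The first loop already handles this by branching on `peer.IsStatic` and using `peer.Address.IP` for network nodes; the second loop should either mirror that branch or at least extend the guard to `... || extclient.IsUserNode || !extclient.IsStatic {`. Separately, `nodes, _ := GetNetworkNodes(node.Network)` discards the lookup error, so a failed fetch silently produces a rule set with no node peers and no log line; logging it before continuing would make that failure visible. The four commented-out reverse-direction `rules = append(...)` blocks should be removed or replaced by a one-line comment stating why only the user-to-peer direction is allowed, and note that GetFwRulesOnIngressGateway's closing brace lies beyond the last hunk.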