Home Explore Help
Sign In
golang
/
nebula
mirror of https://github.com/slackhq/nebula
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Change name from forward to unsafe

Nate Brown 3 weeks ago
parent
281a9017ce
commit
c69b009650
2 changed files with 40 additions and 40 deletions
Split View Show Diff Stats
  1. 39 39
      firewall.go
  2. 1 1
      firewall_test.go

+ 39 - 39
firewall.go
View File 

@@ -23,7 +23,7 @@ import (
 
 )
 
 
 type FirewallInterface interface {
 
-	AddRule(forward, incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, cidr, localCidr string, caName string, caSha string) error
 
+	AddRule(unsafe, incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, cidr, localCidr string, caName string, caSha string) error
 
 }
 
 
 type conn struct {
 
@@ -31,7 +31,7 @@ type conn struct {
 
 
 	// record why the original connection passed the firewall, so we can re-validate after ruleset changes.
 
 	incoming     bool
 
-	forward      bool
 
+	unsafe       bool
 
 	rulesVersion uint16
 
 }
 
 
@@ -39,10 +39,10 @@ type conn struct {
 
 type Firewall struct {
 
 	Conntrack *FirewallConntrack
 
 
-	InRules         *FirewallTable
 
-	OutRules        *FirewallTable
 
-	ForwardInRules  *FirewallTable
 
-	ForwardOutRules *FirewallTable
 
+	InRules        *FirewallTable
 
+	OutRules       *FirewallTable
 
+	UnsafeInRules  *FirewallTable
 
+	UnsafeOutRules *FirewallTable
 
 
 	InSendReject  bool
 
 	OutSendReject bool
 
@@ -170,8 +170,8 @@ func NewFirewall(l *logrus.Logger, tcpTimeout, UDPTimeout, defaultTimeout time.D
 
 		},
 
 		InRules:           newFirewallTable(),
 
 		OutRules:          newFirewallTable(),
 
-		ForwardInRules:    newFirewallTable(),
 
-		ForwardOutRules:   newFirewallTable(),
 
+		UnsafeInRules:     newFirewallTable(),
 
+		UnsafeOutRules:    newFirewallTable(),
 
 		TCPTimeout:        tcpTimeout,
 
 		UDPTimeout:        UDPTimeout,
 
 		DefaultTimeout:    defaultTimeout,
 
@@ -214,7 +214,7 @@ func NewFirewallFromConfig(l *logrus.Logger, cs *CertState, c *config.C) (*Firew
 
 
 	fw.defaultLocalCIDRAny = c.GetBool("firewall.default_local_cidr_any", false)
 
 
-	//TODO: do we also need firewall.forward_inbound_action and firewall.forward_outbound_action?
 
+	//TODO: do we also need firewall.unsafe_inbound_action and firewall.unsafe_outbound_action?
 
 	inboundAction := c.GetString("firewall.inbound_action", "drop")
 
 	switch inboundAction {
 
 	case "reject":
 
@@ -261,11 +261,11 @@ func NewFirewallFromConfig(l *logrus.Logger, cs *CertState, c *config.C) (*Firew
 
 }
 
 
 // AddRule properly creates the in memory rule structure for a firewall table.
 
-func (f *Firewall) AddRule(forward, incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, cidr, localCidr, caName string, caSha string) error {
 
+func (f *Firewall) AddRule(unsafe, incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, cidr, localCidr, caName string, caSha string) error {
 
 	// We need this rule string because we generate a hash. Removing this will break firewall reload.
 
 	ruleString := fmt.Sprintf(
 
-		"forward: %v, incoming: %v, proto: %v, startPort: %v, endPort: %v, groups: %v, host: %v, ip: %v, localIp: %v, caName: %v, caSha: %s",
 
-		forward, incoming, proto, startPort, endPort, groups, host, cidr, localCidr, caName, caSha,
 
+		"unsafe: %v, incoming: %v, proto: %v, startPort: %v, endPort: %v, groups: %v, host: %v, ip: %v, localIp: %v, caName: %v, caSha: %s",
 
+		unsafe, incoming, proto, startPort, endPort, groups, host, cidr, localCidr, caName, caSha,
 
 	)
 
 	f.rules += ruleString + "\n"
 
 
@@ -275,8 +275,8 @@ func (f *Firewall) AddRule(forward, incoming bool, proto uint8, startPort int32,
 
 	}
 
 
 	fields := m{"direction": direction, "proto": proto, "startPort": startPort, "endPort": endPort, "groups": groups, "host": host, "cidr": cidr, "localCidr": localCidr, "caName": caName, "caSha": caSha}
 
-	if forward {
 
-		fields["forward"] = true
 
+	if unsafe {
 
+		fields["unsafe"] = true
 
 	}
 
 	f.l.WithField("firewallRule", fields).Info("Firewall rule added")
 
 
@@ -286,15 +286,15 @@ func (f *Firewall) AddRule(forward, incoming bool, proto uint8, startPort int32,
 
 	)
 
 
 	if incoming {
 
-		if forward {
 
-			ft = f.ForwardInRules
 
+		if unsafe {
 
+			ft = f.UnsafeInRules
 
 		} else {
 
 			ft = f.InRules
 
 		}
 
 
 	} else {
 
-		if forward {
 
-			ft = f.ForwardOutRules
 
+		if unsafe {
 
+			ft = f.UnsafeOutRules
 
 		} else {
 
 			ft = f.OutRules
 
 		}
 
@@ -334,18 +334,18 @@ func (f *Firewall) GetRuleHashes() string {
 
 	return "SHA:" + f.GetRuleHash() + ",FNV:" + strconv.FormatUint(uint64(f.GetRuleHashFNV()), 10)
 
 }
 
 
-func AddFirewallRulesFromConfig(l *logrus.Logger, forward, inbound bool, c *config.C, fw FirewallInterface) error {
 
+func AddFirewallRulesFromConfig(l *logrus.Logger, unsafe, inbound bool, c *config.C, fw FirewallInterface) error {
 
 	var table string
 
 	if inbound {
 
-		if forward {
 
-			table = "firewall.forward_inbound"
 
+		if unsafe {
 
+			table = "firewall.unsafe_inbound"
 
 		} else {
 
 			table = "firewall.inbound"
 
 		}
 
 
 	} else {
 
-		if forward {
 
-			table = "firewall.forward_outbound"
 
+		if unsafe {
 
+			table = "firewall.unsafe_outbound"
 
 		} else {
 
 			table = "firewall.outbound"
 
 		}
 
@@ -421,7 +421,7 @@ func AddFirewallRulesFromConfig(l *logrus.Logger, forward, inbound bool, c *conf
 
 			l.Warnf("%s rule #%v; %s", table, i, warning)
 
 		}
 
 
-		err = fw.AddRule(forward, inbound, proto, startPort, endPort, r.Groups, r.Host, r.Cidr, r.LocalCidr, r.CAName, r.CASha)
 
+		err = fw.AddRule(unsafe, inbound, proto, startPort, endPort, r.Groups, r.Host, r.Cidr, r.LocalCidr, r.CAName, r.CASha)
 
 		if err != nil {
 
 			return fmt.Errorf("%s rule #%v; `%s`", table, i, err)
 
 		}
 
@@ -482,18 +482,18 @@ func (f *Firewall) Drop(fp firewall.Packet, incoming bool, h *HostInfo, caPool *
 
 		return ErrInvalidLocalIP
 
 	}
 
 
-	useForward := remoteNetworkType == NetworkTypeUnsafe || localNetworkType == NetworkTypeUnsafe
 
+	useUnsafe := remoteNetworkType == NetworkTypeUnsafe || localNetworkType == NetworkTypeUnsafe
 
 
 	var table *FirewallTable
 
 	if incoming {
 
-		if useForward {
 
-			table = f.ForwardInRules
 
+		if useUnsafe {
 
+			table = f.UnsafeInRules
 
 		} else {
 
 			table = f.InRules
 
 		}
 
 	} else {
 
-		if useForward {
 
-			table = f.ForwardOutRules
 
+		if useUnsafe {
 
+			table = f.UnsafeOutRules
 
 		} else {
 
 			table = f.OutRules
 
 		}
 
@@ -506,13 +506,13 @@ func (f *Firewall) Drop(fp firewall.Packet, incoming bool, h *HostInfo, caPool *
 
 	}
 
 
 	// We always want to conntrack since it is a faster operation
 
-	f.addConn(fp, useForward, incoming)
 
+	f.addConn(fp, useUnsafe, incoming)
 
 
 	return nil
 
 }
 
 
 func (f *Firewall) metrics(incoming bool) firewallMetrics {
 
-	//TODO: need forward metrics too
 
+	//TODO: need unsafe metrics too
 
 	if incoming {
 
 		return f.incomingMetrics
 
 	} else {
 
@@ -562,14 +562,14 @@ func (f *Firewall) inConns(fp firewall.Packet, h *HostInfo, caPool *cert.CAPool,
 
 		// it still passes with the current rule set
 
 		var table *FirewallTable
 
 		if c.incoming {
 
-			if c.forward {
 
-				table = f.ForwardInRules
 
+			if c.unsafe {
 
+				table = f.UnsafeInRules
 
 			} else {
 
 				table = f.InRules
 
 			}
 
 		} else {
 
-			if c.forward {
 
-				table = f.ForwardOutRules
 
+			if c.unsafe {
 
+				table = f.UnsafeOutRules
 
 			} else {
 
 				table = f.OutRules
 
 			}
 
@@ -581,7 +581,7 @@ func (f *Firewall) inConns(fp firewall.Packet, h *HostInfo, caPool *cert.CAPool,
 
 				h.logger(f.l).
 
 					WithField("fwPacket", fp).
 
 					WithField("incoming", c.incoming).
 
-					WithField("forward", c.forward).
 
+					WithField("unsafe", c.unsafe).
 
 					WithField("rulesVersion", f.rulesVersion).
 
 					WithField("oldRulesVersion", c.rulesVersion).
 
 					Debugln("dropping old conntrack entry, does not match new ruleset")
 
@@ -595,7 +595,7 @@ func (f *Firewall) inConns(fp firewall.Packet, h *HostInfo, caPool *cert.CAPool,
 
 			h.logger(f.l).
 
 				WithField("fwPacket", fp).
 
 				WithField("incoming", c.incoming).
 
-				WithField("forward", c.forward).
 
+				WithField("unsafe", c.unsafe).
 
 				WithField("rulesVersion", f.rulesVersion).
 
 				WithField("oldRulesVersion", c.rulesVersion).
 
 				Debugln("keeping old conntrack entry, does match new ruleset")
 
@@ -622,7 +622,7 @@ func (f *Firewall) inConns(fp firewall.Packet, h *HostInfo, caPool *cert.CAPool,
 
 	return true
 
 }
 
 
-func (f *Firewall) addConn(fp firewall.Packet, forward, incoming bool) {
 
+func (f *Firewall) addConn(fp firewall.Packet, unsafe, incoming bool) {
 
 	var timeout time.Duration
 
 	c := &conn{}
 
 
@@ -645,7 +645,7 @@ func (f *Firewall) addConn(fp firewall.Packet, forward, incoming bool) {
 
 	// Record which rulesVersion allowed this connection, so we can retest after
 
 	// firewall reload
 
 	c.incoming = incoming
 
-	c.forward = forward
 
+	c.unsafe = unsafe
 
 	c.rulesVersion = f.rulesVersion
 
 	c.Expires = time.Now().Add(timeout)
 
 	conntrack.Conns[fp] = c

+ 1 - 1
firewall_test.go
View File 

@@ -1356,7 +1356,7 @@ type mockFirewall struct {
 
 	nextCallReturn error
 
 }
 
 
-func (mf *mockFirewall) AddRule(forward, incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, ip, localIp, caName string, caSha string) error {
 
+func (mf *mockFirewall) AddRule(unsafe, incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, ip, localIp, caName string, caSha string) error {
 
 	mf.lastCall = addRuleCall{
 
 		incoming:  incoming,
 
 		proto:     proto,