Change name from forward to unsafe

firewall.go

@@ -23,7 +23,7 @@ import (
 )
 
 type FirewallInterface interface {
-	AddRule(forward, incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, cidr, localCidr string, caName string, caSha string) error
+	AddRule(unsafe, incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, cidr, localCidr string, caName string, caSha string) error
 }
 
 type conn struct {
@@ -31,7 +31,7 @@ type conn struct {
 
 	// record why the original connection passed the firewall, so we can re-validate after ruleset changes.
 	incoming     bool
-	forward      bool
+	unsafe       bool
 	rulesVersion uint16
 }
 
@@ -39,10 +39,10 @@ type conn struct {
 type Firewall struct {
 	Conntrack *FirewallConntrack
 
-	InRules         *FirewallTable
-	OutRules        *FirewallTable
-	ForwardInRules  *FirewallTable
-	ForwardOutRules *FirewallTable
+	InRules        *FirewallTable
+	OutRules       *FirewallTable
+	UnsafeInRules  *FirewallTable
+	UnsafeOutRules *FirewallTable
 
 	InSendReject  bool
 	OutSendReject bool
@@ -170,8 +170,8 @@ func NewFirewall(l *logrus.Logger, tcpTimeout, UDPTimeout, defaultTimeout time.D
 		},
 		InRules:           newFirewallTable(),
 		OutRules:          newFirewallTable(),
-		ForwardInRules:    newFirewallTable(),
-		ForwardOutRules:   newFirewallTable(),
+		UnsafeInRules:     newFirewallTable(),
+		UnsafeOutRules:    newFirewallTable(),
 		TCPTimeout:        tcpTimeout,
 		UDPTimeout:        UDPTimeout,
 		DefaultTimeout:    defaultTimeout,
@@ -214,7 +214,7 @@ func NewFirewallFromConfig(l *logrus.Logger, cs *CertState, c *config.C) (*Firew
 
 	fw.defaultLocalCIDRAny = c.GetBool("firewall.default_local_cidr_any", false)
 
-	//TODO: do we also need firewall.forward_inbound_action and firewall.forward_outbound_action?
+	//TODO: do we also need firewall.unsafe_inbound_action and firewall.unsafe_outbound_action?
 	inboundAction := c.GetString("firewall.inbound_action", "drop")
 	switch inboundAction {
 	case "reject":
@@ -261,11 +261,11 @@ func NewFirewallFromConfig(l *logrus.Logger, cs *CertState, c *config.C) (*Firew
 }
 
 // AddRule properly creates the in memory rule structure for a firewall table.
-func (f *Firewall) AddRule(forward, incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, cidr, localCidr, caName string, caSha string) error {
+func (f *Firewall) AddRule(unsafe, incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, cidr, localCidr, caName string, caSha string) error {
 	// We need this rule string because we generate a hash. Removing this will break firewall reload.
 	ruleString := fmt.Sprintf(
-		"forward: %v, incoming: %v, proto: %v, startPort: %v, endPort: %v, groups: %v, host: %v, ip: %v, localIp: %v, caName: %v, caSha: %s",
-		forward, incoming, proto, startPort, endPort, groups, host, cidr, localCidr, caName, caSha,
+		"unsafe: %v, incoming: %v, proto: %v, startPort: %v, endPort: %v, groups: %v, host: %v, ip: %v, localIp: %v, caName: %v, caSha: %s",
+		unsafe, incoming, proto, startPort, endPort, groups, host, cidr, localCidr, caName, caSha,
 	)
 	f.rules += ruleString + "\n"
 
@@ -275,8 +275,8 @@ func (f *Firewall) AddRule(forward, incoming bool, proto uint8, startPort int32,
 	}
 
 	fields := m{"direction": direction, "proto": proto, "startPort": startPort, "endPort": endPort, "groups": groups, "host": host, "cidr": cidr, "localCidr": localCidr, "caName": caName, "caSha": caSha}
-	if forward {
-		fields["forward"] = true
+	if unsafe {
+		fields["unsafe"] = true
 	}
 	f.l.WithField("firewallRule", fields).Info("Firewall rule added")
 
@@ -286,15 +286,15 @@ func (f *Firewall) AddRule(forward, incoming bool, proto uint8, startPort int32,
 	)
 
 	if incoming {
-		if forward {
-			ft = f.ForwardInRules
+		if unsafe {
+			ft = f.UnsafeInRules
 		} else {
 			ft = f.InRules
 		}
 
 	} else {
-		if forward {
-			ft = f.ForwardOutRules
+		if unsafe {
+			ft = f.UnsafeOutRules
 		} else {
 			ft = f.OutRules
 		}
@@ -334,18 +334,18 @@ func (f *Firewall) GetRuleHashes() string {
 	return "SHA:" + f.GetRuleHash() + ",FNV:" + strconv.FormatUint(uint64(f.GetRuleHashFNV()), 10)
 }
 
-func AddFirewallRulesFromConfig(l *logrus.Logger, forward, inbound bool, c *config.C, fw FirewallInterface) error {
+func AddFirewallRulesFromConfig(l *logrus.Logger, unsafe, inbound bool, c *config.C, fw FirewallInterface) error {
 	var table string
 	if inbound {
-		if forward {
-			table = "firewall.forward_inbound"
+		if unsafe {
+			table = "firewall.unsafe_inbound"
 		} else {
 			table = "firewall.inbound"
 		}
 
 	} else {
-		if forward {
-			table = "firewall.forward_outbound"
+		if unsafe {
+			table = "firewall.unsafe_outbound"
 		} else {
 			table = "firewall.outbound"
 		}
@@ -421,7 +421,7 @@ func AddFirewallRulesFromConfig(l *logrus.Logger, forward, inbound bool, c *conf
 			l.Warnf("%s rule #%v; %s", table, i, warning)
 		}
 
-		err = fw.AddRule(forward, inbound, proto, startPort, endPort, r.Groups, r.Host, r.Cidr, r.LocalCidr, r.CAName, r.CASha)
+		err = fw.AddRule(unsafe, inbound, proto, startPort, endPort, r.Groups, r.Host, r.Cidr, r.LocalCidr, r.CAName, r.CASha)
 		if err != nil {
 			return fmt.Errorf("%s rule #%v; `%s`", table, i, err)
 		}
@@ -482,18 +482,18 @@ func (f *Firewall) Drop(fp firewall.Packet, incoming bool, h *HostInfo, caPool *
 		return ErrInvalidLocalIP
 	}
 
-	useForward := remoteNetworkType == NetworkTypeUnsafe || localNetworkType == NetworkTypeUnsafe
+	useUnsafe := remoteNetworkType == NetworkTypeUnsafe || localNetworkType == NetworkTypeUnsafe
 
 	var table *FirewallTable
 	if incoming {
-		if useForward {
-			table = f.ForwardInRules
+		if useUnsafe {
+			table = f.UnsafeInRules
 		} else {
 			table = f.InRules
 		}
 	} else {
-		if useForward {
-			table = f.ForwardOutRules
+		if useUnsafe {
+			table = f.UnsafeOutRules
 		} else {
 			table = f.OutRules
 		}
@@ -506,13 +506,13 @@ func (f *Firewall) Drop(fp firewall.Packet, incoming bool, h *HostInfo, caPool *
 	}
 
 	// We always want to conntrack since it is a faster operation
-	f.addConn(fp, useForward, incoming)
+	f.addConn(fp, useUnsafe, incoming)
 
 	return nil
 }
 
 func (f *Firewall) metrics(incoming bool) firewallMetrics {
-	//TODO: need forward metrics too
+	//TODO: need unsafe metrics too
 	if incoming {
 		return f.incomingMetrics
 	} else {
@@ -562,14 +562,14 @@ func (f *Firewall) inConns(fp firewall.Packet, h *HostInfo, caPool *cert.CAPool,
 		// it still passes with the current rule set
 		var table *FirewallTable
 		if c.incoming {
-			if c.forward {
-				table = f.ForwardInRules
+			if c.unsafe {
+				table = f.UnsafeInRules
 			} else {
 				table = f.InRules
 			}
 		} else {
-			if c.forward {
-				table = f.ForwardOutRules
+			if c.unsafe {
+				table = f.UnsafeOutRules
 			} else {
 				table = f.OutRules
 			}
@@ -581,7 +581,7 @@ func (f *Firewall) inConns(fp firewall.Packet, h *HostInfo, caPool *cert.CAPool,
 				h.logger(f.l).
 					WithField("fwPacket", fp).
 					WithField("incoming", c.incoming).
-					WithField("forward", c.forward).
+					WithField("unsafe", c.unsafe).
 					WithField("rulesVersion", f.rulesVersion).
 					WithField("oldRulesVersion", c.rulesVersion).
 					Debugln("dropping old conntrack entry, does not match new ruleset")
@@ -595,7 +595,7 @@ func (f *Firewall) inConns(fp firewall.Packet, h *HostInfo, caPool *cert.CAPool,
 			h.logger(f.l).
 				WithField("fwPacket", fp).
 				WithField("incoming", c.incoming).
-				WithField("forward", c.forward).
+				WithField("unsafe", c.unsafe).
 				WithField("rulesVersion", f.rulesVersion).
 				WithField("oldRulesVersion", c.rulesVersion).
 				Debugln("keeping old conntrack entry, does match new ruleset")
@@ -622,7 +622,7 @@ func (f *Firewall) inConns(fp firewall.Packet, h *HostInfo, caPool *cert.CAPool,
 	return true
 }
 
-func (f *Firewall) addConn(fp firewall.Packet, forward, incoming bool) {
+func (f *Firewall) addConn(fp firewall.Packet, unsafe, incoming bool) {
 	var timeout time.Duration
 	c := &conn{}
 
@@ -645,7 +645,7 @@ func (f *Firewall) addConn(fp firewall.Packet, forward, incoming bool) {
 	// Record which rulesVersion allowed this connection, so we can retest after
 	// firewall reload
 	c.incoming = incoming
-	c.forward = forward
+	c.unsafe = unsafe
 	c.rulesVersion = f.rulesVersion
 	c.Expires = time.Now().Add(timeout)
 	conntrack.Conns[fp] = c

firewall_test.go

@@ -1356,7 +1356,7 @@ type mockFirewall struct {
 	nextCallReturn error
 }
 
-func (mf *mockFirewall) AddRule(forward, incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, ip, localIp, caName string, caSha string) error {
+func (mf *mockFirewall) AddRule(unsafe, incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, ip, localIp, caName string, caSha string) error {
 	mf.lastCall = addRuleCall{
 		incoming:  incoming,
 		proto:     proto,