|
|
@@ -1,6 +1,7 @@
|
|
|
package logic
|
|
|
|
|
|
import (
|
|
|
+ "errors"
|
|
|
"fmt"
|
|
|
"log"
|
|
|
"net"
|
|
|
@@ -9,216 +10,25 @@ import (
|
|
|
"time"
|
|
|
|
|
|
"github.com/c-robinson/iplib"
|
|
|
- "github.com/gravitl/netmaker/database"
|
|
|
"github.com/gravitl/netmaker/logger"
|
|
|
- "github.com/gravitl/netmaker/logic/acls"
|
|
|
"github.com/gravitl/netmaker/logic/acls/nodeacls"
|
|
|
"github.com/gravitl/netmaker/models"
|
|
|
"github.com/gravitl/netmaker/servercfg"
|
|
|
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
|
|
|
)
|
|
|
|
|
|
-// GetNodePeers - fetches peers for a given node
|
|
|
-func GetNodePeers(network *models.Network, nodeid string, excludeRelayed bool, isP2S bool) ([]models.Node, error) {
|
|
|
- var peers []models.Node
|
|
|
-
|
|
|
- // networkNodes = all nodes in network
|
|
|
- // egressNetworkNodes = all egress gateways in network
|
|
|
- var networkNodes, egressNetworkNodes, err = getNetworkEgressAndNodes(network.NetID)
|
|
|
- if err != nil {
|
|
|
- return peers, nil
|
|
|
- }
|
|
|
-
|
|
|
- // udppeers = the peers parsed from the local interface
|
|
|
- // gives us correct port to reach
|
|
|
- udppeers, errN := database.GetPeers(network.NetID)
|
|
|
- if errN != nil {
|
|
|
- logger.Log(2, errN.Error())
|
|
|
- }
|
|
|
-
|
|
|
- // gets all the ACL rules
|
|
|
- currentNetworkACLs, aclErr := nodeacls.FetchAllACLs(nodeacls.NetworkID(network.NetID))
|
|
|
- if aclErr != nil {
|
|
|
- return peers, aclErr
|
|
|
- }
|
|
|
-
|
|
|
- /*
|
|
|
- at this point we have 4 lists of node information:
|
|
|
- - networkNodes: all nodes in network (models.Node)
|
|
|
- - egressNetworkNodes: all egress gateways in network (models.Node)
|
|
|
- - udppeers: all peers in database (parsed by server off of active WireGuard interface)
|
|
|
- - currentNetworkACLs: all ACL rules associated with the network
|
|
|
- - peers: a currently empty list that will be filled and returned
|
|
|
-
|
|
|
- */
|
|
|
-
|
|
|
- // we now parse through all networkNodes and format properly to set as "peers"
|
|
|
- for _, node := range networkNodes {
|
|
|
-
|
|
|
- // skip over any node that is disallowed by ACL rules
|
|
|
- if !currentNetworkACLs.IsAllowed(acls.AclID(nodeid), acls.AclID(node.ID)) {
|
|
|
- continue
|
|
|
- }
|
|
|
-
|
|
|
- // create an empty model to fill with peer info
|
|
|
- var peer = models.Node{}
|
|
|
-
|
|
|
- // set egress gateway information if it's an egress gateway
|
|
|
- if node.IsEgressGateway == "yes" { // handle egress stuff
|
|
|
- peer.EgressGatewayRanges = node.EgressGatewayRanges
|
|
|
- peer.IsEgressGateway = node.IsEgressGateway
|
|
|
- }
|
|
|
-
|
|
|
- // set ingress gateway information
|
|
|
- peer.IsIngressGateway = node.IsIngressGateway
|
|
|
-
|
|
|
- /*
|
|
|
- - similar to ACLs, we must determine if peer is allowed based on Relay information
|
|
|
- - if the nodes is "not relayed" (not behind a relay), it is ok
|
|
|
- - if the node IS relayed, but excludeRelay has not been marked, it is ok
|
|
|
- - excludeRelayed is marked for any node that is NOT a Relay Server
|
|
|
- - therefore, the peer is allowed as long as it is not "relayed", or the node it is being sent to is its relay server
|
|
|
- */
|
|
|
- allow := node.IsRelayed != "yes" || !excludeRelayed
|
|
|
-
|
|
|
- // confirm conditions allow node to be added as peer
|
|
|
- // node should be in same network, not pending, and "allowed" based on above logic
|
|
|
- if node.Network == network.NetID && node.IsPending != "yes" && allow {
|
|
|
-
|
|
|
- // node info is cleansed to remove sensitive info using setPeerInfo
|
|
|
- peer = setPeerInfo(&node)
|
|
|
-
|
|
|
- // Sets ListenPort to UDP Hole Punching Port assuming:
|
|
|
- // - UDP Hole Punching is enabled
|
|
|
- // - udppeers retrieval did not return an error
|
|
|
- // - the endpoint is valid
|
|
|
- if node.UDPHolePunch == "yes" && errN == nil && CheckEndpoint(udppeers[node.PublicKey]) {
|
|
|
- endpointstring := udppeers[node.PublicKey]
|
|
|
- endpointarr := strings.Split(endpointstring, ":")
|
|
|
- if len(endpointarr) == 2 {
|
|
|
- port, err := strconv.Atoi(endpointarr[1])
|
|
|
- if err == nil {
|
|
|
- peer.ListenPort = int32(port)
|
|
|
- }
|
|
|
- }
|
|
|
- }
|
|
|
-
|
|
|
- // if udp hole punching is on, but the node's port is still set to default (e.g. 51821), use the LocalListenPort
|
|
|
- // or, if port is for some reason zero use the LocalListenPort
|
|
|
- // but only do this if LocalListenPort is not zero
|
|
|
- if node.UDPHolePunch == "yes" &&
|
|
|
- ((peer.ListenPort == node.ListenPort || peer.ListenPort == 0) && node.LocalListenPort != 0) {
|
|
|
- peer.ListenPort = node.LocalListenPort
|
|
|
- }
|
|
|
-
|
|
|
- // if the node is a relay, append the network cidr and any relayed egress ranges
|
|
|
- if node.IsRelay == "yes" { // TODO, check if addressrange6 needs to be appended
|
|
|
- peer.AllowedIPs = append(peer.AllowedIPs, network.AddressRange)
|
|
|
- for _, egressNode := range egressNetworkNodes {
|
|
|
- if egressNode.IsRelayed == "yes" && StringSliceContains(node.RelayAddrs, egressNode.Address) {
|
|
|
- peer.AllowedIPs = append(peer.AllowedIPs, egressNode.EgressGatewayRanges...)
|
|
|
- }
|
|
|
- }
|
|
|
- }
|
|
|
-
|
|
|
- // if the node is an ingress gateway, append all the extclient allowedips
|
|
|
- if peer.IsIngressGateway == "yes" { // handle ingress stuff
|
|
|
- if currentExtClients, err := GetExtPeersList(&node); err == nil {
|
|
|
- for i := range currentExtClients {
|
|
|
- if network.IsIPv4 == "yes" && currentExtClients[i].Address != "" {
|
|
|
- peer.AllowedIPs = append(peer.AllowedIPs, currentExtClients[i].Address)
|
|
|
- }
|
|
|
- if network.IsIPv6 == "yes" && currentExtClients[i].Address6 != "" {
|
|
|
- peer.AllowedIPs = append(peer.AllowedIPs, currentExtClients[i].Address6)
|
|
|
- }
|
|
|
- }
|
|
|
- }
|
|
|
- }
|
|
|
-
|
|
|
- // dont appent if this isn't a p2p network or if ACLs disallow
|
|
|
- if (!isP2S || peer.IsHub == "yes") && currentNetworkACLs.IsAllowed(acls.AclID(nodeid), acls.AclID(node.ID)) {
|
|
|
- peers = append(peers, peer)
|
|
|
- }
|
|
|
- }
|
|
|
- }
|
|
|
-
|
|
|
- return peers, err
|
|
|
-}
|
|
|
-
|
|
|
-// GetPeersList - gets the peers of a given network
|
|
|
-func GetPeersList(refnode *models.Node) ([]models.Node, error) {
|
|
|
- var peers []models.Node
|
|
|
- var err error
|
|
|
- var isP2S bool
|
|
|
- var networkName = refnode.Network
|
|
|
- var excludeRelayed = refnode.IsRelay != "yes"
|
|
|
- var relayedNodeAddr string
|
|
|
- if refnode.IsRelayed == "yes" {
|
|
|
- relayedNodeAddr = refnode.Address
|
|
|
- }
|
|
|
-
|
|
|
- network, err := GetNetwork(networkName)
|
|
|
- if err != nil {
|
|
|
- return peers, err
|
|
|
- } else if network.IsPointToSite == "yes" && refnode.IsHub != "yes" {
|
|
|
- isP2S = true
|
|
|
- }
|
|
|
- if refnode.IsRelayed != "yes" {
|
|
|
- // if the node is not being relayed, retrieve peers as normal
|
|
|
- peers, err = GetNodePeers(&network, refnode.ID, excludeRelayed, isP2S)
|
|
|
- } else {
|
|
|
- var relayNode models.Node
|
|
|
- // If this node IS being relayed node, we must first retrieve its relay
|
|
|
- relayNode, err = GetNodeRelay(networkName, relayedNodeAddr)
|
|
|
- if relayNode.Address != "" && err == nil {
|
|
|
- // we must cleanse sensitive info from the relay node
|
|
|
- var peerNode = setPeerInfo(&relayNode)
|
|
|
-
|
|
|
- // we must append the CIDR to the relay so the relayed node can reach the network
|
|
|
- peerNode.AllowedIPs = append(peerNode.AllowedIPs, network.AddressRange)
|
|
|
-
|
|
|
- // we must append the egress ranges to the relay so the relayed node can reach egress
|
|
|
- var _, egressNetworkNodes, err = getNetworkEgressAndNodes(networkName)
|
|
|
- if err == nil {
|
|
|
- for _, egress := range egressNetworkNodes {
|
|
|
- if egress.Address != relayedNodeAddr {
|
|
|
- peerNode.AllowedIPs = append(peerNode.AllowedIPs, egress.EgressGatewayRanges...)
|
|
|
- }
|
|
|
- }
|
|
|
- }
|
|
|
-
|
|
|
- // get the other peers that are behind the Relay
|
|
|
- // we dont want to go through the relay to reach them
|
|
|
- // I'm not sure if this is actually a good call to have this here
|
|
|
- // may want to test without it, I think it may return bad info
|
|
|
- nodepeers, err := GetNodePeers(&network, refnode.ID, false, isP2S)
|
|
|
- if err == nil && peerNode.UDPHolePunch == "yes" {
|
|
|
- for _, nodepeer := range nodepeers {
|
|
|
-
|
|
|
- // im not sure if this is good either
|
|
|
- if nodepeer.Address == peerNode.Address {
|
|
|
- // peerNode.Endpoint = nodepeer.Endpoint
|
|
|
- peerNode.ListenPort = nodepeer.ListenPort
|
|
|
- }
|
|
|
- }
|
|
|
- }
|
|
|
- if !isP2S || peerNode.IsHub == "yes" {
|
|
|
- peers = append(peers, peerNode)
|
|
|
- }
|
|
|
- }
|
|
|
- }
|
|
|
- return peers, err
|
|
|
-}
|
|
|
-
|
|
|
// GetPeerUpdate - gets a wireguard peer config for each peer of a node
|
|
|
func GetPeerUpdate(node *models.Node) (models.PeerUpdate, error) {
|
|
|
var peerUpdate models.PeerUpdate
|
|
|
var peers []wgtypes.PeerConfig
|
|
|
var serverNodeAddresses = []models.ServerAddr{}
|
|
|
- currentPeers, err := GetPeers(node)
|
|
|
+ currentPeers, err := GetNetworkNodes(node.Network)
|
|
|
if err != nil {
|
|
|
return models.PeerUpdate{}, err
|
|
|
}
|
|
|
+ if node.IsRelayed == "yes" {
|
|
|
+ return GetPeerUpdateForRelayedNode(node)
|
|
|
+ }
|
|
|
|
|
|
// #1 Set Keepalive values: set_keepalive
|
|
|
// #2 Set local address: set_local - could be a LOT BETTER and fix some bugs with additional logic
|
|
|
@@ -228,6 +38,14 @@ func GetPeerUpdate(node *models.Node) (models.PeerUpdate, error) {
|
|
|
//skip yourself
|
|
|
continue
|
|
|
}
|
|
|
+ if !nodeacls.AreNodesAllowed(nodeacls.NetworkID(node.Network), nodeacls.NodeID(node.ID), nodeacls.NodeID(peer.ID)) {
|
|
|
+ //skip if not permitted by acl
|
|
|
+ continue
|
|
|
+ }
|
|
|
+ if peer.IsRelayed == "yes" {
|
|
|
+ //skip -- willl be added to relay
|
|
|
+ continue
|
|
|
+ }
|
|
|
pubkey, err := wgtypes.ParseKey(peer.PublicKey)
|
|
|
if err != nil {
|
|
|
return models.PeerUpdate{}, err
|
|
|
@@ -406,6 +224,48 @@ func GetAllowedIPs(node, peer *models.Node) []net.IPNet {
|
|
|
}
|
|
|
}
|
|
|
}
|
|
|
+ // handle ingress gateway peers
|
|
|
+ if peer.IsIngressGateway == "yes" {
|
|
|
+ extPeers, err := getExtPeers(peer)
|
|
|
+ if err != nil {
|
|
|
+ logger.Log(2, "could not retrieve ext peers for ", peer.Name, err.Error())
|
|
|
+ }
|
|
|
+ for _, extPeer := range extPeers {
|
|
|
+ allowedips = append(allowedips, extPeer.AllowedIPs...)
|
|
|
+ }
|
|
|
+ }
|
|
|
+ // handle relay gateway peers
|
|
|
+ if peer.IsRelay == "yes" {
|
|
|
+ for _, ip := range peer.RelayAddrs {
|
|
|
+ //find node ID of relayed peer
|
|
|
+ relayedPeer, err := findNode(ip)
|
|
|
+ if err != nil {
|
|
|
+ logger.Log(0, "failed to find node for ip ", ip, err.Error())
|
|
|
+ }
|
|
|
+ if relayedPeer.ID == node.ID {
|
|
|
+ //skip self
|
|
|
+ continue
|
|
|
+ }
|
|
|
+ //check if acl permits comms
|
|
|
+ if !nodeacls.AreNodesAllowed(nodeacls.NetworkID(node.Network), nodeacls.NodeID(node.ID), nodeacls.NodeID(relayedPeer.ID)) {
|
|
|
+ continue
|
|
|
+ }
|
|
|
+ if iplib.Version(net.ParseIP(ip)) == 4 {
|
|
|
+ relayAddr := net.IPNet{
|
|
|
+ IP: net.ParseIP(ip),
|
|
|
+ Mask: net.CIDRMask(32, 32),
|
|
|
+ }
|
|
|
+ allowedips = append(allowedips, relayAddr)
|
|
|
+ }
|
|
|
+ if iplib.Version(net.ParseIP(ip)) == 6 {
|
|
|
+ relayAddr := net.IPNet{
|
|
|
+ IP: net.ParseIP(ip),
|
|
|
+ Mask: net.CIDRMask(128, 128),
|
|
|
+ }
|
|
|
+ allowedips = append(allowedips, relayAddr)
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
return allowedips
|
|
|
}
|
|
|
|
|
|
@@ -425,3 +285,89 @@ func getPeerDNS(network string) string {
|
|
|
}
|
|
|
return dns
|
|
|
}
|
|
|
+
|
|
|
+func GetPeerUpdateForRelayedNode(node *models.Node) (models.PeerUpdate, error) {
|
|
|
+ var peerUpdate models.PeerUpdate
|
|
|
+ var peers []wgtypes.PeerConfig
|
|
|
+ var serverNodeAddresses = []models.ServerAddr{}
|
|
|
+ var allowedips []net.IPNet
|
|
|
+ //find node that is relaying us
|
|
|
+ relay := FindRelay(node)
|
|
|
+ if relay == nil {
|
|
|
+ return models.PeerUpdate{}, errors.New("not found")
|
|
|
+ }
|
|
|
+ //add relay to lists of allowed ip
|
|
|
+ if relay.Address != "" {
|
|
|
+ relayIP := net.IPNet{
|
|
|
+ IP: net.ParseIP(relay.Address),
|
|
|
+ Mask: net.CIDRMask(32, 32),
|
|
|
+ }
|
|
|
+ allowedips = append(allowedips, relayIP)
|
|
|
+ }
|
|
|
+ if relay.Address6 != "" {
|
|
|
+ relayIP6 := net.IPNet{
|
|
|
+ IP: net.ParseIP(relay.Address6),
|
|
|
+ Mask: net.CIDRMask(128, 128),
|
|
|
+ }
|
|
|
+ allowedips = append(allowedips, relayIP6)
|
|
|
+ }
|
|
|
+ //get PeerUpdate for relayed node
|
|
|
+ relayPeerUpdate, err := GetPeerUpdate(relay)
|
|
|
+ if err != nil {
|
|
|
+ return models.PeerUpdate{}, err
|
|
|
+ }
|
|
|
+ //add the relays allowed ips from all of the relay's peers
|
|
|
+ for _, peer := range relayPeerUpdate.Peers {
|
|
|
+ allowedips = append(allowedips, peer.AllowedIPs...)
|
|
|
+ }
|
|
|
+ //delete any ips not permitted by acl
|
|
|
+ for i, ip := range allowedips {
|
|
|
+ target, err := findNode(ip.IP.String())
|
|
|
+ if err != nil {
|
|
|
+ logger.Log(0, "failed to find node for ip", ip.IP.String(), err.Error())
|
|
|
+ continue
|
|
|
+ }
|
|
|
+ if !nodeacls.AreNodesAllowed(nodeacls.NetworkID(node.Network), nodeacls.NodeID(node.ID), nodeacls.NodeID(target.ID)) {
|
|
|
+ logger.Log(0, "deleting node from relayednode per acl", node.Name, target.Name)
|
|
|
+ allowedips = append(allowedips[:i], allowedips[i+1:]...)
|
|
|
+ }
|
|
|
+ }
|
|
|
+ //delete self from allowed ips
|
|
|
+ for i, ip := range allowedips {
|
|
|
+ if ip.IP.String() == node.Address || ip.IP.String() == node.Address6 {
|
|
|
+ allowedips = append(allowedips[:i], allowedips[i+1:]...)
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ pubkey, err := wgtypes.ParseKey(relay.PublicKey)
|
|
|
+ if err != nil {
|
|
|
+ return models.PeerUpdate{}, err
|
|
|
+ }
|
|
|
+ endpoint := relay.Endpoint + ":" + strconv.FormatInt(int64(relay.ListenPort), 10)
|
|
|
+ address, err := net.ResolveUDPAddr("udp", endpoint)
|
|
|
+ if err != nil {
|
|
|
+ return models.PeerUpdate{}, err
|
|
|
+ }
|
|
|
+ var keepalive time.Duration
|
|
|
+ if node.PersistentKeepalive != 0 {
|
|
|
+ // set_keepalive
|
|
|
+ keepalive, _ = time.ParseDuration(strconv.FormatInt(int64(node.PersistentKeepalive), 10) + "s")
|
|
|
+ }
|
|
|
+ var peerData = wgtypes.PeerConfig{
|
|
|
+ PublicKey: pubkey,
|
|
|
+ Endpoint: address,
|
|
|
+ ReplaceAllowedIPs: true,
|
|
|
+ AllowedIPs: allowedips,
|
|
|
+ PersistentKeepaliveInterval: &keepalive,
|
|
|
+ }
|
|
|
+ peers = append(peers, peerData)
|
|
|
+ if relay.IsServer == "yes" {
|
|
|
+ serverNodeAddresses = append(serverNodeAddresses, models.ServerAddr{IsLeader: IsLeader(relay), Address: relay.Address})
|
|
|
+ }
|
|
|
+ peerUpdate.Network = node.Network
|
|
|
+ peerUpdate.ServerVersion = servercfg.Version
|
|
|
+ peerUpdate.Peers = peers
|
|
|
+ peerUpdate.ServerAddrs = serverNodeAddresses
|
|
|
+ peerUpdate.DNS = getPeerDNS(node.Network)
|
|
|
+ return peerUpdate, nil
|
|
|
+}
|
Matthew R Kasun