
fix all resource egress policy

abhishek9686 4 сар өмнө
parent
commit
35ba445c7c
1 өөрчлөгдсөн 52 нэмэгдсэн , 29 устгасан

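--- a/logic/acls.go
+++ b/logic/acls.go
@@ -675,6 +675,17 @@ func IsUserAllowedToCommunicate(userName string, peer models.Node) (bool, []mode
 			continue
 		}
 		dstMap := convAclTagToValueMap(policy.Dst)
+		for _, dst := range policy.Dst {
+			if dst.ID == models.EgressID {
+				e := schema.Egress{ID: dst.Value}
+				err := e.Get(db.WithContext(context.TODO()))
+				if err == nil {
+					for nodeID := range e.Nodes {
+						dstMap[nodeID] = struct{}{}
+					}
+				}
+			}
+		}
 		if _, ok := dstMap["*"]; ok {
 			allowedPolicies = append(allowedPolicies, policy)
 			continue
@@ -1794,9 +1805,15 @@ func GetEgressRulesForNode(targetnode models.Node) (rules map[string]models.AclR
 			if acl policy has egress route and it is present in target node egress ranges
 			fetch all the nodes in that policy and add rules
 	*/
-
-	for _, rangeI := range targetnode.EgressGatewayRanges {
-		targetNodeTags[models.TagID(rangeI)] = struct{}{}
+	egs, _ := (&schema.Egress{Network: targetnode.Network}).ListByNetwork(db.WithContext(context.TODO()))
+	if len(egs) == 0 {
+		return
+	}
+	for _, egI := range egs {
+		if _, ok := egI.Nodes[targetnode.ID.String()]; ok {
+			targetNodeTags[models.TagID(egI.Range)] = struct{}{}
+			targetNodeTags[models.TagID(egI.ID)] = struct{}{}
+		}
 	}
 	for _, acl := range acls {
 		if !acl.Enabled {
@@ -1804,28 +1821,17 @@ func GetEgressRulesForNode(targetnode models.Node) (rules map[string]models.AclR
 		}
 		srcTags := convAclTagToValueMap(acl.Src)
 		dstTags := convAclTagToValueMap(acl.Dst)
-		for _, dst := range acl.Dst {
-			if dst.ID == models.EgressID {
-				e := schema.Egress{ID: dst.Value}
-				err := e.Get(db.WithContext(context.TODO()))
-				if err == nil {
-					for nodeID := range e.Nodes {
-						dstTags[nodeID] = struct{}{}
-					}
-					dstTags[e.Range] = struct{}{}
-				}
-			}
-		}
 		_, srcAll := srcTags["*"]
 		_, dstAll := dstTags["*"]
+		aclRule := models.AclRule{
+			ID:              acl.ID,
+			AllowedProtocol: acl.Proto,
+			AllowedPorts:    acl.Port,
+			Direction:       acl.AllowedDirection,
+			Allowed:         true,
+		}
 		for nodeTag := range targetNodeTags {
-			aclRule := models.AclRule{
-				ID:              acl.ID,
-				AllowedProtocol: acl.Proto,
-				AllowedPorts:    acl.Port,
-				Direction:       acl.AllowedDirection,
-				Allowed:         true,
-			}
+
 			if nodeTag != "*" {
 				ip, cidr, err := net.ParseCIDR(nodeTag.String())
 				if err != nil {
@@ -1857,6 +1863,15 @@ func GetEgressRulesForNode(targetnode models.Node) (rules map[string]models.AclR
 				if _, ok := dstTags[nodeTag.String()]; ok || dstAll {
 					existsInDstTag = true
 				}
+				if srcAll || dstAll {
+					if targetnode.NetworkRange.IP != nil {
+						aclRule.IPList = append(aclRule.IPList, targetnode.NetworkRange)
+					}
+					if targetnode.NetworkRange6.IP != nil {
+						aclRule.IP6List = append(aclRule.IP6List, targetnode.NetworkRange6)
+					}
+					break
+				}
 
 				if existsInSrcTag && !existsInDstTag {
 					// get all dst tags
@@ -1964,8 +1979,16 @@ func GetEgressRulesForNode(targetnode models.Node) (rules map[string]models.AclR
 					}
 				}
 			} else {
-				_, all := dstTags["*"]
-				if _, ok := dstTags[nodeTag.String()]; ok || all {
+				if dstAll {
+					if targetnode.NetworkRange.IP != nil {
+						aclRule.IPList = append(aclRule.IPList, targetnode.NetworkRange)
+					}
+					if targetnode.NetworkRange6.IP != nil {
+						aclRule.IP6List = append(aclRule.IP6List, targetnode.NetworkRange6)
+					}
+					break
+				}
+				if _, ok := dstTags[nodeTag.String()]; ok || dstAll {
 					// get all src tags
 					for src := range srcTags {
 						if src == nodeTag.String() {
@@ -1993,13 +2016,13 @@ func GetEgressRulesForNode(targetnode models.Node) (rules map[string]models.AclR
 					}
 				}
 			}
-			if len(aclRule.IPList) > 0 || len(aclRule.IP6List) > 0 {
-				aclRule.IPList = UniqueIPNetList(aclRule.IPList)
-				aclRule.IP6List = UniqueIPNetList(aclRule.IP6List)
-				rules[acl.ID] = aclRule
-			}
 
 		}
+		if len(aclRule.IPList) > 0 || len(aclRule.IP6List) > 0 {
+			aclRule.IPList = UniqueIPNetList(aclRule.IPList)
+			aclRule.IP6List = UniqueIPNetList(aclRule.IP6List)
+			rules[acl.ID] = aclRule
+		}
 
 	}
 	return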
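Review bot: The error from `ListByNetwork` is discarded at `egs, _ := (&schema.Egress{Network: targetnode.Network}).ListByNetwork(db.WithContext(context.TODO()))` in GetEgressRulesForNode, so a failed store lookup is indistinguishable from a network with no egress configured and the function silently returns with no rules; capture it as `egs, err := ...` and on `err != nil` log it with the file's existing logger before returning, so operators can tell a store failure from an empty result. The same pattern appears in the IsUserAllowedToCommunicate hunk, where `if err == nil` swallows a failed `e.Get` and quietly leaves the egress nodes out of `dstMap`. In the `@@ -1857` hunk, the new `if srcAll || dstAll { ... break }` appends the node's whole NetworkRange without consulting the `existsInDstTag` computed just above it, so a policy with src `*` whose dst does not involve this node's egress range appears to still produce a network-wide allow rule on it; if that is intended, a comment stating so would help, otherwise guard on `existsInDstTag` as the following branch does. Both enclosing functions begin and end outside the hunks.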