
Merge pull request #3221 from gravitl/NET-1784-v1

Net 1784 v1
Abhishek K 9 сар өмнө
parent
commit
376d7c021b
6 өөрчлөгдсөн 101 нэмэгдсэн , 95 устгасан
  1. 21 21
      controllers/acls.go
  2. 57 64
      logic/acls.go
  3. 2 2
      logic/peers.go
  4. 7 7
      models/acl.go
  5. 1 1
      models/mqtt.go
  6. 13 0
      models/node.go

+ 21 - 21
controllers/acls.go

@@ -67,27 +67,27 @@ func aclPolicyTypes(w http.ResponseWriter, r *http.Request) {
 				},
 				PortRange: "443",
 			},
-			{
-				Name: "MySQL",
-				AllowedProtocols: []models.Protocol{
-					models.TCP,
-				},
-				PortRange: "3306",
-			},
-			{
-				Name: "DNS TCP",
-				AllowedProtocols: []models.Protocol{
-					models.TCP,
-				},
-				PortRange: "53",
-			},
-			{
-				Name: "DNS UDP",
-				AllowedProtocols: []models.Protocol{
-					models.UDP,
-				},
-				PortRange: "53",
-			},
+			// {
+			// 	Name: "MySQL",
+			// 	AllowedProtocols: []models.Protocol{
+			// 		models.TCP,
+			// 	},
+			// 	PortRange: "3306",
+			// },
+			// {
+			// 	Name: "DNS TCP",
+			// 	AllowedProtocols: []models.Protocol{
+			// 		models.TCP,
+			// 	},
+			// 	PortRange: "53",
+			// },
+			// {
+			// 	Name: "DNS UDP",
+			// 	AllowedProtocols: []models.Protocol{
+			// 		models.UDP,
+			// 	},
+			// 	PortRange: "53",
+			// },
 			{
 				Name: "All TCP",
 				AllowedProtocols: []models.Protocol{
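Review bot: The MySQL, DNS TCP and DNS UDP presets are commented out rather than deleted, leaving a twenty-line dead block inside the policy-type list that the next reader has to reason about. If they are meant to return, a one-line comment above the block saying why they are disabled for now (`// MySQL/DNS presets disabled until the client can enforce per-port rules — see NET-1784`, or whatever the actual reason is) would carry that intent; otherwise delete the lines, since history keeps them. Note this only changes the presets offered by the API, not what any existing policy enforces. aclPolicyTypes begins and ends outside the hunk.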

+ 57 - 64
logic/acls.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net"
 	"sort"
 	"sync"
 	"time"
@@ -674,19 +675,17 @@ func RemoveDeviceTagFromAclPolicies(tagID models.TagID, netID models.NetworkID)
 	return nil
 }
 
-func GetAclRulesForNode(node *models.Node, rules map[string][]models.AclRule) map[string][]models.AclRule {
+func GetAclRulesForNode(node *models.Node) (rules map[string]models.AclRule) {
 	defaultPolicy, err := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
-	rules = make(map[string][]models.AclRule)
+	rules = make(map[string]models.AclRule)
 	if err == nil && defaultPolicy.Enabled {
-		return map[string][]models.AclRule{
+		return map[string]models.AclRule{
 			defaultPolicy.ID: {
-				{
-					SrcIP:     node.NetworkRange,
-					SrcIP6:    node.NetworkRange6,
-					Proto:     []models.Protocol{models.ALL},
-					Direction: models.TrafficDirectionBi,
-					Allowed:   true,
-				},
+				IPList:           []net.IPNet{node.NetworkRange},
+				IP6List:          []net.IPNet{node.NetworkRange6},
+				AllowedProtocols: []models.Protocol{models.ALL},
+				Direction:        models.TrafficDirectionBi,
+				Allowed:          true,
 			},
 		}
 	}
@@ -701,36 +700,38 @@ func GetAclRulesForNode(node *models.Node, rules map[string][]models.AclRule) ma
 			}
 			srcTags := convAclTagToValueMap(acl.Src)
 			dstTags := convAclTagToValueMap(acl.Dst)
-			aclRules := []models.AclRule{}
+			aclRule := models.AclRule{
+				ID:               acl.ID,
+				AllowedProtocols: acl.Proto,
+				AllowedPorts:     acl.Port,
+				Direction:        acl.AllowedDirection,
+				Allowed:          true,
+			}
 			if acl.AllowedDirection == models.TrafficDirectionBi {
 				var existsInSrcTag bool
 				var existsInDstTag bool
 				// if contains all resources, return entire cidr
 				if _, ok := srcTags["*"]; ok {
-					return map[string][]models.AclRule{
+					return map[string]models.AclRule{
 						acl.ID: {
-							{
-								SrcIP:     node.NetworkRange,
-								SrcIP6:    node.NetworkRange6,
-								Proto:     []models.Protocol{models.ALL},
-								Port:      acl.Port,
-								Direction: acl.AllowedDirection,
-								Allowed:   true,
-							},
+							IPList:           []net.IPNet{node.NetworkRange},
+							IP6List:          []net.IPNet{node.NetworkRange6},
+							AllowedProtocols: []models.Protocol{models.ALL},
+							AllowedPorts:     acl.Port,
+							Direction:        acl.AllowedDirection,
+							Allowed:          true,
 						},
 					}
 				}
 				if _, ok := dstTags["*"]; ok {
-					return map[string][]models.AclRule{
+					return map[string]models.AclRule{
 						acl.ID: {
-							{
-								SrcIP:     node.NetworkRange,
-								SrcIP6:    node.NetworkRange6,
-								Proto:     []models.Protocol{models.ALL},
-								Port:      acl.Port,
-								Direction: acl.AllowedDirection,
-								Allowed:   true,
-							},
+							IPList:           []net.IPNet{node.NetworkRange},
+							IP6List:          []net.IPNet{node.NetworkRange6},
+							AllowedProtocols: []models.Protocol{models.ALL},
+							AllowedPorts:     acl.Port,
+							Direction:        acl.AllowedDirection,
+							Allowed:          true,
 						},
 					}
 				}
@@ -741,6 +742,7 @@ func GetAclRulesForNode(node *models.Node, rules map[string][]models.AclRule) ma
 				if _, ok := dstTags[nodeTag.String()]; ok {
 					existsInDstTag = true
 				}
+
 				if existsInSrcTag {
 					// get all dst tags
 					for dst := range dstTags {
@@ -750,17 +752,14 @@ func GetAclRulesForNode(node *models.Node, rules map[string][]models.AclRule) ma
 						// Get peers in the tags and add allowed rules
 						nodes := taggedNodes[models.TagID(dst)]
 						for _, node := range nodes {
-							aclRules = append(aclRules, models.AclRule{
-								SrcIP:     node.Address,
-								SrcIP6:    node.Address6,
-								Proto:     acl.Proto,
-								Port:      acl.Port,
-								Direction: acl.AllowedDirection,
-								Allowed:   true,
-							})
+							if node.Address.IP != nil {
+								aclRule.IPList = append(aclRule.IPList, node.AddressIPNet4())
+							}
+							if node.Address6.IP != nil {
+								aclRule.IP6List = append(aclRule.IP6List, node.AddressIPNet6())
+							}
 						}
 					}
-
 				}
 				if existsInDstTag {
 					// get all src tags
@@ -771,28 +770,24 @@ func GetAclRulesForNode(node *models.Node, rules map[string][]models.AclRule) ma
 						// Get peers in the tags and add allowed rules
 						nodes := taggedNodes[models.TagID(src)]
 						for _, node := range nodes {
-							aclRules = append(aclRules, models.AclRule{
-								SrcIP:     node.Address,
-								SrcIP6:    node.Address6,
-								Proto:     acl.Proto,
-								Port:      acl.Port,
-								Direction: acl.AllowedDirection,
-								Allowed:   true,
-							})
+							if node.Address.IP != nil {
+								aclRule.IPList = append(aclRule.IPList, node.AddressIPNet4())
+							}
+							if node.Address6.IP != nil {
+								aclRule.IP6List = append(aclRule.IP6List, node.AddressIPNet6())
+							}
 						}
 					}
 				}
 				if existsInDstTag && existsInSrcTag {
 					nodes := taggedNodes[nodeTag]
 					for _, node := range nodes {
-						aclRules = append(aclRules, models.AclRule{
-							SrcIP:     node.Address,
-							SrcIP6:    node.Address6,
-							Proto:     acl.Proto,
-							Port:      acl.Port,
-							Direction: acl.AllowedDirection,
-							Allowed:   true,
-						})
+						if node.Address.IP != nil {
+							aclRule.IPList = append(aclRule.IPList, node.AddressIPNet4())
+						}
+						if node.Address6.IP != nil {
+							aclRule.IP6List = append(aclRule.IP6List, node.AddressIPNet6())
+						}
 					}
 				}
 			} else {
@@ -805,20 +800,18 @@ func GetAclRulesForNode(node *models.Node, rules map[string][]models.AclRule) ma
 						// Get peers in the tags and add allowed rules
 						nodes := taggedNodes[models.TagID(src)]
 						for _, node := range nodes {
-							aclRules = append(aclRules, models.AclRule{
-								SrcIP:     node.Address,
-								SrcIP6:    node.Address6,
-								Proto:     acl.Proto,
-								Port:      acl.Port,
-								Direction: acl.AllowedDirection,
-								Allowed:   true,
-							})
+							if node.Address.IP != nil {
+								aclRule.IPList = append(aclRule.IPList, node.AddressIPNet4())
+							}
+							if node.Address6.IP != nil {
+								aclRule.IP6List = append(aclRule.IP6List, node.AddressIPNet6())
+							}
 						}
 					}
 				}
 			}
-			if len(aclRules) > 0 {
-				rules[acl.ID] = aclRules
+			if len(aclRule.IPList) > 0 || len(aclRule.IP6List) > 0 {
+				rules[acl.ID] = aclRule
 			}
 		}
 	}
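Review bot: The four peer loops that fill `aclRule.IPList` and `aclRule.IP6List` append unconditionally, so now that one rule aggregates every matching peer, a peer that carries more than one of the policy's tags (or is reached by both the src and the dst branch when `existsInSrcTag && existsInDstTag`) is listed several times in the same rule; with separate rules per peer this was harmless, with one list it inflates whatever the client compiles the list into. Each loop also declares `for _, node := range nodes`, shadowing the `node *models.Node` parameter — the code is correct because only the loop variable is used inside, but renaming it makes the two easy to tell apart. A small closure with a seen-set handles both; the wildcard and tag-matching logic is unchanged. The function's return lies past the last hunk.
```go
// … unchanged: aclRule literal …
// addPeer records a peer's host routes once; a peer matched through
// several tags would otherwise be appended once per tag.
seen := make(map[string]struct{})
addPeer := func(peer models.Node) {
	if peer.Address.IP != nil {
		if _, dup := seen[peer.Address.IP.String()]; !dup {
			seen[peer.Address.IP.String()] = struct{}{}
			aclRule.IPList = append(aclRule.IPList, peer.AddressIPNet4())
		}
	}
	if peer.Address6.IP != nil {
		if _, dup := seen[peer.Address6.IP.String()]; !dup {
			seen[peer.Address6.IP.String()] = struct{}{}
			aclRule.IP6List = append(aclRule.IP6List, peer.AddressIPNet6())
		}
	}
}
// … unchanged: wildcard returns and src/dst tag matching …
for _, peer := range nodes {
	addPeer(peer)
}
// … unchanged: the remaining three peer loops call addPeer the same way …
```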

+ 2 - 2
logic/peers.go

@@ -76,7 +76,7 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 		FwUpdate: models.FwUpdate{
 			EgressInfo:  make(map[string]models.EgressInfo),
 			IngressInfo: make(map[string]models.IngressInfo),
-			AclRules:    make(map[string][]models.AclRule),
+			AclRules:    make(map[string]models.AclRule),
 		},
 		PeerIDs:           make(models.PeerMap, 0),
 		Peers:             []wgtypes.PeerConfig{},
@@ -155,7 +155,7 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 		if !hostPeerUpdate.IsInternetGw {
 			hostPeerUpdate.IsInternetGw = IsInternetGw(node)
 		}
-		hostPeerUpdate.FwUpdate.AclRules = GetAclRulesForNode(&node, hostPeerUpdate.FwUpdate.AclRules)
+		hostPeerUpdate.FwUpdate.AclRules = GetAclRulesForNode(&node)
 		currentPeers := GetNetworkNodesMemory(allNodes, node.Network)
 		for _, peer := range currentPeers {
 			peer := peer
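Review bot: In the second hunk `hostPeerUpdate.FwUpdate.AclRules = GetAclRulesForNode(&node)` replaces the whole map on each call; if that statement sits inside the per-node loop the surrounding `IsInternetGw(node)` line suggests (the loop header is outside the hunk), a host with nodes in several networks is left with only the last network's rules, and the `make(map[string]models.AclRule)` in the first hunk is dead. The old callee already discarded its `rules` argument, so this is not a regression, but dropping the parameter removes the last hint that accumulation was intended. Merging keeps every network's rules: `for id, rule := range GetAclRulesForNode(&node) { hostPeerUpdate.FwUpdate.AclRules[id] = rule }` — this presumes ACL IDs are unique across networks, which is worth confirming. GetPeerUpdateForHost starts and ends outside the hunks.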

+ 7 - 7
models/acl.go

@@ -93,11 +93,11 @@ type ProtocolType struct {
 }
 
 type AclRule struct {
-	ID        string                  `json:"id"`
-	SrcIP     net.IPNet               `json:"src_ip"`
-	SrcIP6    net.IPNet               `json:"dst_ip"`
-	Proto     []Protocol              `json:"protocol"` // tcp, udp etc.
-	Port      []int                   `json:"port"`
-	Direction AllowedTrafficDirection `json:"direction"` // inbound or outbound
-	Allowed   bool                    `json:"allowed"`
+	ID               string                  `json:"id"`
+	IPList           []net.IPNet             `json:"ip_list"`
+	IP6List          []net.IPNet             `json:"ip6_list"`
+	AllowedProtocols []Protocol              `json:"allowed_protocols"` // tcp, udp, etc.
+	AllowedPorts     []int                   `json:"allowed_ports"`
+	Direction        AllowedTrafficDirection `json:"direction"` // single or two-way
+	Allowed          bool
 }
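Review bot: `Allowed bool` on the last line of the struct has lost its json tag, so it will be emitted as `Allowed` while every other field keeps its snake_case key; a client that reads `allowed` gets the zero value, false, for every rule, and whether it then treats the rule as deny or ignores it is not visible from here. Every path in GetAclRulesForNode sets the field to true, so the right tag restores the intended meaning: `Allowed bool `json:"allowed"``. A short doc comment on the type would also help, since this struct is the firewall wire format: `// AclRule is one allow rule pushed to a host: the peer addresses (as host routes) it may talk to, with the permitted protocols, ports and direction.`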

+ 1 - 1
models/mqtt.go

@@ -94,7 +94,7 @@ type FwUpdate struct {
 	IsIngressGw bool                   `json:"is_ingress_gw"`
 	EgressInfo  map[string]EgressInfo  `json:"egress_info"`
 	IngressInfo map[string]IngressInfo `json:"ingress_info"`
-	AclRules    map[string][]AclRule   `json:"acl_rules"`
+	AclRules    map[string]AclRule     `json:"acl_rules"`
 }
 
 // FailOverMeReq - struct for failover req
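Review bot: Changing `AclRules` from `map[string][]AclRule` to `map[string]AclRule` changes the `acl_rules` JSON sent in every FwUpdate from arrays to objects, and the field names inside also change, so a host running a client built against the old shape can no longer decode this message. Whether that client then drops the whole FwUpdate or only this field is not visible here, but in either case its ACL rules silently stop updating while the server believes they were delivered. Consider keying the new shape under a new field, or gating it on the client version the host reports, until old clients are gone. FwUpdate begins outside the hunk.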

+ 13 - 0
models/node.go

@@ -201,6 +201,19 @@ func (node *Node) PrimaryAddress() string {
 	return node.Address6.IP.String()
 }
 
+func (node *Node) AddressIPNet4() net.IPNet {
+	return net.IPNet{
+		IP:   node.Address.IP,
+		Mask: net.CIDRMask(32, 32),
+	}
+}
+func (node *Node) AddressIPNet6() net.IPNet {
+	return net.IPNet{
+		IP:   node.Address6.IP,
+		Mask: net.CIDRMask(128, 128),
+	}
+}
+
 // ExtClient.PrimaryAddress - returns ipv4 IPNet format
 func (extPeer *ExtClient) AddressIPNet4() net.IPNet {
 	return net.IPNet{
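Review bot: `AddressIPNet4` and `AddressIPNet6` are exported but undocumented, and the neighbouring ExtClient method shows the file's convention of a leading comment. Both return a net.IPNet whose IP is simply copied from the node, so when the node has no address of that family the result carries a nil IP and a /32 or /128 mask — callers in this commit check `node.Address.IP != nil` first, and the comment should say that is required: `// AddressIPNet4 returns the node's IPv4 address as a /32 host route; the IP is nil when the node has no IPv4 address, so callers must check Address.IP first.` and the matching `// AddressIPNet6 returns the node's IPv6 address as a /128 host route; the IP is nil when the node has no IPv6 address.` A blank line between the two functions would also match the rest of the file.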