Home Explore Help
Sign In
golang
/
netmaker
mirror of https://github.com/gravitl/netmaker
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

fix ingress firewall updates

abhishek9686 10 months ago
parent
148c1fdc8f
commit
6c52b68214
3 changed files with 19 additions and 2 deletions
Unified View Show Diff Stats
  1. 1 2
      controllers/ext_client.go
  2. 3 0
      logic/acls.go
  3. 15 0
      logic/extpeers.go

+ 1 - 2
controllers/ext_client.go
View File 

@@ -452,6 +452,7 @@ func createExtClient(w http.ResponseWriter, r *http.Request) {
 
 	extclient.OwnerID = userName
 
 	extclient.OwnerID = userName
 
 	extclient.RemoteAccessClientID = customExtClient.RemoteAccessClientID
 
 	extclient.RemoteAccessClientID = customExtClient.RemoteAccessClientID
 
 	extclient.IngressGatewayID = nodeid
 
 	extclient.IngressGatewayID = nodeid
 
+	extclient.Network = node.Network
 
 	extclient.Tags = make(map[models.TagID]struct{})
 
 	extclient.Tags = make(map[models.TagID]struct{})
 
 	extclient.Tags[models.TagID(fmt.Sprintf("%s.%s", extclient.Network,
 
 	extclient.Tags[models.TagID(fmt.Sprintf("%s.%s", extclient.Network,
 
 		models.RemoteAccessTagName))] = struct{}{}
 
 		models.RemoteAccessTagName))] = struct{}{}
 
@@ -459,8 +460,6 @@ func createExtClient(w http.ResponseWriter, r *http.Request) {
 
 	if (extclient.DNS == "") && (node.IngressDNS != "") {
 
 	if (extclient.DNS == "") && (node.IngressDNS != "") {
 
 		extclient.DNS = node.IngressDNS
 
 		extclient.DNS = node.IngressDNS
 
 	}
 
 	}
 
-
 
-	extclient.Network = node.Network
 
 	host, err := logic.GetHost(node.HostID.String())
 
 	host, err := logic.GetHost(node.HostID.String())
 
 	if err != nil {
 
 	if err != nil {
 
 		logger.Log(0, r.Header.Get("user"),
 
 		logger.Log(0, r.Header.Get("user"),

+ 3 - 0
logic/acls.go
View File 

@@ -445,6 +445,9 @@ func IsUserAllowedToCommunicate(userName string, peer models.Node) bool {
 
 	if err != nil {
 
 	if err != nil {
 
 		return false
 
 		return false
 
 	}
 
 	}
 
+	if peer.IsStatic {
 
+		peer = peer.StaticNode.ConvertToStaticNode()
 
+	}
 
 	policies := listPoliciesOfUser(*user, models.NetworkID(peer.Network))
 
 	policies := listPoliciesOfUser(*user, models.NetworkID(peer.Network))
 
 	for _, policy := range policies {
 
 	for _, policy := range policies {
 
 		if !policy.Enabled {
 
 		if !policy.Enabled {

+ 15 - 0
logic/extpeers.go
View File 

@@ -428,6 +428,11 @@ func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
 
 						DstIP: extclient.StaticNode.AddressIPNet4().IP,
 
 						DstIP: extclient.StaticNode.AddressIPNet4().IP,
 
 						Allow: true,
 
 						Allow: true,
 
 					})
 
 					})
 
+					rules = append(rules, models.FwRule{
 
+						SrcIp: extclient.StaticNode.AddressIPNet4().IP,
 
+						DstIP: userNodeI.StaticNode.AddressIPNet4().IP,
 
+						Allow: true,
 
+					})
 
 				}
 
 				}
 
 				if userNodeI.StaticNode.Address6 != "" {
 
 				if userNodeI.StaticNode.Address6 != "" {
 
 					rules = append(rules, models.FwRule{
 
 					rules = append(rules, models.FwRule{
 
@@ -435,6 +440,11 @@ func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
 
 						DstIP: extclient.StaticNode.AddressIPNet6().IP,
 
 						DstIP: extclient.StaticNode.AddressIPNet6().IP,
 
 						Allow: true,
 
 						Allow: true,
 
 					})
 
 					})
 
+					rules = append(rules, models.FwRule{
 
+						SrcIp: extclient.StaticNode.AddressIPNet6().IP,
 
+						DstIP: userNodeI.StaticNode.AddressIPNet6().IP,
 
+						Allow: true,
 
+					})
 
 				}
 
 				}
 
 			}
 
 			}
 
 		}
 
 		}
 
@@ -442,17 +452,22 @@ func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
 
 
 
 	for _, extclientI := range extclients {
 
 	for _, extclientI := range extclients {
 
 		for _, extclient := range extclients {
 
 		for _, extclient := range extclients {
 
+			if extclient.StaticNode.ClientID == extclientI.StaticNode.ClientID {
 
+				continue
 
+			}
 
 			if IsNodeAllowedToCommunicate(extclientI, extclient) {
 
 			if IsNodeAllowedToCommunicate(extclientI, extclient) {
 
 				if extclientI.StaticNode.Address != "" {
 
 				if extclientI.StaticNode.Address != "" {
 
 					rules = append(rules, models.FwRule{
 
 					rules = append(rules, models.FwRule{
 
 						SrcIp: extclientI.StaticNode.AddressIPNet4().IP,
 
 						SrcIp: extclientI.StaticNode.AddressIPNet4().IP,
 
 						DstIP: extclient.StaticNode.AddressIPNet4().IP,
 
 						DstIP: extclient.StaticNode.AddressIPNet4().IP,
 
+						Allow: true,
 
 					})
 
 					})
 
 				}
 
 				}
 
 				if extclientI.StaticNode.Address6 != "" {
 
 				if extclientI.StaticNode.Address6 != "" {
 
 					rules = append(rules, models.FwRule{
 
 					rules = append(rules, models.FwRule{
 
 						SrcIp: extclientI.StaticNode.AddressIPNet6().IP,
 
 						SrcIp: extclientI.StaticNode.AddressIPNet6().IP,
 
 						DstIP: extclient.StaticNode.AddressIPNet6().IP,
 
 						DstIP: extclient.StaticNode.AddressIPNet6().IP,
 
+						Allow: true,
 
 					})
 
 					})
 
 				}
 
 				}
 
 			}
 
 			}