
allow gateways tag

abhishek9686 3 months ago
parent
commit
704119a933
3 changed files with 56 additions and 11 deletions
  1. 29 4
      logic/acls.go
  2. 21 7
      logic/peers.go
  3. 6 0
      pro/logic/acls.go

+ 29 - 4
logic/acls.go

@@ -57,6 +57,9 @@ func CheckIfNodeHasAccessToAllResources(targetnode *models.Node) bool {
 	}
 	targetNodeTags[models.TagID(targetnode.ID.String())] = struct{}{}
 	targetNodeTags["*"] = struct{}{}
+	if targetnode.IsGw {
+		targetNodeTags[models.TagID(fmt.Sprintf("%s.%s", targetnode.Network, models.GwTagName))] = struct{}{}
+	}
 	for _, acl := range acls {
 		if !acl.Enabled {
 			continue
@@ -107,6 +110,9 @@ var CheckIfAnyActiveEgressPolicy = func(targetNode models.Node) bool {
 	var targetNodeTags = make(map[models.TagID]struct{})
 	targetNodeTags[models.TagID(targetNode.ID.String())] = struct{}{}
 	targetNodeTags["*"] = struct{}{}
+	if targetNode.IsGw {
+		targetNodeTags[models.TagID(fmt.Sprintf("%s.%s", targetNode.Network, models.GwTagName))] = struct{}{}
+	}
 	acls, _ := ListAclsByNetwork(models.NetworkID(targetNode.Network))
 	for _, acl := range acls {
 		if !acl.Enabled || acl.RuleType != models.DevicePolicy {
@@ -378,6 +384,9 @@ var IsAclPolicyValid = func(acl models.Acl) (err error) {
 			if srcI.Value == "*" {
 				continue
 			}
+			if srcI.ID == models.NodeTagID && srcI.Value == fmt.Sprintf("%s.%s", acl.NetworkID.String(), models.GwTagName) {
+				continue
+			}
 			if err = checkIfAclTagisValid(acl, srcI, true); err != nil {
 				return err
 			}
@@ -387,6 +396,9 @@ var IsAclPolicyValid = func(acl models.Acl) (err error) {
 			if dstI.Value == "*" {
 				continue
 			}
+			if dstI.ID == models.NodeTagID && dstI.Value == fmt.Sprintf("%s.%s", acl.NetworkID.String(), models.GwTagName) {
+				continue
+			}
 			if err = checkIfAclTagisValid(acl, dstI, false); err != nil {
 				return
 			}
@@ -399,10 +411,10 @@ var IsAclPolicyValid = func(acl models.Acl) (err error) {
 
 var IsPeerAllowed = func(node, peer models.Node, checkDefaultPolicy bool) bool {
 	var nodeId, peerId string
-	if peer.IsFailOver && node.FailedOverBy != uuid.Nil && node.FailedOverBy == peer.ID {
+	if node.IsGw && peer.IsRelayed && peer.RelayedBy == node.ID.String() {
 		return true
 	}
-	if node.IsFailOver && peer.FailedOverBy != uuid.Nil && peer.FailedOverBy == node.ID {
+	if peer.IsGw && node.IsRelayed && node.RelayedBy == peer.ID.String() {
 		return true
 	}
 	if node.IsStatic {
@@ -422,6 +434,12 @@ var IsPeerAllowed = func(node, peer models.Node, checkDefaultPolicy bool) bool {
 	nodeTags := make(map[models.TagID]struct{})
 	nodeTags[models.TagID(nodeId)] = struct{}{}
 	peerTags[models.TagID(peerId)] = struct{}{}
+	if peer.IsGw {
+		peerTags[models.TagID(fmt.Sprintf("%s.%s", peer.Network, models.GwTagName))] = struct{}{}
+	}
+	if node.IsGw {
+		nodeTags[models.TagID(fmt.Sprintf("%s.%s", node.Network, models.GwTagName))] = struct{}{}
+	}
 	if checkDefaultPolicy {
 		// check default policy if all allowed return true
 		defaultPolicy, err := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
@@ -656,6 +674,12 @@ func isNodeAllowedToCommunicate(node, peer models.Node, checkDefaultPolicy bool)
 
 	nodeTags[models.TagID(nodeId)] = struct{}{}
 	peerTags[models.TagID(peerId)] = struct{}{}
+	if peer.IsGw {
+		peerTags[models.TagID(fmt.Sprintf("%s.%s", peer.Network, models.GwTagName))] = struct{}{}
+	}
+	if node.IsGw {
+		nodeTags[models.TagID(fmt.Sprintf("%s.%s", node.Network, models.GwTagName))] = struct{}{}
+	}
 	if checkDefaultPolicy {
 		// check default policy if all allowed return true
 		defaultPolicy, err := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
@@ -947,7 +971,7 @@ func ListAcls() (acls []models.Acl) {
 			}
 			skip := false
 			for _, srcI := range acl.Src {
-				if srcI.ID == models.NodeTagID && acl.ID != fmt.Sprintf("%s.%s", acl.NetworkID.String(), "all-nodes") {
+				if srcI.ID == models.NodeTagID && (srcI.Value != "*" && srcI.Value != fmt.Sprintf("%s.%s", acl.NetworkID.String(), models.GwTagName)) {
 					skip = true
 					break
 				}
@@ -956,7 +980,8 @@ func ListAcls() (acls []models.Acl) {
 				continue
 			}
 			for _, dstI := range acl.Dst {
-				if dstI.ID == models.NodeTagID && acl.ID != fmt.Sprintf("%s.%s", acl.NetworkID.String(), "all-nodes") {
+
+				if dstI.ID == models.NodeTagID && (dstI.Value != "*" && dstI.Value != fmt.Sprintf("%s.%s", acl.NetworkID.String(), models.GwTagName)) {
 					skip = true
 					break
 				}
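Review bot: The implicit gateway tag `<network>.<GwTagName>` is spelled out with `fmt.Sprintf("%s.%s", …, models.GwTagName)` at ten sites in this file (the tag-set builders in CheckIfNodeHasAccessToAllResources, CheckIfAnyActiveEgressPolicy, IsPeerAllowed and isNodeAllowedToCommunicate, plus the string comparisons in IsAclPolicyValid and ListAcls); because the validator and the ListAcls filter match it by exact string equality, a drift in any one site would silently change which policies apply to gateways. Defining it once in models, e.g. a new helper `func GwTagID(network string) TagID { return TagID(network + "." + GwTagName) }`, and using it at every site keeps the format in one place. Separately, the CE IsPeerAllowed replaces its two failover early-returns (`peer.IsFailOver && node.FailedOverBy …`) with the gateway/relay ones, whereas pro/logic/acls.go in this same commit keeps both; if the CE variant is only the non-pro fallback that is presumably intended, but it is worth confirming the drop is deliberate and that `uuid` is still referenced elsewhere in the file. IsPeerAllowed, isNodeAllowedToCommunicate and ListAcls all continue outside their hunks.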

+ 21 - 7
logic/peers.go

@@ -111,7 +111,7 @@ func GetHostPeerInfo(host *models.Host) (models.HostPeerInfo, error) {
 				!peer.PendingDelete &&
 				peer.Connected &&
 				nodeacls.AreNodesAllowed(nodeacls.NetworkID(node.Network), nodeacls.NodeID(node.ID.String()), nodeacls.NodeID(peer.ID.String())) &&
-				(defaultDevicePolicy.Enabled || allowedToComm) {
+				(allowedToComm) {
 
 				networkPeersInfo[peerHost.PublicKey.String()] = models.IDandAddr{
 					ID:         peer.ID.String(),
@@ -144,6 +144,9 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 	if host == nil {
 		return models.HostPeerUpdate{}, errors.New("host is nil")
 	}
+	if host.Name == "nm-server" {
+		fmt.Println("===> CHECKING FOR HOST ", host.Name)
+	}
 
 	// track which nodes are deleted
 	// after peer calculation, if peer not in list, add delete config of peer
@@ -203,10 +206,12 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 		}
 		defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
 		defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
-		fmt.Println("====> Checking for ", host.Name, CheckIfAnyActiveEgressPolicy(node), CheckIfNodeHasAccessToAllResources(&node))
+		anyActiveEgressPolicy := CheckIfAnyActiveEgressPolicy(node)
+		nodeHasAccessToAllRsrcs := CheckIfNodeHasAccessToAllResources(&node)
+		anyUniDirectionPolicy := CheckIfAnyPolicyisUniDirectional(node)
 		if (defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled) ||
-			(!CheckIfAnyPolicyisUniDirectional(node) && !CheckIfAnyActiveEgressPolicy(node)) ||
-			CheckIfNodeHasAccessToAllResources(&node) {
+			(!anyUniDirectionPolicy && !anyActiveEgressPolicy) ||
+			nodeHasAccessToAllRsrcs {
 			aclRule := models.AclRule{
 				ID:              fmt.Sprintf("%s-allowed-network-rules", node.ID.String()),
 				AllowedProtocol: models.ALL,
@@ -251,6 +256,9 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 				logger.Log(1, "no peer host", peer.HostID.String(), err.Error())
 				continue
 			}
+			if host.Name == "nm-server" {
+				fmt.Println("===> CHECKING FOR PEER ", peerHost.Name)
+			}
 			peerConfig := wgtypes.PeerConfig{
 				PublicKey:                   peerHost.PublicKey,
 				PersistentKeepaliveInterval: &peerHost.PersistentKeepalive,
@@ -366,13 +374,17 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 				allowedToComm = true
 			} else {
 				allowedToComm = IsPeerAllowed(node, peer, false)
+				if host.Name == "nm-server" {
+					fmt.Println("===> CHECKING FOR HOST ", peerHost.Name, allowedToComm)
+				}
+
 			}
 			if peer.Action != models.NODE_DELETE &&
 				!peer.PendingDelete &&
 				peer.Connected &&
 				nodeacls.AreNodesAllowed(nodeacls.NetworkID(node.Network), nodeacls.NodeID(node.ID.String()), nodeacls.NodeID(peer.ID.String())) &&
-				(defaultDevicePolicy.Enabled || allowedToComm) &&
-				(deletedNode == nil || (deletedNode != nil && peer.ID.String() != deletedNode.ID.String())) {
+				(allowedToComm) &&
+				(deletedNode == nil || (peer.ID.String() != deletedNode.ID.String())) {
 				peerConfig.AllowedIPs = GetAllowedIPs(&node, &peer, nil) // only append allowed IPs if valid connection
 			}
 
@@ -421,7 +433,9 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 			hostPeerUpdate.FwUpdate.IsIngressGw = true
 			extPeers, extPeerIDAndAddrs, egressRoutes, err = GetExtPeers(&node, &node)
 			if err == nil {
-				if !defaultDevicePolicy.Enabled || !defaultUserPolicy.Enabled {
+				if !((defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled) ||
+					(!anyUniDirectionPolicy && !anyActiveEgressPolicy) ||
+					nodeHasAccessToAllRsrcs) {
 					ingFwUpdate := models.IngressInfo{
 						IngressID:     node.ID.String(),
 						Network:       node.NetworkRange,
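Review bot: The three `if host.Name == "nm-server" { fmt.Println("===> CHECKING FOR …") }` blocks added to GetPeerUpdateForHost read as leftover debugging: they key on a hard-coded host name, write to stdout instead of going through `logger.Log` like the surrounding code, and the one after `IsPeerAllowed` prints the ACL decision for every peer on every update; they should be removed before merge. Dropping `defaultDevicePolicy.Enabled ||` from the allow condition in both GetHostPeerInfo and GetPeerUpdateForHost means a peer is now included only when `allowedToComm` is set; in GetPeerUpdateForHost the allow-all case is folded into `allowedToComm = true` in the `if` branch just above the hunk, but the corresponding path in GetHostPeerInfo is outside the hunk and should be checked so networks with an enabled default policy do not lose peers. The parentheses in `(allowedToComm) &&` are now redundant, as is the blank line left after the debug block. Both functions continue outside the hunks.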

+ 6 - 0
pro/logic/acls.go

@@ -312,6 +312,12 @@ func IsPeerAllowed(node, peer models.Node, checkDefaultPolicy bool) bool {
 	if node.IsFailOver && peer.FailedOverBy != uuid.Nil && peer.FailedOverBy == node.ID {
 		return true
 	}
+	if node.IsGw && peer.IsRelayed && peer.RelayedBy == node.ID.String() {
+		return true
+	}
+	if peer.IsGw && node.IsRelayed && node.RelayedBy == peer.ID.String() {
+		return true
+	}
 	if node.IsStatic {
 		nodeId = node.StaticNode.ClientID
 		node = node.StaticNode.ConvertToStaticNode()
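Review bot: The two new early returns in IsPeerAllowed grant connectivity between a gateway and a node it relays before any ACL policy is consulted, but nothing records why; a comment above the first check such as `// a relayed node must always be able to reach its relay gateway, regardless of ACL policy` would capture the intent. They duplicate the pair added to the CE IsPeerAllowed in logic/acls.go in this commit, so a shared predicate would keep the two implementations in step. The checks also run before the `node.IsStatic` conversion that follows, so for static nodes they compare the pre-conversion `node.ID` — presumably intended, but worth confirming. IsPeerAllowed continues outside the hunk.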