
fetch acl rule for a node

abhishek9686 hace 9 meses
81e5d8673d
Se han modificado 3 ficheros con 39 adiciones y 31 borrados
  1. 32 25
      logic/acls.go
  2. 2 1
      logic/peers.go
  3. 5 5
      models/mqtt.go

+ 32 - 25
logic/acls.go

@@ -654,10 +654,10 @@ func RemoveDeviceTagFromAclPolicies(tagID models.TagID, netID models.NetworkID)
 
 func GetAclRulesForNode(node *models.Node) (rules map[string][]models.AclRule) {
 	defaultPolicy, err := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
+	rules = make(map[string][]models.AclRule)
 	if err == nil && defaultPolicy.Enabled {
-
 		return map[string][]models.AclRule{
-			defaultPolicy.ID: []models.AclRule{
+			defaultPolicy.ID: {
 				{
 					SrcIP:     node.NetworkRange,
 					SrcIP6:    node.NetworkRange6,
@@ -668,6 +668,7 @@ func GetAclRulesForNode(node *models.Node) (rules map[string][]models.AclRule) {
 			},
 		}
 	}
+
 	taggedNodes := GetTagMapWithNodesByNetwork(models.NetworkID(node.Network))
 	acls := listDevicePolicies(models.NetworkID(node.Network))
 	//allowedNodeUniqueMap := make(map[string]struct{})
@@ -678,35 +679,40 @@ func GetAclRulesForNode(node *models.Node) (rules map[string][]models.AclRule) {
 			}
 			srcTags := convAclTagToValueMap(acl.Src)
 			dstTags := convAclTagToValueMap(acl.Dst)
-
+			aclRules := []models.AclRule{}
 			if acl.AllowedDirection == models.TrafficDirectionBi {
 				var existsInSrcTag bool
 				var existsInDstTag bool
 				// if contains all resources, return entire cidr
 				if _, ok := srcTags["*"]; ok {
-					return []models.AclRule{
-						{
-							SrcIP:     node.NetworkRange,
-							SrcIP6:    node.NetworkRange6,
-							Proto:     []models.Protocol{models.ALL},
-							Port:      acl.Port,
-							Direction: acl.AllowedDirection,
-							Allowed:   true,
+					return map[string][]models.AclRule{
+						acl.ID: {
+							{
+								SrcIP:     node.NetworkRange,
+								SrcIP6:    node.NetworkRange6,
+								Proto:     []models.Protocol{models.ALL},
+								Port:      acl.Port,
+								Direction: acl.AllowedDirection,
+								Allowed:   true,
+							},
 						},
 					}
 				}
 				if _, ok := dstTags["*"]; ok {
-					return []models.AclRule{
-						{
-							SrcIP:     node.NetworkRange,
-							SrcIP6:    node.NetworkRange6,
-							Proto:     []models.Protocol{models.ALL},
-							Port:      acl.Port,
-							Direction: acl.AllowedDirection,
-							Allowed:   true,
+					return map[string][]models.AclRule{
+						acl.ID: {
+							{
+								SrcIP:     node.NetworkRange,
+								SrcIP6:    node.NetworkRange6,
+								Proto:     []models.Protocol{models.ALL},
+								Port:      acl.Port,
+								Direction: acl.AllowedDirection,
+								Allowed:   true,
+							},
 						},
 					}
 				}
+
 				if _, ok := srcTags[nodeTag.String()]; ok {
 					existsInSrcTag = true
 				}
@@ -722,7 +728,7 @@ func GetAclRulesForNode(node *models.Node) (rules map[string][]models.AclRule) {
 						// Get peers in the tags and add allowed rules
 						nodes := taggedNodes[models.TagID(dst)]
 						for _, node := range nodes {
-							rules = append(rules, models.AclRule{
+							aclRules = append(aclRules, models.AclRule{
 								SrcIP:     node.Address,
 								SrcIP6:    node.Address6,
 								Proto:     acl.Proto,
@@ -743,7 +749,7 @@ func GetAclRulesForNode(node *models.Node) (rules map[string][]models.AclRule) {
 						// Get peers in the tags and add allowed rules
 						nodes := taggedNodes[models.TagID(src)]
 						for _, node := range nodes {
-							rules = append(rules, models.AclRule{
+							aclRules = append(aclRules, models.AclRule{
 								SrcIP:     node.Address,
 								SrcIP6:    node.Address6,
 								Proto:     acl.Proto,
@@ -757,7 +763,7 @@ func GetAclRulesForNode(node *models.Node) (rules map[string][]models.AclRule) {
 				if existsInDstTag && existsInSrcTag {
 					nodes := taggedNodes[nodeTag]
 					for _, node := range nodes {
-						rules = append(rules, models.AclRule{
+						aclRules = append(aclRules, models.AclRule{
 							SrcIP:     node.Address,
 							SrcIP6:    node.Address6,
 							Proto:     acl.Proto,
@@ -777,7 +783,7 @@ func GetAclRulesForNode(node *models.Node) (rules map[string][]models.AclRule) {
 						// Get peers in the tags and add allowed rules
 						nodes := taggedNodes[models.TagID(src)]
 						for _, node := range nodes {
-							rules = append(rules, models.AclRule{
+							aclRules = append(aclRules, models.AclRule{
 								SrcIP:     node.Address,
 								SrcIP6:    node.Address6,
 								Proto:     acl.Proto,
@@ -789,9 +795,10 @@ func GetAclRulesForNode(node *models.Node) (rules map[string][]models.AclRule) {
 					}
 				}
 			}
-
+			if len(aclRules) > 0 {
+				rules[acl.ID] = aclRules
+			}
 		}
 	}
-
 	return
 }
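Review bot: The two wildcard early returns, `return map[string][]models.AclRule{ acl.ID: { ... } }` in the `srcTags["*"]` and `dstTags["*"]` branches, throw away everything earlier iterations already stored into `rules` via `rules[acl.ID] = aclRules`, so when a `*`-tagged bi-directional policy is not the first policy visited, the rules generated for the preceding policies never reach the client. Because the wildcard rule carries `Port: acl.Port`, it does not necessarily subsume them: a port-restricted wildcard policy next to a separate port-specific policy yields only one of the two, and which one appears to depend on the iteration order of `acls` from `listDevicePolicies`. Now that the result is keyed by policy ID, the natural fix is to store the wildcard rule under its own key and keep iterating: `rules[acl.ID] = []models.AclRule{{SrcIP: node.NetworkRange, SrcIP6: node.NetworkRange6, Proto: []models.Protocol{models.ALL}, Port: acl.Port, Direction: acl.AllowedDirection, Allowed: true}}` followed by `continue`. The default-policy return at the top, which skips device policies entirely when the default policy is enabled, may well be intentional but deserves a comment saying so, e.g. `// an enabled default policy allows the whole network range; per-policy rules are not needed`. Note also that `for _, node := range nodes` inside the loop shadows the `node` parameter, which makes the `node.Address` lines easy to misread.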

+ 2 - 1
logic/peers.go

@@ -76,7 +76,7 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 		FwUpdate: models.FwUpdate{
 			EgressInfo:  make(map[string]models.EgressInfo),
 			IngressInfo: make(map[string]models.IngressInfo),
-			AclRules:    make(map[string]models.AclRule),
+			AclRules:    make(map[string]map[string][]models.AclRule),
 		},
 		PeerIDs:           make(models.PeerMap, 0),
 		Peers:             []wgtypes.PeerConfig{},
@@ -155,6 +155,7 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 		if !hostPeerUpdate.IsInternetGw {
 			hostPeerUpdate.IsInternetGw = IsInternetGw(node)
 		}
+		hostPeerUpdate.FwUpdate.AclRules[node.Network] = GetAclRulesForNode(&node)
 		currentPeers := GetNetworkNodesMemory(allNodes, node.Network)
 		for _, peer := range currentPeers {
 			peer := peer
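Review bot: The new `hostPeerUpdate.FwUpdate.AclRules[node.Network] = GetAclRulesForNode(&node)` runs for every node of the host on every peer update, and the callee appears to re-fetch the network's tag map and policy list (`GetTagMapWithNodesByNetwork`, `listDevicePolicies`) on each call, so the cost grows with nodes × policies per update; if peer updates fan out to every host on any change, this is worth hoisting or caching per network. The assignment also silently overwrites an existing entry for `node.Network`, so if a host could ever hold two nodes in one network only the last node's rules survive; if that cannot happen, a one-line comment stating the assumption would help, e.g. `// a host has at most one node per network, so this never overwrites`. The enclosing loop over the host's nodes starts and ends outside this hunk.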

+ 5 - 5
models/mqtt.go

@@ -90,11 +90,11 @@ type KeyUpdate struct {
 
 // FwUpdate - struct for firewall updates
 type FwUpdate struct {
-	IsEgressGw  bool                   `json:"is_egress_gw"`
-	IsIngressGw bool                   `json:"is_ingress_gw"`
-	EgressInfo  map[string]EgressInfo  `json:"egress_info"`
-	IngressInfo map[string]IngressInfo `json:"ingress_info"`
-	AclRules    map[string]AclRule     `json:"acl_rules"`
+	IsEgressGw  bool                            `json:"is_egress_gw"`
+	IsIngressGw bool                            `json:"is_ingress_gw"`
+	EgressInfo  map[string]EgressInfo           `json:"egress_info"`
+	IngressInfo map[string]IngressInfo          `json:"ingress_info"`
+	AclRules    map[string]map[string][]AclRule `json:"acl_rules"`
 }
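Review bot: Changing `AclRules` from `map[string]AclRule` to `map[string]map[string][]AclRule` while keeping the same `json:"acl_rules"` key is a wire-format break: a client built against the old struct gets an `UnmarshalTypeError` from `json.Unmarshal` when the nested object cannot decode into `AclRule`, so server and client must ship together, or the key should be renamed or versioned so old clients simply ignore it. The field also has no comment describing the nesting; from the callers the outer key is the network ID and the inner key the ACL policy ID, so `// AclRules - allow rules per network (outer key: network ID), grouped by ACL policy ID (inner key).` would make it readable without digging through logic/. Whether an empty inner map means "deny everything" or "no firewall rules to apply" is not stated anywhere visible and should be spelled out on the field as well, since the client's interpretation decides the fail-open/fail-closed behaviour.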
 
 // FailOverMeReq - struct for failover req