Domů Procházet Nápověda
Přihlásit se
golang
/
netmaker
zrcadlo https://github.com/gravitl/netmaker
2
0
Rozštěpit 0
Soubory Úkoly 0 Wiki
Procházet zdrojové kódy

add static nodes to acl rules

abhishek9686 před 9 měsíci
rodič
49146816d2
revize
aa10e2e373
2 změnil soubory, kde provedl 87 přidání a 5 odebrání
Rozdělené zobrazení Ukázat statistiku rozdílových dat
  1. 45 5
      logic/acls.go
  2. 42 0
      logic/extpeers.go

+ 45 - 5
logic/acls.go
Zobrazit soubor 

@@ -565,6 +565,13 @@ func IsUserAllowedToCommunicate(userName string, peer models.Node) (bool, []mode
 
 
 // IsNodeAllowedToCommunicate - check node is allowed to communicate with the peer
 
 func IsNodeAllowedToCommunicate(node, peer models.Node) (bool, []models.Acl) {
 
+	if node.ID.String() == "6901219b-9bee-412a-aa2a-4911c8387a6d" &&
 
+		peer.IsStatic && peer.StaticNode.ClientID == "cool-sky" {
 
+		fmt.Println("\n\n=========================================\n\n")
 
+		defer fmt.Println("\n\n=========================================\n\n")
 
+		fmt.Printf("=====> NODE: %s, Peer: %s", node.ID.String(), peer.ID.String())
 
+	}
 
+
 
 	if node.IsStatic {
 
 		node = node.StaticNode.ConvertToStaticNode()
 
 	}
 
@@ -587,10 +594,13 @@ func IsNodeAllowedToCommunicate(node, peer models.Node) (bool, []models.Acl) {
 
 		}
 
 		srcMap := convAclTagToValueMap(policy.Src)
 
 		dstMap := convAclTagToValueMap(policy.Dst)
 
-		// fmt.Printf("\n======> SRCMAP: %+v\n", srcMap)
 
-		// fmt.Printf("\n======> DSTMAP: %+v\n", dstMap)
 
-		// fmt.Printf("\n======> node Tags: %+v\n", node.Tags)
 
-		// fmt.Printf("\n======> peer Tags: %+v\n", peer.Tags)
 
+		if node.ID.String() == "6901219b-9bee-412a-aa2a-4911c8387a6d" &&
 
+			peer.IsStatic && peer.StaticNode.ClientID == "cool-sky" {
 
+			fmt.Printf("\n======> SRCMAP: %+v\n", srcMap)
 
+			fmt.Printf("\n======> DSTMAP: %+v\n", dstMap)
 
+			fmt.Printf("\n======> node Tags: %+v\n", node.Tags)
 
+			fmt.Printf("\n======> peer Tags: %+v\n", peer.Tags)
 
+		}
 
 		for tagID := range node.Tags {
 
 			allowed := false
 
 			if _, ok := dstMap[tagID.String()]; ok {
 
@@ -668,6 +678,10 @@ func IsNodeAllowedToCommunicate(node, peer models.Node) (bool, []models.Acl) {
 
 			}
 
 		}
 
 	}
 
+	if node.ID.String() == "6901219b-9bee-412a-aa2a-4911c8387a6d" &&
 
+		peer.IsStatic && peer.StaticNode.ClientID == "cool-sky" {
 
+		fmt.Printf("====> ALLOWED POLICIES: %+v", allowedPolicies)
 
+	}
 
 	if len(allowedPolicies) > 0 {
 
 		return true, allowedPolicies
 
 	}
 
@@ -720,7 +734,9 @@ func CheckIfTagAsActivePolicy(tagID models.TagID, netID models.NetworkID) bool {
 
 		}
 
 		for _, dstTagI := range acl.Dst {
 
 			if dstTagI.ID == models.DeviceAclID {
 
-				return true
 
+				if tagID.String() == dstTagI.Value {
 
+					return true
 
+				}
 
 			}
 
 		}
 
 	}
 
@@ -838,6 +854,12 @@ func GetAclRulesForNode(node *models.Node) (rules map[string]models.AclRule) {
 
 							if node.Address6.IP != nil {
 
 								aclRule.IP6List = append(aclRule.IP6List, node.AddressIPNet6())
 
 							}
 
+							if node.IsStatic && node.StaticNode.Address != "" {
 
+								aclRule.IPList = append(aclRule.IPList, node.StaticNode.AddressIPNet4())
 
+							}
 
+							if node.IsStatic && node.StaticNode.Address6 != "" {
 
+								aclRule.IP6List = append(aclRule.IP6List, node.StaticNode.AddressIPNet6())
 
+							}
 
 						}
 
 					}
 
 				}
 
@@ -856,6 +878,12 @@ func GetAclRulesForNode(node *models.Node) (rules map[string]models.AclRule) {
 
 							if node.Address6.IP != nil {
 
 								aclRule.IP6List = append(aclRule.IP6List, node.AddressIPNet6())
 
 							}
 
+							if node.IsStatic && node.StaticNode.Address != "" {
 
+								aclRule.IPList = append(aclRule.IPList, node.StaticNode.AddressIPNet4())
 
+							}
 
+							if node.IsStatic && node.StaticNode.Address6 != "" {
 
+								aclRule.IP6List = append(aclRule.IP6List, node.StaticNode.AddressIPNet6())
 
+							}
 
 						}
 
 					}
 
 				}
 
@@ -868,6 +896,12 @@ func GetAclRulesForNode(node *models.Node) (rules map[string]models.AclRule) {
 
 						if node.Address6.IP != nil {
 
 							aclRule.IP6List = append(aclRule.IP6List, node.AddressIPNet6())
 
 						}
 
+						if node.IsStatic && node.StaticNode.Address != "" {
 
+							aclRule.IPList = append(aclRule.IPList, node.StaticNode.AddressIPNet4())
 
+						}
 
+						if node.IsStatic && node.StaticNode.Address6 != "" {
 
+							aclRule.IP6List = append(aclRule.IP6List, node.StaticNode.AddressIPNet6())
 
+						}
 
 					}
 
 				}
 
 			} else {
 
@@ -886,6 +920,12 @@ func GetAclRulesForNode(node *models.Node) (rules map[string]models.AclRule) {
 
 							if node.Address6.IP != nil {
 
 								aclRule.IP6List = append(aclRule.IP6List, node.AddressIPNet6())
 
 							}
 
+							if node.IsStatic && node.StaticNode.Address != "" {
 
+								aclRule.IPList = append(aclRule.IPList, node.StaticNode.AddressIPNet4())
 
+							}
 
+							if node.IsStatic && node.StaticNode.Address6 != "" {
 
+								aclRule.IP6List = append(aclRule.IP6List, node.StaticNode.AddressIPNet6())
 
+							}
 
 						}
 
 					}
 
 				}

+ 42 - 0
logic/extpeers.go
Zobrazit soubor 

@@ -599,6 +599,15 @@ func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
 
 								AllowedPorts:    policy.Port,
 
 								Allow:           true,
 
 							})
 
+							if policy.AllowedDirection == models.TrafficDirectionBi {
 
+								rules = append(rules, models.FwRule{
 
+									SrcIP:           peer.StaticNode.AddressIPNet4(),
 
+									DstIP:           nodeI.StaticNode.AddressIPNet4(),
 
+									AllowedProtocol: policy.Proto,
 
+									AllowedPorts:    policy.Port,
 
+									Allow:           true,
 
+								})
 
+							}
 
 						}
 
 
 					}
 
@@ -611,6 +620,15 @@ func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
 
 								AllowedPorts:    policy.Port,
 
 								Allow:           true,
 
 							})
 
+							if policy.AllowedDirection == models.TrafficDirectionBi {
 
+								rules = append(rules, models.FwRule{
 
+									SrcIP:           peer.StaticNode.AddressIPNet6(),
 
+									DstIP:           nodeI.StaticNode.AddressIPNet6(),
 
+									AllowedProtocol: policy.Proto,
 
+									AllowedPorts:    policy.Port,
 
+									Allow:           true,
 
+								})
 
+							}
 
 						}
 
 					}
 
 					if len(peer.StaticNode.ExtraAllowedIPs) > 0 {
 
@@ -649,6 +667,18 @@ func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
 
 								AllowedPorts:    policy.Port,
 
 								Allow:           true,
 
 							})
 
+							if policy.AllowedDirection == models.TrafficDirectionBi {
 
+								rules = append(rules, models.FwRule{
 
+									SrcIP: net.IPNet{
 
+										IP:   peer.Address.IP,
 
+										Mask: net.CIDRMask(32, 32),
 
+									},
 
+									DstIP:           nodeI.StaticNode.AddressIPNet4(),
 
+									AllowedProtocol: policy.Proto,
 
+									AllowedPorts:    policy.Port,
 
+									Allow:           true,
 
+								})
 
+							}
 
 						}
 
 					}
 
 					if nodeI.StaticNode.Address6 != "" {
 
@@ -663,6 +693,18 @@ func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
 
 								AllowedPorts:    policy.Port,
 
 								Allow:           true,
 
 							})
 
+							if policy.AllowedDirection == models.TrafficDirectionBi {
 
+								rules = append(rules, models.FwRule{
 
+									SrcIP: net.IPNet{
 
+										IP:   peer.Address6.IP,
 
+										Mask: net.CIDRMask(128, 128),
 
+									},
 
+									DstIP:           nodeI.StaticNode.AddressIPNet6(),
 
+									AllowedProtocol: policy.Proto,
 
+									AllowedPorts:    policy.Port,
 
+									Allow:           true,
 
+								})
 
+							}
 
 						}
 
 					}
 
 				}