
Merge pull request #1997 from gravitl/GRA-1095-postup/down

remove postup/down
dcarns 2 years ago
parent
commit
f4851937c1

+ 0 - 4
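--- a/cli/cmd/network/create.go
+++ b/cli/cmd/network/create.go
@@ -44,8 +44,6 @@ var networkCreateCmd = &cobra.Command{
 			network.DefaultInterface = defaultInterface
 			network.DefaultListenPort = int32(defaultListenPort)
 			network.NodeLimit = int32(nodeLimit)
-			network.DefaultPostUp = defaultPostUp
-			network.DefaultPostDown = defaultPostDown
 			network.DefaultKeepalive = int32(defaultKeepalive)
 			if allowManualSignUp {
 				network.AllowManualSignUp = "yes"
@@ -67,8 +65,6 @@ func init() {
 	networkCreateCmd.Flags().BoolVar(&localNetwork, "local", false, "Is the network local (LAN) ?")
 	networkCreateCmd.Flags().BoolVar(&defaultACL, "default_acl", false, "Enable default Access Control List ?")
 	networkCreateCmd.Flags().StringVar(&defaultInterface, "interface", "", "Name of the network interface")
-	networkCreateCmd.Flags().StringVar(&defaultPostUp, "post_up", "", "Commands to run after server is up `;` separated")
-	networkCreateCmd.Flags().StringVar(&defaultPostDown, "post_down", "", "Commands to run after server is down `;` separated")
 	networkCreateCmd.Flags().StringVar(&defaultExtClientDNS, "ext_client_dns", "", "IPv4 address of DNS server to be used by external clients")
 	networkCreateCmd.Flags().IntVar(&defaultListenPort, "listen_port", 51821, "Default wireguard port each node will attempt to use")
 	networkCreateCmd.Flags().IntVar(&nodeLimit, "node_limit", 999999999, "Maximum number of nodes that can be associated with this network")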

+ 0 - 2
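--- a/cli/cmd/network/flags.go
+++ b/cli/cmd/network/flags.go
@@ -11,8 +11,6 @@ var (
 	defaultInterface          string
 	defaultListenPort         int
 	nodeLimit                 int
-	defaultPostUp             string
-	defaultPostDown           string
 	defaultKeepalive          int
 	allowManualSignUp         bool
 	defaultExtClientDNS       string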

+ 0 - 4
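--- a/cli/cmd/network/update.go
+++ b/cli/cmd/network/update.go
@@ -47,8 +47,6 @@ var networkUpdateCmd = &cobra.Command{
 			network.DefaultInterface = defaultInterface
 			network.DefaultListenPort = int32(defaultListenPort)
 			network.NodeLimit = int32(nodeLimit)
-			network.DefaultPostUp = defaultPostUp
-			network.DefaultPostDown = defaultPostDown
 			network.DefaultKeepalive = int32(defaultKeepalive)
 			if allowManualSignUp {
 				network.AllowManualSignUp = "yes"
@@ -68,8 +66,6 @@ func init() {
 	networkUpdateCmd.Flags().BoolVar(&localNetwork, "local", false, "Is the network local (LAN) ?")
 	networkUpdateCmd.Flags().BoolVar(&defaultACL, "default_acl", false, "Enable default Access Control List ?")
 	networkUpdateCmd.Flags().StringVar(&defaultInterface, "interface", "", "Name of the network interface")
-	networkUpdateCmd.Flags().StringVar(&defaultPostUp, "post_up", "", "Commands to run after server is up `;` separated")
-	networkUpdateCmd.Flags().StringVar(&defaultPostDown, "post_down", "", "Commands to run after server is down `;` separated")
 	networkUpdateCmd.Flags().StringVar(&defaultExtClientDNS, "ext_client_dns", "", "IPv4 address of DNS server to be used by external clients")
 	networkUpdateCmd.Flags().IntVar(&defaultListenPort, "listen_port", 0, "Default wireguard port each node will attempt to use")
 	networkUpdateCmd.Flags().IntVar(&nodeLimit, "node_limit", 0, "Maximum number of nodes that can be associated with this network")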

+ 0 - 2
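--- a/cli/cmd/node/update.go
+++ b/cli/cmd/node/update.go
@@ -34,8 +34,6 @@ var nodeUpdateCmd = &cobra.Command{
 			node.Address = address
 			node.Address6 = address6
 			node.LocalAddress = localAddress
-			node.PostUp = postUp
-			node.PostDown = postDown
 			node.PersistentKeepalive = int32(keepAlive)
 			if relayAddrs != "" {
 				node.RelayAddrs = strings.Split(relayAddrs, ",")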

+ 0 - 1
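--- a/compose/docker-compose.reference.yml
+++ b/compose/docker-compose.reference.yml
@@ -20,7 +20,6 @@ services:
       REST_BACKEND: "on" # Enables the REST backend (API running on API_PORT at SERVER_HTTP_HOST). Change to "off" to turn off.
       DISABLE_REMOTE_IP_CHECK: "off" # If turned "on", Server will not set Host based on remote IP check. This is already overridden if SERVER_HOST is set. Turned "off" by default.
       TELEMETRY: "on" # Whether or not to send telemetry data to help improve Netmaker. Switch to "off" to opt out of sending telemetry.
-      RCE: "off" # Enables setting PostUp and PostDown (arbitrary commands) on nodes from the server. Off by default.
       MASTER_KEY: "REPLACE_MASTER_KEY" # The admin master key for accessing the API. Change this in any production installation.
       CORS_ALLOWED_ORIGIN: "*" # The "allowed origin" for API requests. Change to restrict where API requests can come from with comma-separated URLs. ex:- https://dashboard.netmaker.domain1.com,https://dashboard.netmaker.domain2.com
       DISPLAY_KEYS: "on" # Show keys permanently in UI (until deleted) as opposed to 1-time display.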

+ 0 - 1
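--- a/config/config.go
+++ b/config/config.go
@@ -61,7 +61,6 @@ type ServerConfig struct {
 	FrontendURL           string `yaml:"frontendurl"`
 	DisplayKeys           string `yaml:"displaykeys"`
 	AzureTenant           string `yaml:"azuretenant"`
-	RCE                   string `yaml:"rce"`
 	Telemetry             string `yaml:"telemetry"`
 	HostNetwork           string `yaml:"hostnetwork"`
 	MQPort                string `yaml:"mqport"`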

+ 0 - 6
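--- a/controllers/network.go
+++ b/controllers/network.go
@@ -185,12 +185,6 @@ func updateNetwork(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
 		return
 	}
-
-	if !servercfg.GetRce() {
-		newNetwork.DefaultPostDown = network.DefaultPostDown
-		newNetwork.DefaultPostUp = network.DefaultPostUp
-	}
-
 	rangeupdate4, rangeupdate6, holepunchupdate, groupsDelta, userDelta, err := logic.UpdateNetwork(&network, &newNetwork)
 	if err != nil {
 		logger.Log(0, r.Header.Get("user"), "failed to update network: ",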

+ 0 - 5
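--- a/controllers/node.go
+++ b/controllers/node.go
@@ -904,11 +904,6 @@ func updateNode(w http.ResponseWriter, r *http.Request) {
 	if currentNode.IsRelayed && (currentNode.Address.String() != newNode.Address.String() || currentNode.Address6.String() != newNode.Address6.String()) {
 		relayedUpdate = true
 	}
-
-	if !servercfg.GetRce() {
-		newNode.PostDown = currentNode.PostDown
-		newNode.PostUp = currentNode.PostUp
-	}
 	ifaceDelta := logic.IfaceDelta(&currentNode, newNode)
 
 	if ifaceDelta && servercfg.Is_EE {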

+ 0 - 14
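--- a/controllers/node_test.go
+++ b/controllers/node_test.go
@@ -49,11 +49,7 @@ func TestCreateEgressGateway(t *testing.T) {
 
 		node, err := logic.CreateEgressGateway(gateway)
 		t.Log(node.EgressGatewayNatEnabled)
-		t.Log(node.PostUp)
-		t.Log(node.PostDown)
 		assert.Nil(t, err)
-		assert.Contains(t, node.PostUp, "-j MASQUERADE")
-		assert.Contains(t, node.PostDown, "-j MASQUERADE")
 	})
 	t.Run("Success-Nat-Disabled", func(t *testing.T) {
 		deleteAllNodes()
@@ -63,11 +59,7 @@ func TestCreateEgressGateway(t *testing.T) {
 
 		node, err := logic.CreateEgressGateway(gateway)
 		t.Log(node.EgressGatewayNatEnabled)
-		t.Log(node.PostUp)
-		t.Log(node.PostDown)
 		assert.Nil(t, err)
-		assert.NotContains(t, node.PostUp, "-j MASUERADE")
-		assert.NotContains(t, node.PostDown, "-j MASUERADE")
 	})
 	t.Run("Success", func(t *testing.T) {
 		var gateway models.EgressGatewayRequest
@@ -81,8 +73,6 @@ func TestCreateEgressGateway(t *testing.T) {
 		node, err := logic.CreateEgressGateway(gateway)
 		t.Log(node)
 		assert.Nil(t, err)
-		assert.Contains(t, node.PostUp, "-j MASQUERADE")
-		assert.Contains(t, node.PostDown, "-j MASQUERADE")
 		assert.Equal(t, true, node.IsEgressGateway)
 		assert.Equal(t, gateway.Ranges, node.EgressGatewayRanges)
 	})
@@ -107,16 +97,12 @@ func TestDeleteEgressGateway(t *testing.T) {
 		assert.Nil(t, err)
 		assert.Equal(t, false, node.IsEgressGateway)
 		assert.Equal(t, []string([]string{}), node.EgressGatewayRanges)
-		assert.Equal(t, "", node.PostUp)
-		assert.Equal(t, "", node.PostDown)
 	})
 	t.Run("NotGateway", func(t *testing.T) {
 		node, err := logic.DeleteEgressGateway(gateway.NetID, gateway.NodeID)
 		assert.Nil(t, err)
 		assert.Equal(t, false, node.IsEgressGateway)
 		assert.Equal(t, []string([]string{}), node.EgressGatewayRanges)
-		assert.Equal(t, "", node.PostUp)
-		assert.Equal(t, "", node.PostDown)
 	})
 	t.Run("BadNode", func(t *testing.T) {
 		node, err := logic.DeleteEgressGateway(gateway.NetID, "01:02:03")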

+ 0 - 1
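--- a/dev.yaml
+++ b/dev.yaml
@@ -32,7 +32,6 @@ server:
   frontendurl: ""
   displaykeys: ""
   azuretenant: ""
-  rce: "off"
   telemetry: ""
   manageiptables: "off"
   portforwardservices: ""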

+ 0 - 3
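--- a/go.mod
+++ b/go.mod
@@ -43,7 +43,6 @@ require (
 
 require (
 	github.com/guumaster/tablewriter v0.0.10
-	github.com/kr/pretty v0.3.1
 	github.com/matryer/is v1.4.0
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/spf13/cobra v1.6.1
@@ -53,9 +52,7 @@ require (
 	cloud.google.com/go/compute/metadata v0.2.1 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.0.1 // indirect
-	github.com/kr/text v0.2.0 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
-	github.com/rogpeppe/go-internal v1.9.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 )
 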

+ 2 - 4
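--- a/go.sum
+++ b/go.sum
@@ -74,9 +74,8 @@ github.com/josharian/native v1.0.0 h1:Ts/E8zCSEsG17dUqv7joXJFybuMLjQfWE04tsBODTx
 github.com/josharian/native v1.0.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
 github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
-github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
-github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -118,9 +117,8 @@ github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJ
 github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
+github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8=
 github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
-github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
-github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/rqlite/gorqlite v0.0.0-20210514125552-08ff1e76b22f h1:BSnJgAfHzEp7o8PYJ7YfwAVHhqu7BYUTggcn/LGlUWY=
 github.com/rqlite/gorqlite v0.0.0-20210514125552-08ff1e76b22f/go.mod h1:UW/gxgQwSePTvL1KA8QEHsXeYHP4xkoXgbDdN781p34=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=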

+ 0 - 246
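--- a/logic/gateway.go
+++ b/logic/gateway.go
@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"strings"
 	"time"
 
 	"github.com/gravitl/netmaker/database"
@@ -48,62 +47,6 @@ func CreateEgressGateway(gateway models.EgressGatewayRequest) (models.Node, erro
 	node.EgressGatewayRanges = gateway.Ranges
 	node.EgressGatewayNatEnabled = models.ParseBool(gateway.NatEnabled)
 	node.EgressGatewayRequest = gateway // store entire request for use when preserving the egress gateway
-	postUpCmd := ""
-	postDownCmd := ""
-	ipv4, ipv6 := getNetworkProtocols(gateway.Ranges)
-	logger.Log(3, "creating egress gateway firewall in use is '", host.FirewallInUse, "'")
-	iface := models.WIREGUARD_INTERFACE
-	if host.OS == "linux" {
-		switch host.FirewallInUse {
-		case models.FIREWALL_NFTABLES:
-			// nftables only supported on Linux
-			// assumes chains eg FORWARD and postrouting already exist
-			logger.Log(3, "creating egress gateway nftables is present")
-			// down commands don't remove as removal of the rules leaves an empty chain while
-			// removing the chain with rules in it would remove all rules in that section (not safe
-			// if there are remaining rules on the host that need to stay).  In practice the chain is removed
-			// when non-empty even though the removal of a non-empty chain should not be possible per nftables wiki.
-			postUpCmd, postDownCmd = firewallNFTCommandsCreateEgress(iface, gateway.Interface, gateway.Ranges, node.EgressGatewayNatEnabled, ipv4, ipv6)
-
-		default: // iptables assumed
-			logger.Log(3, "creating egress gateway nftables is not present")
-			postUpCmd, postDownCmd = firewallIPTablesCommandsCreateEgress(iface, gateway.Interface, node.EgressGatewayNatEnabled, ipv4, ipv6)
-		}
-	}
-	if host.OS == "freebsd" {
-		// spacing around ; is important for later parsing of postup/postdown in wireguard/common.go
-		postUpCmd = "kldload ipfw ipfw_nat ; "
-		postUpCmd += "ipfw disable one_pass ; "
-		postUpCmd += "ipfw nat 1 config if " + gateway.Interface + " same_ports unreg_only reset ; "
-		postUpCmd += "ipfw add 64000 reass all from any to any in ; "
-		postUpCmd += "ipfw add 64000 nat 1 ip from any to any in via " + gateway.Interface + " ; "
-		postUpCmd += "ipfw add 64000 check-state ; "
-		postUpCmd += "ipfw add 64000 nat 1 ip from any to any out via " + gateway.Interface + " ; "
-		postUpCmd += "ipfw add 65534 allow ip from any to any ; "
-		postDownCmd = "ipfw delete 64000 ; "
-		postDownCmd += "ipfw delete 65534 ; "
-		postDownCmd += "kldunload ipfw_nat ipfw"
-
-	}
-	if gateway.PostUp != "" {
-		postUpCmd = gateway.PostUp
-	}
-	if gateway.PostDown != "" {
-		postDownCmd = gateway.PostDown
-	}
-	if node.PostUp != "" {
-		if !strings.Contains(node.PostUp, postUpCmd) {
-			postUpCmd = node.PostUp + postUpCmd
-		}
-	}
-	if node.PostDown != "" {
-		if !strings.Contains(node.PostDown, postDownCmd) {
-			postDownCmd = node.PostDown + postDownCmd
-		}
-	}
-
-	node.PostUp = postUpCmd
-	node.PostDown = postDownCmd
 	node.SetLastModified()
 	nodeData, err := json.Marshal(&node)
 	if err != nil {
@@ -136,39 +79,9 @@ func DeleteEgressGateway(network, nodeid string) (models.Node, error) {
 	if err != nil {
 		return models.Node{}, err
 	}
-	host, err := GetHost(node.HostID.String())
-	if err != nil {
-		return models.Node{}, err
-
-	}
 	node.IsEgressGateway = false
 	node.EgressGatewayRanges = []string{}
 	node.EgressGatewayRequest = models.EgressGatewayRequest{} // remove preserved request as the egress gateway is gone
-	// needed in case we don't preserve a gateway (i.e., no ingress to preserve)
-	node.PostUp = ""
-	node.PostDown = ""
-	cidrs := []string{}
-	cidrs = append(cidrs, node.IngressGatewayRange)
-	cidrs = append(cidrs, node.IngressGatewayRange6)
-	ipv4, ipv6 := getNetworkProtocols(cidrs)
-	logger.Log(3, "deleting egress gateway firewall in use is '", host.FirewallInUse, "'")
-	if node.IsIngressGateway { // check if node is still an ingress gateway before completely deleting postdown/up rules
-		// still have an ingress gateway so preserve it
-		iface := models.WIREGUARD_INTERFACE
-		if host.OS == "linux" {
-			switch host.FirewallInUse {
-			case models.FIREWALL_NFTABLES:
-				// nftables only supported on Linux
-				// assumes chains eg FORWARD and postrouting already exist
-				logger.Log(3, "deleting egress gateway nftables is present")
-				node.PostUp, node.PostDown = firewallNFTCommandsCreateIngress(iface)
-			default:
-				logger.Log(3, "deleting egress gateway nftables is not present")
-				node.PostUp, node.PostDown = firewallIPTablesCommandsCreateIngress(iface, ipv4, ipv6)
-			}
-		}
-		// no need to preserve ingress gateway on FreeBSD as ingress is not supported on that OS
-	}
 	node.SetLastModified()
 
 	data, err := json.Marshal(&node)
@@ -184,7 +97,6 @@ func DeleteEgressGateway(network, nodeid string) (models.Node, error) {
 // CreateIngressGateway - creates an ingress gateway
 func CreateIngressGateway(netid string, nodeid string, failover bool) (models.Node, error) {
 
-	var postUpCmd, postDownCmd string
 	node, err := GetNodeByID(nodeid)
 	if err != nil {
 		return models.Node{}, err
@@ -205,38 +117,9 @@ func CreateIngressGateway(netid string, nodeid string, failover bool) (models.No
 		return models.Node{}, err
 	}
 	node.IsIngressGateway = true
-	cidrs := []string{}
-	cidrs = append(cidrs, network.AddressRange)
-	cidrs = append(cidrs, network.AddressRange6)
 	node.IngressGatewayRange = network.AddressRange
 	node.IngressGatewayRange6 = network.AddressRange6
-	ipv4, ipv6 := getNetworkProtocols(cidrs)
-	logger.Log(3, "creating ingress gateway firewall in use is '", host.FirewallInUse, "'")
-	iface := models.WIREGUARD_INTERFACE
-	switch host.FirewallInUse {
-	case models.FIREWALL_NFTABLES:
-		// nftables only supported on Linux
-		// assumes chains eg FORWARD and postrouting already exist
-		logger.Log(3, "creating ingress gateway nftables is present")
-		postUpCmd, postDownCmd = firewallNFTCommandsCreateIngress(iface)
-	default:
-		logger.Log(3, "creating ingress gateway using nftables is not present")
-		postUpCmd, postDownCmd = firewallIPTablesCommandsCreateIngress(iface, ipv4, ipv6)
-	}
-
-	if node.PostUp != "" {
-		if !strings.Contains(node.PostUp, postUpCmd) {
-			postUpCmd = node.PostUp + postUpCmd
-		}
-	}
-	if node.PostDown != "" {
-		if !strings.Contains(node.PostDown, postDownCmd) {
-			postDownCmd = node.PostDown + postDownCmd
-		}
-	}
 	node.SetLastModified()
-	node.PostUp = postUpCmd
-	node.PostDown = postDownCmd
 	if failover && servercfg.Is_EE {
 		node.Failover = true
 	}
@@ -277,10 +160,6 @@ func DeleteIngressGateway(networkName string, nodeid string) (models.Node, bool,
 	node.IngressGatewayRange = ""
 	node.Failover = false
 
-	// default to removing postup and postdown
-	node.PostUp = ""
-	node.PostDown = ""
-
 	//logger.Log(3, "deleting ingress gateway firewall in use is '", host.FirewallInUse, "' and isEgressGateway is", node.IsEgressGateway)
 	if node.EgressGatewayRequest.NodeID != "" {
 		_, err := CreateEgressGateway(node.EgressGatewayRequest)
@@ -318,128 +197,3 @@ func DeleteGatewayExtClients(gatewayID string, networkName string) error {
 	}
 	return nil
 }
-
-// firewallNFTCommandsCreateIngress - used to centralize firewall command maintenance for creating an ingress gateway using the nftables firewall.
-func firewallNFTCommandsCreateIngress(networkInterface string) (string, string) {
-	// spacing around ; is important for later parsing of postup/postdown in wireguard/common.go
-	postUp := "nft add table ip filter ; "
-	postUp += "nft add chain ip filter FORWARD ; "
-	postUp += "nft add rule ip filter FORWARD iifname " + networkInterface + " counter accept ; "
-	postUp += "nft add rule ip filter FORWARD oifname " + networkInterface + " counter accept ; "
-	postUp += "nft add table nat ; "
-	postUp += "nft add chain nat postrouting ; "
-	postUp += "nft add rule ip nat postrouting oifname " + networkInterface + " counter masquerade ; "
-
-	// doesn't remove potentially empty tables or chains
-	postDown := "nft flush table filter ; "
-	postDown += "nft flush table nat ; "
-
-	return postUp, postDown
-}
-
-// firewallNFTCommandsCreateEgress - used to centralize firewall command maintenance for creating an egress gateway using the nftables firewall.
-func firewallNFTCommandsCreateEgress(networkInterface string, gatewayInterface string, gatewayranges []string, egressNatEnabled bool, ipv4, ipv6 bool) (string, string) {
-	// spacing around ; is important for later parsing of postup/postdown in wireguard/common.go
-	postUp := ""
-	postDown := ""
-	if ipv4 {
-		postUp += "nft add table ip filter ; "
-		postUp += "nft add chain ip filter forward ; "
-		postUp += "nft add rule filter forward ct state related,established accept ; "
-		postUp += "nft add rule ip filter forward iifname " + networkInterface + " accept ; "
-		postUp += "nft add rule ip filter forward oifname " + networkInterface + " accept ; "
-		postUp += "nft add table nat ; "
-		postUp += "nft 'add chain ip nat prerouting { type nat hook prerouting priority 0 ;}' ; "
-		postUp += "nft 'add chain ip nat postrouting { type nat hook postrouting priority 0 ;}' ; "
-
-		postDown += "nft flush table filter ; "
-
-		if egressNatEnabled {
-			postUp += "nft add table nat ; "
-			postUp += "nft add chain nat postrouting ; "
-			postUp += "nft add rule ip nat postrouting oifname " + gatewayInterface + " counter masquerade ; "
-
-			postDown += "nft flush table nat ; "
-		}
-	}
-	if ipv6 {
-		postUp += "nft add table ip6 filter ; "
-		postUp += "nft add chain ip6 filter forward ; "
-		postUp += "nft add rule ip6 filter forward ct state related,established accept ; "
-		postUp += "nft add rule ip6 filter forward iifname " + networkInterface + " accept ; "
-		postUp += "nft add rule ip6 filter forward oifname " + networkInterface + " accept ; "
-
-		postDown += "nft flush table ip6 filter ; "
-
-		if egressNatEnabled {
-			postUp += "nft add table ip6 nat ; "
-			postUp += "nft 'add chain ip6 nat prerouting { type nat hook prerouting priority 0 ;}' ; "
-			postUp += "nft 'add chain ip6 nat postrouting { type nat hook postrouting priority 0 ;}' ; "
-			postUp += "nft add rule ip6 nat postrouting oifname " + gatewayInterface + " masquerade ; "
-
-			postDown += "nft flush table ip6 nat ; "
-		}
-	}
-
-	return postUp, postDown
-}
-
-// firewallIPTablesCommandsCreateIngress - used to centralize firewall command maintenance for creating an ingress gateway using the iptables firewall.
-func firewallIPTablesCommandsCreateIngress(networkInterface string, ipv4, ipv6 bool) (string, string) {
-	postUp := ""
-	postDown := ""
-	if ipv4 {
-		// spacing around ; is important for later parsing of postup/postdown in wireguard/common.go
-		postUp += "iptables -A FORWARD -i " + networkInterface + " -j ACCEPT ; "
-		postUp += "iptables -A FORWARD -o " + networkInterface + " -j ACCEPT ; "
-		postUp += "iptables -t nat -A POSTROUTING -o " + networkInterface + " -j MASQUERADE ; "
-
-		// doesn't remove potentially empty tables or chains
-		postDown += "iptables -D FORWARD -i " + networkInterface + " -j ACCEPT ; "
-		postDown += "iptables -D FORWARD -o " + networkInterface + " -j ACCEPT ; "
-		postDown += "iptables -t nat -D POSTROUTING -o " + networkInterface + " -j MASQUERADE ; "
-	}
-	if ipv6 {
-		// spacing around ; is important for later parsing of postup/postdown in wireguard/common.go
-		postUp += "ip6tables -A FORWARD -i " + networkInterface + " -j ACCEPT ; "
-		postUp += "ip6tables -A FORWARD -o " + networkInterface + " -j ACCEPT ; "
-		postUp += "ip6tables -t nat -A POSTROUTING -o " + networkInterface + " -j MASQUERADE ; "
-
-		// doesn't remove potentially empty tables or chains
-		postDown += "ip6tables -D FORWARD -i " + networkInterface + " -j ACCEPT ; "
-		postDown += "ip6tables -D FORWARD -o " + networkInterface + " -j ACCEPT ; "
-		postDown += "ip6tables -t nat -D POSTROUTING -o " + networkInterface + " -j MASQUERADE ; "
-	}
-	return postUp, postDown
-}
-
-// firewallIPTablesCommandsCreateEgress - used to centralize firewall command maintenance for creating an egress gateway using the iptables firewall.
-func firewallIPTablesCommandsCreateEgress(networkInterface string, gatewayInterface string, egressNatEnabled bool, ipv4, ipv6 bool) (string, string) {
-	// spacing around ; is important for later parsing of postup/postdown in wireguard/common.go
-	postUp := ""
-	postDown := ""
-	if ipv4 {
-		postUp += "iptables -A FORWARD -i " + networkInterface + " -j ACCEPT ; "
-		postUp += "iptables -A FORWARD -o " + networkInterface + " -j ACCEPT ; "
-		postDown += "iptables -D FORWARD -i " + networkInterface + " -j ACCEPT ; "
-		postDown += "iptables -D FORWARD -o " + networkInterface + " -j ACCEPT ; "
-
-		if egressNatEnabled {
-			postUp += "iptables -t nat -A POSTROUTING -o " + gatewayInterface + " -j MASQUERADE ; "
-			postDown += "iptables -t nat -D POSTROUTING -o " + gatewayInterface + " -j MASQUERADE ; "
-		}
-	}
-	if ipv6 {
-		postUp += "ip6tables -A FORWARD -i " + networkInterface + " -j ACCEPT ; "
-		postUp += "ip6tables -A FORWARD -o " + networkInterface + " -j ACCEPT ; "
-		postDown += "ip6tables -D FORWARD -i " + networkInterface + " -j ACCEPT ; "
-		postDown += "ip6tables -D FORWARD -o " + networkInterface + " -j ACCEPT ; "
-
-		if egressNatEnabled {
-			postUp += "ip6tables -t nat -A POSTROUTING -o " + gatewayInterface + " -j MASQUERADE ; "
-			postDown += "ip6tables -t nat -D POSTROUTING -o " + gatewayInterface + " -j MASQUERADE ; "
-		}
-	}
-	return postUp, postDown
-
-}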

+ 0 - 8
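--- a/logic/nodes.go
+++ b/logic/nodes.go
@@ -247,14 +247,6 @@ func SetNodeDefaults(node *models.Node) {
 	if node.PersistentKeepalive == 0 {
 		node.PersistentKeepalive = time.Second * time.Duration(parentNetwork.DefaultKeepalive)
 	}
-	if node.PostUp == "" {
-		postup := parentNetwork.DefaultPostUp
-		node.PostUp = postup
-	}
-	if node.PostDown == "" {
-		postdown := parentNetwork.DefaultPostDown
-		node.PostDown = postdown
-	}
 	node.SetLastModified()
 	node.SetLastCheckIn()
 	node.SetDefaultConnected()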

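--- a/logic/util.go
+++ b/logic/util.go
@@ -152,20 +152,3 @@ func RemoveStringSlice(slice []string, i int) []string {
 }
 
 // == private ==
-
-func getNetworkProtocols(cidrs []string) (bool, bool) {
-	ipv4 := false
-	ipv6 := false
-	for _, cidr := range cidrs {
-		ip, _, err := net.ParseCIDR(cidr)
-		if err != nil {
-			continue
-		}
-		if ip.To4() == nil {
-			ipv6 = true
-		} else {
-			ipv4 = true
-		}
-	}
-	return ipv4, ipv6
-}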

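--- a/logic/zombie.go
+++ b/logic/zombie.go
@@ -33,12 +33,11 @@ func CheckZombies(newnode *models.Node, mac net.HardwareAddr) {
 		return
 	}
 	for _, node := range nodes {
-		host, err := GetHost(node.HostID.String())
-		if err != nil {
-			// should we delete the node if host not found ??
+		if node.ID == newnode.ID {
+			//skip self
 			continue
 		}
-		if host.MacAddress.String() == mac.String() || time.Now().After(node.ExpirationDateTime) {
+		if node.HostID == newnode.HostID || time.Now().After(node.ExpirationDateTime) {
 			logger.Log(0, "adding ", node.ID.String(), " to zombie list")
 			newZombie <- node.ID
 		}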
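Review bot: The new `node.HostID == newnode.HostID` comparison in the loop has no guard for an unset host ID, so if `newnode.HostID` is ever the zero UUID, every other node whose HostID is also zero would be pushed onto `newZombie`. That case looks reachable in principle, because models/api_node.go assigns `convertedNode.HostID, _ = uuid.Parse(a.HostID)` and discards the parse error; whether such a node reaches CheckZombies is not visible here. A cheap guard before the loop is `if newnode.HostID == uuid.Nil { return }`, assuming the uuid package is imported in this file. The `mac` parameter also appears unused after this change, as far as the hunk shows; CheckZombies starts and ends outside the hunk, so confirm that and either drop the parameter or comment why it stays.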

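--- a/models/api_node.go
+++ b/models/api_node.go
@@ -14,8 +14,6 @@ type ApiNode struct {
 	Address                 string   `json:"address" validate:"omitempty,ipv4"`
 	Address6                string   `json:"address6" validate:"omitempty,ipv6"`
 	LocalAddress            string   `json:"localaddress" validate:"omitempty,ipv4"`
-	PostUp                  string   `json:"postup"`
-	PostDown                string   `json:"postdown"`
 	AllowedIPs              []string `json:"allowedips"`
 	PersistentKeepalive     int32    `json:"persistentkeepalive"`
 	LastModified            int64    `json:"lastmodified"`
@@ -53,8 +51,6 @@ func (a *ApiNode) ConvertToServerNode(currentNode *Node) *Node {
 	convertedNode.Connected = a.Connected
 	convertedNode.ID, _ = uuid.Parse(a.ID)
 	convertedNode.HostID, _ = uuid.Parse(a.HostID)
-	convertedNode.PostUp = a.PostUp
-	convertedNode.PostDown = a.PostDown
 	convertedNode.IsLocal = a.IsLocal
 	convertedNode.IsRelay = a.IsRelay
 	convertedNode.IsRelayed = a.IsRelayed
@@ -127,8 +123,6 @@ func (nm *Node) ConvertToAPINode() *ApiNode {
 	if isEmptyAddr(apiNode.LocalAddress) {
 		apiNode.LocalAddress = ""
 	}
-	apiNode.PostDown = nm.PostDown
-	apiNode.PostUp = nm.PostUp
 	apiNode.PersistentKeepalive = int32(nm.PersistentKeepalive.Seconds())
 	apiNode.LastModified = nm.LastModified.Unix()
 	apiNode.LastCheckIn = nm.LastCheckIn.Unix()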

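--- a/models/network.go
+++ b/models/network.go
@@ -17,7 +17,6 @@ type Network struct {
 	DefaultInterface    string                `json:"defaultinterface" bson:"defaultinterface" validate:"min=1,max=15"`
 	DefaultListenPort   int32                 `json:"defaultlistenport,omitempty" bson:"defaultlistenport,omitempty" validate:"omitempty,min=1024,max=65535"`
 	NodeLimit           int32                 `json:"nodelimit" bson:"nodelimit"`
-	DefaultPostUp       string                `json:"defaultpostup" bson:"defaultpostup"`
 	DefaultPostDown     string                `json:"defaultpostdown" bson:"defaultpostdown"`
 	DefaultKeepalive    int32                 `json:"defaultkeepalive" bson:"defaultkeepalive" validate:"omitempty,max=1000"`
 	AccessKeys          []AccessKey           `json:"accesskeys" bson:"accesskeys"`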
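Review bot: `DefaultPostDown` stays in the `Network` struct as a context line while `DefaultPostUp` directly above it is removed, so the model still decodes and stores `defaultpostdown` from JSON and BSON. The only reader visible in this commit, the `parentNetwork.DefaultPostDown` default in logic/nodes.go, is deleted, and swagger.yaml drops `defaultpostdown` as well, so the leftover looks like an oversight rather than a deliberate choice. Because this field carried command text, I would remove the `DefaultPostDown` line too, or add a comment on it explaining why it is kept (for example to read older stored records). The struct starts and ends outside the hunk.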

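--- a/models/node.go
+++ b/models/node.go
@@ -66,8 +66,6 @@ type CommonNode struct {
 	Connected           bool          `json:"connected" yaml:"connected"`
 	Address             net.IPNet     `json:"address" yaml:"address"`
 	Address6            net.IPNet     `json:"address6" yaml:"address6"`
-	PostUp              string        `json:"postup" yaml:"postup"`
-	PostDown            string        `json:"postdown" yaml:"postdown"`
 	Action              string        `json:"action" yaml:"action"`
 	LocalAddress        net.IPNet     `json:"localaddress" yaml:"localaddress"`
 	IsLocal             bool          `json:"islocal" yaml:"islocal"`
@@ -115,8 +113,6 @@ type LegacyNode struct {
 	ProxyListenPort         int32                `json:"proxy_listen_port" bson:"proxy_listen_port" yaml:"proxy_listen_port" validate:"numeric,min=0,max=65535"`
 	PublicKey               string               `json:"publickey" bson:"publickey" yaml:"publickey" validate:"required,base64"`
 	Endpoint                string               `json:"endpoint" bson:"endpoint" yaml:"endpoint" validate:"required,ip"`
-	PostUp                  string               `json:"postup" bson:"postup" yaml:"postup"`
-	PostDown                string               `json:"postdown" bson:"postdown" yaml:"postdown"`
 	AllowedIPs              []string             `json:"allowedips" bson:"allowedips" yaml:"allowedips"`
 	PersistentKeepalive     int32                `json:"persistentkeepalive" bson:"persistentkeepalive" yaml:"persistentkeepalive" validate:"omitempty,numeric,max=1000"`
 	IsHub                   string               `json:"ishub" bson:"ishub" yaml:"ishub" validate:"checkyesorno"`
@@ -368,12 +364,6 @@ func (newNode *Node) Fill(currentNode *Node) { // TODO add new field for nftable
 	if newNode.Address6.String() == "" {
 		newNode.Address6 = currentNode.Address6
 	}
-	if newNode.PostUp == "" {
-		newNode.PostUp = currentNode.PostUp
-	}
-	if newNode.PostDown == "" {
-		newNode.PostDown = currentNode.PostDown
-	}
 	if newNode.PersistentKeepalive < 0 {
 		newNode.PersistentKeepalive = currentNode.PersistentKeepalive
 	}
@@ -527,8 +517,6 @@ func (ln *LegacyNode) ConvertToNewNode() (*Host, *Node) {
 			Mask: net.CIDRMask(128, 128),
 		}
 	}
-	node.PostUp = ln.PostUp
-	node.PostDown = ln.PostDown
 	node.Action = ln.Action
 	node.IsLocal = parseBool(ln.IsLocal)
 	node.IsEgressGateway = parseBool(ln.IsEgressGateway)
@@ -552,8 +540,6 @@ func (n *Node) Legacy(h *Host, s *ServerConfig, net *Network) *LegacyNode {
 	l.ProxyListenPort = int32(h.ProxyListenPort)
 	l.PublicKey = h.PublicKey.String()
 	l.Endpoint = h.EndpointIP.String()
-	l.PostUp = n.PostUp
-	l.PostDown = n.PostDown
 	//l.AllowedIPs =
 	l.AccessKey = ""
 	l.Interface = WIREGUARD_INTERFACE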

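--- a/models/structs.go
+++ b/models/structs.go
@@ -161,8 +161,6 @@ type EgressGatewayRequest struct {
 	NatEnabled string   `json:"natenabled" bson:"natenabled"`
 	Ranges     []string `json:"ranges" bson:"ranges"`
 	Interface  string   `json:"interface" bson:"interface"`
-	PostUp     string   `json:"postup" bson:"postup"`
-	PostDown   string   `json:"postdown" bson:"postdown"`
 }
 
 // RelayRequest - relay request struct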

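--- a/netclient/ncutils/iface.go
+++ b/netclient/ncutils/iface.go
@@ -23,8 +23,6 @@ func IfaceDelta(currentNode *models.LegacyNode, newNode *models.LegacyNode) bool
 		newNode.PersistentKeepalive != currentNode.PersistentKeepalive ||
 		newNode.DNSOn != currentNode.DNSOn ||
 		newNode.Connected != currentNode.Connected ||
-		newNode.PostUp != currentNode.PostUp ||
-		newNode.PostDown != currentNode.PostDown ||
 		len(newNode.AllowedIPs) != len(currentNode.AllowedIPs) {
 		return true
 	}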

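--- a/servercfg/serverconf.go
+++ b/servercfg/serverconf.go
@@ -76,11 +76,6 @@ func GetServerConfig() config.ServerConfig {
 	cfg.ClientID = authInfo[1]
 	cfg.ClientSecret = authInfo[2]
 	cfg.FrontendURL = GetFrontendURL()
-	if GetRce() {
-		cfg.RCE = "on"
-	} else {
-		cfg.RCE = "off"
-	}
 	cfg.Telemetry = Telemetry()
 	cfg.Server = GetServer()
 	cfg.Verbosity = GetVerbosity()
@@ -599,11 +594,6 @@ func GetAzureTenant() string {
 	return azureTenant
 }
 
-// GetRce - sees if Rce is enabled, off by default
-func GetRce() bool {
-	return os.Getenv("RCE") == "on" || config.Config.Server.RCE == "on"
-}
-
 // GetMQServerPort - get mq port for server
 func GetMQServerPort() string {
 	port := "1883" //default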

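--- a/swagger.yaml
+++ b/swagger.yaml
@@ -105,12 +105,6 @@ definitions:
             nodeid:
                 type: string
                 x-go-name: NodeID
-            postdown:
-                type: string
-                x-go-name: PostDown
-            postup:
-                type: string
-                x-go-name: PostUp
             ranges:
                 items:
                     type: string
@@ -270,12 +264,6 @@ definitions:
                 format: int32
                 type: integer
                 x-go-name: DefaultMTU
-            defaultpostdown:
-                type: string
-                x-go-name: DefaultPostDown
-            defaultpostup:
-                type: string
-                x-go-name: DefaultPostUp
             defaultudpholepunch:
                 type: string
                 x-go-name: DefaultUDPHolePunch
@@ -454,12 +442,6 @@ definitions:
                 format: int32
                 type: integer
                 x-go-name: PersistentKeepalive
-            postdown:
-                type: string
-                x-go-name: PostDown
-            postup:
-                type: string
-                x-go-name: PostUp
             publickey:
                 type: string
                 x-go-name: PublicKey
@@ -638,8 +620,6 @@ definitions:
                 type: string
             PublicIPService:
                 type: string
-            RCE:
-                type: string
             RestBackend:
                 type: string
             SQLConn: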

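--- a/test/network_test.go.bak
+++ b/test/network_test.go.bak
@@ -467,17 +467,14 @@ func TestUpdateNetwork(t *testing.T) {
 	})
 	t.Run("UpdatePostUP", func(t *testing.T) {
 		type Network struct {
-			DefaultPostUp string
 		}
 		var network Network
-		network.DefaultPostUp = "sudo wg add-conf wc-netmaker /etc/wireguard/peers/conf"
 		response, err := api(t, network, http.MethodPut, baseURL+"/api/networks/skynet", "secretkey")
 		assert.Nil(t, err, err)
 		assert.Equal(t, http.StatusOK, response.StatusCode)
 		defer response.Body.Close()
 		err = json.NewDecoder(response.Body).Decode(&returnedNetwork)
 		assert.Nil(t, err, err)
-		assert.Equal(t, network.DefaultPostUp, returnedNetwork.DefaultPostUp)
 	})
 	t.Run("UpdatePostDown", func(t *testing.T) {
 		type Network struct {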