| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366 |
- package logic
- import (
- "context"
- "encoding/json"
- "errors"
- "maps"
- "net"
- "github.com/gravitl/netmaker/db"
- "github.com/gravitl/netmaker/models"
- "github.com/gravitl/netmaker/schema"
- )
- func ValidateEgressReq(e *schema.Egress) error {
- if e.Network == "" {
- return errors.New("network id is empty")
- }
- _, err := GetNetwork(e.Network)
- if err != nil {
- return errors.New("failed to get network " + err.Error())
- }
- if !e.IsInetGw {
- if e.Range == "" {
- return errors.New("egress range is empty")
- }
- _, _, err = net.ParseCIDR(e.Range)
- if err != nil {
- return errors.New("invalid egress range " + err.Error())
- }
- err = ValidateEgressRange(e.Network, []string{e.Range})
- if err != nil {
- return errors.New("invalid egress range " + err.Error())
- }
- } else {
- if len(e.Nodes) > 1 {
- return errors.New("can only set one internet routing node")
- }
- req := models.InetNodeReq{}
- for k := range e.Nodes {
- inetNode, err := GetNodeByID(k)
- if err != nil {
- return errors.New("invalid routing node " + err.Error())
- }
- // check if node is acting as egress gw already
- GetNodeEgressInfo(&inetNode)
- if err := ValidateInetGwReq(inetNode, req, false); err != nil {
- return err
- }
- }
- }
- if len(e.Nodes) != 0 {
- for k := range e.Nodes {
- _, err := GetNodeByID(k)
- if err != nil {
- return errors.New("invalid routing node " + err.Error())
- }
- }
- }
- return nil
- }
- func GetInetClientsFromAclPolicies(eID string) (inetClientIDs []string) {
- e := schema.Egress{ID: eID}
- err := e.Get(db.WithContext(context.TODO()))
- if err != nil || !e.Status {
- return
- }
- acls, _ := ListAclsByNetwork(models.NetworkID(e.Network))
- for _, acl := range acls {
- for _, dstI := range acl.Dst {
- if dstI.ID == models.EgressID {
- if dstI.Value != eID {
- continue
- }
- for _, srcI := range acl.Src {
- if srcI.Value == "*" {
- continue
- }
- if srcI.ID == models.NodeID {
- inetClientIDs = append(inetClientIDs, srcI.Value)
- }
- if srcI.ID == models.NodeTagID {
- inetClientIDs = append(inetClientIDs, GetNodeIDsWithTag(models.TagID(srcI.Value))...)
- }
- }
- }
- }
- }
- return
- }
- func isNodeUsingInternetGw(node *models.Node) {
- host, err := GetHost(node.HostID.String())
- if err != nil {
- return
- }
- if host.IsDefault || node.IsFailOver {
- return
- }
- nodeTags := maps.Clone(node.Tags)
- nodeTags[models.TagID(node.ID.String())] = struct{}{}
- acls, _ := ListAclsByNetwork(models.NetworkID(node.Network))
- var isUsing bool
- for _, acl := range acls {
- if !acl.Enabled {
- continue
- }
- srcVal := convAclTagToValueMap(acl.Src)
- for _, dstI := range acl.Dst {
- if dstI.ID == models.EgressID {
- e := schema.Egress{ID: dstI.Value}
- err := e.Get(db.WithContext(context.TODO()))
- if err != nil || !e.Status {
- continue
- }
- if e.IsInetGw {
- if _, ok := srcVal[node.ID.String()]; ok {
- for nodeID := range e.Nodes {
- if nodeID == node.ID.String() {
- continue
- }
- node.EgressDetails.InternetGwID = nodeID
- isUsing = true
- return
- }
- }
- for tagID := range nodeTags {
- if _, ok := srcVal[tagID.String()]; ok {
- for nodeID := range e.Nodes {
- if nodeID == node.ID.String() {
- continue
- }
- node.EgressDetails.InternetGwID = nodeID
- isUsing = true
- return
- }
- }
- }
- }
- }
- }
- }
- if !isUsing {
- node.EgressDetails.InternetGwID = ""
- }
- }
- func DoesNodeHaveAccessToEgress(node *models.Node, e *schema.Egress) bool {
- nodeTags := maps.Clone(node.Tags)
- nodeTags[models.TagID(node.ID.String())] = struct{}{}
- if !e.IsInetGw {
- nodeTags[models.TagID("*")] = struct{}{}
- }
- acls, _ := ListAclsByNetwork(models.NetworkID(node.Network))
- if !e.IsInetGw {
- defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
- if defaultDevicePolicy.Enabled {
- return true
- }
- }
- for _, acl := range acls {
- if !acl.Enabled {
- continue
- }
- srcVal := convAclTagToValueMap(acl.Src)
- if !e.IsInetGw && acl.AllowedDirection == models.TrafficDirectionBi {
- if _, ok := srcVal["*"]; ok {
- return true
- }
- }
- for _, dstI := range acl.Dst {
- if !e.IsInetGw && dstI.ID == models.NodeTagID && dstI.Value == "*" {
- return true
- }
- if dstI.ID == models.EgressID && dstI.Value == e.ID {
- e := schema.Egress{ID: dstI.Value}
- err := e.Get(db.WithContext(context.TODO()))
- if err != nil {
- continue
- }
- if node.IsStatic {
- if _, ok := srcVal[node.StaticNode.ClientID]; ok {
- return true
- }
- } else {
- if _, ok := srcVal[node.ID.String()]; ok {
- return true
- }
- }
- for tagID := range nodeTags {
- if _, ok := srcVal[tagID.String()]; ok {
- return true
- }
- }
- }
- }
- }
- return false
- }
- func AddEgressInfoToPeerByAccess(node, targetNode *models.Node) {
- eli, _ := (&schema.Egress{Network: targetNode.Network}).ListByNetwork(db.WithContext(context.TODO()))
- req := models.EgressGatewayRequest{
- NodeID: targetNode.ID.String(),
- NetID: targetNode.Network,
- }
- defer func() {
- if targetNode.Mutex != nil {
- targetNode.Mutex.Lock()
- }
- isNodeUsingInternetGw(targetNode)
- if targetNode.Mutex != nil {
- targetNode.Mutex.Unlock()
- }
- }()
- for _, e := range eli {
- if !e.Status || e.Network != targetNode.Network {
- continue
- }
- if !DoesNodeHaveAccessToEgress(node, &e) {
- if node.IsRelayed && node.RelayedBy == targetNode.ID.String() {
- if !DoesNodeHaveAccessToEgress(targetNode, &e) {
- continue
- }
- } else {
- continue
- }
- }
- if metric, ok := e.Nodes[targetNode.ID.String()]; ok {
- if e.IsInetGw {
- targetNode.EgressDetails.IsInternetGateway = true
- targetNode.EgressDetails.InetNodeReq = models.InetNodeReq{
- InetNodeClientIDs: GetInetClientsFromAclPolicies(e.ID),
- }
- req.Ranges = append(req.Ranges, "0.0.0.0/0")
- req.RangesWithMetric = append(req.RangesWithMetric, models.EgressRangeMetric{
- Network: "0.0.0.0/0",
- Nat: true,
- RouteMetric: 256,
- })
- req.Ranges = append(req.Ranges, "::/0")
- req.RangesWithMetric = append(req.RangesWithMetric, models.EgressRangeMetric{
- Network: "::/0",
- Nat: true,
- RouteMetric: 256,
- })
- } else {
- m64, err := metric.(json.Number).Int64()
- if err != nil {
- m64 = 256
- }
- m := uint32(m64)
- req.Ranges = append(req.Ranges, e.Range)
- req.RangesWithMetric = append(req.RangesWithMetric, models.EgressRangeMetric{
- Network: e.Range,
- Nat: e.Nat,
- RouteMetric: m,
- })
- }
- }
- }
- if targetNode.Mutex != nil {
- targetNode.Mutex.Lock()
- }
- if len(req.Ranges) > 0 {
- targetNode.EgressDetails.IsEgressGateway = true
- targetNode.EgressDetails.EgressGatewayRanges = req.Ranges
- targetNode.EgressDetails.EgressGatewayRequest = req
- } else {
- targetNode.EgressDetails = models.EgressDetails{}
- }
- if targetNode.Mutex != nil {
- targetNode.Mutex.Unlock()
- }
- }
- func GetNodeEgressInfo(targetNode *models.Node) {
- eli, _ := (&schema.Egress{Network: targetNode.Network}).ListByNetwork(db.WithContext(context.TODO()))
- req := models.EgressGatewayRequest{
- NodeID: targetNode.ID.String(),
- NetID: targetNode.Network,
- }
- defer func() {
- if targetNode.Mutex != nil {
- targetNode.Mutex.Lock()
- }
- isNodeUsingInternetGw(targetNode)
- if targetNode.Mutex != nil {
- targetNode.Mutex.Unlock()
- }
- }()
- for _, e := range eli {
- if !e.Status || e.Network != targetNode.Network {
- continue
- }
- if metric, ok := e.Nodes[targetNode.ID.String()]; ok {
- if e.IsInetGw {
- targetNode.EgressDetails.IsInternetGateway = true
- targetNode.EgressDetails.InetNodeReq = models.InetNodeReq{
- InetNodeClientIDs: GetInetClientsFromAclPolicies(e.ID),
- }
- req.Ranges = append(req.Ranges, "0.0.0.0/0")
- req.RangesWithMetric = append(req.RangesWithMetric, models.EgressRangeMetric{
- Network: "0.0.0.0/0",
- Nat: true,
- RouteMetric: 256,
- })
- req.Ranges = append(req.Ranges, "::/0")
- req.RangesWithMetric = append(req.RangesWithMetric, models.EgressRangeMetric{
- Network: "::/0",
- Nat: true,
- RouteMetric: 256,
- })
- } else {
- m64, err := metric.(json.Number).Int64()
- if err != nil {
- m64 = 256
- }
- m := uint32(m64)
- req.Ranges = append(req.Ranges, e.Range)
- req.RangesWithMetric = append(req.RangesWithMetric, models.EgressRangeMetric{
- Network: e.Range,
- Nat: e.Nat,
- RouteMetric: m,
- })
- }
- }
- }
- if targetNode.Mutex != nil {
- targetNode.Mutex.Lock()
- }
- if len(req.Ranges) > 0 {
- targetNode.EgressDetails.IsEgressGateway = true
- targetNode.EgressDetails.EgressGatewayRanges = req.Ranges
- targetNode.EgressDetails.EgressGatewayRequest = req
- } else {
- targetNode.EgressDetails = models.EgressDetails{}
- }
- if targetNode.Mutex != nil {
- targetNode.Mutex.Unlock()
- }
- }
- func RemoveNodeFromEgress(node models.Node) {
- egs, _ := (&schema.Egress{}).ListByNetwork(db.WithContext(context.TODO()))
- for _, egI := range egs {
- if _, ok := egI.Nodes[node.ID.String()]; ok {
- delete(egI.Nodes, node.ID.String())
- egI.Update(db.WithContext(context.TODO()))
- }
- }
- }
|
