From 6c52b68214d1f1cd0739154910540a082a7f15b7 Mon Sep 17 00:00:00 2001
From: abhishek9686
Date: Tue, 22 Oct 2024 19:54:23 +0400
Subject: [PATCH] fix ingress firewall updates

---
 controllers/ext_client.go | 3 +--
 logic/acls.go | 3 +++
 logic/extpeers.go | 15 +++++++++++++++
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/controllers/ext_client.go b/controllers/ext_client.go
index 3f1f9323..cc8bfada 100644
--- a/controllers/ext_client.go
+++ b/controllers/ext_client.go
@@ -452,6 +452,7 @@ func createExtClient(w http.ResponseWriter, r *http.Request) {
 extclient.OwnerID = userName
 extclient.RemoteAccessClientID = customExtClient.RemoteAccessClientID
 extclient.IngressGatewayID = nodeid
+ extclient.Network = node.Network
 extclient.Tags = make(map[models.TagID]struct{})
 extclient.Tags[models.TagID(fmt.Sprintf("%s.%s", extclient.Network, models.RemoteAccessTagName))] = struct{}{}
 
@@ -459,8 +460,6 @@ func createExtClient(w http.ResponseWriter, r *http.Request) {
 if (extclient.DNS == "") && (node.IngressDNS != "") {
 extclient.DNS = node.IngressDNS
 }
-
- extclient.Network = node.Network
 host, err := logic.GetHost(node.HostID.String())
 if err != nil {
 logger.Log(0, r.Header.Get("user"),
diff --git a/logic/acls.go b/logic/acls.go
index 9ab8ed19..1eaa16b4 100644
--- a/logic/acls.go
+++ b/logic/acls.go
@@ -445,6 +445,9 @@ func IsUserAllowedToCommunicate(userName string, peer models.Node) bool {
 if err != nil {
 return false
 }
+ if peer.IsStatic {
+ peer = peer.StaticNode.ConvertToStaticNode()
+ }
 policies := listPoliciesOfUser(*user, models.NetworkID(peer.Network))
 for _, policy := range policies {
 if !policy.Enabled {
diff --git a/logic/extpeers.go b/logic/extpeers.go
index f13fcec4..62c723d2 100644
--- a/logic/extpeers.go
+++ b/logic/extpeers.go
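Review bot: The moved assignment `extclient.Network = node.Network` now has an ordering dependency on the `extclient.Tags[...]` line two lines below, which embeds `extclient.Network` in the tag ID, and nothing in the code records that; a later reorder could silently reintroduce the empty-network tag this commit fixes. A short comment on the added line would pin the invariant: `// Network must be set before Tags: the remote-access tag ID embeds the network name`. createExtClient's body continues outside the hunk.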
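Review bot: The new `if peer.IsStatic` block replaces the peer being authorized with `peer.StaticNode.ConvertToStaticNode()` before the policy lookup, and whether the converted value keeps `peer.Network` intact is not visible here; if the conversion yields an empty Network, `listPoliciesOfUser` is queried for an empty NetworkID and the outcome depends on how the loop below handles having no matching policy. Worth confirming that ConvertToStaticNode carries Network through and that the function fails closed (returns false) when nothing matches. A one-line comment stating why the static form is the one the policy loop must see would also help, since I cannot tell from this hunk which StaticNode fields the match relies on. IsUserAllowedToCommunicate's body continues outside the hunk.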
@@ -428,6 +428,11 @@ func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
 DstIP: extclient.StaticNode.AddressIPNet4().IP,
 Allow: true,
 })
+ rules = append(rules, models.FwRule{
+ SrcIp: extclient.StaticNode.AddressIPNet4().IP,
+ DstIP: userNodeI.StaticNode.AddressIPNet4().IP,
+ Allow: true,
+ })
 }
 if userNodeI.StaticNode.Address6 != "" {
 rules = append(rules, models.FwRule{
@@ -435,6 +440,11 @@ func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
 DstIP: extclient.StaticNode.AddressIPNet6().IP,
 Allow: true,
 })
+ rules = append(rules, models.FwRule{
+ SrcIp: extclient.StaticNode.AddressIPNet6().IP,
+ DstIP: userNodeI.StaticNode.AddressIPNet6().IP,
+ Allow: true,
+ })
 }
 }
 }
@@ -442,17 +452,22 @@ func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
 for _, extclientI := range extclients {
 for _, extclient := range extclients {
+ if extclient.StaticNode.ClientID == extclientI.StaticNode.ClientID {
+ continue
+ }
 if IsNodeAllowedToCommunicate(extclientI, extclient) {
 if extclientI.StaticNode.Address != "" {
 rules = append(rules, models.FwRule{
 SrcIp: extclientI.StaticNode.AddressIPNet4().IP,
 DstIP: extclient.StaticNode.AddressIPNet4().IP,
+ Allow: true,
 })
 }
 if extclientI.StaticNode.Address6 != "" {
 rules = append(rules, models.FwRule{
 SrcIp: extclientI.StaticNode.AddressIPNet6().IP,
 DstIP: extclient.StaticNode.AddressIPNet6().IP,
+ Allow: true,
 })
 }
 }
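Review bot: The added reverse rule (`SrcIp: extclient…, DstIP: userNodeI…, Allow: true`) is emitted unconditionally next to the existing userNodeI→extclient allow, so every user-node-to-client permission now also permits traffic initiated by the client toward the user node; if the policy evaluated for this pair is meant to be directional this widens what the ACL granted, and if the gateway firewall is stateless it is the intended return-path allowance — the hunk does not say which. The IPv6 counterpart in the next hunk has the same question. A comment on the new append would record the intent, e.g. `// reverse rule: allow return traffic from the client to the user node (the pair's policy is treated as bidirectional here)`. The conditional enclosing this block starts outside the hunk, so whether extclient's IPv4 address is checked before `AddressIPNet4()` is used is not visible here.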