From 8f370a74a9957eba785061d0d2fec0c0417a4c9b Mon Sep 17 00:00:00 2001
From: abhishek9686
Date: Thu, 6 Mar 2025 19:01:53 +0400
Subject: [PATCH] fix ipv6 addr rules on gw node
---
 logic/extpeers.go | 84 +++++++++++++++++++++++++++++++++--------------
 1 file changed, 60 insertions(+), 24 deletions(-)
diff --git a/logic/extpeers.go b/logic/extpeers.go
index 1d969700..1656fddb 100644
--- a/logic/extpeers.go
+++ b/logic/extpeers.go
@@ -459,27 +459,14 @@ func getFwRulesForNodeAndPeerOnGw(node, peer models.Node, allowedPolicies []mode
 for _, policy := range allowedPolicies {
 // if static peer dst rule not for ingress node -> skip
- rules = append(rules, models.FwRule{
- SrcIP: net.IPNet{
- IP: node.Address.IP,
- Mask: net.CIDRMask(32, 32),
- },
- DstIP: net.IPNet{
- IP: peer.Address.IP,
- Mask: net.CIDRMask(32, 32),
- },
- AllowedProtocol: policy.Proto,
- AllowedPorts: policy.Port,
- Allow: true,
- })
- if policy.AllowedDirection == models.TrafficDirectionBi {
+ if node.Address.IP != nil {
 rules = append(rules, models.FwRule{
 SrcIP: net.IPNet{
- IP: peer.Address.IP,
+ IP: node.Address.IP,
 Mask: net.CIDRMask(32, 32),
 },
 DstIP: net.IPNet{
- IP: node.Address.IP,
+ IP: peer.Address.IP,
 Mask: net.CIDRMask(32, 32),
 },
 AllowedProtocol: policy.Proto,
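Review bot: The new guard `if node.Address.IP != nil {` checks only the node's side, while the rule it emits uses `peer.Address.IP` as DstIP, so a peer with no IPv4 address still yields a rule whose destination is a nil IP under a /32 mask; the same one-sided check recurs in the next hunk for the Address6 block and both TrafficDirectionBi blocks, where `peer.Address6.IP` (or `peer.Address.IP`) is the unchecked endpoint. How the consumer renders a `net.IPNet` with a nil IP is not visible here, but a rule with an empty endpoint is at best rejected and at worst broader than the policy intends, so it should not be generated at all. Guard both endpoints: `if node.Address.IP != nil && peer.Address.IP != nil {` here, and `if node.Address6.IP != nil && peer.Address6.IP != nil {` for the v6 blocks. The body of getFwRulesForNodeAndPeerOnGw starts and ends outside this hunk.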
@@ -487,13 +474,62 @@ func getFwRulesForNodeAndPeerOnGw(node, peer models.Node, allowedPolicies []mode
 Allow: true,
 })
 }
+
+ if node.Address6.IP != nil {
+ rules = append(rules, models.FwRule{
+ SrcIP: net.IPNet{
+ IP: node.Address6.IP,
+ Mask: net.CIDRMask(128, 128),
+ },
+ DstIP: net.IPNet{
+ IP: peer.Address6.IP,
+ Mask: net.CIDRMask(128, 128),
+ },
+ AllowedProtocol: policy.Proto,
+ AllowedPorts: policy.Port,
+ Allow: true,
+ })
+ }
+ if policy.AllowedDirection == models.TrafficDirectionBi {
+ if node.Address.IP != nil {
+ rules = append(rules, models.FwRule{
+ SrcIP: net.IPNet{
+ IP: peer.Address.IP,
+ Mask: net.CIDRMask(32, 32),
+ },
+ DstIP: net.IPNet{
+ IP: node.Address.IP,
+ Mask: net.CIDRMask(32, 32),
+ },
+ AllowedProtocol: policy.Proto,
+ AllowedPorts: policy.Port,
+ Allow: true,
+ })
+ }
+
+ if node.Address6.IP != nil {
+ rules = append(rules, models.FwRule{
+ SrcIP: net.IPNet{
+ IP: peer.Address6.IP,
+ Mask: net.CIDRMask(128, 128),
+ },
+ DstIP: net.IPNet{
+ IP: node.Address6.IP,
+ Mask: net.CIDRMask(128, 128),
+ },
+ AllowedProtocol: policy.Proto,
+ AllowedPorts: policy.Port,
+ Allow: true,
+ })
+ }
+ }
 if len(node.StaticNode.ExtraAllowedIPs) > 0 {
 for _, additionalAllowedIPNet := range node.StaticNode.ExtraAllowedIPs {
 _, ipNet, err := net.ParseCIDR(additionalAllowedIPNet)
 if err != nil {
 continue
 }
- if ipNet.IP.To4() != nil {
+ if ipNet.IP.To4() != nil && peer.Address.IP != nil {
 rules = append(rules, models.FwRule{
 SrcIP: net.IPNet{
 IP: peer.Address.IP,
@@ -502,11 +538,11 @@ func getFwRulesForNodeAndPeerOnGw(node, peer models.Node, allowedPolicies []mode
 DstIP: *ipNet,
 Allow: true,
 })
- } else {
+ } else if peer.Address6.IP != nil {
 rules = append(rules, models.FwRule{
 SrcIP: net.IPNet{
- IP: peer.Address.IP,
- Mask: net.CIDRMask(32, 32),
+ IP: peer.Address6.IP,
+ Mask: net.CIDRMask(128, 128),
 },
 DstIP: *ipNet,
 Allow: true,
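Review bot: In the ExtraAllowedIPs loop the address-family decision and the nil check are folded into one condition, `if ipNet.IP.To4() != nil && peer.Address.IP != nil {` (end of the `@@ -487,13 +474,62 @@` hunk), so an IPv4 CIDR on a peer that has no IPv4 address falls through to `} else if peer.Address6.IP != nil {` in the `@@ -502,11 +538,11 @@` hunk and produces a rule with a /128 IPv6 SrcIP and an IPv4 DstIP; the two hunks that follow (`@@ -522,7` and `@@ -531,11`) have the same shape with `node.Address.IP` / `node.Address6.IP`. What the rule consumer does with a cross-family rule is not visible here, but it is never the rule the policy describes and should not be emitted. Keep the family test on its own: `if ipNet.IP.To4() != nil {` then `if peer.Address.IP != nil {` around the v4 append, closed by its own `}` before the `} else if peer.Address6.IP != nil {`, so a v4 CIDR with no v4 peer address yields no rule rather than a mixed one. The loop body and the enclosing function continue outside these hunks.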
@@ -522,7 +558,7 @@ func getFwRulesForNodeAndPeerOnGw(node, peer models.Node, allowedPolicies []mode
 if err != nil {
 continue
 }
- if ipNet.IP.To4() != nil {
+ if ipNet.IP.To4() != nil && node.Address.IP != nil {
 rules = append(rules, models.FwRule{
 SrcIP: net.IPNet{
 IP: node.Address.IP,
@@ -531,11 +567,11 @@ func getFwRulesForNodeAndPeerOnGw(node, peer models.Node, allowedPolicies []mode
 DstIP: *ipNet,
 Allow: true,
 })
- } else {
+ } else if node.Address6.IP != nil {
 rules = append(rules, models.FwRule{
 SrcIP: net.IPNet{
- IP: node.Address.IP,
- Mask: net.CIDRMask(32, 32),
+ IP: node.Address6.IP,
+ Mask: net.CIDRMask(128, 128),
 },
 DstIP: *ipNet,
 Allow: true,