gravitl/netmaker
1
1
Fork 0
mirror of https://github.com/gravitl/netmaker.git synced 2025-09-11 23:54:22 +08:00
Code Issues Projects Releases Packages Wiki Activity

fix extclient comms to gws

Browse source
This commit is contained in:
abhishek9686 2025-03-05 23:06:38 +04:00
parent e22519c07e
commit 984db44c78
4 changed files with 51 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

38
logic/acls.go
View file

@ -915,7 +915,7 @@ func IsNodeAllowedToCommunicateV1(node, peer models.Node, checkDefaultPolicy boo
for tagID := range nodeTags { for tagID := range nodeTags {
if _, ok := dstMap[tagID.String()]; ok { if _, ok := dstMap[tagID.String()]; ok || dstAll {
if srcAll { if srcAll {
allowed = true allowed = true
break break
@ -931,7 +931,7 @@ func IsNodeAllowedToCommunicateV1(node, peer models.Node, checkDefaultPolicy boo
allowedPolicies = append(allowedPolicies, policy) allowedPolicies = append(allowedPolicies, policy)
break break
} }
if _, ok := srcMap[tagID.String()]; ok { if _, ok := srcMap[tagID.String()]; ok || srcAll {
if dstAll { if dstAll {
allowed = true allowed = true
break break
@ -953,7 +953,7 @@ func IsNodeAllowedToCommunicateV1(node, peer models.Node, checkDefaultPolicy boo
} }
} }
for tagID := range peerTags { for tagID := range peerTags {
if _, ok := dstMap[tagID.String()]; ok { if _, ok := dstMap[tagID.String()]; ok || dstAll {
if srcAll { if srcAll {
allowed = true allowed = true
break break
@ -1051,7 +1051,7 @@ func IsNodeAllowedToCommunicate(node, peer models.Node, checkDefaultPolicy bool)
} }
for tagID := range nodeTags { for tagID := range nodeTags {
allowed := false allowed := false
if _, ok := dstMap[tagID.String()]; policy.AllowedDirection == models.TrafficDirectionBi && ok { if _, ok := dstMap[tagID.String()]; policy.AllowedDirection == models.TrafficDirectionBi && ok || dstAll {
if srcAll { if srcAll {
allowed = true allowed = true
allowedPolicies = append(allowedPolicies, policy) allowedPolicies = append(allowedPolicies, policy)
@ -1068,7 +1068,7 @@ func IsNodeAllowedToCommunicate(node, peer models.Node, checkDefaultPolicy bool)
allowedPolicies = append(allowedPolicies, policy) allowedPolicies = append(allowedPolicies, policy)
break break
} }
if _, ok := srcMap[tagID.String()]; ok { if _, ok := srcMap[tagID.String()]; ok || srcAll {
if dstAll { if dstAll {
allowed = true allowed = true
allowedPolicies = append(allowedPolicies, policy) allowedPolicies = append(allowedPolicies, policy)
@ -1088,7 +1088,7 @@ func IsNodeAllowedToCommunicate(node, peer models.Node, checkDefaultPolicy bool)
} }
for tagID := range peerTags { for tagID := range peerTags {
allowed := false allowed := false
if _, ok := dstMap[tagID.String()]; ok { if _, ok := dstMap[tagID.String()]; ok || dstAll {
if srcAll { if srcAll {
allowed = true allowed = true
allowedPolicies = append(allowedPolicies, policy) allowedPolicies = append(allowedPolicies, policy)
@ -1096,7 +1096,7 @@ func IsNodeAllowedToCommunicate(node, peer models.Node, checkDefaultPolicy bool)
} }
for tagID := range nodeTags { for tagID := range nodeTags {
if _, ok := srcMap[tagID.String()]; ok { if _, ok := srcMap[tagID.String()]; ok || srcAll {
allowed = true allowed = true
break break
} }
@ -1107,7 +1107,7 @@ func IsNodeAllowedToCommunicate(node, peer models.Node, checkDefaultPolicy bool)
break break
} }
if _, ok := srcMap[tagID.String()]; policy.AllowedDirection == models.TrafficDirectionBi && ok { if _, ok := srcMap[tagID.String()]; policy.AllowedDirection == models.TrafficDirectionBi && ok || srcAll {
if dstAll { if dstAll {
allowed = true allowed = true
allowedPolicies = append(allowedPolicies, policy) allowedPolicies = append(allowedPolicies, policy)
@ -1346,6 +1346,8 @@ func GetAclRulesForNode(targetnodeI *models.Node) (rules map[string]models.AclRu
} }
srcTags := convAclTagToValueMap(acl.Src) srcTags := convAclTagToValueMap(acl.Src)
dstTags := convAclTagToValueMap(acl.Dst) dstTags := convAclTagToValueMap(acl.Dst)
_, srcAll := srcTags["*"]
_, dstAll := dstTags["*"]
aclRule := models.AclRule{ aclRule := models.AclRule{
ID: acl.ID, ID: acl.ID,
AllowedProtocol: acl.Proto, AllowedProtocol: acl.Proto,
@ -1358,16 +1360,16 @@ func GetAclRulesForNode(targetnodeI *models.Node) (rules map[string]models.AclRu
var existsInSrcTag bool var existsInSrcTag bool
var existsInDstTag bool var existsInDstTag bool
if _, ok := srcTags[nodeTag.String()]; ok { if _, ok := srcTags[nodeTag.String()]; ok || srcAll {
existsInSrcTag = true existsInSrcTag = true
} }
if _, ok := srcTags[targetnode.ID.String()]; ok { if _, ok := srcTags[targetnode.ID.String()]; ok || srcAll {
existsInSrcTag = true existsInSrcTag = true
} }
if _, ok := dstTags[nodeTag.String()]; ok { if _, ok := dstTags[nodeTag.String()]; ok || dstAll {
existsInDstTag = true existsInDstTag = true
} }
if _, ok := dstTags[targetnode.ID.String()]; ok { if _, ok := dstTags[targetnode.ID.String()]; ok || dstAll {
existsInDstTag = true existsInDstTag = true
} }
@ -1390,6 +1392,9 @@ func GetAclRulesForNode(targetnodeI *models.Node) (rules map[string]models.AclRu
if node.ID == targetnode.ID { if node.ID == targetnode.ID {
continue continue
} }
if node.IsStatic && node.StaticNode.IngressGatewayID == targetnode.ID.String() {
continue
}
if node.Address.IP != nil { if node.Address.IP != nil {
aclRule.IPList = append(aclRule.IPList, node.AddressIPNet4()) aclRule.IPList = append(aclRule.IPList, node.AddressIPNet4())
} }
@ -1423,6 +1428,9 @@ func GetAclRulesForNode(targetnodeI *models.Node) (rules map[string]models.AclRu
if node.ID == targetnode.ID { if node.ID == targetnode.ID {
continue continue
} }
if node.IsStatic && node.StaticNode.IngressGatewayID == targetnode.ID.String() {
continue
}
if node.Address.IP != nil { if node.Address.IP != nil {
aclRule.IPList = append(aclRule.IPList, node.AddressIPNet4()) aclRule.IPList = append(aclRule.IPList, node.AddressIPNet4())
} }
@ -1462,6 +1470,9 @@ func GetAclRulesForNode(targetnodeI *models.Node) (rules map[string]models.AclRu
if node.ID == targetnode.ID { if node.ID == targetnode.ID {
continue continue
} }
if node.IsStatic && node.StaticNode.IngressGatewayID == targetnode.ID.String() {
continue
}
if node.Address.IP != nil { if node.Address.IP != nil {
aclRule.IPList = append(aclRule.IPList, node.AddressIPNet4()) aclRule.IPList = append(aclRule.IPList, node.AddressIPNet4())
} }
@ -1490,6 +1501,9 @@ func GetAclRulesForNode(targetnodeI *models.Node) (rules map[string]models.AclRu
if node.ID == targetnode.ID { if node.ID == targetnode.ID {
continue continue
} }
if node.IsStatic && node.StaticNode.IngressGatewayID == targetnode.ID.String() {
continue
}
if node.Address.IP != nil { if node.Address.IP != nil {
aclRule.IPList = append(aclRule.IPList, node.AddressIPNet4()) aclRule.IPList = append(aclRule.IPList, node.AddressIPNet4())
} }

13
logic/extpeers.go
View file

@ -458,6 +458,7 @@ func GetStaticNodeIps(node models.Node) (ips []net.IP) {
func getFwRulesForNodeAndPeerOnGw(node, peer models.Node, allowedPolicies []models.Acl) (rules []models.FwRule) { func getFwRulesForNodeAndPeerOnGw(node, peer models.Node, allowedPolicies []models.Acl) (rules []models.FwRule) {
for _, policy := range allowedPolicies { for _, policy := range allowedPolicies {
// if static peer dst rule not for ingress node -> skip
rules = append(rules, models.FwRule{ rules = append(rules, models.FwRule{
SrcIP: net.IPNet{ SrcIP: net.IPNet{
IP: node.Address.IP, IP: node.Address.IP,
@ -677,13 +678,19 @@ func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
if !nodeI.IsStatic || nodeI.IsUserNode { if !nodeI.IsStatic || nodeI.IsUserNode {
continue continue
} }
if nodeI.StaticNode.IngressGatewayID != node.ID.String() { // if nodeI.StaticNode.IngressGatewayID != node.ID.String() {
continue // continue
} // }
for _, peer := range nodes { for _, peer := range nodes {
if peer.StaticNode.ClientID == nodeI.StaticNode.ClientID || peer.IsUserNode { if peer.StaticNode.ClientID == nodeI.StaticNode.ClientID || peer.IsUserNode {
continue continue
} }
// if nodeI.StaticNode.IngressGatewayID != node.ID.String() && !peer.IsGw {
// continue
// }
// if peer.IsStatic && peer.StaticNode.IngressGatewayID !=node.ID.String(){
// }
if ok, allowedPolicies := IsNodeAllowedToCommunicateV1(nodeI.StaticNode.ConvertToStaticNode(), peer, true); ok { if ok, allowedPolicies := IsNodeAllowedToCommunicateV1(nodeI.StaticNode.ConvertToStaticNode(), peer, true); ok {
rules = append(rules, getFwRulesForNodeAndPeerOnGw(nodeI.StaticNode.ConvertToStaticNode(), peer, allowedPolicies)...) rules = append(rules, getFwRulesForNodeAndPeerOnGw(nodeI.StaticNode.ConvertToStaticNode(), peer, allowedPolicies)...)
} }

18
logic/nodes.go
View file

@ -836,12 +836,12 @@ func GetTagMapWithNodesByNetwork(netID models.NetworkID, withStaticNodes bool) (
tagNodesMap = make(map[models.TagID][]models.Node) tagNodesMap = make(map[models.TagID][]models.Node)
nodes, _ := GetNetworkNodes(netID.String()) nodes, _ := GetNetworkNodes(netID.String())
for _, nodeI := range nodes { for _, nodeI := range nodes {
if nodeI.Tags == nil {
continue
}
tagNodesMap[models.TagID(nodeI.ID.String())] = []models.Node{ tagNodesMap[models.TagID(nodeI.ID.String())] = []models.Node{
nodeI, nodeI,
} }
if nodeI.Tags == nil {
continue
}
for nodeTagID := range nodeI.Tags { for nodeTagID := range nodeI.Tags {
tagNodesMap[nodeTagID] = append(tagNodesMap[nodeTagID], nodeI) tagNodesMap[nodeTagID] = append(tagNodesMap[nodeTagID], nodeI)
} }
@ -860,7 +860,7 @@ func AddTagMapWithStaticNodes(netID models.NetworkID,
return tagNodesMap return tagNodesMap
} }
for _, extclient := range extclients { for _, extclient := range extclients {
if extclient.Tags == nil || extclient.RemoteAccessClientID != "" { if extclient.RemoteAccessClientID != "" {
continue continue
} }
tagNodesMap[models.TagID(extclient.ClientID)] = []models.Node{ tagNodesMap[models.TagID(extclient.ClientID)] = []models.Node{
@ -869,6 +869,10 @@ func AddTagMapWithStaticNodes(netID models.NetworkID,
StaticNode: extclient, StaticNode: extclient,
}, },
} }
if extclient.Tags == nil {
continue
}
for tagID := range extclient.Tags { for tagID := range extclient.Tags {
tagNodesMap[tagID] = append(tagNodesMap[tagID], models.Node{ tagNodesMap[tagID] = append(tagNodesMap[tagID], models.Node{
IsStatic: true, IsStatic: true,
@ -891,6 +895,12 @@ func AddTagMapWithStaticNodesWithUsers(netID models.NetworkID,
return tagNodesMap return tagNodesMap
} }
for _, extclient := range extclients { for _, extclient := range extclients {
tagNodesMap[models.TagID(extclient.ClientID)] = []models.Node{
{
IsStatic: true,
StaticNode: extclient,
},
}
if extclient.Tags == nil { if extclient.Tags == nil {
continue continue
} }

2
scripts/nm-quick.sh
View file

@ -253,7 +253,7 @@ save_config() { (
fi fi
# copy entries from the previous config # copy entries from the previous config
local toCopy=("SERVER_HOST" "SERVER_HOST6" "MASTER_KEY" "MQ_USERNAME" "MQ_PASSWORD" "LICENSE_KEY" "NETMAKER_TENANT_ID" local toCopy=("SERVER_HOST" "SERVER_HOST6" "MASTER_KEY" "MQ_USERNAME" "MQ_PASSWORD" "LICENSE_KEY" "NETMAKER_TENANT_ID"
"INSTALL_TYPE" "NODE_ID" "DNS_MODE" "NETCLIENT_AUTO_UPDATE" "API_PORT" "INSTALL_TYPE" "NODE_ID" "DNS_MODE" "NETCLIENT_AUTO_UPDATE" "API_PORT" "MANAGE_DNS" "DEFAULT_DOMAIN"
"CORS_ALLOWED_ORIGIN" "DISPLAY_KEYS" "DATABASE" "SERVER_BROKER_ENDPOINT" "VERBOSITY" "CORS_ALLOWED_ORIGIN" "DISPLAY_KEYS" "DATABASE" "SERVER_BROKER_ENDPOINT" "VERBOSITY"
"DEBUG_MODE" "REST_BACKEND" "DISABLE_REMOTE_IP_CHECK" "TELEMETRY" "ALLOWED_EMAIL_DOMAINS" "AUTH_PROVIDER" "CLIENT_ID" "CLIENT_SECRET" "DEBUG_MODE" "REST_BACKEND" "DISABLE_REMOTE_IP_CHECK" "TELEMETRY" "ALLOWED_EMAIL_DOMAINS" "AUTH_PROVIDER" "CLIENT_ID" "CLIENT_SECRET"
"FRONTEND_URL" "AZURE_TENANT" "OIDC_ISSUER" "EXPORTER_API_PORT" "JWT_VALIDITY_DURATION" "RAC_AUTO_DISABLE" "CACHING_ENABLED" "ENDPOINT_DETECTION" "FRONTEND_URL" "AZURE_TENANT" "OIDC_ISSUER" "EXPORTER_API_PORT" "JWT_VALIDITY_DURATION" "RAC_AUTO_DISABLE" "CACHING_ENABLED" "ENDPOINT_DETECTION"