From 9d365c9c281dacb1cfc6069347e3914e877dc7c8 Mon Sep 17 00:00:00 2001
From: 0xdcarns
Date: Fri, 22 Apr 2022 16:15:40 -0400
Subject: [PATCH] changes to allowedip parsing to handle ipv6 better
---
 logic/server.go | 87 +++++++++++++++++++++------------
 netclient/ncutils/peerhelper.go | 1 +
 netclient/wireguard/common.go | 1 -
 3 files changed, 56 insertions(+), 33 deletions(-)
diff --git a/logic/server.go b/logic/server.go
index 7c38ce83..3e1b03ea 100644
--- a/logic/server.go
+++ b/logic/server.go
@@ -16,6 +16,7 @@ import (
 "github.com/gravitl/netmaker/models"
 "github.com/gravitl/netmaker/netclient/ncutils"
 "github.com/gravitl/netmaker/servercfg"
+ "github.com/seancfoley/ipaddress-go/ipaddr"
 "golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
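Review bot: The added import of `github.com/seancfoley/ipaddress-go/ipaddr` is the only supply-chain change in this patch, and the diffstat above lists no `go.mod` or `go.sum` update, so unless the module is already required elsewhere in the repository the build will neither resolve nor pin it; the matching `go.mod`/`go.sum` entries (version and hash) belong in the same commit. It would also help to say in the description why the standard library was not enough: the new code in this file only calls `IsIPv4()`, `IsIPv6()` and `GetNetIP()` on the parsed value, and `net.ParseCIDR`/`net.ParseIP` with `ip.To4() != nil` cover that without a new dependency.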
@@ -237,24 +238,47 @@ func GetServerPeers(serverNode *models.Node) ([]wgtypes.PeerConfig, bool, []stri
 }
 var peer wgtypes.PeerConfig
- var peeraddr = net.IPNet{
- IP: net.ParseIP(node.Address),
- Mask: net.CIDRMask(32, 32),
+ var allowedips = []net.IPNet{}
+ if node.Address != "" {
+ var peeraddr = net.IPNet{
+ IP: net.ParseIP(node.Address),
+ Mask: net.CIDRMask(32, 32),
+ }
+ if peeraddr.IP != nil && peeraddr.Mask != nil {
+ allowedips = append(allowedips, peeraddr)
+ }
 }
- var allowedips = []net.IPNet{
- peeraddr,
+
+ if node.Address6 != "" {
+ var addr6 = net.IPNet{
+ IP: net.ParseIP(node.Address6),
+ Mask: net.CIDRMask(128, 128),
+ }
+ if addr6.IP != nil && addr6.Mask != nil {
+ allowedips = append(allowedips, addr6)
+ }
 }
+ // handle manually set peers
 for _, allowedIp := range node.AllowedIPs {
- if _, ipnet, err := net.ParseCIDR(allowedIp); err == nil {
- nodeEndpointArr := strings.Split(node.Endpoint, ":")
- if !ipnet.Contains(net.IP(nodeEndpointArr[0])) && ipnet.IP.String() != node.Address { // don't need to add an allowed ip that already exists..
- allowedips = append(allowedips, *ipnet)
+ currentIP := ipaddr.NewIPAddressString(allowedIp).GetAddress()
+ if currentIP.IsIPv4() {
+ if _, ipnet, err := net.ParseCIDR(allowedIp); err == nil {
+ nodeEndpointArr := strings.Split(node.Endpoint, ":")
+ if !ipnet.Contains(net.IP(nodeEndpointArr[0])) && ipnet.IP.String() != node.Address { // don't need to add an allowed ip that already exists..
+ allowedips = append(allowedips, *ipnet)
+ }
+ } else if appendip := net.ParseIP(allowedIp); appendip != nil && allowedIp != node.Address {
+ ipnet := net.IPNet{
+ IP: net.ParseIP(allowedIp),
+ Mask: net.CIDRMask(32, 32),
+ }
+ allowedips = append(allowedips, ipnet)
 }
- } else if appendip := net.ParseIP(allowedIp); appendip != nil && allowedIp != node.Address {
+ } else if currentIP.IsIPv6() {
 ipnet := net.IPNet{
- IP: net.ParseIP(allowedIp),
- Mask: net.CIDRMask(32, 32),
+ IP: currentIP.GetNetIP(),
+ Mask: net.CIDRMask(128, 128),
 }
 allowedips = append(allowedips, ipnet)
 }
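Review bot: The IPv6 branch at the bottom of the hunk drops the prefix length of a manually configured entry — `IP: currentIP.GetNetIP()` with `Mask: net.CIDRMask(128, 128)` turns a configured `fd00::/64` into a single host route — and, unlike the IPv4 branch beside it, it never skips an entry that equals the node's own `Address6`; since the allowed-IPs set is what WireGuard uses to decide which source addresses a peer may use and where traffic is routed, silently narrowing it is a routing and policy change, so mirror the IPv4 path with `net.ParseCIDR` as sketched below. Two more things the new lines carry: `ipaddr.NewIPAddressString(allowedIp).GetAddress()` presumably yields nil for an unparseable `AllowedIPs` entry, so the following `IsIPv4()`/`IsIPv6()` calls rely on nil-receiver safety in that library — a `if currentIP == nil { continue }` guard would make the loop robust regardless; and `ipnet.Contains(net.IP(nodeEndpointArr[0]))` converts the endpoint string's bytes into a `net.IP` instead of parsing it (the next hunk uses `net.ParseIP` for the same check), so that overlap test cannot match and should read `net.ParseIP(nodeEndpointArr[0])`. The enclosing loop and function continue outside the hunk.
```go
} else if currentIP.IsIPv6() {
	// keep the configured prefix length; do not collapse a range to a /128
	if _, ipnet, err := net.ParseCIDR(allowedIp); err == nil {
		if ipnet.IP.String() != node.Address6 {
			allowedips = append(allowedips, *ipnet)
		}
	} else if ip := net.ParseIP(allowedIp); ip != nil && allowedIp != node.Address6 {
		allowedips = append(allowedips, net.IPNet{IP: ip, Mask: net.CIDRMask(128, 128)})
	}
}
```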
@@ -269,31 +293,30 @@ func GetServerPeers(serverNode *models.Node) ([]wgtypes.PeerConfig, bool, []stri
 logger.Log(1, "could not parse gateway IP range. Not adding", iprange)
 continue // if can't parse CIDR
 }
- nodeEndpointArr := strings.Split(node.Endpoint, ":") // getting the public ip of node
- if ipnet.Contains(net.ParseIP(nodeEndpointArr[0])) { // ensuring egress gateway range does not contain public ip of node
- logger.Log(2, "egress IP range of", iprange, "overlaps with", node.Endpoint, ", omitting")
- continue // skip adding egress range if overlaps with node's ip
- }
- if ipnet.Contains(net.ParseIP(serverNode.LocalAddress)) { // ensuring egress gateway range does not contain public ip of node
- logger.Log(2, "egress IP range of", iprange, "overlaps with", serverNode.LocalAddress, ", omitting")
- continue // skip adding egress range if overlaps with node's local ip
- }
- gateways = append(gateways, iprange)
- if err != nil {
- logger.Log(1, "ERROR ENCOUNTERED SETTING GATEWAY:", err.Error())
- } else {
+ currentAddr := ipaddr.NewIPAddressString(ipnet.String()).GetAddress()
+ if currentAddr.IsIPv4() {
+ nodeEndpointArr := strings.Split(node.Endpoint, ":") // getting the public ip of node
+ if ipnet.Contains(net.ParseIP(nodeEndpointArr[0])) { // ensuring egress gateway range does not contain public ip of node
+ logger.Log(2, "egress IP range of", iprange, "overlaps with", node.Endpoint, ", omitting")
+ continue // skip adding egress range if overlaps with node's ip
+ }
+ if ipnet.Contains(net.ParseIP(serverNode.LocalAddress)) { // ensuring egress gateway range does not contain public ip of node
+ logger.Log(2, "egress IP range of", iprange, "overlaps with", serverNode.LocalAddress, ", omitting")
+ continue // skip adding egress range if overlaps with node's local ip
+ }
+ gateways = append(gateways, iprange)
+ if err != nil {
+ logger.Log(1, "ERROR ENCOUNTERED SETTING GATEWAY:", err.Error())
+ } else {
+ allowedips = append(allowedips, *ipnet)
+ }
+ } else if currentAddr.IsIPv6() {
 allowedips = append(allowedips, *ipnet)
 }
 }
 ranges = nil
 }
- if node.Address6 != "" {
- var addr6 = net.IPNet{
- IP: net.ParseIP(node.Address6),
- Mask: net.CIDRMask(128, 128),
- }
- allowedips = append(allowedips, addr6)
- }
+
 peer = wgtypes.PeerConfig{
 PublicKey: pubkey,
 PersistentKeepaliveInterval: &(keepalivedur),
diff --git a/netclient/ncutils/peerhelper.go b/netclient/ncutils/peerhelper.go
index 546d5a92..fd0c9da3 100644
--- a/netclient/ncutils/peerhelper.go
+++ b/netclient/ncutils/peerhelper.go
@@ -10,6 +10,7 @@ import (
 "golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
+// GetPeers - gets the peers from a given WireGuard interface
 func GetPeers(iface string) ([]wgtypes.Peer, error) {
 var peers []wgtypes.Peer
diff --git a/netclient/wireguard/common.go b/netclient/wireguard/common.go
index 987d1614..26ac629a 100644
--- a/netclient/wireguard/common.go
+++ b/netclient/wireguard/common.go
@@ -80,7 +80,6 @@ func SetPeers(iface string, node *models.Node, peers []wgtypes.PeerConfig) error
 _, err = ncutils.RunCmd("wg set "+iface+" peer "+peer.PublicKey.String()+
 " persistent-keepalive "+keepAliveString+
 " allowed-ips "+allowedips, true)
-
 } else {
 _, err = ncutils.RunCmd("wg set "+iface+" peer "+peer.PublicKey.String()+
 " endpoint "+udpendpoint+
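Review bot: The new `else if currentAddr.IsIPv6()` branch appends the egress range to `allowedips` but not to `gateways`, so an IPv6 egress range is pushed to peers yet never reported in the gateway list this function returns, and it also bypasses both overlap checks the IPv4 branch keeps; if skipping the checks for v6 is intended, say so in a comment, otherwise move `gateways = append(gateways, iprange)` out of the v4 branch and apply at least `if ipnet.Contains(net.ParseIP(serverNode.LocalAddress)) { continue }` to both families. `ipnet` here comes from a `net.ParseCIDR` that already succeeded (the `continue` at the top of the hunk handles the failure), so re-serialising it with `ipnet.String()` and re-parsing through `ipaddr` only to ask `IsIPv4()` can be replaced by `ipnet.IP.To4() != nil`, which also avoids calling methods on a possibly nil `GetAddress()` result. For the same reason the `if err != nil` retained inside the IPv4 branch can never be true at that point and the `else` around the append can be flattened. The enclosing loop over egress ranges starts outside the hunk.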