freebsd post up/post down logic

This commit is contained in:
Matthew R. Kasun 2022-08-25 06:40:37 -04:00
parent a69c12520d
commit a0c8795d38
2 changed files with 37 additions and 5 deletions


@ -56,6 +56,7 @@ func CreateEgressGateway(gateway models.EgressGatewayRequest) (models.Node, erro
}
}
if node.OS == "freebsd" {
// spacing around ; is important for later parsing of postup/postdown in wireguard/common.go
postUpCmd = "kldload ipfw ipfw_nat ; "
postUpCmd += "ipfw disable one_pass ; "
postUpCmd += "ipfw nat 1 config if " + gateway.Interface + " same_ports unreg_only reset ; "
@ -285,6 +286,7 @@ func DeleteGatewayExtClients(gatewayID string, networkName string) error {
// firewallNFTCommandsCreateIngress - used to centralize firewall command maintenance for creating an ingress gateway using the nftables firewall.
func firewallNFTCommandsCreateIngress(networkInterface string) (string, string) {
// spacing around ; is important for later parsing of postup/postdown in wireguard/common.go
postUp := "nft add table ip filter ; "
postUp += "nft add chain ip filter FORWARD ; "
postUp += "nft add rule ip filter FORWARD iifname " + networkInterface + " counter accept ; "
@ -302,6 +304,7 @@ func firewallNFTCommandsCreateIngress(networkInterface string) (string, string)
// firewallNFTCommandsCreateEgress - used to centralize firewall command maintenance for creating an egress gateway using the nftables firewall.
func firewallNFTCommandsCreateEgress(networkInterface string, gatewayInterface string, egressNatEnabled string) (string, string) {
// spacing around ; is important for later parsing of postup/postdown in wireguard/common.go
postUp := "nft add table ip filter ; "
postUp += "nft add chain ip filter FORWARD ; "
postUp += "nft add rule ip filter FORWARD iifname " + networkInterface + " counter accept ; "
@ -322,6 +325,7 @@ func firewallNFTCommandsCreateEgress(networkInterface string, gatewayInterface s
// firewallIPTablesCommandsCreateIngress - used to centralize firewall command maintenance for creating an ingress gateway using the iptables firewall.
func firewallIPTablesCommandsCreateIngress(networkInterface string) (string, string) {
// spacing around ; is important for later parsing of postup/postdown in wireguard/common.go
postUp := "iptables -A FORWARD -i " + networkInterface + " -j ACCEPT ; "
postUp += "iptables -A FORWARD -o " + networkInterface + " -j ACCEPT ; "
postUp += "iptables -t nat -A POSTROUTING -o " + networkInterface + " -j MASQUERADE"
@ -336,7 +340,7 @@ func firewallIPTablesCommandsCreateIngress(networkInterface string) (string, str
// firewallIPTablesCommandsCreateEgress - used to centralize firewall command maintenance for creating an egress gateway using the iptables firewall.
func firewallIPTablesCommandsCreateEgress(networkInterface string, gatewayInterface string, egressNatEnabled string) (string, string) {
// spacing around ; is important for later parsing of postup/postdown in wireguard/common.go
postUp := "iptables -A FORWARD -i " + networkInterface + " -j ACCEPT; "
postUp += "iptables -A FORWARD -o " + networkInterface + " -j ACCEPT"
postDown := "iptables -D FORWARD -i " + networkInterface + " -j ACCEPT; "
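Review bot: The iptables egress strings in the last hunk build their commands with `ACCEPT; ` (no space before the semicolon), which contradicts the comment this commit adds directly above them and differs from every other generator touched here (the freebsd, nftables and iptables-ingress hunks all end their pieces in ` ; `); a consumer that splits on ` ; ` will therefore keep both iptables FORWARD rules glued into a single PostUp/PostDown entry. Whether those two lines are context or were rewritten cannot be told on this page since the +/- markers are lost, but as they stand they should read `postUp := "iptables -A FORWARD -i " + networkInterface + " -j ACCEPT ; "` and `postDown := "iptables -D FORWARD -i " + networkInterface + " -j ACCEPT ; "`. The hunk appears truncated on this page and firewallIPTablesCommandsCreateEgress continues outside it, so the remaining postUp/postDown pieces of that function should be checked for the same spacing.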


@ -341,11 +341,24 @@ func WriteWgConfig(node *models.Node, privateKey string, peers []wgtypes.PeerCon
//if node.DNSOn == "yes" {
// wireguard.Section(section_interface).Key("DNS").SetValue(cfg.Server.CoreDNSAddr)
//}
//need to split postup/postdown because ini lib adds a ` and the ` breaks freebsd
if node.PostUp != "" {
wireguard.Section(section_interface).Key("PostUp").SetValue(node.PostUp)
parts := strings.Split(node.PostUp, " ; ")
for i, part := range parts {
if i == 0 {
wireguard.Section(section_interface).Key("PostUp").SetValue(part)
}
wireguard.Section(section_interface).Key("PostUp").AddShadow(part)
}
}
if node.PostDown != "" {
wireguard.Section(section_interface).Key("PostDown").SetValue(node.PostDown)
parts := strings.Split(node.PostDown, " ; ")
for i, part := range parts {
if i == 0 {
wireguard.Section(section_interface).Key("PostDown").SetValue(part)
}
wireguard.Section(section_interface).Key("PostDown").AddShadow(part)
}
}
if node.MTU != 0 {
wireguard.Section(section_interface).Key("MTU").SetValue(strconv.FormatInt(int64(node.MTU), 10))
@ -427,6 +440,7 @@ func UpdateWgPeers(file string, peers []wgtypes.PeerConfig) (*net.UDPAddr, error
// UpdateWgInterface - updates the interface section of a wireguard config file
func UpdateWgInterface(file, privateKey, nameserver string, node models.Node) error {
log.Println("updating conf file ", file, nameserver, node.Name)
options := ini.LoadOptions{
AllowNonUniqueSections: true,
AllowShadows: true,
@ -451,11 +465,25 @@ func UpdateWgInterface(file, privateKey, nameserver string, node models.Node) er
//if node.DNSOn == "yes" {
// wireguard.Section(section_interface).Key("DNS").SetValue(nameserver)
//}
//need to split postup/postdown because ini lib adds a quotes which breaks freebsd
if node.PostUp != "" {
wireguard.Section(section_interface).Key("PostUp").SetValue(node.PostUp)
log.Println("updating PostUp")
parts := strings.Split(node.PostUp, " ; ")
for i, part := range parts {
if i == 0 {
wireguard.Section(section_interface).Key("PostUp").SetValue(part)
}
wireguard.Section(section_interface).Key("PostUp").AddShadow(part)
}
}
if node.PostDown != "" {
wireguard.Section(section_interface).Key("PostDown").SetValue(node.PostDown)
parts := strings.Split(node.PostDown, ";")
for i, part := range parts {
if i == 0 {
wireguard.Section(section_interface).Key("PostDown").SetValue(part)
}
wireguard.Section(section_interface).Key("PostDown").AddShadow(part)
}
}
if node.MTU != 0 {
wireguard.Section(section_interface).Key("MTU").SetValue(strconv.FormatInt(int64(node.MTU), 10))
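Review bot: The PostDown branch of UpdateWgInterface splits on a bare `";"` while the other three new loops (PostUp/PostDown in WriteWgConfig and PostUp in UpdateWgInterface) split on `" ; "`, which is the separator the generators in the first file are documented to emit; with the bare form every piece after the first keeps a leading space and the last keeps a trailing one, so the PostDown entries come out differently from the PostUp ones. It should read `parts := strings.Split(node.PostDown, " ; ")`. In all four loops the `i == 0` branch calls SetValue and then still falls through to AddShadow with the same part, so the first command is also offered as a shadow and only a deduplicating ini library keeps it from appearing twice; AddShadow's returned error is discarded in every loop, which would hide a failure when shadows are not enabled on the loaded file (the LoadOptions used by WriteWgConfig are outside this hunk). A generator string that ends in the separator, as the freebsd pieces in the first file do, also yields an empty trailing part that is written as an empty PostUp/PostDown entry. The loop below, shown for PostUp in UpdateWgInterface, covers all three points; WriteWgConfig's return type is outside the hunk, so the `return err` needs confirming there.
```go
if node.PostUp != "" {
	key := wireguard.Section(section_interface).Key("PostUp")
	first := true
	for _, part := range strings.Split(node.PostUp, " ; ") {
		part = strings.TrimSpace(part)
		if part == "" {
			continue // empty piece from a leading or trailing separator
		}
		if first {
			key.SetValue(part)
			first = false
			continue
		}
		if err := key.AddShadow(part); err != nil {
			return err
		}
	}
}
// … unchanged: PostDown block, same shape with " ; " as the separator …
```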