From c0f107b302ea008ad3f501a7ec253c1c6b4f12f9 Mon Sep 17 00:00:00 2001
From: abhishek9686
Date: Wed, 23 Oct 2024 14:15:13 +0400
Subject: [PATCH] remove userips usage, add allow all to fwupdate
---
 logic/acls.go | 3 +++
 logic/extpeers.go | 9 +++++----
 logic/peers.go | 24 ++++++++++++++----------
 models/mqtt.go | 2 +-
 pro/logic/failover.go | 2 +-
 5 files changed, 24 insertions(+), 16 deletions(-)
diff --git a/logic/acls.go b/logic/acls.go
index a17ea02d..fb7e34e9 100644
--- a/logic/acls.go
+++ b/logic/acls.go
@@ -457,6 +457,9 @@ func IsUserAllowedToCommunicate(userName string, peer models.Node) bool {
 continue
 }
 dstMap := convAclTagToValueMap(policy.Dst)
+ if _, ok := dstMap["*"]; ok {
+ return true
+ }
 for tagID := range peer.Tags {
 if _, ok := dstMap[tagID.String()]; ok {
 return true
diff --git a/logic/extpeers.go b/logic/extpeers.go
index 83c604fe..c1ada3b4 100644
--- a/logic/extpeers.go
+++ b/logic/extpeers.go
@@ -417,6 +417,7 @@ func GetStaticNodeIps(node models.Node) (ips []net.IP) {
 func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
 // fetch user access to static clients via policies + nodes, _ := GetNetworkNodes(node.Network)
 nodes = append(nodes, GetStaticNodesByNetwork(models.NetworkID(node.Network), true)...)
 userNodes := GetStaticUserNodesByNetwork(models.NetworkID(node.Network))
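Review bot: The wildcard check `if _, ok := dstMap["*"]; ok { return true }` short-circuits the per-tag loop on a bare string literal with no comment saying what it means, so a reader of IsUserAllowedToCommunicate has to already know that `"*"` is the any-destination marker. Suggest `// a "*" destination grants the user access to every peer in the network` directly above it, or a named constant if the project already defines one for the wildcard. Whether the policy's enabled state has been checked before this point depends on the `continue` above the hunk, whose condition and the rest of IsUserAllowedToCommunicate lie outside the hunk; that is worth confirming, because a disabled wildcard policy reaching this line would grant access unconditionally.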
@@ -521,18 +522,18 @@ func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
 return
 }
-func GetExtPeers(node, peer *models.Node) ([]wgtypes.PeerConfig, []models.IDandAddr, []models.EgressNetworkRoutes, []net.IP, error) {
+func GetExtPeers(node, peer *models.Node) ([]wgtypes.PeerConfig, []models.IDandAddr, []models.EgressNetworkRoutes, error) {
 var peers []wgtypes.PeerConfig
 var idsAndAddr []models.IDandAddr
 var egressRoutes []models.EgressNetworkRoutes
 var extUserIps []net.IP
 extPeers, err := GetNetworkExtClients(node.Network)
 if err != nil {
- return peers, idsAndAddr, egressRoutes, extUserIps, err
+ return peers, idsAndAddr, egressRoutes, err
 }
 host, err := GetHost(node.HostID.String())
 if err != nil {
- return peers, idsAndAddr, egressRoutes, extUserIps, err
+ return peers, idsAndAddr, egressRoutes, err
 }
 for _, extPeer := range extPeers {
 extPeer := extPeer
@@ -613,7 +614,7 @@ func GetExtPeers(node, peer *models.Node) ([]wgtypes.PeerConfig, []models.IDandA
 IsExtClient: true,
 })
 }
- return peers, idsAndAddr, egressRoutes, extUserIps, nil
+ return peers, idsAndAddr, egressRoutes, nil
 }
diff --git a/logic/peers.go b/logic/peers.go
index af72dcf8..fce82f9b 100644
--- a/logic/peers.go
+++ b/logic/peers.go
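Review bot: `var extUserIps []net.IP` survives the signature change even though it is no longer returned on any of the three visible return paths (the two in this hunk and the one in the -613 hunk). Since Go rejects a declared-but-unused local, it is presumably still appended to somewhere in the loop body outside the hunk, so the per-client user-IP collection still runs on every GetExtPeers call and its result is discarded. Drop the declaration together with whatever populates it, rather than leaving a dead accumulator that the next reader will take for meaningful state. GetExtPeers continues past the end of this hunk.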
@@ -288,19 +288,23 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 var extPeers []wgtypes.PeerConfig
 var extPeerIDAndAddrs []models.IDandAddr
 var egressRoutes []models.EgressNetworkRoutes
- var extUserIps []net.IP
 if node.IsIngressGateway {
 hostPeerUpdate.FwUpdate.IsIngressGw = true
- extPeers, extPeerIDAndAddrs, egressRoutes, extUserIps, err = GetExtPeers(&node, &node)
+ extPeers, extPeerIDAndAddrs, egressRoutes, err = GetExtPeers(&node, &node)
 if err == nil {
- hostPeerUpdate.FwUpdate.IngressInfo[node.ID.String()] = models.IngressInfo{
- IngressID: node.ID.String(),
- UserIps: extUserIps,
- Network: node.NetworkRange,
- Network6: node.NetworkRange6,
- Rules: GetFwRulesOnIngressGateway(node),
- StaticNodeIps: GetStaticNodeIps(node),
+ defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
+ defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
+ ingFwUpdate := models.IngressInfo{
+ IngressID: node.ID.String(),
+ Network: node.NetworkRange,
+ Network6: node.NetworkRange6,
+ AllowAll: defaultDevicePolicy.Enabled && defaultUserPolicy.Default,
 }
+ if !ingFwUpdate.AllowAll {
+ ingFwUpdate.StaticNodeIps = GetStaticNodeIps(node)
+ ingFwUpdate.Rules = GetFwRulesOnIngressGateway(node)
+ }
+ hostPeerUpdate.FwUpdate.IngressInfo[node.ID.String()] = ingFwUpdate
 hostPeerUpdate.EgressRoutes = append(hostPeerUpdate.EgressRoutes, egressRoutes...)
 hostPeerUpdate.Peers = append(hostPeerUpdate.Peers, extPeers...)
 for _, extPeerIdAndAddr := range extPeerIDAndAddrs {
@@ -432,7 +436,7 @@ func GetAllowedIPs(node, peer *models.Node, metrics *models.Metrics) []net.IPNet
 // handle ingress gateway peers
 if peer.IsIngressGateway {
- extPeers, _, _, _, err := GetExtPeers(peer, node)
+ extPeers, _, _, err := GetExtPeers(peer, node)
 if err != nil {
 logger.Log(2, "could not retrieve ext peers for ", peer.ID.String(), err.Error())
 }
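Review bot: `AllowAll: defaultDevicePolicy.Enabled && defaultUserPolicy.Default,` reads different fields of two values returned by the same GetDefaultPolicy call, and everything below it keys off that flag: when it is true, `Rules` and `StaticNodeIps` are never computed and the ingress gateway is told to allow all traffic. If `Default` marks a policy as the network's default rather than as enabled, which its name suggests, the user half of the condition is always satisfied and the gateway opens up whenever only the device default policy is enabled, even with the user default policy disabled. Unless that asymmetry is intentional it should read `AllowAll: defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled,`, with a comment stating that both network defaults must be enabled before per-client rules are dropped. The two GetDefaultPolicy errors are discarded with `_`; a lookup failure yields a zero-value policy and so AllowAll false, which fails closed, but a one-line comment saying that is the intended fallback would save the next reader the analysis. GetPeerUpdateForHost continues on both sides of the hunk.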
diff --git a/models/mqtt.go b/models/mqtt.go
index a27c36ec..3ff6043f 100644
--- a/models/mqtt.go
+++ b/models/mqtt.go
@@ -37,9 +37,9 @@ type IngressInfo struct {
 IngressID string `json:"ingress_id"`
 Network net.IPNet `json:"network"`
 Network6 net.IPNet `json:"network6"`
- UserIps []net.IP `json:"user_ips"`
 StaticNodeIps []net.IP `json:"static_node_ips"`
 Rules []FwRule `json:"rules"`
+ AllowAll bool `json:"allow_all"`
 }
 // EgressInfo - struct for egress info
diff --git a/pro/logic/failover.go b/pro/logic/failover.go
index f90173e5..788e09e0 100644
--- a/pro/logic/failover.go
+++ b/pro/logic/failover.go
@@ -148,7 +148,7 @@ func GetFailOverPeerIps(peer, node *models.Node) []net.IPNet {
 }
 // handle ingress gateway peers
 if failOverpeer.IsIngressGateway {
- extPeers, _, _, _, err := logic.GetExtPeers(&failOverpeer, node)
+ extPeers, _, _, err := logic.GetExtPeers(&failOverpeer, node)
 if err != nil {
 logger.Log(2, "could not retrieve ext peers for ", peer.ID.String(), err.Error())
 }
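Review bot: The new `AllowAll` field (json tag allow_all) carries no comment, and nothing in IngressInfo says how it interacts with `Rules` and `StaticNodeIps`, which logic/peers.go in this patch leaves unset when the flag is true. A receiver that sees allow_all true alongside a null rules list has to infer that the null is deliberate rather than a failed rule computation. Suggest `// AllowAll - when true the ingress gateway permits all traffic; Rules and StaticNodeIps are then left empty` on the line above the field. The removal of user_ips from the wire format also deserves a mention in the commit description for any consumer still decoding that key, if such consumers exist.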