package logic import ( "fmt" "log" "net" "strconv" "strings" "time" "github.com/c-robinson/iplib" "github.com/gravitl/netmaker/database" "github.com/gravitl/netmaker/logger" "github.com/gravitl/netmaker/logic/acls" "github.com/gravitl/netmaker/logic/acls/nodeacls" "github.com/gravitl/netmaker/models" "github.com/gravitl/netmaker/servercfg" "golang.zx2c4.com/wireguard/wgctrl/wgtypes" ) // GetNodePeers - fetches peers for a given node func GetNodePeers(network *models.Network, nodeid string, excludeRelayed bool, isP2S bool) ([]models.Node, error) { var peers []models.Node // networkNodes = all nodes in network // egressNetworkNodes = all egress gateways in network var networkNodes, egressNetworkNodes, err = getNetworkEgressAndNodes(network.NetID) if err != nil { return peers, nil } // udppeers = the peers parsed from the local interface // gives us correct port to reach udppeers, errN := database.GetPeers(network.NetID) if errN != nil { logger.Log(2, errN.Error()) } // gets all the ACL rules currentNetworkACLs, aclErr := nodeacls.FetchAllACLs(nodeacls.NetworkID(network.NetID)) if aclErr != nil { return peers, aclErr } /* at this point we have 4 lists of node information: - networkNodes: all nodes in network (models.Node) - egressNetworkNodes: all egress gateways in network (models.Node) - udppeers: all peers in database (parsed by server off of active WireGuard interface) - currentNetworkACLs: all ACL rules associated with the network - peers: a currently empty list that will be filled and returned */ // we now parse through all networkNodes and format properly to set as "peers" for _, node := range networkNodes { // skip over any node that is disallowed by ACL rules if !currentNetworkACLs.IsAllowed(acls.AclID(nodeid), acls.AclID(node.ID)) { continue } // create an empty model to fill with peer info var peer = models.Node{} // set egress gateway information if it's an egress gateway if node.IsEgressGateway == "yes" { // handle egress stuff peer.EgressGatewayRanges = node.EgressGatewayRanges peer.IsEgressGateway = node.IsEgressGateway } // set ingress gateway information peer.IsIngressGateway = node.IsIngressGateway /* - similar to ACLs, we must determine if peer is allowed based on Relay information - if the nodes is "not relayed" (not behind a relay), it is ok - if the node IS relayed, but excludeRelay has not been marked, it is ok - excludeRelayed is marked for any node that is NOT a Relay Server - therefore, the peer is allowed as long as it is not "relayed", or the node it is being sent to is its relay server */ allow := node.IsRelayed != "yes" || !excludeRelayed // confirm conditions allow node to be added as peer // node should be in same network, not pending, and "allowed" based on above logic if node.Network == network.NetID && node.IsPending != "yes" && allow { // node info is cleansed to remove sensitive info using setPeerInfo peer = setPeerInfo(&node) // Sets ListenPort to UDP Hole Punching Port assuming: // - UDP Hole Punching is enabled // - udppeers retrieval did not return an error // - the endpoint is valid if node.UDPHolePunch == "yes" && errN == nil && CheckEndpoint(udppeers[node.PublicKey]) { endpointstring := udppeers[node.PublicKey] endpointarr := strings.Split(endpointstring, ":") if len(endpointarr) == 2 { port, err := strconv.Atoi(endpointarr[1]) if err == nil { peer.ListenPort = int32(port) } } } // if udp hole punching is on, but the node's port is still set to default (e.g. 51821), use the LocalListenPort // or, if port is for some reason zero use the LocalListenPort // but only do this if LocalListenPort is not zero if node.UDPHolePunch == "yes" && ((peer.ListenPort == node.ListenPort || peer.ListenPort == 0) && node.LocalListenPort != 0) { peer.ListenPort = node.LocalListenPort } // if the node is a relay, append the network cidr and any relayed egress ranges if node.IsRelay == "yes" { // TODO, check if addressrange6 needs to be appended peer.AllowedIPs = append(peer.AllowedIPs, network.AddressRange) for _, egressNode := range egressNetworkNodes { if egressNode.IsRelayed == "yes" && StringSliceContains(node.RelayAddrs, egressNode.Address) { peer.AllowedIPs = append(peer.AllowedIPs, egressNode.EgressGatewayRanges...) } } } // if the node is an ingress gateway, append all the extclient allowedips if peer.IsIngressGateway == "yes" { // handle ingress stuff if currentExtClients, err := GetExtPeersList(&node); err == nil { for i := range currentExtClients { if network.IsIPv4 == "yes" && currentExtClients[i].Address != "" { peer.AllowedIPs = append(peer.AllowedIPs, currentExtClients[i].Address) } if network.IsIPv6 == "yes" && currentExtClients[i].Address6 != "" { peer.AllowedIPs = append(peer.AllowedIPs, currentExtClients[i].Address6) } } } } // dont appent if this isn't a p2p network or if ACLs disallow if (!isP2S || peer.IsHub == "yes") && currentNetworkACLs.IsAllowed(acls.AclID(nodeid), acls.AclID(node.ID)) { peers = append(peers, peer) } } } return peers, err } // GetPeersList - gets the peers of a given network func GetPeersList(refnode *models.Node) ([]models.Node, error) { var peers []models.Node var err error var isP2S bool var networkName = refnode.Network var excludeRelayed = refnode.IsRelay != "yes" var relayedNodeAddr string if refnode.IsRelayed == "yes" { relayedNodeAddr = refnode.Address } network, err := GetNetwork(networkName) if err != nil { return peers, err } else if network.IsPointToSite == "yes" && refnode.IsHub != "yes" { isP2S = true } if refnode.IsRelayed != "yes" { // if the node is not being relayed, retrieve peers as normal peers, err = GetNodePeers(&network, refnode.ID, excludeRelayed, isP2S) } else { var relayNode models.Node // If this node IS being relayed node, we must first retrieve its relay relayNode, err = GetNodeRelay(networkName, relayedNodeAddr) if relayNode.Address != "" && err == nil { // we must cleanse sensitive info from the relay node var peerNode = setPeerInfo(&relayNode) // we must append the CIDR to the relay so the relayed node can reach the network peerNode.AllowedIPs = append(peerNode.AllowedIPs, network.AddressRange) // we must append the egress ranges to the relay so the relayed node can reach egress var _, egressNetworkNodes, err = getNetworkEgressAndNodes(networkName) if err == nil { for _, egress := range egressNetworkNodes { if egress.Address != relayedNodeAddr { peerNode.AllowedIPs = append(peerNode.AllowedIPs, egress.EgressGatewayRanges...) } } } // get the other peers that are behind the Relay // we dont want to go through the relay to reach them // I'm not sure if this is actually a good call to have this here // may want to test without it, I think it may return bad info nodepeers, err := GetNodePeers(&network, refnode.ID, false, isP2S) if err == nil && peerNode.UDPHolePunch == "yes" { for _, nodepeer := range nodepeers { // im not sure if this is good either if nodepeer.Address == peerNode.Address { // peerNode.Endpoint = nodepeer.Endpoint peerNode.ListenPort = nodepeer.ListenPort } } } if !isP2S || peerNode.IsHub == "yes" { peers = append(peers, peerNode) } } } return peers, err } // GetPeerUpdate - gets a wireguard peer config for each peer of a node func GetPeerUpdate(node *models.Node) (models.PeerUpdate, error) { var peerUpdate models.PeerUpdate var peers []wgtypes.PeerConfig var serverNodeAddresses = []models.ServerAddr{} currentPeers, err := GetPeers(node) if err != nil { return models.PeerUpdate{}, err } // #1 Set Keepalive values: set_keepalive // #2 Set local address: set_local - could be a LOT BETTER and fix some bugs with additional logic // #3 Set allowedips: set_allowedips for _, peer := range currentPeers { if peer.ID == node.ID { //skip yourself continue } pubkey, err := wgtypes.ParseKey(peer.PublicKey) if err != nil { return models.PeerUpdate{}, err } if node.Endpoint == peer.Endpoint { //peer is on same network // set_local if node.LocalAddress != peer.LocalAddress && peer.LocalAddress != "" { peer.Endpoint = peer.LocalAddress if peer.LocalListenPort != 0 { peer.ListenPort = peer.LocalListenPort } } else { continue } } endpoint := peer.Endpoint + ":" + strconv.FormatInt(int64(peer.ListenPort), 10) address, err := net.ResolveUDPAddr("udp", endpoint) if err != nil { return models.PeerUpdate{}, err } // set_allowedips allowedips := GetAllowedIPs(node, &peer) var keepalive time.Duration if node.PersistentKeepalive != 0 { // set_keepalive keepalive, _ = time.ParseDuration(strconv.FormatInt(int64(node.PersistentKeepalive), 10) + "s") } var peerData = wgtypes.PeerConfig{ PublicKey: pubkey, Endpoint: address, ReplaceAllowedIPs: true, AllowedIPs: allowedips, PersistentKeepaliveInterval: &keepalive, } peers = append(peers, peerData) if peer.IsServer == "yes" { serverNodeAddresses = append(serverNodeAddresses, models.ServerAddr{IsLeader: IsLeader(&peer), Address: peer.Address}) } } if node.IsIngressGateway == "yes" { extPeers, err := getExtPeers(node) if err == nil { peers = append(peers, extPeers...) } else { log.Println("ERROR RETRIEVING EXTERNAL PEERS", err) } } peerUpdate.Network = node.Network peerUpdate.ServerVersion = servercfg.Version peerUpdate.Peers = peers peerUpdate.ServerAddrs = serverNodeAddresses peerUpdate.DNS = getPeerDNS(node.Network) return peerUpdate, nil } func getExtPeers(node *models.Node) ([]wgtypes.PeerConfig, error) { var peers []wgtypes.PeerConfig extPeers, err := GetExtPeersList(node) if err != nil { return peers, err } for _, extPeer := range extPeers { pubkey, err := wgtypes.ParseKey(extPeer.PublicKey) if err != nil { logger.Log(1, "error parsing ext pub key:", err.Error()) continue } if node.PublicKey == extPeer.PublicKey { continue } var allowedips []net.IPNet var peer wgtypes.PeerConfig if extPeer.Address != "" { var peeraddr = net.IPNet{ IP: net.ParseIP(extPeer.Address), Mask: net.CIDRMask(32, 32), } if peeraddr.IP != nil && peeraddr.Mask != nil { allowedips = append(allowedips, peeraddr) } } if extPeer.Address6 != "" { var addr6 = net.IPNet{ IP: net.ParseIP(extPeer.Address6), Mask: net.CIDRMask(128, 128), } if addr6.IP != nil && addr6.Mask != nil { allowedips = append(allowedips, addr6) } } peer = wgtypes.PeerConfig{ PublicKey: pubkey, ReplaceAllowedIPs: true, AllowedIPs: allowedips, } peers = append(peers, peer) } return peers, nil } // GetAllowedIPs - calculates the wireguard allowedip field for a peer of a node based on the peer and node settings func GetAllowedIPs(node, peer *models.Node) []net.IPNet { var allowedips []net.IPNet if peer.Address != "" { var peeraddr = net.IPNet{ IP: net.ParseIP(peer.Address), Mask: net.CIDRMask(32, 32), } allowedips = append(allowedips, peeraddr) } if peer.Address6 != "" { var addr6 = net.IPNet{ IP: net.ParseIP(peer.Address6), Mask: net.CIDRMask(128, 128), } allowedips = append(allowedips, addr6) } // handle manually set peers for _, allowedIp := range peer.AllowedIPs { if iplib.Version(net.ParseIP(allowedIp)) == 4 { if _, ipnet, err := net.ParseCIDR(allowedIp); err == nil { nodeEndpointArr := strings.Split(node.Endpoint, ":") if !ipnet.Contains(net.IP(nodeEndpointArr[0])) && ipnet.IP.String() != peer.Address { // don't need to add an allowed ip that already exists.. allowedips = append(allowedips, *ipnet) } } else if appendip := net.ParseIP(allowedIp); appendip != nil && allowedIp != peer.Address { ipnet := net.IPNet{ IP: net.ParseIP(allowedIp), Mask: net.CIDRMask(32, 32), } allowedips = append(allowedips, ipnet) } } else if iplib.Version(net.ParseIP(allowedIp)) == 6 { ipnet := net.IPNet{ IP: net.ParseIP(allowedIp), Mask: net.CIDRMask(128, 128), } allowedips = append(allowedips, ipnet) } } // handle egress gateway peers if peer.IsEgressGateway == "yes" { //hasGateway = true ranges := peer.EgressGatewayRanges for _, iprange := range ranges { // go through each cidr for egress gateway _, ipnet, err := net.ParseCIDR(iprange) // confirming it's valid cidr if err != nil { logger.Log(1, "could not parse gateway IP range. Not adding ", iprange) continue // if can't parse CIDR } nodeEndpointArr := strings.Split(peer.Endpoint, ":") // getting the public ip of node if ipnet.Contains(net.ParseIP(nodeEndpointArr[0])) { // ensuring egress gateway range does not contain endpoint of node logger.Log(2, "egress IP range of ", iprange, " overlaps with ", node.Endpoint, ", omitting") continue // skip adding egress range if overlaps with node's ip } // TODO: Could put in a lot of great logic to avoid conflicts / bad routes if ipnet.Contains(net.ParseIP(node.LocalAddress)) { // ensuring egress gateway range does not contain public ip of node logger.Log(2, "egress IP range of ", iprange, " overlaps with ", node.LocalAddress, ", omitting") continue // skip adding egress range if overlaps with node's local ip } if err != nil { logger.Log(1, "error encountered when setting egress range", err.Error()) } else { allowedips = append(allowedips, *ipnet) } } } return allowedips } func getPeerDNS(network string) string { var dns string if nodes, err := GetNetworkNodes(network); err == nil { for i := range nodes { dns = dns + fmt.Sprintf("%s %s.%s\n", nodes[i].Address, nodes[i].Name, nodes[i].Network) } } if customDNSEntries, err := GetCustomDNS(network); err == nil { for _, entry := range customDNSEntries { // TODO - filter entries based on ACLs / given peers vs nodes in network dns = dns + fmt.Sprintf("%s %s.%s\n", entry.Address, entry.Name, entry.Network) } } return dns }