package logic import ( "context" "encoding/json" "errors" "fmt" "net" "reflect" "sort" "strings" "sync" "time" "github.com/goombaio/namegenerator" "github.com/gravitl/netmaker/database" "github.com/gravitl/netmaker/db" "github.com/gravitl/netmaker/logger" "github.com/gravitl/netmaker/logic/acls" "github.com/gravitl/netmaker/models" "github.com/gravitl/netmaker/schema" "github.com/gravitl/netmaker/servercfg" "golang.org/x/exp/slog" "golang.zx2c4.com/wireguard/wgctrl/wgtypes" ) var ( extClientCacheMutex = &sync.RWMutex{} extClientCacheMap = make(map[string]models.ExtClient) ) func getAllExtClientsFromCache() (extClients []models.ExtClient) { extClientCacheMutex.RLock() for _, extclient := range extClientCacheMap { if extclient.Mutex == nil { extclient.Mutex = &sync.Mutex{} } extClients = append(extClients, extclient) } extClientCacheMutex.RUnlock() return } func deleteExtClientFromCache(key string) { extClientCacheMutex.Lock() delete(extClientCacheMap, key) extClientCacheMutex.Unlock() } func getExtClientFromCache(key string) (extclient models.ExtClient, ok bool) { extClientCacheMutex.RLock() extclient, ok = extClientCacheMap[key] if extclient.Mutex == nil { extclient.Mutex = &sync.Mutex{} } extClientCacheMutex.RUnlock() return } func storeExtClientInCache(key string, extclient models.ExtClient) { extClientCacheMutex.Lock() if extclient.Mutex == nil { extclient.Mutex = &sync.Mutex{} } extClientCacheMap[key] = extclient extClientCacheMutex.Unlock() } // ExtClient.GetEgressRangesOnNetwork - returns the egress ranges on network of ext client func GetEgressRangesOnNetwork(client *models.ExtClient) ([]string, error) { var result []string networkNodes, err := GetNetworkNodes(client.Network) if err != nil { return []string{}, err } // clientNode := client.ConvertToStaticNode() for _, currentNode := range networkNodes { if currentNode.Network != client.Network { continue } GetNodeEgressInfo(¤tNode) if currentNode.EgressDetails.IsInternetGateway && client.IngressGatewayID != currentNode.ID.String() { continue } if currentNode.EgressDetails.IsEgressGateway { // add the egress gateway range(s) to the result fmt.Println("EGRESSS EXTCLEINT: ", currentNode.EgressDetails) if len(currentNode.EgressDetails.EgressGatewayRanges) > 0 { result = append(result, currentNode.EgressDetails.EgressGatewayRanges...) } } } extclients, _ := GetNetworkExtClients(client.Network) for _, extclient := range extclients { if extclient.ClientID == client.ClientID { continue } result = append(result, extclient.ExtraAllowedIPs...) } return result, nil } // DeleteExtClient - deletes an existing ext client func DeleteExtClient(network string, clientid string) error { key, err := GetRecordKey(clientid, network) if err != nil { return err } extClient, err := GetExtClient(clientid, network) if err != nil { return err } err = database.DeleteRecord(database.EXT_CLIENT_TABLE_NAME, key) if err != nil { return err } if servercfg.CacheEnabled() { // recycle ip address if extClient.Address != "" { RemoveIpFromAllocatedIpMap(network, extClient.Address) } if extClient.Address6 != "" { RemoveIpFromAllocatedIpMap(network, extClient.Address6) } deleteExtClientFromCache(key) } if extClient.RemoteAccessClientID != "" { LogEvent(&models.Event{ Action: models.Disconnect, Source: models.Subject{ ID: extClient.OwnerID, Name: extClient.OwnerID, Type: models.UserSub, }, TriggeredBy: extClient.OwnerID, Target: models.Subject{ ID: extClient.Network, Name: extClient.Network, Type: models.NetworkSub, Info: extClient, }, NetworkID: models.NetworkID(extClient.Network), Origin: models.ClientApp, }) } go RemoveNodeFromAclPolicy(extClient.ConvertToStaticNode()) return nil } // DeleteExtClientAndCleanup - deletes an existing ext client and update ACLs func DeleteExtClientAndCleanup(extClient models.ExtClient) error { //delete extClient record err := DeleteExtClient(extClient.Network, extClient.ClientID) if err != nil { slog.Error("DeleteExtClientAndCleanup-remove extClient record: ", "Error", err.Error()) return err } //update ACLs var networkAcls acls.ACLContainer networkAcls, err = networkAcls.Get(acls.ContainerID(extClient.Network)) if err != nil { slog.Error("DeleteExtClientAndCleanup-update network acls: ", "Error", err.Error()) return err } for objId := range networkAcls { delete(networkAcls[objId], acls.AclID(extClient.ClientID)) } delete(networkAcls, acls.AclID(extClient.ClientID)) if _, err = networkAcls.Save(acls.ContainerID(extClient.Network)); err != nil { slog.Error("DeleteExtClientAndCleanup-update network acls:", "Error", err.Error()) return err } return nil } //TODO - enforce extclient-to-extclient on ingress gw /* 1. fetch all non-user static nodes a. check against each user node, if allowed add rule */ // GetNetworkExtClients - gets the ext clients of given network func GetNetworkExtClients(network string) ([]models.ExtClient, error) { var extclients []models.ExtClient if servercfg.CacheEnabled() { allextclients := getAllExtClientsFromCache() if len(allextclients) != 0 { for _, extclient := range allextclients { if extclient.Network == network { extclients = append(extclients, extclient) } } return extclients, nil } } records, err := database.FetchRecords(database.EXT_CLIENT_TABLE_NAME) if err != nil { if database.IsEmptyRecord(err) { return extclients, nil } return extclients, err } for _, value := range records { var extclient models.ExtClient err = json.Unmarshal([]byte(value), &extclient) if err != nil { continue } key, err := GetRecordKey(extclient.ClientID, extclient.Network) if err == nil { if servercfg.CacheEnabled() { storeExtClientInCache(key, extclient) } } if extclient.Network == network { extclients = append(extclients, extclient) } } return extclients, err } // GetExtClient - gets a single ext client on a network func GetExtClient(clientid string, network string) (models.ExtClient, error) { var extclient models.ExtClient key, err := GetRecordKey(clientid, network) if err != nil { return extclient, err } if servercfg.CacheEnabled() { if extclient, ok := getExtClientFromCache(key); ok { return extclient, nil } } data, err := database.FetchRecord(database.EXT_CLIENT_TABLE_NAME, key) if err != nil { return extclient, err } err = json.Unmarshal([]byte(data), &extclient) if servercfg.CacheEnabled() { storeExtClientInCache(key, extclient) } return extclient, err } // GetGwExtclients - return all ext clients attached to the passed gw id func GetGwExtclients(nodeID, network string) []models.ExtClient { gwClients := []models.ExtClient{} clients, err := GetNetworkExtClients(network) if err != nil { return gwClients } for _, client := range clients { if client.IngressGatewayID == nodeID { gwClients = append(gwClients, client) } } return gwClients } // GetExtClient - gets a single ext client on a network func GetExtClientByPubKey(publicKey string, network string) (*models.ExtClient, error) { netClients, err := GetNetworkExtClients(network) if err != nil { return nil, err } for i := range netClients { ec := netClients[i] if ec.PublicKey == publicKey { return &ec, nil } } return nil, fmt.Errorf("no client found") } // CreateExtClient - creates and saves an extclient func CreateExtClient(extclient *models.ExtClient) error { // lock because we may need unique IPs and having it concurrent makes parallel calls result in same "unique" IPs addressLock.Lock() defer addressLock.Unlock() if len(extclient.PublicKey) == 0 { privateKey, err := wgtypes.GeneratePrivateKey() if err != nil { return err } extclient.PrivateKey = privateKey.String() extclient.PublicKey = privateKey.PublicKey().String() } else if len(extclient.PrivateKey) == 0 && len(extclient.PublicKey) > 0 { extclient.PrivateKey = "[ENTER PRIVATE KEY]" } if extclient.ExtraAllowedIPs == nil { extclient.ExtraAllowedIPs = []string{} } parentNetwork, err := GetNetwork(extclient.Network) if err != nil { return err } if extclient.Address == "" { if parentNetwork.IsIPv4 == "yes" { newAddress, err := UniqueAddress(extclient.Network, true) if err != nil { return err } extclient.Address = newAddress.String() } } if extclient.Address6 == "" { if parentNetwork.IsIPv6 == "yes" { addr6, err := UniqueAddress6(extclient.Network, true) if err != nil { return err } extclient.Address6 = addr6.String() } } if extclient.ClientID == "" { extclient.ClientID, err = GenerateNodeName(extclient.Network) if err != nil { return err } } extclient.LastModified = time.Now().Unix() return SaveExtClient(extclient) } // GenerateNodeName - generates a random node name func GenerateNodeName(network string) (string, error) { seed := time.Now().UTC().UnixNano() nameGenerator := namegenerator.NewNameGenerator(seed) var name string cnt := 0 for { if cnt > 10 { return "", errors.New("couldn't generate random name, try again") } cnt += 1 name = nameGenerator.Generate() if len(name) > 15 { continue } _, err := GetExtClient(name, network) if err == nil { // config exists with same name continue } break } return name, nil } // SaveExtClient - saves an ext client to database func SaveExtClient(extclient *models.ExtClient) error { key, err := GetRecordKey(extclient.ClientID, extclient.Network) if err != nil { return err } data, err := json.Marshal(&extclient) if err != nil { return err } if err = database.Insert(key, string(data), database.EXT_CLIENT_TABLE_NAME); err != nil { return err } if servercfg.CacheEnabled() { storeExtClientInCache(key, *extclient) if _, ok := allocatedIpMap[extclient.Network]; ok { if extclient.Address != "" { AddIpToAllocatedIpMap(extclient.Network, net.ParseIP(extclient.Address)) } if extclient.Address6 != "" { AddIpToAllocatedIpMap(extclient.Network, net.ParseIP(extclient.Address6)) } } } return SetNetworkNodesLastModified(extclient.Network) } // UpdateExtClient - updates an ext client with new values func UpdateExtClient(old *models.ExtClient, update *models.CustomExtClient) models.ExtClient { new := *old new.ClientID = update.ClientID if update.PublicKey != "" && old.PublicKey != update.PublicKey { new.PublicKey = update.PublicKey } if update.DNS != old.DNS { new.DNS = update.DNS } if update.Enabled != old.Enabled { new.Enabled = update.Enabled } new.ExtraAllowedIPs = update.ExtraAllowedIPs if update.DeniedACLs != nil && !reflect.DeepEqual(old.DeniedACLs, update.DeniedACLs) { new.DeniedACLs = update.DeniedACLs } // replace any \r\n with \n in postup and postdown from HTTP request new.PostUp = strings.Replace(update.PostUp, "\r\n", "\n", -1) new.PostDown = strings.Replace(update.PostDown, "\r\n", "\n", -1) new.Tags = update.Tags return new } // GetExtClientsByID - gets the clients of attached gateway func GetExtClientsByID(nodeid, network string) ([]models.ExtClient, error) { var result []models.ExtClient currentClients, err := GetNetworkExtClients(network) if err != nil { return result, err } for i := range currentClients { if currentClients[i].IngressGatewayID == nodeid { result = append(result, currentClients[i]) } } return result, nil } // GetAllExtClients - gets all ext clients from DB func GetAllExtClients() ([]models.ExtClient, error) { var clients = []models.ExtClient{} currentNetworks, err := GetNetworks() if err != nil && database.IsEmptyRecord(err) { return clients, nil } else if err != nil { return clients, err } for i := range currentNetworks { netName := currentNetworks[i].NetID netClients, err := GetNetworkExtClients(netName) if err != nil { continue } clients = append(clients, netClients...) } return clients, nil } // GetAllExtClientsWithStatus - returns all external clients with // given status. func GetAllExtClientsWithStatus(status models.NodeStatus) ([]models.ExtClient, error) { extClients, err := GetAllExtClients() if err != nil { return nil, err } var validExtClients []models.ExtClient for _, extClient := range extClients { node := extClient.ConvertToStaticNode() GetNodeCheckInStatus(&node, false) if node.Status == status { validExtClients = append(validExtClients, extClient) } } return validExtClients, nil } // ToggleExtClientConnectivity - enables or disables an ext client func ToggleExtClientConnectivity(client *models.ExtClient, enable bool) (models.ExtClient, error) { update := models.CustomExtClient{ Enabled: enable, ClientID: client.ClientID, PublicKey: client.PublicKey, DNS: client.DNS, ExtraAllowedIPs: client.ExtraAllowedIPs, DeniedACLs: client.DeniedACLs, RemoteAccessClientID: client.RemoteAccessClientID, } // update in DB newClient := UpdateExtClient(client, &update) if err := DeleteExtClient(client.Network, client.ClientID); err != nil { slog.Error("failed to delete ext client during update", "id", client.ClientID, "network", client.Network, "error", err) return newClient, err } if err := SaveExtClient(&newClient); err != nil { slog.Error("failed to save updated ext client during update", "id", newClient.ClientID, "network", newClient.Network, "error", err) return newClient, err } return newClient, nil } // Sort a slice of net.IP addresses func sortIPs(ips []net.IP) { sort.Slice(ips, func(i, j int) bool { ip1, ip2 := ips[i].To16(), ips[j].To16() return string(ip1) < string(ip2) // Compare as byte slices }) } func GetStaticNodeIps(node models.Node) (ips []net.IP) { defer func() { sortIPs(ips) }() defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy) defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy) extclients := GetStaticNodesByNetwork(models.NetworkID(node.Network), false) for _, extclient := range extclients { if extclient.IsUserNode && defaultUserPolicy.Enabled { continue } if !extclient.IsUserNode && defaultDevicePolicy.Enabled { continue } if extclient.StaticNode.Address != "" { ips = append(ips, extclient.StaticNode.AddressIPNet4().IP) } if extclient.StaticNode.Address6 != "" { ips = append(ips, extclient.StaticNode.AddressIPNet6().IP) } } return } func getFwRulesForNodeAndPeerOnGw(node, peer models.Node, allowedPolicies []models.Acl) (rules []models.FwRule) { for _, policy := range allowedPolicies { // if static peer dst rule not for ingress node -> skip if node.Address.IP != nil { rules = append(rules, models.FwRule{ SrcIP: net.IPNet{ IP: node.Address.IP, Mask: net.CIDRMask(32, 32), }, DstIP: net.IPNet{ IP: peer.Address.IP, Mask: net.CIDRMask(32, 32), }, AllowedProtocol: policy.Proto, AllowedPorts: policy.Port, Allow: true, }) } if node.Address6.IP != nil { rules = append(rules, models.FwRule{ SrcIP: net.IPNet{ IP: node.Address6.IP, Mask: net.CIDRMask(128, 128), }, DstIP: net.IPNet{ IP: peer.Address6.IP, Mask: net.CIDRMask(128, 128), }, AllowedProtocol: policy.Proto, AllowedPorts: policy.Port, Allow: true, }) } if policy.AllowedDirection == models.TrafficDirectionBi { if node.Address.IP != nil { rules = append(rules, models.FwRule{ SrcIP: net.IPNet{ IP: peer.Address.IP, Mask: net.CIDRMask(32, 32), }, DstIP: net.IPNet{ IP: node.Address.IP, Mask: net.CIDRMask(32, 32), }, AllowedProtocol: policy.Proto, AllowedPorts: policy.Port, Allow: true, }) } if node.Address6.IP != nil { rules = append(rules, models.FwRule{ SrcIP: net.IPNet{ IP: peer.Address6.IP, Mask: net.CIDRMask(128, 128), }, DstIP: net.IPNet{ IP: node.Address6.IP, Mask: net.CIDRMask(128, 128), }, AllowedProtocol: policy.Proto, AllowedPorts: policy.Port, Allow: true, }) } } if len(node.StaticNode.ExtraAllowedIPs) > 0 { for _, additionalAllowedIPNet := range node.StaticNode.ExtraAllowedIPs { _, ipNet, err := net.ParseCIDR(additionalAllowedIPNet) if err != nil { continue } if ipNet.IP.To4() != nil && peer.Address.IP != nil { rules = append(rules, models.FwRule{ SrcIP: net.IPNet{ IP: peer.Address.IP, Mask: net.CIDRMask(32, 32), }, DstIP: *ipNet, Allow: true, }) } else if peer.Address6.IP != nil { rules = append(rules, models.FwRule{ SrcIP: net.IPNet{ IP: peer.Address6.IP, Mask: net.CIDRMask(128, 128), }, DstIP: *ipNet, Allow: true, }) } } } if len(peer.StaticNode.ExtraAllowedIPs) > 0 { for _, additionalAllowedIPNet := range peer.StaticNode.ExtraAllowedIPs { _, ipNet, err := net.ParseCIDR(additionalAllowedIPNet) if err != nil { continue } if ipNet.IP.To4() != nil && node.Address.IP != nil { rules = append(rules, models.FwRule{ SrcIP: net.IPNet{ IP: node.Address.IP, Mask: net.CIDRMask(32, 32), }, DstIP: *ipNet, Allow: true, }) } else if node.Address6.IP != nil { rules = append(rules, models.FwRule{ SrcIP: net.IPNet{ IP: node.Address6.IP, Mask: net.CIDRMask(128, 128), }, DstIP: *ipNet, Allow: true, }) } } } // add egress range rules for _, dstI := range policy.Dst { if dstI.ID == models.EgressID { e := schema.Egress{ID: dstI.Value} err := e.Get(db.WithContext(context.TODO())) if err != nil { continue } dstI.Value = e.Range ip, cidr, err := net.ParseCIDR(dstI.Value) if err == nil { if ip.To4() != nil { if node.Address.IP != nil { rules = append(rules, models.FwRule{ SrcIP: net.IPNet{ IP: node.Address.IP, Mask: net.CIDRMask(32, 32), }, DstIP: *cidr, AllowedProtocol: policy.Proto, AllowedPorts: policy.Port, Allow: true, }) } } else { if node.Address6.IP != nil { rules = append(rules, models.FwRule{ SrcIP: net.IPNet{ IP: node.Address6.IP, Mask: net.CIDRMask(128, 128), }, DstIP: *cidr, AllowedProtocol: policy.Proto, AllowedPorts: policy.Port, Allow: true, }) } } } } } } return } func getFwRulesForUserNodesOnGw(node models.Node, nodes []models.Node) (rules []models.FwRule) { defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy) userNodes := GetStaticUserNodesByNetwork(models.NetworkID(node.Network)) for _, userNodeI := range userNodes { for _, peer := range nodes { if peer.IsUserNode { continue } if ok, allowedPolicies := IsUserAllowedToCommunicate(userNodeI.StaticNode.OwnerID, peer); ok { if peer.IsStatic { peer = peer.StaticNode.ConvertToStaticNode() } if !defaultUserPolicy.Enabled { for _, policy := range allowedPolicies { if userNodeI.StaticNode.Address != "" { rules = append(rules, models.FwRule{ SrcIP: userNodeI.StaticNode.AddressIPNet4(), DstIP: net.IPNet{ IP: peer.Address.IP, Mask: net.CIDRMask(32, 32), }, AllowedProtocol: policy.Proto, AllowedPorts: policy.Port, Allow: true, }) } if userNodeI.StaticNode.Address6 != "" { rules = append(rules, models.FwRule{ SrcIP: userNodeI.StaticNode.AddressIPNet6(), DstIP: net.IPNet{ IP: peer.Address6.IP, Mask: net.CIDRMask(128, 128), }, AllowedProtocol: policy.Proto, AllowedPorts: policy.Port, Allow: true, }) } // add egress ranges for _, dstI := range policy.Dst { if dstI.ID == models.EgressID { e := schema.Egress{ID: dstI.Value} err := e.Get(db.WithContext(context.TODO())) if err != nil { continue } dstI.Value = e.Range ip, cidr, err := net.ParseCIDR(dstI.Value) if err == nil { if ip.To4() != nil && userNodeI.StaticNode.Address != "" { rules = append(rules, models.FwRule{ SrcIP: userNodeI.StaticNode.AddressIPNet4(), DstIP: *cidr, AllowedProtocol: policy.Proto, AllowedPorts: policy.Port, Allow: true, }) } else if ip.To16() != nil && userNodeI.StaticNode.Address6 != "" { rules = append(rules, models.FwRule{ SrcIP: userNodeI.StaticNode.AddressIPNet6(), DstIP: *cidr, AllowedProtocol: policy.Proto, AllowedPorts: policy.Port, Allow: true, }) } } } } } } } } } return } func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) { // fetch user access to static clients via policies defer func() { sort.Slice(rules, func(i, j int) bool { if !rules[i].SrcIP.IP.Equal(rules[j].SrcIP.IP) { return string(rules[i].SrcIP.IP.To16()) < string(rules[j].SrcIP.IP.To16()) } return string(rules[i].DstIP.IP.To16()) < string(rules[j].DstIP.IP.To16()) }) }() defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy) nodes, _ := GetNetworkNodes(node.Network) nodes = append(nodes, GetStaticNodesByNetwork(models.NetworkID(node.Network), true)...) rules = getFwRulesForUserNodesOnGw(node, nodes) if defaultDevicePolicy.Enabled { return } for _, nodeI := range nodes { if !nodeI.IsStatic || nodeI.IsUserNode { continue } // if nodeI.StaticNode.IngressGatewayID != node.ID.String() { // continue // } for _, peer := range nodes { if peer.StaticNode.ClientID == nodeI.StaticNode.ClientID || peer.IsUserNode { continue } if nodeI.StaticNode.IngressGatewayID != node.ID.String() && ((!peer.IsStatic && peer.ID.String() != node.ID.String()) || (peer.IsStatic && peer.StaticNode.IngressGatewayID != node.ID.String())) { continue } if peer.IsStatic { peer = peer.StaticNode.ConvertToStaticNode() } var allowedPolicies1 []models.Acl var ok bool if ok, allowedPolicies1 = IsNodeAllowedToCommunicateV1(nodeI.StaticNode.ConvertToStaticNode(), peer, true); ok { rules = append(rules, getFwRulesForNodeAndPeerOnGw(nodeI.StaticNode.ConvertToStaticNode(), peer, allowedPolicies1)...) } if ok, allowedPolicies2 := IsNodeAllowedToCommunicateV1(peer, nodeI.StaticNode.ConvertToStaticNode(), true); ok { rules = append(rules, getFwRulesForNodeAndPeerOnGw(peer, nodeI.StaticNode.ConvertToStaticNode(), GetUniquePolicies(allowedPolicies1, allowedPolicies2))...) } } } return } func GetUniquePolicies(policies1, policies2 []models.Acl) []models.Acl { policies1Map := make(map[string]struct{}) for _, policy1I := range policies1 { policies1Map[policy1I.ID] = struct{}{} } for i := len(policies2) - 1; i >= 0; i-- { if _, ok := policies1Map[policies2[i].ID]; ok { policies2 = append(policies2[:i], policies2[i+1:]...) } } return policies2 } func GetExtPeers(node, peer *models.Node) ([]wgtypes.PeerConfig, []models.IDandAddr, []models.EgressNetworkRoutes, error) { var peers []wgtypes.PeerConfig var idsAndAddr []models.IDandAddr var egressRoutes []models.EgressNetworkRoutes extPeers, err := GetNetworkExtClients(node.Network) if err != nil { return peers, idsAndAddr, egressRoutes, err } host, err := GetHost(node.HostID.String()) if err != nil { return peers, idsAndAddr, egressRoutes, err } for _, extPeer := range extPeers { extPeer := extPeer if !IsClientNodeAllowed(&extPeer, peer.ID.String()) { continue } if extPeer.RemoteAccessClientID == "" { if ok := IsPeerAllowed(extPeer.ConvertToStaticNode(), *peer, true); !ok { continue } } else { if ok, _ := IsUserAllowedToCommunicate(extPeer.OwnerID, *peer); !ok { continue } } pubkey, err := wgtypes.ParseKey(extPeer.PublicKey) if err != nil { logger.Log(1, "error parsing ext pub key:", err.Error()) continue } if host.PublicKey.String() == extPeer.PublicKey || extPeer.IngressGatewayID != node.ID.String() || !extPeer.Enabled { continue } var allowedips []net.IPNet var peer wgtypes.PeerConfig if extPeer.Address != "" { var peeraddr = net.IPNet{ IP: net.ParseIP(extPeer.Address), Mask: net.CIDRMask(32, 32), } if peeraddr.IP != nil && peeraddr.Mask != nil { allowedips = append(allowedips, peeraddr) } } if extPeer.Address6 != "" { var addr6 = net.IPNet{ IP: net.ParseIP(extPeer.Address6), Mask: net.CIDRMask(128, 128), } if addr6.IP != nil && addr6.Mask != nil { allowedips = append(allowedips, addr6) } } for _, extraAllowedIP := range extPeer.ExtraAllowedIPs { _, cidr, err := net.ParseCIDR(extraAllowedIP) if err == nil { allowedips = append(allowedips, *cidr) } } egressRoutes = append(egressRoutes, getExtPeerEgressRoute(*node, extPeer)...) primaryAddr := extPeer.Address if primaryAddr == "" { primaryAddr = extPeer.Address6 } peer = wgtypes.PeerConfig{ PublicKey: pubkey, ReplaceAllowedIPs: true, AllowedIPs: allowedips, } peers = append(peers, peer) idsAndAddr = append(idsAndAddr, models.IDandAddr{ ID: peer.PublicKey.String(), Name: extPeer.ClientID, Address: primaryAddr, IsExtClient: true, }) } return peers, idsAndAddr, egressRoutes, nil } func getExtPeerEgressRoute(node models.Node, extPeer models.ExtClient) (egressRoutes []models.EgressNetworkRoutes) { r := models.EgressNetworkRoutes{ PeerKey: extPeer.PublicKey, EgressGwAddr: extPeer.AddressIPNet4(), EgressGwAddr6: extPeer.AddressIPNet6(), NodeAddr: node.Address, NodeAddr6: node.Address6, EgressRanges: extPeer.ExtraAllowedIPs, } for _, extraAllowedIP := range extPeer.ExtraAllowedIPs { r.EgressRangesWithMetric = append(r.EgressRangesWithMetric, models.EgressRangeMetric{ Network: extraAllowedIP, RouteMetric: 256, }) } egressRoutes = append(egressRoutes, r) return } func getExtpeerEgressRanges(node models.Node) (ranges, ranges6 []net.IPNet) { extPeers, err := GetNetworkExtClients(node.Network) if err != nil { return } for _, extPeer := range extPeers { if len(extPeer.ExtraAllowedIPs) == 0 { continue } if ok, _ := IsNodeAllowedToCommunicateV1(extPeer.ConvertToStaticNode(), node, true); !ok { continue } for _, allowedRange := range extPeer.ExtraAllowedIPs { _, ipnet, err := net.ParseCIDR(allowedRange) if err == nil { if ipnet.IP.To4() != nil { ranges = append(ranges, *ipnet) } else { ranges6 = append(ranges6, *ipnet) } } } } return } func getExtpeersExtraRoutes(node models.Node) (egressRoutes []models.EgressNetworkRoutes) { extPeers, err := GetNetworkExtClients(node.Network) if err != nil { return } for _, extPeer := range extPeers { if len(extPeer.ExtraAllowedIPs) == 0 { continue } if ok, _ := IsNodeAllowedToCommunicateV1(extPeer.ConvertToStaticNode(), node, true); !ok { continue } egressRoutes = append(egressRoutes, getExtPeerEgressRoute(node, extPeer)...) } return } func GetExtclientAllowedIPs(client models.ExtClient) (allowedIPs []string) { gwnode, err := GetNodeByID(client.IngressGatewayID) if err != nil { logger.Log(0, fmt.Sprintf("failed to get ingress gateway node [%s] info: %v", client.IngressGatewayID, err)) return } network, err := GetParentNetwork(client.Network) if err != nil { logger.Log(1, "Could not retrieve Ingress Gateway Network", client.Network) return } if IsInternetGw(gwnode) { egressrange := "0.0.0.0/0" if gwnode.Address6.IP != nil && client.Address6 != "" { egressrange += "," + "::/0" } allowedIPs = []string{egressrange} } else { allowedIPs = []string{network.AddressRange} if network.AddressRange6 != "" { allowedIPs = append(allowedIPs, network.AddressRange6) } if egressGatewayRanges, err := GetEgressRangesOnNetwork(&client); err == nil { allowedIPs = append(allowedIPs, egressGatewayRanges...) } } return } func GetStaticUserNodesByNetwork(network models.NetworkID) (staticNode []models.Node) { extClients, err := GetAllExtClients() if err != nil { return } for _, extI := range extClients { if extI.Network == network.String() { if extI.RemoteAccessClientID != "" { n := extI.ConvertToStaticNode() staticNode = append(staticNode, n) } } } return } func GetStaticNodesByNetwork(network models.NetworkID, onlyWg bool) (staticNode []models.Node) { extClients, err := GetAllExtClients() if err != nil { return } SortExtClient(extClients[:]) for _, extI := range extClients { if extI.Network == network.String() { if onlyWg && extI.RemoteAccessClientID != "" { continue } n := models.Node{ IsStatic: true, StaticNode: extI, IsUserNode: extI.RemoteAccessClientID != "", } staticNode = append(staticNode, n) } } return } func GetStaticNodesByGw(gwNode models.Node) (staticNode []models.Node) { extClients, err := GetAllExtClients() if err != nil { return } for _, extI := range extClients { if extI.IngressGatewayID == gwNode.ID.String() { n := models.Node{ IsStatic: true, StaticNode: extI, IsUserNode: extI.RemoteAccessClientID != "", } staticNode = append(staticNode, n) } } return }