NM-103: add dst rule to acls (#1095)

abhishek9686 · web-flow · commit 6b4d175055b7 · 2025-09-08T08:23:09.000+05:30
* add dst rule to acls

* update go mod
diff --git a/firewall/iptables_linux.go b/firewall/iptables_linux.go
@@ -733,9 +733,16 @@ func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models.
 		}
 		if len(aclRule.IPList) > 0 {
 			allowedIps := []string{}
+			dstAllowedIps := []string{}
 			for _, ip := range aclRule.IPList {
 				allowedIps = append(allowedIps, ip.String())
 			}
+			if len(aclRule.Dst) > 0 {
+				for _, ip := range aclRule.Dst {
+					dstAllowedIps = append(dstAllowedIps, ip.String())
+				}
+			}
+
 			rulesSpec := [][]string{}
 			if len(aclRule.AllowedPorts) > 0 {
 
@@ -744,6 +751,9 @@ func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models.
 						continue
 					}
 					ruleSpec := []string{"-s", strings.Join(allowedIps, ",")}
+					if len(dstAllowedIps) > 0 {
+						ruleSpec = append(ruleSpec, "-d", strings.Join(dstAllowedIps, ","))
+					}
 					if aclRule.AllowedProtocol.String() != "" && aclRule.AllowedProtocol != models.ALL {
 						ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String())
 					}
@@ -759,6 +769,9 @@ func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models.
 
 			} else {
 				ruleSpec := []string{"-s", strings.Join(allowedIps, ",")}
+				if len(dstAllowedIps) > 0 {
+					ruleSpec = append(ruleSpec, "-d", strings.Join(dstAllowedIps, ","))
+				}
 				if aclRule.AllowedProtocol.String() != "" && aclRule.AllowedProtocol != models.ALL {
 					ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String())
 				}
@@ -786,9 +799,15 @@ func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models.
 
 		if len(aclRule.IP6List) > 0 {
 			allowedIps := []string{}
+			dstAllowedIps := []string{}
 			for _, ip := range aclRule.IP6List {
 				allowedIps = append(allowedIps, ip.String())
 			}
+			if len(aclRule.Dst6) > 0 {
+				for _, ip := range aclRule.Dst6 {
+					dstAllowedIps = append(dstAllowedIps, ip.String())
+				}
+			}
 			rulesSpec := [][]string{}
 			if len(aclRule.AllowedPorts) > 0 {
 
@@ -797,6 +816,9 @@ func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models.
 						continue
 					}
 					ruleSpec := []string{"-s", strings.Join(allowedIps, ",")}
+					if len(dstAllowedIps) > 0 {
+						ruleSpec = append(ruleSpec, "-d", strings.Join(dstAllowedIps, ","))
+					}
 					if aclRule.AllowedProtocol.String() != "" && aclRule.AllowedProtocol != models.ALL {
 						ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String())
 					}
@@ -812,6 +834,9 @@ func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models.
 
 			} else {
 				ruleSpec := []string{"-s", strings.Join(allowedIps, ",")}
+				if len(dstAllowedIps) > 0 {
+					ruleSpec = append(ruleSpec, "-d", strings.Join(dstAllowedIps, ","))
+				}
 				if aclRule.AllowedProtocol.String() != "" && aclRule.AllowedProtocol != models.ALL {
 					ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String())
 				}
@@ -864,16 +889,25 @@ func (i *iptablesManager) UpsertAclRule(server string, aclRule models.AclRule) {
 	}
 	if len(aclRule.IPList) > 0 {
 		allowedIps := []string{}
+		dstAllowedIps := []string{}
 		for _, ip := range aclRule.IPList {
 			allowedIps = append(allowedIps, ip.String())
 		}
+		if len(aclRule.Dst) > 0 {
+			for _, ip := range aclRule.Dst {
+				dstAllowedIps = append(dstAllowedIps, ip.String())
+			}
+		}
 		rulesSpec := [][]string{}
 		if len(aclRule.AllowedPorts) > 0 {
 			for _, port := range aclRule.AllowedPorts {
 				if port == "" {
 					continue
 				}
 				ruleSpec := []string{"-s", strings.Join(allowedIps, ",")}
+				if len(dstAllowedIps) > 0 {
+					ruleSpec = append(ruleSpec, "-d", strings.Join(dstAllowedIps, ","))
+				}
 				if aclRule.AllowedProtocol.String() != "" {
 					ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String())
 				}
@@ -889,6 +923,9 @@ func (i *iptablesManager) UpsertAclRule(server string, aclRule models.AclRule) {
 
 		} else {
 			ruleSpec := []string{"-s", strings.Join(allowedIps, ",")}
+			if len(dstAllowedIps) > 0 {
+				ruleSpec = append(ruleSpec, "-d", strings.Join(dstAllowedIps, ","))
+			}
 			if aclRule.AllowedProtocol.String() != "" {
 				ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String())
 			}
@@ -915,9 +952,15 @@ func (i *iptablesManager) UpsertAclRule(server string, aclRule models.AclRule) {
 	}
 	if len(aclRule.IP6List) > 0 {
 		allowedIps := []string{}
+		dstAllowedIps := []string{}
 		for _, ip := range aclRule.IP6List {
 			allowedIps = append(allowedIps, ip.String())
 		}
+		if len(aclRule.Dst6) > 0 {
+			for _, ip := range aclRule.Dst6 {
+				dstAllowedIps = append(dstAllowedIps, ip.String())
+			}
+		}
 		rulesSpec := [][]string{}
 		if len(aclRule.AllowedPorts) > 0 {
 
@@ -926,6 +969,9 @@ func (i *iptablesManager) UpsertAclRule(server string, aclRule models.AclRule) {
 					continue
 				}
 				ruleSpec := []string{"-s", strings.Join(allowedIps, ",")}
+				if len(dstAllowedIps) > 0 {
+					ruleSpec = append(ruleSpec, "-d", strings.Join(dstAllowedIps, ","))
+				}
 				if aclRule.AllowedProtocol.String() != "" {
 					ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String())
 				}
@@ -940,6 +986,9 @@ func (i *iptablesManager) UpsertAclRule(server string, aclRule models.AclRule) {
 
 		} else {
 			ruleSpec := []string{"-s", strings.Join(allowedIps, ",")}
+			if len(dstAllowedIps) > 0 {
+				ruleSpec = append(ruleSpec, "-d", strings.Join(dstAllowedIps, ","))
+			}
 			if aclRule.AllowedProtocol.String() != "" {
 				ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String())
 			}
diff --git a/go.mod b/go.mod
@@ -14,7 +14,7 @@ require (
 	github.com/google/nftables v0.3.0
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/websocket v1.5.3
-	github.com/gravitl/netmaker v1.0.1-0.20250829065133-ed913c1fb2b7
+	github.com/gravitl/netmaker v1.0.1-0.20250908022208-a3232234b3c9
 	github.com/gravitl/tcping v0.1.2-0.20230801110928-546055ebde06
 	github.com/guumaster/hostctl v1.1.4
 	github.com/hashicorp/go-version v1.7.0
@@ -41,28 +41,42 @@ require (
 
 require (
 	aead.dev/minisign v0.2.0 // indirect
+	cloud.google.com/go/auth v0.16.5 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
+	cloud.google.com/go/compute/metadata v0.8.0 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
+	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
 	github.com/containerd/log v0.1.0 // indirect
+	github.com/coreos/go-oidc/v3 v3.15.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/docker v25.0.6+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.8.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-playground/validator/v10 v10.27.0 // indirect
 	github.com/go-sql-driver/mysql v1.8.1 // indirect
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
+	github.com/goccy/go-json v0.10.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
+	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
 	github.com/goombaio/namegenerator v0.0.0-20181006234301-989e774b106e // indirect
+	github.com/gorilla/handlers v1.5.2 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -72,26 +86,37 @@ require (
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
+	github.com/kelseyhightower/envconfig v1.4.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.2 // indirect
+	github.com/lestrrat-go/httpcc v1.0.1 // indirect
+	github.com/lestrrat-go/iter v1.0.2 // indirect
+	github.com/lestrrat-go/jwx v1.2.29 // indirect
+	github.com/lestrrat-go/option v1.0.1 // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/mattn/go-sqlite3 v1.14.32 // indirect
 	github.com/mdlayher/genetlink v1.2.0 // indirect
 	github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 // indirect
 	github.com/mdlayher/socket v0.5.1 // indirect
+	github.com/okta/okta-sdk-golang/v5 v5.0.6 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.2 // indirect
+	github.com/patrickmn/go-cache v0.0.0-20180815053127-5633e0862627 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
 	github.com/petermattis/goid v0.0.0-20240813172612-4fcff4a6cae7 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/posthog/posthog-go v1.6.4 // indirect
+	github.com/pquerna/otp v1.5.0 // indirect
 	github.com/rivo/uniseg v0.4.6 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
 	github.com/rqlite/gorqlite v0.0.0-20240122221808-a8a425b1a6aa // indirect
 	github.com/sagikazarmark/locafero v0.7.0 // indirect
 	github.com/seancfoley/bintree v1.3.1 // indirect
 	github.com/seancfoley/ipaddress-go v1.7.1 // indirect
+	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.12.0 // indirect
 	github.com/spf13/cast v1.7.1 // indirect
@@ -107,13 +132,21 @@ require (
 	go.opentelemetry.io/otel/sdk v1.37.0 // indirect
 	go.opentelemetry.io/otel/trace v1.37.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
+	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
 	golang.org/x/mod v0.26.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
 	golang.org/x/sync v0.16.0 // indirect
 	golang.org/x/text v0.28.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
 	golang.org/x/tools v0.35.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
+	google.golang.org/api v0.248.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c // indirect
+	google.golang.org/grpc v1.74.2 // indirect
+	google.golang.org/protobuf v1.36.7 // indirect
+	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
+	gopkg.in/mail.v2 v2.3.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gorm.io/datatypes v1.2.6 // indirect
 	gorm.io/driver/mysql v1.5.6 // indirect
diff --git a/go.sum b/go.sum
