
Commit aa913d6

authored
NM-116: Acl Fixes (#3652)
* handle all resources tag on gw * add egress domain ranges to node acls * simplify extclient egress alloweips, handle nil acl rule * fix static node status check for gw acls * skip ns ip if contains network cidr * skip ns ip if contains network cidr * skip ns ip if contains network cidr
1 parent 061ae11 commit aa913d6


6 files changed

+107
-28
lines changed


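--- a/logic/acls.go
+++ b/logic/acls.go
@@ -50,16 +50,31 @@ func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
 if defaultDevicePolicy.Enabled {
 return
 }
+defer func() {
+if len(rules) == 0 && IsNodeAllowedToCommunicateWithAllRsrcs(node) {
+if node.NetworkRange.IP != nil {
+rules = append(rules, models.FwRule{
+SrcIP: node.NetworkRange,
+Allow: true,
+})
+}
+if node.NetworkRange6.IP != nil {
+rules = append(rules, models.FwRule{
+SrcIP: node.NetworkRange6,
+Allow: true,
+})
+}
+return
+}
+}()
+
 for _, nodeI := range nodes {
 if !nodeI.IsStatic || nodeI.IsUserNode {
 continue
 }
-if !node.StaticNode.Enabled {
+if !nodeI.StaticNode.Enabled {
 continue
 }
-// if nodeI.StaticNode.IngressGatewayID != node.ID.String() {
-// continue
-// }
 if IsNodeAllowedToCommunicateWithAllRsrcs(nodeI) {
 if nodeI.Address.IP != nil {
 rules = append(rules, models.FwRule{
@@ -525,7 +540,18 @@ func GetAclRulesForNode(targetnodeI *models.Node) (rules map[string]models.AclRu
 continue
 }
 if _, ok := eI.Nodes[targetnode.ID.String()]; ok {
-if eI.Range != "" {
+if servercfg.IsPro && eI.Domain != "" && len(eI.DomainAns) > 0 {
+for _, domainAnsI := range eI.DomainAns {
+ip, cidr, err := net.ParseCIDR(domainAnsI)
+if err == nil {
+if ip.To4() != nil {
+egressRanges4 = append(egressRanges4, *cidr)
+} else {
+egressRanges6 = append(egressRanges6, *cidr)
+}
+}
+}
+} else if eI.Range != "" {
 _, cidr, err := net.ParseCIDR(eI.Range)
 if err == nil {
 if cidr.IP.To4() != nil {
@@ -535,6 +561,7 @@ func GetAclRulesForNode(targetnodeI *models.Node) (rules map[string]models.AclRu
 }
 }
 }
+dstTags[targetnode.ID.String()] = struct{}{}
 }
 }
 break
@@ -544,7 +571,18 @@ func GetAclRulesForNode(targetnodeI *models.Node) (rules map[string]models.AclRu
 err := e.Get(db.WithContext(context.TODO()))
 if err == nil && e.Status && len(e.Nodes) > 0 {
 if _, ok := e.Nodes[targetnode.ID.String()]; ok {
-if e.Range != "" {
+if servercfg.IsPro && e.Domain != "" && len(e.DomainAns) > 0 {
+for _, domainAnsI := range e.DomainAns {
+ip, cidr, err := net.ParseCIDR(domainAnsI)
+if err == nil {
+if ip.To4() != nil {
+egressRanges4 = append(egressRanges4, *cidr)
+} else {
+egressRanges6 = append(egressRanges6, *cidr)
+}
+}
+}
+} else if e.Range != "" {
 _, cidr, err := net.ParseCIDR(e.Range)
 if err == nil {
 if cidr.IP.To4() != nil {
@@ -554,6 +592,7 @@ func GetAclRulesForNode(targetnodeI *models.Node) (rules map[string]models.AclRu
 }
 }
 }
+dstTags[targetnode.ID.String()] = struct{}{}
 }
 
 }
@@ -800,10 +839,10 @@ func GetEgressRulesForNode(targetnode models.Node) (rules map[string]models.AclR
 if node.ID == targetnode.ID {
 continue
 }
-if node.Address.IP != nil {
+if !node.IsStatic && node.Address.IP != nil {
 aclRule.IPList = append(aclRule.IPList, node.AddressIPNet4())
 }
-if node.Address6.IP != nil {
+if !node.IsStatic && node.Address6.IP != nil {
 aclRule.IP6List = append(aclRule.IP6List, node.AddressIPNet6())
 }
 if node.IsStatic && node.StaticNode.Address != "" {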
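Review bot: The domain-answer loop added in the second GetAclRulesForNode hunk (new lines 543-554) is repeated verbatim in the fourth hunk (new lines 574-585) with `e` in place of `eI`; both copies should call one helper so the parse-and-classify logic has a single owner (the sketch below assumes `egressRanges4`/`egressRanges6` are `[]net.IPNet`, as the `*cidr` appends imply). In both copies an entry of `DomainAns` that fails `net.ParseCIDR` is silently dropped, so a resolved answer stored as a bare address rather than a prefix would quietly yield no rule — if that shape can occur, log the skip or fall back to a host prefix. Note also that once the domain branch is taken `Range` is no longer consulted at all, which is only correct if an egress record never carries both. GetAclRulesForNode starts and ends outside these hunks.
```go
// appendParsedCIDRs sorts well-formed prefixes into the v4 and v6 range lists;
// entries that fail to parse are skipped, matching the inline loops today.
func appendParsedCIDRs(ranges4, ranges6 []net.IPNet, prefixes []string) ([]net.IPNet, []net.IPNet) {
	for _, p := range prefixes {
		ip, cidr, err := net.ParseCIDR(p)
		if err != nil {
			continue
		}
		if ip.To4() != nil {
			ranges4 = append(ranges4, *cidr)
		} else {
			ranges6 = append(ranges6, *cidr)
		}
	}
	return ranges4, ranges6
}

// … in GetAclRulesForNode, the same shape in both egress loops (eI and e) …
if servercfg.IsPro && eI.Domain != "" && len(eI.DomainAns) > 0 {
	egressRanges4, egressRanges6 = appendParsedCIDRs(egressRanges4, egressRanges6, eI.DomainAns)
} else if eI.Range != "" {
	// … unchanged: single-range handling …
```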

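--- a/logic/dns.go
+++ b/logic/dns.go
@@ -434,6 +434,25 @@ func validateNameserverReq(ns schema.Nameserver) error {
 if len(ns.Servers) == 0 {
 return errors.New("atleast one nameserver should be specified")
 }
+network, err := GetNetwork(ns.NetworkID)
+if err != nil {
+return errors.New("invalid network id")
+}
+_, cidr, err4 := net.ParseCIDR(network.AddressRange)
+_, cidr6, err6 := net.ParseCIDR(network.AddressRange6)
+for _, nsIPStr := range ns.Servers {
+nsIP := net.ParseIP(nsIPStr)
+if nsIP == nil {
+return errors.New("invalid nameserver " + nsIPStr)
+}
+if err4 == nil && nsIP.To4() != nil {
+if cidr.Contains(nsIP) {
+return errors.New("cannot use netmaker IP as nameserver")
+}
+} else if err6 == nil && cidr6.Contains(nsIP) {
+return errors.New("cannot use netmaker IP as nameserver")
+}
+}
 if !ns.MatchAll && len(ns.MatchDomains) == 0 {
 return errors.New("atleast one match domain is required")
 }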
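Review bot: The nineteen-line nameserver/network-range check added to validateNameserverReq here is duplicated byte-for-byte in pro/logic/dns.go's ValidateNameserverReq, which already imports logic; exporting the check once (for example `logic.ValidateNameserverIPs(ns)` returning the same errors) and calling it from the pro function keeps the two validators from drifting. The family-split condition can also be collapsed, since `IPNet.Contains` already returns false when the address family does not match the network's (barring a v6 range that itself covers the mapped ::ffff:0:0/96 space): `if (err4 == nil && cidr.Contains(nsIP)) || (err6 == nil && cidr6.Contains(nsIP)) { return errors.New("cannot use netmaker IP as nameserver") }`. The `GetNetwork` error is replaced by a fixed string; if fmt is already imported in this file, `fmt.Errorf("invalid network id: %w", err)` keeps the cause without changing the message prefix. validateNameserverReq continues past the hunk.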

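--- a/logic/extpeers.go
+++ b/logic/extpeers.go
@@ -70,23 +70,12 @@ func storeExtClientInCache(key string, extclient models.ExtClient) {
 func GetEgressRangesOnNetwork(client *models.ExtClient) ([]string, error) {
 
 var result []string
-networkNodes, err := GetNetworkNodes(client.Network)
-if err != nil {
-return []string{}, err
-}
 eli, _ := (&schema.Egress{Network: client.Network}).ListByNetwork(db.WithContext(context.TODO()))
-acls, _ := ListAclsByNetwork(models.NetworkID(client.Network))
-// clientNode := client.ConvertToStaticNode()
-for _, currentNode := range networkNodes {
-if currentNode.Network != client.Network {
+for _, eI := range eli {
+if !eI.Status || eI.Range == "" {
 continue
 }
-GetNodeEgressInfo(&currentNode, eli, acls)
-if currentNode.EgressDetails.IsEgressGateway { // add the egress gateway range(s) to the result
-if len(currentNode.EgressDetails.EgressGatewayRanges) > 0 {
-result = append(result, currentNode.EgressDetails.EgressGatewayRanges...)
-}
-}
+result = append(result, eI.Range)
 }
 extclients, _ := GetNetworkExtClients(client.Network)
 for _, extclient := range extclients {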
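Review bot: The rewrite removes the one error path GetEgressRangesOnNetwork had (the GetNetworkNodes failure) while the egress list it now depends on is read with `eli, _ :=`, so a failed ListByNetwork is indistinguishable from a network with no egress and the caller receives an empty range set instead of an error. Keep the error visible: `eli, err := (&schema.Egress{Network: client.Network}).ListByNetwork(db.WithContext(context.TODO()))` followed by `if err != nil { return []string{}, err }`, matching the shape the removed lines returned. Egress records expressed through `Domain`/`DomainAns` (the shape this commit starts honouring in logic/acls.go) have an empty `Range` and are skipped here, so ext clients would not receive those prefixes if that is intended — worth confirming. The function's remaining body and return are outside the hunk.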

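--- a/logic/peers.go
+++ b/logic/peers.go
@@ -149,10 +149,11 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 }
 defer func() {
 if !hostPeerUpdate.FwUpdate.AllowAll {
-
-hostPeerUpdate.FwUpdate.EgressInfo["allowed-network-rules"] = models.EgressInfo{
-EgressID: "allowed-network-rules",
-EgressFwRules: make(map[string]models.AclRule),
+if len(hostPeerUpdate.FwUpdate.AllowedNetworks) > 0 {
+hostPeerUpdate.FwUpdate.EgressInfo["allowed-network-rules"] = models.EgressInfo{
+EgressID: "allowed-network-rules",
+EgressFwRules: make(map[string]models.AclRule),
+}
 }
 for _, aclRule := range hostPeerUpdate.FwUpdate.AllowedNetworks {
 hostPeerUpdate.FwUpdate.AclRules[aclRule.ID] = aclRule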
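Review bot: The `allowed-network-rules` entry is now created only when `AllowedNetworks` is non-empty, so any later code in this deferred function or in its consumers (outside the hunk) that indexes `hostPeerUpdate.FwUpdate.EgressInfo["allowed-network-rules"]` without a presence check gets a zero `models.EgressInfo` whose `EgressFwRules` map is nil, and a write into it panics. The loop that follows ranges over the same `AllowedNetworks` slice and is therefore safe, but anything beyond it should use the `, ok` form or the same length test. A one-line comment above the new condition saying why the empty entry is omitted (presumably so clients are not sent an empty rule set — confirm) would make the intent durable. GetPeerUpdateForHost starts and ends outside the hunk.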

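--- a/migrate/migrate.go
+++ b/migrate/migrate.go
@@ -5,6 +5,7 @@ import (
 "encoding/json"
 "fmt"
 "log"
+"net"
 "os"
 "time"
 
@@ -63,6 +64,10 @@ func migrateNameservers() {
 }
 
 for _, netI := range nets {
+_, cidr, err := net.ParseCIDR(netI.AddressRange)
+if err != nil {
+continue
+}
 if len(netI.NameServers) > 0 {
 ns := schema.Nameserver{
 ID: uuid.NewString(),
@@ -78,8 +83,14 @@ func migrateNameservers() {
 Status: true,
 CreatedBy: user.UserName,
 }
-for _, ip := range netI.NameServers {
-ns.Servers = append(ns.Servers, ip)
+
+for _, nsIP := range netI.NameServers {
+if net.ParseIP(nsIP) == nil {
+continue
+}
+if !cidr.Contains(net.ParseIP(nsIP)) {
+ns.Servers = append(ns.Servers, nsIP)
+}
 }
 ns.Create(db.WithContext(context.TODO()))
 netI.NameServers = []string{}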
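Review bot: The new `continue` at the top of the loop in migrateNameservers (new lines 67-70) skips a network entirely when `AddressRange` does not parse, so an IPv6-only network or one with a blank v4 range never has its nameservers migrated; a missing range should disable that family's filter rather than abort the network. Only the v4 range is used for the containment test, whereas the validator this commit adds in logic/dns.go also checks `AddressRange6`, so a v6 resolver inside the network's v6 range would be migrated and then rejected on the next validation (assuming `netI` is the same network type GetNetwork returns). `net.ParseIP(nsIP)` is also called twice per entry, and when every server is filtered out `ns.Create` still persists a record with an empty `Servers` list, which that validator refuses. The sketch below parses once, tolerates either range being absent, and skips the create when nothing survives; the existing behaviour of ignoring the `Create` error is left as it was.
```go
for _, netI := range nets {
	// A missing or unparsable range simply disables that family's filter.
	_, cidr4, _ := net.ParseCIDR(netI.AddressRange)
	_, cidr6, _ := net.ParseCIDR(netI.AddressRange6)
	// … unchanged: if len(netI.NameServers) > 0 { ns := schema.Nameserver{ … } …
	for _, nsIP := range netI.NameServers {
		ip := net.ParseIP(nsIP)
		if ip == nil {
			continue
		}
		if (cidr4 != nil && cidr4.Contains(ip)) || (cidr6 != nil && cidr6.Contains(ip)) {
			continue
		}
		ns.Servers = append(ns.Servers, nsIP)
	}
	if len(ns.Servers) > 0 {
		ns.Create(db.WithContext(context.TODO()))
	}
	// … unchanged: netI.NameServers = []string{} and the rest of the loop body …
```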

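--- a/pro/logic/dns.go
+++ b/pro/logic/dns.go
@@ -3,6 +3,7 @@ package logic
 import (
 "context"
 "errors"
+"net"
 
 "github.com/gravitl/netmaker/db"
 "github.com/gravitl/netmaker/logic"
@@ -20,6 +21,25 @@ func ValidateNameserverReq(ns schema.Nameserver) error {
 if len(ns.Servers) == 0 {
 return errors.New("atleast one nameserver should be specified")
 }
+network, err := logic.GetNetwork(ns.NetworkID)
+if err != nil {
+return errors.New("invalid network id")
+}
+_, cidr, err4 := net.ParseCIDR(network.AddressRange)
+_, cidr6, err6 := net.ParseCIDR(network.AddressRange6)
+for _, nsIPStr := range ns.Servers {
+nsIP := net.ParseIP(nsIPStr)
+if nsIP == nil {
+return errors.New("invalid nameserver " + nsIPStr)
+}
+if err4 == nil && nsIP.To4() != nil {
+if cidr.Contains(nsIP) {
+return errors.New("cannot use netmaker IP as nameserver")
+}
+} else if err6 == nil && cidr6.Contains(nsIP) {
+return errors.New("cannot use netmaker IP as nameserver")
+}
+}
 if !ns.MatchAll && len(ns.MatchDomains) == 0 {
 return errors.New("atleast one match domain is required")
 }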
