
Commit 1b6c87e

fix(action): Add single IP condition
The current limitation of the fw library, makes it impossible to install a filter with multiple IP addresses, so we shrink the list to always append the first IP address in the list.
1 parent 372e54c commit 1b6c87e


1 file changed

+40
-47
lines changed

1 file changed

+40
-47
lines changed

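--- a/pkg/rules/action/isolate_windows.go
+++ b/pkg/rules/action/isolate_windows.go
@@ -69,25 +69,28 @@ func (f *firewall) allow(whitelist []net.IP) error {
 	f.mu.Lock()
 	defer f.mu.Unlock()
 	f.inbound = &wf.Rule{
-		ID: inboundAllowRuleID,
-		Name: inboundAllowRuleName,
-		Layer: wf.LayerInboundIPPacketV4,
-		Action: wf.ActionPermit,
-		Conditions: []*wf.Match{
-			{Field: wf.FieldIPLocalAddress, Op: wf.MatchTypeEqual, Value: netip.AddrFrom4([4]byte{127, 0, 0, 1})},
-			{Field: wf.FieldIPRemoteAddress, Op: wf.MatchTypeEqual, Value: netip.AddrFrom4([4]byte{127, 0, 0, 1})},
-		},
+		ID: inboundAllowRuleID,
+		Name: inboundAllowRuleName,
+		Layer: wf.LayerInboundIPPacketV4,
+		Action: wf.ActionPermit,
+		Conditions: make([]*wf.Match, 0),
 	}
 
 	f.outbound = &wf.Rule{
-		ID: outboundAllowRuleID,
-		Name: outboundAllowRuleName,
-		Layer: wf.LayerOutboundIPPacketV4,
-		Action: wf.ActionPermit,
-		Conditions: []*wf.Match{
-			{Field: wf.FieldIPLocalAddress, Op: wf.MatchTypeEqual, Value: netip.AddrFrom4([4]byte{127, 0, 0, 1})},
-			{Field: wf.FieldIPRemoteAddress, Op: wf.MatchTypeEqual, Value: netip.AddrFrom4([4]byte{127, 0, 0, 1})},
-		},
+		ID: outboundAllowRuleID,
+		Name: outboundAllowRuleName,
+		Layer: wf.LayerOutboundIPPacketV4,
+		Action: wf.ActionPermit,
+		Conditions: make([]*wf.Match, 0),
+	}
+
+	// The current limitation of the fw
+	// library, makes it impossible to
+	// install a filter with multiple IP
+	// addresses, so we shrink the list
+	// to use a single item
+	if len(whitelist) > 0 {
+		whitelist = whitelist[:1]
 	}
 
 	for _, addr := range whitelist {
@@ -144,6 +147,7 @@ func (f *firewall) findAllowRules() error {
 	return nil
 }
 
+//nolint:unused
 func (f *firewall) removeAllowRules() error {
 	f.mu.Lock()
 	defer f.mu.Unlock()
@@ -157,13 +161,16 @@ func (f *firewall) hasAllowRules() bool {
 }
 
 func (f *firewall) addIPCondition(addr net.IP) {
-	ip := netip.AddrFrom4([4]byte(addr))
-	f.inbound.Conditions = append(f.inbound.Conditions, &wf.Match{Field: wf.FieldIPLocalAddress, Op: wf.MatchTypeEqual, Value: ip})
-	f.inbound.Conditions = append(f.inbound.Conditions, &wf.Match{Field: wf.FieldIPRemoteAddress, Op: wf.MatchTypeEqual, Value: ip})
-	f.outbound.Conditions = append(f.outbound.Conditions, &wf.Match{Field: wf.FieldIPLocalAddress, Op: wf.MatchTypeEqual, Value: ip})
-	f.outbound.Conditions = append(f.outbound.Conditions, &wf.Match{Field: wf.FieldIPRemoteAddress, Op: wf.MatchTypeEqual, Value: ip})
+	ip, err := netip.ParseAddr(addr.String())
+	if err == nil {
+		f.inbound.Conditions = append(f.inbound.Conditions, &wf.Match{Field: wf.FieldIPLocalAddress, Op: wf.MatchTypeEqual, Value: ip})
+		f.inbound.Conditions = append(f.inbound.Conditions, &wf.Match{Field: wf.FieldIPRemoteAddress, Op: wf.MatchTypeEqual, Value: ip})
+		f.outbound.Conditions = append(f.outbound.Conditions, &wf.Match{Field: wf.FieldIPLocalAddress, Op: wf.MatchTypeEqual, Value: ip})
+		f.outbound.Conditions = append(f.outbound.Conditions, &wf.Match{Field: wf.FieldIPRemoteAddress, Op: wf.MatchTypeEqual, Value: ip})
+	}
 }
 
+//nolint:unused
 func (f *firewall) hasIPCondition(addr net.IP) bool {
 	f.mu.Lock()
 	defer f.mu.Unlock()
@@ -177,7 +184,12 @@ func (f *firewall) hasIPCondition(addr net.IP) bool {
 			continue
 		}
 
-		if netip.AddrFrom4([4]byte(addr)) == address {
+		netaddr, err := netip.ParseAddr(addr.String())
+		if err != nil {
+			continue
+		}
+
+		if netaddr == address {
 			return true
 		}
 	}
@@ -192,7 +204,12 @@ func (f *firewall) hasIPCondition(addr net.IP) bool {
 			continue
 		}
 
-		if netip.AddrFrom4([4]byte(addr)) == address {
+		netaddr, err := netip.ParseAddr(addr.String())
+		if err != nil {
+			continue
+		}
+
+		if netaddr == address {
 			return true
 		}
 	}
@@ -223,30 +240,6 @@ func Isolate(whitelist []net.IP) error {
 	}
 
 	switch {
-	case fw.hasAllowRules() && len(whitelist) > 0:
-		// rules were added and the whitelist
-		// is given in the action. Check if
-		// the given permitted addresses contain
-		// an item that is not already in the
-		// allowed rules conditions.
-		refresh := true
-		for _, addr := range whitelist {
-			if fw.hasIPCondition(addr) {
-				refresh = false
-				break
-			} else {
-				fw.addIPCondition(addr)
-			}
-		}
-
-		if refresh {
-			if err := fw.removeAllowRules(); err != nil {
-				return err
-			}
-			return fw.allow(whitelist)
-		}
-
-		return nil
 	case fw.hasAllowRules():
 		// rules were added and no new permitted
 		// addresses are supplied in the action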
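Review bot: In the first hunk of `allow`, both permit rules are now created with `Conditions: make([]*wf.Match, 0)` and only receive conditions from the `for _, addr := range whitelist` loop, so an empty whitelist leaves `f.inbound` and `f.outbound` as permit rules with no conditions; in WFP a filter with no conditions matches all traffic, so if the remainder of `allow` (which continues outside the hunk) still installs those rules, an empty whitelist would open the host rather than isolate it. A fail-closed guard before the rules are built, `if len(whitelist) == 0 { return errors.New("isolate: whitelist must contain at least one address") }` (or a check that each rule carries at least one condition before it is installed), would remove that path. The `whitelist = whitelist[:1]` truncation also silently discards every address after the first, which the caller of `Isolate` cannot observe; that limit belongs in the doc comment of `Isolate`, e.g. `// Only the first address in whitelist is permitted; the fw library cannot install a filter with multiple addresses.`, so operators do not assume the remaining hosts stay reachable. Relatedly, `addIPCondition` drops any `netip.ParseAddr` failure inside `if err == nil {…}` with no log or return value, so a malformed entry vanishes from the permit set without a trace; returning or logging that error would make the resulting rule set auditable.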