
Commit 82175e6

committed
fix(action): Add single IP condition
The current limitation of the fw library makes it impossible to install a filter with multiple IP addresses, so we shrink the list to a single item
1 parent 7b6f483 commit 82175e6


1 file changed

+38
-47
lines changed

1 file changed

+38
-47
lines changed

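--- a/pkg/rules/action/isolate_windows.go
+++ b/pkg/rules/action/isolate_windows.go
@@ -69,25 +69,28 @@ func (f *firewall) allow(whitelist []net.IP) error {
 f.mu.Lock()
 defer f.mu.Unlock()
 f.inbound = &wf.Rule{
-ID: inboundAllowRuleID,
-Name: inboundAllowRuleName,
-Layer: wf.LayerInboundIPPacketV4,
-Action: wf.ActionPermit,
-Conditions: []*wf.Match{
-{Field: wf.FieldIPLocalAddress, Op: wf.MatchTypeEqual, Value: netip.AddrFrom4([4]byte{127, 0, 0, 1})},
-{Field: wf.FieldIPRemoteAddress, Op: wf.MatchTypeEqual, Value: netip.AddrFrom4([4]byte{127, 0, 0, 1})},
-},
+ID: inboundAllowRuleID,
+Name: inboundAllowRuleName,
+Layer: wf.LayerInboundIPPacketV4,
+Action: wf.ActionPermit,
+Conditions: make([]*wf.Match, 0),
 }
 
 f.outbound = &wf.Rule{
-ID: outboundAllowRuleID,
-Name: outboundAllowRuleName,
-Layer: wf.LayerOutboundIPPacketV4,
-Action: wf.ActionPermit,
-Conditions: []*wf.Match{
-{Field: wf.FieldIPLocalAddress, Op: wf.MatchTypeEqual, Value: netip.AddrFrom4([4]byte{127, 0, 0, 1})},
-{Field: wf.FieldIPRemoteAddress, Op: wf.MatchTypeEqual, Value: netip.AddrFrom4([4]byte{127, 0, 0, 1})},
-},
+ID: outboundAllowRuleID,
+Name: outboundAllowRuleName,
+Layer: wf.LayerOutboundIPPacketV4,
+Action: wf.ActionPermit,
+Conditions: make([]*wf.Match, 0),
+}
+
+// The current limitation of the fw
+// library, makes it impossible to
+// install a filter with multiple IP
+// addresses, so we shrink the list
+// to use a single item
+if len(whitelist) > 0 {
+whitelist = whitelist[:1]
 }
 
 for _, addr := range whitelist {
@@ -157,11 +160,13 @@ func (f *firewall) hasAllowRules() bool {
 }
 
 func (f *firewall) addIPCondition(addr net.IP) {
-ip := netip.AddrFrom4([4]byte(addr))
-f.inbound.Conditions = append(f.inbound.Conditions, &wf.Match{Field: wf.FieldIPLocalAddress, Op: wf.MatchTypeEqual, Value: ip})
-f.inbound.Conditions = append(f.inbound.Conditions, &wf.Match{Field: wf.FieldIPRemoteAddress, Op: wf.MatchTypeEqual, Value: ip})
-f.outbound.Conditions = append(f.outbound.Conditions, &wf.Match{Field: wf.FieldIPLocalAddress, Op: wf.MatchTypeEqual, Value: ip})
-f.outbound.Conditions = append(f.outbound.Conditions, &wf.Match{Field: wf.FieldIPRemoteAddress, Op: wf.MatchTypeEqual, Value: ip})
+ip, err := netip.ParseAddr(addr.String())
+if err == nil {
+f.inbound.Conditions = append(f.inbound.Conditions, &wf.Match{Field: wf.FieldIPLocalAddress, Op: wf.MatchTypeEqual, Value: ip})
+f.inbound.Conditions = append(f.inbound.Conditions, &wf.Match{Field: wf.FieldIPRemoteAddress, Op: wf.MatchTypeEqual, Value: ip})
+f.outbound.Conditions = append(f.outbound.Conditions, &wf.Match{Field: wf.FieldIPLocalAddress, Op: wf.MatchTypeEqual, Value: ip})
+f.outbound.Conditions = append(f.outbound.Conditions, &wf.Match{Field: wf.FieldIPRemoteAddress, Op: wf.MatchTypeEqual, Value: ip})
+}
 }
 
 func (f *firewall) hasIPCondition(addr net.IP) bool {
@@ -177,7 +182,12 @@ func (f *firewall) hasIPCondition(addr net.IP) bool {
 continue
 }
 
-if netip.AddrFrom4([4]byte(addr)) == address {
+netaddr, err := netip.ParseAddr(addr.String())
+if err != nil {
+continue
+}
+
+if netaddr == address {
 return true
 }
 }
@@ -192,7 +202,12 @@ func (f *firewall) hasIPCondition(addr net.IP) bool {
 continue
 }
 
-if netip.AddrFrom4([4]byte(addr)) == address {
+netaddr, err := netip.ParseAddr(addr.String())
+if err != nil {
+continue
+}
+
+if netaddr == address {
 return true
 }
 }
@@ -223,30 +238,6 @@ func Isolate(whitelist []net.IP) error {
 }
 
 switch {
-case fw.hasAllowRules() && len(whitelist) > 0:
-// rules were added and the whitelist
-// is given in the action. Check if
-// the given permitted addresses contain
-// an item that is not already in the
-// allowed rules conditions.
-refresh := true
-for _, addr := range whitelist {
-if fw.hasIPCondition(addr) {
-refresh = false
-break
-} else {
-fw.addIPCondition(addr)
-}
-}
-
-if refresh {
-if err := fw.removeAllowRules(); err != nil {
-return err
-}
-return fw.allow(whitelist)
-}
-
-return nil
 case fw.hasAllowRules():
 // rules were added and no new permitted
 // addresses are supplied in the action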
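Review bot: The truncation `whitelist = whitelist[:1]` at new lines 92-93 of allow() silently drops every address after the first, so a caller that passes several permitted hosts (for example a management endpoint plus a fallback) ends up with a narrower allow list than it asked for and gets neither an error nor a log line, and the same silent narrowing happens in addIPCondition, where an address that `netip.ParseAddr` rejects is simply skipped by the `if err == nil` guard. Both should be surfaced to the caller, e.g. `if len(whitelist) > 1 { return fmt.Errorf("allow: only one whitelisted address is supported, got %d", len(whitelist)) }` before the loop (or at least a log naming the dropped addresses), and a logged error in addIPCondition instead of a bare `err == nil`. The string round-trip `netip.ParseAddr(addr.String())` in addIPCondition and in both hasIPCondition loops can also be replaced by `netip.AddrFromSlice(addr)` followed by `.Unmap()`, which handles 4-in-6 `net.IP` values without formatting, and an explicit `Is4()` check would reject an IPv6 entry before it is attached to the IPv4-only inbound/outbound layers (whether the wf library rejects that itself is not visible here). The body of allow() continues past the first hunk at the `for _, addr := range whitelist` loop, and hasIPCondition parses the same address once per condition, which would be cheaper done once before each loop.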
