From a3fe0a709660596602872c4e0313f8e020dc6d89 Mon Sep 17 00:00:00 2001
From: abhishek9686
Date: Wed, 20 Nov 2024 16:28:07 +0400
Subject: [PATCH 01/24] handle acl rules on client
---
 firewall/acl.go | 38 +++++++++
 firewall/firewall.go | 7 ++
 firewall/firewall_nonlinux.go | 11 +++
 firewall/iptables_linux.go | 144 ++++++++++++++++++++++++++++++++++
 firewall/nftables_linux.go | 12 +++
 go.mod | 12 ++-
 go.sum | 54 +++++++++++++
 7 files changed, 277 insertions(+), 1 deletion(-)
 create mode 100644 firewall/acl.go
diff --git a/firewall/acl.go b/firewall/acl.go
new file mode 100644
index 00000000..f306f08f
--- /dev/null
+++ b/firewall/acl.go
@@ -0,0 +1,38 @@
+package firewall
+
+import (
+ "reflect"
+
+ "github.com/gravitl/netmaker/models"
+)
+
+func ProcessAclRules(server string, aclRules map[string]models.AclRule) {
+ if fwCrtl == nil {
+ return
+ }
+ ruleTable := fwCrtl.FetchRuleTable(server, aclTable)
+ if len(ruleTable) == 0 && len(aclRules) > 0 {
+ fwCrtl.AddAclRules(server, aclRules)
+ return
+ }
+ // add new acl rules
+ for _, aclRule := range aclRules {
+ if _, ok := ruleTable[aclRule.ID]; !ok {
+ fwCrtl.UpsertAclRule(server, aclRule)
+ } else {
+ // check if there is a update
+ ruleCfg := ruleTable[aclRule.ID]
+ localAclRule := ruleCfg.extraInfo.(models.AclRule)
+ if (len(localAclRule.IPList) != len(aclRule.IPList)) ||
+ (!reflect.DeepEqual(localAclRule.IPList, aclRule.IPList)) ||
+ (len(localAclRule.IP6List) != len(aclRule.IP6List)) ||
+ (!reflect.DeepEqual(localAclRule.IP6List, aclRule.IP6List)) ||
+ (len(localAclRule.AllowedPorts) != len(aclRule.AllowedPorts)) ||
+ (!reflect.DeepEqual(localAclRule.AllowedPorts, aclRule.AllowedPorts)) ||
+ (localAclRule.Direction) != aclRule.Direction {
+ fwCrtl.DeleteAclRule(server, aclRule.ID)
+ fwCrtl.UpsertAclRule(server, aclRule)
+ }
+ }
+ }
+}
diff --git a/firewall/firewall.go b/firewall/firewall.go
index fd3fb3c6..ec69dd69 100644
--- a/firewall/firewall.go
+++ b/firewall/firewall.go
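Review bot: ProcessAclRules never removes a policy that has disappeared from aclRules, so an ACL deleted on the server keeps its ACCEPT rules in the firewall until the rule table is reset by some other path; a pass over ruleTable deleting ids that aclRules no longer contains belongs after the add/update loop. The assertion `ruleCfg.extraInfo.(models.AclRule)` is unchecked and panics for an entry stored without extraInfo (AddAclRules in this patch creates a placeholder entry before it knows whether any rule was inserted), so use the two-value form and treat a miss as an update. The `len(...) != len(...)` terms are redundant, since reflect.DeepEqual already returns false for slices of different length.
```go
			// check if there is a update; a missing or foreign extraInfo counts as one
			ruleCfg := ruleTable[aclRule.ID]
			localAclRule, ok := ruleCfg.extraInfo.(models.AclRule)
			if !ok || !reflect.DeepEqual(localAclRule.IPList, aclRule.IPList) ||
				!reflect.DeepEqual(localAclRule.IP6List, aclRule.IP6List) ||
				!reflect.DeepEqual(localAclRule.AllowedPorts, aclRule.AllowedPorts) ||
				localAclRule.Direction != aclRule.Direction {
				fwCrtl.DeleteAclRule(server, aclRule.ID)
				fwCrtl.UpsertAclRule(server, aclRule)
			}
	// … unchanged: closing braces of the else branch and the range loop …
	// remove policies the server no longer sends so their ACCEPT rules do not linger
	for id := range ruleTable {
		if _, ok := aclRules[id]; !ok {
			fwCrtl.DeleteAclRule(server, id)
		}
	}
```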
@@ -17,6 +17,7 @@ type rulesCfg struct {
 type ruleInfo struct {
 rule []string
+ isIpv4 bool
 nfRule any
 table string
 chain string
@@ -46,6 +47,12 @@ type firewallController interface {
 InsertEgressRoutingRules(server string, egressInfo models.EgressInfo) error
 // InsertIngressRoutingRules - inserts fw rules on ingress gw
 InsertIngressRoutingRules(server string, ingressInfo models.IngressInfo) error
+ // AddAclRules - inserts all rules related to acl policy
+ AddAclRules(server string, aclRules map[string]models.AclRule)
+ // UpsertAclRules - update a acl policy rules
+ UpsertAclRule(server string, aclRule models.AclRule)
+ // DeleteAclRule - cleanup all the rules associated with a acl policy
+ DeleteAclRule(server, aclID string)
 // RemoveRoutingRules removes all routing rules firewall rules of a peer
 RemoveRoutingRules(server, tableName, peerKey string) error
 // DeleteRoutingRule removes rules related to a peer
diff --git a/firewall/firewall_nonlinux.go b/firewall/firewall_nonlinux.go
index 398409b0..da59c590 100644
--- a/firewall/firewall_nonlinux.go
+++ b/firewall/firewall_nonlinux.go
@@ -55,6 +55,17 @@ func (unimplementedFirewall) AddEgressRoutingRule(server string, egressInfo mode
 func (unimplementedFirewall) DeleteRuleTable(server, ruleTableName string) {
+}
+
+func (unimplementedFirewall) AddAclRules(server string, aclRules map[string]models.AclRule) {
+
+}
+func (unimplementedFirewall) UpsertAclRule(server string, aclRule models.AclRule) {
+
+}
+
+func (unimplementedFirewall) DeleteAclRule(server string, aclID string) {
+
 }
 func (unimplementedFirewall) RestrictUserToUserComms(server string, ingressInfo models.IngressInfo) error {
 return nil
diff --git a/firewall/iptables_linux.go b/firewall/iptables_linux.go
index e3e04504..cb9d4ca2 100644
--- a/firewall/iptables_linux.go
+++ b/firewall/iptables_linux.go
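Review bot: The new `isIpv4` field's zero value means "IPv6" to DeleteAclRule later in this series, so any ruleInfo built without setting it is deleted through the IPv6 client; a comment on the field making that explicit, e.g. `isIpv4 bool // true when installed through ipv4Client; the zero value selects ipv6Client`, would spare the next author the surprise. Go's initialism convention would spell it `isIPv4`. The ruleInfo struct's closing line is outside the hunk.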
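Review bot: The three new firewallController methods return nothing, unlike the neighbouring InsertEgressRoutingRules and InsertIngressRoutingRules which return error, so ProcessAclRules cannot tell whether a rule was actually installed and a failed insert is visible only in the log; returning `error` from AddAclRules, UpsertAclRule and DeleteAclRule would keep the interface consistent and let the caller react. The doc comment `// UpsertAclRules - update a acl policy rules` names a method that does not exist; it should read `// UpsertAclRule - replaces the rules of an acl policy` to match the `UpsertAclRule` declaration under it.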
@@ -480,6 +480,150 @@ func (i *iptablesManager) AddEgressRoutingRule(server string, egressInfo models.
 return nil
 }
+func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models.AclRule) {
+ ruleTable := i.FetchRuleTable(server, aclTable)
+ defer i.SaveRules(server, aclTable, ruleTable)
+ i.mux.Lock()
+ defer i.mux.Unlock()
+
+ for _, aclRule := range aclRules {
+ rules := []ruleInfo{}
+ if _, ok := ruleTable[aclRule.ID]; !ok {
+ ruleTable[aclRule.ID] = rulesCfg{
+ rulesMap: make(map[string][]ruleInfo),
+ }
+ }
+ if len(aclRule.IPList) > 0 {
+ allowedIps := []string{}
+ for _, ip := range aclRule.IPList {
+ allowedIps = append(allowedIps, ip.String())
+ }
+ ruleSpec := []string{"-s", strings.Join(allowedIps, ","), "-j", "ACCEPT"}
+ err := i.ipv4Client.Insert(defaultIpTable, aclInputRulesChain, 1, ruleSpec...)
+ if err != nil {
+ logger.Log(1, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error()))
+ } else {
+ rules = append(rules, ruleInfo{
+ isIpv4: true,
+ table: defaultIpTable,
+ chain: aclInputRulesChain,
+ rule: ruleSpec,
+ })
+
+ }
+ }
+ if len(aclRule.IP6List) > 0 {
+ allowedIps := []string{}
+ for _, ip := range aclRule.IP6List {
+ allowedIps = append(allowedIps, ip.String())
+ }
+ ruleSpec := []string{"-s", strings.Join(allowedIps, ","), "-j", "ACCEPT"}
+ err := i.ipv6Client.Insert(defaultIpTable, aclInputRulesChain, 1, ruleSpec...)
+ if err != nil {
+ logger.Log(1, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error()))
+ } else {
+ rules = append(rules, ruleInfo{
+ table: defaultIpTable,
+ chain: aclInputRulesChain,
+ rule: ruleSpec,
+ })
+ }
+ }
+ if len(rules) > 0 {
+ rCfg := rulesCfg{
+ rulesMap: map[string][]ruleInfo{
+ aclRule.ID: rules,
+ },
+ extraInfo: aclRule,
+ }
+ ruleTable[aclRule.ID] = rCfg
+ }
+ }
+}
+
+func (i *iptablesManager) UpsertAclRule(server string, aclRule models.AclRule) {
+ ruleTable := i.FetchRuleTable(server, aclTable)
+ defer i.SaveRules(server, aclTable, ruleTable)
+ i.mux.Lock()
+ defer i.mux.Unlock()
+ ruleTable[aclRule.ID] = rulesCfg{
+ rulesMap: make(map[string][]ruleInfo),
+ }
+ rules := []ruleInfo{}
+ if _, ok := ruleTable[aclRule.ID]; !ok {
+ ruleTable[aclRule.ID] = rulesCfg{
+ rulesMap: make(map[string][]ruleInfo),
+ }
+ }
+ if len(aclRule.IPList) > 0 {
+ allowedIps := []string{}
+ for _, ip := range aclRule.IPList {
+ allowedIps = append(allowedIps, ip.String())
+ }
+ ruleSpec := []string{"-s", strings.Join(allowedIps, ","), "-j", "ACCEPT"}
+ err := i.ipv4Client.Insert(defaultIpTable, aclInputRulesChain, 1, ruleSpec...)
+ if err != nil {
+ logger.Log(1, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error()))
+ } else {
+ rules = append(rules, ruleInfo{
+ isIpv4: true,
+ table: defaultIpTable,
+ chain: aclInputRulesChain,
+ rule: ruleSpec,
+ })
+
+ }
+ }
+ if len(aclRule.IP6List) > 0 {
+ allowedIps := []string{}
+ for _, ip := range aclRule.IP6List {
+ allowedIps = append(allowedIps, ip.String())
+ }
+ ruleSpec := []string{"-s", strings.Join(allowedIps, ","), "-j", "ACCEPT"}
+ err := i.ipv6Client.Insert(defaultIpTable, aclInputRulesChain, 1, ruleSpec...)
+ if err != nil {
+ logger.Log(1, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error()))
+ } else {
+ rules = append(rules, ruleInfo{
+ table: defaultIpTable,
+ chain: aclInputRulesChain,
+ rule: ruleSpec,
+ })
+ }
+ }
+ if len(rules) > 0 {
+ rCfg := rulesCfg{
+ rulesMap: map[string][]ruleInfo{
+ aclRule.ID: rules,
+ },
+ extraInfo: aclRule,
+ }
+ ruleTable[aclRule.ID] = rCfg
+ }
+
+}
+
+func (i *iptablesManager) DeleteAclRule(server, aclID string) {
+ ruleTable := i.FetchRuleTable(server, aclTable)
+ defer i.SaveRules(server, aclTable, ruleTable)
+ i.mux.Lock()
+ defer i.mux.Unlock()
+ rulesCfg, ok := ruleTable[aclID]
+ if !ok {
+ return
+ }
+ rules := rulesCfg.rulesMap[aclID]
+ for _, rule := range rules {
+ if rule.isIpv4 {
+ i.ipv4Client.DeleteIfExists(rule.table, rule.chain, rule.rule...)
+ } else {
+ i.ipv6Client.DeleteIfExists(rule.table, rule.chain, rule.rule...)
+ }
+ }
+ delete(ruleTable, aclID)
+
+}
+
 func (i *iptablesManager) cleanup(table, chain string) {
 err := i.ipv4Client.ClearAndDeleteChain(table, chain)
diff --git a/firewall/nftables_linux.go b/firewall/nftables_linux.go
index c696efaf..36e97508 100644
--- a/firewall/nftables_linux.go
+++ b/firewall/nftables_linux.go
@@ -937,3 +937,15 @@ func (n *nftablesManager) InsertIngressRoutingRules(server string, ingressInfo m
 ruleTable[ingressInfo.IngressID] = ingressRules
 return nil
 }
+
+func (n *nftablesManager) AddAclRules(server string, aclRules map[string]models.AclRule) {
+
+}
+
+func (n *nftablesManager) UpsertAclRule(server string, aclRule models.AclRule) {
+
+}
+
+func (n *nftablesManager) DeleteAclRule(server, aclID string) {
+
+}
diff --git a/go.mod b/go.mod
index dc702d4c..0da64f51 100644
--- a/go.mod
+++ b/go.mod
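Review bot: The ACCEPT rules built in AddAclRules and UpsertAclRule match only `-s <list>`, so if AllowedPorts and Direction on models.AclRule are meant to constrain a policy (ProcessAclRules in this series compares both before re-creating a rule), every listed source is accepted on every port and protocol; either derive `-p`/`--dport` matches from AllowedPorts here or state in a comment that ports and direction are not yet enforced. UpsertAclRule overwrites `ruleTable[aclRule.ID]` before the `!ok` check (which is therefore dead) and never deletes the iptables rules the old entry tracked, so calling it for a changed policy leaves the previous ACCEPT rules orphaned in the chain; the cleanup below mirrors DeleteAclRule. The IPv4/IPv6 insert bodies are duplicated between the two functions and could be one helper, the DeleteIfExists errors in DeleteAclRule are dropped, and `rulesCfg, ok :=` there shadows the rulesCfg type. Because defers run in reverse, SaveRules executes after `i.mux` is released, which is only safe if SaveRules takes its own lock — worth confirming.
```go
func (i *iptablesManager) UpsertAclRule(server string, aclRule models.AclRule) {
	ruleTable := i.FetchRuleTable(server, aclTable)
	defer i.SaveRules(server, aclTable, ruleTable)
	i.mux.Lock()
	defer i.mux.Unlock()
	// remove the rules tracked for this policy before re-adding, so a changed
	// IP list does not leave the previous ACCEPT rules behind in the chain
	if old, ok := ruleTable[aclRule.ID]; ok {
		for _, rule := range old.rulesMap[aclRule.ID] {
			client := i.ipv6Client
			if rule.isIpv4 {
				client = i.ipv4Client
			}
			if err := client.DeleteIfExists(rule.table, rule.chain, rule.rule...); err != nil {
				logger.Log(1, fmt.Sprintf("failed to delete rule: %v, Err: %v ", rule.rule, err.Error()))
			}
		}
	}
	ruleTable[aclRule.ID] = rulesCfg{rulesMap: make(map[string][]ruleInfo)}
	rules := []ruleInfo{}
	// … unchanged: build and insert the IPv4/IPv6 ACCEPT rules, then store rCfg …
```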
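Review bot: The nftables AddAclRules, UpsertAclRule and DeleteAclRule bodies are empty, so on a host that selected the nftables backend ACL updates from the server are accepted and nothing is enforced, with no log line to show it. Until the nftables path exists, each stub should at least log, for example `logger.Log(1, "acl rules are not yet supported with nftables")` if the logger used in iptables_linux.go is in scope here, so an operator can see that ACL enforcement is missing on that node.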
@@ -14,7 +14,7 @@ require (
 github.com/google/nftables v0.2.0
 github.com/google/uuid v1.6.0
 github.com/gorilla/websocket v1.5.3
- github.com/gravitl/netmaker v0.26.0
+ github.com/gravitl/netmaker v0.26.1-0.20241120090954-f5145745ee62
 github.com/gravitl/tcping v0.1.2-0.20230801110928-546055ebde06
 github.com/guumaster/hostctl v1.1.4
 github.com/hashicorp/go-version v1.7.0
@@ -42,21 +42,27 @@ require (
 require (
 aead.dev/minisign v0.2.0 // indirect
+ cloud.google.com/go/compute/metadata v0.3.0 // indirect
+ filippo.io/edwards25519 v1.1.0 // indirect
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 github.com/Microsoft/go-winio v0.6.1 // indirect
+ github.com/coreos/go-oidc/v3 v3.9.0 // indirect
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 github.com/docker/distribution v2.8.1+incompatible // indirect
 github.com/docker/docker v23.0.5+incompatible // indirect
 github.com/docker/go-connections v0.4.0 // indirect
 github.com/docker/go-units v0.5.0 // indirect
+ github.com/felixge/httpsnoop v1.0.4 // indirect
 github.com/fsnotify/fsnotify v1.7.0 // indirect
 github.com/gabriel-vasile/mimetype v1.4.3 // indirect
+ github.com/go-jose/go-jose/v3 v3.0.3 // indirect
 github.com/go-playground/locales v0.14.1 // indirect
 github.com/go-playground/universal-translator v0.18.1 // indirect
 github.com/go-playground/validator/v10 v10.22.1 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
 github.com/google/go-cmp v0.6.0 // indirect
 github.com/goombaio/namegenerator v0.0.0-20181006234301-989e774b106e // indirect
+ github.com/gorilla/handlers v1.5.2 // indirect
 github.com/gorilla/mux v1.8.1 // indirect
 github.com/hashicorp/hcl v1.0.0 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -84,6 +90,7 @@ require (
 github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 github.com/seancfoley/bintree v1.3.1 // indirect
 github.com/seancfoley/ipaddress-go v1.7.0 // indirect
+ github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e // indirect
 github.com/sourcegraph/conc v0.3.0 // indirect
 github.com/spf13/afero v1.11.0 // indirect
 github.com/spf13/cast v1.6.0 // indirect
@@ -94,10 +101,13 @@ require (
 go.uber.org/atomic v1.9.0 // indirect
 go.uber.org/multierr v1.9.0 // indirect
 golang.org/x/mod v0.18.0 // indirect
+ golang.org/x/oauth2 v0.23.0 // indirect
 golang.org/x/sync v0.8.0 // indirect
 golang.org/x/text v0.19.0 // indirect
 golang.org/x/tools v0.22.0 // indirect
 golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
+ gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 gopkg.in/ini.v1 v1.67.0 // indirect
+ gopkg.in/mail.v2 v2.3.1 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 )
diff --git a/go.sum b/go.sum
index cfd7a66e..109dceb6 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,11 @@ aead.dev/minisign v0.2.0 h1:kAWrq/hBRu4AARY6AlciO83xhNnW9UaC8YipS2uhLPk= aead.dev/minisign v0.2.0/go.mod h1:zdq6LdSd9TbuSxchxwhpA9zEb9YXcVGoE8JakuiGaIQ= +cloud.google.com/go v0.112.1 h1:uJSeirPke5UNZHIb4SxfZklVSiWWVqW4oXlETwZziwM= +cloud.google.com/go/compute v1.24.0 h1:phWcR2eWzRJaL/kOiJwfFsPs4BaKq1j6vnpZrc1YlVg= +cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc= +cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= +filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= +filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= @@ -10,6 +16,8 @@ github.com/c-robinson/iplib v1.0.8 h1:exDRViDyL9UBLcfmlxxkY5odWX5092nPsQIykHXhIn github.com/c-robinson/iplib v1.0.8/go.mod h1:i3LuuFL1hRT5gFpBRnEydzw8R6yhGkF4szNDIbF8pgo= github.com/coreos/go-iptables v0.8.0 h1:MPc2P89IhuVpLI7ETL/2tx3XZ61VeICZjYqDEgNsPRc= github.com/coreos/go-iptables v0.8.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q= +github.com/coreos/go-oidc/v3 v3.9.0 h1:0J/ogVOd4y8P0f0xUh8l9t07xRP/d8tccvjHl2dcsSo= +github.com/coreos/go-oidc/v3 v3.9.0/go.mod h1:rTKz2PYwftcrtoCzV5g5kvfJoWcm0Mk8AF8y1iAQro4= github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -28,6 +36,8 @@ github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/eclipse/paho.mqtt.golang v1.4.3 h1:2kwcUGn8seMUfWndX0hGbvH8r7crgcJguQNCyp70xik= github.com/eclipse/paho.mqtt.golang v1.4.3/go.mod h1:CSYvoAlsMkhYOXh/oKyxa8EcBci6dVkLCbo5tTC1RIE= +github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= +github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= @@ -36,6 +46,8 @@ github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uq github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk= github.com/glendc/go-external-ip v0.1.0 h1:iX3xQ2Q26atAmLTbd++nUce2P5ht5P4uD4V7caSY/xg= github.com/glendc/go-external-ip v0.1.0/go.mod h1:CNx312s2FLAJoWNdJWZ2Fpf5O4oLsMFwuYviHjS4uJE= +github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k= +github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= github.com/go-ping/ping v1.1.0 h1:3MCGhVX4fyEUuhsfwPrsEdQw6xspHkv5zHsiSoDFZYw= github.com/go-ping/ping v1.1.0/go.mod h1:xIFjORFzTxqIV/tDVGO4eDy/bLuSyawEeojSm3GfRGk= github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s= 
@@ -52,6 +64,7 @@ github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOW github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/nftables v0.2.0 h1:PbJwaBmbVLzpeldoeUKGkE2RjstrjPKMl6oLrfEJ6/8= 
@@ -63,12 +76,20 @@ github.com/goombaio/namegenerator v0.0.0-20181006234301-989e774b106e h1:XmA6L9IP github.com/goombaio/namegenerator v0.0.0-20181006234301-989e774b106e/go.mod h1:AFIo+02s+12CEg8Gzz9kzhCbmbq6JcKNrhHffCGA9z4= github.com/gopherjs/gopherjs v1.17.2 h1:fQnZVsXk8uxXIStYb0N4bGk7jeyTalG/wsZjQ25dO0g= github.com/gopherjs/gopherjs v1.17.2/go.mod h1:pRRIvn/QzFLrKfvEz3qUuEhtE/zLCWfreZ6J5gM2i+k= +github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE= +github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg= github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gravitl/netmaker v0.26.0 h1:XzIv/7fSsH4taHWBk9cERg8G2IvW14AIkXOKJXAQl1c= github.com/gravitl/netmaker v0.26.0/go.mod h1:J5tvCRmUXFnv3qmmgrGZTmj0GLst+W0kHqUjgtr+G9M= +github.com/gravitl/netmaker v0.26.1-0.20241118144836-81e5d8673d2a h1:uJdJTEjcELQkqVFif4Tuiqr3uS/AVhU1H1h7CJpKXd8= +github.com/gravitl/netmaker v0.26.1-0.20241118144836-81e5d8673d2a/go.mod h1:J5tvCRmUXFnv3qmmgrGZTmj0GLst+W0kHqUjgtr+G9M= +github.com/gravitl/netmaker v0.26.1-0.20241120085704-031a0c14aceb h1:Kc9bOl7hzFlbxftOIph6mx7KqWCwLOBwJwfKes9PWH4= +github.com/gravitl/netmaker v0.26.1-0.20241120085704-031a0c14aceb/go.mod h1:J5tvCRmUXFnv3qmmgrGZTmj0GLst+W0kHqUjgtr+G9M= +github.com/gravitl/netmaker v0.26.1-0.20241120090954-f5145745ee62 h1:UHm/PPU88fgKp3dC6I+d8xKeQW7l23E7CjkOV6iZZNA= +github.com/gravitl/netmaker v0.26.1-0.20241120090954-f5145745ee62/go.mod h1:J5tvCRmUXFnv3qmmgrGZTmj0GLst+W0kHqUjgtr+G9M= github.com/gravitl/tcping v0.1.2-0.20230801110928-546055ebde06 h1:g2fBXRNT9eiQohyHcoME3SVmeG7OKoJPWrs7A+009kU= github.com/gravitl/tcping v0.1.2-0.20230801110928-546055ebde06/go.mod 
h1:12iViYKWAzRPj5/oEGAaD7Wje+Nuz8M9eDJbV7qhKAA= github.com/guumaster/hostctl v1.1.4 h1:4zb9wEurBlz/hQiXFz9feHHfunf7oj+9serAH8ohGuM= @@ -157,6 +178,8 @@ github.com/seancfoley/bintree v1.3.1 h1:cqmmQK7Jm4aw8gna0bP+huu5leVOgHGSJBEpUx3E github.com/seancfoley/bintree v1.3.1/go.mod h1:hIUabL8OFYyFVTQ6azeajbopogQc2l5C/hiXMcemWNU= github.com/seancfoley/ipaddress-go v1.7.0 h1:vWp3SR3k+HkV3aKiNO2vEe6xbVxS0x/Ixw6hgyP238s= github.com/seancfoley/ipaddress-go v1.7.0/go.mod h1:TQRZgv+9jdvzHmKoPGBMxyiaVmoI0rYpfEk8Q/sL/Iw= +github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e h1:MRM5ITcdelLK2j1vwZ3Je0FKVCfqOLp5zO6trqMLYs0= +github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e/go.mod h1:XV66xRDqSt+GTGFMVlhk3ULuV0y9ZmzeVGR4mloJI3M= github.com/smarty/assertions v1.15.0 h1:cR//PqUBUiQRakZWqBiFFQ9wb8emQGDb0HeGdqGByCY= github.com/smarty/assertions v1.15.0/go.mod h1:yABtdzeQs6l1brC900WlRNwj6ZR55d7B+E8C6HtKdec= github.com/smartystreets/goconvey v1.8.1 h1:qGjIddxOk4grTu9JPOU31tVfq3cNdBlNa5sSznIX1xY= @@ -178,6 +201,7 @@ github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSS github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= 
@@ -193,6 +217,7 @@ github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1Y github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE= go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/multierr v1.9.0 h1:7fIwc/ZtS0q++VgcfqFDxSBZVv/Xo49/SYnDFupUwlI= 
@@ -201,29 +226,41 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211209193657-4570a0811e8b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw= golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U= golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g= golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0= golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod 
h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4= golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU= +golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs= +golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys 
v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -239,19 +276,30 @@ golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24= golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= @@ -260,6 +308,8 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA= golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -274,11 +324,15 @@ golang.zx2c4.com/wireguard/wgctrl v0.0.0-20221104135756-97bc4ad4a1cb h1:9aqVcYED golang.zx2c4.com/wireguard/wgctrl v0.0.0-20221104135756-97bc4ad4a1cb/go.mod h1:mQqgjkW8GQQcJQsbBvK890TKqUK1DfKWkuBGbOkuMHQ= golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE= golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI= +gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc h1:2gGKlE2+asNV9m7xrywl36YYNnBG5ZQ0r/BOOxqPpmk= +gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc/go.mod h1:m7x9LTH6d71AHyAX77c9yqWCCa3UKHcVEj9y7hAtKDk= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/mail.v2 v2.3.1 h1:WYFn/oANrAGP2C0dcV6/pbkPzv8yGzqTjPmTeO7qoXk= +gopkg.in/mail.v2 v2.3.1/go.mod h1:htwXN1Qh09vZJ1NVKxQqHPBaCBbzKhp5GzuJEA4VJWw= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= From 0ae0e9b2d2c6879097b44bbd69bac6ef7dc274d6 Mon Sep 17 00:00:00 2001 From: abhishek9686 Date: Wed, 20 Nov 2024 16:37:17 +0400 Subject: [PATCH 02/24] trigger fw update --- functions/mqhandlers.go | 1 + 1 file changed, 1 insertion(+) diff --git a/functions/mqhandlers.go b/functions/mqhandlers.go index 0f7e988a..b964394e 100644 --- a/functions/mqhandlers.go +++ b/functions/mqhandlers.go 
@@ -530,6 +530,7 @@ func handleFwUpdate(server string, payload *models.FwUpdate) {
 } else {
 firewall.RemoveIngressRoutingRules(server)
 }
+ firewall.ProcessAclRules(server, payload.AclRules)
 }
From 66c179ed5b0933bc07c82f9f34fb195e45acc880 Mon Sep 17 00:00:00 2001
From: abhishek9686
Date: Thu, 28 Nov 2024 12:58:38 +0400
Subject: [PATCH 03/24] change default acl rule target
---
 firewall/acl.go | 9 +-
 firewall/firewall.go | 4 +
 firewall/firewall_nonlinux.go | 1 +
 firewall/iptables_linux.go | 192 ++++++++++++++++++++++++----------
 firewall/nftables_linux.go | 2 +
 functions/mqhandlers.go | 5 +-
 go.mod | 2 +-
 go.sum | 8 ++
 8 files changed, 164 insertions(+), 59 deletions(-)
diff --git a/firewall/acl.go b/firewall/acl.go
index f306f08f..487b869b 100644
--- a/firewall/acl.go
+++ b/firewall/acl.go
@@ -6,10 +6,17 @@ import (
 "github.com/gravitl/netmaker/models"
 )
-func ProcessAclRules(server string, aclRules map[string]models.AclRule) {
+func ProcessAclRules(server string, fwUpdate *models.FwUpdate) {
 if fwCrtl == nil {
 return
 }
+ if fwUpdate.AllowAll {
+ fwCrtl.ChangeACLTarget(targetAccept)
+ } else {
+ fwCrtl.ChangeACLTarget(targetDrop)
+ }
+ return
+ aclRules := fwUpdate.AclRules
 ruleTable := fwCrtl.FetchRuleTable(server, aclTable)
 if len(ruleTable) == 0 && len(aclRules) > 0 {
 fwCrtl.AddAclRules(server, aclRules)
diff --git a/firewall/firewall.go b/firewall/firewall.go
index ec69dd69..bcf9c05a 100644
--- a/firewall/firewall.go
+++ b/firewall/firewall.go
@@ -34,6 +34,8 @@ const (
 const (
 staticNodeRules = "static-node"
+ targetAccept = "ACCEPT"
+ targetDrop = "DROP"
 )
 type firewallController interface {
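Review bot: The `return` inserted after the ChangeACLTarget branch in firewall/acl.go makes everything from `aclRules := fwUpdate.AclRules` to the end of ProcessAclRules unreachable (go vet reports it), so per-policy rules are no longer processed at all; if that is deliberate while the target switch is finished, say so in a comment, otherwise drop the `return`. `fwUpdate.AllowAll` is read without a nil check on the new pointer parameter, so a nil *models.FwUpdate panics; add `if fwUpdate == nil { return }` beside the fwCrtl check. The function body continues past the end of the hunk.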
@@ -43,6 +45,8 @@ type firewallController interface {
 ForwardRule() error
 // Add DROP Rules
 AddDropRules([]ruleInfo)
+ // ChangeACLTarget - deletes if any current target and adds rule with new target
+ ChangeACLTarget(target string)
 // InsertEgressRoutingRules - adds a egress routing rules for egressGw
 InsertEgressRoutingRules(server string, egressInfo models.EgressInfo) error
 // InsertIngressRoutingRules - inserts fw rules on ingress gw
diff --git a/firewall/firewall_nonlinux.go b/firewall/firewall_nonlinux.go
index da59c590..007cbe3e 100644
--- a/firewall/firewall_nonlinux.go
+++ b/firewall/firewall_nonlinux.go
@@ -24,6 +24,7 @@ func (unimplementedFirewall) AddIngressRoutingRule(server, extPeerKey, extPeerAd
 func (unimplementedFirewall) RefreshEgressRangesOnIngressGw(server string, ingressUpdate models.IngressInfo) error {
 return nil
 }
+func (unimplementedFirewall) ChangeACLTarget(target string) {}
 func (unimplementedFirewall) RemoveRoutingRules(server, tableName, peerKey string) error {
 return nil
diff --git a/firewall/iptables_linux.go b/firewall/iptables_linux.go
index cb9d4ca2..78980c49 100644
--- a/firewall/iptables_linux.go
+++ b/firewall/iptables_linux.go
@@ -40,26 +40,54 @@ type iptablesManager struct { } var ( + aclInChainDropRule = ruleInfo{ + rule: []string{"-i", ncutils.GetInterfaceName(), "-m", + "comment", "--comment", netmakerSignature, "-j", "DROP"}, + table: defaultIpTable, + chain: aclInputRulesChain, + } dropRules = []ruleInfo{ { - rule: []string{"-i", ncutils.GetInterfaceName(), "-j", "DROP"}, + rule: []string{"-i", ncutils.GetInterfaceName(), "-m", "comment", + "--comment", netmakerSignature, "-j", "RETURN"}, table: defaultIpTable, chain: netmakerFilterChain, }, + aclInChainDropRule, } // filter table netmaker jump rules filterNmJumpRules = []ruleInfo{ + { + rule: []string{"-i", ncutils.GetInterfaceName(), "-j", aclInputRulesChain, + "-m", "comment", "--comment", netmakerSignature}, + table: defaultIpTable, + chain: iptableINChain, + }, + { + rule: []string{"-i", ncutils.GetInterfaceName(), "-j", aclInputRulesChain, + "-m", "comment", "--comment", netmakerSignature}, + table: defaultIpTable, + chain: iptableFWDChain, + }, // { - // rule: []string{"-j", netmakerFilterChain}, - // table: defaultIpTable, - // chain: iptableFWDChain, - // }, - // { - // rule: []string{"-j", "RETURN"}, + // rule: []string{"-m", "comment", "--comment", netmakerSignature, "-j", "ACCEPT"}, // table: defaultIpTable, - // chain: netmakerFilterChain, + // chain: aclInputRulesChain, // }, + { + rule: []string{"-m", "comment", "--comment", netmakerSignature, "-j", "ACCEPT"}, + table: defaultIpTable, + chain: aclOutputRulesChain, + }, + //iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT + { + rule: []string{"-i", ncutils.GetInterfaceName(), "-m", "conntrack", + "--ctstate", "ESTABLISHED,RELATED", "-m", "comment", + "--comment", netmakerSignature, "-j", "ACCEPT"}, + table: defaultIpTable, + chain: iptableINChain, + }, } // nat table nm jump rules natNmJumpRules = []ruleInfo{ 
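Review bot: The conntrack `ESTABLISHED,RELATED -j ACCEPT` rule for INPUT is listed after the `-i <iface> -j aclInputRulesChain` jump in `filterNmJumpRules`; if `addJumpRules` installs the list in order (not visible here), reply packets for connections this host initiated toward a peer enter the ACL chain first, and once `aclInChainDropRule` terminates that chain with `DROP` they never reach the conntrack rule. Move the conntrack entry ahead of the jump, or make it the first rule inside `aclInputRulesChain`. Separately, the `netmakerFilterChain` terminator changes from `-j DROP` to `-j RETURN`, so anything not matched in that chain now falls through to the parent chain's policy (FORWARD is set to ACCEPT in `ForwardRule`); confirm that chain no longer needs to fail closed, and say so in a comment on the rule.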
@@ -100,6 +128,40 @@ func createChain(iptables *iptables.IPTables, table, newChain string) error {
 	return nil
 }
 
+func (i *iptablesManager) ChangeACLTarget(target string) {
+	fmt.Println("===> ACL TARGET ", target)
+	ruleSpec := aclInChainDropRule.rule
+	table := aclInChainDropRule.table
+	chain := aclInChainDropRule.chain
+	ruleSpec[len(ruleSpec)-1] = target
+	ok4, _ := i.ipv4Client.Exists(table, chain, ruleSpec...)
+	ok6, _ := i.ipv4Client.Exists(table, chain, ruleSpec...)
+	if ok4 && ok6 {
+		return
+	}
+	fmt.Println("===>CHANGING ACL TARGET ", target)
+	if target == targetAccept {
+
+		// remove any DROP rule
+		ruleSpec[len(ruleSpec)-1] = targetDrop
+		i.ipv4Client.DeleteIfExists(table, chain, ruleSpec...)
+		i.ipv6Client.DeleteIfExists(table, chain, ruleSpec...)
+		// Add ACCEPT RULE
+		ruleSpec[len(ruleSpec)-1] = targetAccept
+		i.ipv4Client.Append(table, chain, ruleSpec...)
+		i.ipv6Client.Append(table, chain, ruleSpec...)
+	} else {
+		// remove any ACCEPT rule
+		ruleSpec[len(ruleSpec)-1] = targetAccept
+		i.ipv4Client.DeleteIfExists(table, chain, ruleSpec...)
+		i.ipv6Client.DeleteIfExists(table, chain, ruleSpec...)
+		// Add DROP RULE
+		ruleSpec[len(ruleSpec)-1] = targetDrop
+		i.ipv4Client.Append(table, chain, ruleSpec...)
+		i.ipv6Client.Append(table, chain, ruleSpec...)
+	}
+}
+
 // iptablesManager.ForwardRule inserts forwarding rules
 func (i *iptablesManager) ForwardRule() error {
 	i.mux.Lock()
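Review bot: `ok6` is computed with `i.ipv4Client`, so the ip6tables chain is never checked: once the two IPv4 `Exists` calls succeed `ChangeACLTarget` returns early, and an IPv6 `Append` that failed (its error is discarded) is never retried, leaving the IPv6 `aclInputRulesChain` without a terminating `DROP` while `AllowAll` is false. Change it to `ok6, _ := i.ipv6Client.Exists(table, chain, ruleSpec...)`. Also `ruleSpec := aclInChainDropRule.rule` aliases the package-level slice, so `ruleSpec[len(ruleSpec)-1] = target` rewrites `aclInChainDropRule` (and the copy inside `dropRules`, which shares the backing array) in place; after one ACCEPT call `AddDropRules` would install an ACCEPT, so take a copy first: `ruleSpec := append([]string(nil), aclInChainDropRule.rule...)`. The `DeleteIfExists`/`Append` errors are dropped, the two `fmt.Println` debug lines bypass the logger, and the method mutates the rule set without holding `i.mux` like its siblings.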
@@ -109,10 +171,7 @@ func (i *iptablesManager) ForwardRule() error {
 	iptablesClient := i.ipv4Client
 	// Set the policy To accept on forward chain
 	iptablesClient.ChangePolicy(defaultIpTable, iptableFWDChain, "ACCEPT")
-	// remove DROP rule if present
-	createChain(iptablesClient, defaultIpTable, netmakerFilterChain)
-	createChain(iptablesClient, defaultIpTable, aclInputRulesChain)
-	createChain(iptablesClient, defaultIpTable, aclOutputRulesChain)
+
 	ruleSpec := []string{"-i", "netmaker", "-j", "ACCEPT"}
 	ruleSpec = appendNetmakerCommentToRule(ruleSpec)
 	ok, err := i.ipv4Client.Exists(defaultIpTable, iptableFWDChain, ruleSpec...)
@@ -189,7 +248,16 @@ func (i *iptablesManager) CreateChains() error {
 		logger.Log(1, "failed to create netmaker chain: ", err.Error())
 		return err
 	}
-
+	err = createChain(i.ipv4Client, defaultIpTable, aclInputRulesChain)
+	if err != nil {
+		logger.Log(1, "failed to create netmaker chain: ", err.Error())
+		return err
+	}
+	err = createChain(i.ipv4Client, defaultIpTable, aclOutputRulesChain)
+	if err != nil {
+		logger.Log(1, "failed to create netmaker chain: ", err.Error())
+		return err
+	}
 	err = createChain(i.ipv6Client, defaultIpTable, netmakerFilterChain)
 	if err != nil {
 		logger.Log(1, "failed to create netmaker chain: ", err.Error())
@@ -200,6 +268,16 @@ func (i *iptablesManager) CreateChains() error {
 		logger.Log(1, "failed to create netmaker chain: ", err.Error())
 		return err
 	}
+	err = createChain(i.ipv6Client, defaultIpTable, aclInputRulesChain)
+	if err != nil {
+		logger.Log(1, "failed to create netmaker chain: ", err.Error())
+		return err
+	}
+	err = createChain(i.ipv6Client, defaultIpTable, aclOutputRulesChain)
+	if err != nil {
+		logger.Log(1, "failed to create netmaker chain: ", err.Error())
+		return err
+	}
 	// add jump rules
 	i.addJumpRules()
 	return nil
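Review bot: All four new `createChain` failure paths in `CreateChains` log the identical string `failed to create netmaker chain`, so an operator cannot tell which chain is missing, and a missing `aclInputRulesChain` later leaves the jump rules pointing at a nonexistent chain (iptables rejects the jump, which is only logged). Include the name, e.g. `logger.Log(1, "failed to create chain ", aclInputRulesChain, ": ", err.Error())`, or collapse the copies into a loop over `[]string{netmakerFilterChain, aclInputRulesChain, aclOutputRulesChain}` per client. In `ForwardRule` the `ChangePolicy(..., "ACCEPT")` result is still discarded; with the ACL chains about to terminate in `DROP`, a failed policy change deserves at least a log line. `ForwardRule` and `CreateChains` both start and end outside these hunks.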
@@ -373,46 +451,46 @@ func (i *iptablesManager) InsertIngressRoutingRules(server string, ingressInfo m } } ingressGwRoutes := []ruleInfo{} - for _, ip := range ingressInfo.StaticNodeIps { - iptablesClient := i.ipv4Client - networks := []string{ingressInfo.Network.String()} - for _, egressNet := range ingressInfo.EgressRanges { - networks = append(networks, egressNet.String()) - } - if ip.To4() == nil { - networks = []string{ingressInfo.Network6.String()} - for _, egressNet := range ingressInfo.EgressRanges6 { - networks = append(networks, egressNet.String()) - } - iptablesClient = i.ipv6Client - } - ruleSpec := []string{"-s", ip.String(), "-d", strings.Join(networks, ","), "-j", netmakerFilterChain} - ruleSpec = appendNetmakerCommentToRule(ruleSpec) - // to avoid duplicate iface route rule,delete if exists - iptablesClient.DeleteIfExists(defaultIpTable, iptableFWDChain, ruleSpec...) - err := iptablesClient.Insert(defaultIpTable, iptableFWDChain, 1, ruleSpec...) - if err != nil { - logger.Log(1, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error())) - } else { - ingressGwRoutes = append(ingressGwRoutes, ruleInfo{ - table: defaultIpTable, - chain: iptableFWDChain, - rule: ruleSpec, - }) - } - // to avoid duplicate iface route rule,delete if exists - iptablesClient.DeleteIfExists(defaultIpTable, iptableINChain, ruleSpec...) - err = iptablesClient.Insert(defaultIpTable, iptableINChain, 1, ruleSpec...) 
- if err != nil { - logger.Log(1, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error())) - } else { - ingressGwRoutes = append(ingressGwRoutes, ruleInfo{ - table: defaultIpTable, - chain: iptableINChain, - rule: ruleSpec, - }) - } - } + // for _, ip := range ingressInfo.StaticNodeIps { + // iptablesClient := i.ipv4Client + // networks := []string{ingressInfo.Network.String()} + // for _, egressNet := range ingressInfo.EgressRanges { + // networks = append(networks, egressNet.String()) + // } + // if ip.To4() == nil { + // networks = []string{ingressInfo.Network6.String()} + // for _, egressNet := range ingressInfo.EgressRanges6 { + // networks = append(networks, egressNet.String()) + // } + // iptablesClient = i.ipv6Client + // } + // ruleSpec := []string{"-s", ip.String(), "-d", strings.Join(networks, ","), "-j", netmakerFilterChain} + // ruleSpec = appendNetmakerCommentToRule(ruleSpec) + // // to avoid duplicate iface route rule,delete if exists + // iptablesClient.DeleteIfExists(defaultIpTable, iptableFWDChain, ruleSpec...) + // err := iptablesClient.Insert(defaultIpTable, iptableFWDChain, 1, ruleSpec...) + // if err != nil { + // logger.Log(1, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error())) + // } else { + // ingressGwRoutes = append(ingressGwRoutes, ruleInfo{ + // table: defaultIpTable, + // chain: iptableFWDChain, + // rule: ruleSpec, + // }) + // } + // // to avoid duplicate iface route rule,delete if exists + // iptablesClient.DeleteIfExists(defaultIpTable, iptableINChain, ruleSpec...) + // err = iptablesClient.Insert(defaultIpTable, iptableINChain, 1, ruleSpec...) + // if err != nil { + // logger.Log(1, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error())) + // } else { + // ingressGwRoutes = append(ingressGwRoutes, ruleInfo{ + // table: defaultIpTable, + // chain: iptableINChain, + // rule: ruleSpec, + // }) + // } + // } for _, rule := range ingressInfo.Rules { if !rule.Allow { continue 
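Review bot: The forty commented-out lines in `InsertIngressRoutingRules` should be deleted rather than kept under `//`; git history preserves them, and as written the per-static-node `-s <ip> -d <network,egress ranges> -j netmakerFilterChain` jumps they installed in FORWARD and INPUT are gone, so the only remaining restriction on an ingress gateway's static nodes is the `ingressInfo.Rules` loop that follows. If that is the intent, say so where the block was, e.g. `// static-node scoping is now enforced by the ACL chains (see AddAclRules)`. With the loop removed, check that `strings` is still referenced elsewhere in this file, since this was its only visible user. The enclosing function begins before this hunk and continues after it.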
@@ -425,14 +503,14 @@ func (i *iptablesManager) InsertIngressRoutingRules(server string, ingressInfo m rule.DstIP.String(), "-j", "ACCEPT"} ruleSpec = appendNetmakerCommentToRule(ruleSpec) // to avoid duplicate iface route rule,delete if exists - iptablesClient.DeleteIfExists(defaultIpTable, netmakerFilterChain, ruleSpec...) - err := iptablesClient.Insert(defaultIpTable, netmakerFilterChain, 1, ruleSpec...) + iptablesClient.DeleteIfExists(defaultIpTable, aclInputRulesChain, ruleSpec...) + err := iptablesClient.Insert(defaultIpTable, aclInputRulesChain, 1, ruleSpec...) if err != nil { logger.Log(1, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error())) } else { ingressGwRoutes = append(ingressGwRoutes, ruleInfo{ table: defaultIpTable, - chain: netmakerFilterChain, + chain: aclInputRulesChain, rule: ruleSpec, }) } @@ -798,6 +876,8 @@ func (i *iptablesManager) FlushAll() { i.removeJumpRules() i.clearNetmakerRules(defaultIpTable, iptableINChain) i.clearNetmakerRules(defaultIpTable, iptableFWDChain) + i.cleanup(defaultIpTable, aclInputRulesChain) + i.cleanup(defaultIpTable, aclOutputRulesChain) i.cleanup(defaultIpTable, netmakerFilterChain) i.cleanup(defaultNatTable, netmakerNatChain) } diff --git a/firewall/nftables_linux.go b/firewall/nftables_linux.go index 36e97508..c2c18eda 100644 --- a/firewall/nftables_linux.go +++ b/firewall/nftables_linux.go @@ -949,3 +949,5 @@ func (n *nftablesManager) UpsertAclRule(server string, aclRule models.AclRule) { func (n *nftablesManager) DeleteAclRule(server, aclID string) { } + +func (n *nftablesManager) ChangeACLTarget(target string) {} diff --git a/functions/mqhandlers.go b/functions/mqhandlers.go index b964394e..516fdde5 100644 --- a/functions/mqhandlers.go +++ b/functions/mqhandlers.go 
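Review bot: `nftablesManager.ChangeACLTarget` is an empty body, like the neighbouring `UpsertAclRule`/`DeleteAclRule` stubs, so on an nftables host an update with `AllowAll` false is acknowledged and enforces nothing, silently; until the nft path exists it should at least log, e.g. `logger.Log(0, "acl target ", target, " not enforced: nftables support pending")`, so nobody assumes a default-deny is in place. The `InsertIngressRoutingRules` hunk now inserts its ACCEPT rules at position 1 of `aclInputRulesChain`, the same chain and position `AddAclRules` uses, while still recording them in the ingress table; `FlushAll`'s new `cleanup(defaultIpTable, aclInputRulesChain)` wipes both sets together, which is fine, but any per-rule ingress removal path (not visible here) must now target this chain rather than `netmakerFilterChain`.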
@@ -530,7 +530,10 @@ func handleFwUpdate(server string, payload *models.FwUpdate) { } else { firewall.RemoveIngressRoutingRules(server) } - firewall.ProcessAclRules(server, payload.AclRules) + if payload.AllowAll { + + } + firewall.ProcessAclRules(server, payload) } diff --git a/go.mod b/go.mod index 0da64f51..bddf41aa 100644 --- a/go.mod +++ b/go.mod @@ -14,7 +14,7 @@ require ( github.com/google/nftables v0.2.0 github.com/google/uuid v1.6.0 github.com/gorilla/websocket v1.5.3 - github.com/gravitl/netmaker v0.26.1-0.20241120090954-f5145745ee62 + github.com/gravitl/netmaker v0.26.1-0.20241128044908-a91bf8184ca1 github.com/gravitl/tcping v0.1.2-0.20230801110928-546055ebde06 github.com/guumaster/hostctl v1.1.4 github.com/hashicorp/go-version v1.7.0 diff --git a/go.sum b/go.sum index 109dceb6..4d957e49 100644 --- a/go.sum +++ b/go.sum 
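Review bot: The `if payload.AllowAll { }` block added to `handleFwUpdate` is empty; `ProcessAclRules` already branches on `fwUpdate.AllowAll`, so drop the block rather than leave a placeholder that reads as missing logic. The go.mod bump on this line is routine.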
@@ -90,6 +90,14 @@ github.com/gravitl/netmaker v0.26.1-0.20241120085704-031a0c14aceb h1:Kc9bOl7hzFl github.com/gravitl/netmaker v0.26.1-0.20241120085704-031a0c14aceb/go.mod h1:J5tvCRmUXFnv3qmmgrGZTmj0GLst+W0kHqUjgtr+G9M= github.com/gravitl/netmaker v0.26.1-0.20241120090954-f5145745ee62 h1:UHm/PPU88fgKp3dC6I+d8xKeQW7l23E7CjkOV6iZZNA= github.com/gravitl/netmaker v0.26.1-0.20241120090954-f5145745ee62/go.mod h1:J5tvCRmUXFnv3qmmgrGZTmj0GLst+W0kHqUjgtr+G9M= +github.com/gravitl/netmaker v0.26.1-0.20241125073154-376d7c021b16 h1:PKvsBscOQJwx8rGow3xcu9ISEvOsxZgSiRIOvrtyAlk= +github.com/gravitl/netmaker v0.26.1-0.20241125073154-376d7c021b16/go.mod h1:J5tvCRmUXFnv3qmmgrGZTmj0GLst+W0kHqUjgtr+G9M= +github.com/gravitl/netmaker v0.26.1-0.20241126070511-a11bbd932376 h1:vZAuYlFLhQLYS6siPFW1A1hgQvEERZ0iIUE9mUpU2fg= +github.com/gravitl/netmaker v0.26.1-0.20241126070511-a11bbd932376/go.mod h1:J5tvCRmUXFnv3qmmgrGZTmj0GLst+W0kHqUjgtr+G9M= +github.com/gravitl/netmaker v0.26.1-0.20241128033555-52f6529ac252 h1:iUR0pdfUwmlTLZyDC5LXJ580oo2JntaOzz5NDxCkzZU= +github.com/gravitl/netmaker v0.26.1-0.20241128033555-52f6529ac252/go.mod h1:J5tvCRmUXFnv3qmmgrGZTmj0GLst+W0kHqUjgtr+G9M= +github.com/gravitl/netmaker v0.26.1-0.20241128044908-a91bf8184ca1 h1:ZosmoHGzZON+1mi8s+PvDwW/OWbIinkomHFKMFTiL1s= +github.com/gravitl/netmaker v0.26.1-0.20241128044908-a91bf8184ca1/go.mod h1:J5tvCRmUXFnv3qmmgrGZTmj0GLst+W0kHqUjgtr+G9M= github.com/gravitl/tcping v0.1.2-0.20230801110928-546055ebde06 h1:g2fBXRNT9eiQohyHcoME3SVmeG7OKoJPWrs7A+009kU= github.com/gravitl/tcping v0.1.2-0.20230801110928-546055ebde06/go.mod h1:12iViYKWAzRPj5/oEGAaD7Wje+Nuz8M9eDJbV7qhKAA= github.com/guumaster/hostctl v1.1.4 h1:4zb9wEurBlz/hQiXFz9feHHfunf7oj+9serAH8ohGuM= From 737edb3d5cd08cccce51f6c634a5b480148b9b4b Mon Sep 17 00:00:00 2001 
From: abhishek9686 Date: Fri, 29 Nov 2024 14:25:57 +0400 Subject: [PATCH 04/24] add acl rules for port and protocol --- firewall/acl.go | 3 +- firewall/iptables_linux.go | 83 +++++++++++++++++++++++++++++--------- go.mod | 2 +- go.sum | 2 + 4 files changed, 68 insertions(+), 22 deletions(-) diff --git a/firewall/acl.go b/firewall/acl.go index 487b869b..bee8e808 100644 --- a/firewall/acl.go +++ b/firewall/acl.go @@ -1,6 +1,7 @@ package firewall import ( + "fmt" "reflect" "github.com/gravitl/netmaker/models" @@ -15,7 +16,7 @@ func ProcessAclRules(server string, fwUpdate *models.FwUpdate) { } else { fwCrtl.ChangeACLTarget(targetDrop) } - return + fmt.Printf("======> ACL RULES: %+v\n", fwUpdate.AclRules) aclRules := fwUpdate.AclRules ruleTable := fwCrtl.FetchRuleTable(server, aclTable) if len(ruleTable) == 0 && len(aclRules) > 0 { diff --git a/firewall/iptables_linux.go b/firewall/iptables_linux.go index 78980c49..a9de8268 100644 --- a/firewall/iptables_linux.go +++ b/firewall/iptables_linux.go @@ -563,7 +563,9 @@ func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models. defer i.SaveRules(server, aclTable, ruleTable) i.mux.Lock() defer i.mux.Unlock() - + if ruleTable == nil { + ruleTable = make(ruletable) + } for _, aclRule := range aclRules { rules := []ruleInfo{} if _, ok := ruleTable[aclRule.ID]; !ok { 
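Review bot: In the `AddAclRules` hunk the new `if ruleTable == nil { ruleTable = make(ruletable) }` sits below `defer i.SaveRules(server, aclTable, ruleTable)`, and Go evaluates deferred arguments at the `defer` statement, so on a first call `SaveRules` receives the original nil map and every rule just written to iptables is forgotten; the next `ProcessAclRules` then sees an empty table, re-inserts everything at position 1 (duplicates on every update) and `DeleteAclRule` can never find a rule to remove when a policy is revoked. Move the nil check above the `defer`, or defer a closure: `defer func() { i.SaveRules(server, aclTable, ruleTable) }()`. The defer order also means `SaveRules` runs after `i.mux.Unlock()`, so if it writes `i.aclRules` that write is outside the lock. The `fmt.Printf("======> ACL RULES: %+v\n", ...)` in the acl.go hunk dumps every policy's IP lists to stdout and should go through `logger` at a debug level or be removed.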
@@ -576,35 +578,76 @@ func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models. for _, ip := range aclRule.IPList { allowedIps = append(allowedIps, ip.String()) } - ruleSpec := []string{"-s", strings.Join(allowedIps, ","), "-j", "ACCEPT"} - err := i.ipv4Client.Insert(defaultIpTable, aclInputRulesChain, 1, ruleSpec...) - if err != nil { - logger.Log(1, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error())) + rulesSpec := [][]string{} + if len(aclRule.AllowedPorts) > 0 { + if aclRule.AllowedProtocols.String() != "" { + for _, port := range aclRule.AllowedPorts { + ruleSpec := []string{"-s", strings.Join(allowedIps, ",")} + ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocols.String()) + ruleSpec = append(ruleSpec, "--dport", port) + ruleSpec = append(ruleSpec, "-j", "ACCEPT") + rulesSpec = append(rulesSpec, ruleSpec) + } + } } else { - rules = append(rules, ruleInfo{ - isIpv4: true, - table: defaultIpTable, - chain: aclInputRulesChain, - rule: ruleSpec, - }) + ruleSpec := []string{"-s", strings.Join(allowedIps, ",")} + ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocols.String()) + ruleSpec = append(ruleSpec, "-j", "ACCEPT") + rulesSpec = append(rulesSpec, ruleSpec) + } + for _, ruleSpec := range rulesSpec { + err := i.ipv4Client.Insert(defaultIpTable, aclInputRulesChain, 1, ruleSpec...) + if err != nil { + logger.Log(1, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error())) + } else { + rules = append(rules, ruleInfo{ + isIpv4: true, + table: defaultIpTable, + chain: aclInputRulesChain, + rule: ruleSpec, + }) + + } } } + if len(aclRule.IP6List) > 0 { allowedIps := []string{} for _, ip := range aclRule.IP6List { allowedIps = append(allowedIps, ip.String()) } - ruleSpec := []string{"-s", strings.Join(allowedIps, ","), "-j", "ACCEPT"} - err := i.ipv6Client.Insert(defaultIpTable, aclInputRulesChain, 1, ruleSpec...) 
- if err != nil { - logger.Log(1, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error())) + rulesSpec := [][]string{} + if len(aclRule.AllowedPorts) > 0 { + if aclRule.AllowedProtocols.String() != "" { + for _, port := range aclRule.AllowedPorts { + ruleSpec := []string{"-s", strings.Join(allowedIps, ",")} + ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocols.String()) + ruleSpec = append(ruleSpec, "--dport", port) + ruleSpec = append(ruleSpec, "-j", "ACCEPT") + rulesSpec = append(rulesSpec, ruleSpec) + } + } } else { - rules = append(rules, ruleInfo{ - table: defaultIpTable, - chain: aclInputRulesChain, - rule: ruleSpec, - }) + ruleSpec := []string{"-s", strings.Join(allowedIps, ",")} + ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocols.String()) + ruleSpec = append(ruleSpec, "-j", "ACCEPT") + rulesSpec = append(rulesSpec, ruleSpec) + } + + for _, ruleSpec := range rulesSpec { + err := i.ipv6Client.Insert(defaultIpTable, aclInputRulesChain, 1, ruleSpec...) + if err != nil { + logger.Log(1, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error())) + } else { + rules = append(rules, ruleInfo{ + isIpv4: true, + table: defaultIpTable, + chain: aclInputRulesChain, + rule: ruleSpec, + }) + + } } } if len(rules) > 0 { diff --git a/go.mod b/go.mod index bddf41aa..d63df5b9 100644 --- a/go.mod +++ b/go.mod @@ -14,7 +14,7 @@ require ( github.com/google/nftables v0.2.0 github.com/google/uuid v1.6.0 github.com/gorilla/websocket v1.5.3 - github.com/gravitl/netmaker v0.26.1-0.20241128044908-a91bf8184ca1 + github.com/gravitl/netmaker v0.26.1-0.20241128115930-a3cfeccd1f62 github.com/gravitl/tcping v0.1.2-0.20230801110928-546055ebde06 github.com/guumaster/hostctl v1.1.4 github.com/hashicorp/go-version v1.7.0 diff --git a/go.sum b/go.sum index 4d957e49..be65a993 100644 --- a/go.sum +++ b/go.sum 
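Review bot: The IPv6 loop in `AddAclRules` tags its rules `isIpv4: true`, copy-pasted from the IPv4 loop above; anything that later uses that flag to pick the client (a `DeleteAclRule` implementation is not visible here) would try to remove an ip6tables rule through the ipv4 client, fail, and leave the allow rule in place after the policy is revoked. Drop the field in the v6 branch. Also when `AllowedPorts` is non-empty but `AllowedProtocols.String()` is empty, neither loop emits any rule, so a policy with ports and no protocol silently allows nothing; log that case or fall back to the protocol-less rule. `AddAclRules` starts before this hunk.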
@@ -98,6 +98,8 @@ github.com/gravitl/netmaker v0.26.1-0.20241128033555-52f6529ac252 h1:iUR0pdfUwml github.com/gravitl/netmaker v0.26.1-0.20241128033555-52f6529ac252/go.mod h1:J5tvCRmUXFnv3qmmgrGZTmj0GLst+W0kHqUjgtr+G9M= github.com/gravitl/netmaker v0.26.1-0.20241128044908-a91bf8184ca1 h1:ZosmoHGzZON+1mi8s+PvDwW/OWbIinkomHFKMFTiL1s= github.com/gravitl/netmaker v0.26.1-0.20241128044908-a91bf8184ca1/go.mod h1:J5tvCRmUXFnv3qmmgrGZTmj0GLst+W0kHqUjgtr+G9M= +github.com/gravitl/netmaker v0.26.1-0.20241128115930-a3cfeccd1f62 h1:ruM4W2Jh0vxL54LEauD9vrnj5xPhUHvy8mgzFtz9B3g= +github.com/gravitl/netmaker v0.26.1-0.20241128115930-a3cfeccd1f62/go.mod h1:J5tvCRmUXFnv3qmmgrGZTmj0GLst+W0kHqUjgtr+G9M= github.com/gravitl/tcping v0.1.2-0.20230801110928-546055ebde06 h1:g2fBXRNT9eiQohyHcoME3SVmeG7OKoJPWrs7A+009kU= github.com/gravitl/tcping v0.1.2-0.20230801110928-546055ebde06/go.mod h1:12iViYKWAzRPj5/oEGAaD7Wje+Nuz8M9eDJbV7qhKAA= github.com/guumaster/hostctl v1.1.4 h1:4zb9wEurBlz/hQiXFz9feHHfunf7oj+9serAH8ohGuM= From 4faf67a7411b16b0eea8fd547b38962e78317cc1 Mon Sep 17 00:00:00 2001 From: abhishek9686 Date: Mon, 2 Dec 2024 11:12:19 +0400 Subject: [PATCH 05/24] save aclrules, delete acl rules on update --- firewall/acl.go | 13 +++- firewall/firewall_linux.go | 2 + firewall/iptables_linux.go | 152 +++++++++++++++++++++++++++---------- firewall/nftables_linux.go | 12 +-- 4 files changed, 133 insertions(+), 46 deletions(-) diff --git a/firewall/acl.go b/firewall/acl.go index bee8e808..e315a997 100644 --- a/firewall/acl.go +++ b/firewall/acl.go 
@@ -16,13 +16,17 @@ func ProcessAclRules(server string, fwUpdate *models.FwUpdate) { } else { fwCrtl.ChangeACLTarget(targetDrop) } - fmt.Printf("======> ACL RULES: %+v\n", fwUpdate.AclRules) + aclRules := fwUpdate.AclRules ruleTable := fwCrtl.FetchRuleTable(server, aclTable) + fmt.Printf("======> ACL RULES: %+v\n, Curr Rule table: %+v\n", fwUpdate.AclRules, ruleTable) if len(ruleTable) == 0 && len(aclRules) > 0 { fwCrtl.AddAclRules(server, aclRules) + ruleTable := fwCrtl.FetchRuleTable(server, aclTable) + fmt.Printf("======> AFTER ACL RULES: Curr Rule table: %+v\n", ruleTable) return } + fmt.Println("## CHECKING New RULES==>") // add new acl rules for _, aclRule := range aclRules { if _, ok := ruleTable[aclRule.ID]; !ok { @@ -37,10 +41,17 @@ func ProcessAclRules(server string, fwUpdate *models.FwUpdate) { (!reflect.DeepEqual(localAclRule.IP6List, aclRule.IP6List)) || (len(localAclRule.AllowedPorts) != len(aclRule.AllowedPorts)) || (!reflect.DeepEqual(localAclRule.AllowedPorts, aclRule.AllowedPorts)) || + (aclRule.AllowedProtocols != localAclRule.AllowedProtocols) || (localAclRule.Direction) != aclRule.Direction { fwCrtl.DeleteAclRule(server, aclRule.ID) fwCrtl.UpsertAclRule(server, aclRule) } } } + // check if any rules needs to be deleted + for aclID := range ruleTable { + if _, ok := aclRules[aclID]; !ok { + fwCrtl.DeleteAclRule(server, aclID) + } + } } diff --git a/firewall/firewall_linux.go b/firewall/firewall_linux.go index a4adf698..a7cbb959 100644 --- a/firewall/firewall_linux.go +++ b/firewall/firewall_linux.go @@ -33,6 +33,7 @@ func newFirewall() (firewallController, error) { ipv6Client: ipv6Client, ingRules: make(serverrulestable), engressRules: make(serverrulestable), + aclRules: make(serverrulestable), } return manager, nil } @@ -43,6 +44,7 @@ func newFirewall() (firewallController, error) { conn: &nftables.Conn{}, ingRules: make(serverrulestable), engressRules: make(serverrulestable), + aclRules: make(serverrulestable), } return manager, nil } 
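Review bot: The two `fmt.Printf("======> ...")` lines and the `fmt.Println("## CHECKING New RULES==>")` added to `ProcessAclRules` print full ACL contents (policy IDs, IP lists, ports) to stdout outside the logger, which is noisy and leaks policy detail into whatever captures process output; the inner `ruleTable := fwCrtl.FetchRuleTable(server, aclTable)` exists only to feed one of them and shadows the outer variable. Replace them with `logger.Log(3, ...)` or delete them. The stale-rule sweep added at the end is the right shape, but it and the `ruleTable[aclRule.ID]` lookups read the map handed back by `FetchRuleTable` while `AddAclRules`/`DeleteAclRule` mutate the stored table under `i.mux`; if two firewall updates can be handled concurrently that is a map read/write race, so either copy the table or serialise `ProcessAclRules`.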
diff --git a/firewall/iptables_linux.go b/firewall/iptables_linux.go index a9de8268..71712c33 100644 --- a/firewall/iptables_linux.go +++ b/firewall/iptables_linux.go @@ -36,6 +36,7 @@ type iptablesManager struct { ipv6Client *iptables.IPTables ingRules serverrulestable engressRules serverrulestable + aclRules serverrulestable mux sync.Mutex } @@ -580,19 +581,28 @@ func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models. } rulesSpec := [][]string{} if len(aclRule.AllowedPorts) > 0 { - if aclRule.AllowedProtocols.String() != "" { - for _, port := range aclRule.AllowedPorts { - ruleSpec := []string{"-s", strings.Join(allowedIps, ",")} + + for _, port := range aclRule.AllowedPorts { + if port == "" { + continue + } + ruleSpec := []string{"-s", strings.Join(allowedIps, ",")} + if aclRule.AllowedProtocols.String() != "" { ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocols.String()) - ruleSpec = append(ruleSpec, "--dport", port) - ruleSpec = append(ruleSpec, "-j", "ACCEPT") - rulesSpec = append(rulesSpec, ruleSpec) } + ruleSpec = append(ruleSpec, "--dport", port) + ruleSpec = append(ruleSpec, "-j", "ACCEPT") + ruleSpec = appendNetmakerCommentToRule(ruleSpec) + rulesSpec = append(rulesSpec, ruleSpec) } + } else { ruleSpec := []string{"-s", strings.Join(allowedIps, ",")} - ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocols.String()) + if aclRule.AllowedProtocols.String() != "" { + ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocols.String()) + } ruleSpec = append(ruleSpec, "-j", "ACCEPT") + ruleSpec = appendNetmakerCommentToRule(ruleSpec) rulesSpec = append(rulesSpec, ruleSpec) } 
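Review bot: In the IPv4 branch of `AddAclRules`, `--dport` is now appended even when `aclRule.AllowedProtocols.String()` is empty, but iptables only accepts `--dport` after `-p tcp`/`-p udp` (or the matching `-m`), so such a rule fails to insert, the failure is merely logged, and the policy silently allows nothing (fail-closed, but invisible to the operator). Guard it: `if proto := aclRule.AllowedProtocols.String(); proto == "" { logger.Log(0, "acl ", aclRule.ID, ": ports set without protocol, skipping"); continue }`. Port strings come straight from the server payload into the argv; that is not a shell-injection vector, but a value like `"80,443"` needs `-m multiport --dports`, so validate or normalise before building the spec.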
@@ -619,19 +629,28 @@ func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models. } rulesSpec := [][]string{} if len(aclRule.AllowedPorts) > 0 { - if aclRule.AllowedProtocols.String() != "" { - for _, port := range aclRule.AllowedPorts { - ruleSpec := []string{"-s", strings.Join(allowedIps, ",")} + + for _, port := range aclRule.AllowedPorts { + if port == "" { + continue + } + ruleSpec := []string{"-s", strings.Join(allowedIps, ",")} + if aclRule.AllowedProtocols.String() != "" { ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocols.String()) - ruleSpec = append(ruleSpec, "--dport", port) - ruleSpec = append(ruleSpec, "-j", "ACCEPT") - rulesSpec = append(rulesSpec, ruleSpec) } + ruleSpec = append(ruleSpec, "--dport", port) + ruleSpec = append(ruleSpec, "-j", "ACCEPT") + ruleSpec = appendNetmakerCommentToRule(ruleSpec) + rulesSpec = append(rulesSpec, ruleSpec) } + } else { ruleSpec := []string{"-s", strings.Join(allowedIps, ",")} - ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocols.String()) + if aclRule.AllowedProtocols.String() != "" { + ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocols.String()) + } ruleSpec = append(ruleSpec, "-j", "ACCEPT") + ruleSpec = appendNetmakerCommentToRule(ruleSpec) rulesSpec = append(rulesSpec, ruleSpec) } @@ -651,6 +670,7 @@ func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models. } } if len(rules) > 0 { + fmt.Printf("====> IN ADDACLRULES: %+v\n", rules) rCfg := rulesCfg{ rulesMap: map[string][]ruleInfo{ aclRule.ID: rules, @@ -660,6 +680,7 @@ func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models. ruleTable[aclRule.ID] = rCfg } } + fmt.Printf("===> AFTER ADDACLRULES: %+v\n", ruleTable) } func (i *iptablesManager) UpsertAclRule(server string, aclRule models.AclRule) { 
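Review bot: The IPv6 branch of `AddAclRules` is now a line-for-line copy of the IPv4 branch (and the same pair is repeated in `UpsertAclRule`), differing only in the IP list and which client the spec is inserted with, so every fix — the `--dport`-without-`-p` case, the comment, the `isIpv4` tag — has to be made four times and has already drifted between copies. Factor the spec construction into one helper and let the two branches just call it and choose the client; the `fmt.Printf("====> IN ADDACLRULES ...")` / `"===> AFTER ADDACLRULES"` lines should go through `logger` or be dropped. `AddAclRules` starts before these hunks.

```go
// aclRuleSpecs builds the iptables rule specs that allow one ACL policy from
// the given source IP list (v4 or v6): one rule per non-empty allowed port, or a
// single protocol-level rule when the policy carries no ports.
func aclRuleSpecs(allowedIps []string, aclRule models.AclRule) [][]string {
	var specs [][]string
	addSpec := func(extra ...string) {
		ruleSpec := []string{"-s", strings.Join(allowedIps, ",")}
		if proto := aclRule.AllowedProtocols.String(); proto != "" {
			ruleSpec = append(ruleSpec, "-p", proto)
		}
		ruleSpec = append(ruleSpec, extra...)
		ruleSpec = append(ruleSpec, "-j", "ACCEPT")
		specs = append(specs, appendNetmakerCommentToRule(ruleSpec))
	}
	if len(aclRule.AllowedPorts) == 0 {
		addSpec()
		return specs
	}
	for _, port := range aclRule.AllowedPorts {
		if port == "" {
			continue
		}
		addSpec("--dport", port)
	}
	return specs
}
// … unchanged: AddAclRules then does `for _, ruleSpec := range aclRuleSpecs(allowedIps, aclRule) { client.Insert(...) }` per client …
```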
@@ -681,35 +702,87 @@ func (i *iptablesManager) UpsertAclRule(server string, aclRule models.AclRule) { for _, ip := range aclRule.IPList { allowedIps = append(allowedIps, ip.String()) } - ruleSpec := []string{"-s", strings.Join(allowedIps, ","), "-j", "ACCEPT"} - err := i.ipv4Client.Insert(defaultIpTable, aclInputRulesChain, 1, ruleSpec...) - if err != nil { - logger.Log(1, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error())) + rulesSpec := [][]string{} + if len(aclRule.AllowedPorts) > 0 { + for _, port := range aclRule.AllowedPorts { + if port == "" { + continue + } + ruleSpec := []string{"-s", strings.Join(allowedIps, ",")} + if aclRule.AllowedProtocols.String() != "" { + ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocols.String()) + } + ruleSpec = append(ruleSpec, "--dport", port) + ruleSpec = append(ruleSpec, "-j", "ACCEPT") + ruleSpec = appendNetmakerCommentToRule(ruleSpec) + rulesSpec = append(rulesSpec, ruleSpec) + } + } else { - rules = append(rules, ruleInfo{ - isIpv4: true, - table: defaultIpTable, - chain: aclInputRulesChain, - rule: ruleSpec, - }) + ruleSpec := []string{"-s", strings.Join(allowedIps, ",")} + if aclRule.AllowedProtocols.String() != "" { + ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocols.String()) + } + ruleSpec = append(ruleSpec, "-j", "ACCEPT") + ruleSpec = appendNetmakerCommentToRule(ruleSpec) + rulesSpec = append(rulesSpec, ruleSpec) + } + for _, ruleSpec := range rulesSpec { + err := i.ipv4Client.Insert(defaultIpTable, aclInputRulesChain, 1, ruleSpec...) 
+ if err != nil { + logger.Log(1, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error())) + } else { + rules = append(rules, ruleInfo{ + isIpv4: true, + table: defaultIpTable, + chain: aclInputRulesChain, + rule: ruleSpec, + }) + } } + } if len(aclRule.IP6List) > 0 { allowedIps := []string{} for _, ip := range aclRule.IP6List { allowedIps = append(allowedIps, ip.String()) } - ruleSpec := []string{"-s", strings.Join(allowedIps, ","), "-j", "ACCEPT"} - err := i.ipv6Client.Insert(defaultIpTable, aclInputRulesChain, 1, ruleSpec...) - if err != nil { - logger.Log(1, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error())) + rulesSpec := [][]string{} + if len(aclRule.AllowedPorts) > 0 { + + for _, port := range aclRule.AllowedPorts { + if port == "" { + continue + } + ruleSpec := []string{"-s", strings.Join(allowedIps, ",")} + if aclRule.AllowedProtocols.String() != "" { + ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocols.String()) + } + ruleSpec = append(ruleSpec, "--dport", port) + ruleSpec = append(ruleSpec, "-j", "ACCEPT") + rulesSpec = append(rulesSpec, ruleSpec) + } + } else { - rules = append(rules, ruleInfo{ - table: defaultIpTable, - chain: aclInputRulesChain, - rule: ruleSpec, - }) + ruleSpec := []string{"-s", strings.Join(allowedIps, ",")} + if aclRule.AllowedProtocols.String() != "" { + ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocols.String()) + } + ruleSpec = append(ruleSpec, "-j", "ACCEPT") + rulesSpec = append(rulesSpec, ruleSpec) + } + for _, ruleSpec := range rulesSpec { + err := i.ipv6Client.Insert(defaultIpTable, aclInputRulesChain, 1, ruleSpec...) + if err != nil { + logger.Log(1, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error())) + } else { + rules = append(rules, ruleInfo{ + table: defaultIpTable, + chain: aclInputRulesChain, + rule: ruleSpec, + }) + } } } if len(rules) > 0 { 
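Review bot: The IPv6 branch of `UpsertAclRule` builds its specs without `appendNetmakerCommentToRule`, unlike the IPv4 branch above it and both branches of `AddAclRules`, so these ip6tables rules carry no netmaker comment and anything that selects rules by that signature will skip them; add `ruleSpec = appendNetmakerCommentToRule(ruleSpec)` before each `rulesSpec = append(rulesSpec, ruleSpec)` in that branch. The `--dport`-without-`-p` failure mode applies here exactly as in `AddAclRules`. The IPv6 `ruleInfo` here carries no `isIpv4` while `AddAclRules` records v6 rules with `isIpv4: true`, so the two entry points bookkeep the same rule differently; pick one convention. `UpsertAclRule` starts before this hunk.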
@@ -814,14 +887,13 @@ func (i *iptablesManager) FetchRuleTable(server string, tableName string) ruleta switch tableName { case ingressTable: rules = i.ingRules[server] - if rules == nil { - rules = make(ruletable) - } case egressTable: rules = i.engressRules[server] - if rules == nil { - rules = make(ruletable) - } + case aclTable: + rules = i.aclRules[server] + } + if rules == nil { + rules = make(ruletable) } return rules } @@ -849,6 +921,8 @@ func (i *iptablesManager) SaveRules(server, tableName string, rules ruletable) { i.ingRules[server] = rules case egressTable: i.engressRules[server] = rules + case aclTable: + i.aclRules[server] = rules } } diff --git a/firewall/nftables_linux.go b/firewall/nftables_linux.go index c2c18eda..935ff6c8 100644 --- a/firewall/nftables_linux.go +++ b/firewall/nftables_linux.go @@ -21,6 +21,7 @@ type nftablesManager struct { conn *nftables.Conn ingRules serverrulestable engressRules serverrulestable + aclRules serverrulestable mux sync.Mutex } @@ -431,14 +432,13 @@ func (n *nftablesManager) FetchRuleTable(server string, tableName string) ruleta switch tableName { case ingressTable: rules = n.ingRules[server] - if rules == nil { - rules = make(ruletable) - } case egressTable: rules = n.engressRules[server] - if rules == nil { - rules = make(ruletable) - } + case aclTable: + rules = n.aclRules[server] + } + if rules == nil { + rules = make(ruletable) } return rules } From 7f63c1af7a62d9dea141cd2c6e3a6d0c5b120f0c Mon Sep 17 00:00:00 2001 From: abhishek9686 Date: Mon, 2 Dec 2024 13:52:09 +0400 Subject: [PATCH 06/24] chain forwarding rules --- firewall/iptables_linux.go | 16 +++++++++------- functions/mqhandlers.go | 3 --- 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/firewall/iptables_linux.go b/firewall/iptables_linux.go index 71712c33..eb56e54c 100644 --- a/firewall/iptables_linux.go +++ b/firewall/iptables_linux.go 
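Review bot: `FetchRuleTable` hands back `i.aclRules[server]` itself — a map, so by reference — or, for an unknown server, a fresh `make(ruletable)` that is never stored; `ProcessAclRules` in acl.go iterates and indexes that map outside `i.mux` while `AddAclRules`/`UpsertAclRule`/`DeleteAclRule` mutate the stored table under the lock through `SaveRules`, so if firewall updates can run concurrently this is a map read/write race that `-race` would report. Either return a copy (a short `for k, v := range rules { out[k] = v }` loop) or require callers to hold the lock, and document it on the method: `// FetchRuleTable returns the live table; callers must not retain it across firewall mutations.` The nftables copy of the method on this line has the same shape.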
@@ -71,11 +71,13 @@ var ( table: defaultIpTable, chain: iptableFWDChain, }, - // { - // rule: []string{"-m", "comment", "--comment", netmakerSignature, "-j", "ACCEPT"}, - // table: defaultIpTable, - // chain: aclInputRulesChain, - // }, + { + rule: []string{"-o", ncutils.GetInterfaceName(), "-j", aclOutputRulesChain, + "-m", "comment", "--comment", netmakerSignature}, + table: defaultIpTable, + chain: iptableFWDChain, + }, + { rule: []string{"-m", "comment", "--comment", netmakerSignature, "-j", "ACCEPT"}, table: defaultIpTable, @@ -173,7 +175,7 @@ func (i *iptablesManager) ForwardRule() error { // Set the policy To accept on forward chain iptablesClient.ChangePolicy(defaultIpTable, iptableFWDChain, "ACCEPT") - ruleSpec := []string{"-i", "netmaker", "-j", "ACCEPT"} + ruleSpec := []string{"-i", "netmaker", "-j", aclInputRulesChain} ruleSpec = appendNetmakerCommentToRule(ruleSpec) ok, err := i.ipv4Client.Exists(defaultIpTable, iptableFWDChain, ruleSpec...) if err == nil && !ok { @@ -187,7 +189,7 @@ func (i *iptablesManager) ForwardRule() error { logger.Log(1, fmt.Sprintf("failed to add rule: %v Err: %v", ruleSpec, err.Error())) } } - ruleSpec = []string{"-o", "netmaker", "-j", "ACCEPT"} + ruleSpec = []string{"-o", "netmaker", "-j", aclOutputRulesChain} ruleSpec = appendNetmakerCommentToRule(ruleSpec) ok, err = i.ipv4Client.Exists(defaultIpTable, iptableFWDChain, ruleSpec...) if err == nil && !ok { diff --git a/functions/mqhandlers.go b/functions/mqhandlers.go index 516fdde5..5ce74b4c 100644 --- a/functions/mqhandlers.go +++ b/functions/mqhandlers.go @@ -529,9 +529,6 @@ func handleFwUpdate(server string, payload *models.FwUpdate) { firewall.ProcessIngressUpdate(server, payload.IngressInfo) } else { firewall.RemoveIngressRoutingRules(server) - } - if payload.AllowAll { - } firewall.ProcessAclRules(server, payload) From 658ca9eedede2f9b8950dae33cd32b68dfaca9d7 Mon Sep 17 00:00:00 2001 
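Review bot: ForwardRule still hardcodes the interface as the literal `"netmaker"` in both rewritten specs, `ruleSpec := []string{"-i", "netmaker", "-j", aclInputRulesChain}` and its `-o` counterpart, while the new jump rule at the top of this hunk uses `ncutils.GetInterfaceName()`; if the two ever differ, the jumps into the ACL chains never match and the `ChangePolicy(..., "ACCEPT")` on the line above lets that traffic through unfiltered. Use `ncutils.GetInterfaceName()` in both specs so the three rules agree. Note also that with the FORWARD policy at ACCEPT, a packet that returns from aclInputRulesChain or aclOutputRulesChain without a verdict is accepted, so the ACL chains only fail closed if they end in a DROP, which this hunk does not show. ForwardRule continues outside the hunk.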
From: abhishek9686 Date: Mon, 2 Dec 2024 16:30:20 +0400 Subject: [PATCH 07/24] configure adv rules for user policies --- firewall/acl.go | 2 +- firewall/iptables_linux.go | 83 +++++++++++++++++++++++++------------- go.mod | 2 +- go.sum | 2 + 4 files changed, 58 insertions(+), 31 deletions(-) diff --git a/firewall/acl.go b/firewall/acl.go index e315a997..07537436 100644 --- a/firewall/acl.go +++ b/firewall/acl.go @@ -41,7 +41,7 @@ func ProcessAclRules(server string, fwUpdate *models.FwUpdate) { (!reflect.DeepEqual(localAclRule.IP6List, aclRule.IP6List)) || (len(localAclRule.AllowedPorts) != len(aclRule.AllowedPorts)) || (!reflect.DeepEqual(localAclRule.AllowedPorts, aclRule.AllowedPorts)) || - (aclRule.AllowedProtocols != localAclRule.AllowedProtocols) || + (aclRule.AllowedProtocol != localAclRule.AllowedProtocol) || (localAclRule.Direction) != aclRule.Direction { fwCrtl.DeleteAclRule(server, aclRule.ID) fwCrtl.UpsertAclRule(server, aclRule) diff --git a/firewall/iptables_linux.go b/firewall/iptables_linux.go index eb56e54c..5b51e54a 100644 --- a/firewall/iptables_linux.go +++ b/firewall/iptables_linux.go 
@@ -502,20 +502,45 @@ func (i *iptablesManager) InsertIngressRoutingRules(server string, ingressInfo m if rule.SrcIP.IP.To4() == nil { iptablesClient = i.ipv6Client } - ruleSpec := []string{"-s", rule.SrcIP.String(), "-d", - rule.DstIP.String(), "-j", "ACCEPT"} - ruleSpec = appendNetmakerCommentToRule(ruleSpec) - // to avoid duplicate iface route rule,delete if exists - iptablesClient.DeleteIfExists(defaultIpTable, aclInputRulesChain, ruleSpec...) - err := iptablesClient.Insert(defaultIpTable, aclInputRulesChain, 1, ruleSpec...) - if err != nil { - logger.Log(1, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error())) + rulesSpec := [][]string{} + if len(rule.AllowedPorts) > 0 { + + for _, port := range rule.AllowedPorts { + if port == "" { + continue + } + ruleSpec := []string{"-s", rule.SrcIP.String()} + if rule.AllowedProtocol.String() != "" { + ruleSpec = append(ruleSpec, "-p", rule.AllowedProtocol.String()) + } + ruleSpec = append(ruleSpec, "--dport", port) + ruleSpec = append(ruleSpec, "-j", "ACCEPT") + ruleSpec = appendNetmakerCommentToRule(ruleSpec) + rulesSpec = append(rulesSpec, ruleSpec) + } + } else { - ingressGwRoutes = append(ingressGwRoutes, ruleInfo{ - table: defaultIpTable, - chain: aclInputRulesChain, - rule: ruleSpec, - }) + ruleSpec := []string{"-s", rule.SrcIP.String()} + if rule.AllowedProtocol.String() != "" { + ruleSpec = append(ruleSpec, "-p", rule.AllowedProtocol.String()) + } + ruleSpec = append(ruleSpec, "-j", "ACCEPT") + ruleSpec = appendNetmakerCommentToRule(ruleSpec) + rulesSpec = append(rulesSpec, ruleSpec) + } + for _, ruleSpec := range rulesSpec { + // to avoid duplicate iface route rule,delete if exists + iptablesClient.DeleteIfExists(defaultIpTable, aclInputRulesChain, ruleSpec...) + err := iptablesClient.Insert(defaultIpTable, aclInputRulesChain, 1, ruleSpec...) 
+ if err != nil { + logger.Log(1, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error())) + } else { + ingressGwRoutes = append(ingressGwRoutes, ruleInfo{ + table: defaultIpTable, + chain: aclInputRulesChain, + rule: ruleSpec, + }) + } } } @@ -589,8 +614,8 @@ func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models. continue } ruleSpec := []string{"-s", strings.Join(allowedIps, ",")} - if aclRule.AllowedProtocols.String() != "" { - ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocols.String()) + if aclRule.AllowedProtocol.String() != "" { + ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String()) } ruleSpec = append(ruleSpec, "--dport", port) ruleSpec = append(ruleSpec, "-j", "ACCEPT") @@ -600,8 +625,8 @@ func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models. } else { ruleSpec := []string{"-s", strings.Join(allowedIps, ",")} - if aclRule.AllowedProtocols.String() != "" { - ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocols.String()) + if aclRule.AllowedProtocol.String() != "" { + ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String()) } ruleSpec = append(ruleSpec, "-j", "ACCEPT") ruleSpec = appendNetmakerCommentToRule(ruleSpec) @@ -637,8 +662,8 @@ func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models. continue } ruleSpec := []string{"-s", strings.Join(allowedIps, ",")} - if aclRule.AllowedProtocols.String() != "" { - ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocols.String()) + if aclRule.AllowedProtocol.String() != "" { + ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String()) } ruleSpec = append(ruleSpec, "--dport", port) ruleSpec = append(ruleSpec, "-j", "ACCEPT") 
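Review bot: The rewritten ingress rule no longer matches the destination: the removed spec carried `"-d", rule.DstIP.String()`, while both new branches start from `ruleSpec := []string{"-s", rule.SrcIP.String()}` alone, so an allowed source is now accepted toward anything that reaches aclInputRulesChain rather than just rule.DstIP. Unless DstIP is intentionally obsolete, both branches should read `ruleSpec := []string{"-s", rule.SrcIP.String(), "-d", rule.DstIP.String()}`. Separately, iptables only accepts `--dport` under `-p tcp`, `-p udp` or `-p sctp`, so when AllowedPorts is set but `rule.AllowedProtocol.String()` is empty the Insert fails and only the log line records it; the same combination appears in the AddAclRules hunks below on this line and in the UpsertAclRule hunks on the next. InsertIngressRoutingRules begins before and ends after this hunk.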
@@ -648,8 +673,8 @@ func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models. } else { ruleSpec := []string{"-s", strings.Join(allowedIps, ",")} - if aclRule.AllowedProtocols.String() != "" { - ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocols.String()) + if aclRule.AllowedProtocol.String() != "" { + ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String()) } ruleSpec = append(ruleSpec, "-j", "ACCEPT") ruleSpec = appendNetmakerCommentToRule(ruleSpec) @@ -711,8 +736,8 @@ func (i *iptablesManager) UpsertAclRule(server string, aclRule models.AclRule) { continue } ruleSpec := []string{"-s", strings.Join(allowedIps, ",")} - if aclRule.AllowedProtocols.String() != "" { - ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocols.String()) + if aclRule.AllowedProtocol.String() != "" { + ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String()) } ruleSpec = append(ruleSpec, "--dport", port) ruleSpec = append(ruleSpec, "-j", "ACCEPT") @@ -722,8 +747,8 @@ func (i *iptablesManager) UpsertAclRule(server string, aclRule models.AclRule) { } else { ruleSpec := []string{"-s", strings.Join(allowedIps, ",")} - if aclRule.AllowedProtocols.String() != "" { - ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocols.String()) + if aclRule.AllowedProtocol.String() != "" { + ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String()) } ruleSpec = append(ruleSpec, "-j", "ACCEPT") ruleSpec = appendNetmakerCommentToRule(ruleSpec) @@ -758,8 +783,8 @@ func (i *iptablesManager) UpsertAclRule(server string, aclRule models.AclRule) { continue } ruleSpec := []string{"-s", strings.Join(allowedIps, ",")} - if aclRule.AllowedProtocols.String() != "" { - ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocols.String()) + if aclRule.AllowedProtocol.String() != "" { + ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String()) } ruleSpec = append(ruleSpec, "--dport", port) ruleSpec = append(ruleSpec, "-j", "ACCEPT") 
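Review bot: The same rule construction (`-s` sources, optional `-p`, optional `--dport`, `-j ACCEPT`) is repeated in every branch of AddAclRules and UpsertAclRule, for IPv4 and IPv6 and for the ports and no-ports cases, which is why this rename touches eight near-identical hunks and why the branches are already drifting apart in what they append. Folding the construction into one helper would make a change like this one line and keep every branch identical by construction. AddAclRules and UpsertAclRule both start and end outside these hunks.
```go
// buildAclRuleSpec renders one ACCEPT rule for the given source list, with the
// protocol and destination port added only when they are set.
func buildAclRuleSpec(sources []string, proto, port string) []string {
	spec := []string{"-s", strings.Join(sources, ",")}
	if proto != "" {
		spec = append(spec, "-p", proto)
	}
	if port != "" {
		spec = append(spec, "--dport", port)
	}
	return append(spec, "-j", "ACCEPT")
}
// … unchanged: per-branch loops now call buildAclRuleSpec(allowedIps, aclRule.AllowedProtocol.String(), port) …
```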
@@ -768,8 +793,8 @@ func (i *iptablesManager) UpsertAclRule(server string, aclRule models.AclRule) { } else { ruleSpec := []string{"-s", strings.Join(allowedIps, ",")} - if aclRule.AllowedProtocols.String() != "" { - ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocols.String()) + if aclRule.AllowedProtocol.String() != "" { + ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String()) } ruleSpec = append(ruleSpec, "-j", "ACCEPT") rulesSpec = append(rulesSpec, ruleSpec) diff --git a/go.mod b/go.mod index d63df5b9..b167e3ad 100644 --- a/go.mod +++ b/go.mod @@ -14,7 +14,7 @@ require ( github.com/google/nftables v0.2.0 github.com/google/uuid v1.6.0 github.com/gorilla/websocket v1.5.3 - github.com/gravitl/netmaker v0.26.1-0.20241128115930-a3cfeccd1f62 + github.com/gravitl/netmaker v0.26.1-0.20241202121011-e2265eafc760 github.com/gravitl/tcping v0.1.2-0.20230801110928-546055ebde06 github.com/guumaster/hostctl v1.1.4 github.com/hashicorp/go-version v1.7.0 diff --git a/go.sum b/go.sum index be65a993..e3afe78d 100644 --- a/go.sum +++ b/go.sum 
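Review bot: The IPv6 no-ports branch of UpsertAclRule shown here appends `"-j", "ACCEPT"` and goes straight to `rulesSpec = append(rulesSpec, ruleSpec)`, skipping the `ruleSpec = appendNetmakerCommentToRule(ruleSpec)` call that the corresponding branches on the previous line apply. Rules without the netmaker comment are presumably not recognised as netmaker-owned by whatever cleanup keys on that signature, so rules from this branch may outlive a flush; add `ruleSpec = appendNetmakerCommentToRule(ruleSpec)` before the append to match the other branches. UpsertAclRule begins and ends outside the hunk.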
@@ -100,6 +100,8 @@ github.com/gravitl/netmaker v0.26.1-0.20241128044908-a91bf8184ca1 h1:ZosmoHGzZON github.com/gravitl/netmaker v0.26.1-0.20241128044908-a91bf8184ca1/go.mod h1:J5tvCRmUXFnv3qmmgrGZTmj0GLst+W0kHqUjgtr+G9M= github.com/gravitl/netmaker v0.26.1-0.20241128115930-a3cfeccd1f62 h1:ruM4W2Jh0vxL54LEauD9vrnj5xPhUHvy8mgzFtz9B3g= github.com/gravitl/netmaker v0.26.1-0.20241128115930-a3cfeccd1f62/go.mod h1:J5tvCRmUXFnv3qmmgrGZTmj0GLst+W0kHqUjgtr+G9M= +github.com/gravitl/netmaker v0.26.1-0.20241202121011-e2265eafc760 h1:HhPzhshmk3q75zmvoyOHArW3kFYcbGG/+nEBgrQuuRQ= +github.com/gravitl/netmaker v0.26.1-0.20241202121011-e2265eafc760/go.mod h1:J5tvCRmUXFnv3qmmgrGZTmj0GLst+W0kHqUjgtr+G9M= github.com/gravitl/tcping v0.1.2-0.20230801110928-546055ebde06 h1:g2fBXRNT9eiQohyHcoME3SVmeG7OKoJPWrs7A+009kU= github.com/gravitl/tcping v0.1.2-0.20230801110928-546055ebde06/go.mod h1:12iViYKWAzRPj5/oEGAaD7Wje+Nuz8M9eDJbV7qhKAA= github.com/guumaster/hostctl v1.1.4 h1:4zb9wEurBlz/hQiXFz9feHHfunf7oj+9serAH8ohGuM= From 8ae3cbbdd6c1064eeaa770e5bf951858d6935cce Mon Sep 17 00:00:00 2001 From: abhishek9686 Date: Wed, 4 Dec 2024 07:23:32 +0400 Subject: [PATCH 08/24] nftable rules --- firewall/nftables_linux.go | 144 ++++++++++++++++++++++++++----------- 1 file changed, 101 insertions(+), 43 deletions(-) diff --git a/firewall/nftables_linux.go b/firewall/nftables_linux.go index 935ff6c8..9281d381 100644 --- a/firewall/nftables_linux.go +++ b/firewall/nftables_linux.go 
@@ -59,46 +59,72 @@ var ( }, } nfFilterJumpRules = []ruleInfo{ - // { - // nfRule: &nftables.Rule{ - // Table: filterTable, - // Chain: &nftables.Chain{Name: netmakerFilterChain}, - // Exprs: []expr.Any{ - // &expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1}, - // &expr.Cmp{ - // Op: expr.CmpOpEq, - // Register: 1, - // Data: []byte(ncutils.GetInterfaceName() + "\x00"), - // }, - // &expr.Counter{}, - // &expr.Verdict{Kind: expr.VerdictReturn}, - // }, - // UserData: []byte(genRuleKey("-i", ncutils.GetInterfaceName(), "-j", "RETURN")), - // }, - // rule: []string{"-i", ncutils.GetInterfaceName(), "-j", "RETURN"}, - // table: defaultIpTable, - // chain: netmakerFilterChain, - // }, - // { - // nfRule: &nftables.Rule{ - // Table: filterTable, - // Chain: &nftables.Chain{Name: iptableFWDChain}, - // Exprs: []expr.Any{ - // &expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1}, - // &expr.Cmp{ - // Op: expr.CmpOpEq, - // Register: 1, - // Data: []byte(ncutils.GetInterfaceName() + "\x00"), - // }, - // &expr.Counter{}, - // &expr.Verdict{Kind: expr.VerdictJump, Chain: netmakerFilterChain}, - // }, - // UserData: []byte(genRuleKey("-i", ncutils.GetInterfaceName(), "-j", netmakerFilterChain)), - // }, - // rule: []string{"-i", ncutils.GetInterfaceName(), "-j", netmakerFilterChain}, - // table: defaultIpTable, - // chain: netmakerFilterChain, - // }, + { + nfRule: &nftables.Rule{ + Table: filterTable, + Chain: &nftables.Chain{Name: iptableINChain}, + Exprs: []expr.Any{ + &expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1}, + &expr.Cmp{ + Op: expr.CmpOpEq, + Register: 1, + Data: []byte(ncutils.GetInterfaceName() + "\x00"), + }, + &expr.Counter{}, + &expr.Verdict{ + Kind: expr.VerdictJump, + Chain: aclInputRulesChain, + }, + }, + UserData: []byte(genRuleKey("-i", ncutils.GetInterfaceName(), "-j", aclInputRulesChain)), + }, + rule: []string{"-i", ncutils.GetInterfaceName(), "-j", aclInputRulesChain}, + table: defaultIpTable, + chain: netmakerFilterChain, + }, + { + nfRule: 
&nftables.Rule{ + Table: filterTable, + Chain: &nftables.Chain{Name: iptableFWDChain}, + Exprs: []expr.Any{ + &expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1}, + &expr.Cmp{ + Op: expr.CmpOpEq, + Register: 1, + Data: []byte(ncutils.GetInterfaceName() + "\x00"), + }, + &expr.Counter{}, + &expr.Verdict{ + Kind: expr.VerdictJump, + Chain: aclInputRulesChain, + }, + }, + UserData: []byte(genRuleKey("-i", ncutils.GetInterfaceName(), "-j", aclInputRulesChain)), + }, + rule: []string{"-i", ncutils.GetInterfaceName(), "-j", aclInputRulesChain}, + table: defaultIpTable, + chain: netmakerFilterChain, + }, + { + nfRule: &nftables.Rule{ + Table: filterTable, + Chain: &nftables.Chain{Name: iptableFWDChain}, + Exprs: []expr.Any{ + &expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1}, + &expr.Cmp{ + Op: expr.CmpOpEq, + Register: 1, + Data: []byte(ncutils.GetInterfaceName() + "\x00"), + }, + &expr.Counter{}, + &expr.Verdict{Kind: expr.VerdictJump, Chain: netmakerFilterChain}, + }, + UserData: []byte(genRuleKey("-i", ncutils.GetInterfaceName(), "-j", netmakerFilterChain)), + }, + rule: []string{"-i", ncutils.GetInterfaceName(), "-j", netmakerFilterChain}, + table: defaultIpTable, + chain: netmakerFilterChain, + }, } // nat table nm jump rules nfNatJumpRules = []ruleInfo{ @@ -188,6 +214,7 @@ func (n *nftablesManager) CreateChains() error { Hooknum: nftables.ChainHookInput, Priority: nftables.ChainPriorityFilter, }) + n.conn.AddChain(&nftables.Chain{ Name: "OUTPUT", Table: filterTable, @@ -232,7 +259,14 @@ func (n *nftablesManager) CreateChains() error { Table: filterTable, } n.conn.AddChain(filterChain) - + n.conn.AddChain(&nftables.Chain{ + Name: aclInputRulesChain, + Table: filterTable, + }) + n.conn.AddChain(&nftables.Chain{ + Name: aclOutputRulesChain, + Table: filterTable, + }) natChain := &nftables.Chain{ Name: netmakerNatChain, Table: natTable, 
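Review bot: nfFilterJumpRules has no comment saying what its three entries are for, and the second and third entries match exactly the same packets (IIFNAME on the FORWARD chain) with different jump targets, so a reader cannot tell whether evaluating both is intended or one is a leftover. A comment above the slice such as `// nfFilterJumpRules hooks traffic on the netmaker interface from the INPUT and FORWARD chains into the ACL chains` and one line per entry naming its hook and direction would make the intent checkable, and the bookkeeping `chain:` fields would then be easy to verify against each nfRule's Chain. The enclosing var block starts before the hunk.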
@@ -254,7 +288,7 @@ func (n *nftablesManager) ForwardRule() error { } n.conn.AddRule(&nftables.Rule{ Table: filterTable, - Chain: &nftables.Chain{Name: iptableFWDChain}, + Chain: &nftables.Chain{Name: iptableINChain}, Exprs: []expr.Any{ &expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1}, @@ -263,7 +297,31 @@ func (n *nftablesManager) ForwardRule() error { Register: 1, Data: []byte(ncutils.GetInterfaceName() + "\x00"), }, - &expr.Verdict{Kind: expr.VerdictAccept}, + &expr.Verdict{ + Kind: expr.VerdictJump, + Chain: aclInputRulesChain, + }, + }, + }) + n.conn.AddRule(&nftables.Rule{ + Table: filterTable, + Chain: &nftables.Chain{Name: iptableFWDChain}, + Exprs: []expr.Any{ + // Match packets going out via the "netmaker" interface + &expr.Meta{ + Key: expr.MetaKeyOIFNAME, // Output interface name + Register: 1, + }, + &expr.Cmp{ + Op: expr.CmpOpEq, + Register: 1, + Data: []byte(ncutils.GetInterfaceName() + "\x00"), + }, + // Jump to the "aclRules" chain + &expr.Verdict{ + Kind: expr.VerdictJump, + Chain: aclOutputRulesChain, + }, }, }) return n.conn.Flush() From b858502c7432fdaed8cee77f05cecefa8e35b36b Mon Sep 17 00:00:00 2001 From: abhishek9686 Date: Wed, 4 Dec 2024 08:12:17 +0400 Subject: [PATCH 09/24] add nftable jump rules for acl chain --- firewall/nftables_linux.go | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/firewall/nftables_linux.go b/firewall/nftables_linux.go index 9281d381..bc2c2b7a 100644 --- a/firewall/nftables_linux.go +++ b/firewall/nftables_linux.go @@ -40,7 +40,7 @@ var ( { nfRule: &nftables.Rule{ Table: filterTable, - Chain: &nftables.Chain{Name: netmakerFilterChain}, + Chain: &nftables.Chain{Name: aclInputRulesChain}, Exprs: []expr.Any{ &expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1}, &expr.Cmp{ @@ -55,7 +55,7 @@ var ( }, rule: []string{"-i", ncutils.GetInterfaceName(), "-j", "DROP"}, table: defaultIpTable, - chain: netmakerFilterChain, + chain: aclInputRulesChain, }, } nfFilterJumpRules = []ruleInfo{ 
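Review bot: The comment `// Jump to the "aclRules" chain` on the new FORWARD rule names a chain that does not appear in this hunk; the verdict jumps to aclOutputRulesChain, so the comment should say that, and `// Match packets going out via the "netmaker" interface` should refer to `ncutils.GetInterfaceName()` rather than a literal name. Both rules added in ForwardRule also carry no UserData, unlike the nfFilterJumpRules entries, so the key-based deleteRule used elsewhere in this file presumably cannot find them and each ForwardRule call adds another copy; consider `UserData: []byte(genRuleKey("-o", ncutils.GetInterfaceName(), "-j", aclOutputRulesChain))` on the new rule and the `-i` equivalent on the INPUT one. ForwardRule begins before this hunk.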
@@ -80,7 +80,7 @@ var ( }, rule: []string{"-i", ncutils.GetInterfaceName(), "-j", aclInputRulesChain}, table: defaultIpTable, - chain: netmakerFilterChain, + chain: iptableINChain, }, { nfRule: &nftables.Rule{ @@ -103,27 +103,30 @@ var ( }, rule: []string{"-i", ncutils.GetInterfaceName(), "-j", aclInputRulesChain}, table: defaultIpTable, - chain: netmakerFilterChain, + chain: iptableFWDChain, }, { nfRule: &nftables.Rule{ Table: filterTable, Chain: &nftables.Chain{Name: iptableFWDChain}, Exprs: []expr.Any{ - &expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1}, + &expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1}, &expr.Cmp{ Op: expr.CmpOpEq, Register: 1, Data: []byte(ncutils.GetInterfaceName() + "\x00"), }, &expr.Counter{}, - &expr.Verdict{Kind: expr.VerdictJump, Chain: netmakerFilterChain}, + &expr.Verdict{ + Kind: expr.VerdictJump, + Chain: aclOutputRulesChain, + }, }, - UserData: []byte(genRuleKey("-i", ncutils.GetInterfaceName(), "-j", netmakerFilterChain)), + UserData: []byte(genRuleKey("-o", ncutils.GetInterfaceName(), "-j", aclOutputRulesChain)), }, - rule: []string{"-i", ncutils.GetInterfaceName(), "-j", netmakerFilterChain}, + rule: []string{"-o", ncutils.GetInterfaceName(), "-j", aclOutputRulesChain}, table: defaultIpTable, - chain: netmakerFilterChain, + chain: iptableFWDChain, }, } // nat table nm jump rules From 357a00505f926f0e043b94ebc02764b68aef59e7 Mon Sep 17 00:00:00 2001 From: abhishek9686 Date: Wed, 4 Dec 2024 10:53:10 +0400 Subject: [PATCH 10/24] add adv options to ingress rules --- firewall/iptables_linux.go | 40 --- firewall/nftables_linux.go | 488 +++++++++++++++---------------------- 2 files changed, 201 insertions(+), 327 deletions(-) diff --git a/firewall/iptables_linux.go b/firewall/iptables_linux.go index 5b51e54a..b561d6c1 100644 --- a/firewall/iptables_linux.go +++ b/firewall/iptables_linux.go 
@@ -454,46 +454,6 @@ func (i *iptablesManager) InsertIngressRoutingRules(server string, ingressInfo m } } ingressGwRoutes := []ruleInfo{} - // for _, ip := range ingressInfo.StaticNodeIps { - // iptablesClient := i.ipv4Client - // networks := []string{ingressInfo.Network.String()} - // for _, egressNet := range ingressInfo.EgressRanges { - // networks = append(networks, egressNet.String()) - // } - // if ip.To4() == nil { - // networks = []string{ingressInfo.Network6.String()} - // for _, egressNet := range ingressInfo.EgressRanges6 { - // networks = append(networks, egressNet.String()) - // } - // iptablesClient = i.ipv6Client - // } - // ruleSpec := []string{"-s", ip.String(), "-d", strings.Join(networks, ","), "-j", netmakerFilterChain} - // ruleSpec = appendNetmakerCommentToRule(ruleSpec) - // // to avoid duplicate iface route rule,delete if exists - // iptablesClient.DeleteIfExists(defaultIpTable, iptableFWDChain, ruleSpec...) - // err := iptablesClient.Insert(defaultIpTable, iptableFWDChain, 1, ruleSpec...) - // if err != nil { - // logger.Log(1, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error())) - // } else { - // ingressGwRoutes = append(ingressGwRoutes, ruleInfo{ - // table: defaultIpTable, - // chain: iptableFWDChain, - // rule: ruleSpec, - // }) - // } - // // to avoid duplicate iface route rule,delete if exists - // iptablesClient.DeleteIfExists(defaultIpTable, iptableINChain, ruleSpec...) - // err = iptablesClient.Insert(defaultIpTable, iptableINChain, 1, ruleSpec...) - // if err != nil { - // logger.Log(1, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error())) - // } else { - // ingressGwRoutes = append(ingressGwRoutes, ruleInfo{ - // table: defaultIpTable, - // chain: iptableINChain, - // rule: ruleSpec, - // }) - // } - // } for _, rule := range ingressInfo.Rules { if !rule.Allow { continue diff --git a/firewall/nftables_linux.go b/firewall/nftables_linux.go index bc2c2b7a..b6a7272d 100644 
--- a/firewall/nftables_linux.go +++ b/firewall/nftables_linux.go @@ -1,11 +1,14 @@ package firewall import ( + "encoding/binary" "errors" "fmt" "log" + "strconv" "strings" "sync" + "syscall" "golang.org/x/exp/slog" 
@@ -665,320 +668,230 @@ func genRuleKey(rule ...string) string { return strings.Join(rule, ":") } -func (n *nftablesManager) InsertIngressRoutingRules(server string, ingressInfo models.IngressInfo) error { - ruleTable := n.FetchRuleTable(server, ingressTable) - defer n.SaveRules(server, ingressTable, ruleTable) - n.mux.Lock() - defer n.mux.Unlock() - var ingressRules rulesCfg - var ok bool - ingressRules, ok = ruleTable[ingressInfo.IngressID] - if !ok { - ingressRules = rulesCfg{ - rulesMap: make(map[string][]ruleInfo), +func (n *nftablesManager) getExprForProto(proto models.Protocol, isv4 bool) []expr.Any { + + ipNetHeaderExpr := &expr.Payload{ + DestRegister: 1, + Base: expr.PayloadBaseNetworkHeader, + Offset: 9, // Offset for protocol in IPv4 header + Len: 1, // Protocol field length + } + if !isv4 { + ipNetHeaderExpr = &expr.Payload{ + DestRegister: 1, + Base: expr.PayloadBaseNetworkHeader, + Offset: 6, // Offset for "Next Header" field in IPv6 header + Len: 1, // Length of the "Next Header" field } } - ingressGwRoutes := []ruleInfo{} - for _, ip := range ingressInfo.StaticNodeIps { - network := ingressInfo.Network.String() - if ip.To4() == nil { - network = ingressInfo.Network6.String() + var protoExpr *expr.Cmp + switch proto { + case models.UDP: + + protoExpr = &expr.Cmp{ + Register: 1, + Op: expr.CmpOpEq, + Data: []byte{syscall.IPPROTO_UDP}, // UDP protocol number } - ruleSpec := []string{"-s", ip.String(), "-d", network, "-j", netmakerFilterChain} - ruleSpec = appendNetmakerCommentToRule(ruleSpec) - n.deleteRule(defaultIpTable, iptableINChain, genRuleKey(ruleSpec...)) - // to avoid duplicate iface route rule,delete if exists - rule := &nftables.Rule{} - if ip.To4() != nil { - rule = &nftables.Rule{ - Table: filterTable, - Chain: &nftables.Chain{Name: iptableINChain}, - Exprs: []expr.Any{ - // Match packets from source IP 100.59.157.250/32 - &expr.Payload{ - DestRegister: 1, - Base: expr.PayloadBaseNetworkHeader, - Offset: 12, // Source IP offset - Len: 4, 
// IPv4 address size - }, - &expr.Cmp{ - Op: expr.CmpOpEq, - Register: 1, - Data: ip.To4(), - }, - // Match packets to destination IP 100.59.157.0/24 using Bitwise operation - &expr.Payload{ - DestRegister: 1, - Base: expr.PayloadBaseNetworkHeader, - Offset: 16, // Destination IP offset - Len: 4, // IPv4 address size - }, - // Apply a bitwise AND operation to match the subnet - &expr.Bitwise{ - SourceRegister: 1, - DestRegister: 1, - Len: 4, // Length of the IPv4 address - Mask: ingressInfo.Network.Mask, // /24 subnet mask - Xor: []byte{0, 0, 0, 0}, // No XOR - }, - &expr.Cmp{ - Op: expr.CmpOpEq, - Register: 1, - Data: ingressInfo.Network.IP.To4(), - }, - // Jump to the netmakerfilter chain - &expr.Verdict{ - Kind: expr.VerdictJump, - Chain: netmakerFilterChain, // Jump to the netmakerfilter chain - }, - }, - UserData: []byte(genRuleKey(ruleSpec...)), // Equivalent to the comment in iptables + + case models.TCP: + protoExpr = &expr.Cmp{ + Register: 1, + Op: expr.CmpOpEq, + Data: []byte{syscall.IPPROTO_TCP}, // TCP protocol number + } + case models.ICMP: + if isv4 { + protoExpr = &expr.Cmp{ + Register: 1, + Op: expr.CmpOpEq, + Data: []byte{syscall.IPPROTO_ICMP}, // ICMP protocol number } } else { - rule = &nftables.Rule{ - Table: filterTable, - Chain: &nftables.Chain{Name: iptableINChain}, - Exprs: []expr.Any{ - // Match packets from source IP 2001:db8::1/128 - &expr.Payload{ - DestRegister: 1, - Base: expr.PayloadBaseNetworkHeader, - Offset: 8, // IPv6 Source IP offset - Len: 16, // IPv6 address length - }, - &expr.Cmp{ - Op: expr.CmpOpEq, - Register: 1, - Data: ip.To16(), // IPv6 source address - }, - // Match packets to destination IP 2001:db8::/64 using Bitwise operation - &expr.Payload{ - DestRegister: 1, - Base: expr.PayloadBaseNetworkHeader, - Offset: 24, // IPv6 Destination IP offset - Len: 16, // IPv6 address length - }, - // Apply a bitwise AND operation to match the subnet - &expr.Bitwise{ - SourceRegister: 1, - DestRegister: 1, - Len: 16, // Length of 
the IPv6 address - Mask: ingressInfo.Network6.Mask, // /64 subnet mask - Xor: []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, // No XOR - }, - &expr.Cmp{ - Op: expr.CmpOpEq, - Register: 1, - Data: ingressInfo.Network6.IP.To16(), // IPv6 destination network - }, - // Jump to the netmakerfilter chain - &expr.Verdict{ - Kind: expr.VerdictJump, - Chain: netmakerFilterChain, // Jump to the netmakerfilter chain - }, - }, - UserData: []byte(genRuleKey(ruleSpec...)), // Equivalent to the comment in iptables + protoExpr = &expr.Cmp{ + Register: 1, + Op: expr.CmpOpEq, + Data: []byte{syscall.IPPROTO_ICMPV6}, // ICMP protocol number } } + } + return []expr.Any{ + ipNetHeaderExpr, + protoExpr, + } +} - n.conn.InsertRule(rule) - if err := n.conn.Flush(); err != nil { - logger.Log(0, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error())) - } else { - ingressGwRoutes = append(ingressGwRoutes, ruleInfo{ - nfRule: rule, - table: defaultIpTable, - chain: iptableINChain, - rule: ruleSpec, - }) - } - - // rule for FWD chain - n.deleteRule(defaultIpTable, iptableFWDChain, genRuleKey(ruleSpec...)) - if ip.To4() != nil { - rule = &nftables.Rule{ - Table: filterTable, - Chain: &nftables.Chain{Name: iptableFWDChain}, - Exprs: []expr.Any{ - // Match packets from source IP 100.59.157.250/32 - &expr.Payload{ - DestRegister: 1, - Base: expr.PayloadBaseNetworkHeader, - Offset: 12, // Source IP offset - Len: 4, // IPv4 address size - }, - &expr.Cmp{ - Op: expr.CmpOpEq, - Register: 1, - Data: ip.To4(), - }, - // Match packets to destination IP 100.59.157.0/24 using Bitwise operation - &expr.Payload{ - DestRegister: 1, - Base: expr.PayloadBaseNetworkHeader, - Offset: 16, // Destination IP offset - Len: 4, // IPv4 address size - }, - // Apply a bitwise AND operation to match the subnet - &expr.Bitwise{ - SourceRegister: 1, - DestRegister: 1, - Len: 4, // Length of the IPv4 address - Mask: ingressInfo.Network.Mask, // /24 subnet mask - Xor: []byte{0, 0, 0, 0}, // No XOR - }, 
- &expr.Cmp{ - Op: expr.CmpOpEq, - Register: 1, - Data: ingressInfo.Network.IP.To4(), - }, - // Jump to the netmakerfilter chain - &expr.Verdict{ - Kind: expr.VerdictJump, - Chain: netmakerFilterChain, // Jump to the netmakerfilter chain - }, - }, - UserData: []byte(genRuleKey(ruleSpec...)), // Equivalent to the comment in iptables +func (n *nftablesManager) getExprForPort(ports []string) []expr.Any { + var e []expr.Any + + ipTransPortHeader := &expr.Payload{ + DestRegister: 1, + Base: expr.PayloadBaseTransportHeader, + Offset: 2, // Offset for destination port in TCP header + Len: 2, // Port field length + } + for _, port := range ports { + + if strings.Contains(port, "-") { + // Destination port range (8000-9000) + ports := strings.Split(port, "-") + startPortStr := ports[0] + endPortStr := ports[1] + startPortInt, err := strconv.Atoi(startPortStr) + if err != nil { + continue } + endPortInt, err := strconv.Atoi(endPortStr) + if err != nil { + continue + } + startPort := uint16(startPortInt) + endPort := uint16(endPortInt) + startPortBytes := make([]byte, 2) + endPortBytes := make([]byte, 2) + binary.BigEndian.PutUint16(startPortBytes, startPort) + binary.BigEndian.PutUint16(endPortBytes, endPort) + e = append(e, &expr.Range{ + Op: expr.CmpOpEq, + Register: 1, + FromData: startPortBytes, + ToData: endPortBytes, + }) } else { - rule = &nftables.Rule{ - Table: filterTable, - Chain: &nftables.Chain{Name: iptableFWDChain}, - Exprs: []expr.Any{ - // Match packets from source IP 2001:db8::1/128 - &expr.Payload{ - DestRegister: 1, - Base: expr.PayloadBaseNetworkHeader, - Offset: 8, // IPv6 Source IP offset - Len: 16, // IPv6 address length - }, - &expr.Cmp{ - Op: expr.CmpOpEq, - Register: 1, - Data: ip.To16(), // IPv6 source address - }, - // Match packets to destination IP 2001:db8::/64 using Bitwise operation - &expr.Payload{ - DestRegister: 1, - Base: expr.PayloadBaseNetworkHeader, - Offset: 24, // IPv6 Destination IP offset - Len: 16, // IPv6 address length - }, - 
// Apply a bitwise AND operation to match the subnet - &expr.Bitwise{ - SourceRegister: 1, - DestRegister: 1, - Len: 16, // Length of the IPv6 address - Mask: ingressInfo.Network6.Mask, // /64 subnet mask - Xor: []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, // No XOR - }, - &expr.Cmp{ - Op: expr.CmpOpEq, - Register: 1, - Data: ingressInfo.Network6.IP.To16(), // IPv6 destination network - }, - // Jump to the netmakerfilter chain - &expr.Verdict{ - Kind: expr.VerdictJump, - Chain: netmakerFilterChain, // Jump to the netmakerfilter chain - }, - }, - UserData: []byte(genRuleKey(ruleSpec...)), // Equivalent to the comment in iptables + portInt, err := strconv.Atoi(port) + if err != nil { + continue } + dport := uint16(portInt) + dPortBytes := make([]byte, 2) + binary.BigEndian.PutUint16(dPortBytes, dport) + e = append(e, &expr.Cmp{ + Register: 1, + Op: expr.CmpOpEq, + Data: dPortBytes, // Port in network byte order + }) } + } + e = append(e, ipTransPortHeader) - n.conn.InsertRule(rule) - if err := n.conn.Flush(); err != nil { - logger.Log(0, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error())) - } else { - ingressGwRoutes = append(ingressGwRoutes, ruleInfo{ - nfRule: rule, - table: defaultIpTable, - chain: iptableFWDChain, - rule: ruleSpec, - }) + return e +} + +func (n *nftablesManager) InsertIngressRoutingRules(server string, ingressInfo models.IngressInfo) error { + ruleTable := n.FetchRuleTable(server, ingressTable) + defer n.SaveRules(server, ingressTable, ruleTable) + n.mux.Lock() + defer n.mux.Unlock() + var ingressRules rulesCfg + var ok bool + ingressRules, ok = ruleTable[ingressInfo.IngressID] + if !ok { + ingressRules = rulesCfg{ + rulesMap: make(map[string][]ruleInfo), } } + ingressGwRoutes := []ruleInfo{} for _, rule := range ingressInfo.Rules { if !rule.Allow { continue } - ruleSpec := []string{"-s", rule.SrcIP.String(), "-d", - rule.DstIP.String(), "-j", "ACCEPT"} - n.deleteRule(defaultIpTable, netmakerFilterChain, 
genRuleKey(ruleSpec...)) + ruleSpec := []string{"-s", rule.SrcIP.String()} + if rule.AllowedProtocol.String() != "" { + ruleSpec = append(ruleSpec, "-p", rule.AllowedProtocol.String()) + } + if len(rule.AllowedPorts) > 0 { + ruleSpec = append(ruleSpec, "--dport", + strings.Join(rule.AllowedPorts, ",")) + } + ruleSpec = append(ruleSpec, "-j", "ACCEPT") ruleSpec = appendNetmakerCommentToRule(ruleSpec) + n.deleteRule(defaultIpTable, aclInputRulesChain, genRuleKey(ruleSpec...)) var nfRule *nftables.Rule if rule.SrcIP.IP.To4() != nil { - nfRule = &nftables.Rule{ - Table: filterTable, - Chain: &nftables.Chain{Name: netmakerFilterChain}, - Exprs: []expr.Any{ - // Match packets from source IP 100.59.157.252/32 - &expr.Payload{ - DestRegister: 1, - Base: expr.PayloadBaseNetworkHeader, - Offset: 12, // IPv4 Source IP offset - Len: 4, // IPv4 address size - }, - &expr.Cmp{ - Op: expr.CmpOpEq, - Register: 1, - Data: rule.SrcIP.IP.To4(), // IPv4 source address - }, - // Match packets to destination IP 100.59.157.250/32 - &expr.Payload{ - DestRegister: 1, - Base: expr.PayloadBaseNetworkHeader, - Offset: 16, // IPv4 Destination IP offset - Len: 4, // IPv4 address size - }, - &expr.Cmp{ - Op: expr.CmpOpEq, - Register: 1, - Data: rule.DstIP.IP.To4(), // IPv4 destination address - }, - // Accept the packet - &expr.Verdict{ - Kind: expr.VerdictAccept, // ACCEPT verdict - }, + e := []expr.Any{ + // Match packets from source IP 100.59.157.252/32 + &expr.Payload{ + DestRegister: 1, + Base: expr.PayloadBaseNetworkHeader, + Offset: 12, // IPv4 Source IP offset + Len: 4, // IPv4 address size + }, + &expr.Cmp{ + Op: expr.CmpOpEq, + Register: 1, + Data: rule.SrcIP.IP.To4(), // IPv4 source address + }, + // Match packets to destination IP 100.59.157.250/32 + &expr.Payload{ + DestRegister: 1, + Base: expr.PayloadBaseNetworkHeader, + Offset: 16, // IPv4 Destination IP offset + Len: 4, // IPv4 address size + }, + &expr.Cmp{ + Op: expr.CmpOpEq, + Register: 1, + Data: rule.DstIP.IP.To4(), // IPv4 
destination address }, + } + if rule.AllowedProtocol.String() != "" { + e = append(e, n.getExprForProto(rule.AllowedProtocol, true)...) + } + if len(rule.AllowedPorts) > 0 { + e = append(e, n.getExprForPort(rule.AllowedPorts)...) + } + e = append(e, // Accept the packet + &expr.Verdict{ + Kind: expr.VerdictAccept, // ACCEPT verdict + }) + nfRule = &nftables.Rule{ + Table: filterTable, + Chain: &nftables.Chain{Name: aclInputRulesChain}, + Exprs: e, UserData: []byte(genRuleKey(ruleSpec...)), // Equivalent to the comment in iptables } } else { - nfRule = &nftables.Rule{ - Table: filterTable, - Chain: &nftables.Chain{Name: netmakerFilterChain}, - Exprs: []expr.Any{ - // Match packets from source IP 2001:db8::1/128 - &expr.Payload{ - DestRegister: 1, - Base: expr.PayloadBaseNetworkHeader, - Offset: 8, // IPv6 Source IP offset - Len: 16, // IPv6 address length - }, - &expr.Cmp{ - Op: expr.CmpOpEq, - Register: 1, - Data: rule.SrcIP.IP.To16(), // IPv6 source address - }, - // Match packets to destination IP 2001:db8::2/128 - &expr.Payload{ - DestRegister: 1, - Base: expr.PayloadBaseNetworkHeader, - Offset: 24, // IPv6 Destination IP offset - Len: 16, // IPv6 address length - }, - &expr.Cmp{ - Op: expr.CmpOpEq, - Register: 1, - Data: rule.DstIP.IP.To16(), // IPv6 destination address - }, - // Accept the packet - &expr.Verdict{ - Kind: expr.VerdictAccept, // ACCEPT verdict - }, + e := []expr.Any{ + // Match packets from source IP 2001:db8::1/128 + &expr.Payload{ + DestRegister: 1, + Base: expr.PayloadBaseNetworkHeader, + Offset: 8, // IPv6 Source IP offset + Len: 16, // IPv6 address length + }, + &expr.Cmp{ + Op: expr.CmpOpEq, + Register: 1, + Data: rule.SrcIP.IP.To16(), // IPv6 source address + }, + // Match packets to destination IP 2001:db8::2/128 + &expr.Payload{ + DestRegister: 1, + Base: expr.PayloadBaseNetworkHeader, + Offset: 24, // IPv6 Destination IP offset + Len: 16, // IPv6 address length + }, + &expr.Cmp{ + Op: expr.CmpOpEq, + Register: 1, + Data: 
rule.DstIP.IP.To16(), // IPv6 destination address }, + } + if rule.AllowedProtocol.String() != "" { + e = append(e, n.getExprForProto(rule.AllowedProtocol, false)...) + } + if len(rule.AllowedPorts) > 0 { + e = append(e, n.getExprForPort(rule.AllowedPorts)...) + } + e = append(e, // Accept the packet + &expr.Verdict{ + Kind: expr.VerdictAccept, // ACCEPT verdict + }) + nfRule = &nftables.Rule{ + Table: filterTable, + Chain: &nftables.Chain{Name: netmakerFilterChain}, + Exprs: e, UserData: []byte(genRuleKey(ruleSpec...)), // Equivalent to the comment in iptables } } @@ -988,10 +901,11 @@ func (n *nftablesManager) InsertIngressRoutingRules(server string, ingressInfo m } else { ingressGwRoutes = append(ingressGwRoutes, ruleInfo{ table: defaultIpTable, - chain: netmakerFilterChain, + chain: aclInputRulesChain, rule: ruleSpec, }) } + } ingressRules.rulesMap[staticNodeRules] = ingressGwRoutes ingressRules.extraInfo = ingressInfo From ac9796ab12b4ad90b71b26a4cba9bf0f282264e4 Mon Sep 17 00:00:00 2001 From: abhishek9686 Date: Wed, 4 Dec 2024 12:30:33 +0400 Subject: [PATCH 11/24] update aclinput chain verdict --- firewall/nftables_linux.go | 40 ++++++++++++++++++++++++++++++++++---- 1 file changed, 36 insertions(+), 4 deletions(-) diff --git a/firewall/nftables_linux.go b/firewall/nftables_linux.go index b6a7272d..2e1f7efd 100644 --- a/firewall/nftables_linux.go +++ b/firewall/nftables_linux.go @@ -199,7 +199,7 @@ func (n *nftablesManager) CreateChains() error { n.deleteChain(defaultIpTable, netmakerFilterChain) n.deleteChain(defaultNatTable, netmakerNatChain) - + //defaultDropPolicy := nftables.ChainPolicyDrop defaultForwardPolicy := new(nftables.ChainPolicy) *defaultForwardPolicy = nftables.ChainPolicyAccept 
@@ -265,10 +265,12 @@ func (n *nftablesManager) CreateChains() error { Table: filterTable, } n.conn.AddChain(filterChain) - n.conn.AddChain(&nftables.Chain{ + + aclInChain := &nftables.Chain{ Name: aclInputRulesChain, Table: filterTable, - }) + } + n.conn.AddChain(aclInChain) n.conn.AddChain(&nftables.Chain{ Name: aclOutputRulesChain, Table: filterTable, @@ -925,4 +927,34 @@ func (n *nftablesManager) DeleteAclRule(server, aclID string) { } -func (n *nftablesManager) ChangeACLTarget(target string) {} +func (n *nftablesManager) ChangeACLTarget(target string) { + + v := &expr.Verdict{ + Kind: expr.VerdictAccept, + } + if target == targetDrop { + v = &expr.Verdict{ + Kind: expr.VerdictDrop, + } + } + r := &nftables.Rule{ + Table: filterTable, + Chain: &nftables.Chain{Name: aclInputRulesChain}, + Exprs: []expr.Any{ + &expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1}, + &expr.Cmp{ + Op: expr.CmpOpEq, + Register: 1, + Data: []byte(ncutils.GetInterfaceName() + "\x00"), + }, + &expr.Counter{}, + v, + }, + UserData: []byte(genRuleKey("-i", ncutils.GetInterfaceName(), "-j", target)), + } + n.conn.ReplaceRule(r) + // Apply the changes + if err := n.conn.Flush(); err != nil { + log.Fatalf("Error flushing changes: %v\n", err) + } +} From 394cbe73c5a6dbe8f61aec574ced590123233737 Mon Sep 17 00:00:00 2001 From: abhishek9686 Date: Wed, 4 Dec 2024 13:52:16 +0400 Subject: [PATCH 12/24] add input related, established jump rule --- firewall/nftables_linux.go | 49 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 47 insertions(+), 2 deletions(-) diff --git a/firewall/nftables_linux.go b/firewall/nftables_linux.go index 2e1f7efd..7c0eecb7 100644 --- a/firewall/nftables_linux.go +++ b/firewall/nftables_linux.go 
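Review bot: ChangeACLTarget issues `n.conn.ReplaceRule(r)` and `n.conn.Flush()` without holding `n.mux`, whereas InsertIngressRoutingRules and CreateChains lock it (`n.mux.Lock()` / `defer n.mux.Unlock()`) before touching the shared connection, so a target switch arriving while another rule batch is being staged can interleave with that batch. Add `n.mux.Lock()` and `defer n.mux.Unlock()` as the first two lines of the function. `log.Fatalf` on a failed flush also terminates the whole client on what may be a transient netlink error, leaving the interface up with whatever rules were already applied; log the error and return instead, as the other methods do with `logger.Log`. Note too that `r` is freshly built with no Handle set, so it is worth confirming that the nftables library can replace a rule by anything other than its kernel handle before relying on this path.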
@@ -85,6 +85,49 @@ var ( table: defaultIpTable, chain: iptableINChain, }, + { + nfRule: &nftables.Rule{ + Table: filterTable, + Chain: &nftables.Chain{Name: iptableINChain}, + Exprs: []expr.Any{ + // Match on input interface (-i netmaker) + &expr.Meta{ + Key: expr.MetaKeyIIFNAME, // Input interface name + Register: 1, // Store in register 1 + }, + &expr.Cmp{ + Op: expr.CmpOpEq, // Equals operation + Register: 1, // Compare register 1 + Data: []byte(ncutils.GetInterfaceName() + "\x00"), // Interface name "netmaker" (null-terminated string) + }, + // Match on conntrack state (-m conntrack --ctstate RELATED,ESTABLISHED) + &expr.Ct{ + Key: expr.CtKeySTATE, + Register: 1, + }, + &expr.Bitwise{ + SourceRegister: 1, // Use register 1 from Ct expression + DestRegister: 1, // Output to same register + Len: 4, // State length + Mask: []byte{0x06, 0x00, 0x00, 0x00}, // Mask for RELATED (2) and ESTABLISHED (4) + Xor: []byte{0x00, 0x00, 0x00, 0x00}, // No XOR + }, + &expr.Cmp{ + Op: expr.CmpOpNeq, // Check if the bitwise result is not zero + Register: 1, + Data: []byte{0x00, 0x00, 0x00, 0x00}, + }, + }, + UserData: []byte(genRuleKey("-i", ncutils.GetInterfaceName(), "-m", "conntrack", + "--ctstate", "ESTABLISHED,RELATED", "-m", "comment", + "--comment", netmakerSignature, "-j", "ACCEPT")), // Add comment + }, + rule: []string{"-i", ncutils.GetInterfaceName(), "-m", "conntrack", + "--ctstate", "ESTABLISHED,RELATED", "-m", "comment", + "--comment", netmakerSignature, "-j", "ACCEPT"}, + table: defaultIpTable, + chain: iptableINChain, + }, { nfRule: &nftables.Rule{ Table: filterTable, @@ -200,6 +243,7 @@ func (n *nftablesManager) CreateChains() error { n.deleteChain(defaultIpTable, netmakerFilterChain) n.deleteChain(defaultNatTable, netmakerNatChain) //defaultDropPolicy := nftables.ChainPolicyDrop + defaultAcceptPolicy := nftables.ChainPolicyAccept defaultForwardPolicy := new(nftables.ChainPolicy) *defaultForwardPolicy = nftables.ChainPolicyAccept 
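Review bot: The comment on the Bitwise mask in the new ESTABLISHED,RELATED rule has the bit values swapped — in netfilter's ct state bitmap ESTABLISHED is 0x2 and RELATED is 0x4 (INVALID 0x1, NEW 0x8), so the 0x06 mask is correct but the text should read `// Mask for ESTABLISHED (0x2) and RELATED (0x4)`. More importantly, the ct state register holds a native-endian u32, and the hard-coded `[]byte{0x06, 0x00, 0x00, 0x00}` only lines up with the state bits on little-endian hosts; on a big-endian build this rule would presumably never match and reply traffic on the interface would be left to the ACL chain's verdict. Prefer the library helpers, e.g. `Mask: binaryutil.NativeEndian.PutUint32(expr.CtStateBitESTABLISHED | expr.CtStateBitRELATED)` with `Xor: binaryutil.NativeEndian.PutUint32(0)` and the same for the Cmp's `Data` (import github.com/google/nftables/binaryutil), which also documents the intent without magic bytes. The `var (` block this rule lives in continues outside the hunk.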
@@ -272,8 +316,9 @@ func (n *nftablesManager) CreateChains() error { } n.conn.AddChain(aclInChain) n.conn.AddChain(&nftables.Chain{ - Name: aclOutputRulesChain, - Table: filterTable, + Name: aclOutputRulesChain, + Table: filterTable, + Policy: &defaultAcceptPolicy, }) natChain := &nftables.Chain{ Name: netmakerNatChain, From 634bf4e9aa2dca82bdf6a5ffa552f91e96e89733 Mon Sep 17 00:00:00 2001 From: abhishek9686 Date: Wed, 4 Dec 2024 13:53:07 +0400 Subject: [PATCH 13/24] add input related, established verdict accept --- firewall/nftables_linux.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/firewall/nftables_linux.go b/firewall/nftables_linux.go index 7c0eecb7..97ca18f4 100644 --- a/firewall/nftables_linux.go +++ b/firewall/nftables_linux.go @@ -117,6 +117,9 @@ var ( Register: 1, Data: []byte{0x00, 0x00, 0x00, 0x00}, }, + &expr.Verdict{ + Kind: expr.VerdictAccept, + }, }, UserData: []byte(genRuleKey("-i", ncutils.GetInterfaceName(), "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED", "-m", "comment", From 5d6904fb363112560de003ad5bd80f3a1c705d7c Mon Sep 17 00:00:00 2001 From: abhishek9686 Date: Wed, 4 Dec 2024 19:00:36 +0400 Subject: [PATCH 14/24] nftables check if rule exists --- firewall/firewall_nonlinux.go | 3 - firewall/iptables_linux.go | 65 ++------------ firewall/nftables_linux.go | 156 +++++++++++++++++++++++++++------- go.mod | 22 ++--- go.sum | 90 +++----------------- 5 files changed, 152 insertions(+), 184 deletions(-) diff --git a/firewall/firewall_nonlinux.go b/firewall/firewall_nonlinux.go index 007cbe3e..f03ce24a 100644 --- a/firewall/firewall_nonlinux.go +++ b/firewall/firewall_nonlinux.go 
@@ -50,9 +50,6 @@ func (unimplementedFirewall) FlushAll() { func (unimplementedFirewall) InsertEgressRoutingRules(server string, egressInfo models.EgressInfo) error { return nil } -func (unimplementedFirewall) AddEgressRoutingRule(server string, egressInfo models.EgressInfo, peerInfo models.PeerRouteInfo) error { - return nil -} func (unimplementedFirewall) DeleteRuleTable(server, ruleTableName string) { diff --git a/firewall/iptables_linux.go b/firewall/iptables_linux.go index b561d6c1..c119f9be 100644 --- a/firewall/iptables_linux.go +++ b/firewall/iptables_linux.go @@ -17,10 +17,10 @@ import ( // constants needed to manage and create iptable rules const ( - ipv6 = "ipv6" - ipv4 = "ipv4" - defaultIpTable = "filter" - netmakerFilterChain = "netmakerfilter" + ipv6 = "ipv6" + ipv4 = "ipv4" + defaultIpTable = "filter" + //netmakerFilterChain = "netmakerfilter" defaultNatTable = "nat" netmakerNatChain = "netmakernat" iptableFWDChain = "FORWARD" @@ -48,12 +48,7 @@ var ( chain: aclInputRulesChain, } dropRules = []ruleInfo{ - { - rule: []string{"-i", ncutils.GetInterfaceName(), "-m", "comment", - "--comment", netmakerSignature, "-j", "RETURN"}, - table: defaultIpTable, - chain: netmakerFilterChain, - }, + aclInChainDropRule, } 
@@ -235,18 +230,12 @@ func (i *iptablesManager) CreateChains() error { defer i.mux.Unlock() // remove jump rules i.removeJumpRules() - i.cleanup(defaultIpTable, netmakerFilterChain) i.cleanup(defaultNatTable, netmakerNatChain) i.clearNetmakerRules(defaultIpTable, iptableINChain) i.clearNetmakerRules(defaultIpTable, iptableFWDChain) //errMSGFormat := "iptables: failed creating %s chain %s,error: %v" - err := createChain(i.ipv4Client, defaultIpTable, netmakerFilterChain) - if err != nil { - logger.Log(1, "failed to create netmaker chain: ", err.Error()) - return err - } - err = createChain(i.ipv4Client, defaultNatTable, netmakerNatChain) + err := createChain(i.ipv4Client, defaultNatTable, netmakerNatChain) if err != nil { logger.Log(1, "failed to create netmaker chain: ", err.Error()) return err @@ -261,11 +250,7 @@ func (i *iptablesManager) CreateChains() error { logger.Log(1, "failed to create netmaker chain: ", err.Error()) return err } - err = createChain(i.ipv6Client, defaultIpTable, netmakerFilterChain) - if err != nil { - logger.Log(1, "failed to create netmaker chain: ", err.Error()) - return err - } + err = createChain(i.ipv6Client, defaultNatTable, netmakerNatChain) if err != nil { logger.Log(1, "failed to create netmaker chain: ", err.Error()) 
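Review bot: Removing `i.cleanup(defaultIpTable, netmakerFilterChain)` along with the chain's creation means a client upgraded from a build that still created `netmakerfilter` will keep that chain and any ACCEPT rules it holds; `removeJumpRules`/`clearNetmakerRules` presumably drop the jump into it, but nothing visible here flushes or deletes the chain itself. Keep a best-effort cleanup of the legacy chain in CreateChains for at least one release, e.g. `i.cleanup(defaultIpTable, "netmakerfilter") // legacy chain from pre-ACL builds`, so an in-place upgrade does not leave orphaned firewall state behind. CreateChains continues past the end of the hunk.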
@@ -511,41 +496,6 @@ func (i *iptablesManager) InsertIngressRoutingRules(server string, ingressInfo m return nil } -// iptablesManager.AddEgressRoutingRule - inserts iptable rule for gateway peer -func (i *iptablesManager) AddEgressRoutingRule(server string, egressInfo models.EgressInfo, - peer models.PeerRouteInfo) error { - if !peer.Allow { - return nil - } - ruleTable := i.FetchRuleTable(server, egressTable) - defer i.SaveRules(server, egressTable, ruleTable) - i.mux.Lock() - defer i.mux.Unlock() - iptablesClient := i.ipv4Client - - if !isAddrIpv4(egressInfo.EgressGwAddr.String()) { - iptablesClient = i.ipv6Client - } - - ruleSpec := []string{"-s", peer.PeerAddr.String(), "-d", strings.Join(egressInfo.EgressGWCfg.Ranges, ","), "-j", "ACCEPT"} - err := iptablesClient.Insert(defaultIpTable, netmakerFilterChain, 1, ruleSpec...) - if err != nil { - logger.Log(1, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error())) - } else { - - ruleTable[egressInfo.EgressID].rulesMap[peer.PeerKey] = []ruleInfo{ - { - table: defaultIpTable, - chain: netmakerFilterChain, - rule: ruleSpec, - }, - } - - } - - return nil -} - func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models.AclRule) { ruleTable := i.FetchRuleTable(server, aclTable) defer i.SaveRules(server, aclTable, ruleTable) @@ -982,7 +932,6 @@ func (i *iptablesManager) FlushAll() { i.clearNetmakerRules(defaultIpTable, iptableFWDChain) i.cleanup(defaultIpTable, aclInputRulesChain) i.cleanup(defaultIpTable, aclOutputRulesChain) - i.cleanup(defaultIpTable, netmakerFilterChain) i.cleanup(defaultNatTable, netmakerNatChain) } diff --git a/firewall/nftables_linux.go b/firewall/nftables_linux.go index 97ca18f4..39499681 100644 --- a/firewall/nftables_linux.go +++ b/firewall/nftables_linux.go 
@@ -235,18 +235,20 @@ func (n *nftablesManager) CreateChains() error { defer n.mux.Unlock() // remove jump rules n.removeJumpRules() - + n.conn.FlushTable(filterTable) + n.conn.FlushTable(natTable) + n.conn.Flush() n.conn.AddTable(filterTable) n.conn.AddTable(natTable) if err := n.conn.Flush(); err != nil { + fmt.Println("-==> HERE ERRROR: ", err) return err } - n.deleteChain(defaultIpTable, netmakerFilterChain) - n.deleteChain(defaultNatTable, netmakerNatChain) + // n.deleteChain(defaultNatTable, netmakerNatChain) //defaultDropPolicy := nftables.ChainPolicyDrop - defaultAcceptPolicy := nftables.ChainPolicyAccept + //defaultAcceptPolicy := nftables.ChainPolicyAccept defaultForwardPolicy := new(nftables.ChainPolicy) *defaultForwardPolicy = nftables.ChainPolicyAccept @@ -307,21 +309,15 @@ func (n *nftablesManager) CreateChains() error { Priority: nftables.ChainPriorityNATDest, }) - filterChain := &nftables.Chain{ - Name: netmakerFilterChain, - Table: filterTable, - } - n.conn.AddChain(filterChain) - aclInChain := &nftables.Chain{ Name: aclInputRulesChain, Table: filterTable, } n.conn.AddChain(aclInChain) n.conn.AddChain(&nftables.Chain{ - Name: aclOutputRulesChain, - Table: filterTable, - Policy: &defaultAcceptPolicy, + Name: aclOutputRulesChain, + Table: filterTable, + //Policy: &defaultAcceptPolicy, }) natChain := &nftables.Chain{ Name: netmakerNatChain, @@ -330,6 +326,7 @@ func (n *nftablesManager) CreateChains() error { n.conn.AddChain(natChain) if err := n.conn.Flush(); err != nil { + fmt.Println("===============> ERRORRRRR: ", err) return err } // add jump rules @@ -940,7 +937,7 @@ func (n *nftablesManager) InsertIngressRoutingRules(server string, ingressInfo m }) nfRule = &nftables.Rule{ Table: filterTable, - Chain: &nftables.Chain{Name: netmakerFilterChain}, + Chain: &nftables.Chain{Name: aclInputRulesChain}, Exprs: e, UserData: []byte(genRuleKey(ruleSpec...)), // Equivalent to the comment in iptables } 
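Review bot: `n.conn.FlushTable(filterTable)` and `n.conn.FlushTable(natTable)` empty every chain in those tables, and the `defaultIpTable = "filter"` / `defaultNatTable = "nat"` names used for them (see the iptables constants above) suggest these are the host's shared tables rather than netmaker-owned ones; if so, every client restart silently wipes rules that other tooling (a distro nftables.conf, firewalld, ufw, container runtimes) installed there, which is a far broader effect than the per-chain `deleteChain` calls this replaces. The result of the `n.conn.Flush()` that commits those flushes is also discarded, so a partial wipe would go unnoticed. Either scope the cleanup back to netmaker's own chains (the removed `n.deleteChain(defaultNatTable, netmakerNatChain)` plus the two ACL chains) or move netmaker's rules into a dedicated table whose flush cannot touch anyone else's policy. The `fmt.Println("-==> HERE ERRROR: ", err)` and `fmt.Println("===============> ERRORRRRR: ", err)` lines look like leftover debugging and write to stdout instead of going through `logger.Log` like the rest of the file.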
@@ -976,7 +973,8 @@ func (n *nftablesManager) DeleteAclRule(server, aclID string) { } func (n *nftablesManager) ChangeACLTarget(target string) { - + // check if rule exists with current target + fmt.Println("===> ACL TARGET ", target) v := &expr.Verdict{ Kind: expr.VerdictAccept, } 
@@ -985,24 +983,124 @@ func (n *nftablesManager) ChangeACLTarget(target string) { Kind: expr.VerdictDrop, } } - r := &nftables.Rule{ - Table: filterTable, - Chain: &nftables.Chain{Name: aclInputRulesChain}, - Exprs: []expr.Any{ - &expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1}, - &expr.Cmp{ - Op: expr.CmpOpEq, - Register: 1, - Data: []byte(ncutils.GetInterfaceName() + "\x00"), - }, - &expr.Counter{}, - v, + e := []expr.Any{ + &expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1}, + &expr.Cmp{ + Op: expr.CmpOpEq, + Register: 1, + Data: []byte(ncutils.GetInterfaceName() + "\x00"), }, + &expr.Counter{}, + v, + } + r := &nftables.Rule{ + Table: filterTable, + Chain: &nftables.Chain{Name: aclInputRulesChain}, + Exprs: e, UserData: []byte(genRuleKey("-i", ncutils.GetInterfaceName(), "-j", target)), } - n.conn.ReplaceRule(r) + if n.ruleExists(r) { + return + } + fmt.Println("===>CHANGING ACL TARGET ", target) + // delete old target and insert new rule + oldVerdict := &expr.Verdict{ + Kind: expr.VerdictAccept, + } + if target == targetAccept { + oldVerdict = &expr.Verdict{ + Kind: expr.VerdictDrop, + } + } + e[len(e)-1] = oldVerdict + r.Exprs = e + n.conn.DelRule(r) + e[len(e)-1] = v + r.Exprs = e + n.conn.InsertRule(r) // Apply the changes if err := n.conn.Flush(); err != nil { - log.Fatalf("Error flushing changes: %v\n", err) + logger.Log(0, "Error Changing ACL TArget: %v\n", err.Error()) + } +} + +func (n *nftablesManager) ruleExists(r *nftables.Rule) bool { + rules, err := n.conn.GetRules(r.Table, r.Chain) + if err != nil { + return false + } + for _, rule := range rules { + fmt.Printf("======> RULE: %+v\n", rule) + if rulesEqual(r, rule) { + return true + } + } + return false +} + +// rulesEqual checks if two rules are equivalent +func rulesEqual(rule1, rule2 *nftables.Rule) bool { + // Simplistic comparison: compare expressions (extend as needed) + if len(rule1.Exprs) != len(rule2.Exprs) { + return false + } + if string(rule1.UserData) == string(rule2.UserData) { + 
return true + } + //for i := range rule1.Exprs { + + // // Compare the expression bytes + // if !exprEqual(rule1.Exprs[i], rule2.Exprs[i]) { + // return false + // } + //} + + return false +} + +// exprEqual compares two nftables expressions +func exprEqual(e1, e2 expr.Any) bool { + // Use a type switch to compare expressions by type + switch ex1 := e1.(type) { + case *expr.Meta: + ex2, ok := e2.(*expr.Meta) + if !ok { + return false + } + return ex1.Key == ex2.Key && ex1.Register == ex2.Register + + case *expr.Cmp: + ex2, ok := e2.(*expr.Cmp) + if !ok { + return false + } + return ex1.Op == ex2.Op && ex1.Register == ex2.Register && string(ex1.Data) == string(ex2.Data) + + case *expr.Ct: + ex2, ok := e2.(*expr.Ct) + if !ok { + return false + } + return ex1.Key == ex2.Key && ex1.Register == ex2.Register + + case *expr.Bitwise: + ex2, ok := e2.(*expr.Bitwise) + if !ok { + return false + } + return ex1.SourceRegister == ex2.SourceRegister && + ex1.DestRegister == ex2.DestRegister && + ex1.Len == ex2.Len && + string(ex1.Mask) == string(ex2.Mask) && + string(ex1.Xor) == string(ex2.Xor) + case *expr.Verdict: + ex2, ok := e2.(*expr.Verdict) + if !ok { + return false + } + return ex1.Kind == ex2.Kind && ex1.Chain == ex2.Chain + default: + // Unknown or unsupported expression type + return false } } diff --git a/go.mod b/go.mod index b167e3ad..f4643387 100644 --- a/go.mod +++ b/go.mod @@ -27,11 +27,11 @@ require ( github.com/spf13/viper v1.19.0 github.com/stretchr/testify v1.9.0 github.com/vishvananda/netlink v1.3.0 - golang.org/x/crypto v0.28.0 + golang.org/x/crypto v0.29.0 golang.org/x/exp v0.0.0-20230905200255-921286631fa9 - golang.org/x/net v0.30.0 - golang.org/x/sys v0.26.0 - golang.org/x/term v0.25.0 + golang.org/x/net v0.31.0 + golang.org/x/sys v0.27.0 + golang.org/x/term v0.26.0 golang.zx2c4.com/wireguard v0.0.0-20220920152132-bb719d3a6e2c golang.zx2c4.com/wireguard/wgctrl v0.0.0-20221104135756-97bc4ad4a1cb golang.zx2c4.com/wireguard/windows v0.5.3 
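Review bot: The error from `n.conn.DelRule(r)` is discarded and `r` is a locally built rule with no Handle, so the old verdict rule is very likely never removed (the nftables library deletes by kernel handle, and only the rules returned from `n.conn.GetRules` carry one); each target flip then leaves the previous accept/drop rule in aclInputRulesChain, and correctness rests solely on InsertRule placing the new rule ahead of the stale one. The rule's UserData also still encodes the new target when the delete is attempted, so even a UserData-based lookup of the old rule would miss it. Resolve the old rule through GetRules, delete it by its handle and check the result, as sketched below. Separately, the `fmt.Println` / `fmt.Printf("======> RULE: %+v\n", rule)` calls look like leftover debugging that dumps every rule in the chain to stdout on each call, `exprEqual` is now unused because the comparison loop in rulesEqual is commented out, and `logger.Log(0, "Error Changing ACL TArget: %v\n", err.Error())` passes a format verb to what is used elsewhere in this file as a plain string-joining logger, so `%v` will print literally.
```go
// … unchanged: build e and r for the new target, ruleExists early return …
oldTarget := targetDrop
if target == targetDrop {
	oldTarget = targetAccept
}
oldKey := genRuleKey("-i", ncutils.GetInterfaceName(), "-j", oldTarget)
// DelRule needs the kernel handle; look the old rule up instead of deleting a local copy.
if rules, err := n.conn.GetRules(filterTable, &nftables.Chain{Name: aclInputRulesChain}); err == nil {
	for _, kr := range rules {
		if string(kr.UserData) == oldKey {
			if err := n.conn.DelRule(kr); err != nil {
				logger.Log(0, "failed to delete old acl target rule: ", err.Error())
			}
		}
	}
} else {
	logger.Log(0, "failed to list acl chain rules: ", err.Error())
}
n.conn.InsertRule(r)
// … unchanged: Flush and error logging …
```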
@@ -42,27 +42,21 @@ require ( require ( aead.dev/minisign v0.2.0 // indirect - cloud.google.com/go/compute/metadata v0.3.0 // indirect - filippo.io/edwards25519 v1.1.0 // indirect github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect github.com/Microsoft/go-winio v0.6.1 // indirect - github.com/coreos/go-oidc/v3 v3.9.0 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/docker/distribution v2.8.1+incompatible // indirect github.com/docker/docker v23.0.5+incompatible // indirect github.com/docker/go-connections v0.4.0 // indirect github.com/docker/go-units v0.5.0 // indirect - github.com/felixge/httpsnoop v1.0.4 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect github.com/gabriel-vasile/mimetype v1.4.3 // indirect - github.com/go-jose/go-jose/v3 v3.0.3 // indirect github.com/go-playground/locales v0.14.1 // indirect github.com/go-playground/universal-translator v0.18.1 // indirect github.com/go-playground/validator/v10 v10.22.1 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/google/go-cmp v0.6.0 // indirect github.com/goombaio/namegenerator v0.0.0-20181006234301-989e774b106e // indirect - github.com/gorilla/handlers v1.5.2 // indirect github.com/gorilla/mux v1.8.1 // indirect github.com/hashicorp/hcl v1.0.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect @@ -90,7 +84,6 @@ require ( github.com/sagikazarmark/slog-shim v0.1.0 // indirect github.com/seancfoley/bintree v1.3.1 // indirect github.com/seancfoley/ipaddress-go v1.7.0 // indirect - github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e // indirect github.com/sourcegraph/conc v0.3.0 // indirect github.com/spf13/afero v1.11.0 // indirect github.com/spf13/cast v1.6.0 // indirect 
@@ -101,13 +94,10 @@ require ( go.uber.org/atomic v1.9.0 // indirect go.uber.org/multierr v1.9.0 // indirect golang.org/x/mod v0.18.0 // indirect - golang.org/x/oauth2 v0.23.0 // indirect - golang.org/x/sync v0.8.0 // indirect - golang.org/x/text v0.19.0 // indirect + golang.org/x/sync v0.9.0 // indirect + golang.org/x/text v0.20.0 // indirect golang.org/x/tools v0.22.0 // indirect golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect - gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect gopkg.in/ini.v1 v1.67.0 // indirect - gopkg.in/mail.v2 v2.3.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect ) diff --git a/go.sum b/go.sum index e3afe78d..a7e481cd 100644 --- a/go.sum +++ b/go.sum @@ -1,11 +1,5 @@ aead.dev/minisign v0.2.0 h1:kAWrq/hBRu4AARY6AlciO83xhNnW9UaC8YipS2uhLPk= aead.dev/minisign v0.2.0/go.mod h1:zdq6LdSd9TbuSxchxwhpA9zEb9YXcVGoE8JakuiGaIQ= -cloud.google.com/go v0.112.1 h1:uJSeirPke5UNZHIb4SxfZklVSiWWVqW4oXlETwZziwM= -cloud.google.com/go/compute v1.24.0 h1:phWcR2eWzRJaL/kOiJwfFsPs4BaKq1j6vnpZrc1YlVg= -cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc= -cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= -filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= -filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= 
@@ -16,8 +10,6 @@ github.com/c-robinson/iplib v1.0.8 h1:exDRViDyL9UBLcfmlxxkY5odWX5092nPsQIykHXhIn github.com/c-robinson/iplib v1.0.8/go.mod h1:i3LuuFL1hRT5gFpBRnEydzw8R6yhGkF4szNDIbF8pgo= github.com/coreos/go-iptables v0.8.0 h1:MPc2P89IhuVpLI7ETL/2tx3XZ61VeICZjYqDEgNsPRc= github.com/coreos/go-iptables v0.8.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q= -github.com/coreos/go-oidc/v3 v3.9.0 h1:0J/ogVOd4y8P0f0xUh8l9t07xRP/d8tccvjHl2dcsSo= -github.com/coreos/go-oidc/v3 v3.9.0/go.mod h1:rTKz2PYwftcrtoCzV5g5kvfJoWcm0Mk8AF8y1iAQro4= github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -36,8 +28,6 @@ github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/eclipse/paho.mqtt.golang v1.4.3 h1:2kwcUGn8seMUfWndX0hGbvH8r7crgcJguQNCyp70xik= github.com/eclipse/paho.mqtt.golang v1.4.3/go.mod h1:CSYvoAlsMkhYOXh/oKyxa8EcBci6dVkLCbo5tTC1RIE= -github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= -github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= 
@@ -46,8 +36,6 @@ github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uq github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk= github.com/glendc/go-external-ip v0.1.0 h1:iX3xQ2Q26atAmLTbd++nUce2P5ht5P4uD4V7caSY/xg= github.com/glendc/go-external-ip v0.1.0/go.mod h1:CNx312s2FLAJoWNdJWZ2Fpf5O4oLsMFwuYviHjS4uJE= -github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k= -github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= github.com/go-ping/ping v1.1.0 h1:3MCGhVX4fyEUuhsfwPrsEdQw6xspHkv5zHsiSoDFZYw= github.com/go-ping/ping v1.1.0/go.mod h1:xIFjORFzTxqIV/tDVGO4eDy/bLuSyawEeojSm3GfRGk= github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s= @@ -64,7 +52,6 @@ github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOW github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= -github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/nftables v0.2.0 h1:PbJwaBmbVLzpeldoeUKGkE2RjstrjPKMl6oLrfEJ6/8= 
@@ -76,30 +63,10 @@ github.com/goombaio/namegenerator v0.0.0-20181006234301-989e774b106e h1:XmA6L9IP github.com/goombaio/namegenerator v0.0.0-20181006234301-989e774b106e/go.mod h1:AFIo+02s+12CEg8Gzz9kzhCbmbq6JcKNrhHffCGA9z4= github.com/gopherjs/gopherjs v1.17.2 h1:fQnZVsXk8uxXIStYb0N4bGk7jeyTalG/wsZjQ25dO0g= github.com/gopherjs/gopherjs v1.17.2/go.mod h1:pRRIvn/QzFLrKfvEz3qUuEhtE/zLCWfreZ6J5gM2i+k= -github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE= -github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg= github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= -github.com/gravitl/netmaker v0.26.0 h1:XzIv/7fSsH4taHWBk9cERg8G2IvW14AIkXOKJXAQl1c= -github.com/gravitl/netmaker v0.26.0/go.mod h1:J5tvCRmUXFnv3qmmgrGZTmj0GLst+W0kHqUjgtr+G9M= -github.com/gravitl/netmaker v0.26.1-0.20241118144836-81e5d8673d2a h1:uJdJTEjcELQkqVFif4Tuiqr3uS/AVhU1H1h7CJpKXd8= -github.com/gravitl/netmaker v0.26.1-0.20241118144836-81e5d8673d2a/go.mod h1:J5tvCRmUXFnv3qmmgrGZTmj0GLst+W0kHqUjgtr+G9M= -github.com/gravitl/netmaker v0.26.1-0.20241120085704-031a0c14aceb h1:Kc9bOl7hzFlbxftOIph6mx7KqWCwLOBwJwfKes9PWH4= -github.com/gravitl/netmaker v0.26.1-0.20241120085704-031a0c14aceb/go.mod h1:J5tvCRmUXFnv3qmmgrGZTmj0GLst+W0kHqUjgtr+G9M= -github.com/gravitl/netmaker v0.26.1-0.20241120090954-f5145745ee62 h1:UHm/PPU88fgKp3dC6I+d8xKeQW7l23E7CjkOV6iZZNA= -github.com/gravitl/netmaker v0.26.1-0.20241120090954-f5145745ee62/go.mod h1:J5tvCRmUXFnv3qmmgrGZTmj0GLst+W0kHqUjgtr+G9M= -github.com/gravitl/netmaker v0.26.1-0.20241125073154-376d7c021b16 h1:PKvsBscOQJwx8rGow3xcu9ISEvOsxZgSiRIOvrtyAlk= -github.com/gravitl/netmaker v0.26.1-0.20241125073154-376d7c021b16/go.mod 
h1:J5tvCRmUXFnv3qmmgrGZTmj0GLst+W0kHqUjgtr+G9M= -github.com/gravitl/netmaker v0.26.1-0.20241126070511-a11bbd932376 h1:vZAuYlFLhQLYS6siPFW1A1hgQvEERZ0iIUE9mUpU2fg= -github.com/gravitl/netmaker v0.26.1-0.20241126070511-a11bbd932376/go.mod h1:J5tvCRmUXFnv3qmmgrGZTmj0GLst+W0kHqUjgtr+G9M= -github.com/gravitl/netmaker v0.26.1-0.20241128033555-52f6529ac252 h1:iUR0pdfUwmlTLZyDC5LXJ580oo2JntaOzz5NDxCkzZU= -github.com/gravitl/netmaker v0.26.1-0.20241128033555-52f6529ac252/go.mod h1:J5tvCRmUXFnv3qmmgrGZTmj0GLst+W0kHqUjgtr+G9M= -github.com/gravitl/netmaker v0.26.1-0.20241128044908-a91bf8184ca1 h1:ZosmoHGzZON+1mi8s+PvDwW/OWbIinkomHFKMFTiL1s= -github.com/gravitl/netmaker v0.26.1-0.20241128044908-a91bf8184ca1/go.mod h1:J5tvCRmUXFnv3qmmgrGZTmj0GLst+W0kHqUjgtr+G9M= -github.com/gravitl/netmaker v0.26.1-0.20241128115930-a3cfeccd1f62 h1:ruM4W2Jh0vxL54LEauD9vrnj5xPhUHvy8mgzFtz9B3g= -github.com/gravitl/netmaker v0.26.1-0.20241128115930-a3cfeccd1f62/go.mod h1:J5tvCRmUXFnv3qmmgrGZTmj0GLst+W0kHqUjgtr+G9M= github.com/gravitl/netmaker v0.26.1-0.20241202121011-e2265eafc760 h1:HhPzhshmk3q75zmvoyOHArW3kFYcbGG/+nEBgrQuuRQ= github.com/gravitl/netmaker v0.26.1-0.20241202121011-e2265eafc760/go.mod h1:J5tvCRmUXFnv3qmmgrGZTmj0GLst+W0kHqUjgtr+G9M= github.com/gravitl/tcping v0.1.2-0.20230801110928-546055ebde06 h1:g2fBXRNT9eiQohyHcoME3SVmeG7OKoJPWrs7A+009kU= 
@@ -190,8 +157,6 @@ github.com/seancfoley/bintree v1.3.1 h1:cqmmQK7Jm4aw8gna0bP+huu5leVOgHGSJBEpUx3E github.com/seancfoley/bintree v1.3.1/go.mod h1:hIUabL8OFYyFVTQ6azeajbopogQc2l5C/hiXMcemWNU= github.com/seancfoley/ipaddress-go v1.7.0 h1:vWp3SR3k+HkV3aKiNO2vEe6xbVxS0x/Ixw6hgyP238s= github.com/seancfoley/ipaddress-go v1.7.0/go.mod h1:TQRZgv+9jdvzHmKoPGBMxyiaVmoI0rYpfEk8Q/sL/Iw= -github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e h1:MRM5ITcdelLK2j1vwZ3Je0FKVCfqOLp5zO6trqMLYs0= -github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e/go.mod h1:XV66xRDqSt+GTGFMVlhk3ULuV0y9ZmzeVGR4mloJI3M= github.com/smarty/assertions v1.15.0 h1:cR//PqUBUiQRakZWqBiFFQ9wb8emQGDb0HeGdqGByCY= github.com/smarty/assertions v1.15.0/go.mod h1:yABtdzeQs6l1brC900WlRNwj6ZR55d7B+E8C6HtKdec= github.com/smartystreets/goconvey v1.8.1 h1:qGjIddxOk4grTu9JPOU31tVfq3cNdBlNa5sSznIX1xY= @@ -213,7 +178,6 @@ github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSS github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= 
@@ -229,7 +193,6 @@ github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1Y github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE= go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/multierr v1.9.0 h1:7fIwc/ZtS0q++VgcfqFDxSBZVv/Xo49/SYnDFupUwlI= 
@@ -238,43 +201,31 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= -golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211209193657-4570a0811e8b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= -golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw= -golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U= +golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ= +golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg= golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g= golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0= golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= -golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4= -golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU= -golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs= -golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= +golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo= +golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod 
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= -golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ= +golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -288,40 +239,27 @@ golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= -golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s= +golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= -golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= -golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= -golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24= 
-golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M= +golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU= +golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= -golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= -golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= -golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug= +golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA= golang.org/x/tools v0.22.0/go.mod 
h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -336,15 +274,11 @@ golang.zx2c4.com/wireguard/wgctrl v0.0.0-20221104135756-97bc4ad4a1cb h1:9aqVcYED golang.zx2c4.com/wireguard/wgctrl v0.0.0-20221104135756-97bc4ad4a1cb/go.mod h1:mQqgjkW8GQQcJQsbBvK890TKqUK1DfKWkuBGbOkuMHQ= golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE= golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI= -gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc h1:2gGKlE2+asNV9m7xrywl36YYNnBG5ZQ0r/BOOxqPpmk= -gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc/go.mod h1:m7x9LTH6d71AHyAX77c9yqWCCa3UKHcVEj9y7hAtKDk= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= -gopkg.in/mail.v2 v2.3.1 h1:WYFn/oANrAGP2C0dcV6/pbkPzv8yGzqTjPmTeO7qoXk= -gopkg.in/mail.v2 v2.3.1/go.mod h1:htwXN1Qh09vZJ1NVKxQqHPBaCBbzKhp5GzuJEA4VJWw= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= From cb5f152d91d37131ce44c5755cc5c0f2c31e2c35 Mon Sep 17 00:00:00 2001 From: abhishek9686 Date: Wed, 4 Dec 2024 19:06:58 +0400 Subject: [PATCH 15/24] add established rule on top --- firewall/iptables_linux.go | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
diff --git a/firewall/iptables_linux.go b/firewall/iptables_linux.go index 5b51e54a..2ddfd651 100644 --- a/firewall/iptables_linux.go +++ b/firewall/iptables_linux.go @@ -59,6 +59,14 @@ var ( // filter table netmaker jump rules filterNmJumpRules = []ruleInfo{ + //iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT + { + rule: []string{"-i", ncutils.GetInterfaceName(), "-m", "conntrack", + "--ctstate", "ESTABLISHED,RELATED", "-m", "comment", + "--comment", netmakerSignature, "-j", "ACCEPT"}, + table: defaultIpTable, + chain: iptableINChain, + }, { rule: []string{"-i", ncutils.GetInterfaceName(), "-j", aclInputRulesChain, "-m", "comment", "--comment", netmakerSignature}, @@ -83,14 +91,6 @@ var ( table: defaultIpTable, chain: aclOutputRulesChain, }, - //iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT - { - rule: []string{"-i", ncutils.GetInterfaceName(), "-m", "conntrack", - "--ctstate", "ESTABLISHED,RELATED", "-m", "comment", - "--comment", netmakerSignature, "-j", "ACCEPT"}, - table: defaultIpTable, - chain: iptableINChain, - }, } // nat table nm jump rules natNmJumpRules = []ruleInfo{ From 22ab3cfa3fa86b6b9d985f8ff664708659c2ae4f Mon Sep 17 00:00:00 2001 From: abhishek9686 Date: Wed, 4 Dec 2024 23:37:33 +0400 Subject: [PATCH 16/24] fix nftables change target --- firewall/nftables_linux.go | 192 ++++++++++++++++++------------------- 1 file changed, 93 insertions(+), 99 deletions(-) diff --git a/firewall/nftables_linux.go b/firewall/nftables_linux.go index 39499681..57c32f05 100644 --- a/firewall/nftables_linux.go +++ b/firewall/nftables_linux.go 
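Review bot: Placing the conntrack ESTABLISHED,RELATED accept ahead of the jump to aclInputRulesChain means packets of an already-admitted flow never reach the ACL chain again, so a later ChangeACLTarget(targetDrop) or DeleteAclRule does not cut an existing connection until its conntrack entry expires; that trade-off deserves a comment on the new entry and, if it is not intended, a conntrack flush when policy tightens. The same reordering is applied to nfFilterJumpRules in the following commit's nftables_linux.go hunks. The inline comment `//iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` omits the interface match the rule actually carries; `//iptables -A INPUT -i <interface> -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` would describe it accurately. Whether slice position is the chain insertion order is not visible in this hunk, so that assumption should be stated on filterNmJumpRules, since the whole fix relies on it.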
@@ -62,29 +62,6 @@ var ( }, } nfFilterJumpRules = []ruleInfo{ - { - nfRule: &nftables.Rule{ - Table: filterTable, - Chain: &nftables.Chain{Name: iptableINChain}, - Exprs: []expr.Any{ - &expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1}, - &expr.Cmp{ - Op: expr.CmpOpEq, - Register: 1, - Data: []byte(ncutils.GetInterfaceName() + "\x00"), - }, - &expr.Counter{}, - &expr.Verdict{ - Kind: expr.VerdictJump, - Chain: aclInputRulesChain, - }, - }, - UserData: []byte(genRuleKey("-i", ncutils.GetInterfaceName(), "-j", aclInputRulesChain)), - }, - rule: []string{"-i", ncutils.GetInterfaceName(), "-j", aclInputRulesChain}, - table: defaultIpTable, - chain: iptableINChain, - }, { nfRule: &nftables.Rule{ Table: filterTable, @@ -131,6 +108,30 @@ var ( table: defaultIpTable, chain: iptableINChain, }, + { + + nfRule: &nftables.Rule{ + Table: filterTable, + Chain: &nftables.Chain{Name: iptableINChain}, + Exprs: []expr.Any{ + &expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1}, + &expr.Cmp{ + Op: expr.CmpOpEq, + Register: 1, + Data: []byte(ncutils.GetInterfaceName() + "\x00"), + }, + &expr.Counter{}, + &expr.Verdict{ + Kind: expr.VerdictJump, + Chain: aclInputRulesChain, + }, + }, + UserData: []byte(genRuleKey("-i", ncutils.GetInterfaceName(), "-j", aclInputRulesChain)), + }, + rule: []string{"-i", ncutils.GetInterfaceName(), "-j", aclInputRulesChain}, + table: defaultIpTable, + chain: iptableINChain, + }, { nfRule: &nftables.Rule{ Table: filterTable, 
@@ -177,6 +178,28 @@ var ( table: defaultIpTable, chain: iptableFWDChain, }, + { + nfRule: &nftables.Rule{ + Table: filterTable, + Chain: &nftables.Chain{Name: aclOutputRulesChain}, + Exprs: []expr.Any{ + &expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1}, + &expr.Cmp{ + Op: expr.CmpOpEq, + Register: 1, + Data: []byte(ncutils.GetInterfaceName() + "\x00"), + }, + &expr.Counter{}, + &expr.Verdict{ + Kind: expr.VerdictAccept, + }, + }, + UserData: []byte(genRuleKey("-o", ncutils.GetInterfaceName(), "-j", targetAccept)), + }, + rule: []string{"-o", ncutils.GetInterfaceName(), "-j", targetAccept}, + table: defaultIpTable, + chain: aclOutputRulesChain, + }, } // nat table nm jump rules nfNatJumpRules = []ruleInfo{ @@ -317,7 +340,6 @@ func (n *nftablesManager) CreateChains() error { n.conn.AddChain(&nftables.Chain{ Name: aclOutputRulesChain, Table: filterTable, - //Policy: &defaultAcceptPolicy, }) natChain := &nftables.Chain{ Name: netmakerNatChain, @@ -983,23 +1005,23 @@ func (n *nftablesManager) ChangeACLTarget(target string) { Kind: expr.VerdictDrop, } } - e := []expr.Any{ - &expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1}, - &expr.Cmp{ - Op: expr.CmpOpEq, - Register: 1, - Data: []byte(ncutils.GetInterfaceName() + "\x00"), + + newRule := &nftables.Rule{ + Table: filterTable, + Chain: &nftables.Chain{Name: aclInputRulesChain}, + Exprs: []expr.Any{ + &expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1}, + &expr.Cmp{ + Op: expr.CmpOpEq, + Register: 1, + Data: []byte(ncutils.GetInterfaceName() + "\x00"), + }, + &expr.Counter{}, + v, }, - &expr.Counter{}, - v, - } - r := &nftables.Rule{ - Table: filterTable, - Chain: &nftables.Chain{Name: aclInputRulesChain}, - Exprs: e, UserData: []byte(genRuleKey("-i", ncutils.GetInterfaceName(), "-j", target)), } - if n.ruleExists(r) { + if n.ruleExists(newRule) { return } fmt.Println("===>CHANGING ACL TARGET ", target) 
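Review bot: The new nfFilterJumpRules entry accepts every packet leaving the Netmaker interface (`-o <interface> -j ACCEPT` in aclOutputRulesChain) with no source or destination match, so egress through that interface is effectively unfiltered and any finer-grained rule that lands after it in the same chain is shadowed. If the design is that ACLs are enforced only on the receiving peer, a comment on this entry should say so, e.g. `// egress is not filtered here: ACLs are enforced by the receiving peer's input chain`. Otherwise the entry needs the same protocol/port/peer matching that AddAclRules applies on the input side.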
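Review bot: `fmt.Println("===>CHANGING ACL TARGET ", target)` in the ChangeACLTarget hunk looks like a leftover debug print; it bypasses the logger the rest of the function uses and writes to stdout on every target change. `logger.Log(0, "changing acl target to ", target)` keeps it in the normal log stream. ChangeACLTarget continues in the next hunk.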
@@ -1007,17 +1029,44 @@ func (n *nftablesManager) ChangeACLTarget(target string) { oldVerdict := &expr.Verdict{ Kind: expr.VerdictAccept, } + oldTarget := targetAccept if target == targetAccept { oldVerdict = &expr.Verdict{ Kind: expr.VerdictDrop, } + oldTarget = targetDrop + } + oldRule := &nftables.Rule{ + Table: filterTable, + Chain: &nftables.Chain{Name: aclInputRulesChain}, + Exprs: []expr.Any{ + &expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1}, + &expr.Cmp{ + Op: expr.CmpOpEq, + Register: 1, + Data: []byte(ncutils.GetInterfaceName() + "\x00"), + }, + &expr.Counter{}, + oldVerdict, + }, + UserData: []byte(genRuleKey("-i", ncutils.GetInterfaceName(), "-j", oldTarget)), + } + rules, err := n.conn.GetRules(newRule.Table, newRule.Chain) + if err != nil { + log.Fatalf("Error fetching rules: %v", err) + } + for _, rI := range rules { + if rulesEqual(rI, oldRule) { + logger.Log(0, "DELETING OLD TARGET ", oldTarget) + err = n.conn.DelRule(rI) + if err != nil { + logger.Log(0, "failed to delete old target ", err.Error()) + } + break + } } - e[len(e)-1] = oldVerdict - r.Exprs = e - n.conn.DelRule(r) - e[len(e)-1] = v - r.Exprs = e - n.conn.InsertRule(r) + + n.conn.InsertRule(newRule) // Apply the changes if err := n.conn.Flush(); err != nil { logger.Log(0, "Error Changing ACL TArget: %v\n", err.Error()) 
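Review bot: `log.Fatalf("Error fetching rules: %v", err)` after `n.conn.GetRules` terminates the whole client process on a transient netlink read error, while every other failure in this function is logged and tolerated. Replace it with `logger.Log(0, "failed to fetch rules: ", err.Error())` followed by `return`, so a failed read leaves the current target untouched instead of killing the process. Note also that `n.conn.InsertRule(newRule)` runs even when `n.conn.DelRule(rI)` reported an error, which leaves both a DROP and an ACCEPT catch-all in aclInputRulesChain; since InsertRule prepends when no Position is set the new one should win, but that ordering dependency deserves a comment, or the function should return on the delete error. ChangeACLTarget begins in the previous hunk.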
@@ -1040,67 +1089,12 @@ func (n *nftablesManager) ruleExists(r *nftables.Rule) bool { // rulesEqual checks if two rules are equivalent func rulesEqual(rule1, rule2 *nftables.Rule) bool { - // Simplistic comparison: compare expressions (extend as needed) if len(rule1.Exprs) != len(rule2.Exprs) { return false } if string(rule1.UserData) == string(rule2.UserData) { return true } - //for i := range rule1.Exprs { - - // // Compare the expression bytes - // if !exprEqual(rule1.Exprs[i], rule2.Exprs[i]) { - // return false - // } - //} return false } - -// exprEqual compares two nftables expressions -func exprEqual(e1, e2 expr.Any) bool { - // Use a type switch to compare expressions by type - switch ex1 := e1.(type) { - case *expr.Meta: - ex2, ok := e2.(*expr.Meta) - if !ok { - return false - } - return ex1.Key == ex2.Key && ex1.Register == ex2.Register - - case *expr.Cmp: - ex2, ok := e2.(*expr.Cmp) - if !ok { - return false - } - return ex1.Op == ex2.Op && ex1.Register == ex2.Register && string(ex1.Data) == string(ex2.Data) - - case *expr.Ct: - ex2, ok := e2.(*expr.Ct) - if !ok { - return false - } - return ex1.Key == ex2.Key && ex1.Register == ex2.Register - - case *expr.Bitwise: - ex2, ok := e2.(*expr.Bitwise) - if !ok { - return false - } - return ex1.SourceRegister == ex2.SourceRegister && - ex1.DestRegister == ex2.DestRegister && - ex1.Len == ex2.Len && - string(ex1.Mask) == string(ex2.Mask) && - string(ex1.Xor) == string(ex2.Xor) - case *expr.Verdict: - ex2, ok := e2.(*expr.Verdict) - if !ok { - return false - } - return ex1.Kind == ex2.Kind && ex1.Chain == ex2.Chain - default: - // Unknown or unsupported expression type - return false - } -} From c42b30abd34f423de9873526f795462601bcc61b Mon Sep 17 00:00:00 2001 From: abhishek9686 Date: Thu, 5 Dec 2024 00:36:28 +0400 Subject: [PATCH 17/24] add acls funcs for nftables --- firewall/nftables_linux.go | 331 ++++++++++++++++++++++++++++++++++++- 1 file changed, 327 insertions(+), 4 deletions(-) 
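Review bot: rulesEqual now reduces to a UserData comparison gated only by expression count, so two rules that both carry empty UserData and happen to have the same number of expressions compare equal, and a caller such as ruleExists (not visible here) would then treat an unrelated, non-Netmaker rule in the same chain as a match. Guard that case first, `if len(rule1.UserData) == 0 || len(rule2.UserData) == 0 { return false }`, after which the body is the single expression `return len(rule1.Exprs) == len(rule2.Exprs) && string(rule1.UserData) == string(rule2.UserData)`. The doc comment `// rulesEqual checks if two rules are equivalent` should state that equivalence is by the genRuleKey stored in UserData rather than by expression contents, since a reader of the name will assume the latter.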
diff --git a/firewall/nftables_linux.go b/firewall/nftables_linux.go index 57c32f05..6817eb84 100644 --- a/firewall/nftables_linux.go +++ b/firewall/nftables_linux.go @@ -5,6 +5,7 @@ import ( "errors" "fmt" "log" + "net" "strconv" "strings" "sync" @@ -969,9 +970,10 @@ func (n *nftablesManager) InsertIngressRoutingRules(server string, ingressInfo m logger.Log(0, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error())) } else { ingressGwRoutes = append(ingressGwRoutes, ruleInfo{ - table: defaultIpTable, - chain: aclInputRulesChain, - rule: ruleSpec, + nfRule: nfRule, + table: defaultIpTable, + chain: aclInputRulesChain, + rule: ruleSpec, }) } 
@@ -981,17 +983,338 @@ func (n *nftablesManager) InsertIngressRoutingRules(server string, ingressInfo m ruleTable[ingressInfo.IngressID] = ingressRules return nil } +func (n *nftablesManager) GetSrcIpsExpr(ips []net.IPNet, isIpv4 bool) []expr.Any { + var e []expr.Any + if isIpv4 { + for _, ip := range ips { + // Match first source IP + e = append(e, + &expr.Payload{ + DestRegister: 1, + Base: expr.PayloadBaseNetworkHeader, + Offset: 12, // Source IP offset in IPv4 header + Len: 4, // IPv4 address length + }, + &expr.Bitwise{ + SourceRegister: 1, + DestRegister: 1, + Len: 4, + Mask: ip.Mask, // Match for 100.64.0.0/24 + Xor: net.IPv4zero.To4(), + }, + &expr.Cmp{ + Register: 1, + Op: expr.CmpOpEq, + Data: ip.IP.To4(), + }, + ) + } + + } else { + for _, ip := range ips { + e = append(e, + &expr.Payload{ + DestRegister: 1, + Base: expr.PayloadBaseNetworkHeader, + Offset: 8, // Source IP offset in IPv6 header + Len: 16, // IPv6 address length + }, + &expr.Bitwise{ + SourceRegister: 1, + DestRegister: 1, + Len: 16, + Mask: ip.Mask, // Match for /64 subnet + Xor: make([]byte, 16), // IPv6 zero address + }, + &expr.Cmp{ + Register: 1, + Op: expr.CmpOpEq, + Data: ip.IP.To16(), // Replace with subnet prefix + }, + ) + } + } + return e +} func (n *nftablesManager) AddAclRules(server string, aclRules map[string]models.AclRule) { + ruleTable := n.FetchRuleTable(server, aclTable) + defer n.SaveRules(server, aclTable, ruleTable) + n.mux.Lock() + defer n.mux.Unlock() + if ruleTable == nil { + ruleTable = make(ruletable) + } + for _, aclRule := range aclRules { + rules := []ruleInfo{} + if _, ok := ruleTable[aclRule.ID]; !ok { + ruleTable[aclRule.ID] = rulesCfg{ + rulesMap: make(map[string][]ruleInfo), + } + } + if len(aclRule.IPList) > 0 { + allowedIps := []string{} + for _, ip := range aclRule.IPList { + allowedIps = append(allowedIps, ip.String()) + } + ruleSpec := []string{"-s", strings.Join(allowedIps, ",")} + if aclRule.AllowedProtocol.String() != "" { + ruleSpec = 
append(ruleSpec, "-p", aclRule.AllowedProtocol.String()) + } + if len(aclRule.AllowedPorts) > 0 { + ruleSpec = append(ruleSpec, "--dport", + strings.Join(aclRule.AllowedPorts, ",")) + } + ruleSpec = append(ruleSpec, "-j", "ACCEPT") + ruleSpec = appendNetmakerCommentToRule(ruleSpec) + n.deleteRule(defaultIpTable, aclInputRulesChain, genRuleKey(ruleSpec...)) + e := []expr.Any{} + e = append(e, n.GetSrcIpsExpr(aclRule.IPList, true)...) + if aclRule.AllowedProtocol.String() != "" { + e = append(e, n.getExprForProto(aclRule.AllowedProtocol, true)...) + } + if len(aclRule.AllowedPorts) > 0 { + e = append(e, n.getExprForPort(aclRule.AllowedPorts)...) + } + e = append(e, // Accept the packet + &expr.Verdict{ + Kind: expr.VerdictAccept, // ACCEPT verdict + }) + nfRule := &nftables.Rule{ + Table: filterTable, + Chain: &nftables.Chain{Name: aclInputRulesChain}, + Exprs: e, + UserData: []byte(genRuleKey(ruleSpec...)), // Equivalent to the comment in iptables + } + n.conn.InsertRule(nfRule) + if err := n.conn.Flush(); err != nil { + logger.Log(0, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error())) + } else { + rules = append(rules, ruleInfo{ + isIpv4: true, + nfRule: nfRule, + table: defaultIpTable, + chain: aclInputRulesChain, + rule: ruleSpec, + }) + + } + + } + + if len(aclRule.IP6List) > 0 { + allowedIps := []string{} + for _, ip := range aclRule.IP6List { + allowedIps = append(allowedIps, ip.String()) + } + ruleSpec := []string{"-s", strings.Join(allowedIps, ",")} + if aclRule.AllowedProtocol.String() != "" { + ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String()) + } + if len(aclRule.AllowedPorts) > 0 { + ruleSpec = append(ruleSpec, "--dport", + strings.Join(aclRule.AllowedPorts, ",")) + } + ruleSpec = append(ruleSpec, "-j", "ACCEPT") + ruleSpec = appendNetmakerCommentToRule(ruleSpec) + n.deleteRule(defaultIpTable, aclInputRulesChain, genRuleKey(ruleSpec...)) + e := []expr.Any{} + e = append(e, n.GetSrcIpsExpr(aclRule.IPList, false)...) 
+ if aclRule.AllowedProtocol.String() != "" { + e = append(e, n.getExprForProto(aclRule.AllowedProtocol, false)...) + } + if len(aclRule.AllowedPorts) > 0 { + e = append(e, n.getExprForPort(aclRule.AllowedPorts)...) + } + e = append(e, // Accept the packet + &expr.Verdict{ + Kind: expr.VerdictAccept, // ACCEPT verdict + }) + nfRule := &nftables.Rule{ + Table: filterTable, + Chain: &nftables.Chain{Name: aclInputRulesChain}, + Exprs: e, + UserData: []byte(genRuleKey(ruleSpec...)), // Equivalent to the comment in iptables + } + n.conn.InsertRule(nfRule) + if err := n.conn.Flush(); err != nil { + logger.Log(0, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error())) + } else { + rules = append(rules, ruleInfo{ + isIpv4: false, + nfRule: nfRule, + table: defaultIpTable, + chain: aclInputRulesChain, + rule: ruleSpec, + }) + + } + if len(rules) > 0 { + fmt.Printf("====> IN ADDACLRULES: %+v\n", rules) + rCfg := rulesCfg{ + rulesMap: map[string][]ruleInfo{ + aclRule.ID: rules, + }, + extraInfo: aclRule, + } + ruleTable[aclRule.ID] = rCfg + } + } + } } func (n *nftablesManager) UpsertAclRule(server string, aclRule models.AclRule) { + ruleTable := n.FetchRuleTable(server, aclTable) + defer n.SaveRules(server, aclTable, ruleTable) + n.mux.Lock() + defer n.mux.Unlock() + ruleTable[aclRule.ID] = rulesCfg{ + rulesMap: make(map[string][]ruleInfo), + } + rules := []ruleInfo{} + if _, ok := ruleTable[aclRule.ID]; !ok { + ruleTable[aclRule.ID] = rulesCfg{ + rulesMap: make(map[string][]ruleInfo), + } + } + if len(aclRule.IPList) > 0 { + allowedIps := []string{} + for _, ip := range aclRule.IPList { + allowedIps = append(allowedIps, ip.String()) + } + ruleSpec := []string{"-s", strings.Join(allowedIps, ",")} + if aclRule.AllowedProtocol.String() != "" { + ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String()) + } + if len(aclRule.AllowedPorts) > 0 { + ruleSpec = append(ruleSpec, "--dport", + strings.Join(aclRule.AllowedPorts, ",")) + } + ruleSpec = 
append(ruleSpec, "-j", "ACCEPT") + ruleSpec = appendNetmakerCommentToRule(ruleSpec) + n.deleteRule(defaultIpTable, aclInputRulesChain, genRuleKey(ruleSpec...)) + e := []expr.Any{} + e = append(e, n.GetSrcIpsExpr(aclRule.IPList, true)...) + if aclRule.AllowedProtocol.String() != "" { + e = append(e, n.getExprForProto(aclRule.AllowedProtocol, true)...) + } + if len(aclRule.AllowedPorts) > 0 { + e = append(e, n.getExprForPort(aclRule.AllowedPorts)...) + } + e = append(e, // Accept the packet + &expr.Verdict{ + Kind: expr.VerdictAccept, // ACCEPT verdict + }) + nfRule := &nftables.Rule{ + Table: filterTable, + Chain: &nftables.Chain{Name: aclInputRulesChain}, + Exprs: e, + UserData: []byte(genRuleKey(ruleSpec...)), // Equivalent to the comment in iptables + } + n.conn.InsertRule(nfRule) + if err := n.conn.Flush(); err != nil { + logger.Log(0, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error())) + } else { + rules = append(rules, ruleInfo{ + isIpv4: true, + nfRule: nfRule, + table: defaultIpTable, + chain: aclInputRulesChain, + rule: ruleSpec, + }) + + } + + } + + if len(aclRule.IP6List) > 0 { + allowedIps := []string{} + for _, ip := range aclRule.IP6List { + allowedIps = append(allowedIps, ip.String()) + } + ruleSpec := []string{"-s", strings.Join(allowedIps, ",")} + if aclRule.AllowedProtocol.String() != "" { + ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String()) + } + if len(aclRule.AllowedPorts) > 0 { + ruleSpec = append(ruleSpec, "--dport", + strings.Join(aclRule.AllowedPorts, ",")) + } + ruleSpec = append(ruleSpec, "-j", "ACCEPT") + ruleSpec = appendNetmakerCommentToRule(ruleSpec) + n.deleteRule(defaultIpTable, aclInputRulesChain, genRuleKey(ruleSpec...)) + e := []expr.Any{} + e = append(e, n.GetSrcIpsExpr(aclRule.IPList, false)...) + if aclRule.AllowedProtocol.String() != "" { + e = append(e, n.getExprForProto(aclRule.AllowedProtocol, false)...) 
+ } + if len(aclRule.AllowedPorts) > 0 { + e = append(e, n.getExprForPort(aclRule.AllowedPorts)...) + } + e = append(e, // Accept the packet + &expr.Verdict{ + Kind: expr.VerdictAccept, // ACCEPT verdict + }) + nfRule := &nftables.Rule{ + Table: filterTable, + Chain: &nftables.Chain{Name: aclInputRulesChain}, + Exprs: e, + UserData: []byte(genRuleKey(ruleSpec...)), // Equivalent to the comment in iptables + } + n.conn.InsertRule(nfRule) + if err := n.conn.Flush(); err != nil { + logger.Log(0, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error())) + } else { + rules = append(rules, ruleInfo{ + isIpv4: false, + nfRule: nfRule, + table: defaultIpTable, + chain: aclInputRulesChain, + rule: ruleSpec, + }) + + } + + if len(rules) > 0 { + fmt.Printf("====> IN ADDACLRULES: %+v\n", rules) + rCfg := rulesCfg{ + rulesMap: map[string][]ruleInfo{ + aclRule.ID: rules, + }, + extraInfo: aclRule, + } + ruleTable[aclRule.ID] = rCfg + } + } + + if len(rules) > 0 { + rCfg := rulesCfg{ + rulesMap: map[string][]ruleInfo{ + aclRule.ID: rules, + }, + extraInfo: aclRule, + } + ruleTable[aclRule.ID] = rCfg + } } func (n *nftablesManager) DeleteAclRule(server, aclID string) { - + ruleTable := n.FetchRuleTable(server, aclTable) + defer n.SaveRules(server, aclTable, ruleTable) + n.mux.Lock() + defer n.mux.Unlock() + rulesCfg, ok := ruleTable[aclID] + if !ok { + return + } + rules := rulesCfg.rulesMap[aclID] + for _, rule := range rules { + n.deleteRule(rule.table, rule.chain, genRuleKey(rule.rule...)) + } + n.conn.Flush() + delete(ruleTable, aclID) } func (n *nftablesManager) ChangeACLTarget(target string) { From 2f5dbf934572c8153cff99be31202475642f8a16 Mon Sep 17 00:00:00 2001 From: abhishek9686 Date: Thu, 5 Dec 2024 10:03:10 +0400 Subject: [PATCH 18/24] check for all protocol and skip --- firewall/acl.go | 3 ++- firewall/nftables_linux.go | 35 +++++++++++++++++++---------------- 2 files changed, 21 insertions(+), 17 deletions(-) 
diff --git a/firewall/acl.go b/firewall/acl.go
index 07537436..aaf94289 100644
--- a/firewall/acl.go
+++ b/firewall/acl.go
@@ -11,12 +11,13 @@ func ProcessAclRules(server string, fwUpdate *models.FwUpdate) {
 	if fwCrtl == nil {
 		return
 	}
+
 	if fwUpdate.AllowAll {
 		fwCrtl.ChangeACLTarget(targetAccept)
 	} else {
 		fwCrtl.ChangeACLTarget(targetDrop)
 	}
-
+	return
 	aclRules := fwUpdate.AclRules
 	ruleTable := fwCrtl.FetchRuleTable(server, aclTable)
 	fmt.Printf("======> ACL RULES: %+v\n, Curr Rule table: %+v\n", fwUpdate.AclRules, ruleTable)
diff --git a/firewall/nftables_linux.go b/firewall/nftables_linux.go
index 6817eb84..2870d232 100644
--- a/firewall/nftables_linux.go
+++ b/firewall/nftables_linux.go
@@ -272,10 +272,18 @@ func (n *nftablesManager) CreateChains() error {
 	// n.deleteChain(defaultNatTable, netmakerNatChain)
 
 	//defaultDropPolicy := nftables.ChainPolicyDrop
-	//defaultAcceptPolicy := nftables.ChainPolicyAccept
+	defaultAcceptPolicy := new(nftables.ChainPolicy)
+	*defaultAcceptPolicy = nftables.ChainPolicyAccept
 	defaultForwardPolicy := new(nftables.ChainPolicy)
 	*defaultForwardPolicy = nftables.ChainPolicyAccept
-
+	n.conn.AddChain(&nftables.Chain{
+		Name:     iptableINChain,
+		Table:    filterTable,
+		Type:     nftables.ChainTypeFilter,
+		Hooknum:  nftables.ChainHookInput,
+		Priority: nftables.ChainPriorityFilter,
+		Policy:   defaultAcceptPolicy,
+	})
 	forwardChain := &nftables.Chain{
 		Name:     iptableFWDChain,
 		Table:    filterTable,
@@ -286,14 +294,6 @@ func (n *nftablesManager) CreateChains() error {
 	}
 	n.conn.AddChain(forwardChain)
 
-	n.conn.AddChain(&nftables.Chain{
-		Name:     iptableINChain,
-		Table:    filterTable,
-		Type:     nftables.ChainTypeFilter,
-		Hooknum:  nftables.ChainHookInput,
-		Priority: nftables.ChainPriorityFilter,
-	})
-
 	n.conn.AddChain(&nftables.Chain{
 		Name:  "OUTPUT",
 		Table: filterTable,
@@ -587,6 +587,8 @@ func (n *nftablesManager) SaveRules(server, tableName string, rules ruletable) {
 		n.ingRules[server] = rules
 	case egressTable:
 		n.engressRules[server] = rules
+	case aclTable:
+		n.aclRules[server] = rules
 	}
 }
 
@@ -865,6 +867,7 @@ func (n *nftablesManager) InsertIngressRoutingRules(server string, ingressInfo m
 		if !rule.Allow {
 			continue
 		}
+		fmt.Printf("=====>\n\n INg RULE: %+v\n\n", rule)
 		ruleSpec := []string{"-s", rule.SrcIP.String()}
 		if rule.AllowedProtocol.String() != "" {
 			ruleSpec = append(ruleSpec, "-p", rule.AllowedProtocol.String())
@@ -904,7 +907,7 @@ func (n *nftablesManager) InsertIngressRoutingRules(server string, ingressInfo m
 				Data:     rule.DstIP.IP.To4(), // IPv4 destination address
 			},
 		}
-		if rule.AllowedProtocol.String() != "" {
+		if rule.AllowedProtocol.String() != "" && rule.AllowedProtocol != models.ALL {
 			e = append(e, n.getExprForProto(rule.AllowedProtocol, true)...)
 		}
 		if len(rule.AllowedPorts) > 0 {
@@ -948,7 +951,7 @@ func (n *nftablesManager) InsertIngressRoutingRules(server string, ingressInfo m
 				Data:     rule.DstIP.IP.To16(), // IPv6 destination address
 			},
 		}
-		if rule.AllowedProtocol.String() != "" {
+		if rule.AllowedProtocol.String() != "" && rule.AllowedProtocol != models.ALL {
 			e = append(e, n.getExprForProto(rule.AllowedProtocol, false)...)
 		}
 		if len(rule.AllowedPorts) > 0 {
@@ -1070,7 +1073,7 @@ func (n *nftablesManager) AddAclRules(server string, aclRules map[string]models.
 		n.deleteRule(defaultIpTable, aclInputRulesChain, genRuleKey(ruleSpec...))
 		e := []expr.Any{}
 		e = append(e, n.GetSrcIpsExpr(aclRule.IPList, true)...)
-		if aclRule.AllowedProtocol.String() != "" {
+		if aclRule.AllowedProtocol.String() != "" && aclRule.AllowedProtocol != models.ALL {
 			e = append(e, n.getExprForProto(aclRule.AllowedProtocol, true)...)
 		}
 		if len(aclRule.AllowedPorts) > 0 {
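Review bot: The new `case aclTable:` writes into `n.aclRules[server]`, and if that map is not allocated wherever `ingRules`/`engressRules` are initialised (outside this hunk) the first ACL update panics on a nil-map write. Either confirm the constructor allocates it, or guard the write here with `if n.aclRules == nil { n.aclRules = make(map[string]ruletable) }` before the assignment. The enclosing SaveRules switch starts outside the hunk.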
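Review bot: The added `fmt.Printf("=====>\n\n INg RULE: %+v\n\n", rule)` in InsertIngressRoutingRules is a debug print straight to stdout for every ingress rule, and none of the later commits in this series removes it (the later cleanup only touches AddAclRules and acl.go). It dumps the full rule (peer addresses, ports) outside the logger's level control. Drop it, or route it through the file's logger at a debug level, `logger.Log(2, fmt.Sprintf("ingress rule: %+v", rule))`. The enclosing function starts and ends outside the hunk.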
@@ -1120,7 +1123,7 @@ func (n *nftablesManager) AddAclRules(server string, aclRules map[string]models.
 		n.deleteRule(defaultIpTable, aclInputRulesChain, genRuleKey(ruleSpec...))
 		e := []expr.Any{}
 		e = append(e, n.GetSrcIpsExpr(aclRule.IPList, false)...)
-		if aclRule.AllowedProtocol.String() != "" {
+		if aclRule.AllowedProtocol.String() != "" && aclRule.AllowedProtocol != models.ALL {
 			e = append(e, n.getExprForProto(aclRule.AllowedProtocol, false)...)
 		}
 		if len(aclRule.AllowedPorts) > 0 {
@@ -1196,7 +1199,7 @@ func (n *nftablesManager) UpsertAclRule(server string, aclRule models.AclRule) {
 		n.deleteRule(defaultIpTable, aclInputRulesChain, genRuleKey(ruleSpec...))
 		e := []expr.Any{}
 		e = append(e, n.GetSrcIpsExpr(aclRule.IPList, true)...)
-		if aclRule.AllowedProtocol.String() != "" {
+		if aclRule.AllowedProtocol.String() != "" && aclRule.AllowedProtocol != models.ALL {
 			e = append(e, n.getExprForProto(aclRule.AllowedProtocol, true)...)
 		}
 		if len(aclRule.AllowedPorts) > 0 {
@@ -1246,7 +1249,7 @@ func (n *nftablesManager) UpsertAclRule(server string, aclRule models.AclRule) {
 		n.deleteRule(defaultIpTable, aclInputRulesChain, genRuleKey(ruleSpec...))
 		e := []expr.Any{}
 		e = append(e, n.GetSrcIpsExpr(aclRule.IPList, false)...)
-		if aclRule.AllowedProtocol.String() != "" {
+		if aclRule.AllowedProtocol.String() != "" && aclRule.AllowedProtocol != models.ALL {
 			e = append(e, n.getExprForProto(aclRule.AllowedProtocol, false)...)
 		}
 		if len(aclRule.AllowedPorts) > 0 {
From 95b58c66f9eab40dea43053db67c81925e76b5ca Mon Sep 17 00:00:00 2001
From: abhishek9686
Date: Thu, 5 Dec 2024 10:06:48 +0400
Subject: [PATCH 19/24] ignore all protocol

---
 firewall/iptables_linux.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/firewall/iptables_linux.go b/firewall/iptables_linux.go
index 2ddfd651..8989e5b1 100644
--- a/firewall/iptables_linux.go
+++ b/firewall/iptables_linux.go
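Review bot: In the IPv6 branch of AddAclRules the context line `e = append(e, n.GetSrcIpsExpr(aclRule.IPList, false)...)` hands the IPv4 list to the IPv6 matcher, while the `ruleSpec` built just above this hunk (visible in the earlier commit) is assembled from `aclRule.IP6List`. The resulting ip6 rule compares the packet's source against IPv4 addresses widened to 16 bytes rather than the peers' IPv6 addresses, so the IPv6 accept never fires for the intended sources; with the ACL target set to drop those peers are cut off rather than admitted. Change it to `e = append(e, n.GetSrcIpsExpr(aclRule.IP6List, false)...)`; the IPv6 branch of UpsertAclRule (hunk at -1246 below) has the same line. The enclosing functions start and end outside these hunks.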
@@ -510,7 +510,7 @@ func (i *iptablesManager) InsertIngressRoutingRules(server string, ingressInfo m
 				continue
 			}
 			ruleSpec := []string{"-s", rule.SrcIP.String()}
-			if rule.AllowedProtocol.String() != "" {
+			if rule.AllowedProtocol.String() != "" && rule.AllowedProtocol != models.ALL {
 				ruleSpec = append(ruleSpec, "-p", rule.AllowedProtocol.String())
 			}
 			ruleSpec = append(ruleSpec, "--dport", port)
@@ -521,7 +521,7 @@ func (i *iptablesManager) InsertIngressRoutingRules(server string, ingressInfo m
 		} else {
 
 			ruleSpec := []string{"-s", rule.SrcIP.String()}
-			if rule.AllowedProtocol.String() != "" {
+			if rule.AllowedProtocol.String() != "" && rule.AllowedProtocol != models.ALL {
 				ruleSpec = append(ruleSpec, "-p", rule.AllowedProtocol.String())
 			}
 			ruleSpec = append(ruleSpec, "-j", "ACCEPT")
@@ -614,7 +614,7 @@ func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models.
 				continue
 			}
 			ruleSpec := []string{"-s", strings.Join(allowedIps, ",")}
-			if aclRule.AllowedProtocol.String() != "" {
+			if aclRule.AllowedProtocol.String() != "" && aclRule.AllowedProtocol != models.ALL {
 				ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String())
 			}
 			ruleSpec = append(ruleSpec, "--dport", port)
@@ -625,7 +625,7 @@ func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models.
 		} else {
 
 			ruleSpec := []string{"-s", strings.Join(allowedIps, ",")}
-			if aclRule.AllowedProtocol.String() != "" {
+			if aclRule.AllowedProtocol.String() != "" && aclRule.AllowedProtocol != models.ALL {
 				ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String())
 			}
 			ruleSpec = append(ruleSpec, "-j", "ACCEPT")
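Review bot: With `rule.AllowedProtocol == models.ALL` the new condition omits `-p`, yet the following context line still appends `--dport port`; iptables only accepts `--dport` together with `-p tcp` or `-p udp` (the option belongs to those protocol extensions), so a port-restricted "all protocols" rule is rejected with "unknown option --dport" and the ingress accept is silently missing apart from a log line. The same pattern recurs in the AddAclRules hunks below at -614 and -662. When ports are present, expand ALL into one rule per transport protocol instead of dropping the protocol; the enclosing function starts and ends outside the hunk.
```go
			ruleSpec := []string{"-s", rule.SrcIP.String()}
			// --dport is only valid with -p tcp/udp, so "all" must expand to both
			protos := []string{rule.AllowedProtocol.String()}
			if rule.AllowedProtocol == models.ALL || rule.AllowedProtocol.String() == "" {
				protos = []string{"tcp", "udp"}
			}
			for _, proto := range protos {
				spec := append(append([]string{}, ruleSpec...), "-p", proto, "--dport", port)
				// … unchanged: -j ACCEPT, netmaker comment, append spec to rulesSpec …
			}
```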
@@ -662,7 +662,7 @@ func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models.
 				continue
 			}
 			ruleSpec := []string{"-s", strings.Join(allowedIps, ",")}
-			if aclRule.AllowedProtocol.String() != "" {
+			if aclRule.AllowedProtocol.String() != "" && aclRule.AllowedProtocol != models.ALL {
 				ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String())
 			}
 			ruleSpec = append(ruleSpec, "--dport", port)
@@ -673,7 +673,7 @@ func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models.
 		} else {
 
 			ruleSpec := []string{"-s", strings.Join(allowedIps, ",")}
-			if aclRule.AllowedProtocol.String() != "" {
+			if aclRule.AllowedProtocol.String() != "" && aclRule.AllowedProtocol != models.ALL {
 				ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String())
 			}
 			ruleSpec = append(ruleSpec, "-j", "ACCEPT")
From a23fc02c426dac98888af1e5b0d932d9dab83fd1 Mon Sep 17 00:00:00 2001
From: abhishek9686
Date: Thu, 5 Dec 2024 15:50:21 +0400
Subject: [PATCH 20/24] remove return

---
 firewall/acl.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/firewall/acl.go b/firewall/acl.go
index aaf94289..b2c7f5cd 100644
--- a/firewall/acl.go
+++ b/firewall/acl.go
@@ -17,7 +17,6 @@ func ProcessAclRules(server string, fwUpdate *models.FwUpdate) {
 	} else {
 		fwCrtl.ChangeACLTarget(targetDrop)
 	}
-	return
 	aclRules := fwUpdate.AclRules
 	ruleTable := fwCrtl.FetchRuleTable(server, aclTable)
 	fmt.Printf("======> ACL RULES: %+v\n, Curr Rule table: %+v\n", fwUpdate.AclRules, ruleTable)
From ca7154ce2629c8026389adb4e42cd4e6ce96c50a Mon Sep 17 00:00:00 2001
From: abhishek9686
Date: Fri, 6 Dec 2024 00:21:01 +0400
Subject: [PATCH 21/24] add LOCAL only rule on ingress gw

---
 firewall/iptables_linux.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/firewall/iptables_linux.go b/firewall/iptables_linux.go
index 8989e5b1..a43a1dd7 100644
--- a/firewall/iptables_linux.go
+++ b/firewall/iptables_linux.go
@@ -510,6 +510,9 @@ func (i *iptablesManager) InsertIngressRoutingRules(server string, ingressInfo m
 				continue
 			}
 			ruleSpec := []string{"-s", rule.SrcIP.String()}
+			if rule.DstIP.IP != nil {
+				ruleSpec = append(ruleSpec, "-d", rule.DstIP.String())
+			}
 			if rule.AllowedProtocol.String() != "" && rule.AllowedProtocol != models.ALL {
 				ruleSpec = append(ruleSpec, "-p", rule.AllowedProtocol.String())
 			}
@@ -521,6 +524,9 @@ func (i *iptablesManager) InsertIngressRoutingRules(server string, ingressInfo m
 		} else {
 
 			ruleSpec := []string{"-s", rule.SrcIP.String()}
+			if rule.DstIP.IP != nil {
+				ruleSpec = append(ruleSpec, "-d", rule.DstIP.String())
+			}
 			if rule.AllowedProtocol.String() != "" && rule.AllowedProtocol != models.ALL {
 				ruleSpec = append(ruleSpec, "-p", rule.AllowedProtocol.String())
 			}
@@ -618,6 +624,7 @@ func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models.
 				ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String())
 			}
 			ruleSpec = append(ruleSpec, "--dport", port)
+			ruleSpec = append(ruleSpec, "-m", "addrtype", "--dst-type", "LOCAL")
 			ruleSpec = append(ruleSpec, "-j", "ACCEPT")
 			ruleSpec = appendNetmakerCommentToRule(ruleSpec)
 			rulesSpec = append(rulesSpec, ruleSpec)
@@ -628,6 +635,7 @@ func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models.
 			if aclRule.AllowedProtocol.String() != "" && aclRule.AllowedProtocol != models.ALL {
 				ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String())
 			}
+			ruleSpec = append(ruleSpec, "-m", "addrtype", "--dst-type", "LOCAL")
 			ruleSpec = append(ruleSpec, "-j", "ACCEPT")
 			ruleSpec = appendNetmakerCommentToRule(ruleSpec)
 			rulesSpec = append(rulesSpec, ruleSpec)
@@ -666,6 +674,7 @@ func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models.
 				ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String())
 			}
 			ruleSpec = append(ruleSpec, "--dport", port)
+			ruleSpec = append(ruleSpec, "-m", "addrtype", "--dst-type", "LOCAL")
 			ruleSpec = append(ruleSpec, "-j", "ACCEPT")
 			ruleSpec = appendNetmakerCommentToRule(ruleSpec)
 			rulesSpec = append(rulesSpec, ruleSpec)
@@ -676,6 +685,7 @@ func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models.
 			if aclRule.AllowedProtocol.String() != "" && aclRule.AllowedProtocol != models.ALL {
 				ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String())
 			}
+			ruleSpec = append(ruleSpec, "-m", "addrtype", "--dst-type", "LOCAL")
 			ruleSpec = append(ruleSpec, "-j", "ACCEPT")
 			ruleSpec = appendNetmakerCommentToRule(ruleSpec)
 			rulesSpec = append(rulesSpec, ruleSpec)
@@ -740,6 +750,7 @@ func (i *iptablesManager) UpsertAclRule(server string, aclRule models.AclRule) {
 				ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String())
 			}
 			ruleSpec = append(ruleSpec, "--dport", port)
+			ruleSpec = append(ruleSpec, "-m", "addrtype", "--dst-type", "LOCAL")
 			ruleSpec = append(ruleSpec, "-j", "ACCEPT")
 			ruleSpec = appendNetmakerCommentToRule(ruleSpec)
 			rulesSpec = append(rulesSpec, ruleSpec)
@@ -750,6 +761,7 @@ func (i *iptablesManager) UpsertAclRule(server string, aclRule models.AclRule) {
 			if aclRule.AllowedProtocol.String() != "" {
 				ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String())
 			}
+			ruleSpec = append(ruleSpec, "-m", "addrtype", "--dst-type", "LOCAL")
 			ruleSpec = append(ruleSpec, "-j", "ACCEPT")
 			ruleSpec = appendNetmakerCommentToRule(ruleSpec)
 			rulesSpec = append(rulesSpec, ruleSpec)
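Review bot: The context line `if aclRule.AllowedProtocol.String() != "" {` in UpsertAclRule (hunk at -750) still lacks the `&& aclRule.AllowedProtocol != models.ALL` guard that the previous commit added to AddAclRules and InsertIngressRoutingRules, so the upsert path emits `-p all` where the add path emits no `-p` at all. Beyond the inconsistency, the two paths now produce different specs for the same ACL, which matters wherever rule keys or deletions are derived from the spec. Apply the same condition here, `if aclRule.AllowedProtocol.String() != "" && aclRule.AllowedProtocol != models.ALL {`, and in the `--dport` branch of this function at -740 (whose condition sits above the hunk). The enclosing function starts and ends outside the hunk.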
@@ -787,6 +799,7 @@ func (i *iptablesManager) UpsertAclRule(server string, aclRule models.AclRule) {
 				ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String())
 			}
 			ruleSpec = append(ruleSpec, "--dport", port)
+			ruleSpec = append(ruleSpec, "-m", "addrtype", "--dst-type", "LOCAL")
 			ruleSpec = append(ruleSpec, "-j", "ACCEPT")
 			rulesSpec = append(rulesSpec, ruleSpec)
 		}
@@ -796,6 +809,7 @@ func (i *iptablesManager) UpsertAclRule(server string, aclRule models.AclRule) {
 			if aclRule.AllowedProtocol.String() != "" {
 				ruleSpec = append(ruleSpec, "-p", aclRule.AllowedProtocol.String())
 			}
+			ruleSpec = append(ruleSpec, "-m", "addrtype", "--dst-type", "LOCAL")
 			ruleSpec = append(ruleSpec, "-j", "ACCEPT")
 			rulesSpec = append(rulesSpec, ruleSpec)
 		}
From e5f79f4f2f5069b3a371568f579bfe2563842616 Mon Sep 17 00:00:00 2001
From: abhishek9686
Date: Fri, 6 Dec 2024 00:59:31 +0400
Subject: [PATCH 22/24] add established and related state rule on fwd chain

---
 firewall/iptables_linux.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/firewall/iptables_linux.go b/firewall/iptables_linux.go
index a43a1dd7..7f67182c 100644
--- a/firewall/iptables_linux.go
+++ b/firewall/iptables_linux.go
@@ -73,6 +73,20 @@ var (
 			table: defaultIpTable,
 			chain: iptableINChain,
 		},
+		{
+			rule: []string{"-i", ncutils.GetInterfaceName(), "-m", "conntrack",
+				"--ctstate", "ESTABLISHED,RELATED", "-m", "comment",
+				"--comment", netmakerSignature, "-j", "ACCEPT"},
+			table: defaultIpTable,
+			chain: iptableFWDChain,
+		},
+		{
+			rule: []string{"-o", ncutils.GetInterfaceName(), "-m", "conntrack",
+				"--ctstate", "ESTABLISHED,RELATED", "-m", "comment",
+				"--comment", netmakerSignature, "-j", "ACCEPT"},
+			table: defaultIpTable,
+			chain: iptableFWDChain,
+		},
 		{
 			rule: []string{"-i", ncutils.GetInterfaceName(), "-j", aclInputRulesChain, "-m", "comment",
 				"--comment", netmakerSignature},
From cc747d3b8c267e1348515bce5f2234a8ea79136c Mon Sep 17 00:00:00 2001
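Review bot: In these two IPv6 branches of UpsertAclRule the rule goes straight from `-j ACCEPT` to `rulesSpec = append(rulesSpec, ruleSpec)` with no `ruleSpec = appendNetmakerCommentToRule(ruleSpec)`, unlike the IPv4 branches of the same function and every branch of AddAclRules. The IPv6 ACL accepts are therefore installed without the netmaker signature comment, so any cleanup keyed on that signature (`clearNetmakerRules` in CreateChains, presumably) would leave stale IPv6 accepts behind across restarts. Add `ruleSpec = appendNetmakerCommentToRule(ruleSpec)` before the append in both branches; the `models.ALL` guard is also missing from the `-p` condition in the second hunk. The enclosing function starts and ends outside the hunks.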
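Review bot: The two new FORWARD entries accept `ESTABLISHED,RELATED` for both `-i` and `-o` on the netmaker interface and, assuming the list is installed in order, they precede the jump into `aclInputRulesChain` that follows them, so anything conntrack classes as RELATED bypasses the ACL and egress rules. RELATED is needed for ICMP errors, but it also admits helper-created expectations (FTP data, SIP/H.323 media) whenever those conntrack helper modules are loaded on the gateway. If that is acceptable, say so on the entries, e.g. `// return traffic for flows already admitted by the rules below; RELATED also admits conntrack-helper expectations`; otherwise match `ESTABLISHED` alone plus an explicit ICMP error rule. The enclosing var block starts outside the hunk.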
From: abhishek9686
Date: Sat, 7 Dec 2024 15:59:58 +0400
Subject: [PATCH 23/24] add local dst rule

---
 firewall/acl.go            |   5 +-
 firewall/nftables_linux.go | 191 +++++++++++++++++++++++++++++++++----
 firewall/utils.go          |  24 +++++
 3 files changed, 197 insertions(+), 23 deletions(-)

diff --git a/firewall/acl.go b/firewall/acl.go
index b2c7f5cd..4bb3a65a 100644
--- a/firewall/acl.go
+++ b/firewall/acl.go
@@ -19,14 +19,11 @@ func ProcessAclRules(server string, fwUpdate *models.FwUpdate) {
 	}
 	aclRules := fwUpdate.AclRules
 	ruleTable := fwCrtl.FetchRuleTable(server, aclTable)
-	fmt.Printf("======> ACL RULES: %+v\n, Curr Rule table: %+v\n", fwUpdate.AclRules, ruleTable)
+	fmt.Printf("======> ACL RULES: %+v \n", fwUpdate.AclRules)
 	if len(ruleTable) == 0 && len(aclRules) > 0 {
 		fwCrtl.AddAclRules(server, aclRules)
-		ruleTable := fwCrtl.FetchRuleTable(server, aclTable)
-		fmt.Printf("======> AFTER ACL RULES: Curr Rule table: %+v\n", ruleTable)
 		return
 	}
-	fmt.Println("## CHECKING New RULES==>")
 	// add new acl rules
 	for _, aclRule := range aclRules {
 		if _, ok := ruleTable[aclRule.ID]; !ok {
diff --git a/firewall/nftables_linux.go b/firewall/nftables_linux.go
index 2870d232..cc6217b0 100644
--- a/firewall/nftables_linux.go
+++ b/firewall/nftables_linux.go
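Review bot: `fmt.Printf("======> ACL RULES: %+v \n", fwUpdate.AclRules)` still prints the complete ACL rule set (peer addresses, ports, directions) to stdout on every firewall update, even though this commit removes the other debug prints around it. Route it through the logger the other firewall files use at a debug level, `logger.Log(2, fmt.Sprintf("acl rules: %+v", fwUpdate.AclRules))` (acl.go would need the import), or delete it. ProcessAclRules starts and ends outside the hunk.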
@@ -109,6 +109,98 @@ var ( table: defaultIpTable, chain: iptableINChain, }, + { + nfRule: &nftables.Rule{ + Table: filterTable, + Chain: &nftables.Chain{Name: iptableFWDChain}, + Exprs: []expr.Any{ + // Match on input interface (-i netmaker) + &expr.Meta{ + Key: expr.MetaKeyIIFNAME, // Input interface name + Register: 1, // Store in register 1 + }, + &expr.Cmp{ + Op: expr.CmpOpEq, // Equals operation + Register: 1, // Compare register 1 + Data: []byte(ncutils.GetInterfaceName() + "\x00"), // Interface name "netmaker" (null-terminated string) + }, + // Match on conntrack state (-m conntrack --ctstate RELATED,ESTABLISHED) + &expr.Ct{ + Key: expr.CtKeySTATE, + Register: 1, + }, + &expr.Bitwise{ + SourceRegister: 1, // Use register 1 from Ct expression + DestRegister: 1, // Output to same register + Len: 4, // State length + Mask: []byte{0x06, 0x00, 0x00, 0x00}, // Mask for RELATED (2) and ESTABLISHED (4) + Xor: []byte{0x00, 0x00, 0x00, 0x00}, // No XOR + }, + &expr.Cmp{ + Op: expr.CmpOpNeq, // Check if the bitwise result is not zero + Register: 1, + Data: []byte{0x00, 0x00, 0x00, 0x00}, + }, + &expr.Verdict{ + Kind: expr.VerdictAccept, + }, + }, + UserData: []byte(genRuleKey("-i", ncutils.GetInterfaceName(), "-m", "conntrack", + "--ctstate", "ESTABLISHED,RELATED", "-m", "comment", + "--comment", netmakerSignature, "-j", "ACCEPT")), // Add comment + }, + rule: []string{"-i", ncutils.GetInterfaceName(), "-m", "conntrack", + "--ctstate", "ESTABLISHED,RELATED", "-m", "comment", + "--comment", netmakerSignature, "-j", "ACCEPT"}, + table: defaultIpTable, + chain: iptableFWDChain, + }, + { + nfRule: &nftables.Rule{ + Table: filterTable, + Chain: &nftables.Chain{Name: iptableFWDChain}, + Exprs: []expr.Any{ + // Match on input interface (-i netmaker) + &expr.Meta{ + Key: expr.MetaKeyOIFNAME, // Input interface name + Register: 1, // Store in register 1 + }, + &expr.Cmp{ + Op: expr.CmpOpEq, // Equals operation + Register: 1, // Compare register 1 + Data: 
[]byte(ncutils.GetInterfaceName() + "\x00"), // Interface name "netmaker" (null-terminated string) + }, + // Match on conntrack state (-m conntrack --ctstate RELATED,ESTABLISHED) + &expr.Ct{ + Key: expr.CtKeySTATE, + Register: 1, + }, + &expr.Bitwise{ + SourceRegister: 1, // Use register 1 from Ct expression + DestRegister: 1, // Output to same register + Len: 4, // State length + Mask: []byte{0x06, 0x00, 0x00, 0x00}, // Mask for RELATED (2) and ESTABLISHED (4) + Xor: []byte{0x00, 0x00, 0x00, 0x00}, // No XOR + }, + &expr.Cmp{ + Op: expr.CmpOpNeq, // Check if the bitwise result is not zero + Register: 1, + Data: []byte{0x00, 0x00, 0x00, 0x00}, + }, + &expr.Verdict{ + Kind: expr.VerdictAccept, + }, + }, + UserData: []byte(genRuleKey("-o", ncutils.GetInterfaceName(), "-m", "conntrack", + "--ctstate", "ESTABLISHED,RELATED", "-m", "comment", + "--comment", netmakerSignature, "-j", "ACCEPT")), // Add comment + }, + rule: []string{"-o", ncutils.GetInterfaceName(), "-m", "conntrack", + "--ctstate", "ESTABLISHED,RELATED", "-m", "comment", + "--comment", netmakerSignature, "-j", "ACCEPT"}, + table: defaultIpTable, + chain: iptableFWDChain, + }, { nfRule: &nftables.Rule{ 
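Review bot: The comments on the two new conntrack entries are inaccurate. The Bitwise comment reads `// Mask for RELATED (2) and ESTABLISHED (4)`, but in the nft ct state bitmap ESTABLISHED is 2 and RELATED is 4 (the 0x06 mask is right, the labels are swapped), and the second entry keeps `// Match on input interface (-i netmaker)` and `// Input interface name` although its key is `MetaKeyOIFNAME`, i.e. `-o`. Change them to `// Mask for ESTABLISHED (2) and RELATED (4)`, `// Match on output interface (-o netmaker)` and `// Output interface name`. The enclosing var block starts outside the hunk.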
@@ -989,28 +1081,32 @@ func (n *nftablesManager) InsertIngressRoutingRules(server string, ingressInfo m func (n *nftablesManager) GetSrcIpsExpr(ips []net.IPNet, isIpv4 bool) []expr.Any { var e []expr.Any if isIpv4 { + e = append(e, &expr.Payload{ + DestRegister: 1, + Base: expr.PayloadBaseNetworkHeader, + Offset: 12, // Source IP offset in IPv4 header + Len: 4, // IPv4 address length + }) + for _, ip := range ips { // Match first source IP - e = append(e, - &expr.Payload{ - DestRegister: 1, - Base: expr.PayloadBaseNetworkHeader, - Offset: 12, // Source IP offset in IPv4 header - Len: 4, // IPv4 address length - }, - &expr.Bitwise{ - SourceRegister: 1, - DestRegister: 1, - Len: 4, - Mask: ip.Mask, // Match for 100.64.0.0/24 - Xor: net.IPv4zero.To4(), - }, + /* + // Match source IPs + &expr.Cmp{ + Op: expr.CmpOpEq, Register: 1, - Op: expr.CmpOpEq, - Data: ip.IP.To4(), + Data: []byte{ + 100, 64, 0, 1, // 100.64.0.1 + 100, 64, 255, 254, // 100.64.255.254 + }, }, - ) + */ + e = append(e, &expr.Cmp{ + Op: expr.CmpOpEq, + Register: 1, + Data: ip.IP.To4(), + }) } } else { @@ -1068,6 +1164,7 @@ func (n *nftablesManager) AddAclRules(server string, aclRules map[string]models. ruleSpec = append(ruleSpec, "--dport", strings.Join(aclRule.AllowedPorts, ",")) } + ruleSpec = append(ruleSpec, "-m", "addrtype", "--dst-type", "LOCAL") ruleSpec = append(ruleSpec, "-j", "ACCEPT") ruleSpec = appendNetmakerCommentToRule(ruleSpec) n.deleteRule(defaultIpTable, aclInputRulesChain, genRuleKey(ruleSpec...)) @@ -1079,6 +1176,9 @@ func (n *nftablesManager) AddAclRules(server string, aclRules map[string]models. if len(aclRule.AllowedPorts) > 0 { e = append(e, n.getExprForPort(aclRule.AllowedPorts)...) } + // Match destination type LOCAL + e = append(e, n.getLocalExpr()...) + e = append(e, // Accept the packet &expr.Verdict{ Kind: expr.VerdictAccept, // ACCEPT verdict 
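Review bot: The rewritten IPv4 branch of GetSrcIpsExpr loads the source address once and then appends one `expr.Cmp{Op: expr.CmpOpEq, ...}` per entry; expressions in an nft rule are ANDed, so with two or more addresses the rule can never match (every peer in the list is cut off when the ACL target is drop), and dropping the `expr.Bitwise` mask means a CIDR entry now matches only its base address. An address list belongs in a set: build an anonymous constant set of `nftables.TypeIPAddr` (elements with `Interval: true` when an entry has a prefix shorter than /32), add it with `n.conn.AddSet`, and follow the Payload with `&expr.Lookup{SourceRegister: 1, SetName: set.Name, SetID: set.ID}` — that is what `ip saddr { a, b/24 }` compiles to. The IPv6 branch, cut off below, needs the same treatment with offset 8 and `nftables.TypeIP6Addr`.
```go
	if isIpv4 {
		set := &nftables.Set{
			Table:     filterTable,
			Anonymous: true,
			Constant:  true,
			KeyType:   nftables.TypeIPAddr,
		}
		elems := make([]nftables.SetElement, 0, len(ips))
		for _, ip := range ips {
			// … CIDR entries need Interval: true and a start/end element pair …
			elems = append(elems, nftables.SetElement{Key: ip.IP.To4()})
		}
		if err := n.conn.AddSet(set, elems); err != nil {
			// an empty result must make the caller skip the rule: a rule with no
			// source match would accept every source
			logger.Log(0, "failed to add source set: ", err.Error())
			return nil
		}
		e = append(e,
			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 12, Len: 4},
			&expr.Lookup{SourceRegister: 1, SetName: set.Name, SetID: set.ID},
		)
	} else {
		// … unchanged: IPv6 branch …
	}
```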
@@ -1118,6 +1218,7 @@ func (n *nftablesManager) AddAclRules(server string, aclRules map[string]models. ruleSpec = append(ruleSpec, "--dport", strings.Join(aclRule.AllowedPorts, ",")) } + ruleSpec = append(ruleSpec, "-m", "addrtype", "--dst-type", "LOCAL") ruleSpec = append(ruleSpec, "-j", "ACCEPT") ruleSpec = appendNetmakerCommentToRule(ruleSpec) n.deleteRule(defaultIpTable, aclInputRulesChain, genRuleKey(ruleSpec...)) @@ -1129,6 +1230,9 @@ func (n *nftablesManager) AddAclRules(server string, aclRules map[string]models. if len(aclRule.AllowedPorts) > 0 { e = append(e, n.getExprForPort(aclRule.AllowedPorts)...) } + // Match destination type LOCAL + e = append(e, n.getLocalExpr()...) + e = append(e, // Accept the packet &expr.Verdict{ Kind: expr.VerdictAccept, // ACCEPT verdict @@ -1154,7 +1258,6 @@ func (n *nftablesManager) AddAclRules(server string, aclRules map[string]models. } if len(rules) > 0 { - fmt.Printf("====> IN ADDACLRULES: %+v\n", rules) rCfg := rulesCfg{ rulesMap: map[string][]ruleInfo{ aclRule.ID: rules, @@ -1194,6 +1297,7 @@ func (n *nftablesManager) UpsertAclRule(server string, aclRule models.AclRule) { ruleSpec = append(ruleSpec, "--dport", strings.Join(aclRule.AllowedPorts, ",")) } + ruleSpec = append(ruleSpec, "-m", "addrtype", "--dst-type", "LOCAL") ruleSpec = append(ruleSpec, "-j", "ACCEPT") ruleSpec = appendNetmakerCommentToRule(ruleSpec) n.deleteRule(defaultIpTable, aclInputRulesChain, genRuleKey(ruleSpec...)) @@ -1205,6 +1309,9 @@ func (n *nftablesManager) UpsertAclRule(server string, aclRule models.AclRule) { if len(aclRule.AllowedPorts) > 0 { e = append(e, n.getExprForPort(aclRule.AllowedPorts)...) } + // Match destination type LOCAL + e = append(e, n.getLocalExpr()...) + e = append(e, // Accept the packet &expr.Verdict{ Kind: expr.VerdictAccept, // ACCEPT verdict 
@@ -1244,6 +1351,7 @@ func (n *nftablesManager) UpsertAclRule(server string, aclRule models.AclRule) { ruleSpec = append(ruleSpec, "--dport", strings.Join(aclRule.AllowedPorts, ",")) } + ruleSpec = append(ruleSpec, "-m", "addrtype", "--dst-type", "LOCAL") ruleSpec = append(ruleSpec, "-j", "ACCEPT") ruleSpec = appendNetmakerCommentToRule(ruleSpec) n.deleteRule(defaultIpTable, aclInputRulesChain, genRuleKey(ruleSpec...)) @@ -1255,6 +1363,9 @@ func (n *nftablesManager) UpsertAclRule(server string, aclRule models.AclRule) { if len(aclRule.AllowedPorts) > 0 { e = append(e, n.getExprForPort(aclRule.AllowedPorts)...) } + // Match destination type LOCAL + e = append(e, n.getLocalExpr()...) + e = append(e, // Accept the packet &expr.Verdict{ Kind: expr.VerdictAccept, // ACCEPT verdict @@ -1280,7 +1391,6 @@ func (n *nftablesManager) UpsertAclRule(server string, aclRule models.AclRule) { } if len(rules) > 0 { - fmt.Printf("====> IN ADDACLRULES: %+v\n", rules) rCfg := rulesCfg{ rulesMap: map[string][]ruleInfo{ aclRule.ID: rules, 
@@ -1424,3 +1534,46 @@ func rulesEqual(rule1, rule2 *nftables.Rule) bool {
 
 	return false
 }
+
+// AddLocalRule is a wrapper to match packets with LOCAL destination type (IPv4 and IPv6).
+func (n *nftablesManager) getLocalExpr() (e []expr.Any) {
+	return
+	localIPs, err := GetLocalIPs()
+	if err != nil {
+		return
+	}
+
+	for _, localIP := range localIPs {
+		var base expr.PayloadBase
+		var offsetDst, lenIP uint32
+		if localIP.To4() != nil {
+			// IPv4-specific parameters
+			base = expr.PayloadBaseNetworkHeader
+			offsetDst = 16 // Destination IP in IPv4 header
+			lenIP = 4 // IPv4 address length
+		} else {
+			// IPv6-specific parameters
+			base = expr.PayloadBaseNetworkHeader
+			offsetDst = 24 // Destination IP in IPv6 header
+			lenIP = 16 // IPv6 address length
+		}
+
+		e = append(e, []expr.Any{
+
+			// Match destination IP (local IP)
+			&expr.Payload{
+				DestRegister: 1,
+				Base: base,
+				Offset: offsetDst,
+				Len: lenIP,
+			},
+			&expr.Cmp{
+				Op: expr.CmpOpEq,
+				Register: 1,
+				Data: localIP,
+			},
+		}...)
+	}
+
+	return nil
+}
diff --git a/firewall/utils.go b/firewall/utils.go
index 4ae8e515..ad3a4a68 100644
--- a/firewall/utils.go
+++ b/firewall/utils.go
@@ -1,6 +1,7 @@
 package firewall
 
 import (
+	"net"
 	"net/netip"
 )
 
@@ -17,3 +18,26 @@ func isAddrIpv4(addr string) bool {
 	}
 	return isIpv4
 }
+
+// GetLocalIPs retrieves all local IPs (IPv4 and IPv6) on the machine.
+func GetLocalIPs() ([]net.IP, error) {
+	var localIPs []net.IP
+	interfaces, err := net.Interfaces()
+	if err != nil {
+		return nil, err
+	}
+
+	for _, iface := range interfaces {
+		addrs, err := iface.Addrs()
+		if err != nil {
+			return nil, err
+		}
+		for _, addr := range addrs {
+			ip, _, err := net.ParseCIDR(addr.String())
+			if err == nil {
+				localIPs = append(localIPs, ip)
+			}
+		}
+	}
+	return localIPs, nil
+}
From 52ac40f05934d7c5ea3d362174877024bad805af Mon Sep 17 00:00:00 2001
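Review bot: getLocalExpr opens with a bare `return`, so everything after it is unreachable and the function always yields nil; the `// Match destination type LOCAL` appends added to AddAclRules and UpsertAclRule in this same commit therefore add nothing, and the nftables ACL accepts lack the destination restriction the iptables path enforces with `-m addrtype --dst-type LOCAL`. Even without the early return the body is wrong twice over: consecutive `expr.Cmp` matches on register 1 are ANDed, so a host with more than one address could never match, and the final `return nil` discards `e`. nft expresses this directly as `fib daddr type local`, which needs no address enumeration (imports `github.com/google/nftables/binaryutil` and `golang.org/x/sys/unix`, both already pulled in by the nftables dependency); the doc comment should also name the function it documents rather than `AddLocalRule`.
```go
// getLocalExpr matches packets whose destination address belongs to this host
// (nft: `fib daddr type local`), the counterpart of `-m addrtype --dst-type LOCAL`.
func (n *nftablesManager) getLocalExpr() []expr.Any {
	return []expr.Any{
		&expr.Fib{Register: 1, FlagDADDR: true, ResultADDRTYPE: true},
		&expr.Cmp{
			Op:       expr.CmpOpEq,
			Register: 1,
			Data:     binaryutil.NativeEndian.PutUint32(unix.RTN_LOCAL),
		},
	}
}
```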
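Review bot: GetLocalIPs aborts the whole enumeration as soon as one interface's `Addrs()` fails (`return nil, err` inside the loop), so a single interface in a transient state hides every other local address from the caller; use `continue` there and keep going. It also returns loopback and link-local addresses, which a caller building accept rules should know about; say so in the doc comment, e.g. `// GetLocalIPs returns every address configured on any interface, including loopback and link-local ones; an interface whose Addrs() fails is skipped.` The function is complete within the hunk.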
From: abhishek9686
Date: Wed, 11 Dec 2024 12:27:33 +0400
Subject: [PATCH 24/24] resolve merge conflicts

---
 firewall/iptables_linux.go | 52 ++++++++++++++++++++++++++++----------
 1 file changed, 39 insertions(+), 13 deletions(-)

diff --git a/firewall/iptables_linux.go b/firewall/iptables_linux.go
index 90aab9a4..a84d995d 100644
--- a/firewall/iptables_linux.go
+++ b/firewall/iptables_linux.go
@@ -249,22 +249,18 @@ func (i *iptablesManager) CreateChains() error {
 	defer i.mux.Unlock()
 	// remove jump rules
 	i.removeJumpRules()
+	i.cleanup(defaultIpTable, netmakerFilterChain)
 	i.cleanup(defaultNatTable, netmakerNatChain)
 	i.clearNetmakerRules(defaultIpTable, iptableINChain)
 	i.clearNetmakerRules(defaultIpTable, iptableFWDChain)
 
 	//errMSGFormat := "iptables: failed creating %s chain %s,error: %v"
-	err := createChain(i.ipv4Client, defaultNatTable, netmakerNatChain)
+	err := createChain(i.ipv4Client, defaultIpTable, netmakerFilterChain)
 	if err != nil {
 		logger.Log(1, "failed to create netmaker chain: ", err.Error())
 		return err
 	}
-	err = createChain(i.ipv4Client, defaultIpTable, aclInputRulesChain)
-	if err != nil {
-		logger.Log(1, "failed to create netmaker chain: ", err.Error())
-		return err
-	}
-	err = createChain(i.ipv4Client, defaultIpTable, aclOutputRulesChain)
+	err = createChain(i.ipv4Client, defaultNatTable, netmakerNatChain)
 	if err != nil {
 		logger.Log(1, "failed to create netmaker chain: ", err.Error())
 		return err
@@ -284,12 +280,7 @@ func (i *iptablesManager) CreateChains() error {
 		logger.Log(1, "failed to create netmaker chain: ", err.Error())
 		return err
 	}
-	err = createChain(i.ipv6Client, defaultIpTable, aclInputRulesChain)
-	if err != nil {
-		logger.Log(1, "failed to create netmaker chain: ", err.Error())
-		return err
-	}
-	err = createChain(i.ipv6Client, defaultIpTable, aclOutputRulesChain)
+	err = createChain(i.ipv6Client, defaultNatTable, netmakerNatChain)
 	if err != nil {
 		logger.Log(1, "failed to create netmaker chain: ", err.Error())
 		return err
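Review bot: This merge resolution removes the `createChain(..., aclInputRulesChain)` and `createChain(..., aclOutputRulesChain)` calls for both the IPv4 and IPv6 clients, yet the static rule list in this file (added by an earlier commit in the series) still jumps to `aclInputRulesChain` and the ACL rules are keyed on it. Unless those chains are now created somewhere else after the merge, every ACL insert fails against a missing chain and, with the ACL target set to drop, peers lose connectivity instead of receiving their policy. Please confirm the chains are still created, or restore the two create calls per client alongside `netmakerFilterChain`. CreateChains starts before the first hunk and ends after the second.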
@@ -580,6 +571,41 @@ func (i *iptablesManager) InsertIngressRoutingRules(server string, ingressInfo m
 	return nil
 }
 
+// iptablesManager.AddEgressRoutingRule - inserts iptable rule for gateway peer
+func (i *iptablesManager) AddEgressRoutingRule(server string, egressInfo models.EgressInfo,
+	peer models.PeerRouteInfo) error {
+	if !peer.Allow {
+		return nil
+	}
+	ruleTable := i.FetchRuleTable(server, egressTable)
+	defer i.SaveRules(server, egressTable, ruleTable)
+	i.mux.Lock()
+	defer i.mux.Unlock()
+	iptablesClient := i.ipv4Client
+
+	if !isAddrIpv4(egressInfo.EgressGwAddr.String()) {
+		iptablesClient = i.ipv6Client
+	}
+
+	ruleSpec := []string{"-s", peer.PeerAddr.String(), "-d", strings.Join(egressInfo.EgressGWCfg.Ranges, ","), "-j", "ACCEPT"}
+	err := iptablesClient.Insert(defaultIpTable, netmakerFilterChain, 1, ruleSpec...)
+	if err != nil {
+		logger.Log(1, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error()))
+	} else {
+
+		ruleTable[egressInfo.EgressID].rulesMap[peer.PeerKey] = []ruleInfo{
+			{
+				table: defaultIpTable,
+				chain: netmakerFilterChain,
+				rule: ruleSpec,
+			},
+		}
+
+	}
+
+	return nil
+}
+
 func (i *iptablesManager) AddAclRules(server string, aclRules map[string]models.AclRule) {
 	ruleTable := i.FetchRuleTable(server, aclTable)
 	defer i.SaveRules(server, aclTable, ruleTable)
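Review bot: `ruleTable[egressInfo.EgressID].rulesMap[peer.PeerKey] = ...` indexes the outer map without checking presence; for an EgressID not yet in the table the zero `rulesCfg` has a nil `rulesMap`, and writing into it panics, taking the client down on the first rule for a new gateway (AddAclRules below shows the file's own pattern of seeding the entry first). The Insert error is also logged and then dropped, so the function never returns a non-nil error despite its signature. Seed the entry and propagate the error:
```go
	ruleSpec := []string{"-s", peer.PeerAddr.String(), "-d", strings.Join(egressInfo.EgressGWCfg.Ranges, ","), "-j", "ACCEPT"}
	if err := iptablesClient.Insert(defaultIpTable, netmakerFilterChain, 1, ruleSpec...); err != nil {
		logger.Log(1, fmt.Sprintf("failed to add rule: %v, Err: %v ", ruleSpec, err.Error()))
		return err
	}
	// a missing EgressID yields a zero rulesCfg whose map is nil; allocate before writing
	cfg := ruleTable[egressInfo.EgressID]
	if cfg.rulesMap == nil {
		cfg.rulesMap = make(map[string][]ruleInfo)
	}
	cfg.rulesMap[peer.PeerKey] = []ruleInfo{{table: defaultIpTable, chain: netmakerFilterChain, rule: ruleSpec}}
	ruleTable[egressInfo.EgressID] = cfg
	return nil
```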