
Merge pull request #3251 from gravitl/NET-1784-latest
NET-1784: add allowed network cidr to acl rules
abhishek9686 authored Dec 15, 2024
2 parents 116e2ef + 0216c59 commit b0f09e3
Showing 2 changed files with 36 additions and 15 deletions.
37 changes: 29 additions & 8 deletions logic/peers.go
Expand Up @@ -85,6 +85,24 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
HostNetworkInfo: models.HostInfoMap{},
EndpointDetection: servercfg.IsEndpointDetectionEnabled(),
}
defer func() {
if !hostPeerUpdate.FwUpdate.AllowAll {
aclRule := models.AclRule{
ID: "allowed-network-rules",
AllowedProtocol: models.ALL,
Direction: models.TrafficDirectionBi,
Allowed: true,
}
for _, allowedNet := range hostPeerUpdate.FwUpdate.AllowedNetworks {
if allowedNet.IP.To4() != nil {
aclRule.IPList = append(aclRule.IPList, allowedNet)
} else {
aclRule.IP6List = append(aclRule.IP6List, allowedNet)
}
}
hostPeerUpdate.FwUpdate.AclRules["allowed-network-rules"] = aclRule
}
}()

slog.Debug("peer update for host", "hostId", host.ID.String())
peerIndexMap := make(map[string]int)
Expand Down Expand Up @@ -158,17 +176,20 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
}
defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
if node.NetworkRange.IP != nil {
hostPeerUpdate.FwUpdate.Networks = append(hostPeerUpdate.FwUpdate.Networks, node.NetworkRange)
}
if node.NetworkRange6.IP != nil {
hostPeerUpdate.FwUpdate.Networks = append(hostPeerUpdate.FwUpdate.Networks, node.NetworkRange6)
}

if !defaultDevicePolicy.Enabled || !defaultUserPolicy.Enabled {
if defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled {
if node.NetworkRange.IP != nil {
hostPeerUpdate.FwUpdate.AllowedNetworks = append(hostPeerUpdate.FwUpdate.AllowedNetworks, node.NetworkRange)
}
if node.NetworkRange6.IP != nil {
hostPeerUpdate.FwUpdate.AllowedNetworks = append(hostPeerUpdate.FwUpdate.AllowedNetworks, node.NetworkRange6)
}

} else {
hostPeerUpdate.FwUpdate.AllowAll = false
hostPeerUpdate.FwUpdate.AclRules = GetAclRulesForNode(&node)
}
hostPeerUpdate.FwUpdate.AclRules = GetAclRulesForNode(&node)

currentPeers := GetNetworkNodesMemory(allNodes, node.Network)
for _, peer := range currentPeers {
peer := peer
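Review bot: The deferred write at the end of the first hunk, `hostPeerUpdate.FwUpdate.AclRules["allowed-network-rules"] = aclRule`, runs whenever `AllowAll` is false, but nothing in the two hunks guarantees `AclRules` is a non-nil map at that point: the struct literal above the defer does not show `FwUpdate` being initialised, `AllowAll`'s zero value is false, and the only visible assignment of `AclRules` is inside the loop's `else` branch, so a host that reaches the return with no node taking that branch (or with `GetAclRulesForNode` returning nil) would panic on the map write. A guard before the assignment, `if hostPeerUpdate.FwUpdate.AclRules == nil { hostPeerUpdate.FwUpdate.AclRules = make(map[string]models.AclRule) }`, avoids this. The same block also emits the bidirectional, all-protocol allow rule when `AllowedNetworks` is empty; if the firewall side treats an empty `IPList`/`IP6List` as "any", that silently widens the policy, so returning early when both lists are empty is worth confirming. In the second hunk the `else` branch replaces `AclRules` on every iteration, so for a host in several networks only the last network's rules survive and the deferred rule is merged into that map alone, which may or may not be intended. GetPeerUpdateForHost begins before the first hunk and ends after the second.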
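--- a/models/mqtt.go
+++ b/models/mqtt.go
@@ -94,13 +94,13 @@ type KeyUpdate struct {
 
 // FwUpdate - struct for firewall updates
 type FwUpdate struct {
-AllowAll bool `json:"allow_all"`
-Networks []net.IPNet `json:"networks"`
-IsEgressGw bool `json:"is_egress_gw"`
-IsIngressGw bool `json:"is_ingress_gw"`
-EgressInfo map[string]EgressInfo `json:"egress_info"`
-IngressInfo map[string]IngressInfo `json:"ingress_info"`
-AclRules map[string]AclRule `json:"acl_rules"`
+AllowAll bool `json:"allow_all"`
+AllowedNetworks []net.IPNet `json:"networks"`
+IsEgressGw bool `json:"is_egress_gw"`
+IsIngressGw bool `json:"is_ingress_gw"`
+EgressInfo map[string]EgressInfo `json:"egress_info"`
+IngressInfo map[string]IngressInfo `json:"ingress_info"`
+AclRules map[string]AclRule `json:"acl_rules"`
 }
 
 // FailOverMeReq - struct for failover req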
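Review bot: The renamed field `AllowedNetworks` keeps the wire name `json:"networks"`, so a client that has not been updated still receives the same key but with a narrower meaning (per the logic/peers.go change in this commit, the list appears to be filled only when both default policies are enabled), and nothing on the struct records that. A field comment such as `// AllowedNetworks - network CIDRs the host may reach without per-node ACL rules; the JSON name "networks" is kept for wire compatibility` would make the contract explicit for both the server and the agent side.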

