mirror of
https://github.com/slackhq/nebula.git
synced 2025-11-22 08:24:25 +01:00
Change name from forward to unsafe
This commit is contained in:
Nate Brown
78
firewall.go
78
firewall.go
@@ -23,7 +23,7 @@ import (
|
||||
)
|
||||
|
||||
type FirewallInterface interface {
|
||||
AddRule(forward, incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, cidr, localCidr string, caName string, caSha string) error
|
||||
AddRule(unsafe, incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, cidr, localCidr string, caName string, caSha string) error
|
||||
}
|
||||
|
||||
type conn struct {
|
||||
@@ -31,7 +31,7 @@ type conn struct {
|
||||
|
||||
// record why the original connection passed the firewall, so we can re-validate after ruleset changes.
|
||||
incoming bool
|
||||
forward bool
|
||||
unsafe bool
|
||||
rulesVersion uint16
|
||||
}
|
||||
|
||||
@@ -39,10 +39,10 @@ type conn struct {
|
||||
type Firewall struct {
|
||||
Conntrack *FirewallConntrack
|
||||
|
||||
InRules *FirewallTable
|
||||
OutRules *FirewallTable
|
||||
ForwardInRules *FirewallTable
|
||||
ForwardOutRules *FirewallTable
|
||||
InRules *FirewallTable
|
||||
OutRules *FirewallTable
|
||||
UnsafeInRules *FirewallTable
|
||||
UnsafeOutRules *FirewallTable
|
||||
|
||||
InSendReject bool
|
||||
OutSendReject bool
|
||||
@@ -170,8 +170,8 @@ func NewFirewall(l *logrus.Logger, tcpTimeout, UDPTimeout, defaultTimeout time.D
|
||||
},
|
||||
InRules: newFirewallTable(),
|
||||
OutRules: newFirewallTable(),
|
||||
ForwardInRules: newFirewallTable(),
|
||||
ForwardOutRules: newFirewallTable(),
|
||||
UnsafeInRules: newFirewallTable(),
|
||||
UnsafeOutRules: newFirewallTable(),
|
||||
TCPTimeout: tcpTimeout,
|
||||
UDPTimeout: UDPTimeout,
|
||||
DefaultTimeout: defaultTimeout,
|
||||
@@ -214,7 +214,7 @@ func NewFirewallFromConfig(l *logrus.Logger, cs *CertState, c *config.C) (*Firew
|
||||
|
||||
fw.defaultLocalCIDRAny = c.GetBool("firewall.default_local_cidr_any", false)
|
||||
|
||||
//TODO: do we also need firewall.forward_inbound_action and firewall.forward_outbound_action?
|
||||
//TODO: do we also need firewall.unsafe_inbound_action and firewall.unsafe_outbound_action?
|
||||
inboundAction := c.GetString("firewall.inbound_action", "drop")
|
||||
switch inboundAction {
|
||||
case "reject":
|
||||
@@ -261,11 +261,11 @@ func NewFirewallFromConfig(l *logrus.Logger, cs *CertState, c *config.C) (*Firew
|
||||
}
|
||||
|
||||
// AddRule properly creates the in memory rule structure for a firewall table.
|
||||
func (f *Firewall) AddRule(forward, incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, cidr, localCidr, caName string, caSha string) error {
|
||||
func (f *Firewall) AddRule(unsafe, incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, cidr, localCidr, caName string, caSha string) error {
|
||||
// We need this rule string because we generate a hash. Removing this will break firewall reload.
|
||||
ruleString := fmt.Sprintf(
|
||||
"forward: %v, incoming: %v, proto: %v, startPort: %v, endPort: %v, groups: %v, host: %v, ip: %v, localIp: %v, caName: %v, caSha: %s",
|
||||
forward, incoming, proto, startPort, endPort, groups, host, cidr, localCidr, caName, caSha,
|
||||
"unsafe: %v, incoming: %v, proto: %v, startPort: %v, endPort: %v, groups: %v, host: %v, ip: %v, localIp: %v, caName: %v, caSha: %s",
|
||||
unsafe, incoming, proto, startPort, endPort, groups, host, cidr, localCidr, caName, caSha,
|
||||
)
|
||||
f.rules += ruleString + "\n"
|
||||
|
||||
@@ -275,8 +275,8 @@ func (f *Firewall) AddRule(forward, incoming bool, proto uint8, startPort int32,
|
||||
}
|
||||
|
||||
fields := m{"direction": direction, "proto": proto, "startPort": startPort, "endPort": endPort, "groups": groups, "host": host, "cidr": cidr, "localCidr": localCidr, "caName": caName, "caSha": caSha}
|
||||
if forward {
|
||||
fields["forward"] = true
|
||||
if unsafe {
|
||||
fields["unsafe"] = true
|
||||
}
|
||||
f.l.WithField("firewallRule", fields).Info("Firewall rule added")
|
||||
|
||||
@@ -286,15 +286,15 @@ func (f *Firewall) AddRule(forward, incoming bool, proto uint8, startPort int32,
|
||||
)
|
||||
|
||||
if incoming {
|
||||
if forward {
|
||||
ft = f.ForwardInRules
|
||||
if unsafe {
|
||||
ft = f.UnsafeInRules
|
||||
} else {
|
||||
ft = f.InRules
|
||||
}
|
||||
|
||||
} else {
|
||||
if forward {
|
||||
ft = f.ForwardOutRules
|
||||
if unsafe {
|
||||
ft = f.UnsafeOutRules
|
||||
} else {
|
||||
ft = f.OutRules
|
||||
}
|
||||
@@ -334,18 +334,18 @@ func (f *Firewall) GetRuleHashes() string {
|
||||
return "SHA:" + f.GetRuleHash() + ",FNV:" + strconv.FormatUint(uint64(f.GetRuleHashFNV()), 10)
|
||||
}
|
||||
|
||||
func AddFirewallRulesFromConfig(l *logrus.Logger, forward, inbound bool, c *config.C, fw FirewallInterface) error {
|
||||
func AddFirewallRulesFromConfig(l *logrus.Logger, unsafe, inbound bool, c *config.C, fw FirewallInterface) error {
|
||||
var table string
|
||||
if inbound {
|
||||
if forward {
|
||||
table = "firewall.forward_inbound"
|
||||
if unsafe {
|
||||
table = "firewall.unsafe_inbound"
|
||||
} else {
|
||||
table = "firewall.inbound"
|
||||
}
|
||||
|
||||
} else {
|
||||
if forward {
|
||||
table = "firewall.forward_outbound"
|
||||
if unsafe {
|
||||
table = "firewall.unsafe_outbound"
|
||||
} else {
|
||||
table = "firewall.outbound"
|
||||
}
|
||||
@@ -421,7 +421,7 @@ func AddFirewallRulesFromConfig(l *logrus.Logger, forward, inbound bool, c *conf
|
||||
l.Warnf("%s rule #%v; %s", table, i, warning)
|
||||
}
|
||||
|
||||
err = fw.AddRule(forward, inbound, proto, startPort, endPort, r.Groups, r.Host, r.Cidr, r.LocalCidr, r.CAName, r.CASha)
|
||||
err = fw.AddRule(unsafe, inbound, proto, startPort, endPort, r.Groups, r.Host, r.Cidr, r.LocalCidr, r.CAName, r.CASha)
|
||||
if err != nil {
|
||||
return fmt.Errorf("%s rule #%v; `%s`", table, i, err)
|
||||
}
|
||||
@@ -482,18 +482,18 @@ func (f *Firewall) Drop(fp firewall.Packet, incoming bool, h *HostInfo, caPool *
|
||||
return ErrInvalidLocalIP
|
||||
}
|
||||
|
||||
useForward := remoteNetworkType == NetworkTypeUnsafe || localNetworkType == NetworkTypeUnsafe
|
||||
useUnsafe := remoteNetworkType == NetworkTypeUnsafe || localNetworkType == NetworkTypeUnsafe
|
||||
|
||||
var table *FirewallTable
|
||||
if incoming {
|
||||
if useForward {
|
||||
table = f.ForwardInRules
|
||||
if useUnsafe {
|
||||
table = f.UnsafeInRules
|
||||
} else {
|
||||
table = f.InRules
|
||||
}
|
||||
} else {
|
||||
if useForward {
|
||||
table = f.ForwardOutRules
|
||||
if useUnsafe {
|
||||
table = f.UnsafeOutRules
|
||||
} else {
|
||||
table = f.OutRules
|
||||
}
|
||||
@@ -506,13 +506,13 @@ func (f *Firewall) Drop(fp firewall.Packet, incoming bool, h *HostInfo, caPool *
|
||||
}
|
||||
|
||||
// We always want to conntrack since it is a faster operation
|
||||
f.addConn(fp, useForward, incoming)
|
||||
f.addConn(fp, useUnsafe, incoming)
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (f *Firewall) metrics(incoming bool) firewallMetrics {
|
||||
//TODO: need forward metrics too
|
||||
//TODO: need unsafe metrics too
|
||||
if incoming {
|
||||
return f.incomingMetrics
|
||||
} else {
|
||||
@@ -562,14 +562,14 @@ func (f *Firewall) inConns(fp firewall.Packet, h *HostInfo, caPool *cert.CAPool,
|
||||
// it still passes with the current rule set
|
||||
var table *FirewallTable
|
||||
if c.incoming {
|
||||
if c.forward {
|
||||
table = f.ForwardInRules
|
||||
if c.unsafe {
|
||||
table = f.UnsafeInRules
|
||||
} else {
|
||||
table = f.InRules
|
||||
}
|
||||
} else {
|
||||
if c.forward {
|
||||
table = f.ForwardOutRules
|
||||
if c.unsafe {
|
||||
table = f.UnsafeOutRules
|
||||
} else {
|
||||
table = f.OutRules
|
||||
}
|
||||
@@ -581,7 +581,7 @@ func (f *Firewall) inConns(fp firewall.Packet, h *HostInfo, caPool *cert.CAPool,
|
||||
h.logger(f.l).
|
||||
WithField("fwPacket", fp).
|
||||
WithField("incoming", c.incoming).
|
||||
WithField("forward", c.forward).
|
||||
WithField("unsafe", c.unsafe).
|
||||
WithField("rulesVersion", f.rulesVersion).
|
||||
WithField("oldRulesVersion", c.rulesVersion).
|
||||
Debugln("dropping old conntrack entry, does not match new ruleset")
|
||||
@@ -595,7 +595,7 @@ func (f *Firewall) inConns(fp firewall.Packet, h *HostInfo, caPool *cert.CAPool,
|
||||
h.logger(f.l).
|
||||
WithField("fwPacket", fp).
|
||||
WithField("incoming", c.incoming).
|
||||
WithField("forward", c.forward).
|
||||
WithField("unsafe", c.unsafe).
|
||||
WithField("rulesVersion", f.rulesVersion).
|
||||
WithField("oldRulesVersion", c.rulesVersion).
|
||||
Debugln("keeping old conntrack entry, does match new ruleset")
|
||||
@@ -622,7 +622,7 @@ func (f *Firewall) inConns(fp firewall.Packet, h *HostInfo, caPool *cert.CAPool,
|
||||
return true
|
||||
}
|
||||
|
||||
func (f *Firewall) addConn(fp firewall.Packet, forward, incoming bool) {
|
||||
func (f *Firewall) addConn(fp firewall.Packet, unsafe, incoming bool) {
|
||||
var timeout time.Duration
|
||||
c := &conn{}
|
||||
|
||||
@@ -645,7 +645,7 @@ func (f *Firewall) addConn(fp firewall.Packet, forward, incoming bool) {
|
||||
// Record which rulesVersion allowed this connection, so we can retest after
|
||||
// firewall reload
|
||||
c.incoming = incoming
|
||||
c.forward = forward
|
||||
c.unsafe = unsafe
|
||||
c.rulesVersion = f.rulesVersion
|
||||
c.Expires = time.Now().Add(timeout)
|
||||
conntrack.Conns[fp] = c
|
||||
|
||||
@@ -1356,7 +1356,7 @@ type mockFirewall struct {
|
||||
nextCallReturn error
|
||||
}
|
||||
|
||||
func (mf *mockFirewall) AddRule(forward, incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, ip, localIp, caName string, caSha string) error {
|
||||
func (mf *mockFirewall) AddRule(unsafe, incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, ip, localIp, caName string, caSha string) error {
|
||||
mf.lastCall = addRuleCall{
|
||||
incoming: incoming,
|
||||
proto: proto,
|
||||
|
||||
Reference in New Issue
Block a user