Change name from forward to unsafe

This commit is contained in:
Nate Brown
2025-11-21 14:21:08 -06:00
parent 281a9017ce
commit c69b009650
2 changed files with 40 additions and 40 deletions


@@ -23,7 +23,7 @@ import (
) )
type FirewallInterface interface { type FirewallInterface interface {
AddRule(forward, incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, cidr, localCidr string, caName string, caSha string) error AddRule(unsafe, incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, cidr, localCidr string, caName string, caSha string) error
} }
type conn struct { type conn struct {
@@ -31,7 +31,7 @@ type conn struct {
// record why the original connection passed the firewall, so we can re-validate after ruleset changes. // record why the original connection passed the firewall, so we can re-validate after ruleset changes.
incoming bool incoming bool
forward bool unsafe bool
rulesVersion uint16 rulesVersion uint16
} }
@@ -41,8 +41,8 @@ type Firewall struct {
InRules *FirewallTable InRules *FirewallTable
OutRules *FirewallTable OutRules *FirewallTable
ForwardInRules *FirewallTable UnsafeInRules *FirewallTable
ForwardOutRules *FirewallTable UnsafeOutRules *FirewallTable
InSendReject bool InSendReject bool
OutSendReject bool OutSendReject bool
@@ -170,8 +170,8 @@ func NewFirewall(l *logrus.Logger, tcpTimeout, UDPTimeout, defaultTimeout time.D
}, },
InRules: newFirewallTable(), InRules: newFirewallTable(),
OutRules: newFirewallTable(), OutRules: newFirewallTable(),
ForwardInRules: newFirewallTable(), UnsafeInRules: newFirewallTable(),
ForwardOutRules: newFirewallTable(), UnsafeOutRules: newFirewallTable(),
TCPTimeout: tcpTimeout, TCPTimeout: tcpTimeout,
UDPTimeout: UDPTimeout, UDPTimeout: UDPTimeout,
DefaultTimeout: defaultTimeout, DefaultTimeout: defaultTimeout,
@@ -214,7 +214,7 @@ func NewFirewallFromConfig(l *logrus.Logger, cs *CertState, c *config.C) (*Firew
fw.defaultLocalCIDRAny = c.GetBool("firewall.default_local_cidr_any", false) fw.defaultLocalCIDRAny = c.GetBool("firewall.default_local_cidr_any", false)
//TODO: do we also need firewall.forward_inbound_action and firewall.forward_outbound_action? //TODO: do we also need firewall.unsafe_inbound_action and firewall.unsafe_outbound_action?
inboundAction := c.GetString("firewall.inbound_action", "drop") inboundAction := c.GetString("firewall.inbound_action", "drop")
switch inboundAction { switch inboundAction {
case "reject": case "reject":
@@ -261,11 +261,11 @@ func NewFirewallFromConfig(l *logrus.Logger, cs *CertState, c *config.C) (*Firew
} }
// AddRule properly creates the in memory rule structure for a firewall table. // AddRule properly creates the in memory rule structure for a firewall table.
func (f *Firewall) AddRule(forward, incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, cidr, localCidr, caName string, caSha string) error { func (f *Firewall) AddRule(unsafe, incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, cidr, localCidr, caName string, caSha string) error {
// We need this rule string because we generate a hash. Removing this will break firewall reload. // We need this rule string because we generate a hash. Removing this will break firewall reload.
ruleString := fmt.Sprintf( ruleString := fmt.Sprintf(
"forward: %v, incoming: %v, proto: %v, startPort: %v, endPort: %v, groups: %v, host: %v, ip: %v, localIp: %v, caName: %v, caSha: %s", "unsafe: %v, incoming: %v, proto: %v, startPort: %v, endPort: %v, groups: %v, host: %v, ip: %v, localIp: %v, caName: %v, caSha: %s",
forward, incoming, proto, startPort, endPort, groups, host, cidr, localCidr, caName, caSha, unsafe, incoming, proto, startPort, endPort, groups, host, cidr, localCidr, caName, caSha,
) )
f.rules += ruleString + "\n" f.rules += ruleString + "\n"
@@ -275,8 +275,8 @@ func (f *Firewall) AddRule(forward, incoming bool, proto uint8, startPort int32,
} }
fields := m{"direction": direction, "proto": proto, "startPort": startPort, "endPort": endPort, "groups": groups, "host": host, "cidr": cidr, "localCidr": localCidr, "caName": caName, "caSha": caSha} fields := m{"direction": direction, "proto": proto, "startPort": startPort, "endPort": endPort, "groups": groups, "host": host, "cidr": cidr, "localCidr": localCidr, "caName": caName, "caSha": caSha}
if forward { if unsafe {
fields["forward"] = true fields["unsafe"] = true
} }
f.l.WithField("firewallRule", fields).Info("Firewall rule added") f.l.WithField("firewallRule", fields).Info("Firewall rule added")
@@ -286,15 +286,15 @@ func (f *Firewall) AddRule(forward, incoming bool, proto uint8, startPort int32,
) )
if incoming { if incoming {
if forward { if unsafe {
ft = f.ForwardInRules ft = f.UnsafeInRules
} else { } else {
ft = f.InRules ft = f.InRules
} }
} else { } else {
if forward { if unsafe {
ft = f.ForwardOutRules ft = f.UnsafeOutRules
} else { } else {
ft = f.OutRules ft = f.OutRules
} }
@@ -334,18 +334,18 @@ func (f *Firewall) GetRuleHashes() string {
return "SHA:" + f.GetRuleHash() + ",FNV:" + strconv.FormatUint(uint64(f.GetRuleHashFNV()), 10) return "SHA:" + f.GetRuleHash() + ",FNV:" + strconv.FormatUint(uint64(f.GetRuleHashFNV()), 10)
} }
func AddFirewallRulesFromConfig(l *logrus.Logger, forward, inbound bool, c *config.C, fw FirewallInterface) error { func AddFirewallRulesFromConfig(l *logrus.Logger, unsafe, inbound bool, c *config.C, fw FirewallInterface) error {
var table string var table string
if inbound { if inbound {
if forward { if unsafe {
table = "firewall.forward_inbound" table = "firewall.unsafe_inbound"
} else { } else {
table = "firewall.inbound" table = "firewall.inbound"
} }
} else { } else {
if forward { if unsafe {
table = "firewall.forward_outbound" table = "firewall.unsafe_outbound"
} else { } else {
table = "firewall.outbound" table = "firewall.outbound"
} }
@@ -421,7 +421,7 @@ func AddFirewallRulesFromConfig(l *logrus.Logger, forward, inbound bool, c *conf
l.Warnf("%s rule #%v; %s", table, i, warning) l.Warnf("%s rule #%v; %s", table, i, warning)
} }
err = fw.AddRule(forward, inbound, proto, startPort, endPort, r.Groups, r.Host, r.Cidr, r.LocalCidr, r.CAName, r.CASha) err = fw.AddRule(unsafe, inbound, proto, startPort, endPort, r.Groups, r.Host, r.Cidr, r.LocalCidr, r.CAName, r.CASha)
if err != nil { if err != nil {
return fmt.Errorf("%s rule #%v; `%s`", table, i, err) return fmt.Errorf("%s rule #%v; `%s`", table, i, err)
} }
@@ -482,18 +482,18 @@ func (f *Firewall) Drop(fp firewall.Packet, incoming bool, h *HostInfo, caPool *
return ErrInvalidLocalIP return ErrInvalidLocalIP
} }
useForward := remoteNetworkType == NetworkTypeUnsafe || localNetworkType == NetworkTypeUnsafe useUnsafe := remoteNetworkType == NetworkTypeUnsafe || localNetworkType == NetworkTypeUnsafe
var table *FirewallTable var table *FirewallTable
if incoming { if incoming {
if useForward { if useUnsafe {
table = f.ForwardInRules table = f.UnsafeInRules
} else { } else {
table = f.InRules table = f.InRules
} }
} else { } else {
if useForward { if useUnsafe {
table = f.ForwardOutRules table = f.UnsafeOutRules
} else { } else {
table = f.OutRules table = f.OutRules
} }
@@ -506,13 +506,13 @@ func (f *Firewall) Drop(fp firewall.Packet, incoming bool, h *HostInfo, caPool *
} }
// We always want to conntrack since it is a faster operation // We always want to conntrack since it is a faster operation
f.addConn(fp, useForward, incoming) f.addConn(fp, useUnsafe, incoming)
return nil return nil
} }
func (f *Firewall) metrics(incoming bool) firewallMetrics { func (f *Firewall) metrics(incoming bool) firewallMetrics {
//TODO: need forward metrics too //TODO: need unsafe metrics too
if incoming { if incoming {
return f.incomingMetrics return f.incomingMetrics
} else { } else {
@@ -562,14 +562,14 @@ func (f *Firewall) inConns(fp firewall.Packet, h *HostInfo, caPool *cert.CAPool,
// it still passes with the current rule set // it still passes with the current rule set
var table *FirewallTable var table *FirewallTable
if c.incoming { if c.incoming {
if c.forward { if c.unsafe {
table = f.ForwardInRules table = f.UnsafeInRules
} else { } else {
table = f.InRules table = f.InRules
} }
} else { } else {
if c.forward { if c.unsafe {
table = f.ForwardOutRules table = f.UnsafeOutRules
} else { } else {
table = f.OutRules table = f.OutRules
} }
@@ -581,7 +581,7 @@ func (f *Firewall) inConns(fp firewall.Packet, h *HostInfo, caPool *cert.CAPool,
h.logger(f.l). h.logger(f.l).
WithField("fwPacket", fp). WithField("fwPacket", fp).
WithField("incoming", c.incoming). WithField("incoming", c.incoming).
WithField("forward", c.forward). WithField("unsafe", c.unsafe).
WithField("rulesVersion", f.rulesVersion). WithField("rulesVersion", f.rulesVersion).
WithField("oldRulesVersion", c.rulesVersion). WithField("oldRulesVersion", c.rulesVersion).
Debugln("dropping old conntrack entry, does not match new ruleset") Debugln("dropping old conntrack entry, does not match new ruleset")
@@ -595,7 +595,7 @@ func (f *Firewall) inConns(fp firewall.Packet, h *HostInfo, caPool *cert.CAPool,
h.logger(f.l). h.logger(f.l).
WithField("fwPacket", fp). WithField("fwPacket", fp).
WithField("incoming", c.incoming). WithField("incoming", c.incoming).
WithField("forward", c.forward). WithField("unsafe", c.unsafe).
WithField("rulesVersion", f.rulesVersion). WithField("rulesVersion", f.rulesVersion).
WithField("oldRulesVersion", c.rulesVersion). WithField("oldRulesVersion", c.rulesVersion).
Debugln("keeping old conntrack entry, does match new ruleset") Debugln("keeping old conntrack entry, does match new ruleset")
@@ -622,7 +622,7 @@ func (f *Firewall) inConns(fp firewall.Packet, h *HostInfo, caPool *cert.CAPool,
return true return true
} }
func (f *Firewall) addConn(fp firewall.Packet, forward, incoming bool) { func (f *Firewall) addConn(fp firewall.Packet, unsafe, incoming bool) {
var timeout time.Duration var timeout time.Duration
c := &conn{} c := &conn{}
@@ -645,7 +645,7 @@ func (f *Firewall) addConn(fp firewall.Packet, forward, incoming bool) {
// Record which rulesVersion allowed this connection, so we can retest after // Record which rulesVersion allowed this connection, so we can retest after
// firewall reload // firewall reload
c.incoming = incoming c.incoming = incoming
c.forward = forward c.unsafe = unsafe
c.rulesVersion = f.rulesVersion c.rulesVersion = f.rulesVersion
c.Expires = time.Now().Add(timeout) c.Expires = time.Now().Add(timeout)
conntrack.Conns[fp] = c conntrack.Conns[fp] = c


@@ -1356,7 +1356,7 @@ type mockFirewall struct {
nextCallReturn error nextCallReturn error
} }
func (mf *mockFirewall) AddRule(forward, incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, ip, localIp, caName string, caSha string) error { func (mf *mockFirewall) AddRule(unsafe, incoming bool, proto uint8, startPort int32, endPort int32, groups []string, host string, ip, localIp, caName string, caSha string) error {
mf.lastCall = addRuleCall{ mf.lastCall = addRuleCall{
incoming: incoming, incoming: incoming,
proto: proto, proto: proto,