From 2d4f61459284a52c1641a334be3b59ab601f2192 Mon Sep 17 00:00:00 2001
From: Johan Siebens
Date: Sun, 15 May 2022 08:11:45 +0200
Subject: [PATCH] feat: acl rules based on cidr ranges

---
 internal/domain/acl.go      | 40 +++++++++++++++++++++++--------------
 internal/domain/machine.go  | 14 ++++++++++++-
 internal/service/machine.go |  4 ++--
 3 files changed, 40 insertions(+), 18 deletions(-)

diff --git a/internal/domain/acl.go b/internal/domain/acl.go
index d9d9b2c..4d510e0 100644
--- a/internal/domain/acl.go
+++ b/internal/domain/acl.go
@@ -58,7 +58,7 @@ func (a *aclEngine) isValidPeer(src *Machine, dest *Machine) bool {
 		}
 
 		for _, alias := range acl.Src {
-			if len(a.expandMachineAlias(src, alias)) != 0 {
+			if len(a.expandMachineAlias(src, alias, true)) != 0 {
 				return true
 			}
 		}
@@ -78,7 +78,7 @@ func (a *aclEngine) build(dst *Machine, peers []Machine) []tailcfg.FilterRule {
 		var allSrcIPs []string
 		for _, src := range acl.Src {
 			for _, peer := range peers {
-				srcIPs := a.expandMachineAlias(&peer, src)
+				srcIPs := a.expandMachineAlias(&peer, src, true)
 				allSrcIPs = append(allSrcIPs, srcIPs...)
 			}
 		}
@@ -129,7 +129,7 @@ func (a *aclEngine) expandMachineDestToNetPortRanges(m *Machine, dest string) []
 		return nil
 	}
 
-	ips := a.expandMachineAlias(m, alias)
+	ips := a.expandMachineAlias(m, alias, false)
 	if len(ips) == 0 {
 		return nil
 	}
@@ -148,26 +148,36 @@ func (a *aclEngine) expandMachineDestToNetPortRanges(m *Machine, dest string) []
 	return dests
 }
 
-func (a *aclEngine) expandMachineAlias(m *Machine, src string) []string {
-	if src == "*" {
-		if src == "*" {
+func (a *aclEngine) expandMachineAlias(m *Machine, alias string, src bool) []string {
+	if alias == "*" {
+		if alias == "*" {
 			return []string{"*"}
 		}
 	}
 
-	machineIPs := []string{m.IPv4.String(), m.IPv6.String()}
-
-	if strings.HasPrefix(src, "tag:") && m.HasTag(src[4:]) {
-		return machineIPs
+	if strings.HasPrefix(alias, "tag:") && m.HasTag(alias[4:]) {
+		return []string{m.IPv4.String(), m.IPv6.String()}
 	}
 
-	if h, ok := a.policy.Hosts[src]; ok {
-		src = h
+	if h, ok := a.policy.Hosts[alias]; ok {
+		alias = h
 	}
 
-	ip, err := netaddr.ParseIP(src)
-	if err == nil && m.HasIP(ip) {
-		return machineIPs
+	if src {
+		ip, err := netaddr.ParseIP(alias)
+		if err == nil && m.HasIP(ip) {
+			return []string{ip.String()}
+		}
+	} else {
+		ip, err := netaddr.ParseIP(alias)
+		if err == nil && m.IsAllowedIP(ip) {
+			return []string{ip.String()}
+		}
+
+		prefix, err := netaddr.ParseIPPrefix(alias)
+		if err == nil && m.IsAllowedIPPrefix(prefix) {
+			return []string{prefix.String()}
+		}
 	}
 
 	return []string{}
diff --git a/internal/domain/machine.go b/internal/domain/machine.go
index 199f27a..788b9f8 100644
--- a/internal/domain/machine.go
+++ b/internal/domain/machine.go
@@ -57,7 +57,19 @@ func (m *Machine) HasTag(tag string) bool {
 	return false
 }
 
-func (m *Machine) IsAllowedIP(i netaddr.IPPrefix) bool {
+func (m *Machine) IsAllowedIP(i netaddr.IP) bool {
+	if m.HasIP(i) {
+		return true
+	}
+	for _, t := range m.AllowIPs {
+		if t.Contains(i) {
+			return true
+		}
+	}
+	return false
+}
+
+func (m *Machine) IsAllowedIPPrefix(i netaddr.IPPrefix) bool {
 	for _, t := range m.AllowIPs {
 		if t.Overlaps(i) {
 			return true
diff --git a/internal/service/machine.go b/internal/service/machine.go
index 89a344f..cf3a7b9 100644
--- a/internal/service/machine.go
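Review bot: The destination branch returns the policy's whole CIDR (`return []string{prefix.String()}`) whenever `IsAllowedIPPrefix` reports an overlap, so a machine whose allowed routes only intersect the ACL prefix — e.g. one advertising `0.0.0.0/0` — gets a filter destination wider than what it can actually route; if containment is the intent, that check should require an allowed route to cover the alias rather than overlap it, and either way the chosen semantics deserve a comment on that line. The `src` branch only tries `netaddr.ParseIP`, so a CIDR used as a source alias silently expands to nothing, as does any typo in an alias, because the function ends with `return []string{}` without reporting the unresolved name; surfacing that at policy-validation time would make misconfigurations visible instead of quietly denying traffic. The retained `if alias == "*" { if alias == "*" {` double check is redundant and can collapse to a single `if alias == "*" { return []string{"*"} }`. The `expandMachineDestToNetPortRanges` body at the top of the hunk starts outside it.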
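Review bot: The two new exported methods `IsAllowedIP` and `IsAllowedIPPrefix` have no doc comments, and their semantics differ in a way callers need to know: the IP form is true when the address is one of the machine's own or is contained in an allowed route, while the prefix form is true on any `Overlaps` match, i.e. partial intersection. Suggested comments: `// IsAllowedIP reports whether i is one of the machine's addresses or falls within one of its allowed routes.` and `// IsAllowedIPPrefix reports whether i overlaps any allowed route; it does not require i to be fully contained in one.` The body of `IsAllowedIPPrefix` continues past the end of the hunk.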
+++ b/internal/service/machine.go
@@ -92,7 +92,7 @@ func (s *Service) GetMachineRoutes(ctx context.Context, req *api.GetMachineRoute
 	for _, r := range m.HostInfo.RoutableIPs {
 		routes = append(routes, &api.RoutableIP{
 			Advertised: r.String(),
-			Allowed: m.IsAllowedIP(r),
+			Allowed: m.IsAllowedIPPrefix(r),
 		})
 	}
 
@@ -133,7 +133,7 @@ func (s *Service) SetMachineRoutes(ctx context.Context, req *api.SetMachineRoute
 	for _, r := range m.HostInfo.RoutableIPs {
 		routes = append(routes, &api.RoutableIP{
 			Advertised: r.String(),
-			Allowed: m.IsAllowedIP(r),
+			Allowed: m.IsAllowedIPPrefix(r),
 		})
 	}
 