leviathonbeast/ionscale
1
0
Fork 0
mirror of https://github.com/jsiebens/ionscale.git synced 2026-03-31 15:07:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: acl rules based on cidr ranges

Browse Source
This commit is contained in:
Johan Siebens
2022-05-15 08:11:45 +02:00
parent 3aceacbc8d
commit 2d4f614592
3 changed files with 40 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/domain/acl.go
+25 -15
View File
@@ -58,7 +58,7 @@ func (a *aclEngine) isValidPeer(src *Machine, dest *Machine) bool {
} }
for _, alias := range acl.Src { for _, alias := range acl.Src {
if len(a.expandMachineAlias(src, alias)) != 0 { if len(a.expandMachineAlias(src, alias, true)) != 0 {
return true return true
} }
} }
@@ -78,7 +78,7 @@ func (a *aclEngine) build(dst *Machine, peers []Machine) []tailcfg.FilterRule {
var allSrcIPs []string var allSrcIPs []string
for _, src := range acl.Src { for _, src := range acl.Src {
for _, peer := range peers { for _, peer := range peers {
srcIPs := a.expandMachineAlias(&peer, src) srcIPs := a.expandMachineAlias(&peer, src, true)
allSrcIPs = append(allSrcIPs, srcIPs...) allSrcIPs = append(allSrcIPs, srcIPs...)
} }
} }
@@ -129,7 +129,7 @@ func (a *aclEngine) expandMachineDestToNetPortRanges(m *Machine, dest string) []
return nil return nil
} }
ips := a.expandMachineAlias(m, alias) ips := a.expandMachineAlias(m, alias, false)
if len(ips) == 0 { if len(ips) == 0 {
return nil return nil
} }
@@ -148,26 +148,36 @@ func (a *aclEngine) expandMachineDestToNetPortRanges(m *Machine, dest string) []
return dests return dests
} }
func (a *aclEngine) expandMachineAlias(m *Machine, src string) []string { func (a *aclEngine) expandMachineAlias(m *Machine, alias string, src bool) []string {
if src == "*" { if alias == "*" {
if src == "*" { if alias == "*" {
return []string{"*"} return []string{"*"}
} }
} }
machineIPs := []string{m.IPv4.String(), m.IPv6.String()} if strings.HasPrefix(alias, "tag:") && m.HasTag(alias[4:]) {
return []string{m.IPv4.String(), m.IPv6.String()}
if strings.HasPrefix(src, "tag:") && m.HasTag(src[4:]) {
return machineIPs
} }
if h, ok := a.policy.Hosts[src]; ok { if h, ok := a.policy.Hosts[alias]; ok {
src = h alias = h
} }
ip, err := netaddr.ParseIP(src) if src {
if err == nil && m.HasIP(ip) { ip, err := netaddr.ParseIP(alias)
return machineIPs if err == nil && m.HasIP(ip) {
return []string{ip.String()}
}
} else {
ip, err := netaddr.ParseIP(alias)
if err == nil && m.IsAllowedIP(ip) {
return []string{ip.String()}
}
prefix, err := netaddr.ParseIPPrefix(alias)
if err == nil && m.IsAllowedIPPrefix(prefix) {
return []string{prefix.String()}
}
} }
return []string{} return []string{}
internal/domain/machine.go
+13 -1
View File
@@ -57,7 +57,19 @@ func (m *Machine) HasTag(tag string) bool {
return false return false
} }
func (m *Machine) IsAllowedIP(i netaddr.IPPrefix) bool { func (m *Machine) IsAllowedIP(i netaddr.IP) bool {
if m.HasIP(i) {
return true
}
for _, t := range m.AllowIPs {
if t.Contains(i) {
return true
}
}
return false
}
func (m *Machine) IsAllowedIPPrefix(i netaddr.IPPrefix) bool {
for _, t := range m.AllowIPs { for _, t := range m.AllowIPs {
if t.Overlaps(i) { if t.Overlaps(i) {
return true return true
internal/service/machine.go
+2 -2
View File
@@ -92,7 +92,7 @@ func (s *Service) GetMachineRoutes(ctx context.Context, req *api.GetMachineRoute
for _, r := range m.HostInfo.RoutableIPs { for _, r := range m.HostInfo.RoutableIPs {
routes = append(routes, &api.RoutableIP{ routes = append(routes, &api.RoutableIP{
Advertised: r.String(), Advertised: r.String(),
Allowed: m.IsAllowedIP(r), Allowed: m.IsAllowedIPPrefix(r),
}) })
} }
@@ -133,7 +133,7 @@ func (s *Service) SetMachineRoutes(ctx context.Context, req *api.SetMachineRoute
for _, r := range m.HostInfo.RoutableIPs { for _, r := range m.HostInfo.RoutableIPs {
routes = append(routes, &api.RoutableIP{ routes = append(routes, &api.RoutableIP{
Advertised: r.String(), Advertised: r.String(),
Allowed: m.IsAllowedIP(r), Allowed: m.IsAllowedIPPrefix(r),
}) })
} }