add routed exposed services support in nmap
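--- a/<path-not-shown-1>
+++ b/<path-not-shown-1>
@@ -179,6 +179,7 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin
 peersCustomZone := account.GetPeersCustomZone(ctx, dnsDomain)
 resourcePolicies := account.GetResourcePoliciesMap()
 routers := account.GetResourceRoutersMap()
+resources := account.GetResourcesMap()
 groupIDToUserIDs := account.GetActiveGroupUsers()
 exposedServices := account.GetExposedServicesMap()
 proxyPeers := account.GetProxyPeers()
@@ -234,7 +235,7 @@ func (c *Controller) sendUpdateAccountPeers(ctx context.Context, accountID strin
 if c.experimentalNetworkMap(accountID) {
 remotePeerNetworkMap = c.getPeerNetworkMapExp(ctx, p.AccountID, p.ID, approvedPeersMap, peersCustomZone, accountZones, c.accountManagerMetrics)
 } else {
-remotePeerNetworkMap = account.GetPeerNetworkMap(ctx, p.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs, exposedServices, proxyPeers)
+remotePeerNetworkMap = account.GetPeerNetworkMap(ctx, p.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, resources, c.accountManagerMetrics, groupIDToUserIDs, exposedServices, proxyPeers)
 }
 
 c.metrics.CountCalcPeerNetworkMapDuration(time.Since(start))
@@ -330,6 +331,7 @@ func (c *Controller) UpdateAccountPeer(ctx context.Context, accountId string, pe
 peersCustomZone := account.GetPeersCustomZone(ctx, dnsDomain)
 resourcePolicies := account.GetResourcePoliciesMap()
 routers := account.GetResourceRoutersMap()
+resources := account.GetResourcesMap()
 groupIDToUserIDs := account.GetActiveGroupUsers()
 
 postureChecks, err := c.getPeerPostureChecks(account, peerId)
@@ -355,7 +357,7 @@ func (c *Controller) UpdateAccountPeer(ctx context.Context, accountId string, pe
 if c.experimentalNetworkMap(accountId) {
 remotePeerNetworkMap = c.getPeerNetworkMapExp(ctx, peer.AccountID, peer.ID, approvedPeersMap, peersCustomZone, accountZones, c.accountManagerMetrics)
 } else {
-remotePeerNetworkMap = account.GetPeerNetworkMap(ctx, peerId, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, groupIDToUserIDs, account.GetExposedServicesMap(), account.GetProxyPeers())
+remotePeerNetworkMap = account.GetPeerNetworkMap(ctx, peerId, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, resources, c.accountManagerMetrics, groupIDToUserIDs, account.GetExposedServicesMap(), account.GetProxyPeers())
 }
 
 proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
@@ -471,7 +473,8 @@ func (c *Controller) GetValidatedPeerWithMap(ctx context.Context, isRequiresAppr
 } else {
 resourcePolicies := account.GetResourcePoliciesMap()
 routers := account.GetResourceRoutersMap()
-networkMap = account.GetPeerNetworkMap(ctx, peer.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, c.accountManagerMetrics, account.GetActiveGroupUsers(), account.GetExposedServicesMap(), account.GetProxyPeers())
+resources := account.GetResourcesMap()
+networkMap = account.GetPeerNetworkMap(ctx, peer.ID, peersCustomZone, accountZones, approvedPeersMap, resourcePolicies, routers, resources, c.accountManagerMetrics, account.GetActiveGroupUsers(), account.GetExposedServicesMap(), account.GetProxyPeers())
 }
 
 proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]
@@ -844,7 +847,8 @@ func (c *Controller) GetNetworkMap(ctx context.Context, peerID string) (*types.N
 } else {
 resourcePolicies := account.GetResourcePoliciesMap()
 routers := account.GetResourceRoutersMap()
-networkMap = account.GetPeerNetworkMap(ctx, peer.ID, peersCustomZone, accountZones, validatedPeers, resourcePolicies, routers, nil, account.GetActiveGroupUsers(), account.GetExposedServicesMap(), account.GetProxyPeers())
+resources := account.GetResourcesMap()
+networkMap = account.GetPeerNetworkMap(ctx, peer.ID, peersCustomZone, accountZones, validatedPeers, resourcePolicies, routers, resources, nil, account.GetActiveGroupUsers(), account.GetExposedServicesMap(), account.GetProxyPeers())
 }
 
 proxyNetworkMap, ok := proxyNetworkMaps[peer.ID]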
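Review bot: In UpdateAccountPeer the new non-experimental call still evaluates `account.GetExposedServicesMap()` and `account.GetProxyPeers()` inline while `resources`, `routers` and `resourcePolicies` are hoisted just above it, which reads differently from sendUpdateAccountPeers in the first hunk, where `exposedServices` and `proxyPeers` are computed once next to them. Hoisting the two calls beside `resources := account.GetResourcesMap()` would make the call sites uniform and keep the map construction out of the per-peer line. The new lines in GetValidatedPeerWithMap and GetNetworkMap keep the same inline pattern. All four enclosing functions start and end outside the shown hunks.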
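--- a/<path-not-shown-2>
+++ b/<path-not-shown-2>
@@ -395,7 +395,7 @@ func (h *Handler) GetAccessiblePeers(w http.ResponseWriter, r *http.Request) {
 
 dnsDomain := h.networkMapController.GetDNSDomain(account.Settings)
 
-netMap := account.GetPeerNetworkMap(r.Context(), peerID, dns.CustomZone{}, nil, validPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), nil, account.GetActiveGroupUsers(), account.GetExposedServicesMap(), account.GetProxyPeers())
+netMap := account.GetPeerNetworkMap(r.Context(), peerID, dns.CustomZone{}, nil, validPeers, account.GetResourcePoliciesMap(), account.GetResourceRoutersMap(), account.GetResourcesMap(), nil, account.GetActiveGroupUsers(), account.GetExposedServicesMap(), account.GetProxyPeers())
 
 util.WriteJSONObject(r.Context(), w, toAccessiblePeers(netMap, dnsDomain))
 }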
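--- a/<path-not-shown-3>
+++ b/<path-not-shown-3>
@@ -574,9 +574,9 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 
 var setupKeyID string
 var setupKeyName string
-var ephemeral bool
 var groupsToAdd []string
 var allowExtraDNSLabels bool
+ephemeral := peer.Ephemeral
 switch {
 case addedByUser:
 user, err := am.Store.GetUserByUserID(ctx, store.LockingStrengthNone, userID)
@@ -732,9 +732,11 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 }
 }
 
-err = transaction.AddPeerToAllGroup(ctx, accountID, newPeer.ID)
-if err != nil {
-return fmt.Errorf("failed adding peer to All group: %w", err)
+if !peer.ProxyEmbedded {
+err = transaction.AddPeerToAllGroup(ctx, accountID, newPeer.ID)
+if err != nil {
+return fmt.Errorf("failed adding peer to All group: %w", err)
+}
 }
 
 switch {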
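Review bot: `peer.ProxyEmbedded` now decides whether the new peer joins the All group, and the same field selects the `GetProxyConnectionResources` path in GetPeerNetworkMap, so it should be confirmed that it is assigned server-side rather than copied from the registration request; if the registering side can set it, a peer would choose its own group membership and connection-resource path. The first hunk likewise seeds `ephemeral := peer.Ephemeral` from that same object where the old code started from the zero value — if the setup-key case of the switch below (outside the hunk) does not overwrite it, the flag no longer comes from the key. A short comment above `if !peer.ProxyEmbedded {` stating where the flag originates would make this reviewable without reading the callers. AddPeer's body starts and ends outside the shown hunks.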
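--- a/<path-not-shown-4>
+++ b/<path-not-shown-4>
@@ -283,9 +283,10 @@ func (a *Account) GetPeerNetworkMap(
 validatedPeersMap map[string]struct{},
 resourcePolicies map[string][]*Policy,
 routers map[string]map[string]*routerTypes.NetworkRouter,
+resourcesMap map[string]*resourceTypes.NetworkResource,
 metrics *telemetry.AccountManagerMetrics,
 groupIDToUserIDs map[string][]string,
-exposedServices map[string][]*reverseproxy.ReverseProxy, // routerPeer -> list of exposed services
+exposedServices map[string][]*reverseproxy.ReverseProxy,
 proxyPeers []*nbpeer.Peer,
 ) *NetworkMap {
 start := time.Now()
@@ -309,7 +310,7 @@ func (a *Account) GetPeerNetworkMap(
 var authorizedUsers map[string]map[string]struct{}
 var enableSSH bool
 if peer.ProxyEmbedded {
-aclPeers, firewallRules = a.GetProxyConnectionResources(exposedServices)
+aclPeers, firewallRules = a.GetProxyConnectionResources(ctx, exposedServices)
 } else {
 aclPeers, firewallRules, authorizedUsers, enableSSH = a.GetPeerConnectionResources(ctx, peer, validatedPeersMap, groupIDToUserIDs)
 proxyAclPeers, proxyFirewallRules := a.GetPeerProxyResources(exposedServices[peerID], proxyPeers)
@@ -328,14 +329,34 @@ func (a *Account) GetPeerNetworkMap(
 peersToConnect = append(peersToConnect, p)
 }
 
-routesUpdate := a.GetRoutesToSync(ctx, peerID, peersToConnect, peerGroups)
-routesFirewallRules := a.GetPeerRoutesFirewallRules(ctx, peerID, validatedPeersMap)
-isRouter, networkResourcesRoutes, sourcePeers := a.GetNetworkResourcesRoutesToSync(ctx, peerID, resourcePolicies, routers)
-var networkResourcesFirewallRules []*RouteFirewallRule
-if isRouter {
-networkResourcesFirewallRules = a.GetPeerNetworkResourceFirewallRules(ctx, peer, validatedPeersMap, networkResourcesRoutes, resourcePolicies)
+var routes, networksRoutes []*route.Route
+var isRouter bool
+var sourcePeers map[string]struct{}
+var routesFirewallRules []*RouteFirewallRule
+if peer.ProxyEmbedded {
+routes, routesFirewallRules, aclPeers = a.GetPeerProxyRoutes(ctx, peer, exposedServices, resourcesMap, routers, proxyPeers)
+for _, p := range aclPeers {
+expired, _ := p.LoginExpired(a.Settings.PeerLoginExpiration)
+if a.Settings.PeerLoginExpirationEnabled && expired {
+expiredPeers = append(expiredPeers, p)
+continue
+}
+peersToConnect = append(peersToConnect, p)
+}
+} else {
+oldRoutes := a.GetRoutesToSync(ctx, peerID, peersToConnect, peerGroups)
+oldRoutesFirewallRules := a.GetPeerRoutesFirewallRules(ctx, peerID, validatedPeersMap)
+proxyRoutes, proxyRoutesFirewallRules, _ := a.GetPeerProxyRoutes(ctx, peer, exposedServices, resourcesMap, routers, proxyPeers)
+isRouter, networksRoutes, sourcePeers = a.GetNetworkResourcesRoutesToSync(ctx, peerID, resourcePolicies, routers)
+var networksFirewallRules []*RouteFirewallRule
+if isRouter {
+networksFirewallRules = a.GetPeerNetworkResourceFirewallRules(ctx, peer, validatedPeersMap, networksRoutes, resourcePolicies)
+}
+routes = slices.Concat(networksRoutes, oldRoutes, proxyRoutes)
+routesFirewallRules = slices.Concat(networksFirewallRules, oldRoutesFirewallRules, proxyRoutesFirewallRules)
 }
-peersToConnectIncludingRouters := a.addNetworksRoutingPeers(networkResourcesRoutes, peer, peersToConnect, expiredPeers, isRouter, sourcePeers)
+
+peersToConnectIncludingRouters := a.addNetworksRoutingPeers(routes, peer, peersToConnect, expiredPeers, isRouter, sourcePeers)
 
 dnsManagementStatus := a.getPeerDNSManagementStatus(peerID)
 dnsUpdate := nbdns.Config{
@@ -363,31 +384,31 @@ func (a *Account) GetPeerNetworkMap(
 nm := &NetworkMap{
 Peers: peersToConnectIncludingRouters,
 Network: a.Network.Copy(),
-Routes: slices.Concat(networkResourcesRoutes, routesUpdate),
+Routes: routes,
 DNSConfig: dnsUpdate,
 OfflinePeers: expiredPeers,
 FirewallRules: firewallRules,
-RoutesFirewallRules: slices.Concat(networkResourcesFirewallRules, routesFirewallRules),
+RoutesFirewallRules: routesFirewallRules,
 AuthorizedUsers: authorizedUsers,
 EnableSSH: enableSSH,
 }
 
 if metrics != nil {
-objectCount := int64(len(peersToConnectIncludingRouters) + len(expiredPeers) + len(routesUpdate) + len(networkResourcesRoutes) + len(firewallRules) + +len(networkResourcesFirewallRules) + len(routesFirewallRules))
+objectCount := int64(len(peersToConnectIncludingRouters) + len(expiredPeers) + len(routes) + len(firewallRules) + +len(routesFirewallRules))
 metrics.CountNetworkMapObjects(objectCount)
 metrics.CountGetPeerNetworkMapDuration(time.Since(start))
 
 if objectCount > 5000 {
 log.WithContext(ctx).Tracef("account: %s has a total resource count of %d objects, "+
-"peers to connect: %d, expired peers: %d, routes: %d, firewall rules: %d, network resources routes: %d, network resources firewall rules: %d, routes firewall rules: %d",
-a.Id, objectCount, len(peersToConnectIncludingRouters), len(expiredPeers), len(routesUpdate), len(firewallRules), len(networkResourcesRoutes), len(networkResourcesFirewallRules), len(routesFirewallRules))
+"peers to connect: %d, expired peers: %d, routes: %d, firewall rules: %d, routes firewall rules: %d",
+a.Id, objectCount, len(peersToConnectIncludingRouters), len(expiredPeers), len(routes), len(firewallRules), len(routesFirewallRules))
 }
 }
 
 return nm
 }
 
-func (a *Account) GetProxyConnectionResources(exposedServices map[string][]*reverseproxy.ReverseProxy) ([]*nbpeer.Peer, []*FirewallRule) {
+func (a *Account) GetProxyConnectionResources(ctx context.Context, exposedServices map[string][]*reverseproxy.ReverseProxy) ([]*nbpeer.Peer, []*FirewallRule) {
 var aclPeers []*nbpeer.Peer
 var firewallRules []*FirewallRule
 
@@ -400,8 +421,7 @@ func (a *Account) GetProxyConnectionResources(exposedServices map[string][]*reve
 if !target.Enabled {
 continue
 }
-switch target.TargetType {
-case reverseproxy.TargetTypePeer:
+if target.TargetType == reverseproxy.TargetTypePeer {
 tpeer := a.GetPeer(target.TargetId)
 if tpeer == nil {
 continue
@@ -415,8 +435,6 @@ func (a *Account) GetProxyConnectionResources(exposedServices map[string][]*reve
 Protocol: string(PolicyRuleProtocolTCP),
 PortRange: RulePortRange{Start: uint16(target.Port), End: uint16(target.Port)},
 })
-case reverseproxy.TargetTypeResource:
-// TODO: handle resource type targets
 }
 }
 }
@@ -438,17 +456,6 @@ func (a *Account) GetPeerProxyResources(services []*reverseproxy.ReverseProxy, p
 continue
 }
 aclPeers = proxyPeers
-for _, peer := range aclPeers {
-firewallRules = append(firewallRules, &FirewallRule{
-PolicyID: "proxy-" + service.ID,
-PeerIP: peer.IP.String(),
-Direction: FirewallRuleDirectionIN,
-Action: "allow",
-Protocol: string(PolicyRuleProtocolTCP),
-PortRange: RulePortRange{Start: uint16(target.Port), End: uint16(target.Port)},
-})
-}
-// TODO: handle routes
 }
 }
 
@@ -1895,6 +1902,71 @@ func (a *Account) GetExposedServicesMap() map[string][]*reverseproxy.ReverseProx
 return services
 }
 
+func (a *Account) GetPeerProxyRoutes(ctx context.Context, peer *nbpeer.Peer, proxies map[string][]*reverseproxy.ReverseProxy, resourcesMap map[string]*resourceTypes.NetworkResource, routers map[string]map[string]*routerTypes.NetworkRouter, proxyPeers []*nbpeer.Peer) ([]*route.Route, []*RouteFirewallRule, []*nbpeer.Peer) {
+sourceRanges := make([]string, 0, len(proxyPeers))
+for _, proxyPeer := range proxyPeers {
+sourceRanges = append(sourceRanges, fmt.Sprintf(AllowedIPsFormat, proxyPeer.IP))
+}
+peers := make(map[string]*nbpeer.Peer, len(resourcesMap))
+
+var routes []*route.Route
+var firewallRules []*RouteFirewallRule
+for _, proxyPerResource := range proxies {
+for _, proxy := range proxyPerResource {
+for _, target := range proxy.Targets {
+if target.TargetType == reverseproxy.TargetTypeResource {
+resource, ok := resourcesMap[target.TargetId]
+if !ok {
+log.WithContext(ctx).Warnf("proxy target %s not found in resources map", target.TargetId)
+continue
+}
+networkRouters, ok := routers[resource.NetworkID]
+if !ok {
+log.WithContext(ctx).Warnf("proxy target %s not found in routers map", target.TargetId)
+continue
+}
+for peerID, router := range networkRouters {
+routePeer := a.GetPeer(peerID)
+route := resource.ToRoute(routePeer, router)
+routes = append(routes, route)
+rule := RouteFirewallRule{
+PolicyID: fmt.Sprintf("proxy-%s-%s", proxy.ID, route.ID),
+RouteID: route.ID,
+SourceRanges: sourceRanges,
+Action: string(PolicyTrafficActionAccept),
+Destination: route.Network.String(),
+Protocol: string(PolicyRuleProtocolTCP),
+Domains: route.Domains,
+IsDynamic: route.IsDynamic(),
+PortRange: RulePortRange{
+Start: uint16(target.Port),
+End: uint16(target.Port),
+},
+}
+firewallRules = append(firewallRules, &rule)
+peers[peerID] = routePeer
+}
+}
+}
+}
+}
+
+resultPeers := make([]*nbpeer.Peer, 0, len(peers))
+for _, peer := range peers {
+resultPeers = append(resultPeers, peer)
+}
+
+return routes, firewallRules, resultPeers
+}
+
+func (a *Account) GetResourcesMap() map[string]*resourceTypes.NetworkResource {
+resourcesMap := make(map[string]*resourceTypes.NetworkResource, len(a.NetworkResources))
+for _, resource := range a.NetworkResources {
+resourcesMap[resource.ID] = resource
+}
+return resourcesMap
+}
+
 // expandPortsAndRanges expands Ports and PortRanges of a rule into individual firewall rules
 func expandPortsAndRanges(base FirewallRule, rule *PolicyRule, peer *nbpeer.Peer) []*FirewallRule {
 features := peerSupportedFirewallFeatures(peer.Meta.WtVersion)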
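Review bot: In GetPeerProxyRoutes, `routePeer := a.GetPeer(peerID)` feeds `resource.ToRoute` and `peers[peerID]` without a nil check, unlike the `if tpeer == nil { continue }` kept in GetProxyConnectionResources above; a router entry whose peer is no longer in the account would put a nil into the returned peer list, which the proxy-embedded branch of GetPeerNetworkMap then dereferences in `p.LoginExpired(...)`, so building that proxy's network map would panic — add `if routePeer == nil { continue }` directly after the lookup, logging it like the two `Warnf` cases before it. The `peer` argument of GetPeerProxyRoutes is never read, so in the non-proxy branch every peer receives the same `proxyRoutes` and `proxyRoutesFirewallRules` (one route per router of every exposed resource, with accept rules sourced from all proxy peers) concatenated into its map; if only the routing peer is meant to get them, restrict that branch to entries whose router is the requesting peer — this is inferred from the shown lines, since addNetworksRoutingPeers is not visible. The hunk at `@@ -438,17` also drops the inbound rules GetPeerProxyResources built for peer-type targets, leaving just `aclPeers = proxyPeers`; unless they are now produced elsewhere, a peer target has no rule admitting the proxy's traffic, and the rest of that function is outside the hunk. GetPeerNetworkMap begins before the first shown hunk.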