Fix direction for firewall rule

This commit is contained in:
Givi Khojanashvili
2023-03-20 17:55:35 +04:00
parent 559cf2862f
commit 0abd05d51e
2 changed files with 21 additions and 8 deletions


@@ -74,17 +74,27 @@ func (m *Manager) AddFiltering(
}
}
var pv string
var portValue, protocolValue string
if port != nil && port.Values != nil {
// TODO: we support only one port per rule in current implementation of ACLs
pv = strconv.Itoa(port.Values[0])
portValue = strconv.Itoa(port.Values[0])
switch port.Proto {
case fw.PortProtocolTCP:
protocolValue = "tcp"
case fw.PortProtocolUDP:
protocolValue = "udp"
default:
return nil, fmt.Errorf("unsupported protocol: %s", port.Proto)
}
}
ruleID := uuid.New().String()
if comment == "" {
comment = ruleID
}
specs := m.filterRuleSpecs("filter", ChainFilterName, ip, pv, direction, action, comment)
specs := m.filterRuleSpecs(
"filter", ChainFilterName, ip, protocolValue,
portValue, direction, action, comment)
if err := client.AppendUnique("filter", ChainFilterName, specs...); err != nil {
return nil, err
}
@@ -137,13 +147,16 @@ func (m *Manager) reset(client *iptables.IPTables, table, chain string) error {
// filterRuleSpecs returns the specs of a filtering rule
func (m *Manager) filterRuleSpecs(
table string, chain string, ip net.IP, port string,
table string, chain string, ip net.IP, protocol string, port string,
direction fw.Direction, action fw.Action, comment string,
) (specs []string) {
if direction == fw.DirectionSrc {
switch direction {
case fw.DirectionSrc:
specs = append(specs, "-s", ip.String())
case fw.DirectionDst:
specs = append(specs, "-d", ip.String())
}
specs = append(specs, "-p", "tcp")
specs = append(specs, "-p", protocol)
if port != "" {
specs = append(specs, "--dport", port)
}
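Review bot: A rule without a port now produces an invalid spec: protocolValue is only set inside the `port != nil && port.Values != nil` branch of AddFiltering, so for a port-less rule filterRuleSpecs emits `-p` followed by an empty string at `specs = append(specs, "-p", protocol)`, which iptables does not accept as a protocol name, and AppendUnique returns an error where the old code at least installed a (TCP-only) rule; guard it as `if protocol != "" { specs = append(specs, "-p", protocol) }`. Two smaller points in the same section: `port.Values[0]` is indexed under a nil check only, so a non-nil but empty slice panics — `len(port.Values) > 0` is the safer condition; and the new `switch direction` has no default, so an unrecognised direction yields a rule with neither `-s` nor `-d`, i.e. a wildcard match on every address, which is dangerous when action is ACCEPT — either return an error from the caller or add `default:` handling. Both AddFiltering and filterRuleSpecs continue outside their hunks.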


@@ -225,7 +225,7 @@ func (e *Engine) Start() error {
e.firewallManager, err = buildFirewallManager()
if err != nil {
log.Error("failed to create firewall manager, ACL policy will not work: %s", err.Error())
log.Errorf("failed to create firewall manager, ACL policy will not work: %s", err.Error())
}
e.firewallRules = make(map[string]firewall.Rule)
@@ -1070,7 +1070,7 @@ func (e *Engine) applyFirewallRules(rules []*mgmProto.FirewallRule) error {
}
if rule, ok := e.firewallRules[ruleID]; ok {
if err := e.firewallManager.DeleteRule(rule); err != nil {
log.Debug("failed to delete firewall rule: %v", err)
log.Debugf("failed to delete firewall rule: %v", err)
continue
}
delete(e.firewallRules, ruleID)
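Review bot: The Errorf fix in the Start() hunk is correct, but the buildFirewallManager error is still only logged and Start carries on, so a host where no manager can be built runs with ACL policy unenforced — a fail-open — and applyFirewallRules in the second hunk then calls `e.firewallManager.DeleteRule(rule)` on a value that may be nil unless a check outside the hunk guards it. If fail-open is the intended behaviour it should be stated at the log line, e.g. `// Non-fatal on purpose: ACL enforcement is best-effort on hosts without a supported firewall`, and a nil guard added before the manager is used; otherwise `return fmt.Errorf("creating firewall manager: %w", err)` makes the failure visible to the caller. Both Start and applyFirewallRules begin and end outside the hunks shown.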