sendnrw/netbird
2
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2026-04-18 08:16:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix direction for firewall rule

Browse Source
This commit is contained in:
Givi Khojanashvili
2023-03-20 17:55:35 +04:00
parent 559cf2862f
commit 0abd05d51e
2 changed files with 21 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
client/firewall/iptables/manager_linux.go
View File

@@ -74,17 +74,27 @@ func (m *Manager) AddFiltering(
} }
} }
var pv string var portValue, protocolValue string
if port != nil && port.Values != nil { if port != nil && port.Values != nil {
// TODO: we support only one port per rule in current implementation of ACLs // TODO: we support only one port per rule in current implementation of ACLs
pv = strconv.Itoa(port.Values[0]) portValue = strconv.Itoa(port.Values[0])
switch port.Proto {
case fw.PortProtocolTCP:
protocolValue = "tcp"
case fw.PortProtocolUDP:
protocolValue = "udp"
default:
return nil, fmt.Errorf("unsupported protocol: %s", port.Proto)
}
} }
ruleID := uuid.New().String() ruleID := uuid.New().String()
if comment == "" { if comment == "" {
comment = ruleID comment = ruleID
} }
specs := m.filterRuleSpecs("filter", ChainFilterName, ip, pv, direction, action, comment) specs := m.filterRuleSpecs(
"filter", ChainFilterName, ip, protocolValue,
portValue, direction, action, comment)
if err := client.AppendUnique("filter", ChainFilterName, specs...); err != nil { if err := client.AppendUnique("filter", ChainFilterName, specs...); err != nil {
return nil, err return nil, err
} }
@@ -137,13 +147,16 @@ func (m *Manager) reset(client *iptables.IPTables, table, chain string) error {
// filterRuleSpecs returns the specs of a filtering rule // filterRuleSpecs returns the specs of a filtering rule
func (m *Manager) filterRuleSpecs( func (m *Manager) filterRuleSpecs(
table string, chain string, ip net.IP, port string, table string, chain string, ip net.IP, protocol string, port string,
direction fw.Direction, action fw.Action, comment string, direction fw.Direction, action fw.Action, comment string,
) (specs []string) { ) (specs []string) {
if direction == fw.DirectionSrc { switch direction {
case fw.DirectionSrc:
specs = append(specs, "-s", ip.String()) specs = append(specs, "-s", ip.String())
case fw.DirectionDst:
specs = append(specs, "-d", ip.String())
} }
specs = append(specs, "-p", "tcp") specs = append(specs, "-p", protocol)
if port != "" { if port != "" {
specs = append(specs, "--dport", port) specs = append(specs, "--dport", port)
} }

4
client/internal/engine.go
View File

@@ -225,7 +225,7 @@ func (e *Engine) Start() error {
e.firewallManager, err = buildFirewallManager() e.firewallManager, err = buildFirewallManager()
if err != nil { if err != nil {
log.Error("failed to create firewall manager, ACL policy will not work: %s", err.Error()) log.Errorf("failed to create firewall manager, ACL policy will not work: %s", err.Error())
} }
e.firewallRules = make(map[string]firewall.Rule) e.firewallRules = make(map[string]firewall.Rule)
@@ -1070,7 +1070,7 @@ func (e *Engine) applyFirewallRules(rules []*mgmProto.FirewallRule) error {
} }
if rule, ok := e.firewallRules[ruleID]; ok { if rule, ok := e.firewallRules[ruleID]; ok {
if err := e.firewallManager.DeleteRule(rule); err != nil { if err := e.firewallManager.DeleteRule(rule); err != nil {
log.Debug("failed to delete firewall rule: %v", err) log.Debugf("failed to delete firewall rule: %v", err)
continue continue
} }
delete(e.firewallRules, ruleID) delete(e.firewallRules, ruleID)