Extend protocol and firewall manager to handle old management (#915)

* Extend protocol and firewall manager to handle old management * Send correct empty firewall rules list when delete peer * Add extra tests for firewall manager and uspfilter * Work with inconsistent state * Review note * Update comment
2026-04-18 08:16:39 +00:00 · 2023-05-31 21:04:38 +04:00
parent 45a6263adc
commit 293499c3c0
13 changed files with 362 additions and 220 deletions
--- a/client/internal/acl/manager.go
+++ b/client/internal/acl/manager.go
@@ -22,7 +22,7 @@ type iFaceMapper interface {

 // Manager is a ACL rules manager
 type Manager interface {
-	ApplyFiltering(rules []*mgmProto.FirewallRule)
+	ApplyFiltering(rules []*mgmProto.FirewallRule, allowByDefault bool)
 	Stop()
 }

@@ -34,7 +34,9 @@ type DefaultManager struct {
 }

 // ApplyFiltering firewall rules to the local firewall manager processed by ACL policy.
-func (d *DefaultManager) ApplyFiltering(rules []*mgmProto.FirewallRule) {
+//
+// If allowByDefault is ture it appends allow ALL traffic rules to input and output chains.
+func (d *DefaultManager) ApplyFiltering(rules []*mgmProto.FirewallRule, allowByDefault bool) {
 	d.mutex.Lock()
 	defer d.mutex.Unlock()

@@ -47,6 +49,22 @@ func (d *DefaultManager) ApplyFiltering(rules []*mgmProto.FirewallRule) {
 		applyFailed  bool
 		newRulePairs = make(map[string][]firewall.Rule)
 	)
+	if allowByDefault {
+		rules = append(rules,
+			&mgmProto.FirewallRule{
+				PeerIP:    "0.0.0.0",
+				Direction: mgmProto.FirewallRule_IN,
+				Action:    mgmProto.FirewallRule_ACCEPT,
+				Protocol:  mgmProto.FirewallRule_ALL,
+			},
+			&mgmProto.FirewallRule{
+				PeerIP:    "0.0.0.0",
+				Direction: mgmProto.FirewallRule_OUT,
+				Action:    mgmProto.FirewallRule_ACCEPT,
+				Protocol:  mgmProto.FirewallRule_ALL,
+			},
+		)
+	}
 	for _, r := range rules {
 		rules, err := d.protoRuleToFirewallRule(r)
 		if err != nil {