sendnrw/netbird
2
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2026-04-19 00:36:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

[management] allow local routing peer resource (#5814)

Browse Source
This commit is contained in:
Pascal Fischer
2026-04-10 13:08:21 +02:00
committed by GitHub
parent 15709bc666
commit 2a8aacc5c9
7 changed files with 134 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

70
management/server/types/networkmap_components.go
View File

@@ -2,7 +2,6 @@ package types
import (
"context"
"maps"
"net"
"net/netip"
"slices"
@@ -17,6 +16,7 @@ import (
nbpeer "github.com/netbirdio/netbird/management/server/peer"
"github.com/netbirdio/netbird/route"
"github.com/netbirdio/netbird/shared/management/domain"
"golang.org/x/exp/maps"
)
const EnvNewNetworkMapCompacted = "NB_NETWORK_MAP_COMPACTED"
@@ -119,9 +119,10 @@ func (c *NetworkMapComponents) Calculate(ctx context.Context) *NetworkMap {
routesUpdate := c.getRoutesToSync(targetPeerID, peersToConnect, peerGroups)
routesFirewallRules := c.getPeerRoutesFirewallRules(ctx, targetPeerID)
isRouter, networkResourcesRoutes, sourcePeers := c.getNetworkResourcesRoutesToSync(targetPeerID)
isRouter, networkResourcesRoutes, sourcePeers, peerFirewallRules := c.getNetworkResourcesRoutesToSync(targetPeerID)
var networkResourcesFirewallRules []*RouteFirewallRule
if isRouter {
firewallRules = append(firewallRules, peerFirewallRules...)
networkResourcesFirewallRules = c.getPeerNetworkResourceFirewallRules(ctx, targetPeerID, networkResourcesRoutes)
}
@@ -526,7 +527,6 @@ func (c *NetworkMapComponents) getRoutingPeerRoutes(peerID string) (enabledRoute
return enabledRoutes, disabledRoutes
}
func (c *NetworkMapComponents) filterRoutesByGroups(routes []*route.Route, groupListMap LookupMap) []*route.Route {
var filteredRoutes []*route.Route
for _, r := range routes {
@@ -692,10 +692,11 @@ func (c *NetworkMapComponents) getRulePeers(rule *PolicyRule, postureChecks []st
return distributionGroupPeers
}
func (c *NetworkMapComponents) getNetworkResourcesRoutesToSync(peerID string) (bool, []*route.Route, map[string]struct{}) {
func (c *NetworkMapComponents) getNetworkResourcesRoutesToSync(peerID string) (bool, []*route.Route, map[string]struct{}, []*FirewallRule) {
var isRoutingPeer bool
var routes []*route.Route
allSourcePeers := make(map[string]struct{})
localResourceFwRule := make([]*FirewallRule, 0)
for _, resource := range c.NetworkResources {
if !resource.Enabled {
@@ -714,6 +715,9 @@ func (c *NetworkMapComponents) getNetworkResourcesRoutesToSync(peerID string) (b
addedResourceRoute := false
for _, policy := range c.ResourcePoliciesMap[resource.ID] {
if isRoutingPeer && resource.OnRoutingPeer {
localResourceFwRule = append(localResourceFwRule, c.getLocalResourceFirewallRules(policy)...)
}
var peers []string
if policy.Rules[0].SourceResource.Type == ResourceTypePeer && policy.Rules[0].SourceResource.ID != "" {
peers = []string{policy.Rules[0].SourceResource.ID}
@@ -736,7 +740,63 @@ func (c *NetworkMapComponents) getNetworkResourcesRoutesToSync(peerID string) (b
}
}
return isRoutingPeer, routes, allSourcePeers
return isRoutingPeer, routes, allSourcePeers, localResourceFwRule
}
func (c *NetworkMapComponents) getLocalResourceFirewallRules(policy *Policy) []*FirewallRule {
sourcePeerIDs := c.getPoliciesSourcePeers([]*Policy{policy})
postureValidatedPeerIDs := c.getPostureValidPeers(maps.Keys(sourcePeerIDs), policy.SourcePostureChecks)
rules := make([]*FirewallRule, 0)
for _, rule := range policy.Rules {
if !rule.Enabled {
continue
}
protocol := rule.Protocol
if protocol == PolicyRuleProtocolNetbirdSSH {
continue
}
for _, peerID := range postureValidatedPeerIDs {
peer := c.GetPeerInfo(peerID)
if peer == nil {
continue
}
peerIP := peer.IP.String()
fr := FirewallRule{
PolicyID: rule.ID,
PeerIP: peerIP,
Direction: FirewallRuleDirectionIN,
Action: string(rule.Action),
Protocol: string(protocol),
}
if len(rule.Ports) == 0 && len(rule.PortRanges) == 0 {
rules = append(rules, &fr)
continue
}
for _, port := range rule.Ports {
portRule := fr
portRule.Port = port
rules = append(rules, &portRule)
}
for _, portRange := range rule.PortRanges {
if len(rule.Ports) > 0 {
break
}
rangeRule := fr
rangeRule.PortRange = portRange
rules = append(rules, &rangeRule)
}
}
}
return rules
}
func (c *NetworkMapComponents) getNetworkResourcesRoutes(resource *resourceTypes.NetworkResource, peerID string, router *routerTypes.NetworkRouter) []*route.Route {