[management, client] Add access control support to network routes (#2100)

2026-04-16 07:16:38 +00:00 · 2024-10-02 14:41:00 +03:00
parent a3a479429e
commit ff7863785f
48 changed files with 4683 additions and 2444 deletions
--- a/management/server/route.go
+++ b/management/server/route.go
@@ -4,9 +4,15 @@ import (
 	"context"
 	"fmt"
 	"net/netip"
+	"slices"
+	"strconv"
+	"strings"
 	"unicode/utf8"

 	"github.com/rs/xid"
+	log "github.com/sirupsen/logrus"
+
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"

 	"github.com/netbirdio/netbird/management/domain"
 	"github.com/netbirdio/netbird/management/proto"
@@ -15,6 +21,30 @@ import (
 	"github.com/netbirdio/netbird/route"
 )

+// RouteFirewallRule a firewall rule applicable for a routed network.
+type RouteFirewallRule struct {
+	// SourceRanges IP ranges of the routing peers.
+	SourceRanges []string
+
+	// Action of the traffic when the rule is applicable
+	Action string
+
+	// Destination a network prefix for the routed traffic
+	Destination string
+
+	// Protocol of the traffic
+	Protocol string
+
+	// Port of the traffic
+	Port uint16
+
+	// PortRange represents the range of ports for a firewall rule
+	PortRange RulePortRange
+
+	// isDynamic indicates whether the rule is for DNS routing
+	IsDynamic bool
+}
+
 // GetRoute gets a route object from account and route IDs
 func (am *DefaultAccountManager) GetRoute(ctx context.Context, accountID string, routeID route.ID, userID string) (*route.Route, error) {
 	user, err := am.Store.GetUserByUserID(ctx, LockingStrengthShare, userID)
@@ -112,7 +142,7 @@ func getRouteDescriptor(prefix netip.Prefix, domains domain.List) string {
 }

 // CreateRoute creates and saves a new route
-func (am *DefaultAccountManager) CreateRoute(ctx context.Context, accountID string, prefix netip.Prefix, networkType route.NetworkType, domains domain.List, peerID string, peerGroupIDs []string, description string, netID route.NetID, masquerade bool, metric int, groups []string, enabled bool, userID string, keepRoute bool) (*route.Route, error) {
+func (am *DefaultAccountManager) CreateRoute(ctx context.Context, accountID string, prefix netip.Prefix, networkType route.NetworkType, domains domain.List, peerID string, peerGroupIDs []string, description string, netID route.NetID, masquerade bool, metric int, groups, accessControlGroupIDs []string, enabled bool, userID string, keepRoute bool) (*route.Route, error) {
 	unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
 	defer unlock()

@@ -157,6 +187,13 @@ func (am *DefaultAccountManager) CreateRoute(ctx context.Context, accountID stri
 		}
 	}

+	if len(accessControlGroupIDs) > 0 {
+		err = validateGroups(accessControlGroupIDs, account.Groups)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	err = am.checkRoutePrefixOrDomainsExistForPeers(account, peerID, newRoute.ID, peerGroupIDs, prefix, domains)
 	if err != nil {
 		return nil, err
@@ -187,6 +224,7 @@ func (am *DefaultAccountManager) CreateRoute(ctx context.Context, accountID stri
 	newRoute.Enabled = enabled
 	newRoute.Groups = groups
 	newRoute.KeepRoute = keepRoute
+	newRoute.AccessControlGroups = accessControlGroupIDs

 	if account.Routes == nil {
 		account.Routes = make(map[route.ID]*route.Route)
@@ -258,6 +296,13 @@ func (am *DefaultAccountManager) SaveRoute(ctx context.Context, accountID, userI
 		}
 	}

+	if len(routeToSave.AccessControlGroups) > 0 {
+		err = validateGroups(routeToSave.AccessControlGroups, account.Groups)
+		if err != nil {
+			return err
+		}
+	}
+
 	err = am.checkRoutePrefixOrDomainsExistForPeers(account, routeToSave.Peer, routeToSave.ID, routeToSave.Copy().PeerGroups, routeToSave.Network, routeToSave.Domains)
 	if err != nil {
 		return err
@@ -351,3 +396,248 @@ func getPlaceholderIP() netip.Prefix {
 	// Using an IP from the documentation range to minimize impact in case older clients try to set a route
 	return netip.PrefixFrom(netip.AddrFrom4([4]byte{192, 0, 2, 0}), 32)
 }
+
+// getPeerRoutesFirewallRules gets the routes firewall rules associated with a routing peer ID for the account.
+func (a *Account) getPeerRoutesFirewallRules(ctx context.Context, peerID string, validatedPeersMap map[string]struct{}) []*RouteFirewallRule {
+	routesFirewallRules := make([]*RouteFirewallRule, 0, len(a.Routes))
+
+	enabledRoutes, _ := a.getRoutingPeerRoutes(ctx, peerID)
+	for _, route := range enabledRoutes {
+		// If no access control groups are specified, accept all traffic.
+		if len(route.AccessControlGroups) == 0 {
+			defaultPermit := getDefaultPermit(route)
+			routesFirewallRules = append(routesFirewallRules, defaultPermit...)
+			continue
+		}
+
+		policies := getAllRoutePoliciesFromGroups(a, route.AccessControlGroups)
+		for _, policy := range policies {
+			if !policy.Enabled {
+				continue
+			}
+
+			for _, rule := range policy.Rules {
+				if !rule.Enabled {
+					continue
+				}
+
+				distributionGroupPeers, _ := a.getAllPeersFromGroups(ctx, route.Groups, peerID, nil, validatedPeersMap)
+				rules := generateRouteFirewallRules(ctx, route, rule, distributionGroupPeers, firewallRuleDirectionIN)
+				routesFirewallRules = append(routesFirewallRules, rules...)
+			}
+		}
+	}
+
+	return routesFirewallRules
+}
+
+func getDefaultPermit(route *route.Route) []*RouteFirewallRule {
+	var rules []*RouteFirewallRule
+
+	sources := []string{"0.0.0.0/0"}
+	if route.Network.Addr().Is6() {
+		sources = []string{"::/0"}
+	}
+	rule := RouteFirewallRule{
+		SourceRanges: sources,
+		Action:       string(PolicyTrafficActionAccept),
+		Destination:  route.Network.String(),
+		Protocol:     string(PolicyRuleProtocolALL),
+		IsDynamic:    route.IsDynamic(),
+	}
+
+	rules = append(rules, &rule)
+
+	// dynamic routes always contain an IPv4 placeholder as destination, hence we must add IPv6 rules additionally
+	if route.IsDynamic() {
+		ruleV6 := rule
+		ruleV6.SourceRanges = []string{"::/0"}
+		rules = append(rules, &ruleV6)
+	}
+
+	return rules
+}
+
+// getAllRoutePoliciesFromGroups retrieves route policies associated with the specified access control groups
+// and returns a list of policies that have rules with destinations matching the specified groups.
+func getAllRoutePoliciesFromGroups(account *Account, accessControlGroups []string) []*Policy {
+	routePolicies := make([]*Policy, 0)
+	for _, groupID := range accessControlGroups {
+		group, ok := account.Groups[groupID]
+		if !ok {
+			continue
+		}
+
+		for _, policy := range account.Policies {
+			for _, rule := range policy.Rules {
+				exist := slices.ContainsFunc(rule.Destinations, func(groupID string) bool {
+					return groupID == group.ID
+				})
+				if exist {
+					routePolicies = append(routePolicies, policy)
+					continue
+				}
+			}
+		}
+	}
+
+	return routePolicies
+}
+
+// generateRouteFirewallRules generates a list of firewall rules for a given route.
+func generateRouteFirewallRules(ctx context.Context, route *route.Route, rule *PolicyRule, groupPeers []*nbpeer.Peer, direction int) []*RouteFirewallRule {
+	rulesExists := make(map[string]struct{})
+	rules := make([]*RouteFirewallRule, 0)
+
+	sourceRanges := make([]string, 0, len(groupPeers))
+	for _, peer := range groupPeers {
+		if peer == nil {
+			continue
+		}
+		sourceRanges = append(sourceRanges, fmt.Sprintf(AllowedIPsFormat, peer.IP))
+	}
+
+	baseRule := RouteFirewallRule{
+		SourceRanges: sourceRanges,
+		Action:       string(rule.Action),
+		Destination:  route.Network.String(),
+		Protocol:     string(rule.Protocol),
+		IsDynamic:    route.IsDynamic(),
+	}
+
+	// generate rule for port range
+	if len(rule.Ports) == 0 {
+		rules = append(rules, generateRulesWithPortRanges(baseRule, rule, rulesExists)...)
+	} else {
+		rules = append(rules, generateRulesWithPorts(ctx, baseRule, rule, rulesExists)...)
+
+	}
+
+	// TODO: generate IPv6 rules for dynamic routes
+
+	return rules
+}
+
+// generateRuleIDBase generates the base rule ID for checking duplicates.
+func generateRuleIDBase(rule *PolicyRule, baseRule RouteFirewallRule) string {
+	return rule.ID + strings.Join(baseRule.SourceRanges, ",") + strconv.Itoa(firewallRuleDirectionIN) + baseRule.Protocol + baseRule.Action
+}
+
+// generateRulesForPeer generates rules for a given peer based on ports and port ranges.
+func generateRulesWithPortRanges(baseRule RouteFirewallRule, rule *PolicyRule, rulesExists map[string]struct{}) []*RouteFirewallRule {
+	rules := make([]*RouteFirewallRule, 0)
+
+	ruleIDBase := generateRuleIDBase(rule, baseRule)
+	if len(rule.Ports) == 0 {
+		if len(rule.PortRanges) == 0 {
+			if _, ok := rulesExists[ruleIDBase]; !ok {
+				rulesExists[ruleIDBase] = struct{}{}
+				rules = append(rules, &baseRule)
+			}
+		} else {
+			for _, portRange := range rule.PortRanges {
+				ruleID := fmt.Sprintf("%s%d-%d", ruleIDBase, portRange.Start, portRange.End)
+				if _, ok := rulesExists[ruleID]; !ok {
+					rulesExists[ruleID] = struct{}{}
+					pr := baseRule
+					pr.PortRange = portRange
+					rules = append(rules, &pr)
+				}
+			}
+		}
+		return rules
+	}
+
+	return rules
+}
+
+// generateRulesWithPorts generates rules when specific ports are provided.
+func generateRulesWithPorts(ctx context.Context, baseRule RouteFirewallRule, rule *PolicyRule, rulesExists map[string]struct{}) []*RouteFirewallRule {
+	rules := make([]*RouteFirewallRule, 0)
+	ruleIDBase := generateRuleIDBase(rule, baseRule)
+
+	for _, port := range rule.Ports {
+		ruleID := ruleIDBase + port
+		if _, ok := rulesExists[ruleID]; ok {
+			continue
+		}
+		rulesExists[ruleID] = struct{}{}
+
+		pr := baseRule
+		p, err := strconv.ParseUint(port, 10, 16)
+		if err != nil {
+			log.WithContext(ctx).Errorf("failed to parse port %s for rule: %s", port, rule.ID)
+			continue
+		}
+
+		pr.Port = uint16(p)
+		rules = append(rules, &pr)
+	}
+
+	return rules
+}
+
+func toProtocolRoutesFirewallRules(rules []*RouteFirewallRule) []*proto.RouteFirewallRule {
+	result := make([]*proto.RouteFirewallRule, len(rules))
+	for i := range rules {
+		rule := rules[i]
+		result[i] = &proto.RouteFirewallRule{
+			SourceRanges: rule.SourceRanges,
+			Action:       getProtoAction(rule.Action),
+			Destination:  rule.Destination,
+			Protocol:     getProtoProtocol(rule.Protocol),
+			PortInfo:     getProtoPortInfo(rule),
+			IsDynamic:    rule.IsDynamic,
+		}
+	}
+
+	return result
+}
+
+// getProtoDirection converts the direction to proto.RuleDirection.
+func getProtoDirection(direction int) proto.RuleDirection {
+	if direction == firewallRuleDirectionOUT {
+		return proto.RuleDirection_OUT
+	}
+	return proto.RuleDirection_IN
+}
+
+// getProtoAction converts the action to proto.RuleAction.
+func getProtoAction(action string) proto.RuleAction {
+	if action == string(PolicyTrafficActionDrop) {
+		return proto.RuleAction_DROP
+	}
+	return proto.RuleAction_ACCEPT
+}
+
+// getProtoProtocol converts the protocol to proto.RuleProtocol.
+func getProtoProtocol(protocol string) proto.RuleProtocol {
+	switch PolicyRuleProtocolType(protocol) {
+	case PolicyRuleProtocolALL:
+		return proto.RuleProtocol_ALL
+	case PolicyRuleProtocolTCP:
+		return proto.RuleProtocol_TCP
+	case PolicyRuleProtocolUDP:
+		return proto.RuleProtocol_UDP
+	case PolicyRuleProtocolICMP:
+		return proto.RuleProtocol_ICMP
+	default:
+		return proto.RuleProtocol_UNKNOWN
+	}
+}
+
+// getProtoPortInfo converts the port info to proto.PortInfo.
+func getProtoPortInfo(rule *RouteFirewallRule) *proto.PortInfo {
+	var portInfo proto.PortInfo
+	if rule.Port != 0 {
+		portInfo.PortSelection = &proto.PortInfo_Port{Port: uint32(rule.Port)}
+	} else if portRange := rule.PortRange; portRange.Start != 0 && portRange.End != 0 {
+		portInfo.PortSelection = &proto.PortInfo_Range_{
+			Range: &proto.PortInfo_Range{
+				Start: uint32(portRange.Start),
+				End:   uint32(portRange.End),
+			},
+		}
+	}
+	return &portInfo
+}