remove Rule index map

This commit is contained in:
Pascal Fischer 2023-06-28 02:50:12 +02:00
parent b39ffef22c
commit 51878659f8


@ -23,9 +23,8 @@ type IFaceMapper interface {
// Manager userspace firewall manager // Manager userspace firewall manager
type Manager struct { type Manager struct {
outgoingRules map[string][]Rule outgoingRules map[string]map[string]Rule
incomingRules map[string][]Rule incomingRules map[string]map[string]Rule
rulesIndex map[string]int
wgNetwork *net.IPNet wgNetwork *net.IPNet
decoders sync.Pool decoders sync.Pool
@ -48,7 +47,6 @@ type decoder struct {
// Create userspace firewall manager constructor // Create userspace firewall manager constructor
func Create(iface IFaceMapper) (*Manager, error) { func Create(iface IFaceMapper) (*Manager, error) {
m := &Manager{ m := &Manager{
rulesIndex: make(map[string]int),
decoders: sync.Pool{ decoders: sync.Pool{
New: func() any { New: func() any {
d := &decoder{ d := &decoder{
@ -62,8 +60,8 @@ func Create(iface IFaceMapper) (*Manager, error) {
return d return d
}, },
}, },
outgoingRules: make(map[string][]Rule), outgoingRules: make(map[string]map[string]Rule),
incomingRules: make(map[string][]Rule), incomingRules: make(map[string]map[string]Rule),
} }
if err := iface.SetFilter(m); err != nil { if err := iface.SetFilter(m); err != nil {
@ -126,15 +124,17 @@ func (m *Manager) AddFiltering(
} }
m.mutex.Lock() m.mutex.Lock()
var p int
if direction == fw.RuleDirectionIN { if direction == fw.RuleDirectionIN {
m.incomingRules[r.ip.String()] = append(m.incomingRules[r.ip.String()], r) if _, ok := m.incomingRules[r.ip.String()]; !ok {
p = len(m.incomingRules[r.ip.String()]) - 1 m.incomingRules[r.ip.String()] = make(map[string]Rule)
}
m.incomingRules[r.ip.String()][r.id] = r
} else { } else {
m.outgoingRules[r.ip.String()] = append(m.outgoingRules[r.ip.String()], r) if _, ok := m.outgoingRules[r.ip.String()]; !ok {
p = len(m.outgoingRules[r.ip.String()]) - 1 m.outgoingRules[r.ip.String()] = make(map[string]Rule)
}
m.outgoingRules[r.ip.String()][r.id] = r
} }
m.rulesIndex[r.id] = p
m.mutex.Unlock() m.mutex.Unlock()
return &r, nil return &r, nil
@ -150,24 +150,20 @@ func (m *Manager) DeleteRule(rule fw.Rule) error {
return fmt.Errorf("delete rule: invalid rule type: %T", rule) return fmt.Errorf("delete rule: invalid rule type: %T", rule)
} }
p, ok := m.rulesIndex[r.id]
if !ok {
return fmt.Errorf("delete rule: no rule with such id: %v", r.id)
}
delete(m.rulesIndex, r.id)
var toUpdate []Rule
if r.direction == fw.RuleDirectionIN { if r.direction == fw.RuleDirectionIN {
m.incomingRules[r.ip.String()] = append(m.incomingRules[r.ip.String()][:p], m.incomingRules[r.ip.String()][p+1:]...) _, ok := m.incomingRules[r.ip.String()][r.id]
toUpdate = m.incomingRules[r.ip.String()] if !ok {
return fmt.Errorf("delete rule: no rule with such id: %v", r.id)
}
delete(m.incomingRules[r.ip.String()], r.id)
} else { } else {
m.outgoingRules[r.ip.String()] = append(m.outgoingRules[r.ip.String()][:p], m.outgoingRules[r.ip.String()][p+1:]...) _, ok := m.outgoingRules[r.ip.String()][r.id]
toUpdate = m.outgoingRules[r.ip.String()] if !ok {
return fmt.Errorf("delete rule: no rule with such id: %v", r.id)
}
delete(m.outgoingRules[r.ip.String()], r.id)
} }
for i := 0; i < len(toUpdate); i++ {
m.rulesIndex[toUpdate[i].id] = i
}
return nil return nil
} }
@ -176,9 +172,8 @@ func (m *Manager) Reset() error {
m.mutex.Lock() m.mutex.Lock()
defer m.mutex.Unlock() defer m.mutex.Unlock()
m.outgoingRules = make(map[string][]Rule) m.outgoingRules = make(map[string]map[string]Rule)
m.incomingRules = make(map[string][]Rule) m.incomingRules = make(map[string]map[string]Rule)
m.rulesIndex = make(map[string]int)
return nil return nil
} }
@ -194,7 +189,7 @@ func (m *Manager) DropIncoming(packetData []byte) bool {
} }
// dropFilter imlements same logic for booth direction of the traffic // dropFilter imlements same logic for booth direction of the traffic
func (m *Manager) dropFilter(packetData []byte, rules map[string][]Rule, isIncomingPacket bool) bool { func (m *Manager) dropFilter(packetData []byte, rules map[string]map[string]Rule, isIncomingPacket bool) bool {
m.mutex.RLock() m.mutex.RLock()
defer m.mutex.RUnlock() defer m.mutex.RUnlock()
@ -226,41 +221,39 @@ func (m *Manager) dropFilter(packetData []byte, rules map[string][]Rule, isIncom
log.Errorf("unknown layer: %v", d.decoded[0]) log.Errorf("unknown layer: %v", d.decoded[0])
return true return true
} }
payloadLayer := d.decoded[1]
var srcIP, dstIP net.IP var ip net.IP
var ipRules []Rule
switch ipLayer { switch ipLayer {
case layers.LayerTypeIPv4: case layers.LayerTypeIPv4:
if isIncomingPacket { if isIncomingPacket {
srcIP = d.ip4.SrcIP ip = d.ip4.SrcIP
ipRules = append(rules[srcIP.String()], rules["0.0.0.0"]...)
} else { } else {
dstIP = d.ip4.DstIP ip = d.ip4.DstIP
ipRules = append(rules[dstIP.String()], rules["0.0.0.0"]...)
} }
case layers.LayerTypeIPv6: case layers.LayerTypeIPv6:
if isIncomingPacket { if isIncomingPacket {
srcIP = d.ip6.SrcIP ip = d.ip6.SrcIP
ipRules = append(rules[srcIP.String()], rules["::"]...)
} else { } else {
dstIP = d.ip6.DstIP ip = d.ip6.DstIP
ipRules = append(rules[dstIP.String()], rules["::"]...)
} }
} }
_, ok := rules["0.0.0.0"]
if ok {
return false
}
_, ok = rules["::"]
if ok {
return false
}
payloadLayer := d.decoded[1]
// check if IP address match by IP // check if IP address match by IP
for _, rule := range ipRules { for _, rule := range rules[ip.String()] {
if rule.matchByIP { if rule.matchByIP && !ip.Equal(rule.ip) {
if isIncomingPacket { continue
if !srcIP.Equal(rule.ip) {
continue
}
} else {
if !dstIP.Equal(rule.ip) {
continue
}
}
} }
if rule.protoLayer == layerTypeAll { if rule.protoLayer == layerTypeAll {
@ -335,19 +328,19 @@ func (m *Manager) AddUDPPacketHook(
} }
m.mutex.Lock() m.mutex.Lock()
var toUpdate []Rule
if in { if in {
r.direction = fw.RuleDirectionIN r.direction = fw.RuleDirectionIN
m.incomingRules[r.ip.String()] = append([]Rule{r}, m.incomingRules[r.ip.String()]...) if _, ok := m.incomingRules[r.ip.String()]; !ok {
toUpdate = m.incomingRules[r.ip.String()] m.incomingRules[r.ip.String()] = make(map[string]Rule)
}
m.incomingRules[r.ip.String()][r.id] = r
} else { } else {
m.outgoingRules[r.ip.String()] = append([]Rule{r}, m.outgoingRules[r.ip.String()]...) if _, ok := m.outgoingRules[r.ip.String()]; !ok {
toUpdate = m.outgoingRules[r.ip.String()] m.outgoingRules[r.ip.String()] = make(map[string]Rule)
}
m.outgoingRules[r.ip.String()][r.id] = r
} }
for i := range toUpdate {
m.rulesIndex[toUpdate[i].id] = i
}
m.mutex.Unlock() m.mutex.Unlock()
return r.id return r.id
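Review bot: The wildcard short-circuit in dropFilter, `_, ok := rules["0.0.0.0"]` / `_, ok = rules["::"]` followed by `return false`, admits every packet as soon as any wildcard rule exists, skipping the protocol/port matching the per-IP loop below applies, so a wildcard rule added for a single port now opens all traffic; the removed code instead appended the wildcard bucket to `ipRules` and matched it like any other rule. The check is also not family-aware (an IPv4 packet is admitted by a `::` rule and vice versa) and it tests key presence rather than `len(...) > 0`, and because DeleteRule only does `delete(m.incomingRules[r.ip.String()], r.id)` on the inner map, deleting the last wildcard rule leaves an empty outer entry that still allows everything. I would drop the two presence checks and feed the family wildcard bucket through the same matching loop, as below. Separately, the per-IP bucket is now a map, so the loop's evaluation order is randomized where the old slice deliberately put UDP hook rules first via `append([]Rule{r}, ...)`; whether the loop body, which continues past this hunk, depends on that order is not visible here. dropFilter begins in an earlier hunk and its body extends beyond this one.
```go
	var ip net.IP
	var wildcard string // family-wide bucket key, matched with the same rules as the exact IP
	switch ipLayer {
	case layers.LayerTypeIPv4:
		wildcard = "0.0.0.0"
		// … unchanged: ip = d.ip4.SrcIP / d.ip4.DstIP …
	case layers.LayerTypeIPv6:
		wildcard = "::"
		// … unchanged: ip = d.ip6.SrcIP / d.ip6.DstIP …
	}
	payloadLayer := d.decoded[1]

	// exact-IP rules, then the family wildcard; both go through the same
	// protocol/port matching so a wildcard rule only admits what it specifies
	for _, bucket := range []map[string]Rule{rules[ip.String()], rules[wildcard]} {
		for _, rule := range bucket {
			if rule.matchByIP && !ip.Equal(rule.ip) {
				continue
			}
			// … unchanged: protoLayer / port matching and the rest of the loop body …
```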