extern/netbird
1
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2025-02-08 22:39:55 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix Windows firewall message check (#1254)

Browse Source 
The no rules matched message is operating system language specific, and can cause errors

Now we check if firewall is reachable by the app and then if the rule is returned or not in two different calls:

isWindowsFirewallReachable

isFirewallRuleActive
This commit is contained in:
Maycon Santos 2023-10-27 10:54:26 +02:00 committed by GitHub
parent db25ca21a8
commit 76318f3f06
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 46 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
client/firewall/uspfilter/allow_netbird_windows.go
View File

@ -1,21 +1,19 @@
package uspfilter package uspfilter
import ( import (
"errors"
"fmt" "fmt"
"os/exec" "os/exec"
"strings"
"syscall" "syscall"
log "github.com/sirupsen/logrus"
) )
type action string type action string
const ( const (
addRule action = "add" addRule action = "add"
deleteRule action = "delete" deleteRule action = "delete"
firewallRuleName = "Netbird"
firewallRuleName = "Netbird"
noRulesMatchCriteria = "No rules match the specified criteria"
) )
// Reset firewall to the default state // Reset firewall to the default state
@ -26,6 +24,14 @@ func (m *Manager) Reset() error {
m.outgoingRules = make(map[string]RuleSet) m.outgoingRules = make(map[string]RuleSet)
m.incomingRules = make(map[string]RuleSet) m.incomingRules = make(map[string]RuleSet)
if !isWindowsFirewallReachable() {
return nil
}
if !isFirewallRuleActive(firewallRuleName) {
return nil
}
if err := manageFirewallRule(firewallRuleName, deleteRule); err != nil { if err := manageFirewallRule(firewallRuleName, deleteRule); err != nil {
return fmt.Errorf("couldn't remove windows firewall: %w", err) return fmt.Errorf("couldn't remove windows firewall: %w", err)
} }
@ -35,6 +41,13 @@ func (m *Manager) Reset() error {
// AllowNetbird allows netbird interface traffic // AllowNetbird allows netbird interface traffic
func (m *Manager) AllowNetbird() error { func (m *Manager) AllowNetbird() error {
if !isWindowsFirewallReachable() {
return nil
}
if isFirewallRuleActive(firewallRuleName) {
return nil
}
return manageFirewallRule(firewallRuleName, return manageFirewallRule(firewallRuleName,
addRule, addRule,
"dir=in", "dir=in",
@ -45,47 +58,37 @@ func (m *Manager) AllowNetbird() error {
) )
} }
func manageFirewallRule(ruleName string, action action, args ...string) error { func manageFirewallRule(ruleName string, action action, extraArgs ...string) error {
active, err := isFirewallRuleActive(ruleName)
if err != nil { args := []string{"advfirewall", "firewall", string(action), "rule", "name=" + ruleName}
return err if action == addRule {
args = append(args, extraArgs...)
} }
if (action == addRule && !active) || (action == deleteRule && active) { cmd := exec.Command("netsh", args...)
baseArgs := []string{"advfirewall", "firewall", string(action), "rule", "name=" + ruleName} cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
args := append(baseArgs, args...) return cmd.Run()
cmd := exec.Command("netsh", args...)
cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
return cmd.Run()
}
return nil
} }
func isFirewallRuleActive(ruleName string) (bool, error) { func isWindowsFirewallReachable() bool {
args := []string{"advfirewall", "show", "allprofiles", "state"}
cmd := exec.Command("netsh", args...)
cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
_, err := cmd.Output()
if err != nil {
log.Infof("Windows firewall is not reachable, skipping default rule management. Using only user space rules. Error: %s", err)
return false
}
return true
}
func isFirewallRuleActive(ruleName string) bool {
args := []string{"advfirewall", "firewall", "show", "rule", "name=" + ruleName} args := []string{"advfirewall", "firewall", "show", "rule", "name=" + ruleName}
cmd := exec.Command("netsh", args...) cmd := exec.Command("netsh", args...)
cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true} cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
output, err := cmd.Output() _, err := cmd.Output()
if err != nil { return err == nil
var exitError *exec.ExitError
if errors.As(err, &exitError) {
// if the firewall rule is not active, we expect last exit code to be 1
exitStatus := exitError.Sys().(syscall.WaitStatus).ExitStatus()
if exitStatus == 1 {
if strings.Contains(string(output), noRulesMatchCriteria) {
return false, nil
}
}
}
return false, err
}
if strings.Contains(string(output), noRulesMatchCriteria) {
return false, nil
}
return true, nil
} }

2
client/internal/acl/manager_create.go
View File

@ -20,7 +20,7 @@ func Create(iface IFaceMapper) (manager *DefaultManager, err error) {
return nil, err return nil, err
} }
if err := fm.AllowNetbird(); err != nil { if err := fm.AllowNetbird(); err != nil {
log.Errorf("failed to allow netbird interface traffic: %v", err) log.Warnf("failed to allow netbird interface traffic: %v", err)
} }
return newDefaultManager(fm), nil return newDefaultManager(fm), nil
} }