seems to work but delete fails

Pascal Fischer 2023-06-27 17:26:15 +02:00
parent ed075bc9b9
commit d96f882acb


@ -23,8 +23,8 @@ type IFaceMapper interface {
// Manager userspace firewall manager // Manager userspace firewall manager
type Manager struct { type Manager struct {
outgoingRules []Rule outgoingRules map[string][]Rule
incomingRules []Rule incomingRules map[string][]Rule
rulesIndex map[string]int rulesIndex map[string]int
wgNetwork *net.IPNet wgNetwork *net.IPNet
decoders sync.Pool decoders sync.Pool
@ -62,6 +62,8 @@ func Create(iface IFaceMapper) (*Manager, error) {
return d return d
}, },
}, },
outgoingRules: make(map[string][]Rule),
incomingRules: make(map[string][]Rule),
} }
if err := iface.SetFilter(m); err != nil { if err := iface.SetFilter(m); err != nil {
@ -126,10 +128,10 @@ func (m *Manager) AddFiltering(
m.mutex.Lock() m.mutex.Lock()
var p int var p int
if direction == fw.RuleDirectionIN { if direction == fw.RuleDirectionIN {
m.incomingRules = append(m.incomingRules, r) m.incomingRules[r.ip.String()] = append(m.incomingRules[r.ip.String()], r)
p = len(m.incomingRules) - 1 p = len(m.incomingRules) - 1
} else { } else {
m.outgoingRules = append(m.outgoingRules, r) m.outgoingRules[r.ip.String()] = append(m.outgoingRules[r.ip.String()], r)
p = len(m.outgoingRules) - 1 p = len(m.outgoingRules) - 1
} }
m.rulesIndex[r.id] = p m.rulesIndex[r.id] = p
@ -156,11 +158,11 @@ func (m *Manager) DeleteRule(rule fw.Rule) error {
var toUpdate []Rule var toUpdate []Rule
if r.direction == fw.RuleDirectionIN { if r.direction == fw.RuleDirectionIN {
m.incomingRules = append(m.incomingRules[:p], m.incomingRules[p+1:]...) m.incomingRules[r.ip.String()] = append(m.incomingRules[r.ip.String()][:p], m.incomingRules[r.ip.String()][p+1:]...)
toUpdate = m.incomingRules toUpdate = m.incomingRules[r.ip.String()]
} else { } else {
m.outgoingRules = append(m.outgoingRules[:p], m.outgoingRules[p+1:]...) m.outgoingRules[r.ip.String()] = append(m.outgoingRules[r.ip.String()][:p], m.outgoingRules[r.ip.String()][p+1:]...)
toUpdate = m.outgoingRules toUpdate = m.outgoingRules[r.ip.String()]
} }
for i := 0; i < len(toUpdate); i++ { for i := 0; i < len(toUpdate); i++ {
@ -174,8 +176,8 @@ func (m *Manager) Reset() error {
m.mutex.Lock() m.mutex.Lock()
defer m.mutex.Unlock() defer m.mutex.Unlock()
m.outgoingRules = m.outgoingRules[:0] m.outgoingRules = make(map[string][]Rule)
m.incomingRules = m.incomingRules[:0] m.incomingRules = make(map[string][]Rule)
m.rulesIndex = make(map[string]int) m.rulesIndex = make(map[string]int)
return nil return nil
@ -192,7 +194,7 @@ func (m *Manager) DropIncoming(packetData []byte) bool {
} }
// dropFilter imlements same logic for booth direction of the traffic // dropFilter imlements same logic for booth direction of the traffic
func (m *Manager) dropFilter(packetData []byte, rules []Rule, isIncomingPacket bool) bool { func (m *Manager) dropFilter(packetData []byte, rules map[string][]Rule, isIncomingPacket bool) bool {
m.mutex.RLock() m.mutex.RLock()
defer m.mutex.RUnlock() defer m.mutex.RUnlock()
@ -226,29 +228,37 @@ func (m *Manager) dropFilter(packetData []byte, rules []Rule, isIncomingPacket b
} }
payloadLayer := d.decoded[1] payloadLayer := d.decoded[1]
var srcIP, dstIP net.IP
var ipRules []Rule
switch ipLayer {
case layers.LayerTypeIPv4:
if isIncomingPacket {
srcIP = d.ip4.SrcIP
ipRules = rules[srcIP.String()]
} else {
dstIP = d.ip4.DstIP
ipRules = rules[dstIP.String()]
}
case layers.LayerTypeIPv6:
if isIncomingPacket {
srcIP = d.ip6.SrcIP
ipRules = rules[srcIP.String()]
} else {
dstIP = d.ip6.DstIP
ipRules = rules[dstIP.String()]
}
}
// check if IP address match by IP // check if IP address match by IP
for _, rule := range rules { for _, rule := range ipRules {
if rule.matchByIP { if rule.matchByIP {
switch ipLayer { if isIncomingPacket {
case layers.LayerTypeIPv4: if !srcIP.Equal(rule.ip) {
if isIncomingPacket { continue
if !d.ip4.SrcIP.Equal(rule.ip) {
continue
}
} else {
if !d.ip4.DstIP.Equal(rule.ip) {
continue
}
} }
case layers.LayerTypeIPv6: } else {
if isIncomingPacket { if !dstIP.Equal(rule.ip) {
if !d.ip6.SrcIP.Equal(rule.ip) { continue
continue
}
} else {
if !d.ip6.DstIP.Equal(rule.ip) {
continue
}
} }
} }
} }
@ -328,11 +338,11 @@ func (m *Manager) AddUDPPacketHook(
var toUpdate []Rule var toUpdate []Rule
if in { if in {
r.direction = fw.RuleDirectionIN r.direction = fw.RuleDirectionIN
m.incomingRules = append([]Rule{r}, m.incomingRules...) m.incomingRules[r.ip.String()] = append([]Rule{r}, m.incomingRules[r.ip.String()]...)
toUpdate = m.incomingRules toUpdate = m.incomingRules[r.ip.String()]
} else { } else {
m.outgoingRules = append([]Rule{r}, m.outgoingRules...) m.outgoingRules[r.ip.String()] = append([]Rule{r}, m.outgoingRules[r.ip.String()]...)
toUpdate = m.outgoingRules toUpdate = m.outgoingRules[r.ip.String()]
} }
for i := range toUpdate { for i := range toUpdate {
@ -345,14 +355,18 @@ func (m *Manager) AddUDPPacketHook(
// RemovePacketHook removes packet hook by given ID // RemovePacketHook removes packet hook by given ID
func (m *Manager) RemovePacketHook(hookID string) error { func (m *Manager) RemovePacketHook(hookID string) error {
for _, r := range m.incomingRules { for _, arr := range m.incomingRules {
if r.id == hookID { for _, r := range arr {
return m.DeleteRule(&r) if r.id == hookID {
return m.DeleteRule(&r)
}
} }
} }
for _, r := range m.outgoingRules { for _, arr := range m.outgoingRules {
if r.id == hookID { for _, r := range arr {
return m.DeleteRule(&r) if r.id == hookID {
return m.DeleteRule(&r)
}
} }
} }
return fmt.Errorf("hook with given id not found") return fmt.Errorf("hook with given id not found")