NET-1252: Restrict inetGws, Relays from getting failedOver #2937

Merged
merged 12 commits into from
Jun 3, 2024
2 changes: 1 addition & 1 deletion logic/extpeers.go
Expand Up @@ -376,7 +376,7 @@ func ToggleExtClientConnectivity(client *models.ExtClient, enable bool) (models.
return newClient, nil
}

func getExtPeers(node, peer *models.Node) ([]wgtypes.PeerConfig, []models.IDandAddr, []models.EgressNetworkRoutes, error) {
func GetExtPeers(node, peer *models.Node) ([]wgtypes.PeerConfig, []models.IDandAddr, []models.EgressNetworkRoutes, error) {
var peers []wgtypes.PeerConfig
var idsAndAddr []models.IDandAddr
var egressRoutes []models.EgressNetworkRoutes
4 changes: 2 additions & 2 deletions logic/peers.go
Expand Up @@ -283,7 +283,7 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
var extPeerIDAndAddrs []models.IDandAddr
var egressRoutes []models.EgressNetworkRoutes
if node.IsIngressGateway {
extPeers, extPeerIDAndAddrs, egressRoutes, err = getExtPeers(&node, &node)
extPeers, extPeerIDAndAddrs, egressRoutes, err = GetExtPeers(&node, &node)
if err == nil {
hostPeerUpdate.EgressRoutes = append(hostPeerUpdate.EgressRoutes, egressRoutes...)
hostPeerUpdate.Peers = append(hostPeerUpdate.Peers, extPeers...)
Expand Down Expand Up @@ -415,7 +415,7 @@ func GetAllowedIPs(node, peer *models.Node, metrics *models.Metrics) []net.IPNet

// handle ingress gateway peers
if peer.IsIngressGateway {
extPeers, _, _, err := getExtPeers(peer, node)
extPeers, _, _, err := GetExtPeers(peer, node)
if err != nil {
logger.Log(2, "could not retrieve ext peers for ", peer.ID.String(), err.Error())
}
15 changes: 1 addition & 14 deletions mq/handlers.go
Expand Up @@ -201,20 +201,7 @@ func signalPeer(signal models.Signal) {
slog.Error("failed to signal, peer host not found", "error", err)
return
}
peerNode, err := logic.GetNodeByID(signal.ToNodeID)
if err != nil {
slog.Error("failed to signal, node not found", "error", err)
return
}
node, err := logic.GetNodeByID(signal.FromNodeID)
if err != nil {
slog.Error("failed to signal, peer node not found", "error", err)
return
}
if peerNode.IsIngressGateway || node.IsIngressGateway || peerNode.IsInternetGateway || node.IsInternetGateway {
signal.Action = ""
return
}

err = HostUpdate(&models.HostUpdate{
Action: models.SignalHost,
Host: *peerHost,
20 changes: 16 additions & 4 deletions pro/controllers/failover.go
Expand Up @@ -159,12 +159,24 @@ func failOverME(w http.ResponseWriter, r *http.Request) {
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("peer not found"), "badrequest"))
return
}
if node.IsRelayed || node.IsFailOver {
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("node is relayed or acting as failover"), "badrequest"))
if node.IsFailOver {
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("node is acting as failover"), "badrequest"))
return
}
if peerNode.IsRelayed || peerNode.IsFailOver {
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("peer node is relayed or acting as failover"), "badrequest"))
if node.IsRelayed && node.RelayedBy == peerNode.ID.String() {
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("node is relayed by peer node"), "badrequest"))
return
}
if node.IsRelay && peerNode.RelayedBy == node.ID.String() {
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("node acting as relay for the peer node"), "badrequest"))
return
}
if node.IsInternetGateway && peerNode.InternetGwID == node.ID.String() {
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("node acting as internet gw for the peer node"), "badrequest"))
return
}
if node.InternetGwID != "" && node.InternetGwID == peerNode.ID.String() {
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("node using a internet gw by the peer node"), "badrequest"))
return
}

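Review bot: The rewritten guards no longer reject a peer that is itself acting as failover — `peerNode.IsFailOver` is not checked anywhere in the hunk, while `node.IsFailOver` still is, so the old symmetric rejection at the removed line is gone. If a node must not fail over through the failover node itself, restore `if peerNode.IsFailOver { logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("peer node is acting as failover"), "badrequest")); return }`; if the asymmetry is intentional, a one-line comment above the new checks saying why would keep the next reader from re-adding it. The message on the last new check reads awkwardly; `errors.New("node is using the peer node as its internet gateway")` says the same thing. failOverME begins above the hunk.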
38 changes: 34 additions & 4 deletions pro/logic/failover.go
Expand Up @@ -5,15 +5,14 @@ import (
"net"

"github.com/google/uuid"
"github.com/gravitl/netmaker/logger"
"github.com/gravitl/netmaker/logic"
"github.com/gravitl/netmaker/models"
"golang.org/x/exp/slog"
)

func SetFailOverCtx(failOverNode, victimNode, peerNode models.Node) error {
if victimNode.IsIngressGateway || peerNode.IsIngressGateway || victimNode.IsInternetGateway || peerNode.IsInternetGateway {
return nil
}

if peerNode.FailOverPeers == nil {
peerNode.FailOverPeers = make(map[string]struct{})
}
Expand Down Expand Up @@ -125,7 +124,38 @@ func GetFailOverPeerIps(peer, node *models.Node) []net.IPNet {
if failOverpeer.IsEgressGateway {
allowedips = append(allowedips, logic.GetEgressIPs(&failOverpeer)...)
}

if failOverpeer.IsRelay {
for _, id := range failOverpeer.RelayedNodes {
rNode, _ := logic.GetNodeByID(id)
if rNode.Address.IP != nil {
allowed := net.IPNet{
IP: rNode.Address.IP,
Mask: net.CIDRMask(32, 32),
}
allowedips = append(allowedips, allowed)
}
if rNode.Address6.IP != nil {
allowed := net.IPNet{
IP: rNode.Address6.IP,
Mask: net.CIDRMask(128, 128),
}
allowedips = append(allowedips, allowed)
}
if rNode.IsEgressGateway {
allowedips = append(allowedips, logic.GetEgressIPs(&rNode)...)
}
}
}
// handle ingress gateway peers
if failOverpeer.IsIngressGateway {
extPeers, _, _, err := logic.GetExtPeers(&failOverpeer, node)
if err != nil {
logger.Log(2, "could not retrieve ext peers for ", peer.ID.String(), err.Error())
}
for _, extPeer := range extPeers {
allowedips = append(allowedips, extPeer.AllowedIPs...)
}
}
}
}
return allowedips
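Review bot: In the new relay branch of GetFailOverPeerIps the lookup error from `logic.GetNodeByID(id)` is discarded, so a relayed node that fails to load is silently skipped through a zero-value Node rather than reported; `rNode, err := logic.GetNodeByID(id)` followed by `if err != nil { slog.Error("failed to get relayed node", "id", id, "error", err); continue }` keeps the resulting allowed-IP list the same but makes the gap visible. The ingress branch logs `peer.ID.String()` when GetExtPeers fails, but the node it queried is failOverpeer, so the message should name `failOverpeer.ID.String()` for the log to point at the gateway that could not be expanded. GetExtPeers is handed `node` as its second argument, presumably so it can filter the ext clients for that node, whereas the relay loop adds every address in RelayedNodes unconditionally — worth confirming that no equivalent per-node filtering is expected on that path. GetFailOverPeerIps begins above the hunk.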
5 changes: 5 additions & 0 deletions pro/logic/nodes.go
Expand Up @@ -5,6 +5,7 @@ import (
"fmt"
"net"

"github.com/google/uuid"
"github.com/gravitl/netmaker/logic"
"github.com/gravitl/netmaker/models"
"golang.org/x/exp/slog"
Expand All @@ -29,6 +30,7 @@ func ValidateInetGwReq(inetNode models.Node, req models.InetNodeReq, update bool
if inetNode.IsRelayed {
return fmt.Errorf("node %s is being relayed", inetHost.Name)
}

for _, clientNodeID := range req.InetNodeClientIDs {
clientNode, err := logic.GetNodeByID(clientNodeID)
if err != nil {
Expand All @@ -53,6 +55,9 @@ func ValidateInetGwReq(inetNode models.Node, req models.InetNodeReq, update bool
return fmt.Errorf("node %s is already using a internet gateway", clientHost.Name)
}
}
if clientNode.FailedOverBy != uuid.Nil {
ResetFailedOverPeer(&clientNode)
}

if clientNode.IsRelayed {
return fmt.Errorf("node %s is being relayed", clientHost.Name)
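Review bot: `ResetFailedOverPeer(&clientNode)` runs inside ValidateInetGwReq before the remaining checks, so when the `clientNode.IsRelayed` check just below it, or a later iteration of the loop, returns an error the request is rejected but that client's failover state has already been cleared; the same ordering appears in the ValidateRelay hunk in pro/logic/relays.go. Either collect the nodes to reset and apply them once the loop has succeeded, or move the reset into the caller that commits the gateway change, so that a function named Validate stays free of writes. Whether ResetFailedOverPeer returns an error is not visible here; if it does, the result is dropped on this line. ValidateInetGwReq begins above the hunk.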
4 changes: 4 additions & 0 deletions pro/logic/relays.go
Expand Up @@ -5,6 +5,7 @@ import (
"fmt"
"net"

"github.com/google/uuid"
"github.com/gravitl/netmaker/logger"
"github.com/gravitl/netmaker/logic"
"github.com/gravitl/netmaker/logic/acls/nodeacls"
Expand Down Expand Up @@ -122,6 +123,9 @@ func ValidateRelay(relay models.RelayRequest, update bool) error {
if relayedNode.IsInternetGateway {
return errors.New("cannot relay an internet gateway (" + relayedNodeID + ")")
}
if relayedNode.FailedOverBy != uuid.Nil {
ResetFailedOverPeer(&relayedNode)
}
}
return err
}