package trafpol
import (
"context"
"errors"
"net/netip"
log "github.com/sirupsen/logrus"
"github.com/telekom-mms/oc-daemon/internal/cmdtmpl"
"github.com/telekom-mms/oc-daemon/internal/daemoncfg"
)
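// setFilterRules sets the filter rules.
//
// The "TrafPolSetFilterRules" command template is rendered with config and
// the resulting commands are run in order. If the template cannot be
// rendered, the error is logged and nothing is executed, so a command list
// from a failed expansion never reaches the system. A failing command is
// logged together with its input and output but does not stop the remaining
// commands; failures caused by ctx cancellation are not logged.
func setFilterRules(ctx context.Context, config *daemoncfg.Config) {
	cmds, err := cmdtmpl.GetCmds("TrafPolSetFilterRules", config)
	if err != nil {
		log.WithError(err).Error("TrafPol could not get set filter rules commands")
		// do not fall through into the command loop after a failed
		// template expansion
		return
	}
	for _, c := range cmds {
		stdout, stderr, err := c.Run(ctx)
		if err == nil || errors.Is(err, context.Canceled) {
			continue
		}
		log.WithFields(log.Fields{
			"command": c.Cmd,
			"args":    c.Args,
			"stdin":   c.Stdin,
			"stdout":  string(stdout),
			"stderr":  string(stderr),
			"error":   err,
		}).Error("TrafPol could not run set filter rules command")
	}
}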
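// unsetFilterRules unsets the filter rules.
//
// The "TrafPolUnsetFilterRules" command template is rendered with config and
// the resulting commands are run in order. If the template cannot be
// rendered, the error is logged and nothing is executed. A failing command is
// logged together with its input and output but does not stop the remaining
// commands; failures caused by ctx cancellation are not logged.
func unsetFilterRules(ctx context.Context, config *daemoncfg.Config) {
	cmds, err := cmdtmpl.GetCmds("TrafPolUnsetFilterRules", config)
	if err != nil {
		log.WithError(err).Error("TrafPol could not get unset filter rules commands")
		// do not fall through into the command loop after a failed
		// template expansion
		return
	}
	for _, c := range cmds {
		stdout, stderr, err := c.Run(ctx)
		if err == nil || errors.Is(err, context.Canceled) {
			continue
		}
		log.WithFields(log.Fields{
			"command": c.Cmd,
			"args":    c.Args,
			"stdin":   c.Stdin,
			"stdout":  string(stdout),
			"stderr":  string(stderr),
			"error":   err,
		}).Error("TrafPol could not run unset filter rules command")
	}
}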
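// setAllowedDevices sets devices as allowed devices.
//
// The "TrafPolSetAllowedDevices" command template is rendered with a copy of
// conf extended by the Devices field and the resulting commands are run in
// order. If the template cannot be rendered, the error is logged and nothing
// is executed. A failing command is logged together with the devices and its
// input and output but does not stop the remaining commands; failures caused
// by ctx cancellation are not logged.
func setAllowedDevices(ctx context.Context, conf *daemoncfg.Config, devices []string) {
	// template data: the daemon config plus the device list
	data := &struct {
		daemoncfg.Config
		Devices []string
	}{
		Config:  *conf,
		Devices: devices,
	}
	cmds, err := cmdtmpl.GetCmds("TrafPolSetAllowedDevices", data)
	if err != nil {
		log.WithError(err).Error("TrafPol could not get set allowed devices commands")
		// do not fall through into the command loop after a failed
		// template expansion
		return
	}
	for _, c := range cmds {
		stdout, stderr, err := c.Run(ctx)
		if err == nil || errors.Is(err, context.Canceled) {
			continue
		}
		log.WithFields(log.Fields{
			"devices": devices,
			"command": c.Cmd,
			"args":    c.Args,
			"stdin":   c.Stdin,
			"stdout":  string(stdout),
			"stderr":  string(stderr),
			"error":   err,
		}).Error("TrafPol could not run set allowed devices command")
	}
}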
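// setAllowedIPs sets the allowed hosts.
//
// The existing allowed hosts are flushed with the "TrafPolFlushAllowedHosts"
// template, then every prefix in ips is added with its own rendering of the
// "TrafPolAddAllowedHost" template. If a template cannot be rendered, the
// error is logged and its commands are not executed; for the flush step the
// function returns without adding any host. A failing command is logged
// together with its input and output but does not stop the remaining
// commands; failures caused by ctx cancellation are not logged.
func setAllowedIPs(ctx context.Context, conf *daemoncfg.Config, ips []netip.Prefix) {
	// All nft commands are run separately here, not as one atomic
	// operation, to avoid the whole update failing because nft runs into
	// "file exists" errors even though duplicates are removed from ips
	// before this function is called and the existing entries are flushed.

	// flush allowed hosts
	cmds, err := cmdtmpl.GetCmds("TrafPolFlushAllowedHosts", conf)
	if err != nil {
		log.WithError(err).Error("TrafPol could not get flush allowed hosts commands")
		// do not fall through into the command loop after a failed
		// template expansion
		return
	}
	for _, c := range cmds {
		stdout, stderr, err := c.Run(ctx)
		if err == nil || errors.Is(err, context.Canceled) {
			continue
		}
		log.WithFields(log.Fields{
			"command": c.Cmd,
			"args":    c.Args,
			"stdin":   c.Stdin,
			"stdout":  string(stdout),
			"stderr":  string(stderr),
			"error":   err,
		}).Error("TrafPol could not run flush allowed hosts command")
	}

	// add allowed hosts, one template rendering per prefix
	for _, ip := range ips {
		data := &struct {
			daemoncfg.Config
			AllowedIP netip.Prefix
		}{
			Config:    *conf,
			AllowedIP: ip,
		}
		addCmds, err := cmdtmpl.GetCmds("TrafPolAddAllowedHost", data)
		if err != nil {
			log.WithError(err).Error("TrafPol could not get add allowed host commands")
			// skip this host; the remaining hosts are still attempted
			continue
		}
		for _, c := range addCmds {
			stdout, stderr, err := c.Run(ctx)
			if err == nil || errors.Is(err, context.Canceled) {
				continue
			}
			log.WithFields(log.Fields{
				"host":    ip,
				"command": c.Cmd,
				"args":    c.Args,
				"stdin":   c.Stdin,
				"stdout":  string(stdout),
				"stderr":  string(stderr),
				"error":   err,
			}).Error("TrafPol could not run add allowed host command")
		}
	}
}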
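// addPortalPorts adds ports for a captive portal to the allowed ports.
//
// The "TrafPolAddPortalPorts" command template is rendered with conf and the
// resulting commands are run in order. If the template cannot be rendered,
// the error is logged and nothing is executed. A failing command is logged
// together with the configured portal ports and its input and output but
// does not stop the remaining commands; failures caused by ctx cancellation
// are not logged.
func addPortalPorts(ctx context.Context, conf *daemoncfg.Config) {
	cmds, err := cmdtmpl.GetCmds("TrafPolAddPortalPorts", conf)
	if err != nil {
		log.WithError(err).Error("TrafPol could not get add portal ports commands")
		// do not fall through into the command loop after a failed
		// template expansion
		return
	}
	for _, c := range cmds {
		stdout, stderr, err := c.Run(ctx)
		if err == nil || errors.Is(err, context.Canceled) {
			continue
		}
		log.WithFields(log.Fields{
			"ports":   conf.TrafficPolicing.PortalPorts,
			"command": c.Cmd,
			"args":    c.Args,
			"stdin":   c.Stdin,
			"stdout":  string(stdout),
			"stderr":  string(stderr),
			"error":   err,
		}).Error("TrafPol could not run add portal ports command")
	}
}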
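// removePortalPorts removes ports for a captive portal from the allowed ports.
//
// The "TrafPolRemovePortalPorts" command template is rendered with conf and
// the resulting commands are run in order. If the template cannot be
// rendered, the error is logged and nothing is executed. A failing command is
// logged together with the configured portal ports and its input and output
// but does not stop the remaining commands; failures caused by ctx
// cancellation are not logged.
func removePortalPorts(ctx context.Context, conf *daemoncfg.Config) {
	cmds, err := cmdtmpl.GetCmds("TrafPolRemovePortalPorts", conf)
	if err != nil {
		log.WithError(err).Error("TrafPol could not get remove portal ports commands")
		// do not fall through into the command loop after a failed
		// template expansion
		return
	}
	for _, c := range cmds {
		stdout, stderr, err := c.Run(ctx)
		if err == nil || errors.Is(err, context.Canceled) {
			continue
		}
		log.WithFields(log.Fields{
			"ports":   conf.TrafficPolicing.PortalPorts,
			"command": c.Cmd,
			"args":    c.Args,
			"stdin":   c.Stdin,
			"stdout":  string(stdout),
			"stderr":  string(stderr),
			"error":   err,
		}).Error("TrafPol could not run remove portal ports command")
	}
}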
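// cleanupFilterRules cleans up the filter rules after a failed shutdown.
//
// The "TrafPolCleanup" command template is rendered with conf and the
// resulting commands are run in order. If the template cannot be rendered,
// the error is logged and nothing is executed. Unlike the other functions in
// this file, a command that succeeds is reported as a warning, because it
// means leftover configuration was found and removed; a failing command is
// not logged at all (presumably there was nothing to clean up — confirm
// against the cleanup template).
func cleanupFilterRules(ctx context.Context, conf *daemoncfg.Config) {
	cmds, err := cmdtmpl.GetCmds("TrafPolCleanup", conf)
	if err != nil {
		log.WithError(err).Error("TrafPol could not get cleanup commands")
		// do not fall through into the command loop after a failed
		// template expansion
		return
	}
	for _, c := range cmds {
		if _, _, err := c.Run(ctx); err != nil {
			// failure is the expected outcome when there is nothing
			// left over; only a success is worth reporting
			continue
		}
		log.WithFields(log.Fields{
			"command": c.Cmd,
			"args":    c.Args,
			"stdin":   c.Stdin,
		}).Warn("TrafPol cleaned up configuration")
	}
}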