ResiLien/nebula
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

subnet support

Browse Source
This commit is contained in:
Ryan Huber
2019-12-12 16:34:17 +00:00
parent 2f77dfa703
commit 9333a8e3b7
16 changed files with 225 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
firewall.go
View File

@ -343,12 +343,17 @@ func AddFirewallRulesFromConfig(inbound bool, config *Config, fw FirewallInterfa
return nil
}
func (f *Firewall) Drop(packet []byte, fp FirewallPacket, incoming bool, c *cert.NebulaCertificate, caPool *cert.NebulaCAPool) bool {
func (f *Firewall) Drop(packet []byte, fp FirewallPacket, incoming bool, h *HostInfo, caPool *cert.NebulaCAPool) bool {
// Check if we spoke to this tuple, if we did then allow this packet
if f.inConns(packet, fp, incoming) {
return false
}
// Make sure remote address matches nebula certificate
if h.remoteCidr.Contains(fp.RemoteIP) == nil {
return true
}
// Make sure we are supposed to be handling this local ip address
if f.localIps.Contains(fp.LocalIP) == nil {
return true
@ -360,7 +365,7 @@ func (f *Firewall) Drop(packet []byte, fp FirewallPacket, incoming bool, c *cert
}
// We now know which firewall table to check against
if !table.match(fp, incoming, c, caPool) {
if !table.match(fp, incoming, h.ConnectionState.peerCert, caPool) {
return true
}