fix(machine): revert modifications
Using h.ListAllMachines also listed the current machine in the result. It's unnecessary (I don't know if it's harmful). Breaking the check out into `matchSourceAndDestinationWithRule` broke the tests. We have a specificity with the '*' destination that isn't symmetrical. I need to think of a better way to do this. It's too hard to read.
parent
5e167cc00a
commit
b3d0fb7a93
1 changed files with 11 additions and 14 deletions
25
machine.go
25
machine.go
|
@ -142,16 +142,6 @@ func containsAddresses(inputs []string, addrs MachineAddresses) bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
// matchSourceAndDestinationWithRule will check if source is authorized to communicate with destination through
|
|
||||||
// the given rule.
|
|
||||||
func matchSourceAndDestinationWithRule(rule tailcfg.FilterRule, source Machine, destination Machine) bool {
|
|
||||||
var dst []string
|
|
||||||
for _, d := range rule.DstPorts {
|
|
||||||
dst = append(dst, d.IP)
|
|
||||||
}
|
|
||||||
return (containsAddresses(rule.SrcIPs, source.IPAddresses) && containsAddresses(dst, destination.IPAddresses)) || containsString(dst, "*")
|
|
||||||
}
|
|
||||||
|
|
||||||
// getFilteredByACLPeerss should return the list of peers authorized to be accessed from machine.
|
// getFilteredByACLPeerss should return the list of peers authorized to be accessed from machine.
|
||||||
func (h *Headscale) getFilteredByACLPeers(machine *Machine) (Machines, error) {
|
func (h *Headscale) getFilteredByACLPeers(machine *Machine) (Machines, error) {
|
||||||
log.Trace().
|
log.Trace().
|
||||||
|
@ -159,9 +149,10 @@ func (h *Headscale) getFilteredByACLPeers(machine *Machine) (Machines, error) {
|
||||||
Str("machine", machine.Name).
|
Str("machine", machine.Name).
|
||||||
Msg("Finding peers filtered by ACLs")
|
Msg("Finding peers filtered by ACLs")
|
||||||
|
|
||||||
machines, err := h.ListAllMachines()
|
machines := Machines{}
|
||||||
if err != nil {
|
if err := h.db.Preload("Namespace").Where("machine_key <> ? AND registered",
|
||||||
log.Error().Err(err).Msg("Error retrieving list of machines")
|
machine.MachineKey).Find(&machines).Error; err != nil {
|
||||||
|
log.Error().Err(err).Msg("Error accessing db")
|
||||||
return Machines{}, err
|
return Machines{}, err
|
||||||
}
|
}
|
||||||
peers := make(map[uint64]Machine)
|
peers := make(map[uint64]Machine)
|
||||||
|
@ -185,7 +176,13 @@ func (h *Headscale) getFilteredByACLPeers(machine *Machine) (Machines, error) {
|
||||||
|
|
||||||
for _, peer := range machines {
|
for _, peer := range machines {
|
||||||
for _, rule := range h.aclRules {
|
for _, rule := range h.aclRules {
|
||||||
if matchSourceAndDestinationWithRule(rule, *machine, peer) || matchSourceAndDestinationWithRule(rule, peer, *machine) {
|
var dst []string
|
||||||
|
for _, d := range rule.DstPorts {
|
||||||
|
dst = append(dst, d.IP)
|
||||||
|
}
|
||||||
|
if (containsAddresses(rule.SrcIPs, machine.IPAddresses) && (containsAddresses(dst, peer.IPAddresses) || containsString(dst, "*"))) || (
|
||||||
|
// open return path
|
||||||
|
containsAddresses(rule.SrcIPs, peer.IPAddresses) && containsAddresses(dst, machine.IPAddresses)) {
|
||||||
peers[peer.ID] = peer
|
peers[peer.ID] = peer
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
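Review bot: The return-path branch restored in the third hunk, `containsAddresses(rule.SrcIPs, peer.IPAddresses) && containsAddresses(dst, machine.IPAddresses)`, does not honour a `"*"` destination, so a peer authorised by a rule of the form src=peer, dst=`*` is only added to `peers` if some other rule happens to match; the commit message acknowledges the asymmetry but the code does not, so a comment on the `// open return path` line such as `// NOTE: wildcard ("*") destinations are deliberately not matched on the return path — confirm this is intended` would keep the next reader from "fixing" it blindly. The `dst` slice built from `rule.DstPorts` depends only on `rule`, yet it is rebuilt for every `peer` in the outer loop; precomputing one destination list per rule before ranging over `machines` would remove that repeated allocation without changing the match semantics. In the second hunk the query `Where("machine_key <> ? AND registered", machine.MachineKey)` is correctly parameterised, though the error is both logged and returned, which will produce a duplicate entry if the caller logs it too. The body of getFilteredByACLPeers continues outside the third hunk.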