2020-11-09 21:22:36 -08:00
|
|
|
// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
|
|
|
|
// Use of this source code is governed by a BSD-style
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
|
|
|
package filter
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
|
|
|
|
"inet.af/netaddr"
|
|
|
|
"tailscale.com/tailcfg"
|
|
|
|
)
|
|
|
|
|
|
|
|
// MatchesFromFilterRules converts tailcfg FilterRules into Matches.
|
|
|
|
// If an error is returned, the Matches result is still valid,
|
|
|
|
// containing the rules that were successfully converted.
|
2020-11-09 21:33:41 -08:00
|
|
|
func MatchesFromFilterRules(pf []tailcfg.FilterRule) ([]Match, error) {
|
2020-11-09 21:22:36 -08:00
|
|
|
mm := make([]Match, 0, len(pf))
|
|
|
|
var erracc error
|
|
|
|
|
|
|
|
for _, r := range pf {
|
|
|
|
m := Match{}
|
|
|
|
|
|
|
|
for i, s := range r.SrcIPs {
|
|
|
|
bits := 32
|
|
|
|
if len(r.SrcBits) > i {
|
|
|
|
bits = r.SrcBits[i]
|
|
|
|
}
|
2020-11-12 14:14:11 -08:00
|
|
|
nets, err := parseIP(s, bits)
|
2020-11-09 21:22:36 -08:00
|
|
|
if err != nil && erracc == nil {
|
|
|
|
erracc = err
|
|
|
|
continue
|
|
|
|
}
|
2020-11-12 14:14:11 -08:00
|
|
|
m.Srcs = append(m.Srcs, nets...)
|
2020-11-09 21:22:36 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
for _, d := range r.DstPorts {
|
|
|
|
bits := 32
|
|
|
|
if d.Bits != nil {
|
|
|
|
bits = *d.Bits
|
|
|
|
}
|
2020-11-12 14:14:11 -08:00
|
|
|
nets, err := parseIP(d.IP, bits)
|
2020-11-09 21:22:36 -08:00
|
|
|
if err != nil && erracc == nil {
|
|
|
|
erracc = err
|
|
|
|
continue
|
|
|
|
}
|
2020-11-12 14:14:11 -08:00
|
|
|
for _, net := range nets {
|
|
|
|
m.Dsts = append(m.Dsts, NetPortRange{
|
|
|
|
Net: net,
|
|
|
|
Ports: PortRange{
|
|
|
|
First: d.Ports.First,
|
|
|
|
Last: d.Ports.Last,
|
|
|
|
},
|
|
|
|
})
|
|
|
|
}
|
2020-11-09 21:22:36 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
mm = append(mm, m)
|
|
|
|
}
|
|
|
|
return mm, erracc
|
|
|
|
}
|
|
|
|
|
2020-11-10 23:23:17 -08:00
|
|
|
var (
|
|
|
|
zeroIP4 = netaddr.IPv4(0, 0, 0, 0)
|
|
|
|
zeroIP6 = netaddr.IPFrom16([16]byte{})
|
|
|
|
)
|
|
|
|
|
2020-11-12 14:14:11 -08:00
|
|
|
func parseIP(host string, defaultBits int) ([]netaddr.IPPrefix, error) {
|
2020-11-09 21:22:36 -08:00
|
|
|
if host == "*" {
|
|
|
|
// User explicitly requested wildcard dst ip.
|
2020-11-12 14:14:11 -08:00
|
|
|
return []netaddr.IPPrefix{
|
|
|
|
{IP: zeroIP4, Bits: 0},
|
|
|
|
{IP: zeroIP6, Bits: 0},
|
|
|
|
}, nil
|
2020-11-09 21:22:36 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
ip, err := netaddr.ParseIP(host)
|
|
|
|
if err != nil {
|
2020-11-12 14:14:11 -08:00
|
|
|
return nil, fmt.Errorf("ports=%#v: invalid IP address", host)
|
2020-11-09 21:22:36 -08:00
|
|
|
}
|
2020-11-10 23:23:17 -08:00
|
|
|
if ip == zeroIP4 {
|
2020-11-09 21:22:36 -08:00
|
|
|
// For clarity, reject 0.0.0.0 as an input
|
2020-11-12 14:14:11 -08:00
|
|
|
return nil, fmt.Errorf("ports=%#v: to allow all IP addresses, use *:port, not 0.0.0.0:port", host)
|
2020-11-09 21:22:36 -08:00
|
|
|
}
|
2020-11-10 23:23:17 -08:00
|
|
|
if ip == zeroIP6 {
|
|
|
|
// For clarity, reject :: as an input
|
2020-11-12 14:14:11 -08:00
|
|
|
return nil, fmt.Errorf("ports=%#v: to allow all IP addresses, use *:port, not [::]:port", host)
|
2020-11-09 21:22:36 -08:00
|
|
|
}
|
2020-11-10 23:23:17 -08:00
|
|
|
|
|
|
|
if defaultBits < 0 || (ip.Is4() && defaultBits > 32) || (ip.Is6() && defaultBits > 128) {
|
2020-11-12 14:14:11 -08:00
|
|
|
return nil, fmt.Errorf("invalid CIDR size %d for host %q", defaultBits, host)
|
2020-11-09 21:22:36 -08:00
|
|
|
}
|
2020-11-12 14:14:11 -08:00
|
|
|
return []netaddr.IPPrefix{
|
|
|
|
{
|
|
|
|
IP: ip,
|
|
|
|
Bits: uint8(defaultBits),
|
|
|
|
},
|
2020-11-09 21:22:36 -08:00
|
|
|
}, nil
|
|
|
|
}
|