1
0
mirror of https://github.com/juanfont/headscale.git synced 2024-12-20 19:09:07 +01:00

Load ACL policy on headscale startup

This commit is contained in:
Juan Font 2021-07-04 13:24:05 +02:00
parent 401e6aec32
commit 202d6b506f
4 changed files with 18 additions and 3 deletions

View File

@ -22,7 +22,7 @@ const errorInvalidTag = Error("invalid tag")
const errorInvalidNamespace = Error("invalid namespace") const errorInvalidNamespace = Error("invalid namespace")
const errorInvalidPortFormat = Error("invalid port format") const errorInvalidPortFormat = Error("invalid port format")
func (h *Headscale) LoadPolicy(path string) error { func (h *Headscale) LoadAclPolicy(path string) error {
policyFile, err := os.Open(path) policyFile, err := os.Open(path)
if err != nil { if err != nil {
return err return err
@ -40,7 +40,12 @@ func (h *Headscale) LoadPolicy(path string) error {
} }
h.aclPolicy = &policy h.aclPolicy = &policy
return err rules, err := h.generateACLRules()
if err != nil {
return err
}
h.aclRules = rules
return nil
} }
func (h *Headscale) generateACLRules() (*[]tailcfg.FilterRule, error) { func (h *Headscale) generateACLRules() (*[]tailcfg.FilterRule, error) {

2
api.go
View File

@ -373,7 +373,7 @@ func (h *Headscale) getMapResponse(mKey wgkey.Key, req tailcfg.MapRequest, m Mac
DNS: []netaddr.IP{}, DNS: []netaddr.IP{},
SearchPaths: []string{}, SearchPaths: []string{},
Domain: "foobar@example.com", Domain: "foobar@example.com",
PacketFilter: tailcfg.FilterAllowAll, PacketFilter: *h.aclRules,
DERPMap: h.cfg.DerpMap, DERPMap: h.cfg.DerpMap,
UserProfiles: []tailcfg.UserProfile{}, UserProfiles: []tailcfg.UserProfile{},
} }

3
app.go
View File

@ -50,6 +50,7 @@ type Headscale struct {
privateKey *wgkey.Private privateKey *wgkey.Private
aclPolicy *ACLPolicy aclPolicy *ACLPolicy
aclRules *[]tailcfg.FilterRule
pollMu sync.Mutex pollMu sync.Mutex
clientsPolling map[uint64]chan []byte // this is by all means a hackity hack clientsPolling map[uint64]chan []byte // this is by all means a hackity hack
@ -84,7 +85,9 @@ func NewHeadscale(cfg Config) (*Headscale, error) {
dbString: dbString, dbString: dbString,
privateKey: privKey, privateKey: privKey,
publicKey: &pubKey, publicKey: &pubKey,
aclRules: &tailcfg.FilterAllowAll, // default allowall
} }
err = h.initDB() err = h.initDB()
if err != nil { if err != nil {
return nil, err return nil, err

View File

@ -119,6 +119,13 @@ func getHeadscaleApp() (*headscale.Headscale, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
// We are doing this here, as in the future could be cool to have it also hot-reload
err = h.LoadAclPolicy(absPath(viper.GetString("acl_policy_path")))
if err != nil {
log.Printf("Could not load the ACL policy: %s", err)
}
return h, nil return h, nil
} }