Fix opening on TCP ports on GCE for inlets-pro
This PR will now allow for all TCP traffic through
the inlets-pro exit node
If a firewall rule named 'inlets' (for inlets or inlets-pro) already
exists, it is updated with the rules required, depending on whether
the user passes the `--remote-tcp` flag (inlets-pro) to the
`inletsctl create` command

Fixes inlets#44
Fixes inlets#56

Signed-off-by: Utsav Anand <[email protected]>
utsavanand2 authored and zechen0 committed Feb 25, 2020
1 parent 58be8c3 commit 13bb005
Showing 4 changed files with 49 additions and 36 deletions.
1 change: 1 addition & 0 deletions .gitignore
@@ -1,3 +1,4 @@
/inletsctl
/bin/**
.idea/
.DS_Store
1 change: 1 addition & 0 deletions cmd/create.go
Expand Up @@ -321,6 +321,7 @@ func createHost(provider, name, region, zone, projectID, userData, inletsPort st
"zone": zone,
"firewall-name": "inlets",
"firewall-port": inletsPort,
"pro": fmt.Sprint(pro),
},
}, nil
} else if provider == "ec2" {
1 change: 0 additions & 1 deletion go.mod
Expand Up @@ -22,7 +22,6 @@ require (
github.com/spf13/cobra v0.0.5
github.com/spf13/pflag v1.0.5
go.opencensus.io v0.22.2 // indirect
golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5 // indirect
golang.org/x/net v0.0.0-20191126235420-ef20fe5d7933 // indirect
golang.org/x/oauth2 v0.0.0-20191122200657-5d9234df094c
golang.org/x/sys v0.0.0-20191128015809-6d18c012aee9 // indirect
82 changes: 47 additions & 35 deletions pkg/provision/gce.go
Expand Up @@ -93,17 +93,9 @@ func (p *GCEProvisioner) Provision(host BasicHost) (*ProvisionedHost, error) {
},
}

exists, _ := p.gceFirewallExists(host.Additional["projectid"], host.Additional["firewall-name"], host.Additional["firewall-port"])

if !exists {
err := p.createInletsFirewallRule(host.Additional["projectid"], host.Additional["firewall-name"], host.Additional["firewall-port"])
log.Println("inlets firewallRule does not exist")
if err != nil {
return nil, fmt.Errorf("could not create inlets firewall rule: %v", err)
}
log.Printf("Creating inlets firewallRule opening port: %s\n", host.Additional["firewall-port"])
} else {
log.Println("inlets firewallRule exists")
err := p.createInletsFirewallRule(host.Additional["projectid"], host.Additional["firewall-name"], host.Additional["firewall-port"], host.Additional["pro"])
if err != nil {
return nil, err
}

op, err := p.gceProvisioner.Instances.Insert(host.Additional["projectid"], host.Additional["zone"], instance).Do()
Expand All @@ -116,53 +108,73 @@ func (p *GCEProvisioner) Provision(host BasicHost) (*ProvisionedHost, error) {
if op.Status == gceHostRunning {
status = ActiveStatus
}

return &ProvisionedHost{
ID: toGCEID(host.Name, host.Additional["zone"], host.Additional["projectid"]),
Status: status,
}, nil
}

// gceFirewallExists checks if the inlets firewall rule exists or not
func (p *GCEProvisioner) gceFirewallExists(projectID string, firewallRuleName string, controlPort string) (bool, error) {
func (p *GCEProvisioner) gceFirewallExists(projectID string, firewallRuleName string) (bool, error) {
op, err := p.gceProvisioner.Firewalls.Get(projectID, firewallRuleName).Do()
if err != nil {
return false, fmt.Errorf("could not get inlets firewall rule: %v", err)
}
if op.Name == firewallRuleName {
for _, firewallRule := range op.Allowed {
for _, port := range firewallRule.Ports {
if port == controlPort {
return true, nil
}
}
}
return true, nil
}
return false, nil
}

// createInletsFirewallRule creates a firewall rule opening up the control port for inlets
func (p *GCEProvisioner) createInletsFirewallRule(projectID string, firewallRuleName string, controlPort string) error {
firewallRule := &compute.Firewall{
Name: firewallRuleName,
Description: "Firewall rule created by inlets-operator",
Network: fmt.Sprintf("projects/%s/global/networks/default", projectID),
Allowed: []*compute.FirewallAllowed{
{
IPProtocol: "tcp",
Ports: []string{controlPort},
func (p *GCEProvisioner) createInletsFirewallRule(projectID string, firewallRuleName string, controlPort string, pro string) error {
var firewallRule *compute.Firewall
if pro == "true" {
firewallRule = &compute.Firewall{
Name: firewallRuleName,
Description: "Firewall rule created by inlets-operator",
Network: fmt.Sprintf("projects/%s/global/networks/default", projectID),
Allowed: []*compute.FirewallAllowed{
{
IPProtocol: "tcp",
},
},
},
SourceRanges: []string{"0.0.0.0/0"},
Direction: "INGRESS",
TargetTags: []string{"inlets"},
SourceRanges: []string{"0.0.0.0/0"},
Direction: "INGRESS",
TargetTags: []string{"inlets"},
}
} else {
firewallRule = &compute.Firewall{
Name: firewallRuleName,
Description: "Firewall rule created by inlets-operator",
Network: fmt.Sprintf("projects/%s/global/networks/default", projectID),
Allowed: []*compute.FirewallAllowed{
{
IPProtocol: "tcp",
Ports: []string{controlPort, "80", "443"},
},
},
SourceRanges: []string{"0.0.0.0/0"},
Direction: "INGRESS",
TargetTags: []string{"inlets"},
}
}

exists, _ := p.gceFirewallExists(projectID, firewallRuleName)
if exists {
log.Println("inlets firewallRule exists, updating firewall-rules")
_, err := p.gceProvisioner.Firewalls.Update(projectID, firewallRuleName, firewallRule).Do()
if err != nil {
return fmt.Errorf("could not update inlets firewall rule: %v", err)
}
return nil
}

_, err := p.gceProvisioner.Firewalls.Insert(projectID, firewallRule).Do()
log.Println("creating inlets firewallRule")
if err != nil {
return fmt.Errorf("could not create firewall rule: %v", err)
return fmt.Errorf("could not create inlets firewall rule: %v", err)
}

return nil
}

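Review bot: The discarded error at `exists, _ := p.gceFirewallExists(projectID, firewallRuleName)` in createInletsFirewallRule turns every Firewalls.Get failure (permission denied, network, quota) into "rule absent", so the code falls through to Firewalls.Insert and the operator sees a misleading "could not create inlets firewall rule" error instead of the real cause. Because gceFirewallExists wraps a not-found into the same error shape as any other failure, the caller cannot tell them apart; inside gceFirewallExists, return `false, nil` only for a not-found response — for example `if gerr, ok := err.(*googleapi.Error); ok && gerr.Code == 404 { return false, nil }`, assuming the package already imports google.golang.org/api/googleapi — and have createInletsFirewallRule propagate any other error rather than ignore it. A second point deserves a comment above `if pro == "true"`: the rule name comes from the fixed "inlets" key in create.go and the rule targets every instance tagged `inlets`, so `Firewalls.Update` with an Allowed entry that carries no Ports opens every TCP port from 0.0.0.0/0 on all previously provisioned exit nodes in the project, and a later create without `--remote-tcp` narrows them all back to the control port, 80 and 443; suggest `// NOTE: the "inlets" rule is project-wide and shared by every host tagged "inlets"; the most recent inletsctl create decides its port set for all of them.`. The `pro == "true"` comparison also depends on create.go producing exactly that literal via fmt.Sprint(pro); `strconv.ParseBool(pro)` would make the contract explicit. The Provision function's start lies outside the first hunk of this file.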