mirror of
https://github.com/fosrl/pangolin.git
synced 2026-02-10 20:02:26 +00:00
Disable icmp packets over private resources
This commit is contained in:
Owen
@@ -215,7 +215,8 @@ export const siteResources = pgTable("siteResources", {
|
||||
alias: varchar("alias"),
|
||||
aliasAddress: varchar("aliasAddress"),
|
||||
tcpPortRangeString: varchar("tcpPortRangeString"),
|
||||
udpPortRangeString: varchar("udpPortRangeString")
|
||||
udpPortRangeString: varchar("udpPortRangeString"),
|
||||
disableIcmp: boolean("disableIcmp").notNull().default(false)
|
||||
});
|
||||
|
||||
export const clientSiteResources = pgTable("clientSiteResources", {
|
||||
|
||||
@@ -236,7 +236,8 @@ export const siteResources = sqliteTable("siteResources", {
|
||||
alias: text("alias"),
|
||||
aliasAddress: text("aliasAddress"),
|
||||
tcpPortRangeString: text("tcpPortRangeString"),
|
||||
udpPortRangeString: text("udpPortRangeString")
|
||||
udpPortRangeString: text("udpPortRangeString"),
|
||||
disableIcmp: integer("disableIcmp", { mode: "boolean" })
|
||||
});
|
||||
|
||||
export const clientSiteResources = sqliteTable("clientSiteResources", {
|
||||
|
||||
@@ -466,6 +466,7 @@ export function generateAliasConfig(allSiteResources: SiteResource[]): Alias[] {
|
||||
export type SubnetProxyTarget = {
|
||||
sourcePrefix: string; // must be a cidr
|
||||
destPrefix: string; // must be a cidr
|
||||
disableIcmp?: boolean;
|
||||
rewriteTo?: string; // must be a cidr
|
||||
portRange?: {
|
||||
min: number;
|
||||
@@ -504,6 +505,7 @@ export function generateSubnetProxyTargets(
|
||||
...parsePortRangeString(siteResource.tcpPortRangeString, "tcp"),
|
||||
...parsePortRangeString(siteResource.udpPortRangeString, "udp")
|
||||
];
|
||||
const disableIcmp = siteResource.disableIcmp ?? false;
|
||||
|
||||
if (siteResource.mode == "host") {
|
||||
let destination = siteResource.destination;
|
||||
@@ -515,7 +517,8 @@ export function generateSubnetProxyTargets(
|
||||
targets.push({
|
||||
sourcePrefix: clientPrefix,
|
||||
destPrefix: destination,
|
||||
portRange
|
||||
portRange,
|
||||
disableIcmp
|
||||
});
|
||||
}
|
||||
|
||||
@@ -525,14 +528,16 @@ export function generateSubnetProxyTargets(
|
||||
sourcePrefix: clientPrefix,
|
||||
destPrefix: `${siteResource.aliasAddress}/32`,
|
||||
rewriteTo: destination,
|
||||
portRange
|
||||
portRange,
|
||||
disableIcmp
|
||||
});
|
||||
}
|
||||
} else if (siteResource.mode == "cidr") {
|
||||
targets.push({
|
||||
sourcePrefix: clientPrefix,
|
||||
destPrefix: siteResource.destination,
|
||||
portRange
|
||||
portRange,
|
||||
disableIcmp
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
@@ -47,7 +47,8 @@ const createSiteResourceSchema = z
|
||||
roleIds: z.array(z.int()),
|
||||
clientIds: z.array(z.int()),
|
||||
tcpPortRangeString: portRangeStringSchema,
|
||||
udpPortRangeString: portRangeStringSchema
|
||||
udpPortRangeString: portRangeStringSchema,
|
||||
disableIcmp: z.boolean().optional()
|
||||
})
|
||||
.strict()
|
||||
.refine(
|
||||
@@ -158,7 +159,8 @@ export async function createSiteResource(
|
||||
roleIds,
|
||||
clientIds,
|
||||
tcpPortRangeString,
|
||||
udpPortRangeString
|
||||
udpPortRangeString,
|
||||
disableIcmp
|
||||
} = parsedBody.data;
|
||||
|
||||
// Verify the site exists and belongs to the org
|
||||
@@ -245,7 +247,8 @@ export async function createSiteResource(
|
||||
alias,
|
||||
aliasAddress,
|
||||
tcpPortRangeString,
|
||||
udpPortRangeString
|
||||
udpPortRangeString,
|
||||
disableIcmp
|
||||
})
|
||||
.returning();
|
||||
|
||||
|
||||
@@ -99,6 +99,7 @@ export async function listAllSiteResourcesByOrg(
|
||||
alias: siteResources.alias,
|
||||
tcpPortRangeString: siteResources.tcpPortRangeString,
|
||||
udpPortRangeString: siteResources.udpPortRangeString,
|
||||
disableIcmp: siteResources.disableIcmp,
|
||||
siteName: sites.name,
|
||||
siteNiceId: sites.niceId,
|
||||
siteAddress: sites.address
|
||||
|
||||
@@ -58,7 +58,8 @@ const updateSiteResourceSchema = z
|
||||
roleIds: z.array(z.int()),
|
||||
clientIds: z.array(z.int()),
|
||||
tcpPortRangeString: portRangeStringSchema,
|
||||
udpPortRangeString: portRangeStringSchema
|
||||
udpPortRangeString: portRangeStringSchema,
|
||||
disableIcmp: z.boolean().optional()
|
||||
})
|
||||
.strict()
|
||||
.refine(
|
||||
@@ -165,7 +166,8 @@ export async function updateSiteResource(
|
||||
roleIds,
|
||||
clientIds,
|
||||
tcpPortRangeString,
|
||||
udpPortRangeString
|
||||
udpPortRangeString,
|
||||
disableIcmp
|
||||
} = parsedBody.data;
|
||||
|
||||
const [site] = await db
|
||||
@@ -233,7 +235,8 @@ export async function updateSiteResource(
|
||||
enabled: enabled,
|
||||
alias: alias && alias.trim() ? alias : null,
|
||||
tcpPortRangeString: tcpPortRangeString,
|
||||
udpPortRangeString: udpPortRangeString
|
||||
udpPortRangeString: udpPortRangeString,
|
||||
disableIcmp: disableIcmp
|
||||
})
|
||||
.where(
|
||||
and(
|
||||
@@ -357,8 +360,12 @@ export async function handleMessagingForUpdatedSiteResource(
|
||||
existingSiteResource.alias !== updatedSiteResource.alias;
|
||||
const portRangesChanged =
|
||||
existingSiteResource &&
|
||||
(existingSiteResource.tcpPortRangeString !== updatedSiteResource.tcpPortRangeString ||
|
||||
existingSiteResource.udpPortRangeString !== updatedSiteResource.udpPortRangeString);
|
||||
(existingSiteResource.tcpPortRangeString !==
|
||||
updatedSiteResource.tcpPortRangeString ||
|
||||
existingSiteResource.udpPortRangeString !==
|
||||
updatedSiteResource.udpPortRangeString ||
|
||||
existingSiteResource.disableIcmp !==
|
||||
updatedSiteResource.disableIcmp);
|
||||
|
||||
// if the existingSiteResource is undefined (new resource) we don't need to do anything here, the rebuild above handled it all
|
||||
|
||||
|
||||
Reference in New Issue
Block a user