author | Henning Baldersheim <balder@yahoo-inc.com> | 2023-01-16 18:46:54 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-01-16 18:46:54 +0100 |
commit | 09f909cb7f2c8468236e1403a094696801ea7518 (patch) | |
tree | 8224dad91c21ba7b897e5936eb3a4a8359d0a48f /node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java | |
parent | c18caefd28001e38c49b3ba2f1cbd1ca030062c5 (diff) | |
parent | 2dd2e2b0be165492d1609f3a84eab29b3f1d2324 (diff) |
Merge pull request #25590 from vespa-engine/revert-25588-revert-25586-andreer/wg-wip-3v8.111.27
Reapply "open wireguard port for config servers"
Diffstat (limited to 'node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java')
-rw-r--r-- | node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java | 32 |
1 files changed, 24 insertions, 8 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
index 87dd42d8008..311a95e1a12 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/configserver/noderepository/Acl.java
@@ -23,25 +23,28 @@ import java.util.stream.Collectors;
  */
 public class Acl {
 
-    public static final Acl EMPTY = new Acl(Set.of(), Set.of(), Set.of());
+    public static final Acl EMPTY = new Acl(Set.of(), Set.of(), Set.of(), Set.of());
 
     private final Set<Node> trustedNodes;
     private final Set<Integer> trustedPorts;
+    private final Set<Integer> trustedUdpPorts;
     private final Set<String> trustedNetworks;
 
     /**
-     * @param trustedPorts Ports to trust
+     * @param trustedPorts TCP Ports to trust
+     * @param trustedUdpPorts UDP ports to trust
      * @param trustedNodes Nodes to trust
      * @param trustedNetworks Networks (in CIDR notation) to trust
      */
-    public Acl(Set<Integer> trustedPorts, Set<Node> trustedNodes, Set<String> trustedNetworks) {
+    public Acl(Set<Integer> trustedPorts, Set<Integer> trustedUdpPorts, Set<Node> trustedNodes, Set<String> trustedNetworks) {
         this.trustedNodes = copyOfNullable(trustedNodes);
         this.trustedPorts = copyOfNullable(trustedPorts);
+        this.trustedUdpPorts = copyOfNullable(trustedUdpPorts);
         this.trustedNetworks = copyOfNullable(trustedNetworks);
     }
 
     public Acl(Set<Integer> trustedPorts, Set<Node> trustedNodes) {
-        this(trustedPorts, trustedNodes, Set.of());
+        this(trustedPorts, Set.of(), trustedNodes, Set.of());
     }
 
     public List<String> toRules(IPVersion ipVersion) {
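Review bot: The new constructor takes two adjacent `Set<Integer>` parameters (TCP ports, then UDP ports), so a call site updated by inserting the new argument in the wrong position still compiles but silently emits the TCP set as a UDP accept rule and vice versa; the two-argument convenience constructor at the end of the hunk shows the intended order, but nothing enforces it. Consider stating this in the Javadoc, e.g. `* Callers should prefer {@link Builder}; the two port sets share a type and are easy to transpose.`, and keeping the two new port arguments named consistently in every call site the rest of the commit touches. The Javadoc also mixes `TCP Ports` with `UDP ports`; use `* @param trustedPorts TCP ports to trust`. copyOfNullable is not visible in the hunk, so whether a null UDP set becomes an empty set or fails is inferred from its name only.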
@@ -66,6 +69,11 @@ public class Acl {
             rules.add("-A INPUT -p tcp -m multiport --dports " + joinPorts(trustedPorts) + " -j ACCEPT");
         }
 
+        // Allow trusted UDP ports if any
+        if (!trustedUdpPorts.isEmpty()) {
+            rules.add("-A INPUT -p udp -m multiport --dports " + joinPorts(trustedUdpPorts) + " -j ACCEPT");
+        }
+
         // Allow traffic from trusted nodes, limited to specific ports, if any
         getTrustedNodes(ipVersion).stream()
                 .map(node -> {
@@ -113,8 +121,8 @@ public class Acl {
         return trustedPorts;
     }
 
-    public Set<Integer> getTrustedPorts(IPVersion ipVersion) {
-        return trustedPorts;
+    public Set<Integer> getTrustedUdpPorts() {
+        return trustedUdpPorts;
     }
 
     @Override
@@ -124,12 +132,13 @@ public class Acl {
         Acl acl = (Acl) o;
         return trustedNodes.equals(acl.trustedNodes) &&
                trustedPorts.equals(acl.trustedPorts) &&
+               trustedUdpPorts.equals(acl.trustedUdpPorts) &&
                trustedNetworks.equals(acl.trustedNetworks);
     }
 
     @Override
     public int hashCode() {
-        return Objects.hash(trustedNodes, trustedPorts, trustedNetworks);
+        return Objects.hash(trustedNodes, trustedPorts, trustedUdpPorts, trustedNetworks);
     }
 
     @Override
@@ -137,6 +146,7 @@ public class Acl {
         return "Acl{" +
                "trustedNodes=" + trustedNodes +
                ", trustedPorts=" + trustedPorts +
+               ", trustedUdpPorts=" + trustedUdpPorts +
                ", trustedNetworks=" + trustedNetworks +
                '}';
     }
@@ -175,6 +185,7 @@ public class Acl {
 
         private final Set<Node> trustedNodes = new HashSet<>();
         private final Set<Integer> trustedPorts = new HashSet<>();
+        private final Set<Integer> trustedUdpPorts = new HashSet<>();
         private final Set<String> trustedNetworks = new HashSet<>();
 
         public Builder() { }
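Review bot: The new UDP accept rule carries no source match, so the listed ports are reachable from any address on the INPUT chain, unlike the trusted-node rules that follow it which are scoped per source; the one-line comment should make that explicit so the next person adding a port understands the exposure, e.g. `// Allow trusted UDP ports from any source (not limited to trusted nodes/networks), if any`. This mirrors the TCP rule two lines above, so the same caveat applies there. If joinPorts does not split long sets, both rules inherit the iptables multiport limit of 15 port entries, which would surface only when the rule is applied; joinPorts is outside the hunk so that is an assumption. The enclosing toRules starts and ends outside this hunk.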
@@ -207,13 +218,18 @@ public class Acl {
             return this;
         }
 
+        public Builder withTrustedUdpPorts(Integer... ports) {
+            trustedUdpPorts.addAll(List.of(ports));
+            return this;
+        }
+
         public Builder withTrustedNetworks(Set<String> networks) {
             trustedNetworks.addAll(networks);
             return this;
         }
 
         public Acl build() {
-            return new Acl(trustedPorts, trustedNodes, trustedNetworks);
+            return new Acl(trustedPorts, trustedUdpPorts, trustedNodes, trustedNetworks);
         }
     } |
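Review bot: `withTrustedUdpPorts` accepts any `Integer` without a range check, so an out-of-range or negative value is stored and later concatenated into the `--dports` rule string, where it only fails when the firewall rules are applied rather than at configuration time; `List.of(ports)` also throws an unhelpful NullPointerException on a null element. A guard before the addAll would move the failure to the caller, e.g. `for (Integer port : ports) { if (port == null || port < 1 || port > 65535) throw new IllegalArgumentException("Invalid UDP port: " + port); }`. The TCP counterpart withTrustedPorts is outside the hunk and presumably has the same behaviour, so whichever validation is chosen should be applied to both for consistency. The method also lacks a Javadoc summary; a one-liner such as `/** Adds UDP ports that are accepted from any source, see {@link Acl#toRules}. */` would document the exposure at the call site.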