Cleanup route handling (#542)

* mikrotik: allow to set DNS, wip: handle routes in wg-controller * replace old route handling for local controller * cleanup route handling for local backend * implement route handling for mikrotik controller
2025-10-14 03:56:17 +00:00 · 2025-10-12 14:31:19 +02:00
parent 298c9405f6
commit cdf3a49801
19 changed files with 1116 additions and 803 deletions
--- a/internal/domain/interface.go
+++ b/internal/domain/interface.go
@@ -13,6 +13,7 @@ import (
 	"golang.org/x/sys/unix"

 	"github.com/h44z/wg-portal/internal"
+	"github.com/h44z/wg-portal/internal/config"
 )

 const (
@@ -132,17 +133,30 @@ func (i *Interface) GetConfigFileName() string {
 	return filename
 }

+// GetAllowedIPs returns the allowed IPs for the interface depending on the interface type and peers.
+// For example, if the interface type is Server, the allowed IPs are the IPs of the peers.
+// If the interface type is Client, the allowed IPs correspond to the AllowedIPsStr of the peers.
 func (i *Interface) GetAllowedIPs(peers []Peer) []Cidr {
 	var allowedCidrs []Cidr

-	for _, peer := range peers {
-		for _, ip := range peer.Interface.Addresses {
-			allowedCidrs = append(allowedCidrs, ip.HostAddr())
+	switch i.Type {
+	case InterfaceTypeServer, InterfaceTypeAny:
+		for _, peer := range peers {
+			for _, ip := range peer.Interface.Addresses {
+				allowedCidrs = append(allowedCidrs, ip.HostAddr())
+			}
+			if peer.ExtraAllowedIPsStr != "" {
+				extraIPs, err := CidrsFromString(peer.ExtraAllowedIPsStr)
+				if err == nil {
+					allowedCidrs = append(allowedCidrs, extraIPs...)
+				}
+			}
 		}
-		if peer.ExtraAllowedIPsStr != "" {
-			extraIPs, err := CidrsFromString(peer.ExtraAllowedIPsStr)
+	case InterfaceTypeClient:
+		for _, peer := range peers {
+			allowedIPs, err := CidrsFromString(peer.AllowedIPsStr.GetValue())
 			if err == nil {
-				allowedCidrs = append(allowedCidrs, extraIPs...)
+				allowedCidrs = append(allowedCidrs, allowedIPs...)
 			}
 		}
 	}
@@ -159,6 +173,7 @@ func (i *Interface) ManageRoutingTable() bool {
 //
 //	-1 if RoutingTable was set to "off" or an error occurred
 func (i *Interface) GetRoutingTable() int {
+
 	routingTableStr := strings.ToLower(i.RoutingTable)
 	switch {
 	case routingTableStr == "":
@@ -166,6 +181,9 @@ func (i *Interface) GetRoutingTable() int {
 	case routingTableStr == "off":
 		return -1
 	case strings.HasPrefix(routingTableStr, "0x"):
+		if i.Backend != config.LocalBackendName {
+			return 0 // ignore numeric routing table numbers for non-local controllers
+		}
 		numberStr := strings.ReplaceAll(routingTableStr, "0x", "")
 		routingTable, err := strconv.ParseUint(numberStr, 16, 64)
 		if err != nil {
@@ -178,6 +196,9 @@ func (i *Interface) GetRoutingTable() int {
 		}
 		return int(routingTable)
 	default:
+		if i.Backend != config.LocalBackendName {
+			return 0 // ignore numeric routing table numbers for non-local controllers
+		}
 		routingTable, err := strconv.Atoi(routingTableStr)
 		if err != nil {
 			slog.Error("failed to parse routing table number", "table", routingTableStr, "error", err)
@@ -308,12 +329,18 @@ func MergeToPhysicalInterface(pi *PhysicalInterface, i *Interface) {
 }

 type RoutingTableInfo struct {
-	FwMark uint32
-	Table  int
+	Interface  Interface
+	AllowedIps []Cidr
+	FwMark     uint32
+	Table      int
+	TableStr   string // the routing table number as string (used by mikrotik, linux uses the numeric value)
+	IsDeleted  bool   // true if the interface was deleted, false otherwise
 }

 func (r RoutingTableInfo) String() string {
-	return fmt.Sprintf("%d -> %d", r.FwMark, r.Table)
+	v4, v6 := CidrsPerFamily(r.AllowedIps)
+	return fmt.Sprintf("%s: fwmark=%d; table=%d; routes_4=%d; routes_6=%d", r.Interface.Identifier, r.FwMark, r.Table,
+		len(v4), len(v6))
 }

 func (r RoutingTableInfo) ManagementEnabled() bool {
--- a/internal/domain/interface_controller.go
+++ b/internal/domain/interface_controller.go
@@ -0,0 +1,27 @@
+package domain
+
+import "context"
+
+type InterfaceController interface {
+	GetId() InterfaceBackend
+	GetInterfaces(_ context.Context) ([]PhysicalInterface, error)
+	GetInterface(_ context.Context, id InterfaceIdentifier) (*PhysicalInterface, error)
+	GetPeers(_ context.Context, deviceId InterfaceIdentifier) ([]PhysicalPeer, error)
+	SaveInterface(
+		_ context.Context,
+		id InterfaceIdentifier,
+		updateFunc func(pi *PhysicalInterface) (*PhysicalInterface, error),
+	) error
+	DeleteInterface(_ context.Context, id InterfaceIdentifier) error
+	SavePeer(
+		_ context.Context,
+		deviceId InterfaceIdentifier,
+		id PeerIdentifier,
+		updateFunc func(pp *PhysicalPeer) (*PhysicalPeer, error),
+	) error
+	DeletePeer(_ context.Context, deviceId InterfaceIdentifier, id PeerIdentifier) error
+	PingAddresses(
+		ctx context.Context,
+		addr string,
+	) (*PingerResult, error)
+}
--- a/internal/domain/interface_test.go
+++ b/internal/domain/interface_test.go
@@ -5,6 +5,8 @@ import (
 	"time"

 	"github.com/stretchr/testify/assert"
+
+	"github.com/h44z/wg-portal/internal/config"
 )

 func TestInterface_IsDisabledReturnsTrueWhenDisabled(t *testing.T) {
@@ -37,8 +39,9 @@ func TestInterface_GetConfigFileNameReturnsCorrectFileName(t *testing.T) {
 	assert.Equal(t, expected, iface.GetConfigFileName())
 }

-func TestInterface_GetAllowedIPsReturnsCorrectCidrs(t *testing.T) {
+func TestInterface_GetAllowedIPsReturnsCorrectCidrsServerMode(t *testing.T) {
 	peer1 := Peer{
+		AllowedIPsStr: ConfigOption[string]{Value: "192.168.2.2/32"},
 		Interface: PeerInterfaceConfig{
 			Addresses: []Cidr{
 				{Cidr: "192.168.1.2/32", Addr: "192.168.1.2", NetLength: 32},
@@ -46,16 +49,45 @@ func TestInterface_GetAllowedIPsReturnsCorrectCidrs(t *testing.T) {
 		},
 	}
 	peer2 := Peer{
+		AllowedIPsStr:      ConfigOption[string]{Value: "10.0.2.2/32"},
+		ExtraAllowedIPsStr: "10.20.2.2/32",
 		Interface: PeerInterfaceConfig{
 			Addresses: []Cidr{
 				{Cidr: "10.0.0.2/32", Addr: "10.0.0.2", NetLength: 32},
 			},
 		},
 	}
-	iface := &Interface{}
+	iface := &Interface{Type: InterfaceTypeServer}
 	expected := []Cidr{
 		{Cidr: "192.168.1.2/32", Addr: "192.168.1.2", NetLength: 32},
 		{Cidr: "10.0.0.2/32", Addr: "10.0.0.2", NetLength: 32},
+		{Cidr: "10.20.2.2/32", Addr: "10.20.2.2", NetLength: 32},
+	}
+	assert.Equal(t, expected, iface.GetAllowedIPs([]Peer{peer1, peer2}))
+}
+
+func TestInterface_GetAllowedIPsReturnsCorrectCidrsClientMode(t *testing.T) {
+	peer1 := Peer{
+		AllowedIPsStr: ConfigOption[string]{Value: "192.168.2.2/32"},
+		Interface: PeerInterfaceConfig{
+			Addresses: []Cidr{
+				{Cidr: "192.168.1.2/32", Addr: "192.168.1.2", NetLength: 32},
+			},
+		},
+	}
+	peer2 := Peer{
+		AllowedIPsStr:      ConfigOption[string]{Value: "10.0.2.2/32"},
+		ExtraAllowedIPsStr: "10.20.2.2/32",
+		Interface: PeerInterfaceConfig{
+			Addresses: []Cidr{
+				{Cidr: "10.0.0.2/32", Addr: "10.0.0.2", NetLength: 32},
+			},
+		},
+	}
+	iface := &Interface{Type: InterfaceTypeClient}
+	expected := []Cidr{
+		{Cidr: "192.168.2.2/32", Addr: "192.168.2.2", NetLength: 32},
+		{Cidr: "10.0.2.2/32", Addr: "10.0.2.2", NetLength: 32},
 	}
 	assert.Equal(t, expected, iface.GetAllowedIPs([]Peer{peer1, peer2}))
 }
@@ -66,10 +98,22 @@ func TestInterface_ManageRoutingTableReturnsCorrectValue(t *testing.T) {

 	iface.RoutingTable = "100"
 	assert.True(t, iface.ManageRoutingTable())
+
+	iface = &Interface{RoutingTable: "off", Backend: config.LocalBackendName}
+	assert.False(t, iface.ManageRoutingTable())
+
+	iface.RoutingTable = "100"
+	assert.True(t, iface.ManageRoutingTable())
+
+	iface = &Interface{RoutingTable: "off", Backend: "mikrotik-xxx"}
+	assert.False(t, iface.ManageRoutingTable())
+
+	iface.RoutingTable = "100"
+	assert.True(t, iface.ManageRoutingTable())
 }

 func TestInterface_GetRoutingTableReturnsCorrectValue(t *testing.T) {
-	iface := &Interface{RoutingTable: ""}
+	iface := &Interface{RoutingTable: "", Backend: config.LocalBackendName}
 	assert.Equal(t, 0, iface.GetRoutingTable())

 	iface.RoutingTable = "off"
@@ -81,3 +125,17 @@ func TestInterface_GetRoutingTableReturnsCorrectValue(t *testing.T) {
 	iface.RoutingTable = "200"
 	assert.Equal(t, 200, iface.GetRoutingTable())
 }
+
+func TestInterface_GetRoutingTableNonLocal(t *testing.T) {
+	iface := &Interface{RoutingTable: "off", Backend: "something different"}
+	assert.Equal(t, -1, iface.GetRoutingTable())
+
+	iface.RoutingTable = "0"
+	assert.Equal(t, 0, iface.GetRoutingTable())
+
+	iface.RoutingTable = "100"
+	assert.Equal(t, 0, iface.GetRoutingTable())
+
+	iface.RoutingTable = "abc"
+	assert.Equal(t, 0, iface.GetRoutingTable())
+}
--- a/internal/domain/ip.go
+++ b/internal/domain/ip.go
@@ -26,6 +26,10 @@ func (c Cidr) IsValid() bool {
 	return c.Prefix().IsValid()
 }

+func (c Cidr) EqualPrefix(other Cidr) bool {
+	return c.Addr == other.Addr && c.NetLength == other.NetLength
+}
+
 func CidrFromString(str string) (Cidr, error) {
 	prefix, err := netip.ParsePrefix(strings.TrimSpace(str))
 	if err != nil {
@@ -199,3 +203,26 @@ func (c Cidr) Contains(other Cidr) bool {

 	return subnet.Contains(otherIP)
 }
+
+// ContainsDefaultRoute returns true if the given CIDRs contain a default route.
+func ContainsDefaultRoute(cidrs []Cidr) bool {
+	for _, allowedIP := range cidrs {
+		if allowedIP.Prefix().Bits() == 0 {
+			return true
+		}
+	}
+
+	return false
+}
+
+// CidrsPerFamily returns a slice of CIDRs, one for each family (IPv4 and IPv6).
+func CidrsPerFamily(cidrs []Cidr) (ipv4, ipv6 []Cidr) {
+	for _, cidr := range cidrs {
+		if cidr.IsV4() {
+			ipv4 = append(ipv4, cidr)
+		} else {
+			ipv6 = append(ipv6, cidr)
+		}
+	}
+	return
+}