From 32987c5d31cf37d8d28d6e2fcd5fea770c65b0be Mon Sep 17 00:00:00 2001
From: Bartosz Oleaczek
Date: Tue, 17 Dec 2024 09:11:06 +0100
Subject: [PATCH] Make ip addresses/prefixes mutually exclusive
---
 daemon/vpn/nordlynx/kernel_space.go | 2 +-
 daemon/vpn/nordlynx/libtelio/libtelio.go | 4 +--
 daemon/vpn/nordlynx/user_space.go | 2 +-
 daemon/vpn/quench/libquench.go | 2 +-
 tunnel/tunnel.go | 37 +++++++++++-------------
 5 files changed, 22 insertions(+), 25 deletions(-)
diff --git a/daemon/vpn/nordlynx/kernel_space.go b/daemon/vpn/nordlynx/kernel_space.go
index bc2aa347..a9ed13ea 100644
--- a/daemon/vpn/nordlynx/kernel_space.go
+++ b/daemon/vpn/nordlynx/kernel_space.go
@@ -95,7 +95,7 @@ func (k *KernelSpace) Start(
 interfaceIps = append(interfaceIps, ipv6)
 }
- tun := tunnel.New(*iface, interfaceIps, nil)
+ tun := tunnel.New(*iface, interfaceIps, netip.Prefix{})
 k.tun = tun
 if err := pushConfig(tun.Interface(), conf); err != nil {
 if err := k.stop(); err != nil {
diff --git a/daemon/vpn/nordlynx/libtelio/libtelio.go b/daemon/vpn/nordlynx/libtelio/libtelio.go
index 09bf05b8..f531ace5 100644
--- a/daemon/vpn/nordlynx/libtelio/libtelio.go
+++ b/daemon/vpn/nordlynx/libtelio/libtelio.go
@@ -592,7 +592,7 @@ func (l *Libtelio) openTunnel(ip netip.Addr, privateKey string) (err error) {
 return fmt.Errorf("retrieving the interface: %w", err)
 }
- tun := tunnel.New(*iface, []netip.Addr{ip}, nil)
+ tun := tunnel.New(*iface, []netip.Addr{ip}, netip.Prefix{})
 err = tun.AddAddrs()
 if err != nil {
@@ -628,7 +628,7 @@ func (l *Libtelio) updateTunnel(privateKey string, ip netip.Addr) error {
 if err := l.tun.DelAddrs(); err != nil {
 return fmt.Errorf("deleting interface addrs: %w", err)
 }
- tun := tunnel.New(l.tun.Interface(), []netip.Addr{ip}, nil)
+ tun := tunnel.New(l.tun.Interface(), []netip.Addr{ip}, netip.Prefix{})
 if err := tun.AddAddrs(); err != nil {
 return fmt.Errorf("adding interface addrs: %w", err)
 }
diff --git a/daemon/vpn/nordlynx/user_space.go b/daemon/vpn/nordlynx/user_space.go
index add745fb..245cc4b4 100644
--- a/daemon/vpn/nordlynx/user_space.go
+++ b/daemon/vpn/nordlynx/user_space.go
@@ -128,7 +128,7 @@ func (u *UserSpace) Start(
 u.conn = conn
- tun := tunnel.New(*iface, interfaceIps, nil)
+ tun := tunnel.New(*iface, interfaceIps, netip.Prefix{})
 u.tun = tun
 if err := tun.AddAddrs(); err != nil {
 if err := u.stop(); err != nil {
diff --git a/daemon/vpn/quench/libquench.go b/daemon/vpn/quench/libquench.go
index 8f384f50..91aeaf76 100644
--- a/daemon/vpn/quench/libquench.go
+++ b/daemon/vpn/quench/libquench.go
@@ -137,7 +137,7 @@ func (q *Quench) Start(ctx context.Context, creds vpn.Credentials, server vpn.Se
 }
 ip := netip.MustParsePrefix(quenchInterfaceAddr)
- tun := tunnel.New(*iface, []netip.Addr{}, []netip.Prefix{ip})
+ tun := tunnel.New(*iface, []netip.Addr{}, ip)
 if err := tun.AddAddrs(); err != nil {
 return fmt.Errorf("setting up vinc: %w", err)
diff --git a/tunnel/tunnel.go b/tunnel/tunnel.go
index a7f705e0..cada20d0 100644
--- a/tunnel/tunnel.go
+++ b/tunnel/tunnel.go
@@ -33,13 +33,13 @@ type Tunnel struct {
 // might be a good idea to change this to a pointer now
 // so that we could see changes to the interface at real time
 // but this would need testing first to check if it actually works
- iface net.Interface
- ips []netip.Addr
- prefixes []netip.Prefix
+ iface net.Interface
+ ips []netip.Addr
+ prefix netip.Prefix
 }
-func New(iface net.Interface, ips []netip.Addr, prefixes []netip.Prefix) *Tunnel {
- return &Tunnel{iface: iface, ips: ips, prefixes: prefixes}
+func New(iface net.Interface, ips []netip.Addr, prefix netip.Prefix) *Tunnel {
+ return &Tunnel{iface: iface, ips: ips, prefix: prefix}
 }
 // Interface returns the underlying network interface.
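Review bot: `New` in tunnel/tunnel.go is exported without a doc comment, and nothing in this hunk states the contract the commit subject names, namely that `ips` and `prefix` are mutually exclusive. A caller can still pass a non-empty `ips` together with a valid `prefix`, and judging by the `cmdAddrs` hunk further down the prefix would then be skipped without any error. I would add `// New returns a Tunnel for iface that is configured with either ips or prefix; prefix is consulted only when ips is empty, and the zero netip.Prefix means "no prefix".` above `New`, plus a short `// used only when ips is empty` comment on the `prefix` field.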
@@ -106,22 +106,19 @@ func addDelAddr(cmd string, ifaceName string, addr string) ([]byte, error) {
 }
 func (t *Tunnel) cmdAddrs(cmd string) error {
- for _, ip := range t.ips {
- mask := 10 // unify with other platforms
- if ip.BitLen() > 32 {
- mask = ip.BitLen() // ipv6
- }
- out, err := addDelAddr(cmd, t.iface.Name, fmt.Sprintf("%s/%d", ip.String(), mask))
- if err != nil {
- return fmt.Errorf("%s IP address to interface: %s : %w", cmd, string(out), err)
- }
- }
-
- for _, prefix := range t.prefixes {
- out, err := addDelAddr(cmd, t.iface.Name, prefix.String())
- if err != nil {
- return fmt.Errorf("%s IP address to interface: %s : %w", cmd, string(out), err)
+ if len(t.ips) > 0 {
+ for _, ip := range t.ips {
+ mask := 10 // unify with other platforms
+ if ip.BitLen() > 32 {
+ mask = ip.BitLen() // ipv6
+ }
+ out, err := addDelAddr(cmd, t.iface.Name, fmt.Sprintf("%s/%d", ip.String(), mask))
+ if err != nil {
+ return fmt.Errorf("%s IP address to interface: %s : %w", cmd, string(out), err)
+ }
 }
+ } else {
+ addDelAddr(cmd, t.iface.Name, t.prefix.String())
 }
 return nil
 }
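Review bot: The new `else` branch of `cmdAddrs` discards both return values of `addDelAddr`, whereas the removed prefix loop wrapped and returned the error. A failure to add or delete the prefix address is therefore reported as success, so the `tun.AddAddrs()` error check at the quench call site presumably can no longer fire on this path, and the daemon may treat a tunnel interface with no address as configured. The branch also runs whenever `ips` is empty, including when the caller passed the zero `netip.Prefix{}`, whose `String()` is "invalid Prefix" and would be handed to the command as the address argument. I would guard on `t.prefix.IsValid()` and propagate the error as the address loop does.

```go
func (t *Tunnel) cmdAddrs(cmd string) error {
	if len(t.ips) > 0 {
		// … unchanged: per-address loop with mask selection and error wrapping …
	} else if t.prefix.IsValid() {
		// The zero Prefix means "no prefix"; never pass it to the command.
		out, err := addDelAddr(cmd, t.iface.Name, t.prefix.String())
		if err != nil {
			return fmt.Errorf("%s IP address to interface: %s : %w", cmd, string(out), err)
		}
	}
	// … unchanged: return nil …
```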