Improve fileshare monitoring job

Author: devzbysiu

daemon/jobs_test.go

@@ -36,6 +36,7 @@ func (failingLoginChecker) IsMFAEnabled() (bool, error) { return false, nil }
 func (failingLoginChecker) IsVPNExpired() (bool, error) {
 	return true, errors.New("IsVPNExpired error")
 }
+
 func (failingLoginChecker) GetDedicatedIPServices() ([]auth.DedicatedIPService, error) {
 	return nil, fmt.Errorf("Not implemented")
 }
@@ -128,6 +129,10 @@ func (n *meshNetworker) AllowFileshare(address meshnet.UniqueAddress) error {
 	return nil
 }
 
+func (n *meshNetworker) PermitFileshare() error {
+	return nil
+}
+
 func (n *meshNetworker) AllowIncoming(address meshnet.UniqueAddress, lanAllowed bool) error {
 	n.allowedIncoming = append(n.allowedIncoming, address)
 	return nil
@@ -138,6 +143,10 @@ func (n *meshNetworker) BlockIncoming(address meshnet.UniqueAddress) error {
 	return nil
 }
 
+func (n *meshNetworker) ForbidFileshare() error {
+	return nil
+}
+
 func (n *meshNetworker) BlockFileshare(address meshnet.UniqueAddress) error {
 	n.blockedFileshare = append(n.blockedFileshare, address)
 	return nil

go.sum

@@ -12,8 +12,6 @@ github.com/NordSecurity/gopenvpn v0.0.0-20230117114932-2252c52984b4 h1:2ozEjYEw4
 github.com/NordSecurity/gopenvpn v0.0.0-20230117114932-2252c52984b4/go.mod h1:tguhorMSnkMcQExNIHWBX6TRhFeGYlERzbeAWZ4j9Uw=
 github.com/NordSecurity/libdrop-go/v8 v8.0.0-20241017064027-670787595588 h1:L/nAbQXJGCOFqw1eTTRYEBKmiuaQQeS7b863+0Ifevw=
 github.com/NordSecurity/libdrop-go/v8 v8.0.0-20241017064027-670787595588/go.mod h1:SRYI0D0K6hSMBskvcB2/t/5ktSTNLPGbOvLaQ5p/sAE=
-github.com/NordSecurity/libtelio-go/v5 v5.1.4 h1:o2JbYad8sdRsljFAMZRVmkXGQ7kTVbS32P6TTDOTuL0=
-github.com/NordSecurity/libtelio-go/v5 v5.1.4/go.mod h1:mnoTGgXOu8dBQgPxG8MBju4d9C+ljKIT2p8OX5GFom4=
 github.com/NordSecurity/libtelio-go/v5 v5.1.5 h1:lwP7m2GJ+GkO1EDaRqm5ymDT/CtjIBC/1bN2CL55mnY=
 github.com/NordSecurity/libtelio-go/v5 v5.1.5/go.mod h1:mnoTGgXOu8dBQgPxG8MBju4d9C+ljKIT2p8OX5GFom4=
 github.com/NordSecurity/systray v0.0.0-20240327004800-3e3b59c1b83d h1:oUEFXgFRa9Svcjr+O1stzR3vEXZ5OfQxLUcDjqFcOuo=

meshnet/jobs.go

@@ -15,7 +15,7 @@ func (s *Server) StartJobs() {
 	}
 
 	if _, err := s.scheduler.NewJob(
-		gocron.DurationJob(5*time.Second),
+		gocron.DurationJob(500*time.Millisecond),
 		gocron.NewTask(JobMonitorFileshareProcess(s)),
 		gocron.WithName("job monitor fileshare process")); err != nil {
 		log.Println(internal.WarningPrefix, "job monitor fileshare process schedule error:", err)
@@ -39,32 +39,16 @@ func JobRefreshMeshnet(s *Server) func() error {
 }
 
 func JobMonitorFileshareProcess(s *Server) func() error {
-	oldState := false
 	return func() error {
 		if !s.isMeshOn() {
 			return nil
 		}
-		newState := internal.IsProcessRunning(internal.FileshareBinaryPath)
-		if newState == oldState {
-			// only state change triggers the modifications
-			return nil
-		}
-
-		log.Println(internal.InfoPrefix, "fileshare change to running", newState)
-		peers, err := s.listPeers()
-		if err != nil {
-			return err
-		}
 
-		isFileshareUp := newState
-		for _, peer := range peers {
-			if !isFileshareUp {
-				s.netw.BlockFileshare(UniqueAddress{UID: peer.PublicKey, Address: peer.Address})
-			} else {
-				s.netw.AllowFileshare(UniqueAddress{UID: peer.PublicKey, Address: peer.Address})
-			}
+		if internal.IsProcessRunning(internal.FileshareBinaryPath) {
+			s.netw.PermitFileshare()
+		} else {
+			s.netw.ForbidFileshare()
 		}
-		oldState = newState
 
 		return nil
 	}

meshnet/networker.go

@@ -28,8 +28,12 @@ type Networker interface {
 	BlockIncoming(UniqueAddress) error
 	// AllowFileshare creates a rule enabling fileshare port for the given address
 	AllowFileshare(UniqueAddress) error
+	// PermitFileshare creates a rules enabling fileshare port for all available peers and sets fileshare as permitted
+	PermitFileshare() error
 	// BlockFileshare removes a rule enabling fileshare port for the given address if it exists
 	BlockFileshare(UniqueAddress) error
+	// ForbidFileshare removes a rules enabling fileshare port for all available peers and sets fileshare as forbidden
+	ForbidFileshare() error
 	// ResetRouting is used when there are routing setting changes,
 	// except when routing is denied - then BlockRouting must be used. changedPeer is the peer whose routing settings
 	// changed, peers is the map of all the machine peers(including the changed peer).

meshnet/server_test.go

@@ -44,6 +44,7 @@ type meshRenewChecker struct {
 func (m meshRenewChecker) IsLoggedIn() bool {
 	return !m.IsNotLoggedIn
 }
+
 func (m meshRenewChecker) IsMFAEnabled() (bool, error) {
 	return false, nil
 }
@@ -92,6 +93,10 @@ func (n *workingNetworker) AllowFileshare(address UniqueAddress) error {
 	return nil
 }
 
+func (n *workingNetworker) PermitFileshare() error {
+	return nil
+}
+
 func (n *workingNetworker) AllowIncoming(address UniqueAddress, lanAllowed bool) error {
 	n.allowedIncoming = append(n.allowedIncoming, allowedIncoming{
 		address:    address,
@@ -111,6 +116,10 @@ func (n *workingNetworker) BlockFileshare(address UniqueAddress) error {
 	return nil
 }
 
+func (n *workingNetworker) ForbidFileshare() error {
+	return nil
+}
+
 func (n *workingNetworker) ResetRouting(changedPeer mesh.MachinePeer, peer mesh.MachinePeers) error {
 	n.resetPeers = append(n.resetPeers, changedPeer.PublicKey)
 

networker/networker.go

@@ -168,7 +168,8 @@ type Combined struct {
 	enableLocalTraffic bool
 	// list with the existing OS interfaces when VPN was connected.
 	// This is used at network changes to know when a new interface was inserted
-	interfaces mapset.Set[string]
+	interfaces           mapset.Set[string]
+	isFilesharePermitted bool
 }
 
 // NewCombined returns a ready made version of
@@ -1509,6 +1510,11 @@ func (netw *Combined) AllowFileshare(uniqueAddress meshnet.UniqueAddress) error
 }
 
 func (netw *Combined) allowFileshare(publicKey string, address netip.Addr) error {
+	if !netw.isFilesharePermitted {
+		log.Println(internal.WarningPrefix, "fileshare is not permitted, can't add allow rules")
+		return nil
+	}
+
 	ruleName := publicKey + "-allow-fileshare-rule-" + address.String()
 	rules := []firewall.Rule{{
 		Name:           ruleName,
@@ -1537,6 +1543,27 @@ func (netw *Combined) allowFileshare(publicKey string, address netip.Addr) error
 	return nil
 }
 
+func (netw *Combined) PermitFileshare() error {
+	netw.mu.Lock()
+	defer netw.mu.Unlock()
+	if netw.isFilesharePermitted {
+		return nil
+	}
+	netw.isFilesharePermitted = true
+	return netw.allowFileshareAll()
+}
+
+func (netw *Combined) allowFileshareAll() error {
+	var allErrors []error
+	for _, peer := range netw.cfg.Peers {
+		if peer.DoIAllowFileshare {
+			err := netw.allowFileshare(peer.PublicKey, peer.Address)
+			allErrors = append(allErrors, err)
+		}
+	}
+	return errors.Join(allErrors...)
+}
+
 func (netw *Combined) undenyDNS() error {
 	ruleName := "deny-private-dns"
 
@@ -1608,7 +1635,15 @@ func (netw *Combined) blockIncoming(uniqueAddress meshnet.UniqueAddress) error {
 func (netw *Combined) BlockFileshare(uniqueAddress meshnet.UniqueAddress) error {
 	netw.mu.Lock()
 	defer netw.mu.Unlock()
-	ruleName := uniqueAddress.UID + "-allow-fileshare-rule-" + uniqueAddress.Address.String()
+	return netw.blockFileshare(uniqueAddress.UID, uniqueAddress.Address)
+}
+
+func (netw *Combined) blockFileshare(publicKey string, address netip.Addr) error {
+	if !netw.isFilesharePermitted {
+		log.Println(internal.WarningPrefix, "fileshare is already forbidden")
+		return nil
+	}
+	ruleName := publicKey + "-allow-fileshare-rule-" + address.String()
 	return netw.removeRule(ruleName)
 }
 
@@ -1627,6 +1662,25 @@ func (netw *Combined) removeRule(ruleName string) error {
 	return nil
 }
 
+func (netw *Combined) ForbidFileshare() error {
+	netw.mu.Lock()
+	defer netw.mu.Unlock()
+	if !netw.isFilesharePermitted {
+		return nil
+	}
+	defer func() { netw.isFilesharePermitted = false }()
+	return netw.blockFileshareAll()
+}
+
+func (netw *Combined) blockFileshareAll() error {
+	var allErrors []error
+	for _, peer := range netw.cfg.Peers {
+		err := netw.blockFileshare(peer.PublicKey, peer.Address)
+		allErrors = append(allErrors, err)
+	}
+	return errors.Join(allErrors...)
+}
+
 func getHostsFromConfig(peers mesh.MachinePeers) dns.Hosts {
 	hosts := make(dns.Hosts, 0, len(peers))
 	for _, peer := range peers {