TUN-5362: Adjust route ip commands to be aware of virtual networks

2025-07-28 19:59:57 +00:00 · 2021-11-29 12:00:31 +00:00
parent eec6b87eea
commit 571380b3f5
7 changed files with 305 additions and 104 deletions
--- a/cmd/cloudflared/tunnel/subcommand_context_teamnet.go
+++ b/cmd/cloudflared/tunnel/subcommand_context_teamnet.go
@@ -1,8 +1,6 @@
 package tunnel

 import (
-	"net"
-
 	"github.com/pkg/errors"

 	"github.com/cloudflare/cloudflared/teamnet"
@@ -26,18 +24,18 @@ func (sc *subcommandContext) addRoute(newRoute teamnet.NewRoute) (teamnet.Route,
 	return client.AddRoute(newRoute)
 }

-func (sc *subcommandContext) deleteRoute(network net.IPNet) error {
+func (sc *subcommandContext) deleteRoute(params teamnet.DeleteRouteParams) error {
 	client, err := sc.client()
 	if err != nil {
 		return errors.Wrap(err, noClientMsg)
 	}
-	return client.DeleteRoute(network)
+	return client.DeleteRoute(params)
 }

-func (sc *subcommandContext) getRouteByIP(ip net.IP) (teamnet.DetailedRoute, error) {
+func (sc *subcommandContext) getRouteByIP(params teamnet.GetRouteByIpParams) (teamnet.DetailedRoute, error) {
 	client, err := sc.client()
 	if err != nil {
 		return teamnet.DetailedRoute{}, errors.Wrap(err, noClientMsg)
 	}
-	return client.GetByIP(ip)
+	return client.GetByIP(params)
 }
--- a/cmd/cloudflared/tunnel/teamnet_subcommands.go
+++ b/cmd/cloudflared/tunnel/teamnet_subcommands.go
@@ -6,6 +6,7 @@ import (
 	"os"
 	"text/tabwriter"

+	"github.com/google/uuid"
 	"github.com/pkg/errors"

 	"github.com/cloudflare/cloudflared/cmd/cloudflared/cliutil"
@@ -15,26 +16,45 @@ import (
 	"github.com/urfave/cli/v2"
 )

+var (
+	vnetFlag = &cli.StringFlag{
+		Name:    "virtual-network",
+		Aliases: []string{"vn"},
+		Usage:   "The ID or name of the virtual network to which the route is associated to.",
+	}
+)
+
 func buildRouteIPSubcommand() *cli.Command {
 	return &cli.Command{
 		Name:      "ip",
-		Usage:     "Configure and query Cloudflare WARP routing to services or private networks available through this tunnel.",
+		Usage:     "Configure and query Cloudflare WARP routing to private IP networks made available through Cloudflare Tunnels.",
 		UsageText: "cloudflared tunnel [--config FILEPATH] route COMMAND [arguments...]",
-		Description: `cloudflared can provision private routes from any IP space to origins in your corporate network.
-Users enrolled in your Cloudflare for Teams organization can reach those routes through the
-Cloudflare WARP client. You can also build rules to determine who can reach certain routes.`,
+		Description: `cloudflared can provision routes for any IP space in your corporate network. Users enrolled in
+your Cloudflare for Teams organization can reach those IPs through the Cloudflare WARP
+client. You can then configure L7/L4 filtering on https://dash.teams.cloudflare.com to
+determine who can reach certain routes.
+By default IP routes all exist within a single virtual network. If you use the same IP
+space(s) in different physical private networks, all meant to be reachable via IP routes,
+then you have to manage the ambiguous IP routes by associating them to virtual networks.
+See "cloudflared tunnel network --help" for more information.`,
 		Subcommands: []*cli.Command{
 			{
 				Name:      "add",
 				Action:    cliutil.ConfiguredAction(addRouteCommand),
-				Usage:     "Add any new network to the routing table reachable via the tunnel",
-				UsageText: "cloudflared tunnel [--config FILEPATH] route ip add [CIDR] [TUNNEL] [COMMENT?]",
-				Description: `Adds any network route space (represented as a CIDR) to your routing table.
-That network space becomes reachable for requests egressing from a user's machine
+				Usage:     "Add a new network to the routing table reachable via a Tunnel",
+				UsageText: "cloudflared tunnel [--config FILEPATH] route ip add [flags] [CIDR] [TUNNEL] [COMMENT?]",
+				Description: `Adds a network IP route space (represented as a CIDR) to your routing table.
+That network IP space becomes reachable for requests egressing from a user's machine
 as long as it is using Cloudflare WARP client and is enrolled in the same account
-that is running the tunnel chosen here. Further, those requests will be proxied to
-the specified tunnel, and reach an IP in the given CIDR, as long as that IP is
-reachable from the tunnel.`,
+that is running the Tunnel chosen here. Further, those requests will be proxied to
+the specified Tunnel, and reach an IP in the given CIDR, as long as that IP is
+reachable from cloudflared.
+If the CIDR exists in more than one private network, to be connected with Cloudflare
+Tunnels, then you have to manage those IP routes with virtual networks (see
+"cloudflared tunnel network --help)". In those cases, you then have to tell
+which virtual network's routing table you want to add the route to with:
+"cloudflared tunnel route ip add --virtual-network [ID/name] [CIDR] [TUNNEL]".`,
+				Flags: []cli.Flag{vnetFlag},
 			},
 			{
 				Name:        "show",
@@ -49,17 +69,22 @@ reachable from the tunnel.`,
 				Name:      "delete",
 				Action:    cliutil.ConfiguredAction(deleteRouteCommand),
 				Usage:     "Delete a row from your organization's private routing table",
-				UsageText: "cloudflared tunnel [--config FILEPATH] route ip delete [CIDR]",
-				Description: `Deletes the row for a given CIDR from your routing table. That portion
-of your network will no longer be reachable by the WARP clients.`,
+				UsageText: "cloudflared tunnel [--config FILEPATH] route ip delete [flags] [CIDR]",
+				Description: `Deletes the row for a given CIDR from your routing table. That portion of your network
+will no longer be reachable by the WARP clients. Note that if you use virtual
+networks, then you have to tell which virtual network whose routing table you
+have a row deleted from.`,
+				Flags: []cli.Flag{vnetFlag},
 			},
 			{
 				Name:      "get",
 				Action:    cliutil.ConfiguredAction(getRouteByIPCommand),
 				Usage:     "Check which row of the routing table matches a given IP.",
-				UsageText: "cloudflared tunnel [--config FILEPATH] route ip get [IP]",
-				Description: `Checks which row of the routing table will be used to proxy a given IP.
-				This helps check and validate your config.`,
+				UsageText: "cloudflared tunnel [--config FILEPATH] route ip get [flags] [IP]",
+				Description: `Checks which row of the routing table will be used to proxy a given IP. This helps check
+and validate your config. Note that if you use virtual networks, then you have
+to tell which virtual network whose routing table you want to use.`,
+				Flags: []cli.Flag{vnetFlag},
 			},
 		},
 	}
@@ -112,7 +137,9 @@ func addRouteCommand(c *cli.Context) error {
 	if c.NArg() < 2 {
 		return errors.New("You must supply at least 2 arguments, first the network you wish to route (in CIDR form e.g. 1.2.3.4/32) and then the tunnel ID to proxy with")
 	}
+
 	args := c.Args()
+
 	_, network, err := net.ParseCIDR(args.Get(0))
 	if err != nil {
 		return errors.Wrap(err, "Invalid network CIDR")
@@ -120,19 +147,32 @@ func addRouteCommand(c *cli.Context) error {
 	if network == nil {
 		return errors.New("Invalid network CIDR")
 	}
+
 	tunnelRef := args.Get(1)
 	tunnelID, err := sc.findID(tunnelRef)
 	if err != nil {
 		return errors.Wrap(err, "Invalid tunnel")
 	}
+
 	comment := ""
 	if c.NArg() >= 3 {
 		comment = args.Get(2)
 	}
+
+	var vnetId *uuid.UUID
+	if c.IsSet(vnetFlag.Name) {
+		id, err := getVnetId(sc, c.String(vnetFlag.Name))
+		if err != nil {
+			return err
+		}
+		vnetId = &id
+	}
+
 	_, err = sc.addRoute(teamnet.NewRoute{
 		Comment:  comment,
 		Network:  *network,
 		TunnelID: tunnelID,
+		VNetID:   vnetId,
 	})
 	if err != nil {
 		return errors.Wrap(err, "API error")
@@ -146,9 +186,11 @@ func deleteRouteCommand(c *cli.Context) error {
 	if err != nil {
 		return err
 	}
+
 	if c.NArg() != 1 {
 		return errors.New("You must supply exactly one argument, the network whose route you want to delete (in CIDR form e.g. 1.2.3.4/32)")
 	}
+
 	_, network, err := net.ParseCIDR(c.Args().First())
 	if err != nil {
 		return errors.Wrap(err, "Invalid network CIDR")
@@ -156,7 +198,20 @@ func deleteRouteCommand(c *cli.Context) error {
 	if network == nil {
 		return errors.New("Invalid network CIDR")
 	}
-	if err := sc.deleteRoute(*network); err != nil {
+
+	params := teamnet.DeleteRouteParams{
+		Network: *network,
+	}
+
+	if c.IsSet(vnetFlag.Name) {
+		vnetId, err := getVnetId(sc, c.String(vnetFlag.Name))
+		if err != nil {
+			return err
+		}
+		params.VNetID = &vnetId
+	}
+
+	if err := sc.deleteRoute(params); err != nil {
 		return errors.Wrap(err, "API error")
 	}
 	fmt.Printf("Successfully deleted route for %s\n", network)
@@ -177,7 +232,20 @@ func getRouteByIPCommand(c *cli.Context) error {
 	if ip == nil {
 		return fmt.Errorf("Invalid IP %s", ipInput)
 	}
-	route, err := sc.getRouteByIP(ip)
+
+	params := teamnet.GetRouteByIpParams{
+		Ip: ip,
+	}
+
+	if c.IsSet(vnetFlag.Name) {
+		vnetId, err := getVnetId(sc, c.String(vnetFlag.Name))
+		if err != nil {
+			return err
+		}
+		params.VNetID = &vnetId
+	}
+
+	route, err := sc.getRouteByIP(params)
 	if err != nil {
 		return errors.Wrap(err, "API error")
 	}
@@ -202,7 +270,7 @@ func formatAndPrintRouteList(routes []*teamnet.DetailedRoute) {
 	defer writer.Flush()

 	// Print column headers with tabbed columns
-	_, _ = fmt.Fprintln(writer, "NETWORK\tCOMMENT\tTUNNEL ID\tTUNNEL NAME\tCREATED\tDELETED\t")
+	_, _ = fmt.Fprintln(writer, "NETWORK\tVIRTUAL NET ID\tCOMMENT\tTUNNEL ID\tTUNNEL NAME\tCREATED\tDELETED\t")

 	// Loop through routes, create formatted string for each, and print using tabwriter
 	for _, route := range routes {