From 0a5981c657728cbefcc824f59dbe4338825cadda Mon Sep 17 00:00:00 2001
From: Daniel
Date: Fri, 9 Aug 2019 17:16:56 +0200
Subject: [PATCH] Improve api firewall bypass

---
 firewall/api.go      | 11 ++++++-----
 firewall/firewall.go |  4 ++--
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/firewall/api.go b/firewall/api.go
index eee01be7..3803126c 100644
--- a/firewall/api.go
+++ b/firewall/api.go
@@ -23,9 +23,8 @@ import (
 
 var (
 	dataRoot *utils.DirStructure
-	apiAddressSet bool
-	apiIP net.IP
-	apiPort uint16
+	apiPortSet bool
+	apiPort uint16
 )
 
 func prepAPIAuth() error {
@@ -35,11 +34,13 @@ func prepAPIAuth() error {
 
 func startAPIAuth() {
 	var err error
-	apiIP, apiPort, err = parseHostPort(apiListenAddress())
+	_, apiPort, err = parseHostPort(apiListenAddress())
 	if err != nil {
 		log.Warningf("firewall: failed to parse API address for improved api auth mechanism: %s", err)
+		return
 	}
-	apiAddressSet = true
+	apiPortSet = true
+	log.Tracef("firewall: api port set to %d", apiPort)
 }
 
 func apiAuthenticator(s *http.Server, r *http.Request) (grantAccess bool, err error) {
diff --git a/firewall/firewall.go b/firewall/firewall.go
index 96620eda..e8675455 100644
--- a/firewall/firewall.go
+++ b/firewall/firewall.go
@@ -111,8 +111,8 @@ func handlePacket(pkt packet.Packet) {
 	}
 
 	// allow api access, if address was parsed successfully
-	if apiAddressSet {
-		if (pkt.Info().DstPort == apiPort && pkt.Info().Dst.Equal(apiIP)) || (pkt.Info().SrcPort == apiPort && pkt.Info().Src.Equal(apiIP)) {
+	if apiPortSet {
+		if (pkt.Info().DstPort == apiPort || pkt.Info().SrcPort == apiPort) && pkt.Info().Src.Equal(pkt.Info().Dst) {
 			log.Debugf("accepting api connection: %s", pkt)
 			pkt.PermanentAccept()
 			return
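Review bot: Removing `apiIP net.IP` deletes the only visible use of the `net` package in api.go, yet the hunk does not touch the import block that precedes it (the hunk header shows `import (`), so the file will fail to build with an unused import unless `net` is referenced elsewhere in the file — worth confirming before merge. The two remaining variables also carry no comment even though they are read from handlePacket in firewall.go, so the contract between the two files is implicit. I would document it on the declaration: `// apiPortSet reports whether apiPort was parsed from the API listen address; handlePacket applies the API bypass only when it is true.`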
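Review bot: The parsed port is accepted without checking that it is non-zero; if parseHostPort can yield 0 for an unspecified port (an address like `:0`), apiPortSet becomes true and handlePacket would then permanently accept any local packet carrying a zero port. I would widen the guard to `if err != nil || apiPort == 0 {` (with the warning worded to cover both cases) so the bypass is armed only with a usable port. Note also that apiPortSet and apiPort are package-level variables written here and read from handlePacket; unless startup ordering guarantees this write completes before packet handling begins, that is a data race, so either confirm the ordering or store the pair atomically. The trace line would be more useful for debugging if it also named the address it came from, e.g. `log.Tracef("firewall: api port set to %d (from %s)", apiPort, apiListenAddress())`.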
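Review bot: The new condition no longer ties the bypass to the configured API address: any packet whose source and destination IPs are equal and that carries apiPort on either side is permanently accepted, whichever of the host's addresses that is, whereas the old check required a match against `apiIP`. That widens the rule from one address to every local address, and a packet arriving from the wire with a forged source equal to its destination and dst port apiPort would satisfy it too unless the OS discards such spoofed traffic first (the old check had that exposure only for apiIP). If the IP was dropped because the listen address is unspecified (e.g. `:port`), I would keep the parsed IP and fall back to the Src==Dst test only when it is nil or unspecified, or at least require `pkt.Info().Dst.IsLoopback()` when the API is bound to loopback. The existing comment `// allow api access, if address was parsed successfully` is now stale since only the port is kept; `// allow api access on any local address (src == dst), if the api port was parsed successfully` describes the new test. handlePacket begins before the hunk and continues after it.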