
fix extclients egress comms

abhishek9686 3 maanden geleden
bovenliggende
commit
00563dbd7a
6 gewijzigde bestanden met toevoegingen van 57 en 60 verwijderingen
  1. 20 19
      logic/acls.go
  2. 1 13
      logic/egress.go
  3. 5 3
      logic/extpeers.go
  4. 27 24
      logic/peers.go
  5. 1 1
      models/mqtt.go
  6. 3 0
      models/node.go

+ 20 - 19
logic/acls.go

@@ -679,7 +679,7 @@ func IsUserAllowedToCommunicate(userName string, peer models.Node) (bool, []mode
 			if dst.ID == models.EgressID {
 				e := schema.Egress{ID: dst.Value}
 				err := e.Get(db.WithContext(context.TODO()))
-				if err == nil {
+				if err == nil && e.Status {
 					for nodeID := range e.Nodes {
 						dstMap[nodeID] = struct{}{}
 					}
@@ -782,7 +782,7 @@ func IsPeerAllowed(node, peer models.Node, checkDefaultPolicy bool) bool {
 			if dst.ID == models.EgressID {
 				e := schema.Egress{ID: dst.Value}
 				err := e.Get(db.WithContext(context.TODO()))
-				if err == nil {
+				if err == nil && e.Status {
 					for nodeID := range e.Nodes {
 						dstMap[nodeID] = struct{}{}
 					}
@@ -1054,7 +1054,7 @@ func IsNodeAllowedToCommunicateV1(node, peer models.Node, checkDefaultPolicy boo
 			if dst.ID == models.EgressID {
 				e := schema.Egress{ID: dst.Value}
 				err := e.Get(db.WithContext(context.TODO()))
-				if err == nil {
+				if err == nil && e.Status {
 					for nodeID := range e.Nodes {
 						dstMap[nodeID] = struct{}{}
 					}
@@ -1256,7 +1256,7 @@ func getEgressUserRulesForNode(targetnode *models.Node,
 			if dst.ID == models.EgressID {
 				e := schema.Egress{ID: dst.Value}
 				err := e.Get(db.WithContext(context.TODO()))
-				if err == nil {
+				if err == nil && e.Status {
 					for nodeID := range e.Nodes {
 						dstTags[nodeID] = struct{}{}
 					}
@@ -1491,7 +1491,7 @@ func checkIfAnyActiveEgressPolicy(targetNode models.Node) bool {
 			if dst.ID == models.EgressID {
 				e := schema.Egress{ID: dst.Value}
 				err := e.Get(db.WithContext(context.TODO()))
-				if err == nil {
+				if err == nil && e.Status {
 					for nodeID := range e.Nodes {
 						dstTags[nodeID] = struct{}{}
 					}
@@ -1500,7 +1500,7 @@ func checkIfAnyActiveEgressPolicy(targetNode models.Node) bool {
 			}
 		}
 		for nodeTag := range targetNodeTags {
-			if acl.RuleType == models.DevicePolicy {
+			if acl.RuleType == models.DevicePolicy && acl.AllowedDirection == models.TrafficDirectionBi {
 				if _, ok := srcTags[nodeTag.String()]; ok {
 					return true
 				}
@@ -1603,6 +1603,17 @@ func GetAclRulesForNode(targetnodeI *models.Node) (rules map[string]models.AclRu
 		}
 		srcTags := convAclTagToValueMap(acl.Src)
 		dstTags := convAclTagToValueMap(acl.Dst)
+		for _, dst := range acl.Dst {
+			if dst.ID == models.EgressID {
+				e := schema.Egress{ID: dst.Value}
+				err := e.Get(db.WithContext(context.TODO()))
+				if err == nil && e.Status {
+					for nodeID := range e.Nodes {
+						dstTags[nodeID] = struct{}{}
+					}
+				}
+			}
+		}
 		_, srcAll := srcTags["*"]
 		_, dstAll := dstTags["*"]
 		aclRule := models.AclRule{
@@ -1810,6 +1821,9 @@ func GetEgressRulesForNode(targetnode models.Node) (rules map[string]models.AclR
 		return
 	}
 	for _, egI := range egs {
+		if !egI.Status {
+			continue
+		}
 		if _, ok := egI.Nodes[targetnode.ID.String()]; ok {
 			if egI.Range == "*" {
 				targetNodeTags[models.TagID("0.0.0.0/0")] = struct{}{}
@@ -1820,14 +1834,12 @@ func GetEgressRulesForNode(targetnode models.Node) (rules map[string]models.AclR
 			targetNodeTags[models.TagID(egI.ID)] = struct{}{}
 		}
 	}
-	fmt.Println("CHECKING EGRESS TAGS: ", targetNodeTags)
 	for _, acl := range acls {
 		if !acl.Enabled {
 			continue
 		}
 		srcTags := convAclTagToValueMap(acl.Src)
 		dstTags := convAclTagToValueMap(acl.Dst)
-		fmt.Println("ACL POLICY: ", acl.Name, srcTags, dstTags)
 		_, srcAll := srcTags["*"]
 		_, dstAll := dstTags["*"]
 		aclRule := models.AclRule{
@@ -1848,20 +1860,10 @@ func GetEgressRulesForNode(targetnode models.Node) (rules map[string]models.AclR
 						aclRule.Dst6 = append(aclRule.Dst6, *cidr)
 					}
 				}
-			} else {
-				aclRule.Dst = append(aclRule.Dst, net.IPNet{
-					IP:   net.IPv4zero,        // 0.0.0.0
-					Mask: net.CIDRMask(0, 32), // /0 means match all IPv4
-				})
-				aclRule.Dst6 = append(aclRule.Dst6, net.IPNet{
-					IP:   net.IPv6zero,         // ::
-					Mask: net.CIDRMask(0, 128), // /0 means match all IPv6
-				})
 			}
 			if acl.AllowedDirection == models.TrafficDirectionBi {
 				var existsInSrcTag bool
 				var existsInDstTag bool
-				fmt.Println("CHECKING TAG: ", nodeTag.String())
 				if _, ok := srcTags[nodeTag.String()]; ok || srcAll {
 					existsInSrcTag = true
 				}
@@ -1877,7 +1879,6 @@ func GetEgressRulesForNode(targetnode models.Node) (rules map[string]models.AclR
 					}
 					break
 				}
-				fmt.Println("EXISTS ACL: ", existsInSrcTag, existsInDstTag)
 				if existsInSrcTag && !existsInDstTag {
 					// get all dst tags
 					for dst := range dstTags {
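Review bot: The `e.Get` error path in the new loop added to GetAclRulesForNode (and in the five sibling hunks that gained `&& e.Status`) silently treats a failed egress lookup exactly like a disabled egress, so a transient DB error shrinks a rule's destination set with no trace in the logs; failing closed is the right default for firewall rules, but it should be observable, and the same seven-line lookup is now copy-pasted six times in this file. I would factor it into one helper that owns the fail-closed decision and logs the error (assuming acls.go imports the project logger as peers.go does), and call it from each site as below. Separately, the `else` removed at the end of GetEgressRulesForNode used to add 0.0.0.0/0 and ::/0 to Dst/Dst6; its guarding `if` is outside the hunk so I cannot tell when it fired, but it is worth confirming how the client treats an AclRule whose Dst is now empty (match-nothing versus match-all), since that decides whether the change is fail-closed. GetAclRulesForNode and GetEgressRulesForNode both start and end outside the hunks.
```go
// activeEgressNodeIDs returns the member node IDs of the egress with the given
// ID, or nil when it cannot be loaded or is disabled. A lookup failure is
// treated as "inactive" so that an egress we cannot read never widens an ACL
// (fail closed); it is logged so a DB outage is not mistaken for a policy change.
func activeEgressNodeIDs(egressID string) map[string]struct{} {
	e := schema.Egress{ID: egressID}
	if err := e.Get(db.WithContext(context.TODO())); err != nil {
		logger.Log(0, "egress", egressID, "lookup failed, treating as inactive:", err.Error())
		return nil
	}
	if !e.Status {
		return nil
	}
	ids := make(map[string]struct{}, len(e.Nodes))
	for nodeID := range e.Nodes {
		ids[nodeID] = struct{}{}
	}
	return ids
}

		// … unchanged: srcTags / dstTags construction in GetAclRulesForNode …
		for _, dst := range acl.Dst {
			if dst.ID != models.EgressID {
				continue
			}
			// ranging over a nil map is a no-op, so a missing/disabled egress adds nothing
			for nodeID := range activeEgressNodeIDs(dst.Value) {
				dstTags[nodeID] = struct{}{}
			}
		}
```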

+ 1 - 13
logic/egress.go

@@ -151,12 +151,10 @@ func DoesNodeHaveAccessToEgress(node *models.Node, e *schema.Egress) bool {
 	if !e.IsInetGw {
 		nodeTags[models.TagID("*")] = struct{}{}
 	}
-	fmt.Println("=====> CHECKING FOR EGRESS ", e.Name)
 	acls, _ := ListAclsByNetwork(models.NetworkID(node.Network))
 	if !e.IsInetGw {
 		defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
 		if defaultDevicePolicy.Enabled {
-			fmt.Println("hereee 1")
 			return true
 		}
 	}
@@ -165,41 +163,34 @@ func DoesNodeHaveAccessToEgress(node *models.Node, e *schema.Egress) bool {
 			continue
 		}
 		srcVal := convAclTagToValueMap(acl.Src)
-		fmt.Println("ACL SRC: ", acl.Src, acl.Name)
 		if !e.IsInetGw && acl.AllowedDirection == models.TrafficDirectionBi {
 			if _, ok := srcVal["*"]; ok {
-				fmt.Println("hereee 2")
 				return true
 			}
 		}
 		for _, dstI := range acl.Dst {
 
 			if !e.IsInetGw && dstI.ID == models.NodeTagID && dstI.Value == "*" {
-				fmt.Println("hereee 3")
 				return true
 			}
 			if dstI.ID == models.EgressID && dstI.Value == e.ID {
 				e := schema.Egress{ID: dstI.Value}
 				err := e.Get(db.WithContext(context.TODO()))
-				if err != nil || !e.Status {
-					fmt.Println("hereee 4")
+				if err != nil {
 					continue
 				}
 				if node.IsStatic {
 					if _, ok := srcVal[node.StaticNode.ClientID]; ok {
-						fmt.Println("hereee 5")
 						return true
 					}
 				} else {
 					if _, ok := srcVal[node.ID.String()]; ok {
-						fmt.Println("hereee 6")
 						return true
 					}
 				}
 
 				for tagID := range nodeTags {
 					if _, ok := srcVal[tagID.String()]; ok {
-						fmt.Println("hereee 7")
 						return true
 					}
 				}
@@ -223,7 +214,6 @@ func AddEgressInfoToPeerByAccess(node, targetNode *models.Node) {
 	defer func() {
 		isNodeUsingInternetGw(targetNode)
 	}()
-
 	for _, e := range eli {
 		if !e.Status || e.Network != targetNode.Network {
 			continue
@@ -269,8 +259,6 @@ func AddEgressInfoToPeerByAccess(node, targetNode *models.Node) {
 		targetNode.EgressDetails.IsEgressGateway = true
 		targetNode.EgressDetails.EgressGatewayRanges = req.Ranges
 		targetNode.EgressDetails.EgressGatewayRequest = req
-		targetHost, _ := GetHost(targetNode.HostID.String())
-		fmt.Println("TARGET NODE: ", targetHost.Name, targetNode.EgressDetails.EgressGatewayRanges, targetNode.EgressDetails.EgressGatewayRequest)
 	}
 }
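Review bot: The refetch inside DoesNodeHaveAccessToEgress dropped the status test (`if err != nil || !e.Status` became `if err != nil`), so a disabled egress that is still referenced by an ACL can now grant access unless every caller pre-filters on Status; the loop in AddEgressInfoToPeerByAccess below does, but other callers are not visible here, and the rest of this commit moves the other way by adding `&& e.Status` checks throughout acls.go. If the drop is deliberate it needs a comment explaining why a disabled egress should still authorize traffic; otherwise restore it: `if err != nil || !e.Status {`. The inner `e := schema.Egress{ID: dstI.Value}` also shadows the `e *schema.Egress` parameter it is reloading — since the branch already requires `dstI.Value == e.ID`, the reload looks redundant and, if the caller's copy carries a populated Status (not confirmable from this hunk), a single `if !e.Status { return false }` before the loop would be clearer and harder to get wrong. The function starts and ends outside the hunk.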
 

+ 5 - 3
logic/extpeers.go

@@ -74,16 +74,18 @@ func GetEgressRangesOnNetwork(client *models.ExtClient) ([]string, error) {
 	if err != nil {
 		return []string{}, err
 	}
-	clientNode := client.ConvertToStaticNode()
+	// clientNode := client.ConvertToStaticNode()
 	for _, currentNode := range networkNodes {
 		if currentNode.Network != client.Network {
 			continue
 		}
-		AddEgressInfoToPeerByAccess(&clientNode, &currentNode)
+		GetNodeEgressInfo(&currentNode)
+		if currentNode.IsInternetGateway && client.IngressGatewayID != currentNode.ID.String() {
+			continue
+		}
 		if currentNode.EgressDetails.IsEgressGateway { // add the egress gateway range(s) to the result
 			fmt.Println("EGRESSS EXTCLEINT: ", currentNode.EgressDetails)
 			if len(currentNode.EgressDetails.EgressGatewayRanges) > 0 {
-
 				result = append(result, currentNode.EgressDetails.EgressGatewayRanges...)
 			}
 		}
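Review bot: Replacing `AddEgressInfoToPeerByAccess(&clientNode, &currentNode)` with `GetNodeEgressInfo(&currentNode)` removes the only per-client access check in this loop, so — assuming GetNodeEgressInfo does not consult the ext client's ACLs (its body is not in the hunk) — every ext client is now pushed the egress ranges of every gateway in its network except foreign internet gateways, including ranges its policies deny; even if the gateway firewall still drops that traffic, the client config now discloses the egress topology and installs routes the client cannot use. If enforcement on the gateway is the intent behind "fix extclients egress comms", say so in a comment above the loop (`// egress ranges are advertised to all ext clients; access is enforced by the gateway's ACL rules`), otherwise keep a per-client filter before the append. The commented-out `// clientNode := client.ConvertToStaticNode()` is dead code, and the `fmt.Println("EGRESSS EXTCLEINT: ", ...)` debug line survives while this same commit removes its siblings; drop both, or route the latter through the project logger at a verbose level. GetEgressRangesOnNetwork starts and ends outside the hunk.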

+ 27 - 24
logic/peers.go

@@ -6,6 +6,7 @@ import (
 	"net"
 	"net/netip"
 
+	"github.com/google/uuid"
 	"github.com/gravitl/netmaker/database"
 	"github.com/gravitl/netmaker/logger"
 	"github.com/gravitl/netmaker/logic/acls/nodeacls"
@@ -164,26 +165,18 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 	}
 	defer func() {
 		if !hostPeerUpdate.FwUpdate.AllowAll {
-			aclRule := models.AclRule{
-				ID:              "allowed-network-rules",
-				AllowedProtocol: models.ALL,
-				Direction:       models.TrafficDirectionBi,
-				Allowed:         true,
-			}
-			for _, allowedNet := range hostPeerUpdate.FwUpdate.AllowedNetworks {
-				if allowedNet.IP.To4() != nil {
-					aclRule.IPList = append(aclRule.IPList, allowedNet)
-				} else {
-					aclRule.IP6List = append(aclRule.IP6List, allowedNet)
-				}
-			}
-			hostPeerUpdate.FwUpdate.AclRules["allowed-network-rules"] = aclRule
+
 			hostPeerUpdate.FwUpdate.EgressInfo["allowed-network-rules"] = models.EgressInfo{
-				EgressID: "allowed-network-rules",
-				EgressFwRules: map[string]models.AclRule{
-					"allowed-network-rules": aclRule,
-				},
+				EgressID:      "allowed-network-rules",
+				EgressFwRules: make(map[string]models.AclRule),
 			}
+			fmt.Printf("ALLOWED NETWORK RULES:%s,  %+v\n", host.Name, hostPeerUpdate.FwUpdate.AllowedNetworks)
+			for _, aclRule := range hostPeerUpdate.FwUpdate.AllowedNetworks {
+
+				hostPeerUpdate.FwUpdate.AclRules[aclRule.ID] = aclRule
+				hostPeerUpdate.FwUpdate.EgressInfo["allowed-network-rules"].EgressFwRules[aclRule.ID] = aclRule
+			}
+
 		}
 	}()
 
@@ -192,11 +185,13 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 	for _, nodeID := range host.Nodes {
 		networkAllowAll := true
 		nodeID := nodeID
+		if nodeID == uuid.Nil.String() {
+			continue
+		}
 		node, err := GetNodeByID(nodeID)
 		if err != nil {
 			continue
 		}
-
 		if !node.Connected || node.PendingDelete || node.Action == models.NODE_DELETE {
 			continue
 		}
@@ -208,13 +203,21 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 		defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
 		defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
 
-		if (defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled) || (!checkIfAnyPolicyisUniDirectional(node) && !checkIfAnyActiveEgressPolicy(node)) {
-			if node.NetworkRange.IP != nil {
-				hostPeerUpdate.FwUpdate.AllowedNetworks = append(hostPeerUpdate.FwUpdate.AllowedNetworks, node.NetworkRange)
+		if (defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled) ||
+			(!checkIfAnyPolicyisUniDirectional(node) && !checkIfAnyActiveEgressPolicy(node)) {
+			aclRule := models.AclRule{
+				ID:              fmt.Sprintf("%s-allowed-network-rules", node.ID.String()),
+				AllowedProtocol: models.ALL,
+				Direction:       models.TrafficDirectionBi,
+				Allowed:         true,
+				IPList:          []net.IPNet{node.NetworkRange},
+				IP6List:         []net.IPNet{node.NetworkRange6},
 			}
-			if node.NetworkRange6.IP != nil {
-				hostPeerUpdate.FwUpdate.AllowedNetworks = append(hostPeerUpdate.FwUpdate.AllowedNetworks, node.NetworkRange6)
+			if !(defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled) {
+				aclRule.Dst = []net.IPNet{node.NetworkRange}
+				aclRule.Dst6 = []net.IPNet{node.NetworkRange6}
 			}
+			hostPeerUpdate.FwUpdate.AllowedNetworks = append(hostPeerUpdate.FwUpdate.AllowedNetworks, aclRule)
 		} else {
 			networkAllowAll = false
 			hostPeerUpdate.FwUpdate.AllowAll = false
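Review bot: The new aclRule in GetPeerUpdateForHost places `node.NetworkRange` and `node.NetworkRange6` into IPList/IP6List (and Dst/Dst6) unconditionally, whereas the removed code appended each only when its `.IP != nil`; on a v4-only or v6-only network one of them is now a zero `net.IPNet` (nil IP, nil Mask), which is not a valid CIDR and, depending on how the client renders it, can make the whole allowed-network rule set fail to apply or match more than intended. Restore the per-family guards as below. The `fmt.Printf("ALLOWED NETWORK RULES:…")` in the deferred closure runs on every peer update for every host and goes to stdout; this file already imports the project `logger`, so use it at a verbose level or remove it along with the other debug prints this commit cleans up. GetPeerUpdateForHost starts before the first hunk and ends after the last.
```go
			aclRule := models.AclRule{
				ID:              fmt.Sprintf("%s-allowed-network-rules", node.ID.String()),
				AllowedProtocol: models.ALL,
				Direction:       models.TrafficDirectionBi,
				Allowed:         true,
			}
			// Dst/Dst6 are only narrowed to the network range when at least one
			// default policy is off; with both on, the rule allows the range outright.
			narrowDst := !(defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled)
			// Emit only address families the network actually has: a zero net.IPNet
			// (nil IP/Mask) is not a valid CIDR for the client-side firewall.
			if node.NetworkRange.IP != nil {
				aclRule.IPList = append(aclRule.IPList, node.NetworkRange)
				if narrowDst {
					aclRule.Dst = append(aclRule.Dst, node.NetworkRange)
				}
			}
			if node.NetworkRange6.IP != nil {
				aclRule.IP6List = append(aclRule.IP6List, node.NetworkRange6)
				if narrowDst {
					aclRule.Dst6 = append(aclRule.Dst6, node.NetworkRange6)
				}
			}
			hostPeerUpdate.FwUpdate.AllowedNetworks = append(hostPeerUpdate.FwUpdate.AllowedNetworks, aclRule)
```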

+ 1 - 1
models/mqtt.go

@@ -107,7 +107,7 @@ type KeyUpdate struct {
 // FwUpdate - struct for firewall updates
 type FwUpdate struct {
 	AllowAll        bool                   `json:"allow_all"`
-	AllowedNetworks []net.IPNet            `json:"networks"`
+	AllowedNetworks []AclRule              `json:"networks"`
 	IsEgressGw      bool                   `json:"is_egress_gw"`
 	IsIngressGw     bool                   `json:"is_ingress_gw"`
 	EgressInfo      map[string]EgressInfo  `json:"egress_info"`
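Review bot: `AllowedNetworks` changes type from `[]net.IPNet` to `[]AclRule` but keeps the wire key `json:"networks"`, so a netclient built against the old struct will fail to decode (or silently zero) the field and apply no allowed-network rules, with nothing in the message to tell the two formats apart; this is a breaking change to the MQTT firewall update that the commit message does not mention. Either give the new shape its own key (e.g. `json:"allowed_network_rules"`) so old clients ignore it cleanly, or document the break on the field: `// AllowedNetworks - one AclRule per network range of the host's nodes; replaces the former []net.IPNet and is incompatible with clients older than this change.` The rest of FwUpdate is outside the hunk, so I cannot see whether a version field exists that could carry this.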

+ 3 - 0
models/node.go

@@ -128,6 +128,9 @@ type EgressDetails struct {
 	EgressGatewayRequest    EgressGatewayRequest
 	IsEgressGateway         bool
 	EgressGatewayRanges     []string
+	IsInternetGateway       bool        `json:"isinternetgateway"                                      yaml:"isinternetgateway"`
+	InetNodeReq             InetNodeReq `json:"inet_node_req"                                          yaml:"inet_node_req"`
+	InternetGwID            string      `json:"internetgw_node_id"                                     yaml:"internetgw_node_id"`
 }
 
 // LegacyNode - legacy struct for node model
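Review bot: The three fields added to EgressDetails have no doc comments and duplicate state that already lives on the node itself — extpeers.go in this same commit reads `currentNode.IsInternetGateway` from Node, not from EgressDetails — so there are now two `IsInternetGateway` flags and nothing states which one the inet-gateway decision trusts or who keeps them in sync. Add a comment naming the authority, e.g. `// IsInternetGateway mirrors Node.IsInternetGateway for the peer-update payload; Node remains authoritative.` (adjusted if the reverse is intended), and one-line comments for InetNodeReq and InternetGwID. The struct tags also carry roughly forty spaces of padding inside the string literal, which gofmt will not remove; trim them to `json:"isinternetgateway" yaml:"isinternetgateway"` and likewise for the other two. The `type EgressDetails struct {` line is outside the hunk.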