
add egress ranges to DST

abhishek9686 2 ngày trước cách đây
mục cha
commit
06b9c244cf
2 tập tin đã thay đổi với 55 bổ sung2 xóa
  1. 18 0
      logic/acls.go
  2. 37 2
      pro/logic/acls.go

+ 18 - 0
logic/acls.go

@@ -446,11 +446,23 @@ func GetAclRulesForNode(targetnodeI *models.Node) (rules map[string]models.AclRu
 		}
 		srcTags := ConvAclTagToValueMap(acl.Src)
 		dstTags := ConvAclTagToValueMap(acl.Dst)
+		egressRanges4 := []net.IPNet{}
+		egressRanges6 := []net.IPNet{}
 		for _, dst := range acl.Dst {
 			if dst.ID == models.EgressID {
 				e := schema.Egress{ID: dst.Value}
 				err := e.Get(db.WithContext(context.TODO()))
 				if err == nil && e.Status {
+					if e.Range != "" {
+						_, cidr, err := net.ParseCIDR(e.Range)
+						if err == nil {
+							if cidr.IP.To4() != nil {
+								egressRanges4 = append(egressRanges4, *cidr)
+							} else {
+								egressRanges6 = append(egressRanges6, *cidr)
+							}
+						}
+					}
 					for nodeID := range e.Nodes {
 						dstTags[nodeID] = struct{}{}
 					}
@@ -468,6 +480,12 @@ func GetAclRulesForNode(targetnodeI *models.Node) (rules map[string]models.AclRu
 			Dst:             []net.IPNet{targetnode.AddressIPNet4()},
 			Dst6:            []net.IPNet{targetnode.AddressIPNet6()},
 		}
+		if len(egressRanges4) > 0 {
+			aclRule.Dst = append(aclRule.Dst, egressRanges4...)
+		}
+		if len(egressRanges6) > 0 {
+			aclRule.Dst6 = append(aclRule.Dst6, egressRanges6...)
+		}
 		for nodeTag := range targetNodeTags {
 			if acl.AllowedDirection == models.TrafficDirectionBi {
 				var existsInSrcTag bool
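Review bot: A malformed egress range is dropped silently in the first hunk: the `err` returned by `net.ParseCIDR(e.Range)` is only tested for nil and never surfaced, so an egress whose range fails to parse quietly vanishes from the node's `Dst`/`Dst6` and an operator debugging blocked traffic has nothing to go on; fail-closed is the right default, but add a log line in the `err != nil` case, or at least `// NOTE: unparsable e.Range is skipped without logging` until one exists. The ranges are also appended to `aclRule.Dst` and `aclRule.Dst6` for every egress referenced in `acl.Dst`, irrespective of whether targetnode is itself one of `e.Nodes`; if the rule is meant to describe only destinations reachable through targetnode, gate the append on membership (`if _, ok := e.Nodes[<target node key>]; ok { ... }`), and if every node is intended to carry the ranges, a one-line comment saying so would stop the next reader from "fixing" it. The same collection logic is repeated in pro/logic/acls.go, so a shared helper in this package would keep both copies in step. `GetAclRulesForNode` starts and ends outside both hunks.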

+ 37 - 2
pro/logic/acls.go

@@ -968,6 +968,17 @@ func GetUserAclRulesForNode(targetnode *models.Node,
 			_, all := dstTags["*"]
 			addUsers := false
 			if !all {
+				for _, dst := range acl.Dst {
+					if dst.ID == models.EgressID {
+						e := schema.Egress{ID: dst.Value}
+						err := e.Get(db.WithContext(context.TODO()))
+						if err == nil && e.Status {
+							for nodeID := range e.Nodes {
+								dstTags[nodeID] = struct{}{}
+							}
+						}
+					}
+				}
 				for nodeTag := range targetNodeTags {
 					if _, ok := dstTags[nodeTag.String()]; ok {
 						addUsers = true
@@ -1002,8 +1013,6 @@ func GetUserAclRulesForNode(targetnode *models.Node,
 			AllowedProtocol: defaultPolicy.Proto,
 			AllowedPorts:    defaultPolicy.Port,
 			Direction:       defaultPolicy.AllowedDirection,
-			Dst:             []net.IPNet{targetnode.AddressIPNet4()},
-			Dst6:            []net.IPNet{targetnode.AddressIPNet6()},
 			Allowed:         true,
 		}
 		for _, userNode := range userNodes {
@@ -1034,6 +1043,26 @@ func GetUserAclRulesForNode(targetnode *models.Node,
 				if !acl.Enabled {
 					continue
 				}
+				egressRanges4 := []net.IPNet{}
+				egressRanges6 := []net.IPNet{}
+				for _, dst := range acl.Dst {
+					if dst.ID == models.EgressID {
+						e := schema.Egress{ID: dst.Value}
+						err := e.Get(db.WithContext(context.TODO()))
+						if err == nil && e.Status {
+							if e.Range != "" {
+								_, cidr, err := net.ParseCIDR(e.Range)
+								if err == nil {
+									if cidr.IP.To4() != nil {
+										egressRanges4 = append(egressRanges4, *cidr)
+									} else {
+										egressRanges6 = append(egressRanges6, *cidr)
+									}
+								}
+							}
+						}
+					}
+				}
 				r := models.AclRule{
 					ID:              acl.ID,
 					AllowedProtocol: acl.Proto,
@@ -1043,6 +1072,12 @@ func GetUserAclRulesForNode(targetnode *models.Node,
 					Dst6:            []net.IPNet{targetnode.AddressIPNet6()},
 					Allowed:         true,
 				}
+				if len(egressRanges4) > 0 {
+					r.Dst = append(r.Dst, egressRanges4...)
+				}
+				if len(egressRanges6) > 0 {
+					r.Dst6 = append(r.Dst6, egressRanges6...)
+				}
 				// Get peers in the tags and add allowed rules
 				if userNode.StaticNode.Address != "" {
 					r.IPList = append(r.IPList, userNode.StaticNode.AddressIPNet4())
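Review bot: The egress-range collection in the third hunk is a verbatim copy of the block added to logic/acls.go, and the first hunk of this file repeats the egress lookup a third time to fill `dstTags`; three copies of a DB-backed loop that must agree on how `e.Status`, `e.Range` and the parse error are treated will drift. Extract one helper in the logic package that resolves each egress once, fills `dstTags` with `e.Nodes` and returns the ranges split by family, then call it from both functions; the sketch below keeps the existing semantics (disabled egresses and unparsable ranges are skipped) and leaves a marked spot for logging the parse failure, which is currently swallowed. The removal of `Dst`/`Dst6` from the default user-policy rule in the second hunk is a deliberate part of this commit and is not re-raised here. `GetUserAclRulesForNode` starts and ends outside all four hunks.

```go
// collectEgressDst resolves every egress referenced in dsts: enabled
// egress nodes are added to dstTags and the egress range, when set and
// parsable, is returned split by address family. Disabled egresses and
// unparsable ranges are skipped.
func collectEgressDst(dsts []models.AclPolicyTag, dstTags map[string]struct{}) (v4, v6 []net.IPNet) {
	for _, dst := range dsts {
		if dst.ID != models.EgressID {
			continue
		}
		e := schema.Egress{ID: dst.Value}
		if err := e.Get(db.WithContext(context.TODO())); err != nil || !e.Status {
			continue
		}
		for nodeID := range e.Nodes {
			dstTags[nodeID] = struct{}{}
		}
		if e.Range == "" {
			continue
		}
		_, cidr, err := net.ParseCIDR(e.Range)
		if err != nil {
			// TODO: log the malformed range so the dropped destination is visible to operators
			continue
		}
		if cidr.IP.To4() != nil {
			v4 = append(v4, *cidr)
		} else {
			v6 = append(v6, *cidr)
		}
	}
	return v4, v6
}

// … unchanged: call sites replace the inline loops with
// egressRanges4, egressRanges6 := collectEgressDst(acl.Dst, dstTags) …
```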