
add egress ranges to fw update

abhishek9686 преди 6 месеца
родител
ревизия
09605b7ff0
променени са 3 файла, в които са добавени 18 реда и са изтрити 11 реда
  1. 12 11
      logic/acls.go
  2. 5 0
      logic/peers.go
  3. 1 0
      models/mqtt.go

+ 12 - 11
logic/acls.go

@@ -1366,7 +1366,16 @@ func getUserAclRulesForNode(targetnode *models.Node,
 }
 
 func checkIfAnyPolicyisUniDirectional(targetNode models.Node) bool {
-	targetNode.Tags[models.TagID(targetNode.ID.String())] = struct{}{}
+	var targetNodeTags = make(map[models.TagID]struct{})
+	if targetNode.Mutex != nil {
+		targetNode.Mutex.Lock()
+		targetNodeTags = maps.Clone(targetNode.Tags)
+		targetNode.Mutex.Unlock()
+	} else {
+		targetNodeTags = maps.Clone(targetNode.Tags)
+	}
+	targetNodeTags[models.TagID(targetNode.ID.String())] = struct{}{}
+	targetNodeTags["*"] = struct{}{}
 	acls := listDevicePolicies(models.NetworkID(targetNode.Network))
 	for _, acl := range acls {
 		if !acl.Enabled {
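Review bot: The `make` on the first added line is dead — both branches immediately overwrite `targetNodeTags` with `maps.Clone(targetNode.Tags)`, and `maps.Clone` preserves nil, so a node whose `Tags` map is nil reaches `targetNodeTags[models.TagID(targetNode.ID.String())] = struct{}{}` on a nil map and panics. Declare it as `var targetNodeTags map[models.TagID]struct{}` and, after the lock/clone block, add `if targetNodeTags == nil { targetNodeTags = make(map[models.TagID]struct{}) }` before the two tag inserts. The same clone-then-insert sequence appears in the GetAclRulesForNode hunk at `@@ -1421`, where the newly added insert on the cloned map needs the same nil guard. Whether `Tags` can actually be nil for a node cannot be seen from this page, but the previous direct write into `targetNode.Tags` had the same exposure and the guard is cheap. checkIfAnyPolicyisUniDirectional's body continues past this hunk.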
@@ -1377,7 +1386,7 @@ func checkIfAnyPolicyisUniDirectional(targetNode models.Node) bool {
 		}
 		srcTags := convAclTagToValueMap(acl.Src)
 		dstTags := convAclTagToValueMap(acl.Dst)
-		for nodeTag := range targetNode.Tags {
+		for nodeTag := range targetNodeTags {
 			if _, ok := srcTags[nodeTag.String()]; ok {
 				return true
 			}
@@ -1397,7 +1406,6 @@ func checkIfAnyPolicyisUniDirectional(targetNode models.Node) bool {
 
 func GetAclRulesForNode(targetnodeI *models.Node) (rules map[string]models.AclRule) {
 	targetnode := *targetnodeI
-	targetnode.Tags[models.TagID(targetnode.ID.String())] = struct{}{}
 	defer func() {
 		if !targetnode.IsIngressGateway {
 			rules = getUserAclRulesForNode(&targetnode, rules)
@@ -1421,6 +1429,7 @@ func GetAclRulesForNode(targetnodeI *models.Node) (rules map[string]models.AclRu
 	} else {
 		targetNodeTags = maps.Clone(targetnode.Tags)
 	}
+	targetNodeTags[models.TagID(targetnode.ID.String())] = struct{}{}
 	targetNodeTags["*"] = struct{}{}
 	/*
 		 if target node is egress gateway
@@ -1621,11 +1630,3 @@ func GetAclRulesForNode(targetnodeI *models.Node) (rules map[string]models.AclRu
 	}
 	return rules
 }
-
-func GetFwRulesForEgressGw(node models.Node) (rules map[string]models.FwRule) {
-	if !node.IsEgressGateway {
-		return
-	}
-	rules = make(map[string]models.FwRule)
-	return
-}

+ 5 - 0
logic/peers.go

@@ -258,6 +258,11 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 			if node.NetworkRange6.IP != nil {
 				hostPeerUpdate.FwUpdate.AllowedNetworks = append(hostPeerUpdate.FwUpdate.AllowedNetworks, node.NetworkRange6)
 			}
+			if node.IsEgressGateway {
+				// get egress ranges
+				hostPeerUpdate.FwUpdate.EgressNetworks = append(hostPeerUpdate.FwUpdate.EgressNetworks, node.EgressGatewayRanges...)
+
+			}
 		} else {
 			hostPeerUpdate.FwUpdate.AllowAll = false
 			rules := GetAclRulesForNode(&node)
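Review bot: The added block forwards `node.EgressGatewayRanges` into `FwUpdate.EgressNetworks` as raw strings with no validation, whereas the sibling `AllowedNetworks` entries two lines above are already parsed `net.IPNet` values; a malformed or empty range string stored on a node is pushed straight into the firewall update for every host, and this append runs once per node so ranges from several egress gateways accumulate, duplicates included. Assuming the ranges are CIDR strings, parsing each one with `net.ParseCIDR` and skipping entries that fail keeps the consumer from ever seeing an unparseable rule (the `net` package must be in scope in peers.go for this). The `// get egress ranges` comment restates the code; a why-comment such as `// egress gateway ranges are forwarded as CIDR strings; the host side parses them` would be more useful, and the blank line before the closing brace can go. GetPeerUpdateForHost starts and ends outside this hunk, so the loop variable `node` and the containing `if` are inferred from the indentation.
```go
			if node.IsEgressGateway {
				// egress gateway ranges are forwarded as CIDR strings; drop
				// any entry that does not parse so the host never receives
				// an unusable firewall rule
				for _, r := range node.EgressGatewayRanges {
					if _, _, err := net.ParseCIDR(r); err != nil {
						continue
					}
					hostPeerUpdate.FwUpdate.EgressNetworks = append(hostPeerUpdate.FwUpdate.EgressNetworks, r)
				}
			}
			// … unchanged: else branch with GetAclRulesForNode …
```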

+ 1 - 0
models/mqtt.go

@@ -107,6 +107,7 @@ type KeyUpdate struct {
 type FwUpdate struct {
 	AllowAll        bool                   `json:"allow_all"`
 	AllowedNetworks []net.IPNet            `json:"networks"`
+	EgressNetworks  []string               `json:"egress_networks"`
 	IsEgressGw      bool                   `json:"is_egress_gw"`
 	IsIngressGw     bool                   `json:"is_ingress_gw"`
 	EgressInfo      map[string]EgressInfo  `json:"egress_info"`
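Review bot: The new `EgressNetworks` field has no doc comment, and its type differs from the neighbouring `AllowedNetworks` (`[]string` versus `[]net.IPNet`), so a reader of the struct cannot tell what format the strings carry or why they are not parsed like the other field. Based on the peers.go hunk, which appends `node.EgressGatewayRanges` verbatim, a comment such as `// EgressNetworks carries the EgressGatewayRanges of egress gateway nodes as range strings; unlike AllowedNetworks they are not parsed into net.IPNet on the server.` would document the contract. If the strings are meant to be CIDRs, saying so here tells the consumer which parser to apply.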