
check acls when calc peers

Matthew R Kasun 2 lat temu
rodzic
commit
3d30c19923
4 zmienionych plików z 49 dodań i 11 usunięć
  1. 3 1
      go.mod
  2. 8 2
      logic/peers.go
  3. 17 3
      logic/relay.go
  4. 21 5
      mq/relay.go

+ 3 - 1
go.mod

@@ -43,6 +43,7 @@ require (
 require (
 	github.com/devilcove/httpclient v0.6.0
 	github.com/guumaster/tablewriter v0.0.10
+	github.com/kr/pretty v0.3.1
 	github.com/matryer/is v1.4.1
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/spf13/cobra v1.7.0
@@ -52,8 +53,9 @@ require (
 	cloud.google.com/go/compute/metadata v0.2.1 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/kr/pretty v0.3.1 // indirect
+	github.com/kr/text v0.2.0 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
+	github.com/rogpeppe/go-internal v1.9.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 )
 

+ 8 - 2
logic/peers.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"log"
 	"net"
 	"net/netip"
 
@@ -785,8 +786,13 @@ func GetPeerUpdate(host *models.Host) []wgtypes.PeerConfig {
 				update.AllowedIPs = append(update.AllowedIPs, getRelayAllowedIPs(&peer)...)
 			}
 			//normal peer
-			update.AllowedIPs = append(update.AllowedIPs, AddAllowedIPs(&peer)...)
-			peerUpdate = append(peerUpdate, update)
+			if nodeacls.AreNodesAllowed(nodeacls.NetworkID(node.Network), nodeacls.NodeID(node.ID.String()), nodeacls.NodeID(peer.Node.ID.String())) {
+				log.Println("node allowed", client.Host.Name, peer.Host.Name)
+				update.AllowedIPs = append(update.AllowedIPs, AddAllowedIPs(&peer)...)
+				peerUpdate = append(peerUpdate, update)
+			} else {
+				log.Println("node not allowed", client.Host.Name, peer.Host.Name)
+			}
 		}
 	}
 	return peerUpdate
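Review bot: In the else branch at the `node not allowed` line the peer is silently omitted from `peerUpdate` rather than marked for removal, so whether an ACL change actually removes an already-configured peer depends on the caller applying the returned slice as a full replacement — that contract is not visible here, and `GetPeerUpdate` starts outside the hunk. If updates can be applied incrementally, `mq/relay.go` in this same commit already shows the pattern to use in the else branch: `update.Remove = true` followed by `peerUpdate = append(peerUpdate, update)`. The `log.Println` calls on both branches fire once per peer pair on every peer calculation and print host names through the standard `log` package rather than the project's `logger` package used elsewhere on this page; they read as leftover debugging and should either be dropped or demoted to a verbose level.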

+ 17 - 3
logic/relay.go

@@ -4,16 +4,20 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"log"
 	"net"
 
 	"github.com/gravitl/netmaker/database"
 	"github.com/gravitl/netmaker/logger"
+	"github.com/gravitl/netmaker/logic/acls/nodeacls"
 	"github.com/gravitl/netmaker/models"
+	"github.com/kr/pretty"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
 // CreateRelay - creates a relay
 func CreateRelay(relay models.RelayRequest) ([]models.Client, models.Node, error) {
+	pretty.Println("relay request", relay)
 	var relayedClients []models.Client
 	node, err := GetNodeByID(relay.NodeID)
 	if err != nil {
@@ -224,7 +228,12 @@ func peerUpdateForRelayedByRelay(relayed, relay *models.Client) wgtypes.PeerConf
 		if peer.Host.ID == relayed.Host.ID || peer.Host.ID == relay.Host.ID {
 			continue
 		}
-		update.AllowedIPs = append(update.AllowedIPs, AddAllowedIPs(&peer)...)
+		if nodeacls.AreNodesAllowed(nodeacls.NetworkID(relayed.Node.Network), nodeacls.NodeID(relayed.Node.ID.String()), nodeacls.NodeID(peer.Node.ID.String())) {
+			log.Println("node allowed", relayed.Host.Name, peer.Host.Name)
+			update.AllowedIPs = append(update.AllowedIPs, AddAllowedIPs(&peer)...)
+		} else {
+			log.Println("node not allowed", relayed.Host.Name, peer.Host.Name)
+		}
 	}
 	return update
 }
@@ -250,8 +259,13 @@ func peerUpdateForRelay(relay *models.Client, peers []models.Client) []wgtypes.P
 			},
 			PersistentKeepaliveInterval: &peer.Node.PersistentKeepalive,
 		}
-		update.AllowedIPs = append(update.AllowedIPs, AddAllowedIPs(&peer)...)
-		peerConfig = append(peerConfig, update)
+		if nodeacls.AreNodesAllowed(nodeacls.NetworkID(relay.Node.Network), nodeacls.NodeID(relay.Node.ID.String()), nodeacls.NodeID(peer.Node.ID.String())) {
+			log.Println("node allowed", relay.Host.Name, peer.Host.Name)
+			update.AllowedIPs = append(update.AllowedIPs, AddAllowedIPs(&peer)...)
+			peerConfig = append(peerConfig, update)
+		} else {
+			log.Println("node not allowed", relay.Host.Name, peer.Host.Name)
+		}
 	}
 	return peerConfig
 }
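Review bot: `pretty.Println("relay request", relay)` at the top of `CreateRelay` dumps the entire `RelayRequest` to stdout on every relay creation and is the only reason `github.com/kr/pretty` is promoted to a direct dependency in go.mod; it looks like leftover debugging and should be removed before merge (which also lets the go.mod change be reverted), or replaced with a `logger` call at a debug level that logs only the request's IDs. What `RelayRequest` carries is not visible on this page, so whether the dump exposes anything sensitive cannot be judged here. Separately, the deny semantics differ between the two hunks below: `peerUpdateForRelayedByRelay` still returns `update` with whatever AllowedIPs it had before the check, while `peerUpdateForRelay` drops the peer entirely; a one-line comment on each stating the intended effect on the relayed host's configuration would make that deliberate rather than accidental.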

+ 21 - 5
mq/relay.go

@@ -3,10 +3,12 @@ package mq
 import (
 	"encoding/json"
 	"fmt"
+	"log"
 	"net"
 
 	"github.com/gravitl/netmaker/logger"
 	"github.com/gravitl/netmaker/logic"
+	"github.com/gravitl/netmaker/logic/acls/nodeacls"
 	"github.com/gravitl/netmaker/models"
 	"github.com/gravitl/netmaker/servercfg"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
@@ -41,14 +43,19 @@ func PubPeerUpdate(client, relay *models.Client, peers []models.Client) {
 			},
 			PersistentKeepaliveInterval: &peer.Node.PersistentKeepalive,
 		}
-		update.AllowedIPs = append(update.AllowedIPs, logic.AddAllowedIPs(&peer)...)
+		if nodeacls.AreNodesAllowed(nodeacls.NetworkID(client.Node.Network), nodeacls.NodeID(client.Node.ID.String()), nodeacls.NodeID(peer.Node.ID.String())) {
+			log.Println("node allowed", client.Host.Name, peer.Host.Name)
+			update.AllowedIPs = append(update.AllowedIPs, logic.AddAllowedIPs(&peer)...)
+		} else {
+			log.Println("node not allowed", client.Host.Name, client.Node.Address, peer.Host.Name, peer.Node.Address)
+		}
 		if relay != nil {
 			if peer.Node.IsRelayed && peer.Node.RelayedBy == relay.Node.ID.String() {
 				update.Remove = true
 			}
 		}
 		if peer.Node.IsRelay {
-			update.AllowedIPs = append(update.AllowedIPs, getRelayAllowedIPs(peer)...)
+			update.AllowedIPs = append(update.AllowedIPs, getRelayAllowedIPs(*client, peer)...)
 		}
 		p.Peers = append(p.Peers, update)
 	}
@@ -61,7 +68,7 @@ func PubPeerUpdate(client, relay *models.Client, peers []models.Client) {
 }
 
 // getRelayAllowedIPs returns the list of allowedips for a given peer that is a relay
-func getRelayAllowedIPs(peer models.Client) []net.IPNet {
+func getRelayAllowedIPs(client, peer models.Client) []net.IPNet {
 	var relayIPs []net.IPNet
 	for _, relayed := range peer.Node.RelayedNodes {
 		node, err := logic.GetNodeByID(relayed)
@@ -69,6 +76,10 @@ func getRelayAllowedIPs(peer models.Client) []net.IPNet {
 			logger.Log(0, "retrieve relayed node", err.Error())
 			continue
 		}
+		if !nodeacls.AreNodesAllowed(nodeacls.NetworkID(client.Node.Network), nodeacls.NodeID(client.Node.ID.String()), nodeacls.NodeID(node.ID.String())) {
+			log.Println("node not allowed", client.Host.Name, node.Address.IP)
+			continue
+		}
 		if node.Address.IP != nil {
 			node.Address.Mask = net.CIDRMask(32, 32)
 			relayIPs = append(relayIPs, node.Address)
@@ -78,7 +89,7 @@ func getRelayAllowedIPs(peer models.Client) []net.IPNet {
 			relayIPs = append(relayIPs, node.Address6)
 		}
 		if node.IsRelay {
-			relayIPs = append(relayIPs, getRelayAllowedIPs(peer)...)
+			relayIPs = append(relayIPs, getRelayAllowedIPs(client, peer)...)
 		}
 		if node.IsEgressGateway {
 			relayIPs = append(relayIPs, getEgressIPs(peer)...)
@@ -192,7 +203,12 @@ func pubRelayedUpdate(client, relay *models.Client, peers []models.Client) {
 		if peer.Host.ID == relay.Host.ID || peer.Host.ID == client.Host.ID {
 			continue
 		}
-		update.AllowedIPs = append(update.AllowedIPs, logic.AddAllowedIPs(&peer)...)
+		if nodeacls.AreNodesAllowed(nodeacls.NetworkID(client.Node.Network), nodeacls.NodeID(client.Node.ID.String()), nodeacls.NodeID(peer.Node.ID.String())) {
+			log.Println("node allowed", client.Host.Name, peer.Host.Name)
+			update.AllowedIPs = append(update.AllowedIPs, logic.AddAllowedIPs(&peer)...)
+		} else {
+			log.Println("node not allowed", client.Host.Name, peer.Host.Name)
+		}
 	}
 	p.Peers = append(p.Peers, update)
 	data, err = json.Marshal(p)
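Review bot: In `PubPeerUpdate` the else branch at `log.Println("node not allowed", ...)` leaves `update` in the list: it is still appended to `p.Peers` a few lines later with only the relay-derived AllowedIPs (or none), so a denied peer stays installed on the client rather than being removed, and `pubRelayedUpdate` at the bottom of the section does the same. If denial is meant to remove the peer, the `update.Remove = true` pattern already used for relayed peers in this hunk fits: `} else { update.Remove = true }`; if it is meant to keep the peer with no routes, that should be stated in a comment, because `logic/peers.go` in the same commit drops denied peers entirely. The denied-peer log line in `PubPeerUpdate` also prints `client.Node.Address` and `peer.Node.Address` via the standard `log` package while the rest of the file uses `logger`; these look like debugging output and should be removed or moved to a verbose level. Finally, the recursion in `getRelayAllowedIPs` calls itself with the same `peer` rather than the relayed `node` that `IsRelay` — this is pre-existing, but it reads as though it would loop without end whenever a relayed node is itself a relay, so it is worth confirming that configuration cannot occur.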