abhishek9686 9 месяцев назад
Родитель
Сommit
58b6d54e61
4 измененных файлов с 148 добавлено и 3 удалено
  1. 144 0
      logic/acls.go
  2. 1 0
      logic/peers.go
  3. 2 2
      models/acl.go
  4. 1 1
      models/mqtt.go

+ 144 - 0
logic/acls.go

@@ -651,3 +651,147 @@ func RemoveDeviceTagFromAclPolicies(tagID models.TagID, netID models.NetworkID)
 	}
 	return nil
 }
+
+func GetAclRulesForNode(node *models.Node) (rules map[string][]models.AclRule) {
+	defaultPolicy, err := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
+	if err == nil && defaultPolicy.Enabled {
+
+		return map[string][]models.AclRule{
+			defaultPolicy.ID: []models.AclRule{
+				{
+					SrcIP:     node.NetworkRange,
+					SrcIP6:    node.NetworkRange6,
+					Proto:     []models.Protocol{models.ALL},
+					Direction: models.TrafficDirectionBi,
+					Allowed:   true,
+				},
+			},
+		}
+	}
+	taggedNodes := GetTagMapWithNodesByNetwork(models.NetworkID(node.Network))
+	acls := listDevicePolicies(models.NetworkID(node.Network))
+	//allowedNodeUniqueMap := make(map[string]struct{})
+	for nodeTag := range node.Tags {
+		for _, acl := range acls {
+			if acl.Default || !acl.Enabled {
+				continue
+			}
+			srcTags := convAclTagToValueMap(acl.Src)
+			dstTags := convAclTagToValueMap(acl.Dst)
+
+			if acl.AllowedDirection == models.TrafficDirectionBi {
+				var existsInSrcTag bool
+				var existsInDstTag bool
+				// if contains all resources, return entire cidr
+				if _, ok := srcTags["*"]; ok {
+					return []models.AclRule{
+						{
+							SrcIP:     node.NetworkRange,
+							SrcIP6:    node.NetworkRange6,
+							Proto:     []models.Protocol{models.ALL},
+							Port:      acl.Port,
+							Direction: acl.AllowedDirection,
+							Allowed:   true,
+						},
+					}
+				}
+				if _, ok := dstTags["*"]; ok {
+					return []models.AclRule{
+						{
+							SrcIP:     node.NetworkRange,
+							SrcIP6:    node.NetworkRange6,
+							Proto:     []models.Protocol{models.ALL},
+							Port:      acl.Port,
+							Direction: acl.AllowedDirection,
+							Allowed:   true,
+						},
+					}
+				}
+				if _, ok := srcTags[nodeTag.String()]; ok {
+					existsInSrcTag = true
+				}
+				if _, ok := dstTags[nodeTag.String()]; ok {
+					existsInDstTag = true
+				}
+				if existsInSrcTag {
+					// get all dst tags
+					for dst := range dstTags {
+						if dst == nodeTag.String() {
+							continue
+						}
+						// Get peers in the tags and add allowed rules
+						nodes := taggedNodes[models.TagID(dst)]
+						for _, node := range nodes {
+							rules = append(rules, models.AclRule{
+								SrcIP:     node.Address,
+								SrcIP6:    node.Address6,
+								Proto:     acl.Proto,
+								Port:      acl.Port,
+								Direction: acl.AllowedDirection,
+								Allowed:   true,
+							})
+						}
+					}
+
+				}
+				if existsInDstTag {
+					// get all src tags
+					for src := range srcTags {
+						if src == nodeTag.String() {
+							continue
+						}
+						// Get peers in the tags and add allowed rules
+						nodes := taggedNodes[models.TagID(src)]
+						for _, node := range nodes {
+							rules = append(rules, models.AclRule{
+								SrcIP:     node.Address,
+								SrcIP6:    node.Address6,
+								Proto:     acl.Proto,
+								Port:      acl.Port,
+								Direction: acl.AllowedDirection,
+								Allowed:   true,
+							})
+						}
+					}
+				}
+				if existsInDstTag && existsInSrcTag {
+					nodes := taggedNodes[nodeTag]
+					for _, node := range nodes {
+						rules = append(rules, models.AclRule{
+							SrcIP:     node.Address,
+							SrcIP6:    node.Address6,
+							Proto:     acl.Proto,
+							Port:      acl.Port,
+							Direction: acl.AllowedDirection,
+							Allowed:   true,
+						})
+					}
+				}
+			} else {
+				if _, ok := dstTags[nodeTag.String()]; ok {
+					// get all src tags
+					for src := range srcTags {
+						if src == nodeTag.String() {
+							continue
+						}
+						// Get peers in the tags and add allowed rules
+						nodes := taggedNodes[models.TagID(src)]
+						for _, node := range nodes {
+							rules = append(rules, models.AclRule{
+								SrcIP:     node.Address,
+								SrcIP6:    node.Address6,
+								Proto:     acl.Proto,
+								Port:      acl.Port,
+								Direction: acl.AllowedDirection,
+								Allowed:   true,
+							})
+						}
+					}
+				}
+			}
+
+		}
+	}
+
+	return
+}
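Review bot: The named result `rules` is declared as `map[string][]models.AclRule` on the signature line, yet the body does `rules = append(rules, models.AclRule{…})` in four places and the two wildcard branches `return []models.AclRule{…}`, so this hunk cannot compile as written, and the map is never made either. The fix is to add `rules = make(map[string][]models.AclRule)` before the tag loop, key each entry by the policy ID the default branch already uses (`rules[acl.ID] = append(rules[acl.ID], models.AclRule{…})`), and wrap the wildcard returns the same way (`map[string][]models.AclRule{acl.ID: {…}}`). That slice-valued map also disagrees with `FwUpdate.AclRules` in models/mqtt.go (`map[string]AclRule`) and the `make(map[string]models.AclRule)` added in logic/peers.go, so one of the two shapes has to be chosen before the result can be assigned. The wildcard branches emit `Proto: []models.Protocol{models.ALL}` while keeping `acl.Port`, which presumably was meant to be `Proto: acl.Proto` — as written a policy with a `*` tag but a narrowed protocol would be pushed to the peer as allow-all-protocols. The inner `for _, node := range nodes` loops shadow the `node` parameter; renaming the loop variable to `peer` would make it clear which address is being emitted.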

+ 1 - 0
logic/peers.go

@@ -76,6 +76,7 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 		FwUpdate: models.FwUpdate{
 			EgressInfo:  make(map[string]models.EgressInfo),
 			IngressInfo: make(map[string]models.IngressInfo),
+			AclRules:    make(map[string]models.AclRule),
 		},
 		PeerIDs:           make(models.PeerMap, 0),
 		Peers:             []wgtypes.PeerConfig{},

+ 2 - 2
models/acl.go

@@ -94,8 +94,8 @@ type ProtocolType struct {
 
 type AclRule struct {
 	SrcIP     net.IPNet
-	DstIP     net.IPNet
-	Proto     Protocol // tcp, udp, etc.
+	SrcIP6    net.IPNet
+	Proto     []Protocol // tcp, udp, etc.
 	Port      []int
 	Direction AllowedTrafficDirection // inbound or outbound
 	Allowed   bool
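Review bot: The exported `AclRule` type has no doc comment, and the new `SrcIP6` field is undocumented while `Proto` and `Direction` are; with `DstIP` dropped, a reader can no longer tell from the struct alone that every rule names only a peer source and relies on `Direction` for the other side. A line such as `// AclRule is one allow entry pushed to a host firewall; SrcIP/SrcIP6 are the peer's IPv4/IPv6 ranges and Direction says which way it applies.` above the type, plus `// peer IPv6 address or range` on `SrcIP6`, would cover it (the exact meaning of an empty `Port` slice is not visible here and should be stated too if it means "all ports").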

+ 1 - 1
models/mqtt.go

@@ -94,7 +94,7 @@ type FwUpdate struct {
 	IsIngressGw bool                   `json:"is_ingress_gw"`
 	EgressInfo  map[string]EgressInfo  `json:"egress_info"`
 	IngressInfo map[string]IngressInfo `json:"ingress_info"`
-	AclRules    []AclRule              `json:"acl_rules"`
+	AclRules    map[string]AclRule     `json:"acl_rules"`
 }
 
 // FailOverMeReq - struct for failover req