
fix user policy acls

abhishek9686 hace 10 meses
padre
commit
6b93163bd5
Se han modificado 4 ficheros con 11 adiciones y 10 borrados
  1. 3 1
      controllers/ext_client.go
  2. 1 5
      logic/acls.go
  3. 3 0
      pro/controllers/users.go
  4. 4 4
      pro/logic/user_mgmt.go

+ 3 - 1
controllers/ext_client.go

@@ -452,7 +452,9 @@ func createExtClient(w http.ResponseWriter, r *http.Request) {
 	extclient.OwnerID = userName
 	extclient.RemoteAccessClientID = customExtClient.RemoteAccessClientID
 	extclient.IngressGatewayID = nodeid
-
+	extclient.Tags = make(map[models.TagID]struct{})
+	extclient.Tags[models.TagID(fmt.Sprintf("%s.%s", extclient.Network,
+		models.RemoteAccessTagName))] = struct{}{}
 	// set extclient dns to ingressdns if extclient dns is not explicitly set
 	if (extclient.DNS == "") && (node.IngressDNS != "") {
 		extclient.DNS = node.IngressDNS
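Review bot: The added lines replace `extclient.Tags` wholesale with a fresh map holding only the remote-access tag, so any tags the caller may have supplied on the request (the hunk does not show whether `customExtClient` carries tags, so this is inferred) are silently dropped; if that is intended, say so in a comment, otherwise guard with `if extclient.Tags == nil { extclient.Tags = make(map[models.TagID]struct{}) }` before the assignment. The same tag is built by hand again in pro/controllers/users.go (getRemoteAccessGatewayConf) and the `"%s.%s"` join of network and `models.RemoteAccessTagName` also appears in logic/acls.go and pro/logic/user_mgmt.go, so a single constructor such as `func RemoteAccessTagID(net models.NetworkID) models.TagID` in models would keep the tag that the default ACL policies match on from drifting between the producers and the policies. The construction also assumes `extclient.Network` is already populated at this point, which createExtClient sets outside the hunk; the function begins and ends outside the hunk.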

+ 1 - 5
logic/acls.go

@@ -83,7 +83,7 @@ func CreateDefaultAclNetworkPolicies(netID models.NetworkID) {
 			Src: []models.AclPolicyTag{
 				{
 					ID:    models.DeviceAclID,
-					Value: fmt.Sprintf("%s.%s", netID, "remote-access-gws"),
+					Value: fmt.Sprintf("%s.%s", netID, models.RemoteAccessTagName),
 				},
 			},
 			Dst: []models.AclPolicyTag{
@@ -205,10 +205,6 @@ func IsAclPolicyValid(acl models.Acl) bool {
 			if dstI.ID == "" || dstI.Value == "" {
 				return false
 			}
-			if dstI.ID == models.UserAclID ||
-				dstI.ID == models.UserGroupAclID || dstI.ID == models.UserRoleAclID {
-				return false
-			}
 			if dstI.ID != models.DeviceAclID {
 				return false
 			}
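Review bot: The removed user/group/role rejection in the Dst loop was already subsumed by the `dstI.ID != models.DeviceAclID` check that immediately follows, so the accepted set of destination tags is unchanged; a comment on that line would stop the explicit list from being reintroduced: `// destinations must be device tags; user, group and role IDs all fail this check`. IsAclPolicyValid starts and ends outside the hunk, so the Src-side validation is not visible here and should be confirmed separately to still carry its own ID checks.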

+ 3 - 0
pro/controllers/users.go

@@ -995,6 +995,9 @@ func getRemoteAccessGatewayConf(w http.ResponseWriter, r *http.Request) {
 		if err == nil { // check if parent network default ACL is enabled (yes) or not (no)
 			userConf.Enabled = parentNetwork.DefaultACL == "yes"
 		}
+		userConf.Tags = make(map[models.TagID]struct{})
+		userConf.Tags[models.TagID(fmt.Sprintf("%s.%s", userConf.Network,
+			models.RemoteAccessTagName))] = struct{}{}
 		if err = logic.CreateExtClient(&userConf); err != nil {
 			slog.Error(
 				"failed to create extclient",

+ 4 - 4
pro/logic/user_mgmt.go

@@ -956,7 +956,7 @@ func CreateDefaultUserPolicies(netID models.NetworkID) {
 			Dst: []models.AclPolicyTag{
 				{
 					ID:    models.DeviceAclID,
-					Value: fmt.Sprintf("%s.%s", netID, "remote-access-gws"),
+					Value: fmt.Sprintf("%s.%s", netID, models.RemoteAccessTagName),
 				},
 			},
 			AllowedDirection: models.TrafficDirectionUni,
@@ -981,7 +981,7 @@ func CreateDefaultUserPolicies(netID models.NetworkID) {
 			Dst: []models.AclPolicyTag{
 				{
 					ID:    models.DeviceAclID,
-					Value: fmt.Sprintf("%s.%s", netID, "remote-access-gws"),
+					Value: fmt.Sprintf("%s.%s", netID, models.RemoteAccessTagName),
 				}},
 			AllowedDirection: models.TrafficDirectionUni,
 			Enabled:          true,
@@ -1006,7 +1006,7 @@ func CreateDefaultUserPolicies(netID models.NetworkID) {
 			Dst: []models.AclPolicyTag{
 				{
 					ID:    models.DeviceAclID,
-					Value: fmt.Sprintf("%s.%s", netID, "remote-access-gws"),
+					Value: fmt.Sprintf("%s.%s", netID, models.RemoteAccessTagName),
 				}},
 			AllowedDirection: models.TrafficDirectionUni,
 			Enabled:          true,
@@ -1031,7 +1031,7 @@ func CreateDefaultUserPolicies(netID models.NetworkID) {
 			Dst: []models.AclPolicyTag{
 				{
 					ID:    models.DeviceAclID,
-					Value: fmt.Sprintf("%s.%s", netID, "remote-access-gws"),
+					Value: fmt.Sprintf("%s.%s", netID, models.RemoteAccessTagName),
 				}},
 			AllowedDirection: models.TrafficDirectionUni,
 			Enabled:          true,