resolve merge conflicts

logic/acls.go

@@ -50,6 +50,43 @@ func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
 		// if nodeI.StaticNode.IngressGatewayID != node.ID.String() {
 		// 	continue
 		// }
+		if IsNodeAllowedToCommunicateWithAllRsrcs(nodeI) {
+			if nodeI.Address.IP != nil {
+				rules = append(rules, models.FwRule{
+					SrcIP: net.IPNet{
+						IP:   nodeI.Address.IP,
+						Mask: net.CIDRMask(32, 32),
+					},
+					Allow: true,
+				})
+				rules = append(rules, models.FwRule{
+					SrcIP: node.NetworkRange,
+					DstIP: net.IPNet{
+						IP:   nodeI.Address.IP,
+						Mask: net.CIDRMask(32, 32),
+					},
+					Allow: true,
+				})
+			}
+			if nodeI.Address6.IP != nil {
+				rules = append(rules, models.FwRule{
+					SrcIP: net.IPNet{
+						IP:   nodeI.Address6.IP,
+						Mask: net.CIDRMask(128, 128),
+					},
+					Allow: true,
+				})
+				rules = append(rules, models.FwRule{
+					SrcIP: node.NetworkRange6,
+					DstIP: net.IPNet{
+						IP:   nodeI.Address.IP,
+						Mask: net.CIDRMask(128, 128),
+					},
+					Allow: true,
+				})
+			}
+			continue
+		}
 		for _, peer := range nodes {
 			if peer.StaticNode.ClientID == nodeI.StaticNode.ClientID || peer.IsUserNode {
 				continue
@@ -74,6 +111,37 @@ func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
 			}
 		}
 	}
+	if len(node.RelayedNodes) > 0 {
+		for _, relayedNodeID := range node.RelayedNodes {
+			relayedNode, err := GetNodeByID(relayedNodeID)
+			if err != nil {
+				continue
+			}
+
+			if relayedNode.Address.IP != nil {
+				relayedFwRule := models.FwRule{
+					AllowedProtocol: models.ALL,
+					AllowedPorts:    []string{},
+					Allow:           true,
+				}
+				relayedFwRule.DstIP = relayedNode.AddressIPNet4()
+				relayedFwRule.SrcIP = node.NetworkRange
+				rules = append(rules, relayedFwRule)
+			}
+
+			if relayedNode.Address6.IP != nil {
+				relayedFwRule := models.FwRule{
+					AllowedProtocol: models.ALL,
+					AllowedPorts:    []string{},
+					Allow:           true,
+				}
+				relayedFwRule.DstIP = relayedNode.AddressIPNet6()
+				relayedFwRule.SrcIP = node.NetworkRange6
+				rules = append(rules, relayedFwRule)
+			}
+
+		}
+	}
 	return
 }
 
@@ -851,6 +919,60 @@ func MigrateAclPolicies() {
 
 }
 
+func IsNodeAllowedToCommunicateWithAllRsrcs(node models.Node) bool {
+	// check default policy if all allowed return true
+	defaultPolicy, err := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
+	if err == nil {
+		if defaultPolicy.Enabled {
+			return true
+		}
+	}
+	var nodeId string
+	if node.IsStatic {
+		nodeId = node.StaticNode.ClientID
+		node = node.StaticNode.ConvertToStaticNode()
+	} else {
+		nodeId = node.ID.String()
+	}
+	nodeTags := make(map[models.TagID]struct{})
+
+	nodeTags[models.TagID(nodeId)] = struct{}{}
+	if node.IsGw {
+		nodeTags[models.TagID(fmt.Sprintf("%s.%s", node.Network, models.GwTagName))] = struct{}{}
+	}
+	// list device policies
+	policies := ListDevicePolicies(models.NetworkID(node.Network))
+	srcMap := make(map[string]struct{})
+	dstMap := make(map[string]struct{})
+	defer func() {
+		srcMap = nil
+		dstMap = nil
+	}()
+	for _, policy := range policies {
+		if !policy.Enabled {
+			continue
+		}
+		srcMap = ConvAclTagToValueMap(policy.Src)
+		dstMap = ConvAclTagToValueMap(policy.Dst)
+		_, srcAll := srcMap["*"]
+		_, dstAll := dstMap["*"]
+
+		for tagID := range nodeTags {
+			if srcAll {
+				if _, ok := dstMap[tagID.String()]; ok {
+					return true
+				}
+			}
+			if dstAll {
+				if _, ok := srcMap[tagID.String()]; ok {
+					return true
+				}
+			}
+		}
+	}
+	return false
+}
+
 // IsNodeAllowedToCommunicate - check node is allowed to communicate with the peer // ADD ALLOWED DIRECTION - 0 => node -> peer, 1 => peer-> node,
 func isNodeAllowedToCommunicate(node, peer models.Node, checkDefaultPolicy bool) (bool, []models.Acl) {
 	var nodeId, peerId string

logic/extpeers.go

@@ -729,12 +729,7 @@ func GetStaticNodesByNetwork(network models.NetworkID, onlyWg bool) (staticNode
 			if onlyWg && extI.RemoteAccessClientID != "" {
 				continue
 			}
-			n := models.Node{
-				IsStatic:   true,
-				StaticNode: extI,
-				IsUserNode: extI.RemoteAccessClientID != "",
-			}
-			staticNode = append(staticNode, n)
+			staticNode = append(staticNode, extI.ConvertToStaticNode())
 		}
 	}
 

logic/peers.go

@@ -242,7 +242,13 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 			if peer.EgressDetails.IsEgressGateway {
 				AddEgressInfoToPeerByAccess(&node, &peer, eli, acls, defaultDevicePolicy.Enabled)
 			}
+			if node.Mutex != nil {
+				node.Mutex.Lock()
+			}
 			_, isFailOverPeer := node.FailOverPeers[peer.ID.String()]
+			if node.Mutex != nil {
+				node.Mutex.Unlock()
+			}
 			if peer.EgressDetails.IsEgressGateway {
 				peerKey := peerHost.PublicKey.String()
 				if isFailOverPeer && peer.FailedOverBy.String() != node.ID.String() {

models/settings.go

@@ -19,8 +19,8 @@ type ServerSettings struct {
 	GoogleAdminEmail    string   `json:"google_admin_email"`
 	GoogleSACredsJson   string   `json:"google_sa_creds_json"`
 	AzureTenant         string   `json:"azure_tenant"`
-	OktaOrgURL                     string   `json:"okta_org_url"`
-	OktaAPIToken                   string   `json:"okta_api_token"`
+	OktaOrgURL          string   `json:"okta_org_url"`
+	OktaAPIToken        string   `json:"okta_api_token"`
 	UserFilters         []string `json:"user_filters"`
 	GroupFilters        []string `json:"group_filters"`
 	IDPSyncInterval     string   `json:"idp_sync_interval"`

pro/auth/sync.go

@@ -3,6 +3,10 @@ package auth
 import (
 	"context"
 	"fmt"
+	"strings"
+	"sync"
+	"time"
+
 	"github.com/gravitl/netmaker/database"
 	"github.com/gravitl/netmaker/logger"
 	"github.com/gravitl/netmaker/logic"
@@ -12,9 +16,6 @@ import (
 	"github.com/gravitl/netmaker/pro/idp/google"
 	"github.com/gravitl/netmaker/pro/idp/okta"
 	proLogic "github.com/gravitl/netmaker/pro/logic"
-	"strings"
-	"sync"
-	"time"
 )
 
 var (

pro/controllers/failover.go

@@ -110,7 +110,13 @@ func resetFailOver(w http.ResponseWriter, r *http.Request) {
 	for _, node := range nodes {
 		if node.FailedOverBy != uuid.Nil {
 			node.FailedOverBy = uuid.Nil
+			if node.Mutex != nil {
+				node.Mutex.Lock()
+			}
 			node.FailOverPeers = make(map[string]struct{})
+			if node.Mutex != nil {
+				node.Mutex.Unlock()
+			}
 			logic.UpsertNode(&node)
 		}
 	}

pro/logic/acls.go

@@ -17,6 +17,27 @@ func GetFwRulesForUserNodesOnGw(node models.Node, nodes []models.Node) (rules []
 	defaultUserPolicy, _ := logic.GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
 	userNodes := logic.GetStaticUserNodesByNetwork(models.NetworkID(node.Network))
 	for _, userNodeI := range userNodes {
+		if defaultUserPolicy.Enabled {
+			if userNodeI.StaticNode.Address != "" {
+				rules = append(rules, models.FwRule{
+					SrcIP:           userNodeI.StaticNode.AddressIPNet4(),
+					DstIP:           net.IPNet{},
+					AllowedProtocol: models.ALL,
+					AllowedPorts:    []string{},
+					Allow:           true,
+				})
+			}
+			if userNodeI.StaticNode.Address6 != "" {
+				rules = append(rules, models.FwRule{
+					SrcIP:           userNodeI.StaticNode.AddressIPNet6(),
+					DstIP:           net.IPNet{},
+					AllowedProtocol: models.ALL,
+					AllowedPorts:    []string{},
+					Allow:           true,
+				})
+			}
+			continue
+		}
 		for _, peer := range nodes {
 			if peer.IsUserNode {
 				continue
@@ -26,68 +47,76 @@ func GetFwRulesForUserNodesOnGw(node models.Node, nodes []models.Node) (rules []
 				if peer.IsStatic {
 					peer = peer.StaticNode.ConvertToStaticNode()
 				}
-				if !defaultUserPolicy.Enabled {
-					for _, policy := range allowedPolicies {
-						if userNodeI.StaticNode.Address != "" {
-							rules = append(rules, models.FwRule{
-								SrcIP: userNodeI.StaticNode.AddressIPNet4(),
-								DstIP: net.IPNet{
-									IP:   peer.Address.IP,
-									Mask: net.CIDRMask(32, 32),
-								},
-								AllowedProtocol: policy.Proto,
-								AllowedPorts:    policy.Port,
-								Allow:           true,
-							})
-						}
-						if userNodeI.StaticNode.Address6 != "" {
+				for _, policy := range allowedPolicies {
+					if userNodeI.StaticNode.Address != "" {
+						rules = append(rules, models.FwRule{
+							SrcIP: userNodeI.StaticNode.AddressIPNet4(),
+							DstIP: net.IPNet{
+								IP:   peer.Address.IP,
+								Mask: net.CIDRMask(32, 32),
+							},
+							AllowedProtocol: policy.Proto,
+							AllowedPorts:    policy.Port,
+							Allow:           true,
+						})
+					}
+					if userNodeI.StaticNode.Address6 != "" {
+						rules = append(rules, models.FwRule{
+							SrcIP: userNodeI.StaticNode.AddressIPNet6(),
+							DstIP: net.IPNet{
+								IP:   peer.Address6.IP,
+								Mask: net.CIDRMask(128, 128),
+							},
+							AllowedProtocol: policy.Proto,
+							AllowedPorts:    policy.Port,
+							Allow:           true,
+						})
+					}
+
+					// add egress ranges
+					for _, dstI := range policy.Dst {
+						if dstI.Value == "*" {
 							rules = append(rules, models.FwRule{
-								SrcIP: userNodeI.StaticNode.AddressIPNet6(),
-								DstIP: net.IPNet{
-									IP:   peer.Address6.IP,
-									Mask: net.CIDRMask(128, 128),
-								},
+								SrcIP:           userNodeI.StaticNode.AddressIPNet4(),
+								DstIP:           net.IPNet{},
 								AllowedProtocol: policy.Proto,
 								AllowedPorts:    policy.Port,
 								Allow:           true,
 							})
+							break
 						}
+						if dstI.ID == models.EgressID {
 
-						// add egress ranges
-						for _, dstI := range policy.Dst {
-							if dstI.ID == models.EgressID {
+							e := schema.Egress{ID: dstI.Value}
+							err := e.Get(db.WithContext(context.TODO()))
+							if err != nil {
+								continue
+							}
+							dstI.Value = e.Range
 
-								e := schema.Egress{ID: dstI.Value}
-								err := e.Get(db.WithContext(context.TODO()))
-								if err != nil {
-									continue
-								}
-								dstI.Value = e.Range
-
-								ip, cidr, err := net.ParseCIDR(dstI.Value)
-								if err == nil {
-									if ip.To4() != nil && userNodeI.StaticNode.Address != "" {
-										rules = append(rules, models.FwRule{
-											SrcIP:           userNodeI.StaticNode.AddressIPNet4(),
-											DstIP:           *cidr,
-											AllowedProtocol: policy.Proto,
-											AllowedPorts:    policy.Port,
-											Allow:           true,
-										})
-									} else if ip.To16() != nil && userNodeI.StaticNode.Address6 != "" {
-										rules = append(rules, models.FwRule{
-											SrcIP:           userNodeI.StaticNode.AddressIPNet6(),
-											DstIP:           *cidr,
-											AllowedProtocol: policy.Proto,
-											AllowedPorts:    policy.Port,
-											Allow:           true,
-										})
-									}
+							ip, cidr, err := net.ParseCIDR(dstI.Value)
+							if err == nil {
+								if ip.To4() != nil && userNodeI.StaticNode.Address != "" {
+									rules = append(rules, models.FwRule{
+										SrcIP:           userNodeI.StaticNode.AddressIPNet4(),
+										DstIP:           *cidr,
+										AllowedProtocol: policy.Proto,
+										AllowedPorts:    policy.Port,
+										Allow:           true,
+									})
+								} else if ip.To16() != nil && userNodeI.StaticNode.Address6 != "" {
+									rules = append(rules, models.FwRule{
+										SrcIP:           userNodeI.StaticNode.AddressIPNet6(),
+										DstIP:           *cidr,
+										AllowedProtocol: policy.Proto,
+										AllowedPorts:    policy.Port,
+										Allow:           true,
+									})
 								}
 							}
 						}
-
 					}
+
 				}
 
 			}
@@ -922,6 +951,8 @@ func getEgressUserRulesForNode(targetnode *models.Node,
 	if len(egs) == 0 {
 		return rules
 	}
+	defaultPolicy, _ := logic.GetDefaultPolicy(models.NetworkID(targetnode.Network), models.UserPolicy)
+
 	for _, egI := range egs {
 		if !egI.Status {
 			continue
@@ -931,74 +962,69 @@ func getEgressUserRulesForNode(targetnode *models.Node,
 			targetNodeTags[models.TagID(egI.ID)] = struct{}{}
 		}
 	}
-	for _, acl := range acls {
-		if !acl.Enabled {
-			continue
-		}
-		dstTags := logic.ConvAclTagToValueMap(acl.Dst)
-		for _, dst := range acl.Dst {
-			if dst.ID == models.EgressID {
-				e := schema.Egress{ID: dst.Value}
-				err := e.Get(db.WithContext(context.TODO()))
-				if err == nil && e.Status {
-					for nodeID := range e.Nodes {
-						dstTags[nodeID] = struct{}{}
+	if !defaultPolicy.Enabled {
+		for _, acl := range acls {
+			if !acl.Enabled {
+				continue
+			}
+			dstTags := logic.ConvAclTagToValueMap(acl.Dst)
+			for _, dst := range acl.Dst {
+				if dst.ID == models.EgressID {
+					e := schema.Egress{ID: dst.Value}
+					err := e.Get(db.WithContext(context.TODO()))
+					if err == nil && e.Status {
+						for nodeID := range e.Nodes {
+							dstTags[nodeID] = struct{}{}
+						}
+						dstTags[e.Range] = struct{}{}
 					}
-					dstTags[e.Range] = struct{}{}
 				}
 			}
-		}
-		_, all := dstTags["*"]
-		addUsers := false
-		if !all {
-			for nodeTag := range targetNodeTags {
-				if _, ok := dstTags[nodeTag.String()]; ok {
-					addUsers = true
-					break
+			_, all := dstTags["*"]
+			addUsers := false
+			if !all {
+				for nodeTag := range targetNodeTags {
+					if _, ok := dstTags[nodeTag.String()]; ok {
+						addUsers = true
+						break
+					}
 				}
-			}
-		} else {
-			addUsers = true
-		}
-
-		if addUsers {
-			// get all src tags
-			for _, srcAcl := range acl.Src {
-				if srcAcl.ID == models.UserAclID {
-					allowedUsers[srcAcl.Value] = append(allowedUsers[srcAcl.Value], acl)
-				} else if srcAcl.ID == models.UserGroupAclID {
-					// fetch all users in the group
-					if usersMap, ok := userGrpMap[models.UserGroupID(srcAcl.Value)]; ok {
-						for userName := range usersMap {
-							allowedUsers[userName] = append(allowedUsers[userName], acl)
+			} else {
+				addUsers = true
+			}
+
+			if addUsers {
+				// get all src tags
+				for _, srcAcl := range acl.Src {
+					if srcAcl.ID == models.UserAclID {
+						allowedUsers[srcAcl.Value] = append(allowedUsers[srcAcl.Value], acl)
+					} else if srcAcl.ID == models.UserGroupAclID {
+						// fetch all users in the group
+						if usersMap, ok := userGrpMap[models.UserGroupID(srcAcl.Value)]; ok {
+							for userName := range usersMap {
+								allowedUsers[userName] = append(allowedUsers[userName], acl)
+							}
 						}
 					}
 				}
 			}
-		}
 
+		}
 	}
 
-	for _, userNode := range userNodes {
-		if !userNode.StaticNode.Enabled {
-			continue
-		}
-		acls, ok := allowedUsers[userNode.StaticNode.OwnerID]
-		if !ok {
-			continue
+	if defaultPolicy.Enabled {
+		r := models.AclRule{
+			ID:              defaultPolicy.ID,
+			AllowedProtocol: defaultPolicy.Proto,
+			AllowedPorts:    defaultPolicy.Port,
+			Direction:       defaultPolicy.AllowedDirection,
+			Allowed:         true,
 		}
-		for _, acl := range acls {
-
-			if !acl.Enabled {
+		for _, userNode := range userNodes {
+			if !userNode.StaticNode.Enabled {
 				continue
 			}
-			r := models.AclRule{
-				ID:              acl.ID,
-				AllowedProtocol: acl.Proto,
-				AllowedPorts:    acl.Port,
-				Direction:       acl.AllowedDirection,
-				Allowed:         true,
-			}
+
 			// Get peers in the tags and add allowed rules
 			if userNode.StaticNode.Address != "" {
 				r.IPList = append(r.IPList, userNode.StaticNode.AddressIPNet4())
@@ -1006,36 +1032,70 @@ func getEgressUserRulesForNode(targetnode *models.Node,
 			if userNode.StaticNode.Address6 != "" {
 				r.IP6List = append(r.IP6List, userNode.StaticNode.AddressIPNet6())
 			}
-			for _, dstI := range acl.Dst {
-				if dstI.ID == models.EgressID {
-					e := schema.Egress{ID: dstI.Value}
-					err := e.Get(db.WithContext(context.TODO()))
-					if err != nil {
-						continue
-					}
+		}
+		rules[defaultPolicy.ID] = r
+	} else {
+		for _, userNode := range userNodes {
+			if !userNode.StaticNode.Enabled {
+				continue
+			}
+
+			acls, ok := allowedUsers[userNode.StaticNode.OwnerID]
+			if !ok {
+				continue
+			}
+			for _, acl := range acls {
+
+				if !acl.Enabled {
+					continue
+				}
+				r := models.AclRule{
+					ID:              acl.ID,
+					AllowedProtocol: acl.Proto,
+					AllowedPorts:    acl.Port,
+					Direction:       acl.AllowedDirection,
+					Allowed:         true,
+				}
+				// Get peers in the tags and add allowed rules
+				if userNode.StaticNode.Address != "" {
+					r.IPList = append(r.IPList, userNode.StaticNode.AddressIPNet4())
+				}
+				if userNode.StaticNode.Address6 != "" {
+					r.IP6List = append(r.IP6List, userNode.StaticNode.AddressIPNet6())
+				}
+				for _, dstI := range acl.Dst {
+					if dstI.ID == models.EgressID {
+						e := schema.Egress{ID: dstI.Value}
+						err := e.Get(db.WithContext(context.TODO()))
+						if err != nil {
+							continue
+						}
+
+						ip, cidr, err := net.ParseCIDR(e.Range)
+						if err == nil {
+							if ip.To4() != nil {
+								r.Dst = append(r.Dst, *cidr)
+							} else {
+								r.Dst6 = append(r.Dst6, *cidr)
+							}
 
-					ip, cidr, err := net.ParseCIDR(e.Range)
-					if err == nil {
-						if ip.To4() != nil {
-							r.Dst = append(r.Dst, *cidr)
-						} else {
-							r.Dst6 = append(r.Dst6, *cidr)
 						}
 
 					}
 
 				}
-
-			}
-			if aclRule, ok := rules[acl.ID]; ok {
-				aclRule.IPList = append(aclRule.IPList, r.IPList...)
-				aclRule.IP6List = append(aclRule.IP6List, r.IP6List...)
-				rules[acl.ID] = aclRule
-			} else {
-				rules[acl.ID] = r
+				if aclRule, ok := rules[acl.ID]; ok {
+					aclRule.IPList = append(aclRule.IPList, r.IPList...)
+					aclRule.IP6List = append(aclRule.IP6List, r.IP6List...)
+					rules[acl.ID] = aclRule
+				} else {
+					rules[acl.ID] = r
+				}
 			}
+
 		}
 	}
+
 	return rules
 }
 
@@ -1056,63 +1116,58 @@ func getUserAclRulesForNode(targetnode *models.Node,
 	if targetNodeTags == nil {
 		targetNodeTags = make(map[models.TagID]struct{})
 	}
+	defaultPolicy, _ := logic.GetDefaultPolicy(models.NetworkID(targetnode.Network), models.UserPolicy)
 	targetNodeTags[models.TagID(targetnode.ID.String())] = struct{}{}
-	for _, acl := range acls {
-		if !acl.Enabled {
-			continue
-		}
-		dstTags := logic.ConvAclTagToValueMap(acl.Dst)
-		_, all := dstTags["*"]
-		addUsers := false
-		if !all {
-			for nodeTag := range targetNodeTags {
-				if _, ok := dstTags[nodeTag.String()]; ok {
-					addUsers = true
-					break
-				}
+	if !defaultPolicy.Enabled {
+		for _, acl := range acls {
+			if !acl.Enabled {
+				continue
 			}
-		} else {
-			addUsers = true
-		}
-
-		if addUsers {
-			// get all src tags
-			for _, srcAcl := range acl.Src {
-				if srcAcl.ID == models.UserAclID {
-					allowedUsers[srcAcl.Value] = append(allowedUsers[srcAcl.Value], acl)
-				} else if srcAcl.ID == models.UserGroupAclID {
-					// fetch all users in the group
-					if usersMap, ok := userGrpMap[models.UserGroupID(srcAcl.Value)]; ok {
-						for userName := range usersMap {
-							allowedUsers[userName] = append(allowedUsers[userName], acl)
+			dstTags := logic.ConvAclTagToValueMap(acl.Dst)
+			_, all := dstTags["*"]
+			addUsers := false
+			if !all {
+				for nodeTag := range targetNodeTags {
+					if _, ok := dstTags[nodeTag.String()]; ok {
+						addUsers = true
+						break
+					}
+				}
+			} else {
+				addUsers = true
+			}
+
+			if addUsers {
+				// get all src tags
+				for _, srcAcl := range acl.Src {
+					if srcAcl.ID == models.UserAclID {
+						allowedUsers[srcAcl.Value] = append(allowedUsers[srcAcl.Value], acl)
+					} else if srcAcl.ID == models.UserGroupAclID {
+						// fetch all users in the group
+						if usersMap, ok := userGrpMap[models.UserGroupID(srcAcl.Value)]; ok {
+							for userName := range usersMap {
+								allowedUsers[userName] = append(allowedUsers[userName], acl)
+							}
 						}
 					}
 				}
 			}
-		}
 
-	}
-
-	for _, userNode := range userNodes {
-		if !userNode.StaticNode.Enabled {
-			continue
 		}
-		acls, ok := allowedUsers[userNode.StaticNode.OwnerID]
-		if !ok {
-			continue
+	}
+	if defaultPolicy.Enabled {
+		r := models.AclRule{
+			ID:              defaultPolicy.ID,
+			AllowedProtocol: defaultPolicy.Proto,
+			AllowedPorts:    defaultPolicy.Port,
+			Direction:       defaultPolicy.AllowedDirection,
+			Allowed:         true,
 		}
-		for _, acl := range acls {
-
-			if !acl.Enabled {
+		for _, userNode := range userNodes {
+			if !userNode.StaticNode.Enabled {
 				continue
 			}
-			r := models.AclRule{
-				ID:              acl.ID,
-				AllowedProtocol: acl.Proto,
-				AllowedPorts:    acl.Port,
-				Direction:       acl.AllowedDirection,
-				Allowed:         true,
-			}
+
 			// Get peers in the tags and add allowed rules
 			if userNode.StaticNode.Address != "" {
 				r.IPList = append(r.IPList, userNode.StaticNode.AddressIPNet4())
@@ -1120,16 +1175,47 @@ func getUserAclRulesForNode(targetnode *models.Node,
 			if userNode.StaticNode.Address6 != "" {
 				r.IP6List = append(r.IP6List, userNode.StaticNode.AddressIPNet6())
 			}
-			if aclRule, ok := rules[acl.ID]; ok {
-				aclRule.IPList = append(aclRule.IPList, r.IPList...)
-				aclRule.IP6List = append(aclRule.IP6List, r.IP6List...)
-				aclRule.IPList = logic.UniqueIPNetList(aclRule.IPList)
-				aclRule.IP6List = logic.UniqueIPNetList(aclRule.IP6List)
-				rules[acl.ID] = aclRule
-			} else {
-				r.IPList = logic.UniqueIPNetList(r.IPList)
-				r.IP6List = logic.UniqueIPNetList(r.IP6List)
-				rules[acl.ID] = r
+		}
+		rules[defaultPolicy.ID] = r
+	} else {
+		for _, userNode := range userNodes {
+			if !userNode.StaticNode.Enabled {
+				continue
+			}
+			acls, ok := allowedUsers[userNode.StaticNode.OwnerID]
+			if !ok {
+				continue
+			}
+			for _, acl := range acls {
+
+				if !acl.Enabled {
+					continue
+				}
+				r := models.AclRule{
+					ID:              acl.ID,
+					AllowedProtocol: acl.Proto,
+					AllowedPorts:    acl.Port,
+					Direction:       acl.AllowedDirection,
+					Allowed:         true,
+				}
+				// Get peers in the tags and add allowed rules
+				if userNode.StaticNode.Address != "" {
+					r.IPList = append(r.IPList, userNode.StaticNode.AddressIPNet4())
+				}
+				if userNode.StaticNode.Address6 != "" {
+					r.IP6List = append(r.IP6List, userNode.StaticNode.AddressIPNet6())
+				}
+				if aclRule, ok := rules[acl.ID]; ok {
+					aclRule.IPList = append(aclRule.IPList, r.IPList...)
+					aclRule.IP6List = append(aclRule.IP6List, r.IP6List...)
+					aclRule.IPList = logic.UniqueIPNetList(aclRule.IPList)
+					aclRule.IP6List = logic.UniqueIPNetList(aclRule.IP6List)
+					rules[acl.ID] = aclRule
+				} else {
+					r.IPList = logic.UniqueIPNetList(r.IPList)
+					r.IP6List = logic.UniqueIPNetList(r.IP6List)
+					rules[acl.ID] = r
+				}
 			}
 		}
 	}
@@ -1228,9 +1314,9 @@ func CheckIfAnyPolicyisUniDirectional(targetNode models.Node, acls []models.Acl)
 func GetAclRulesForNode(targetnodeI *models.Node) (rules map[string]models.AclRule) {
 	targetnode := *targetnodeI
 	defer func() {
-		if !targetnode.IsIngressGateway {
-			rules = getUserAclRulesForNode(&targetnode, rules)
-		}
+		//if !targetnode.IsIngressGateway {
+		rules = getUserAclRulesForNode(&targetnode, rules)
+		//}
 	}()
 	rules = make(map[string]models.AclRule)
 	var taggedNodes map[models.TagID][]models.Node

pro/logic/failover.go

@@ -51,8 +51,20 @@ func CheckFailOverCtx(failOverNode, victimNode, peerNode models.Node) error {
 	if victimNode.FailOverPeers == nil {
 		return nil
 	}
+	if peerNode.Mutex != nil {
+		peerNode.Mutex.Lock()
+	}
 	_, peerHasFailovered := peerNode.FailOverPeers[victimNode.ID.String()]
+	if peerNode.Mutex != nil {
+		peerNode.Mutex.Unlock()
+	}
+	if victimNode.Mutex != nil {
+		victimNode.Mutex.Lock()
+	}
 	_, victimHasFailovered := victimNode.FailOverPeers[peerNode.ID.String()]
+	if victimNode.Mutex != nil {
+		victimNode.Mutex.Unlock()
+	}
 	if peerHasFailovered && victimHasFailovered &&
 		victimNode.FailedOverBy == failOverNode.ID && peerNode.FailedOverBy == failOverNode.ID {
 		return errors.New("failover ctx is already set")
@@ -68,14 +80,38 @@ func SetFailOverCtx(failOverNode, victimNode, peerNode models.Node) error {
 	if victimNode.FailOverPeers == nil {
 		victimNode.FailOverPeers = make(map[string]struct{})
 	}
+	if peerNode.Mutex != nil {
+		peerNode.Mutex.Lock()
+	}
 	_, peerHasFailovered := peerNode.FailOverPeers[victimNode.ID.String()]
+	if peerNode.Mutex != nil {
+		peerNode.Mutex.Unlock()
+	}
+	if victimNode.Mutex != nil {
+		victimNode.Mutex.Lock()
+	}
 	_, victimHasFailovered := victimNode.FailOverPeers[peerNode.ID.String()]
+	if victimNode.Mutex != nil {
+		victimNode.Mutex.Unlock()
+	}
 	if peerHasFailovered && victimHasFailovered &&
 		victimNode.FailedOverBy == failOverNode.ID && peerNode.FailedOverBy == failOverNode.ID {
 		return errors.New("failover ctx is already set")
 	}
+	if peerNode.Mutex != nil {
+		peerNode.Mutex.Lock()
+	}
 	peerNode.FailOverPeers[victimNode.ID.String()] = struct{}{}
+	if peerNode.Mutex != nil {
+		peerNode.Mutex.Unlock()
+	}
+	if victimNode.Mutex != nil {
+		victimNode.Mutex.Lock()
+	}
 	victimNode.FailOverPeers[peerNode.ID.String()] = struct{}{}
+	if victimNode.Mutex != nil {
+		victimNode.Mutex.Unlock()
+	}
 	victimNode.FailedOverBy = failOverNode.ID
 	peerNode.FailedOverBy = failOverNode.ID
 	if err := logic.UpsertNode(&victimNode); err != nil {

pro/util.go

@@ -5,6 +5,7 @@ package pro
 
 import (
 	"encoding/base64"
+
 	"github.com/gravitl/netmaker/models"
 
 	"github.com/gravitl/netmaker/logic"