
Merge pull request #3497 from gravitl/v0.99_fixes

v0.99: egress policy fix
Abhishek K 3 月之前
父节点
当前提交
b86aea9d09
共有 2 个文件被更改,包括 11 次插入11 次删除
  1. 9 10
      logic/egress.go
  2. 2 1
      logic/peers.go

+ 9 - 10
logic/egress.go

@@ -46,16 +46,15 @@ func DoesNodeHaveAccessToEgress(node *models.Node, e *schema.Egress, acls []mode
 		}
 		srcVal := ConvAclTagToValueMap(acl.Src)
 		for _, dstI := range acl.Dst {
-
-			if dstI.ID == models.NodeTagID && dstI.Value == "*" {
-				return true
-			}
-			if dstI.ID == models.EgressID && dstI.Value == e.ID {
-				e := schema.Egress{ID: dstI.Value}
-				err := e.Get(db.WithContext(context.TODO()))
-				if err != nil {
-					continue
+			if (dstI.ID == models.EgressID && dstI.Value == e.ID) || (dstI.ID == models.NodeTagID && dstI.Value == "*") {
+				if dstI.ID == models.EgressID {
+					e := schema.Egress{ID: dstI.Value}
+					err := e.Get(db.WithContext(context.TODO()))
+					if err != nil {
+						continue
+					}
 				}
+
 				if node.IsStatic {
 					if _, ok := srcVal[node.StaticNode.ClientID]; ok {
 						return true
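Review bot: The inner `e := schema.Egress{ID: dstI.Value}` shadows the function's `e *schema.Egress` parameter, and the `continue` after a failed `e.Get` discards the error, so a database failure and a deleted egress both look like "no matching policy". Denying on error is the right default for an access check, but the failure should be observable: rename the local, for example `eg := schema.Egress{ID: dstI.Value}`, and log the error before `continue`. The combined condition also deserves a comment such as `// a "*" node-tag destination is not granted unconditionally; the source must still match below`, since that is the security-relevant behaviour change here. The body of DoesNodeHaveAccessToEgress starts before this hunk and continues past it.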
@@ -71,8 +70,8 @@ func DoesNodeHaveAccessToEgress(node *models.Node, e *schema.Egress, acls []mode
 						return true
 					}
 				}
-
 			}
+
 		}
 	}
 	return false

+ 2 - 1
logic/peers.go

@@ -207,7 +207,8 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 		defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
 		defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
 		if (defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled) ||
-			(!CheckIfAnyPolicyisUniDirectional(node, acls) && !CheckIfAnyActiveEgressPolicy(node, acls)) {
+			(!CheckIfAnyPolicyisUniDirectional(node, acls) &&
+				!(node.EgressDetails.IsEgressGateway && len(node.EgressDetails.EgressGatewayRanges) > 0)) {
 			aclRule := models.AclRule{
 				ID:              fmt.Sprintf("%s-allowed-network-rules", node.ID.String()),
 				AllowedProtocol: models.ALL,
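Review bot: The second clause of this `if` decides whether the node gets the `%s-allowed-network-rules` rule with `AllowedProtocol: models.ALL`, and it now depends on the node's own egress configuration instead of on `acls`, with no comment explaining why. I would add one above the `if`, for example `// unless both default policies are enabled, an egress gateway with configured ranges never gets the allow-all rule; its traffic must match an explicit policy`. Both `GetDefaultPolicy` errors on the context lines above are discarded with `_`, so a failed lookup cannot be told apart from a disabled default policy when this condition runs; that is worth handling where the result gates an allow-all rule. If `CheckIfAnyActiveEgressPolicy` has no other callers after this change, it can presumably be removed. The enclosing GetPeerUpdateForHost starts and ends outside the hunk.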