
fix egress policies acls comms

abhishek9686 5 months ago
parent
commit
d4a08d04b5
2 changed files with 47 additions and 2 deletions
  1. 46 1
      logic/acls.go
  2. 1 1
      logic/peers.go

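--- a/logic/acls.go
+++ b/logic/acls.go
@@ -1334,6 +1334,51 @@ func getUserAclRulesForNode(targetnode *models.Node,
 	return rules
 }
 
+func checkIfAnyActiveEgressPolicy(targetNode models.Node) bool {
+	if !targetNode.IsEgressGateway {
+		return false
+	}
+	var targetNodeTags = make(map[models.TagID]struct{})
+	if targetNode.Mutex != nil {
+		targetNode.Mutex.Lock()
+		targetNodeTags = maps.Clone(targetNode.Tags)
+		targetNode.Mutex.Unlock()
+	} else {
+		targetNodeTags = maps.Clone(targetNode.Tags)
+	}
+	if targetNodeTags == nil {
+		targetNodeTags = make(map[models.TagID]struct{})
+	}
+	targetNodeTags[models.TagID(targetNode.ID.String())] = struct{}{}
+	targetNodeTags["*"] = struct{}{}
+	acls, _ := ListAclsByNetwork(models.NetworkID(targetNode.Network))
+	for _, acl := range acls {
+		if !acl.Enabled {
+			continue
+		}
+		srcTags := convAclTagToValueMap(acl.Src)
+		dstTags := convAclTagToValueMap(acl.Dst)
+		for nodeTag := range targetNodeTags {
+			if acl.RuleType == models.DevicePolicy {
+				if _, ok := srcTags[nodeTag.String()]; ok {
+					return true
+				}
+				if _, ok := srcTags[targetNode.ID.String()]; ok {
+					return true
+				}
+			}
+
+			if _, ok := dstTags[nodeTag.String()]; ok {
+				return true
+			}
+			if _, ok := dstTags[targetNode.ID.String()]; ok {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 func checkIfAnyPolicyisUniDirectional(targetNode models.Node) bool {
 	var targetNodeTags = make(map[models.TagID]struct{})
 	if targetNode.Mutex != nil {
@@ -1617,7 +1662,7 @@ func GetEgressRulesForNode(targetnode models.Node) (rules map[string]models.AclR
 	/*
 		 if target node is egress gateway
 			if acl policy has egress route and it is present in target node egress ranges
-			fetches all the nodes in that policy and add rules
+			fetch all the nodes in that policy and add rules
 	*/
 
 	for _, rangeI := range targetnode.EgressGatewayRanges {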
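Review bot: `acls, _ := ListAclsByNetwork(models.NetworkID(targetNode.Network))` in the new checkIfAnyActiveEgressPolicy discards the lookup error, so a failure to read the network's ACLs yields the same `false` as "no egress policy exists", and the caller in logic/peers.go (this commit's other hunk) then takes the branch that appends the node's whole NetworkRange to AllowedNetworks. A policy-store failure should not widen firewall rules; keeping the error and returning on the restrictive side, `acls, err := ListAclsByNetwork(models.NetworkID(targetNode.Network))` then `if err != nil { return true } // fail closed: an unreadable policy set must not widen allowed networks`, or surfacing the error to the caller, keeps the failure visible. Separately, the `srcTags[targetNode.ID.String()]` and `dstTags[targetNode.ID.String()]` checks inside the `for nodeTag` loop are loop-invariant and already covered, because the node ID is inserted into targetNodeTags before the loop, so they can be dropped. The second hunk in this file only fixes a comment typo.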

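--- a/logic/peers.go
+++ b/logic/peers.go
@@ -204,7 +204,7 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 		defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
 		defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
 
-		if (defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled) || !checkIfAnyPolicyisUniDirectional(node) {
+		if (defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled) || (!checkIfAnyPolicyisUniDirectional(node) && !checkIfAnyActiveEgressPolicy(node)) {
 			if node.NetworkRange.IP != nil {
 				hostPeerUpdate.FwUpdate.AllowedNetworks = append(hostPeerUpdate.FwUpdate.AllowedNetworks, node.NetworkRange)
 			}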
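Review bot: The rewritten `if` now mixes `||` and `&&` across three predicates with no comment on why an egress node with an active policy is excluded from the whole-range allow, which makes the firewall decision hard to audit at a glance. A named boolean before the `if`, such as `allowWholeRange := (defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled) || (!checkIfAnyPolicyisUniDirectional(node) && !checkIfAnyActiveEgressPolicy(node))`, preceded by `// an egress node covered by an active policy gets per-rule entries instead of its whole NetworkRange`, would make the intent explicit. Both helpers each list the network's ACLs on every call, and since `node` looks like a per-node loop variable this is presumably two ACL lookups per node per peer update; if that is hot, caching the listing per network would avoid it. GetPeerUpdateForHost starts outside this hunk.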