
fixed default ACLs and peer update deletion logic

0xdcarns 2 years ago
parent
commit
d6f9d37be9
2 changed files with 31 additions and 44 deletions
  1. 8 4
      controllers/node.go
  2. 23 40
      logic/peers.go

+ 8 - 4
controllers/node.go

@@ -908,7 +908,7 @@ func updateNode(w http.ResponseWriter, r *http.Request) {
 		relayedUpdate = true
 	}
 	ifaceDelta := logic.IfaceDelta(&currentNode, newNode)
-
+	aclUpdate := currentNode.DefaultACL != newNode.DefaultACL
 	if ifaceDelta && servercfg.Is_EE {
 		if err = logic.EnterpriseResetAllPeersFailovers(currentNode.ID, currentNode.Network); err != nil {
 			logger.Log(0, "failed to reset failover lists during node update for node", currentNode.ID.String(), currentNode.Network)
@@ -941,13 +941,17 @@ func updateNode(w http.ResponseWriter, r *http.Request) {
 	logger.Log(1, r.Header.Get("user"), "updated node", currentNode.ID.String(), "on network", currentNode.Network)
 	w.WriteHeader(http.StatusOK)
 	json.NewEncoder(w).Encode(apiNode)
-
 	runUpdates(newNode, ifaceDelta)
-	go func() {
+	go func(aclUpdate bool, newNode *models.Node) {
+		if aclUpdate {
+			if err := mq.PublishPeerUpdate(); err != nil {
+				logger.Log(0, "error during node ACL update for node", newNode.ID.String())
+			}
+		}
 		if err := mq.PublishReplaceDNS(&currentNode, newNode, host); err != nil {
 			logger.Log(1, "failed to publish dns update", err.Error())
 		}
-	}()
+	}(aclUpdate, newNode)
 }
 
 // swagger:route DELETE /api/nodes/{network}/{nodeid} nodes deleteNode
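Review bot: The log line `logger.Log(0, "error during node ACL update for node", newNode.ID.String())` in the `@@ -941,13 +941,17 @@` hunk drops the error itself, unlike the DNS log two lines below; `logger.Log(0, "error during node ACL update for node", newNode.ID.String(), err.Error())` keeps the cause. The goroutine now takes `aclUpdate` and `newNode` as explicit arguments but still closes over `currentNode` and `host`, which is valid Go but an inconsistent style — pass all of them or none. The new `aclUpdate := currentNode.DefaultACL != newNode.DefaultACL` in the earlier hunk deserves a why-comment such as `// a changed default ACL must be pushed to every peer, even when no interface fields changed`. If `runUpdates(newNode, ifaceDelta)` already publishes a peer update when `ifaceDelta` is set (not visible here), a node update that changes both the interface and DefaultACL would publish twice, which may be acceptable but is worth confirming. updateNode's body starts before the first hunk.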

+ 23 - 40
logic/peers.go

@@ -3,7 +3,6 @@ package logic
 import (
 	"errors"
 	"fmt"
-	"log"
 	"net"
 	"net/netip"
 
@@ -137,10 +136,7 @@ func GetPeerUpdateForHost(network string, host *models.Host, deletedNode *models
 		Peers:      []wgtypes.PeerConfig{},
 		NodePeers:  []wgtypes.PeerConfig{},
 	}
-	var deletedNodes = []models.Node{} // used to track deleted nodes
-	if deletedNode != nil {
-		deletedNodes = append(deletedNodes, *deletedNode)
-	}
+
 	logger.Log(1, "peer update for host", host.ID.String())
 	peerIndexMap := make(map[string]int)
 	for _, nodeID := range host.Nodes {
@@ -154,7 +150,6 @@ func GetPeerUpdateForHost(network string, host *models.Host, deletedNode *models
 		}
 		currentPeers, err := GetNetworkNodes(node.Network)
 		if err != nil {
-			log.Println("no network nodes")
 			return models.HostPeerUpdate{}, err
 		}
 		var nodePeerMap map[string]models.PeerRouteInfo
@@ -168,10 +163,6 @@ func GetPeerUpdateForHost(network string, host *models.Host, deletedNode *models
 				//skip yourself
 				continue
 			}
-			if peer.Action == models.NODE_DELETE || peer.PendingDelete {
-				deletedNodes = append(deletedNodes, peer) // track deleted node for peer update
-				continue
-			}
 			var peerConfig wgtypes.PeerConfig
 			peerHost, err := GetHost(peer.HostID.String())
 			if err != nil {
@@ -179,16 +170,6 @@ func GetPeerUpdateForHost(network string, host *models.Host, deletedNode *models
 				return models.HostPeerUpdate{}, err
 			}
 
-			if !peer.Connected {
-				logger.Log(2, "peer update, skipping unconnected node", peer.ID.String())
-				//skip unconnected nodes
-				continue
-			}
-			if !nodeacls.AreNodesAllowed(nodeacls.NetworkID(node.Network), nodeacls.NodeID(node.ID.String()), nodeacls.NodeID(peer.ID.String())) {
-				logger.Log(2, "peer update, skipping node for acl")
-				//skip if not permitted by acl
-				continue
-			}
 			peerConfig.PublicKey = peerHost.PublicKey
 			peerConfig.PersistentKeepaliveInterval = &peer.PersistentKeepalive
 			peerConfig.ReplaceAllowedIPs = true
@@ -225,7 +206,14 @@ func GetPeerUpdateForHost(network string, host *models.Host, deletedNode *models
 			if peer.IsEgressGateway {
 				allowedips = append(allowedips, getEgressIPs(&node, &peer)...)
 			}
-			peerConfig.AllowedIPs = allowedips
+			if peer.Action != models.NODE_DELETE &&
+				!peer.PendingDelete &&
+				peer.Connected &&
+				nodeacls.AreNodesAllowed(nodeacls.NetworkID(node.Network), nodeacls.NodeID(node.ID.String()), nodeacls.NodeID(peer.ID.String())) &&
+				(deletedNode == nil || (deletedNode != nil && peer.ID.String() != deletedNode.ID.String())) {
+				peerConfig.AllowedIPs = allowedips // only append allowed IPs if valid connection
+			}
+
 			if node.IsIngressGateway || node.IsEgressGateway {
 				if peer.IsIngressGateway {
 					_, extPeerIDAndAddrs, err := getExtPeers(&peer)
@@ -354,27 +342,22 @@ func GetPeerUpdateForHost(network string, host *models.Host, deletedNode *models
 			}
 		}
 	}
+	// == post peer calculations ==
+	// indicate removal if no allowed IPs were calculated
+	for i := range hostPeerUpdate.Peers {
+		peer := hostPeerUpdate.Peers[i]
+		if len(peer.AllowedIPs) == 0 {
+			peer.Remove = true
+		}
+		hostPeerUpdate.Peers[i] = peer
+	}
 
-	// run through delete nodes
-	if len(deletedNodes) > 0 {
-		for i := range deletedNodes {
-			delNode := deletedNodes[i]
-			delHost, err := GetHost(delNode.HostID.String())
-			if err != nil {
-				continue
-			}
-			if _, ok := hostPeerUpdate.HostPeerIDs[delHost.PublicKey.String()]; !ok {
-				var peerConfig = wgtypes.PeerConfig{}
-				peerConfig.PublicKey = delHost.PublicKey
-				peerConfig.Endpoint = &net.UDPAddr{
-					IP:   delHost.EndpointIP,
-					Port: GetPeerListenPort(delHost),
-				}
-				peerConfig.Remove = true
-				peerConfig.AllowedIPs = []net.IPNet{delNode.Address, delNode.Address6}
-				hostPeerUpdate.Peers = append(hostPeerUpdate.Peers, peerConfig)
-			}
+	for i := range hostPeerUpdate.NodePeers {
+		peer := hostPeerUpdate.NodePeers[i]
+		if len(peer.AllowedIPs) == 0 {
+			peer.Remove = true
 		}
+		hostPeerUpdate.NodePeers[i] = peer
 	}
 
 	return hostPeerUpdate, nil
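Review bot: The guard `(deletedNode == nil || (deletedNode != nil && peer.ID.String() != deletedNode.ID.String()))` in the `@@ -225,7 +206,14 @@` hunk carries a redundant `deletedNode != nil`; `deletedNode == nil || peer.ID.String() != deletedNode.ID.String()` is equivalent and reads as intended. More importantly, that guard now only decides whether `allowedips` is copied into `peerConfig.AllowedIPs`, and removal is inferred later from `len(peer.AllowedIPs) == 0`; the `getExtPeers` branch that follows is cut off by the hunk, so if it appends ext-client routes to `peerConfig.AllowedIPs` without the same checks, a peer rejected by `nodeacls.AreNodesAllowed` or pending deletion could still be pushed with allowed IPs and never marked Remove — worth confirming, or applying the same guard there. A comment on the guard would help the next reader: `// a peer failing any check keeps no AllowedIPs and is marked Remove in the post-peer pass below`. The removed deletedNodes handling also covered a deleted node whose host was absent from the update; if `GetNetworkNodes` no longer returns a node by the time this runs for `deletedNode`, there is now no entry to mark Remove, which is inferred rather than visible here. GetPeerUpdateForHost begins before the first hunk.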