首页 发现 帮助
登录
golang
/
netmaker
镜像自地址 https://github.com/gravitl/netmaker
2
0
派生 0
文件 工单管理 0 Wiki
浏览代码

fix egress policies acls comms (#3420)

Abhishek K 5 月之前
父节点
b5842b7b06
当前提交
e2a0ceccf6
共有 2 个文件被更改,包括 47 次插入2 次删除
合并视图 显示文件统计
  1. 46 1
      logic/acls.go
  2. 1 1
      logic/peers.go

+ 46 - 1
logic/acls.go
查看文件 

@@ -1334,6 +1334,51 @@ func getUserAclRulesForNode(targetnode *models.Node,
 
 	return rules
 
 	return rules
 
 }
 
 }
 
 
 
+func checkIfAnyActiveEgressPolicy(targetNode models.Node) bool {
 
+	if !targetNode.IsEgressGateway {
 
+		return false
 
+	}
 
+	var targetNodeTags = make(map[models.TagID]struct{})
 
+	if targetNode.Mutex != nil {
 
+		targetNode.Mutex.Lock()
 
+		targetNodeTags = maps.Clone(targetNode.Tags)
 
+		targetNode.Mutex.Unlock()
 
+	} else {
 
+		targetNodeTags = maps.Clone(targetNode.Tags)
 
+	}
 
+	if targetNodeTags == nil {
 
+		targetNodeTags = make(map[models.TagID]struct{})
 
+	}
 
+	targetNodeTags[models.TagID(targetNode.ID.String())] = struct{}{}
 
+	targetNodeTags["*"] = struct{}{}
 
+	acls, _ := ListAclsByNetwork(models.NetworkID(targetNode.Network))
 
+	for _, acl := range acls {
 
+		if !acl.Enabled {
 
+			continue
 
+		}
 
+		srcTags := convAclTagToValueMap(acl.Src)
 
+		dstTags := convAclTagToValueMap(acl.Dst)
 
+		for nodeTag := range targetNodeTags {
 
+			if acl.RuleType == models.DevicePolicy {
 
+				if _, ok := srcTags[nodeTag.String()]; ok {
 
+					return true
 
+				}
 
+				if _, ok := srcTags[targetNode.ID.String()]; ok {
 
+					return true
 
+				}
 
+			}
 
+
 
+			if _, ok := dstTags[nodeTag.String()]; ok {
 
+				return true
 
+			}
 
+			if _, ok := dstTags[targetNode.ID.String()]; ok {
 
+				return true
 
+			}
 
+		}
 
+	}
 
+	return false
 
+}
 
+
 
 func checkIfAnyPolicyisUniDirectional(targetNode models.Node) bool {
 
 func checkIfAnyPolicyisUniDirectional(targetNode models.Node) bool {
 
 	var targetNodeTags = make(map[models.TagID]struct{})
 
 	var targetNodeTags = make(map[models.TagID]struct{})
 
 	if targetNode.Mutex != nil {
 
 	if targetNode.Mutex != nil {
 
@@ -1617,7 +1662,7 @@ func GetEgressRulesForNode(targetnode models.Node) (rules map[string]models.AclR
 
 	/*
 
 	/*
 
 		 if target node is egress gateway
 
 		 if target node is egress gateway
 
 			if acl policy has egress route and it is present in target node egress ranges
 
 			if acl policy has egress route and it is present in target node egress ranges
 
-			fetches all the nodes in that policy and add rules
 
+			fetch all the nodes in that policy and add rules
 
 	*/
 
 	*/
 
 
 
 	for _, rangeI := range targetnode.EgressGatewayRanges {
 
 	for _, rangeI := range targetnode.EgressGatewayRanges {

+ 1 - 1
logic/peers.go
查看文件 

@@ -204,7 +204,7 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 
 		defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
 
 		defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
 
 		defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
 
 		defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
 
 
 
-		if (defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled) || !checkIfAnyPolicyisUniDirectional(node) {
 
+		if (defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled) || (!checkIfAnyPolicyisUniDirectional(node) && !checkIfAnyActiveEgressPolicy(node)) {
 
 			if node.NetworkRange.IP != nil {
 
 			if node.NetworkRange.IP != nil {
 
 				hostPeerUpdate.FwUpdate.AllowedNetworks = append(hostPeerUpdate.FwUpdate.AllowedNetworks, node.NetworkRange)
 
 				hostPeerUpdate.FwUpdate.AllowedNetworks = append(hostPeerUpdate.FwUpdate.AllowedNetworks, node.NetworkRange)
 
 			}
 
 			}