From 599a9c6f4a90758eafdb02b679a63619246ae765 Mon Sep 17 00:00:00 2001
From: Abhishek K
Date: Wed, 4 Jun 2025 08:04:40 +0530
Subject: [PATCH] NET-1932: handle non-inet egress ranges on inet gw (#3479)
* move relevant acl and tag code to CE and Pro pkgs
* intialise pro acl funcs
* list gateways by user access
* check user gw access by policies
* filter out user policies on CE
* filter out tagged policies on CE
* fix ce acl comms
* allow gateways tag
* allow gateway tag on CE, remove failover and gw check on acl policy
* add gw rules func to pro
* add inet gw support on CE
* add egress acl API
* add egress acl API
* fix(go): set is_gw when converting api node to server node;
* fix(go): set is_gw when converting api node to server node;
* fix policy validity checker for inet gws
* move dns option to host model
* fix node removal from egress policy on delete
* add migration logic for ManageDNS
* fix dns json field
* fix nil error on node tags
* add egress info to relayed nodes
* fix default network user policy
* fix egress migration
* fix egress migration
* add failover inet gw check
* optiomise egress calls
* auto create gw on inet egress node
* optimise egress calls
* add global user role check
* fix egress on inet gw
---------
Co-authored-by: Vishal Dalwadi
---
controllers/middleware.go | 5 ++++-
logic/extpeers.go | 15 +++++++++++----
logic/peers.go | 7 ++-----
models/user_mgmt.go | 1 +
pro/logic/user_mgmt.go | 1 -
5 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/controllers/middleware.go b/controllers/middleware.go
index 98cb8571..abc22611 100644
--- a/controllers/middleware.go
+++ b/controllers/middleware.go
@@ -50,8 +50,11 @@ func userMiddleWare(handler http.Handler) http.Handler {
 if strings.Contains(route, "createrelay") || strings.Contains(route, "deleterelay") {
 r.Header.Set("TARGET_RSRC", models.RelayRsrc.String())
 }
-
 if strings.Contains(route, "gateway") {
+ r.Header.Set("TARGET_RSRC", models.GatewayRsrc.String())
+ }
+
+ if strings.Contains(route, "egress") {
 r.Header.Set("TARGET_RSRC", models.EgressGwRsrc.String())
 }
 if strings.Contains(route, "networks") {
diff --git a/logic/extpeers.go b/logic/extpeers.go
index 4b621672..ea571054 100644
--- a/logic/extpeers.go
+++ b/logic/extpeers.go
@@ -81,12 +81,19 @@ func GetEgressRangesOnNetwork(client *models.ExtClient) ([]string, error) {
 continue
 }
 GetNodeEgressInfo(¤tNode, eli)
- if currentNode.EgressDetails.IsInternetGateway && client.IngressGatewayID != currentNode.ID.String() {
- continue
- }
 if currentNode.EgressDetails.IsEgressGateway { // add the egress gateway range(s) to the result
 if len(currentNode.EgressDetails.EgressGatewayRanges) > 0 {
- result = append(result, currentNode.EgressDetails.EgressGatewayRanges...)
+ if currentNode.EgressDetails.IsInternetGateway && client.IngressGatewayID != currentNode.ID.String() {
+ for _, rangeI := range currentNode.EgressDetails.EgressGatewayRanges {
+ if rangeI == "0.0.0.0/0" || rangeI == "::/0" {
+ continue
+ } else {
+ result = append(result, rangeI)
+ }
+ }
+ } else {
+ result = append(result, currentNode.EgressDetails.EgressGatewayRanges...)
+ }
 }
 }
 }
diff --git a/logic/peers.go b/logic/peers.go
index db919ece..bc388184 100644
--- a/logic/peers.go
+++ b/logic/peers.go
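Review bot: The new `gateway` and `egress` blocks are independent `strings.Contains` tests that each overwrite TARGET_RSRC, so a route whose path contains both substrings is classified by whichever check runs last (here `EgressGwRsrc`), and the `networks` check that follows can override both again. If this header is what the downstream authorization step keys on, that precedence should be explicit rather than an accident of statement order: make the matches a single `switch`/`else if` chain so exactly one resource is assigned per request, or at least state the intended override order in a comment such as `// later matches take precedence: egress overrides gateway, networks overrides both`. A `switch { case strings.Contains(route, "egress"): … }` would also make the first-match rule obvious to the next reader. userMiddleWare starts and ends outside the hunk.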
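Review bot: The default-route filter at the new `if rangeI == "0.0.0.0/0" || rangeI == "::/0"` compares raw strings, so any other spelling of an all-zero prefix (for example `::0/0` or `0000::/0`, or a stored value with stray whitespace) slips past it and is handed to ext clients attached to other gateways — the very route this change is meant to withhold from them. Parsing each range with `netip.ParsePrefix` (stdlib `net/netip`) and testing `Bits() == 0` catches every equivalent form, and the `else` after `continue` can be dropped; entries that fail to parse keep the existing behaviour of being appended. `¤tNode` on the GetNodeEgressInfo context line is an extraction artefact of `&currentNode`, not part of the change. GetEgressRangesOnNetwork starts and ends outside the hunk.
```go
// isDefaultRoute reports whether s is a CIDR covering an entire address
// family (0.0.0.0/0, ::/0 or any equivalent spelling).
func isDefaultRoute(s string) bool {
	p, err := netip.ParsePrefix(s)
	return err == nil && p.Bits() == 0
}

// … unchanged: node loop and GetNodeEgressInfo call …
			if currentNode.EgressDetails.IsInternetGateway && client.IngressGatewayID != currentNode.ID.String() {
				for _, rangeI := range currentNode.EgressDetails.EgressGatewayRanges {
					if isDefaultRoute(rangeI) {
						continue // default routes come only from the client's own inet gateway
					}
					result = append(result, rangeI)
				}
			} else {
				result = append(result, currentNode.EgressDetails.EgressGatewayRanges...)
			}
```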
@@ -186,12 +186,9 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 }
 defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
 defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
- anyActiveEgressPolicy := CheckIfAnyActiveEgressPolicy(node)
- nodeHasAccessToAllRsrcs := CheckIfNodeHasAccessToAllResources(&node)
- anyUniDirectionPolicy := CheckIfAnyPolicyisUniDirectional(node)
 if (defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled) ||
- (!anyUniDirectionPolicy && !anyActiveEgressPolicy) ||
- nodeHasAccessToAllRsrcs {
+ (!CheckIfAnyPolicyisUniDirectional(node) && !CheckIfAnyActiveEgressPolicy(node)) ||
+ CheckIfNodeHasAccessToAllResources(&node) {
 aclRule := models.AclRule{
 ID: fmt.Sprintf("%s-allowed-network-rules", node.ID.String()),
 AllowedProtocol: models.ALL,
diff --git a/models/user_mgmt.go b/models/user_mgmt.go
index 94fa9595..2a09b13a 100644
--- a/models/user_mgmt.go
+++ b/models/user_mgmt.go
@@ -65,6 +65,7 @@ const (
 HostRsrc RsrcType = "hosts"
 RelayRsrc RsrcType = "relays"
 RemoteAccessGwRsrc RsrcType = "remote_access_gw"
+ GatewayRsrc RsrcType = "gateways"
 ExtClientsRsrc RsrcType = "extclients"
 InetGwRsrc RsrcType = "inet_gw"
 EgressGwRsrc RsrcType = "egress"
diff --git a/pro/logic/user_mgmt.go b/pro/logic/user_mgmt.go
index 119f9735..389b1bb8 100644
--- a/pro/logic/user_mgmt.go
+++ b/pro/logic/user_mgmt.go
@@ -761,7 +761,6 @@ func GetUserRAGNodes(user models.User) (gws map[string]models.Node) {
 }
 }
 }
- }
 }
 return
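Review bot: The rewritten condition packs three policy lookups into one expression with nothing saying why the node is granted an allow-all rule, which makes this authorization decision hard to audit when the named intermediates are gone. A one-line comment above the `if`, e.g. `// allow-all rule when both default policies are on, when no policy needs per-peer filtering, or when the node may reach every resource`, would restore that. Short-circuit evaluation now skips the later Check* calls whenever an earlier clause holds; that is presumably the intended saving, but if any of those helpers has side effects the changed evaluation order should be confirmed. GetPeerUpdateForHost starts and ends outside the hunk.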