From d55baebac5b2ca5e065d602b9edf370f3852ba61 Mon Sep 17 00:00:00 2001
From: abhishek9686
Date: Thu, 27 Mar 2025 15:59:33 +0400
Subject: [PATCH] add metric route to ext client addrs
---
 logic/acls.go | 170 ----------------------------------------------
 logic/extpeers.go | 11 ++-
 2 files changed, 9 insertions(+), 172 deletions(-)
diff --git a/logic/acls.go b/logic/acls.go
index 0e595de3..07d7178c 100644
--- a/logic/acls.go
+++ b/logic/acls.go
@@ -1054,176 +1054,6 @@ func IsNodeAllowedToCommunicateV1(node, peer models.Node, checkDefaultPolicy boo
 return false, allowedPolicies
 }
-// IsNodeAllowedToCommunicate - check node is allowed to communicate with the peer
-func IsNodeAllowedToCommunicate(node, peer models.Node, checkDefaultPolicy bool) (bool, []models.Acl) {
- var nodeId, peerId string
- if node.IsStatic {
- nodeId = node.StaticNode.ClientID
- node = node.StaticNode.ConvertToStaticNode()
- } else {
- nodeId = node.ID.String()
- }
- if peer.IsStatic {
- peerId = peer.StaticNode.ClientID
- peer = peer.StaticNode.ConvertToStaticNode()
- } else {
- peerId = peer.ID.String()
- }
-
- var nodeTags, peerTags map[models.TagID]struct{}
- if node.Mutex != nil {
- node.Mutex.Lock()
- nodeTags = maps.Clone(node.Tags)
- node.Mutex.Unlock()
- } else {
- nodeTags = node.Tags
- }
- if peer.Mutex != nil {
- peer.Mutex.Lock()
- peerTags = maps.Clone(peer.Tags)
- peer.Mutex.Unlock()
- } else {
- peerTags = peer.Tags
- }
- if nodeTags == nil {
- nodeTags = make(map[models.TagID]struct{})
- }
- if peerTags == nil {
- peerTags = make(map[models.TagID]struct{})
- }
- nodeTags[models.TagID(nodeId)] = struct{}{}
- peerTags[models.TagID(peerId)] = struct{}{}
- if checkDefaultPolicy {
- // check default policy if all allowed return true
- defaultPolicy, err := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
- if err == nil {
- if defaultPolicy.Enabled {
- return true, []models.Acl{defaultPolicy}
- }
- }
- }
- allowedPolicies := []models.Acl{}
- // list device policies
- policies := listDevicePolicies(models.NetworkID(peer.Network))
- srcMap := make(map[string]struct{})
- dstMap := make(map[string]struct{})
- defer func() {
- srcMap = nil
- dstMap = nil
- }()
- for _, policy := range policies {
- if !policy.Enabled {
- continue
- }
- srcMap = convAclTagToValueMap(policy.Src)
- dstMap = convAclTagToValueMap(policy.Dst)
- _, srcAll := srcMap["*"]
- _, dstAll := dstMap["*"]
- if policy.AllowedDirection == models.TrafficDirectionBi {
- if _, ok := srcMap[nodeId]; ok || srcAll {
- if _, ok := dstMap[peerId]; ok || dstAll {
- allowedPolicies = append(allowedPolicies, policy)
- continue
- }
-
- }
- if _, ok := dstMap[nodeId]; ok || dstAll {
- if _, ok := srcMap[peerId]; ok || srcAll {
- allowedPolicies = append(allowedPolicies, policy)
- continue
- }
- }
- }
- if _, ok := dstMap[nodeId]; ok || dstAll {
- if _, ok := srcMap[peerId]; ok || srcAll {
- allowedPolicies = append(allowedPolicies, policy)
- continue
- }
- }
- for tagID := range nodeTags {
- allowed := false
- if _, ok := dstMap[tagID.String()]; policy.AllowedDirection == models.TrafficDirectionBi && ok || dstAll {
- if srcAll {
- allowed = true
- allowedPolicies = append(allowedPolicies, policy)
- break
- }
- for tagID := range peerTags {
- if _, ok := srcMap[tagID.String()]; ok {
- allowed = true
- break
- }
- }
- }
- if allowed {
- allowedPolicies = append(allowedPolicies, policy)
- break
- }
- if _, ok := srcMap[tagID.String()]; ok || srcAll {
- if dstAll {
- allowed = true
- allowedPolicies = append(allowedPolicies, policy)
- break
- }
- for tagID := range peerTags {
- if _, ok := dstMap[tagID.String()]; ok {
- allowed = true
- break
- }
- }
- }
- if allowed {
- allowedPolicies = append(allowedPolicies, policy)
- break
- }
- }
- for tagID := range peerTags {
- allowed := false
- if _, ok := dstMap[tagID.String()]; ok || dstAll {
- if srcAll {
- allowed = true
- allowedPolicies = append(allowedPolicies, policy)
- break
- }
- for tagID := range nodeTags {
-
- if _, ok := srcMap[tagID.String()]; ok || srcAll {
- allowed = true
- break
- }
- }
- }
- if allowed {
- allowedPolicies = append(allowedPolicies, policy)
- break
- }
-
- if _, ok := srcMap[tagID.String()]; policy.AllowedDirection == models.TrafficDirectionBi && ok || srcAll {
- if dstAll {
- allowed = true
- allowedPolicies = append(allowedPolicies, policy)
- break
- }
- for tagID := range nodeTags {
- if _, ok := dstMap[tagID.String()]; ok {
- allowed = true
- break
- }
- }
- }
- if allowed {
- allowedPolicies = append(allowedPolicies, policy)
- break
- }
- }
- }
-
- if len(allowedPolicies) > 0 {
- return true, allowedPolicies
- }
- return false, allowedPolicies
-}
-
 // SortTagEntrys - Sorts slice of Tag entries by their id
 func SortAclEntrys(acls []models.Acl) {
 sort.Slice(acls, func(i, j int) bool {
diff --git a/logic/extpeers.go b/logic/extpeers.go
index 77e677e1..f58a0335 100644
--- a/logic/extpeers.go
+++ b/logic/extpeers.go
@@ -874,14 +874,21 @@ func GetExtPeers(node, peer *models.Node) ([]wgtypes.PeerConfig, []models.IDandA
 }
 func getExtPeerEgressRoute(node models.Node, extPeer models.ExtClient) (egressRoutes []models.EgressNetworkRoutes) {
- egressRoutes = append(egressRoutes, models.EgressNetworkRoutes{
+ r := models.EgressNetworkRoutes{
 PeerKey: extPeer.PublicKey,
 EgressGwAddr: extPeer.AddressIPNet4(),
 EgressGwAddr6: extPeer.AddressIPNet6(),
 NodeAddr: node.Address,
 NodeAddr6: node.Address6,
 EgressRanges: extPeer.ExtraAllowedIPs,
- })
+ }
+ for _, extraAllowedIP := range extPeer.ExtraAllowedIPs {
+ r.EgressRangesWithMetric = append(r.EgressRangesWithMetric, models.EgressRangeMetric{
+ Network: extraAllowedIP,
+ RouteMetric: 256,
+ })
+ }
+ egressRoutes = append(egressRoutes, r)
 return
 }
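Review bot: `RouteMetric: 256` inside the new loop in getExtPeerEgressRoute is an unexplained magic number; lift it to a named package-level constant with a comment stating why that metric is applied to ext-client extra ranges, e.g. `const extClientEgressRouteMetric = 256 // NOTE(review): proposed name, confirm intended value`, and reference it here. The slice could also be sized up front with `r.EgressRangesWithMetric = make([]models.EgressRangeMetric, 0, len(extPeer.ExtraAllowedIPs))` before the loop, but note this turns the field from nil into an empty slice when there are no extra ranges, so check whether any JSON consumer distinguishes `null` from `[]` first. Each range is copied into `Network` verbatim; presumably it was validated as a CIDR when the ext client was created, so no check is added here, but a doc comment on the function stating that assumption would help the next reader. The whole of getExtPeerEgressRoute lies inside the hunk.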