From 6b21e9f4c2d461977f54e4bd7fb4edbc785ff8bd Mon Sep 17 00:00:00 2001
From: abhishek9686
Date: Wed, 2 Apr 2025 19:14:57 +0400
Subject: [PATCH 1/5] assign to ingress gw automatically
---
 logic/gateway.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/logic/gateway.go b/logic/gateway.go
index b07f332b..307ad568 100644
--- a/logic/gateway.go
+++ b/logic/gateway.go
@@ -190,6 +190,7 @@ func CreateIngressGateway(netid string, nodeid string, ingress models.IngressReq
 }
 node.IsIngressGateway = true
 node.IsGw = true
+ node.IsRelay = true
 if !servercfg.IsPro {
 node.IsInternetGateway = ingress.IsInternetGateway
 }
From 3bb843e96ecc9eb018ce2360644c75604c14178f Mon Sep 17 00:00:00 2001
From: abhishek9686
Date: Wed, 2 Apr 2025 19:18:41 +0400
Subject: [PATCH 2/5] fix openapi tag
---
 controllers/network.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controllers/network.go b/controllers/network.go
index 8508dbc3..73f92512 100644
--- a/controllers/network.go
+++ b/controllers/network.go
@@ -436,7 +436,7 @@ func getNetworkACL(w http.ResponseWriter, r *http.Request) {
 // @Security oauth
 // @Param networkname path string true "Network name"
 // @Produce json
-// @Success 200 {object} acls.SuccessResponse
+// @Success 200 {object} models.SuccessResponse
 // @Failure 500 {object} models.ErrorResponse
 func getNetworkEgressRoutes(w http.ResponseWriter, r *http.Request) {
 var params = mux.Vars(r)
From 16a816c10afe0a5bd9f51bb3f94c2c4d4bdb1bb1 Mon Sep 17 00:00:00 2001
From: abhishek9686 <32607604+abhishek9686@users.noreply.github.com>
Date: Wed, 2 Apr 2025 15:19:07 +0000
Subject: [PATCH 3/5] Update documentation 2025-04-02 15:19:06
---
 swagger.yaml | 309 ++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 206 insertions(+), 103 deletions(-)
diff --git a/swagger.yaml b/swagger.yaml
index f60120d0..9e2e146d 100644
--- a/swagger.yaml
+++ b/swagger.yaml
@@ -1,7 +1,6 @@ definitions: acls.ACL: additionalProperties: - format: int32 type: integer type: object acls.ACLContainer: @@ -56,15 +55,15 @@ definitions: type: string egressesLimit: type: integer - email_sender_addr: + emailSenderAddr: type: string - email_sender_password: + emailSenderPassword: type: string - email_sender_user: + emailSenderUser: type: string emqxRestEndpoint: type: string - endpoint_detection: + endpointDetection: type: boolean environment: type: string @@ -91,6 +90,8 @@ definitions: type: string metricsExporter: type: string + metricsPort: + type: integer mqpassword: type: string mquserName: @@ -115,15 +116,17 @@ definitions: type: string racAutoDisable: type: boolean + racRestrictToSingleNetwork: + type: boolean restBackend: type: string server: type: string serverBrokerEndpoint: type: string - smtp_host: + smtpHost: type: string - smtp_port: + smtpPort: type: integer sqlconn: type: string @@ -200,6 +203,14 @@ definitions: allOf: - $ref: '#/definitions/models.AllowedTrafficDirection' description: single or two-way + dst: + items: + $ref: '#/definitions/net.IPNet' + type: array + dst6: + items: + $ref: '#/definitions/net.IPNet' + type: array id: type: string ip_list: @@ -306,6 +317,10 @@ definitions: items: type: string type: array + egressgatewayranges_with_metric: + items: + $ref: '#/definitions/models.EgressRangeMetric' + type: array expdatetime: format: int64 type: integer @@ -424,9 +439,17 @@ definitions: items: type: string type: array + ranges_with_metric: + items: + $ref: '#/definitions/models.EgressRangeMetric' + type: array type: object models.EgressInfo: properties: + egress_fw_rules: + additionalProperties: + $ref: '#/definitions/models.AclRule' + type: object egress_gateway_cfg: $ref: '#/definitions/models.EgressGatewayRequest' egress_gw_addr: 
@@ -450,10 +473,26 @@ definitions: items: type: string type: array + egress_ranges_metric: + items: + $ref: '#/definitions/models.EgressRangeMetric' + type: array + network: + type: string node_addr: $ref: '#/definitions/net.IPNet' node_addr6: $ref: '#/definitions/net.IPNet' + peer_key: + type: string + type: object + models.EgressRangeMetric: + properties: + network: + type: string + route_metric: + description: preffered range 1-999 + type: integer type: object models.EnrollmentKey: properties: @@ -687,6 +726,7 @@ definitions: models.HostMqAction: enum: - UPGRADE + - FORCE_UPGRADE - SIGNAL_HOST - UPDATE_HOST - DELETE_HOST @@ -701,6 +741,7 @@ definitions: type: string x-enum-varnames: - Upgrade + - ForceUpgrade - SignalHost - UpdateHost - DeleteHost @@ -724,6 +765,8 @@ definitions: type: boolean listen_port: type: integer + version: + type: string type: object models.HostPull: properties: @@ -821,8 +864,6 @@ definitions: type: object models.IngressInfo: properties: - allow_all: - type: boolean egress_ranges: items: $ref: '#/definitions/net.IPNet' @@ -933,6 +974,10 @@ definitions: type: string defaultudpholepunch: type: string + dns_nameservers: + items: + type: string + type: array isipv4: type: string isipv6: @@ -1013,6 +1058,8 @@ definitions: type: string is_fail_over: type: boolean + is_gw: + type: boolean is_static: type: boolean is_user_node: @@ -1090,6 +1137,7 @@ definitions: - warning - error - unknown + - disconnected type: string x-enum-varnames: - OnlineSt @@ -1097,6 +1145,7 @@ definitions: - WarningSt - ErrorSt - UnKnown + - Disconnected models.PeerMap: additionalProperties: $ref: '#/definitions/models.IDandAddr' @@ -1120,17 +1169,6 @@ definitions: server_config: $ref: '#/definitions/models.ServerConfig' type: object - models.RelayRequest: - properties: - netid: - type: string - nodeid: - type: string - relayaddrs: - items: - type: string - type: array - type: object models.ReturnUser: properties: auth_type: 
@@ -1194,10 +1232,14 @@ definitions: type: string dnsmode: type: string + endpointDetection: + type: boolean manageDNS: type: boolean metricInterval: type: string + metricsPort: + type: integer mqpassword: type: string mqport: @@ -1293,7 +1335,6 @@ definitions: type: object type: object username: - maxLength: 40 minLength: 3 type: string required: @@ -1308,12 +1349,16 @@ definitions: type: object models.UserRemoteGws: properties: + addresses: + type: string allowed_endpoints: items: type: string type: array connected: type: boolean + dns_address: + type: string gw_client: $ref: '#/definitions/models.ExtClient' gw_listen_port: @@ -1334,6 +1379,8 @@ definitions: type: array remote_access_gw_id: type: string + status: + $ref: '#/definitions/models.NodeStatus' type: object models.UserRoleID: enum: @@ -1390,7 +1437,6 @@ definitions: mask: description: network mask items: - format: int32 type: integer type: array type: object @@ -1427,7 +1473,6 @@ definitions: for this peer, if not nil. A non-nil value of 0 will clear the persistent keepalive interval. - format: int64 type: integer presharedKey: description: |- @@ -1826,6 +1871,28 @@ paths: summary: Get the current public IP address. tags: - IP Service + /api/host/{hostid}/peer_info: + get: + parameters: + - description: Host ID + in: path + name: hostid + required: true + type: string + responses: + "200": + description: OK + schema: + $ref: '#/definitions/models.SuccessResponse' + "500": + description: Internal Server Error + schema: + $ref: '#/definitions/models.ErrorResponse' + security: + - oauth: [] + summary: Fetches host peerinfo + tags: + - Hosts /api/hosts: get: responses: @@ -2006,6 +2073,10 @@ paths: name: hostid required: true type: string + - description: Force upgrade + in: query + name: force + type: boolean responses: "200": description: passed message to upgrade host 
@@ -2067,6 +2138,35 @@ paths: summary: Update keys for all hosts tags: - Hosts + /api/hosts/sync: + post: + responses: + "200": + description: sync all hosts request received + schema: + type: string + security: + - oauth: [] + summary: Requests all the hosts to pull + tags: + - Hosts + /api/hosts/upgrade: + post: + parameters: + - description: Force upgrade + in: query + name: force + type: boolean + responses: + "200": + description: upgrade all hosts request received + schema: + type: string + security: + - oauth: [] + summary: Requests all the hosts to upgrade their version + tags: + - Hosts /api/networks: get: produces: @@ -2117,6 +2217,10 @@ paths: name: networkname required: true type: string + - description: Force Delete + in: query + name: force + type: boolean produces: - application/json responses: @@ -2280,6 +2384,30 @@ paths: summary: Update a network ACL (Access Control List) tags: - Networks + /api/networks/{networkname}/egress_routes: + get: + parameters: + - description: Network name + in: path + name: networkname + required: true + type: string + produces: + - application/json + responses: + "200": + description: OK + schema: + $ref: '#/definitions/models.SuccessResponse' + "500": + description: Internal Server Error + schema: + $ref: '#/definitions/models.ErrorResponse' + security: + - oauth: [] + summary: Get a network Egress routes + tags: + - Networks /api/nodes: get: responses: 
@@ -2358,61 +2486,6 @@ paths: summary: Create an egress gateway tags: - Nodes - /api/nodes/{network}/{nodeid}/createingress: - post: - responses: - "200": - description: OK - schema: - $ref: '#/definitions/models.ApiNode' - "500": - description: Internal Server Error - schema: - $ref: '#/definitions/models.ErrorResponse' - security: - - oauth2: [] - summary: Create an remote access gateway - tags: - - Nodes - /api/nodes/{network}/{nodeid}/createrelay: - post: - consumes: - - application/json - parameters: - - description: Network ID - in: path - name: network - required: true - type: string - - description: Node ID - in: path - name: nodeid - required: true - type: string - - description: Relay request parameters - in: body - name: body - required: true - schema: - $ref: '#/definitions/models.RelayRequest' - produces: - - application/json - responses: - "200": - description: OK - schema: - $ref: '#/definitions/models.ApiNode' - "400": - description: Bad Request - schema: - $ref: '#/definitions/models.ErrorResponse' - "500": - description: Internal Server Error - schema: - $ref: '#/definitions/models.ErrorResponse' - summary: Create a relay - tags: - - PRO /api/nodes/{network}/{nodeid}/deletegateway: delete: responses: @@ -2429,7 +2502,7 @@ paths: summary: Delete an egress gateway tags: - Nodes - /api/nodes/{network}/{nodeid}/deleteingress: + /api/nodes/{network}/{nodeid}/gateway: delete: responses: "200": 
@@ -2442,42 +2515,24 @@ paths: $ref: '#/definitions/models.ErrorResponse' security: - oauth2: [] - summary: Delete an remote access gateway + summary: Delete a gateway tags: - Nodes - /api/nodes/{network}/{nodeid}/deleterelay: - delete: - consumes: - - application/json - parameters: - - description: Network ID - in: path - name: network - required: true - type: string - - description: Node ID - in: path - name: nodeid - required: true - type: string - produces: - - application/json + post: responses: "200": description: OK schema: $ref: '#/definitions/models.ApiNode' - "400": - description: Bad Request - schema: - $ref: '#/definitions/models.ErrorResponse' "500": description: Internal Server Error schema: $ref: '#/definitions/models.ErrorResponse' - summary: Remove a relay + security: + - oauth2: [] + summary: Create a gateway tags: - - PRO + - Nodes /api/nodes/{network}/{nodeid}/inet_gw: delete: parameters: @@ -3425,6 +3480,38 @@ paths: summary: Create failover node tags: - PRO + /api/v1/node/{nodeid}/failover_check: + get: + consumes: + - application/json + parameters: + - description: Node ID + in: path + name: nodeid + required: true + type: string + - description: Failover request + in: body + name: body + required: true + schema: + $ref: '#/definitions/models.FailOverMeReq' + responses: + "200": + description: OK + schema: + $ref: '#/definitions/models.SuccessResponse' + "400": + description: Bad Request + schema: + $ref: '#/definitions/models.ErrorResponse' + "500": + description: Internal Server Error + schema: + $ref: '#/definitions/models.ErrorResponse' + summary: checkfailOverCtx + tags: + - PRO /api/v1/node/{nodeid}/failover_me: post: consumes: 
@@ -3457,6 +3544,22 @@ paths:
 summary: Failover me
 tags:
 - PRO
+ /api/v1/nodes/{network}/status:
+ get:
+ responses:
+ "200":
+ description: OK
+ schema:
+ items:
+ $ref: '#/definitions/models.ApiNode'
+ type: array
+ "500":
+ description: Internal Server Error
+ schema:
+ $ref: '#/definitions/models.ErrorResponse'
+ summary: Get all nodes status on the network
+ tags:
+ - Nodes
 /api/v1/tags:
 delete:
 consumes:
From b5842b7b063326ee9b9b11ad4869f4d6e8033714 Mon Sep 17 00:00:00 2001
From: abhishek9686
Date: Thu, 3 Apr 2025 21:47:41 +0400
Subject: [PATCH 4/5] fix create gateway req
---
 controllers/network.go | 4 ++++
 logic/gateway.go | 1 -
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/controllers/network.go b/controllers/network.go
index 73f92512..3e0c9fde 100644
--- a/controllers/network.go
+++ b/controllers/network.go
@@ -627,6 +627,10 @@ func createNetwork(w http.ResponseWriter, r *http.Request) {
 logic.CreateFailOver(*newNode)
 // make host remote access gateway
 logic.CreateIngressGateway(network.NetID, newNode.ID.String(), models.IngressRequest{})
+ logic.CreateRelay(models.RelayRequest{
+ NodeID: newNode.ID.String(),
+ NetID: network.NetID,
+ })
 }
 // send peer updates
 if err = mq.PublishPeerUpdate(false); err != nil {
diff --git a/logic/gateway.go b/logic/gateway.go
index 307ad568..b07f332b 100644
--- a/logic/gateway.go
+++ b/logic/gateway.go
@@ -190,7 +190,6 @@ func CreateIngressGateway(netid string, nodeid string, ingress models.IngressReq
 }
 node.IsIngressGateway = true
 node.IsGw = true
- node.IsRelay = true
 if !servercfg.IsPro {
 node.IsInternetGateway = ingress.IsInternetGateway
 }
From e2a0ceccf6ee91c5bed2732721405f98af71006d Mon Sep 17 00:00:00 2001
From: Abhishek K
Date: Mon, 14 Apr 2025 15:21:06 +0400
Subject: [PATCH 5/5] fix egress policies acls comms (#3420)
---
 logic/acls.go | 47 ++++++++++++++++++++++++++++++++++++++++++++++-
 logic/peers.go | 2 +-
 2 files changed, 47 insertions(+), 2 deletions(-)
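Review bot: Whatever the new logic.CreateRelay call returns is discarded in createNetwork, so if relay setup fails the network is still created with a node that the preceding CreateIngressGateway call has already flagged as a gateway, and nothing is logged. The CreateIngressGateway line above drops its result the same way, so this may be deliberate best-effort provisioning, but the new call should at least surface failure: assuming CreateRelay reports an error, assign it to the `err` the function already declares (it is reused by the `mq.PublishPeerUpdate` check a few lines down) and log it instead of ignoring it. createNetwork begins and ends outside the hunk.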
diff --git a/logic/acls.go b/logic/acls.go
index c971967e..58d89fba 100644
--- a/logic/acls.go
+++ b/logic/acls.go
@@ -1334,6 +1334,51 @@ func getUserAclRulesForNode(targetnode *models.Node,
 return rules
 }
 
+func checkIfAnyActiveEgressPolicy(targetNode models.Node) bool {
+ if !targetNode.IsEgressGateway {
+ return false
+ }
+ var targetNodeTags = make(map[models.TagID]struct{})
+ if targetNode.Mutex != nil {
+ targetNode.Mutex.Lock()
+ targetNodeTags = maps.Clone(targetNode.Tags)
+ targetNode.Mutex.Unlock()
+ } else {
+ targetNodeTags = maps.Clone(targetNode.Tags)
+ }
+ if targetNodeTags == nil {
+ targetNodeTags = make(map[models.TagID]struct{})
+ }
+ targetNodeTags[models.TagID(targetNode.ID.String())] = struct{}{}
+ targetNodeTags["*"] = struct{}{}
+ acls, _ := ListAclsByNetwork(models.NetworkID(targetNode.Network))
+ for _, acl := range acls {
+ if !acl.Enabled {
+ continue
+ }
+ srcTags := convAclTagToValueMap(acl.Src)
+ dstTags := convAclTagToValueMap(acl.Dst)
+ for nodeTag := range targetNodeTags {
+ if acl.RuleType == models.DevicePolicy {
+ if _, ok := srcTags[nodeTag.String()]; ok {
+ return true
+ }
+ if _, ok := srcTags[targetNode.ID.String()]; ok {
+ return true
+ }
+ }
+
+ if _, ok := dstTags[nodeTag.String()]; ok {
+ return true
+ }
+ if _, ok := dstTags[targetNode.ID.String()]; ok {
+ return true
+ }
+ }
+ }
+ return false
+}
+
 func checkIfAnyPolicyisUniDirectional(targetNode models.Node) bool {
 var targetNodeTags = make(map[models.TagID]struct{})
 if targetNode.Mutex != nil {
@@ -1617,7 +1662,7 @@ func GetEgressRulesForNode(targetnode models.Node) (rules map[string]models.AclR
 /*
 if target node is egress gateway
 if acl policy has egress route and it is present in target node egress ranges
- fetches all the nodes in that policy and add rules
+ fetch all the nodes in that policy and add rules
 */
 for _, rangeI := range targetnode.EgressGatewayRanges {
 
diff --git a/logic/peers.go b/logic/peers.go
index f36146a7..e41d0592 100644
--- a/logic/peers.go
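Review bot: `acls, _ := ListAclsByNetwork(...)` in the new checkIfAnyActiveEgressPolicy discards the lookup error, so a store failure reads as "no active egress policy", and the peers.go hunk of this same patch then lets GetPeerUpdateForHost append the whole node.NetworkRange to AllowedNetworks when no uni-directional policy is found either — a fail-open default for a firewall decision. Log the error at minimum, and decide explicitly whether a failed read should count as an active policy (fail closed) rather than silently widening the allowed range. The inner loop also re-tests `srcTags[targetNode.ID.String()]` and `dstTags[targetNode.ID.String()]` on every iteration although the node's ID is already inserted into targetNodeTags before the ACL lookup, so those two checks are redundant, and the initial `make(...)` assigned to targetNodeTags is dead because both branches of the Mutex `if` overwrite it. A doc comment such as `// checkIfAnyActiveEgressPolicy reports whether an enabled ACL in the node's network names this egress gateway (by ID, by tag or via "*") as a destination, or as a source in a device policy.` would make the intent clear, since the sibling checkIfAnyPolicyisUniDirectional carries none either.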
+++ b/logic/peers.go
@@ -204,7 +204,7 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
 defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
 
- if (defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled) || !checkIfAnyPolicyisUniDirectional(node) {
+ if (defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled) || (!checkIfAnyPolicyisUniDirectional(node) && !checkIfAnyActiveEgressPolicy(node)) {
 if node.NetworkRange.IP != nil {
 hostPeerUpdate.FwUpdate.AllowedNetworks = append(hostPeerUpdate.FwUpdate.AllowedNetworks, node.NetworkRange)
 }
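Review bot: The new condition on the changed line chains two negated helper calls inside a nested OR, which is hard to read and hides that each helper hits the ACL store (checkIfAnyActiveEgressPolicy calls ListAclsByNetwork on every invocation, per the acls.go hunk of this patch). Naming the predicate keeps the logic and short-circuit order identical while making the intent visible: `hasRestrictivePolicy := checkIfAnyPolicyisUniDirectional(node) || checkIfAnyActiveEgressPolicy(node)` followed by `if (defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled) || !hasRestrictivePolicy {`. A one-line why-comment above it stating why an active egress policy must suppress the whole-range allow would also help the next reader, since neither the helper nor this branch explains it. GetPeerUpdateForHost begins and ends outside the hunk.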