From adc4d7f3ddc6c5a6576de78bbbc593d4200ea0b8 Mon Sep 17 00:00:00 2001
From: Abhishek K
Date: Fri, 6 Jun 2025 13:10:36 +0530
Subject: [PATCH] NET-2061: fix egress policies (#3485)

* revert inet gws from acl policies
* add egress range with metric for inet gw
* link pro inet funcs
* fix extclient comms with users
* remove TODO comments
* add backwards compatibility to egress ranges
* remove all resources check
* remove device policy check on pro
* fix egress policies for users groups
* add default forwarding rule for inet gw
---
 logic/acls.go | 3 +++
 logic/peers.go | 6 +++++-
 pro/initialize.go | 1 +
 pro/logic/acls.go | 46 +++++++++++++++++++++++++++++++++++++---------
 4 files changed, 46 insertions(+), 10 deletions(-)

diff --git a/logic/acls.go b/logic/acls.go
index 891fd3f7..116318ea 100644
--- a/logic/acls.go
+++ b/logic/acls.go
@@ -545,6 +545,9 @@ var GetAclRulesForNode = func(targetnodeI *models.Node) (rules map[string]models
 var GetEgressRulesForNode = func(targetnode models.Node) (rules map[string]models.AclRule) {
 return
 }
+var GetAclRuleForInetGw = func(targetnode models.Node) (rules map[string]models.AclRule) {
+ return
+}
 
 // Compare two IPs and return true if ip1 < ip2
 func lessIP(ip1, ip2 net.IP) bool {
diff --git a/logic/peers.go b/logic/peers.go
index b3c17e5a..39373d69 100644
--- a/logic/peers.go
+++ b/logic/peers.go
@@ -494,7 +494,7 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 Nat: true,
 })
 }
- hostPeerUpdate.FwUpdate.EgressInfo[fmt.Sprintf("%s-%s", node.ID.String(), "inet")] = models.EgressInfo{
+ inetEgressInfo := models.EgressInfo{
 EgressID: fmt.Sprintf("%s-%s", node.ID.String(), "inet"),
 Network: node.PrimaryAddressIPNet(),
 EgressGwAddr: net.IPNet{
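Review bot: The new exported variable `GetAclRuleForInetGw` in logic/acls.go carries no doc comment, and its community-edition body returns a nil map while `InitPro` swaps in the pro implementation, so a reader of `EgressFwRules` cannot tell what the default is meant to signal. Suggest `// GetAclRuleForInetGw returns the firewall rules applied to a node acting as internet gateway; the community edition returns nil (no extra rules) and pro replaces it at startup.` above the declaration. The sibling stub `GetEgressRulesForNode` just above it is undocumented in the same way and would take the same kind of comment.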
@@ -514,6 +514,10 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 RangesWithMetric: rangeWithMetric,
 },
 }
+ if !networkAllowAll {
+ inetEgressInfo.EgressFwRules = GetAclRuleForInetGw(node)
+ }
+ hostPeerUpdate.FwUpdate.EgressInfo[fmt.Sprintf("%s-%s", node.ID.String(), "inet")] = inetEgressInfo
 }
 }
 // == post peer calculations ==
diff --git a/pro/initialize.go b/pro/initialize.go
index 5f581fd1..aae64eab 100644
--- a/pro/initialize.go
+++ b/pro/initialize.go
@@ -154,6 +154,7 @@ func InitPro() {
 logic.IsPeerAllowed = proLogic.IsPeerAllowed
 logic.IsAclPolicyValid = proLogic.IsAclPolicyValid
 logic.GetEgressRulesForNode = proLogic.GetEgressRulesForNode
+ logic.GetAclRuleForInetGw = proLogic.GetAclRuleForInetGw
 logic.GetAclRulesForNode = proLogic.GetAclRulesForNode
 logic.CheckIfAnyActiveEgressPolicy = proLogic.CheckIfAnyActiveEgressPolicy
 logic.CheckIfAnyPolicyisUniDirectional = proLogic.CheckIfAnyPolicyisUniDirectional
diff --git a/pro/logic/acls.go b/pro/logic/acls.go
index d418e837..abc29277 100644
--- a/pro/logic/acls.go
+++ b/pro/logic/acls.go
@@ -3,6 +3,7 @@ package logic
 import (
 "context"
 "errors"
+ "fmt"
 "maps"
 "net"
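Review bot: The guard `if !networkAllowAll` around `inetEgressInfo.EgressFwRules = GetAclRuleForInetGw(node)` has no comment saying why an allow-all network skips gateway forwarding rules, and `networkAllowAll` is computed outside this hunk, so a reader cannot tell whether a nil `EgressFwRules` means "forward unfiltered" or "rules not computed". Suggest `// With a network-wide allow-all policy the gateway forwards unfiltered; otherwise the ACL engine supplies its forwarding rules (pro only — the CE stub returns nil).` above the `if`. Note that with the pro implementation a non-gateway node yields an empty map while the allow-all path leaves the field nil; presumably the firewall consumer treats both as "no rules", but that is worth confirming. `GetPeerUpdateForHost` continues outside the hunk.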
@@ -1455,6 +1456,31 @@ func GetAclRulesForNode(targetnodeI *models.Node) (rules map[string]models.AclRu
 return rules
 }
 
+func GetAclRuleForInetGw(targetnode models.Node) (rules map[string]models.AclRule) {
+ rules = make(map[string]models.AclRule)
+ if targetnode.IsInternetGateway {
+ aclRule := models.AclRule{
+ ID: fmt.Sprintf("%s-inet-gw-internal-rule", targetnode.ID.String()),
+ AllowedProtocol: models.ALL,
+ AllowedPorts: []string{},
+ Direction: models.TrafficDirectionBi,
+ Allowed: true,
+ }
+ if targetnode.NetworkRange.IP != nil {
+ aclRule.IPList = append(aclRule.IPList, targetnode.NetworkRange)
+ _, allIpv4, _ := net.ParseCIDR(IPv4Network)
+ aclRule.Dst = append(aclRule.Dst, *allIpv4)
+ }
+ if targetnode.NetworkRange6.IP != nil {
+ aclRule.IP6List = append(aclRule.IP6List, targetnode.NetworkRange6)
+ _, allIpv6, _ := net.ParseCIDR(IPv6Network)
+ aclRule.Dst6 = append(aclRule.Dst6, *allIpv6)
+ }
+ rules[aclRule.ID] = aclRule
+ }
+ return
+}
+
 func GetEgressRulesForNode(targetnode models.Node) (rules map[string]models.AclRule) {
 rules = make(map[string]models.AclRule)
 defer func() {
@@ -1471,6 +1497,7 @@ func GetEgressRulesForNode(targetnode models.Node) (rules map[string]models.AclR
 if acl policy has egress route and it is present in target node egress ranges
 fetch all the nodes in that policy and add rules
 */
+
 egs, _ := (&schema.Egress{Network: targetnode.Network}).ListByNetwork(db.WithContext(context.TODO()))
 if len(egs) == 0 {
 return
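Review bot: The rule built in `GetAclRuleForInetGw` allows `models.ALL` from the entire `targetnode.NetworkRange` (and `NetworkRange6`) to `IPv4Network`/`IPv6Network` — presumably the all-zero CIDRs — with `Direction: models.TrafficDirectionBi`, so it does not distinguish the nodes actually assigned to this gateway from every other address in the network, and if the consumer renders `Bi` as two stateless accepts it also admits unsolicited traffic from any internet address back into the range; confirm that gateway-client membership and connection tracking are enforced where the rule is applied, or narrow `IPList`/`IP6List` to the gateway's clients. The two `net.ParseCIDR` calls discard their error and immediately dereference the result, which would panic if either constant were ever malformed; `if _, allIpv4, err := net.ParseCIDR(IPv4Network); err == nil { aclRule.Dst = append(aclRule.Dst, *allIpv4) }` (or parsing both constants once at package level) keeps that failure explicit. The function is exported but undocumented; suggest `// GetAclRuleForInetGw returns the default forwarding rule for a node that is an internet gateway: the node's network range(s) may reach any destination. Non-gateway nodes get an empty map.`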
@@ -1520,15 +1547,15 @@ func GetEgressRulesForNode(targetnode models.Node) (rules map[string]models.AclR
 if _, ok := dstTags[nodeTag.String()]; ok || dstAll {
 existsInDstTag = true
 }
- if srcAll || dstAll {
- if targetnode.NetworkRange.IP != nil {
- aclRule.IPList = append(aclRule.IPList, targetnode.NetworkRange)
- }
- if targetnode.NetworkRange6.IP != nil {
- aclRule.IP6List = append(aclRule.IP6List, targetnode.NetworkRange6)
- }
- break
- }
+ // if srcAll || dstAll {
+ // if targetnode.NetworkRange.IP != nil {
+ // aclRule.IPList = append(aclRule.IPList, targetnode.NetworkRange)
+ // }
+ // if targetnode.NetworkRange6.IP != nil {
+ // aclRule.IP6List = append(aclRule.IP6List, targetnode.NetworkRange6)
+ // }
+ // break
+ // }
 if existsInSrcTag && !existsInDstTag {
 // get all dst tags
 for dst := range dstTags {
@@ -1697,6 +1724,7 @@ func GetEgressRulesForNode(targetnode models.Node) (rules map[string]models.AclR
 }
 }
+ return
 }
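Review bot: The `srcAll || dstAll` shortcut is left behind as nine commented-out lines rather than deleted, which is a point of style: the commit message already records the removal ("remove all resources check") and history keeps the old code, so the `// if srcAll || dstAll {` … `// }` lines should simply be dropped. If the intent is to re-enable it later, a one-line `// NOTE: the all-resources shortcut was removed in NET-2061; see git history` says more than the dead block. `GetEgressRulesForNode` starts and ends outside this hunk.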