NET-2061: fix egress policies (#3485)

* revert inet gws from acl policies * add egress range with metric for inet gw * link pro inet funcs * fix extclient comms with users * remove TODO comments * add backwards compatibility to egress ranges * remove all resources check * remove device policy check on pro * fix egress policies for users groups * add default forwarding rule for inet gw
2025-09-06 05:04:27 +08:00 · 2025-06-06 13:10:36 +05:30 · 2025-06-06 13:10:36 +05:30 · adc4d7f3dd
commit adc4d7f3dd
parent fdc8ea4320
4 changed files with 46 additions and 10 deletions
--- a/logic/acls.go
+++ b/logic/acls.go
@ -545,6 +545,9 @@ var GetAclRulesForNode = func(targetnodeI *models.Node) (rules map[string]models
 var GetEgressRulesForNode = func(targetnode models.Node) (rules map[string]models.AclRule) {
 	return
 }
+var GetAclRuleForInetGw = func(targetnode models.Node) (rules map[string]models.AclRule) {
+	return
+}

 // Compare two IPs and return true if ip1 < ip2
 func lessIP(ip1, ip2 net.IP) bool {
--- a/logic/peers.go
+++ b/logic/peers.go
@ -494,7 +494,7 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 					Nat:         true,
 				})
 			}
-			hostPeerUpdate.FwUpdate.EgressInfo[fmt.Sprintf("%s-%s", node.ID.String(), "inet")] = models.EgressInfo{
+			inetEgressInfo := models.EgressInfo{
 				EgressID: fmt.Sprintf("%s-%s", node.ID.String(), "inet"),
 				Network:  node.PrimaryAddressIPNet(),
 				EgressGwAddr: net.IPNet{
@ -514,6 +514,10 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 					RangesWithMetric: rangeWithMetric,
 				},
 			}
+			if !networkAllowAll {
+				inetEgressInfo.EgressFwRules = GetAclRuleForInetGw(node)
+			}
+			hostPeerUpdate.FwUpdate.EgressInfo[fmt.Sprintf("%s-%s", node.ID.String(), "inet")] = inetEgressInfo
 		}
 	}
 	// == post peer calculations ==
--- a/pro/initialize.go
+++ b/pro/initialize.go
@ -154,6 +154,7 @@ func InitPro() {
 	logic.IsPeerAllowed = proLogic.IsPeerAllowed
 	logic.IsAclPolicyValid = proLogic.IsAclPolicyValid
 	logic.GetEgressRulesForNode = proLogic.GetEgressRulesForNode
+	logic.GetAclRuleForInetGw = proLogic.GetAclRuleForInetGw
 	logic.GetAclRulesForNode = proLogic.GetAclRulesForNode
 	logic.CheckIfAnyActiveEgressPolicy = proLogic.CheckIfAnyActiveEgressPolicy
 	logic.CheckIfAnyPolicyisUniDirectional = proLogic.CheckIfAnyPolicyisUniDirectional
--- a/pro/logic/acls.go
+++ b/pro/logic/acls.go
@ -3,6 +3,7 @@ package logic
 import (
 	"context"
 	"errors"
+	"fmt"
 	"maps"
 	"net"

@ -1455,6 +1456,31 @@ func GetAclRulesForNode(targetnodeI *models.Node) (rules map[string]models.AclRu
 	return rules
 }

+func GetAclRuleForInetGw(targetnode models.Node) (rules map[string]models.AclRule) {
+	rules = make(map[string]models.AclRule)
+	if targetnode.IsInternetGateway {
+		aclRule := models.AclRule{
+			ID:              fmt.Sprintf("%s-inet-gw-internal-rule", targetnode.ID.String()),
+			AllowedProtocol: models.ALL,
+			AllowedPorts:    []string{},
+			Direction:       models.TrafficDirectionBi,
+			Allowed:         true,
+		}
+		if targetnode.NetworkRange.IP != nil {
+			aclRule.IPList = append(aclRule.IPList, targetnode.NetworkRange)
+			_, allIpv4, _ := net.ParseCIDR(IPv4Network)
+			aclRule.Dst = append(aclRule.Dst, *allIpv4)
+		}
+		if targetnode.NetworkRange6.IP != nil {
+			aclRule.IP6List = append(aclRule.IP6List, targetnode.NetworkRange6)
+			_, allIpv6, _ := net.ParseCIDR(IPv6Network)
+			aclRule.Dst6 = append(aclRule.Dst6, *allIpv6)
+		}
+		rules[aclRule.ID] = aclRule
+	}
+	return
+}
+
 func GetEgressRulesForNode(targetnode models.Node) (rules map[string]models.AclRule) {
 	rules = make(map[string]models.AclRule)
 	defer func() {
@ -1471,6 +1497,7 @@ func GetEgressRulesForNode(targetnode models.Node) (rules map[string]models.AclR
 			if acl policy has egress route and it is present in target node egress ranges
 			fetch all the nodes in that policy and add rules
 	*/
+
 	egs, _ := (&schema.Egress{Network: targetnode.Network}).ListByNetwork(db.WithContext(context.TODO()))
 	if len(egs) == 0 {
 		return
@ -1520,15 +1547,15 @@ func GetEgressRulesForNode(targetnode models.Node) (rules map[string]models.AclR
 				if _, ok := dstTags[nodeTag.String()]; ok || dstAll {
 					existsInDstTag = true
 				}
-				if srcAll || dstAll {
-					if targetnode.NetworkRange.IP != nil {
-						aclRule.IPList = append(aclRule.IPList, targetnode.NetworkRange)
-					}
-					if targetnode.NetworkRange6.IP != nil {
-						aclRule.IP6List = append(aclRule.IP6List, targetnode.NetworkRange6)
-					}
-					break
-				}
+				// if srcAll || dstAll {
+				// 	if targetnode.NetworkRange.IP != nil {
+				// 		aclRule.IPList = append(aclRule.IPList, targetnode.NetworkRange)
+				// 	}
+				// 	if targetnode.NetworkRange6.IP != nil {
+				// 		aclRule.IP6List = append(aclRule.IP6List, targetnode.NetworkRange6)
+				// 	}
+				// 	break
+				// }
 				if existsInSrcTag && !existsInDstTag {
 					// get all dst tags
 					for dst := range dstTags {
@ -1697,6 +1724,7 @@ func GetEgressRulesForNode(targetnode models.Node) (rules map[string]models.AclR
 		}

 	}
+
 	return
 }