From 35edcd01de53afe7d58947552f7572eea6e51dce Mon Sep 17 00:00:00 2001
From: abhishek9686
Date: Tue, 22 Apr 2025 12:33:04 +0400
Subject: [PATCH 1/3] bypass acl policy
---
 logic/acls.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/logic/acls.go b/logic/acls.go
index 58d89fba..1217587d 100644
--- a/logic/acls.go
+++ b/logic/acls.go
@@ -647,6 +647,9 @@ func IsUserAllowedToCommunicate(userName string, peer models.Node) (bool, []mode
 // IsPeerAllowed - checks if peer needs to be added to the interface
 func IsPeerAllowed(node, peer models.Node, checkDefaultPolicy bool) bool {
 var nodeId, peerId string
+ if peer.IsFailOver && node.FailedOverBy == peer.ID {
+ return true
+ }
 if node.IsStatic {
 nodeId = node.StaticNode.ClientID
 node = node.StaticNode.ConvertToStaticNode()
From 134b525ea675ab7d9151bc71dfa84546a6f811cb Mon Sep 17 00:00:00 2001
From: abhishek9686
Date: Tue, 22 Apr 2025 12:55:53 +0400
Subject: [PATCH 2/3] bypass acl policy for failover peer
---
 logic/acls.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/logic/acls.go b/logic/acls.go
index 1217587d..54116023 100644
--- a/logic/acls.go
+++ b/logic/acls.go
@@ -10,6 +10,7 @@ import (
 "sync"
 "time"
 
+ "github.com/google/uuid"
 "github.com/gravitl/netmaker/database"
 "github.com/gravitl/netmaker/models"
 "github.com/gravitl/netmaker/servercfg"
@@ -647,7 +648,7 @@ func IsUserAllowedToCommunicate(userName string, peer models.Node) (bool, []mode
 // IsPeerAllowed - checks if peer needs to be added to the interface
 func IsPeerAllowed(node, peer models.Node, checkDefaultPolicy bool) bool {
 var nodeId, peerId string
- if peer.IsFailOver && node.FailedOverBy == peer.ID {
+ if peer.IsFailOver && node.FailedOverBy != uuid.Nil && node.FailedOverBy == peer.ID {
 return true
 }
 if node.IsStatic {
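Review bot: The new guard in IsPeerAllowed returns true before `checkDefaultPolicy` is consulted and before any policy lookup, so a host flagged `IsFailOver` gets policy-exempt peering with every node whose `FailedOverBy` names it — that covers the failover host's own traffic toward the node, not only the traffic it relays, and nothing in the hunk ties the two nodes to the same network. Unless whatever assigns `FailedOverBy` already guarantees co-membership and clears the field when failover ends, the guard should also compare the two nodes' network before returning. The trust assumption deserves a comment on the guard either way, e.g. `// failover host for this node: reachable regardless of ACL policy (FailedOverBy is server-assigned)`. IsPeerAllowed's body continues beyond the hunk.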
@@ -901,6 +902,9 @@ func uniquePolicies(items []models.Acl) []models.Acl {
 // IsNodeAllowedToCommunicate - check node is allowed to communicate with the peer // ADD ALLOWED DIRECTION - 0 => node -> peer, 1 => peer-> node,
 func IsNodeAllowedToCommunicateV1(node, peer models.Node, checkDefaultPolicy bool) (bool, []models.Acl) {
 var nodeId, peerId string
+ if peer.IsFailOver && node.FailedOverBy != uuid.Nil && node.FailedOverBy == peer.ID {
+ return true, []models.Acl{}
+ }
 if node.IsStatic {
 nodeId = node.StaticNode.ClientID
 node = node.StaticNode.ConvertToStaticNode()
From fc32e324b3bfb70b44c15f266cc076649436aa27 Mon Sep 17 00:00:00 2001
From: abhishek9686
Date: Tue, 22 Apr 2025 12:58:47 +0400
Subject: [PATCH 3/3] check if node is getting failedovered
---
 logic/acls.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/logic/acls.go b/logic/acls.go
index 54116023..2f350ae9 100644
--- a/logic/acls.go
+++ b/logic/acls.go
@@ -651,6 +651,9 @@ func IsPeerAllowed(node, peer models.Node, checkDefaultPolicy bool) bool {
 if peer.IsFailOver && node.FailedOverBy != uuid.Nil && node.FailedOverBy == peer.ID {
 return true
 }
+ if node.IsFailOver && peer.FailedOverBy != uuid.Nil && peer.FailedOverBy == node.ID {
+ return true
+ }
 if node.IsStatic {
 nodeId = node.StaticNode.ClientID
 node = node.StaticNode.ConvertToStaticNode()
@@ -905,6 +908,9 @@ func IsNodeAllowedToCommunicateV1(node, peer models.Node, checkDefaultPolicy boo
 if peer.IsFailOver && node.FailedOverBy != uuid.Nil && node.FailedOverBy == peer.ID {
 return true, []models.Acl{}
 }
+ if node.IsFailOver && peer.FailedOverBy != uuid.Nil && peer.FailedOverBy == node.ID {
+ return true, []models.Acl{}
+ }
 if node.IsStatic {
 nodeId = node.StaticNode.ClientID
 node = node.StaticNode.ConvertToStaticNode()
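Review bot: The early return added to IsNodeAllowedToCommunicateV1 answers `true, []models.Acl{}`, so the allow decision is backed by no policy object; if callers use the returned slice to derive what traffic is permitted (ports, protocols, direction), an empty list can read as "no rules" just as easily as "everything", and the hunk does not say which is intended. State it at the return, e.g. `// failover pair: allowed unconditionally; no policy backs this, so the list is empty`, and if callers need a policy to build rules from, return a synthetic allow-all entry rather than nothing. The function's remaining body, including its other return paths, lies outside the hunk.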
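Review bot: After the third patch the same two-clause predicate appears four times across IsPeerAllowed and IsNodeAllowedToCommunicateV1, differing only in which of `node`/`peer` is the failover host, which is easy to let drift the next time the failover rules change (the `uuid.Nil` fix in the second patch already had to be applied in two places). Fold it into one unexported helper that both functions call at the top, and put the rationale on the helper so it is documented once. Both functions' bodies continue past their hunks.
```go
// isFailOverPair reports whether one of the two nodes is a failover host
// that the other has been failed over to (FailedOverBy is server-assigned).
// Such a pair must stay reachable regardless of ACL policy.
func isFailOverPair(a, b models.Node) bool {
	return (b.IsFailOver && a.FailedOverBy != uuid.Nil && a.FailedOverBy == b.ID) ||
		(a.IsFailOver && b.FailedOverBy != uuid.Nil && b.FailedOverBy == a.ID)
}

func IsNodeAllowedToCommunicateV1(node, peer models.Node, checkDefaultPolicy bool) (bool, []models.Acl) {
	var nodeId, peerId string
	if isFailOverPair(node, peer) {
		return true, []models.Acl{}
	}
	// … unchanged: static-node conversion and policy evaluation …
```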