remove userips usage, add allow all to fwupdate

2025-09-08 22:24:17 +08:00 · 2024-10-23 14:15:13 +04:00 · 2024-10-23 14:15:13 +04:00 · c0f107b302
commit c0f107b302
parent ffb75fa6c1
5 changed files with 24 additions and 16 deletions
--- a/logic/acls.go
+++ b/logic/acls.go
@ -457,6 +457,9 @@ func IsUserAllowedToCommunicate(userName string, peer models.Node) bool {
 			continue
 		}
 		dstMap := convAclTagToValueMap(policy.Dst)
+		if _, ok := dstMap["*"]; ok {
+			return true
+		}
 		for tagID := range peer.Tags {
 			if _, ok := dstMap[tagID.String()]; ok {
 				return true
--- a/logic/extpeers.go
+++ b/logic/extpeers.go
@ -417,6 +417,7 @@ func GetStaticNodeIps(node models.Node) (ips []net.IP) {

 func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
 	// fetch user access to static clients via policies
+
 	nodes, _ := GetNetworkNodes(node.Network)
 	nodes = append(nodes, GetStaticNodesByNetwork(models.NetworkID(node.Network), true)...)
 	userNodes := GetStaticUserNodesByNetwork(models.NetworkID(node.Network))
@ -521,18 +522,18 @@ func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
 	return
 }

-func GetExtPeers(node, peer *models.Node) ([]wgtypes.PeerConfig, []models.IDandAddr, []models.EgressNetworkRoutes, []net.IP, error) {
+func GetExtPeers(node, peer *models.Node) ([]wgtypes.PeerConfig, []models.IDandAddr, []models.EgressNetworkRoutes, error) {
 	var peers []wgtypes.PeerConfig
 	var idsAndAddr []models.IDandAddr
 	var egressRoutes []models.EgressNetworkRoutes
 	var extUserIps []net.IP
 	extPeers, err := GetNetworkExtClients(node.Network)
 	if err != nil {
-		return peers, idsAndAddr, egressRoutes, extUserIps, err
+		return peers, idsAndAddr, egressRoutes, err
 	}
 	host, err := GetHost(node.HostID.String())
 	if err != nil {
-		return peers, idsAndAddr, egressRoutes, extUserIps, err
+		return peers, idsAndAddr, egressRoutes, err
 	}
 	for _, extPeer := range extPeers {
 		extPeer := extPeer
@ -613,7 +614,7 @@ func GetExtPeers(node, peer *models.Node) ([]wgtypes.PeerConfig, []models.IDandA
 			IsExtClient: true,
 		})
 	}
-	return peers, idsAndAddr, egressRoutes, extUserIps, nil
+	return peers, idsAndAddr, egressRoutes, nil

 }

--- a/logic/peers.go
+++ b/logic/peers.go
@ -288,19 +288,23 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 		var extPeers []wgtypes.PeerConfig
 		var extPeerIDAndAddrs []models.IDandAddr
 		var egressRoutes []models.EgressNetworkRoutes
-		var extUserIps []net.IP
 		if node.IsIngressGateway {
 			hostPeerUpdate.FwUpdate.IsIngressGw = true
-			extPeers, extPeerIDAndAddrs, egressRoutes, extUserIps, err = GetExtPeers(&node, &node)
+			extPeers, extPeerIDAndAddrs, egressRoutes, err = GetExtPeers(&node, &node)
 			if err == nil {
-				hostPeerUpdate.FwUpdate.IngressInfo[node.ID.String()] = models.IngressInfo{
-					IngressID:     node.ID.String(),
-					UserIps:       extUserIps,
-					Network:       node.NetworkRange,
-					Network6:      node.NetworkRange6,
-					Rules:         GetFwRulesOnIngressGateway(node),
-					StaticNodeIps: GetStaticNodeIps(node),
+				defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
+				defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
+				ingFwUpdate := models.IngressInfo{
+					IngressID: node.ID.String(),
+					Network:   node.NetworkRange,
+					Network6:  node.NetworkRange6,
+					AllowAll:  defaultDevicePolicy.Enabled && defaultUserPolicy.Default,
 				}
+				if !ingFwUpdate.AllowAll {
+					ingFwUpdate.StaticNodeIps = GetStaticNodeIps(node)
+					ingFwUpdate.Rules = GetFwRulesOnIngressGateway(node)
+				}
+				hostPeerUpdate.FwUpdate.IngressInfo[node.ID.String()] = ingFwUpdate
 				hostPeerUpdate.EgressRoutes = append(hostPeerUpdate.EgressRoutes, egressRoutes...)
 				hostPeerUpdate.Peers = append(hostPeerUpdate.Peers, extPeers...)
 				for _, extPeerIdAndAddr := range extPeerIDAndAddrs {
@ -432,7 +436,7 @@ func GetAllowedIPs(node, peer *models.Node, metrics *models.Metrics) []net.IPNet

 	// handle ingress gateway peers
 	if peer.IsIngressGateway {
-		extPeers, _, _, _, err := GetExtPeers(peer, node)
+		extPeers, _, _, err := GetExtPeers(peer, node)
 		if err != nil {
 			logger.Log(2, "could not retrieve ext peers for ", peer.ID.String(), err.Error())
 		}
--- a/models/mqtt.go
+++ b/models/mqtt.go
@ -37,9 +37,9 @@ type IngressInfo struct {
 	IngressID     string    `json:"ingress_id"`
 	Network       net.IPNet `json:"network"`
 	Network6      net.IPNet `json:"network6"`
-	UserIps       []net.IP  `json:"user_ips"`
 	StaticNodeIps []net.IP  `json:"static_node_ips"`
 	Rules         []FwRule  `json:"rules"`
+	AllowAll      bool      `json:"allow_all"`
 }

 // EgressInfo - struct for egress info
--- a/pro/logic/failover.go
+++ b/pro/logic/failover.go
@ -148,7 +148,7 @@ func GetFailOverPeerIps(peer, node *models.Node) []net.IPNet {
 			}
 			// handle ingress gateway peers
 			if failOverpeer.IsIngressGateway {
-				extPeers, _, _, _, err := logic.GetExtPeers(&failOverpeer, node)
+				extPeers, _, _, err := logic.GetExtPeers(&failOverpeer, node)
 				if err != nil {
 					logger.Log(2, "could not retrieve ext peers for ", peer.ID.String(), err.Error())
 				}