From fdc8ea43201abbc902b19ad97b49edcd4f68fff7 Mon Sep 17 00:00:00 2001
From: Abhishek K
Date: Fri, 6 Jun 2025 07:36:49 +0530
Subject: [PATCH] NET-2061: Fix egress user policies (#3484)
* revert inet gws from acl policies
* add egress range with metric for inet gw
* link pro inet funcs
* fix extclient comms with users
* remove TODO comments
* add backwards compatibility to egress ranges
* remove all resources check
* remove device policy check on pro
---
 logic/peers.go | 3 +--
 pro/logic/acls.go | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/logic/peers.go b/logic/peers.go
index 1f9d7238..b3c17e5a 100644
--- a/logic/peers.go
+++ b/logic/peers.go
@@ -207,8 +207,7 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
 defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
 if (defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled) ||
- (!CheckIfAnyPolicyisUniDirectional(node, acls) && !CheckIfAnyActiveEgressPolicy(node, acls)) ||
- CheckIfNodeHasAccessToAllResources(&node, acls) {
+ (!CheckIfAnyPolicyisUniDirectional(node, acls) && !CheckIfAnyActiveEgressPolicy(node, acls)) {
 aclRule := models.AclRule{
 ID: fmt.Sprintf("%s-allowed-network-rules", node.ID.String()),
 AllowedProtocol: models.ALL,
diff --git a/pro/logic/acls.go b/pro/logic/acls.go
index 231764e1..d418e837 100644
--- a/pro/logic/acls.go
+++ b/pro/logic/acls.go
@@ -1153,7 +1153,7 @@ func CheckIfAnyActiveEgressPolicy(targetNode models.Node, acls []models.Acl) boo
 targetNodeTags[models.TagID(targetNode.ID.String())] = struct{}{}
 targetNodeTags["*"] = struct{}{}
 for _, acl := range acls {
- if !acl.Enabled || acl.RuleType != models.DevicePolicy {
+ if !acl.Enabled {
 continue
 }
 srcTags := logic.ConvAclTagToValueMap(acl.Src)
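Review bot: The rewritten condition in logic/peers.go still decides whether a node gets an allow-all network rule (`AllowedProtocol: models.ALL`) partly from `defaultUserPolicy` and `defaultDevicePolicy`, whose `GetDefaultPolicy` errors are discarded with `_` two lines above; on a lookup failure `Enabled` is the zero value, so the first disjunct fails closed, but the second disjunct can still emit the rule with no indication that policy lookup failed. A short comment on the new `+` line stating the intent would help the next reader, since the removal of the all-resources clause otherwise looks like an accidental narrowing: `// Emit the allow-all rule only when both default policies are enabled, or when no unidirectional or active egress policy narrows this node's reach.` Consider also checking the `GetDefaultPolicy` errors (logging them, or treating a failed lookup as "not enabled" explicitly) rather than silently dropping them. GetPeerUpdateForHost starts and ends outside this hunk.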
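Review bot: Dropping `acl.RuleType != models.DevicePolicy` in CheckIfAnyActiveEgressPolicy widens the scan to user policies, but nothing in the hunk documents that this is deliberate, and the function's doc comment (outside the hunk) presumably still describes a device-policy check and should be updated to match. A one-line comment above the loop would capture the new contract: `// Both device and user policies are considered: a user egress policy also narrows this node's reachable ranges.` Whether the tag matching that follows (`srcTags := logic.ConvAclTagToValueMap(acl.Src)` onward) handles user-policy sources correctly cannot be judged from the visible lines, so that path is worth a test. The enclosing function continues outside this hunk.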