@@ -50,6 +50,27 @@ func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
5050 // if nodeI.StaticNode.IngressGatewayID != node.ID.String() {
5151 // continue
5252 // }
53+ if IsNodeAllowedToCommunicateWithAllRsrcs (nodeI ) {
54+ if nodeI .Address .IP != nil {
55+ rules = append (rules , models.FwRule {
56+ SrcIP : net.IPNet {
57+ IP : nodeI .Address .IP ,
58+ Mask : net .CIDRMask (32 , 32 ),
59+ },
60+ Allow : true ,
61+ })
62+ }
63+ if nodeI .Address6 .IP != nil {
64+ rules = append (rules , models.FwRule {
65+ SrcIP : net.IPNet {
66+ IP : nodeI .Address6 .IP ,
67+ Mask : net .CIDRMask (128 , 128 ),
68+ },
69+ Allow : true ,
70+ })
71+ }
72+ continue
73+ }
5374 for _ , peer := range nodes {
5475 if peer .StaticNode .ClientID == nodeI .StaticNode .ClientID || peer .IsUserNode {
5576 continue
@@ -74,6 +95,37 @@ func GetFwRulesOnIngressGateway(node models.Node) (rules []models.FwRule) {
7495 }
7596 }
7697 }
98+ if len (node .RelayedNodes ) > 0 {
99+ for _ , relayedNodeID := range node .RelayedNodes {
100+ relayedNode , err := GetNodeByID (relayedNodeID )
101+ if err != nil {
102+ continue
103+ }
104+
105+ if relayedNode .Address .IP != nil {
106+ relayedFwRule := models.FwRule {
107+ AllowedProtocol : models .ALL ,
108+ AllowedPorts : []string {},
109+ Allow : true ,
110+ }
111+ relayedFwRule .DstIP = relayedNode .AddressIPNet4 ()
112+ relayedFwRule .SrcIP = node .NetworkRange
113+ rules = append (rules , relayedFwRule )
114+ }
115+
116+ if relayedNode .Address6 .IP != nil {
117+ relayedFwRule := models.FwRule {
118+ AllowedProtocol : models .ALL ,
119+ AllowedPorts : []string {},
120+ Allow : true ,
121+ }
122+ relayedFwRule .DstIP = relayedNode .AddressIPNet6 ()
123+ relayedFwRule .SrcIP = node .NetworkRange6
124+ rules = append (rules , relayedFwRule )
125+ }
126+
127+ }
128+ }
77129 return
78130}
79131
@@ -851,6 +903,60 @@ func MigrateAclPolicies() {
851903
852904}
853905
906+ func IsNodeAllowedToCommunicateWithAllRsrcs (node models.Node ) bool {
907+ // check default policy if all allowed return true
908+ defaultPolicy , err := GetDefaultPolicy (models .NetworkID (node .Network ), models .DevicePolicy )
909+ if err == nil {
910+ if defaultPolicy .Enabled {
911+ return true
912+ }
913+ }
914+ var nodeId string
915+ if node .IsStatic {
916+ nodeId = node .StaticNode .ClientID
917+ node = node .StaticNode .ConvertToStaticNode ()
918+ } else {
919+ nodeId = node .ID .String ()
920+ }
921+ nodeTags := make (map [models.TagID ]struct {})
922+
923+ nodeTags [models .TagID (nodeId )] = struct {}{}
924+ if node .IsGw {
925+ nodeTags [models .TagID (fmt .Sprintf ("%s.%s" , node .Network , models .GwTagName ))] = struct {}{}
926+ }
927+ // list device policies
928+ policies := ListDevicePolicies (models .NetworkID (node .Network ))
929+ srcMap := make (map [string ]struct {})
930+ dstMap := make (map [string ]struct {})
931+ defer func () {
932+ srcMap = nil
933+ dstMap = nil
934+ }()
935+ for _ , policy := range policies {
936+ if ! policy .Enabled {
937+ continue
938+ }
939+ srcMap = ConvAclTagToValueMap (policy .Src )
940+ dstMap = ConvAclTagToValueMap (policy .Dst )
941+ _ , srcAll := srcMap ["*" ]
942+ _ , dstAll := dstMap ["*" ]
943+
944+ for tagID := range nodeTags {
945+ if srcAll {
946+ if _ , ok := dstMap [tagID .String ()]; ok {
947+ return true
948+ }
949+ }
950+ if dstAll {
951+ if _ , ok := srcMap [tagID .String ()]; ok {
952+ return true
953+ }
954+ }
955+ }
956+ }
957+ return false
958+ }
959+
854960// IsNodeAllowedToCommunicate - check node is allowed to communicate with the peer // ADD ALLOWED DIRECTION - 0 => node -> peer, 1 => peer-> node,
855961func isNodeAllowedToCommunicate (node , peer models.Node , checkDefaultPolicy bool ) (bool , []models.Acl ) {
856962 var nodeId , peerId string
0 commit comments