Merge pull request #3497 from gravitl/v0.99_fixes

abhishek9686 · web-flow · commit b86aea9d093d · 2025-06-10T09:27:44.000+05:30
v0.99: egress policy fix
diff --git a/logic/egress.go b/logic/egress.go
@@ -46,16 +46,15 @@ func DoesNodeHaveAccessToEgress(node *models.Node, e *schema.Egress, acls []mode
 		}
 		srcVal := ConvAclTagToValueMap(acl.Src)
 		for _, dstI := range acl.Dst {
-
-			if dstI.ID == models.NodeTagID && dstI.Value == "*" {
-				return true
-			}
-			if dstI.ID == models.EgressID && dstI.Value == e.ID {
-				e := schema.Egress{ID: dstI.Value}
-				err := e.Get(db.WithContext(context.TODO()))
-				if err != nil {
-					continue
+			if (dstI.ID == models.EgressID && dstI.Value == e.ID) || (dstI.ID == models.NodeTagID && dstI.Value == "*") {
+				if dstI.ID == models.EgressID {
+					e := schema.Egress{ID: dstI.Value}
+					err := e.Get(db.WithContext(context.TODO()))
+					if err != nil {
+						continue
+					}
 				}
+
 				if node.IsStatic {
 					if _, ok := srcVal[node.StaticNode.ClientID]; ok {
 						return true
@@ -71,8 +70,8 @@ func DoesNodeHaveAccessToEgress(node *models.Node, e *schema.Egress, acls []mode
 						return true
 					}
 				}
-
 			}
+
 		}
 	}
 	return false
diff --git a/logic/peers.go b/logic/peers.go
@@ -207,7 +207,8 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 		defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
 		defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
 		if (defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled) ||
-			(!CheckIfAnyPolicyisUniDirectional(node, acls) && !CheckIfAnyActiveEgressPolicy(node, acls)) {
+			(!CheckIfAnyPolicyisUniDirectional(node, acls) &&
+				!(node.EgressDetails.IsEgressGateway && len(node.EgressDetails.EgressGatewayRanges) > 0)) {
 			aclRule := models.AclRule{
 				ID:              fmt.Sprintf("%s-allowed-network-rules", node.ID.String()),
 				AllowedProtocol: models.ALL,

Original file line number	Diff line number	Diff line change
`@@ -46,16 +46,15 @@ func DoesNodeHaveAccessToEgress(node models.Node, e schema.Egress, acls []mode`
`46`	`46`	`}`
`47`	`47`	`srcVal := ConvAclTagToValueMap(acl.Src)`
`48`	`48`	`for _, dstI := range acl.Dst {`
`49`		`-`
`50`		`- if dstI.ID == models.NodeTagID && dstI.Value == "*" {`
`51`		`- return true`
`52`		`- }`
`53`		`- if dstI.ID == models.EgressID && dstI.Value == e.ID {`
`54`		`- e := schema.Egress{ID: dstI.Value}`
`55`		`- err := e.Get(db.WithContext(context.TODO()))`
`56`		`- if err != nil {`
`57`		`- continue`
	`49`	`+ if (dstI.ID == models.EgressID && dstI.Value == e.ID) \|\| (dstI.ID == models.NodeTagID && dstI.Value == "*") {`
	`50`	`+ if dstI.ID == models.EgressID {`
	`51`	`+ e := schema.Egress{ID: dstI.Value}`
	`52`	`+ err := e.Get(db.WithContext(context.TODO()))`
	`53`	`+ if err != nil {`
	`54`	`+ continue`
	`55`	`+ }`
`58`	`56`	`}`
	`57`	`+`
`59`	`58`	`if node.IsStatic {`
`60`	`59`	`if _, ok := srcVal[node.StaticNode.ClientID]; ok {`
`61`	`60`	`return true`
`@@ -71,8 +70,8 @@ func DoesNodeHaveAccessToEgress(node models.Node, e schema.Egress, acls []mode`
`71`	`70`	`return true`
`72`	`71`	`}`
`73`	`72`	`}`
`74`		`-`
`75`	`73`	`}`
	`74`	`+`
`76`	`75`	`}`
`77`	`76`	`}`
`78`	`77`	`return false`