From effb7eb5d735c4c0c7e8907787279024fff4a40d Mon Sep 17 00:00:00 2001
From: abhishek9686
Date: Thu, 12 Dec 2024 02:30:32 +0400
Subject: [PATCH 1/4] fix all resources rules

---
 logic/acls.go | 4 +++-
 logic/nodes.go | 5 +++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/logic/acls.go b/logic/acls.go
index d623e5c5a..bd9f40257 100644
--- a/logic/acls.go
+++ b/logic/acls.go
@@ -844,6 +844,7 @@ func GetAclRulesForNode(targetnode *models.Node) (rules map[string]models.AclRul
 }
 acls := listDevicePolicies(models.NetworkID(targetnode.Network))
+ targetnode.Tags["*"] = struct{}{}
 for nodeTag := range targetnode.Tags {
 for _, acl := range acls {
 if !acl.Enabled {
@@ -944,7 +945,8 @@ func GetAclRulesForNode(targetnode *models.Node) (rules map[string]models.AclRul
 }
 }
 } else {
- if _, ok := dstTags[nodeTag.String()]; ok {
+ _, all := dstTags["*"]
+ if _, ok := dstTags[nodeTag.String()]; ok || all {
 // get all src tags
 for src := range srcTags {
 if src == nodeTag.String() {
diff --git a/logic/nodes.go b/logic/nodes.go
index 9fe96a64d..368d7d674 100644
--- a/logic/nodes.go
+++ b/logic/nodes.go
@@ -829,6 +829,7 @@ func GetTagMapWithNodesByNetwork(netID models.NetworkID, withStaticNodes bool) (
 tagNodesMap[nodeTagID] = append(tagNodesMap[nodeTagID], nodeI)
 }
 }
+ tagNodesMap["*"] = nodes
 if !withStaticNodes {
 return
 }
@@ -850,6 +851,10 @@ func AddTagMapWithStaticNodes(netID models.NetworkID,
 IsStatic: true,
 StaticNode: extclient,
 })
+ tagNodesMap["*"] = append(tagNodesMap["*"], models.Node{
+ IsStatic: true,
+ StaticNode: extclient,
+ })
 }
 }
 
From f14d9169365cb22dc2965897bb7185c04846b13e Mon Sep 17 00:00:00 2001
From: abhishek9686
Date: Thu, 12 Dec 2024 02:32:36 +0400
Subject: [PATCH 2/4] for any service set defaults

---
 controllers/acls.go | 4 ++++
 logic/acls.go | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/controllers/acls.go b/controllers/acls.go
index ffaa66636..2871aef55 100644
--- a/controllers/acls.go
+++ b/controllers/acls.go
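Review bot: `targetnode.Tags["*"] = struct{}{}` mutates the caller's data: targetnode is a pointer and Tags is a map, so the synthetic wildcard tag is written into whichever node object the caller holds and stays there after this function returns, and for a node whose Tags map is nil the assignment panics before any rule is computed. Build the tag set locally instead: `tags := make(map[<Tags key type>]struct{}, len(targetnode.Tags)+1)` (the key type is not visible here — it is whatever `nodeTag.String()` is defined on), copy targetnode.Tags into it, add the "*" entry there, and range over `tags` in the loop below. GetAclRulesForNode begins and ends outside this hunk.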
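Review bot: Because "*" is now also a member of targetnode.Tags (added earlier in this function), a policy whose dstTags contains "*" enters this branch once for every real tag through `all` and once more when nodeTag itself is "*", so the src-tag loop below repeats identical work per tag and any accumulation inside it is easy to double-count. If `rules` is keyed by policy ID the duplicates collapse on write, but that is not visible from the hunk; add a guard that processes a wildcard-destination policy for a single tag only, or compute `_, all := dstTags["*"]` once per acl outside the nodeTag loop and skip the repeat visits. The enclosing loops start and end outside this hunk.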
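Review bot: `tagNodesMap["*"] = nodes` stores the caller's slice by reference, and AddTagMapWithStaticNodes later appends to `tagNodesMap["*"]`; if `nodes` has spare capacity that append writes into the backing array the caller (or a cache the slice came from, if any) still references. Store a detached copy: `tagNodesMap["*"] = append([]models.Node(nil), nodes...)`. Whether `nodes` is already filtered to netID is not visible in the hunk — if it is not, the "*" entry also crosses networks, which would matter for the wildcard ACL matching that consumes this map; please confirm. GetTagMapWithNodesByNetwork starts outside this hunk.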
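Review bot: The static-node literal is now written twice back to back, once for the tag entry and once for the "*" entry, so a field added to one later will silently be missing from the other. Construct it once, `staticNode := models.Node{IsStatic: true, StaticNode: extclient}`, and append that single value to both keys. AddTagMapWithStaticNodes's signature and the loop this sits in are outside the hunk.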
@@ -207,6 +207,10 @@ func createAcl(w http.ResponseWriter, r *http.Request) {
 acl.CreatedBy = user.UserName
 acl.CreatedAt = time.Now().UTC()
 acl.Default = false
+ if acl.ServiceType == models.Any {
+ acl.Port = []string{}
+ acl.Proto = models.ALL
+ }
 // validate create acl policy
 if !logic.IsAclPolicyValid(acl) {
 logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("invalid policy"), "badrequest"))
diff --git a/logic/acls.go b/logic/acls.go
index bd9f40257..ff9a99e16 100644
--- a/logic/acls.go
+++ b/logic/acls.go
@@ -325,6 +325,10 @@ func UpdateAcl(newAcl, acl models.Acl) error {
 acl.Proto = newAcl.Proto
 acl.ServiceType = newAcl.ServiceType
 }
+ if newAcl.ServiceType == models.Any {
+ acl.Port = []string{}
+ acl.Proto = models.ALL
+ }
 acl.Enabled = newAcl.Enabled
 d, err := json.Marshal(acl)
 if err != nil {
From 98e313242bc88e95ea05d79c56ff18ae9a5e225c Mon Sep 17 00:00:00 2001
From: abhishek9686
Date: Fri, 13 Dec 2024 14:08:34 +0400
Subject: [PATCH 3/4] add allowed networks

---
 logic/peers.go | 19 +++++++++++--------
 models/mqtt.go | 14 +++++++-------
 2 files changed, 18 insertions(+), 15 deletions(-)

diff --git a/logic/peers.go b/logic/peers.go
index 8a4fc8540..51bce8cbb 100644
--- a/logic/peers.go
+++ b/logic/peers.go
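Review bot: The `models.Any` normalization lives in the HTTP handler on create but inside logic.UpdateAcl on update, so any other path that constructs an Acl (default policies, imports — whatever exists outside this view) will not get it and the two entry points can drift. Move it into logic next to IsAclPolicyValid so there is one definition of what Any means. It also silently widens a request that carries a specific Port/Proto together with ServiceType Any to every port and every protocol; rejecting that combination as an invalid policy, `if acl.ServiceType == models.Any && (len(acl.Port) > 0 || acl.Proto != models.ALL) { /* badrequest */ }`, surfaces the mistake instead of opening everything. createAcl continues outside this hunk.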
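Review bot: The new condition reads `newAcl.ServiceType`, but the block just above copies ServiceType, Port and Proto into `acl` only under a condition whose header is outside this hunk; when that copy is skipped, the stored policy keeps its old ServiceType yet still has Port cleared and Proto forced to ALL, i.e. it is widened to all ports and protocols while still claiming a specific service. Test the merged value so the defaults only apply when the policy actually becomes Any: `if acl.ServiceType == models.Any {`. UpdateAcl's opening lines are outside the hunk.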
@@ -158,17 +158,20 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 }
 defaultUserPolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.UserPolicy)
 defaultDevicePolicy, _ := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
- if node.NetworkRange.IP != nil {
- hostPeerUpdate.FwUpdate.Networks = append(hostPeerUpdate.FwUpdate.Networks, node.NetworkRange)
- }
- if node.NetworkRange6.IP != nil {
- hostPeerUpdate.FwUpdate.Networks = append(hostPeerUpdate.FwUpdate.Networks, node.NetworkRange6)
- }
- if !defaultDevicePolicy.Enabled || !defaultUserPolicy.Enabled {
+ if defaultDevicePolicy.Enabled && defaultUserPolicy.Enabled {
+ if node.NetworkRange.IP != nil {
+ hostPeerUpdate.FwUpdate.AllowedNetworks = append(hostPeerUpdate.FwUpdate.AllowedNetworks, node.NetworkRange)
+ }
+ if node.NetworkRange6.IP != nil {
+ hostPeerUpdate.FwUpdate.AllowedNetworks = append(hostPeerUpdate.FwUpdate.AllowedNetworks, node.NetworkRange6)
+ }
+
+ } else {
 hostPeerUpdate.FwUpdate.AllowAll = false
+ hostPeerUpdate.FwUpdate.AclRules = GetAclRulesForNode(&node)
 }
- hostPeerUpdate.FwUpdate.AclRules = GetAclRulesForNode(&node)
+
 currentPeers := GetNetworkNodesMemory(allNodes, node.Network)
 for _, peer := range currentPeers {
 peer := peer
diff --git a/models/mqtt.go b/models/mqtt.go
index 4a8a8c343..c5921f381 100644
--- a/models/mqtt.go
+++ b/models/mqtt.go
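Review bot: `hostPeerUpdate.FwUpdate.AclRules = GetAclRulesForNode(&node)` replaces the whole map instead of merging into it; if this block runs once per node of the host (the per-node `node.Network` lookups suggest a loop over the host's networks, though its header is outside the hunk), a later network with a default policy disabled discards the rules computed for an earlier one, and the single `AllowAll = false` flips every network of the host to rule-based filtering while only the last network's rules survive. Merge instead, e.g. initialise the map with make when it is nil and then `for id, r := range GetAclRulesForNode(&node) { hostPeerUpdate.FwUpdate.AclRules[id] = r }`. Note also that the enabled branch no longer fills AclRules at all, so a host whose networks all have defaults enabled now receives only AllowedNetworks — worth a comment on the branch stating that this is intended. GetPeerUpdateForHost continues outside the hunk.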
@@ -94,13 +94,13 @@ type KeyUpdate struct {
 // FwUpdate - struct for firewall updates
 type FwUpdate struct {
- AllowAll bool `json:"allow_all"`
- Networks []net.IPNet `json:"networks"`
- IsEgressGw bool `json:"is_egress_gw"`
- IsIngressGw bool `json:"is_ingress_gw"`
- EgressInfo map[string]EgressInfo `json:"egress_info"`
- IngressInfo map[string]IngressInfo `json:"ingress_info"`
- AclRules map[string]AclRule `json:"acl_rules"`
+ AllowAll bool `json:"allow_all"`
+ AllowedNetworks []net.IPNet `json:"networks"`
+ IsEgressGw bool `json:"is_egress_gw"`
+ IsIngressGw bool `json:"is_ingress_gw"`
+ EgressInfo map[string]EgressInfo `json:"egress_info"`
+ IngressInfo map[string]IngressInfo `json:"ingress_info"`
+ AclRules map[string]AclRule `json:"acl_rules"`
 }
 // FailOverMeReq - struct for failover req
From 0216c596cbc00485b5b00ca2c7f7fc3839d3c2ba Mon Sep 17 00:00:00 2001
From: abhishek9686
Date: Sun, 15 Dec 2024 10:41:59 +0400
Subject: [PATCH 4/4] add all networks rules

---
 logic/peers.go | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/logic/peers.go b/logic/peers.go
index 51bce8cbb..4afde876f 100644
--- a/logic/peers.go
+++ b/logic/peers.go
@@ -85,6 +85,24 @@ func GetPeerUpdateForHost(network string, host *models.Host, allNodes []models.N
 HostNetworkInfo: models.HostInfoMap{},
 EndpointDetection: servercfg.IsEndpointDetectionEnabled(),
 }
+ defer func() {
+ if !hostPeerUpdate.FwUpdate.AllowAll {
+ aclRule := models.AclRule{
+ ID: "allowed-network-rules",
+ AllowedProtocol: models.ALL,
+ Direction: models.TrafficDirectionBi,
+ Allowed: true,
+ }
+ for _, allowedNet := range hostPeerUpdate.FwUpdate.AllowedNetworks {
+ if allowedNet.IP.To4() != nil {
+ aclRule.IPList = append(aclRule.IPList, allowedNet)
+ } else {
+ aclRule.IP6List = append(aclRule.IP6List, allowedNet)
+ }
+ }
+ hostPeerUpdate.FwUpdate.AclRules["allowed-network-rules"] = aclRule
+ }
+ }()
 slog.Debug("peer update for host", "hostId", host.ID.String())
 peerIndexMap := make(map[string]int)
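Review bot: The field changes meaning — from the node's network ranges to an allow-list the client is expected to enforce — but its JSON tag stays `networks`, so a client that still reads it as the old plain list will not notice the change and no comment on the struct says which it is now. Document the new contract on the field: `// AllowedNetworks - network ranges the host should allow outright when AllowAll is false; as of this series only filled for networks whose default device and user policies are both enabled (see GetPeerUpdateForHost).` If older clients must keep working, a note that the wire name is intentionally unchanged for compatibility belongs there too.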
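Review bot: `hostPeerUpdate.FwUpdate.AclRules["allowed-network-rules"] = aclRule` writes into a map the hunk never initialises; it is only assigned further down in the not-AllowAll branch from GetAclRulesForNode, whose named `rules` return may be nil on an early exit (not visible here), so a path that reaches the deferred closure with AllowAll false and AclRules nil panics at function exit, where the trace points at nothing useful. The rule is also emitted with empty IPList/IP6List whenever AllowedNetworks is empty, and how the client treats an allow-all-protocols rule with no addresses is not visible here — skip it in that case rather than send an ambiguous rule. Both guards fit before the rule is built; note that the deferred closure runs on every return path, including error returns, and that GetPeerUpdateForHost continues outside the hunk.
```go
	defer func() {
		if hostPeerUpdate.FwUpdate.AllowAll || len(hostPeerUpdate.FwUpdate.AllowedNetworks) == 0 {
			return
		}
		if hostPeerUpdate.FwUpdate.AclRules == nil {
			hostPeerUpdate.FwUpdate.AclRules = make(map[string]models.AclRule)
		}
		// … unchanged: build aclRule and split AllowedNetworks into IPList / IP6List …
		hostPeerUpdate.FwUpdate.AclRules["allowed-network-rules"] = aclRule
	}()
```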