NM-296: acls policies for individual egress IPs, site-to-site egress Acls

[abhishek9686]

Describe your changes

Provide Issue ticket number if applicable/not in title

Provide testing steps

Checklist before requesting a review

• My changes affect only 10 files or less.
• I have performed a self-review of my code and tested it.
• If it is a new feature, I have added thorough tests, my code is <= 1450 lines.
• If it is a bugfix, my code is <= 200 lines.
• My functions are <= 80 lines.
• I have had my code reviewed by a peer.
• My unit tests pass locally.
• Netmaker is awesome.

[tenki-reviewer]

Tenki Code Review - Complete

Files Reviewed: 5
Findings: 1

By Severity:

• 🟠 Medium: 1

---

This PR adds egress-to-egress ACL routing policies and per-IP/CIDR destination filtering for egress rules. Two issues were found: a validation gap where NetmakerIPAclID entries in Src tags are not range-checked against the associated src egress CIDR, and a redundant double-validation causing unnecessary DB round-trips on every ACL create/update.

Files Reviewed (5 files)

controllers/acls.go
logic/acls.go
logic/acls_selected_ips_test.go
logic/egress.go
pro/logic/acls.go

[tenki-reviewer]

Overview

This PR introduces significant new functionality across logic/acls.go, logic/egress.go, controllers/acls.go, and pro/logic/acls.go:

• Egress-to-egress routing policies: A new policy type that allows two egress gateways on the same network to route traffic between each other, with NAT-aware IP substitution.
• Selected IPs for egress ACLs: Users can pin specific IPs or CIDRs within an egress range (via the NetmakerIPAclID tag type) rather than allowing the full egress range.
• Validation: NormalizeAndValidateAclEgressIPs ensures selected IPs fall within the referenced egress CIDR, and normalizes bare IPs to host-prefix CIDRs.
• Peer connectivity: IsPeerAllowed and IsNodeAllowedToCommunicate now short-circuit via IsEgressRoutingPolicyAllowedForNodes before falling through to tag-based checks.

The test file (logic/acls_selected_ips_test.go) provides good coverage of the new logic paths including NAT-aware mesh IP substitution.

Issues Found

Validation Gap: NetmakerIPAclID in Src not range-validated

logic/acls.go — NormalizeAndValidateAclEgressIPs only iterates acl.Dst to both collect egress CIDRs and validate selected IP containment. However, getEgressAclRulesForTargetNode calls getSelectedEgressIPNets(acl.Src) at line 172 — meaning NetmakerIPAclID entries in Src are used to construct firewall rules but are never validated against the source egress range. An administrator can include an arbitrary IP in Src (e.g., 192.0.2.99) alongside a src egress covering 10.10.0.0/24, and it will silently be applied as a firewall source override.

Redundant DB Queries: Double-call to NormalizeAndValidateAclEgressIPs

controllers/acls.go — Both createAcl and updateAcl call logic.NormalizeAndValidateAclEgressIPs explicitly, then immediately call logic.IsAclPolicyValid, which also calls NormalizeAndValidateAclEgressIPs internally (CE: logic/acls.go:1497, Pro: pro/logic/acls.go:529). The second call is on a value copy so mutation is lost, but it still queries the database for every egress ID in the policy. This doubles DB round-trips on every ACL save operation.