Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

local_cidr moved to always be evaluated #1071

Merged
merged 3 commits into from
Feb 26, 2024
Merged

local_cidr moved to always be evaluated #1071

merged 3 commits into from
Feb 26, 2024

Conversation

nbrownus
Copy link
Collaborator

@nbrownus nbrownus commented Feb 5, 2024

local_cidr was added to firewall rules recently and the current implementation only looks at local_cidr if the host, groups, and cidr do not already match. This greatly limits the ability to control what an unsafe router allows for traffic flows.

This change moves local_cidr to its own evaluation group that will be checked after doing host identity matching (host, groups, or cidr). If the local certificate has any subnets then all rules will have the local certificates ip address as the local_cidr by default to block any unintended exposure via an unsafe route.

This is a breaking change and will require anyone that uses unsafe routes to change their firewall rules to include a local_cidr for the traffic they want to allow.

@nbrownus nbrownus marked this pull request as ready for review February 15, 2024 17:44
@nbrownus nbrownus changed the title WIP: localcidr moved to always be evaluated localcidr moved to always be evaluated Feb 15, 2024
@johnmaguire johnmaguire changed the title localcidr moved to always be evaluated local_cidr moved to always be evaluated Feb 16, 2024
@johnmaguire johnmaguire mentioned this pull request Feb 16, 2024
Closed
brad-defined
brad-defined approved these changes Feb 21, 2024
View reviewed changes
firewall_test.go
}
})
//
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

intentionally commented out?

cidr/tree4.go

// EachContains will call a function, passing the value, for each entry until the function returns true or the search is complete
// The final return value will be true if the provided function returned true
func (tree *Tree4[T]) EachContains(ip iputil.VpnIp, each eachFunc[T]) bool {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: EachContains sounds like each and every element must contain. I would call this one AnyContains, FWIW.

@johnmaguire johnmaguire merged commit cc8b3cc into master Feb 26, 2024
13 checks passed
@johnmaguire johnmaguire deleted the localcidr-mid branch February 26, 2024 18:57
@wadey wadey added this to the v1.9.0 milestone Mar 4, 2024
johnmaguire added a commit to DefinedNet/nebula-docs that referenced this pull request May 1, 2024
@johnmaguire
Document FW evaluation and default_local_cidr_any
76ea1da 
slackhq/nebula#1071
johnmaguire added a commit to DefinedNet/nebula-docs that referenced this pull request May 1, 2024
@johnmaguire
Document FW evaluation and default_local_cidr_any
3489333 
slackhq/nebula#1071
johnmaguire added a commit to DefinedNet/nebula-docs that referenced this pull request May 1, 2024
@johnmaguire
Document FW evaluation and default_local_cidr_any
8168cc4 
slackhq/nebula#1071
@wadey wadey mentioned this pull request May 6, 2024
Merged
28 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brad-defined brad-defined brad-defined approved these changes

Assignees
No one assigned
Labels
cla:signed
Projects
None yet
Milestone
v1.9.0
Development

Successfully merging this pull request may close these issues.
4 participants
@nbrownus @brad-defined @wadey @johnmaguire