Add config option for local_cidr control
nbrownus committed Feb 15, 2024
1 parent f346cf4 commit cc8b3cc
Showing 2 changed files with 19 additions and 6 deletions.
10 changes: 9 additions & 1 deletion examples/config.yml
Expand Up @@ -309,6 +309,13 @@ firewall:
outbound_action: drop
inbound_action: drop

# Controls the default value for local_cidr. Default is true, will be deprecated after v1.9 and defaulted to false.
# This setting only affects nebula hosts with subnets encoded in their certificate. A nebula host acting as an
# unsafe router with `default_local_cidr_any: true` will expose their unsafe routes to every inbound rule regardless
# of the actual destination for the packet. Setting this to false requires each inbound rule to contain a `local_cidr`
# if the intention is to allow traffic to flow to an unsafe route.
#default_local_cidr_any: false

conntrack:
tcp_timeout: 12m
udp_timeout: 3m
Expand All @@ -325,7 +332,8 @@ firewall:
# groups: Same as group but accepts a list of values. Multiple values are AND'd together and a certificate would have to contain all groups to pass
# cidr: a remote CIDR, `0.0.0.0/0` is any.
# local_cidr: a local CIDR, `0.0.0.0/0` is any. This could be used to filter destinations when using unsafe_routes.
# Default is `any` unless the certificate contains subnets and then the default is the ip issued in the certificate.
# Default is `any` unless the certificate contains subnets and then the default is the ip issued in the certificate
# if `default_local_cidr_any` is false, otherwise its `any`.
# ca_name: An issuing CA name
# ca_sha: An issuing CA shasum

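Review bot: The commented example `#default_local_cidr_any: false` in the new firewall block shows the opposite of the default the comment directly above it states (`true`), so a reader who uncomments it expecting to keep current behaviour silently tightens the firewall, while a reader who takes the example as the default believes inbound rules already stop short of their unsafe routes. I would either show the real default, `#default_local_cidr_any: true`, or keep `false` and add `# Set to false now to opt in to the post-v1.9 behavior and require an explicit local_cidr on inbound rules.` so the intent of the example is unambiguous. The first sentence of that comment is also hard to parse: "Default is true, will be deprecated after v1.9 and defaulted to false" reads better as `# Default is true; the true default is deprecated and will change to false after v1.9.`. In the second hunk, the updated `local_cidr` description has a typo: `otherwise its` should read `otherwise it's`.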
15 changes: 10 additions & 5 deletions firewall.go
Expand Up @@ -65,10 +65,11 @@ type Firewall struct {
rules string
rulesVersion uint16

trackTCPRTT bool
metricTCPRTT metrics.Histogram
incomingMetrics firewallMetrics
outgoingMetrics firewallMetrics
defaultLocalCIDRAny bool
trackTCPRTT bool
metricTCPRTT metrics.Histogram
incomingMetrics firewallMetrics
outgoingMetrics firewallMetrics

l *logrus.Logger
}
Expand Down Expand Up @@ -206,6 +207,9 @@ func NewFirewallFromConfig(l *logrus.Logger, nc *cert.NebulaCertificate, c *conf
//TODO: max_connections
)

//TODO: Flip to false after v1.9 release
fw.defaultLocalCIDRAny = c.GetBool("firewall.default_local_cidr_any", true)

inboundAction := c.GetString("firewall.inbound_action", "drop")
switch inboundAction {
case "reject":
Expand Down Expand Up @@ -873,10 +877,11 @@ func (fr *FirewallRule) match(p firewall.Packet, c *cert.NebulaCertificate) bool

func (flc *firewallLocalCIDR) addRule(f *Firewall, localIp *net.IPNet) error {
if localIp == nil || (localIp != nil && localIp.Contains(net.IPv4(0, 0, 0, 0))) {
if !f.hasSubnets {
if !f.hasSubnets || f.defaultLocalCIDRAny {
flc.Any = true
return nil
}

localIp = f.assignedCIDR
}

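Review bot: The new `c.GetBool("firewall.default_local_cidr_any", true)` in NewFirewallFromConfig keeps the permissive behaviour on by default, which for a host with subnets in its certificate makes every inbound rule lacking a `local_cidr` also admit traffic to its unsafe routes, yet nothing at startup tells the operator this is in effect or that the default flips after v1.9. Since `l` is in scope here, a deprecation warning when the permissive default applies would make the exposure visible without changing behaviour: `if fw.defaultLocalCIDRAny && fw.hasSubnets { l.Warn("firewall.default_local_cidr_any is true: inbound rules without local_cidr also match unsafe_routes; this default becomes false after v1.9") }`. NewFirewallFromConfig starts and ends outside the hunk, so whether `fw.hasSubnets` is already populated at this point needs confirming; if it is set later, the check belongs after that assignment. The `//TODO: Flip to false after v1.9 release` would then have a user-facing counterpart rather than being the only record of the planned change.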
