From cc8b3cc961cf0068bcbac3c7e6b0efbbd4fbacd7 Mon Sep 17 00:00:00 2001 From: Nate Brown Date: Thu, 15 Feb 2024 11:44:05 -0600 Subject: [PATCH] Add config option for local_cidr control --- examples/config.yml | 10 +++++++++- firewall.go | 15 ++++++++++----- 2 files changed, 19 insertions(+), 6 deletions(-) diff --git a/examples/config.yml b/examples/config.yml index d4ef0fd36..ff5b40315 100644 --- a/examples/config.yml +++ b/examples/config.yml @@ -309,6 +309,13 @@ firewall: outbound_action: drop inbound_action: drop + # Controls the default value for local_cidr. Default is true, will be deprecated after v1.9 and defaulted to false. + # This setting only affects nebula hosts with subnets encoded in their certificate. A nebula host acting as an + # unsafe router with `default_local_cidr_any: true` will expose their unsafe routes to every inbound rule regardless + # of the actual destination for the packet. Setting this to false requires each inbound rule to contain a `local_cidr` + # if the intention is to allow traffic to flow to an unsafe route. + #default_local_cidr_any: false + conntrack: tcp_timeout: 12m udp_timeout: 3m @@ -325,7 +332,8 @@ firewall: # groups: Same as group but accepts a list of values. Multiple values are AND'd together and a certificate would have to contain all groups to pass # cidr: a remote CIDR, `0.0.0.0/0` is any. # local_cidr: a local CIDR, `0.0.0.0/0` is any. This could be used to filter destinations when using unsafe_routes. - # Default is `any` unless the certificate contains subnets and then the default is the ip issued in the certificate. + # Default is `any` unless the certificate contains subnets and then the default is the ip issued in the certificate + # if `default_local_cidr_any` is false, otherwise its `any`. # ca_name: An issuing CA name # ca_sha: An issuing CA shasum diff --git a/firewall.go b/firewall.go index c3cf7cf4c..cf2bc5282 100644 --- a/firewall.go +++ b/firewall.go @@ -65,10 +65,11 @@ type Firewall struct { rules string rulesVersion uint16 - trackTCPRTT bool - metricTCPRTT metrics.Histogram - incomingMetrics firewallMetrics - outgoingMetrics firewallMetrics + defaultLocalCIDRAny bool + trackTCPRTT bool + metricTCPRTT metrics.Histogram + incomingMetrics firewallMetrics + outgoingMetrics firewallMetrics l *logrus.Logger } @@ -206,6 +207,9 @@ func NewFirewallFromConfig(l *logrus.Logger, nc *cert.NebulaCertificate, c *conf //TODO: max_connections ) + //TODO: Flip to false after v1.9 release + fw.defaultLocalCIDRAny = c.GetBool("firewall.default_local_cidr_any", true) + inboundAction := c.GetString("firewall.inbound_action", "drop") switch inboundAction { case "reject": @@ -873,10 +877,11 @@ func (fr *FirewallRule) match(p firewall.Packet, c *cert.NebulaCertificate) bool func (flc *firewallLocalCIDR) addRule(f *Firewall, localIp *net.IPNet) error { if localIp == nil || (localIp != nil && localIp.Contains(net.IPv4(0, 0, 0, 0))) { - if !f.hasSubnets { + if !f.hasSubnets || f.defaultLocalCIDRAny { flc.Any = true return nil } + localIp = f.assignedCIDR }