Add config option for local_cidr control

2025-11-22 08:24:25 +01:00 · 2024-02-15 11:44:05 -06:00
parent f346cf4109
commit cc8b3cc961
2 changed files with 19 additions and 6 deletions
--- a/examples/config.yml
+++ b/examples/config.yml
@@ -309,6 +309,13 @@ firewall:
  outbound_action: drop
  inbound_action: drop

+  # Controls the default value for local_cidr. Default is true, will be deprecated after v1.9 and defaulted to false.
+  # This setting only affects nebula hosts with subnets encoded in their certificate. A nebula host acting as an
+  # unsafe router with `default_local_cidr_any: true` will expose their unsafe routes to every inbound rule regardless
+  # of the actual destination for the packet. Setting this to false requires each inbound rule to contain a `local_cidr`
+  # if the intention is to allow traffic to flow to an unsafe route.
+  #default_local_cidr_any: false
+
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
@@ -325,7 +332,8 @@ firewall:
  #   groups: Same as group but accepts a list of values. Multiple values are AND'd together and a certificate would have to contain all groups to pass
  #   cidr: a remote CIDR, `0.0.0.0/0` is any.
  #   local_cidr: a local CIDR, `0.0.0.0/0` is any. This could be used to filter destinations when using unsafe_routes.
-  #      Default is `any` unless the certificate contains subnets and then the default is the ip issued in the certificate.
+  #      Default is `any` unless the certificate contains subnets and then the default is the ip issued in the certificate
+  #      if `default_local_cidr_any` is false, otherwise its `any`.
  #   ca_name: An issuing CA name
  #   ca_sha: An issuing CA shasum