personal_interest_mirrors/nebula
1
0
Fork 0
mirror of https://github.com/slackhq/nebula.git synced 2025-11-08 23:53:58 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add config option for local_cidr control

Browse Source
This commit is contained in:
Nate Brown 2024-02-15 11:44:05 -06:00
parent f346cf4109
commit cc8b3cc961
2 changed files with 19 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
examples/config.yml
View File

@ -309,6 +309,13 @@ firewall:
outbound_action: drop outbound_action: drop
inbound_action: drop inbound_action: drop
# Controls the default value for local_cidr. Default is true, will be deprecated after v1.9 and defaulted to false.
# This setting only affects nebula hosts with subnets encoded in their certificate. A nebula host acting as an
# unsafe router with `default_local_cidr_any: true` will expose their unsafe routes to every inbound rule regardless
# of the actual destination for the packet. Setting this to false requires each inbound rule to contain a `local_cidr`
# if the intention is to allow traffic to flow to an unsafe route.
#default_local_cidr_any: false
conntrack: conntrack:
tcp_timeout: 12m tcp_timeout: 12m
udp_timeout: 3m udp_timeout: 3m
@ -325,7 +332,8 @@ firewall:
# groups: Same as group but accepts a list of values. Multiple values are AND'd together and a certificate would have to contain all groups to pass # groups: Same as group but accepts a list of values. Multiple values are AND'd together and a certificate would have to contain all groups to pass
# cidr: a remote CIDR, `0.0.0.0/0` is any. # cidr: a remote CIDR, `0.0.0.0/0` is any.
# local_cidr: a local CIDR, `0.0.0.0/0` is any. This could be used to filter destinations when using unsafe_routes. # local_cidr: a local CIDR, `0.0.0.0/0` is any. This could be used to filter destinations when using unsafe_routes.
# Default is `any` unless the certificate contains subnets and then the default is the ip issued in the certificate. # Default is `any` unless the certificate contains subnets and then the default is the ip issued in the certificate
# if `default_local_cidr_any` is false, otherwise its `any`.
# ca_name: An issuing CA name # ca_name: An issuing CA name
# ca_sha: An issuing CA shasum # ca_sha: An issuing CA shasum

15
firewall.go
View File

@ -65,10 +65,11 @@ type Firewall struct {
rules string rules string
rulesVersion uint16 rulesVersion uint16
trackTCPRTT bool defaultLocalCIDRAny bool
metricTCPRTT metrics.Histogram trackTCPRTT bool
incomingMetrics firewallMetrics metricTCPRTT metrics.Histogram
outgoingMetrics firewallMetrics incomingMetrics firewallMetrics
outgoingMetrics firewallMetrics
l *logrus.Logger l *logrus.Logger
} }
@ -206,6 +207,9 @@ func NewFirewallFromConfig(l *logrus.Logger, nc *cert.NebulaCertificate, c *conf
//TODO: max_connections //TODO: max_connections
) )
//TODO: Flip to false after v1.9 release
fw.defaultLocalCIDRAny = c.GetBool("firewall.default_local_cidr_any", true)
inboundAction := c.GetString("firewall.inbound_action", "drop") inboundAction := c.GetString("firewall.inbound_action", "drop")
switch inboundAction { switch inboundAction {
case "reject": case "reject":
@ -873,10 +877,11 @@ func (fr *FirewallRule) match(p firewall.Packet, c *cert.NebulaCertificate) bool
func (flc *firewallLocalCIDR) addRule(f *Firewall, localIp *net.IPNet) error { func (flc *firewallLocalCIDR) addRule(f *Firewall, localIp *net.IPNet) error {
if localIp == nil || (localIp != nil && localIp.Contains(net.IPv4(0, 0, 0, 0))) { if localIp == nil || (localIp != nil && localIp.Contains(net.IPv4(0, 0, 0, 0))) {
if !f.hasSubnets { if !f.hasSubnets || f.defaultLocalCIDRAny {
flc.Any = true flc.Any = true
return nil return nil
} }
localIp = f.assignedCIDR localIp = f.assignedCIDR
} }