personal_interest_mirrors/nebula
1
0
Fork 0
mirror of https://github.com/slackhq/nebula.git synced 2025-12-31 02:58:28 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

HostInfo.remoteCidr should only be populated with the entire vpn ip address issued in the certificate

Browse Source
This commit is contained in:
Nate Brown
2025-10-07 17:11:26 -05:00
parent 22af56f156
commit d400d9a5ec
2 changed files with 37 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
hostmap.go
View File

@@ -714,8 +714,7 @@ func (i *HostInfo) CreateRemoteCIDR(c *cert.NebulaCertificate) {
//TODO: IPV6-WORK what to do when ip is invalid? //TODO: IPV6-WORK what to do when ip is invalid?
nip, _ := netip.AddrFromSlice(ip.IP) nip, _ := netip.AddrFromSlice(ip.IP)
nip = nip.Unmap() nip = nip.Unmap()
bits, _ := ip.Mask.Size() remoteCidr.Insert(netip.PrefixFrom(nip, nip.BitLen()), struct{}{})
remoteCidr.Insert(netip.PrefixFrom(nip, bits), struct{}{})
} }
for _, n := range c.Details.Subnets { for _, n := range c.Details.Subnets {

36
hostmap_test.go
View File

@@ -1,9 +1,11 @@
package nebula package nebula
import ( import (
"net"
"net/netip" "net/netip"
"testing" "testing"
"github.com/slackhq/nebula/cert"
"github.com/slackhq/nebula/config" "github.com/slackhq/nebula/config"
"github.com/slackhq/nebula/test" "github.com/slackhq/nebula/test"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
@@ -87,6 +89,40 @@ func TestHostMap_MakePrimary(t *testing.T) {
assert.Nil(t, h2.next) assert.Nil(t, h2.next)
} }
func TestHostInfo_CreateRemoteCIDR(t *testing.T) {
h := HostInfo{}
c := &cert.NebulaCertificate{
Details: cert.NebulaCertificateDetails{
Ips: []*net.IPNet{
{
IP: net.IPv4(1, 2, 3, 4),
Mask: net.IPv4Mask(255, 255, 255, 0),
},
},
},
}
// remoteCidr should be empty with only 1 ip address present in the certificate
h.CreateRemoteCIDR(c)
assert.Empty(t, h.remoteCidr)
// remoteCidr should be populated if there is also a subnet in the certificate
c.Details.Subnets = []*net.IPNet{
{
IP: net.IPv4(9, 2, 3, 4),
Mask: net.IPv4Mask(255, 255, 255, 0),
},
}
h.CreateRemoteCIDR(c)
assert.NotEmpty(t, h.remoteCidr)
_, ok := h.remoteCidr.Lookup(netip.MustParseAddr("1.2.3.0"))
assert.False(t, ok, "An ip address within the certificates network should not be found")
_, ok = h.remoteCidr.Lookup(netip.MustParseAddr("1.2.3.4"))
assert.True(t, ok, "An exact ip address match should be found")
_, ok = h.remoteCidr.Lookup(netip.MustParseAddr("9.2.3.4"))
assert.True(t, ok, "An ip address within the subnets should be found")
}
func TestHostMap_DeleteHostInfo(t *testing.T) { func TestHostMap_DeleteHostInfo(t *testing.T) {
l := test.NewLogger() l := test.NewLogger()
hm := newHostMap( hm := newHostMap(