From e136d1d47a630c9ac2de01949f3f3286fa110c23 Mon Sep 17 00:00:00 2001 From: John Maguire Date: Tue, 1 Apr 2025 17:08:03 -0400 Subject: [PATCH] Update example config with default_local_cidr_any changes (#1373) --- CHANGELOG.md | 7 +++++++ examples/config.yml | 18 ++++++++---------- 2 files changed, 15 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ad17147..1de3c19 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Changed + +- `default_local_cidr_any` now defaults to false, meaning that any firewall rule + intended to target an `unsafe_routes` entry must explicitly declare it via the + `local_cidr` field. This is almost always the intended behavior. This flag is + deprecated and will be removed in a future release. + ## [1.9.4] - 2024-09-09 ### Added diff --git a/examples/config.yml b/examples/config.yml index 3b7c38b..534608d 100644 --- a/examples/config.yml +++ b/examples/config.yml @@ -346,11 +346,11 @@ firewall: outbound_action: drop inbound_action: drop - # Controls the default value for local_cidr. Default is true, will be deprecated after v1.9 and defaulted to false. - # This setting only affects nebula hosts with subnets encoded in their certificate. A nebula host acting as an - # unsafe router with `default_local_cidr_any: true` will expose their unsafe routes to every inbound rule regardless - # of the actual destination for the packet. Setting this to false requires each inbound rule to contain a `local_cidr` - # if the intention is to allow traffic to flow to an unsafe route. + # THIS FLAG IS DEPRECATED AND WILL BE REMOVED IN A FUTURE RELEASE. (Defaults to false.) + # This setting only affects nebula hosts exposing unsafe_routes. When set to false, each inbound rule must contain a + # `local_cidr` if the intention is to allow traffic to flow to an unsafe route. When set to true, every firewall rule + # will apply to all configured unsafe_routes regardless of the actual destination of the packet, unless `local_cidr` + # is explicitly defined. This is usually not the desired behavior and should be avoided! #default_local_cidr_any: false conntrack: @@ -368,11 +368,9 @@ firewall: # group: `any` or a literal group name, ie `default-group` # groups: Same as group but accepts a list of values. Multiple values are AND'd together and a certificate would have to contain all groups to pass # cidr: a remote CIDR, `0.0.0.0/0` is any ipv4 and `::/0` is any ipv6. - # local_cidr: a local CIDR, `0.0.0.0/0` is any ipv4 and `::/0` is any ipv6. This could be used to filter destinations when using unsafe_routes. - # If no unsafe networks are present in the certificate(s) or `default_local_cidr_any` is true then the default is any ipv4 or ipv6 network. - # Otherwise the default is any vpn network assigned to via the certificate. - # `default_local_cidr_any` defaults to false and is deprecated, it will be removed in a future release. - # If there are unsafe routes present its best to set `local_cidr` to whatever best fits the situation. + # local_cidr: a local CIDR, `0.0.0.0/0` is any ipv4 and `::/0` is any ipv6. This can be used to filter destinations when using unsafe_routes. + # By default, this is set to only the VPN (overlay) networks assigned via the certificate networks field unless `default_local_cidr_any` is set to true. + # If there are unsafe_routes present in this config file, `local_cidr` should be set appropriately for the intended us case. # ca_name: An issuing CA name # ca_sha: An issuing CA shasum