remote_allow_ranges: allow inside CIDR specific remote_allow_lists (#540)

This allows you to configure remote allow lists specific to different subnets of the inside CIDR. Example: remote_allow_ranges: 10.42.42.0/24: 192.168.0.0/16: true This would only allow hosts with a VPN IP in the 10.42.42.0/24 range to have private IPs (and thus don't connect over public IPs). The PR also refactors AllowList into RemoteAllowList and LocalAllowList to make it clearer which methods are allowed on which allow list.
2025-11-22 08:24:25 +01:00 · 2021-10-19 10:54:30 -04:00
parent ae5505bc74
commit ea2c186a77
14 changed files with 223 additions and 70 deletions
--- a/remote_list_test.go
+++ b/remote_list_test.go
@@ -10,6 +10,7 @@ import (
 func TestRemoteList_Rebuild(t *testing.T) {
 	rl := NewRemoteList()
 	rl.unlockedSetV4(
+		0,
 		0,
 		[]*Ip4AndPort{
 			{Ip: ip2int(net.ParseIP("70.199.182.92")), Port: 1475}, // this is duped
@@ -23,10 +24,11 @@ func TestRemoteList_Rebuild(t *testing.T) {
 			{Ip: ip2int(net.ParseIP("70.199.182.92")), Port: 1476}, // almost dupe of 0 with a diff port
 			{Ip: ip2int(net.ParseIP("70.199.182.92")), Port: 1475}, // this is a dupe
 		},
-		func(*Ip4AndPort) bool { return true },
+		func(uint32, *Ip4AndPort) bool { return true },
 	)

 	rl.unlockedSetV6(
+		1,
 		1,
 		[]*Ip6AndPort{
 			NewIp6AndPort(net.ParseIP("1::1"), 1), // this is duped
@@ -35,7 +37,7 @@ func TestRemoteList_Rebuild(t *testing.T) {
 			NewIp6AndPort(net.ParseIP("1::1"), 1), // this is a dupe
 			NewIp6AndPort(net.ParseIP("1::1"), 2), // this is a dupe
 		},
-		func(*Ip6AndPort) bool { return true },
+		func(uint32, *Ip6AndPort) bool { return true },
 	)

 	rl.Rebuild([]*net.IPNet{})
@@ -101,6 +103,7 @@ func TestRemoteList_Rebuild(t *testing.T) {
 func BenchmarkFullRebuild(b *testing.B) {
 	rl := NewRemoteList()
 	rl.unlockedSetV4(
+		0,
 		0,
 		[]*Ip4AndPort{
 			{Ip: ip2int(net.ParseIP("70.199.182.92")), Port: 1475},
@@ -112,10 +115,11 @@ func BenchmarkFullRebuild(b *testing.B) {
 			{Ip: ip2int(net.ParseIP("172.17.1.1")), Port: 10101},   // this is a dupe
 			{Ip: ip2int(net.ParseIP("70.199.182.92")), Port: 1476}, // dupe of 0 with a diff port
 		},
-		func(*Ip4AndPort) bool { return true },
+		func(uint32, *Ip4AndPort) bool { return true },
 	)

 	rl.unlockedSetV6(
+		0,
 		0,
 		[]*Ip6AndPort{
 			NewIp6AndPort(net.ParseIP("1::1"), 1),
@@ -123,7 +127,7 @@ func BenchmarkFullRebuild(b *testing.B) {
 			NewIp6AndPort(net.ParseIP("1:100::1"), 1),
 			NewIp6AndPort(net.ParseIP("1::1"), 1), // this is a dupe
 		},
-		func(*Ip6AndPort) bool { return true },
+		func(uint32, *Ip6AndPort) bool { return true },
 	)

 	b.Run("no preferred", func(b *testing.B) {
@@ -164,6 +168,7 @@ func BenchmarkFullRebuild(b *testing.B) {
 func BenchmarkSortRebuild(b *testing.B) {
 	rl := NewRemoteList()
 	rl.unlockedSetV4(
+		0,
 		0,
 		[]*Ip4AndPort{
 			{Ip: ip2int(net.ParseIP("70.199.182.92")), Port: 1475},
@@ -175,10 +180,11 @@ func BenchmarkSortRebuild(b *testing.B) {
 			{Ip: ip2int(net.ParseIP("172.17.1.1")), Port: 10101},   // this is a dupe
 			{Ip: ip2int(net.ParseIP("70.199.182.92")), Port: 1476}, // dupe of 0 with a diff port
 		},
-		func(*Ip4AndPort) bool { return true },
+		func(uint32, *Ip4AndPort) bool { return true },
 	)

 	rl.unlockedSetV6(
+		0,
 		0,
 		[]*Ip6AndPort{
 			NewIp6AndPort(net.ParseIP("1::1"), 1),
@@ -186,7 +192,7 @@ func BenchmarkSortRebuild(b *testing.B) {
 			NewIp6AndPort(net.ParseIP("1:100::1"), 1),
 			NewIp6AndPort(net.ParseIP("1::1"), 1), // this is a dupe
 		},
-		func(*Ip6AndPort) bool { return true },
+		func(uint32, *Ip6AndPort) bool { return true },
 	)

 	b.Run("no preferred", func(b *testing.B) {