nebula/allow_list.go

package nebula

import (
	"fmt"
	"net"
	"regexp"
)

type AllowList struct {
	// The values of this cidrTree are `bool`, signifying allow/deny
	cidrTree *CIDR6Tree
}

type RemoteAllowList struct {
	AllowList *AllowList

	// Inside Range Specific, keys of this tree are inside CIDRs and values
	// are *AllowList
	insideAllowLists *CIDR6Tree
}

type LocalAllowList struct {
	AllowList *AllowList

	// To avoid ambiguity, all rules must be true, or all rules must be false.
	nameRules []AllowListNameRule
}

type AllowListNameRule struct {
	Name  *regexp.Regexp
	Allow bool
}

func (al *AllowList) Allow(ip net.IP) bool {
	if al == nil {
		return true
	}

	result := al.cidrTree.MostSpecificContains(ip)
	switch v := result.(type) {
	case bool:
		return v
	default:
		panic(fmt.Errorf("invalid state, allowlist returned: %T %v", result, result))
	}
}

func (al *AllowList) AllowIpV4(ip uint32) bool {
	if al == nil {
		return true
	}

	result := al.cidrTree.MostSpecificContainsIpV4(ip)
	switch v := result.(type) {
	case bool:
		return v
	default:
		panic(fmt.Errorf("invalid state, allowlist returned: %T %v", result, result))
	}
}

func (al *AllowList) AllowIpV6(hi, lo uint64) bool {
	if al == nil {
		return true
	}

	result := al.cidrTree.MostSpecificContainsIpV6(hi, lo)
	switch v := result.(type) {
	case bool:
		return v
	default:
		panic(fmt.Errorf("invalid state, allowlist returned: %T %v", result, result))
	}
}

func (al *LocalAllowList) Allow(ip net.IP) bool {
	if al == nil {
		return true
	}
	return al.AllowList.Allow(ip)
}

func (al *LocalAllowList) AllowName(name string) bool {
	if al == nil || len(al.nameRules) == 0 {
		return true
	}

	for _, rule := range al.nameRules {
		if rule.Name.MatchString(name) {
			return rule.Allow
		}
	}

	// If no rules match, return the default, which is the inverse of the rules
	return !al.nameRules[0].Allow
}

func (al *RemoteAllowList) AllowUnknownVpnIp(ip net.IP) bool {
	if al == nil {
		return true
	}
	return al.AllowList.Allow(ip)
}

func (al *RemoteAllowList) Allow(vpnIp uint32, ip net.IP) bool {
	if !al.getInsideAllowList(vpnIp).Allow(ip) {
		return false
	}
	return al.AllowList.Allow(ip)
}

func (al *RemoteAllowList) AllowIpV4(vpnIp uint32, ip uint32) bool {
	if al == nil {
		return true
	}
	if !al.getInsideAllowList(vpnIp).AllowIpV4(ip) {
		return false
	}
	return al.AllowList.AllowIpV4(ip)
}

func (al *RemoteAllowList) AllowIpV6(vpnIp uint32, hi, lo uint64) bool {
	if al == nil {
		return true
	}
	if !al.getInsideAllowList(vpnIp).AllowIpV6(hi, lo) {
		return false
	}
	return al.AllowList.AllowIpV6(hi, lo)
}

func (al *RemoteAllowList) getInsideAllowList(vpnIp uint32) *AllowList {
	if al.insideAllowLists != nil {
		inside := al.insideAllowLists.MostSpecificContainsIpV4(vpnIp)
		if inside != nil {
			return inside.(*AllowList)
		}
	}
	return nil
}
Add lighthouse.{remoteAllowList,localAllowList} (#217) These settings make it possible to blacklist / whitelist IP addresses that are used for remote connections. `lighthouse.remoteAllowList` filters which remote IPs are allow when fetching from the lighthouse (or, if you are the lighthouse, which IPs you store and forward to querying hosts). By default, any remote IPs are allowed. You can provide CIDRs here with `true` to allow and `false` to deny. The most specific CIDR rule applies to each remote. If all rules are "allow", the default will be "deny", and vice-versa. If both "allow" and "deny" rules are present, then you MUST set a rule for "0.0.0.0/0" as the default. lighthouse: remoteAllowList: # Example to block IPs from this subnet from being used for remote IPs. "172.16.0.0/12": false # A more complicated example, allow public IPs but only private IPs from a specific subnet "0.0.0.0/0": true "10.0.0.0/8": false "10.42.42.0/24": true `lighthouse.localAllowList` has the same logic as above, but it applies to the local addresses we advertise to the lighthouse. Additionally, you can specify an `interfaces` map of regular expressions to match against interface names. The regexp must match the entire name. All interface rules must be either true or false (and the default rule will be the inverse). CIDR rules are matched after interface name rules. Default is all local IP addresses. lighthouse: localAllowList: # Example to blacklist docker interfaces. interfaces: 'docker.*': false # Example to only advertise IPs in this subnet to the lighthouse. "10.0.0.0/8": true 2020-04-08 21:36:43 +02:00			`package nebula`

			`import (`
			`"fmt"`
IPv6 support for outside (udp) (#369) 2021-03-19 02:37:24 +01:00			`"net"`
Add lighthouse.{remoteAllowList,localAllowList} (#217) These settings make it possible to blacklist / whitelist IP addresses that are used for remote connections. `lighthouse.remoteAllowList` filters which remote IPs are allow when fetching from the lighthouse (or, if you are the lighthouse, which IPs you store and forward to querying hosts). By default, any remote IPs are allowed. You can provide CIDRs here with `true` to allow and `false` to deny. The most specific CIDR rule applies to each remote. If all rules are "allow", the default will be "deny", and vice-versa. If both "allow" and "deny" rules are present, then you MUST set a rule for "0.0.0.0/0" as the default. lighthouse: remoteAllowList: # Example to block IPs from this subnet from being used for remote IPs. "172.16.0.0/12": false # A more complicated example, allow public IPs but only private IPs from a specific subnet "0.0.0.0/0": true "10.0.0.0/8": false "10.42.42.0/24": true `lighthouse.localAllowList` has the same logic as above, but it applies to the local addresses we advertise to the lighthouse. Additionally, you can specify an `interfaces` map of regular expressions to match against interface names. The regexp must match the entire name. All interface rules must be either true or false (and the default rule will be the inverse). CIDR rules are matched after interface name rules. Default is all local IP addresses. lighthouse: localAllowList: # Example to blacklist docker interfaces. interfaces: 'docker.*': false # Example to only advertise IPs in this subnet to the lighthouse. "10.0.0.0/8": true 2020-04-08 21:36:43 +02:00			`"regexp"`
			`)`

			`type AllowList struct {`
			// The values of this cidrTree are `bool`, signifying allow/deny
IPv6 support for outside (udp) (#369) 2021-03-19 02:37:24 +01:00			`cidrTree *CIDR6Tree`
remote_allow_ranges: allow inside CIDR specific remote_allow_lists (#540) This allows you to configure remote allow lists specific to different subnets of the inside CIDR. Example: remote_allow_ranges: 10.42.42.0/24: 192.168.0.0/16: true This would only allow hosts with a VPN IP in the 10.42.42.0/24 range to have private IPs (and thus don't connect over public IPs). The PR also refactors AllowList into RemoteAllowList and LocalAllowList to make it clearer which methods are allowed on which allow list. 2021-10-19 16:54:30 +02:00			`}`

			`type RemoteAllowList struct {`
			`AllowList *AllowList`

			`// Inside Range Specific, keys of this tree are inside CIDRs and values`
			`// are *AllowList`
			`insideAllowLists *CIDR6Tree`
			`}`

			`type LocalAllowList struct {`
			`AllowList *AllowList`
Add lighthouse.{remoteAllowList,localAllowList} (#217) These settings make it possible to blacklist / whitelist IP addresses that are used for remote connections. `lighthouse.remoteAllowList` filters which remote IPs are allow when fetching from the lighthouse (or, if you are the lighthouse, which IPs you store and forward to querying hosts). By default, any remote IPs are allowed. You can provide CIDRs here with `true` to allow and `false` to deny. The most specific CIDR rule applies to each remote. If all rules are "allow", the default will be "deny", and vice-versa. If both "allow" and "deny" rules are present, then you MUST set a rule for "0.0.0.0/0" as the default. lighthouse: remoteAllowList: # Example to block IPs from this subnet from being used for remote IPs. "172.16.0.0/12": false # A more complicated example, allow public IPs but only private IPs from a specific subnet "0.0.0.0/0": true "10.0.0.0/8": false "10.42.42.0/24": true `lighthouse.localAllowList` has the same logic as above, but it applies to the local addresses we advertise to the lighthouse. Additionally, you can specify an `interfaces` map of regular expressions to match against interface names. The regexp must match the entire name. All interface rules must be either true or false (and the default rule will be the inverse). CIDR rules are matched after interface name rules. Default is all local IP addresses. lighthouse: localAllowList: # Example to blacklist docker interfaces. interfaces: 'docker.*': false # Example to only advertise IPs in this subnet to the lighthouse. "10.0.0.0/8": true 2020-04-08 21:36:43 +02:00
			`// To avoid ambiguity, all rules must be true, or all rules must be false.`
			`nameRules []AllowListNameRule`
			`}`

			`type AllowListNameRule struct {`
			`Name *regexp.Regexp`
			`Allow bool`
			`}`

IPv6 support for outside (udp) (#369) 2021-03-19 02:37:24 +01:00			`func (al *AllowList) Allow(ip net.IP) bool {`
Add lighthouse.{remoteAllowList,localAllowList} (#217) These settings make it possible to blacklist / whitelist IP addresses that are used for remote connections. `lighthouse.remoteAllowList` filters which remote IPs are allow when fetching from the lighthouse (or, if you are the lighthouse, which IPs you store and forward to querying hosts). By default, any remote IPs are allowed. You can provide CIDRs here with `true` to allow and `false` to deny. The most specific CIDR rule applies to each remote. If all rules are "allow", the default will be "deny", and vice-versa. If both "allow" and "deny" rules are present, then you MUST set a rule for "0.0.0.0/0" as the default. lighthouse: remoteAllowList: # Example to block IPs from this subnet from being used for remote IPs. "172.16.0.0/12": false # A more complicated example, allow public IPs but only private IPs from a specific subnet "0.0.0.0/0": true "10.0.0.0/8": false "10.42.42.0/24": true `lighthouse.localAllowList` has the same logic as above, but it applies to the local addresses we advertise to the lighthouse. Additionally, you can specify an `interfaces` map of regular expressions to match against interface names. The regexp must match the entire name. All interface rules must be either true or false (and the default rule will be the inverse). CIDR rules are matched after interface name rules. Default is all local IP addresses. lighthouse: localAllowList: # Example to blacklist docker interfaces. interfaces: 'docker.*': false # Example to only advertise IPs in this subnet to the lighthouse. "10.0.0.0/8": true 2020-04-08 21:36:43 +02:00			`if al == nil {`
			`return true`
			`}`

			`result := al.cidrTree.MostSpecificContains(ip)`
			`switch v := result.(type) {`
			`case bool:`
			`return v`
			`default:`
			`panic(fmt.Errorf("invalid state, allowlist returned: %T %v", result, result))`
			`}`
			`}`

More LH cleanup (#429) 2021-04-01 17:23:31 +02:00			`func (al *AllowList) AllowIpV4(ip uint32) bool {`
			`if al == nil {`
			`return true`
			`}`

			`result := al.cidrTree.MostSpecificContainsIpV4(ip)`
			`switch v := result.(type) {`
			`case bool:`
			`return v`
			`default:`
			`panic(fmt.Errorf("invalid state, allowlist returned: %T %v", result, result))`
			`}`
			`}`

			`func (al *AllowList) AllowIpV6(hi, lo uint64) bool {`
			`if al == nil {`
			`return true`
			`}`

			`result := al.cidrTree.MostSpecificContainsIpV6(hi, lo)`
			`switch v := result.(type) {`
			`case bool:`
			`return v`
			`default:`
			`panic(fmt.Errorf("invalid state, allowlist returned: %T %v", result, result))`
			`}`
			`}`

remote_allow_ranges: allow inside CIDR specific remote_allow_lists (#540) This allows you to configure remote allow lists specific to different subnets of the inside CIDR. Example: remote_allow_ranges: 10.42.42.0/24: 192.168.0.0/16: true This would only allow hosts with a VPN IP in the 10.42.42.0/24 range to have private IPs (and thus don't connect over public IPs). The PR also refactors AllowList into RemoteAllowList and LocalAllowList to make it clearer which methods are allowed on which allow list. 2021-10-19 16:54:30 +02:00			`func (al *LocalAllowList) Allow(ip net.IP) bool {`
			`if al == nil {`
			`return true`
			`}`
			`return al.AllowList.Allow(ip)`
			`}`

			`func (al *LocalAllowList) AllowName(name string) bool {`
Add lighthouse.{remoteAllowList,localAllowList} (#217) These settings make it possible to blacklist / whitelist IP addresses that are used for remote connections. `lighthouse.remoteAllowList` filters which remote IPs are allow when fetching from the lighthouse (or, if you are the lighthouse, which IPs you store and forward to querying hosts). By default, any remote IPs are allowed. You can provide CIDRs here with `true` to allow and `false` to deny. The most specific CIDR rule applies to each remote. If all rules are "allow", the default will be "deny", and vice-versa. If both "allow" and "deny" rules are present, then you MUST set a rule for "0.0.0.0/0" as the default. lighthouse: remoteAllowList: # Example to block IPs from this subnet from being used for remote IPs. "172.16.0.0/12": false # A more complicated example, allow public IPs but only private IPs from a specific subnet "0.0.0.0/0": true "10.0.0.0/8": false "10.42.42.0/24": true `lighthouse.localAllowList` has the same logic as above, but it applies to the local addresses we advertise to the lighthouse. Additionally, you can specify an `interfaces` map of regular expressions to match against interface names. The regexp must match the entire name. All interface rules must be either true or false (and the default rule will be the inverse). CIDR rules are matched after interface name rules. Default is all local IP addresses. lighthouse: localAllowList: # Example to blacklist docker interfaces. interfaces: 'docker.*': false # Example to only advertise IPs in this subnet to the lighthouse. "10.0.0.0/8": true 2020-04-08 21:36:43 +02:00			`if al == nil \|\| len(al.nameRules) == 0 {`
			`return true`
			`}`

			`for _, rule := range al.nameRules {`
			`if rule.Name.MatchString(name) {`
			`return rule.Allow`
			`}`
			`}`

			`// If no rules match, return the default, which is the inverse of the rules`
			`return !al.nameRules[0].Allow`
			`}`
remote_allow_ranges: allow inside CIDR specific remote_allow_lists (#540) This allows you to configure remote allow lists specific to different subnets of the inside CIDR. Example: remote_allow_ranges: 10.42.42.0/24: 192.168.0.0/16: true This would only allow hosts with a VPN IP in the 10.42.42.0/24 range to have private IPs (and thus don't connect over public IPs). The PR also refactors AllowList into RemoteAllowList and LocalAllowList to make it clearer which methods are allowed on which allow list. 2021-10-19 16:54:30 +02:00
			`func (al *RemoteAllowList) AllowUnknownVpnIp(ip net.IP) bool {`
			`if al == nil {`
			`return true`
			`}`
			`return al.AllowList.Allow(ip)`
			`}`

			`func (al *RemoteAllowList) Allow(vpnIp uint32, ip net.IP) bool {`
			`if !al.getInsideAllowList(vpnIp).Allow(ip) {`
			`return false`
			`}`
			`return al.AllowList.Allow(ip)`
			`}`

			`func (al *RemoteAllowList) AllowIpV4(vpnIp uint32, ip uint32) bool {`
			`if al == nil {`
			`return true`
			`}`
			`if !al.getInsideAllowList(vpnIp).AllowIpV4(ip) {`
			`return false`
			`}`
			`return al.AllowList.AllowIpV4(ip)`
			`}`

			`func (al *RemoteAllowList) AllowIpV6(vpnIp uint32, hi, lo uint64) bool {`
			`if al == nil {`
			`return true`
			`}`
			`if !al.getInsideAllowList(vpnIp).AllowIpV6(hi, lo) {`
			`return false`
			`}`
			`return al.AllowList.AllowIpV6(hi, lo)`
			`}`

			`func (al RemoteAllowList) getInsideAllowList(vpnIp uint32) AllowList {`
			`if al.insideAllowLists != nil {`
			`inside := al.insideAllowLists.MostSpecificContainsIpV4(vpnIp)`
			`if inside != nil {`
			`return inside.(*AllowList)`
			`}`
			`}`
			`return nil`
			`}`