
fix rule generation for destination aliases in dual-stack scenarios #2189

Merged
wojcik91 merged 9 commits into main from acl_any_ipv6_fix on Mar 5, 2026

Conversation

wojcik91 (Contributor) commented Mar 5, 2026

Avoid generating invalid rules for destination aliases in IPv6-enabled locations when the alias has no IPv6 destination.
Do the same for IPv4.

This continues work from #1868 and aligns destination alias handling with manually specified destinations.

Also improve test coverage around the ACL functionality.

Closes #2117

filipslezaklab previously approved these changes Mar 5, 2026

Copilot AI left a comment


Pull request overview

This PR fixes firewall rule generation for destination aliases in dual-stack locations so rules are only emitted for an IP family when the alias actually contains destinations for that family (avoiding unintended “allow any” rules). It also expands ACL/firewall test coverage for alias interactions and edge cases.

Changes:

  • Gate destination-alias rule generation by IP-family presence (v4/v6) while still supporting “no destination = any destination” semantics.
  • Add extensive SQLx-based tests covering empty aliases, mixed-family aliases, range-only aliases, and alias/manual destination interactions.
  • Ignore local .zellij_layout.kdl file in .gitignore.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 3 comments.

File: crates/defguard_core/src/enterprise/firewall/mod.rs
Description: Adds IP-family checks to prevent generating rules with missing daddr for the other family when using destination aliases.

File: crates/defguard_core/src/enterprise/firewall/tests.rs
Description: Adds/updates ACL firewall tests for dual-stack and alias destination edge cases.

File: .gitignore
Description: Adds .zellij_layout.kdl to ignored files.

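As an added illustration of the gating described in the review overview (example code written for this page, not defguard's own; the `Alias`, `Rule` and `IpVersion` types and both functions are constructed assumptions), the pre-fix emission is shown beside the fixed one so the "missing daddr = allow any" failure mode is visible:

```rust
use std::net::IpAddr;

/// Which IP family a generated rule belongs to.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum IpVersion { V4, V6 }

/// A destination alias reduced to its list of destination addresses
/// (constructed for this example, not defguard's own type).
#[derive(Debug, Clone)]
pub struct Alias { pub destinations: Vec<IpAddr> }

/// One rule for a single family; an empty `daddr` means "any destination".
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Rule {
    pub family: IpVersion,
    pub daddr: Vec<IpAddr>,
}

/// Destinations of the alias that belong to `family`.
fn of_family(alias: &Alias, family: IpVersion) -> Vec<IpAddr> {
    alias.destinations.iter().copied()
        .filter(|ip| if family == IpVersion::V4 { ip.is_ipv4() } else { ip.is_ipv6() })
        .collect()
}

/// Pre-fix behaviour: one rule per enabled family regardless of alias
/// content. A v4-only alias in a dual-stack location therefore yields a
/// V6 rule with empty `daddr`, i.e. an unintended "allow any IPv6" rule.
pub fn rules_before_fix(alias: &Alias, ipv6_enabled: bool) -> Vec<Rule> {
    let mut rules = vec![Rule { family: IpVersion::V4, daddr: of_family(alias, IpVersion::V4) }];
    if ipv6_enabled {
        rules.push(Rule { family: IpVersion::V6, daddr: of_family(alias, IpVersion::V6) });
    }
    rules
}

/// Fixed behaviour: a family's rule is emitted only when the alias holds a
/// destination of that family. An alias with no destinations at all keeps
/// the "no destination = any destination" meaning for every enabled family.
pub fn rules_after_fix(alias: &Alias, ipv6_enabled: bool) -> Vec<Rule> {
    let families = if ipv6_enabled { vec![IpVersion::V4, IpVersion::V6] } else { vec![IpVersion::V4] };
    let any = alias.destinations.is_empty();
    families.into_iter()
        .map(|family| Rule { family, daddr: of_family(alias, family) })
        .filter(|rule| any || !rule.daddr.is_empty())
        .collect()
}
```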


Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.


@wojcik91 wojcik91 merged commit e097188 into main Mar 5, 2026
11 checks passed
@wojcik91 wojcik91 deleted the acl_any_ipv6_fix branch March 5, 2026 12:02


Development

Successfully merging this pull request may close these issues.

All IPv6 Traffic allowed when no IPv6 address/prefix defined in ACL destination

4 participants