fix(connlib): deterministically route packets in case of overlap (#5082)
Currently, we only consult the IP ranges of our configured resources for the initial connection to a gateway. Once a connection is established, packets are routed based on an IP range associated with that gateway. This is inconsistent and actually causes problems in case the user configures overlapping resources. In particular, adding a resource with an overlapping but narrower IP network range to a client that is already connected to a gateway with an overlapping but wider range will cause all packets for the newly added resource to be routed to the already connected gateway.

To fix this, we consult the IP network table of resources for each packet to figure out which resource is the most appropriate one. Then, we pick the gateway that is configured for this resource. If we aren't connected to that gateway or if we don't know about a gateway for this resource, we emit a connection intent. In case the portal wants to use an already connected gateway for that resource, we handle that using the "reuse connection" message to the portal.

In fixing this, I also realised that I think this has (positive) audit consequences. In particular, this will now correctly report access to a resource if it is overlapping as described above (i.e. a narrower overlapping resource is added whilst being connected to one with a wider range). I believe that previously, this access would not have been reported because we would have simply routed the packet to the already connected gateway.

Fixes: #5054.
1 parent 9b085ea, commit 97ae522
Showing 5 changed files with 112 additions and 118 deletions.
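The routing rule the commit message describes (most specific resource first, then the gateway configured for that resource, else a connection intent) can be shown with a small model. The following Rust is an added example written for this page; it is not connlib's code, and the ID types, the inline IPv4 CIDR helper, the `Router` struct and the `overlap_scenario` replay are all hypothetical constructions that stand in for the project's real types and portal messages.

```rust
use std::collections::{HashMap, HashSet};
use std::net::Ipv4Addr;

// Plain integer IDs stand in for connlib's own identifier types (hypothetical).
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub struct ResourceId(pub u32);
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub struct GatewayId(pub u32);

/// Minimal IPv4 CIDR so the example needs no external crate.
#[derive(Debug, Clone, Copy)]
pub struct Ipv4Net { addr: Ipv4Addr, prefix: u8 }

impl Ipv4Net {
    pub fn new(addr: Ipv4Addr, prefix: u8) -> Self {
        assert!(prefix <= 32, "prefix length out of range");
        Self { addr, prefix }
    }
    fn mask(&self) -> u32 {
        // `u32::MAX << 32` would overflow, so a /0 is special-cased.
        if self.prefix == 0 { 0 } else { u32::MAX << (32 - self.prefix) }
    }
    pub fn contains(&self, ip: Ipv4Addr) -> bool {
        (u32::from(ip) & self.mask()) == (u32::from(self.addr) & self.mask())
    }
}

/// Per-packet outcome of the lookup.
#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    /// Most specific resource maps to a gateway we are connected to.
    Route { resource: ResourceId, gateway: GatewayId },
    /// Resource known, but no connected gateway serves it yet: ask the portal.
    ConnectionIntent { resource: ResourceId },
    /// No configured resource covers the destination.
    NoResource,
}

#[derive(Default)]
pub struct Router {
    resources: Vec<(Ipv4Net, ResourceId)>,
    resource_gateway: HashMap<ResourceId, GatewayId>,
    connected: HashSet<GatewayId>,
}

impl Router {
    pub fn add_resource(&mut self, net: Ipv4Net, id: ResourceId) {
        self.resources.push((net, id));
    }
    /// Record the gateway the portal assigned to a resource, including a
    /// "reuse connection" answer that names an already connected gateway.
    pub fn assign_gateway(&mut self, resource: ResourceId, gateway: GatewayId) {
        self.resource_gateway.insert(resource, gateway);
    }
    pub fn mark_connected(&mut self, gateway: GatewayId) {
        self.connected.insert(gateway);
    }
    /// Longest-prefix match over the resource table decides which resource
    /// owns the packet; only then do we look at gateways. A gateway that
    /// happens to own an overlapping, wider range never wins by itself.
    pub fn route(&self, dst: Ipv4Addr) -> Decision {
        let best = self.resources.iter()
            .filter(|(net, _)| net.contains(dst))
            .max_by_key(|(net, _)| net.prefix);
        let resource = match best {
            Some((_, id)) => *id,
            None => return Decision::NoResource,
        };
        match self.resource_gateway.get(&resource) {
            Some(gw) if self.connected.contains(gw) => Decision::Route { resource, gateway: *gw },
            _ => Decision::ConnectionIntent { resource },
        }
    }
}

/// Replays the overlap scenario from the commit message on constructed data.
pub fn overlap_scenario() -> Vec<Decision> {
    let wide = ResourceId(1);   // 10.0.0.0/8, already reachable via gateway 1
    let narrow = ResourceId(2); // 10.1.0.0/16, added while connected to gateway 1
    let gw1 = GatewayId(1);
    let mut r = Router::default();
    r.add_resource(Ipv4Net::new(Ipv4Addr::new(10, 0, 0, 0), 8), wide);
    r.assign_gateway(wide, gw1);
    r.mark_connected(gw1);

    let mut out = Vec::new();
    out.push(r.route(Ipv4Addr::new(10, 1, 2, 3)));    // only the wide resource exists
    r.add_resource(Ipv4Net::new(Ipv4Addr::new(10, 1, 0, 0), 16), narrow);
    out.push(r.route(Ipv4Addr::new(10, 1, 2, 3)));    // narrow wins, no gateway yet: intent
    r.assign_gateway(narrow, gw1);                     // portal: reuse connection to gateway 1
    out.push(r.route(Ipv4Addr::new(10, 1, 2, 3)));    // routed, and attributed to narrow
    out.push(r.route(Ipv4Addr::new(10, 9, 9, 9)));    // outside the /16: still wide
    out.push(r.route(Ipv4Addr::new(192, 168, 1, 1))); // no resource at all
    out
}

fn main() {
    for d in overlap_scenario() {
        println!("{d:?}");
    }
}
```

The third step is the audit point from the commit message: because the resource is resolved before the gateway, the access to `10.1.2.3` is attributed to the narrower resource even though the packet ends up on the same gateway connection as before.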