fix(connlib): match exact domains before wildcard ones #6809
thomaseizinger merged 6 commits into main
ReactorScram
left a comment
LGTM just suggested a brief explanation of the reverse iteration trick
| (Some(self_char), Some(other_char)) => { | ||
| break self_char.cmp(&other_char).reverse(); // Reverse because we compare from right to left. | ||
| } |
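Review bot: `self_char.cmp(&other_char)` in the `(Some(self_char), Some(other_char))` arm orders by raw `char` value, so the comparison is case-sensitive, while DNS names compare case-insensitively. If patterns are not already lowercased before they reach this ordering, two patterns that differ only in case sort as distinct entries. Either normalise on construction and state that assumption in a comment here, or compare the ASCII-lowercased characters on both sides.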
Does this mean this will return the ordering of the first non-wildcard character where they differ?
I guess we're fine with that because that means they're non overlapping
> Does this mean this will return the ordering of the first non-wildcard character where they differ?
Yes.
@thomaseizinger let's merge this? Want to ship it to the client that hit this issue.
jamilbk
left a comment
Apologies for the Changelog conflicts, but LGTM.
@AndrewDryga I'll be at my desk for standup, if you want it earlier, feel free to jump and merge it :)
Co-authored-by: Reactor Scram <ReactorScram@users.noreply.github.com> Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
Bump gui/headless clients for #6809
Documents how overlapping addresses are matched. Draft until #6809 is merged and published. --------- Signed-off-by: Jamil <jamilbk@users.noreply.github.com> Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
Currently, the order in which connlib matches against the patterns of DNS resources is not specified. We simply iterate over all patterns and take the first one that matches. Due to the iteration order of HashMaps, this also isn't deterministic.

With this patch, we introduce a defined order in which we attempt to match a particular domain against the defined DNS resources:

?) take priority over label wildcards (*)
*) take priority over catch-all wildcards (**)

By matching against the DNS resources in a defined order, we ensure that DNS resources that overlap always resolve to the most specific resource.
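The matching order described above, as an added Rust example that is not connlib's implementation. The helper names (`rank`, `label_matches`, `matches`, `resolve`), the pattern semantics and the sample resources are assumptions made for illustration.

```rust
// Added illustration, not connlib code. Assumed pattern semantics: `?` matches one
// character, `*` matches one whole label, a leading `**` matches one or more labels.

/// Specificity rank; lower is tried first: exact, then `?`, then `*`, then `**`.
fn rank(pattern: &str) -> u8 {
    match pattern {
        p if p.contains("**") => 3,
        p if p.contains('*') => 2,
        p if p.contains('?') => 1,
        _ => 0,
    }
}

fn label_matches(pat: &str, label: &str) -> bool {
    let same = |(p, l): (u8, u8)| p == b'?' || p.eq_ignore_ascii_case(&l);
    pat == "*" || (pat.len() == label.len() && pat.bytes().zip(label.bytes()).all(same))
}

fn matches(pattern: &str, domain: &str) -> bool {
    // Walk both names label by label from the right (TLD first).
    let (mut p, mut d) = (pattern.rsplit('.'), domain.rsplit('.'));
    loop {
        match (p.next(), d.next()) {
            (Some("**"), Some(_)) => return true, // catch-all absorbs the remaining labels
            (Some(pl), Some(dl)) if label_matches(pl, dl) => continue,
            (None, None) => return true,
            _ => return false,
        }
    }
}

/// Constructed sample resources, deliberately listed least specific first.
const RESOURCES: [(&str, &str); 4] = [
    ("**.example.com", "catch-all"),
    ("*.example.com", "label"),
    ("app?.example.com", "single-char"),
    ("app1.example.com", "exact"),
];

fn resolve(resources: &[(&'static str, &'static str)], domain: &str) -> Option<&'static str> {
    let mut ordered = resources.to_vec();
    ordered.sort_by_key(|(pattern, _)| rank(pattern)); // stable: ties keep input order
    ordered.into_iter().find(|(pattern, _)| matches(pattern, domain)).map(|(_, name)| name)
}

fn main() {
    for d in ["app1.example.com", "app2.example.com", "db.example.com", "a.b.example.com"] {
        println!("{d} -> {:?}", resolve(&RESOURCES, d));
    }
}
```

Taking the first match over `RESOURCES` in its listed order would send `app1.example.com` to the catch-all resource; sorting by specificity first sends it to the exact one.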