inbound: allow netmasks in LINKERD2_PROXY_INBOUND_IPS
#1164
Closed
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
Previously, this was used to replace the mocked SO_ORIGINAL_DST's IP address with a totally bogus one. We could do this without breaking stuff because the inbound proxy would still always forward on localhost. It doesn't do that anymore, so the IP address part of the mock SO_ORIGINAL_DST is actually load-bearing now. This commit removes `inbound_fuzz_addr` from the integration tests. Signed-off-by: Eliza Weisman <eliza@buoyant.io>
Co-authored-by: Oliver Gould <ver@buoyant.io>
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
this isn't particularly important, but...why not! Signed-off-by: Eliza Weisman <eliza@buoyant.io>
(this is a draft because it depends on #1161, which is also a draft)
I don't think we really need to support this.
This branch extends #1161 to support specifying netmasks in CIDR notation in the `LINKERD2_PROXY_INBOUND_IPS` environment variable. This will cause the proxy to accept connections targeting any IPs that match that netmask. This isn't strictly necessary, since the proxy injector only ever sets single IPs in that env variable currently, but I thought that since we accept CIDRs in other env vars, we may as well accept them here as well.
In order to continue accepting single IPs without prefix lengths, the `parse_nets` function was extended to try parsing as an IP address when parsing as a CIDR (the `ipnet::IpNet` type) fails. If this succeeds, we construct an `IpNet` from the parsed IP address, with the prefix length equal to the number of bits in an address of that type (which will match only that address exactly). The `AllowIps` request filter was rewritten to just use `IpMatch` internally.
In some ways, this is actually simpler, since it uses more of our existing code for parsing CIDRs and matching IPs.
Depends on #1161
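
The CIDR-then-bare-IP fallback described above, as an added std-only sketch that is not code from this pull request or from linkerd2-proxy. `Net` is a hypothetical stand-in for `ipnet::IpNet`, `parse_net` and `allowed` are hypothetical names, and the comma-separated list format is an assumption.

```rust
use std::net::IpAddr;

/// Hypothetical stand-in for `ipnet::IpNet`: an address plus a prefix length.
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Net { pub addr: IpAddr, pub prefix: u8 }

fn max_prefix(addr: &IpAddr) -> u8 { if addr.is_ipv4() { 32 } else { 128 } }

fn bits(addr: &IpAddr) -> u128 {
    match addr {
        IpAddr::V4(a) => u32::from(*a) as u128,
        IpAddr::V6(a) => u128::from(*a),
    }
}

fn parse_cidr(s: &str) -> Option<Net> {
    let (a, p) = s.split_once('/')?;
    let addr: IpAddr = a.parse().ok()?;
    let prefix: u8 = p.parse().ok()?;
    // Reject prefixes longer than the address family allows (e.g. 10.0.0.0/33).
    (prefix <= max_prefix(&addr)).then_some(Net { addr, prefix })
}

/// Try CIDR first; on failure, accept a bare IP as a full-length network.
pub fn parse_net(s: &str) -> Option<Net> {
    parse_cidr(s).or_else(|| {
        let addr: IpAddr = s.parse().ok()?;
        Some(Net { addr, prefix: max_prefix(&addr) })
    })
}

/// Assumed comma-separated list; one invalid entry rejects the whole value.
pub fn parse_nets(list: &str) -> Option<Vec<Net>> {
    list.split(',').map(|s| parse_net(s.trim())).collect()
}

/// True if `ip` falls inside any configured network of the same family.
pub fn allowed(nets: &[Net], ip: IpAddr) -> bool {
    nets.iter().any(|n| {
        let host_bits = u32::from(max_prefix(&n.addr) - n.prefix);
        // checked_shr is None for a 128-bit shift (IPv6 /0): compare as 0 == 0.
        let net_of = |v: u128| v.checked_shr(host_bits).unwrap_or(0);
        n.addr.is_ipv4() == ip.is_ipv4() && net_of(bits(&n.addr)) == net_of(bits(&ip))
    })
}

fn main() {
    let nets = parse_nets("10.42.0.7, 10.1.0.0/16").expect("constructed sample value");
    println!("{}", allowed(&nets, "10.1.9.9".parse().unwrap()));
}
```

Rejecting the whole value on one bad entry keeps a typo from silently shrinking or widening the set of destination IPs the inbound side accepts.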