
inbound: allow netmasks in LINKERD2_PROXY_INBOUND_IPS #1164

Closed
wants to merge 14 commits into from

Conversation

@hawkw (Member) commented Jul 23, 2021

This branch extends #1161 to support specifying netmasks in CIDR
notation in the LINKERD2_PROXY_INBOUND_IPS environment variable. This
will cause the proxy to accept connections targeting any IPs that match
that netmask. This isn't strictly necessary, since the proxy injector
only ever sets single IPs in that env variable currently, but I thought
that since we accept CIDRs in other env vars, we may as well accept them
here as well.

In order to continue accepting single IPs without prefix lengths, the
parse_nets function was extended to try parsing as an IP address when
parsing as a CIDR (the ipnet::IpNet type) fails. If this succeeds, we
construct an IpNet from the parsed IP address, with the prefix length
equal to the number of bits in an address of that type (which will match
only that address exactly). The AllowIps request filter was rewritten
to just use IpMatch internally.

In some ways, this is actually simpler, since it uses more of our
existing code for parsing CIDRs and matching IPs.

Depends on #1161
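The parse-then-fall-back scheme described above, as an added example that is not part of this PR or of the proxy's code: a std-only stand-in for `ipnet::IpNet` (assumed, so the block runs without the crate), a `parse_nets` that tries CIDR first and widens a bare IP to a /32 or /128, and the exact-match check that `AllowIps` reduces to.

```rust
use std::net::IpAddr;

/// Std-only stand-in for `ipnet::IpNet` (an assumption, so this runs without the crate).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct IpNet { addr: IpAddr, prefix_len: u8 }
/// Address width in bits: the prefix length that matches exactly one address.
fn max_prefix(addr: &IpAddr) -> u8 { if addr.is_ipv4() { 32 } else { 128 } }

impl IpNet {
    /// Host network (/32 or /128), which is what the PR builds for a bare IP.
    pub fn from_addr(addr: IpAddr) -> Self { IpNet { prefix_len: max_prefix(&addr), addr } }

    /// True if `ip` lies inside this network; an address-family mismatch never matches.
    pub fn contains(&self, ip: &IpAddr) -> bool {
        let (net, ip): (u128, u128) = match (self.addr, *ip) {
            (IpAddr::V4(n), IpAddr::V4(i)) => (u32::from(n).into(), u32::from(i).into()),
            (IpAddr::V6(n), IpAddr::V6(i)) => (u128::from(n), u128::from(i)),
            _ => return false,
        };
        // Clear the host bits on both sides; guard the shift so a /0 prefix cannot overflow.
        let host_bits = u32::from(max_prefix(&self.addr) - self.prefix_len);
        let mask = if host_bits >= 128 { 0 } else { u128::MAX << host_bits };
        net & mask == ip & mask
    }
}
impl std::str::FromStr for IpNet {
    type Err = String;
    /// Strict CIDR (`addr/len`) only; a bare address fails here and is handled by `parse_nets`.
    fn from_str(s: &str) -> Result<Self, String> {
        let (addr, len) = s.split_once('/').ok_or_else(|| format!("{}: no prefix length", s))?;
        let addr: IpAddr = addr.parse().map_err(|e| format!("{}: {}", s, e))?;
        let prefix_len: u8 = len.parse().map_err(|e| format!("{}: {}", s, e))?;
        if prefix_len > max_prefix(&addr) { return Err(format!("{}: prefix too long", s)); }
        Ok(IpNet { addr, prefix_len })
    }
}

/// Parse a comma-separated list as the PR describes: try each entry as a CIDR first, then
/// fall back to a bare IP widened to /32 or /128. A failed fallback reports the CIDR error.
pub fn parse_nets(s: &str) -> Result<Vec<IpNet>, String> {
    s.split(',')
        .map(str::trim)
        .filter(|e| !e.is_empty())
        .map(|e| e.parse::<IpNet>().or_else(|cidr_err| {
            e.parse::<IpAddr>().map(IpNet::from_addr).map_err(|_| cidr_err)
        }))
        .collect()
}

/// The `AllowIps` request filter reduced to its core check against the parsed list.
pub fn is_allowed(nets: &[IpNet], target: IpAddr) -> bool { nets.iter().any(|n| n.contains(&target)) }
```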

hawkw and others added 14 commits July 22, 2021 09:21
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
Previously, this was used to replace the mocked SO_ORIGINAL_DST's IP
address with a totally bogus one. We could do this without breaking
stuff because the inbound proxy would still always forward on localhost.

It doesn't do that anymore, so the IP address part of the mock
SO_ORIGINAL_DST is actually load-bearing now. This commit removes
`inbound_fuzz_addr` from the integration tests.

Signed-off-by: Eliza Weisman <eliza@buoyant.io>
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
Co-authored-by: Oliver Gould <ver@buoyant.io>
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
this isn't particularly important, but...why not!

Signed-off-by: Eliza Weisman <eliza@buoyant.io>
@hawkw hawkw requested review from olix0r and a team July 23, 2021 18:05
@hawkw hawkw marked this pull request as draft July 23, 2021 18:05
@hawkw (Member, Author) commented Jul 23, 2021

(this is a draft because it depends on #1161, which is also a draft)

Base automatically changed from eliza/inbound-ips to main September 15, 2021 21:43
@olix0r (Member) commented Sep 16, 2021

I don't think we really need to support this.

@olix0r olix0r closed this Sep 16, 2021
@olix0r olix0r deleted the eliza/inbound-netmasks branch March 7, 2023 21:53