
Add config option for local_cidr control

Nate Brown 1 year ago
parent
commit
cc8b3cc961
2 changed files with 19 additions and 6 deletions
  1. 9 1
      examples/config.yml
  2. 10 5
      firewall.go

+ 9 - 1
examples/config.yml

@@ -309,6 +309,13 @@ firewall:
   outbound_action: drop
   inbound_action: drop
 
+  # Controls the default value for local_cidr. Default is true, will be deprecated after v1.9 and defaulted to false.
+  # This setting only affects nebula hosts with subnets encoded in their certificate. A nebula host acting as an
+  # unsafe router with `default_local_cidr_any: true` will expose their unsafe routes to every inbound rule regardless
+  # of the actual destination for the packet. Setting this to false requires each inbound rule to contain a `local_cidr`
+  # if the intention is to allow traffic to flow to an unsafe route.
+  #default_local_cidr_any: false
+
   conntrack:
     tcp_timeout: 12m
     udp_timeout: 3m
@@ -325,7 +332,8 @@ firewall:
   #   groups: Same as group but accepts a list of values. Multiple values are AND'd together and a certificate would have to contain all groups to pass
   #   cidr: a remote CIDR, `0.0.0.0/0` is any.
   #   local_cidr: a local CIDR, `0.0.0.0/0` is any. This could be used to filter destinations when using unsafe_routes.
-  #      Default is `any` unless the certificate contains subnets and then the default is the ip issued in the certificate.
+  #      Default is `any` unless the certificate contains subnets and then the default is the ip issued in the certificate
+  #      if `default_local_cidr_any` is false, otherwise its `any`.
   #   ca_name: An issuing CA name
   #   ca_sha: An issuing CA shasum
 

+ 10 - 5
firewall.go

@@ -65,10 +65,11 @@ type Firewall struct {
 	rules        string
 	rulesVersion uint16
 
-	trackTCPRTT     bool
-	metricTCPRTT    metrics.Histogram
-	incomingMetrics firewallMetrics
-	outgoingMetrics firewallMetrics
+	defaultLocalCIDRAny bool
+	trackTCPRTT         bool
+	metricTCPRTT        metrics.Histogram
+	incomingMetrics     firewallMetrics
+	outgoingMetrics     firewallMetrics
 
 	l *logrus.Logger
 }
@@ -206,6 +207,9 @@ func NewFirewallFromConfig(l *logrus.Logger, nc *cert.NebulaCertificate, c *conf
 		//TODO: max_connections
 	)
 
+	//TODO: Flip to false after v1.9 release
+	fw.defaultLocalCIDRAny = c.GetBool("firewall.default_local_cidr_any", true)
+
 	inboundAction := c.GetString("firewall.inbound_action", "drop")
 	switch inboundAction {
 	case "reject":
@@ -873,10 +877,11 @@ func (fr *FirewallRule) match(p firewall.Packet, c *cert.NebulaCertificate) bool
 
 func (flc *firewallLocalCIDR) addRule(f *Firewall, localIp *net.IPNet) error {
 	if localIp == nil || (localIp != nil && localIp.Contains(net.IPv4(0, 0, 0, 0))) {
-		if !f.hasSubnets {
+		if !f.hasSubnets || f.defaultLocalCIDRAny {
 			flc.Any = true
 			return nil
 		}
+
 		localIp = f.assignedCIDR
 	}