3 сар өмнө · e136d1d47a
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
				 
			
 
				 ## [Unreleased]
			
 
				 
			
 
				+### Changed
			
 
				+
			
 
				+- `default_local_cidr_any` now defaults to false, meaning that any firewall rule
			
 
				+  intended to target an `unsafe_routes` entry must explicitly declare it via the
			
 
				+  `local_cidr` field. This is almost always the intended behavior. This flag is
			
 
				+  deprecated and will be removed in a future release.
			
 
				+
			
 
				 ## [1.9.4] - 2024-09-09
			
 
				 
			
 
				 ### Added
			
--- a/examples/config.yml
+++ b/examples/config.yml
@@ -346,11 +346,11 @@ firewall:
 
				   outbound_action: drop
			
 
				   inbound_action: drop
			
 
				 
			
 
				-  # Controls the default value for local_cidr. Default is true, will be deprecated after v1.9 and defaulted to false.
			
 
				-  # This setting only affects nebula hosts with subnets encoded in their certificate. A nebula host acting as an
			
 
				-  # unsafe router with `default_local_cidr_any: true` will expose their unsafe routes to every inbound rule regardless
			
 
				-  # of the actual destination for the packet. Setting this to false requires each inbound rule to contain a `local_cidr`
			
 
				-  # if the intention is to allow traffic to flow to an unsafe route.
			
 
				+  # THIS FLAG IS DEPRECATED AND WILL BE REMOVED IN A FUTURE RELEASE. (Defaults to false.)
			
 
				+  # This setting only affects nebula hosts exposing unsafe_routes. When set to false, each inbound rule must contain a
			
 
				+  # `local_cidr` if the intention is to allow traffic to flow to an unsafe route. When set to true, every firewall rule
			
 
				+  # will apply to all configured unsafe_routes regardless of the actual destination of the packet, unless `local_cidr`
			
 
				+  # is explicitly defined. This is usually not the desired behavior and should be avoided!
			
 
				   #default_local_cidr_any: false
			
 
				 
			
 
				   conntrack:
			
@@ -368,11 +368,9 @@ firewall:
 
				   #   group: `any` or a literal group name, ie `default-group`
			
 
				   #   groups: Same as group but accepts a list of values. Multiple values are AND'd together and a certificate would have to contain all groups to pass
			
 
				   #   cidr: a remote CIDR, `0.0.0.0/0` is any ipv4 and `::/0` is any ipv6.
			
 
				-  #   local_cidr: a local CIDR, `0.0.0.0/0` is any ipv4 and `::/0` is any ipv6. This could be used to filter destinations when using unsafe_routes.
			
 
				-  #     If no unsafe networks are present in the certificate(s) or `default_local_cidr_any` is true then the default is any ipv4 or ipv6 network.
			
 
				-  #     Otherwise the default is any vpn network assigned to via the certificate.
			
 
				-  #     `default_local_cidr_any` defaults to false and is deprecated, it will be removed in a future release.
			
 
				-  #     If there are unsafe routes present its best to set `local_cidr` to whatever best fits the situation.
			
 
				+  #   local_cidr: a local CIDR, `0.0.0.0/0` is any ipv4 and `::/0` is any ipv6. This can be used to filter destinations when using unsafe_routes.
			
 
				+  #     By default, this is set to only the VPN (overlay) networks assigned via the certificate networks field unless `default_local_cidr_any` is set to true.
			
 
				+  #     If there are unsafe_routes present in this config file, `local_cidr` should be set appropriately for the intended us case.
			
 
				   #   ca_name: An issuing CA name
			
 
				   #   ca_sha: An issuing CA shasum