
Add destination CIDR checking

Open · ilyaluk opened this pull request 3 years ago · 1 comment

Currently, if a node has unsafe_routes behind it, they can't be firewalled granularly, e.g. opening the tcp/443 port will open it for all hosts. This PR adds a new config option, local_cidr, which is interpreted the same way as cidr, but the packet's local IP is checked instead of the remote IP.

I know that you are not planning to implement a general-purpose firewall as per this comment; however, offloading unsafe_route firewalling to iptables will inevitably lose some perks like checking node groups (or require some additional automation to keep them in sync). This commit, however, does not add any significant performance penalty (local_cidr is checked last, hence it will only impact packets that would be dropped otherwise) and has a pretty simple implementation.

cc @nbrownus @wadey

ilyaluk · Aug 03 '21 14:08
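To make the problem and the proposed check concrete, here is an added example (written for this page, not nebula's own firewall code) of an inbound rule matcher that evaluates protocol, port and remote CIDR first and the local (destination) CIDR last, as the PR describes. The Rule and Packet types, the field names, and the topology (overlay 10.100.0.0/16, a node at 10.100.0.10 advertising an unsafe_route for 192.168.10.0/24) are this example's own assumptions; the two rule sets show a tcp/443 rule keyed on the remote CIDR alone next to the same rule narrowed with local_cidr.

```go
package main

import (
	"fmt"
	"net"
)

// Rule is a simplified inbound firewall rule with the fields the PR text
// describes: protocol, port, a remote (source) CIDR and an optional local
// (destination) CIDR. Type and field names are this example's own, not nebula's.
type Rule struct {
	Proto     string     // "tcp", "udp" or "any"
	Port      int        // 0 means any port
	Cidr      *net.IPNet // remote network the packet must come from; nil means any
	LocalCidr *net.IPNet // network the packet must be addressed to; nil means any
}

// Packet is the subset of an inbound packet the rules look at.
type Packet struct {
	Proto    string
	RemoteIP net.IP // overlay address of the peer that sent it
	LocalIP  net.IP // destination: this node's overlay IP or a host behind an unsafe_route
	Port     int    // destination port
}

// MustCIDR parses a CIDR string or panics; used only for the constants below.
func MustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// Match returns the index of the first rule that permits p, or -1 if none does.
// Checks run cheapest-first; the local CIDR is evaluated last, so it only adds
// work for packets that every other field has already accepted.
func Match(rules []Rule, p Packet) int {
	for i, r := range rules {
		if r.Proto != "any" && r.Proto != p.Proto {
			continue
		}
		if r.Port != 0 && r.Port != p.Port {
			continue
		}
		if r.Cidr != nil && !r.Cidr.Contains(p.RemoteIP) {
			continue
		}
		if r.LocalCidr != nil && !r.LocalCidr.Contains(p.LocalIP) {
			continue
		}
		return i
	}
	return -1
}

// Constructed topology (assumed, not from the page): overlay 10.100.0.0/16,
// this node is 10.100.0.10 and routes 192.168.10.0/24 as an unsafe_route.
var (
	Overlay  = MustCIDR("10.100.0.0/16")
	HostOnly = MustCIDR("192.168.10.5/32")
	NodeOnly = MustCIDR("10.100.0.10/32")
)

// RemoteOnlyRules is the situation the PR describes: one tcp/443 rule keyed on
// the remote CIDR alone, so it admits 443 to every host the node routes for.
var RemoteOnlyRules = []Rule{
	{Proto: "tcp", Port: 443, Cidr: Overlay},
}

// LocalCidrRules adds local_cidr: 443 is only reachable on 192.168.10.5 and on
// the node itself; any other host behind the unsafe_route is not matched.
var LocalCidrRules = []Rule{
	{Proto: "tcp", Port: 443, Cidr: Overlay, LocalCidr: HostOnly},
	{Proto: "tcp", Port: 443, Cidr: Overlay, LocalCidr: NodeOnly},
}

func main() {
	peer := net.ParseIP("10.100.0.20")
	for _, dst := range []string{"10.100.0.10", "192.168.10.5", "192.168.10.6"} {
		p := Packet{Proto: "tcp", RemoteIP: peer, LocalIP: net.ParseIP(dst), Port: 443}
		fmt.Printf("tcp/443 -> %-13s remote-only rule: %2d   with local_cidr: %2d\n",
			dst, Match(RemoteOnlyRules, p), Match(LocalCidrRules, p))
	}
}
```

Running it shows the remote-only rule matching (index 0) for all three destinations, while the local_cidr rule set matches 192.168.10.5 and the node itself and returns -1 for 192.168.10.6. Because the local CIDR is tested after the remote CIDR, a packet from an address outside the overlay is rejected before the local check is ever reached.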

Rebased onto latest master

ilyaluk · Jan 08 '22 10:01