[PR #666] [MERGED] Allow CIDR ranges in Allowed IPs #759

Closed
opened 2025-10-31 15:21:03 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/moghtech/komodo/pull/666
Author: @bpbradley
Created: 7/15/2025
Status: Merged
Merged: 7/28/2025
Merged by: @mbecker20

Base: 1.18.5 ← Head: support_cidr


📝 Commits (2)

  • 3444d8c Allow CIDR ranges in Allowed IPs
  • fdd2982 Catch mixed IPv4/IPv6 mappings that are probably intended to match

📊 Changes

5 files changed (+28 additions, -14 deletions)

📝 Cargo.toml (+1 -0)
📝 bin/periphery/Cargo.toml (+1 -0)
📝 bin/periphery/src/api/router.rs (+19 -8)
📝 client/core/rs/Cargo.toml (+2 -1)
📝 client/core/rs/src/entities/config/periphery.rs (+5 -5)

📄 Description

Attempt to implement #631

Changes allowed_ips from IpAddr to IpNetwork. The default serde will accept IP addresses and convert them to a /32 or /128 prefix if needed (depending on if the IP is v4 or v6).

For example

  periphery:
    environment:
      PERIPHERY_ALLOWED_IPS: "172.25.3.0/24,172.25.0.4,::ffff:172.25.55.3/64,::ffff:172.25.55.4"

Turns into

allowed_ips: [V4(Ipv4Network { addr: 172.25.3.0, prefix: 24 }), V4(Ipv4Network { addr: 172.25.0.4, prefix: 32 }), V6(Ipv6Network { addr: ::ffff:172.25.55.3, prefix: 64 }), V6(Ipv6Network { addr: ::ffff:172.25.55.4, prefix: 128 })]

I also added a check to the matching function in guard_request_by_ip that will check the IP network type, and when the network is IPv4, it will convert the address to its canonical form. This way, you can use a standard IPv4 address without IPv6 mapping, even if your bind IP is [::].

Will test some more tonight with more corner cases, but working for me with basic tests.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
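An added example, not code from the PR or the Komodo project: a std-only Rust sketch of the matching rule the description outlines, with `Net`, `parse_net`, `parse_list`, `contains` and `allowed` as hypothetical names standing in for the project's `IpNetwork` handling. It assumes ordinary CIDR prefix comparison, and it shows a consequence worth checking in any allow list: an entry such as `::ffff:172.25.55.3/64` compares only the first 64 bits, which are zero in every IPv4-mapped address.

```rust
use std::net::IpAddr;

/// Hypothetical stand-in for an allow-list entry (address plus prefix length).
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Net { pub addr: IpAddr, pub prefix: u8 }

/// Parse "addr" or "addr/prefix"; a bare address becomes /32 (v4) or /128 (v6).
pub fn parse_net(s: &str) -> Option<Net> {
    let (a, p) = s.split_once('/').map_or((s, None), |(a, p)| (a, Some(p)));
    let addr: IpAddr = a.parse().ok()?;
    let max: u8 = if addr.is_ipv4() { 32 } else { 128 };
    let prefix = match p { Some(p) => p.parse::<u8>().ok()?, None => max };
    (prefix <= max).then_some(Net { addr, prefix })
}

/// Parse a comma-separated list; one bad entry rejects the whole list.
pub fn parse_list(s: &str) -> Option<Vec<Net>> {
    s.split(',').map(|e| parse_net(e.trim())).collect()
}

/// Standard CIDR containment: compare only the top `prefix` bits, same family.
fn contains(net: Net, ip: IpAddr) -> bool {
    match (net.addr, ip) {
        (IpAddr::V4(n), IpAddr::V4(i)) => {
            let m = u32::MAX.checked_shl(32 - net.prefix as u32).unwrap_or(0);
            u32::from(n) & m == u32::from(i) & m
        }
        (IpAddr::V6(n), IpAddr::V6(i)) => {
            let m = u128::MAX.checked_shl(128 - net.prefix as u32).unwrap_or(0);
            u128::from(n) & m == u128::from(i) & m
        }
        _ => false,
    }
}

/// For IPv4 entries, unwrap an IPv4-mapped peer (::ffff:a.b.c.d) before matching.
pub fn allowed(list: &[Net], peer: IpAddr) -> bool {
    list.iter().any(|n| match (n.addr, peer) {
        (IpAddr::V4(_), IpAddr::V6(p6)) => contains(*n, p6.to_ipv4_mapped().map_or(peer, IpAddr::V4)),
        _ => contains(*n, peer),
    })
}

fn main() { // constructed input: the PERIPHERY_ALLOWED_IPS value from the description
    let list = parse_list("172.25.3.0/24,172.25.0.4,::ffff:172.25.55.3/64,::ffff:172.25.55.4").unwrap();
    for peer in ["::ffff:172.25.3.77", "172.25.4.1", "::ffff:10.9.8.7"] {
        println!("{peer}: {}", allowed(&list, peer.parse().unwrap()));
    }
}
```

In this sketch the third peer is accepted only because of the `/64` entry; writing that entry as `/128`, or as a plain IPv4 address, limits it to the single host.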

GiteaMirror added the pull-request label 2025-10-31 15:21:03 -05:00
Reference: github-starred/komodo#759