fix ip access rules within tcp proxy - fixes #576 (#577)
* add debug logging to ip access checks
* properly format remote connection address prior to verification
aaronhurt authored Nov 27, 2018
1 parent 1f3ad2e commit 261a4a4
Showing 1 changed file with 23 additions and 5 deletions.
28 changes: 23 additions & 5 deletions route/access_rules.go
Expand Up @@ -64,9 +64,16 @@ func (t *Target) AccessDeniedHTTP(r *http.Request) bool {

// AccessDeniedTCP checks rules on the target for TCP proxy routes.
func (t *Target) AccessDeniedTCP(c net.Conn) bool {
ip := net.ParseIP(c.RemoteAddr().String())
if t.denyByIP(ip) {
return true
var addr *net.TCPAddr
var ok bool
// validate remote address assertion
if addr, ok = c.RemoteAddr().(*net.TCPAddr); !ok {
log.Printf("[ERROR] failed to assert remote connection address for %s", t.Service)
return false
}
// check remote connection address
if t.denyByIP(addr.IP) {
return true
}
// default allow
return false
Expand All @@ -82,10 +89,15 @@ func (t *Target) denyByIP(ip net.IP) bool {
var block *net.IPNet
for _, x := range t.accessRules[ipAllowTag] {
if block, ok = x.(*net.IPNet); !ok {
log.Print("[ERROR] failed to assert ip block while checking allow rule for ", t.Service)
log.Printf("[ERROR] failed to assert ip block while checking allow rule for %s", t.Service)
continue
}
// debug logging
log.Printf("[DEBUG] checking %s against ip allow rule %s", ip.String(), block.String())
// check block
if block.Contains(ip) {
// debug logging
log.Printf("[DEBUG] allowing request from %s via %s", ip.String(), block.String())
// specific allow matched - allow this request
return false
}
Expand All @@ -101,9 +113,12 @@ func (t *Target) denyByIP(ip net.IP) bool {
var block *net.IPNet
for _, x := range t.accessRules[ipDenyTag] {
if block, ok = x.(*net.IPNet); !ok {
log.Print("[INFO] failed to assert ip block while checking deny rule for ", t.Service)
log.Printf("[INFO] failed to assert ip block while checking deny rule for %s", t.Service)
continue
}
// debug logging
log.Printf("[DEBUG] checking %s against ip deny rule %s", ip.String(), block.String())
// check block
if block.Contains(ip) {
// specific deny matched - deny this request
log.Printf("[INFO] route rules denied access from %s to %s",
Expand All @@ -113,6 +128,9 @@ func (t *Target) denyByIP(ip net.IP) bool {
}
}

// debug logging
log.Printf("[DEBUG] default allowing request from %s that was not denied", ip.String())

// default - do not deny
return false
}
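Review bot: AccessDeniedTCP fails open when the remote address does not assert to *net.TCPAddr: the new branch logs an error and returns false, so a connection whose source IP cannot be determined skips every deny rule in denyByIP. For an access-control check the conservative default is to refuse what cannot be evaluated, so I would return true there, `log.Printf("[ERROR] failed to assert remote connection address for %s", t.Service)` followed by `return true // fail closed: the source cannot be verified`, or at minimum document why allowing is intended. Whether a non-TCPAddr RemoteAddr can actually occur depends on how the listener wraps connections, which is not visible here, but the behaviour on that path should be deliberate rather than incidental. The hunks also only show parts of denyByIP, so how a configured allow list treats non-matching addresses cannot be confirmed from this section.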
