Skip to content

ip whitelisting by CIDR #28

Description

@mrl5

Use case

As a user I want to restrict specific services only to VPN IPs, w/o relying only on DNS resolutions

Current limitations

Currently in order to achieve that I need to:

lists:
  allowed_ips:
    type: Ip
    file: /etc/pingoo/allowed_ips.csv

  restrict_internal_routes:
    expression: |
      !lists["allowed_ips"].contains(client.ip) && http_request.host == "service.private"
    actions:
      - action: block

So that I have additional protection layer, preventing sneaky bypasses like

curl -i -k https://foo.com -H "host: service.private"

The issue is that for IP addresses for range 10.2.0.0/16 I need to generate /etc/pingoo/allowed_ips.csv which contains 65536 lines that occupies additional memory.

Proposed improvement

Allow defining IP whitelist with CIDR notation, e.g. sth like this:

- lists:
-  allowed_ips:
-    type: Ip
-    file: /etc/pingoo/allowed_ips.csv

  restrict_internal_routes:
+   cidr: 10.2.0.0/16
    expression: |
-      !lists["allowed_ips"].contains(client.ip) && http_request.host == "service.private"
+      http_request.host == "service.private"
    actions:
-      - action: block
+      - action: allow

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions