From dd1f7a5ab7be6f10d137d2197a85b1e40c525576 Mon Sep 17 00:00:00 2001
From: Jakob Borg
Date: Thu, 13 Apr 2017 17:43:29 +0000
Subject: [PATCH] lib/connections: Allow negative ACL entries on devices (fixes #4096)

Prefix an entry with "!" to make it a negative entry. First match wins.
GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/4097
---
 lib/connections/connections_test.go | 15 +++++++++++++++
 lib/connections/service.go | 8 +++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/lib/connections/connections_test.go b/lib/connections/connections_test.go
index 32e2a092d..eead14431 100644
--- a/lib/connections/connections_test.go
+++ b/lib/connections/connections_test.go
@@ -81,6 +81,21 @@ func TestAllowedNetworks(t *testing.T) {
 []string{"192.168.0.0/24", "fe80::/48"},
 true,
 },
+ {
+ "10.20.30.40",
+ []string{"!10.20.30.0/24", "10.0.0.0/8"},
+ false,
+ },
+ {
+ "10.20.30.40",
+ []string{"10.0.0.0/8", "!10.20.30.0/24"},
+ true,
+ },
+ {
+ "[fe80::1]:4242",
+ []string{"192.168.0.0/24", "!fe00::/8", "fe80::/48"},
+ false,
+ },
 }
 
 for _, tc := range cases {
diff --git a/lib/connections/service.go b/lib/connections/service.go
index ff62396f6..1d857aa82 100644
--- a/lib/connections/service.go
+++ b/lib/connections/service.go
@@ -12,6 +12,7 @@ import (
 "fmt"
 "net"
 "net/url"
+ "strings"
 "time"
 
 "github.com/syncthing/syncthing/lib/config"
@@ -662,12 +663,17 @@ func IsAllowedNetwork(host string, allowed []string) bool {
 }
 
 for _, n := range allowed {
+ result := true
+ if strings.HasPrefix(n, "!") {
+ result = false
+ n = n[1:]
+ }
 _, cidr, err := net.ParseCIDR(n)
 if err != nil {
 continue
 }
 if cidr.Contains(addr.IP) {
- return true
+ return result
 }
 }
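Review bot: The new cases pin the first-match ordering but not the parse-failure edge that negation introduces: a negated entry with a typo in the CIDR, or a bare `!`, is skipped by the `continue` in IsAllowedNetwork, which for a deny rule means the address falls through to any later allow. A case such as `{"10.20.30.40", []string{"!not-a-cidr", "10.0.0.0/8"}, true}` would make that behaviour explicit, or fail loudly if stricter validation is added later. The case table of TestAllowedNetworks starts before the hunk and the loop body continues after it.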
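Review bot: A negative entry whose CIDR does not parse is silently dropped by the existing `continue` after ParseCIDR, so a typo in a deny rule such as `!10.20.30.0/24` fails open: the deny vanishes and a later, broader positive entry can still match the address. Under the old allow-only semantics a malformed entry was at worst a missing allow; now it can be a missing deny, so the error path deserves surfacing, either by validating the stripped entry where the list is loaded or at least by a comment here: `// Malformed entries, negated or not, are skipped; a bad "!" rule therefore denies nothing.` The doc comment on IsAllowedNetwork sits outside the hunk and should also state the new rule, e.g. `// Entries prefixed with "!" are negative; the first matching entry, positive or negative, decides.`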