|
|
@@ -263,17 +263,22 @@ CheckIPs:
|
|
|
}
|
|
|
}
|
|
|
// Check if allowed location IPs intersect with the allowed IPs.
|
|
|
+ // If the allowed location IP strictly contains an allowed IP, that's
|
|
|
+ // fine - the more specific route will be used. Reject if the allowed
|
|
|
+ // IP contains or equals the allowed location IP.
|
|
|
for _, i := range s.allowedIPs {
|
|
|
- if intersect(ip, i) {
|
|
|
+ if i.Contains(ip.IP) {
|
|
|
_ = level.Warn(t.logger).Log("msg", "overlapping allowed location IPnet with allowed IPnets", "IP", ip.String(), "IP2", i.String(), "segment-location", s.location)
|
|
|
continue CheckIPs
|
|
|
}
|
|
|
}
|
|
|
// Check if allowed location IPs intersect with the private IPs of the segment.
|
|
|
+ // If the allowed location IP fully contains a private IP, that's fine.
|
|
|
for _, i := range s.privateIPs {
|
|
|
if ip.Contains(i) {
|
|
|
- _ = level.Warn(t.logger).Log("msg", "overlapping allowed location IPnet with privateIP", "IP", ip.String(), "IP2", i.String(), "segment-location", s.location)
|
|
|
- continue CheckIPs
|
|
|
+ // This is OK - the allowed location IP contains the private IP,
|
|
|
+ // so the more specific route to the private IP will still work.
|
|
|
+ _ = level.Debug(t.logger).Log("msg", "allowed location IPnet contains privateIP", "IP", ip.String(), "IP2", i.String(), "segment-location", s.location)
|
|
|
}
|
|
|
}
|
|
|
}
|
Lucas Servén Marín