@nbrownus nbrownus commented Nov 20, 2025

This scenario is only present on master since v1.9.x and prior would refuse ipv6 traffic.

Currently a cidr of 0.0.0.0/0 or ::/0 results in a short circuit any for both ipv4 or ipv6 addresses. This is unnecessary and could lead to surprises for network operators.

This change makes it so that 0.0.0.0/0 means only all ipv4 addresses and ::/0 means only all ipv6 addresses.

This also adds support for the special `cidr: any` and `localCidr: any`, which actually means "any ip family and address". The main reason for this is in unsafe routes, when you desire to expose the entire localCidr networks. If we did not support `localCidr: any` then you would need to create 2 rules, one for ipv4 `0.0.0.0/0` and another for ipv6 `::/0`.
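
The family-aware matching described in the pull request description above, as an added Go example that is not the project's code. The `rule` type and the `parseRule`, `matches` and `check` helpers are hypothetical; matching relies on the standard library's `netip.Prefix.Contains`, which never matches across address families.

```go
package main

import (
	"fmt"
	"net/netip"
)

// rule is a hypothetical stand-in for one cidr / localCidr value.
type rule struct {
	any    bool         // config value was the literal "any"
	prefix netip.Prefix // otherwise, the parsed CIDR
}

// parseRule accepts "any" or a CIDR; on error the returned rule is unusable.
func parseRule(s string) (rule, error) {
	if s == "any" {
		return rule{any: true}, nil
	}
	p, err := netip.ParsePrefix(s)
	return rule{prefix: p.Masked()}, err
}

// matches applies the family-aware semantics: a prefix only covers
// addresses of its own family, while "any" covers both families.
func (r rule) matches(addr netip.Addr) bool {
	if !addr.IsValid() { // IsValid is false only for the zero Addr
		return false
	}
	if r.any {
		return true
	}
	return r.prefix.Contains(addr)
}

func check(cidr, ip string) bool {
	r, err := parseRule(cidr)
	if err != nil {
		return false
	}
	addr, _ := netip.ParseAddr(ip) // unparsable input yields the zero Addr
	return r.matches(addr)
}

func main() {
	// Constructed sample addresses: one IPv4, one IPv6.
	for _, c := range []string{"0.0.0.0/0", "::/0", "any"} {
		fmt.Println(c, check(c, "10.1.2.3"), check(c, "2001:db8::1"))
	}
}
```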

@nbrownus nbrownus added this to the v1.10.0 milestone Nov 20, 2025
johnmaguire previously approved these changes Nov 21, 2025
@johnmaguire johnmaguire left a comment

LGTM, and test coverage looks good.

fr.Hosts[host] = nlc
}

if ip.IsValid() {
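
Review bot: `if ip.IsValid()` on the last line reads like input validation, but `netip.Addr.IsValid` only reports whether the Addr is not the zero value. A one-line code comment at this branch stating that it is a zero-value check would keep the intent in the source rather than only in the review thread.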
For future reviewers - this just tells you if it's a zero-value or not. This is not true validation per se. We won't return new errors we didn't return before for an "invalid" IP.

https://pkg.go.dev/net/netip#Addr.IsValid strange they didn't follow the pattern in https://pkg.go.dev/time#Time.IsZero which is much more clear.

@nbrownus nbrownus merged commit 64f202f into master Nov 21, 2025
9 checks passed
@nbrownus nbrownus deleted the firewall-cidr branch November 21, 2025 19:46
@nbrownus nbrownus mentioned this pull request Dec 4, 2025
63 tasks