A direct quote from the documentation of allowedNetwork reads (my emphasis):
By setting this to a comma separated list of networks, connections to the given device will be limited to those networks.
Are we sure that really is the case?
I’m no golang developer, but the following patch sure seems to both make multiple allowed networks work and add some debug output to clarify why it fails unpatched, where the added loop provides the actual functionality.
diff --git a/lib/connections/service.go b/lib/connections/service.go
index 1aaf3633c..75b8a5739 100644
--- a/lib/connections/service.go
+++ b/lib/connections/service.go
@@ -1119,7 +1119,10 @@ func IsAllowedNetwork(host string, allowed []string) bool {
return false
}
- for _, n := range allowed {
+ for _, p := range allowed {
+ l.Warnf("p: ", p)
+ for _, n := range strings.Split(p, ",") {
+ l.Warnf("n: ", p)
result := true
if strings.HasPrefix(n, "!") {
result = false
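Review bot: the second debug line logs the wrong variable: `l.Warnf("n: ", p)` prints the whole unsplit entry again rather than the element being tested, so it should be `l.Warnf("n: ", n)`. Both calls also pass an argument without a format verb, which `go vet` flags and which renders as `%!(EXTRA string=...)`; `l.Debugf("n: %s", n)` gives correct output and keeps per-connection tracing out of the warning level. The split elements are also not trimmed, so a value written as `a/8, b/24` leaves a leading space that `net.ParseCIDR` rejects; `strings.TrimSpace(n)` before the `!` prefix check would cover that.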
@@ -1133,6 +1136,7 @@ func IsAllowedNetwork(host string, allowed []string) bool {
return result
}
}
+ }
return false
}
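Review bot: the closing brace correctly terminates the inner loop, but the fix lands in IsAllowedNetwork rather than where the value is parsed; as the existing `range allowed` shows, callers already expect one network per element, so splitting once where `allowedNetwork` is read from the configuration (and leaving this function unchanged) would fix every consumer of the field. Either way a regression test such as `IsAllowedNetwork("192.168.1.10", []string{"0.0.0.0/0,192.168.1.0/24"})` should be added so the comma-joined case stays covered.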
Without the split+loop, the range over allowed appears to return a string still containing the comma, e.g. “0.0.0.0/0,192.168.1.0/24”. I fail to see how the code in that function is supposed to work with such a string.
Maybe there is a more appropriate place to fix this bug. It seems from the existing loop that the input ought to already have been split. The datatype probably gets constructed from proto/lib/config/deviceconfiguration.proto, but how that works and where the actual parsed XML gets transformed into protobuf is beyond my understanding.
Do we agree this is a bug? Would someone be keen on either fixing it properly, or on holding my hand through the likely long journey of getting me up to speed with golang?
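To show the two behaviours side by side, here is an added example that is not Syncthing's code: a hypothetical reimplementation of the quoted check (first matching entry wins, a "!" prefix denies, unparsable entries are skipped) with a split flag, so the same comma-joined value can be tested unsplit and split.

```go
package main

import (
	"net"
	"strings"
)

// matchCIDR reports whether one "[!]CIDR" entry matches ip and, if so, whether it
// allows (true) or denies (false). An entry net.ParseCIDR rejects never matches,
// which is why an unsplit "a/8,b/24" string silently matches nothing.
func matchCIDR(ip net.IP, n string) (matched, allow bool) {
	n = strings.TrimSpace(n) // tolerate "a/8, b/24" written with spaces
	allow = true
	if strings.HasPrefix(n, "!") {
		allow = false
		n = n[1:]
	}
	_, cidr, err := net.ParseCIDR(n)
	if err != nil {
		return false, false
	}
	return cidr.Contains(ip), allow
}

// isAllowedNetwork is a hypothetical reimplementation of the quoted check: the
// first matching entry wins and "!" denies. split=true also splits each element
// on commas (the proposed patch); split=false behaves like the unpatched loop.
func isAllowedNetwork(host string, allowed []string, split bool) bool {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // accept "ip:port" and "[v6]:port" as well as a bare address
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, entry := range allowed {
		candidates := []string{entry}
		if split {
			candidates = strings.Split(entry, ",")
		}
		for _, n := range candidates {
			if matched, allow := matchCIDR(ip, n); matched {
				return allow
			}
		}
	}
	return false
}
```

With the constructed value `"0.0.0.0/0,192.168.1.0/24"` as the single element, `split=false` never matches any host, while `split=true` matches as the documentation promises.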