lib/connections: Allow negative ACL entries on devices (fixes #4096)

Prefix an entry with "!" to make it a negative entry. First match wins. GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/4097
2017-04-13 17:43:29 +00:00 · 2017-04-13 17:43:29 +00:00 · dd1f7a5ab7
parent d48e46a29c
commit dd1f7a5ab7
2 changed files with 22 additions and 1 deletions
--- a/lib/connections/connections_test.go
+++ b/lib/connections/connections_test.go
@ -81,6 +81,21 @@ func TestAllowedNetworks(t *testing.T) {
 			[]string{"192.168.0.0/24", "fe80::/48"},
 			true,
 		},
+		{
+			"10.20.30.40",
+			[]string{"!10.20.30.0/24", "10.0.0.0/8"},
+			false,
+		},
+		{
+			"10.20.30.40",
+			[]string{"10.0.0.0/8", "!10.20.30.0/24"},
+			true,
+		},
+		{
+			"[fe80::1]:4242",
+			[]string{"192.168.0.0/24", "!fe00::/8", "fe80::/48"},
+			false,
+		},
 	}

 	for _, tc := range cases {
--- a/lib/connections/service.go
+++ b/lib/connections/service.go
@ -12,6 +12,7 @@ import (
 	"fmt"
 	"net"
 	"net/url"
+	"strings"
 	"time"

 	"github.com/syncthing/syncthing/lib/config"
@ -662,12 +663,17 @@ func IsAllowedNetwork(host string, allowed []string) bool {
 	}

 	for _, n := range allowed {
+		result := true
+		if strings.HasPrefix(n, "!") {
+			result = false
+			n = n[1:]
+		}
 		_, cidr, err := net.ParseCIDR(n)
 		if err != nil {
 			continue
 		}
 		if cidr.Contains(addr.IP) {
-			return true
+			return result
 		}
 	}