feat: allow tmate ip addresses to firewall. #209
LGTM, left some nitpicky comments.
Out of interest, is there a reason why this PR only addresses IPv4 and not IPv6? Otherwise it LGTM.
@gtrkiller Good point, added a generic type - but for concrete types - like host address, it's because we're using the command on L67: |
LGTM, one nitpicky comment
Left a minor comment
Test coverage for b386768
Static code analysis report
Applicable spec: N/A
Overview
To allow tmate-ssh-server IP addresses from relation data to be excluded from the denylist, by filtering them out of the denylist if they belong to one of the networks defined by the denylist.
Rationale
Since many internal subnets can be blocked, including the one that the charm is related to (tmate-ssh-server), it is necessary to allow traffic between related units even though the subnet they belong in might be covered by the denylist.
Juju Events Changes
On ssh-debug relation data change, the firewall is now updated.
Module Changes
firewall.py now splits denylist if one of the ip ranges in allowlist is found within the range of denylist. (Allowlist has priority.)
charm.py now refreshes firewall on ssh-debug relation data changed.
Library Changes
None.
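The denylist splitting described under Module Changes, sketched as an added example that is not the PR's own firewall.py: the function name `split_denylist` and all addresses are assumptions constructed for illustration, and the code uses only Python's standard `ipaddress` module. It goes slightly beyond the description by also handling IPv6 entries and an allowlist range that covers a whole denylist network.

```python
import ipaddress


def split_denylist(denylist, allowlist):
    """Return denylist networks with every allowlisted range carved out.

    Hypothetical helper (not from the PR). The allowlist has priority.
    """
    remaining = [ipaddress.ip_network(n) for n in denylist]
    for allowed in (ipaddress.ip_network(a) for a in allowlist):
        next_remaining = []
        for denied in remaining:
            if denied.version != allowed.version or not denied.overlaps(allowed):
                # Different address family or no overlap: keep unchanged.
                next_remaining.append(denied)
            elif denied.subnet_of(allowed):
                # Allowed range covers the whole denied network: drop it.
                continue
            else:
                # Allowed range lies strictly inside the denied network:
                # keep only the subnets surrounding it.
                next_remaining.extend(denied.address_exclude(allowed))
        remaining = next_remaining
    return sorted(remaining, key=lambda n: (n.version, n))


if __name__ == "__main__":
    # Constructed sample data: an internal range is denied, but the related
    # unit's address (allowlist) sits inside it.
    deny = ["10.0.0.0/24", "fd00::/8"]
    allow = ["10.0.0.64/26"]
    for net in split_denylist(deny, allow):
        print("deny", net)
```

Because CIDR networks either nest or are disjoint, an overlap that is not a full cover always means the allowed range is a strict subnet, which is the precondition `address_exclude` needs.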