lib/connections, lib/model, gui: Specify allowed networks per device (fixes #219)

This adds a new config AllowedNetworks per device, which when set should contain a list of network prefixes (192.168.0.0/126 etc) that are allowed for the given device. The connection service will not attempt connections to addresses outside of the given networks and incoming connections will be rejected as well. I've added the config to the normal device editor and shown it (when set) in the device summary on the main screen. There's a unit test for the IsAllowedNetwork method, I've done some manual sanity testing on top of that. GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/4073
2017-04-01 09:52:31 +00:00
parent 4253f22680
commit c5e0c47989
8 changed files with 199 additions and 63 deletions
--- a/lib/connections/connections_test.go
+++ b/lib/connections/connections_test.go
@@ -24,3 +24,69 @@ func TestFixupPort(t *testing.T) {
 		}
 	}
 }
+
+func TestAllowedNetworks(t *testing.T) {
+	cases := []struct {
+		host    string
+		allowed []string
+		ok      bool
+	}{
+		{
+			"192.168.0.1",
+			nil,
+			false,
+		},
+		{
+			"192.168.0.1",
+			[]string{},
+			false,
+		},
+		{
+			"fe80::1",
+			nil,
+			false,
+		},
+		{
+			"fe80::1",
+			[]string{},
+			false,
+		},
+		{
+			"192.168.0.1",
+			[]string{"fe80::/48", "192.168.0.0/24"},
+			true,
+		},
+		{
+			"fe80::1",
+			[]string{"192.168.0.0/24", "fe80::/48"},
+			true,
+		},
+		{
+			"192.168.0.1",
+			[]string{"192.168.1.0/24", "fe80::/48"},
+			false,
+		},
+		{
+			"fe80::1",
+			[]string{"fe82::/48", "192.168.1.0/24"},
+			false,
+		},
+		{
+			"192.168.0.1:4242",
+			[]string{"fe80::/48", "192.168.0.0/24"},
+			true,
+		},
+		{
+			"[fe80::1]:4242",
+			[]string{"192.168.0.0/24", "fe80::/48"},
+			true,
+		},
+	}
+
+	for _, tc := range cases {
+		res := IsAllowedNetwork(tc.host, tc.allowed)
+		if res != tc.ok {
+			t.Errorf("allowedNetwork(%q, %q) == %v, want %v", tc.host, tc.allowed, res, tc.ok)
+		}
+	}
+}