Allow whitelisting by CIDR range, not just literally.
This allows you to write something like this:
/usr/local/bin/weed master -mdir /srv/weed/master -whiteList=192.168.0.0/24,127.0.0.1
This will whitelist all the 192.168.0.XX hosts, as well as localhost.
This commit is contained in:
Steve Kemp
@@ -4,6 +4,7 @@ import (
|
|||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"net"
|
"net"
|
||||||
|
"regexp"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
|
||||||
"github.com/chrislusf/seaweedfs/go/glog"
|
"github.com/chrislusf/seaweedfs/go/glog"
|
||||||
@@ -88,6 +89,26 @@ func (g *Guard) checkWhiteList(w http.ResponseWriter, r *http.Request) error {
|
|||||||
host, _, err := net.SplitHostPort(r.RemoteAddr)
|
host, _, err := net.SplitHostPort(r.RemoteAddr)
|
||||||
if err == nil {
|
if err == nil {
|
||||||
for _, ip := range g.whiteList {
|
for _, ip := range g.whiteList {
|
||||||
|
|
||||||
|
// If the whitelist entry contains a "/" it
|
||||||
|
// is a CIDR range, and we should check the
|
||||||
|
// remote host is within it
|
||||||
|
match, _ := regexp.MatchString("/", ip)
|
||||||
|
if ( match ) {
|
||||||
|
_, cidrnet, err := net.ParseCIDR(ip)
|
||||||
|
if err != nil {
|
||||||
|
panic(err)
|
||||||
|
}
|
||||||
|
remote := net.ParseIP(host)
|
||||||
|
if cidrnet.Contains(remote) {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
//
|
||||||
|
// Otherwise we're looking for a literal match.
|
||||||
|
//
|
||||||
if ip == host {
|
if ip == host {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user