fix(net): catch IPv4-mapped blocked ranges in is_always_blocked_net #1032
Merged
johntmyers merged 2 commits into NVIDIA:main from Apr 29, 2026
Conversation
The IPv6 branch only checked whether the network address itself mapped to a blocked IPv4 address. A broader prefix like ::ffff:168.0.0.0/103 has a public network address but spans ::ffff:169.254.0.0, so the old code accepted it at policy load time while is_always_blocked_ip silently rejected every connection at runtime. Add three containment checks for the IPv4-mapped loopback, link-local, and unspecified representatives. The existing network-address check is kept because it handles single-host entries (/128) whose network address is already in a blocked range. Five new tests cover: single-host loopback and link-local mapped addresses, broad prefixes that span each blocked range without starting there, and a public single-host address that must not be blocked.
Use Ipv4Addr::LOCALHOST instead of Ipv4Addr::new(127, 0, 0, 1) and collapse the nested if let / if into is_some_and.
johntmyers approved these changes on Apr 29, 2026
Summary

is_always_blocked_net only checked whether the network address of an IPv6 prefix mapped to a blocked IPv4 address. That misses cases where the network address is public but the range extends into a blocked zone. For example, ::ffff:168.0.0.0/103 starts at 168.0.0.0 so the old check passes it, but the range covers up to 169.255.255.255 and includes ::ffff:169.254.0.0. The result is that parse_allowed_ips accepts the CIDR at policy load time while every connection to it fails silently at runtime.

The fix adds containment checks for the three IPv4-mapped blocked representatives: loopback, link-local, and unspecified. The existing network-address check stays because it still handles /128 entries whose first address is already in a blocked range.

Related Issue

N/A

Changes

- v6net.contains() checks for ::ffff:127.0.0.1, ::ffff:169.254.0.0, and ::ffff:0.0.0.0 after the network-address check in the IPv6 branch of is_always_blocked_net
- Ipv4Addr::LOCALHOST instead of Ipv4Addr::new(127, 0, 0, 1) and collapse nested if let / if into is_some_and to satisfy clippy
- /128 that must not be blocked

Testing

- cargo test -p openshell-core --lib net passes (38 tests)
- cargo clippy -p openshell-core passes, no new warnings
- cargo fmt --check -p openshell-core passes
- mise run pre-commit passes

Checklist
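To make the load-time/runtime mismatch from the Summary concrete, here is an added example (not code from the OpenShell project) that puts the old network-address-only check beside the containment check this PR adds. V6Net is a minimal stand-in for the project's IPv6 network type, and is_always_blocked_v4 is an assumed IPv4 policy built from the three ranges the PR names; the ::ffff:168.0.0.0/103 prefix and the 203.0.113.5 public host are constructed inputs.

```rust
// Added example, not OpenShell's own code.
use std::net::{Ipv4Addr, Ipv6Addr};

/// Minimal IPv6 CIDR prefix (constructed stand-in for the project's v6net type).
pub struct V6Net {
    addr: Ipv6Addr,
    prefix_len: u8,
}

impl V6Net {
    /// Build an IPv4-mapped prefix such as ::ffff:168.0.0.0/103.
    pub fn mapped(v4: Ipv4Addr, prefix_len: u8) -> Self {
        assert!(prefix_len <= 128, "prefix length out of range");
        Self { addr: v4.to_ipv6_mapped(), prefix_len }
    }

    fn mask(&self) -> u128 {
        // A shift by 128 would overflow, so /0 is handled explicitly.
        if self.prefix_len == 0 { 0 } else { u128::MAX << (128 - u32::from(self.prefix_len)) }
    }

    /// First address of the range (the "network address").
    pub fn network(&self) -> Ipv6Addr {
        Ipv6Addr::from(u128::from(self.addr) & self.mask())
    }

    /// True when `ip` falls inside this prefix.
    pub fn contains(&self, ip: &Ipv6Addr) -> bool {
        (u128::from(*ip) & self.mask()) == u128::from(self.network())
    }
}

/// Assumed IPv4 policy: the three ranges the PR names (loopback, link-local, unspecified).
fn is_always_blocked_v4(ip: Ipv4Addr) -> bool {
    ip.is_loopback() || ip.is_link_local() || ip.is_unspecified()
}

/// Before the fix: only the network address is mapped back to IPv4 and checked,
/// so a wide prefix whose first address is public slips through at policy load.
pub fn is_always_blocked_net_old(net: &V6Net) -> bool {
    net.network().to_ipv4_mapped().is_some_and(is_always_blocked_v4)
}

/// After the fix: keep the network-address check (it covers /128 entries) and add
/// a containment check for one representative of each blocked range.
pub fn is_always_blocked_net_fixed(net: &V6Net) -> bool {
    is_always_blocked_net_old(net)
        || net.contains(&Ipv4Addr::LOCALHOST.to_ipv6_mapped())
        || net.contains(&Ipv4Addr::new(169, 254, 0, 0).to_ipv6_mapped())
        || net.contains(&Ipv4Addr::UNSPECIFIED.to_ipv6_mapped())
}
```

For ::ffff:168.0.0.0/103 the old function returns false and the fixed one returns true, which is exactly the prefix parse_allowed_ips used to accept while is_always_blocked_ip rejected each connection inside it.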