Move blocking of invalid IPs behind rules

2025-09-01 18:19:12 +00:00 · 2023-09-19 10:04:26 +02:00 · 2023-09-19 10:04:26 +02:00 · 81c801237d
commit 81c801237d
parent efc0a015f8
1 changed files with 19 additions and 1 deletions
--- a/firewall/master.go
+++ b/firewall/master.go
@ -33,6 +33,7 @@ var defaultDeciders = []deciderFn{
 	checkConnectionType,
 	checkConnectionScope,
 	checkEndpointLists,
+	checkInvalidIP,
 	checkResolverScope,
 	checkConnectivityDomain,
 	checkBypassPrevention,
@ -371,7 +372,8 @@ func checkConnectionScope(_ context.Context, conn *network.Connection, p *profil
 			return true
 		}
 	case netutils.Undefined, netutils.Invalid:
-		fallthrough
+		// Block Invalid / Undefined IPs _after_ the rules.
+		return false
 	default:
 		conn.Deny("invalid IP", noReasonOptionKey) // Block Outbound / Drop Inbound
 		return true
@ -380,6 +382,22 @@ func checkConnectionScope(_ context.Context, conn *network.Connection, p *profil
 	return false
 }

+func checkInvalidIP(_ context.Context, conn *network.Connection, p *profile.LayeredProfile, _ packet.Packet) bool {
+	// Only applies to IP connections.
+	if conn.Type != network.IPConnection {
+		return false
+	}
+
+	// Block Invalid / Undefined IPs.
+	switch conn.Entity.IPScope { //nolint:exhaustive // Only looking for specific values.
+	case netutils.Undefined, netutils.Invalid:
+		conn.Deny("invalid IP", noReasonOptionKey) // Block Outbound / Drop Inbound
+		return true
+	}
+
+	return false
+}
+
 func checkBypassPrevention(ctx context.Context, conn *network.Connection, p *profile.LayeredProfile, _ packet.Packet) bool {
 	if p.PreventBypassing() {
 		// check for bypass protection