[BUG] setACL() doesn't replaces current networks list

Question

[BUG] setACL() doesn't replaces current networks list

slavkoja opened this issue 3 years ago · 11 comments

Describe the bug
While not clean in docs, i expect that setACL() replaces current list of ACL with provided list, but this does not happen (at least not for built-in networks) and setACL() behaves exactly as addACL(), except that it adds list of networks.

To Reproduce

set eg. setACL({"127.0.0.0/8", "192.168.10.0/24"})
restart server
See result in log:

ACL allowing queries from: fe80::/10, 192.168.10.0/24, 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7

Expected behavior
I expect, that setACL() will replace current ACL, including the built-in networks.

OS:

OS: Debian
Version: 11, testing, bullseye

Answer 1 · 2021-08-02T12:41:02.000Z

You are not correct. setACL() replaces the current ACL entirely. However restarting the server will reset the ACL to the default ACL, which is hardcoded to include local networks and private IP addresses only.

Answer 2 · 2021-08-02T12:41:57.000Z

Just to be clear, setting the ACL does not persist over restarts.

Answer 3 · 2021-08-02T19:02:36.000Z

Sure, it doesn't persist over restart, but after restart it have to be set again from config file:

setACL({"127.0.0.0/8", "192.168.10.0/24"})

From console:

> showACL()
::1/128
10.0.0.0/8
100.64.0.0/10
fe80::/10
169.254.0.0/16
192.168.0.0/16
172.16.0.0/12
192.168.10.0/24
127.0.0.0/8
fc00::/7

If this is expected behavior, than setACL is useless...

Answer 4 · 2021-08-02T20:25:52.000Z

Um, so I'm not sure what you mean. setACL() sets the ACL correctly. The config file is read upon start-up everytime. So if you have the correct setACL line in your config file, everything is fine. I'm not sure what your problem is?

Answer 5 · 2021-08-02T20:26:18.000Z

> setACL({"192.168.1.254/32"})
> showACL()
192.168.1.254/32
>

Answer 6 · 2021-08-02T20:59:01.000Z

I am sorry, my English is not best, perhaps i wrote it wrong.

The config file is read upon start-up everytime. So if you have the correct setACL line in your config file, everything is fine.

I have in config this (including commented attempt):

grep ACL wforce.conf 
setACL({"127.0.0.0/8", "192.168.10.0/24"})
--addACL("192.168.10.0/24")

Is it correct? I suppose that yes...

I'm not sure what your problem is?

I expect, that after daemon starts that line is read and replaces daemon's built-in ACL list, thus in output of showACL() i get only these two networks. But, as shown above, it outputs all nets, including the built-in and those added by config.

Thus either the setACL() config setting is not used at daemon start to replace built-in list or showACL() in console shows something different and not actual daemon's ACL settings.

When i try it from console, it work as expected:

> setACL({"127.0.0.0/8", "192.168.10.0/24"})
> showACL()
192.168.10.0/24
127.0.0.0/8

But no one will connect via console after any daemon restart to set this, thus i expect to use setACL() in config to do this. Are my expectations wrong?

Answer 7 · 2021-08-05T12:21:47.000Z

Ok just to be clear, this is what wforce does:

It takes the ACLs as set by the setACL() command
When it starts up it always adds a list of private IPs to whatever ACLs are defined by the setACL() command, specifically: "127.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "169.254.0.0/16", "192.168.0.0/16", "172.16.0.0/12", "::1/128", "fc00::/7", "fe80::/10"

This behaviour is expected - it's to stop people creating ACLs which accidentally lock themselves out of their own wforce servers.

Answer 8 · 2021-08-05T13:05:23.000Z

To you better understand my motivation in it:

My ISP uses 10.0.0.0/X (i do not know exact mask nor range) addresses for his clients, that is not bad at all, but it doesn't NAT them, when they are routed to my public IP, and from time to time i saw these addresses in some of my log (mostly web). In other words, i cannot believe that the private IPs are from known hosts and i need to be more strict in ACL.

While i block them on router already, i want/need a way to remove them from ACL, as this blocking prevents my "neighbors" to access my services and i afraid of time, when they decide to use another private range (eg. ULA, when they learn IPv6)...

...it's to stop people creating ACLs which accidentally lock themselves out of their own wforce servers.

and how do you prevent them do not block itself on firewall?

Answer 9 · 2021-08-05T13:51:41.000Z

I think one thing I could do is to only add the private IP ranges if no ACLs have been set. If they have been set, then I assume the admin knows what they are doing, and don't add the private IP ranges.

Answer 10 · 2021-08-05T14:05:27.000Z

I have no problem with any defaults when there is way to override it.

IMO, you can apply this logic at start:

set default ACLs list (as it is now)
if there is setACL() in config, replace current list with provided (as it does in console now)
if there is addACL() in config, add item to list
if needed, repeat from step 2.
report (log) actual items in ACLs at end of config read

Do not bother with checks of order of setACL() nor addACL() config directives/commands, simple apply as they are coming, eg. multiple replaces, replace after add, etc.

Answer 11 · 2021-08-05T14:14:21.000Z

Yes I can achieve all of the above simply by moving where the default is set to before the config is read.