From 2a777a970cf5fde01893340d3281214839e622d6 Mon Sep 17 00:00:00 2001 From: Steve Kemp Date: Sat, 5 Sep 2015 10:00:13 +0300 Subject: [PATCH] Allow whitelisting by CIDR range, not just literally. This allows you to write something like this: /usr/local/bin/weed master -mdir /srv/weed/master -whiteList=192.168.0.0/24,127.0.0.1 This will whitelist all the 192.168.0.XX hosts, as well as localhost. --- go/security/guard.go | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/go/security/guard.go b/go/security/guard.go index bde938dba..b93845448 100644 --- a/go/security/guard.go +++ b/go/security/guard.go @@ -4,6 +4,7 @@ import ( "errors" "fmt" "net" + "regexp" "net/http" "github.com/chrislusf/seaweedfs/go/glog" @@ -88,6 +89,26 @@ func (g *Guard) checkWhiteList(w http.ResponseWriter, r *http.Request) error { host, _, err := net.SplitHostPort(r.RemoteAddr) if err == nil { for _, ip := range g.whiteList { + + // If the whitelist entry contains a "/" it + // is a CIDR range, and we should check the + // remote host is within it + match, _ := regexp.MatchString("/", ip) + if ( match ) { + _, cidrnet, err := net.ParseCIDR(ip) + if err != nil { + panic(err) + } + remote := net.ParseIP(host) + if cidrnet.Contains(remote) { + return nil + } + } + + + // + // Otherwise we're looking for a literal match. + // if ip == host { return nil }