This adds two new builtin CIDR helpers:
`net.cidr_intersects(cidr1, cidr2)` -- Returns true if cidr1 overlaps at all with cidr2
`net.cidr_contains(cidr, cidr_or_ip)` -- Returns true if cidr_or_ip is contained entirely inside cidr
Both support IPv4 and IPv6.
The `net.cidr_contains` is replacing the `net.cidr_overlap` function (now deprecated) that checked if
an ip was in a given cidr. This function is still available for backwards compatibility but is now
implemented via the same underlying code as `net.cidr_contains`.
Fixes: open-policy-agent#1289
Signed-off-by: Patrick East <[email protected]>
Enhancement Description
We currently support some initial CIDR builtins from #897 but it would be useful to add some additional helpers for checking if two ranges overlap and if one is fully contained inside another for use in whitelist and blacklist checks.
Proposal
Add in two new methods:
net.cidr_intersects(a, b) # checks if a and b share any addresses
net.cidr_contains(a, b) # checks if b is contained in a, b can be an ip or cidr
We can then deprecate the net.cidr_overlap built-in and replace it with net.cidr_contains. The reasoning behind this being that it's less confusing since "overlap" kind of sounds like what the intersects call would be doing, but it's really checking if the IP is inside the subnet.
Ex:
Whitelist CIDR use-case.
You could add a check to ensure some other CIDR was inside of it:
net.cidr_contains("10.0.0.0/8", "10.1.2.0/24")
would evaluate to true, while something like:
net.cidr_contains("10.0.0.0/8", "1.2.3.0/24")
would evaluate to false.
Blacklist or "in-use" use-case
With a blacklist CIDR like "10.1.2.0/24" you can check if some other CIDR overlaps with it:
net.cidr_intersects("10.1.2.0/25", "10.1.2.64/26")
would evaluate to true since they intersect from 10.1.2.64 through 10.1.2.127, and something like:
net.cidr_intersects("10.1.2.0/25", "10.1.2.128/25")
would evaluate to false since they don't overlap at all.
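The following Go program is an added example illustrating the semantics the commit message and the issue examples above describe (net.cidr_contains and net.cidr_intersects over IPv4 and IPv6, with a bare IP accepted as the second argument of contains). It is not OPA's own implementation of these builtins; the function names cidrContains, cidrIntersects and parseRange are hypothetical, and the sample inputs are the ones from the issue text plus a few constructed IPv6 and error cases. The approach normalizes every network to a first/last address pair in 16-byte form, which means an IPv4-mapped IPv6 literal such as ::ffff:10.0.0.0/104 compares equal to 10.0.0.0/8 in this example; a cross-family pair like 10.0.0.0/8 and 2001:db8::/32 never intersects.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
)

// ipRange is a network expressed as its first and last address, both held in
// 16-byte form so IPv4 and IPv6 networks go through one comparison path.
// (Added example; not OPA's implementation of the builtins discussed above.)
type ipRange struct {
	first, last net.IP
}

// parseRange accepts a CIDR ("10.0.0.0/8", "2001:db8::/32") or a bare address
// ("10.1.2.3"), the latter treated as a single-address range (/32 or /128).
func parseRange(s string) (ipRange, error) {
	var ipnet *net.IPNet
	if _, n, err := net.ParseCIDR(s); err == nil {
		ipnet = n
	} else {
		ip := net.ParseIP(s)
		if ip == nil {
			return ipRange{}, fmt.Errorf("not a CIDR or IP address: %q", s)
		}
		// net.ParseIP always yields 16 bytes, so the all-ones mask is /128
		// (an IPv4 address sits in its ::ffff:a.b.c.d form).
		ipnet = &net.IPNet{IP: ip, Mask: net.CIDRMask(8*len(ip), 8*len(ip))}
	}
	first := ipnet.IP.To16()
	mask := ipnet.Mask
	if len(mask) == net.IPv4len {
		// Widen a 4-byte IPv4 mask to 16 bytes so it lines up with the
		// ::ffff:a.b.c.d layout that To16() produces for IPv4 addresses.
		mask = append(net.IPMask(bytes.Repeat([]byte{0xff}, 12)), mask...)
	}
	last := make(net.IP, net.IPv6len)
	for i := range last {
		last[i] = first[i] | ^mask[i] // set every host bit to 1
	}
	return ipRange{first: first, last: last}, nil
}

// cidrContains mirrors the proposed net.cidr_contains(a, b): true when every
// address of b (a CIDR or a single IP) lies inside a.
func cidrContains(a, b string) (bool, error) {
	ra, err := parseRange(a)
	if err != nil {
		return false, err
	}
	rb, err := parseRange(b)
	if err != nil {
		return false, err
	}
	return bytes.Compare(rb.first, ra.first) >= 0 && bytes.Compare(rb.last, ra.last) <= 0, nil
}

// cidrIntersects mirrors the proposed net.cidr_intersects(a, b): true when the
// two ranges share at least one address.
func cidrIntersects(a, b string) (bool, error) {
	ra, err := parseRange(a)
	if err != nil {
		return false, err
	}
	rb, err := parseRange(b)
	if err != nil {
		return false, err
	}
	return bytes.Compare(ra.first, rb.last) <= 0 && bytes.Compare(rb.first, ra.last) <= 0, nil
}

func main() {
	// Constructed checks: the issue's examples plus one IPv6 case.
	cases := []struct{ op, a, b string }{
		{"contains", "10.0.0.0/8", "10.1.2.0/24"},
		{"contains", "10.0.0.0/8", "1.2.3.0/24"},
		{"contains", "10.1.2.0/24", "10.1.2.77"},
		{"intersects", "10.1.2.0/25", "10.1.2.64/26"},
		{"intersects", "10.1.2.0/25", "10.1.2.128/25"},
		{"intersects", "2001:db8::/32", "2001:db8:ffff::/48"},
	}
	for _, c := range cases {
		var ok bool
		var err error
		if c.op == "contains" {
			ok, err = cidrContains(c.a, c.b)
		} else {
			ok, err = cidrIntersects(c.a, c.b)
		}
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("net.cidr_%s(%q, %q) = %v\n", c.op, c.a, c.b, ok)
	}
}
```

Because CIDR blocks are aligned, two of them are either disjoint or nested, so the first/last comparison above is exact for both helpers: a whitelist rule asks whether the allowed block contains the requested one, while a blacklist or "in-use" rule asks whether the blocked block intersects it, matching the two use-cases in the issue.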