fix: merge CoreDNS ACL per-service and add reload plugin; add peer/cell e2e tests
- _build_acl_block: put all blocked IPs for a service in ONE acl block instead of one block per peer — the first block's allow-all was silently granting access to every peer after the first blocked one (first-match semantics) - generate_corefile: add 'reload' plugin so SIGUSR1 triggers Corefile reload in newer CoreDNS builds (without it the signal was a no-op) - tests/test_firewall_manager.py: new tests for single merged ACL block and the reload directive - tests/e2e/api/test_peer_access_update.py: e2e tests for service_access, internet_access, and peer_access updates persisting live to iptables/CoreDNS - tests/e2e/api/test_cell_to_cell.py: e2e tests for cell-to-cell connection management, permissions API, and cross-cell service access restrictions Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -542,12 +542,15 @@ def _build_acl_block(blocked_peers_by_service: Dict[str, List[str]],
|
||||
if not peer_ips:
|
||||
continue
|
||||
host = f'{service}.{domain}.'
|
||||
# All blocked IPs for this service in ONE block — separate blocks would
|
||||
# cause the first block's allow-all to match before the second block's
|
||||
# block rule, silently granting access to all but the first blocked peer.
|
||||
lines.append(f' acl {host} {{')
|
||||
for ip in peer_ips:
|
||||
lines.append(f' acl {host} {{')
|
||||
lines.append(f' block net {ip}/32')
|
||||
lines.append(f' allow net 0.0.0.0/0')
|
||||
lines.append(f' allow net ::/0')
|
||||
lines.append(f' }}')
|
||||
lines.append(f' allow net 0.0.0.0/0')
|
||||
lines.append(f' allow net ::/0')
|
||||
lines.append(f' }}')
|
||||
return '\n'.join(lines)
|
||||
|
||||
|
||||
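Review bot: The merged block on the new side still appends a hard-coded `/32` to every `block net {ip}` line, so an IPv6 peer address would be turned into a /32 prefix and deny far more than one host, even though the block's own `allow net ::/0` line shows IPv6 clients are expected. Parsing the address before interpolating it also prevents a malformed value from being written into the Corefile as literal directive text, which matters if peer IPs arrive through the API unvalidated. I would replace the `block net` line with `addr = ipaddress.ip_address(ip)` and `lines.append(f'block net {addr}/{32 if addr.version == 4 else 128}')` (plus `import ipaddress` at module top), which raises `ValueError` on anything that is not an address. _build_acl_block's signature and the start of its body are above the hunk, and the rendered view has dropped the indentation of the lines shown here.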
@@ -586,6 +589,7 @@ def generate_corefile(peers: List[Dict[str, Any]], corefile_path: str = COREFILE
|
||||
cache
|
||||
log
|
||||
health
|
||||
reload
|
||||
}}
|
||||
|
||||
{primary_zone_block}"""
|
||||
|
||||
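Review bot: `reload` is added with no interval argument, so it relies on the plugin's default poll period (documented upstream as 30s with jitter); the plugin detects a changed Corefile by re-checking it on that timer rather than at the moment generate_corefile writes it, so any caller or e2e test that asserts the new ACL is live right after a write may race against the next poll. If the tests in this commit expect near-immediate effect, pass an explicit short interval such as `reload 2s`, or record the latency in generate_corefile's docstring, e.g. `# 'reload' re-reads the Corefile on a timer; expect up to one poll interval before a change takes effect`. Since the plugin keeps the last good configuration when the new file fails to parse, the write in generate_corefile should be atomic (temp file plus rename) so the poller never sees a half-written Corefile; that write path is outside this hunk, as is the start of generate_corefile's body.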