Some backstory to why I am even requesting this as it might otherwise sound ridiculous: I am using a very peculiar setup with Docker with two individual physical servers and its containers are connected through a so-called overlay network. This works beautifully BUT it has one fatal flaw which I only realized recently: It can sometimes (seemingly at random) decide to do IP masquerading which means the IPs of users get replaced by one of the so-called docker_gwbridge. I already tried to disable IP masquerading but that'll render the containers useless and moving them to the host network is also a bit of a stupid idea from a security standpoint. I might find a better solution in the future but currently there is no easy solution and for complexity reasons I might never consider them.
However, docker_gwbridge does use private IPs and in my opinion they should not be taken into consideration by '/alts' and '/ipban'.
There are two possible solutions here, one is hard coding private IPs and the other is to make it configurable which also means it could adjust to other use cases more easily.
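The hard coded solution would exclude private IP addresses like these from Wikipedia: https://en.wikipedia.org/wiki/Private_network
The configurable solution would allow you to specify your own networks like 192.168.0.0/16 for IPv4 or fd00::/8 for IPv6 in the config file.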
Both solutions would then check said networks/IP addresses and if it's part of the results of '/alts' it would be omitted or if it was used in an '/ipban' command, it would simply tell you that you can't/shouldn't ban private IPs as that should never be necessary.
Personally I'd prefer the second option where you can use your own networks so it's more flexible and can be adjusted to different use cases but I'll leave the ultimate choice up to you.
It could also be one config option for the alts command and one for the ipban to give ultimate control but that's up to you once again :)
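An added sketch of the configurable option requested above, written for this page and not taken from the project or the issue author: configured CIDR networks are parsed once, then used both to drop matches from alt results and to refuse an IP ban. The function names, the `EXEMPT_NETWORKS` list and all sample addresses are assumptions constructed for illustration; IPv4-mapped IPv6 addresses are unwrapped so a masqueraded address is still recognised when it arrives in `::ffff:a.b.c.d` form.

```python
import ipaddress

# Hypothetical config value: networks the operator wants ignored.
EXEMPT_NETWORKS = ["192.168.0.0/16", "172.16.0.0/12", "fd00::/8"]

# Constructed sample: (player, address the alt match was based on).
SAMPLE_MATCHES = [
    ("alice", "172.18.0.1"),         # masqueraded gateway-style address
    ("bob", "::ffff:172.18.0.1"),    # same address, IPv4-mapped IPv6 form
    ("carol", "203.0.113.7"),        # public (documentation range) address
    ("dave", "fd12:3456::1"),        # IPv6 unique local address
]


def parse_networks(entries):
    """Parse CIDR strings; strict=True rejects entries with host bits set."""
    return [ipaddress.ip_network(entry, strict=True) for entry in entries]


def normalize(address):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(address)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_exempt(address, networks):
    """True if the address falls inside any configured network."""
    ip = normalize(address)
    # Only compare against networks of the same IP version.
    return any(ip.version == net.version and ip in net for net in networks)


def filter_alts(matches, networks):
    """Drop alt matches whose shared address is in an exempt network."""
    return [(p, a) for p, a in matches if not is_exempt(a, networks)]


def check_ipban(address, networks):
    """Return (allowed, message) for an IP ban request."""
    if is_exempt(address, networks):
        return False, f"{address} is in an exempt network and cannot be banned"
    return True, f"{address} banned"
```
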
May I ask you for some clarification on this? On September 28 over Discord you said you had discovered the reason for private IPs appearing and that you wouldn't need a feature request. However, this issue is dated 1 November. Did you discover further information, and does this feature request reflect the most recent state of affairs?
I thought I could fix it, then some weeks later I tried what I had in mind, only to realize it wasn't possible. The details are very complicated and all due to how Docker works but in the end I couldn't fix it as I thought I could.
So yes, this feature request reflects the most recent state of affairs and is what I'd like to see implemented :) Thanks for making sure we're not wasting our time.