Skip to content

[ISSUE #407] Support wildcard IPs in ACL whitelist#10596

Open
itxaiohanglover wants to merge 1 commit into
apache:developfrom
itxaiohanglover:fix/acl-ip-wildcard-and-npe
Open

[ISSUE #407] Support wildcard IPs in ACL whitelist#10596
itxaiohanglover wants to merge 1 commit into
apache:developfrom
itxaiohanglover:fix/acl-ip-wildcard-and-npe

Conversation

@itxaiohanglover

Copy link
Copy Markdown

Fixes apache/rocketmq-dashboard#407. IPAddressUtils.isIPInRange did not recognize 0.0.0.0, ::, or * as wildcard addresses. When users configured 0.0.0.0 in ACL IP whitelist, it only matched the exact IP instead of all IPs.

IPAddressUtils.isIPInRange did not recognize 0.0.0.0, ::, or * as
wildcard addresses. When a user configured 0.0.0.0 in the ACL IP
whitelist, it only matched the exact IP 0.0.0.0 instead of all IPs.

Add support for:
- 0.0.0.0 and 0.0.0.0/0: match any IPv4 address
- :: and ::/0: match any IPv6 address
- *: match any address

Added test cases for all wildcard patterns.

@RockteMQ-AI RockteMQ-AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review by github-manager-bot

Summary

Adds wildcard/match-all IP support to IPAddressUtils.isIPInRange() for ACL whitelist configuration. Supports *, 0.0.0.0, 0.0.0.0/0, ::, and ::/0 as universal match patterns.

Findings

  • [Warning] IPAddressUtils.java:86-89 — Treating bare 0.0.0.0 as "match all" is a semantic choice that could be surprising. In standard networking, 0.0.0.0 can mean "any address" but also "this host" depending on context. Consider documenting this behavior explicitly in the method Javadoc, or only treating CIDR forms (0.0.0.0/0, ::/0) and * as wildcards to reduce ambiguity.

  • [Info] IPAddressUtilsTest.java — The tests show cross-protocol matching: isIPInRange("192.168.1.10", "::/0") returns true and isIPInRange("2001:0db8::1", "0.0.0.0/0") returns true. This is consistent with the "match all" semantics but worth a brief comment in the test to make the intent clear.

  • [Info] Good test coverage for the new wildcard paths. The implementation is clean and the early-return pattern avoids unnecessary CIDR parsing overhead.

Suggestions

  1. Add a Javadoc note on isIPInRange() explaining which values are treated as wildcards and the cross-protocol matching behavior.
  2. Consider whether 0.0.0.0 (without /0) should really be a wildcard — this could be a footgun if someone accidentally configures a single IP of 0.0.0.0 expecting it to match only that specific address.

Automated review by github-manager-bot

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

acl配置IP白名单 没权限问题

2 participants