Permission constraints for public IP addresses

[florianschendel]

Hi,

I am in the process of defining a permission based on the IP class. So RFC1918, Class A, B, C and public IP addresses.
The plan is to create a permission for public IPs. I have already tried a regex but unfortunately the netbox reports that json is invalid after a certain complexity.
Does anyone have an idea how to map this?

[koratfood]

Here is my attempt at something which could help you get started (corrections/improvements very welcome):

[
{"address__gte": "1.0.0.0/24", "address__lte": "9.255.255.255/24"},
{"address__gte": "11.0.0.0/24", "address__lte": "100.63.255.255/24"},
{"address__gte": "100.128.0.0/24", "address__lte": "126.255.255.255/24"}
]

The above constraint JSON should make an object permission apply to the following ranges:

• 1.0.0.0-9.255.255.255
• 11.0.0.0-100.63.255.255
• 100.128.0.0-126.255.255.255

..all of which are examples of public Class-A IPv4 ranges. Append as desired.

Considering that the above ranges span way larger networks, /24 may seem a rather odd prefix. However, as of Netbox 3.4.2 with my limited testing so far, this seems to work fine. I cannot quite seem to get the desired result if I change e.g. the first range to /8 on both ends.

One caveat is that, if you apply this to a read-only permission, and an applicable user tries (on the /ipam/ip-addresses/ page) to edit an IP address which is outside the constrained range(s), Netbox will say "The requested page does not exist." instead of notifying the user that they lack permission. Or so it seems. I might report it as a bug after some further testing and verification.

[jeremystretch]

You're on the right track here @koratfood, and we can simplify the logic a bit using the net_contained lookup:

[
  {"address__net_contained": "10.0.0.0/8"},
  {"address__net_contained": "172.16.0.0/12"},
  {"address__net_contained": "192.168.0.0/16"}
]

[kkthxbye-code]

Jeremy's answer is probably more correct, I guess net_host_contained ignores the netmask of the target address, not sure if that is something one wants in your scenario.

[jeremystretch]

Ha you beat me to it. It'll probably take some iteration to achieve the desired behavior, but seems like it should be possible.

[koratfood]

That certainly looks less confusing than my initial take. Thanks!

[florianschendel]

thanks for all the answers!
I tried the net_contained and host_contained and it works without any issues for the case of private (rfc1918) addresses.

I just looking for a more efficient way to define the public ip addresses. My idea was to define a negative list based on rfc1918. Allow every ip address that is not in the rfc1918 range. But I´m not sure how I can negate in the constraints.