[management, client] Add API to change the network range (#4177)

2026-04-18 08:16:39 +00:00 · 2025-08-04 16:45:49 +02:00
parent 58eb3c8cc2
commit beb66208a0
20 changed files with 606 additions and 27 deletions
--- a/management/server/types/config.go
+++ b/management/server/types/config.go
@@ -53,7 +53,7 @@ type Config struct {
 	StoreConfig StoreConfig

 	ReverseProxy ReverseProxy
-	
+
 	// disable default all-to-all policy
 	DisableDefaultPolicy bool
 }
--- a/management/server/types/network.go
+++ b/management/server/types/network.go
@@ -163,7 +163,10 @@ func (n *Network) Copy() *Network {
 // E.g. if ipNet=100.30.0.0/16 and takenIps=[100.30.0.1, 100.30.0.4] then the result would be 100.30.0.2 or 100.30.0.3
 func AllocatePeerIP(ipNet net.IPNet, takenIps []net.IP) (net.IP, error) {
 	baseIP := ipToUint32(ipNet.IP.Mask(ipNet.Mask))
-	totalIPs := uint32(1 << SubnetSize)
+
+	ones, bits := ipNet.Mask.Size()
+	hostBits := bits - ones
+	totalIPs := uint32(1 << hostBits)

 	taken := make(map[uint32]struct{}, len(takenIps)+1)
 	taken[baseIP] = struct{}{}            // reserve network IP
--- a/management/server/types/network_test.go
+++ b/management/server/types/network_test.go
@@ -5,6 +5,7 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestNewNetwork(t *testing.T) {
@@ -38,6 +39,107 @@ func TestAllocatePeerIP(t *testing.T) {
 	}
 }

+func TestAllocatePeerIPSmallSubnet(t *testing.T) {
+	// Test /27 network (10.0.0.0/27) - should only have 30 usable IPs (10.0.0.1 to 10.0.0.30)
+	ipNet := net.IPNet{IP: net.ParseIP("10.0.0.0"), Mask: net.IPMask{255, 255, 255, 224}}
+	var ips []net.IP
+
+	// Allocate all available IPs in the /27 network
+	for i := 0; i < 30; i++ {
+		ip, err := AllocatePeerIP(ipNet, ips)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		// Verify IP is within the correct range
+		if !ipNet.Contains(ip) {
+			t.Errorf("allocated IP %s is not within network %s", ip.String(), ipNet.String())
+		}
+
+		ips = append(ips, ip)
+	}
+
+	assert.Len(t, ips, 30)
+
+	// Verify all IPs are unique
+	uniq := make(map[string]struct{})
+	for _, ip := range ips {
+		if _, ok := uniq[ip.String()]; !ok {
+			uniq[ip.String()] = struct{}{}
+		} else {
+			t.Errorf("found duplicate IP %s", ip.String())
+		}
+	}
+
+	// Try to allocate one more IP - should fail as network is full
+	_, err := AllocatePeerIP(ipNet, ips)
+	if err == nil {
+		t.Error("expected error when network is full, but got none")
+	}
+}
+
+func TestAllocatePeerIPVariousCIDRs(t *testing.T) {
+	testCases := []struct {
+		name           string
+		cidr           string
+		expectedUsable int
+	}{
+		{"/30 network", "192.168.1.0/30", 2},   // 4 total - 2 reserved = 2 usable
+		{"/29 network", "192.168.1.0/29", 6},   // 8 total - 2 reserved = 6 usable
+		{"/28 network", "192.168.1.0/28", 14},  // 16 total - 2 reserved = 14 usable
+		{"/27 network", "192.168.1.0/27", 30},  // 32 total - 2 reserved = 30 usable
+		{"/26 network", "192.168.1.0/26", 62},  // 64 total - 2 reserved = 62 usable
+		{"/25 network", "192.168.1.0/25", 126}, // 128 total - 2 reserved = 126 usable
+		{"/16 network", "10.0.0.0/16", 65534},  // 65536 total - 2 reserved = 65534 usable
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			_, ipNet, err := net.ParseCIDR(tc.cidr)
+			require.NoError(t, err)
+
+			var ips []net.IP
+
+			// For larger networks, test only a subset to avoid long test runs
+			testCount := tc.expectedUsable
+			if testCount > 1000 {
+				testCount = 1000
+			}
+
+			// Allocate IPs and verify they're within the correct range
+			for i := 0; i < testCount; i++ {
+				ip, err := AllocatePeerIP(*ipNet, ips)
+				require.NoError(t, err, "failed to allocate IP %d", i)
+
+				// Verify IP is within the correct range
+				assert.True(t, ipNet.Contains(ip), "allocated IP %s is not within network %s", ip.String(), ipNet.String())
+
+				// Verify IP is not network or broadcast address
+				networkIP := ipNet.IP.Mask(ipNet.Mask)
+				ones, bits := ipNet.Mask.Size()
+				hostBits := bits - ones
+				broadcastInt := uint32(ipToUint32(networkIP)) + (1 << hostBits) - 1
+				broadcastIP := uint32ToIP(broadcastInt)
+
+				assert.False(t, ip.Equal(networkIP), "allocated network address %s", ip.String())
+				assert.False(t, ip.Equal(broadcastIP), "allocated broadcast address %s", ip.String())
+
+				ips = append(ips, ip)
+			}
+
+			assert.Len(t, ips, testCount)
+
+			// Verify all IPs are unique
+			uniq := make(map[string]struct{})
+			for _, ip := range ips {
+				ipStr := ip.String()
+				assert.NotContains(t, uniq, ipStr, "found duplicate IP %s", ipStr)
+				uniq[ipStr] = struct{}{}
+			}
+		})
+	}
+}
+
 func TestGenerateIPs(t *testing.T) {
 	ipNet := net.IPNet{IP: net.ParseIP("100.64.0.0"), Mask: net.IPMask{255, 255, 255, 0}}
 	ips, ipsLen := generateIPs(&ipNet, map[string]struct{}{"100.64.0.0": {}})
--- a/management/server/types/settings.go
+++ b/management/server/types/settings.go
@@ -1,6 +1,7 @@
 package types

 import (
+	"net/netip"
 	"time"
 )

@@ -42,6 +43,9 @@ type Settings struct {
 	// DNSDomain is the custom domain for that account
 	DNSDomain string

+	// NetworkRange is the custom network range for that account
+	NetworkRange netip.Prefix `gorm:"serializer:json"`
+
 	// Extra is a dictionary of Account settings
 	Extra *ExtraSettings `gorm:"embedded;embeddedPrefix:extra_"`

@@ -66,6 +70,7 @@ func (s *Settings) Copy() *Settings {
 		RoutingPeerDNSResolutionEnabled: s.RoutingPeerDNSResolutionEnabled,
 		LazyConnectionEnabled:           s.LazyConnectionEnabled,
 		DNSDomain:                       s.DNSDomain,
+		NetworkRange:                    s.NetworkRange,
 	}
 	if s.Extra != nil {
 		settings.Extra = s.Extra.Copy()