fix component alias ranges being ignored #2247
Merged
Pull request overview
Updates enterprise firewall rule generation to include component-alias destination ranges when computing destination addresses, and adds regression tests for mixed IPv4/IPv6 and range-merging behavior. Also bumps defguard_common crate version and refreshes Rust/Nix lockfiles.
Changes:
- Merge component alias destination ranges into ACL rule destination range processing during firewall rule generation.
- Refactor destination address processing to share range-handling logic between ACL rules and aliases.
- Add SQLx tests covering IPv6 range + IPv4 manual destination and merging of rule/alias destination ranges.
Reviewed changes
Copilot reviewed 4 out of 6 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| crates/defguard_core/src/enterprise/firewall/mod.rs | Merges alias destination ranges into destination processing; refactors range handling into a shared helper. |
| crates/defguard_core/src/enterprise/firewall/tests.rs | Adds helper to insert rule destination ranges and adds regression tests for mixed-stack/range merging. |
| crates/defguard_common/Cargo.toml | Bumps internal crate version to 1.6.5. |
| Cargo.toml | Updates workspace dependency version for defguard_common to 1.6.5. |
| Cargo.lock | Dependency lock refresh consistent with version bump and updated crates. |
| flake.lock | Updates pinned nixpkgs and rust-overlay revisions/hashes. |
Comments suppressed due to low confidence (1)
crates/defguard_core/src/enterprise/firewall/mod.rs:500
`ipv4_dest_ranges`/`ipv6_dest_ranges` are `Vec<RangeInclusive<IpAddr>>`, but `Iterator::chain` expects an iterator. As written, `.chain(ipv4_dest_ranges)`/`.chain(ipv6_dest_ranges)` will not compile; use `.into_iter()` (or keep them as iterators) when chaining.

```rust
// combine iterators
let ipv4_dest_addrs = ipv4_dest_net_addrs.chain(ipv4_dest_ranges).collect();
let ipv6_dest_addrs = ipv6_dest_net_addrs.chain(ipv6_dest_ranges).collect();
```
j-chmielewski previously approved these changes Mar 10, 2026
j-chmielewski approved these changes Mar 10, 2026
Address ranges in component aliases are not being processed correctly - they are collected, but then ignored when generating a firewall rule.
Also bump version and dependencies in preparation for a bugfix release.
Resolves #2261
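
The failure mode described above, as an added Rust illustration that is not code from the defguard repository: rule and component-alias destination ranges are combined, split by address family, and merged, with a switch that reproduces the "collected, but then ignored" behaviour. The names `range`, `as_u128`, `merge_ranges`, `destination_ranges` and `include_alias` are hypothetical, and the addresses are constructed samples.

```rust
use std::net::IpAddr;
use std::ops::RangeInclusive;
type Range = RangeInclusive<IpAddr>;

// Hypothetical helper: build a range from two address strings.
fn range(start: &str, end: &str) -> Range {
    start.parse::<IpAddr>().unwrap()..=end.parse::<IpAddr>().unwrap()
}

// Numeric value of an address; only compared within one address family.
fn as_u128(ip: &IpAddr) -> u128 {
    match ip {
        IpAddr::V4(a) => u128::from(u32::from(*a)),
        IpAddr::V6(a) => u128::from(*a),
    }
}

// Sort ranges of a single family and merge overlapping or adjacent ones.
fn merge_ranges(mut ranges: Vec<Range>) -> Vec<Range> {
    ranges.sort_by_key(|r| as_u128(r.start()));
    let mut merged: Vec<Range> = Vec::new();
    for r in ranges {
        if let Some(last) = merged.last_mut() {
            if as_u128(r.start()) <= as_u128(last.end()).saturating_add(1) {
                if as_u128(r.end()) > as_u128(last.end()) {
                    *last = *last.start()..=*r.end();
                }
                continue;
            }
        }
        merged.push(r);
    }
    merged
}

// (IPv4, IPv6) ranges for one rule; `include_alias = false` models the bug.
fn destination_ranges(rule: &[Range], alias: &[Range], include_alias: bool) -> (Vec<Range>, Vec<Range>) {
    let alias: &[Range] = if include_alias { alias } else { &[] };
    let (v4, v6): (Vec<Range>, Vec<Range>) =
        rule.iter().chain(alias.iter()).cloned().partition(|r| r.start().is_ipv4());
    (merge_ranges(v4), merge_ranges(v6))
}

fn main() {
    // Constructed sample data (documentation address space), not from the PR.
    let rule = [range("192.0.2.10", "192.0.2.20")];
    let alias = [range("192.0.2.15", "192.0.2.40"), range("2001:db8::1", "2001:db8::ff")];
    println!("alias ignored: {:?}", destination_ranges(&rule, &alias, false));
    println!("alias merged:  {:?}", destination_ranges(&rule, &alias, true));
}
```

With the alias ranges dropped, the IPv6 destination list is empty and the IPv4 list stops at the rule's own range, so the generated rule's destinations no longer match what the ACL defines.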