egress: allow sourceware.org and savannah IPv6 (2001:470:142::/48)#648

Merged: TomasTomecek merged 1 commit into packit:main from TomasTomecek:more-domains-gnu-sourcesomething on Jul 1, 2026
Conversation

@TomasTomecek (Member)

Summary

  • Add IPv6 CIDR 2001:470:142::/48 (Hurricane Electric) for savannah.gnu.org and related GNU project hosts
  • Add dnsName: sourceware.org egress rule — upstream git for glibc, binutils, elfutils, newlib, etc.
  • Update comment to mention git.savannah.nongnu.org and the IPv6 range

Test plan

  • Verify agents can reach sourceware.org (e.g. clone glibc)
  • Verify agents can reach git.savannah.nongnu.org over IPv6

🤖 Generated with Claude Code

sourceware.org (glibc, binutils, elfutils, etc.) resolves to 38.145.34.32
which is not covered by any existing CIDR — add a dnsName entry.

savannah.gnu.org and git.savannah.nongnu.org have AAAA records in
2001:470:142::/48 (Hurricane Electric); the existing 209.51.188.0/24
only covers their IPv4 side. Add the IPv6 CIDR so either address
family can reach the VCS.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

@gemini-code-assist (Bot, Contributor) left a comment

Code Review

This pull request updates the OpenShift tenant egress policy to allow egress to sourceware.org and adds an IPv6 CIDR rule (2001:470:142::/48) for GNU/Savannah hosts. The review feedback identifies a critical security vulnerability: enabling IPv6 egress without a catch-all IPv6 deny rule (::/0) at the end of the file allows unrestricted IPv6 egress traffic. Additionally, the reviewer suggests correcting the updated comments to resolve contradictions regarding the cluster's IPv4-only policy and to generalize the IPv6 description for GNU hosts.

Comment on lines +106 to +108

    - type: Allow
      to:
        cidrSelector: 2001:470:142::/48

Contributor

security-high

Security Vulnerability: By adding an IPv6 CIDR rule (2001:470:142::/48) to allow egress to Savannah hosts over IPv6, you are enabling IPv6 egress on the cluster. However, the catch-all deny rule at the end of the file (line 121) only blocks IPv4 traffic (0.0.0.0/0). Without a corresponding deny rule for IPv6 (::/0), any other IPv6 egress traffic to any destination on the internet will be allowed by default, bypassing the egress firewall.

Please ensure that a catch-all deny rule for IPv6 is added at the end of the file (after the 0.0.0.0/0 deny rule):

    - type: Deny
      to:
        cidrSelector: ::/0
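The two failure modes discussed in this thread, a host address that no CIDR rule covers and an IPv6 Allow with no IPv6 catch-all Deny, as an added Python check that is not part of this PR or the packit repository. The rule list is constructed to mirror the rules quoted in the thread, and first-match, top-to-bottom evaluation is assumed.

```python
import ipaddress

# Constructed rule list mirroring the rules quoted in this PR thread (not the real
# manifest): Savannah IPv4 and IPv6 CIDRs, the new dnsName rule, and the IPv4-only
# catch-all Deny. First-match, top-to-bottom evaluation is assumed.
EGRESS_RULES = [
    {"type": "Allow", "to": {"cidrSelector": "209.51.188.0/24"}},
    {"type": "Allow", "to": {"cidrSelector": "2001:470:142::/48"}},
    {"type": "Allow", "to": {"dnsName": "sourceware.org"}},
    {"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}},
]


def _cidr(rule):
    """The rule's cidrSelector as an ip_network, or None for dnsName rules."""
    cidr = rule["to"].get("cidrSelector")
    return ipaddress.ip_network(cidr, strict=False) if cidr else None


def missing_catch_all_denies(rules):
    """IP versions with an Allow CIDR but no catch-all Deny (0.0.0.0/0 or ::/0).
    An IPv6 Allow without a ::/0 Deny leaves all other IPv6 destinations to the
    policy engine's default, which is the gap raised in the review above."""
    allowed, denied = set(), set()
    for rule in rules:
        net = _cidr(rule)
        if net is None:                      # dnsName rule: no address family to record
            continue
        if rule["type"] == "Allow":
            allowed.add(net.version)
        elif rule["type"] == "Deny" and net.prefixlen == 0:
            denied.add(net.version)
    return sorted(allowed - denied)


def first_match(rules, address):
    """(index, type) of the first CIDR rule matching address, or None if none does.
    dnsName rules are skipped: they need live DNS (and AAAA answers are ignored by an IPv4-only policy anyway)."""
    ip = ipaddress.ip_address(address)
    for i, rule in enumerate(rules):
        net = _cidr(rule)
        if net is not None and ip in net:    # False when address families differ
            return i, rule["type"]
    return None


if __name__ == "__main__":
    print("IP versions lacking a catch-all Deny:", missing_catch_all_denies(EGRESS_RULES))
    for addr in ("38.145.34.32", "2001:470:142::10", "2001:db8::1"):
        print(addr, "->", first_match(EGRESS_RULES, addr))
```

With the constructed rules, 38.145.34.32 reaches only the IPv4 catch-all Deny (so it depends entirely on the dnsName rule), while an unrelated IPv6 address matches nothing at all; appending a `::/0` Deny makes the missing-family check come back empty.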

Member Author

sure, though hard to tell if this is correct

Member

I mean… the IPv4 catch-all is there… :D

Comment on lines +99 to +102

    # GNU project hosting (gnu.org, ftp.gnu.org, savannah.gnu.org, savannah.nongnu.org,
    # git.savannah.nongnu.org). IPv4: all resolve to 209.51.188.0/24; dnsName selector
    # picks AAAA records which don't match this cluster's IPv4-only egress policy, so
    # use CIDR instead. IPv6: savannah hosts use 2001:470:142::/48 (Hurricane Electric).

Contributor

medium

The comment refers to "this cluster's IPv4-only egress policy", which is now contradictory since we are adding an IPv6 CIDR rule (2001:470:142::/48). Additionally, other GNU hosts like gnu.org and ftp.gnu.org also resolve to IPv6 addresses within the same 2001:470:142::/48 range, so the IPv6 description should be generalized beyond just "savannah hosts".

    # GNU project hosting (gnu.org, ftp.gnu.org, savannah.gnu.org, savannah.nongnu.org,
    # git.savannah.nongnu.org). IPv4: all resolve to 209.51.188.0/24; dnsName selector
    # picks AAAA records which don't match the IPv4 CIDR, so use CIDR instead.
    # IPv6: GNU and savannah hosts use 2001:470:142::/48 (Hurricane Electric).

@qodo-for-packit
PR Summary by Qodo

Allow egress to sourceware.org and Savannah GNU IPv6 range

Labels: ⚙️ Configuration changes, ✨ Enhancement, 🕐 10-20 minutes
AI Description

• Allow outbound access to GNU Savannah over IPv6 via 2001:470:142::/48.
• Permit egress to sourceware.org for upstream toolchain/glibc git traffic.
• Clarify GNU hosting comment with IPv4/IPv6 rationale and covered hosts.
Diagram:

    graph TD
      W["Tenant workloads"] --> P["TenantEgress policy"] --> S{{"Savannah GNU hosts"}}
      P --> R{{"sourceware.org"}}
High-Level Assessment

The following are alternative approaches to this PR:

1. Use a /32 cidrSelector for sourceware.org (38.145.34.32/32)
  • ➕ Tighter, fully deterministic allowlist (no DNS-based expansion)
  • ➕ Avoids surprises if DNS starts returning additional IPs
  • ➖ Brittle if sourceware.org IP changes or adds additional A records
  • ➖ Requires ongoing maintenance and risk of unexpected breakage

Recommendation: Current approach is appropriate: keep Savannah as CIDR-based to avoid AAAA-selection issues, and use dnsName for sourceware.org to reduce maintenance burden. If policy strictness becomes a concern, consider switching sourceware.org to a /32 CIDR with a clear maintenance plan.

Files changed (1): +12 / -3

openshift/tenant-egress.yml (+12/-3): Expand TenantEgress allowlist for Savannah IPv6 and sourceware.org

• Adds an IPv6 CIDR allow rule (2001:470:142::/48) for Savannah GNU hosts in addition to the existing IPv4 CIDR. Introduces a dnsName-based allow rule for sourceware.org and updates the surrounding comment to explain IPv4/IPv6 behavior and included hosts.

@qodo-for-packit

Code Review by Qodo

🐞 Bugs (1) · 📘 Rule violations (0) · 📜 Skill insights (0)

Context used: ✅ Compliance rules (platform): 7 rules

Informational

1. Misleading IPv4-only comment 🐞 Bug ⚙ Maintainability

Description: The GNU hosting comment still claims this cluster has an "IPv4-only egress policy" while the same block now documents and adds an IPv6 allow rule (2001:470:142::/48), which makes the intended IP-family behavior unclear for future maintainers/operators.

Code: openshift/tenant-egress.yml[R99-108]

+    # GNU project hosting (gnu.org, ftp.gnu.org, savannah.gnu.org, savannah.nongnu.org,
+    # git.savannah.nongnu.org). IPv4: all resolve to 209.51.188.0/24; dnsName selector
+    # picks AAAA records which don't match this cluster's IPv4-only egress policy, so
+    # use CIDR instead. IPv6: savannah hosts use 2001:470:142::/48 (Hurricane Electric).
    - type: Allow
      to:
        cidrSelector: 209.51.188.0/24
+    - type: Allow
+      to:
+        cidrSelector: 2001:470:142::/48
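Review bot: the comment on the hunk's first lines still says this cluster has an "IPv4-only egress policy" while the `cidrSelector: 2001:470:142::/48` Allow added at the end of the hunk makes the policy dual-stack; reword it to describe what the CIDR actually works around, e.g. `# picks AAAA records which don't match the IPv4 CIDR, so use CIDR instead.` and `# IPv6: GNU and savannah hosts use 2001:470:142::/48 (Hurricane Electric).` Since the only catch-all Deny mentioned anywhere in this thread is `0.0.0.0/0`, the new IPv6 Allow should be paired with a trailing `- type: Deny` / `cidrSelector: ::/0` so IPv6 destinations outside the allowed range are denied as explicitly as IPv4 ones; and a /48 admits far more addresses than the handful of GNU hosts it is meant for, so the comment should say the range is a provider block rather than a host list.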
Relevance: ⭐⭐ Medium

Mixed history: wording-clarity comment fix accepted (#309) but misleading/comment rewording rejected elsewhere (#395). (PR-#309, PR-#395)

ⓘ Recommendations generated based on similar findings in past PRs

Evidence: The file comment explicitly mentions an "IPv4-only egress policy" and immediately follows it with an IPv6-specific explanation and an IPv6 CIDR allow rule, creating an internal inconsistency in the manifest documentation.

openshift/tenant-egress.yml[99-108]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The GNU hosting comment states the cluster uses an "IPv4-only egress policy" but the same section now adds an IPv6 CIDR allow rule. This is internally inconsistent and can confuse future changes (e.g., whether IPv6 egress is expected/supported/enforced here).

### Issue Context
This is purely a documentation/maintainability issue: the manifest includes both the IPv4-only statement and an IPv6 allowance in the same block.

### Fix Focus Areas
- openshift/tenant-egress.yml[99-108]

### Suggested change
Reword the comment to accurately describe the current intent (e.g., clarify that IPv4 required CIDR due to DNS/AAAA behavior, and separately that an IPv6 CIDR is being explicitly allowed for savannah hosts), or remove the "IPv4-only" wording if it is no longer true.

TomasTomecek merged commit 35ee067 into packit:main on Jul 1, 2026. 11 checks passed.

    # GNU project hosting (gnu.org, ftp.gnu.org, savannah.gnu.org, savannah.nongnu.org,
    # git.savannah.nongnu.org). IPv4: all resolve to 209.51.188.0/24; dnsName selector
    # picks AAAA records which don't match this cluster's IPv4-only egress policy, so
    # use CIDR instead. IPv6: savannah hosts use 2001:470:142::/48 (Hurricane Electric).

Member

They tunnel the IPv6???? wtf :D
