egress: allow sourceware.org and savannah IPv6 (2001:470:142::/48)#648
sourceware.org (glibc, binutils, elfutils, etc.) resolves to 38.145.34.32 which is not covered by any existing CIDR — add a dnsName entry. savannah.gnu.org and git.savannah.nongnu.org have AAAA records in 2001:470:142::/48 (Hurricane Electric); the existing 209.51.188.0/24 only covers their IPv4 side. Add the IPv6 CIDR so either address family can reach the VCS.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Code Review
This pull request updates the OpenShift tenant egress policy to allow egress to sourceware.org and adds an IPv6 CIDR rule (2001:470:142::/48) for GNU/Savannah hosts. The review feedback identifies a critical security vulnerability: enabling IPv6 egress without a catch-all IPv6 deny rule (::/0) at the end of the file allows unrestricted IPv6 egress traffic. Additionally, the reviewer suggests correcting the updated comments to resolve contradictions regarding the cluster's IPv4-only policy and to generalize the IPv6 description for GNU hosts.
| - type: Allow | ||
| to: | ||
| cidrSelector: 2001:470:142::/48 |
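Review bot: this Allow for 2001:470:142::/48 is the first IPv6 rule in a file whose only catch-all is the 0.0.0.0/0 Deny, and a CIDR of one address family never matches a destination of the other, so every IPv6 destination outside this /48 falls through the rule list; since the file relies on a trailing Deny to close the default fall-through, add `- type: Deny` / `to:` / `cidrSelector: ::/0` directly after the 0.0.0.0/0 Deny, keeping it below this Allow so it does not shadow it. Also worth stating in the PR which stack the cluster runs: on a single-stack IPv4 cluster pods have no IPv6 source address, so both this Allow and a ::/0 Deny are inert and the "over IPv6" test-plan item cannot be exercised from a pod; on a dual-stack cluster the ::/0 Deny is required for the policy to remain a whitelist.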
Security Vulnerability: By adding an IPv6 CIDR rule (2001:470:142::/48) to allow egress to Savannah hosts over IPv6, you are enabling IPv6 egress on the cluster. However, the catch-all deny rule at the end of the file (line 121) only blocks IPv4 traffic (0.0.0.0/0). Without a corresponding deny rule for IPv6 (::/0), any other IPv6 egress traffic to any destination on the internet will be allowed by default, bypassing the egress firewall.
Please ensure that a catch-all deny rule for IPv6 is added at the end of the file (after the 0.0.0.0/0 deny rule):
  - type: Deny
    to:
      cidrSelector: ::/0
Sure, though hard to tell if this is correct.
I mean… the IPv4 catch-all is there… :D
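To make the disagreement above concrete, here is an added example (not the repository's manifest and not code from either bot) that models EgressFirewall evaluation offline: rules are walked top to bottom, the first match wins, and a connection matching no rule is allowed, which is the behaviour the trailing 0.0.0.0/0 Deny exists to close. The rule order, the resolved addresses for the dnsName entry and the sample destinations are constructed for the example; the real tenant-egress.yml order is not visible on this page. It shows that with the IPv4 catch-all alone an arbitrary IPv6 destination is allowed, that appending `::/0` closes it without breaking the Savannah /48, and it includes a small lint that reports which address families lack a Deny-all.

```python
"""Offline model of OpenShift EgressFirewall rule evaluation for this PR.

Added example, not the repository's manifest. Assumptions (labelled here and
in the lead-in): first matching rule wins, unmatched traffic is allowed, the
rule order below is constructed, and dnsName entries resolve from the
constructed RESOLVED table instead of live DNS so the script runs offline.
"""
import ipaddress

# Constructed stand-in for DNS answers: the sourceware.org address quoted in
# the PR, plus addresses chosen inside the two ranges the PR names.
RESOLVED = {
    "sourceware.org": ["38.145.34.32"],
    "savannah.gnu.org": ["209.51.188.10", "2001:470:142::10"],
}

# Rule list as the PR leaves the policy (constructed order): IPv4 catch-all only.
RULES_BEFORE = [
    {"type": "Allow", "to": {"dnsName": "sourceware.org"}},
    {"type": "Allow", "to": {"cidrSelector": "209.51.188.0/24"}},
    {"type": "Allow", "to": {"cidrSelector": "2001:470:142::/48"}},
    {"type": "Deny", "to": {"cidrSelector": "0.0.0.0/0"}},
]

# Same list with the ::/0 Deny the review asks for, placed after the IPv6 Allow.
RULES_AFTER = RULES_BEFORE + [{"type": "Deny", "to": {"cidrSelector": "::/0"}}]

CATCH_ALL = {4: ipaddress.ip_network("0.0.0.0/0"), 6: ipaddress.ip_network("::/0")}


def rule_matches(rule, dst):
    """True if the rule's 'to' selector covers the destination address dst."""
    to = rule["to"]
    if "cidrSelector" in to:
        # ip_network.__contains__ is False across address families, so an IPv6
        # destination never matches 0.0.0.0/0: the gap the review describes.
        return dst in ipaddress.ip_network(to["cidrSelector"])
    if "dnsName" in to:
        answers = RESOLVED.get(to["dnsName"], [])
        return any(dst == ipaddress.ip_address(a) for a in answers)
    return False


def verdict(rules, dst):
    """Type of the first matching rule, or 'Allow' when nothing matches."""
    addr = ipaddress.ip_address(dst)
    for rule in rules:
        if rule_matches(rule, addr):
            return rule["type"]
    return "Allow"  # default fall-through when no rule matches (assumed semantics)


def families_without_catch_all(rules):
    """Address families (4 and/or 6) that have no Deny-all rule anywhere in the list."""
    missing = set(CATCH_ALL)
    for rule in rules:
        cidr = rule["to"].get("cidrSelector")
        if rule["type"] == "Deny" and cidr:
            net = ipaddress.ip_network(cidr)
            if net in CATCH_ALL.values():
                missing.discard(net.version)
    return missing


if __name__ == "__main__":
    # Constructed destinations: an unrelated IPv6 host, a Savannah IPv6 host,
    # the sourceware.org address, and an unrelated IPv4 host.
    probes = ["2001:db8::1", "2001:470:142::10", "38.145.34.32", "198.51.100.7"]
    for name, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(f"{name}: families without catch-all = {families_without_catch_all(rules)}")
        for dst in probes:
            print(f"  {dst:>18} -> {verdict(rules, dst)}")
```

Running it shows `2001:db8::1` allowed under the IPv4-only catch-all and denied once `::/0` is appended, while `2001:470:142::10`, `38.145.34.32` and the 209.51.188.0/24 hosts stay allowed in both cases, so the extra Deny costs nothing for the intended destinations. The lint is the check to run in CI on the rendered manifest: any family that has an Allow but no Deny-all is open by default.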
| # GNU project hosting (gnu.org, ftp.gnu.org, savannah.gnu.org, savannah.nongnu.org, | ||
| # git.savannah.nongnu.org). IPv4: all resolve to 209.51.188.0/24; dnsName selector | ||
| # picks AAAA records which don't match this cluster's IPv4-only egress policy, so | ||
| # use CIDR instead. IPv6: savannah hosts use 2001:470:142::/48 (Hurricane Electric). |
The comment refers to "this cluster's IPv4-only egress policy", which is now contradictory since we are adding an IPv6 CIDR rule (2001:470:142::/48). Additionally, other GNU hosts like gnu.org and ftp.gnu.org also resolve to IPv6 addresses within the same 2001:470:142::/48 range, so the IPv6 description should be generalized beyond just "savannah hosts".
# GNU project hosting (gnu.org, ftp.gnu.org, savannah.gnu.org, savannah.nongnu.org,
# git.savannah.nongnu.org). IPv4: all resolve to 209.51.188.0/24; dnsName selector
# picks AAAA records which don't match the IPv4 CIDR, so use CIDR instead.
# IPv6: GNU and savannah hosts use 2001:470:142::/48 (Hurricane Electric).
PR Summary by Qodo

Allow egress to sourceware.org and Savannah GNU IPv6 range
Files changed (1)
Code Review by Qodo
Context used: Compliance rules (platform), 7 rules

1. Misleading IPv4-only comment
| # GNU project hosting (gnu.org, ftp.gnu.org, savannah.gnu.org, savannah.nongnu.org, | ||
| # git.savannah.nongnu.org). IPv4: all resolve to 209.51.188.0/24; dnsName selector | ||
| # picks AAAA records which don't match this cluster's IPv4-only egress policy, so | ||
| # use CIDR instead. IPv6: savannah hosts use 2001:470:142::/48 (Hurricane Electric). | ||
| - type: Allow | ||
| to: | ||
| cidrSelector: 209.51.188.0/24 | ||
| - type: Allow | ||
| to: | ||
| cidrSelector: 2001:470:142::/48 |
1. Misleading IPv4-only comment 🐞 Bug ⚙ Maintainability
The GNU hosting comment still claims this cluster has an "IPv4-only egress policy" while the same block now documents and adds an IPv6 allow rule (2001:470:142::/48), which makes the intended IP-family behavior unclear for future maintainers/operators.
Agent Prompt
### Issue description
The GNU hosting comment states the cluster uses an "IPv4-only egress policy" but the same section now adds an IPv6 CIDR allow rule. This is internally inconsistent and can confuse future changes (e.g., whether IPv6 egress is expected/supported/enforced here).
### Issue Context
This is purely a documentation/maintainability issue: the manifest includes both the IPv4-only statement and an IPv6 allowance in the same block.
### Fix Focus Areas
- openshift/tenant-egress.yml (lines 99-108)
### Suggested change
Reword the comment to accurately describe the current intent (e.g., clarify that IPv4 required CIDR due to DNS/AAAA behavior, and separately that an IPv6 CIDR is being explicitly allowed for savannah hosts), or remove the "IPv4-only" wording if it is no longer true.
Summary

- 2001:470:142::/48 (Hurricane Electric) for savannah.gnu.org and related GNU project hosts
- dnsName: sourceware.org egress rule — upstream git for glibc, binutils, elfutils, newlib, etc.
- git.savannah.nongnu.org and the IPv6 range

Test plan

- sourceware.org (e.g. clone glibc)
- git.savannah.nongnu.org over IPv6

🤖 Generated with Claude Code