mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 10:18:54 +00:00
At the moment, the mapping of proxy IPs to the resolved IPs of a DNS resource happens at the same time as the "authorisation" that the client is allowed to talk to that resource. This is somewhat convoluted because:

- Mapping proxy IPs to resolved IPs only needs to happen for DNS resources, yet it is called for all resources (and internally skipped).
- Wildcard DNS resources only need to be authorised once, after which the client is allowed to communicate with any domain matching the wildcard address.
- The code that models resources within `ClientOnGateway` doesn't differentiate between resource types at all.

With #6461, the authorisation of a resource will be completely decoupled from the domain resolution for a particular domain of a DNS resource. To make that easier to implement, we re-model the internals of `ClientOnGateway` to differentiate the various resource types. Instead of holding a single vec of addresses, the IPs are now indexed by the respective domain. For CIDR resources, we only hold a single address anyway and for the Internet Resource, the IP networks are static.

This new model now implies that allowing a resource that has already been allowed essentially implies an update and the filters get re-calculated.
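The following is an added illustration of the re-modelled `ClientOnGateway` described in this commit message; it is a hypothetical Rust sketch written for this page, not Firezone's code. It shows resources stored per kind, DNS resources indexing resolved IPs by domain, and re-allowing an already-allowed resource acting as an update that recalculates the filters. The type names, the `u64` resource id, and the `(address, prefix)` filter representation are assumptions.

```rust
use std::collections::{BTreeMap, BTreeSet};
use std::net::Ipv4Addr;

/// One resource, modelled per kind (hypothetical sketch, not Firezone's types).
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Resource {
    Cidr(Ipv4Addr, u8), // CIDR resource: one network as (address, prefix length)
    Dns(BTreeMap<String, BTreeSet<Ipv4Addr>>), // DNS resource: resolved IPs indexed by domain
    Internet, // Internet resource: static networks (here just 0.0.0.0/0)
}

#[derive(Debug, Default)]
pub struct ClientOnGateway {
    resources: BTreeMap<u64, Resource>,
    /// Derived state, recalculated from `resources` after every change.
    filters: BTreeSet<(Ipv4Addr, u8)>,
}

impl ClientOnGateway {
    /// Allowing an already-allowed resource is an update: replace, then recalculate.
    pub fn allow_resource(&mut self, id: u64, resource: Resource) {
        self.resources.insert(id, resource);
        self.recalculate_filters();
    }
    /// Resolved IPs for one domain of a DNS resource; other kinds are skipped (returns false).
    pub fn assign_resolved_ips(&mut self, id: u64, domain: &str, ips: &[Ipv4Addr]) -> bool {
        let by_domain = match self.resources.get_mut(&id) {
            Some(Resource::Dns(m)) => m,
            _ => return false,
        };
        by_domain.entry(domain.to_string()).or_default().extend(ips.iter().copied());
        self.recalculate_filters();
        true
    }
    fn recalculate_filters(&mut self) {
        self.filters = self.resources.values().flat_map(|r| match r {
            Resource::Cidr(net, prefix) => vec![(*net, *prefix)],
            Resource::Dns(by_domain) => by_domain.values().flatten().map(|ip| (*ip, 32u8)).collect(),
            Resource::Internet => vec![(Ipv4Addr::UNSPECIFIED, 0u8)],
        }).collect();
    }
    /// Does any current filter cover `dst`? (prefix 0 matches everything)
    pub fn is_allowed(&self, dst: Ipv4Addr) -> bool {
        self.filters.iter().any(|(net, prefix)| {
            let mask = u32::MAX.checked_shl(32 - u32::from(*prefix)).unwrap_or(0);
            (u32::from(dst) & mask) == (u32::from(*net) & mask)
        })
    }
}
```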