zenoh unifies data in motion, data in-use, data at rest and computations. It carefully blends traditional pub/sub with geo-distributed storages, queries and computations, while retaining a level of time and space efficiency that is well beyond any of the mainstream stacks.
Describe the bug
When the listener locator matches multiple interfaces, ACL rules can allow traffic which should be denied on a specific interface in certain edge cases. This is because the current code logic loops on interfaces looking for at least one explicit `allow` without checking the message's destination interface.

To reproduce
1. Run the `z_sub` example with the listener on all interfaces: `cargo run --example z_sub -- -c config.json5 -l tcp/0.0.0.0:7447 --no-multicast-scouting`, with the following config file:
2. Run the `z_pub` example with a localhost endpoint: `cargo run --example z_pub -- -e tcp/127.0.0.1:7447 --no-multicast-scouting`
3. Traffic on `lo0` gets through the `default_permission="deny"` config for the `lo0` interface.

System info
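As an added illustration (not zenoh's code), a simplified Rust model of the two evaluation strategies the report contrasts: accepting if any interface the listener is bound to carries an explicit allow, versus consulting only the interface the message actually arrived on. The `Rule` type, the function names and the interface names `en0`/`lo0` are assumptions for this example.

```rust
// Added example: a simplified model of interface-scoped ACL evaluation,
// not zenoh's actual implementation.
#[derive(Clone, Copy, PartialEq, Debug)]
enum Permission {
    Allow,
    Deny,
}

/// One ACL rule: a permission that applies to a set of interface names.
struct Rule<'a> {
    permission: Permission,
    interfaces: &'a [&'a str],
}

/// Evaluation as the report describes the bug: walk every interface the
/// listener is bound to (0.0.0.0 spans all of them) and accept as soon as
/// any one of them has an explicit allow, ignoring the message's own interface.
fn check_any_bound_interface(rules: &[Rule], bound: &[&str], default: Permission) -> Permission {
    for iface in bound {
        if rules
            .iter()
            .any(|r| r.permission == Permission::Allow && r.interfaces.contains(iface))
        {
            return Permission::Allow;
        }
    }
    default
}

/// Corrected evaluation: only rules for the message's destination interface
/// count; an explicit deny wins over an explicit allow, otherwise the default applies.
fn check_destination_interface(rules: &[Rule], dest: &str, default: Permission) -> Permission {
    let explicit: Vec<Permission> = rules
        .iter()
        .filter(|r| r.interfaces.contains(&dest))
        .map(|r| r.permission)
        .collect();
    if explicit.contains(&Permission::Deny) {
        Permission::Deny
    } else if explicit.contains(&Permission::Allow) {
        Permission::Allow
    } else {
        default
    }
}

fn main() {
    // Constructed scenario mirroring the report: default deny, only en0 allowed,
    // listener bound to both en0 and lo0, message arriving on lo0.
    let rules = [Rule { permission: Permission::Allow, interfaces: &["en0"] }];
    let bound = ["en0", "lo0"];
    let buggy = check_any_bound_interface(&rules, &bound, Permission::Deny);
    let fixed = check_destination_interface(&rules, "lo0", Permission::Deny);
    println!("lo0 traffic: buggy={:?} fixed={:?}", buggy, fixed);
}
```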