Document named IP lists (wafList) — Firewall page, permissions, transform fix#66
Open
acoshift wants to merge 2 commits into
Open
Document named IP lists (wafList) — Firewall page, permissions, transform fix#66acoshift wants to merge 2 commits into
acoshift wants to merge 2 commits into
Conversation
Adds a "Named IP lists" section: creating lists via the CLI, the
ipInList(<field>, "<list-name>") macro in rule expressions and limit
filters, expansion semantics (round-trip storage, bare-IP /32//128,
empty list never matches, re-materialization fan-out), the caps table
with the WAF_COST_LIMIT >= 10000 operator note, and the
delete-while-referenced error. Cross-links the macro from the
expression reference as a platform macro distinct from the engine
surface.
Also corrects the expression reference to the real engine field
request.remote_ip (the page said request.ip, which the engine does not
define) and documents ipInCidr, which the new section builds on.
Note: apiserver#238 (waf-test) adds server-side CEL compile validation
to waf.set; per the lists design that validation runs on the expanded
expression, which is exactly the behavior documented here ("stores what
you wrote", expansion at apply time). No merge conflict expected — this
change touches only the docs repo.
…rm request.ip - roles.md: add the wafList.* permission row (camelCase, not covered by waf.*) and correct the "always lowercase" claim to exact/case-sensitive matching, since wafList.* is the first mixed-case permission family. - waf.md: note the wafList.* permission gap next to the feature, add the list-name constraint (3-26 chars, lowercase/digits/hyphens) to the caps table, and point at the console lists page (Firewall page > IP lists). - transform.md: request.ip -> request.remote_ip; the engine surface has no ip key, so a copied filter eval-errors and silently never applies. Same fix waf.md already got on this branch. Docs-only change; no code path shared with apiserver#238 (waf.set CEL compile validation), which validates the expanded expression exactly as the "How expansion works" section here describes - no conflict expected.
Preview
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Documents the WAF named IP lists feature per
SPEC-waf-ip-lists.md§10:content/networking/waf.md— new Named IP lists section: concept,deploys wafList set/get/list/deleteCLI examples,ipInList(request.remote_ip, "name")reference syntax, exact expansion semantics (platform macro →ipInCidrchain; empty list never matches; macro form round-trips throughwaf.get/console), caps table (incl. list-name constraint and theWAF_COST_LIMIT >= 10000self-hosted note), re-materialization on list edit, delete-while-referenced error (verbatim server format), performance guidance, console lists page pointer, and thewafList.*permission gap callout.content/networking/waf.md— corrects the expression surface:request.ip→request.remote_ip(the engine key isremote_ip;ipdoes not exist) and documentsipInCidr.content/networking/transform.md— samerequest.ip→request.remote_ipfix on the sibling page (transform filters compile over the identicalrequest.*surface; a copiedrequest.ipfilter eval-errors and silently never applies).content/access/roles.md— adds thewafList.list/get/set/deleterow (camelCase; not covered by existingwaf.*grants — spec §7) and corrects the "permissions are always lowercase" claim to exact/case-sensitive matching, sincewafList.*is the first mixed-case permission family.All values (five caps, name constraint 3–26 chars
^[a-z][a-z0-9\-]*[a-z0-9]$, error wording, CLI flags, console operator labels) were checked against the implementation branches (api/apiserver/console/deployswaf-ip-lists) and parapet v0.18.4pkg/waf.Test evidence
hugo --minifybuilds clean (59 pages, no warnings).grep -rn 'request\.ip\b' content/— no remaining stale references.Rollout / cross-feature notes
wafList.*migration before binary, then api re-pin in apiserver/console/deploys/mcp per the spec's rollout gates.waf.set): different repo, and #238 validates the expanded expression — exactly the behavior the "How expansion works" section documents.Spec:
SPEC-waf-ip-lists.md