lablup
diff --git a/‎src/server/config/mod.rs‎
Lines changed: 18 additions & 0 deletions b/‎src/server/config/mod.rs‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎src/server/handler.rs‎
Lines changed: 47 additions & 0 deletions b/‎src/server/handler.rs‎
Lines changed: 47 additions & 0 deletions
diff --git a/‎src/server/mod.rs‎
Lines changed: 54 additions & 1 deletion b/‎src/server/mod.rs‎
Lines changed: 54 additions & 1 deletion
@@ -165,6 +165,20 @@ pub struct ServerConfig {
     /// IP addresses that are never banned (whitelist).
     #[serde(default)]
     pub whitelist_ips: Vec<String>,
+
+    /// Allowed IP ranges in CIDR notation for connection filtering.
+    ///
+    /// If non-empty, only connections from these ranges are allowed.
+    /// Empty list means all IPs are allowed (subject to blocked_ips).
+    #[serde(default)]
+    pub allowed_ips: Vec<String>,
+
+    /// Blocked IP ranges in CIDR notation for connection filtering.
+    ///
+    /// Connections from these ranges are always denied.
+    /// Blocked IPs take priority over allowed IPs.
+    #[serde(default)]
+    pub blocked_ips: Vec<String>,
 }
 
 /// Serializable configuration for public key authentication.
@@ -260,6 +274,8 @@ impl Default for ServerConfig {
             auth_window_secs: default_auth_window_secs(),
             ban_time_secs: default_ban_time_secs(),
             whitelist_ips: Vec::new(),
+            allowed_ips: Vec::new(),
+            blocked_ips: Vec::new(),
         }
     }
 }
@@ -551,6 +567,8 @@ impl ServerFileConfig {
             auth_window_secs: self.security.auth_window,
             ban_time_secs: self.security.ban_time,
             whitelist_ips: self.security.whitelist_ips,
+            allowed_ips: self.security.allowed_ips,
+            blocked_ips: self.security.blocked_ips,
         }
     }
 }
 
@@ -66,6 +66,10 @@ pub struct SshHandler {
 
     /// Active channels for this connection.
     channels: HashMap<ChannelId, ChannelState>,
+
+    /// Whether this connection should be immediately rejected.
+    /// Set when IP access control denies the connection.
+    rejected: bool,
 }
 
 impl SshHandler {
@@ -90,6 +94,7 @@ impl SshHandler {
             auth_rate_limiter: None,
             session_info: Some(SessionInfo::new(peer_addr)),
             channels: HashMap::new(),
+            rejected: false,
         }
     }
 
@@ -114,6 +119,7 @@ impl SshHandler {
             auth_rate_limiter: None,
             session_info: Some(SessionInfo::new(peer_addr)),
             channels: HashMap::new(),
+            rejected: false,
         }
     }
 
@@ -140,6 +146,7 @@ impl SshHandler {
             auth_rate_limiter: Some(auth_rate_limiter),
             session_info: Some(SessionInfo::new(peer_addr)),
             channels: HashMap::new(),
+            rejected: false,
         }
     }
 
@@ -163,6 +170,32 @@ impl SshHandler {
             auth_rate_limiter: None,
             session_info: Some(SessionInfo::new(peer_addr)),
             channels: HashMap::new(),
+            rejected: false,
+        }
+    }
+
+    /// Create a handler for a rejected connection.
+    ///
+    /// This handler will immediately reject all authentication attempts.
+    /// Used when IP access control denies a connection.
+    pub fn rejected(
+        peer_addr: Option<SocketAddr>,
+        config: Arc<ServerConfig>,
+        sessions: Arc<RwLock<SessionManager>>,
+    ) -> Self {
+        let auth_provider = config.create_auth_provider();
+        let rate_limiter = RateLimiter::with_simple_config(1, 0.1);
+
+        Self {
+            peer_addr,
+            config,
+            sessions,
+            auth_provider,
+            rate_limiter,
+            auth_rate_limiter: None,
+            session_info: None, // No session for rejected connections
+            channels: HashMap::new(),
+            rejected: true,
         }
     }
 
@@ -246,6 +279,19 @@ impl russh::server::Handler for SshHandler {
             "Auth none attempt"
         );
 
+        // If connection was rejected by IP access control, immediately reject
+        if self.rejected {
+            tracing::debug!(
+                peer = ?self.peer_addr,
+                "Rejecting auth for IP-blocked connection"
+            );
+            return std::future::ready(Ok(Auth::Reject {
+                proceed_with_methods: None,
+                partial_success: false,
+            }))
+            .left_future();
+        }
+
         // Create session info if not already created
         let peer_addr = self.peer_addr;
         let sessions = Arc::clone(&self.sessions);
@@ -287,6 +333,7 @@ impl russh::server::Handler for SshHandler {
                 partial_success: false,
             })
         }
+        .right_future()
     }
 
     /// Handle public key authentication.
 
@@ -70,7 +70,9 @@ pub use self::config::{ServerConfig, ServerConfigBuilder};
 pub use self::exec::{CommandExecutor, ExecConfig};
 pub use self::handler::SshHandler;
 pub use self::pty::{PtyConfig as PtyMasterConfig, PtyMaster};
-pub use self::security::{AuthRateLimitConfig, AuthRateLimiter};
+pub use self::security::{
+    AccessPolicy, AuthRateLimitConfig, AuthRateLimiter, IpAccessControl, SharedIpAccessControl,
+};
 pub use self::session::{
     ChannelMode, ChannelState, PtyConfig, SessionId, SessionInfo, SessionManager,
 };
@@ -247,6 +249,15 @@ impl BsshServer {
             "Auth rate limiter configured"
         );
 
+        // Create IP access control from configuration
+        let ip_access_control = IpAccessControl::from_config(
+            &self.config.allowed_ips,
+            &self.config.blocked_ips,
+        )
+        .context("Failed to configure IP access control")?;
+
+        let shared_ip_access = SharedIpAccessControl::new(ip_access_control);
+
         // Start background cleanup task for auth rate limiter
         let cleanup_limiter = auth_rate_limiter.clone();
         tokio::spawn(async move {
@@ -262,6 +273,7 @@ impl BsshServer {
             sessions: Arc::clone(&self.sessions),
             rate_limiter,
             auth_rate_limiter,
+            ip_access_control: shared_ip_access,
         };
 
         // Use run_on_socket which handles the server loop
@@ -294,12 +306,53 @@ struct BsshServerRunner {
     rate_limiter: RateLimiter<String>,
     /// Auth rate limiter with ban support (fail2ban-like)
     auth_rate_limiter: AuthRateLimiter,
+    /// IP-based access control
+    ip_access_control: SharedIpAccessControl,
 }
 
 impl russh::server::Server for BsshServerRunner {
     type Handler = SshHandler;
 
     fn new_client(&mut self, peer_addr: Option<SocketAddr>) -> Self::Handler {
+        // Check IP access control before creating handler
+        if let Some(addr) = peer_addr {
+            let ip = addr.ip();
+
+            // Check IP access control (synchronous to avoid blocking)
+            if self.ip_access_control.check_sync(&ip) == AccessPolicy::Deny {
+                tracing::info!(
+                    ip = %ip,
+                    "Connection rejected by IP access control"
+                );
+                // Return a handler that will immediately reject
+                // We can't return None here due to trait constraints,
+                // so we'll mark it for rejection in the handler
+                return SshHandler::rejected(
+                    peer_addr,
+                    Arc::clone(&self.config),
+                    Arc::clone(&self.sessions),
+                );
+            }
+
+            // Check if banned by auth rate limiter
+            // Use try_read to avoid blocking in sync context
+            if let Ok(is_banned) = tokio::runtime::Handle::try_current()
+                .map(|h| h.block_on(self.auth_rate_limiter.is_banned(&ip)))
+            {
+                if is_banned {
+                    tracing::info!(
+                        ip = %ip,
+                        "Connection rejected from banned IP"
+                    );
+                    return SshHandler::rejected(
+                        peer_addr,
+                        Arc::clone(&self.config),
+                        Arc::clone(&self.sessions),
+                    );
+                }
+            }
+        }
+
         tracing::info!(
             peer = ?peer_addr,
             "New client connection"
Original file line number	Diff line number	Diff line change
`@@ -165,6 +165,20 @@ pub struct ServerConfig {`
`165`	`165`	`/// IP addresses that are never banned (whitelist).`
`166`	`166`	`#[serde(default)]`
`167`	`167`	`pub whitelist_ips: Vec<String>,`
	`168`	`+`
	`169`	`+ /// Allowed IP ranges in CIDR notation for connection filtering.`
	`170`	`+ ///`
	`171`	`+ /// If non-empty, only connections from these ranges are allowed.`
	`172`	`+ /// Empty list means all IPs are allowed (subject to blocked_ips).`
	`173`	`+ #[serde(default)]`
	`174`	`+ pub allowed_ips: Vec<String>,`
	`175`	`+`
	`176`	`+ /// Blocked IP ranges in CIDR notation for connection filtering.`
	`177`	`+ ///`
	`178`	`+ /// Connections from these ranges are always denied.`
	`179`	`+ /// Blocked IPs take priority over allowed IPs.`
	`180`	`+ #[serde(default)]`
	`181`	`+ pub blocked_ips: Vec<String>,`
`168`	`182`	`}`
`169`	`183`
`170`	`184`	`/// Serializable configuration for public key authentication.`
`@@ -260,6 +274,8 @@ impl Default for ServerConfig {`
`260`	`274`	`auth_window_secs: default_auth_window_secs(),`
`261`	`275`	`ban_time_secs: default_ban_time_secs(),`
`262`	`276`	`whitelist_ips: Vec::new(),`
	`277`	`+ allowed_ips: Vec::new(),`
	`278`	`+ blocked_ips: Vec::new(),`
`263`	`279`	`}`
`264`	`280`	`}`
`265`	`281`	`}`
`@@ -551,6 +567,8 @@ impl ServerFileConfig {`
`551`	`567`	`auth_window_secs: self.security.auth_window,`
`552`	`568`	`ban_time_secs: self.security.ban_time,`
`553`	`569`	`whitelist_ips: self.security.whitelist_ips,`
	`570`	`+ allowed_ips: self.security.allowed_ips,`
	`571`	`+ blocked_ips: self.security.blocked_ips,`
`554`	`572`	`}`
`555`	`573`	`}`
`556`	`574`	`}`