enh: 35% faster is_valid_ip() when fast=1

bin/plugin/group-aclkeeper/groupAddServer

@@ -16,7 +16,7 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
     options            => {
         "group=s"          => \my $group,
         "protocol=s"       => \my $protocol,
-        "force"            => \my $force,           # for slashes, and/or for servers that are down (no connection test)
+        "force"            => \my $force,           # for subnets, and/or for servers that are down (no connection test)
         "force-key=s"      => \my $forceKey,
         "force-password=s" => \my $forcePassword,
         "ttl=s"            => \my $ttl,
@@ -34,8 +34,8 @@ Add an IP or IP block to a group's servers list
 Usage: --osh SCRIPT_NAME --group GROUP --host HOST --user USER|* --port PORT|* [OPTIONS]
 
   --group GROUP            Specify which group this machine should be added to
-  --host HOST|IP|NET/CIDR  Host(s) to add access to, either a HOST which will be resolved to an IP immediately,
-                             or an IP, or a whole network using the NET/CIDR notation
+  --host HOST|IP|SUBNET    Host(s) to add access to, either a HOST which will be resolved to an IP immediately,
+                             or an IP, or a whole subnet using the PREFIX/SIZE notation
   --user USER|PATTERN|*    Specify which remote user should be allowed to connect as.
                              Globbing characters '*' and '?' are supported, so you can specify a pattern
                              that will be matched against the actual remote user name.

bin/plugin/group-aclkeeper/groupDelServer

@@ -30,8 +30,8 @@ Remove an IP or IP block from a group's server list
 Usage: --osh SCRIPT_NAME --group GROUP --host HOST --user USER --port PORT [OPTIONS]
 
   --group GROUP            Specify which group this machine should be removed from
-  --host HOST|IP|NET/CIDR  Host(s) to remove access from, either a HOST which will be resolved to an IP immediately,
-                             or an IP, or a whole network using the NET/CIDR notation
+  --host HOST|IP|SUBNET    Host(s) to remove access from, either a HOST which will be resolved to an IP immediately,
+                             or an IP, or a whole subnet using the PREFIX/SIZE notation
   --user USER|PATTERN|*    Specify which remote user was allowed to connect as.
                              Globbing characters '*' and '?' are supported, so you can specify a pattern
                              that will be matched against the actual remote user name.

bin/plugin/group-aclkeeper/groupSetServers

@@ -115,9 +115,9 @@ while (my $line = <STDIN>) {
         $acl_user = $fnret->value;
     }
 
-    # resolve host, unless it looks like a prefix
+    # resolve host, unless it looks like a subnet
     if ($acl_host =~ m{/}) {
-        $fnret = OVH::Bastion::is_valid_ip(ip => $acl_host, allowPrefixes => 1);
+        $fnret = OVH::Bastion::is_valid_ip(ip => $acl_host, allowSubnets => 1);
     }
     else {
         $fnret = OVH::Bastion::get_ip(host => $acl_host);

bin/plugin/group-gatekeeper/groupAddGuestAccess

@@ -35,8 +35,8 @@ Usage: --osh SCRIPT_NAME --group GROUP --account ACCOUNT [OPTIONS]
   --account ACCOUNT        Name of the other bastion account to add access to, they'll be given access to the GROUP key
   --group GROUP            Group to add the guest access to, note that this group should already have access
                              to the USER/HOST/PORT tuple you'll specify with the options below.
-  --host HOST|IP|NET/CIDR  Host(s) to add access to, either a HOST which will be resolved to an IP immediately,
-                             or an IP, or a whole network using the NET/CIDR notation
+  --host HOST|IP|SUBNET    Host(s) to add access to, either a HOST which will be resolved to an IP immediately,
+                             or an IP, or a whole subnet using the PREFIX/SIZE notation
   --user USER|PATTERN|*    Specify which remote user should be allowed to connect as.
                              Globbing characters '*' and '?' are supported, so you can specify a pattern
                              that will be matched against the actual remote user name.

bin/plugin/group-gatekeeper/groupDelGuestAccess

@@ -32,8 +32,8 @@ Usage: --osh SCRIPT_NAME --group GROUP --account ACCOUNT [OPTIONS]
 
   --account ACCOUNT        Bastion account remove the guest access from
   --group GROUP            Specify which group to remove the guest access to ACCOUNT from
-  --host HOST|IP|NET/CIDR  Host(s) to remove access from, either a HOST which will be resolved to an IP immediately,
-                             or an IP, or a whole network using the NET/CIDR notation
+  --host HOST|IP|SUBNET    Host(s) to remove access from, either a HOST which will be resolved to an IP immediately,
+                             or an IP, or a whole subnet using the PREFIX/SIZE notation
   --user USER|PATTERN|*    Specify which remote user was allowed to connect as.
                              Globbing characters '*' and '?' are supported, so you can specify a pattern
                              that will be matched against the actual remote user name.

bin/plugin/open/alive

@@ -53,7 +53,7 @@ if (not $host) {
 
 if ($host =~ m{/}) {
     help();
-    osh_exit 'ERR_INVALID_PARAMETER', "Please use a single IP, not a netblock";
+    osh_exit 'ERR_INVALID_PARAMETER', "Please use a single IP, not a subnet";
 }
 
 osh_info "Waiting for $host to be alive...";

bin/plugin/open/mtr

@@ -44,7 +44,7 @@ if (not $host) {
 
 if ($host =~ m{/}) {
     help();
-    osh_exit 'ERR_INVALID_PARAMETER', "Please use a single IP, not a netblock";
+    osh_exit 'ERR_INVALID_PARAMETER', "Please use a single IP, not a subnet";
 }
 
 my @command = qw{ mtr --show-ips --aslookup -n };

bin/plugin/open/nc

@@ -61,7 +61,7 @@ if (!$fnret) {
 
 if ($host =~ m{/}) {
     help();
-    osh_exit 'ERR_INVALID_PARAMETER', "Please use a single IP, not a netblock";
+    osh_exit 'ERR_INVALID_PARAMETER', "Please use a single IP, not a subnet";
 }
 
 osh_info "Checking whether TCP port $port of $host is reachable...";

bin/plugin/open/ping

@@ -55,7 +55,7 @@ if (not $host) {
 
 if ($host =~ m{/}) {
     help();
-    osh_exit 'ERR_INVALID_PARAMETER', "Please use a single IP, not a netblock";
+    osh_exit 'ERR_INVALID_PARAMETER', "Please use a single IP, not a subnet";
 }
 
 my @command = qw{ ping };

bin/plugin/restricted/accountAddPersonalAccess

@@ -34,8 +34,8 @@ Add a personal server access to an account
 Usage: --osh SCRIPT_NAME --account ACCOUNT --host HOST --user USER --port PORT [OPTIONS]
 
   --account                Bastion account to add the access to
-  --host HOST|IP|NET/CIDR  Host(s) to add access to, either a HOST which will be resolved to an IP immediately,
-                             or an IP, or a whole network using the NET/CIDR notation
+  --host HOST|IP|SUBNET    Host(s) to add access to, either a HOST which will be resolved to an IP immediately,
+                             or an IP, or a whole subnet using the PREFIX/SIZE notation
   --user USER|PATTERN|*    Specify which remote user should be allowed to connect as.
                              Globbing characters '*' and '?' are supported, so you can specify a pattern
                              that will be matched against the actual remote user name.
@@ -66,8 +66,8 @@ EOF
 
 =head2 widest_v4_prefix (optional, integer, between 0 and 32)
 
-When specified, this limits the size of prefixes that can be added to an ACL, e.g. 24 would not allow
-prefixes wider than /24 (such as /20 or /16).
+When specified, this limits the size of subnets that can be added to an ACL, e.g. 24 would not allow
+prefix lengths wider than /24 (such as /20 or /16).
 
 Note that this doesn't prevent users from adding thousands of ACLs to cover a wide range of networks,
 but this helps ensuring ACLs such as 0.0.0.0/0 can't be added in a single command.

bin/plugin/restricted/accountDelPersonalAccess

@@ -29,8 +29,8 @@ Remove a personal server access from an account
 Usage: --osh SCRIPT_NAME --account ACCOUNT --host HOST --user USER --port PORT [OPTIONS]
 
   --account                Bastion account to remove access from
-  --host HOST|IP|NET/CIDR  Host(s) to remove access from, either a HOST which will be resolved to an IP immediately,
-                             or an IP, or a whole network using the NET/CIDR notation
+  --host HOST|IP|SUBNET    Host(s) to remove access from, either a HOST which will be resolved to an IP immediately,
+                             or an IP, or a whole subnet using the PREFIX/SIZE notation
   --user USER|PATTERN|*    Specify which remote user was allowed to connect as.
                              Globbing characters '*' and '?' are supported, so you can specify a pattern
                              that will be matched against the actual remote user name.

bin/plugin/restricted/assetForgetHostKey

@@ -27,10 +27,10 @@ if (!$ip) {
     osh_exit 'ERR_MISSING_PARAMETER', "Missing mandatory parameter --host (or host didn't resolve correctly)";
 }
 
-# IP can't be a prefix
+# IP can't be a subnet
 if ($ip =~ m{/}) {
     help();
-    osh_exit 'ERR_INVALID_PARAMETER', "Specified IP must not be a prefix ($ip)";
+    osh_exit 'ERR_INVALID_PARAMETER', "Specified IP must not be a subnet ($ip)";
 }
 
 osh_info "Removing $ip host key from accounts...";

bin/plugin/restricted/selfAddPersonalAccess

@@ -33,8 +33,8 @@ Add a personal server access to your account
 
 Usage: --osh SCRIPT_NAME --host HOST --user USER --port PORT [OPTIONS]
 
-  --host HOST|IP|NET/CIDR  Host(s) to add access to, either a HOST which will be resolved to an IP immediately,
-                             or an IP, or a whole network using the NET/CIDR notation
+  --host HOST|IP|SUBNET    Host(s) to add access to, either a HOST which will be resolved to an IP immediately,
+                             or an IP, or a whole subnet using the PREFIX/SIZE notation
   --user USER|PATTERN|*    Specify which remote user should be allowed to connect as.
                              Globbing characters '*' and '?' are supported, so you can specify a pattern
                              that will be matched against the actual remote user name.
@@ -63,8 +63,8 @@ EOF
 
 =head2 widest_v4_prefix (optional, integer, between 0 and 32)
 
-When specified, this limits the size of prefixes that can be added to an ACL, e.g. 24 would not allow
-prefixes wider than /24 (such as /20 or /16).
+When specified, this limits the size of subnets that can be added to an ACL, e.g. 24 would not allow
+prefix lengths wider than /24 (such as /20 or /16).
 
 Note that this doesn't prevent users from adding thousands of ACLs to cover a wide range of networks,
 but this helps ensuring ACLs such as 0.0.0.0/0 can't be added in a single command.

bin/plugin/restricted/selfDelPersonalAccess

@@ -27,8 +27,8 @@ Remove a personal server access from your account
 
 Usage: --osh SCRIPT_NAME --host HOST --user USER --port PORT [OPTIONS]
 
-  --host HOST|IP|NET/CIDR  Host(s) to remove access from, either a HOST which will be resolved to an IP immediately,
-                             or an IP, or a whole network using the NET/CIDR notation
+  --host HOST|IP|SUBNET    Host(s) to remove access from, either a HOST which will be resolved to an IP immediately,
+                             or an IP, or a whole subnet using the PREFIX/SIZE notation
   --user USER|PATTERN|*    Specify which remote user was allowed to connect as.
                              Globbing characters '*' and '?' are supported, so you can specify a pattern
                              that will be matched against the actual remote user name.

bin/shell/osh.pl

@@ -610,16 +610,16 @@ sub main_exit {
 # if: avoid loading Net::IP and BigInt if there's no host specified
 if ($host) {
 
-    # can be an IP (v4 or v6), hostname, or netblock (with a /)
+    # can be an IP (v4 or v6), hostname, or subnet (with a /)
     if ($host !~ m{^\[?[a-zA-Z0-9._/:-]+\]?$}) {
         main_exit OVH::Bastion::EXIT_INVALID_REMOTE_HOST, 'invalid_remote_host',
           "Remote host name '$host' seems invalid";
     }
 
-    # netblocks are only allowed for plugins
+    # subnets are only allowed for plugins
     if (index($host, '/') != -1 && !$osh_command) {
         main_exit OVH::Bastion::EXIT_INVALID_REMOTE_HOST, 'invalid_remote_host',
-          "Remote host '$host' looks like a netblock, can't connect to that";
+          "Remote host '$host' looks like a subnet, can't connect to that";
     }
 
     # probably this "host" is in fact an option, but we didn't parse it because it's an unknown one,
@@ -630,12 +630,12 @@ sub main_exit {
     }
 
     # otherwise, resolve the host
-    $fnret = OVH::Bastion::get_ip(host => $host, allowPrefixes => ($osh_command ? 1 : 0));
+    $fnret = OVH::Bastion::get_ip(host => $host, allowSubnets => ($osh_command ? 1 : 0));
 
-    # if it's a netblock but get_ip() sends an error, it's an invalid netblock
+    # if it's a subnet but get_ip() sends an error, it's an invalid subnet
     if (!$fnret && index($host, '/') != -1) {
         main_exit OVH::Bastion::EXIT_INVALID_REMOTE_HOST, 'invalid_remote_host',
-          "Remote host '$host' looks like a netblock, but with an invalid prefix";
+          "Remote host '$host' looks like a subnet, but with an invalid prefix";
     }
 }
 

doc/sphinx/administration/configuration/bastion_conf.rst

@@ -366,7 +366,7 @@ If set to 0, The Bastion will never attempt to do DNS or reverse-DNS resolutions
 allowedNetworks
 ***************
 
-:Type: ``array of strings (IPs and/or prefixes)``
+:Type: ``array of strings (IPs and/or subnets)``
 
 :Default: ``[]``
 
@@ -379,13 +379,13 @@ Restricts egress connection attempts to those listed networks only. This is enfo
 forbiddenNetworks
 *****************
 
-:Type: ``array of strings (IPs and/or prefixes)``
+:Type: ``array of strings (IPs and/or subnets)``
 
 :Default: ``[]``
 
 :Example: ``["10.42.42.0/24"]``
 
-Prevents egress connection to the listed networks, this takes precedence over ``allowedNetworks``. This can be used to prevent connection to some hosts or subnets in a broadly allowed prefix. This is enforced at all times and can NOT be overridden by users.
+Prevents egress connection to the listed networks, this takes precedence over ``allowedNetworks``. This can be used to prevent connection to some hosts or subnets in a broadly allowed subnet. This is enforced at all times and can NOT be overridden by users.
 
 .. _ingressToEgressRules:
 
@@ -575,11 +575,11 @@ Other ingress policies
 ingressKeysFrom
 ***************
 
-:Type: ``array of strings (list of IPs and/or prefixes)``
+:Type: ``array of strings (list of IPs and/or subnets)``
 
 :Default: ``[]``
 
-This array of IPs (or prefixes, such as ``10.20.30.0/24``) will be used to build the ``from="..."`` in front of the ingress account public keys used to connect to the bastion (in ``accountCreate`` or ``selfAddIngressKey``). If the array is empty, then **NO** ``from="..."`` is added (this lowers the security).
+This array of IPs (or subnets, such as ``10.20.30.0/24``) will be used to build the ``from="..."`` in front of the ingress account public keys used to connect to the bastion (in ``accountCreate`` or ``selfAddIngressKey``). If the array is empty, then **NO** ``from="..."`` is added (this lowers the security).
 
 .. _ingressKeysFromAllowOverride:
 
@@ -613,7 +613,7 @@ The default remote user to use for egress ssh connections where no user has been
 egressKeysFrom
 **************
 
-:Type: ``array of strings (IPs and/or prefixes)``
+:Type: ``array of strings (IPs and/or subnets)``
 
 :Default: ``[]``
 
@@ -864,7 +864,7 @@ List of system groups to add a new account to when its created (see ``accountCre
 accountCreateDefaultPersonalAccesses
 ************************************
 
-:Type: ``array of strings (list of IPs and/or prefixes)``
+:Type: ``array of strings (list of IPs and/or subnets)``
 
 :Default: ``[]``
 

doc/sphinx/plugins/group-aclkeeper/groupAddServer.rst

@@ -18,11 +18,11 @@ Add an IP or IP block to a group's servers list
 
    Specify which group this machine should be added to
 
-.. option:: --host HOST|IP|NET/CIDR
+.. option:: --host HOST|IP|SUBNET
 
    Host(s) to add access to, either a HOST which will be resolved to an IP immediately,
 
-                             or an IP, or a whole network using the NET/CIDR notation
+                             or an IP, or a whole subnet using the PREFIX/SIZE notation
   --user USER|PATTERN|*    Specify which remote user should be allowed to connect as.
                              Globbing characters '*' and '?' are supported, so you can specify a pattern
                              that will be matched against the actual remote user name.

doc/sphinx/plugins/group-aclkeeper/groupDelServer.rst

@@ -18,11 +18,11 @@ Remove an IP or IP block from a group's server list
 
    Specify which group this machine should be removed from
 
-.. option:: --host HOST|IP|NET/CIDR
+.. option:: --host HOST|IP|SUBNET
 
    Host(s) to remove access from, either a HOST which will be resolved to an IP immediately,
 
-                             or an IP, or a whole network using the NET/CIDR notation
+                             or an IP, or a whole subnet using the PREFIX/SIZE notation
   --user USER|PATTERN|*    Specify which remote user was allowed to connect as.
                              Globbing characters '*' and '?' are supported, so you can specify a pattern
                              that will be matched against the actual remote user name.

doc/sphinx/plugins/group-gatekeeper/groupAddGuestAccess.rst

@@ -23,11 +23,11 @@ Add a specific group server access to an account
    Group to add the guest access to, note that this group should already have access
 
                              to the USER/HOST/PORT tuple you'll specify with the options below.
-.. option:: --host HOST|IP|NET/CIDR
+.. option:: --host HOST|IP|SUBNET
 
    Host(s) to add access to, either a HOST which will be resolved to an IP immediately,
 
-                             or an IP, or a whole network using the NET/CIDR notation
+                             or an IP, or a whole subnet using the PREFIX/SIZE notation
   --user USER|PATTERN|*    Specify which remote user should be allowed to connect as.
                              Globbing characters '*' and '?' are supported, so you can specify a pattern
                              that will be matched against the actual remote user name.

doc/sphinx/plugins/group-gatekeeper/groupDelGuestAccess.rst

@@ -22,11 +22,11 @@ Remove a specific group server access from an account
 
    Specify which group to remove the guest access to ACCOUNT from
 
-.. option:: --host HOST|IP|NET/CIDR
+.. option:: --host HOST|IP|SUBNET
 
    Host(s) to remove access from, either a HOST which will be resolved to an IP immediately,
 
-                             or an IP, or a whole network using the NET/CIDR notation
+                             or an IP, or a whole subnet using the PREFIX/SIZE notation
   --user USER|PATTERN|*    Specify which remote user was allowed to connect as.
                              Globbing characters '*' and '?' are supported, so you can specify a pattern
                              that will be matched against the actual remote user name.

doc/sphinx/plugins/restricted/accountAddPersonalAccess.rst

@@ -18,11 +18,11 @@ Add a personal server access to an account
 
    Bastion account to add the access to
 
-.. option:: --host HOST|IP|NET/CIDR
+.. option:: --host HOST|IP|SUBNET
 
    Host(s) to add access to, either a HOST which will be resolved to an IP immediately,
 
-                             or an IP, or a whole network using the NET/CIDR notation
+                             or an IP, or a whole subnet using the PREFIX/SIZE notation
   --user USER|PATTERN|*    Specify which remote user should be allowed to connect as.
                              Globbing characters '*' and '?' are supported, so you can specify a pattern
                              that will be matched against the actual remote user name.
@@ -68,9 +68,9 @@ Options
 
 .. option:: widest_v4_prefix (optional, integer, between 0 and 32)
 
-    When specified, this limits the size of prefixes that can be added to an
-    ACL, e.g. 24 would not allow prefixes wider than /24 (such as /20 or
-    /16).
+    When specified, this limits the size of subnets that can be added to an
+    ACL, e.g. 24 would not allow prefix lengths wider than /24 (such as /20
+    or /16).
     Note that this doesn't prevent users from adding thousands of ACLs to
     cover a wide range of networks, but this helps ensuring ACLs such as
     0.0.0.0/0 can't be added in a single command.