
lib/connections: Allow negative ACL entries on devices (fixes #4096)

Prefix an entry with "!" to make it a negative entry. First match wins.

GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/4097
Jakob Borg 8 years ago
parent
commit
dd1f7a5ab7
2 changed files with 22 additions and 1 deletions
  1. 15 0
      lib/connections/connections_test.go
  2. 7 1
      lib/connections/service.go

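--- a/lib/connections/connections_test.go
+++ b/lib/connections/connections_test.go
@@ -81,6 +81,21 @@ func TestAllowedNetworks(t *testing.T) {
 			[]string{"192.168.0.0/24", "fe80::/48"},
 			true,
 		},
+		{
+			"10.20.30.40",
+			[]string{"!10.20.30.0/24", "10.0.0.0/8"},
+			false,
+		},
+		{
+			"10.20.30.40",
+			[]string{"10.0.0.0/8", "!10.20.30.0/24"},
+			true,
+		},
+		{
+			"[fe80::1]:4242",
+			[]string{"192.168.0.0/24", "!fe00::/8", "fe80::/48"},
+			false,
+		},
 	}
 
 	for _, tc := range cases {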
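Review bot: The new cases pin the first-match ordering rule but not the degenerate inputs the `!` prefix introduces: an entry that is just `!` and a negative entry whose CIDR does not parse (e.g. `!10.20.30.0/244`, a constructed typo) both fall through to the next entry in IsAllowedNetwork, so a mistyped deny rule is silently ignored and a later allow rule still admits the address. A case such as `{"10.20.30.40", []string{"!", "!10.20.30.0/244", "10.0.0.0/8"}, true}` would make that fall-through explicit, and its expectation is exactly what should flip if the parse-error branch is later changed to fail closed or to reject the list at config-load time. TestAllowedNetworks begins before the hunk and the loop that drives these cases continues after it.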

+ 7 - 1
lib/connections/service.go

@@ -12,6 +12,7 @@ import (
 	"fmt"
 	"net"
 	"net/url"
+	"strings"
 	"time"
 
 	"github.com/syncthing/syncthing/lib/config"
@@ -662,12 +663,17 @@ func IsAllowedNetwork(host string, allowed []string) bool {
 	}
 
 	for _, n := range allowed {
+		result := true
+		if strings.HasPrefix(n, "!") {
+			result = false
+			n = n[1:]
+		}
 		_, cidr, err := net.ParseCIDR(n)
 		if err != nil {
 			continue
 		}
 		if cidr.Contains(addr.IP) {
-			return true
+			return result
 		}
 	}