From a272b61ed61b703ffffde389f8b0e57ba37ea4a3 Mon Sep 17 00:00:00 2001 From: Ainar Garipov Date: Mon, 24 Oct 2022 16:29:44 +0300 Subject: [PATCH] Pull request: 5035-netip-maps-access Updates #5035. Squashed commit of the following: commit 0c9f80761419dc50d89e0e82f68cdb462569417d Author: Ainar Garipov Date: Mon Oct 24 16:11:03 2022 +0300 dnsforward: fix access check commit df981acb4816cfba11bf6bbe4ef7796a6e365ea9 Author: Ainar Garipov Date: Mon Oct 24 15:27:45 2022 +0300 dnsforward: mv access to netip.Addr --- go.mod | 10 ++--- go.sum | 19 ++++---- internal/aghnet/hostscontainer.go | 2 + internal/dnsforward/access.go | 70 ++++++++++++++---------------- internal/dnsforward/access_test.go | 12 ++--- internal/dnsforward/config.go | 13 ++++-- internal/dnsforward/dns.go | 2 + internal/dnsforward/dnsforward.go | 31 +++++++++---- internal/home/clients.go | 2 + 9 files changed, 91 insertions(+), 70 deletions(-) diff --git a/go.mod b/go.mod index 992b4428..8e96920f 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.18 require ( github.com/AdguardTeam/dnsproxy v0.46.1 - github.com/AdguardTeam/golibs v0.10.9 + github.com/AdguardTeam/golibs v0.11.0 github.com/AdguardTeam/urlfilter v0.16.0 github.com/NYTimes/gziphandler v1.1.1 github.com/ameshkov/dnscrypt/v2 v2.2.5 @@ -29,9 +29,9 @@ require ( github.com/ti-mo/netfilter v0.4.0 go.etcd.io/bbolt v1.3.6 golang.org/x/crypto v0.0.0-20220926161630-eccd6366d1be - golang.org/x/exp v0.0.0-20220929160808-de9c53c655b9 - golang.org/x/net v0.0.0-20220927171203-f486391704dc - golang.org/x/sys v0.0.0-20220928140112-f11e5e49a4ec + golang.org/x/exp v0.0.0-20221019170559-20944726eadf + golang.org/x/net v0.1.0 + golang.org/x/sys v0.1.0 gopkg.in/natefinch/lumberjack.v2 v2.0.0 gopkg.in/yaml.v3 v3.0.1 howett.net/plist v1.0.0 
@@ -61,7 +61,7 @@ require ( github.com/u-root/uio v0.0.0-20220204230159-dac05f7d2cb4 // indirect golang.org/x/mod v0.6.0-dev.0.20220922195421-2adab6b8c60e // indirect golang.org/x/sync v0.0.0-20220819030929-7fc1605a5dde // indirect - golang.org/x/text v0.3.7 // indirect + golang.org/x/text v0.4.0 // indirect golang.org/x/tools v0.1.12 // indirect gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect ) diff --git a/go.sum b/go.sum index f5eff3fa..05a48470 100644 --- a/go.sum +++ b/go.sum @@ -2,8 +2,8 @@ github.com/AdguardTeam/dnsproxy v0.46.1 h1:ej9iRorG+vekaXGYB854waAiS+q8OfswYZ1MQ github.com/AdguardTeam/dnsproxy v0.46.1/go.mod h1:PAmRzFqls0E92XTglyY2ESAqMAzZJhHKErG1ZpRnpjA= github.com/AdguardTeam/golibs v0.4.0/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4= github.com/AdguardTeam/golibs v0.10.4/go.mod h1:rSfQRGHIdgfxriDDNgNJ7HmE5zRoURq8R+VdR81Zuzw= -github.com/AdguardTeam/golibs v0.10.9 h1:F9oP2da0dQ9RQDM1lGR7LxUTfUWu8hEFOs4icwAkKM0= -github.com/AdguardTeam/golibs v0.10.9/go.mod h1:W+5rznZa1cSNSFt+gPS7f4Wytnr9fOrd5ZYqwadPw14= +github.com/AdguardTeam/golibs v0.11.0 h1:fWp5bRLL7N806HWeNiRM7vHJH+wwWQ3Z6kpGPeu2onM= +github.com/AdguardTeam/golibs v0.11.0/go.mod h1:87bN2x4VsTritptE3XZg9l8T6gznWsIxHBcQ1DeRIXA= github.com/AdguardTeam/gomitmproxy v0.2.0/go.mod h1:Qdv0Mktnzer5zpdpi5rAwixNJzW2FN91LjKJCkVbYGU= github.com/AdguardTeam/urlfilter v0.16.0 h1:IO29m+ZyQuuOnPLTzHuXj35V1DZOp1Dcryl576P2syg= github.com/AdguardTeam/urlfilter v0.16.0/go.mod h1:46YZDOV1+qtdRDuhZKVPSSp7JWWes0KayqHrKAFBdEI= 
@@ -175,8 +175,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20220926161630-eccd6366d1be h1:fmw3UbQh+nxngCAHrDCCztao/kbYFnWjoqop8dHx05A= golang.org/x/crypto v0.0.0-20220926161630-eccd6366d1be/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/exp v0.0.0-20220929160808-de9c53c655b9 h1:lNtcVz/3bOstm7Vebox+5m3nLh/BYWnhmc3AhXOW6oI= -golang.org/x/exp v0.0.0-20220929160808-de9c53c655b9/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE= +golang.org/x/exp v0.0.0-20221019170559-20944726eadf h1:nFVjjKDgNY37+ZSYCJmtYf7tOlfQswHqplG2eosjOMg= +golang.org/x/exp v0.0.0-20221019170559-20944726eadf/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE= golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 
@@ -206,8 +206,8 @@ golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qx golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210929193557-e81a3d93ecf6/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.0.0-20220927171203-f486391704dc h1:FxpXZdoBqT8RjqTy6i1E8nXHhW21wK7ptQ/EPIGxzPQ= -golang.org/x/net v0.0.0-20220927171203-f486391704dc/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0= +golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -254,16 +254,17 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220928140112-f11e5e49a4ec h1:BkDtF2Ih9xZ7le9ndzTA7KJow28VbQW3odyk/8drmuI= -golang.org/x/sys v0.0.0-20220928140112-f11e5e49a4ec/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg= +golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 
diff --git a/internal/aghnet/hostscontainer.go b/internal/aghnet/hostscontainer.go index 9b9124d9..46430e4e 100644 --- a/internal/aghnet/hostscontainer.go +++ b/internal/aghnet/hostscontainer.go @@ -21,6 +21,8 @@ import ( "github.com/miekg/dns" ) +//lint:file-ignore SA1019 TODO(a.garipov): Replace [*netutil.IPMap]. + // DefaultHostsPaths returns the slice of paths default for the operating system // to files and directories which are containing the hosts database. The result // is intended to be used within fs.FS so the initial slash is omitted. diff --git a/internal/dnsforward/access.go b/internal/dnsforward/access.go index ddf3d93f..6d45a6d5 100644 --- a/internal/dnsforward/access.go +++ b/internal/dnsforward/access.go @@ -3,25 +3,26 @@ package dnsforward import ( "encoding/json" "fmt" - "net" "net/http" + "net/netip" "strings" "github.com/AdguardTeam/AdGuardHome/internal/aghalg" "github.com/AdguardTeam/AdGuardHome/internal/aghhttp" "github.com/AdguardTeam/golibs/log" - "github.com/AdguardTeam/golibs/netutil" "github.com/AdguardTeam/golibs/stringutil" "github.com/AdguardTeam/urlfilter" "github.com/AdguardTeam/urlfilter/filterlist" ) -// accessCtx controls IP and client blocking that takes place before all other -// processing. An accessCtx is safe for concurrent use. -type accessCtx struct { - // TODO(e.burkov): Use map[netip.Addr]struct{} instead. - allowedIPs *netutil.IPMap - blockedIPs *netutil.IPMap +// unit is a convenient alias for struct{} +type unit = struct{} + +// accessManager controls IP and client blocking that takes place before all +// other processing. An accessManager is safe for concurrent use. +type accessManager struct { + allowedIPs map[netip.Addr]unit + blockedIPs map[netip.Addr]unit allowedClientIDs *stringutil.Set blockedClientIDs *stringutil.Set 
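Review bot: The `//lint:file-ignore SA1019` directive added above `DefaultHostsPaths` silences every deprecation warning in this file, not only the ones for `*netutil.IPMap`. A later use of some other deprecated API here would then go unreported. A line-level directive at each IPMap use, `//lint:ignore SA1019 TODO(a.garipov): Replace [*netutil.IPMap].`, would keep the check active for the rest of the file. The same file-wide directive is added in dns.go, dnsforward.go and home/clients.go.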
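Review bot: The doc comment on `accessManager` still promises safety for concurrent use, but `allowedIPs` and `blockedIPs` are now plain Go maps, which are safe for concurrent reads only while nothing writes to them. In the visible hunks the maps are filled only through `processAccessClients`, which presumably runs during `newAccessCtx`, so the claim holds only while that stays true. I would state the invariant in the comment, for example `// The maps and slices must not be modified after newAccessCtx returns.` The `unit` comment is also missing its final period.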
@@ -29,36 +30,29 @@ type accessCtx struct { blockedHostsEng *urlfilter.DNSEngine // TODO(a.garipov): Create a type for a set of IP networks. - // netutil.IPNetSet? - allowedNets []*net.IPNet - blockedNets []*net.IPNet + allowedNets []netip.Prefix + blockedNets []netip.Prefix } -// unit is a convenient alias for struct{} -type unit = struct{} - // processAccessClients is a helper for processing a list of client strings, // which may be an IP address, a CIDR, or a ClientID. func processAccessClients( clientStrs []string, - ips *netutil.IPMap, - nets *[]*net.IPNet, + ips map[netip.Addr]unit, + nets *[]netip.Prefix, clientIDs *stringutil.Set, ) (err error) { for i, s := range clientStrs { - if ip := net.ParseIP(s); ip != nil { - ips.Set(ip, unit{}) - } else if cidrIP, ipnet, cidrErr := net.ParseCIDR(s); cidrErr == nil { - ipnet.IP = cidrIP + var ip netip.Addr + var ipnet netip.Prefix + if ip, err = netip.ParseAddr(s); err == nil { + ips[ip] = unit{} + } else if ipnet, err = netip.ParsePrefix(s); err == nil { *nets = append(*nets, ipnet) } else { - idErr := ValidateClientID(s) - if idErr != nil { - return fmt.Errorf( - "value %q at index %d: bad ip, cidr, or clientid", - s, - i, - ) + err = ValidateClientID(s) + if err != nil { + return fmt.Errorf("value %q at index %d: bad ip, cidr, or clientid", s, i) } clientIDs.Add(s) @@ -69,10 +63,10 @@ func processAccessClients( } // newAccessCtx creates a new accessCtx. -func newAccessCtx(allowed, blocked, blockedHosts []string) (a *accessCtx, err error) { - a = &accessCtx{ - allowedIPs: netutil.NewIPMap(0), - blockedIPs: netutil.NewIPMap(0), +func newAccessCtx(allowed, blocked, blockedHosts []string) (a *accessManager, err error) { + a = &accessManager{ + allowedIPs: map[netip.Addr]unit{}, + blockedIPs: map[netip.Addr]unit{}, allowedClientIDs: stringutil.NewSet(), blockedClientIDs: stringutil.NewSet(), 
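Review bot: In `processAccessClients`, `ips[ip] = unit{}` stores exactly what `netip.ParseAddr` returns, which unlike `net.ParseIP` keeps IPv4-mapped IPv6 addresses as a distinct value and accepts addresses carrying a zone. `isBlockedIP` now does an exact `ips[ip]` lookup, and `IsBlockedClient` passes it the result of `netutil.IPToAddrNoMapped`. A configured entry in mapped form (constructed example: `::ffff:1.2.3.4`) or with a zone would therefore apparently never match, leaving a blocklist entry written that way silently ineffective. Normalising on insert with `ips[ip.Unmap()] = unit{}` and rejecting entries where `ip.Zone() != ""` would keep both sides in the same form; `netip.Prefix.Contains` is equally strict about address family for the parsed prefixes. The end of the function is outside the hunk.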
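Review bot: The constructor is still named `newAccessCtx` and its comment still reads "creates a new accessCtx", although it now returns `*accessManager`. The `allowlistMode` comment in the next hunk ("this *accessCtx") is stale in the same way. I would update the comments, e.g. `// newAccessCtx creates a new accessManager.`, or rename the function in a follow-up so the access-control type has a single name throughout the package. The function body continues outside the hunk.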
@@ -112,12 +106,12 @@ func newAccessCtx(allowed, blocked, blockedHosts []string) (a *accessCtx, err er } // allowlistMode returns true if this *accessCtx is in the allowlist mode. -func (a *accessCtx) allowlistMode() (ok bool) { - return a.allowedIPs.Len() != 0 || a.allowedClientIDs.Len() != 0 || len(a.allowedNets) != 0 +func (a *accessManager) allowlistMode() (ok bool) { + return len(a.allowedIPs) != 0 || a.allowedClientIDs.Len() != 0 || len(a.allowedNets) != 0 } // isBlockedClientID returns true if the ClientID should be blocked. -func (a *accessCtx) isBlockedClientID(id string) (ok bool) { +func (a *accessManager) isBlockedClientID(id string) (ok bool) { allowlistMode := a.allowlistMode() if id == "" { // In allowlist mode, consider requests without ClientIDs blocked by @@ -133,7 +127,7 @@ func (a *accessCtx) isBlockedClientID(id string) (ok bool) { } // isBlockedHost returns true if host should be blocked. -func (a *accessCtx) isBlockedHost(host string) (ok bool) { +func (a *accessManager) isBlockedHost(host string) (ok bool) { _, ok = a.blockedHostsEng.Match(strings.ToLower(host)) return ok @@ -141,7 +135,7 @@ func (a *accessCtx) isBlockedHost(host string) (ok bool) { // isBlockedIP returns the status of the IP address blocking as well as the rule // that blocked it. -func (a *accessCtx) isBlockedIP(ip net.IP) (blocked bool, rule string) { +func (a *accessManager) isBlockedIP(ip netip.Addr) (blocked bool, rule string) { blocked = true ips := a.blockedIPs ipnets := a.blockedNets @@ -153,7 +147,7 @@ func (a *accessCtx) isBlockedIP(ip net.IP) (blocked bool, rule string) { ipnets = a.allowedNets } - if _, ok := ips.Get(ip); ok { + if _, ok := ips[ip]; ok { return blocked, ip.String() } 
@@ -241,7 +235,7 @@ func (s *Server) handleAccessSet(w http.ResponseWriter, r *http.Request) { return } - var a *accessCtx + var a *accessManager a, err = newAccessCtx(list.AllowedClients, list.DisallowedClients, list.BlockedHosts) if err != nil { aghhttp.Error(r, w, http.StatusBadRequest, "creating access ctx: %s", err) diff --git a/internal/dnsforward/access_test.go b/internal/dnsforward/access_test.go index 7f9c4e79..7889cdad 100644 --- a/internal/dnsforward/access_test.go +++ b/internal/dnsforward/access_test.go @@ -1,7 +1,7 @@ package dnsforward import ( - "net" + "net/netip" "testing" "github.com/stretchr/testify/assert" @@ -95,27 +95,27 @@ func TestIsBlockedIP(t *testing.T) { testCases := []struct { name string wantRule string - ip net.IP + ip netip.Addr wantBlocked bool }{{ name: "match_ip", wantRule: "1.2.3.4", - ip: net.IP{1, 2, 3, 4}, + ip: netip.MustParseAddr("1.2.3.4"), wantBlocked: true, }, { name: "match_cidr", wantRule: "5.6.7.8/24", - ip: net.IP{5, 6, 7, 100}, + ip: netip.MustParseAddr("5.6.7.100"), wantBlocked: true, }, { name: "no_match_ip", wantRule: "", - ip: net.IP{9, 2, 3, 4}, + ip: netip.MustParseAddr("9.2.3.4"), wantBlocked: false, }, { name: "no_match_cidr", wantRule: "", - ip: net.IP{9, 6, 7, 100}, + ip: netip.MustParseAddr("9.6.7.100"), wantBlocked: false, }} diff --git a/internal/dnsforward/config.go b/internal/dnsforward/config.go index caad6547..c49f0fdd 100644 --- a/internal/dnsforward/config.go +++ b/internal/dnsforward/config.go 
@@ -96,9 +96,16 @@ type FilteringConfig struct { // Access settings // -- - AllowedClients []string `yaml:"allowed_clients"` // IP addresses of whitelist clients - DisallowedClients []string `yaml:"disallowed_clients"` // IP addresses of clients that should be blocked - BlockedHosts []string `yaml:"blocked_hosts"` // hosts that should be blocked + // AllowedClients is the slice of IP addresses, CIDR networks, and ClientIDs + // of allowed clients. If not empty, only these clients are allowed, and + // [FilteringConfig.DisallowedClients] are ignored. + AllowedClients []string `yaml:"allowed_clients"` + + // DisallowedClients is the slice of IP addresses, CIDR networks, and + // ClientIDs of disallowed clients. + DisallowedClients []string `yaml:"disallowed_clients"` + + BlockedHosts []string `yaml:"blocked_hosts"` // hosts that should be blocked // TrustedProxies is the list of IP addresses and CIDR networks to detect // proxy servers addresses the DoH requests from which should be handled. // The value of nil or an empty slice for this field makes Proxy not trust diff --git a/internal/dnsforward/dns.go b/internal/dnsforward/dns.go index 48bb81c0..e535dbc3 100644 --- a/internal/dnsforward/dns.go +++ b/internal/dnsforward/dns.go @@ -16,6 +16,8 @@ import ( "golang.org/x/exp/slices" ) +//lint:file-ignore SA1019 TODO(a.garipov): Replace [*netutil.IPMap]. + // To transfer information between modules type dnsContext struct { proxyCtx *proxy.DNSContext diff --git a/internal/dnsforward/dnsforward.go b/internal/dnsforward/dnsforward.go index b6f5c4cf..914ec0a9 100644 --- a/internal/dnsforward/dnsforward.go +++ b/internal/dnsforward/dnsforward.go @@ -10,6 +10,7 @@ import ( "sync" "time" + "github.com/AdguardTeam/AdGuardHome/internal/aghalg" "github.com/AdguardTeam/AdGuardHome/internal/aghnet" "github.com/AdguardTeam/AdGuardHome/internal/dhcpd" "github.com/AdguardTeam/AdGuardHome/internal/filtering" 
@@ -25,6 +26,8 @@ import ( "github.com/miekg/dns" ) +//lint:file-ignore SA1019 TODO(a.garipov): Replace [*netutil.IPMap]. + // DefaultTimeout is the default upstream timeout const DefaultTimeout = 10 * time.Second @@ -63,7 +66,7 @@ type Server struct { dhcpServer dhcpd.Interface // DHCP server instance (optional) queryLog querylog.QueryLog // Query log instance stats stats.Interface - access *accessCtx + access *accessManager // localDomainSuffix is the suffix used to detect internal hosts. It // must be a valid domain name plus dots on each side. 
@@ -673,27 +676,37 @@ func (s *Server) IsBlockedClient(ip net.IP, clientID string) (blocked bool, rule s.serverLock.RLock() defer s.serverLock.RUnlock() + blockedByIP := false + if ip != nil { + // TODO(a.garipov): Remove once we switch to netip.Addr more fully. + ipAddr, err := netutil.IPToAddrNoMapped(ip) + if err != nil { + log.Error("dnsforward: bad client ip %v: %s", ip, err) + + return false, "" + } + + blockedByIP, rule = s.access.isBlockedIP(ipAddr) + } + allowlistMode := s.access.allowlistMode() - blockedByIP, rule := s.access.isBlockedIP(ip) blockedByClientID := s.access.isBlockedClientID(clientID) - // Allow if at least one of the checks allows in allowlist mode, but - // block if at least one of the checks blocks in blocklist mode. + // Allow if at least one of the checks allows in allowlist mode, but block + // if at least one of the checks blocks in blocklist mode. if allowlistMode && blockedByIP && blockedByClientID { - log.Debug("client %s (id %q) is not in access allowlist", ip, clientID) + log.Debug("client %v (id %q) is not in access allowlist", ip, clientID) // Return now without substituting the empty rule for the // clientID because the rule can't be empty here. return true, rule } else if !allowlistMode && (blockedByIP || blockedByClientID) { - log.Debug("client %s (id %q) is in access blocklist", ip, clientID) + log.Debug("client %v (id %q) is in access blocklist", ip, clientID) blocked = true } - if rule == "" { - rule = clientID - } + rule = aghalg.Coalesce(rule, clientID) return blocked, rule } diff --git a/internal/home/clients.go b/internal/home/clients.go index e4267ab6..28b6eccb 100644 --- a/internal/home/clients.go +++ b/internal/home/clients.go @@ -25,6 +25,8 @@ import ( "golang.org/x/exp/slices" ) +//lint:file-ignore SA1019 TODO(a.garipov): Replace [*netutil.IPMap]. + const clientsUpdatePeriod = 10 * time.Minute var webHandlersRegistered = false
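Review bot: The new error branch in `IsBlockedClient` returns `false, ""` when `netutil.IPToAddrNoMapped` fails, so a client whose address cannot be converted is treated as allowed even when an allowlist is configured. Failing closed in that mode, `return s.access.allowlistMode(), ""`, looks safer, provided callers tolerate an empty rule there. Separately, when `ip == nil` `blockedByIP` stays `false`, which makes `allowlistMode && blockedByIP && blockedByClientID` false regardless of the ClientID. If a nil IP can reach this method, that case deserves an explicit decision and a comment. The start of the function is outside the hunk.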