Pull request: 5035-netip-maps-access
Updates #5035. Squashed commit of the following: commit 0c9f80761419dc50d89e0e82f68cdb462569417d Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Mon Oct 24 16:11:03 2022 +0300 dnsforward: fix access check commit df981acb4816cfba11bf6bbe4ef7796a6e365ea9 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Mon Oct 24 15:27:45 2022 +0300 dnsforward: mv access to netip.Addr
This commit is contained in:
parent
b86250737e
commit
a272b61ed6
10
go.mod
10
go.mod
|
@ -4,7 +4,7 @@ go 1.18
|
||||||
|
|
||||||
require (
|
require (
|
||||||
github.com/AdguardTeam/dnsproxy v0.46.1
|
github.com/AdguardTeam/dnsproxy v0.46.1
|
||||||
github.com/AdguardTeam/golibs v0.10.9
|
github.com/AdguardTeam/golibs v0.11.0
|
||||||
github.com/AdguardTeam/urlfilter v0.16.0
|
github.com/AdguardTeam/urlfilter v0.16.0
|
||||||
github.com/NYTimes/gziphandler v1.1.1
|
github.com/NYTimes/gziphandler v1.1.1
|
||||||
github.com/ameshkov/dnscrypt/v2 v2.2.5
|
github.com/ameshkov/dnscrypt/v2 v2.2.5
|
||||||
|
@ -29,9 +29,9 @@ require (
|
||||||
github.com/ti-mo/netfilter v0.4.0
|
github.com/ti-mo/netfilter v0.4.0
|
||||||
go.etcd.io/bbolt v1.3.6
|
go.etcd.io/bbolt v1.3.6
|
||||||
golang.org/x/crypto v0.0.0-20220926161630-eccd6366d1be
|
golang.org/x/crypto v0.0.0-20220926161630-eccd6366d1be
|
||||||
golang.org/x/exp v0.0.0-20220929160808-de9c53c655b9
|
golang.org/x/exp v0.0.0-20221019170559-20944726eadf
|
||||||
golang.org/x/net v0.0.0-20220927171203-f486391704dc
|
golang.org/x/net v0.1.0
|
||||||
golang.org/x/sys v0.0.0-20220928140112-f11e5e49a4ec
|
golang.org/x/sys v0.1.0
|
||||||
gopkg.in/natefinch/lumberjack.v2 v2.0.0
|
gopkg.in/natefinch/lumberjack.v2 v2.0.0
|
||||||
gopkg.in/yaml.v3 v3.0.1
|
gopkg.in/yaml.v3 v3.0.1
|
||||||
howett.net/plist v1.0.0
|
howett.net/plist v1.0.0
|
||||||
|
@ -61,7 +61,7 @@ require (
|
||||||
github.com/u-root/uio v0.0.0-20220204230159-dac05f7d2cb4 // indirect
|
github.com/u-root/uio v0.0.0-20220204230159-dac05f7d2cb4 // indirect
|
||||||
golang.org/x/mod v0.6.0-dev.0.20220922195421-2adab6b8c60e // indirect
|
golang.org/x/mod v0.6.0-dev.0.20220922195421-2adab6b8c60e // indirect
|
||||||
golang.org/x/sync v0.0.0-20220819030929-7fc1605a5dde // indirect
|
golang.org/x/sync v0.0.0-20220819030929-7fc1605a5dde // indirect
|
||||||
golang.org/x/text v0.3.7 // indirect
|
golang.org/x/text v0.4.0 // indirect
|
||||||
golang.org/x/tools v0.1.12 // indirect
|
golang.org/x/tools v0.1.12 // indirect
|
||||||
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
|
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
|
||||||
)
|
)
|
||||||
|
|
19
go.sum
19
go.sum
|
@ -2,8 +2,8 @@ github.com/AdguardTeam/dnsproxy v0.46.1 h1:ej9iRorG+vekaXGYB854waAiS+q8OfswYZ1MQ
|
||||||
github.com/AdguardTeam/dnsproxy v0.46.1/go.mod h1:PAmRzFqls0E92XTglyY2ESAqMAzZJhHKErG1ZpRnpjA=
|
github.com/AdguardTeam/dnsproxy v0.46.1/go.mod h1:PAmRzFqls0E92XTglyY2ESAqMAzZJhHKErG1ZpRnpjA=
|
||||||
github.com/AdguardTeam/golibs v0.4.0/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
|
github.com/AdguardTeam/golibs v0.4.0/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
|
||||||
github.com/AdguardTeam/golibs v0.10.4/go.mod h1:rSfQRGHIdgfxriDDNgNJ7HmE5zRoURq8R+VdR81Zuzw=
|
github.com/AdguardTeam/golibs v0.10.4/go.mod h1:rSfQRGHIdgfxriDDNgNJ7HmE5zRoURq8R+VdR81Zuzw=
|
||||||
github.com/AdguardTeam/golibs v0.10.9 h1:F9oP2da0dQ9RQDM1lGR7LxUTfUWu8hEFOs4icwAkKM0=
|
github.com/AdguardTeam/golibs v0.11.0 h1:fWp5bRLL7N806HWeNiRM7vHJH+wwWQ3Z6kpGPeu2onM=
|
||||||
github.com/AdguardTeam/golibs v0.10.9/go.mod h1:W+5rznZa1cSNSFt+gPS7f4Wytnr9fOrd5ZYqwadPw14=
|
github.com/AdguardTeam/golibs v0.11.0/go.mod h1:87bN2x4VsTritptE3XZg9l8T6gznWsIxHBcQ1DeRIXA=
|
||||||
github.com/AdguardTeam/gomitmproxy v0.2.0/go.mod h1:Qdv0Mktnzer5zpdpi5rAwixNJzW2FN91LjKJCkVbYGU=
|
github.com/AdguardTeam/gomitmproxy v0.2.0/go.mod h1:Qdv0Mktnzer5zpdpi5rAwixNJzW2FN91LjKJCkVbYGU=
|
||||||
github.com/AdguardTeam/urlfilter v0.16.0 h1:IO29m+ZyQuuOnPLTzHuXj35V1DZOp1Dcryl576P2syg=
|
github.com/AdguardTeam/urlfilter v0.16.0 h1:IO29m+ZyQuuOnPLTzHuXj35V1DZOp1Dcryl576P2syg=
|
||||||
github.com/AdguardTeam/urlfilter v0.16.0/go.mod h1:46YZDOV1+qtdRDuhZKVPSSp7JWWes0KayqHrKAFBdEI=
|
github.com/AdguardTeam/urlfilter v0.16.0/go.mod h1:46YZDOV1+qtdRDuhZKVPSSp7JWWes0KayqHrKAFBdEI=
|
||||||
|
@ -175,8 +175,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
|
||||||
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
|
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
|
||||||
golang.org/x/crypto v0.0.0-20220926161630-eccd6366d1be h1:fmw3UbQh+nxngCAHrDCCztao/kbYFnWjoqop8dHx05A=
|
golang.org/x/crypto v0.0.0-20220926161630-eccd6366d1be h1:fmw3UbQh+nxngCAHrDCCztao/kbYFnWjoqop8dHx05A=
|
||||||
golang.org/x/crypto v0.0.0-20220926161630-eccd6366d1be/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
|
golang.org/x/crypto v0.0.0-20220926161630-eccd6366d1be/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
|
||||||
golang.org/x/exp v0.0.0-20220929160808-de9c53c655b9 h1:lNtcVz/3bOstm7Vebox+5m3nLh/BYWnhmc3AhXOW6oI=
|
golang.org/x/exp v0.0.0-20221019170559-20944726eadf h1:nFVjjKDgNY37+ZSYCJmtYf7tOlfQswHqplG2eosjOMg=
|
||||||
golang.org/x/exp v0.0.0-20220929160808-de9c53c655b9/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE=
|
golang.org/x/exp v0.0.0-20221019170559-20944726eadf/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE=
|
||||||
golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
|
golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
|
||||||
golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
|
golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
|
||||||
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
|
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
|
||||||
|
@ -206,8 +206,8 @@ golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qx
|
||||||
golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
|
golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
|
||||||
golang.org/x/net v0.0.0-20210929193557-e81a3d93ecf6/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
|
golang.org/x/net v0.0.0-20210929193557-e81a3d93ecf6/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
|
||||||
golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
|
golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
|
||||||
golang.org/x/net v0.0.0-20220927171203-f486391704dc h1:FxpXZdoBqT8RjqTy6i1E8nXHhW21wK7ptQ/EPIGxzPQ=
|
golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0=
|
||||||
golang.org/x/net v0.0.0-20220927171203-f486391704dc/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
|
golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
|
||||||
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||||
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||||
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||||
|
@ -254,16 +254,17 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc
|
||||||
golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||||
golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||||
golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||||
golang.org/x/sys v0.0.0-20220928140112-f11e5e49a4ec h1:BkDtF2Ih9xZ7le9ndzTA7KJow28VbQW3odyk/8drmuI=
|
golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
|
||||||
golang.org/x/sys v0.0.0-20220928140112-f11e5e49a4ec/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||||
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
|
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
|
||||||
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
|
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
|
||||||
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||||
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
|
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
|
||||||
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||||
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||||
golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
|
|
||||||
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
|
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
|
||||||
|
golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg=
|
||||||
|
golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
|
||||||
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
|
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
|
||||||
golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
|
golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
|
||||||
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
|
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
|
||||||
|
|
|
@ -21,6 +21,8 @@ import (
|
||||||
"github.com/miekg/dns"
|
"github.com/miekg/dns"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
//lint:file-ignore SA1019 TODO(a.garipov): Replace [*netutil.IPMap].
|
||||||
|
|
||||||
// DefaultHostsPaths returns the slice of paths default for the operating system
|
// DefaultHostsPaths returns the slice of paths default for the operating system
|
||||||
// to files and directories which are containing the hosts database. The result
|
// to files and directories which are containing the hosts database. The result
|
||||||
// is intended to be used within fs.FS so the initial slash is omitted.
|
// is intended to be used within fs.FS so the initial slash is omitted.
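Review bot: The added `//lint:file-ignore SA1019 TODO(a.garipov): Replace [*netutil.IPMap].` silences every deprecation report in this file, not only the `*netutil.IPMap` uses the TODO names, so any other deprecated API picked up by a later dependency bump in this file will go unnoticed; the file's name is not shown on this page, and the same file-wide form is added to two more files in this commit. A line-scoped `//lint:ignore SA1019 TODO(a.garipov): Replace [*netutil.IPMap].` placed directly above each IPMap site keeps the check active for the rest of the file at the cost of a few duplicated lines.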
|
||||||
|
|
|
@ -3,25 +3,26 @@ package dnsforward
|
||||||
import (
|
import (
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
"net"
|
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"net/netip"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
|
"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
|
||||||
"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
|
"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
|
||||||
"github.com/AdguardTeam/golibs/log"
|
"github.com/AdguardTeam/golibs/log"
|
||||||
"github.com/AdguardTeam/golibs/netutil"
|
|
||||||
"github.com/AdguardTeam/golibs/stringutil"
|
"github.com/AdguardTeam/golibs/stringutil"
|
||||||
"github.com/AdguardTeam/urlfilter"
|
"github.com/AdguardTeam/urlfilter"
|
||||||
"github.com/AdguardTeam/urlfilter/filterlist"
|
"github.com/AdguardTeam/urlfilter/filterlist"
|
||||||
)
|
)
|
||||||
|
|
||||||
// accessCtx controls IP and client blocking that takes place before all other
|
// unit is a convenient alias for struct{}
|
||||||
// processing. An accessCtx is safe for concurrent use.
|
type unit = struct{}
|
||||||
type accessCtx struct {
|
|
||||||
// TODO(e.burkov): Use map[netip.Addr]struct{} instead.
|
// accessManager controls IP and client blocking that takes place before all
|
||||||
allowedIPs *netutil.IPMap
|
// other processing. An accessManager is safe for concurrent use.
|
||||||
blockedIPs *netutil.IPMap
|
type accessManager struct {
|
||||||
|
allowedIPs map[netip.Addr]unit
|
||||||
|
blockedIPs map[netip.Addr]unit
|
||||||
|
|
||||||
allowedClientIDs *stringutil.Set
|
allowedClientIDs *stringutil.Set
|
||||||
blockedClientIDs *stringutil.Set
|
blockedClientIDs *stringutil.Set
|
||||||
|
@ -29,36 +30,29 @@ type accessCtx struct {
|
||||||
blockedHostsEng *urlfilter.DNSEngine
|
blockedHostsEng *urlfilter.DNSEngine
|
||||||
|
|
||||||
// TODO(a.garipov): Create a type for a set of IP networks.
|
// TODO(a.garipov): Create a type for a set of IP networks.
|
||||||
// netutil.IPNetSet?
|
allowedNets []netip.Prefix
|
||||||
allowedNets []*net.IPNet
|
blockedNets []netip.Prefix
|
||||||
blockedNets []*net.IPNet
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// unit is a convenient alias for struct{}
|
|
||||||
type unit = struct{}
|
|
||||||
|
|
||||||
// processAccessClients is a helper for processing a list of client strings,
|
// processAccessClients is a helper for processing a list of client strings,
|
||||||
// which may be an IP address, a CIDR, or a ClientID.
|
// which may be an IP address, a CIDR, or a ClientID.
|
||||||
func processAccessClients(
|
func processAccessClients(
|
||||||
clientStrs []string,
|
clientStrs []string,
|
||||||
ips *netutil.IPMap,
|
ips map[netip.Addr]unit,
|
||||||
nets *[]*net.IPNet,
|
nets *[]netip.Prefix,
|
||||||
clientIDs *stringutil.Set,
|
clientIDs *stringutil.Set,
|
||||||
) (err error) {
|
) (err error) {
|
||||||
for i, s := range clientStrs {
|
for i, s := range clientStrs {
|
||||||
if ip := net.ParseIP(s); ip != nil {
|
var ip netip.Addr
|
||||||
ips.Set(ip, unit{})
|
var ipnet netip.Prefix
|
||||||
} else if cidrIP, ipnet, cidrErr := net.ParseCIDR(s); cidrErr == nil {
|
if ip, err = netip.ParseAddr(s); err == nil {
|
||||||
ipnet.IP = cidrIP
|
ips[ip] = unit{}
|
||||||
|
} else if ipnet, err = netip.ParsePrefix(s); err == nil {
|
||||||
*nets = append(*nets, ipnet)
|
*nets = append(*nets, ipnet)
|
||||||
} else {
|
} else {
|
||||||
idErr := ValidateClientID(s)
|
err = ValidateClientID(s)
|
||||||
if idErr != nil {
|
if err != nil {
|
||||||
return fmt.Errorf(
|
return fmt.Errorf("value %q at index %d: bad ip, cidr, or clientid", s, i)
|
||||||
"value %q at index %d: bad ip, cidr, or clientid",
|
|
||||||
s,
|
|
||||||
i,
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
clientIDs.Add(s)
|
clientIDs.Add(s)
|
||||||
|
@ -69,10 +63,10 @@ func processAccessClients(
|
||||||
}
|
}
|
||||||
|
|
||||||
// newAccessCtx creates a new accessCtx.
|
// newAccessCtx creates a new accessCtx.
|
||||||
func newAccessCtx(allowed, blocked, blockedHosts []string) (a *accessCtx, err error) {
|
func newAccessCtx(allowed, blocked, blockedHosts []string) (a *accessManager, err error) {
|
||||||
a = &accessCtx{
|
a = &accessManager{
|
||||||
allowedIPs: netutil.NewIPMap(0),
|
allowedIPs: map[netip.Addr]unit{},
|
||||||
blockedIPs: netutil.NewIPMap(0),
|
blockedIPs: map[netip.Addr]unit{},
|
||||||
|
|
||||||
allowedClientIDs: stringutil.NewSet(),
|
allowedClientIDs: stringutil.NewSet(),
|
||||||
blockedClientIDs: stringutil.NewSet(),
|
blockedClientIDs: stringutil.NewSet(),
|
||||||
|
@ -112,12 +106,12 @@ func newAccessCtx(allowed, blocked, blockedHosts []string) (a *accessCtx, err er
|
||||||
}
|
}
|
||||||
|
|
||||||
// allowlistMode returns true if this *accessCtx is in the allowlist mode.
|
// allowlistMode returns true if this *accessCtx is in the allowlist mode.
|
||||||
func (a *accessCtx) allowlistMode() (ok bool) {
|
func (a *accessManager) allowlistMode() (ok bool) {
|
||||||
return a.allowedIPs.Len() != 0 || a.allowedClientIDs.Len() != 0 || len(a.allowedNets) != 0
|
return len(a.allowedIPs) != 0 || a.allowedClientIDs.Len() != 0 || len(a.allowedNets) != 0
|
||||||
}
|
}
|
||||||
|
|
||||||
// isBlockedClientID returns true if the ClientID should be blocked.
|
// isBlockedClientID returns true if the ClientID should be blocked.
|
||||||
func (a *accessCtx) isBlockedClientID(id string) (ok bool) {
|
func (a *accessManager) isBlockedClientID(id string) (ok bool) {
|
||||||
allowlistMode := a.allowlistMode()
|
allowlistMode := a.allowlistMode()
|
||||||
if id == "" {
|
if id == "" {
|
||||||
// In allowlist mode, consider requests without ClientIDs blocked by
|
// In allowlist mode, consider requests without ClientIDs blocked by
|
||||||
|
@ -133,7 +127,7 @@ func (a *accessCtx) isBlockedClientID(id string) (ok bool) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// isBlockedHost returns true if host should be blocked.
|
// isBlockedHost returns true if host should be blocked.
|
||||||
func (a *accessCtx) isBlockedHost(host string) (ok bool) {
|
func (a *accessManager) isBlockedHost(host string) (ok bool) {
|
||||||
_, ok = a.blockedHostsEng.Match(strings.ToLower(host))
|
_, ok = a.blockedHostsEng.Match(strings.ToLower(host))
|
||||||
|
|
||||||
return ok
|
return ok
|
||||||
|
@ -141,7 +135,7 @@ func (a *accessCtx) isBlockedHost(host string) (ok bool) {
|
||||||
|
|
||||||
// isBlockedIP returns the status of the IP address blocking as well as the rule
|
// isBlockedIP returns the status of the IP address blocking as well as the rule
|
||||||
// that blocked it.
|
// that blocked it.
|
||||||
func (a *accessCtx) isBlockedIP(ip net.IP) (blocked bool, rule string) {
|
func (a *accessManager) isBlockedIP(ip netip.Addr) (blocked bool, rule string) {
|
||||||
blocked = true
|
blocked = true
|
||||||
ips := a.blockedIPs
|
ips := a.blockedIPs
|
||||||
ipnets := a.blockedNets
|
ipnets := a.blockedNets
|
||||||
|
@ -153,7 +147,7 @@ func (a *accessCtx) isBlockedIP(ip net.IP) (blocked bool, rule string) {
|
||||||
ipnets = a.allowedNets
|
ipnets = a.allowedNets
|
||||||
}
|
}
|
||||||
|
|
||||||
if _, ok := ips.Get(ip); ok {
|
if _, ok := ips[ip]; ok {
|
||||||
return blocked, ip.String()
|
return blocked, ip.String()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -241,7 +235,7 @@ func (s *Server) handleAccessSet(w http.ResponseWriter, r *http.Request) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
var a *accessCtx
|
var a *accessManager
|
||||||
a, err = newAccessCtx(list.AllowedClients, list.DisallowedClients, list.BlockedHosts)
|
a, err = newAccessCtx(list.AllowedClients, list.DisallowedClients, list.BlockedHosts)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
aghhttp.Error(r, w, http.StatusBadRequest, "creating access ctx: %s", err)
|
aghhttp.Error(r, w, http.StatusBadRequest, "creating access ctx: %s", err)
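Review bot: In processAccessClients the key written by `ips[ip] = unit{}` is whatever `netip.ParseAddr` returned, while the lookup side in IsBlockedClient (this commit) builds the client key with `netutil.IPToAddrNoMapped` from a `net.IP` that carries no zone, so an entry written as `::ffff:1.2.3.4` or `fe80::1%eth0` parses fine but never compares equal to any client address and silently allows or blocks nobody. Normalise before storing, `ips[ip.Unmap().WithZone("")] = unit{}`, or reject those forms with an error so the misconfiguration is visible. The same holds for prefixes: `netip.Prefix.Contains` documents that an IPv4 address never matches an IPv6 prefix, so a mapped entry such as `::ffff:10.0.0.0/104` from `netip.ParsePrefix` is dead configuration, and a check like `if ipnet.Addr().Is4In6() { return fmt.Errorf("value %q at index %d: mapped prefix", s, i) }` would surface it. Separately, the error from `ValidateClientID` is discarded; `%w`-wrapping it in the `fmt.Errorf` call would let the reason reach the HTTP 400 body that handleAccessSet emits.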
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
package dnsforward
|
package dnsforward
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"net"
|
"net/netip"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
|
@ -95,27 +95,27 @@ func TestIsBlockedIP(t *testing.T) {
|
||||||
testCases := []struct {
|
testCases := []struct {
|
||||||
name string
|
name string
|
||||||
wantRule string
|
wantRule string
|
||||||
ip net.IP
|
ip netip.Addr
|
||||||
wantBlocked bool
|
wantBlocked bool
|
||||||
}{{
|
}{{
|
||||||
name: "match_ip",
|
name: "match_ip",
|
||||||
wantRule: "1.2.3.4",
|
wantRule: "1.2.3.4",
|
||||||
ip: net.IP{1, 2, 3, 4},
|
ip: netip.MustParseAddr("1.2.3.4"),
|
||||||
wantBlocked: true,
|
wantBlocked: true,
|
||||||
}, {
|
}, {
|
||||||
name: "match_cidr",
|
name: "match_cidr",
|
||||||
wantRule: "5.6.7.8/24",
|
wantRule: "5.6.7.8/24",
|
||||||
ip: net.IP{5, 6, 7, 100},
|
ip: netip.MustParseAddr("5.6.7.100"),
|
||||||
wantBlocked: true,
|
wantBlocked: true,
|
||||||
}, {
|
}, {
|
||||||
name: "no_match_ip",
|
name: "no_match_ip",
|
||||||
wantRule: "",
|
wantRule: "",
|
||||||
ip: net.IP{9, 2, 3, 4},
|
ip: netip.MustParseAddr("9.2.3.4"),
|
||||||
wantBlocked: false,
|
wantBlocked: false,
|
||||||
}, {
|
}, {
|
||||||
name: "no_match_cidr",
|
name: "no_match_cidr",
|
||||||
wantRule: "",
|
wantRule: "",
|
||||||
ip: net.IP{9, 6, 7, 100},
|
ip: netip.MustParseAddr("9.6.7.100"),
|
||||||
wantBlocked: false,
|
wantBlocked: false,
|
||||||
}}
|
}}
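Review bot: The converted cases only swap `net.IP` literals for `netip.MustParseAddr` and do not exercise what actually changed, which is the move from `net.ParseIP`/`net.ParseCIDR` to `netip.ParseAddr`/`netip.ParsePrefix` in processAccessClients. Add a case that configures an IPv4-mapped entry such as `::ffff:1.2.3.4` and a zoned one such as `fe80::1%eth0` and asserts whether a client at `1.2.3.4` / `fe80::1` is matched, so the intended handling of those forms is pinned rather than left to the map's exact-key comparison. The setup of TestIsBlockedIP (the allowed and blocked lists it builds) is above the hunk.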
|
||||||
|
|
||||||
|
|
|
@ -96,9 +96,16 @@ type FilteringConfig struct {
|
||||||
// Access settings
|
// Access settings
|
||||||
// --
|
// --
|
||||||
|
|
||||||
AllowedClients []string `yaml:"allowed_clients"` // IP addresses of whitelist clients
|
// AllowedClients is the slice of IP addresses, CIDR networks, and ClientIDs
|
||||||
DisallowedClients []string `yaml:"disallowed_clients"` // IP addresses of clients that should be blocked
|
// of allowed clients. If not empty, only these clients are allowed, and
|
||||||
BlockedHosts []string `yaml:"blocked_hosts"` // hosts that should be blocked
|
// [FilteringConfig.DisallowedClients] are ignored.
|
||||||
|
AllowedClients []string `yaml:"allowed_clients"`
|
||||||
|
|
||||||
|
// DisallowedClients is the slice of IP addresses, CIDR networks, and
|
||||||
|
// ClientIDs of disallowed clients.
|
||||||
|
DisallowedClients []string `yaml:"disallowed_clients"`
|
||||||
|
|
||||||
|
BlockedHosts []string `yaml:"blocked_hosts"` // hosts that should be blocked
|
||||||
// TrustedProxies is the list of IP addresses and CIDR networks to detect
|
// TrustedProxies is the list of IP addresses and CIDR networks to detect
|
||||||
// proxy servers addresses the DoH requests from which should be handled.
|
// proxy servers addresses the DoH requests from which should be handled.
|
||||||
// The value of nil or an empty slice for this field makes Proxy not trust
|
// The value of nil or an empty slice for this field makes Proxy not trust
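Review bot: The new AllowedClients comment says "only these clients are allowed", which reads as if both the address and the ClientID of a client must be listed, whereas the combination in Server.IsBlockedClient in this commit admits a request in allowlist mode when either its address or its ClientID matches and blocks it only when both checks fail. Add `// A request is allowed when either its address or its ClientID matches an entry.` after the second sentence so the either/or semantics are stated where operators read the config. It would also help to say on DisallowedClients that it is consulted only while AllowedClients is empty, which is what the allowlist-mode sentence implies but does not state.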
|
||||||
|
|
|
@ -16,6 +16,8 @@ import (
|
||||||
"golang.org/x/exp/slices"
|
"golang.org/x/exp/slices"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
//lint:file-ignore SA1019 TODO(a.garipov): Replace [*netutil.IPMap].
|
||||||
|
|
||||||
// To transfer information between modules
|
// To transfer information between modules
|
||||||
type dnsContext struct {
|
type dnsContext struct {
|
||||||
proxyCtx *proxy.DNSContext
|
proxyCtx *proxy.DNSContext
|
||||||
|
|
|
@ -10,6 +10,7 @@ import (
|
||||||
"sync"
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
|
||||||
"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
|
"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
|
||||||
"github.com/AdguardTeam/AdGuardHome/internal/dhcpd"
|
"github.com/AdguardTeam/AdGuardHome/internal/dhcpd"
|
||||||
"github.com/AdguardTeam/AdGuardHome/internal/filtering"
|
"github.com/AdguardTeam/AdGuardHome/internal/filtering"
|
||||||
|
@ -25,6 +26,8 @@ import (
|
||||||
"github.com/miekg/dns"
|
"github.com/miekg/dns"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
//lint:file-ignore SA1019 TODO(a.garipov): Replace [*netutil.IPMap].
|
||||||
|
|
||||||
// DefaultTimeout is the default upstream timeout
|
// DefaultTimeout is the default upstream timeout
|
||||||
const DefaultTimeout = 10 * time.Second
|
const DefaultTimeout = 10 * time.Second
|
||||||
|
|
||||||
|
@ -63,7 +66,7 @@ type Server struct {
|
||||||
dhcpServer dhcpd.Interface // DHCP server instance (optional)
|
dhcpServer dhcpd.Interface // DHCP server instance (optional)
|
||||||
queryLog querylog.QueryLog // Query log instance
|
queryLog querylog.QueryLog // Query log instance
|
||||||
stats stats.Interface
|
stats stats.Interface
|
||||||
access *accessCtx
|
access *accessManager
|
||||||
|
|
||||||
// localDomainSuffix is the suffix used to detect internal hosts. It
|
// localDomainSuffix is the suffix used to detect internal hosts. It
|
||||||
// must be a valid domain name plus dots on each side.
|
// must be a valid domain name plus dots on each side.
|
||||||
|
@ -673,27 +676,37 @@ func (s *Server) IsBlockedClient(ip net.IP, clientID string) (blocked bool, rule
|
||||||
s.serverLock.RLock()
|
s.serverLock.RLock()
|
||||||
defer s.serverLock.RUnlock()
|
defer s.serverLock.RUnlock()
|
||||||
|
|
||||||
|
blockedByIP := false
|
||||||
|
if ip != nil {
|
||||||
|
// TODO(a.garipov): Remove once we switch to netip.Addr more fully.
|
||||||
|
ipAddr, err := netutil.IPToAddrNoMapped(ip)
|
||||||
|
if err != nil {
|
||||||
|
log.Error("dnsforward: bad client ip %v: %s", ip, err)
|
||||||
|
|
||||||
|
return false, ""
|
||||||
|
}
|
||||||
|
|
||||||
|
blockedByIP, rule = s.access.isBlockedIP(ipAddr)
|
||||||
|
}
|
||||||
|
|
||||||
allowlistMode := s.access.allowlistMode()
|
allowlistMode := s.access.allowlistMode()
|
||||||
blockedByIP, rule := s.access.isBlockedIP(ip)
|
|
||||||
blockedByClientID := s.access.isBlockedClientID(clientID)
|
blockedByClientID := s.access.isBlockedClientID(clientID)
|
||||||
|
|
||||||
// Allow if at least one of the checks allows in allowlist mode, but
|
// Allow if at least one of the checks allows in allowlist mode, but block
|
||||||
// block if at least one of the checks blocks in blocklist mode.
|
// if at least one of the checks blocks in blocklist mode.
|
||||||
if allowlistMode && blockedByIP && blockedByClientID {
|
if allowlistMode && blockedByIP && blockedByClientID {
|
||||||
log.Debug("client %s (id %q) is not in access allowlist", ip, clientID)
|
log.Debug("client %v (id %q) is not in access allowlist", ip, clientID)
|
||||||
|
|
||||||
// Return now without substituting the empty rule for the
|
// Return now without substituting the empty rule for the
|
||||||
// clientID because the rule can't be empty here.
|
// clientID because the rule can't be empty here.
|
||||||
return true, rule
|
return true, rule
|
||||||
} else if !allowlistMode && (blockedByIP || blockedByClientID) {
|
} else if !allowlistMode && (blockedByIP || blockedByClientID) {
|
||||||
log.Debug("client %s (id %q) is in access blocklist", ip, clientID)
|
log.Debug("client %v (id %q) is in access blocklist", ip, clientID)
|
||||||
|
|
||||||
blocked = true
|
blocked = true
|
||||||
}
|
}
|
||||||
|
|
||||||
if rule == "" {
|
rule = aghalg.Coalesce(rule, clientID)
|
||||||
rule = clientID
|
|
||||||
}
|
|
||||||
|
|
||||||
return blocked, rule
|
return blocked, rule
|
||||||
}
|
}
|
||||||
|
|
|
@ -25,6 +25,8 @@ import (
|
||||||
"golang.org/x/exp/slices"
|
"golang.org/x/exp/slices"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
//lint:file-ignore SA1019 TODO(a.garipov): Replace [*netutil.IPMap].
|
||||||
|
|
||||||
const clientsUpdatePeriod = 10 * time.Minute
|
const clientsUpdatePeriod = 10 * time.Minute
|
||||||
|
|
||||||
var webHandlersRegistered = false
|
var webHandlersRegistered = false
|
||||||
|
|