From df40da7c6413af14e0637d666a5e4ca156050b6b Mon Sep 17 00:00:00 2001 
From: Dimitry Kolyshev Date: Wed, 17 Jan 2024 15:06:16 +0300 Subject: [PATCH] Pull request: AG-28961-upd-golibs Squashed commit of the following: commit b153bbc7100dd9184ca689f1755f068b63e3046b Merge: d16da0cf6 4508ae860 Author: Dimitry Kolyshev Date: Wed Jan 17 13:56:34 2024 +0200 Merge remote-tracking branch 'origin/master' into AG-28961-upd-golibs commit d16da0cf61d050afd04f00ffc36bca550548edd9 Author: Dimitry Kolyshev Date: Wed Jan 17 09:52:03 2024 +0200 all: imp code commit 46aeca7221586ce0cdc91838764bbacdbdfa8620 Author: Dimitry Kolyshev Date: Wed Jan 17 09:50:10 2024 +0200 all: imp code commit 32bc83c0a909467655a258e2e879731a90dc96e6 Merge: ee51c6046 6dbeb5b97 Author: Dimitry Kolyshev Date: Tue Jan 16 15:42:32 2024 +0200 Merge remote-tracking branch 'origin/master' into AG-28961-upd-golibs # Conflicts: # go.mod # go.sum commit ee51c6046632f89fbe5aa8f6d857c239f060aba5 Author: Dimitry Kolyshev Date: Tue Jan 16 10:56:38 2024 +0200 all: upd libs commit 02c1dbd9b568cb9f6ec52a0e9835d0d39e3cd377 Merge: 1daba8342 58b47adaf Author: Dimitry Kolyshev Date: Tue Jan 16 10:53:54 2024 +0200 Merge remote-tracking branch 'origin/master' into AG-28961-upd-golibs commit 1daba8342b72163c8a26380e083c4e497d6bb772 Author: Dimitry Kolyshev Date: Mon Jan 15 11:15:05 2024 +0200 all: upd dnsproxy commit b1670e8a81c04f400245e1316857578b549e58f1 Author: Dimitry Kolyshev Date: Mon Jan 15 10:46:27 2024 +0200 dnsforward: imp code commit 7b65a50fca37ad71b68a8bda504839a78b6f7319 Author: Dimitry Kolyshev Date: Fri Jan 12 14:14:34 2024 +0200 all: upd golibs --- go.mod | 6 +-- go.sum | 12 +++--- internal/client/addrproc.go | 3 +- internal/dnsforward/config.go | 13 ++++--- internal/dnsforward/dnsforward.go | 4 +- internal/dnsforward/process.go | 39 +++++--------------- internal/dnsforward/process_internal_test.go | 2 +- internal/dnsforward/upstreams.go | 2 +- internal/filtering/hosts.go | 4 +- internal/home/config.go | 11 ++++-- internal/home/dns.go | 26 +++---------- internal/whois/whois.go | 2 
+- 12 files changed, 46 insertions(+), 78 deletions(-) diff --git a/go.mod b/go.mod index 50812877..e3c6dd0b 100644 --- a/go.mod +++ b/go.mod @@ -3,8 +3,8 @@ module github.com/AdguardTeam/AdGuardHome go 1.20 require ( - github.com/AdguardTeam/dnsproxy v0.62.0 - github.com/AdguardTeam/golibs v0.18.1 + github.com/AdguardTeam/dnsproxy v0.63.0 + github.com/AdguardTeam/golibs v0.19.0 github.com/AdguardTeam/urlfilter v0.17.3 github.com/NYTimes/gziphandler v1.1.1 github.com/ameshkov/dnscrypt/v2 v2.2.7 @@ -33,7 +33,7 @@ require ( github.com/ti-mo/netfilter v0.5.1 go.etcd.io/bbolt v1.3.8 golang.org/x/crypto v0.16.0 - golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb + golang.org/x/exp v0.0.0-20231219180239-dc181d75b848 golang.org/x/net v0.19.0 golang.org/x/sys v0.15.0 gopkg.in/natefinch/lumberjack.v2 v2.2.1 diff --git a/go.sum b/go.sum index ac3c236d..a466c3d6 100644 --- a/go.sum +++ b/go.sum @@ -1,7 +1,7 @@ -github.com/AdguardTeam/dnsproxy v0.62.0 h1:IaWW+Ln4SJ4V+y8qyVlTlYDN3ATDkqWCufph+Gxz82c= -github.com/AdguardTeam/dnsproxy v0.62.0/go.mod h1:IdmXdkpc+m+S2EajJkVZDZm//yQ4mQm2FCOugQpc/N8= -github.com/AdguardTeam/golibs v0.18.1 h1:6u0fvrIj2qjUsRdbIGJ9AR0g5QRSWdKIo/DYl3tp5aM= -github.com/AdguardTeam/golibs v0.18.1/go.mod h1:DKhCIXHcUYtBhU8ibTLKh1paUL96n5zhQBlx763sj+U= +github.com/AdguardTeam/dnsproxy v0.63.0 h1:Mpce87y9/RXy8b3A8gZ56Mfxl31fyjukesdm9T+MkR0= +github.com/AdguardTeam/dnsproxy v0.63.0/go.mod h1:dRRAFOjrq4QYM92jGs4lt4BoY0Dm3EY3HkaleoM2Feo= +github.com/AdguardTeam/golibs v0.19.0 h1:y/x+Xn3pDg1ZfQ+QEZapPJqaeVYUIMp/EODMtVhn7PM= +github.com/AdguardTeam/golibs v0.19.0/go.mod h1:3WunclLLfrVAq7fYQRhd6f168FHOEMssnipVXCxDL/w= github.com/AdguardTeam/urlfilter v0.17.3 h1:fg/ObbnO0Cv6aw0tW6N/ETDMhhNvmcUUOZ7HlmKC3rw= github.com/AdguardTeam/urlfilter v0.17.3/go.mod h1:Jru7jFfeH2CoDf150uDs+rRYcZBzHHBz05r9REyDKyE= github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I= 
@@ -122,8 +122,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY= golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= -golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb h1:c0vyKkb6yr3KR7jEfJaOSv4lG7xPkbN6r52aJz1d8a8= -golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI= +golang.org/x/exp v0.0.0-20231219180239-dc181d75b848 h1:+iq7lrkxmFNBM7xx+Rae2W6uyPfhPeDWD+n+JgppptE= +golang.org/x/exp v0.0.0-20231219180239-dc181d75b848/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI= golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= diff --git a/internal/client/addrproc.go b/internal/client/addrproc.go index 2b8046f6..76ff1367 100644 --- a/internal/client/addrproc.go +++ b/internal/client/addrproc.go @@ -262,8 +262,7 @@ func (p *DefaultAddrProc) processRDNS(ip netip.Addr) (host string) { // shouldResolve returns false if ip is a loopback address, or ip is private and // resolving of private addresses is disabled. func (p *DefaultAddrProc) shouldResolve(ip netip.Addr) (ok bool) { - return !ip.IsLoopback() && - (p.usePrivateRDNS || !p.privateSubnets.Contains(ip.AsSlice())) + return !ip.IsLoopback() && (p.usePrivateRDNS || !p.privateSubnets.Contains(ip)) } // processWHOIS looks up the information about clients' IP addresses in the diff --git a/internal/dnsforward/config.go b/internal/dnsforward/config.go index 4ad2a29d..2a11773d 100644 --- a/internal/dnsforward/config.go +++ b/internal/dnsforward/config.go 
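Review bot: `p.privateSubnets.Contains(ip)` on the new side of shouldResolve hands the netip.Addr to the set as-is, whereas the removed `ip.AsSlice()` form went through a byte-slice matcher; if ip can ever be an IPv4-mapped IPv6 address (`::ffff:a.b.c.d`), the two may classify it differently, and a private address that is no longer recognised as private would be resolved even with private rDNS disabled. Either normalise at the call site, `return !ip.IsLoopback() && (p.usePrivateRDNS || !p.privateSubnets.Contains(ip.Unmap()))`, or confirm that the SubnetSet built from the private ranges already treats 4in6 addresses as their IPv4 form, and pin it with a test that passes a mapped address. The same switch from `AsSlice()` to the bare address is made in `Server.Exchange` and `processDetermineLocal` (dnsforward.go, process.go), in `processRestrictLocal` and in `ValidateUpstreamsPrivate`, so whichever answer holds applies to all of them.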
@@ -110,11 +110,10 @@ type Config struct { // BlockedHosts is the list of hosts that should be blocked. BlockedHosts []string `yaml:"blocked_hosts"` - // TrustedProxies is the list of IP addresses and CIDR networks to detect - // proxy servers addresses the DoH requests from which should be handled. - // The value of nil or an empty slice for this field makes Proxy not trust - // any address. - TrustedProxies []string `yaml:"trusted_proxies"` + // TrustedProxies is the list of CIDR networks with proxy servers addresses + // from which the DoH requests should be handled. The value of nil or an + // empty slice for this field makes Proxy not trust any address. + TrustedProxies []netutil.Prefix `yaml:"trusted_proxies"` // DNS cache settings @@ -303,6 +302,8 @@ const ( // newProxyConfig creates and validates configuration for the main proxy. func (s *Server) newProxyConfig() (conf *proxy.Config, err error) { srvConf := s.conf + trustedPrefixes := netutil.UnembedPrefixes(srvConf.TrustedProxies) + conf = &proxy.Config{ HTTP3: srvConf.ServeHTTP3, Ratelimit: int(srvConf.Ratelimit), @@ -310,7 +311,7 @@ func (s *Server) newProxyConfig() (conf *proxy.Config, err error) { RatelimitSubnetLenIPv6: srvConf.RatelimitSubnetLenIPv6, RatelimitWhitelist: srvConf.RatelimitWhitelist, RefuseAny: srvConf.RefuseAny, - TrustedProxies: srvConf.TrustedProxies, + TrustedProxies: netutil.SliceSubnetSet(trustedPrefixes), CacheMinTTL: srvConf.CacheMinTTL, CacheMaxTTL: srvConf.CacheMaxTTL, CacheOptimistic: srvConf.CacheOptimistic, diff --git a/internal/dnsforward/dnsforward.go b/internal/dnsforward/dnsforward.go index 612cf369..2da21391 100644 --- a/internal/dnsforward/dnsforward.go +++ b/internal/dnsforward/dnsforward.go 
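Review bot: The new TrustedProxies comment drops the old wording that accepted plain IP addresses next to CIDR networks, and the field is now decoded straight into `[]netutil.Prefix`; if the Prefix text unmarshaler does not accept a bare address, an existing config with an entry such as `trusted_proxies: ["10.0.0.5"]` (constructed example) stops loading after the upgrade. Either confirm that bare addresses are accepted or add a migration step, and state the accepted forms in the comment, e.g. `// Each entry is a CIDR prefix; a bare address is accepted as a /32 or /128.`, only if that is in fact the behaviour. The same type change is made to dnsConfig.PrivateNets in internal/home/config.go. In newProxyConfig the "nil or an empty slice ... not trust any address" guarantee now rests on `netutil.SliceSubnetSet(trustedPrefixes)` matching nothing for an empty slice; a one-line test pinning that would protect the trust-nothing default, since it decides which DoH peers are treated as proxies.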
@@ -311,7 +311,7 @@ func (s *Server) WriteDiskConfig(c *Config) { c.AllowedClients = stringutil.CloneSlice(sc.AllowedClients) c.DisallowedClients = stringutil.CloneSlice(sc.DisallowedClients) c.BlockedHosts = stringutil.CloneSlice(sc.BlockedHosts) - c.TrustedProxies = stringutil.CloneSlice(sc.TrustedProxies) + c.TrustedProxies = slices.Clone(sc.TrustedProxies) c.UpstreamDNS = stringutil.CloneSlice(sc.UpstreamDNS) } @@ -390,7 +390,7 @@ func (s *Server) Exchange(ip netip.Addr) (host string, ttl time.Duration, err er var resolver *proxy.Proxy var errMsg string - if s.privateNets.Contains(ip.AsSlice()) { + if s.privateNets.Contains(ip) { if !s.conf.UsePrivateRDNS { return "", 0, nil } diff --git a/internal/dnsforward/process.go b/internal/dnsforward/process.go index 4bab42f9..8cfe923a 100644 --- a/internal/dnsforward/process.go +++ b/internal/dnsforward/process.go @@ -36,11 +36,8 @@ type dnsContext struct { // unreversedReqIP stores an IP address obtained from a PTR request if it // was parsed successfully and belongs to one of the locally served IP - // ranges. It is also filled with unmapped version of the address if it's - // within DNS64 prefixes. - // - // TODO(e.burkov): Use netip.Addr when we switch to netip more fully. - unreversedReqIP net.IP + // ranges. + unreversedReqIP netip.Addr // err is the error returned from a processing function. err error @@ -350,7 +347,7 @@ func (s *Server) processDetermineLocal(dctx *dnsContext) (rc resultCode) { rc = resultCodeSuccess - dctx.isLocalClient = s.privateNets.Contains(dctx.proxyCtx.Addr.Addr().AsSlice()) + dctx.isLocalClient = s.privateNets.Contains(dctx.proxyCtx.Addr.Addr()) return rc } 
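Review bot: The rewritten unreversedReqIP comment in dnsContext removes the sentence saying the field is also filled with the unmapped address when the request falls within a DNS64 prefix, but this hunk only changes the field's type; if that assignment still exists elsewhere in process.go, the comment is now incomplete and should keep a line such as `// It is also set to the unmapped address when the request falls within a DNS64 prefix.` If that path was removed as part of this change, disregard this. In WriteDiskConfig, `slices.Clone(sc.TrustedProxies)` is a shallow copy, which is correct here only because netutil.Prefix appears to be a plain value wrapping a netip.Prefix (see the default literal in internal/home/config.go); a short comment, `// Shallow clone is enough: netutil.Prefix holds no pointers.`, would stop a later reader from "fixing" it.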
@@ -491,14 +488,7 @@ func extractARPASubnet(domain string) (pref netip.Prefix, err error) { } } - var subnet *net.IPNet - subnet, err = netutil.SubnetFromReversedAddr(domain[idx:]) - if err != nil { - // Don't wrap the error since it's informative enough as is. - return netip.Prefix{}, err - } - - return netutil.IPNetToPrefixNoMapped(subnet) + return netutil.PrefixFromReversedAddr(domain[idx:]) } // processRestrictLocal responds with NXDOMAIN to PTR requests for IP addresses @@ -532,8 +522,7 @@ func (s *Server) processRestrictLocal(dctx *dnsContext) (rc resultCode) { // assume that all the DHCP leases we give are locally served or at least // shouldn't be accessible externally. subnetAddr := subnet.Addr() - addrData := subnetAddr.AsSlice() - if !s.privateNets.Contains(addrData) { + if !s.privateNets.Contains(subnetAddr) { return resultCodeSuccess } @@ -548,7 +537,7 @@ func (s *Server) processRestrictLocal(dctx *dnsContext) (rc resultCode) { } // Do not perform unreversing ever again. - dctx.unreversedReqIP = addrData + dctx.unreversedReqIP = subnetAddr // There is no need to filter request from external addresses since this // code is only executed when the request is for locally served ARPA @@ -573,16 +562,8 @@ func (s *Server) processDHCPAddrs(dctx *dnsContext) (rc resultCode) { return resultCodeSuccess } - ip := dctx.unreversedReqIP - if ip == nil { - return resultCodeSuccess - } - - // TODO(a.garipov): Remove once we switch to [netip.Addr] more fully. - ipAddr, err := netutil.IPToAddrNoMapped(ip) - if err != nil { - log.Debug("dnsforward: bad reverse ip %v from dhcp: %s", ip, err) - + ipAddr := dctx.unreversedReqIP + if ipAddr == (netip.Addr{}) { return resultCodeSuccess } @@ -591,7 +572,7 @@ func (s *Server) processDHCPAddrs(dctx *dnsContext) (rc resultCode) { return resultCodeSuccess } - log.Debug("dnsforward: dhcp client %s is %q", ip, host) + log.Debug("dnsforward: dhcp client %s is %q", ipAddr, host) req := pctx.Req resp := s.makeResponse(req) 
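Review bot: `if ipAddr == (netip.Addr{})` in processDHCPAddrs compares against the zero value where netip provides `if !ipAddr.IsValid()`, which states the intent rather than the representation; the same comparison is added in processLocalPTR in the next hunk, where `ip == nil` was the equivalent on the old side. Separately, the removed block in processDHCPAddrs ran the address through IPToAddrNoMapped before the DHCP lookup and nothing on the new side unmaps; if PrefixFromReversedAddr can yield a 4in6 address for an ip6.arpa name, the lease lookup that follows would receive `::ffff:a.b.c.d` where it used to receive the plain IPv4 address. Worth a test with such a PTR name, or an `ipAddr = ipAddr.Unmap()` next to the validity check if the lookup is IPv4-keyed. The body of processDHCPAddrs continues outside the hunk.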
@@ -624,7 +605,7 @@ func (s *Server) processLocalPTR(dctx *dnsContext) (rc resultCode) { } ip := dctx.unreversedReqIP - if ip == nil { + if ip == (netip.Addr{}) { return resultCodeSuccess } diff --git a/internal/dnsforward/process_internal_test.go b/internal/dnsforward/process_internal_test.go index bec9c98e..2c919d7d 100644 --- a/internal/dnsforward/process_internal_test.go +++ b/internal/dnsforward/process_internal_test.go @@ -795,7 +795,7 @@ func TestServer_ProcessLocalPTR_usingResolvers(t *testing.T) { } dnsCtx = &dnsContext{ proxyCtx: proxyCtx, - unreversedReqIP: net.IP{192, 168, 1, 1}, + unreversedReqIP: netip.MustParseAddr("192.168.1.1"), } s.conf.UsePrivateRDNS = use } diff --git a/internal/dnsforward/upstreams.go b/internal/dnsforward/upstreams.go index d9644dec..5fed582a 100644 --- a/internal/dnsforward/upstreams.go +++ b/internal/dnsforward/upstreams.go @@ -298,7 +298,7 @@ func ValidateUpstreamsPrivate(upstreams []string, privateNets netutil.SubnetSet) continue } - if !privateNets.Contains(subnet.Addr().AsSlice()) { + if !privateNets.Contains(subnet.Addr()) { errs = append( errs, fmt.Errorf("arpa domain %q should point to a locally-served network", domain), diff --git a/internal/filtering/hosts.go b/internal/filtering/hosts.go index 2f747669..79cb69ac 100644 --- a/internal/filtering/hosts.go +++ b/internal/filtering/hosts.go @@ -53,15 +53,13 @@ func hostsRewrites( case dns.TypeAAAA: isValidProto = netip.Addr.Is6 case dns.TypePTR: - // TODO(e.burkov): Add some [netip]-aware alternative to [netutil]. - ip, err := netutil.IPFromReversedAddr(host) + addr, err := netutil.IPFromReversedAddr(host) if err != nil { log.Debug("filtering: failed to parse PTR record %q: %s", host, err) return nil, nil, false } - addr, _ := netip.AddrFromSlice(ip) names := hs.ByAddr(addr) for _, name := range names { diff --git a/internal/home/config.go b/internal/home/config.go index 753e1260..fac08df0 100644 --- a/internal/home/config.go +++ b/internal/home/config.go 
@@ -20,6 +20,7 @@ import ( "github.com/AdguardTeam/dnsproxy/fastip" "github.com/AdguardTeam/golibs/errors" "github.com/AdguardTeam/golibs/log" + "github.com/AdguardTeam/golibs/netutil" "github.com/AdguardTeam/golibs/timeutil" "github.com/google/renameio/v2/maybe" yaml "gopkg.in/yaml.v3" @@ -200,7 +201,7 @@ type dnsConfig struct { // PrivateNets is the set of IP networks for which the private reverse DNS // resolver should be used. - PrivateNets []string `yaml:"private_networks"` + PrivateNets []netutil.Prefix `yaml:"private_networks"` // UsePrivateRDNS defines if the PTR requests for unknown addresses from // locally-served networks should be resolved via private PTR resolvers. @@ -321,8 +322,12 @@ var config = &configuration{ Duration: fastip.DefaultPingWaitTimeout, }, - TrustedProxies: []string{"127.0.0.0/8", "::1/128"}, - CacheSize: 4 * 1024 * 1024, + TrustedProxies: []netutil.Prefix{{ + Prefix: netip.MustParsePrefix("127.0.0.0/8"), + }, { + Prefix: netip.MustParsePrefix("::1/128"), + }}, + CacheSize: 4 * 1024 * 1024, EDNSClientSubnet: &dnsforward.EDNSClientSubnet{ CustomIP: netip.Addr{}, diff --git a/internal/home/dns.go b/internal/home/dns.go index 38f05b63..5d601694 100644 --- a/internal/home/dns.go +++ b/internal/home/dns.go @@ -127,16 +127,11 @@ func initDNSServer( httpReg aghhttp.RegisterFunc, tlsConf *tlsConfigSettings, ) (err error) { - privateNets, err := parseSubnetSet(config.DNS.PrivateNets) - if err != nil { - return fmt.Errorf("preparing set of private subnets: %w", err) - } - Context.dnsServer, err = dnsforward.NewServer(dnsforward.DNSCreateParams{ DNSFilter: filters, Stats: sts, QueryLog: qlog, - PrivateNets: privateNets, + PrivateNets: parseSubnetSet(config.DNS.PrivateNets), Anonymizer: anonymizer, DHCPServer: dhcpSrv, EtcHosts: Context.etcHosts, 
@@ -169,26 +164,15 @@ func initDNSServer( // parseSubnetSet parses a slice of subnets. If the slice is empty, it returns // a subnet set that matches all locally served networks, see // [netutil.IsLocallyServed]. -func parseSubnetSet(nets []string) (s netutil.SubnetSet, err error) { +func parseSubnetSet(nets []netutil.Prefix) (s netutil.SubnetSet) { switch len(nets) { case 0: // Use an optimized function-based matcher. - return netutil.SubnetSetFunc(netutil.IsLocallyServed), nil + return netutil.SubnetSetFunc(netutil.IsLocallyServed) case 1: - s, err = netutil.ParseSubnet(nets[0]) - if err != nil { - return nil, err - } - - return s, nil + return nets[0].Prefix default: - var nets []*net.IPNet - nets, err = netutil.ParseSubnets(config.DNS.PrivateNets...) - if err != nil { - return nil, err - } - - return netutil.SliceSubnetSet(nets), nil + return netutil.SliceSubnetSet(netutil.UnembedPrefixes(nets)) } } diff --git a/internal/whois/whois.go b/internal/whois/whois.go index b2d20a80..37f1dec8 100644 --- a/internal/whois/whois.go +++ b/internal/whois/whois.go @@ -268,7 +268,7 @@ var _ Interface = (*Default)(nil) // Process makes WHOIS request and returns WHOIS information or nil. changed // indicates that Info was updated since last request. func (w *Default) Process(ctx context.Context, ip netip.Addr) (wi *Info, changed bool) { - if netutil.IsSpecialPurposeAddr(ip) { + if netutil.IsSpecialPurpose(ip) { return nil, false }
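Review bot: parseSubnetSet no longer parses anything — its input is already `[]netutil.Prefix` — so the name and the comment "parses a slice of subnets" now mislead; at minimum change the first line to `// parseSubnetSet returns a subnet set built from nets. If the slice is empty, it returns` and consider renaming the function the next time its callers are touched. The `case 1` branch returns `nets[0].Prefix` directly as the set, which relies on netip.Prefix satisfying netutil.SubnetSet through its Contains method; a one-line comment saying so would help readers who expect a netutil constructor there, as in the other two branches.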