Pull request 1966: 6050 upd urlfilter

Merge in DNS/adguard-home from upd-urlfilter to master Updates #6050. Squashed commit of the following: commit 80337ab02d616e25fa455e46c9535c088b5c5ea5 Merge: fb2cfd1a5 31f7aaecc Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Aug 23 16:50:49 2023 +0300 Merge branch 'master' into upd-urlfilter commit fb2cfd1a5c94d92030fc8832615764f100d010e5 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Aug 23 16:22:43 2023 +0300 dnsforward: imp code, docs commit 2900333bb85d4e064db9de27bd5bfe7c3ef00747 Merge: 977ed35e4 2bfc9fcb1 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Aug 22 18:06:05 2023 +0300 Merge branch 'master' into upd-urlfilter commit 977ed35e4ed377f1031721d58e0fcb58de1e74ac Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Aug 22 17:06:30 2023 +0300 all: log changes commit 1228a0770485799bf50bbe68005dbb0ba9a96a9c Merge: 78305eb2e 4b4036fa6 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Aug 22 16:51:42 2023 +0300 Merge branch 'master' into upd-urlfilter commit 78305eb2ebc3854dd11ce35d6b4c7eecccd7cc78 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Aug 22 15:55:05 2023 +0300 all: upd urlfilter commit 63a29e18d5034e5f9433121ff7e7c45aebfa1f0f Merge: 748c53430 762e5be97 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Mon Aug 21 20:12:49 2023 +0300 Merge branch 'master' into upd-urlfilter commit 748c5343020b0c6d4d4f16eb3d30b875c0a94e0f Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Mon Aug 21 20:07:44 2023 +0300 all: imp code, docs commit 91975140f3305a6793e07142f7c9a75120a4ce8c Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Thu Aug 17 16:16:19 2023 +0300 all: upd urlfilter
2023-08-23 16:58:24 +03:00
parent 31f7aaecc3
commit 28cfde9212
28 changed files with 335 additions and 314 deletions
--- a/internal/dnsforward/access.go
+++ b/internal/dnsforward/access.go
@@ -131,7 +131,6 @@ func (a *accessManager) isBlockedClientID(id string) (ok bool) {
 func (a *accessManager) isBlockedHost(host string, qt rules.RRType) (ok bool) {
 	_, ok = a.blockedHostsEng.MatchRequest(&urlfilter.DNSRequest{
 		Hostname: host,
-		ClientIP: "0.0.0.0",
 		DNSType:  qt,
 	})

--- a/internal/dnsforward/config.go
+++ b/internal/dnsforward/config.go
@@ -55,7 +55,7 @@ type FilteringConfig struct {
 	// Callbacks for other modules

 	// FilterHandler is an optional additional filtering callback.
-	FilterHandler func(clientAddr net.IP, clientID string, settings *filtering.Settings) `yaml:"-"`
+	FilterHandler func(cliAddr netip.Addr, clientID string, settings *filtering.Settings) `yaml:"-"`

 	// GetCustomUpstreamByClient is a callback that returns upstreams
 	// configuration based on the client IP address or ClientID.  It returns
@@ -71,11 +71,11 @@ type FilteringConfig struct {
 	BlockingMode BlockingMode `yaml:"blocking_mode"`

 	// BlockingIPv4 is the IP address to be returned for a blocked A request.
-	BlockingIPv4 net.IP `yaml:"blocking_ipv4"`
+	BlockingIPv4 netip.Addr `yaml:"blocking_ipv4"`

 	// BlockingIPv6 is the IP address to be returned for a blocked AAAA
 	// request.
-	BlockingIPv6 net.IP `yaml:"blocking_ipv6"`
+	BlockingIPv6 netip.Addr `yaml:"blocking_ipv6"`

 	// BlockedResponseTTL is the time-to-live value for blocked responses.  If
 	// 0, then default value is used (3600).
--- a/internal/dnsforward/dnsforward.go
+++ b/internal/dnsforward/dnsforward.go
@@ -645,7 +645,7 @@ func (s *Server) setupAddrProc() {
 }

 // validateBlockingMode returns an error if the blocking mode data aren't valid.
-func validateBlockingMode(mode BlockingMode, blockingIPv4, blockingIPv6 net.IP) (err error) {
+func validateBlockingMode(mode BlockingMode, blockingIPv4, blockingIPv6 netip.Addr) (err error) {
 	switch mode {
 	case
 		BlockingModeDefault,
@@ -654,10 +654,10 @@ func validateBlockingMode(mode BlockingMode, blockingIPv4, blockingIPv6 net.IP)
 		BlockingModeNullIP:
 		return nil
 	case BlockingModeCustomIP:
-		if blockingIPv4 == nil {
-			return fmt.Errorf("blocking_ipv4 must be set when blocking_mode is custom_ip")
-		} else if blockingIPv6 == nil {
-			return fmt.Errorf("blocking_ipv6 must be set when blocking_mode is custom_ip")
+		if !blockingIPv4.Is4() {
+			return fmt.Errorf("blocking_ipv4 must be valid ipv4 on custom_ip blocking_mode")
+		} else if !blockingIPv6.Is6() {
+			return fmt.Errorf("blocking_ipv6 must be valid ipv6 on custom_ip blocking_mode")
 		}

 		return nil
--- a/internal/dnsforward/dnsforward_test.go
+++ b/internal/dnsforward/dnsforward_test.go
@@ -243,17 +243,17 @@ func newResp(rcode int, req *dns.Msg, ans []dns.RR) (resp *dns.Msg) {
 }

 func assertGoogleAResponse(t *testing.T, reply *dns.Msg) {
-	assertResponse(t, reply, net.IP{8, 8, 8, 8})
+	assertResponse(t, reply, netip.AddrFrom4([4]byte{8, 8, 8, 8}))
 }

-func assertResponse(t *testing.T, reply *dns.Msg, ip net.IP) {
+func assertResponse(t *testing.T, reply *dns.Msg, ip netip.Addr) {
 	t.Helper()

 	require.Lenf(t, reply.Answer, 1, "dns server returned reply with wrong number of answers - %d", len(reply.Answer))

 	a, ok := reply.Answer[0].(*dns.A)
 	require.Truef(t, ok, "dns server returned wrong answer type instead of A: %v", reply.Answer[0])
-	assert.Truef(t, a.A.Equal(ip), "dns server returned wrong answer instead of %s: %s", ip, a.A)
+	assert.Equal(t, net.IP(ip.AsSlice()), a.A)
 }

 // sendTestMessagesAsync sends messages in parallel to check for race issues.
@@ -473,7 +473,7 @@ func TestSafeSearch(t *testing.T) {
 		OnLookupIP: func(_ context.Context, _, host string) (ips []net.IP, err error) {
 			ip4, ip6 := aghtest.HostToIPs(host)

-			return []net.IP{ip4, ip6}, nil
+			return []net.IP{ip4.AsSlice(), ip6.AsSlice()}, nil
 		},
 	}

@@ -514,12 +514,12 @@ func TestSafeSearch(t *testing.T) {
 	addr := s.dnsProxy.Addr(proxy.ProtoUDP).String()
 	client := &dns.Client{}

-	yandexIP := net.IP{213, 180, 193, 56}
+	yandexIP := netip.AddrFrom4([4]byte{213, 180, 193, 56})
 	googleIP, _ := aghtest.HostToIPs("forcesafesearch.google.com")

 	testCases := []struct {
 		host string
-		want net.IP
+		want netip.Addr
 	}{{
 		host: "yandex.com.",
 		want: yandexIP,
@@ -776,7 +776,7 @@ func TestClientRulesForCNAMEMatching(t *testing.T) {
 		TCPListenAddrs: []*net.TCPAddr{{}},
 		FilteringConfig: FilteringConfig{
 			ProtectionEnabled: true,
-			FilterHandler: func(_ net.IP, _ string, settings *filtering.Settings) {
+			FilterHandler: func(_ netip.Addr, _ string, settings *filtering.Settings) {
 				settings.FilteringEnabled = false
 			},
 			EDNSClientSubnet: &EDNSClientSubnet{
@@ -876,7 +876,8 @@ func TestBlockedCustomIP(t *testing.T) {
 		FilteringConfig: FilteringConfig{
 			ProtectionEnabled: true,
 			BlockingMode:      BlockingModeCustomIP,
-			BlockingIPv4:      nil,
+			BlockingIPv4:      netip.Addr{},
+			BlockingIPv6:      netip.Addr{},
 			UpstreamDNS:       []string{"8.8.8.8:53", "8.8.4.4:53"},
 			EDNSClientSubnet: &EDNSClientSubnet{
 				Enabled: false,
@@ -888,8 +889,8 @@ func TestBlockedCustomIP(t *testing.T) {
 	err = s.Prepare(conf)
 	assert.Error(t, err)

-	conf.BlockingIPv4 = net.IP{0, 0, 0, 1}
-	conf.BlockingIPv6 = net.ParseIP("::1")
+	conf.BlockingIPv4 = netip.AddrFrom4([4]byte{0, 0, 0, 1})
+	conf.BlockingIPv6 = netip.MustParseAddr("::1")

 	err = s.Prepare(conf)
 	require.NoError(t, err)
@@ -991,9 +992,7 @@ func TestBlockedBySafeBrowsing(t *testing.T) {
 	require.NoErrorf(t, err, "couldn't talk to server %s: %s", addr, err)
 	require.Lenf(t, reply.Answer, 1, "dns server %s returned reply with wrong number of answers - %d", addr, len(reply.Answer))

-	a, ok := reply.Answer[0].(*dns.A)
-	require.Truef(t, ok, "dns server %s returned wrong answer type instead of A: %v", addr, reply.Answer[0])
-	assert.Equal(t, ans4, a.A, "dns server %s returned wrong answer: %v", addr, a.A)
+	assertResponse(t, reply, ans4)
 }

 func TestRewrite(t *testing.T) {
--- a/internal/dnsforward/dnsrewrite.go
+++ b/internal/dnsforward/dnsrewrite.go
@@ -2,7 +2,7 @@ package dnsforward

 import (
 	"fmt"
-	"net"
+	"net/netip"

 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/dnsproxy/proxy"
@@ -44,13 +44,13 @@ func (s *Server) ansFromDNSRewriteIP(
 	rr rules.RRType,
 	req *dns.Msg,
 ) (ans dns.RR, err error) {
-	ip, ok := v.(net.IP)
+	ip, ok := v.(netip.Addr)
 	if !ok {
-		return nil, fmt.Errorf("value for rr type %s has type %T, not net.IP", dns.Type(rr), v)
+		return nil, fmt.Errorf("value for rr type %s has type %T, not netip.Addr", dns.Type(rr), v)
 	}

 	if rr == dns.TypeA {
-		return s.genAnswerA(req, ip.To4()), nil
+		return s.genAnswerA(req, ip), nil
 	}

 	return s.genAnswerAAAA(req, ip), nil
@@ -160,13 +160,13 @@ func (s *Server) filterDNSRewrite(
 		return errors.Error("no dns rewrite rule responses")
 	}

-	rr := req.Question[0].Qtype
-	values := dnsrr.Response[rr]
+	qtype := req.Question[0].Qtype
+	values := dnsrr.Response[qtype]
 	for i, v := range values {
 		var ans dns.RR
-		ans, err = s.filterDNSRewriteResponse(req, rr, v)
+		ans, err = s.filterDNSRewriteResponse(req, qtype, v)
 		if err != nil {
-			return fmt.Errorf("dns rewrite response for %d[%d]: %w", rr, i, err)
+			return fmt.Errorf("dns rewrite response for %s[%d]: %w", dns.Type(qtype), i, err)
 		}

 		resp.Answer = append(resp.Answer, ans)
--- a/internal/dnsforward/dnsrewrite_test.go
+++ b/internal/dnsforward/dnsrewrite_test.go
@@ -6,6 +6,7 @@ import (

 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
 	"github.com/AdguardTeam/dnsproxy/proxy"
+	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/AdguardTeam/urlfilter/rules"
 	"github.com/miekg/dns"
 	"github.com/stretchr/testify/assert"
@@ -15,8 +16,7 @@ import (
 func TestServer_FilterDNSRewrite(t *testing.T) {
 	// Helper data.
 	const domain = "example.com"
-	ip4 := net.IP{127, 0, 0, 1}
-	ip6 := net.IP{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}
+	ip4, ip6 := netutil.IPv4Localhost(), netutil.IPv6Localhost()
 	mxVal := &rules.DNSMX{
 		Exchange:   "mail.example.com",
 		Preference: 32,
@@ -89,7 +89,7 @@ func TestServer_FilterDNSRewrite(t *testing.T) {
 		assert.Equal(t, dns.RcodeSuccess, d.Res.Rcode)

 		require.Len(t, d.Res.Answer, 1)
-		assert.Equal(t, ip4, d.Res.Answer[0].(*dns.A).A)
+		assert.Equal(t, net.IP(ip4.AsSlice()), d.Res.Answer[0].(*dns.A).A)
 	})

 	t.Run("noerror_aaaa", func(t *testing.T) {
@@ -103,7 +103,7 @@ func TestServer_FilterDNSRewrite(t *testing.T) {
 		assert.Equal(t, dns.RcodeSuccess, d.Res.Rcode)

 		require.Len(t, d.Res.Answer, 1)
-		assert.Equal(t, ip6, d.Res.Answer[0].(*dns.AAAA).AAAA)
+		assert.Equal(t, net.IP(ip6.AsSlice()), d.Res.Answer[0].(*dns.AAAA).AAAA)
 	})

 	t.Run("noerror_ptr", func(t *testing.T) {
--- a/internal/dnsforward/filter.go
+++ b/internal/dnsforward/filter.go
@@ -59,8 +59,8 @@ func (s *Server) clientRequestFilteringSettings(dctx *dnsContext) (setts *filter
 	setts = s.dnsFilter.Settings()
 	setts.ProtectionEnabled = dctx.protectionEnabled
 	if s.conf.FilterHandler != nil {
-		ip, _ := netutil.IPAndPortFromAddr(dctx.proxyCtx.Addr)
-		s.conf.FilterHandler(ip, dctx.clientID, setts)
+		addrPort := netutil.NetAddrToAddrPort(dctx.proxyCtx.Addr)
+		s.conf.FilterHandler(addrPort.Addr(), dctx.clientID, setts)
 	}

 	return setts
@@ -125,7 +125,7 @@ func (s *Server) filterRewritten(
 	for _, ip := range res.IPList {
 		switch qt {
 		case dns.TypeA:
-			a := s.genAnswerA(req, ip.To4())
+			a := s.genAnswerA(req, ip)
 			a.Hdr.Name = dns.Fqdn(name)
 			resp.Answer = append(resp.Answer, a)
 		case dns.TypeAAAA:
--- a/internal/dnsforward/http.go
+++ b/internal/dnsforward/http.go
@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"net"
 	"net/http"
 	"net/netip"
 	"strings"
@@ -83,10 +82,10 @@ type jsonDNSConfig struct {
 	LocalPTRUpstreams *[]string `json:"local_ptr_upstreams"`

 	// BlockingIPv4 is custom IPv4 address for blocked A requests.
-	BlockingIPv4 net.IP `json:"blocking_ipv4"`
+	BlockingIPv4 netip.Addr `json:"blocking_ipv4"`

 	// BlockingIPv6 is custom IPv6 address for blocked AAAA requests.
-	BlockingIPv6 net.IP `json:"blocking_ipv6"`
+	BlockingIPv6 netip.Addr `json:"blocking_ipv6"`

 	// DisabledUntil is a timestamp until when the protection is disabled.
 	DisabledUntil *time.Time `json:"protection_disabled_until"`
@@ -297,8 +296,8 @@ func (s *Server) setConfig(dc *jsonDNSConfig) (shouldRestart bool) {
 	if dc.BlockingMode != nil {
 		s.conf.BlockingMode = *dc.BlockingMode
 		if *dc.BlockingMode == BlockingModeCustomIP {
-			s.conf.BlockingIPv4 = dc.BlockingIPv4.To4()
-			s.conf.BlockingIPv6 = dc.BlockingIPv6.To16()
+			s.conf.BlockingIPv4 = dc.BlockingIPv4
+			s.conf.BlockingIPv6 = dc.BlockingIPv6
 		}
 	}

--- a/internal/dnsforward/http_test.go
+++ b/internal/dnsforward/http_test.go
@@ -177,7 +177,7 @@ func TestDNSForwardHTTP_handleSetConfig(t *testing.T) {
 		wantSet: "",
 	}, {
 		name:    "blocking_mode_bad",
-		wantSet: "blocking_ipv4 must be set when blocking_mode is custom_ip",
+		wantSet: "blocking_ipv4 must be valid ipv4 on custom_ip blocking_mode",
 	}, {
 		name:    "ratelimit",
 		wantSet: "",
--- a/internal/dnsforward/msg.go
+++ b/internal/dnsforward/msg.go
@@ -1,7 +1,7 @@
 package dnsforward

 import (
-	"net"
+	"net/netip"
 	"time"

 	"github.com/AdguardTeam/AdGuardHome/internal/filtering"
@@ -9,6 +9,7 @@ import (
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/urlfilter/rules"
 	"github.com/miekg/dns"
+	"golang.org/x/exp/slices"
 )

 // makeResponse creates a DNS response by req and sets necessary flags.  It also
@@ -26,24 +27,13 @@ func (s *Server) makeResponse(req *dns.Msg) (resp *dns.Msg) {
 	return resp
 }

-// containsIP returns true if the IP is already in the list.
-func containsIP(ips []net.IP, ip net.IP) bool {
-	for _, a := range ips {
-		if a.Equal(ip) {
-			return true
-		}
-	}
-
-	return false
-}
-
 // ipsFromRules extracts unique non-IP addresses from the filtering result
 // rules.
-func ipsFromRules(resRules []*filtering.ResultRule) (ips []net.IP) {
+func ipsFromRules(resRules []*filtering.ResultRule) (ips []netip.Addr) {
 	for _, r := range resRules {
 		// len(resRules) and len(ips) are actually small enough for O(n^2) to do
 		// not raise performance questions.
-		if ip := r.IP; ip != nil && !containsIP(ips, ip) {
+		if ip := r.IP; ip != (netip.Addr{}) && !slices.Contains(ips, ip) {
 			ips = append(ips, ip)
 		}
 	}
@@ -84,7 +74,7 @@ func (s *Server) genDNSFilterMessage(

 // genForBlockingMode generates a filtered response to req based on the server's
 // blocking mode.
-func (s *Server) genForBlockingMode(req *dns.Msg, ips []net.IP) (resp *dns.Msg) {
+func (s *Server) genForBlockingMode(req *dns.Msg, ips []netip.Addr) (resp *dns.Msg) {
 	qt := req.Question[0].Qtype
 	switch m := s.conf.BlockingMode; m {
 	case BlockingModeCustomIP:
@@ -126,13 +116,13 @@ func (s *Server) genServerFailure(request *dns.Msg) *dns.Msg {
 	return &resp
 }

-func (s *Server) genARecord(request *dns.Msg, ip net.IP) *dns.Msg {
+func (s *Server) genARecord(request *dns.Msg, ip netip.Addr) *dns.Msg {
 	resp := s.makeResponse(request)
 	resp.Answer = append(resp.Answer, s.genAnswerA(request, ip))
 	return resp
 }

-func (s *Server) genAAAARecord(request *dns.Msg, ip net.IP) *dns.Msg {
+func (s *Server) genAAAARecord(request *dns.Msg, ip netip.Addr) *dns.Msg {
 	resp := s.makeResponse(request)
 	resp.Answer = append(resp.Answer, s.genAnswerAAAA(request, ip))
 	return resp
@@ -147,17 +137,17 @@ func (s *Server) hdr(req *dns.Msg, rrType rules.RRType) (h dns.RR_Header) {
 	}
 }

-func (s *Server) genAnswerA(req *dns.Msg, ip net.IP) (ans *dns.A) {
+func (s *Server) genAnswerA(req *dns.Msg, ip netip.Addr) (ans *dns.A) {
 	return &dns.A{
 		Hdr: s.hdr(req, dns.TypeA),
-		A:   ip,
+		A:   ip.AsSlice(),
 	}
 }

-func (s *Server) genAnswerAAAA(req *dns.Msg, ip net.IP) (ans *dns.AAAA) {
+func (s *Server) genAnswerAAAA(req *dns.Msg, ip netip.Addr) (ans *dns.AAAA) {
 	return &dns.AAAA{
 		Hdr:  s.hdr(req, dns.TypeAAAA),
-		AAAA: ip,
+		AAAA: ip.AsSlice(),
 	}
 }

@@ -204,22 +194,24 @@ func (s *Server) genAnswerTXT(req *dns.Msg, strs []string) (ans *dns.TXT) {
 // addresses and an appropriate resource record type.  If any of the IPs cannot
 // be converted to the correct protocol, genResponseWithIPs returns an empty
 // response.
-func (s *Server) genResponseWithIPs(req *dns.Msg, ips []net.IP) (resp *dns.Msg) {
+func (s *Server) genResponseWithIPs(req *dns.Msg, ips []netip.Addr) (resp *dns.Msg) {
 	var ans []dns.RR
 	switch req.Question[0].Qtype {
 	case dns.TypeA:
 		for _, ip := range ips {
-			if ip4 := ip.To4(); ip4 == nil {
+			if ip.Is4() {
+				ans = append(ans, s.genAnswerA(req, ip))
+			} else {
 				ans = nil

 				break
 			}
-
-			ans = append(ans, s.genAnswerA(req, ip))
 		}
 	case dns.TypeAAAA:
 		for _, ip := range ips {
-			ans = append(ans, s.genAnswerAAAA(req, ip.To16()))
+			if ip.Is6() {
+				ans = append(ans, s.genAnswerAAAA(req, ip))
+			}
 		}
 	default:
 		// Go on and return an empty response.
@@ -240,9 +232,9 @@ func (s *Server) makeResponseNullIP(req *dns.Msg) (resp *dns.Msg) {
 	// converted into an empty slice instead of the zero IPv4.
 	switch req.Question[0].Qtype {
 	case dns.TypeA:
-		resp = s.genResponseWithIPs(req, []net.IP{{0, 0, 0, 0}})
+		resp = s.genResponseWithIPs(req, []netip.Addr{netip.IPv4Unspecified()})
 	case dns.TypeAAAA:
-		resp = s.genResponseWithIPs(req, []net.IP{net.IPv6zero})
+		resp = s.genResponseWithIPs(req, []netip.Addr{netip.IPv6Unspecified()})
 	default:
 		resp = s.makeResponse(req)
 	}
@@ -251,9 +243,9 @@ func (s *Server) makeResponseNullIP(req *dns.Msg) (resp *dns.Msg) {
 }

 func (s *Server) genBlockedHost(request *dns.Msg, newAddr string, d *proxy.DNSContext) *dns.Msg {
-	ip := net.ParseIP(newAddr)
-	if ip != nil {
-		return s.genResponseWithIPs(request, []net.IP{ip})
+	ip, err := netip.ParseAddr(newAddr)
+	if err == nil {
+		return s.genResponseWithIPs(request, []netip.Addr{ip})
 	}

 	// look up the hostname, TODO: cache
@@ -275,7 +267,7 @@ func (s *Server) genBlockedHost(request *dns.Msg, newAddr string, d *proxy.DNSCo
 		return s.genServerFailure(request)
 	}

-	err := prx.Resolve(newContext)
+	err = prx.Resolve(newContext)
 	if err != nil {
 		log.Printf("couldn't look up replacement host %q: %s", newAddr, err)