daxi20/AdGuardHome
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

dnsforward: allowed clients private nets

Browse Source
This commit is contained in:
Dimitry Kolyshev
2023-05-18 13:59:37 +03:00
parent 9caf0d54c6
commit 668155b367
4 changed files with 25 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGELOG.md
View File

@@ -30,8 +30,8 @@ NOTE: Add new changes BELOW THIS COMMENT.
### Fixed ### Fixed
- Locally served address are now ignored from allowed/blocked clients access - Private networks are now ignored from allowed/blocked clients access lists.
lists. These addresses are always allowed ([#5799]). These addresses are always allowed ([#5799]).
- Unquoted IPv6 bind hosts with trailing colons erroneously considered - Unquoted IPv6 bind hosts with trailing colons erroneously considered
unspecified addresses are now properly validated ([#5752]). unspecified addresses are now properly validated ([#5752]).

18
internal/dnsforward/access.go
View File

@@ -31,6 +31,9 @@ type accessManager struct {
blockedHostsEng *urlfilter.DNSEngine blockedHostsEng *urlfilter.DNSEngine
// privateNets is the set of IP networks those are ignored by the manager.
privateNets netutil.SubnetSet
// TODO(a.garipov): Create a type for a set of IP networks. // TODO(a.garipov): Create a type for a set of IP networks.
allowedNets []netip.Prefix allowedNets []netip.Prefix
blockedNets []netip.Prefix blockedNets []netip.Prefix
@@ -65,13 +68,20 @@ func processAccessClients(
} }
// newAccessCtx creates a new accessCtx. // newAccessCtx creates a new accessCtx.
func newAccessCtx(allowed, blocked, blockedHosts []string) (a *accessManager, err error) { func newAccessCtx(
allowed []string,
blocked []string,
blockedHosts []string,
privateNets netutil.SubnetSet,
) (a *accessManager, err error) {
a = &accessManager{ a = &accessManager{
allowedIPs: map[netip.Addr]unit{}, allowedIPs: map[netip.Addr]unit{},
blockedIPs: map[netip.Addr]unit{}, blockedIPs: map[netip.Addr]unit{},
allowedClientIDs: stringutil.NewSet(), allowedClientIDs: stringutil.NewSet(),
blockedClientIDs: stringutil.NewSet(), blockedClientIDs: stringutil.NewSet(),
privateNets: privateNets,
} }
err = processAccessClients(allowed, a.allowedIPs, &a.allowedNets, a.allowedClientIDs) err = processAccessClients(allowed, a.allowedIPs, &a.allowedNets, a.allowedClientIDs)
@@ -140,9 +150,9 @@ func (a *accessManager) isBlockedHost(host string, qt rules.RRType) (ok bool) {
} }
// isBlockedIP returns the status of the IP address blocking as well as the // isBlockedIP returns the status of the IP address blocking as well as the
// rule that blocked it. Locally served addresses are always allowed. // rule that blocked it. Addresses from private nets are always allowed.
func (a *accessManager) isBlockedIP(ip netip.Addr) (blocked bool, rule string) { func (a *accessManager) isBlockedIP(ip netip.Addr) (blocked bool, rule string) {
if netutil.IsLocallyServedAddr(ip) { if a.privateNets.Contains(ip.AsSlice()) {
return false, "" return false, ""
} }
@@ -246,7 +256,7 @@ func (s *Server) handleAccessSet(w http.ResponseWriter, r *http.Request) {
} }
var a *accessManager var a *accessManager
a, err = newAccessCtx(list.AllowedClients, list.DisallowedClients, list.BlockedHosts) a, err = newAccessCtx(list.AllowedClients, list.DisallowedClients, list.BlockedHosts, nil)
if err != nil { if err != nil {
aghhttp.Error(r, w, http.StatusBadRequest, "creating access ctx: %s", err) aghhttp.Error(r, w, http.StatusBadRequest, "creating access ctx: %s", err)

13
internal/dnsforward/access_test.go
View File

@@ -4,6 +4,7 @@ import (
"net/netip" "net/netip"
"testing" "testing"
"github.com/AdguardTeam/golibs/netutil"
"github.com/AdguardTeam/urlfilter/rules" "github.com/AdguardTeam/urlfilter/rules"
"github.com/miekg/dns" "github.com/miekg/dns"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
@@ -14,12 +15,12 @@ func TestIsBlockedClientID(t *testing.T) {
clientID := "client-1" clientID := "client-1"
clients := []string{clientID} clients := []string{clientID}
a, err := newAccessCtx(clients, nil, nil) a, err := newAccessCtx(clients, nil, nil, nil)
require.NoError(t, err) require.NoError(t, err)
assert.False(t, a.isBlockedClientID(clientID)) assert.False(t, a.isBlockedClientID(clientID))
a, err = newAccessCtx(nil, clients, nil) a, err = newAccessCtx(nil, clients, nil, nil)
require.NoError(t, err) require.NoError(t, err)
assert.True(t, a.isBlockedClientID(clientID)) assert.True(t, a.isBlockedClientID(clientID))
@@ -31,7 +32,7 @@ func TestIsBlockedHost(t *testing.T) {
"*.host.com", "*.host.com",
"||host3.com^", "||host3.com^",
"||*^$dnstype=HTTPS", "||*^$dnstype=HTTPS",
}) }, nil)
require.NoError(t, err) require.NoError(t, err)
testCases := []struct { testCases := []struct {
@@ -109,7 +110,8 @@ func TestAccessManager_IsBlockedIP_allow(t *testing.T) {
"5.6.7.8/24", "5.6.7.8/24",
} }
allowCtx, err := newAccessCtx(clients, nil, nil) privateNets := netutil.SubnetSetFunc(netutil.IsLocallyServed)
allowCtx, err := newAccessCtx(clients, nil, nil, privateNets)
require.NoError(t, err) require.NoError(t, err)
testCases := []struct { testCases := []struct {
@@ -159,7 +161,8 @@ func TestAccessManager_IsBlockedIP_block(t *testing.T) {
"5.6.7.8/24", "5.6.7.8/24",
} }
blockCtx, err := newAccessCtx(nil, clients, nil) privateNets := netutil.SubnetSetFunc(netutil.IsLocallyServed)
blockCtx, err := newAccessCtx(nil, clients, nil, privateNets)
require.NoError(t, err) require.NoError(t, err)
testCases := []struct { testCases := []struct {

1
internal/dnsforward/dnsforward.go
View File

@@ -509,6 +509,7 @@ func (s *Server) Prepare(conf *ServerConfig) (err error) {
s.conf.AllowedClients, s.conf.AllowedClients,
s.conf.DisallowedClients, s.conf.DisallowedClients,
s.conf.BlockedHosts, s.conf.BlockedHosts,
s.privateNets,
) )
if err != nil { if err != nil {
return fmt.Errorf("preparing access: %w", err) return fmt.Errorf("preparing access: %w", err)