Pull request 2087: AG-27616-upd-proxy-ratelimit-whitelist

Squashed commit of the following:

commit 099a2eb11609a07a1cb72d9e15da3e668042de1d
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Tue Dec 5 17:25:49 2023 +0300

    all: upd proxy

commit db07130df80ed06b867f6ce6878908b1eb93a934
Merge: 9e6e8e7cf 75cb9d412
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Tue Dec 5 14:44:44 2023 +0300

    Merge branch 'master' into AG-27616-upd-proxy-ratelimit-whitelist

commit 9e6e8e7cfc80507cff81761dd3964cf7777ac58b
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Wed Nov 29 19:46:17 2023 +0300

    all: imp tests

commit e753bb53880c2a0791d97079a12960e0b1d667ed
Author: Stanislav Chzhen <s.chzhen@adguard.com>
Date:   Wed Nov 29 13:35:21 2023 +0300

    all: upd proxy ratelimit whitelist
Stanislav Chzhen
2023-12-05 17:43:50 +03:00
parent 75cb9d412a
commit 99af7f46de
13 changed files with 82 additions and 135 deletions


@@ -52,7 +52,7 @@ type jsonDNSConfig struct {
RatelimitSubnetLenIPv6 *int `json:"ratelimit_subnet_len_ipv6"`
// RatelimitWhitelist is a list of IP addresses excluded from rate limiting.
RatelimitWhitelist *[]string `json:"ratelimit_whitelist"`
RatelimitWhitelist *[]netip.Addr `json:"ratelimit_whitelist"`
// BlockingMode defines the way blocked responses are constructed.
BlockingMode *filtering.BlockingMode `json:"blocking_mode"`
@@ -129,7 +129,7 @@ func (s *Server) getDNSConfig() (c *jsonDNSConfig) {
ratelimit := s.conf.Ratelimit
ratelimitSubnetLenIPv4 := s.conf.RatelimitSubnetLenIPv4
ratelimitSubnetLenIPv6 := s.conf.RatelimitSubnetLenIPv6
ratelimitWhitelist := stringutil.CloneSliceOrEmpty(s.conf.RatelimitWhitelist)
ratelimitWhitelist := append([]netip.Addr{}, s.conf.RatelimitWhitelist...)
customIP := s.conf.EDNSClientSubnet.CustomIP
enableEDNSClientSubnet := s.conf.EDNSClientSubnet.Enabled
@@ -291,12 +291,6 @@ func (req *jsonDNSConfig) validate(privateNets netutil.SubnetSet) (err error) {
return err
}
err = req.checkRatelimitWhitelist()
if err != nil {
// Don't wrap the error since it's informative enough as is.
return err
}
err = req.checkBlockingMode()
if err != nil {
// Don't wrap the error since it's informative enough as is.
@@ -405,21 +399,6 @@ func checkInclusion(ptr *int, minN, maxN int) (err error) {
return nil
}
// checkRatelimitWhitelist returns an error if any of IP addresses is invalid.
func (req *jsonDNSConfig) checkRatelimitWhitelist() (err error) {
if req.RatelimitWhitelist == nil {
return nil
}
for i, ipStr := range *req.RatelimitWhitelist {
if _, err = netip.ParseAddr(ipStr); err != nil {
return fmt.Errorf("ratelimit whitelist: at index %d: %w", i, err)
}
}
return nil
}
// handleSetConfig handles requests to the POST /control/dns_config endpoint.
func (s *Server) handleSetConfig(w http.ResponseWriter, r *http.Request) {
req := &jsonDNSConfig{}
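Review bot: Removing the `req.checkRatelimitWhitelist()` call from `validate` leaves nothing that rejects invalid whitelist entries once the field is `*[]netip.Addr`. `netip.Addr.UnmarshalText` accepts an empty string and yields the zero `Addr` without an error, and a JSON `null` element is likewise left as the zero value, so `"ratelimit_whitelist": [""]` would now pass where `netip.ParseAddr("")` used to fail. This assumes the request body is decoded with encoding/json; the bodies of `handleSetConfig` and `validate` lie outside the visible hunks. I would keep the call in `validate` and have the method reject entries for which `IsValid()` is false, which also keeps the entry index in the error returned to the client. Zoned and IPv4-mapped forms are accepted exactly as before, and whether the rate limiter normalizes them before comparing is not visible here.

```go
// checkRatelimitWhitelist returns an error if any of IP addresses is invalid.
func (req *jsonDNSConfig) checkRatelimitWhitelist() (err error) {
	if req.RatelimitWhitelist == nil {
		return nil
	}

	for i, ip := range *req.RatelimitWhitelist {
		// An empty string or a null element decodes to the zero Addr
		// without an error, so validity has to be checked explicitly.
		if !ip.IsValid() {
			return fmt.Errorf("ratelimit whitelist: at index %d: invalid address", i)
		}
	}

	return nil
}
```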