Pull request: AG-28961-upd-golibs

Squashed commit of the following:

commit b153bbc7100dd9184ca689f1755f068b63e3046b
Merge: d16da0cf6 4508ae860
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Wed Jan 17 13:56:34 2024 +0200

    Merge remote-tracking branch 'origin/master' into AG-28961-upd-golibs

commit d16da0cf61d050afd04f00ffc36bca550548edd9
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Wed Jan 17 09:52:03 2024 +0200

    all: imp code

commit 46aeca7221586ce0cdc91838764bbacdbdfa8620
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Wed Jan 17 09:50:10 2024 +0200

    all: imp code

commit 32bc83c0a909467655a258e2e879731a90dc96e6
Merge: ee51c6046 6dbeb5b97
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Tue Jan 16 15:42:32 2024 +0200

    Merge remote-tracking branch 'origin/master' into AG-28961-upd-golibs

    # Conflicts:
    #	go.mod
    #	go.sum

commit ee51c6046632f89fbe5aa8f6d857c239f060aba5
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Tue Jan 16 10:56:38 2024 +0200

    all: upd libs

commit 02c1dbd9b568cb9f6ec52a0e9835d0d39e3cd377
Merge: 1daba8342 58b47adaf
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Tue Jan 16 10:53:54 2024 +0200

    Merge remote-tracking branch 'origin/master' into AG-28961-upd-golibs

commit 1daba8342b72163c8a26380e083c4e497d6bb772
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Mon Jan 15 11:15:05 2024 +0200

    all: upd dnsproxy

commit b1670e8a81c04f400245e1316857578b549e58f1
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Mon Jan 15 10:46:27 2024 +0200

    dnsforward: imp code

commit 7b65a50fca37ad71b68a8bda504839a78b6f7319
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Fri Jan 12 14:14:34 2024 +0200

    all: upd golibs

internal/dnsforward/config.go

@@ -110,11 +110,10 @@ type Config struct {
 	// BlockedHosts is the list of hosts that should be blocked.
 	BlockedHosts []string `yaml:"blocked_hosts"`
 
-	// TrustedProxies is the list of IP addresses and CIDR networks to detect
-	// proxy servers addresses the DoH requests from which should be handled.
-	// The value of nil or an empty slice for this field makes Proxy not trust
-	// any address.
-	TrustedProxies []string `yaml:"trusted_proxies"`
+	// TrustedProxies is the list of CIDR networks with proxy servers addresses
+	// from which the DoH requests should be handled.  The value of nil or an
+	// empty slice for this field makes Proxy not trust any address.
+	TrustedProxies []netutil.Prefix `yaml:"trusted_proxies"`
 
 	// DNS cache settings
 
@@ -303,6 +302,8 @@ const (
 // newProxyConfig creates and validates configuration for the main proxy.
 func (s *Server) newProxyConfig() (conf *proxy.Config, err error) {
 	srvConf := s.conf
+	trustedPrefixes := netutil.UnembedPrefixes(srvConf.TrustedProxies)
+
 	conf = &proxy.Config{
 		HTTP3:                  srvConf.ServeHTTP3,
 		Ratelimit:              int(srvConf.Ratelimit),
@@ -310,7 +311,7 @@ func (s *Server) newProxyConfig() (conf *proxy.Config, err error) {
 		RatelimitSubnetLenIPv6: srvConf.RatelimitSubnetLenIPv6,
 		RatelimitWhitelist:     srvConf.RatelimitWhitelist,
 		RefuseAny:              srvConf.RefuseAny,
-		TrustedProxies:         srvConf.TrustedProxies,
+		TrustedProxies:         netutil.SliceSubnetSet(trustedPrefixes),
 		CacheMinTTL:            srvConf.CacheMinTTL,
 		CacheMaxTTL:            srvConf.CacheMaxTTL,
 		CacheOptimistic:        srvConf.CacheOptimistic,

internal/dnsforward/dnsforward.go

@@ -311,7 +311,7 @@ func (s *Server) WriteDiskConfig(c *Config) {
 	c.AllowedClients = stringutil.CloneSlice(sc.AllowedClients)
 	c.DisallowedClients = stringutil.CloneSlice(sc.DisallowedClients)
 	c.BlockedHosts = stringutil.CloneSlice(sc.BlockedHosts)
-	c.TrustedProxies = stringutil.CloneSlice(sc.TrustedProxies)
+	c.TrustedProxies = slices.Clone(sc.TrustedProxies)
 	c.UpstreamDNS = stringutil.CloneSlice(sc.UpstreamDNS)
 }
 
@@ -390,7 +390,7 @@ func (s *Server) Exchange(ip netip.Addr) (host string, ttl time.Duration, err er
 
 	var resolver *proxy.Proxy
 	var errMsg string
-	if s.privateNets.Contains(ip.AsSlice()) {
+	if s.privateNets.Contains(ip) {
 		if !s.conf.UsePrivateRDNS {
 			return "", 0, nil
 		}

internal/dnsforward/process.go

@@ -36,11 +36,8 @@ type dnsContext struct {
 
 	// unreversedReqIP stores an IP address obtained from a PTR request if it
 	// was parsed successfully and belongs to one of the locally served IP
-	// ranges.  It is also filled with unmapped version of the address if it's
-	// within DNS64 prefixes.
-	//
-	// TODO(e.burkov):  Use netip.Addr when we switch to netip more fully.
-	unreversedReqIP net.IP
+	// ranges.
+	unreversedReqIP netip.Addr
 
 	// err is the error returned from a processing function.
 	err error
@@ -350,7 +347,7 @@ func (s *Server) processDetermineLocal(dctx *dnsContext) (rc resultCode) {
 
 	rc = resultCodeSuccess
 
-	dctx.isLocalClient = s.privateNets.Contains(dctx.proxyCtx.Addr.Addr().AsSlice())
+	dctx.isLocalClient = s.privateNets.Contains(dctx.proxyCtx.Addr.Addr())
 
 	return rc
 }
@@ -491,14 +488,7 @@ func extractARPASubnet(domain string) (pref netip.Prefix, err error) {
 		}
 	}
 
-	var subnet *net.IPNet
-	subnet, err = netutil.SubnetFromReversedAddr(domain[idx:])
-	if err != nil {
-		// Don't wrap the error since it's informative enough as is.
-		return netip.Prefix{}, err
-	}
-
-	return netutil.IPNetToPrefixNoMapped(subnet)
+	return netutil.PrefixFromReversedAddr(domain[idx:])
 }
 
 // processRestrictLocal responds with NXDOMAIN to PTR requests for IP addresses
@@ -532,8 +522,7 @@ func (s *Server) processRestrictLocal(dctx *dnsContext) (rc resultCode) {
 	// assume that all the DHCP leases we give are locally served or at least
 	// shouldn't be accessible externally.
 	subnetAddr := subnet.Addr()
-	addrData := subnetAddr.AsSlice()
-	if !s.privateNets.Contains(addrData) {
+	if !s.privateNets.Contains(subnetAddr) {
 		return resultCodeSuccess
 	}
 
@@ -548,7 +537,7 @@ func (s *Server) processRestrictLocal(dctx *dnsContext) (rc resultCode) {
 	}
 
 	// Do not perform unreversing ever again.
-	dctx.unreversedReqIP = addrData
+	dctx.unreversedReqIP = subnetAddr
 
 	// There is no need to filter request from external addresses since this
 	// code is only executed when the request is for locally served ARPA
@@ -573,16 +562,8 @@ func (s *Server) processDHCPAddrs(dctx *dnsContext) (rc resultCode) {
 		return resultCodeSuccess
 	}
 
-	ip := dctx.unreversedReqIP
-	if ip == nil {
-		return resultCodeSuccess
-	}
-
-	// TODO(a.garipov):  Remove once we switch to [netip.Addr] more fully.
-	ipAddr, err := netutil.IPToAddrNoMapped(ip)
-	if err != nil {
-		log.Debug("dnsforward: bad reverse ip %v from dhcp: %s", ip, err)
-
+	ipAddr := dctx.unreversedReqIP
+	if ipAddr == (netip.Addr{}) {
 		return resultCodeSuccess
 	}
 
@@ -591,7 +572,7 @@ func (s *Server) processDHCPAddrs(dctx *dnsContext) (rc resultCode) {
 		return resultCodeSuccess
 	}
 
-	log.Debug("dnsforward: dhcp client %s is %q", ip, host)
+	log.Debug("dnsforward: dhcp client %s is %q", ipAddr, host)
 
 	req := pctx.Req
 	resp := s.makeResponse(req)
@@ -624,7 +605,7 @@ func (s *Server) processLocalPTR(dctx *dnsContext) (rc resultCode) {
 	}
 
 	ip := dctx.unreversedReqIP
-	if ip == nil {
+	if ip == (netip.Addr{}) {
 		return resultCodeSuccess
 	}
 

internal/dnsforward/process_internal_test.go

@@ -795,7 +795,7 @@ func TestServer_ProcessLocalPTR_usingResolvers(t *testing.T) {
 		}
 		dnsCtx = &dnsContext{
 			proxyCtx:        proxyCtx,
-			unreversedReqIP: net.IP{192, 168, 1, 1},
+			unreversedReqIP: netip.MustParseAddr("192.168.1.1"),
 		}
 		s.conf.UsePrivateRDNS = use
 	}

internal/dnsforward/upstreams.go

@@ -298,7 +298,7 @@ func ValidateUpstreamsPrivate(upstreams []string, privateNets netutil.SubnetSet)
 			continue
 		}
 
-		if !privateNets.Contains(subnet.Addr().AsSlice()) {
+		if !privateNets.Contains(subnet.Addr()) {
 			errs = append(
 				errs,
 				fmt.Errorf("arpa domain %q should point to a locally-served network", domain),