
Also block the CGNAT range (100.64.0.0/10)

This commit is contained in:
Jonathan Coates 2023-07-08 09:27:09 +01:00
parent 9ea7f45fa7
commit 8914b78816
No known key found for this signature in database
GPG Key ID: B9E431FF07C98D06
2 changed files with 26 additions and 1 deletions


@ -6,6 +6,7 @@
import com.google.common.net.InetAddresses;
import java.net.Inet4Address;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.InetSocketAddress;
@ -113,7 +114,6 @@ final class PrivatePattern implements AddressPredicate {
private static final Set<InetAddress> additionalAddresses = Arrays.stream(new String[]{
// Block various cloud providers internal IPs.
"100.100.100.200", // Alibaba
"192.0.0.192", // Oracle
}).map(InetAddresses::forString).collect(Collectors.toUnmodifiableSet());
@ -126,6 +126,7 @@ public boolean matches(InetAddress socketAddress) {
|| socketAddress.isSiteLocalAddress() // 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fec0::/10
|| socketAddress.isMulticastAddress() // 224.0.0.0/4, ff00::/8
|| isUniqueLocalAddress(socketAddress) // fd00::/8
|| isCarrierGradeNatAddress(socketAddress) // 100.64.0.0/10
|| additionalAddresses.contains(socketAddress);
}
@ -141,6 +142,19 @@ private boolean isUniqueLocalAddress(InetAddress address) {
// defined right now, so let's be conservative.
return address instanceof Inet6Address && (address.getAddress()[0] & 0xff) == 0xfd;
}
/**
* Determine if an IP address lives within the CGNAT address range (100.64.0.0/10).
*
* @param address The IP address to test.
* @return Whether this address sits in the CGNAT address range.
* @see <a href="https://en.wikipedia.org/wiki/Carrier-grade_NAT">Carrier-grade NAT on Wikipedia</a>
*/
private boolean isCarrierGradeNatAddress(InetAddress address) {
if (!(address instanceof Inet4Address)) return false;
var bytes = address.getAddress();
return bytes[0] == 100 && ((bytes[1] & 0xFF) >= 64 && (bytes[1] & 0xFF) <= 127);
}
}
}
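Review bot: With the new `isCarrierGradeNatAddress` check wired into `matches`, the `"100.100.100.200", // Alibaba` entry in `additionalAddresses` (hunk at line 113) is now redundant — 100.100.x.x lies inside 100.64.0.0/10 and is rejected before the set lookup is reached. It is harmless, but either drop it or annotate it so the next reader does not wonder why it is listed twice: `"100.100.100.200", // Alibaba (also inside the CGNAT range, kept for documentation)`. In `isCarrierGradeNatAddress` the range test could mirror the prefix-mask style of `isUniqueLocalAddress` two lines above: `return bytes[0] == 100 && (bytes[1] & 0xC0) == 0x40;` is equivalent, since a /10 fixes only the top two bits of the second octet. The `instanceof Inet4Address` guard relies on the JDK normalising IPv4-mapped IPv6 literals (`::ffff:100.64.0.1`) to `Inet4Address` — the existing `[0:0:0:0:0:ffff:c0a8:172]` site-local test suggests it does, but that assumption deserves its own test case. The enclosing class `PrivatePattern` extends beyond these hunks.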


@ -34,6 +34,8 @@ public void matchesPort() {
"172.17.0.1", "192.168.1.114", "[0:0:0:0:0:ffff:c0a8:172]", "10.0.0.1",
// Multicast
"224.0.0.1", "ff02::1",
// CGNAT
"100.64.0.0", "100.127.255.255",
// Cloud metadata providers
"100.100.100.200", // Alibaba
"192.0.0.192", // Oracle
@ -44,6 +46,15 @@ public void blocksLocalDomains(String domain) {
assertEquals(apply(CoreConfig.httpRules, domain, 80).action, Action.DENY);
}
@ParameterizedTest
@ValueSource(strings = {
// Ensure either side of the CGNAT range is allowed.
"100.63.255.255", "100.128.0.0"
})
public void allowsNonLocalDomains(String domain) {
assertEquals(apply(CoreConfig.httpRules, domain, 80).action, Action.ALLOW);
}
private Options apply(Iterable<AddressRule> rules, String host, int port) {
return AddressRule.apply(rules, host, new InetSocketAddress(host, port));
}
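Review bot: The new CGNAT cases (`"100.64.0.0", "100.127.255.255"`) exercise only dotted-quad literals, while the predicate under test guards on `instanceof Inet4Address`; an IPv4-mapped IPv6 spelling should be pinned the way the site-local list already pins `[0:0:0:0:0:ffff:c0a8:172]`. Adding `"[0:0:0:0:0:ffff:6440:0]", // 100.64.0.0 as IPv4-mapped IPv6` next to the two CGNAT values would catch a regression if mapped addresses ever stop being normalised to `Inet4Address` on the resolver path used by `apply`. The boundary pair in `allowsNonLocalDomains` is the right shape for a /10 check, though the method name promises more than the two CGNAT-adjacent literals it holds; a short comment such as `// Addresses just outside 100.64.0.0/10 must not be treated as private.` would make that scope explicit. The test class continues beyond these hunks.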