Also block the CGNAT range (100.64.0.0/10)
This commit is contained in:
parent
9ea7f45fa7
commit
8914b78816
|
@ -6,6 +6,7 @@
|
||||||
|
|
||||||
import com.google.common.net.InetAddresses;
|
import com.google.common.net.InetAddresses;
|
||||||
|
|
||||||
|
import java.net.Inet4Address;
|
||||||
import java.net.Inet6Address;
|
import java.net.Inet6Address;
|
||||||
import java.net.InetAddress;
|
import java.net.InetAddress;
|
||||||
import java.net.InetSocketAddress;
|
import java.net.InetSocketAddress;
|
||||||
|
@ -113,7 +114,6 @@ final class PrivatePattern implements AddressPredicate {
|
||||||
|
|
||||||
private static final Set<InetAddress> additionalAddresses = Arrays.stream(new String[]{
|
private static final Set<InetAddress> additionalAddresses = Arrays.stream(new String[]{
|
||||||
// Block various cloud providers internal IPs.
|
// Block various cloud providers internal IPs.
|
||||||
"100.100.100.200", // Alibaba
|
|
||||||
"192.0.0.192", // Oracle
|
"192.0.0.192", // Oracle
|
||||||
}).map(InetAddresses::forString).collect(Collectors.toUnmodifiableSet());
|
}).map(InetAddresses::forString).collect(Collectors.toUnmodifiableSet());
|
||||||
|
|
||||||
|
@ -126,6 +126,7 @@ public boolean matches(InetAddress socketAddress) {
|
||||||
|| socketAddress.isSiteLocalAddress() // 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fec0::/10
|
|| socketAddress.isSiteLocalAddress() // 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fec0::/10
|
||||||
|| socketAddress.isMulticastAddress() // 224.0.0.0/4, ff00::/8
|
|| socketAddress.isMulticastAddress() // 224.0.0.0/4, ff00::/8
|
||||||
|| isUniqueLocalAddress(socketAddress) // fd00::/8
|
|| isUniqueLocalAddress(socketAddress) // fd00::/8
|
||||||
|
|| isCarrierGradeNatAddress(socketAddress) // 100.64.0.0/10
|
||||||
|| additionalAddresses.contains(socketAddress);
|
|| additionalAddresses.contains(socketAddress);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -141,6 +142,19 @@ private boolean isUniqueLocalAddress(InetAddress address) {
|
||||||
// defined right now, so let's be conservative.
|
// defined right now, so let's be conservative.
|
||||||
return address instanceof Inet6Address && (address.getAddress()[0] & 0xff) == 0xfd;
|
return address instanceof Inet6Address && (address.getAddress()[0] & 0xff) == 0xfd;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Determine if an IP address lives within the CGNAT address range (100.64.0.0/10).
|
||||||
|
*
|
||||||
|
* @param address The IP address to test.
|
||||||
|
* @return Whether this address sits in the CGNAT address range.
|
||||||
|
* @see <a href="https://en.wikipedia.org/wiki/Carrier-grade_NAT">Carrier-grade NAT on Wikipedia</a>
|
||||||
|
*/
|
||||||
|
private boolean isCarrierGradeNatAddress(InetAddress address) {
|
||||||
|
if (!(address instanceof Inet4Address)) return false;
|
||||||
|
var bytes = address.getAddress();
|
||||||
|
return bytes[0] == 100 && ((bytes[1] & 0xFF) >= 64 && (bytes[1] & 0xFF) <= 127);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
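Review bot: The new isCarrierGradeNatAddress compares the second octet against two bounds where a prefix mask expresses the /10 directly and reads as the CIDR it documents: `return bytes[0] == 100 && (bytes[1] & 0xC0) == 0x40;`. The `bytes[0] == 100` comparison on a signed byte is correct only because 100 is below 0x80; the sibling isUniqueLocalAddress (whose start lies outside its hunk) masks with `& 0xff` first, and using the same form here keeps the two checks consistent. In the additionalAddresses hunk, the Alibaba entry is dropped without a trace, so a comment such as `// 100.100.100.200 (Alibaba) is covered by isCarrierGradeNatAddress` would stop it being re-added later. The method is complete within the hunk; the enclosing class continues past it.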
@ -34,6 +34,8 @@ public void matchesPort() {
|
||||||
"172.17.0.1", "192.168.1.114", "[0:0:0:0:0:ffff:c0a8:172]", "10.0.0.1",
|
"172.17.0.1", "192.168.1.114", "[0:0:0:0:0:ffff:c0a8:172]", "10.0.0.1",
|
||||||
// Multicast
|
// Multicast
|
||||||
"224.0.0.1", "ff02::1",
|
"224.0.0.1", "ff02::1",
|
||||||
|
// CGNAT
|
||||||
|
"100.64.0.0", "100.127.255.255",
|
||||||
// Cloud metadata providers
|
// Cloud metadata providers
|
||||||
"100.100.100.200", // Alibaba
|
"100.100.100.200", // Alibaba
|
||||||
"192.0.0.192", // Oracle
|
"192.0.0.192", // Oracle
|
||||||
|
@ -44,6 +46,15 @@ public void blocksLocalDomains(String domain) {
|
||||||
assertEquals(apply(CoreConfig.httpRules, domain, 80).action, Action.DENY);
|
assertEquals(apply(CoreConfig.httpRules, domain, 80).action, Action.DENY);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ParameterizedTest
|
||||||
|
@ValueSource(strings = {
|
||||||
|
// Ensure either side of the CGNAT range is allowed.
|
||||||
|
"100.63.255.255", "100.128.0.0"
|
||||||
|
})
|
||||||
|
public void allowsNonLocalDomains(String domain) {
|
||||||
|
assertEquals(apply(CoreConfig.httpRules, domain, 80).action, Action.ALLOW);
|
||||||
|
}
|
||||||
|
|
||||||
private Options apply(Iterable<AddressRule> rules, String host, int port) {
|
private Options apply(Iterable<AddressRule> rules, String host, int port) {
|
||||||
return AddressRule.apply(rules, host, new InetSocketAddress(host, port));
|
return AddressRule.apply(rules, host, new InetSocketAddress(host, port));
|
||||||
}
|
}
|
||||||
|
|
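Review bot: allowsNonLocalDomains feeds IP literals through a parameter named `domain`, and both it and matchesPort only work offline because `new InetSocketAddress(host, port)` in apply performs no DNS lookup for a literal; a real hostname added to either @ValueSource would resolve on the test machine and make the result environment-dependent. A short comment on apply, e.g. `// Hosts must be IP literals: a hostname here would trigger a real DNS lookup.`, would make that constraint visible where the next value is added. The blocksLocalDomains method starts outside the hunk.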