Add support for ipv6 subnet in ipStrategy
This commit is contained in:
Michal Kralik
GitHub
parent
a398536688
commit
312ebb17ab
17 changed files with 544 additions and 12 deletions
57
pkg/config/dynamic/middleware_test.go
Normal file
57
pkg/config/dynamic/middleware_test.go
Normal file
|
|
@ -0,0 +1,57 @@
|
|||
package dynamic
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
func Test_GetStrategy_ipv6Subnet(t *testing.T) {
|
||||
testCases := []struct {
|
||||
desc string
|
||||
expectError bool
|
||||
ipv6Subnet *int
|
||||
}{
|
||||
{
|
||||
desc: "Nil subnet",
|
||||
},
|
||||
{
|
||||
desc: "Zero subnet",
|
||||
expectError: true,
|
||||
ipv6Subnet: intPtr(0),
|
||||
},
|
||||
{
|
||||
desc: "Subnet greater that 128",
|
||||
expectError: true,
|
||||
ipv6Subnet: intPtr(129),
|
||||
},
|
||||
{
|
||||
desc: "Valid subnet",
|
||||
ipv6Subnet: intPtr(128),
|
||||
},
|
||||
}
|
||||
|
||||
for _, test := range testCases {
|
||||
t.Run(test.desc, func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
strategy := IPStrategy{
|
||||
IPv6Subnet: test.ipv6Subnet,
|
||||
}
|
||||
|
||||
get, err := strategy.Get()
|
||||
if test.expectError {
|
||||
require.Error(t, err)
|
||||
assert.Nil(t, get)
|
||||
} else {
|
||||
require.NoError(t, err)
|
||||
assert.NotNil(t, get)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func intPtr(value int) *int {
|
||||
return &value
|
||||
}
|
||||
|
|
@ -1,6 +1,7 @@
|
|||
package dynamic
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
|
|
@ -405,6 +406,8 @@ type IPStrategy struct {
|
|||
Depth int `json:"depth,omitempty" toml:"depth,omitempty" yaml:"depth,omitempty" export:"true"`
|
||||
// ExcludedIPs configures Traefik to scan the X-Forwarded-For header and select the first IP not in the list.
|
||||
ExcludedIPs []string `json:"excludedIPs,omitempty" toml:"excludedIPs,omitempty" yaml:"excludedIPs,omitempty"`
|
||||
// IPv6Subnet configures Traefik to consider all IPv6 addresses from the defined subnet as originating from the same IP. Applies to RemoteAddrStrategy and DepthStrategy.
|
||||
IPv6Subnet *int `json:"ipv6Subnet,omitempty" toml:"ipv6Subnet,omitempty" yaml:"ipv6Subnet,omitempty"`
|
||||
// TODO(mpl): I think we should make RemoteAddr an explicit field. For one thing, it would yield better documentation.
|
||||
}
|
||||
|
||||
|
|
@ -418,8 +421,13 @@ func (s *IPStrategy) Get() (ip.Strategy, error) {
|
|||
}
|
||||
|
||||
if s.Depth > 0 {
|
||||
if s.IPv6Subnet != nil && (*s.IPv6Subnet <= 0 || *s.IPv6Subnet > 128) {
|
||||
return nil, fmt.Errorf("invalid IPv6 subnet %d value, should be greater to 0 and lower or equal to 128", *s.IPv6Subnet)
|
||||
}
|
||||
|
||||
return &ip.DepthStrategy{
|
||||
Depth: s.Depth,
|
||||
Depth: s.Depth,
|
||||
IPv6Subnet: s.IPv6Subnet,
|
||||
}, nil
|
||||
}
|
||||
|
||||
|
|
@ -433,7 +441,13 @@ func (s *IPStrategy) Get() (ip.Strategy, error) {
|
|||
}, nil
|
||||
}
|
||||
|
||||
return &ip.RemoteAddrStrategy{}, nil
|
||||
if s.IPv6Subnet != nil && (*s.IPv6Subnet <= 0 || *s.IPv6Subnet > 128) {
|
||||
return nil, fmt.Errorf("invalid IPv6 subnet %d value, should be greater to 0 and lower or equal to 128", *s.IPv6Subnet)
|
||||
}
|
||||
|
||||
return &ip.RemoteAddrStrategy{
|
||||
IPv6Subnet: s.IPv6Subnet,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
|
|
|||
|
|
@ -704,6 +704,11 @@ func (in *IPStrategy) DeepCopyInto(out *IPStrategy) {
|
|||
*out = make([]string, len(*in))
|
||||
copy(*out, *in)
|
||||
}
|
||||
if in.IPv6Subnet != nil {
|
||||
in, out := &in.IPv6Subnet, &out.IPv6Subnet
|
||||
*out = new(int)
|
||||
**out = **in
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -90,10 +90,12 @@ func TestDecodeConfiguration(t *testing.T) {
|
|||
"traefik.http.middlewares.Middleware8.headers.stsseconds": "42",
|
||||
"traefik.http.middlewares.Middleware9.ipallowlist.ipstrategy.depth": "42",
|
||||
"traefik.http.middlewares.Middleware9.ipallowlist.ipstrategy.excludedips": "foobar, fiibar",
|
||||
"traefik.http.middlewares.Middleware9.ipallowlist.ipstrategy.ipv6subnet": "42",
|
||||
"traefik.http.middlewares.Middleware9.ipallowlist.sourcerange": "foobar, fiibar",
|
||||
"traefik.http.middlewares.Middleware10.inflightreq.amount": "42",
|
||||
"traefik.http.middlewares.Middleware10.inflightreq.sourcecriterion.ipstrategy.depth": "42",
|
||||
"traefik.http.middlewares.Middleware10.inflightreq.sourcecriterion.ipstrategy.excludedips": "foobar, fiibar",
|
||||
"traefik.http.middlewares.Middleware10.inflightreq.sourcecriterion.ipstrategy.ipv6subnet": "42",
|
||||
"traefik.http.middlewares.Middleware10.inflightreq.sourcecriterion.requestheadername": "foobar",
|
||||
"traefik.http.middlewares.Middleware10.inflightreq.sourcecriterion.requesthost": "true",
|
||||
"traefik.http.middlewares.Middleware11.passtlsclientcert.info.notafter": "true",
|
||||
|
|
@ -123,6 +125,7 @@ func TestDecodeConfiguration(t *testing.T) {
|
|||
"traefik.http.middlewares.Middleware12.ratelimit.sourcecriterion.requesthost": "true",
|
||||
"traefik.http.middlewares.Middleware12.ratelimit.sourcecriterion.ipstrategy.depth": "42",
|
||||
"traefik.http.middlewares.Middleware12.ratelimit.sourcecriterion.ipstrategy.excludedips": "foobar, foobar",
|
||||
"traefik.http.middlewares.Middleware12.ratelimit.sourcecriterion.ipstrategy.ipv6subnet": "42",
|
||||
"traefik.http.middlewares.Middleware13.redirectregex.permanent": "true",
|
||||
"traefik.http.middlewares.Middleware13.redirectregex.regex": "foobar",
|
||||
"traefik.http.middlewares.Middleware13.redirectregex.replacement": "foobar",
|
||||
|
|
@ -392,6 +395,7 @@ func TestDecodeConfiguration(t *testing.T) {
|
|||
IPStrategy: &dynamic.IPStrategy{
|
||||
Depth: 42,
|
||||
ExcludedIPs: []string{"foobar", "fiibar"},
|
||||
IPv6Subnet: intPtr(42),
|
||||
},
|
||||
RequestHeaderName: "foobar",
|
||||
RequestHost: true,
|
||||
|
|
@ -437,6 +441,7 @@ func TestDecodeConfiguration(t *testing.T) {
|
|||
IPStrategy: &dynamic.IPStrategy{
|
||||
Depth: 42,
|
||||
ExcludedIPs: []string{"foobar", "foobar"},
|
||||
IPv6Subnet: intPtr(42),
|
||||
},
|
||||
RequestHeaderName: "foobar",
|
||||
RequestHost: true,
|
||||
|
|
@ -648,6 +653,7 @@ func TestDecodeConfiguration(t *testing.T) {
|
|||
"foobar",
|
||||
"fiibar",
|
||||
},
|
||||
IPv6Subnet: intPtr(42),
|
||||
},
|
||||
},
|
||||
},
|
||||
|
|
@ -913,6 +919,7 @@ func TestEncodeConfiguration(t *testing.T) {
|
|||
IPStrategy: &dynamic.IPStrategy{
|
||||
Depth: 42,
|
||||
ExcludedIPs: []string{"foobar", "fiibar"},
|
||||
IPv6Subnet: intPtr(42),
|
||||
},
|
||||
RequestHeaderName: "foobar",
|
||||
RequestHost: true,
|
||||
|
|
@ -957,6 +964,7 @@ func TestEncodeConfiguration(t *testing.T) {
|
|||
IPStrategy: &dynamic.IPStrategy{
|
||||
Depth: 42,
|
||||
ExcludedIPs: []string{"foobar", "foobar"},
|
||||
IPv6Subnet: intPtr(42),
|
||||
},
|
||||
RequestHeaderName: "foobar",
|
||||
RequestHost: true,
|
||||
|
|
@ -1176,6 +1184,7 @@ func TestEncodeConfiguration(t *testing.T) {
|
|||
"foobar",
|
||||
"fiibar",
|
||||
},
|
||||
IPv6Subnet: intPtr(42),
|
||||
},
|
||||
},
|
||||
},
|
||||
|
|
@ -1338,11 +1347,13 @@ func TestEncodeConfiguration(t *testing.T) {
|
|||
"traefik.HTTP.Middlewares.Middleware8.Headers.STSSeconds": "42",
|
||||
"traefik.HTTP.Middlewares.Middleware9.IPAllowList.IPStrategy.Depth": "42",
|
||||
"traefik.HTTP.Middlewares.Middleware9.IPAllowList.IPStrategy.ExcludedIPs": "foobar, fiibar",
|
||||
"traefik.HTTP.Middlewares.Middleware9.IPAllowList.IPStrategy.IPv6Subnet": "42",
|
||||
"traefik.HTTP.Middlewares.Middleware9.IPAllowList.RejectStatusCode": "0",
|
||||
"traefik.HTTP.Middlewares.Middleware9.IPAllowList.SourceRange": "foobar, fiibar",
|
||||
"traefik.HTTP.Middlewares.Middleware10.InFlightReq.Amount": "42",
|
||||
"traefik.HTTP.Middlewares.Middleware10.InFlightReq.SourceCriterion.IPStrategy.Depth": "42",
|
||||
"traefik.HTTP.Middlewares.Middleware10.InFlightReq.SourceCriterion.IPStrategy.ExcludedIPs": "foobar, fiibar",
|
||||
"traefik.HTTP.Middlewares.Middleware10.InFlightReq.SourceCriterion.IPStrategy.IPv6Subnet": "42",
|
||||
"traefik.HTTP.Middlewares.Middleware10.InFlightReq.SourceCriterion.RequestHeaderName": "foobar",
|
||||
"traefik.HTTP.Middlewares.Middleware10.InFlightReq.SourceCriterion.RequestHost": "true",
|
||||
"traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.NotAfter": "true",
|
||||
|
|
@ -1372,6 +1383,7 @@ func TestEncodeConfiguration(t *testing.T) {
|
|||
"traefik.HTTP.Middlewares.Middleware12.RateLimit.SourceCriterion.RequestHost": "true",
|
||||
"traefik.HTTP.Middlewares.Middleware12.RateLimit.SourceCriterion.IPStrategy.Depth": "42",
|
||||
"traefik.HTTP.Middlewares.Middleware12.RateLimit.SourceCriterion.IPStrategy.ExcludedIPs": "foobar, foobar",
|
||||
"traefik.HTTP.Middlewares.Middleware12.RateLimit.SourceCriterion.IPStrategy.IPv6Subnet": "42",
|
||||
"traefik.HTTP.Middlewares.Middleware13.RedirectRegex.Regex": "foobar",
|
||||
"traefik.HTTP.Middlewares.Middleware13.RedirectRegex.Replacement": "foobar",
|
||||
"traefik.HTTP.Middlewares.Middleware13.RedirectRegex.Permanent": "true",
|
||||
|
|
@ -1486,3 +1498,7 @@ func TestEncodeConfiguration(t *testing.T) {
|
|||
}
|
||||
assert.Equal(t, expected, labels)
|
||||
}
|
||||
|
||||
func intPtr(value int) *int {
|
||||
return &value
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue