2019-09-04 23:43:45 +08:00
|
|
|
package acl
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"testing"
|
|
|
|
|
|
2020-09-24 18:14:41 +02:00
|
|
|
"github.com/coredns/caddy"
|
2019-09-04 23:43:45 +08:00
|
|
|
"github.com/coredns/coredns/plugin/test"
|
|
|
|
|
|
|
|
|
|
"github.com/miekg/dns"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
type testResponseWriter struct {
|
|
|
|
|
test.ResponseWriter
|
|
|
|
|
Rcode int
|
2022-07-25 16:44:13 +02:00
|
|
|
Msg *dns.Msg
|
2019-09-04 23:43:45 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (t *testResponseWriter) setRemoteIP(ip string) {
|
|
|
|
|
t.RemoteIP = ip
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-20 10:22:30 +05:30
|
|
|
func (t *testResponseWriter) setZone(zone string) {
|
|
|
|
|
t.Zone = zone
|
|
|
|
|
}
|
|
|
|
|
|
2019-09-04 23:43:45 +08:00
|
|
|
// WriteMsg implement dns.ResponseWriter interface.
|
|
|
|
|
func (t *testResponseWriter) WriteMsg(m *dns.Msg) error {
|
|
|
|
|
t.Rcode = m.Rcode
|
2022-07-25 16:44:13 +02:00
|
|
|
t.Msg = m
|
2019-09-04 23:43:45 +08:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func NewTestControllerWithZones(input string, zones []string) *caddy.Controller {
|
|
|
|
|
ctr := caddy.NewTestController("dns", input)
|
2019-09-25 20:23:43 +08:00
|
|
|
ctr.ServerBlockKeys = append(ctr.ServerBlockKeys, zones...)
|
2019-09-04 23:43:45 +08:00
|
|
|
return ctr
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestACLServeDNS(t *testing.T) {
|
|
|
|
|
type args struct {
|
|
|
|
|
domain string
|
|
|
|
|
sourceIP string
|
|
|
|
|
qtype uint16
|
|
|
|
|
}
|
|
|
|
|
tests := []struct {
|
2022-07-25 16:44:13 +02:00
|
|
|
name string
|
|
|
|
|
config string
|
|
|
|
|
zones []string
|
|
|
|
|
args args
|
|
|
|
|
wantRcode int
|
|
|
|
|
wantErr bool
|
|
|
|
|
wantExtendedErrorCode uint16
|
2019-09-04 23:43:45 +08:00
|
|
|
}{
|
|
|
|
|
// IPv4 tests.
|
|
|
|
|
{
|
2022-07-25 16:44:13 +02:00
|
|
|
name: "Blacklist 1 BLOCKED",
|
|
|
|
|
config: `acl example.org {
|
2019-09-04 23:43:45 +08:00
|
|
|
block type A net 192.168.0.0/16
|
|
|
|
|
}`,
|
2022-07-25 16:44:13 +02:00
|
|
|
zones: []string{},
|
|
|
|
|
args: args{
|
|
|
|
|
domain: "www.example.org.",
|
|
|
|
|
sourceIP: "192.168.0.2",
|
|
|
|
|
qtype: dns.TypeA,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
2022-07-25 16:44:13 +02:00
|
|
|
wantRcode: dns.RcodeRefused,
|
|
|
|
|
wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
|
|
|
|
{
|
2022-07-25 16:44:13 +02:00
|
|
|
name: "Blacklist 1 ALLOWED",
|
|
|
|
|
config: `acl example.org {
|
2019-09-04 23:43:45 +08:00
|
|
|
block type A net 192.168.0.0/16
|
|
|
|
|
}`,
|
2022-07-25 16:44:13 +02:00
|
|
|
zones: []string{},
|
|
|
|
|
args: args{
|
|
|
|
|
domain: "www.example.org.",
|
|
|
|
|
sourceIP: "192.167.0.2",
|
|
|
|
|
qtype: dns.TypeA,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
2022-07-25 16:44:13 +02:00
|
|
|
wantRcode: dns.RcodeSuccess,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
|
|
|
|
{
|
2022-07-25 16:44:13 +02:00
|
|
|
name: "Blacklist 2 BLOCKED",
|
|
|
|
|
config: `
|
2019-09-04 23:43:45 +08:00
|
|
|
acl example.org {
|
|
|
|
|
block type * net 192.168.0.0/16
|
|
|
|
|
}`,
|
2022-07-25 16:44:13 +02:00
|
|
|
zones: []string{},
|
|
|
|
|
args: args{
|
|
|
|
|
domain: "www.example.org.",
|
|
|
|
|
sourceIP: "192.168.0.2",
|
|
|
|
|
qtype: dns.TypeAAAA,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
2022-07-25 16:44:13 +02:00
|
|
|
wantRcode: dns.RcodeRefused,
|
|
|
|
|
wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
|
|
|
|
{
|
2022-07-25 16:44:13 +02:00
|
|
|
name: "Blacklist 3 BLOCKED",
|
|
|
|
|
config: `acl example.org {
|
2019-09-04 23:43:45 +08:00
|
|
|
block type A
|
|
|
|
|
}`,
|
2022-07-25 16:44:13 +02:00
|
|
|
zones: []string{},
|
|
|
|
|
args: args{
|
|
|
|
|
domain: "www.example.org.",
|
|
|
|
|
sourceIP: "10.1.0.2",
|
|
|
|
|
qtype: dns.TypeA,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
2022-07-25 16:44:13 +02:00
|
|
|
wantRcode: dns.RcodeRefused,
|
|
|
|
|
wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
|
|
|
|
{
|
2022-07-25 16:44:13 +02:00
|
|
|
name: "Blacklist 3 ALLOWED",
|
|
|
|
|
config: `acl example.org {
|
2019-09-04 23:43:45 +08:00
|
|
|
block type A
|
|
|
|
|
}`,
|
2022-07-25 16:44:13 +02:00
|
|
|
zones: []string{},
|
|
|
|
|
args: args{
|
|
|
|
|
domain: "www.example.org.",
|
|
|
|
|
sourceIP: "10.1.0.2",
|
|
|
|
|
qtype: dns.TypeAAAA,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
2022-07-25 16:44:13 +02:00
|
|
|
wantRcode: dns.RcodeSuccess,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
|
|
|
|
{
|
2022-07-25 16:44:13 +02:00
|
|
|
name: "Blacklist 4 Single IP BLOCKED",
|
|
|
|
|
config: `acl example.org {
|
2019-09-04 23:43:45 +08:00
|
|
|
block type A net 192.168.1.2
|
|
|
|
|
}`,
|
2022-07-25 16:44:13 +02:00
|
|
|
zones: []string{},
|
|
|
|
|
args: args{
|
|
|
|
|
domain: "www.example.org.",
|
|
|
|
|
sourceIP: "192.168.1.2",
|
|
|
|
|
qtype: dns.TypeA,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
2022-07-25 16:44:13 +02:00
|
|
|
wantRcode: dns.RcodeRefused,
|
|
|
|
|
wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
|
|
|
|
{
|
2022-07-25 16:44:13 +02:00
|
|
|
name: "Blacklist 4 Single IP ALLOWED",
|
|
|
|
|
config: `acl example.org {
|
2019-09-04 23:43:45 +08:00
|
|
|
block type A net 192.168.1.2
|
|
|
|
|
}`,
|
2022-07-25 16:44:13 +02:00
|
|
|
zones: []string{},
|
|
|
|
|
args: args{
|
|
|
|
|
domain: "www.example.org.",
|
|
|
|
|
sourceIP: "192.168.1.3",
|
|
|
|
|
qtype: dns.TypeA,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
2022-07-25 16:44:13 +02:00
|
|
|
wantRcode: dns.RcodeSuccess,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
2021-02-01 09:52:23 -05:00
|
|
|
{
|
2022-07-25 16:44:13 +02:00
|
|
|
name: "Filter 1 FILTERED",
|
|
|
|
|
config: `acl example.org {
|
2021-02-01 09:52:23 -05:00
|
|
|
filter type A net 192.168.0.0/16
|
|
|
|
|
}`,
|
2022-07-25 16:44:13 +02:00
|
|
|
zones: []string{},
|
|
|
|
|
args: args{
|
|
|
|
|
domain: "www.example.org.",
|
|
|
|
|
sourceIP: "192.168.0.2",
|
|
|
|
|
qtype: dns.TypeA,
|
2021-02-01 09:52:23 -05:00
|
|
|
},
|
2022-07-25 16:44:13 +02:00
|
|
|
wantRcode: dns.RcodeSuccess,
|
|
|
|
|
wantExtendedErrorCode: dns.ExtendedErrorCodeFiltered,
|
2021-02-01 09:52:23 -05:00
|
|
|
},
|
|
|
|
|
{
|
2022-07-25 16:44:13 +02:00
|
|
|
name: "Filter 1 ALLOWED",
|
|
|
|
|
config: `acl example.org {
|
2021-02-01 09:52:23 -05:00
|
|
|
filter type A net 192.168.0.0/16
|
|
|
|
|
}`,
|
2022-07-25 16:44:13 +02:00
|
|
|
zones: []string{},
|
|
|
|
|
args: args{
|
|
|
|
|
domain: "www.example.org.",
|
|
|
|
|
sourceIP: "192.167.0.2",
|
|
|
|
|
qtype: dns.TypeA,
|
2021-02-01 09:52:23 -05:00
|
|
|
},
|
2022-07-25 16:44:13 +02:00
|
|
|
wantRcode: dns.RcodeSuccess,
|
2021-02-01 09:52:23 -05:00
|
|
|
},
|
2019-09-04 23:43:45 +08:00
|
|
|
{
|
2022-07-25 16:44:13 +02:00
|
|
|
name: "Whitelist 1 ALLOWED",
|
|
|
|
|
config: `acl example.org {
|
2019-09-04 23:43:45 +08:00
|
|
|
allow net 192.168.0.0/16
|
|
|
|
|
block
|
|
|
|
|
}`,
|
2022-07-25 16:44:13 +02:00
|
|
|
zones: []string{},
|
|
|
|
|
args: args{
|
|
|
|
|
domain: "www.example.org.",
|
|
|
|
|
sourceIP: "192.168.0.2",
|
|
|
|
|
qtype: dns.TypeA,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
2022-07-25 16:44:13 +02:00
|
|
|
wantRcode: dns.RcodeSuccess,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
|
|
|
|
{
|
2022-07-25 16:44:13 +02:00
|
|
|
name: "Whitelist 1 REFUSED",
|
|
|
|
|
config: `acl example.org {
|
2019-09-04 23:43:45 +08:00
|
|
|
allow type * net 192.168.0.0/16
|
|
|
|
|
block
|
|
|
|
|
}`,
|
2022-07-25 16:44:13 +02:00
|
|
|
zones: []string{},
|
|
|
|
|
args: args{
|
|
|
|
|
domain: "www.example.org.",
|
|
|
|
|
sourceIP: "10.1.0.2",
|
|
|
|
|
qtype: dns.TypeA,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
2022-07-25 16:44:13 +02:00
|
|
|
wantRcode: dns.RcodeRefused,
|
|
|
|
|
wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
|
|
|
|
{
|
2022-07-25 16:44:13 +02:00
|
|
|
name: "Fine-Grained 1 REFUSED",
|
|
|
|
|
config: `acl a.example.org {
|
2019-09-04 23:43:45 +08:00
|
|
|
block type * net 192.168.1.0/24
|
|
|
|
|
}`,
|
2022-07-25 16:44:13 +02:00
|
|
|
zones: []string{"example.org"},
|
|
|
|
|
args: args{
|
|
|
|
|
domain: "a.example.org.",
|
|
|
|
|
sourceIP: "192.168.1.2",
|
|
|
|
|
qtype: dns.TypeA,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
2022-07-25 16:44:13 +02:00
|
|
|
wantRcode: dns.RcodeRefused,
|
|
|
|
|
wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
|
|
|
|
{
|
2022-07-25 16:44:13 +02:00
|
|
|
name: "Fine-Grained 1 ALLOWED",
|
|
|
|
|
config: `acl a.example.org {
|
2019-09-04 23:43:45 +08:00
|
|
|
block net 192.168.1.0/24
|
|
|
|
|
}`,
|
2022-07-25 16:44:13 +02:00
|
|
|
zones: []string{"example.org"},
|
|
|
|
|
args: args{
|
|
|
|
|
domain: "www.example.org.",
|
|
|
|
|
sourceIP: "192.168.1.2",
|
|
|
|
|
qtype: dns.TypeA,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
2022-07-25 16:44:13 +02:00
|
|
|
wantRcode: dns.RcodeSuccess,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
|
|
|
|
{
|
2022-07-25 16:44:13 +02:00
|
|
|
name: "Fine-Grained 2 REFUSED",
|
|
|
|
|
config: `acl example.org {
|
2019-09-04 23:43:45 +08:00
|
|
|
block net 192.168.1.0/24
|
|
|
|
|
}`,
|
2022-07-25 16:44:13 +02:00
|
|
|
zones: []string{"example.org"},
|
|
|
|
|
args: args{
|
|
|
|
|
domain: "a.example.org.",
|
|
|
|
|
sourceIP: "192.168.1.2",
|
|
|
|
|
qtype: dns.TypeA,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
2022-07-25 16:44:13 +02:00
|
|
|
wantRcode: dns.RcodeRefused,
|
|
|
|
|
wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
|
|
|
|
{
|
2022-07-25 16:44:13 +02:00
|
|
|
name: "Fine-Grained 2 ALLOWED",
|
|
|
|
|
config: `acl {
|
2019-09-04 23:43:45 +08:00
|
|
|
block net 192.168.1.0/24
|
|
|
|
|
}`,
|
2022-07-25 16:44:13 +02:00
|
|
|
zones: []string{"example.org"},
|
|
|
|
|
args: args{
|
|
|
|
|
domain: "a.example.com.",
|
|
|
|
|
sourceIP: "192.168.1.2",
|
|
|
|
|
qtype: dns.TypeA,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
2022-07-25 16:44:13 +02:00
|
|
|
wantRcode: dns.RcodeSuccess,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
|
|
|
|
{
|
2022-07-25 16:44:13 +02:00
|
|
|
name: "Fine-Grained 3 REFUSED",
|
|
|
|
|
config: `acl a.example.org {
|
2019-09-04 23:43:45 +08:00
|
|
|
block net 192.168.1.0/24
|
|
|
|
|
}
|
|
|
|
|
acl b.example.org {
|
|
|
|
|
block type * net 192.168.2.0/24
|
|
|
|
|
}`,
|
2022-07-25 16:44:13 +02:00
|
|
|
zones: []string{"example.org"},
|
|
|
|
|
args: args{
|
|
|
|
|
domain: "b.example.org.",
|
|
|
|
|
sourceIP: "192.168.2.2",
|
|
|
|
|
qtype: dns.TypeA,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
2022-07-25 16:44:13 +02:00
|
|
|
wantRcode: dns.RcodeRefused,
|
|
|
|
|
wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
|
|
|
|
{
|
2022-07-25 16:44:13 +02:00
|
|
|
name: "Fine-Grained 3 ALLOWED",
|
|
|
|
|
config: `acl a.example.org {
|
2019-09-04 23:43:45 +08:00
|
|
|
block net 192.168.1.0/24
|
|
|
|
|
}
|
|
|
|
|
acl b.example.org {
|
|
|
|
|
block net 192.168.2.0/24
|
|
|
|
|
}`,
|
2022-07-25 16:44:13 +02:00
|
|
|
zones: []string{"example.org"},
|
|
|
|
|
args: args{
|
|
|
|
|
domain: "b.example.org.",
|
|
|
|
|
sourceIP: "192.168.1.2",
|
|
|
|
|
qtype: dns.TypeA,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
2022-07-25 16:44:13 +02:00
|
|
|
wantRcode: dns.RcodeSuccess,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
|
|
|
|
// IPv6 tests.
|
|
|
|
|
{
|
2022-07-25 16:44:13 +02:00
|
|
|
name: "Blacklist 1 BLOCKED IPv6",
|
|
|
|
|
config: `acl example.org {
|
2019-09-04 23:43:45 +08:00
|
|
|
block type A net 2001:db8:abcd:0012::0/64
|
|
|
|
|
}`,
|
2022-07-25 16:44:13 +02:00
|
|
|
zones: []string{},
|
|
|
|
|
args: args{
|
|
|
|
|
domain: "www.example.org.",
|
|
|
|
|
sourceIP: "2001:db8:abcd:0012::1230",
|
|
|
|
|
qtype: dns.TypeA,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
2022-07-25 16:44:13 +02:00
|
|
|
wantRcode: dns.RcodeRefused,
|
|
|
|
|
wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
|
|
|
|
{
|
2022-07-25 16:44:13 +02:00
|
|
|
name: "Blacklist 1 ALLOWED IPv6",
|
|
|
|
|
config: `acl example.org {
|
2019-09-04 23:43:45 +08:00
|
|
|
block type A net 2001:db8:abcd:0012::0/64
|
|
|
|
|
}`,
|
2022-07-25 16:44:13 +02:00
|
|
|
zones: []string{},
|
|
|
|
|
args: args{
|
|
|
|
|
domain: "www.example.org.",
|
|
|
|
|
sourceIP: "2001:db8:abcd:0013::0",
|
|
|
|
|
qtype: dns.TypeA,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
2022-07-25 16:44:13 +02:00
|
|
|
wantRcode: dns.RcodeSuccess,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
|
|
|
|
{
|
2022-07-25 16:44:13 +02:00
|
|
|
name: "Blacklist 2 BLOCKED IPv6",
|
|
|
|
|
config: `acl example.org {
|
2019-09-04 23:43:45 +08:00
|
|
|
block type A
|
|
|
|
|
}`,
|
2022-07-25 16:44:13 +02:00
|
|
|
zones: []string{},
|
|
|
|
|
args: args{
|
|
|
|
|
domain: "www.example.org.",
|
|
|
|
|
sourceIP: "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
|
|
|
|
|
qtype: dns.TypeA,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
2022-07-25 16:44:13 +02:00
|
|
|
wantRcode: dns.RcodeRefused,
|
|
|
|
|
wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
|
|
|
|
{
|
2022-07-25 16:44:13 +02:00
|
|
|
name: "Blacklist 3 Single IP BLOCKED IPv6",
|
|
|
|
|
config: `acl example.org {
|
2019-09-04 23:43:45 +08:00
|
|
|
block type A net 2001:0db8:85a3:0000:0000:8a2e:0370:7334
|
|
|
|
|
}`,
|
2022-07-25 16:44:13 +02:00
|
|
|
zones: []string{},
|
|
|
|
|
args: args{
|
|
|
|
|
domain: "www.example.org.",
|
|
|
|
|
sourceIP: "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
|
|
|
|
|
qtype: dns.TypeA,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
2022-07-25 16:44:13 +02:00
|
|
|
wantRcode: dns.RcodeRefused,
|
|
|
|
|
wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
|
|
|
|
{
|
2022-07-25 16:44:13 +02:00
|
|
|
name: "Blacklist 3 Single IP ALLOWED IPv6",
|
|
|
|
|
config: `acl example.org {
|
2019-09-04 23:43:45 +08:00
|
|
|
block type A net 2001:0db8:85a3:0000:0000:8a2e:0370:7334
|
|
|
|
|
}`,
|
2022-07-25 16:44:13 +02:00
|
|
|
zones: []string{},
|
|
|
|
|
args: args{
|
|
|
|
|
domain: "www.example.org.",
|
|
|
|
|
sourceIP: "2001:0db8:85a3:0000:0000:8a2e:0370:7335",
|
|
|
|
|
qtype: dns.TypeA,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
2022-07-25 16:44:13 +02:00
|
|
|
wantRcode: dns.RcodeSuccess,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
|
|
|
|
{
|
2022-07-25 16:44:13 +02:00
|
|
|
name: "Fine-Grained 1 REFUSED IPv6",
|
|
|
|
|
config: `acl a.example.org {
|
2019-09-04 23:43:45 +08:00
|
|
|
block type * net 2001:db8:abcd:0012::0/64
|
|
|
|
|
}`,
|
2022-07-25 16:44:13 +02:00
|
|
|
zones: []string{"example.org"},
|
|
|
|
|
args: args{
|
|
|
|
|
domain: "a.example.org.",
|
|
|
|
|
sourceIP: "2001:db8:abcd:0012:2019::0",
|
|
|
|
|
qtype: dns.TypeA,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
2022-07-25 16:44:13 +02:00
|
|
|
wantRcode: dns.RcodeRefused,
|
|
|
|
|
wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
|
|
|
|
{
|
2022-07-25 16:44:13 +02:00
|
|
|
name: "Fine-Grained 1 ALLOWED IPv6",
|
|
|
|
|
config: `acl a.example.org {
|
2019-09-04 23:43:45 +08:00
|
|
|
block net 2001:db8:abcd:0012::0/64
|
|
|
|
|
}`,
|
2022-07-25 16:44:13 +02:00
|
|
|
zones: []string{"example.org"},
|
|
|
|
|
args: args{
|
|
|
|
|
domain: "www.example.org.",
|
|
|
|
|
sourceIP: "2001:db8:abcd:0012:2019::0",
|
|
|
|
|
qtype: dns.TypeA,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
2022-07-25 16:44:13 +02:00
|
|
|
wantRcode: dns.RcodeSuccess,
|
2019-09-04 23:43:45 +08:00
|
|
|
},
|
2022-05-20 10:22:30 +05:30
|
|
|
{
|
2022-07-25 16:44:13 +02:00
|
|
|
name: "Blacklist Address%ifname",
|
|
|
|
|
config: `acl example.org {
|
2022-05-20 10:22:30 +05:30
|
|
|
block type AAAA net 2001:0db8:85a3:0000:0000:8a2e:0370:7334
|
|
|
|
|
}`,
|
2022-07-25 16:44:13 +02:00
|
|
|
zones: []string{"eth0"},
|
|
|
|
|
args: args{
|
|
|
|
|
domain: "www.example.org.",
|
|
|
|
|
sourceIP: "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
|
|
|
|
|
qtype: dns.TypeAAAA,
|
2022-05-20 10:22:30 +05:30
|
|
|
},
|
2022-07-25 16:44:13 +02:00
|
|
|
wantRcode: dns.RcodeRefused,
|
|
|
|
|
wantExtendedErrorCode: dns.ExtendedErrorCodeBlocked,
|
2022-05-20 10:22:30 +05:30
|
|
|
},
|
2019-09-04 23:43:45 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ctx := context.Background()
|
|
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
|
ctr := NewTestControllerWithZones(tt.config, tt.zones)
|
|
|
|
|
a, err := parse(ctr)
|
|
|
|
|
a.Next = test.NextHandler(dns.RcodeSuccess, nil)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Errorf("Error: Cannot parse acl from config: %v", err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
w := &testResponseWriter{}
|
|
|
|
|
m := new(dns.Msg)
|
|
|
|
|
w.setRemoteIP(tt.args.sourceIP)
|
2022-05-20 10:22:30 +05:30
|
|
|
if len(tt.zones) > 0 {
|
|
|
|
|
w.setZone(tt.zones[0])
|
|
|
|
|
}
|
2019-09-04 23:43:45 +08:00
|
|
|
m.SetQuestion(tt.args.domain, tt.args.qtype)
|
|
|
|
|
_, err = a.ServeDNS(ctx, w, m)
|
|
|
|
|
if (err != nil) != tt.wantErr {
|
|
|
|
|
t.Errorf("Error: acl.ServeDNS() error = %v, wantErr %v", err, tt.wantErr)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if w.Rcode != tt.wantRcode {
|
|
|
|
|
t.Errorf("Error: acl.ServeDNS() Rcode = %v, want %v", w.Rcode, tt.wantRcode)
|
|
|
|
|
}
|
2022-07-25 16:44:13 +02:00
|
|
|
if tt.wantExtendedErrorCode != 0 {
|
|
|
|
|
matched := false
|
|
|
|
|
for _, opt := range w.Msg.IsEdns0().Option {
|
|
|
|
|
if ede, ok := opt.(*dns.EDNS0_EDE); ok {
|
|
|
|
|
if ede.InfoCode != tt.wantExtendedErrorCode {
|
|
|
|
|
t.Errorf("Error: acl.ServeDNS() Extended DNS Error = %v, want %v", ede.InfoCode, tt.wantExtendedErrorCode)
|
|
|
|
|
}
|
|
|
|
|
matched = true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if !matched {
|
|
|
|
|
t.Error("Error: acl.ServeDNS() missing Extended DNS Error option")
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-09-04 23:43:45 +08:00
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
