plugin/forward: Document and warn for unsupported FROM CIDR notations (#4639)

* trap unsupported FROM cidr notations Signed-off-by: Chris O'Haver <cohaver@infoblox.com> * make is a warning Signed-off-by: Chris O'Haver <cohaver@infoblox.com>
2025-10-27 08:14:18 -04:00 · 2021-05-20 03:24:36 -04:00
parent 5d80a6e21e
commit 0348b019be
3 changed files with 9 additions and 2 deletions
--- a/plugin/forward/README.md
+++ b/plugin/forward/README.md
@@ -29,7 +29,8 @@ In its most basic form, a simple forwarder uses this syntax:
 forward FROM TO...
 ~~~

-* **FROM** is the base domain to match for the request to be forwarded.
+* **FROM** is the base domain to match for the request to be forwarded. Domains using CIDR notation
+  that expand to multiple reverse zones are not fully supported; only the first expanded zone is used.
 * **TO...** are the destination endpoints to forward to. The **TO** syntax allows you to specify
  a protocol, `tls://9.9.9.9` or `dns://` (or no protocol) for plain DNS. The number of upstreams is
  limited to 15.
--- a/plugin/forward/setup.go
+++ b/plugin/forward/setup.go
@@ -92,8 +92,13 @@ func parseStanza(c *caddy.Controller) (*Forward, error) {
 	if !c.Args(&f.from) {
 		return f, c.ArgErr()
 	}
+	origFrom := f.from
 	f.from = plugin.Host(f.from).Normalize()[0] // there can only be one here, won't work with non-octet reverse

+	if len(f.from) > 1 {
+		log.Warningf("Unsupported CIDR notation: '%s' expands to multiple zones. Using only '%s'.", origFrom, f.from)
+	}
+
 	to := c.RemainingArgs()
 	if len(to) == 0 {
 		return f, c.ArgErr()
--- a/plugin/forward/setup_test.go
+++ b/plugin/forward/setup_test.go
@@ -32,6 +32,7 @@ func TestSetup(t *testing.T) {
 		{"forward . [::1]:53", false, ".", nil, 2, options{hcRecursionDesired: true}, ""},
 		{"forward . [2003::1]:53", false, ".", nil, 2, options{hcRecursionDesired: true}, ""},
 		{"forward . 127.0.0.1 \n", false, ".", nil, 2, options{hcRecursionDesired: true}, ""},
+		{"forward 10.9.3.0/18 127.0.0.1", false, "0.9.10.in-addr.arpa.", nil, 2, options{hcRecursionDesired: true}, ""},
 		// negative
 		{"forward . a27.0.0.1", true, "", nil, 0, options{hcRecursionDesired: true}, "not an IP"},
 		{"forward . 127.0.0.1 {\nblaatl\n}\n", true, "", nil, 0, options{hcRecursionDesired: true}, "unknown property"},
@@ -50,7 +51,7 @@ func TestSetup(t *testing.T) {

 		if err != nil {
 			if !test.shouldErr {
-				t.Errorf("Test %d: expected no error but found one for input %s, got: %v", i, test.input, err)
+				t.Fatalf("Test %d: expected no error but found one for input %s, got: %v", i, test.input, err)
 			}

 			if !strings.Contains(err.Error(), test.expectedErr) {