Pull request: AG-28961-upd-golibs

Squashed commit of the following:

commit 75ef975
Merge: 6e9453f f1ceef0
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Tue Jan 16 10:02:11 2024 +0200

    Merge remote-tracking branch 'origin/master' into AG-28961-upd-golibs

commit 6e9453f
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Mon Jan 15 12:35:10 2024 +0200

    all: upd golibs

commit 42fbf39
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Mon Jan 15 11:24:46 2024 +0200

    proxy: imp code

commit 1b3dde7
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Mon Jan 15 11:02:20 2024 +0200

    proxy: imp code

commit 129935d
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Wed Jan 10 14:49:36 2024 +0200

    proxy: imp code

commit 9205a0c
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Wed Jan 10 14:46:27 2024 +0200

    proxy: conf

commit 7d82000
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Wed Jan 10 13:56:55 2024 +0200

    proxy: slices

commit 4e50cd1
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Wed Jan 10 13:53:06 2024 +0200

    proxy: addr

commit 46ee8f7
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Wed Jan 10 13:42:57 2024 +0200

    proxy: conf

go.mod

@@ -3,7 +3,7 @@ module github.com/AdguardTeam/dnsproxy
 go 1.20
 
 require (
-	github.com/AdguardTeam/golibs v0.18.1
+	github.com/AdguardTeam/golibs v0.19.0
 	github.com/ameshkov/dnscrypt/v2 v2.2.7
 	github.com/ameshkov/dnsstamps v1.0.3
 	github.com/beefsack/go-rate v0.0.0-20220214233405-116f4ca011a0
@@ -13,9 +13,9 @@ require (
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/quic-go/quic-go v0.39.1
 	github.com/stretchr/testify v1.8.4
-	golang.org/x/exp v0.0.0-20230905200255-921286631fa9
-	golang.org/x/net v0.17.0
-	golang.org/x/sys v0.13.0
+	golang.org/x/exp v0.0.0-20231219180239-dc181d75b848
+	golang.org/x/net v0.19.0
+	golang.org/x/sys v0.15.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
@@ -32,10 +32,10 @@ require (
 	github.com/quic-go/qpack v0.4.0 // indirect
 	github.com/quic-go/qtls-go1-20 v0.3.4 // indirect
 	go.uber.org/mock v0.3.0 // indirect
-	golang.org/x/crypto v0.14.0 // indirect
-	golang.org/x/mod v0.12.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
-	golang.org/x/tools v0.13.0 // indirect
+	golang.org/x/crypto v0.16.0 // indirect
+	golang.org/x/mod v0.14.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/tools v0.16.0 // indirect
 	gonum.org/v1/gonum v0.14.0
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 )

go.sum

@@ -1,5 +1,5 @@
-github.com/AdguardTeam/golibs v0.18.1 h1:6u0fvrIj2qjUsRdbIGJ9AR0g5QRSWdKIo/DYl3tp5aM=
-github.com/AdguardTeam/golibs v0.18.1/go.mod h1:DKhCIXHcUYtBhU8ibTLKh1paUL96n5zhQBlx763sj+U=
+github.com/AdguardTeam/golibs v0.19.0 h1:y/x+Xn3pDg1ZfQ+QEZapPJqaeVYUIMp/EODMtVhn7PM=
+github.com/AdguardTeam/golibs v0.19.0/go.mod h1:3WunclLLfrVAq7fYQRhd6f168FHOEMssnipVXCxDL/w=
 github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da h1:KjTM2ks9d14ZYCvmHS9iAKVt9AyzRSqNU1qabPih5BY=
 github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da/go.mod h1:eHEWzANqSiWQsof+nXEI9bUVUyV6F53Fp89EuCh2EAA=
 github.com/aead/poly1305 v0.0.0-20180717145839-3fee0db0b635 h1:52m0LGchQBBVqJRyYYufQuIbVqRawmubW3OFGqK1ekw=
@@ -52,22 +52,22 @@ github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcU
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 go.uber.org/mock v0.3.0 h1:3mUxI1No2/60yUYax92Pt8eNOEecx2D3lcXZh2NEZJo=
 go.uber.org/mock v0.3.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc=
-golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
-golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
-golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g=
-golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k=
-golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
-golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
-golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
-golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
+golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
+golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/exp v0.0.0-20231219180239-dc181d75b848 h1:+iq7lrkxmFNBM7xx+Rae2W6uyPfhPeDWD+n+JgppptE=
+golang.org/x/exp v0.0.0-20231219180239-dc181d75b848/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
+golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
+golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
+golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
 golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
-golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
-golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/tools v0.16.0 h1:GO788SKMRunPIBCXiQyo2AaexLstOrVhuAL5YwsckQM=
+golang.org/x/tools v0.16.0/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
 gonum.org/v1/gonum v0.14.0 h1:2NiG67LD1tEH0D7kM+ps2V+fXmsAnpUeec7n8tcr4S0=
 gonum.org/v1/gonum v0.14.0/go.mod h1:AoWeoz0becf9QMWtE8iWXNXc27fK4fNeHNf/oMejGfU=
 google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw=

main.go

@@ -21,6 +21,7 @@ import (
 	"github.com/AdguardTeam/dnsproxy/upstream"
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/mathutil"
+	"github.com/AdguardTeam/golibs/netutil"
 	"github.com/AdguardTeam/golibs/osutil"
 	"github.com/AdguardTeam/golibs/timeutil"
 	"github.com/ameshkov/dnscrypt/v2"
@@ -345,10 +346,13 @@ func createProxyConfig(options *Options) (conf proxy.Config) {
 		CacheOptimistic: options.CacheOptimistic,
 		RefuseAny:       options.RefuseAny,
 		HTTP3:           options.HTTP3,
-		// TODO(e.burkov):  The following CIDRs are aimed to match any
-		// address.  This is not quite proper approach to be used by
-		// default so think about configuring it.
-		TrustedProxies:         []string{"0.0.0.0/0", "::0/0"},
+		// TODO(e.burkov):  The following CIDRs are aimed to match any address.
+		// This is not quite proper approach to be used by default so think
+		// about configuring it.
+		TrustedProxies: netutil.SliceSubnetSet{
+			netip.MustParsePrefix("0.0.0.0/0"),
+			netip.MustParsePrefix("::0/0"),
+		},
 		EnableEDNSClientSubnet: options.EnableEDNSSubnet,
 		UDPBufferSize:          options.UDPBufferSize,
 		HTTPSServerName:        options.HTTPSServerName,

proxy/config.go

@@ -86,11 +86,10 @@ type Config struct {
 	// RefuseAny makes proxy refuse the requests of type ANY.
 	RefuseAny bool
 
-	// TrustedProxies is the list of IP addresses and CIDR networks to
-	// detect proxy servers addresses the DoH requests from which should be
-	// handled.  The value of nil or an empty slice for this field makes
-	// Proxy not trust any address.
-	TrustedProxies []string
+	// TrustedProxies is the trusted list of CIDR networks to detect proxy
+	// servers addresses from where the DoH requests should be handled.  The
+	// value of nil makes Proxy not trust any address.
+	TrustedProxies netutil.SubnetSet
 
 	// Upstream DNS servers and their settings
 	// --

proxy/dns64.go

@@ -213,7 +213,7 @@ func (p *Proxy) withinDNS64(ip netip.Addr) (ok bool) {
 	return false
 }
 
-// shouldStripDNS64 returns true if DNS64 is enabled and ip has either one of
+// shouldStripDNS64 returns true if DNS64 is enabled and addr has either one of
 // custom DNS64 prefixes or the Well-Known one.  This is intended to be used
 // with PTR requests.
 //
@@ -223,21 +223,16 @@ func (p *Proxy) withinDNS64(ip netip.Addr) (ok bool) {
 // DNS64.
 //
 // See https://datatracker.ietf.org/doc/html/rfc6147#section-5.3.1.
-func (p *Proxy) shouldStripDNS64(ip net.IP) (ok bool) {
+func (p *Proxy) shouldStripDNS64(addr netip.Addr) (ok bool) {
 	if len(p.dns64Prefs) == 0 {
 		return false
 	}
 
-	addr, err := netutil.IPToAddr(ip, netutil.AddrFamilyIPv6)
-	if err != nil {
-		return false
-	}
-
 	switch {
 	case p.withinDNS64(addr):
-		log.Debug("proxy: %s is within DNS64 custom prefix set", ip)
+		log.Debug("proxy: %s is within DNS64 custom prefix set", addr)
 	case dns64WellKnownPref.Contains(addr):
-		log.Debug("proxy: %s is within DNS64 well-known prefix", ip)
+		log.Debug("proxy: %s is within DNS64 well-known prefix", addr)
 	default:
 		return false
 	}

proxy/proxy.go

@@ -137,9 +137,6 @@ type Proxy struct {
 	// ratelimitLock protects ratelimitBuckets.
 	ratelimitLock sync.Mutex
 
-	// proxyVerifier checks if the proxy is in the trusted list.
-	proxyVerifier netutil.SubnetSet
-
 	// DNS cache
 	// --
 
@@ -229,14 +226,6 @@ func (p *Proxy) Init() (err error) {
 		}
 	}
 
-	var trusted []*net.IPNet
-	trusted, err = netutil.ParseSubnets(p.TrustedProxies...)
-	if err != nil {
-		return fmt.Errorf("initializing subnet detector for proxies verifying: %w", err)
-	}
-
-	p.proxyVerifier = netutil.SliceSubnetSet(trusted)
-
 	err = p.setupDNS64()
 	if err != nil {
 		return fmt.Errorf("setting up DNS64: %w", err)
@@ -528,7 +517,7 @@ func (p *Proxy) selectUpstreams(d *DNSContext) (upstreams []upstream.Upstream) {
 
 	// TODO(e.burkov):  Detect against the actual configured subnet set.
 	// Perhaps, even much earlier.
-	if !netutil.IsLocallyServedAddr(d.Addr.Addr()) {
+	if !netutil.IsLocallyServed(d.Addr.Addr()) {
 		return nil
 	}
 
@@ -719,12 +708,15 @@ func (dctx *DNSContext) processECS(cliIP net.IP) {
 		}
 	}
 
-	// Set ECS.
+	var cliAddr netip.Addr
 	if cliIP == nil {
-		cliIP = dctx.Addr.Addr().AsSlice()
+		cliAddr = dctx.Addr.Addr()
+		cliIP = cliAddr.AsSlice()
+	} else {
+		cliAddr, _ = netip.AddrFromSlice(cliIP)
 	}
 
-	if !netutil.IsSpecialPurpose(cliIP) {
+	if !netutil.IsSpecialPurpose(cliAddr) {
 		// A Stub Resolver MUST set SCOPE PREFIX-LENGTH to 0.  See RFC 7871
 		// Section 6.
 		dctx.ReqECS = setECS(dctx.Req, cliIP, 0)

proxy/proxy_test.go

@@ -1188,7 +1188,10 @@ func createTestProxy(t *testing.T, tlsConfig *tls.Config) (p *Proxy) {
 	p.UpstreamConfig = &UpstreamConfig{}
 	p.UpstreamConfig.Upstreams = append(upstreams, dnsUpstream)
 
-	p.TrustedProxies = []string{"0.0.0.0/0", "::0/0"}
+	p.TrustedProxies = netutil.SliceSubnetSet{
+		netip.MustParsePrefix("0.0.0.0/0"),
+		netip.MustParsePrefix("::0/0"),
+	}
 
 	p.RatelimitSubnetLenIPv4 = 24
 	p.RatelimitSubnetLenIPv6 = 64

proxy/proxycache.go

@@ -4,7 +4,7 @@ import (
 	"net"
 
 	"github.com/AdguardTeam/golibs/log"
-	"github.com/AdguardTeam/golibs/netutil"
+	"golang.org/x/exp/slices"
 )
 
 // cacheForContext returns cache object for the given context.
@@ -52,7 +52,7 @@ func (p *Proxy) replyFromCache(d *DNSContext) (hit bool) {
 		minCtxClone := &DNSContext{
 			// It is only read inside the optimistic resolver.
 			CustomUpstreamConfig: d.CustomUpstreamConfig,
-			ReqECS:               netutil.CloneIPNet(d.ReqECS),
+			ReqECS:               cloneIPNet(d.ReqECS),
 		}
 		if d.Req != nil {
 			minCtxClone.Req = d.Req.Copy()
@@ -65,6 +65,18 @@ func (p *Proxy) replyFromCache(d *DNSContext) (hit bool) {
 	return hit
 }
 
+// cloneIPNet returns a deep clone of n.
+func cloneIPNet(n *net.IPNet) (clone *net.IPNet) {
+	if n == nil {
+		return nil
+	}
+
+	return &net.IPNet{
+		IP:   slices.Clone(n.IP),
+		Mask: slices.Clone(n.Mask),
+	}
+}
+
 // cacheResp stores the response from d in general or subnet cache.  In case the
 // cache is present in d, it's used first.
 func (p *Proxy) cacheResp(d *DNSContext) {

proxy/server_https.go

@@ -162,8 +162,7 @@ func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if prx.IsValid() {
 		log.Debug("dnsproxy: request came from proxy server %s", prx)
 
-		// TODO(s.chzhen):  Consider using []netip.Prefix.
-		if !p.proxyVerifier.Contains(prx.Addr().AsSlice()) {
+		if !p.TrustedProxies.Contains(prx.Addr()) {
 			log.Debug("dnsproxy: proxy %s is not trusted, using original remote addr", prx)
 			d.Addr = prx
 		}

proxy/server_https_test.go

@@ -66,7 +66,7 @@ func TestProxy_trustedProxies(t *testing.T) {
 		proxyAddr  = netip.MustParseAddr("127.0.0.1")
 	)
 
-	doRequest := func(t *testing.T, addr string, expectedClientIP netip.Addr) {
+	doRequest := func(t *testing.T, addr, expectedClientIP netip.Addr) {
 		// Prepare the proxy server.
 		tlsConf, caPem := createServerTLSConfig(t)
 		dnsProxy := createTestProxy(t, tlsConf)
@@ -82,7 +82,7 @@ func TestProxy_trustedProxies(t *testing.T) {
 
 		msg := createTestMessage()
 
-		dnsProxy.TrustedProxies = []string{addr}
+		dnsProxy.TrustedProxies = netip.PrefixFrom(addr, addr.BitLen())
 
 		// Start listening.
 		serr := dnsProxy.Start()
@@ -100,11 +100,11 @@ func TestProxy_trustedProxies(t *testing.T) {
 	}
 
 	t.Run("success", func(t *testing.T) {
-		doRequest(t, proxyAddr.String(), clientAddr)
+		doRequest(t, proxyAddr, clientAddr)
 	})
 
 	t.Run("not_in_trusted", func(t *testing.T) {
-		doRequest(t, "127.0.0.2", proxyAddr)
+		doRequest(t, netip.MustParseAddr("127.0.0.2"), proxyAddr)
 	})
 }