From 9e0e7b1ea58d2c4ff5457fddff6acd0085f9dd3a Mon Sep 17 00:00:00 2001 From: Samuel Gaist Date: Thu, 2 Nov 2023 19:06:55 +0100 Subject: [PATCH] feat(userspace/falco): add configuration support for IPV6 webserver listen address The IPV6 capabilities is provided through cpp-httplib. --- falco.yaml | 2 +- unit_tests/falco/test_configuration.cpp | 42 +++++++++++++++++++++++-- userspace/falco/configuration.cpp | 7 ++--- 3 files changed, 44 insertions(+), 7 deletions(-) diff --git a/falco.yaml b/falco.yaml index b3f11328595..657395995ad 100644 --- a/falco.yaml +++ b/falco.yaml @@ -492,7 +492,7 @@ webserver: # the appropriate number of threads based on the number of online cores in the system. threadiness: 0 listen_port: 8765 - # IPV4 only is supported + # Can be an IPV4 or IPV6 address, defaults to IPV4 listen_address: 0.0.0.0 k8s_healthz_endpoint: /healthz ssl_enabled: false diff --git a/unit_tests/falco/test_configuration.cpp b/unit_tests/falco/test_configuration.cpp index 48019305a84..0714035c26c 100644 --- a/unit_tests/falco/test_configuration.cpp +++ b/unit_tests/falco/test_configuration.cpp @@ -182,7 +182,30 @@ TEST(Configuration, configuration_webserver_ip) std::vector valid_addresses = {"127.0.0.1", "1.127.0.1", "1.1.127.1", - "1.1.1.127"}; + "1.1.1.127", + "::", + "::1", + "1200:0000:AB00:1234:0000:2552:7777:1313", + "1200::AB00:1234:0000:2552:7777:1313", + "1200:0000:AB00:1234::2552:7777:1313", + "21DA:D3:0:2F3B:2AA:FF:FE28:9C5A", + "FE80:0000:0000:0000:0202:B3FF:FE1E:8329", + "0.0.0.0", + "9.255.255.255", + "11.0.0.0", + "126.255.255.255", + "129.0.0.0", + "169.253.255.255", + "169.255.0.0", + "172.15.255.255", + "172.32.0.0", + "191.0.1.255", + "192.88.98.255", + "192.88.100.0", + "192.167.255.255", + "192.169.0.0", + "198.17.255.255", + "223.255.255.255"}; for (const std::string &address: valid_addresses) { std::string option = "webserver.listen_address="; @@ -204,7 +227,22 @@ TEST(Configuration, configuration_webserver_ip) "127. 0.0.1", "127.0. 0.1", "127.0.0. 1", - "!27.0.0.1"}; + "!27.0.0.1", + "1200: 0000:AB00:1234:0000:2552:7777:1313", + "1200:0000: AB00:1234:0000:2552:7777:1313", + "1200:0000:AB00: 1234:0000:2552:7777:1313", + "1200:0000:AB00:1234: 0000:2552:7777:1313", + "1200:0000:AB00:1234:0000: 2552:7777:1313", + "1200:0000:AB00:1234:0000:2552: 7777:1313", + "1200:0000:AB00:1234:0000:2552:7777: 1313", + "1200:0000:AB00:1234:0000:2552:7777:131G", + "1200:0000:AB00:1234:0000:2552:77Z7:1313", + "1200:0000:AB00:1234:0000:2G52:7777:1313", + "1200:0000:AB00:1234:0O00:2552:7777:1313", + "1200:0000:AB00:H234:0000:2552:7777:1313", + "1200:0000:IB00:1234:0000:2552:7777:1313", + "1200:0O00:AB00:1234:0000:2552:7777:1313", + "12O0:0000:AB00:1234:0000:2552:7777:1313",}; for (const std::string &address: invalid_addresses) { std::string option = "webserver.listen_address="; diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp index 1e7d15309ba..64f02620cf6 100644 --- a/userspace/falco/configuration.cpp +++ b/userspace/falco/configuration.cpp @@ -33,9 +33,8 @@ limitations under the License. #include -// Reference: https://www.oreilly.com/library/view/regular-expressions-cookbook/9780596802837/ch07s16.html -static re2::RE2 ipv4_address_re("^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"); - +// Reference: https://digitalfortress.tech/tips/top-15-commonly-used-regex/ +static re2::RE2 ip_address_re("((^\\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\\s*$)|(^\\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?\\s*$))"); falco_configuration::falco_configuration(): m_json_output(false), @@ -293,7 +292,7 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h m_webserver_threadiness = config.get_scalar("webserver.threadiness", 0); m_webserver_listen_port = config.get_scalar("webserver.listen_port", 8765); m_webserver_listen_address = config.get_scalar("webserver.listen_address", "0.0.0.0"); - if(!re2::RE2::FullMatch(m_webserver_listen_address, ipv4_address_re)) + if(!re2::RE2::FullMatch(m_webserver_listen_address, ip_address_re)) { throw std::logic_error("Error reading config file (" + config_name + "): webserver listen address \"" + m_webserver_listen_address + "\" is not a valid IP address"); }