forked from Psiphon-Labs/psiphon-tunnel-core
-
Notifications
You must be signed in to change notification settings - Fork 0
/
blocklist.go
203 lines (167 loc) · 4.89 KB
/
blocklist.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
/*
* Copyright (c) 2019, Psiphon Inc.
* All rights reserved.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
package server
import (
"encoding/csv"
"fmt"
"io"
"net"
"os"
"sync/atomic"
"github.com/Psiphon-Labs/psiphon-tunnel-core/psiphon/common"
)
// Blocklist provides a fast lookup of IP addresses that are candidates for
// egress blocking. This is intended to be used to block malware and other
// malicious traffic.
//
// The Reload function supports hot reloading of rules data while the server
// is running.
//
// Limitations: currently supports only IPv4 addresses, and is implemented
// with an in-memory Go map, which limits the practical size of the blocklist.
type Blocklist struct {
common.ReloadableFile
loaded int32
data atomic.Value
}
// BlocklistTag indicates the source containing an IP address and the subject,
// or name of the suspected malicious traffic.
type BlocklistTag struct {
Source string
Subject string
}
type blocklistData struct {
lookup map[[net.IPv4len]byte][]BlocklistTag
internedStrings map[string]string
}
// NewBlocklist creates a new block list.
//
// The input file must be a 3 field comma-delimited and optional quote-escaped
// CSV. Fields: <IPv4 address>,<source>,<subject>.
//
// IP addresses may appear multiple times in the input file; each distinct
// source/subject is associated with the IP address and returned in the Lookup
// tag list.
func NewBlocklist(filename string) (*Blocklist, error) {
blocklist := &Blocklist{}
blocklist.ReloadableFile = common.NewReloadableFile(
filename,
false,
func(_ []byte) error {
newData, err := loadBlocklistFromFile(filename)
if err != nil {
return common.ContextError(err)
}
blocklist.data.Store(newData)
atomic.StoreInt32(&blocklist.loaded, 1)
return nil
})
_, err := blocklist.Reload()
if err != nil {
return nil, common.ContextError(err)
}
return blocklist, nil
}
// Lookup returns the blocklist tags for any IP address that is on the
// blocklist, or returns nil for any IP address not on the blocklist. Lookup
// may be called oncurrently. The caller must not modify the return value.
func (b *Blocklist) Lookup(IPAddress net.IP) []BlocklistTag {
// When not configured, no blocklist is loaded/initialized.
if atomic.LoadInt32(&b.loaded) != 1 {
return nil
}
var key [net.IPv4len]byte
IPv4Address := IPAddress.To4()
if IPv4Address == nil {
return nil
}
copy(key[:], IPv4Address)
// As data is an atomic.Value, it's not necessary to call
// ReloadableFile.RLock/ReloadableFile.RUnlock in this case.
tags, ok := b.data.Load().(*blocklistData).lookup[key]
if !ok {
return nil
}
return tags
}
func loadBlocklistFromFile(filename string) (*blocklistData, error) {
data := newBlocklistData()
file, err := os.Open(filename)
if err != nil {
return nil, common.ContextError(err)
}
defer file.Close()
reader := csv.NewReader(file)
reader.FieldsPerRecord = 3
reader.Comment = '#'
reader.ReuseRecord = true
for {
record, err := reader.Read()
if err == io.EOF {
break
} else if err != nil {
return nil, common.ContextError(err)
}
IPAddress := net.ParseIP(record[0])
if IPAddress == nil {
return nil, common.ContextError(
fmt.Errorf("invalid IP address: %s", record[0]))
}
IPv4Address := IPAddress.To4()
if IPAddress == nil {
return nil, common.ContextError(
fmt.Errorf("invalid IPv4 address: %s", record[0]))
}
var key [net.IPv4len]byte
copy(key[:], IPv4Address)
// Intern the source and subject strings so we only store one copy of
// each in memory. These values are expected to repeat often.
source := data.internString(record[1])
subject := data.internString(record[2])
tag := BlocklistTag{
Source: source,
Subject: subject,
}
tags := data.lookup[key]
found := false
for _, existingTag := range tags {
if tag == existingTag {
found = true
break
}
}
if !found {
data.lookup[key] = append(tags, tag)
}
}
return data, nil
}
func newBlocklistData() *blocklistData {
return &blocklistData{
lookup: make(map[[net.IPv4len]byte][]BlocklistTag),
internedStrings: make(map[string]string),
}
}
func (data *blocklistData) internString(str string) string {
if internedStr, ok := data.internedStrings[str]; ok {
return internedStr
}
data.internedStrings[str] = str
return str
}