Merge pull request #126 from steadybit/feat/cidr-support

feat: add utils to support CIDRs in network attacks
steadybit · May 19, 2024 · 997e33b · 997e33b
2 parents fed1da0 + fb0c490
commit 997e33b
Show file tree

Hide file tree

Showing 7 changed files with 326 additions and 61 deletions.
diff --git a/go/action_kit_commons/CHANGELOG.md b/go/action_kit_commons/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
 
+## 1.2.0
+
+- Add ParseCIDRs to parse ip Addresses and CIDRs for network attacks.
+- Resolve will not accept empty strings or ip addresses anymore.
+- IpToNet was renamed to IpsToNets
+
 ## 1.1.12
 
 - Check when CGroup2 nsdelegate is used and running containers on other CGroups

diff --git a/go/action_kit_commons/go.mod b/go/action_kit_commons/go.mod
@@ -11,14 +11,35 @@ require (
 )
 
 require (
+	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
+	github.com/creack/pty v1.1.21 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/godbus/dbus/v5 v5.1.0 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
+	github.com/kr/pty v1.1.8 // indirect
+	github.com/kr/text v0.2.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e // indirect
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rogpeppe/go-internal v1.12.0 // indirect
+	github.com/rs/xid v1.5.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
+	github.com/yuin/goldmark v1.7.1 // indirect
+	golang.org/x/crypto v0.23.0 // indirect
+	golang.org/x/mod v0.17.0 // indirect
+	golang.org/x/net v0.25.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
 	golang.org/x/sys v0.20.0 // indirect
+	golang.org/x/telemetry v0.0.0-20240517185431-3f1148c77f69 // indirect
+	golang.org/x/term v0.20.0 // indirect
+	golang.org/x/text v0.15.0 // indirect
+	golang.org/x/tools v0.21.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go/action_kit_commons/go.sum b/go/action_kit_commons/go.sum
@@ -1,14 +1,25 @@
+github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/creack/pty v1.1.21 h1:1/QdRyBaHHJP61QkWMXlOIBfsgdDeeKfK8SYVUWJKf0=
+github.com/creack/pty v1.1.21/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
+github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dvMUtDTo2cv8=
 github.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/pty v1.1.8 h1:AkaSdXYQOWeaO3neb8EM634ahkXXe3jYbVh/F9lq+GI=
+github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
@@ -20,27 +31,57 @@ github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWE
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk=
 github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e h1:aoZm08cpOy4WuID//EZDgcC4zIxODThtZNPirFr42+A=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
+github.com/rs/xid v1.5.0 h1:mKX4bl4iPYJtEIxp6CYiUuLQ/8DYMoz0PUdtGgMFRVc=
 github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.32.0 h1:keLypqrlIjaFsbmJOBdB/qvyF8KEtCWHwobLp5l/mQ0=
 github.com/rs/zerolog v1.32.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
+github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
+github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
+github.com/yuin/goldmark v1.7.1 h1:3bajkSilaCbjdKVsKdZjZCLBNPL9pYzrCakKaf4U49U=
+github.com/yuin/goldmark v1.7.1/go.mod h1:uzxRWxtg69N339t3louHJ7+O03ezfj6PlliRlaOzY1E=
+golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM=
 golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
+golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/telemetry v0.0.0-20240517185431-3f1148c77f69 h1:OATfEPNMx+WWAp8ufM8G/vtt3OSDCAN6ssWFJxXvAcE=
+golang.org/x/telemetry v0.0.0-20240517185431-3f1148c77f69/go.mod h1:pRgIJT+bRLFKnoM1ldnzKoxTIn14Yxz928LQRYYgIN0=
+golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw=
+golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

diff --git a/go/action_kit_commons/network/resolve_hostnames.go b/go/action_kit_commons/network/resolve_hostnames.go
@@ -1,5 +1,5 @@
 /*
- * Copyright 2023 steadybit GmbH. All rights reserved.
+ * Copyright 2024 steadybit GmbH. All rights reserved.
  */
 
 package network
@@ -13,6 +13,7 @@ import (
 	"io"
 	"net"
 	"os/exec"
+	"slices"
 	"strings"
 )
 
@@ -26,22 +27,32 @@ type HostnameResolver struct {
 
 var defaultHostnameResolver = &HostnameResolver{Dig: &CommandDigRunner{}}
 
-func Resolve(ctx context.Context, ipOrHostnames ...string) ([]net.IP, error) {
-	return defaultHostnameResolver.Resolve(ctx, ipOrHostnames...)
+func Resolve(ctx context.Context, hostnames ...string) ([]net.IP, error) {
+	return defaultHostnameResolver.Resolve(ctx, hostnames...)
 }
 
-func (h *HostnameResolver) Resolve(ctx context.Context, ipOrHostnames ...string) ([]net.IP, error) {
-	hostnames, ips := classify(ipOrHostnames)
+func (h *HostnameResolver) Resolve(ctx context.Context, hostnames ...string) ([]net.IP, error) {
 	if len(hostnames) == 0 {
-		return ips, nil
+		return nil, nil
 	}
 
+	unresolved := make([]string, 0, len(hostnames))
+	var invalid []string
 	var sb strings.Builder
 	for _, hostname := range hostnames {
+		if len(strings.TrimSpace(hostname)) == 0 {
+			invalid = append(invalid, hostname)
+			continue
+		}
 		sb.WriteString(hostname)
 		sb.WriteString(" A\n")
 		sb.WriteString(hostname)
 		sb.WriteString(" AAAA\n")
+		unresolved = append(unresolved, hostname)
+	}
+
+	if len(invalid) > 0 {
+		return nil, fmt.Errorf("could not resolve hostnames: '%s'", strings.Join(unresolved, "', '"))
 	}
 
 	outb, err := h.Dig.Run(ctx, []string{"-f-", "+timeout=4", "+noall", "+nottlid", "+answer"}, strings.NewReader(sb.String()))
@@ -50,41 +61,24 @@ func (h *HostnameResolver) Resolve(ctx context.Context, ipOrHostnames ...string)
 	}
 
 	scanner := bufio.NewScanner(bytes.NewReader(outb))
+	var resolved []net.IP
 	for scanner.Scan() {
-		line := scanner.Text()
-		fields := strings.Fields(line)
+		fields := strings.Fields(scanner.Text())
 		if len(fields) >= 4 {
 			domain := strings.TrimSuffix(fields[0], ".")
-			ips = append(ips, net.ParseIP(fields[3]))
-			for i, hostname := range hostnames {
-				if hostname == domain {
-					hostnames = append(hostnames[:i], hostnames[i+1:]...)
-					break
-				}
-			}
+			resolved = append(resolved, net.ParseIP(fields[3]))
+			unresolved = slices.DeleteFunc(unresolved, func(hostname string) bool {
+				return hostname == domain
+			})
 		}
 	}
 
-	if len(hostnames) > 0 {
-		return ips, fmt.Errorf("could not resolve hostnames: %s", strings.Join(hostnames, ", "))
+	if len(unresolved) > 0 {
+		return nil, fmt.Errorf("could not resolve hostnames: '%s'", strings.Join(unresolved, "', '"))
 	}
 
-	log.Trace().Interface("ips", ips).Strs("ipOrHostnames", ipOrHostnames).Msg("resolved ips")
-	return ips, nil
-}
-
-func classify(ipOrHostnames []string) (unresolved []string, resolved []net.IP) {
-	for _, ipOrHostname := range ipOrHostnames {
-		if len(ipOrHostname) == 0 {
-			continue
-		}
-		if ip := net.ParseIP(strings.TrimPrefix(strings.TrimSuffix(ipOrHostname, "]"), "[")); ip == nil {
-			unresolved = append(unresolved, ipOrHostname)
-		} else {
-			resolved = append(resolved, ip)
-		}
-	}
-	return unresolved, resolved
+	log.Trace().Interface("resolved", resolved).Strs("hostnames", hostnames).Msg("resolved resolved")
+	return resolved, nil
 }
 
 type CommandDigRunner struct {

diff --git a/go/action_kit_commons/network/resolve_hostnames_test.go b/go/action_kit_commons/network/resolve_hostnames_test.go
@@ -1,5 +1,5 @@
 /*
- * Copyright 2023 steadybit GmbH. All rights reserved.
+ * Copyright 2024 steadybit GmbH. All rights reserved.
  */
 
 package network
@@ -13,27 +13,47 @@ import (
 )
 
 func TestHostnameResolver_Resolve(t *testing.T) {
-	githubIPs, _ := net.LookupIP("github.com")
-	for i, p := range githubIPs {
-		githubIPs[i] = p.To16()
+	steadybitIPs, _ := net.LookupIP("steadybit.com")
+	for i, p := range steadybitIPs {
+		steadybitIPs[i] = p.To16()
 	}
 
 	tests := []struct {
-		ipOrHostnames []string
-		want          []net.IP
-		wantErr       assert.ErrorAssertionFunc
+		hostnames []string
+		want      []net.IP
+		wantErr   assert.ErrorAssertionFunc
 	}{
-		{ipOrHostnames: []string{"", ""}, want: nil, wantErr: assert.NoError},
-		{ipOrHostnames: []string{"127.0.0.1", "github.com"}, want: append([]net.IP{net.ParseIP("127.0.0.1")}, githubIPs...), wantErr: assert.NoError},
-		{ipOrHostnames: []string{"not-existing.local"}, want: nil, wantErr: assert.Error},
+		{
+			hostnames: []string{""},
+			want:      []net.IP{},
+			wantErr:   assert.Error,
+		},
+		{
+			hostnames: []string{" "},
+			wantErr:   assert.Error,
+		},
+		{
+			hostnames: []string{"not-existing.local"},
+			wantErr:   assert.Error,
+		},
+		{
+			hostnames: []string{"127.0.0.1"},
+			wantErr:   assert.Error,
+		},
+		{
+			hostnames: []string{"steadybit.com"},
+			want:      steadybitIPs,
+			wantErr:   assert.NoError,
+		},
 	}
+
 	for _, tt := range tests {
-		t.Run(fmt.Sprintf("Resolve(%+v)", tt.ipOrHostnames), func(t *testing.T) {
-			got, err := Resolve(context.Background(), tt.ipOrHostnames...)
-			if !tt.wantErr(t, err, fmt.Sprintf("Resolve(ctx, %v)", tt.ipOrHostnames)) {
+		t.Run(fmt.Sprintf("Resolve(%+v)", tt.hostnames), func(t *testing.T) {
+			got, err := Resolve(context.Background(), tt.hostnames...)
+			if !tt.wantErr(t, err, fmt.Sprintf("Resolve(ctx, %v)", tt.hostnames)) {
 				return
 			}
-			assert.Equalf(t, tt.want, got, "Resolve(ctx, %v)", tt.ipOrHostnames)
+			assert.ElementsMatchf(t, tt.want, got, "Resolve(ctx, %v)", tt.hostnames)
 		})
 	}
 }
diff --git a/go/action_kit_commons/network/types.go b/go/action_kit_commons/network/types.go
@@ -81,13 +81,57 @@ func ParsePortRange(raw string) (PortRange, error) {
 	return PortRange{From: uint16(from), To: uint16(to)}, nil
 }
 
-func IpToNet(ips []net.IP) []net.IPNet {
+func ParseCIDRs(raw []string) ([]net.IPNet, []string) {
+	var cidrs []net.IPNet
+	var nonCidrs []string
+
+	for _, r := range raw {
+		if len(r) == 0 {
+			continue
+		}
+
+		if cidr, err := ParseCIDR(r); err == nil {
+			cidrs = append(cidrs, *cidr)
+		} else {
+			nonCidrs = append(nonCidrs, r)
+		}
+	}
+
+	return cidrs, nonCidrs
+}
+
+func ParseCIDR(s string) (*net.IPNet, error) {
+	if _, cidr, err := net.ParseCIDR(s); err == nil {
+		return cidr, nil
+	}
+
+	if ip := net.ParseIP(strings.TrimPrefix(strings.TrimSuffix(s, "]"), "[")); ip != nil {
+		if cidr := IpToNet(ip); cidr != nil {
+			return cidr, nil
+		}
+	}
+	return nil, &net.ParseError{Type: "CIDR address", Text: s}
+}
+
+var (
+	ipV4SingleAddressMask = net.CIDRMask(32, 32)
+	ipV6SingleAddressMask = net.CIDRMask(128, 128)
+)
+
+func IpToNet(ip net.IP) *net.IPNet {
+	if v4 := ip.To4(); v4 != nil {
+		return &net.IPNet{IP: v4, Mask: ipV4SingleAddressMask}
+	} else if v6 := ip.To16(); v6 != nil {
+		return &net.IPNet{IP: v6, Mask: ipV6SingleAddressMask}
+	}
+	return nil
+}
+
+func IpsToNets(ips []net.IP) []net.IPNet {
 	var nets []net.IPNet
 	for _, ip := range ips {
-		if v4 := ip.To4(); v4 != nil {
-			nets = append(nets, net.IPNet{IP: v4, Mask: net.CIDRMask(32, 32)})
-		} else if v6 := ip.To16(); v6 != nil {
-			nets = append(nets, net.IPNet{IP: v6, Mask: net.CIDRMask(128, 128)})
+		if n := IpToNet(ip); n != nil {
+			nets = append(nets, *n)
 		}
 	}
 	return nets