Add support for CIDR ranges in the IP allow/block plugins

jedisct1 · jedisct1 · commit b618b0df59d0 · 2026-02-13T12:15:35.000+01:00
diff --git a/dnscrypt-proxy/common.go b/dnscrypt-proxy/common.go
@@ -16,6 +16,7 @@ import (
 
 	iradix "github.com/hashicorp/go-immutable-radix"
 	"github.com/jedisct1/dlog"
+	"github.com/k-sone/critbitgo"
 )
 
 type CryptoConstruction uint16
@@ -313,9 +314,22 @@ func ProcessConfigLines(lines string, processor func(line string, lineNo int) er
 	return nil
 }
 
-// LoadIPRules loads IP rules from text lines into radix tree and map structures
-func LoadIPRules(lines string, prefixes *iradix.Tree, ips map[string]any) (*iradix.Tree, error) {
+// LoadIPRules loads IP rules from text lines into three structures:
+//   - ips (map): exact IP addresses
+//   - prefixes (radix tree): wildcard prefix rules (e.g. "192.168.*")
+//   - networks (critbit net): CIDR network masks (e.g. "10.0.0.0/8")
+func LoadIPRules(lines string, prefixes *iradix.Tree, ips map[string]any, networks *critbitgo.Net) (*iradix.Tree, error) {
 	err := ProcessConfigLines(lines, func(line string, lineNo int) error {
+		if strings.Contains(line, "/") {
+			if networks == nil {
+				dlog.Errorf("CIDR rule [%s] at line %d but no network table provided", line, lineNo)
+				return nil
+			}
+			if err := networks.AddCIDR(line, true); err != nil {
+				dlog.Errorf("Invalid CIDR rule [%s] at line %d: %v", line, lineNo, err)
+			}
+			return nil
+		}
 		cleanLine, trailingStar, lineErr := ParseIPRule(line, lineNo)
 		if lineErr != nil {
 			dlog.Error(lineErr)
diff --git a/dnscrypt-proxy/example-allowed-ips.txt b/dnscrypt-proxy/example-allowed-ips.txt
@@ -5,3 +5,5 @@
 #192.168.0.*
 #fe80:53:*          # IPv6 prefix example
 #81.169.145.105
+#192.168.0.0/16     # CIDR network mask
+#fe80::/10          # IPv6 CIDR network mask
diff --git a/dnscrypt-proxy/example-blocked-ips.txt b/dnscrypt-proxy/example-blocked-ips.txt
@@ -15,3 +15,5 @@
 163.5.1.4
 94.46.118.*
 fe80:53:*          # IPv6 prefix example
+10.0.0.0/8         # CIDR network mask
+fe80::/10          # IPv6 CIDR network mask
diff --git a/dnscrypt-proxy/plugin_allow_ip.go b/dnscrypt-proxy/plugin_allow_ip.go
@@ -3,16 +3,19 @@ package main
 import (
 	"errors"
 	"io"
+	"net"
 	"sync"
 
 	"codeberg.org/miekg/dns"
 	iradix "github.com/hashicorp/go-immutable-radix"
 	"github.com/jedisct1/dlog"
+	"github.com/k-sone/critbitgo"
 )
 
 type PluginAllowedIP struct {
 	allowedPrefixes *iradix.Tree
 	allowedIPs      map[string]any
+	allowedNetworks *critbitgo.Net
 	logger          io.Writer
 	format          string
 	ipCryptConfig   *IPCryptConfig
@@ -23,6 +26,7 @@ type PluginAllowedIP struct {
 	configWatcher   *ConfigWatcher
 	stagingPrefixes *iradix.Tree
 	stagingIPs      map[string]any
+	stagingNetworks *critbitgo.Net
 }
 
 func (plugin *PluginAllowedIP) Name() string {
@@ -44,8 +48,9 @@ func (plugin *PluginAllowedIP) Init(proxy *Proxy) error {
 
 	plugin.allowedPrefixes = iradix.New()
 	plugin.allowedIPs = make(map[string]any)
+	plugin.allowedNetworks = critbitgo.NewNet()
 
-	plugin.allowedPrefixes, err = plugin.loadRules(lines, plugin.allowedPrefixes, plugin.allowedIPs)
+	plugin.allowedPrefixes, err = plugin.loadRules(lines, plugin.allowedPrefixes, plugin.allowedIPs, plugin.allowedNetworks)
 	if err != nil {
 		return err
 	}
@@ -56,9 +61,9 @@ func (plugin *PluginAllowedIP) Init(proxy *Proxy) error {
 	return nil
 }
 
-// loadRules parses and loads IP rules into the provided tree and map
-func (plugin *PluginAllowedIP) loadRules(lines string, prefixes *iradix.Tree, ips map[string]any) (*iradix.Tree, error) {
-	return LoadIPRules(lines, prefixes, ips)
+// loadRules parses and loads IP rules into the provided tree, map, and network table
+func (plugin *PluginAllowedIP) loadRules(lines string, prefixes *iradix.Tree, ips map[string]any, networks *critbitgo.Net) (*iradix.Tree, error) {
+	return LoadIPRules(lines, prefixes, ips, networks)
 }
 
 func (plugin *PluginAllowedIP) Drop() error {
@@ -74,27 +79,30 @@ func (plugin *PluginAllowedIP) PrepareReload() error {
 		// Create staging structures
 		plugin.stagingPrefixes = iradix.New()
 		plugin.stagingIPs = make(map[string]any)
+		plugin.stagingNetworks = critbitgo.NewNet()
 
 		// Load rules into staging structures
 		var err error
-		plugin.stagingPrefixes, err = plugin.loadRules(lines, plugin.stagingPrefixes, plugin.stagingIPs)
+		plugin.stagingPrefixes, err = plugin.loadRules(lines, plugin.stagingPrefixes, plugin.stagingIPs, plugin.stagingNetworks)
 		return err
 	})
 }
 
 // ApplyReload atomically replaces the active rules with the staging ones
 func (plugin *PluginAllowedIP) ApplyReload() error {
 	return StandardApplyReloadPattern(plugin.Name(), func() error {
-		if plugin.stagingPrefixes == nil || plugin.stagingIPs == nil {
+		if plugin.stagingPrefixes == nil || plugin.stagingIPs == nil || plugin.stagingNetworks == nil {
 			return errors.New("no staged configuration to apply")
 		}
 
 		// Use write lock to swap rule structures
 		plugin.rwLock.Lock()
 		plugin.allowedPrefixes = plugin.stagingPrefixes
 		plugin.allowedIPs = plugin.stagingIPs
+		plugin.allowedNetworks = plugin.stagingNetworks
 		plugin.stagingPrefixes = nil
 		plugin.stagingIPs = nil
+		plugin.stagingNetworks = nil
 		plugin.rwLock.Unlock()
 
 		return nil
@@ -105,6 +113,7 @@ func (plugin *PluginAllowedIP) ApplyReload() error {
 func (plugin *PluginAllowedIP) CancelReload() {
 	plugin.stagingPrefixes = nil
 	plugin.stagingIPs = nil
+	plugin.stagingNetworks = nil
 }
 
 // Reload implements hot-reloading for the plugin
@@ -165,6 +174,14 @@ func (plugin *PluginAllowedIP) Eval(pluginsState *PluginsState, msg *dns.Msg) er
 				break
 			}
 		}
+		if plugin.allowedNetworks.Size() > 0 {
+			if ip := net.ParseIP(ipStr); ip != nil {
+				if route, _, _ := plugin.allowedNetworks.MatchIP(ip); route != nil {
+					allowed, reason = true, route.String()
+					break
+				}
+			}
+		}
 	}
 
 	if allowed {
diff --git a/dnscrypt-proxy/plugin_block_ip.go b/dnscrypt-proxy/plugin_block_ip.go
@@ -3,16 +3,19 @@ package main
 import (
 	"errors"
 	"io"
+	"net"
 	"sync"
 
 	"codeberg.org/miekg/dns"
 	iradix "github.com/hashicorp/go-immutable-radix"
 	"github.com/jedisct1/dlog"
+	"github.com/k-sone/critbitgo"
 )
 
 type PluginBlockIP struct {
 	blockedPrefixes *iradix.Tree
 	blockedIPs      map[string]any
+	blockedNetworks *critbitgo.Net
 	logger          io.Writer
 	format          string
 	ipCryptConfig   *IPCryptConfig
@@ -23,6 +26,7 @@ type PluginBlockIP struct {
 	configWatcher   *ConfigWatcher
 	stagingPrefixes *iradix.Tree
 	stagingIPs      map[string]any
+	stagingNetworks *critbitgo.Net
 }
 
 func (plugin *PluginBlockIP) Name() string {
@@ -44,8 +48,9 @@ func (plugin *PluginBlockIP) Init(proxy *Proxy) error {
 
 	plugin.blockedPrefixes = iradix.New()
 	plugin.blockedIPs = make(map[string]any)
+	plugin.blockedNetworks = critbitgo.NewNet()
 
-	plugin.blockedPrefixes, err = plugin.loadRules(lines, plugin.blockedPrefixes, plugin.blockedIPs)
+	plugin.blockedPrefixes, err = plugin.loadRules(lines, plugin.blockedPrefixes, plugin.blockedIPs, plugin.blockedNetworks)
 	if err != nil {
 		return err
 	}
@@ -56,9 +61,9 @@ func (plugin *PluginBlockIP) Init(proxy *Proxy) error {
 	return nil
 }
 
-// loadRules parses and loads IP rules into the provided tree and map
-func (plugin *PluginBlockIP) loadRules(lines string, prefixes *iradix.Tree, ips map[string]any) (*iradix.Tree, error) {
-	return LoadIPRules(lines, prefixes, ips)
+// loadRules parses and loads IP rules into the provided tree, map, and network table
+func (plugin *PluginBlockIP) loadRules(lines string, prefixes *iradix.Tree, ips map[string]any, networks *critbitgo.Net) (*iradix.Tree, error) {
+	return LoadIPRules(lines, prefixes, ips, networks)
 }
 
 func (plugin *PluginBlockIP) Drop() error {
@@ -74,27 +79,30 @@ func (plugin *PluginBlockIP) PrepareReload() error {
 		// Create staging structures
 		plugin.stagingPrefixes = iradix.New()
 		plugin.stagingIPs = make(map[string]any)
+		plugin.stagingNetworks = critbitgo.NewNet()
 
 		// Load rules into staging structures
 		var err error
-		plugin.stagingPrefixes, err = plugin.loadRules(lines, plugin.stagingPrefixes, plugin.stagingIPs)
+		plugin.stagingPrefixes, err = plugin.loadRules(lines, plugin.stagingPrefixes, plugin.stagingIPs, plugin.stagingNetworks)
 		return err
 	})
 }
 
 // ApplyReload atomically replaces the active rules with the staging ones
 func (plugin *PluginBlockIP) ApplyReload() error {
 	return StandardApplyReloadPattern(plugin.Name(), func() error {
-		if plugin.stagingPrefixes == nil || plugin.stagingIPs == nil {
+		if plugin.stagingPrefixes == nil || plugin.stagingIPs == nil || plugin.stagingNetworks == nil {
 			return errors.New("no staged configuration to apply")
 		}
 
 		// Use write lock to swap rule structures
 		plugin.rwLock.Lock()
 		plugin.blockedPrefixes = plugin.stagingPrefixes
 		plugin.blockedIPs = plugin.stagingIPs
+		plugin.blockedNetworks = plugin.stagingNetworks
 		plugin.stagingPrefixes = nil
 		plugin.stagingIPs = nil
+		plugin.stagingNetworks = nil
 		plugin.rwLock.Unlock()
 
 		return nil
@@ -105,6 +113,7 @@ func (plugin *PluginBlockIP) ApplyReload() error {
 func (plugin *PluginBlockIP) CancelReload() {
 	plugin.stagingPrefixes = nil
 	plugin.stagingIPs = nil
+	plugin.stagingNetworks = nil
 }
 
 // Reload implements hot-reloading for the plugin
@@ -169,6 +178,14 @@ func (plugin *PluginBlockIP) Eval(pluginsState *PluginsState, msg *dns.Msg) erro
 				break
 			}
 		}
+		if plugin.blockedNetworks.Size() > 0 {
+			if ip := net.ParseIP(ipStr); ip != nil {
+				if route, _, _ := plugin.blockedNetworks.MatchIP(ip); route != nil {
+					reject, reason = true, route.String()
+					break
+				}
+			}
+		}
 	}
 
 	if reject {
