net: introduce net.BlockList

`net.BlockList` provides an object intended to be used by net APIs to specify rules for disallowing network activity with specific IP addresses. This commit adds the basic mechanism but does not add the specific uses. PR-URL: #34625 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Bradley Farias <[email protected]>

Author: jasnell

doc/api/net.md

@@ -55,6 +55,86 @@ net.createServer().listen(
 path.join('\\\\?\\pipe', process.cwd(), 'myctl'));
 ```
 
+## Class: `net.BlockList`
+<!-- YAML
+added: REPLACEME
+-->
+
+The `BlockList` object can be used with some network APIs to specify rules for
+disabling inbound or outbound access to specific IP addresses, IP ranges, or
+IP subnets.
+
+### `blockList.addAddress(address[, type])`
+<!-- YAML
+added: REPLACEME
+-->
+
+*`address`{string} An IPv4 or IPv6 address.
+*`type`{string} Either `'ipv4'` or `'ipv6'`. **Default**: `'ipv4'`.
+
+Adds a rule to block the given IP address.
+
+### `blockList.addRange(start, end[, type])`
+<!-- YAML
+added: REPLACEME
+-->
+
+*`start`{string} The starting IPv4 or IPv6 address in the range.
+*`end`{string} The ending IPv4 or IPv6 address in the range.
+*`type`{string} Either `'ipv4'` or `'ipv6'`. **Default**: `'ipv4'`.
+
+Adds a rule to block a range of IP addresses from `start` (inclusive) to
+`end` (inclusive).
+
+### `blockList.addSubnet(net, prefix[, type])`
+<!-- YAML
+added: REPLACEME
+-->
+
+*`net`{string} The network IPv4 or IPv6 address.
+*`prefix`{number} The number of CIDR prefix bits. For IPv4, this
+ must be a value between `0` and `32`. For IPv6, this must be between
+`0` and `128`.
+*`type`{string} Either `'ipv4'` or `'ipv6'`. **Default**: `'ipv4'`.
+
+Adds a rule to block a range of IP addresses specified as a subnet mask.
+
+### `blockList.check(address[, type])`
+<!-- YAML
+added: REPLACEME
+-->
+
+*`address`{string} The IP address to check
+*`type`{string} Either `'ipv4'` or `'ipv6'`. **Default**: `'ipv4'`.
+* Returns:{boolean}
+
+Returns `true` if the given IP address matches any of the rules added to the
+`BlockList`.
+
+```js
+constblockList=newnet.BlockList();
+blockList.addAddress('123.123.123.123');
+blockList.addRange('10.0.0.1', '10.0.0.10');
+blockList.addSubnet('8592:757c:efae:4e45::', 64, 'ipv6');
+
+console.log(blockList.check('123.123.123.123')); // Prints: true
+console.log(blockList.check('10.0.0.3')); // Prints: true
+console.log(blockList.check('222.111.111.222')); // Prints: false
+
+// IPv6 notation for IPv4 addresses works:
+console.log(blockList.check('::ffff:7b7b:7b7b', 'ipv6')); // Prints: true
+console.log(blockList.check('::ffff:123.123.123.123', 'ipv6')); // Prints: true
+```
+
+### `blockList.rules`
+<!-- YAML
+added: REPLACEME
+-->
+
+* Type:{string[]}
+
+The list of rules added to the blocklist.
+
 ## Class: `net.Server`
 <!-- YAML
 added: v0.1.90

lib/internal/blocklist.js

@@ -0,0 +1,115 @@
+'use strict';
+
+const{
+ Boolean,
+ Symbol
+}=primordials;
+
+const{
+BlockList: BlockListHandle,
+AF_INET,
+AF_INET6,
+}=internalBinding('block_list');
+
+const{
+customInspectSymbol: kInspect,
+}=require('internal/util');
+const{ inspect }=require('internal/util/inspect');
+
+constkHandle=Symbol('kHandle');
+const{ owner_symbol }=internalBinding('symbols');
+
+const{
+ERR_INVALID_ARG_TYPE,
+ERR_INVALID_ARG_VALUE,
+ERR_OUT_OF_RANGE,
+}=require('internal/errors').codes;
+
+classBlockList{
+constructor(){
+this[kHandle]=newBlockListHandle();
+this[kHandle][owner_symbol]=this;
+}
+
+[kInspect](depth,options){
+if(depth<0)
+returnthis;
+
+constopts={
+ ...options,
+depth: options.depth==null ? null : options.depth-1
+};
+
+return`BlockList ${inspect({
+rules: this.rules
+},opts)}`;
+}
+
+addAddress(address,family='ipv4'){
+if(typeofaddress!=='string')
+thrownewERR_INVALID_ARG_TYPE('address','string',address);
+if(typeoffamily!=='string')
+thrownewERR_INVALID_ARG_TYPE('family','string',family);
+if(family!=='ipv4'&&family!=='ipv6')
+thrownewERR_INVALID_ARG_VALUE('family',family);
+consttype=family==='ipv4' ? AF_INET : AF_INET6;
+this[kHandle].addAddress(address,type);
+}
+
+addRange(start,end,family='ipv4'){
+if(typeofstart!=='string')
+thrownewERR_INVALID_ARG_TYPE('start','string',start);
+if(typeofend!=='string')
+thrownewERR_INVALID_ARG_TYPE('end','string',end);
+if(typeoffamily!=='string')
+thrownewERR_INVALID_ARG_TYPE('family','string',family);
+if(family!=='ipv4'&&family!=='ipv6')
+thrownewERR_INVALID_ARG_VALUE('family',family);
+consttype=family==='ipv4' ? AF_INET : AF_INET6;
+constret=this[kHandle].addRange(start,end,type);
+if(ret===false)
+thrownewERR_INVALID_ARG_VALUE('start',start,'must come before end');
+}
+
+addSubnet(network,prefix,family='ipv4'){
+if(typeofnetwork!=='string')
+thrownewERR_INVALID_ARG_TYPE('network','string',network);
+if(typeofprefix!=='number')
+thrownewERR_INVALID_ARG_TYPE('prefix','number',prefix);
+if(typeoffamily!=='string')
+thrownewERR_INVALID_ARG_TYPE('family','string',family);
+lettype;
+switch(family){
+case'ipv4':
+type=AF_INET;
+if(prefix<0||prefix>32)
+thrownewERR_OUT_OF_RANGE(prefix,'>= 0 and <= 32',prefix);
+break;
+case'ipv6':
+type=AF_INET6;
+if(prefix<0||prefix>128)
+thrownewERR_OUT_OF_RANGE(prefix,'>= 0 and <= 128',prefix);
+break;
+default:
+thrownewERR_INVALID_ARG_VALUE('family',family);
+}
+this[kHandle].addSubnet(network,type,prefix);
+}
+
+check(address,family='ipv4'){
+if(typeofaddress!=='string')
+thrownewERR_INVALID_ARG_TYPE('address','string',address);
+if(typeoffamily!=='string')
+thrownewERR_INVALID_ARG_TYPE('family','string',family);
+if(family!=='ipv4'&&family!=='ipv6')
+thrownewERR_INVALID_ARG_VALUE('family',family);
+consttype=family==='ipv4' ? AF_INET : AF_INET6;
+returnBoolean(this[kHandle].check(address,type));
+}
+
+getrules(){
+returnthis[kHandle].getRules();
+}
+}
+
+module.exports=BlockList;

lib/net.js

@@ -115,6 +115,7 @@ const{
 // Lazy loaded to improve startup performance.
 letcluster;
 letdns;
+letBlockList;
 
 const{ clearTimeout }=require('timers');
 const{ kTimeout }=require('internal/timers');
@@ -1755,6 +1756,11 @@ module.exports ={
 _createServerHandle: createServerHandle,
 _normalizeArgs: normalizeArgs,
  _setSimultaneousAccepts,
+getBlockList(){
+if(BlockList===undefined)
+BlockList=require('internal/blocklist');
+returnBlockList;
+},
  connect,
 createConnection: connect,
  createServer,

node.gyp

@@ -101,6 +101,7 @@
 'lib/internal/assert/assertion_error.js',
 'lib/internal/assert/calltracker.js',
 'lib/internal/async_hooks.js',
+'lib/internal/blocklist.js',
 'lib/internal/buffer.js',
 'lib/internal/cli_table.js',
 'lib/internal/child_process.js',

src/node_binding.cc

@@ -37,6 +37,7 @@
 // __attribute__((constructor)) like mechanism in GCC.
 #defineNODE_BUILTIN_STANDARD_MODULES(V) \
 V(async_wrap) \
+ V(block_list) \
  V(buffer) \
  V(cares_wrap) \
  V(config) \

src/node_sockaddr-inl.h

@@ -4,6 +4,7 @@
 #if defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS
 
 #include"node.h"
+#include"env-inl.h"
 #include"node_internals.h"
 #include"node_sockaddr.h"
 #include"util-inl.h"
@@ -88,11 +89,11 @@ SocketAddress& SocketAddress::operator=(const SocketAddress& addr){
 }
 
 const sockaddr& SocketAddress::operator*() const{
-return *this->data();
+return *data();
 }
 
 const sockaddr* SocketAddress::operator->() const{
-returnthis->data();
+returndata();
 }
 
 size_tSocketAddress::length() const{
@@ -166,6 +167,24 @@ bool SocketAddress::operator!=(const SocketAddress& other) const{
 return !(*this == other);
 }
 
+bool SocketAddress::operator<(const SocketAddress& other) const{
+returncompare(other) == CompareResult::LESS_THAN;
+}
+
+bool SocketAddress::operator>(const SocketAddress& other) const{
+returncompare(other) == CompareResult::GREATER_THAN;
+}
+
+bool SocketAddress::operator<=(const SocketAddress& other) const{
+ CompareResult c = compare(other);
+return c == CompareResult::NOT_COMPARABLE ? false :
+ c <= CompareResult::SAME;
+}
+
+bool SocketAddress::operator>=(const SocketAddress& other) const{
+returncompare(other) >= CompareResult::SAME;
+}
+
 template <typename T>
 SocketAddressLRU<T>::SocketAddressLRU(
 size_t max_size)
@@ -231,6 +250,11 @@ typename T::Type* SocketAddressLRU<T>::Upsert(
 return &map_[address]->second;
 }
 
+v8::MaybeLocal<v8::Value> SocketAddressBlockList::Rule::ToV8String(
+ Environment* env){
+ std::string str = ToString();
+returnToV8Value(env->context(), str);
+}
 } // namespace node
 
 #endif// NODE_WANT_INTERNALS