Fix for issue #1074 #1132
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -214,6 +214,25 @@ func initializeAllowedCIDRsList() (cidrs []*net.IPNet) { | |
| return cidrs | ||
| } | ||
|
|
||
| // IsDocumentation reports whether ip is a reserved address for documentation, | ||
| // according to RFC 5737 (IPv4 Address Blocks Reserved for Documentation) and | ||
| // RFC 3849 (IPv6 Address Prefix Reserved for Documentation). | ||
| func IsDocumentation(ip net.IP) (bool) { | ||
| if ip4 := ip.To4(); ip4 != nil { | ||
| // Following RFC 5737, Section 3. Documentation Address Blocks which says: | ||
| // The blocks 192.0.2.0/24 (TEST-NET-1), 198.51.100.0/24 (TEST-NET-2), | ||
| // and 203.0.113.0/24 (TEST-NET-3) are provided for use in | ||
| // documentation. | ||
| return ((ip4[0] == 192 && ip4[1] == 0 && ip4[2] == 2) || | ||
| (ip4[0] == 198 && ip4[1] == 51 && ip4[2] == 100) || | ||
| (ip4[0] == 203 && ip4[1] == 0 && ip4[2] == 113)) | ||
| } | ||
| // Following RFC 3849, Section 2. Documentation IPv6 Address Prefix which | ||
| // says: | ||
| // The prefix allocated for documentation purposes is 2001:DB8::/32 | ||
|
There was a problem hiding this comment. You can run There was a problem hiding this comment.
There was a problem hiding this comment.
Ewww, tabs in use... I've replaced the spaces and pushed another commit. |
||
| return len(ip) == net.IPv6len && ip[0] == 32 && ip[1] == 1 && ip[2] == 13 && ip[3] == 184 | ||
| } | ||
|
|
||
| func loadFieldsFromDir(fieldsDir string) ([]FieldDefinition, error) { | ||
| files, err := filepath.Glob(filepath.Join(fieldsDir, "*.yml")) | ||
| if err != nil { | ||
|
|
@@ -648,6 +667,7 @@ func (v *Validator) isAllowedIPValue(s string) bool { | |
|
|
||
| if ip.IsUnspecified() || | ||
| ip.IsPrivate() || | ||
| IsDocumentation(ip) || | ||
|
There was a problem hiding this comment. I am ok with allowing documentation IPs for this purpose, but I would prefer if apart of allowing them, at least any of them are also included in the GeoIP database, so package developers can use them to check that geoip enrichment works. There was a problem hiding this comment. @jsoriano not possible, the whole point point of documentation addresses is that they are used in place of real addresses in documentation, the test events and sample events that wind up in the integration are a form of documentation and should be permitted. There is no GeoIP data to be associated with them. For anyone who is generating test events in a lab environment as part of Elastic integration testing, they can/should and likely will use the RFC addresses allocated for this purpose. They likely will not, and should not, take say... 89.160.20.128/25 - which is a real IP block belonging to someone in Swedend, and use that in their lab environment to generate test events. Summary: allowing the documentation IP's is important to support test events generated in a lab environment. It's not to support GeoIP lookups in any way. The documentation IP's are complementary to RFC-1918 private addresses and should be permitted. |
||
| ip.IsLoopback() || | ||
| ip.IsLinkLocalUnicast() || | ||
| ip.IsLinkLocalMulticast() || | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are these IPs included in the current GeoIP database? At least some of them are not related to documentation.
The idea of this list is to have a reference of IP ranges that are included in the GeoIP database, so package developers can know when GeoIP enrichment is working.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeap, from: https://www.maxmind.com/en/geoip-demo