ei
/
mtg
镜像自地址 https://github.com/9seconds/mtg


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343
							package ipblocklist

import (
	"bufio"
	"context"
	"fmt"
	"io"
	"io/ioutil"
	"net"
	"net/http"
	"net/url"
	"os"
	"regexp"
	"strings"
	"sync"
	"time"

	"github.com/9seconds/mtg/v2/mtglib"
	"github.com/kentik/patricia"
	"github.com/kentik/patricia/bool_tree"
	"github.com/panjf2000/ants/v2"
)

const (
	fireholIPv4DefaultCIDR = 32
	fireholIPv6DefaultCIDR = 128
)

var fireholRegexpComment = regexp.MustCompile(`\s*#.*?$`)

type Firehol struct {
	ctx       context.Context
	ctxCancel context.CancelFunc
	logger    mtglib.Logger

	rwMutex sync.RWMutex

	remoteURLs []string
	localFiles []string

	httpClient *http.Client
	workerPool *ants.Pool

	treeV4 *bool_tree.TreeV4
	treeV6 *bool_tree.TreeV6
}

func (f *Firehol) Contains(ip net.IP) bool {
	if ip == nil {
		return true
	}

	ip4 := ip.To4()

	f.rwMutex.RLock()
	defer f.rwMutex.RUnlock()

	if ip4 != nil {
		return f.containsIPv4(ip4)
	}

	return f.containsIPv6(ip.To16())
}

func (f *Firehol) containsIPv4(addr net.IP) bool {
	ip := patricia.NewIPv4AddressFromBytes(addr, 32)

	if ok, _, err := f.treeV4.FindDeepestTag(ip); ok && err == nil {
		return true
	}

	return false
}

func (f *Firehol) containsIPv6(addr net.IP) bool {
	ip := patricia.NewIPv6Address(addr, 128)

	if ok, _, err := f.treeV6.FindDeepestTag(ip); ok && err == nil {
		return true
	}

	return false
}

func (f *Firehol) Run(updateEach time.Duration) {
	ticker := time.NewTicker(updateEach)

	defer func() {
		ticker.Stop()

		select {
		case <-ticker.C:
		default:
		}
	}()

	if err := f.update(); err != nil {
		f.logger.WarningError("cannot update blocklist", err)
	}

	for {
		select {
		case <-f.ctx.Done():
			return
		case <-ticker.C:
			if err := f.update(); err != nil {
				f.logger.WarningError("cannot update blocklist", err)
			}
		}
	}
}

func (f *Firehol) Shutdown() {
	f.ctxCancel()
}

func (f *Firehol) update() error { // nolint: funlen, cyclop
	ctx, cancel := context.WithCancel(f.ctx)
	defer cancel()

	wg := &sync.WaitGroup{}
	wg.Add(len(f.remoteURLs) + len(f.localFiles))

	treeMutex := &sync.Mutex{}
	v4tree := bool_tree.NewTreeV4()
	v6tree := bool_tree.NewTreeV6()

	errorChan := make(chan error, 1)
	defer close(errorChan)

	for _, v := range f.localFiles {
		go func(filename string) {
			defer wg.Done()

			if err := f.updateLocalFile(ctx, filename, treeMutex, v4tree, v6tree); err != nil {
				cancel()
				f.logger.BindStr("filename", filename).WarningError("cannot update", err)

				select {
				case errorChan <- err:
				default:
				}
			}
		}(v)
	}

	for _, v := range f.remoteURLs {
		value := v

		f.workerPool.Submit(func() { // nolint: errcheck
			defer wg.Done()

			if err := f.updateRemoteURL(ctx, value, treeMutex, v4tree, v6tree); err != nil {
				cancel()
				f.logger.BindStr("url", value).WarningError("cannot update", err)

				select {
				case errorChan <- err:
				default:
				}
			}
		})
	}

	wg.Wait()

	select {
	case err := <-errorChan:
		return fmt.Errorf("cannot update trees: %w", err)
	default:
	}

	f.rwMutex.Lock()
	defer f.rwMutex.Unlock()

	f.treeV4 = v4tree
	f.treeV6 = v6tree

	return nil
}

func (f *Firehol) updateLocalFile(ctx context.Context, filename string,
	mutex sync.Locker,
	v4tree *bool_tree.TreeV4, v6tree *bool_tree.TreeV6) error {
	filefp, err := os.Open(filename)
	if err != nil {
		return fmt.Errorf("cannot open file: %w", err)
	}

	go func(ctx context.Context, closer io.Closer) {
		<-ctx.Done()
		closer.Close()
	}(ctx, filefp)

	defer filefp.Close()

	return f.updateTrees(mutex, filefp, v4tree, v6tree)
}

func (f *Firehol) updateRemoteURL(ctx context.Context, url string,
	mutex sync.Locker,
	v4tree *bool_tree.TreeV4, v6tree *bool_tree.TreeV6) error {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return fmt.Errorf("cannot build a request: %w", err)
	}

	resp, err := f.httpClient.Do(req) // nolint: bodyclose
	if err != nil {
		return fmt.Errorf("cannot request a remote URL %s: %w", url, err)
	}

	go func(ctx context.Context, closer io.Closer) {
		<-ctx.Done()
		closer.Close()
	}(ctx, resp.Body)

	defer func(rc io.ReadCloser) {
		io.Copy(ioutil.Discard, rc) // nolint: errcheck
		rc.Close()
	}(resp.Body)

	return f.updateTrees(mutex, resp.Body, v4tree, v6tree)
}

func (f *Firehol) updateTrees(mutex sync.Locker,
	reader io.Reader,
	v4tree *bool_tree.TreeV4,
	v6tree *bool_tree.TreeV6) error {
	scanner := bufio.NewScanner(reader)

	for scanner.Scan() {
		text := scanner.Text()
		text = fireholRegexpComment.ReplaceAllLiteralString(text, "")
		text = strings.TrimSpace(text)

		if text == "" {
			continue
		}

		ip, cidr, err := f.updateParseLine(text)
		if err != nil {
			return fmt.Errorf("cannot parse a line: %w", err)
		}

		if err := f.updateAddToTrees(ip, cidr, mutex, v4tree, v6tree); err != nil {
			return fmt.Errorf("cannot add a node to the tree: %w", err)
		}
	}

	if scanner.Err() != nil {
		return fmt.Errorf("cannot parse a response: %w", scanner.Err())
	}

	return nil
}

func (f *Firehol) updateParseLine(text string) (net.IP, uint, error) {
	_, ipnet, err := net.ParseCIDR(text)
	if err != nil {
		ipaddr := net.ParseIP(text)
		if ipaddr == nil {
			return nil, 0, fmt.Errorf("incorrect ip address %s", text)
		}

		ip4 := ipaddr.To4()
		if ip4 != nil {
			return ip4, fireholIPv4DefaultCIDR, nil
		}

		return ipaddr.To16(), fireholIPv6DefaultCIDR, nil
	}

	ones, _ := ipnet.Mask.Size()

	return ipnet.IP, uint(ones), nil
}

func (f *Firehol) updateAddToTrees(ip net.IP, cidr uint,
	mutex sync.Locker,
	v4tree *bool_tree.TreeV4, v6tree *bool_tree.TreeV6) error {
	mutex.Lock()
	defer mutex.Unlock()

	if ip.To4() != nil {
		addr := patricia.NewIPv4AddressFromBytes(ip, cidr)

		if _, _, err := v4tree.Set(addr, true); err != nil {
			return err // nolint: wrapcheck
		}
	} else {
		addr := patricia.NewIPv6Address(ip, cidr)

		if _, _, err := v6tree.Set(addr, true); err != nil {
			return err // nolint: wrapcheck
		}
	}

	return nil
}

func NewFirehol(logger mtglib.Logger, network mtglib.Network,
	downloadConcurrency uint,
	remoteURLs []string,
	localFiles []string) (*Firehol, error) {
	for _, v := range remoteURLs {
		parsed, err := url.Parse(v)
		if err != nil {
			return nil, fmt.Errorf("incorrect url %s: %w", v, err)
		}

		switch parsed.Scheme {
		case "http", "https":
		default:
			return nil, fmt.Errorf("unsupported url %s", v)
		}
	}

	for _, v := range localFiles {
		if stat, err := os.Stat(v); os.IsNotExist(err) || stat.IsDir() || stat.Mode().Perm()&0o400 == 0 {
			return nil, fmt.Errorf("%s is not a readable file", v)
		}
	}

	if downloadConcurrency == 0 {
		downloadConcurrency = 1
	}

	workerPool, _ := ants.NewPool(int(downloadConcurrency))
	ctx, cancel := context.WithCancel(context.Background())

	return &Firehol{
		ctx:        ctx,
		ctxCancel:  cancel,
		logger:     logger.Named("firehol"),
		httpClient: network.MakeHTTPClient(nil),
		treeV4:     bool_tree.NewTreeV4(),
		treeV6:     bool_tree.NewTreeV6(),
		workerPool: workerPool,
		remoteURLs: remoteURLs,
		localFiles: localFiles,
	}, nil
}