Checkpoint

2025-10-01 21:10:48 +02:00
parent 03352e3312
commit a23259cfdc
52 changed files with 2214 additions and 39 deletions
--- a/testdata/policy/bogons.rego
+++ b/testdata/policy/bogons.rego
@@ -1,12 +1,58 @@
 package styx

-default permit := true
+import input.request as http_request

-reject = 404 if {
-    #some addr in net.lookup_ip_addr(input.http_request.host)
-    styx.in_networks("bogons", input.http_request.host)
+default permit := false
+default reject := 0
+default template := ""
+
+# Bogon networks
+bogons := [
+    "0.0.0.0/8",          # "This" network
+    "10.0.0.0/8",         # RFC1918 Private-use networks
+    "100.64.0.0/10",      # Carrier-grade NAT
+    "127.0.0.0/8",        # Loopback
+    "169.254.0.0/16",     # Link local
+    "172.16.0.0/12",      # RFC1918 Private-use networks
+    "192.0.0.0/24",       # IETF protocol assignments
+    "192.0.2.0/24",       # TEST-NET-1
+    "192.168.0.0/16",     # RFC1918 Private-use networks
+    "198.18.0.0/15",      # Network interconnect device benchmark testing
+    "198.51.100.0/24",    # TEST-NET-2
+    "203.0.113.0/24",     # TEST-NET-3
+    "224.0.0.0/4",        # Multicast
+    "240.0.0.0/4",        # Reserved for future use
+    "255.255.255.255/32", # Limited broadcast
+]
+
+# Resolve HTTP host to IPs
+addrs := styx.lookup_ip_addr(http_request.host)
+
+template := "template/blocked.html" if {
+    some cidr in bogons
+    net.cidr_contains(cidr, http_request.host)
+}
+
+template := "template/blocked.html" if {
+    some addr in addrs
+    some cidr in bogons
+    net.cidr_contains(cidr, addr)
+}
+
+permit if {
+    template == ""
 }

 errors contains "Bogon destination not allowed" if {
-    reject == 404
+    template != ""
+}
+
+errors contains "Could not lookup host" if {
+    count(addrs) == 0
+}
+
+errors contains addr if {
+    some addr in addrs
+    some cidr in bogons
+    net.cidr_contains(cidr, addr)
 }