styx/testdata/policy/bogons.rego
2025-10-01 21:10:48 +02:00


# Package styx decides whether a proxied HTTP request may reach its
# destination: the host named in the request, and every address it resolves
# to, is checked against a list of bogon networks.
package styx

# The incoming request document; only .host is read in this file.
import input.request as http_request

# Defaults keep every exported document defined when no rule body matches:
# deny-by-default for permit, and an empty template meaning "not blocked".
default permit := false

# NOTE(review): no rule in this file assigns `reject`; presumably the proxy
# reads it from other policies — confirm what a non-zero value means there.
default reject := 0

default template := ""
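# Bogon networks: special-purpose ranges (RFC 1918 / RFC 6890) that a proxied
# request must never be allowed to reach. The IPv4 entries come first and keep
# their original order; the IPv6 counterparts follow so a dual-stack resolver
# answer (e.g. ::1 or a ULA) is caught as well.
# NOTE(review): a single list serves both families because net.cidr_contains
# reports a mixed-family comparison as "not contained" rather than raising;
# IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are matched by the IPv4 entries
# once normalised — confirm against the OPA version the proxy embeds.
bogons := [
	"0.0.0.0/8", # "This" network
	"10.0.0.0/8", # RFC1918 Private-use networks
	"100.64.0.0/10", # Carrier-grade NAT
	"127.0.0.0/8", # Loopback
	"169.254.0.0/16", # Link local
	"172.16.0.0/12", # RFC1918 Private-use networks
	"192.0.0.0/24", # IETF protocol assignments
	"192.0.2.0/24", # TEST-NET-1
	"192.168.0.0/16", # RFC1918 Private-use networks
	"198.18.0.0/15", # Network interconnect device benchmark testing
	"198.51.100.0/24", # TEST-NET-2
	"203.0.113.0/24", # TEST-NET-3
	"224.0.0.0/4", # Multicast
	"240.0.0.0/4", # Reserved for future use
	"255.255.255.255/32", # Limited broadcast
	# IPv6
	"::/128", # Unspecified address
	"::1/128", # Loopback
	"100::/64", # Discard-only
	"2001::/23", # IETF protocol assignments (Teredo, benchmarking, ORCHID)
	"2001:db8::/32", # Documentation
	"2002::/16", # 6to4 (deprecated, embeds an IPv4 address)
	"fc00::/7", # Unique local addresses
	"fe80::/10", # Link local
	"ff00::/8", # Multicast
]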
# Resolve the request host to the addresses it currently points at. The
# bogon checks below run against these, so a harmless-looking name that
# resolves into a private range is still caught.
# NOTE(review): the check is only as good as the answer the proxy later
# connects to — if styx resolves the name again at connect time, a record
# that changes in between (DNS rebinding) bypasses this policy; confirm the
# validated addresses are the ones actually dialled.
addrs := styx.lookup_ip_addr(host) if {
	host := http_request.host
}
# The blocked page is selected when the destination is a bogon: first when
# the host itself is an address literal inside one of the ranges ...
# NOTE(review): a host that is not a bare IP (a name, a host:port pair, a
# bracketed IPv6 literal) does not match here and is judged only by its
# resolved addresses — confirm http_request.host never carries a port.
template := page if {
	page := "template/blocked.html"
	bogon := bogons[_]
	net.cidr_contains(bogon, http_request.host)
}

# ... and second when any address the host resolves to lies in a range.
# Both bodies produce the same value, so they never conflict; the default
# "" from the package header applies when neither fires (including when
# addrs is undefined because the lookup produced nothing).
template := page if {
	page := "template/blocked.html"
	addr := addrs[_]
	bogon := bogons[_]
	net.cidr_contains(bogon, addr)
}
# Allow the request only when nothing selected the blocked page.
# NOTE(review): this permits any destination whose resolved addresses are
# undefined (lookup failure) as long as the literal host is not a bogon IP,
# because template then keeps its default "" — presumably the proxy also
# acts on the errors set; confirm that an error alone blocks the request.
permit if template == ""
# Human-readable reasons accompanying a blocked or failed request.
# The first reason mirrors the template decision above.
errors contains msg if {
	template != ""
	msg := "Bogon destination not allowed"
}

# An empty resolver answer is reported as a lookup failure.
# NOTE(review): this only fires when addrs is an empty array; if the lookup
# builtin leaves addrs undefined on failure, count(addrs) is undefined too
# and no reason is recorded — confirm what styx.lookup_ip_addr returns.
errors contains msg if {
	msg := "Could not lookup host"
	count(addrs) == 0
}

# Each resolved address that fell into a bogon range is listed so the
# blocked page can show which one triggered the decision.
errors contains addr if {
	addr := addrs[_]
	bogon := bogons[_]
	net.cidr_contains(bogon, addr)
}