feat(userspace/falco): add configuration support for IPV6 webserver listen address

The IPV6 capabilities is provided through cpp-httplib. Signed-off-by: Samuel Gaist <samuel.gaist@idiap.ch>
2025-09-09 10:39:28 +00:00 · 2023-11-02 19:06:55 +01:00
parent fac48cd145
commit d074728994
3 changed files with 44 additions and 7 deletions
--- a/falco.yaml
+++ b/falco.yaml
@@ -492,7 +492,7 @@ webserver:
  # the appropriate number of threads based on the number of online cores in the system.
  threadiness: 0
  listen_port: 8765
-  # IPV4 only is supported
+  # Can be an IPV4 or IPV6 address, defaults to IPV4
  listen_address: 0.0.0.0
  k8s_healthz_endpoint: /healthz
  ssl_enabled: false
--- a/unit_tests/falco/test_configuration.cpp
+++ b/unit_tests/falco/test_configuration.cpp
@@ -182,7 +182,30 @@ TEST(Configuration, configuration_webserver_ip)
    std::vector<std::string> valid_addresses = {"127.0.0.1",
                                                "1.127.0.1",
                                                "1.1.127.1",
-                                                "1.1.1.127"};
+                                                "1.1.1.127",
+                                                "::",
+                                                "::1",
+                                                "1200:0000:AB00:1234:0000:2552:7777:1313",
+                                                "1200::AB00:1234:0000:2552:7777:1313",
+                                                "1200:0000:AB00:1234::2552:7777:1313",
+                                                "21DA:D3:0:2F3B:2AA:FF:FE28:9C5A",
+                                                "FE80:0000:0000:0000:0202:B3FF:FE1E:8329",
+                                                "0.0.0.0",
+                                                "9.255.255.255",
+                                                "11.0.0.0",
+                                                "126.255.255.255",
+                                                "129.0.0.0",
+                                                "169.253.255.255",
+                                                "169.255.0.0",
+                                                "172.15.255.255",
+                                                "172.32.0.0",
+                                                "191.0.1.255",
+                                                "192.88.98.255",
+                                                "192.88.100.0",
+                                                "192.167.255.255",
+                                                "192.169.0.0",
+                                                "198.17.255.255",
+                                                "223.255.255.255"};

    for (const std::string &address: valid_addresses) {
        std::string option = "webserver.listen_address=";
@@ -204,7 +227,22 @@ TEST(Configuration, configuration_webserver_ip)
                                                  "127. 0.0.1",
                                                  "127.0. 0.1",
                                                  "127.0.0. 1",
-                                                  "!27.0.0.1"};
+                                                  "!27.0.0.1",
+                                                  "1200: 0000:AB00:1234:0000:2552:7777:1313",
+                                                  "1200:0000: AB00:1234:0000:2552:7777:1313",
+                                                  "1200:0000:AB00: 1234:0000:2552:7777:1313",
+                                                  "1200:0000:AB00:1234: 0000:2552:7777:1313",
+                                                  "1200:0000:AB00:1234:0000: 2552:7777:1313",
+                                                  "1200:0000:AB00:1234:0000:2552: 7777:1313",
+                                                  "1200:0000:AB00:1234:0000:2552:7777: 1313",
+                                                  "1200:0000:AB00:1234:0000:2552:7777:131G",
+                                                  "1200:0000:AB00:1234:0000:2552:77Z7:1313",
+                                                  "1200:0000:AB00:1234:0000:2G52:7777:1313",
+                                                  "1200:0000:AB00:1234:0O00:2552:7777:1313",
+                                                  "1200:0000:AB00:H234:0000:2552:7777:1313",
+                                                  "1200:0000:IB00:1234:0000:2552:7777:1313",
+                                                  "1200:0O00:AB00:1234:0000:2552:7777:1313",
+                                                  "12O0:0000:AB00:1234:0000:2552:7777:1313",};

    for (const std::string &address: invalid_addresses) {
        std::string option = "webserver.listen_address=";
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@@ -33,9 +33,8 @@ limitations under the License.

 #include <re2/re2.h>

-// Reference: https://www.oreilly.com/library/view/regular-expressions-cookbook/9780596802837/ch07s16.html
-static re2::RE2 ipv4_address_re("^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$");
-
+// Reference: https://digitalfortress.tech/tips/top-15-commonly-used-regex/
+static re2::RE2 ip_address_re("((^\\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\\s*$)|(^\\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?\\s*$))");

 falco_configuration::falco_configuration():
 	m_json_output(false),
@@ -293,7 +292,7 @@ void falco_configuration::load_yaml(const std::string& config_name, const yaml_h
 	m_webserver_threadiness = config.get_scalar<uint32_t>("webserver.threadiness", 0);
 	m_webserver_listen_port = config.get_scalar<uint32_t>("webserver.listen_port", 8765);
 	m_webserver_listen_address = config.get_scalar<std::string>("webserver.listen_address", "0.0.0.0");
-	if(!re2::RE2::FullMatch(m_webserver_listen_address, ipv4_address_re))
+	if(!re2::RE2::FullMatch(m_webserver_listen_address, ip_address_re))
 	{
 		throw std::logic_error("Error reading config file (" + config_name + "): webserver listen address \"" + m_webserver_listen_address + "\" is not a valid IP address");
 	}