PROXYv2 is in use.
Since allowing usage of the PROXYv2 protocol for all clients would be a security
-vulnerability, the resolver requires you to specify explicitly which clients
+vulnerability, because clients would then be able to spoof their IP addresses via
+the PROXYv2 header, the resolver requires you to specify explicitly which clients
are allowed to send PROXYv2 headers via the :func:`net.proxy_allowed` function.
PROXYv2 queries from clients who are not explicitly allowed to use this protocol
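Review bot: The reworded sentence on the added lines now stacks two causal clauses ("Since allowing ... would be a security vulnerability, because clients would then be able to spoof ..., the resolver requires ..."), which is hard to parse. Consider splitting it: state first that an unrestricted PROXYv2 header lets any client spoof its IP address, then in a second sentence that the resolver therefore requires the allowed clients to be listed via net.proxy_allowed.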
by specifying the network mask using the CIDR notation
(e.g. ``172.22.0.0/16``). IPv4 as well as IPv6 addresses are supported.
+ If you wish to allow all clients to use PROXYv2 (e.g. because you have this
+ kind of security handled on another layer of your network infrastructure),
+ you can specify a netmask of ``/0``. Please note that this setting is
+ address-family-specific, so this needs to be applied to both IPv4 and IPv6
+ separately.
+
Subsequent calls to the function overwrite the effects of all previous calls.
Providing a table of strings as the function parameter allows multiple
distinct addresses to use the PROXYv2 protocol.
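Review bot: In the added /0 paragraph, "this needs to be applied to both IPv4 and IPv6 separately" can be read as an instruction to make two calls, but the context line right after it says that subsequent calls overwrite the effects of all previous calls, so a second call for the other address family would discard the first. Suggest stating that both '0.0.0.0/0' and '::/0' must be listed in the same table passed to a single call.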
net.proxy_allowed({
'172.22.0.1', '172.18.1.0/24'
}) -- allows both of the above at once
+ net.proxy_allowed({ 'fe80::/10' } -- allows everyone at IPv6 link-local
+ net.proxy_allowed({
+ '::/0', '0.0.0.0/0'
+ }) -- allows everyone
+ net.proxy_allowed('::/0') -- allows all IPv6 (but no IPv4)
net.proxy_allowed({}) -- prevents everyone from using PROXYv2
net.proxy_allowed() -- returns a list of all currently allowed addresses
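Review bot: The added link-local example is missing the closing parenthesis of the call: "net.proxy_allowed({ 'fe80::/10' } -- allows everyone at IPv6 link-local" closes the table but not the function call, so it fails as a Lua syntax error when copied into a config. It should read "net.proxy_allowed({ 'fe80::/10' })" before the comment.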