From: Oto Šťáva Date: Fri, 4 Feb 2022 08:16:23 +0000 (+0100) Subject: daemon/bindings doc: PROXYv2 clarifications X-Git-Tag: v5.5.0~11^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e093ea41bde38708318ef53904c4f232a7ea1c57;p=thirdparty%2Fknot-resolver.git daemon/bindings doc: PROXYv2 clarifications --- diff --git a/daemon/bindings/net_server.rst b/daemon/bindings/net_server.rst index 1b549edd9..c31353ed2 100644 --- a/daemon/bindings/net_server.rst +++ b/daemon/bindings/net_server.rst @@ -79,7 +79,8 @@ For example, :ref:`Views and ACLs ` are able to work properly when PROXYv2 is in use. Since allowing usage of the PROXYv2 protocol for all clients would be a security -vulnerability, the resolver requires you to specify explicitly which clients +vulnerability, because clients would then be able to spoof their IP addresses via +the PROXYv2 header, the resolver requires you to specify explicitly which clients are allowed to send PROXYv2 headers via the :func:`net.proxy_allowed` function. PROXYv2 queries from clients who are not explicitly allowed to use this protocol @@ -92,6 +93,12 @@ will be discarded. by specifying the network mask using the CIDR notation (e.g. ``172.22.0.0/16``). IPv4 as well as IPv6 addresses are supported. + If you wish to allow all clients to use PROXYv2 (e.g. because you have this + kind of security handled on another layer of your network infrastructure), + you can specify a netmask of ``/0``. Please note that this setting is + address-family-specific, so this needs to be applied to both IPv4 and IPv6 + separately. + Subsequent calls to the function overwrite the effects of all previous calls. Providing a table of strings as the function parameter allows multiple distinct addresses to use the PROXYv2 protocol. 
@@ -109,6 +116,11 @@ Examples: net.proxy_allowed({ '172.22.0.1', '172.18.1.0/24' }) -- allows both of the above at once + net.proxy_allowed({ 'fe80::/10' } -- allows everyone at IPv6 link-local + net.proxy_allowed({ + '::/0', '0.0.0.0/0' + }) -- allows everyone + net.proxy_allowed('::/0') -- allows all IPv6 (but no IPv4) net.proxy_allowed({}) -- prevents everyone from using PROXYv2 net.proxy_allowed() -- returns a list of all currently allowed addresses
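Review bot: In the first hunk (net_server.rst, around line 81), the rewritten sentence now stacks two causal clauses, "Since allowing usage ... would be a security vulnerability, because clients would then be able to spoof ...", which makes it hard to parse; fold the reason into one clause, e.g. "Since allowing every client to send PROXYv2 headers would let any client spoof its source IP address, the resolver requires you to specify explicitly which clients are allowed ...". The new ``/0`` paragraph is a welcome clarification, but since this page ties PROXYv2 to views and ACLs, it would help to state the consequence explicitly: with ``/0`` the resolver trusts whatever client address the PROXYv2 header carries, so views/ACLs are only as reliable as the filtering done at the other layer the admin is relying on. The note that ``/0`` is address-family-specific is correct and worth keeping.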
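Review bot: In the second hunk (the Examples block), the new line ``net.proxy_allowed({ 'fe80::/10' } -- allows everyone at IPv6 link-local`` is missing the closing parenthesis of the function call, so it is not valid Lua as written; it should read ``net.proxy_allowed({ 'fe80::/10' }) -- allows everyone at IPv6 link-local``. Consider also wording that comment as "allows all IPv6 link-local clients" to match the style of the other comments. The ``'::/0', '0.0.0.0/0'`` example and the ``'::/0'`` example pair up nicely with the new ``/0`` paragraph in the first hunk; since ``'::/0', '0.0.0.0/0'`` disables the per-client restriction entirely, a short "(see the note about ``/0`` above)" next to "allows everyone" would point readers at the caveat before they copy it.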