add support for parsing IP aliases

GyulyVGC · GyulyVGC · commit 810cfb7351de · 2025-08-12T16:04:09.000+02:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -48,6 +48,7 @@ actix-cors = "0.7.1"
 rand = "0.9.1"
 env_logger = "0.11.8"
 async-trait = "0.1.88"
+ipnetwork = "0.21.1"
 
 [build-dependencies]
 tonic-build = "0.13.1"
diff --git a/src/db/datastore_wrapper.rs b/src/db/datastore_wrapper.rs
@@ -5,6 +5,7 @@ use crate::db::installation_code::InstallationCode;
 use crate::db::tables::DbTable;
 use crate::firewall::firewall::Firewall;
 use crate::proto::appguard::{AppGuardIpInfo, Log};
+use ipnetwork::IpNetwork;
 use nullnet_libdatastore::{
     AdvanceFilter, BatchCreateBody, BatchCreateRequest, BatchDeleteBody, BatchDeleteRequest,
     BatchUpdateBody, BatchUpdateRequest, CreateBody, CreateParams, CreateRequest, DeleteQuery,
@@ -16,6 +17,8 @@ use nullnet_libdatastore::{DatastoreClient, DatastoreConfig};
 use nullnet_liberror::{location, Error, ErrorHandler, Location};
 use serde_json::{json, Value};
 use std::collections::HashMap;
+use std::net::IpAddr;
+use std::str::FromStr;
 
 #[derive(Debug, Clone)]
 pub struct DatastoreWrapper {
@@ -1059,12 +1062,12 @@ impl DatastoreWrapper {
         Ok(count)
     }
 
-    pub(crate) async fn get_ip_alias(
+    pub(crate) async fn get_ip_aliases(
         &mut self,
         token: String,
         name: &str,
-    ) -> Result<Vec<String>, Error> {
-        let table = "device_aliases";
+    ) -> Result<Vec<IpNetwork>, Error> {
+        let table = DbTable::Alias.to_str();
 
         let filter = AdvanceFilter {
             r#type: String::from("criteria"),
@@ -1081,13 +1084,15 @@ impl DatastoreWrapper {
                 r#type: String::from("root"),
             }),
             body: Some(GetByFilterBody {
-                pluck: vec!["value".to_string()],
+                pluck: vec!["ip".to_string(), "prefix".to_string()],
                 advance_filters: vec![filter],
                 order_by: String::new(),
                 limit: 1,
                 offset: 0,
                 order_direction: String::new(),
-                joins: vec![],
+                joins: vec![
+                    // TODO: join with ip_aliases table
+                ],
                 multiple_sort: vec![],
                 pluck_object: HashMap::default(),
                 date_format: String::new(),
@@ -1102,29 +1107,34 @@ impl DatastoreWrapper {
         Self::internal_ip_alias_parse_response_data(result)
     }
 
-    fn internal_ip_alias_parse_response_data(data: String) -> Result<Vec<String>, Error> {
+    fn internal_ip_alias_parse_response_data(data: String) -> Result<Vec<IpNetwork>, Error> {
         let array_val = serde_json::from_str::<serde_json::Value>(&data).handle_err(location!())?;
         let array = array_val
             .as_array()
             .ok_or("Failed to parse response")
             .handle_err(location!())?;
 
-        let i = array
-            .first()
-            .ok_or("No alias found")
-            .handle_err(location!())?;
+        let mut ret_val = Vec::new();
 
-        let Some(map) = i.as_object() else {
-            return Err("Failed to parse response").handle_err(location!());
-        };
-        let Some(alias_val) = map.get("value") else {
-            return Err("Failed to parse response").handle_err(location!());
-        };
-        let Some(alias) = alias_val.as_str() else {
-            return Err("Failed to parse response").handle_err(location!());
-        };
-
-        let ret_val = alias.split_whitespace().map(|s| s.to_string()).collect();
+        for i in array {
+            let Some(map) = i.as_object() else { continue };
+            let Some(ip_val) = map.get("ip") else {
+                continue;
+            };
+            let Some(ip_addr) = ip_val.as_str().and_then(|ip| IpAddr::from_str(ip).ok()) else {
+                continue;
+            };
+            let Some(prefix_val) = map.get("prefix") else {
+                continue;
+            };
+            let Some(prefix) = prefix_val.as_u64().and_then(|int| u8::try_from(int).ok()) else {
+                continue;
+            };
+            let Ok(ip_network) = IpNetwork::new(ip_addr, prefix) else {
+                continue;
+            };
+            ret_val.push(ip_network);
+        }
 
         Ok(ret_val)
     }
diff --git a/src/db/entries.rs b/src/db/entries.rs
@@ -70,6 +70,7 @@ impl DbEntry {
                 log::info!("Firewall inserted in datastore");
             }
             DbEntry::DeniedIp((_, denied_ip, _)) => {
+                // todo: change this to a custom query to aliases
                 let _ = ds.insert(self, token.as_str()).await?;
                 log::info!(
                     "Denied IP inserted in datastore: {} {:?}",
@@ -118,7 +119,7 @@ impl DbEntry {
             DbEntry::TcpConnection(_) => DbTable::TcpConnection,
             // DbEntry::Blacklist(_) => DbTable::Blacklist,
             DbEntry::Firewall(_) => DbTable::Firewall,
-            DbEntry::DeniedIp(_) => DbTable::DeniedIp,
+            DbEntry::DeniedIp(_) => DbTable::Alias,
             DbEntry::Config(_) => DbTable::Config,
         }
     }
@@ -190,7 +191,7 @@ impl EntryIds {
             DbTable::IpInfo
             // | DbTable::Blacklist
             | DbTable::Firewall
-            | DbTable::DeniedIp
+            | DbTable::Alias
             | DbTable::Config => return Err("Not applicable").handle_err(location!()),
         }
         .lock()
diff --git a/src/db/tables.rs b/src/db/tables.rs
@@ -8,7 +8,7 @@ pub enum DbTable {
     SmtpResponse,
     // Blacklist,
     Firewall,
-    DeniedIp,
+    Alias,
     Config,
 }
 
@@ -23,7 +23,7 @@ impl DbTable {
             DbTable::SmtpResponse => "smtp_responses",
             // DbTable::Blacklist => "ip_blacklists",
             DbTable::Firewall => "app_firewalls",
-            DbTable::DeniedIp => "app_denied_ips",
+            DbTable::Alias => "aliases",
             DbTable::Config => "appguard_configs",
         }
     }
diff --git a/src/firewall/items/http_request.rs b/src/firewall/items/http_request.rs
@@ -8,7 +8,6 @@ use crate::helpers::get_header;
 use crate::proto::appguard::{AppGuardHttpRequest, AppGuardTcpInfo};
 use rpn_predicate_interpreter::PredicateEvaluator;
 use serde::{Deserialize, Serialize};
-use std::borrow::Cow;
 
 #[derive(Debug, Serialize, Deserialize, PartialEq, Clone)]
 #[allow(clippy::enum_variant_names)]
@@ -43,30 +42,30 @@ impl HttpRequestField {
         item: &'a AppGuardHttpRequest,
     ) -> Option<FirewallCompareType<'a>> {
         match self {
-            HttpRequestField::HttpRequestUrl(v) => Some(FirewallCompareType::String((
-                &item.original_url,
-                Cow::Borrowed(v),
-            ))),
-            HttpRequestField::HttpRequestMethod(v) => Some(FirewallCompareType::String((
-                &item.method,
-                Cow::Borrowed(v),
-            ))),
-            HttpRequestField::HttpRequestQuery(HeaderVal(k, v)) => get_header(&item.query, k)
-                .map(|query| FirewallCompareType::String((query, Cow::Borrowed(v)))),
+            HttpRequestField::HttpRequestUrl(v) => {
+                Some(FirewallCompareType::String((&item.original_url, v)))
+            }
+            HttpRequestField::HttpRequestMethod(v) => {
+                Some(FirewallCompareType::String((&item.method, v)))
+            }
+            HttpRequestField::HttpRequestQuery(HeaderVal(k, v)) => {
+                get_header(&item.query, k).map(|query| FirewallCompareType::String((query, v)))
+            }
             HttpRequestField::HttpRequestCookie(v) => get_header(&item.headers, "Cookie")
-                .map(|cookie| FirewallCompareType::String((cookie, Cow::Borrowed(v)))),
-            HttpRequestField::HttpRequestHeader(HeaderVal(k, v)) => get_header(&item.headers, k)
-                .map(|header| FirewallCompareType::String((header, Cow::Borrowed(v)))),
+                .map(|cookie| FirewallCompareType::String((cookie, v))),
+            HttpRequestField::HttpRequestHeader(HeaderVal(k, v)) => {
+                get_header(&item.headers, k).map(|header| FirewallCompareType::String((header, v)))
+            }
             HttpRequestField::HttpRequestBody(v) => item
                 .body
                 .as_ref()
-                .map(|body| FirewallCompareType::String((body, Cow::Borrowed(v)))),
+                .map(|body| FirewallCompareType::String((body, v))),
             HttpRequestField::HttpRequestBodyLen(v) => item
                 .body
                 .as_ref()
                 .map(|body| FirewallCompareType::Usize((body.len(), v))),
             HttpRequestField::HttpRequestUserAgent(v) => get_header(&item.headers, "User-Agent")
-                .map(|user_agent| FirewallCompareType::String((user_agent, Cow::Borrowed(v)))),
+                .map(|user_agent| FirewallCompareType::String((user_agent, v))),
         }
     }
 }
diff --git a/src/firewall/items/http_response.rs b/src/firewall/items/http_response.rs
@@ -8,7 +8,6 @@ use crate::helpers::get_header;
 use crate::proto::appguard::{AppGuardHttpResponse, AppGuardTcpInfo};
 use rpn_predicate_interpreter::PredicateEvaluator;
 use serde::{Deserialize, Serialize};
-use std::borrow::Cow;
 
 #[derive(Debug, Serialize, Deserialize, PartialEq, Clone)]
 #[allow(clippy::enum_variant_names)]
@@ -46,8 +45,9 @@ impl HttpResponseField {
                     None
                 }
             }
-            HttpResponseField::HttpResponseHeader(HeaderVal(k, v)) => get_header(&item.headers, k)
-                .map(|header| FirewallCompareType::String((header, Cow::Borrowed(v)))),
+            HttpResponseField::HttpResponseHeader(HeaderVal(k, v)) => {
+                get_header(&item.headers, k).map(|header| FirewallCompareType::String((header, v)))
+            }
         }
     }
 }
diff --git a/src/firewall/items/ip_info.rs b/src/firewall/items/ip_info.rs
@@ -3,7 +3,6 @@ use crate::firewall::rules::{FirewallCompareType, FirewallRuleField, FirewallRul
 use crate::proto::appguard::AppGuardIpInfo;
 use rpn_predicate_interpreter::PredicateEvaluator;
 use serde::{Deserialize, Serialize};
-use std::borrow::Cow;
 
 #[derive(Debug, Serialize, Deserialize, PartialEq, Clone)]
 #[serde(rename_all = "snake_case")]
@@ -40,35 +39,35 @@ impl IpInfoField {
             IpInfoField::Country(v) => item
                 .country
                 .as_ref()
-                .map(|country| FirewallCompareType::String((country, Cow::Borrowed(v)))),
+                .map(|country| FirewallCompareType::String((country, v))),
             IpInfoField::Asn(v) => item
                 .asn
                 .as_ref()
-                .map(|asn| FirewallCompareType::String((asn, Cow::Borrowed(v)))),
+                .map(|asn| FirewallCompareType::String((asn, v))),
             IpInfoField::Org(v) => item
                 .org
                 .as_ref()
-                .map(|org| FirewallCompareType::String((org, Cow::Borrowed(v)))),
+                .map(|org| FirewallCompareType::String((org, v))),
             IpInfoField::Continent(v) => item
                 .continent_code
                 .as_ref()
-                .map(|continent| FirewallCompareType::String((continent, Cow::Borrowed(v)))),
+                .map(|continent| FirewallCompareType::String((continent, v))),
             IpInfoField::City(v) => item
                 .city
                 .as_ref()
-                .map(|city| FirewallCompareType::String((city, Cow::Borrowed(v)))),
+                .map(|city| FirewallCompareType::String((city, v))),
             IpInfoField::Region(v) => item
                 .region
                 .as_ref()
-                .map(|region| FirewallCompareType::String((region, Cow::Borrowed(v)))),
+                .map(|region| FirewallCompareType::String((region, v))),
             IpInfoField::Postal(v) => item
                 .postal
                 .as_ref()
-                .map(|postal| FirewallCompareType::String((postal, Cow::Borrowed(v)))),
+                .map(|postal| FirewallCompareType::String((postal, v))),
             IpInfoField::Timezone(v) => item
                 .timezone
                 .as_ref()
-                .map(|timezone| FirewallCompareType::String((timezone, Cow::Borrowed(v)))),
+                .map(|timezone| FirewallCompareType::String((timezone, v))),
         }
     }
 }
diff --git a/src/firewall/items/smtp_request.rs b/src/firewall/items/smtp_request.rs
@@ -8,7 +8,6 @@ use crate::helpers::get_header;
 use crate::proto::appguard::{AppGuardSmtpRequest, AppGuardTcpInfo};
 use rpn_predicate_interpreter::PredicateEvaluator;
 use serde::{Deserialize, Serialize};
-use std::borrow::Cow;
 
 #[derive(Debug, Serialize, Deserialize, PartialEq, Clone)]
 #[allow(clippy::enum_variant_names)]
@@ -35,14 +34,15 @@ impl SmtpRequestField {
         item: &'a AppGuardSmtpRequest,
     ) -> Option<FirewallCompareType<'a>> {
         match self {
-            SmtpRequestField::SmtpRequestHeader(HeaderVal(k, v)) => get_header(&item.headers, k)
-                .map(|header| FirewallCompareType::String((header, Cow::Borrowed(v)))),
+            SmtpRequestField::SmtpRequestHeader(HeaderVal(k, v)) => {
+                get_header(&item.headers, k).map(|header| FirewallCompareType::String((header, v)))
+            }
             SmtpRequestField::SmtpRequestUserAgent(v) => get_header(&item.headers, "User-Agent")
-                .map(|user_agent| FirewallCompareType::String((user_agent, Cow::Borrowed(v)))),
+                .map(|user_agent| FirewallCompareType::String((user_agent, v))),
             SmtpRequestField::SmtpRequestBody(v) => item
                 .body
                 .as_ref()
-                .map(|body| FirewallCompareType::String((body, Cow::Borrowed(v)))),
+                .map(|body| FirewallCompareType::String((body, v))),
             SmtpRequestField::SmtpRequestBodyLen(l) => item
                 .body
                 .as_ref()
diff --git a/src/firewall/items/tcp_connection.rs b/src/firewall/items/tcp_connection.rs
@@ -3,9 +3,11 @@ use crate::firewall::rules::{
     FirewallCompareType, FirewallRuleDirection, FirewallRuleField, FirewallRuleWithDirection,
 };
 use crate::proto::appguard::AppGuardTcpConnection;
+use ipnetwork::IpNetwork;
 use rpn_predicate_interpreter::PredicateEvaluator;
 use serde::{Deserialize, Serialize};
-use std::borrow::Cow;
+use std::net::IpAddr;
+use std::str::FromStr;
 
 #[derive(Debug, Serialize, Deserialize, PartialEq, Clone)]
 #[serde(rename_all = "snake_case")]
@@ -40,8 +42,8 @@ impl TcpConnectionField {
                     FirewallRuleDirection::In => item.source_ip.as_ref(),
                     FirewallRuleDirection::Out => item.destination_ip.as_ref(),
                 };
-                if let Some(ip) = ip_opt {
-                    Some(FirewallCompareType::String((ip, a.to_ips(context).await?)))
+                if let Some(ip) = ip_opt.and_then(|ip| IpAddr::from_str(ip).ok()) {
+                    Some(FirewallCompareType::Ip((ip, a.to_ips(context).await?)))
                 } else {
                     None
                 }
@@ -51,8 +53,8 @@ impl TcpConnectionField {
                     FirewallRuleDirection::In => item.destination_ip.as_ref(),
                     FirewallRuleDirection::Out => item.source_ip.as_ref(),
                 };
-                if let Some(ip) = ip_opt {
-                    Some(FirewallCompareType::String((ip, a.to_ips(context).await?)))
+                if let Some(ip) = ip_opt.and_then(|ip| IpAddr::from_str(ip).ok()) {
+                    Some(FirewallCompareType::Ip((ip, a.to_ips(context).await?)))
                 } else {
                     None
                 }
@@ -67,10 +69,9 @@ impl TcpConnectionField {
                 FirewallRuleDirection::Out => item.source_port,
             }
             .map(|p| FirewallCompareType::U32((p, v))),
-            TcpConnectionField::Protocol(v) => Some(FirewallCompareType::String((
-                &item.protocol,
-                Cow::Borrowed(v),
-            ))),
+            TcpConnectionField::Protocol(v) => {
+                Some(FirewallCompareType::String((&item.protocol, v)))
+            }
         }
     }
 }
@@ -112,19 +113,26 @@ pub enum IpAlias {
 }
 
 impl IpAlias {
-    async fn to_ips(&self, context: &AppContext) -> Option<Cow<'_, [String]>> {
+    async fn to_ips(&self, context: &AppContext) -> Option<Vec<IpNetwork>> {
         match self {
             IpAlias::Name(name) => {
                 let token = context.root_token_provider.get().await.ok()?.jwt.clone();
                 context
                     .datastore
                     .clone()
-                    .get_ip_alias(token, name)
+                    .get_ip_aliases(token, name)
                     .await
                     .ok()
-                    .map(Cow::Owned)
             }
-            IpAlias::Addresses(addresses) => Some(Cow::Borrowed(addresses)),
+            IpAlias::Addresses(addresses) => {
+                let mut ipnetworks = Vec::new();
+                for address in addresses {
+                    if let Ok(cidr) = IpNetwork::from_str(address) {
+                        ipnetworks.push(cidr);
+                    }
+                }
+                Some(ipnetworks)
+            }
         }
     }
 }
diff --git a/src/firewall/rules.rs b/src/firewall/rules.rs

Original file line number	Diff line number	Diff line change
`@@ -70,6 +70,7 @@ impl DbEntry {`
`70`	`70`	`log::info!("Firewall inserted in datastore");`
`71`	`71`	`}`
`72`	`72`	`DbEntry::DeniedIp((_, denied_ip, _)) => {`
	`73`	`+ // todo: change this to a custom query to aliases`
`73`	`74`	`let _ = ds.insert(self, token.as_str()).await?;`
`74`	`75`	`log::info!(`
`75`	`76`	`"Denied IP inserted in datastore: {} {:?}",`
`@@ -118,7 +119,7 @@ impl DbEntry {`
`118`	`119`	`DbEntry::TcpConnection(_) => DbTable::TcpConnection,`
`119`	`120`	`// DbEntry::Blacklist(_) => DbTable::Blacklist,`
`120`	`121`	`DbEntry::Firewall(_) => DbTable::Firewall,`
`121`		`- DbEntry::DeniedIp(_) => DbTable::DeniedIp,`
	`122`	`+ DbEntry::DeniedIp(_) => DbTable::Alias,`
`122`	`123`	`DbEntry::Config(_) => DbTable::Config,`
`123`	`124`	`}`
`124`	`125`	`}`
`@@ -190,7 +191,7 @@ impl EntryIds {`
`190`	`191`	`DbTable::IpInfo`
`191`	`192`	`// \| DbTable::Blacklist`
`192`	`193`	`\| DbTable::Firewall`
`193`		`- \| DbTable::DeniedIp`
	`194`	`+ \| DbTable::Alias`
`194`	`195`	`\| DbTable::Config => return Err("Not applicable").handle_err(location!()),`
`195`	`196`	`}`
`196`	`197`	`.lock()`
Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@ pub enum DbTable {`
`8`	`8`	`SmtpResponse,`
`9`	`9`	`// Blacklist,`
`10`	`10`	`Firewall,`
`11`		`- DeniedIp,`
	`11`	`+ Alias,`
`12`	`12`	`Config,`
`13`	`13`	`}`
`14`	`14`
`@@ -23,7 +23,7 @@ impl DbTable {`
`23`	`23`	`DbTable::SmtpResponse => "smtp_responses",`
`24`	`24`	`// DbTable::Blacklist => "ip_blacklists",`
`25`	`25`	`DbTable::Firewall => "app_firewalls",`
`26`		`- DbTable::DeniedIp => "app_denied_ips",`
	`26`	`+ DbTable::Alias => "aliases",`
`27`	`27`	`DbTable::Config => "appguard_configs",`
`28`	`28`	`}`
`29`	`29`	`}`
Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,6 @@ use crate::helpers::get_header;`
`8`	`8`	`use crate::proto::appguard::{AppGuardHttpResponse, AppGuardTcpInfo};`
`9`	`9`	`use rpn_predicate_interpreter::PredicateEvaluator;`
`10`	`10`	`use serde::{Deserialize, Serialize};`
`11`		`-use std::borrow::Cow;`
`12`	`11`
`13`	`12`	`#[derive(Debug, Serialize, Deserialize, PartialEq, Clone)]`
`14`	`13`	`#[allow(clippy::enum_variant_names)]`
`@@ -46,8 +45,9 @@ impl HttpResponseField {`
`46`	`45`	`None`
`47`	`46`	`}`
`48`	`47`	`}`
`49`		`- HttpResponseField::HttpResponseHeader(HeaderVal(k, v)) => get_header(&item.headers, k)`
`50`		`- .map(\|header\| FirewallCompareType::String((header, Cow::Borrowed(v)))),`
	`48`	`+ HttpResponseField::HttpResponseHeader(HeaderVal(k, v)) => {`
	`49`	`+ get_header(&item.headers, k).map(\|header\| FirewallCompareType::String((header, v)))`
	`50`	`+ }`
`51`	`51`	`}`
`52`	`52`	`}`
`53`	`53`	`}`