authorThomas Kriechbaumer <Kriechi@users.noreply.github.com>2018-05-06 11:40:46 +0200
committerGitHub <noreply@github.com>2018-05-06 11:40:46 +0200
commiteecb576aff0fb5c4d66e637ce09fd26e94590a8f (patch)
tree1d7f807ccd8d8c1a6734cde8f6e3a7bcaceb5daf /mitmproxy
parentc53bc39c9547685d4227d9b4ad48a22d6d11dbff (diff)
parent60acbd79b9b81ff0e733628dc3ee538011a37778 (diff)
Merge pull request #3100 from cortesi/block
Remove allowremote addon, add an improved take called block
Diffstat (limited to 'mitmproxy')
-rw-r--r--mitmproxy/addons/__init__.py4
-rw-r--r--mitmproxy/addons/allowremote.py31
-rw-r--r--mitmproxy/addons/block.py37
3 files changed, 39 insertions, 33 deletions
diff --git a/mitmproxy/addons/__init__.py b/mitmproxy/addons/__init__.py
index 988bc904..838fba9b 100644
--- a/mitmproxy/addons/__init__.py
+++ b/mitmproxy/addons/__init__.py
@@ -1,6 +1,6 @@
-from mitmproxy.addons import allowremote
from mitmproxy.addons import anticache
from mitmproxy.addons import anticomp
+from mitmproxy.addons import block
from mitmproxy.addons import browser
from mitmproxy.addons import check_ca
from mitmproxy.addons import clientplayback
@@ -25,7 +25,7 @@ def default_addons():
return [
core.Core(),
browser.Browser(),
- allowremote.AllowRemote(),
+ block.Block(),
anticache.AntiCache(),
anticomp.AntiComp(),
check_ca.CheckCA(),
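Review bot: Replacing `allowremote.AllowRemote()` with `block.Block()` in default_addons also drops the `allow_remote` option and the `proxyauth` exemption that the deleted clientconnect had, and nothing in this change tells users about either. With `block_global` defaulting to True, a proxy that accepted public clients only because `proxyauth` was set will now kill those connections until `block_global` is set to false. How an existing config that still sets `allow_remote` is handled is not visible here. I would say so in the `block_global` help text, e.g. `This applies even when proxyauth is set.`, and add a changelog entry for the removed option. default_addons starts and ends outside this hunk.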
diff --git a/mitmproxy/addons/allowremote.py b/mitmproxy/addons/allowremote.py
deleted file mode 100644
index ad4c4940..00000000
--- a/mitmproxy/addons/allowremote.py
+++ /dev/null
@@ -1,31 +0,0 @@
-import ipaddress
-from mitmproxy import ctx
-
-
-class AllowRemote:
- def load(self, loader):
- loader.add_option(
- "allow_remote", bool, False,
- """
- Allow remote clients to connect to proxy. If set to false,
- client will not be able to connect to proxy unless it is on the same network
- or the proxyauth option is set
- """
- )
-
- def clientconnect(self, layer):
- address = ipaddress.ip_address(layer.client_conn.address[0])
- if isinstance(address, ipaddress.IPv6Address):
- address = address.ipv4_mapped or address
-
- accept_connection = (
- ctx.options.allow_remote or
- ipaddress.ip_address(address).is_private or
- ctx.options.proxyauth is not None
- )
-
- if not accept_connection:
- layer.reply.kill()
- ctx.log.warn("Client connection was killed because allow_remote option is set to false, "
- "client IP was not a private IP and proxyauth was not set.\n"
- "To allow remote connections set allow_remote option to true or set proxyauth option.")
diff --git a/mitmproxy/addons/block.py b/mitmproxy/addons/block.py
new file mode 100644
index 00000000..a484f5c4
--- /dev/null
+++ b/mitmproxy/addons/block.py
@@ -0,0 +1,37 @@
+import ipaddress
+from mitmproxy import ctx
+
+
+class Block:
+ def load(self, loader):
+ loader.add_option(
+ "block_global", bool, True,
+ """
+ Block connections from globally reachable networks, as defined in
+ the IANA special purpose registries.
+ """
+ )
+ loader.add_option(
+ "block_private", bool, False,
+ """
+ Block connections from private networks, as defined in the IANA
+ special purpose registries. This option does not affect loopback
+ addresses.
+ """
+ )
+
+ def clientconnect(self, layer):
+ address = ipaddress.ip_address(layer.client_conn.address[0])
+ if isinstance(address, ipaddress.IPv6Address):
+ address = address.ipv4_mapped or address
+
+ ipa = ipaddress.ip_address(address)
+ if ipa.is_loopback:
+ return
+
+ if ctx.options.block_private and ipa.is_private:
+ ctx.log.warn("Client connection from %s killed by block_private" % address)
+ layer.reply.kill()
+ if ctx.options.block_global and ipa.is_global:
+ ctx.log.warn("Client connection from %s killed by block_global" % address)
+ layer.reply.kill()
\ No newline at end of file
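Review bot: The two checks in clientconnect only cover addresses that `ipaddress` classifies as private or global, so a client in a range that is neither, such as the 100.64.0.0/10 shared address space, is accepted even with both options enabled. If `block_global` is meant as "anything that is not local", the test could be `if ctx.options.block_global and not ipa.is_private:`; otherwise the help text should name the gap. `ipaddress.ip_address(layer.client_conn.address[0])` also raises ValueError on a value it cannot parse (on Python versions before 3.9 that includes an IPv6 literal with a `%zone` suffix, if the peer address ever carries one). Whether the connection then continues depends on addon error handling outside this file, so stripping the zone with `.split("%", 1)[0]` and handling the error explicitly would be safer. Minor: `address` is already an address object, so `ipa = ipaddress.ip_address(address)` can be `ipa = address`, and a `return` after the first `layer.reply.kill()` makes the flow explicit.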