net: support blocklist for net.Server · nodejs/node@b47888d

Original file line number	Diff line number	Diff line change
`@@ -1713,6 +1713,11 @@ changes:`
`1713`	`1713`	Default: `false`.
`1714`	`1714`	* `pauseOnConnect` {boolean} Indicates whether the socket should be
`1715`	`1715`	paused on incoming connections. Default: `false`.
	`1716`	+* `blockList` {net.BlockList} `blockList` can be used for disabling inbound
	`1717`	`+ access to specific IP addresses, IP ranges, or IP subnets. This does not`
	`1718`	`+ work if the server is behind a reverse proxy, NAT, etc. because the address`
	`1719`	`+ checked against the block list is the address of the proxy, or the one`
	`1720`	`+ specified by the NAT.`
`1716`	`1721`
`1717`	`1722`	* `connectionListener` {Function} Automatically set as a listener for the
`1718`	`1723`	[`'connection'`][] event.

Original file line number	Diff line number	Diff line change
`@@ -1791,6 +1791,13 @@ function Server(options, connectionListener) {`
`1791`	`1791`	`this.keepAlive = Boolean(options.keepAlive);`
`1792`	`1792`	`this.keepAliveInitialDelay = ~~(options.keepAliveInitialDelay / 1000);`
`1793`	`1793`	`this.highWaterMark = options.highWaterMark ?? getDefaultHighWaterMark();`
	`1794`	`+if (options.blockList) {`
	`1795`	`+// TODO: use BlockList.isBlockList (https://github.com/nodejs/node/pull/56078)`
	`1796`	`+if (!(options.blockList instanceof module.exports.BlockList)) {`
	`1797`	`+throw new ERR_INVALID_ARG_TYPE('options.blockList', 'net.BlockList', options.blockList);`
	`1798`	`+}`
	`1799`	`+this.blockList = options.blockList;`
	`1800`	`+}`
`1794`	`1801`	`}`
`1795`	`1802`	`ObjectSetPrototypeOf(Server.prototype, EventEmitter.prototype);`
`1796`	`1803`	`ObjectSetPrototypeOf(Server, EventEmitter);`
`@@ -2239,7 +2246,15 @@ function onconnection(err, clientHandle) {`
`2239`	`2246`	`clientHandle.close();`
`2240`	`2247`	`return;`
`2241`	`2248`	`}`
`2242`		`-`
	`2249`	`+if (self.blockList && typeof clientHandle.getpeername === 'function') {`
	`2250`	`+const remoteInfo = { __proto__: null };`
	`2251`	`+clientHandle.getpeername(remoteInfo);`
	`2252`	`+const addressType = isIP(remoteInfo.address);`
	`2253`	+if (addressType && self.blockList.check(remoteInfo.address, `ipv${addressType}`)) {
	`2254`	`+clientHandle.close();`
	`2255`	`+return;`
	`2256`	`+}`
	`2257`	`+}`
`2243`	`2258`	`const socket = new Socket({`
`2244`	`2259`	`handle: clientHandle,`
`2245`	`2260`	`allowHalfOpen: self.allowHalfOpen,`

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,19 @@`
	`1`	`+'use strict';`
	`2`	`+const common = require('../common');`
	`3`	`+const net = require('net');`
	`4`	`+`
	`5`	`+const blockList = new net.BlockList();`
	`6`	`+blockList.addAddress(common.localhostIPv4);`
	`7`	`+`
	`8`	`+const server = net.createServer({ blockList }, common.mustNotCall());`
	`9`	`+server.listen(0, common.localhostIPv4, common.mustCall(() => {`
	`10`	`+const adddress = server.address();`
	`11`	`+const socket = net.connect({`
	`12`	`+localAddress: common.localhostIPv4,`
	`13`	`+host: adddress.address,`
	`14`	`+port: adddress.port`
	`15`	`+});`
	`16`	`+socket.on('close', common.mustCall(() => {`
	`17`	`+server.close();`
	`18`	`+}));`
	`19`	`+}));`