Merge pull request #1 from avivs14/add_support_for_rfc6598_shared_add…

…ress_space

Added support for RFC6598 - shared address space as a private ip address space

srealip.go

@@ -8,7 +8,20 @@ import (
 
 // isPrivateIP checks if input IP is under private CIDR blocks.
 func isPrivateIP(ip net.IP) bool {
-	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsPrivate()
+	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsPrivate() || isInSharedAddressSpace(ip)
+}
+
+// isInSharedAddressSpace reports whether ip is in the shared address space, according to
+// RFC 6598- IANA-Reserved IPv4 Prefix for Shared Address Space
+func isInSharedAddressSpace(ip net.IP) bool {
+	if ip4 := ip.To4(); ip4 != nil {
+		// Following RFC 6598. Shared Address Space which says:
+		//   The Internet Assigned Numbers Authority (IANA) has reserved the
+		//   following block of IP address space for shared internets:
+		//     100.64.0.0    -   100.127.255.255  (100.64/10 prefix)
+		return ip4[0] == 100 && ip4[1]&0xc0 == 64
+	}
+	return false
 }
 
 // extractIpFromRemoteAddr extracts clean IP - without port and spaces

srealip_test.go

@@ -37,6 +37,9 @@ func TestIsPrivate(t *testing.T) {
 	privateAddr := "192.168.1.1"
 	assert.True(t, isPrivateIP(net.ParseIP(privateAddr)))
 
+	sharedAddr := "100.127.28.62"
+	assert.True(t, isPrivateIP(net.ParseIP(sharedAddr)))
+
 	invalidAddr := "string"
 	assert.False(t, isPrivateIP(net.ParseIP(invalidAddr)))
 
@@ -50,6 +53,7 @@ func TestSecureRealIp(t *testing.T) {
 	publicAddr3 := "119.15.55.11"
 	localAddr := "127.0.0.0"
 	privateAddr := "192.168.1.1"
+	sharedAddr := "100.127.28.62"
 	publicAddr1WithPort := fmt.Sprintf("%s:%d", publicAddr1, 80)
 	invalidAddr := "invalidStr"
 
@@ -62,6 +66,7 @@ func TestSecureRealIp(t *testing.T) {
 		"multiple X-Forwarded-For":        {request: newHttpRequest(publicAddr3, "", localAddr, publicAddr1, publicAddr2), expected: publicAddr2},
 		"Has local X-Forwarded-For":       {request: newHttpRequest(publicAddr3, "", publicAddr1, localAddr), expected: publicAddr1},
 		"Has private X-Forwarded-For":     {request: newHttpRequest(publicAddr3, "", publicAddr1, localAddr, privateAddr), expected: publicAddr1},
+		"Has shared X-Forwarded-For":      {request: newHttpRequest(publicAddr3, "", publicAddr1, sharedAddr, localAddr, privateAddr), expected: publicAddr1},
 		"Has X-Real-IP":                   {request: newHttpRequest(publicAddr3, publicAddr2, publicAddr1, localAddr), expected: publicAddr1},
 		"not IP X-Forwarded-For":          {request: newHttpRequest(publicAddr3, "", invalidAddr), expected: publicAddr3},
 		"not + vallid IP X-Forwarded-For": {request: newHttpRequest(publicAddr3, "", publicAddr2, privateAddr, invalidAddr), expected: publicAddr2},
@@ -87,6 +92,7 @@ func TestNaiveRealIp(t *testing.T) {
 	publicAddr4 := "119.16.55.11"
 	localAddr := "127.0.0.0"
 	privateAddr := "192.168.1.1"
+	sharedAddr := "100.127.28.62"
 	invalidAddr := "invalidStr"
 	publicAddr1WithPort := fmt.Sprintf("%s:%d", publicAddr1, 80)
 
@@ -98,6 +104,7 @@ func TestNaiveRealIp(t *testing.T) {
 		"X-Forwarded-For - one value":     {request: newHttpRequest(publicAddr1, "", publicAddr2), expected: publicAddr2},
 		"multiple X-Forwarded-For":        {request: newHttpRequest(publicAddr3, "", localAddr, publicAddr1, publicAddr2), expected: publicAddr1},
 		"Has private X-Forwarded-For":     {request: newHttpRequest(publicAddr3, "", privateAddr, publicAddr1, localAddr), expected: publicAddr1},
+		"Has shared X-Forwarded-For":      {request: newHttpRequest(publicAddr3, "", sharedAddr, publicAddr1, localAddr), expected: publicAddr1},
 		"not IP X-Forwarded-For":          {request: newHttpRequest(publicAddr3, "", invalidAddr), expected: publicAddr3},
 		"not + vallid IP X-Forwarded-For": {request: newHttpRequest(publicAddr3, "", privateAddr, publicAddr2, invalidAddr), expected: publicAddr2},
 		"not IP X-Forwarded-For then IP":  {request: newHttpRequest(publicAddr3, "", localAddr, invalidAddr, publicAddr1), expected: publicAddr1},