Update address exclusion check

A list of excluded addresses can be provided with `--scan.bannedAddress` flag. The loopback and private IPs will be excluded by default. To let the private addresses a `--scan.allowPrivateAddresses` flag has to be set.
keep-network · Sep 28, 2022 · ba82128 · ba82128
1 parent b07c126
commit ba82128
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 6 deletions.
diff --git a/examples/docker-compose.yaml b/examples/docker-compose.yaml
@@ -34,3 +34,4 @@ services:
       - bootstrap-0.test.keep.network:9601
       - --source.address
       - bootstrap-1.test.keep.network:9601
+      - --scan.allowPrivateAddresses
diff --git a/main.go b/main.go
@@ -51,8 +51,6 @@ var (
 
 	scanPortRangeFlagValue string
 
-	excludedAddresses = []string{"127.0.0.1"}
-
 	labelChainAddress = model.MetaLabelPrefix + "chain_address"
 	labelNetworkID    = model.MetaLabelPrefix + "network_id"
 )
@@ -63,8 +61,10 @@ type sdConfig struct {
 
 	refreshInterval time.Duration
 
-	diagnosticsPortRange utils.Range
-	scanPortTimeout      time.Duration
+	diagnosticsPortRange  utils.Range
+	scanPortTimeout       time.Duration
+	bannedPeerAddresses   []string
+	allowPrivateAddresses bool
 
 	getDiagnosticsTimeout time.Duration
 
@@ -113,6 +113,16 @@ func init() {
 		"Timeout for single port scan.",
 	).Default("1s").DurationVar(&config.scanPortTimeout)
 
+	app.Flag(
+		"scan.bannedAddress",
+		"Addresses excluded from the discovery.",
+	).Default("").StringsVar(&config.bannedPeerAddresses)
+
+	app.Flag(
+		"scan.allowPrivateAddresses",
+		"Allow private peers addresses for discovery (useful for internal network testing).",
+	).Default("false").BoolVar(&config.allowPrivateAddresses)
+
 	app.Flag(
 		"diagnostics.timeout",
 		"Timeout for diagnostics endpoint call.",
@@ -274,6 +284,24 @@ func getDiagnostics(addressWithPort string) (clientinfo.Diagnostics, error) {
 	return diagnostics, nil
 }
 
+func isAddressExcluded(address string) bool {
+	if slices.Contains(config.bannedPeerAddresses, address) {
+		return true
+	}
+
+	if ip := net.ParseIP(address); ip != nil {
+		if ip.IsLoopback() {
+			return true
+		}
+
+		if ip.IsPrivate() && !config.allowPrivateAddresses {
+			return true
+		}
+	}
+
+	return false
+}
+
 // Run is an implementation of the Discovery interface.
 func (d *discovery) Run(ctx context.Context, ch chan<- []*targetgroup.Group) {
 discoveryLoop:
@@ -329,8 +357,8 @@ discoveryLoop:
 			// Loop all discovered network addresses of the peer.
 		addressLoop:
 			for _, networkAddress := range peer.NetworkAddresses {
-				// Check if the network address is excluded (e.g. it's an internal address).
-				if slices.Contains(excludedAddresses, networkAddress) {
+				// Check if the network address is excluded (banned, loopback or internal)
+				if isAddressExcluded(networkAddress) {
 					level.Warn(peerLogger).Log(
 						"msg", "address is excluded from scanning",
 						"networkAddress", networkAddress,