From e837def9f5bd089546c3e8dd888cedd447534d0e Mon Sep 17 00:00:00 2001
From: tarik02
Date: Sun, 1 Dec 2024 12:00:15 +0200
Subject: [PATCH 1/3] feat: ip filter
---
 gateway.go | 14 ++++++++++++++
 setup.go | 13 +++++++++++++
 2 files changed, 27 insertions(+)
diff --git a/gateway.go b/gateway.go
index c57913e..d7ab13d 100644
--- a/gateway.go
+++ b/gateway.go
@@ -70,6 +70,7 @@ type Gateway struct {
 secondNS string
 configFile string
 configContext string
+ prefixes []netip.Prefix
 ExternalAddrFunc func(request.Request) []dns.RR
 Fall fall.F
@@ -176,6 +177,9 @@ func (gw *Gateway) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Ms
 var ipv6Addrs []netip.Addr
 for _, addr := range addrs {
+ if len(gw.prefixes) > 0 && !matchIpNetPrefix(addr, gw.prefixes) {
+ continue
+ }
 if addr.Is4() {
 ipv4Addrs = append(ipv4Addrs, addr)
 }
@@ -318,3 +322,13 @@ func stripClosingDot(s string) string {
 }
 return s
 }
+
+// Returns true if the IP matches at least one of the IP network prefixes
+func matchIpNetPrefix(ip netip.Addr, prefixes []netip.Prefix) bool {
+ for _, prefix := range prefixes {
+ if prefix.Contains(ip) {
+ return true
+ }
+ }
+ return false
+}
diff --git a/setup.go b/setup.go
index 805de0a..59816bc 100644
--- a/setup.go
+++ b/setup.go
@@ -2,6 +2,7 @@ package gateway
 import (
 "context"
+ "net/netip"
 "strconv"
@@ -104,6 +105,18 @@ func parse(c *caddy.Controller) (*Gateway, error) {
 if len(args) == 2 {
 gw.configContext = args[1]
 }
+ case "prefixes":
+ args := c.RemainingArgs()
+ if len(args) == 0 {
+ return nil, c.ArgErr()
+ }
+ for _, arg := range args {
+ prefix, err := netip.ParsePrefix(arg)
+ if err != nil {
+ return nil, c.Errf("Invalid if prefix: %s", arg)
+ }
+ gw.prefixes = append(gw.prefixes, prefix)
+ }
 default:
 return nil, c.Errf("Unknown property '%s'", c.Val())
 }
From a6f5ee326f97b6f6262540d24d8b3bc10676a2ae Mon Sep 17 00:00:00 2001
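Review bot: The new guard before `if addr.Is4()` relies on `netip.Prefix.Contains`, which only matches an address of the same family as the prefix and never matches an address carrying an IPv6 zone, so an IPv4-mapped IPv6 entry such as `::ffff:10.0.0.1` is silently dropped even when `10.0.0.0/8` is configured. Normalising once at the top of the loop body, `addr = addr.Unmap()`, keeps the prefix match and the `Is4()` split consistent; whether the Kubernetes status fields this loop reads can actually carry mapped addresses I can't tell from here. A one-line comment above the guard, `// prefixes is an allow-list: an address inside none of them is left out of the answer`, would also help, since the `prefixes` field itself is added without documentation. ServeDNS starts and ends outside the hunk, so what happens when every address is filtered out (empty answer versus fallthrough) cannot be checked here.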
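Review bot: The new helper's name and doc comment both depart from Go convention: initialisms keep their case, so it should be `matchIPNetPrefix` (with the call in ServeDNS updated to match), and the comment should open with the identifier, e.g. `// matchIPNetPrefix reports whether ip lies inside at least one of prefixes.` That comment is also the right place to state the two cases `netip.Prefix.Contains` rejects — an address of the other family (including IPv4-mapped IPv6) and an address with an IPv6 zone — because a caller using this as a filter will otherwise be surprised by silent non-matches. If the module is on Go 1.21 or later, which isn't visible here, the loop collapses to `return slices.ContainsFunc(prefixes, func(p netip.Prefix) bool { return p.Contains(ip) })`.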
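Review bot: The error returned for an unparsable argument reads `Invalid if prefix: %s`, which looks like a typo for "IP" and also discards the parser's reason; `return nil, c.Errf("invalid IP prefix %q: %v", arg, err)` tells the operator both what was rejected and why. Storing the canonical network, `gw.prefixes = append(gw.prefixes, prefix.Masked())`, is worth doing too: `Contains` ignores host bits either way, so this does not change matching, but it means a config like `10.1.2.3/8` is kept as the `10.0.0.0/8` it really is. A comment above the case, `// prefixes: allow-list of CIDRs; addresses outside all of them are dropped from answers`, would document the direction of the filter, which nothing in the setup code currently states; note also that the case appends, so repeated `prefixes` lines accumulate rather than replace. The parse function starts and ends outside the hunk.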
From: tarik02
Date: Sun, 1 Dec 2024 12:19:36 +0200
Subject: [PATCH 2/3] update helm chart
---
 charts/k8s-gateway/templates/configmap.yaml | 3 +++
 charts/k8s-gateway/values.yaml | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/charts/k8s-gateway/templates/configmap.yaml b/charts/k8s-gateway/templates/configmap.yaml
index abba5d1..4ae1bdb 100644
--- a/charts/k8s-gateway/templates/configmap.yaml
+++ b/charts/k8s-gateway/templates/configmap.yaml
@@ -29,6 +29,9 @@ data:
 {{- if .Values.watchedResources }}
 resources {{ join " " .Values.watchedResources }}
 {{- end }}
+ {{- if Values.prefixes }}
+ prefixes {{ join " " .Values.prefixes }}
+ {{- end }}
 {{- if .Values.fallthrough.enabled }}
 fallthrough {{- range .Values.fallthrough.zones }} {{ . }} {{- end }}
 {{- end }}
diff --git a/charts/k8s-gateway/values.yaml b/charts/k8s-gateway/values.yaml
index a43482e..6ef736a 100644
--- a/charts/k8s-gateway/values.yaml
+++ b/charts/k8s-gateway/values.yaml
@@ -22,6 +22,9 @@ watchedResources: []
 # Service name of a secondary DNS server (should be `serviceName.namespace`)
 secondary: ""
+# List of IP CIDRs to filter
+prefixes: []
+
 # Enabled fallthrough for k8s_gateway
 fallthrough:
 enabled: false
From 2e6efa10e38c00cb1297f3267acd21bbc2a7c0e1 Mon Sep 17 00:00:00 2001
From: tarik02
Date: Sun, 1 Dec 2024 12:30:38 +0200
Subject: [PATCH 3/3] oops
---
 charts/k8s-gateway/templates/configmap.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/k8s-gateway/templates/configmap.yaml b/charts/k8s-gateway/templates/configmap.yaml
index 4ae1bdb..794da1b 100644
--- a/charts/k8s-gateway/templates/configmap.yaml
+++ b/charts/k8s-gateway/templates/configmap.yaml
@@ -29,7 +29,7 @@ data:
 {{- if .Values.watchedResources }}
 resources {{ join " " .Values.watchedResources }}
 {{- end }}
- {{- if Values.prefixes }}
+ {{- if .Values.prefixes }}
 prefixes {{ join " " .Values.prefixes }}
 {{- end }}
 {{- if .Values.fallthrough.enabled }}
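Review bot: The new values comment `# List of IP CIDRs to filter` does not say in which direction the filter works, and that matters for anyone relying on it as a control over what the gateway will publish; the plugin change in this series keeps only addresses that fall inside one of the prefixes, so the comment should say so, e.g. `# Allow-list of CIDRs: only addresses inside one of these prefixes are returned; empty disables the filter`. It is also worth stating the expected form, `# each entry must parse as a CIDR, e.g. 10.0.0.0/8 or fd00::/8`, since the plugin side rejects anything `netip.ParsePrefix` cannot parse and the resulting setup error is only seen at CoreDNS start.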