From b48ba8cb0abb29556d635fb2b427b3934da30c98 Mon Sep 17 00:00:00 2001
From: Quentin McGaw
Date: Fri, 5 Jun 2026 05:01:18 +0000
Subject: [PATCH] review feedback
---
internal/firewall/iptables/iptables.go | 3 ++-
internal/restrictednet/https.go | 13 ++++++++++++-
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/internal/firewall/iptables/iptables.go b/internal/firewall/iptables/iptables.go
index 44d9ab1f..a6b40cf7 100644
--- a/internal/firewall/iptables/iptables.go
+++ b/internal/firewall/iptables/iptables.go
@@ -2,6 +2,7 @@ package iptables import ( "context" + "errors" "fmt" "io" "net/netip"
@@ -181,7 +182,7 @@ func (c *Config) AcceptOutputFromIPPortToIPPort(ctx context.Context, protocol, intf string, source, destination netip.AddrPort, remove bool, ) error { if source.Addr().BitLen() != destination.Addr().BitLen() { - return fmt.Errorf("source and destination address families do not match") + return errors.New("source and destination address families do not match") } interfaceFlag := "-o " + intf
diff --git a/internal/restrictednet/https.go b/internal/restrictednet/https.go
index 02863455..f3b71a43 100644
--- a/internal/restrictednet/https.go
+++ b/internal/restrictednet/https.go
@@ -69,12 +69,23 @@ func newHTTPSClient(destinationTLSName string, connection net.Conn) *http.Client httpTransport.Proxy = nil httpTransport.MaxIdleConns = 1 httpTransport.MaxIdleConnsPerHost = 1 + httpTransport.MaxConnsPerHost = 1 httpTransport.IdleConnTimeout = time.Second httpTransport.TLSClientConfig = &tls.Config{ MinVersion: tls.VersionTLS12, ServerName: destinationTLSName, } - httpTransport.DialContext = func(_ context.Context, _, _ string) (net.Conn, error) { + + expectedAddress := net.JoinHostPort(destinationTLSName, "443") + httpTransport.DialContext = func(_ context.Context, network, address string) (net.Conn, error) { + switch network { + case "tcp", "tcp4", "tcp6": + default: + return nil, fmt.Errorf("unexpected dial network %q", network) + } + if address != expectedAddress { + return nil, fmt.Errorf("unexpected dial address %q (expected %q)", address, expectedAddress) + } return connection, nil }
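Review bot: The new DialContext guard validates the network and address but still hands back the same `connection` on every call, so once the transport drops it (it closes idle conns after IdleConnTimeout, which is one second here, and on any handshake or request error) the next request is dialed onto an already-closed conn and fails with a low-level closed-connection error rather than one that says why. Tracking whether the conn has already been handed out makes the single-use contract explicit and keeps the fail-closed behavior deliberate; `sync/atomic` would need importing in https.go if it is not already, and with MaxConnsPerHost set to 1 the transport should never legitimately need a second dial anyway. The `expectedAddress` check also pins the port to 443, so a request URL carrying an explicit port is rejected by this closure — if that is intended, a comment such as `// Only https://<destinationTLSName>/ on port 443 may be dialed; anything else fails closed.` above it would save the next reader a surprise. newHTTPSClient's signature sits above this hunk and its return continues past it.
```go
expectedAddress := net.JoinHostPort(destinationTLSName, "443")
var handedOut atomic.Bool
httpTransport.DialContext = func(_ context.Context, network, address string) (net.Conn, error) {
	// … unchanged: network and address checks …
	if handedOut.Swap(true) {
		return nil, fmt.Errorf("pre-established connection to %q was already handed to the transport", expectedAddress)
	}
	return connection, nil
}
```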