
Allow blocking of specified IP ranges

Open captncraig opened this issue 2 years ago • 2 comments

We are using blackbox exporter as a library, in a Kubernetes cluster, and some of our targets are specified by other teams, or even our customers. We would like to ensure there is no way that probes can interact with internal cluster components, or certain sensitive services in this network.

Firewall rules, NetworkPolicy, and so forth have been explored extensively, and have proven difficult, if not impossible, to implement at the levels of granularity we need. The solution we would like to explore next is implementing this blocking in-app, by having bbe check a blocklist before dialing out. It needs to be done after DNS resolution, so we can't simply filter our targets before calling the probers.

I have implemented this in my fork, by providing a custom dialer function that can be overridden by a user of the library. This would allow us to inject a custom dialer that respects the CIDR blocks we want to deny any access to.

Is this something that this project would consider accepting? I am not sure if this is the best way to go about it, or if it would make sense to put full IP blocking functionality into blackbox exporter itself.

captncraig avatar May 05 '22 14:05 captncraig
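The approach described above, resolving the target first and then refusing to dial any address that falls inside a denied range, is sketched here as an added example. It is not code from the issue author's fork or from blackbox exporter itself; the names `ParseDenyList`, `CheckResolved` and `NewDenyListDialer` are assumptions for illustration, and the ranges in `main` are constructed sample values. The dialer has the same signature as `net.Dialer.DialContext`, so it can be handed to any library that exposes a dialer hook. It fails closed: if any resolved address is denied, the whole target is refused rather than dialing the remaining addresses, and the connection is made to the literal IP that passed the check so nothing downstream re-resolves the name.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"time"
)

// ErrBlocked is returned when a target resolves to a denied address.
var ErrBlocked = errors.New("target resolves to a denied address range")

// ParseDenyList turns CIDR strings into networks. A bare IP address is
// accepted as well and treated as a single-address network.
func ParseDenyList(entries []string) ([]*net.IPNet, error) {
	nets := make([]*net.IPNet, 0, len(entries))
	for _, e := range entries {
		_, n, err := net.ParseCIDR(e)
		if err != nil {
			ip := net.ParseIP(e)
			if ip == nil {
				return nil, fmt.Errorf("invalid deny entry %q", e)
			}
			bits := 128
			if v4 := ip.To4(); v4 != nil {
				ip, bits = v4, 32
			}
			n = &net.IPNet{IP: ip, Mask: net.CIDRMask(bits, bits)}
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// IsDenied reports whether ip lies inside any denied network.
func IsDenied(ip net.IP, deny []*net.IPNet) bool {
	for _, n := range deny {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// CheckResolved inspects every address a name resolved to, not just the
// first one: a name controlled by a third party may return a mix of
// public and internal addresses, and any denied answer blocks the target.
func CheckResolved(addrs []net.IPAddr, deny []*net.IPNet) error {
	for _, a := range addrs {
		if IsDenied(a.IP, deny) {
			return fmt.Errorf("%s: %w", a.IP, ErrBlocked)
		}
	}
	return nil
}

// DialContextFunc matches net.Dialer.DialContext so the result can be
// plugged in wherever a library accepts a custom dialer.
type DialContextFunc func(ctx context.Context, network, addr string) (net.Conn, error)

// NewDenyListDialer resolves the host itself, applies the deny list to
// the answers, and then dials the literal IPs that passed.
func NewDenyListDialer(deny []*net.IPNet, resolver *net.Resolver, timeout time.Duration) DialContextFunc {
	if resolver == nil {
		resolver = net.DefaultResolver
	}
	d := &net.Dialer{Timeout: timeout}
	return func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}
		addrs, err := resolver.LookupIPAddr(ctx, host)
		if err != nil {
			return nil, err
		}
		if err := CheckResolved(addrs, deny); err != nil {
			return nil, fmt.Errorf("dial %s: %w", addr, err)
		}
		var lastErr error
		for _, a := range addrs {
			conn, err := d.DialContext(ctx, network, net.JoinHostPort(a.IP.String(), port))
			if err == nil {
				return conn, nil
			}
			lastErr = err
		}
		return nil, lastErr
	}
}

func main() {
	// Constructed sample ranges: RFC 1918 space, loopback, a link-local
	// metadata address and a ULA prefix. Real deployments load their own.
	deny, err := ParseDenyList([]string{"10.0.0.0/8", "127.0.0.0/8", "169.254.169.254", "fd00::/8"})
	if err != nil {
		panic(err)
	}
	dial := NewDenyListDialer(deny, nil, 3*time.Second)
	_, err = dial(context.Background(), "tcp", "127.0.0.1:9")
	fmt.Println("dial 127.0.0.1:9 ->", err)
}
```

Because the check runs on the resolver's answers rather than on the configured target string, a target such as `http://some.hostname/` that happens to resolve into cluster address space is refused at dial time, which is the point the issue makes about filtering after DNS resolution.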

@roidelapluie I know this is a very niche requirement, but I was hoping that you would provide your thoughts on this.

mem avatar May 10 '22 13:05 mem

It's not niche, but it should be implemented consistently across all probes. Also I think allowlisting could be useful as well. I'd like to see a design document about allow/deny lists in blackbox exporter so we can design this correctly.

roidelapluie avatar May 10 '22 13:05 roidelapluie