}
}
-void BPFFilter::block(const Netmask& addr, BPFFilter::MatchAction action)
+void BPFFilter::block(const Netmask& addr, bool force, BPFFilter::MatchAction action)
{
CounterAndActionValue value;
}
res = bpf_lookup_elem(map.d_fd.getHandle(), &key, &value);
- if (res != -1 && value.action == action) {
+ if (res != -1 && value.action == action && !force) {
throw std::runtime_error("Trying to block an already blocked netmask: " + addr.toString());
}
value.counter = 0;
value.action = action;
- res = bpf_update_elem(map.d_fd.getHandle(), &key, &value, BPF_NOEXIST);
+ res = bpf_update_elem(map.d_fd.getHandle(), &key, &value, force ? BPF_ANY : BPF_NOEXIST);
if (res == 0) {
++map.d_count;
}
throw std::runtime_error("eBPF support not enabled");
}
-void BPFFilter::block(const Netmask&, BPFFilter::MatchAction)
+void BPFFilter::block(const Netmask&, bool, BPFFilter::MatchAction)
{
throw std::runtime_error("eBPF support not enabled");
}
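Review bot: In the eBPF-enabled `block(const Netmask&, bool force, ...)` hunk, a forced call on a key that is already in the map makes `bpf_update_elem(..., BPF_ANY)` succeed as an overwrite, and the following `++map.d_count` still runs, so the counter grows without a new entry having been added; the lookup result cannot be consulted at that point because `res` has already been reused for the update. If `d_count` feeds a capacity check elsewhere (not visible in this section), repeated forced re-blocks would make the map look full early. One way to keep the count honest is to try `BPF_NOEXIST` first and fall back to `BPF_EXIST` only when forced, incrementing only on the insert path (this assumes the wrapper leaves errno set on failure, as the bpf syscall does). The body of `block` continues past the hunk, and the `#else` stub at the bottom of the section needs no further change.
```cpp
value.counter = 0;
value.action = action;
// Insert first so d_count only grows when a genuinely new key was added.
res = bpf_update_elem(map.d_fd.getHandle(), &key, &value, BPF_NOEXIST);
if (res == 0) {
  ++map.d_count;
}
else if (force && errno == EEXIST) {
  // Forced re-block of a key that already exists: overwrite in place, no count change.
  res = bpf_update_elem(map.d_fd.getHandle(), &key, &value, BPF_EXIST);
}
// … unchanged: remainder of block() past the hunk …
```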
void addSocket(int sock);
void removeSocket(int sock);
void block(const ComboAddress& addr, MatchAction action);
- void block(const Netmask& address, BPFFilter::MatchAction action);
+ void block(const Netmask& address, bool force, BPFFilter::MatchAction action);
void block(const DNSName& qname, MatchAction action, uint16_t qtype=255);
void unblock(const ComboAddress& addr);
void allow(const Netmask& address);
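Review bot: The new `bool force` parameter on `block(const Netmask& address, ...)` is undocumented in the header, and a bare bool in the middle of the argument list reads poorly at call sites (`block(range, true, action)`). I would add a comment above the declaration: `/* force: if an entry matching this netmask with the same action is already present, overwrite it instead of throwing */`. The sibling `block(const DNSName& qname, MatchAction action, uint16_t qtype=255)` puts its optional argument last with a default; declaring `force` after `action` as `bool force = false` would follow that convention and keep existing callers compiling, though that is a design choice for the maintainers.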
}
}
});
- luaCtx.registerFunction<void (std::shared_ptr<BPFFilter>::*)(const string& range, boost::optional<uint32_t> action)>("blockRange", [](std::shared_ptr<BPFFilter> bpf, const string& range, boost::optional<uint32_t> action) {
+ luaCtx.registerFunction<void (std::shared_ptr<BPFFilter>::*)(const string& range, boost::optional<bool> force, boost::optional<uint32_t> action)>("blockRange", [](std::shared_ptr<BPFFilter> bpf, const string& range, boost::optional<bool> force, boost::optional<uint32_t> action) {
if (!bpf) {
return;
}
-
- if (!action) {
- return bpf->block(Netmask(range), BPFFilter::MatchAction::Drop);
- }
BPFFilter::MatchAction match;
- switch (*action) {
+ switch (action.value_or(1)) {
case 0:
match = BPFFilter::MatchAction::Pass;
break;
default:
throw std::runtime_error("Unsupported action for BPFFilter::block");
}
- return bpf->block(Netmask(range), match);
+ return bpf->block(Netmask(range), force.value_or(false), match);
});
luaCtx.registerFunction<void(std::shared_ptr<BPFFilter>::*)(const DNSName& qname, boost::optional<uint16_t> qtype, boost::optional<uint32_t> action)>("blockQName", [](std::shared_ptr<BPFFilter> bpf, const DNSName& qname, boost::optional<uint16_t> qtype, boost::optional<uint32_t> action) {
if (bpf) {
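Review bot: Inserting `force` as the second positional argument of `blockRange` changes what the second argument means for existing scripts: a caller that passed `blockRange(range, 0)` to request Pass now hands `0` to a `boost::optional<bool>`, which, depending on how the Lua binding coerces numbers, either raises a type error or is treated as the force flag while the action silently falls back to Drop through `value_or(1)`. If the break is intended, the docs hunk should state it; otherwise appending `force` after `action` preserves the old call shape, e.g. `[](std::shared_ptr<BPFFilter> bpf, const string& range, boost::optional<uint32_t> action, boost::optional<bool> force) {` with the registered template signature adjusted to match. The `force.value_or(false)` default does keep behaviour unchanged for callers that omit both optional arguments.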
:param ComboAddress address: The address to block
- .. method:: BPFFilter:blockRange(Netmask)
+ .. method:: BPFFilter:blockRange(Netmask [, force=false])
.. versionchanged:: 1.8.0
DNSDist eBPF code first checks if an exact IP match is found, then if a range matches, and finally if a DNSName does.
:param string Netmask: The ip range to block
+ :param bool force: When ``force`` is set to true, DNSDist always accepts adding a new item to BPF maps, even if the item to be added may already be included in the larger network range.
.. method:: BPFFilter:blockQName(name [, qtype=255])