]>
Commit | Line | Data |
---|---|---|
644dd1da | 1 | #include "filterpo.hh" |
2 | #include <iostream> | |
3 | #include "namespaces.hh" | |
4 | #include "dnsrecords.hh" | |
5 | ||
6 | DNSFilterEngine::DNSFilterEngine() | |
7 | { | |
8 | } | |
9 | ||
10 | bool findNamedPolicy(const map<DNSName, DNSFilterEngine::Policy>& polmap, const DNSName& qname, DNSFilterEngine::Policy& pol) | |
11 | { | |
12 | DNSName s(qname); | |
13 | ||
14 | /* for www.powerdns.com, we need to check: | |
15 | www.powerdns.com. | |
16 | *.powerdns.com. | |
17 | powerdns.com. | |
18 | *.com. | |
19 | com. | |
20 | *. | |
21 | . */ | |
22 | ||
23 | bool first=true; | |
24 | do { | |
25 | auto iter = polmap.find(s); | |
26 | if(iter != polmap.end()) { | |
27 | pol=iter->second; | |
28 | return true; | |
29 | } | |
30 | if(!first) { | |
31 | iter = polmap.find(DNSName("*")+s); | |
32 | if(iter != polmap.end()) { | |
33 | pol=iter->second; | |
34 | return true; | |
35 | } | |
36 | } | |
37 | first=false; | |
38 | } while(s.chopOff()); | |
39 | return false; | |
40 | } | |
41 | ||
42 | DNSFilterEngine::Policy DNSFilterEngine::getProcessingPolicy(const DNSName& qname) const | |
43 | { | |
39ec5d29 | 44 | // cout<<"Got question for nameserver name "<<qname<<endl; |
83971888 | 45 | Policy pol{PolicyKind::NoAction, nullptr, "", 0}; |
644dd1da | 46 | for(const auto& z : d_zones) { |
47 | if(findNamedPolicy(z.propolName, qname, pol)) { | |
de0f72ba | 48 | // cerr<<"Had a hit on the nameserver ("<<qname<<") used to process the query"<<endl; |
644dd1da | 49 | return pol; |
50 | } | |
51 | } | |
52 | return pol; | |
53 | } | |
54 | ||
55 | ||
56 | DNSFilterEngine::Policy DNSFilterEngine::getQueryPolicy(const DNSName& qname, const ComboAddress& ca) const | |
57 | { | |
de0f72ba | 58 | // cout<<"Got question for "<<qname<<" from "<<ca.toString()<<endl; |
644dd1da | 59 | |
83971888 | 60 | Policy pol{PolicyKind::NoAction, nullptr, "", 0}; |
644dd1da | 61 | for(const auto& z : d_zones) { |
62 | if(findNamedPolicy(z.qpolName, qname, pol)) { | |
de0f72ba | 63 | // cerr<<"Had a hit on the name of the query"<<endl; |
644dd1da | 64 | return pol; |
65 | } | |
66 | ||
0e760497 | 67 | if(auto fnd=z.qpolAddr.lookup(ca)) { |
68 | // cerr<<"Had a hit on the IP address ("<<ca.toString()<<") of the client"<<endl; | |
69 | return fnd->second; | |
644dd1da | 70 | } |
71 | } | |
72 | ||
39ec5d29 | 73 | return pol; |
644dd1da | 74 | } |
75 | ||
76 | DNSFilterEngine::Policy DNSFilterEngine::getPostPolicy(const vector<DNSRecord>& records) const | |
77 | { | |
78 | ComboAddress ca; | |
79 | ||
80 | for(const auto& r : records) { | |
589ad24b | 81 | if(r.d_place != DNSResourceRecord::ANSWER) |
644dd1da | 82 | continue; |
ba3c54cb RG |
83 | if(r.d_type == QType::A) { |
84 | if (auto rec = getRR<ARecordContent>(r)) { | |
85 | ca = rec->getCA(); | |
86 | } | |
87 | } | |
88 | else if(r.d_type == QType::AAAA) { | |
89 | if (auto rec = getRR<AAAARecordContent>(r)) { | |
90 | ca = rec->getCA(); | |
91 | } | |
92 | } | |
644dd1da | 93 | else |
94 | continue; | |
95 | ||
96 | for(const auto& z : d_zones) { | |
0e760497 | 97 | if(auto fnd=z.postpolAddr.lookup(ca)) |
98 | return fnd->second; | |
644dd1da | 99 | } |
100 | } | |
83971888 | 101 | return Policy{PolicyKind::NoAction, nullptr, "", 0}; |
644dd1da | 102 | } |
103 | ||
104 | void DNSFilterEngine::assureZones(int zone) | |
105 | { | |
106 | if((int)d_zones.size() <= zone) | |
107 | d_zones.resize(zone+1); | |
644dd1da | 108 | } |
109 | ||
7eafc52f | 110 | void DNSFilterEngine::clear(int zone) |
111 | { | |
112 | assureZones(zone); | |
113 | auto& z = d_zones[zone]; | |
114 | z.qpolAddr.clear(); | |
115 | z.postpolAddr.clear(); | |
116 | z.propolName.clear(); | |
117 | z.qpolName.clear(); | |
118 | } | |
119 | ||
644dd1da | 120 | void DNSFilterEngine::addClientTrigger(const Netmask& nm, Policy pol, int zone) |
121 | { | |
122 | assureZones(zone); | |
0e760497 | 123 | d_zones[zone].qpolAddr.insert(nm).second=pol; |
644dd1da | 124 | } |
125 | ||
126 | void DNSFilterEngine::addResponseTrigger(const Netmask& nm, Policy pol, int zone) | |
127 | { | |
128 | assureZones(zone); | |
0e760497 | 129 | d_zones[zone].postpolAddr.insert(nm).second=pol; |
644dd1da | 130 | } |
131 | ||
132 | void DNSFilterEngine::addQNameTrigger(const DNSName& n, Policy pol, int zone) | |
133 | { | |
134 | assureZones(zone); | |
135 | d_zones[zone].qpolName[n]=pol; | |
136 | } | |
137 | ||
138 | void DNSFilterEngine::addNSTrigger(const DNSName& n, Policy pol, int zone) | |
139 | { | |
140 | assureZones(zone); | |
141 | d_zones[zone].propolName[n]=pol; | |
142 | } | |
39ec5d29 | 143 | |
144 | bool DNSFilterEngine::rmClientTrigger(const Netmask& nm, Policy pol, int zone) | |
145 | { | |
146 | assureZones(zone); | |
147 | ||
148 | auto& qpols = d_zones[zone].qpolAddr; | |
0e760497 | 149 | qpols.erase(nm); |
39ec5d29 | 150 | return true; |
151 | } | |
152 | ||
153 | bool DNSFilterEngine::rmResponseTrigger(const Netmask& nm, Policy pol, int zone) | |
154 | { | |
155 | assureZones(zone); | |
156 | auto& postpols = d_zones[zone].postpolAddr; | |
0e760497 | 157 | postpols.erase(nm); |
39ec5d29 | 158 | return true; |
159 | } | |
160 | ||
161 | bool DNSFilterEngine::rmQNameTrigger(const DNSName& n, Policy pol, int zone) | |
162 | { | |
163 | assureZones(zone); | |
164 | d_zones[zone].qpolName.erase(n); // XXX verify we had identical policy? | |
165 | return true; | |
166 | } | |
167 | ||
168 | bool DNSFilterEngine::rmNSTrigger(const DNSName& n, Policy pol, int zone) | |
169 | { | |
170 | assureZones(zone); | |
171 | d_zones[zone].propolName.erase(n); // XXX verify policy matched? =pol; | |
172 | return true; | |
173 | } |