[thirdparty/pdns.git] / pdns / filterpo.hh

/*
 * This file is part of PowerDNS or dnsdist.
 * Copyright -- PowerDNS.COM B.V. and its contributors
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of version 2 of the GNU General Public License as
 * published by the Free Software Foundation.
 *
 * In addition, for the avoidance of any doubt, permission is granted to
 * link this program with OpenSSL and to (re)distribute the binaries
 * produced as the result of such linking.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
#pragma once
#include "iputils.hh"
#include "dns.hh"
#include "dnsparser.hh"
#include <map>

/* This class implements a filtering policy that is able to fully implement RPZ, but is not bound to it.
   In other words, it is generic enough to support RPZ, but could get its data from other places.


   We know the following actions:
   
   No action - just pass it on
   Drop - drop a query, no response
   NXDOMAIN - fake up an NXDOMAIN for the query 
   NODATA - just return no data for this qtype
   Truncate - set TC bit
   Modified - "we fake an answer for you"

   These actions can be caused by the following triggers:
   
   qname - the query name
   client-ip - the IP address of the requestor
   response-ip - an IP address in the response
   ns-name - the name of a server used in the delegation
   ns-ip - the IP address of a server used in the delegation

   This means we get several hook points:
   1) when the query comes in: qname & client-ip
   2) during processing: ns-name & ns-ip
   3) after processing: response-ip

   Triggers meanwhile can apply to:
   Verbatim domain names
   Wildcard versions (*.domain.com does NOT match domain.com)
   Netmasks (IPv4 and IPv6)
   Finally, triggers are grouped in different zones. The "first" zone that has a match
   is consulted. Then within that zone, rules again have precedences. 
*/


class DNSFilterEngine
{
public:
  enum class PolicyKind { NoAction, Drop, NXDOMAIN, NODATA, Truncate, Custom};
  struct Policy
  {
    bool operator==(const Policy& rhs) const
    {
      return d_kind == rhs.d_kind; // XXX check d_custom too!
    }
    PolicyKind d_kind;
    std::shared_ptr<DNSRecordContent> d_custom;
    std::string d_name;
    int d_ttl;
  };

  DNSFilterEngine();
  void clear();
  void clear(int zone);
  void addClientTrigger(const Netmask& nm, Policy pol, int zone=0);
  void addQNameTrigger(const DNSName& nm, Policy pol, int zone=0);
  void addNSTrigger(const DNSName& dn, Policy pol, int zone=0);
  void addResponseTrigger(const Netmask& nm, Policy pol, int zone=0);

  bool rmClientTrigger(const Netmask& nm, Policy pol, int zone=0);
  bool rmQNameTrigger(const DNSName& nm, Policy pol, int zone=0);
  bool rmNSTrigger(const DNSName& dn, Policy pol, int zone=0);
  bool rmResponseTrigger(const Netmask& nm, Policy pol, int zone=0);


  Policy getQueryPolicy(const DNSName& qname, const ComboAddress& nm) const;
  Policy getProcessingPolicy(const DNSName& qname) const;
  Policy getPostPolicy(const vector<DNSRecord>& records) const;

  size_t size() {
    return d_zones.size();
  }
private:
  void assureZones(int zone);
  struct Zone {
    std::map<DNSName, Policy> qpolName;
    NetmaskTree<Policy> qpolAddr;
    std::map<DNSName, Policy> propolName;
    NetmaskTree<Policy> postpolAddr;
  };
  vector<Zone> d_zones;

};
Commit	Line	Data
12471842 PL	1	/*
	2	* This file is part of PowerDNS or dnsdist.
	3	* Copyright -- PowerDNS.COM B.V. and its contributors
	4	*
	5	* This program is free software; you can redistribute it and/or modify
	6	* it under the terms of version 2 of the GNU General Public License as
	7	* published by the Free Software Foundation.
	8	*
	9	* In addition, for the avoidance of any doubt, permission is granted to
	10	* link this program with OpenSSL and to (re)distribute the binaries
	11	* produced as the result of such linking.
	12	*
	13	* This program is distributed in the hope that it will be useful,
	14	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	15	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	16	* GNU General Public License for more details.
	17	*
	18	* You should have received a copy of the GNU General Public License
	19	* along with this program; if not, write to the Free Software
	20	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
	21	*/
644dd1da	22	#pragma once
	23	#include "iputils.hh"
	24	#include "dns.hh"
39ec5d29	25	#include "dnsparser.hh"
644dd1da	26	#include <map>
	27
	28	/* This class implements a filtering policy that is able to fully implement RPZ, but is not bound to it.
	29	In other words, it is generic enough to support RPZ, but could get its data from other places.
	30
	31
	32	We know the following actions:
	33
	34	No action - just pass it on
	35	Drop - drop a query, no response
	36	NXDOMAIN - fake up an NXDOMAIN for the query
	37	NODATA - just return no data for this qtype
	38	Truncate - set TC bit
	39	Modified - "we fake an answer for you"
	40
	41	These actions can be caused by the following triggers:
	42
	43	qname - the query name
	44	client-ip - the IP address of the requestor
	45	response-ip - an IP address in the response
	46	ns-name - the name of a server used in the delegation
	47	ns-ip - the IP address of a server used in the delegation
	48
	49	This means we get several hook points:
	50	1) when the query comes in: qname & client-ip
	51	2) during processing: ns-name & ns-ip
	52	3) after processing: response-ip
	53
	54	Triggers meanwhile can apply to:
	55	Verbatim domain names
	56	Wildcard versions (*.domain.com does NOT match domain.com)
	57	Netmasks (IPv4 and IPv6)
644dd1da	58	Finally, triggers are grouped in different zones. The "first" zone that has a match
	59	is consulted. Then within that zone, rules again have precedences.
	60	*/
	61
	62
	63	class DNSFilterEngine
	64	{
	65	public:
39ec5d29	66	enum class PolicyKind { NoAction, Drop, NXDOMAIN, NODATA, Truncate, Custom};
	67	struct Policy
	68	{
	69	bool operator==(const Policy& rhs) const
	70	{
	71	return d_kind == rhs.d_kind; // XXX check d_custom too!
	72	}
	73	PolicyKind d_kind;
	74	std::shared_ptr<DNSRecordContent> d_custom;
83971888	75	std::string d_name;
3876ee44	76	int d_ttl;
39ec5d29	77	};
644dd1da	78
	79	DNSFilterEngine();
	80	void clear();
	81	void clear(int zone);
	82	void addClientTrigger(const Netmask& nm, Policy pol, int zone=0);
	83	void addQNameTrigger(const DNSName& nm, Policy pol, int zone=0);
	84	void addNSTrigger(const DNSName& dn, Policy pol, int zone=0);
	85	void addResponseTrigger(const Netmask& nm, Policy pol, int zone=0);
	86
39ec5d29	87	bool rmClientTrigger(const Netmask& nm, Policy pol, int zone=0);
	88	bool rmQNameTrigger(const DNSName& nm, Policy pol, int zone=0);
	89	bool rmNSTrigger(const DNSName& dn, Policy pol, int zone=0);
	90	bool rmResponseTrigger(const Netmask& nm, Policy pol, int zone=0);
	91
	92
644dd1da	93	Policy getQueryPolicy(const DNSName& qname, const ComboAddress& nm) const;
	94	Policy getProcessingPolicy(const DNSName& qname) const;
	95	Policy getPostPolicy(const vector<DNSRecord>& records) const;
	96
0e760497	97	size_t size() {
	98	return d_zones.size();
	99	}
644dd1da	100	private:
	101	void assureZones(int zone);
	102	struct Zone {
	103	std::map<DNSName, Policy> qpolName;
0e760497	104	NetmaskTree<Policy> qpolAddr;
644dd1da	105	std::map<DNSName, Policy> propolName;
0e760497	106	NetmaskTree<Policy> postpolAddr;
644dd1da	107	};
	108	vector<Zone> d_zones;
	109
	110	};