]>
Commit | Line | Data |
---|---|---|
12471842 PL |
1 | /* |
2 | * This file is part of PowerDNS or dnsdist. | |
3 | * Copyright -- PowerDNS.COM B.V. and its contributors | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of version 2 of the GNU General Public License as | |
7 | * published by the Free Software Foundation. | |
8 | * | |
9 | * In addition, for the avoidance of any doubt, permission is granted to | |
10 | * link this program with OpenSSL and to (re)distribute the binaries | |
11 | * produced as the result of such linking. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, | |
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
16 | * GNU General Public License for more details. | |
17 | * | |
18 | * You should have received a copy of the GNU General Public License | |
19 | * along with this program; if not, write to the Free Software | |
20 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | |
21 | */ | |
644dd1da | 22 | #pragma once |
23 | #include "iputils.hh" | |
24 | #include "dns.hh" | |
39ec5d29 | 25 | #include "dnsparser.hh" |
644dd1da | 26 | #include <map> |
27 | ||
28 | /* This class implements a filtering policy that is able to fully implement RPZ, but is not bound to it. | |
29 | In other words, it is generic enough to support RPZ, but could get its data from other places. | |
30 | ||
31 | ||
32 | We know the following actions: | |
33 | ||
34 | No action - just pass it on | |
35 | Drop - drop a query, no response | |
36 | NXDOMAIN - fake up an NXDOMAIN for the query | |
37 | NODATA - just return no data for this qtype | |
38 | Truncate - set TC bit | |
39 | Modified - "we fake an answer for you" | |
40 | ||
41 | These actions can be caused by the following triggers: | |
42 | ||
43 | qname - the query name | |
44 | client-ip - the IP address of the requestor | |
45 | response-ip - an IP address in the response | |
46 | ns-name - the name of a server used in the delegation | |
47 | ns-ip - the IP address of a server used in the delegation | |
48 | ||
49 | This means we get several hook points: | |
50 | 1) when the query comes in: qname & client-ip | |
51 | 2) during processing: ns-name & ns-ip | |
52 | 3) after processing: response-ip | |
53 | ||
54 | Triggers meanwhile can apply to: | |
55 | Verbatim domain names | |
56 | Wildcard versions (*.domain.com does NOT match domain.com) | |
57 | Netmasks (IPv4 and IPv6) | |
644dd1da | 58 | Finally, triggers are grouped in different zones. The "first" zone that has a match |
59 | is consulted. Then within that zone, rules again have precedences. | |
60 | */ | |
61 | ||
62 | ||
63 | class DNSFilterEngine | |
64 | { | |
65 | public: | |
39ec5d29 | 66 | enum class PolicyKind { NoAction, Drop, NXDOMAIN, NODATA, Truncate, Custom}; |
67 | struct Policy | |
68 | { | |
69 | bool operator==(const Policy& rhs) const | |
70 | { | |
71 | return d_kind == rhs.d_kind; // XXX check d_custom too! | |
72 | } | |
73 | PolicyKind d_kind; | |
74 | std::shared_ptr<DNSRecordContent> d_custom; | |
83971888 | 75 | std::string d_name; |
3876ee44 | 76 | int d_ttl; |
39ec5d29 | 77 | }; |
644dd1da | 78 | |
79 | DNSFilterEngine(); | |
80 | void clear(); | |
81 | void clear(int zone); | |
82 | void addClientTrigger(const Netmask& nm, Policy pol, int zone=0); | |
83 | void addQNameTrigger(const DNSName& nm, Policy pol, int zone=0); | |
84 | void addNSTrigger(const DNSName& dn, Policy pol, int zone=0); | |
85 | void addResponseTrigger(const Netmask& nm, Policy pol, int zone=0); | |
86 | ||
39ec5d29 | 87 | bool rmClientTrigger(const Netmask& nm, Policy pol, int zone=0); |
88 | bool rmQNameTrigger(const DNSName& nm, Policy pol, int zone=0); | |
89 | bool rmNSTrigger(const DNSName& dn, Policy pol, int zone=0); | |
90 | bool rmResponseTrigger(const Netmask& nm, Policy pol, int zone=0); | |
91 | ||
92 | ||
644dd1da | 93 | Policy getQueryPolicy(const DNSName& qname, const ComboAddress& nm) const; |
94 | Policy getProcessingPolicy(const DNSName& qname) const; | |
95 | Policy getPostPolicy(const vector<DNSRecord>& records) const; | |
96 | ||
0e760497 | 97 | size_t size() { |
98 | return d_zones.size(); | |
99 | } | |
644dd1da | 100 | private: |
101 | void assureZones(int zone); | |
102 | struct Zone { | |
103 | std::map<DNSName, Policy> qpolName; | |
0e760497 | 104 | NetmaskTree<Policy> qpolAddr; |
644dd1da | 105 | std::map<DNSName, Policy> propolName; |
0e760497 | 106 | NetmaskTree<Policy> postpolAddr; |
644dd1da | 107 | }; |
108 | vector<Zone> d_zones; | |
109 | ||
110 | }; |