src/acl/DestinationDomain.cc

   1 /*
   2  * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
   3  *
   4  * Squid software is distributed under GPLv2+ license and includes
   5  * contributions from numerous individuals and organizations.
   6  * Please see the COPYING and CONTRIBUTORS files for details.
   7  */
   8
   9 /* DEBUG: section 28    Access Control */
  10
  11 #include "squid.h"
  12 #include "acl/DestinationDomain.h"
  13 #include "acl/DomainData.h"
  14 #include "acl/FilledChecklist.h"
  15 #include "acl/RegexData.h"
  16 #include "fqdncache.h"
  17 #include "HttpRequest.h"
  18
  19 static void LookupDone(const char *, const Dns::LookupDetails &, void *data);
  20
  21 static void
  22 StartLookup(ACLFilledChecklist &cl, const Acl::Node &)
  23 {
  24     fqdncache_nbgethostbyaddr(cl.dst_addr, LookupDone, &cl);
  25 }
  26
  27 static void
  28 LookupDone(const char *, const Dns::LookupDetails &details, void *data)
  29 {
  30     ACLFilledChecklist *checklist = Filled((ACLChecklist*)data);
  31     checklist->markDestinationDomainChecked();
  32     checklist->request->recordLookup(details);
  33     checklist->resumeNonBlockingCheck();
  34 }
  35
  36 /* Acl::DestinationDomainCheck */
  37
  38 const Acl::Options &
  39 Acl::DestinationDomainCheck::options()
  40 {
  41     static const Acl::BooleanOption LookupBanFlag("-n");
  42     static const Acl::Options MyOptions = { &LookupBanFlag };
  43     LookupBanFlag.linkWith(&lookupBanned);
  44     return MyOptions;
  45 }
  46
  47 int
  48 Acl::DestinationDomainCheck::match(ACLChecklist * const ch)
  49 {
  50     const auto checklist = Filled(ch);
  51
  52     assert(checklist != nullptr && checklist->request != nullptr);
  53
  54     if (data->match(checklist->request->url.host())) {
  55         return 1;
  56     }
  57
  58     if (lookupBanned) {
  59         debugs(28, 3, "No-lookup DNS ACL '" << name << "' for " << checklist->request->url.host());
  60         return 0;
  61     }
  62
  63     /* numeric IPA? no, trust the above result. */
  64     if (!checklist->request->url.hostIsNumeric()) {
  65         return 0;
  66     }
  67
  68     /* do we already have the rDNS? match on it if we do. */
  69     if (checklist->dst_rdns) {
  70         debugs(28, 3, "'" << name << "' match with stored rDNS '" << checklist->dst_rdns << "' for " << checklist->request->url.host());
  71         return data->match(checklist->dst_rdns);
  72     }
  73
  74     /* raw IP without rDNS? look it up and wait for the result */
  75     if (!checklist->dst_addr.fromHost(checklist->request->url.host())) {
  76         /* not a valid IPA */
  77         checklist->dst_rdns = xstrdup("invalid");
  78         return 0;
  79     }
  80
  81     const char *fqdn = fqdncache_gethostbyaddr(checklist->dst_addr, FQDN_LOOKUP_IF_MISS);
  82
  83     if (fqdn) {
  84         checklist->dst_rdns = xstrdup(fqdn);
  85         return data->match(fqdn);
  86     } else if (!checklist->destinationDomainChecked()) {
  87         debugs(28, 3, "Can't yet compare '" << name << "' ACL for " << checklist->request->url.host());
  88         if (checklist->goAsync(StartLookup, *this))
  89             return -1;
  90         // else fall through to "none" match, hiding the lookup failure (XXX)
  91     }
  92
  93     return data->match("none");
  94 }
  95