/* check that only allowed keys are present */
{
const char *bad_key = lua_table_checkindices(L, (const char *[])
- { "1", "hostname", "ca_file", "pin_sha256", "insecure", NULL });
+ { "1", "hostname", "ca_file", "pin_sha256", "insecure", "tls", NULL });
if (bad_key)
lua_error_p(L, "found unexpected key '%s'", bad_key);
}
/// Beware of ABI: this struct is memcpy'd to/from rule DB.
bool
is_auth : 1,
- is_tcp : 1, /// forced TCP (e.g. DoT)
+ is_tcp : 1, /// forced TCP; unused, not needed for DoT
is_nods : 1; /// disable local DNSSEC validation
};
typedef struct kr_rule_fwd_flags kr_rule_fwd_flags_t;
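Review bot: The rewritten comment on `is_tcp` says the bit is unused but not why it is still declared, and with the "memcpy'd to/from rule DB" warning two lines above, the next maintainer may be tempted to reclaim or repurpose it. Suggest `is_tcp : 1, /// forced TCP; unused, kept only for rule-DB ABI compatibility (not needed for DoT)`. Since rules persisted by older builds presumably still carry this bit set, it would also help to state that readers must ignore it rather than derive the transport from it; the struct header and any such readers are outside this hunk.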
\param subtree plain string
\param options
.auth targets are authoritative (false by default = resolver)
- .tls use DoT (false by default, only for resolvers)
.dnssec if overridden to false, don't validate DNSSEC locally
- for resolvers we still do *not* send CD=1 upstream,
i.e. we trust their DNSSEC validation.
- for auths this inserts a negative trust anchor
Beware that setting .set_insecure() *later* would override that.
-\param targets same format as policy.TLS_FORWARD()
+\param targets same format as policy.TLS_FORWARD() except that `tls = true`
+ can be specified for each address (defaults to false)
--]]
function policy.rule_forward_add(subtree, options, targets)
- local port_default = 53
- if options.tls or false then
- port_default = 853
- -- lots of code; easiest to just call it this way; checks and throws
- policy.TLS_FORWARD(targets)
- end
-
local targets_2 = {}
for _, target in ipairs(targets) do
+ local port_default = 53
+ if target.tls or false then
+ port_default = 853
+ -- lots of code; easiest to just call it this way; checks and throws
+ -- The extra .tls field gets ignored.
+ policy.TLS_FORWARD({target})
+ end
+
-- this also throws on failure
local sock = addr2sock(target[1], port_default)
if options.auth then
local subtree_dname = todname(subtree)
assert(ffi.C.kr_rule_forward(subtree_dname,
- { is_tcp = options.tls
- , is_nods = options.dnssec == false
- , is_auth = options.auth
+ {
+ is_nods = options.dnssec == false,
+ is_auth = options.auth,
},
targets_3
) == 0)
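Review bot: Dropping `options.tls` without any check means a caller that still passes `tls = true` at the options level (the form documented on the removed `.tls` line) now gets every target forwarded in plaintext to port 53 with no error — a silent downgrade, since `is_tcp = options.tls` is gone and only `target.tls` is consulted. If this function has already shipped with that option, reject it loudly, e.g. `if options.tls ~= nil then error('rule_forward_add: options.tls was removed; set tls = true per target') end`. In the same spirit, a target that carries `hostname`, `ca_file`, `pin_sha256` or `insecure` (the keys the C-side index check admits) but omits `tls = true` skips `policy.TLS_FORWARD` entirely and those authentication parameters are ignored; erroring there would stop a forgotten `tls = true` from turning into unauthenticated forwarding. The `target.tls or false` at the `if` is redundant — `if target.tls then` reads the same. The body of `rule_forward_add` continues past the hunk (`targets_3` is built outside it), so the placement below is approximate.

```lua
function policy.rule_forward_add(subtree, options, targets)
	-- options.tls used to apply to all targets; rejecting it avoids a silent
	-- fallback to plaintext port 53 for configs written against that form
	if options.tls ~= nil then
		error('rule_forward_add: options.tls was removed; set tls = true per target')
	end

	local targets_2 = {}
	for _, target in ipairs(targets) do
		local port_default = 53
		if target.tls then
			port_default = 853
			-- lots of code; easiest to just call it this way; checks and throws
			-- The extra .tls field gets ignored.
			policy.TLS_FORWARD({target})
		elseif target.hostname or target.ca_file or target.pin_sha256 or target.insecure then
			-- TLS authentication parameters would otherwise be silently ignored
			error('rule_forward_add: TLS parameters given for a target without tls = true')
		end
		-- … unchanged: addr2sock, kr_rule_forward call …
```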