}
-int PacketHandler::processUpdate(DNSPacket& p) { // NOLINT(readability-function-cognitive-complexity)
+int PacketHandler::processUpdate(DNSPacket& packet) { // NOLINT(readability-function-cognitive-complexity)
if (! ::arg().mustDo("dnsupdate"))
return RCode::Refused;
- string msgPrefix="UPDATE (" + std::to_string(p.d.id) + ") from " + p.getRemoteString() + " for " + p.qdomain.toLogString() + ": ";
+ string msgPrefix="UPDATE (" + std::to_string(packet.d.id) + ") from " + packet.getRemoteString() + " for " + packet.qdomain.toLogString() + ": ";
g_log<<Logger::Info<<msgPrefix<<"Processing started."<<endl;
// if there is policy, we delegate all checks to it
// Check permissions - IP based
vector<string> allowedRanges;
- B.getDomainMetadata(p.qdomain, "ALLOW-DNSUPDATE-FROM", allowedRanges);
+ B.getDomainMetadata(packet.qdomain, "ALLOW-DNSUPDATE-FROM", allowedRanges);
if (! ::arg()["allow-dnsupdate-from"].empty())
stringtok(allowedRanges, ::arg()["allow-dnsupdate-from"], ", \t" );
ng.addMask(i);
}
- if ( ! ng.match(p.getInnerRemote())) {
+ if ( ! ng.match(packet.getInnerRemote())) {
g_log<<Logger::Error<<msgPrefix<<"Remote not listed in allow-dnsupdate-from or domainmetadata. Sending REFUSED"<<endl;
return RCode::Refused;
}
// Check permissions - TSIG based.
vector<string> tsigKeys;
- B.getDomainMetadata(p.qdomain, "TSIG-ALLOW-DNSUPDATE", tsigKeys);
+ B.getDomainMetadata(packet.qdomain, "TSIG-ALLOW-DNSUPDATE", tsigKeys);
if (tsigKeys.size() > 0) {
bool validKey = false;
TSIGRecordContent trc;
DNSName inputkey;
string message;
- if (! p.getTSIGDetails(&trc, &inputkey)) {
+ if (! packet.getTSIGDetails(&trc, &inputkey)) {
g_log<<Logger::Error<<msgPrefix<<"TSIG key required, but packet does not contain key. Sending REFUSED"<<endl;
return RCode::Refused;
}
#ifdef ENABLE_GSS_TSIG
- if (g_doGssTSIG && p.d_tsig_algo == TSIG_GSS) {
- GssName inputname(p.d_peer_principal); // match against principal since GSS requires that
+ if (g_doGssTSIG && packet.d_tsig_algo == TSIG_GSS) {
+ GssName inputname(packet.d_peer_principal); // match against principal since GSS requires that
for(const auto& key: tsigKeys) {
if (inputname.match(key)) {
validKey = true;
return RCode::Refused;
}
- if (tsigKeys.size() == 0 && p.d_havetsig)
+ if (tsigKeys.size() == 0 && packet.d_havetsig)
g_log<<Logger::Warning<<msgPrefix<<"TSIG is provided, but domain is not secured with TSIG. Processing continues"<<endl;
}
// RFC2136 uses the same DNS Header and Message as defined in RFC1035.
// This means we can use the MOADNSParser to parse the incoming packet. The result is that we have some different
// variable names during the use of our MOADNSParser.
- MOADNSParser mdp(false, p.getString());
+ MOADNSParser mdp(false, packet.getString());
if (mdp.d_header.qdcount != 1) {
g_log<<Logger::Warning<<msgPrefix<<"Zone Count is not 1, sending FormErr"<<endl;
return RCode::FormErr;
}
- if (p.qtype.getCode() != QType::SOA) { // RFC2136 2.3 - ZTYPE must be SOA
+ if (packet.qtype.getCode() != QType::SOA) { // RFC2136 2.3 - ZTYPE must be SOA
g_log<<Logger::Warning<<msgPrefix<<"Query ZTYPE is not SOA, sending FormErr"<<endl;
return RCode::FormErr;
}
- if (p.qclass != QClass::IN) {
+ if (packet.qclass != QClass::IN) {
g_log<<Logger::Warning<<msgPrefix<<"Class is not IN, sending NotAuth"<<endl;
return RCode::NotAuth;
}
DomainInfo di;
di.backend=nullptr;
- if(!B.getDomainInfo(p.qdomain, di) || !di.backend) {
- g_log<<Logger::Error<<msgPrefix<<"Can't determine backend for domain '"<<p.qdomain<<"' (or backend does not support DNS update operation)"<<endl;
+ if(!B.getDomainInfo(packet.qdomain, di) || !di.backend) {
+ g_log<<Logger::Error<<msgPrefix<<"Can't determine backend for domain '"<<packet.qdomain<<"' (or backend does not support DNS update operation)"<<endl;
return RCode::NotAuth;
}
if (di.kind == DomainInfo::Secondary)
- return forwardPacket(msgPrefix, p, di);
+ return forwardPacket(msgPrefix, packet, di);
// Check if all the records provided are within the zone
for(const auto & answer : mdp.d_answers) {
std::lock_guard<std::mutex> l(s_rfc2136lock); //TODO: i think this lock can be per zone, not for everything
g_log<<Logger::Info<<msgPrefix<<"starting transaction."<<endl;
- if (!di.backend->startTransaction(p.qdomain, -1)) { // Not giving the domain_id means that we do not delete the existing records.
- g_log<<Logger::Error<<msgPrefix<<"Backend for domain "<<p.qdomain<<" does not support transaction. Can't do Update packet."<<endl;
+ if (!di.backend->startTransaction(packet.qdomain, -1)) { // Not giving the domain_id means that we do not delete the existing records.
+ g_log<<Logger::Error<<msgPrefix<<"Backend for domain "<<packet.qdomain<<" does not support transaction. Can't do Update packet."<<endl;
return RCode::NotImp;
}
if (rr->d_place == DNSResourceRecord::AUTHORITY) {
/* see if it's permitted by policy */
if (this->d_update_policy_lua != nullptr) {
- if (this->d_update_policy_lua->updatePolicy(rr->d_name, QType(rr->d_type), di.zone, p) == false) {
+ if (this->d_update_policy_lua->updatePolicy(rr->d_name, QType(rr->d_type), di.zone, packet) == false) {
g_log<<Logger::Warning<<msgPrefix<<"Refusing update for " << rr->d_name << "/" << QType(rr->d_type).toString() << ": Not permitted by policy"<<endl;
continue;
} else {
// Notify secondaries
if (di.kind == DomainInfo::Primary) {
vector<string> notify;
- B.getDomainMetadata(p.qdomain, "NOTIFY-DNSUPDATE", notify);
+ B.getDomainMetadata(packet.qdomain, "NOTIFY-DNSUPDATE", notify);
if (!notify.empty() && notify.front() == "1") {
Communicator.notifyDomain(di.zone, &B);
}
projects / thirdparty / pdns.git / commitdiff
