}
#endif /* HAVE_FSTRM */
+static void rpzPrimary(LuaConfigItems& lci, luaConfigDelayedThreads& delayedThreads, const boost::variant<string, std::vector<std::pair<int, string> > >& masters_, const string& zoneName, boost::optional<rpzOptions_t> options)
+{
+ boost::optional<DNSFilterEngine::Policy> defpol;
+ bool defpolOverrideLocal = true;
+ std::shared_ptr<DNSFilterEngine::Zone> zone = std::make_shared<DNSFilterEngine::Zone>();
+ TSIGTriplet tt;
+ uint32_t refresh=0;
+ size_t maxReceivedXFRMBytes = 0;
+ uint16_t axfrTimeout = 20;
+ uint32_t maxTTL = std::numeric_limits<uint32_t>::max();
+ ComboAddress localAddress;
+ std::vector<ComboAddress> masters;
+ if (masters_.type() == typeid(string)) {
+ masters.push_back(ComboAddress(boost::get<std::string>(masters_), 53));
+ }
+ else {
+ for (const auto& master : boost::get<std::vector<std::pair<int, std::string>>>(masters_)) {
+ masters.push_back(ComboAddress(master.second, 53));
+ }
+ }
+
+ size_t zoneIdx;
+ std::string dumpFile;
+ std::shared_ptr<SOARecordContent> sr = nullptr;
+
+ try {
+ std::string seedFile;
+ std::string polName(zoneName);
+
+ if (options) {
+ auto& have = *options;
+ parseRPZParameters(have, zone, polName, defpol, defpolOverrideLocal, maxTTL);
+
+ if(have.count("tsigname")) {
+ tt.name=DNSName(toLower(boost::get<string>(have["tsigname"])));
+ tt.algo=DNSName(toLower(boost::get<string>(have[ "tsigalgo"])));
+ if(B64Decode(boost::get<string>(have[ "tsigsecret"]), tt.secret))
+ throw std::runtime_error("TSIG secret is not valid Base-64 encoded");
+ }
+
+ if(have.count("refresh")) {
+ refresh = boost::get<uint32_t>(have["refresh"]);
+ if (refresh == 0) {
+ g_log<<Logger::Warning<<"rpzMaster refresh value of 0 ignored"<<endl;
+ }
+ }
+
+ if(have.count("maxReceivedMBytes")) {
+ maxReceivedXFRMBytes = static_cast<size_t>(boost::get<uint32_t>(have["maxReceivedMBytes"]));
+ }
+
+ if(have.count("localAddress")) {
+ localAddress = ComboAddress(boost::get<string>(have["localAddress"]));
+ }
+
+ if(have.count("axfrTimeout")) {
+ axfrTimeout = static_cast<uint16_t>(boost::get<uint32_t>(have["axfrTimeout"]));
+ }
+
+ if(have.count("seedFile")) {
+ seedFile = boost::get<std::string>(have["seedFile"]);
+ }
+
+ if(have.count("dumpFile")) {
+ dumpFile = boost::get<std::string>(have["dumpFile"]);
+ }
+ }
+
+ if (localAddress != ComboAddress()) {
+ // We were passed a localAddress, check if its AF matches the masters'
+ for (const auto& master : masters) {
+ if (localAddress.sin4.sin_family != master.sin4.sin_family) {
+ throw PDNSException("Master address("+master.toString()+") is not of the same Address Family as the local address ("+localAddress.toString()+").");
+ }
+ }
+ }
+
+ DNSName domain(zoneName);
+ zone->setDomain(domain);
+ zone->setName(polName);
+ zoneIdx = lci.dfe.addZone(zone);
+
+ if (!seedFile.empty()) {
+ g_log<<Logger::Info<<"Pre-loading RPZ zone "<<zoneName<<" from seed file '"<<seedFile<<"'"<<endl;
+ try {
+ sr = loadRPZFromFile(seedFile, zone, defpol, defpolOverrideLocal, maxTTL);
+
+ if (zone->getDomain() != domain) {
+ throw PDNSException("The RPZ zone " + zoneName + " loaded from the seed file (" + zone->getDomain().toString() + ") does not match the one passed in parameter (" + domain.toString() + ")");
+ }
+
+ if (sr == nullptr) {
+ throw PDNSException("The RPZ zone " + zoneName + " loaded from the seed file (" + zone->getDomain().toString() + ") has no SOA record");
+ }
+ }
+ catch(const std::exception& e) {
+ g_log<<Logger::Warning<<"Unable to pre-load RPZ zone "<<zoneName<<" from seed file '"<<seedFile<<"': "<<e.what()<<endl;
+ }
+ }
+ }
+ catch(const std::exception& e) {
+ g_log<<Logger::Error<<"Problem configuring 'rpzMaster': "<<e.what()<<endl;
+ exit(1); // FIXME proper exit code?
+ }
+ catch(const PDNSException& e) {
+ g_log<<Logger::Error<<"Problem configuring 'rpzMaster': "<<e.reason<<endl;
+ exit(1); // FIXME proper exit code?
+ }
+
+ delayedThreads.rpzMasterThreads.push_back(std::make_tuple(masters, defpol, defpolOverrideLocal, maxTTL, zoneIdx, tt, maxReceivedXFRMBytes, localAddress, axfrTimeout, refresh, sr, dumpFile));
+}
+
void loadRecursorLuaConfig(const std::string& fname, luaConfigDelayedThreads& delayedThreads)
{
LuaConfigItems lci;
});
Lua.writeFunction("rpzMaster", [&lci, &delayedThreads](const boost::variant<string, std::vector<std::pair<int, string> > >& masters_, const string& zoneName, boost::optional<rpzOptions_t> options) {
-
- boost::optional<DNSFilterEngine::Policy> defpol;
- bool defpolOverrideLocal = true;
- std::shared_ptr<DNSFilterEngine::Zone> zone = std::make_shared<DNSFilterEngine::Zone>();
- TSIGTriplet tt;
- uint32_t refresh=0;
- size_t maxReceivedXFRMBytes = 0;
- uint16_t axfrTimeout = 20;
- uint32_t maxTTL = std::numeric_limits<uint32_t>::max();
- ComboAddress localAddress;
- std::vector<ComboAddress> masters;
- if (masters_.type() == typeid(string)) {
- masters.push_back(ComboAddress(boost::get<std::string>(masters_), 53));
- }
- else {
- for (const auto& master : boost::get<std::vector<std::pair<int, std::string>>>(masters_)) {
- masters.push_back(ComboAddress(master.second, 53));
- }
- }
-
- size_t zoneIdx;
- std::string dumpFile;
- std::shared_ptr<SOARecordContent> sr = nullptr;
-
- try {
- std::string seedFile;
- std::string polName(zoneName);
-
- if (options) {
- auto& have = *options;
- parseRPZParameters(have, zone, polName, defpol, defpolOverrideLocal, maxTTL);
-
- if(have.count("tsigname")) {
- tt.name=DNSName(toLower(boost::get<string>(have["tsigname"])));
- tt.algo=DNSName(toLower(boost::get<string>(have[ "tsigalgo"])));
- if(B64Decode(boost::get<string>(have[ "tsigsecret"]), tt.secret))
- throw std::runtime_error("TSIG secret is not valid Base-64 encoded");
- }
-
- if(have.count("refresh")) {
- refresh = boost::get<uint32_t>(have["refresh"]);
- if (refresh == 0) {
- g_log<<Logger::Warning<<"rpzMaster refresh value of 0 ignored"<<endl;
- }
- }
-
- if(have.count("maxReceivedMBytes")) {
- maxReceivedXFRMBytes = static_cast<size_t>(boost::get<uint32_t>(have["maxReceivedMBytes"]));
- }
-
- if(have.count("localAddress")) {
- localAddress = ComboAddress(boost::get<string>(have["localAddress"]));
- }
-
- if(have.count("axfrTimeout")) {
- axfrTimeout = static_cast<uint16_t>(boost::get<uint32_t>(have["axfrTimeout"]));
- }
-
- if(have.count("seedFile")) {
- seedFile = boost::get<std::string>(have["seedFile"]);
- }
-
- if(have.count("dumpFile")) {
- dumpFile = boost::get<std::string>(have["dumpFile"]);
- }
- }
-
- if (localAddress != ComboAddress()) {
- // We were passed a localAddress, check if its AF matches the masters'
- for (const auto& master : masters) {
- if (localAddress.sin4.sin_family != master.sin4.sin_family) {
- throw PDNSException("Master address("+master.toString()+") is not of the same Address Family as the local address ("+localAddress.toString()+").");
- }
- }
- }
-
- DNSName domain(zoneName);
- zone->setDomain(domain);
- zone->setName(polName);
- zoneIdx = lci.dfe.addZone(zone);
-
- if (!seedFile.empty()) {
- g_log<<Logger::Info<<"Pre-loading RPZ zone "<<zoneName<<" from seed file '"<<seedFile<<"'"<<endl;
- try {
- sr = loadRPZFromFile(seedFile, zone, defpol, defpolOverrideLocal, maxTTL);
-
- if (zone->getDomain() != domain) {
- throw PDNSException("The RPZ zone " + zoneName + " loaded from the seed file (" + zone->getDomain().toString() + ") does not match the one passed in parameter (" + domain.toString() + ")");
- }
-
- if (sr == nullptr) {
- throw PDNSException("The RPZ zone " + zoneName + " loaded from the seed file (" + zone->getDomain().toString() + ") has no SOA record");
- }
- }
- catch(const std::exception& e) {
- g_log<<Logger::Warning<<"Unable to pre-load RPZ zone "<<zoneName<<" from seed file '"<<seedFile<<"': "<<e.what()<<endl;
- }
- }
- }
- catch(const std::exception& e) {
- g_log<<Logger::Error<<"Problem configuring 'rpzMaster': "<<e.what()<<endl;
- exit(1); // FIXME proper exit code?
- }
- catch(const PDNSException& e) {
- g_log<<Logger::Error<<"Problem configuring 'rpzMaster': "<<e.reason<<endl;
- exit(1); // FIXME proper exit code?
- }
-
- delayedThreads.rpzMasterThreads.push_back(std::make_tuple(masters, defpol, defpolOverrideLocal, maxTTL, zoneIdx, tt, maxReceivedXFRMBytes, localAddress, axfrTimeout, refresh, sr, dumpFile));
- });
+ rpzPrimary(lci, delayedThreads, masters_, zoneName, options);
+ });
+ Lua.writeFunction("rpzPrimary", [&lci, &delayedThreads](const boost::variant<string, std::vector<std::pair<int, string> > >& masters_, const string& zoneName, boost::optional<rpzOptions_t> options) {
+ rpzPrimary(lci, delayedThreads, masters_, zoneName, options);
+ });
typedef vector<pair<int,boost::variant<string, vector<pair<int, string> > > > > argvec_t;
Lua.writeFunction("addSortList",
Configuring RPZ
---------------
-An RPZ can be loaded from file or slaved from a master. To load from file, use for example:
+An RPZ can be loaded from file or transferred from a primary. To load from file, use for example:
.. code-block:: Lua
rpzFile("dblfilename")
-To slave from a master and start IXFR to get updates, use for example:
+To transfer from a primary and start IXFR to get updates, use for example:
.. code-block:: Lua
- rpzMaster("192.0.2.4", "policy.rpz")
+ rpzPrimary("192.0.2.4", "policy.rpz")
In this example, 'policy.rpz' denotes the name of the zone to query for.
+.. note:: In versions before 4.5.0, ``rpzPrimary`` is called ``rpzMaster``. For backwards compatibility, version 4.5.0 does support ``rpzMaster`` as a synonym for ``rpzPrimary``.
+
+
The action to be taken on a match is defined by the zone itself, but in some cases it might be interesting to be able to override it, and always apply the same action
regardless of the one specified in the RPZ zone. To load from file and override the default action with a custom CNAME to badserver.example.com., use for example:
rpzFile("dblfilename", {defpol=Policy.Custom, defcontent="badserver.example.com"})
-To instead drop all queries matching a rule, while slaving from a master:
+To instead drop all queries matching a rule, while transferred from a primary.
.. code-block:: Lua
- rpzMaster("192.0.2.4", "policy.rpz", {defpol=Policy.Drop})
+ rpzPrimary("192.0.2.4", "policy.rpz", {defpol=Policy.Drop})
Note that since 4.2.0, it is possible for the override policy specified via 'defpol' to no longer be applied to local data entries present in the zone by setting the 'defpolOverrideLocalData' parameter to false.
-As of version 4.2.0, the first parameter of :func:`rpzMaster` can be a list of addresses for failover:
+As of version 4.2.0, the first parameter of :func:`rpzPrimary` can be a list of addresses for failover:
+
+.. code-block:: Lua
+
+ rpzPrimary({"192.0.2.4","192.0.2.5:5301"}, "policy.rpz", {defpol=Policy.Drop})
+
+In the example above, two addresses are specified and will be tried one after another until a response is obtained. The first address uses the default port (53) while the second one uses port 5301.
+(If no optional port is set, the default port 53 is used)
+
- rpzMaster({"192.0.2.4","192.0.2.5:5301"}, "policy.rpz", {defpol=Policy.Drop})
-
- In the example above, two addresses are specified and will be tried one after another until a response is obtained. The first address uses the default port (53) while the second one uses port 5301.
- (If no optional port is set, the default port 53 is used)
-
-
.. function:: rpzFile(filename, settings)
Load an RPZ from disk.
:param str filename: The filename to load
:param {} settings: A table to settings, see below
-.. function:: rpzMaster(address, name, settings)
+.. function:: rpzPrimary(address, name, settings)
- .. versionchanged:: 4.2.0:
+ .. versionchanged:: 4.2.0
The first parameter can be a list of addresses.
+ .. versionchanged:: 4.5.0
+
+ This function has been renamed from ``rpzMaster``.
+
Load an RPZ from AXFR and keep retrieving with IXFR.
:param str address: The IP address to transfer the RPZ from. Also accepts a list of addresses since 4.2.0 in which case they will be tried one after another in the submitted order until a response is obtained.
RPZ settings
------------
-These options can be set in the ``settings`` of both :func:`rpzMaster` and :func:`rpzFile`.
+These options can be set in the ``settings`` of both :func:`rpzPrimary` and :func:`rpzFile`.
defcontent
^^^^^^^^^^
^^^^^^^^^^^^
An indication of the number of expected entries in the zone, speeding up the loading of huge zones by reserving space in advance.
-Extra settings for rpzMaster
-----------------------------
-In addition to the settings above the settings for :func:`rpzMaster` may contain:
+Extra settings for rpzPrimary
+-----------------------------
+In addition to the settings above the settings for :func:`rpzPrimary` may contain:
tsigname
^^^^^^^^
projects / thirdparty / pdns.git / commitdiff
