rec: RPZ updates are done zone by zone, zones are now shared pointers

author Remi Gacogne <remi.gacogne@powerdns.com>

Thu, 6 Apr 2017 12:21:32 +0000 (14:21 +0200)

committer Remi Gacogne <remi.gacogne@powerdns.com>

Wed, 26 Apr 2017 09:34:22 +0000 (11:34 +0200)
author Remi Gacogne <remi.gacogne@powerdns.com>
Thu, 6 Apr 2017 12:21:32 +0000 (14:21 +0200)
committer Remi Gacogne <remi.gacogne@powerdns.com>
Wed, 26 Apr 2017 09:34:22 +0000 (11:34 +0200)
diff --git a/pdns/filterpo.cc b/pdns/filterpo.cc

index d87c55ccc02020713060f5a96af2857ca73756c6..8a5b1e184096f1d6a402a3f4b123f5a4c38698fc 100644 (file)
--- a/pdns/filterpo.cc
+++ b/pdns/filterpo.cc
@@ -61,11 +61,12 @@ DNSFilterEngine::Policy DNSFilterEngine::getProcessingPolicy(const DNSName& qnam
    //  cout<<"Got question for nameserver name "<<qname<<endl;
    Policy pol;
    for(const auto& z : d_zones) {
-    if(z.name && discardedPolicies.find(*z.name) != discardedPolicies.end()) {
+    const auto zoneName = z->getName();
+    if(zoneName && discardedPolicies.find(*zoneName) != discardedPolicies.end()) {
        continue;
      }
  
-    if(findNamedPolicy(z.propolName, qname, pol)) {
+    if(findNamedPolicy(z->d_propolName, qname, pol)) {
        //      cerr<<"Had a hit on the nameserver ("<<qname<<") used to process the query"<<endl;
        return pol;
      }
@@ -77,11 +78,12 @@ DNSFilterEngine::Policy DNSFilterEngine::getProcessingPolicy(const ComboAddress&
  {
    //  cout<<"Got question for nameserver IP "<<address.toString()<<endl;
    for(const auto& z : d_zones) {
-    if(z.name && discardedPolicies.find(*z.name) != discardedPolicies.end()) {
+    const auto zoneName = z->getName();
+    if(zoneName && discardedPolicies.find(*zoneName) != discardedPolicies.end()) {
        continue;
      }
  
-    if(auto fnd=z.propolNSAddr.lookup(address)) {
+    if(auto fnd=z->d_propolNSAddr.lookup(address)) {
        //      cerr<<"Had a hit on the nameserver ("<<address.toString()<<") used to process the query"<<endl;
        return fnd->second;;
      }
@@ -94,16 +96,17 @@ DNSFilterEngine::Policy DNSFilterEngine::getQueryPolicy(const DNSName& qname, co
    //  cout<<"Got question for "<<qname<<" from "<<ca.toString()<<endl;
    Policy pol;
    for(const auto& z : d_zones) {
-    if(z.name && discardedPolicies.find(*z.name) != discardedPolicies.end()) {
+    const auto zoneName = z->getName();
+    if(zoneName && discardedPolicies.find(*zoneName) != discardedPolicies.end()) {
        continue;
      }
  
-    if(findNamedPolicy(z.qpolName, qname, pol)) {
+    if(findNamedPolicy(z->d_qpolName, qname, pol)) {
        //      cerr<<"Had a hit on the name of the query"<<endl;
        return pol;
      }
      
-    if(auto fnd=z.qpolAddr.lookup(ca)) {
+    if(auto fnd=z->d_qpolAddr.lookup(ca)) {
        //       cerr<<"Had a hit on the IP address ("<<ca.toString()<<") of the client"<<endl;
        return fnd->second;
      }
@@ -132,11 +135,12 @@ DNSFilterEngine::Policy DNSFilterEngine::getPostPolicy(const vector<DNSRecord>&
        continue;
  
      for(const auto& z : d_zones) {
-      if(z.name && discardedPolicies.find(*z.name) != discardedPolicies.end()) {
+      const auto zoneName = z->getName();
+      if(zoneName && discardedPolicies.find(*zoneName) != discardedPolicies.end()) {
          continue;
        }
  
-      if(auto fnd=z.postpolAddr.lookup(ca))
+      if(auto fnd=z->d_postpolAddr.lookup(ca))
         return fnd->second;
      }
    }
@@ -149,98 +153,62 @@ void DNSFilterEngine::assureZones(size_t zone)
      d_zones.resize(zone+1);
  }
  
-void DNSFilterEngine::clear(size_t zone)
+void DNSFilterEngine::Zone::addClientTrigger(const Netmask& nm, Policy pol)
  {
-  assureZones(zone);
-  auto& z = d_zones[zone];
-  z.qpolAddr.clear();
-  z.postpolAddr.clear();
-  z.propolName.clear();
-  z.propolNSAddr.clear();
-  z.qpolName.clear();
+  pol.d_name = d_name;
+  d_qpolAddr.insert(nm).second=pol;
  }
  
-void DNSFilterEngine::clear()
+void DNSFilterEngine::Zone::addResponseTrigger(const Netmask& nm, Policy pol)
  {
-  for(auto& z : d_zones) {
-    z.qpolAddr.clear();
-    z.postpolAddr.clear();
-    z.propolName.clear();
-    z.propolNSAddr.clear();
-    z.qpolName.clear();
-  }
-}
-
-void DNSFilterEngine::addClientTrigger(const Netmask& nm, Policy pol, size_t zone)
-{
-  assureZones(zone);
-  pol.d_name = d_zones[zone].name;
-  d_zones[zone].qpolAddr.insert(nm).second=pol;
+  pol.d_name = d_name;
+  d_postpolAddr.insert(nm).second=pol;
  }
  
-void DNSFilterEngine::addResponseTrigger(const Netmask& nm, Policy pol, size_t zone)
+void DNSFilterEngine::Zone::addQNameTrigger(const DNSName& n, Policy pol)
  {
-  assureZones(zone);
-  pol.d_name = d_zones[zone].name;
-  d_zones[zone].postpolAddr.insert(nm).second=pol;
+  pol.d_name = d_name;
+  d_qpolName[n]=pol;
  }
  
-void DNSFilterEngine::addQNameTrigger(const DNSName& n, Policy pol, size_t zone)
+void DNSFilterEngine::Zone::addNSTrigger(const DNSName& n, Policy pol)
  {
-  assureZones(zone);
-  pol.d_name = d_zones[zone].name;
-  d_zones[zone].qpolName[n]=pol;
+  pol.d_name = d_name;
+  d_propolName[n]=pol;
  }
  
-void DNSFilterEngine::addNSTrigger(const DNSName& n, Policy pol, size_t zone)
+void DNSFilterEngine::Zone::addNSIPTrigger(const Netmask& nm, Policy pol)
  {
-  assureZones(zone);
-  pol.d_name = d_zones[zone].name;
-  d_zones[zone].propolName[n]=pol;
+  pol.d_name = d_name;
+  d_propolNSAddr.insert(nm).second = pol;
  }
  
-void DNSFilterEngine::addNSIPTrigger(const Netmask& nm, Policy pol, size_t zone)
+bool DNSFilterEngine::Zone::rmClientTrigger(const Netmask& nm, Policy pol)
  {
-  assureZones(zone);
-  pol.d_name = d_zones[zone].name;
-  d_zones[zone].propolNSAddr.insert(nm).second = pol;
-}
-
-bool DNSFilterEngine::rmClientTrigger(const Netmask& nm, Policy pol, size_t zone)
-{
-  assureZones(zone);
-
-  auto& qpols = d_zones[zone].qpolAddr;
-  qpols.erase(nm);
+  d_qpolAddr.erase(nm);
    return true;
  }
  
-bool DNSFilterEngine::rmResponseTrigger(const Netmask& nm, Policy pol, size_t zone)
+bool DNSFilterEngine::Zone::rmResponseTrigger(const Netmask& nm, Policy pol)
  {
-  assureZones(zone);
-  auto& postpols = d_zones[zone].postpolAddr;
-  postpols.erase(nm);  
+  d_postpolAddr.erase(nm);
    return true;
  }
  
-bool DNSFilterEngine::rmQNameTrigger(const DNSName& n, Policy pol, size_t zone)
+bool DNSFilterEngine::Zone::rmQNameTrigger(const DNSName& n, Policy pol)
  {
-  assureZones(zone);
-  d_zones[zone].qpolName.erase(n); // XXX verify we had identical policy?
+  d_qpolName.erase(n); // XXX verify we had identical policy?
    return true;
  }
  
-bool DNSFilterEngine::rmNSTrigger(const DNSName& n, Policy pol, size_t zone)
+bool DNSFilterEngine::Zone::rmNSTrigger(const DNSName& n, Policy pol)
  {
-  assureZones(zone);
-  d_zones[zone].propolName.erase(n); // XXX verify policy matched? =pol;
+  d_propolName.erase(n); // XXX verify policy matched? =pol;
    return true;
  }
  
-bool DNSFilterEngine::rmNSIPTrigger(const Netmask& nm, Policy pol, size_t zone)
+bool DNSFilterEngine::Zone::rmNSIPTrigger(const Netmask& nm, Policy pol)
  {
-  assureZones(zone);
-  auto& pols = d_zones[zone].propolNSAddr;
-  pols.erase(nm);
+  d_propolNSAddr.erase(nm);
    return true;
  }
diff --git a/pdns/filterpo.hh b/pdns/filterpo.hh

index fb9ee4c1c44c1379bc5ba25f613ab6875ab3319a..abf647e2ae3fa62f4ccebdc565a49dea03a26f35 100644 (file)
--- a/pdns/filterpo.hh
+++ b/pdns/filterpo.hh
@@ -80,48 +80,85 @@ public:
      int32_t d_ttl;
    };
  
-  DNSFilterEngine();
-  void clear();
-  void clear(size_t zone);
-  void reserve(size_t zone, size_t entriesCount) {
-    assureZones(zone);
-    d_zones[zone].qpolName.reserve(entriesCount);
-  }
-  void addClientTrigger(const Netmask& nm, Policy pol, size_t zone);
-  void addQNameTrigger(const DNSName& nm, Policy pol, size_t zone);
-  void addNSTrigger(const DNSName& dn, Policy pol, size_t zone);
-  void addNSIPTrigger(const Netmask& nm, Policy pol, size_t zone);
-  void addResponseTrigger(const Netmask& nm, Policy pol, size_t zone);
+  class Zone {
+  public:
+    void clear()
+    {
+      d_qpolAddr.clear();
+      d_postpolAddr.clear();
+      d_propolName.clear();
+      d_qpolName.clear();
+    }
+    void reserve(size_t entriesCount)
+    {
+      d_qpolName.reserve(entriesCount);
+    }
+    void setName(const std::string& name)
+    {
+      d_name = std::make_shared<std::string>(name);
+    }
+    const std::shared_ptr<std::string> getName() const
+    {
+      return d_name;
+    }
  
-  bool rmClientTrigger(const Netmask& nm, Policy pol, size_t zone);
-  bool rmQNameTrigger(const DNSName& nm, Policy pol, size_t zone);
-  bool rmNSTrigger(const DNSName& dn, Policy pol, size_t zone);
-  bool rmNSIPTrigger(const Netmask& nm, Policy pol, size_t zone);
-  bool rmResponseTrigger(const Netmask& nm, Policy pol, size_t zone);
+    void addClientTrigger(const Netmask& nm, Policy pol);
+    void addQNameTrigger(const DNSName& nm, Policy pol);
+    void addNSTrigger(const DNSName& dn, Policy pol);
+    void addNSIPTrigger(const Netmask& nm, Policy pol);
+    void addResponseTrigger(const Netmask& nm, Policy pol);
  
+    bool rmClientTrigger(const Netmask& nm, Policy pol);
+    bool rmQNameTrigger(const DNSName& nm, Policy pol);
+    bool rmNSTrigger(const DNSName& dn, Policy pol);
+    bool rmNSIPTrigger(const Netmask& nm, Policy pol);
+    bool rmResponseTrigger(const Netmask& nm, Policy pol);
+
+    std::unordered_map<DNSName, Policy> d_qpolName;   // QNAME trigger (RPZ)
+    NetmaskTree<Policy> d_qpolAddr;         // Source address
+    std::unordered_map<DNSName, Policy> d_propolName; // NSDNAME (RPZ)
+    NetmaskTree<Policy> d_propolNSAddr;     // NSIP (RPZ)
+    NetmaskTree<Policy> d_postpolAddr;      // IP trigger (RPZ)
+    std::shared_ptr<std::string> d_name;
+  };
+
+  DNSFilterEngine();
+  void clear()
+  {
+    for(auto& z : d_zones) {
+      z->clear();
+    }
+  }
+  const std::shared_ptr<Zone> getZone(size_t zoneIdx) const
+  {
+    std::shared_ptr<Zone> result{nullptr};
+    if (zoneIdx < d_zones.size()) {
+      result = d_zones[zoneIdx];
+    }
+    return result;
+  }
+  size_t addZone(std::shared_ptr<Zone> newZone)
+  {
+    d_zones.push_back(newZone);
+    return (d_zones.size() - 1);
+  }
+  void setZone(size_t zoneIdx, std::shared_ptr<Zone> newZone)
+  {
+    if (newZone) {
+      assureZones(zoneIdx);
+      d_zones[zoneIdx] = newZone;
+    }
+  }
  
    Policy getQueryPolicy(const DNSName& qname, const ComboAddress& nm, const std::unordered_map<std::string,bool>& discardedPolicies) const;
    Policy getProcessingPolicy(const DNSName& qname, const std::unordered_map<std::string,bool>& discardedPolicies) const;
    Policy getProcessingPolicy(const ComboAddress& address, const std::unordered_map<std::string,bool>& discardedPolicies) const;
    Policy getPostPolicy(const vector<DNSRecord>& records, const std::unordered_map<std::string,bool>& discardedPolicies) const;
  
-  size_t size() {
+  size_t size() const {
      return d_zones.size();
    }
-  void setPolicyName(size_t zoneIdx, std::string name)
-  {
-    assureZones(zoneIdx);
-    d_zones[zoneIdx].name = std::make_shared<std::string>(name);
-  }
  private:
    void assureZones(size_t zone);
-  struct Zone {
-    std::unordered_map<DNSName, Policy> qpolName;   // QNAME trigger (RPZ)
-    NetmaskTree<Policy> qpolAddr;         // Source address
-    std::unordered_map<DNSName, Policy> propolName; // NSDNAME (RPZ)
-    NetmaskTree<Policy> propolNSAddr;     // NSIP (RPZ)
-    NetmaskTree<Policy> postpolAddr;      // IP trigger (RPZ)
-    std::shared_ptr<std::string> name;
-  };
-  vector<Zone> d_zones;
+  vector<std::shared_ptr<Zone>> d_zones;
  };
diff --git a/pdns/rec-lua-conf.cc b/pdns/rec-lua-conf.cc

index 5f816584aa3d118be69dfc182e421a5e8ebd9987..6c5e7e171e5d16c290fec63e05547be2dfdcd3b2 100644 (file)
--- a/pdns/rec-lua-conf.cc
+++ b/pdns/rec-lua-conf.cc
@@ -114,19 +114,20 @@ void loadRecursorLuaConfig(const std::string& fname, bool checkOnly)
        try {
          boost::optional<DNSFilterEngine::Policy> defpol;
          std::string polName("rpzFile");
-        const size_t zoneIdx = lci.dfe.size();
+        std::shared_ptr<DNSFilterEngine::Zone> zone = std::make_shared<DNSFilterEngine::Zone>();
          uint32_t maxTTL = std::numeric_limits<uint32_t>::max();
          if(options) {
            auto& have = *options;
            size_t zoneSizeHint = 0;
            parseRPZParameters(have, polName, defpol, maxTTL, zoneSizeHint);
            if (zoneSizeHint > 0) {
-            lci.dfe.reserve(zoneIdx, zoneSizeHint);
+            zone->reserve(zoneSizeHint);
            }
          }
          theL()<<Logger::Warning<<"Loading RPZ from file '"<<filename<<"'"<<endl;
-        lci.dfe.setPolicyName(zoneIdx, polName);
-        loadRPZFromFile(filename, lci.dfe, defpol, maxTTL, zoneIdx);
+        zone->setName(polName);
+        loadRPZFromFile(filename, zone, defpol, maxTTL);
+        lci.dfe.addZone(zone);
          theL()<<Logger::Warning<<"Done loading RPZ from file '"<<filename<<"'"<<endl;
        }
        catch(std::exception& e) {
@@ -134,22 +135,22 @@ void loadRecursorLuaConfig(const std::string& fname, bool checkOnly)
        }
      });
  
-  Lua.writeFunction("rpzMaster", [&lci, checkOnly](const string& master_, const string& zone_, const boost::optional<std::unordered_map<string,boost::variant<uint32_t, string>>>& options) {
+  Lua.writeFunction("rpzMaster", [&lci, checkOnly](const string& master_, const string& zoneName, const boost::optional<std::unordered_map<string,boost::variant<uint32_t, string>>>& options) {
        try {
          boost::optional<DNSFilterEngine::Policy> defpol;
+        std::shared_ptr<DNSFilterEngine::Zone> zone = std::make_shared<DNSFilterEngine::Zone>();
          TSIGTriplet tt;
          uint32_t refresh=0;
-        std::string polName(zone_);
+        std::string polName(zoneName);
          size_t maxReceivedXFRMBytes = 0;
          uint32_t maxTTL = std::numeric_limits<uint32_t>::max();
          ComboAddress localAddress;
-        const size_t zoneIdx = lci.dfe.size();
          if(options) {
            auto& have = *options;
            size_t zoneSizeHint = 0;
            parseRPZParameters(have, polName, defpol, maxTTL, zoneSizeHint);
            if (zoneSizeHint > 0) {
-            lci.dfe.reserve(zoneIdx, zoneSizeHint);
+            zone->reserve(zoneSizeHint);
            }
            if(have.count("tsigname")) {
              tt.name=DNSName(toLower(boost::get<string>(constGet(have, "tsigname"))));
@@ -171,22 +172,23 @@ void loadRecursorLuaConfig(const std::string& fname, bool checkOnly)
          if (localAddress != ComboAddress() && localAddress.sin4.sin_family != master.sin4.sin_family)
            // We were passed a localAddress, check if its AF matches the master's
            throw PDNSException("Master address("+master.toString()+") is not of the same Address Family as the local address ("+localAddress.toString()+").");
-        DNSName zone(zone_);
-        lci.dfe.setPolicyName(zoneIdx, polName);
+        zone->setName(polName);
+        size_t zoneIdx = lci.dfe.addZone(zone);
  
          if (!checkOnly) {
-          auto sr=loadRPZFromServer(master, zone, lci.dfe, defpol, maxTTL, zoneIdx, tt, maxReceivedXFRMBytes * 1024 * 1024, localAddress);
+          auto sr=loadRPZFromServer(master, DNSName(zoneName), zone, defpol, maxTTL, tt, maxReceivedXFRMBytes * 1024 * 1024, localAddress);
            if(refresh)
              sr->d_st.refresh=refresh;
-          std::thread t(RPZIXFRTracker, master, zone, defpol, maxTTL, zoneIdx, tt, sr, maxReceivedXFRMBytes * 1024 * 1024, localAddress);
+
+          std::thread t(RPZIXFRTracker, master, DNSName(zoneName), defpol, maxTTL, zoneIdx, tt, sr, maxReceivedXFRMBytes * 1024 * 1024, localAddress);
            t.detach();
          }
        }
        catch(std::exception& e) {
-        theL()<<Logger::Error<<"Unable to load RPZ zone '"<<zone_<<"' from '"<<master_<<"': "<<e.what()<<endl;
+        theL()<<Logger::Error<<"Unable to load RPZ zone '"<<zoneName<<"' from '"<<master_<<"': "<<e.what()<<endl;
        }
        catch(PDNSException& e) {
-        theL()<<Logger::Error<<"Unable to load RPZ zone '"<<zone_<<"' from '"<<master_<<"': "<<e.reason<<endl;
+        theL()<<Logger::Error<<"Unable to load RPZ zone '"<<zoneName<<"' from '"<<master_<<"': "<<e.reason<<endl;
        }
  
      });
diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc

index 812ccb32f30ea763fa6c71f0164991d1690107c7..b3c28a8a68f4711417f4332d3db63aec141cb359 100644 (file)
--- a/pdns/recursordist/test-syncres_cc.cc
+++ b/pdns/recursordist/test-syncres_cc.cc
@@ -2081,9 +2081,11 @@ BOOST_AUTO_TEST_CASE(test_nameserver_ipv4_rpz) {
  
    DNSFilterEngine::Policy pol;
    pol.d_kind = DNSFilterEngine::PolicyKind::Drop;
+  std::shared_ptr<DNSFilterEngine::Zone> zone = std::make_shared<DNSFilterEngine::Zone>();
+  zone->setName("Unit test policy 0");
+  zone->addNSIPTrigger(Netmask(ns, 32), pol);
    auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dfe.setPolicyName(0, "Unit test policy 0");
-  luaconfsCopy.dfe.addNSIPTrigger(Netmask(ns, 32), pol, 0);
+  luaconfsCopy.dfe.addZone(zone);
    g_luaconfs.setState(luaconfsCopy);
  
    vector<DNSRecord> ret;
@@ -2121,9 +2123,11 @@ BOOST_AUTO_TEST_CASE(test_nameserver_ipv6_rpz) {
  
    DNSFilterEngine::Policy pol;
    pol.d_kind = DNSFilterEngine::PolicyKind::Drop;
+  std::shared_ptr<DNSFilterEngine::Zone> zone = std::make_shared<DNSFilterEngine::Zone>();
+  zone->setName("Unit test policy 0");
+  zone->addNSIPTrigger(Netmask(ns, 128), pol);
    auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dfe.setPolicyName(0, "Unit test policy 0");
-  luaconfsCopy.dfe.addNSIPTrigger(Netmask(ns, 128), pol, 0);
+  luaconfsCopy.dfe.addZone(zone);
    g_luaconfs.setState(luaconfsCopy);
  
    vector<DNSRecord> ret;
@@ -2162,9 +2166,11 @@ BOOST_AUTO_TEST_CASE(test_nameserver_name_rpz) {
  
    DNSFilterEngine::Policy pol;
    pol.d_kind = DNSFilterEngine::PolicyKind::Drop;
+  std::shared_ptr<DNSFilterEngine::Zone> zone = std::make_shared<DNSFilterEngine::Zone>();
+  zone->setName("Unit test policy 0");
+  zone->addNSTrigger(nsName, pol);
    auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dfe.setPolicyName(0, "Unit test policy 0");
-  luaconfsCopy.dfe.addNSTrigger(nsName, pol, 0);
+  luaconfsCopy.dfe.addZone(zone);
    g_luaconfs.setState(luaconfsCopy);
  
    vector<DNSRecord> ret;
@@ -2203,10 +2209,12 @@ BOOST_AUTO_TEST_CASE(test_nameserver_name_rpz_disabled) {
  
    DNSFilterEngine::Policy pol;
    pol.d_kind = DNSFilterEngine::PolicyKind::Drop;
+  std::shared_ptr<DNSFilterEngine::Zone> zone = std::make_shared<DNSFilterEngine::Zone>();
+  zone->setName("Unit test policy 0");
+  zone->addNSIPTrigger(Netmask(ns, 128), pol);
+  zone->addNSTrigger(nsName, pol);
    auto luaconfsCopy = g_luaconfs.getCopy();
-  luaconfsCopy.dfe.setPolicyName(0, "Unit test policy 0");
-  luaconfsCopy.dfe.addNSIPTrigger(Netmask(ns, 128), pol, 0);
-  luaconfsCopy.dfe.addNSTrigger(nsName, pol, 0);
+  luaconfsCopy.dfe.addZone(zone);
    g_luaconfs.setState(luaconfsCopy);
  
    /* RPZ is disabled for this query, we should not be blocked */
diff --git a/pdns/reczones.cc b/pdns/reczones.cc

index d319c4663f434770023f7b59bb6cf5b695419087..5a97903bea2e0c34a657e87eb3afa45a2c536247 100644 (file)
--- a/pdns/reczones.cc
+++ b/pdns/reczones.cc
@@ -310,7 +310,7 @@ string reloadAuthAndForwards()
  }
  
  
-void RPZIXFRTracker(const ComboAddress& master, const DNSName& zone, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL, size_t polZone, const TSIGTriplet& tt, shared_ptr<SOARecordContent> oursr, size_t maxReceivedBytes, const ComboAddress& localAddress)
+void RPZIXFRTracker(const ComboAddress& master, const DNSName& zoneName, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL, size_t zoneIdx, const TSIGTriplet& tt, shared_ptr<SOARecordContent> oursr, size_t maxReceivedBytes, const ComboAddress& localAddress)
  {
    uint32_t refresh = oursr->d_st.refresh;
    for(;;) {
@@ -319,7 +319,7 @@ void RPZIXFRTracker(const ComboAddress& master, const DNSName& zone, boost::opti
  
      sleep(refresh);
      
-    L<<Logger::Info<<"Getting IXFR deltas for "<<zone<<" from "<<master.toStringWithPort()<<", our serial: "<<getRR<SOARecordContent>(dr)->d_st.serial<<endl;
+    L<<Logger::Info<<"Getting IXFR deltas for "<<zoneName<<" from "<<master.toStringWithPort()<<", our serial: "<<getRR<SOARecordContent>(dr)->d_st.serial<<endl;
      vector<pair<vector<DNSRecord>, vector<DNSRecord> > > deltas;
  
      ComboAddress local(localAddress);
@@ -327,23 +327,27 @@ void RPZIXFRTracker(const ComboAddress& master, const DNSName& zone, boost::opti
        local = getQueryLocalAddress(master.sin4.sin_family, 0);
  
      try {
-      deltas = getIXFRDeltas(master, zone, dr, tt, &local, maxReceivedBytes);
+      deltas = getIXFRDeltas(master, zoneName, dr, tt, &local, maxReceivedBytes);
      } catch(std::runtime_error& e ){
        L<<Logger::Warning<<e.what()<<endl;
        continue;
      }
      if(deltas.empty())
        continue;
-    L<<Logger::Info<<"Processing "<<deltas.size()<<" delta"<<addS(deltas)<<" for RPZ "<<zone<<endl;
+    L<<Logger::Info<<"Processing "<<deltas.size()<<" delta"<<addS(deltas)<<" for RPZ "<<zoneName<<endl;
+
+    auto luaconfsLocal = g_luaconfs.getLocal();
+    const std::shared_ptr<DNSFilterEngine::Zone> oldZone = luaconfsLocal->dfe.getZone(zoneIdx);
+    /* we need to make a _full copy_ of the zone we are going to work on */
+    std::shared_ptr<DNSFilterEngine::Zone> newZone = std::make_shared<DNSFilterEngine::Zone>(*oldZone);
  
-    auto luaconfsCopy = g_luaconfs.getCopy();
      int totremove=0, totadd=0;
      for(const auto& delta : deltas) {
        const auto& remove = delta.first;
        const auto& add = delta.second;
        if(remove.empty()) {
          L<<Logger::Warning<<"IXFR update is a whole new zone"<<endl;
-        luaconfsCopy.dfe.clear(polZone);
+        newZone->clear();
        }
        for(const auto& rr : remove) { // should always contain the SOA
          if(rr.d_type == QType::NS)
@@ -359,7 +363,7 @@ void RPZIXFRTracker(const ComboAddress& master, const DNSName& zone, boost::opti
         else {
            totremove++;
           L<<Logger::Debug<<"Had removal of "<<rr.d_name<<endl;
-         RPZRecordToPolicy(rr, luaconfsCopy.dfe, false, defpol, maxTTL, polZone);
+         RPZRecordToPolicy(rr, newZone, false, defpol, maxTTL);
         }
        }
  
@@ -368,7 +372,7 @@ void RPZIXFRTracker(const ComboAddress& master, const DNSName& zone, boost::opti
            continue;
         if(rr.d_type == QType::SOA) {
           auto newsr = getRR<SOARecordContent>(rr);
-         //      L<<Logger::Info<<"New SOA serial for "<<zone<<": "<<newsr->d_st.serial<<endl;
+         //      L<<Logger::Info<<"New SOA serial for "<<zoneName<<": "<<newsr->d_st.serial<<endl;
           if (newsr) {
             oursr = newsr;
           }
@@ -376,12 +380,19 @@ void RPZIXFRTracker(const ComboAddress& master, const DNSName& zone, boost::opti
         else {
            totadd++;
           L<<Logger::Debug<<"Had addition of "<<rr.d_name<<endl;
-         RPZRecordToPolicy(rr, luaconfsCopy.dfe, true, defpol, maxTTL, polZone);
+         RPZRecordToPolicy(rr, newZone, true, defpol, maxTTL);
         }
        }
      }
-    L<<Logger::Info<<"Had "<<totremove<<" RPZ removal"<<addS(totremove)<<", "<<totadd<<" addition"<<addS(totadd)<<" for "<<zone<<" New serial: "<<oursr->d_st.serial<<endl;
-    g_luaconfs.setState(luaconfsCopy);
+    L<<Logger::Info<<"Had "<<totremove<<" RPZ removal"<<addS(totremove)<<", "<<totadd<<" addition"<<addS(totadd)<<" for "<<zoneName<<" New serial: "<<oursr->d_st.serial<<endl;
+
+    /* we need to replace the existing zone with the new one,
+       but we don't want to touch anything else, especially other zones,
+       since they might have been updated by another RPZ IXFR tracker thread.
+    */
+    g_luaconfs.modify([zoneIdx, &newZone](LuaConfigItems& lci) {
+                        lci.dfe.setZone(zoneIdx, newZone);
+                      });
    }
  }
  
diff --git a/pdns/rpzloader.cc b/pdns/rpzloader.cc

index 67c36f6ce05771386e1433d0386463f02902db1a..bddf4dd63e36f0d4c92f1ea8252d0903ea70361c 100644 (file)
--- a/pdns/rpzloader.cc
+++ b/pdns/rpzloader.cc
@@ -58,7 +58,7 @@ static Netmask makeNetmaskFromRPZ(const DNSName& name)
    return Netmask(v6);
  }
  
-void RPZRecordToPolicy(const DNSRecord& dr, DNSFilterEngine& target, bool addOrRemove, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL, size_t place)
+void RPZRecordToPolicy(const DNSRecord& dr, std::shared_ptr<DNSFilterEngine::Zone> zone, bool addOrRemove, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL)
  {
    static const DNSName drop("rpz-drop."), truncate("rpz-tcp-only."), noaction("rpz-passthru.");
    static const DNSName rpzClientIP("rpz-client-ip"), rpzIP("rpz-ip"),
@@ -140,43 +140,43 @@ void RPZRecordToPolicy(const DNSRecord& dr, DNSFilterEngine& target, bool addOrR
    if(dr.d_name.isPartOf(rpzNSDname)) {
      DNSName filt=dr.d_name.makeRelative(rpzNSDname);
      if(addOrRemove)
-      target.addNSTrigger(filt, pol, place);
+      zone->addNSTrigger(filt, pol);
      else
-      target.rmNSTrigger(filt, pol, place);
+      zone->rmNSTrigger(filt, pol);
    } else       if(dr.d_name.isPartOf(rpzClientIP)) {
      DNSName filt=dr.d_name.makeRelative(rpzClientIP);
      auto nm=makeNetmaskFromRPZ(filt);
      if(addOrRemove)
-      target.addClientTrigger(nm, pol, place);
+      zone->addClientTrigger(nm, pol);
      else
-      target.rmClientTrigger(nm, pol, place);
+      zone->rmClientTrigger(nm, pol);
      
    } else       if(dr.d_name.isPartOf(rpzIP)) {
      // cerr<<"Should apply answer content IP policy: "<<dr.d_name<<endl;
      DNSName filt=dr.d_name.makeRelative(rpzIP);
      auto nm=makeNetmaskFromRPZ(filt);
      if(addOrRemove)
-      target.addResponseTrigger(nm, pol, place);
+      zone->addResponseTrigger(nm, pol);
      else
-      target.rmResponseTrigger(nm, pol, place);
+      zone->rmResponseTrigger(nm, pol);
    } else if(dr.d_name.isPartOf(rpzNSIP)) {
      DNSName filt=dr.d_name.makeRelative(rpzNSIP);
      auto nm=makeNetmaskFromRPZ(filt);
      if(addOrRemove)
-      target.addNSIPTrigger(nm, pol, place);
+      zone->addNSIPTrigger(nm, pol);
      else
-      target.rmNSIPTrigger(nm, pol, place);
+      zone->rmNSIPTrigger(nm, pol);
    } else {
      if(addOrRemove)
-      target.addQNameTrigger(dr.d_name, pol, place);
+      zone->addQNameTrigger(dr.d_name, pol);
      else
-      target.rmQNameTrigger(dr.d_name, pol, place);
+      zone->rmQNameTrigger(dr.d_name, pol);
    }
  }
  
-shared_ptr<SOARecordContent> loadRPZFromServer(const ComboAddress& master, const DNSName& zone, DNSFilterEngine& target, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL, size_t place, const TSIGTriplet& tt, size_t maxReceivedBytes, const ComboAddress& localAddress)
+shared_ptr<SOARecordContent> loadRPZFromServer(const ComboAddress& master, const DNSName& zoneName, std::shared_ptr<DNSFilterEngine::Zone> zone, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL, const TSIGTriplet& tt, size_t maxReceivedBytes, const ComboAddress& localAddress)
  {
-  L<<Logger::Warning<<"Loading RPZ zone '"<<zone<<"' from "<<master.toStringWithPort()<<endl;
+  L<<Logger::Warning<<"Loading RPZ zone '"<<zoneName<<"' from "<<master.toStringWithPort()<<endl;
    if(!tt.name.empty())
      L<<Logger::Warning<<"With TSIG key '"<<tt.name<<"' of algorithm '"<<tt.algo<<"'"<<endl;
  
@@ -184,7 +184,7 @@ shared_ptr<SOARecordContent> loadRPZFromServer(const ComboAddress& master, const
    if (local == ComboAddress())
      local = getQueryLocalAddress(master.sin4.sin_family, 0);
  
-  AXFRRetriever axfr(master, zone, tt, &local, maxReceivedBytes);
+  AXFRRetriever axfr(master, zoneName, tt, &local, maxReceivedBytes);
    unsigned int nrecords=0;
    Resolver::res_t nop;
    vector<DNSRecord> chunk;
@@ -196,13 +196,13 @@ shared_ptr<SOARecordContent> loadRPZFromServer(const ComboAddress& master, const
         continue;
        }
  
-      dr.d_name.makeUsRelative(zone);
+      dr.d_name.makeUsRelative(zoneName);
        if(dr.d_type==QType::SOA) {
         sr = getRR<SOARecordContent>(dr);
         continue;
        }
  
-      RPZRecordToPolicy(dr, target, true, defpol, maxTTL, place);
+      RPZRecordToPolicy(dr, zone, true, defpol, maxTTL);
        nrecords++;
      } 
      if(last != time(0)) {
@@ -215,7 +215,7 @@ shared_ptr<SOARecordContent> loadRPZFromServer(const ComboAddress& master, const
  }
  
  // this function is silent - you do the logging
-int loadRPZFromFile(const std::string& fname, DNSFilterEngine& target, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL, size_t place)
+void loadRPZFromFile(const std::string& fname, std::shared_ptr<DNSFilterEngine::Zone> zone, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL)
  {
    ZoneParserTNG zpt(fname);
    DNSResourceRecord drr;
@@ -233,13 +233,11 @@ int loadRPZFromFile(const std::string& fname, DNSFilterEngine& target, boost::op
        }
        else {
         dr.d_name=dr.d_name.makeRelative(domain);
-       RPZRecordToPolicy(dr, target, true, defpol, maxTTL, place);
+       RPZRecordToPolicy(dr, zone, true, defpol, maxTTL);
        }
      }
      catch(PDNSException& pe) {
        throw PDNSException("Issue parsing '"+drr.qname.toString()+"' '"+drr.content+"' at "+zpt.getLineOfFile()+": "+pe.reason);
      }
    }
-  
-  return place;
  }
diff --git a/pdns/rpzloader.hh b/pdns/rpzloader.hh

index 6026361bb9404be2b14e40fc569df5141086e6fb..83a367275a9964c83c22e419502be742007efcd0 100644 (file)
--- a/pdns/rpzloader.hh
+++ b/pdns/rpzloader.hh
@@ -24,7 +24,7 @@
  #include <string>
  #include "dnsrecords.hh"
  
-int loadRPZFromFile(const std::string& fname, DNSFilterEngine& target, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL, size_t place);
-std::shared_ptr<SOARecordContent> loadRPZFromServer(const ComboAddress& master, const DNSName& zone, DNSFilterEngine& target, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL, size_t place, const TSIGTriplet& tt, size_t maxReceivedBytes, const ComboAddress& localAddress);
-void RPZRecordToPolicy(const DNSRecord& dr, DNSFilterEngine& target, bool addOrRemove, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL, size_t place);
-void RPZIXFRTracker(const ComboAddress& master, const DNSName& zone, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL, size_t polZone, const TSIGTriplet &tt, shared_ptr<SOARecordContent> oursr, size_t maxReceivedBytes, const ComboAddress& localAddress);
+void loadRPZFromFile(const std::string& fname, std::shared_ptr<DNSFilterEngine::Zone> zone, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL);
+std::shared_ptr<SOARecordContent> loadRPZFromServer(const ComboAddress& master, const DNSName& zoneName, std::shared_ptr<DNSFilterEngine::Zone> zone, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL, const TSIGTriplet& tt, size_t maxReceivedBytes, const ComboAddress& localAddress);
+void RPZRecordToPolicy(const DNSRecord& dr, std::shared_ptr<DNSFilterEngine::Zone> zone, bool addOrRemove, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL);
+void RPZIXFRTracker(const ComboAddress& master, const DNSName& zoneName, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL, size_t polZone, const TSIGTriplet &tt, shared_ptr<SOARecordContent> oursr, size_t maxReceivedBytes, const ComboAddress& localAddress);
author	Remi Gacogne <remi.gacogne@powerdns.com>
	Thu, 6 Apr 2017 12:21:32 +0000 (14:21 +0200)
committer	Remi Gacogne <remi.gacogne@powerdns.com>
	Wed, 26 Apr 2017 09:34:22 +0000 (11:34 +0200)
pdns/filterpo.cc		patch \| blob \| blame \| history
pdns/filterpo.hh		patch \| blob \| blame \| history
pdns/rec-lua-conf.cc		patch \| blob \| blame \| history
pdns/recursordist/test-syncres_cc.cc		patch \| blob \| blame \| history
pdns/reczones.cc		patch \| blob \| blame \| history
pdns/rpzloader.cc		patch \| blob \| blame \| history
pdns/rpzloader.hh		patch \| blob \| blame \| history