bool inserted = false;
std::unique_lock<std::mutex> lock(d_mutex);
+ if (d_excludedSubnets.match(addr)) {
+ /* do not add a block for excluded subnets */
+ return inserted;
+ }
+
const container_t::iterator it = d_entries.find(addr);
if (it != d_entries.end()) {
if (it->d_until < until) {
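Review bot: The new exclusion check at the top of block() only prevents new entries from being added; an address that is already present in d_entries when excludeRange() is called stays blocked in the eBPF map until its `d_until` expires, so an operator adding an exclusion at runtime gets no immediate relief for that client. If that is intended, a comment above the check saying so would help, e.g. `/* do not add a block for excluded subnets; existing blocks for them are left to expire */`; otherwise excludeRange() would also need to drop matching entries (and their eBPF blocks) under d_mutex. The body of block() continues outside the hunk.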
~DynBPFFilter()
{
}
+ void excludeRange(const Netmask& range)
+ {
+ d_excludedSubnets.addMask(range);
+ }
+ void includeRange(const Netmask& range)
+ {
+ d_excludedSubnets.addMask(range, false);
+ }
/* returns true if the addr wasn't already blocked, false otherwise */
bool block(const ComboAddress& addr, const struct timespec& until);
void purgeExpired(const struct timespec& now);
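Review bot: excludeRange() and includeRange() mutate d_excludedSubnets without holding d_mutex, while block() reads it via `d_excludedSubnets.match(addr)` under that same mutex; if the Lua bindings added by this commit can be invoked from the console while the filter is in use by worker threads, that is a data race on the NetmaskGroup. Taking the lock in both setters closes it: `std::lock_guard<std::mutex> lock(d_mutex);` as the first statement of each. The comment on block() should also reflect the new early return, e.g. `/* returns true if the addr wasn't already blocked, false otherwise (also false, with nothing inserted, when addr is in an excluded range) */`.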
container_t d_entries;
std::mutex d_mutex;
std::shared_ptr<BPFFilter> d_bpf;
+ NetmaskGroup d_excludedSubnets;
};
#endif /* HAVE_EBPF */
dbpf->purgeExpired(now);
}
});
+
+ g_lua.registerFunction<void(std::shared_ptr<DynBPFFilter>::*)(boost::variant<std::string, std::vector<std::pair<int, std::string>>>)>("excludeRange", [](std::shared_ptr<DynBPFFilter> dbpf, boost::variant<std::string, std::vector<std::pair<int, std::string>>> ranges) {
+ if (ranges.type() == typeid(std::vector<std::pair<int, std::string>>)) {
+ for (const auto& range : *boost::get<std::vector<std::pair<int, std::string>>>(&ranges)) {
+ dbpf->excludeRange(Netmask(range.second));
+ }
+ }
+ else {
+ dbpf->excludeRange(Netmask(*boost::get<std::string>(&ranges)));
+ }
+ });
+
+ g_lua.registerFunction<void(std::shared_ptr<DynBPFFilter>::*)(boost::variant<std::string, std::vector<std::pair<int, std::string>>>)>("includeRange", [](std::shared_ptr<DynBPFFilter> dbpf, boost::variant<std::string, std::vector<std::pair<int, std::string>>> ranges) {
+ if (ranges.type() == typeid(std::vector<std::pair<int, std::string>>)) {
+ for (const auto& range : *boost::get<std::vector<std::pair<int, std::string>>>(&ranges)) {
+ dbpf->includeRange(Netmask(range.second));
+ }
+ }
+ else {
+ dbpf->includeRange(Netmask(*boost::get<std::string>(&ranges)));
+ }
+ });
#endif /* HAVE_EBPF */
}
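Review bot: The two lambdas registered for "excludeRange" and "includeRange" are identical apart from the DynBPFFilter method they call, and each compares `ranges.type()` against `typeid` before dereferencing a `boost::get` pointer; the pointer form of `boost::get` already answers the type question, so `if (const auto* list = boost::get<std::vector<std::pair<int, std::string>>>(&ranges)) {` reads more directly and drops the typeid comparison. Factoring the variant walk into one file-scope helper taking a pointer to member (`void (DynBPFFilter::*)(const Netmask&)`) would leave each binding as a one-liner. Note also that `Netmask(...)` is constructed from strings supplied by the console user; an unparsable netmask throws out of the lambda, which is presumably converted into a Lua error by the binding layer rather than handled here, and it is worth confirming that matches how the other DynBPFFilter bindings behave. The enclosing setup function starts outside the hunk.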
Represents an dynamic eBPF filter, allowing the use of ephemeral rules to an existing eBPF filter.
+ .. method:: DynBPFFilter:excludeRange(netmasks)
+
+ .. versionadded:: 1.3.3
+
+ Exclude this range, or list of ranges, meaning that no dynamic block will ever be inserted for clients in that range. Default to empty, meaning rules are applied to all ranges. When used in combination with :meth:`DynBPFFilter:includeRange`, the more specific entry wins.
+
+ :param int netmasks: A netmask, or list of netmasks, as strings, like for example "192.0.2.1/24"
+
+ .. method:: DynBPFFilter:includeRange(netmasks)
+
+ .. versionadded:: 1.3.3
+
+ Include this range, or list of ranges, meaning that rules will be applied to this range. When used in combination with :meth:`DynBPFFilter:excludeRange`, the more specific entry wins.
+
+ :param int netmasks: A netmask, or list of netmasks, as strings, like for example "192.0.2.1/24"