From: Remi Gacogne
Date: Tue, 24 Dec 2024 11:17:36 +0000 (+0100)
Subject: dnsdist: Stop using `LimitTTLResponseAction` to limit TTL
X-Git-Tag: dnsdist-2.0.0-alpha1~160^2~41
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d8042f9d4535ba4ee4a8b430d9bead0cde129fbc;p=thirdparty%2Fpdns.git
dnsdist: Stop using `LimitTTLResponseAction` to limit TTL
---
diff --git a/pdns/dnsdistdist/dnsdist-dnsparser.cc b/pdns/dnsdistdist/dnsdist-dnsparser.cc
index bfe0be3e07..81db3d9151 100644
--- a/pdns/dnsdistdist/dnsdist-dnsparser.cc
+++ b/pdns/dnsdistdist/dnsdist-dnsparser.cc
@@ -213,6 +213,28 @@ namespace PacketMangling
 memcpy(packet, &header, sizeof(header));
 return true;
 }
+
+ void restrictDNSPacketTTLs(PacketBuffer& packet, uint32_t minimumValue, uint32_t maximumValue, const std::unordered_set& types)
+ {
+ auto visitor = [minimumValue, maximumValue, types](uint8_t section, uint16_t qclass, uint16_t qtype, uint32_t ttl) {
+ if (!types.empty() && qclass == QClass::IN && types.count(qtype) == 0) {
+ return ttl;
+ }
+
+ if (minimumValue > 0) {
+ if (ttl < minimumValue) {
+ ttl = minimumValue;
+ }
+ }
+ if (ttl > maximumValue) {
+ ttl = maximumValue;
+ }
+ return ttl;
+ };
+ // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast)
+ editDNSPacketTTL(reinterpret_cast(packet.data()), packet.size(), visitor);
+ }
+
 }
 void setResponseHeadersFromConfig(dnsheader& dnsheader, const ResponseConfig& config)
diff --git a/pdns/dnsdistdist/dnsdist-dnsparser.hh b/pdns/dnsdistdist/dnsdist-dnsparser.hh
index 67d74a3442..cbb0ff79ea 100644
--- a/pdns/dnsdistdist/dnsdist-dnsparser.hh
+++ b/pdns/dnsdistdist/dnsdist-dnsparser.hh
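Review bot: The visitor lambda in restrictDNSPacketTTLs captures `types` by value, so the whole `std::unordered_set` is copied every time a response is capped, whereas the removed header version captured by reference; `[minimumValue, maximumValue, &types]` avoids the copy and is as safe as the old `[&]` capture, which already relied on editDNSPacketTTL not retaining the visitor. The function also leaves two edge cases undocumented: when `minimumValue > maximumValue` the TTL is first raised to the minimum and then clamped, so the maximum silently wins, and `maximumValue == 0` rewrites every non-zero TTL to 0 rather than disabling the cap — callers in dnsdist-lua-ffi.cc pass Lua-supplied min/max straight through, and dnsdist.cc has to guard on `ttlCap > 0` for exactly this reason. A doc comment on the declaration in dnsdist-dnsparser.hh would pin that down, e.g. `/// Clamp every record TTL into [minimumValue, maximumValue]; minimumValue 0 disables the lower bound, a non-empty types set leaves IN-class records of unlisted types untouched, and when minimumValue > maximumValue the maximum wins.`. Finally, the outer `if (minimumValue > 0)` is redundant for an unsigned comparison and can be dropped, leaving `if (ttl < minimumValue) { ttl = minimumValue; }`.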
@@ -59,6 +59,7 @@ namespace PacketMangling
 {
 bool editDNSHeaderFromPacket(PacketBuffer& packet, const std::function& editFunction);
 bool editDNSHeaderFromRawPacket(void* packet, const std::function& editFunction);
+ void restrictDNSPacketTTLs(PacketBuffer& packet, uint32_t minimumValue, uint32_t maximumValue = std::numeric_limits::max(), const std::unordered_set& types = {});
 }
 struct ResponseConfig
diff --git a/pdns/dnsdistdist/dnsdist-lua-actions.cc b/pdns/dnsdistdist/dnsdist-lua-actions.cc
index 8f7b3a674b..17bc184dc6 100644
--- a/pdns/dnsdistdist/dnsdist-lua-actions.cc
+++ b/pdns/dnsdistdist/dnsdist-lua-actions.cc
@@ -131,6 +131,49 @@ private:
 int d_msec;
 };
+class LimitTTLResponseAction : public DNSResponseAction, public boost::noncopyable
+{
+public:
+ LimitTTLResponseAction() {}
+
+ LimitTTLResponseAction(uint32_t min, uint32_t max = std::numeric_limits::max(), const std::unordered_set& types = {}) :
+ d_types(types), d_min(min), d_max(max)
+ {
+ }
+
+ DNSResponseAction::Action operator()(DNSResponse* dr, std::string* ruleresult) const override
+ {
+ dnsdist::PacketMangling::restrictDNSPacketTTLs(dr->getMutableData(), d_min, d_max, d_types);
+ return DNSResponseAction::Action::None;
+ }
+
+ std::string toString() const override
+ {
+ std::string result = "limit ttl (" + std::to_string(d_min) + " <= ttl <= " + std::to_string(d_max);
+ if (!d_types.empty()) {
+ bool first = true;
+ result += ", types in [";
+ for (const auto& type : d_types) {
+ if (first) {
+ first = false;
+ }
+ else {
+ result += " ";
+ }
+ result += type.toString();
+ }
+ result += "]";
+ }
+ result += +")";
+ return result;
+ }
+
+private:
+ std::unordered_set d_types;
+ uint32_t d_min{0};
+ uint32_t d_max{std::numeric_limits::max()};
+};
+
 class TeeAction : public DNSAction
 {
 public:
diff --git a/pdns/dnsdistdist/dnsdist-lua-ffi.cc b/pdns/dnsdistdist/dnsdist-lua-ffi.cc
index 913f8d0572..4cff7f35be 100644
--- a/pdns/dnsdistdist/dnsdist-lua-ffi.cc
+++ b/pdns/dnsdistdist/dnsdist-lua-ffi.cc
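Review bot: In LimitTTLResponseAction::toString the line `result += +")";` applies unary plus to a string literal, which only decays it to `const char*` and reads like a leftover typo; `result += ")";` is the intended form. Since the class is being relocated into this file anyway, `LimitTTLResponseAction() {}` can become `LimitTTLResponseAction() = default;`, and the `ruleresult` parameter of `operator()`, which the body never reads, can be left unnamed or marked `[[maybe_unused]]` so it does not trip unused-parameter warnings. `operator()` also dereferences `dr` unconditionally; that matches the old header version, so it presumably relies on the rule engine never passing null, but a one-line comment saying so would save the next reader the check.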
@@ -789,9 +789,7 @@ void dnsdist_ffi_dnsresponse_set_max_ttl(dnsdist_ffi_dnsresponse_t* dr, uint32_t
 void dnsdist_ffi_dnsresponse_limit_ttl(dnsdist_ffi_dnsresponse_t* dr, uint32_t min, uint32_t max)
 {
 if (dr != nullptr && dr->dr != nullptr) {
- std::string result;
- LimitTTLResponseAction ac(min, max);
- ac(dr->dr, &result);
+ dnsdist::PacketMangling::restrictDNSPacketTTLs(dr->dr->getMutableData(), min, max);
 }
 }
diff --git a/pdns/dnsdistdist/dnsdist-lua.hh b/pdns/dnsdistdist/dnsdist-lua.hh
index e2be6dca1e..4fc06767c2 100644
--- a/pdns/dnsdistdist/dnsdist-lua.hh
+++ b/pdns/dnsdistdist/dnsdist-lua.hh
@@ -102,64 +102,6 @@ private:
 std::optional d_rawTypeForAny{};
 };
-class LimitTTLResponseAction : public DNSResponseAction, public boost::noncopyable
-{
-public:
- LimitTTLResponseAction() {}
-
- LimitTTLResponseAction(uint32_t min, uint32_t max = std::numeric_limits::max(), const std::unordered_set& types = {}) :
- d_types(types), d_min(min), d_max(max)
- {
- }
-
- DNSResponseAction::Action operator()(DNSResponse* dr, std::string* ruleresult) const override
- {
- auto visitor = [&](uint8_t section, uint16_t qclass, uint16_t qtype, uint32_t ttl) {
- if (!d_types.empty() && qclass == QClass::IN && d_types.count(qtype) == 0) {
- return ttl;
- }
-
- if (d_min > 0) {
- if (ttl < d_min) {
- ttl = d_min;
- }
- }
- if (ttl > d_max) {
- ttl = d_max;
- }
- return ttl;
- };
- editDNSPacketTTL(reinterpret_cast(dr->getMutableData().data()), dr->getData().size(), visitor);
- return DNSResponseAction::Action::None;
- }
-
- std::string toString() const override
- {
- std::string result = "limit ttl (" + std::to_string(d_min) + " <= ttl <= " + std::to_string(d_max);
- if (!d_types.empty()) {
- bool first = true;
- result += ", types in [";
- for (const auto& type : d_types) {
- if (first) {
- first = false;
- }
- else {
- result += " ";
- }
- result += type.toString();
- }
- result += "]";
- }
- result += +")";
- return result;
- }
-
-private:
- std::unordered_set d_types;
- uint32_t d_min{0};
- uint32_t d_max{std::numeric_limits::max()};
-};
-
 template
 using LuaArray = std::vector>;
 template
diff --git a/pdns/dnsdistdist/dnsdist.cc b/pdns/dnsdistdist/dnsdist.cc
index 99c8700b24..ee4f4d3316 100644
--- a/pdns/dnsdistdist/dnsdist.cc
+++ b/pdns/dnsdistdist/dnsdist.cc
@@ -520,9 +520,7 @@ bool processResponseAfterRules(PacketBuffer& response, DNSResponse& dnsResponse,
 }
 if (dnsResponse.ids.ttlCap > 0) {
- std::string result;
- LimitTTLResponseAction lrac(0, dnsResponse.ids.ttlCap, {});
- lrac(&dnsResponse, &result);
+ dnsdist::PacketMangling::restrictDNSPacketTTLs(dnsResponse.getMutableData(), 0, dnsResponse.ids.ttlCap);
 }
 if (dnsResponse.ids.d_extendedError) {
@@ -1348,9 +1346,7 @@ static bool prepareOutgoingResponse(const ClientState& clientState, DNSQuestion&
 }
 if (dnsResponse.ids.ttlCap > 0) {
- std::string result;
- LimitTTLResponseAction ltrac(0, dnsResponse.ids.ttlCap, {});
- ltrac(&dnsResponse, &result);
+ dnsdist::PacketMangling::restrictDNSPacketTTLs(dnsResponse.getMutableData(), 0, dnsResponse.ids.ttlCap);
 }
 if (dnsResponse.ids.d_extendedError) {
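Review bot: The `if (dnsResponse.ids.ttlCap > 0)` guard around the new restrictDNSPacketTTLs call is load-bearing and deserves a comment, because the helper treats `maximumValue` literally: with `ttlCap == 0` it would clamp every non-zero TTL down to 0 instead of leaving the response alone, so a future cleanup that drops the guard would silently zero TTLs; e.g. `// ttlCap == 0 means "no cap": passing it through would rewrite every TTL to 0`. The same guarded call now appears verbatim in both processResponseAfterRules and prepareOutgoingResponse; a small shared helper taking `DNSResponse&` would keep the two in step if the ttlCap semantics ever change. Applying the clamp twice on one response is harmless since clamping is idempotent, but that is inferred from the helper, not visible here. Both enclosing functions start and end outside these hunks.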