From: Remi Gacogne
Date: Fri, 15 Apr 2022 10:19:46 +0000 (+0200)
Subject: dnsdist: Properly use eBPF when the DynBlock is not set
X-Git-Tag: auth-4.8.0-alpha0~129^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F11544%2Fhead;p=thirdparty%2Fpdns.git
dnsdist: Properly use eBPF when the DynBlock is not set
When the DynBlock rule does not set a specific action we use the default one, set with `setDynBlocksAction()`, so we should follow the same logic when determining whether to insert an eBPF block.
---
diff --git a/pdns/dnsdist.cc b/pdns/dnsdist.cc
index 5a4a2ddaa8..c638c21100 100644
--- a/pdns/dnsdist.cc
+++ b/pdns/dnsdist.cc
@@ -138,9 +138,6 @@ Rings g_rings;
 QueryCount g_qcount;
 GlobalStateHolder g_dstates;
-GlobalStateHolder> g_dynblockNMG;
-GlobalStateHolder> g_dynblockSMT;
-DNSAction::Action g_dynBlockAction = DNSAction::Action::Drop;
 bool g_servFailOnNoPolicy{false};
 bool g_truncateTC{false};
diff --git a/pdns/dnsdistdist/dnsdist-dynblocks.cc b/pdns/dnsdistdist/dnsdist-dynblocks.cc
index 3aa0078308..30d4f2ccfd 100644
--- a/pdns/dnsdistdist/dnsdist-dynblocks.cc
+++ b/pdns/dnsdistdist/dnsdist-dynblocks.cc
@@ -2,6 +2,10 @@
 #include "dnsdist.hh"
 #include "dnsdist-dynblocks.hh"
+GlobalStateHolder> g_dynblockNMG;
+GlobalStateHolder> g_dynblockSMT;
+DNSAction::Action g_dynBlockAction = DNSAction::Action::Drop;
+
 void DynBlockRulesGroup::apply(const struct timespec& now)
 {
 counts_t counts;
@@ -174,6 +178,18 @@ bool DynBlockRulesGroup::checkIfResponseCodeMatches(const Rings::Response& respo
 return false;
 }
+/* return the actual action that will be taken by that block: - either the one set on that block, if any - or the one set with setDynBlocksAction in g_dynBlockAction
+*/
+static DNSAction::Action getActualAction(const DynBlock& block)
+{
+ if (block.action != DNSAction::Action::None) {
+ return block.action;
+ }
+ return g_dynBlockAction;
+}
+
 void DynBlockRulesGroup::addOrRefreshBlock(boost::optional >& blocks, const struct timespec& now, const AddressAndPortRange& requestor, const DynBlockRule& rule, bool& updated, bool warning)
 {
 /* network exclusions are address-based only (no port) */
@@ -224,14 +240,15 @@ void DynBlockRulesGroup::addOrRefreshBlock(boost::optionalsupportsMatchAction(action)) {
+ BPFFilter::MatchAction bpfAction = actualAction == DNSAction::Action::Drop ? BPFFilter::MatchAction::Drop : BPFFilter::MatchAction::Truncate;
+ if (g_defaultBPFFilter->supportsMatchAction(bpfAction)) {
 /* the current BPF filter implementation only supports full addresses (/32 or /128) and no port */
- g_defaultBPFFilter->block(requestor.getNetwork(), action);
+ g_defaultBPFFilter->block(requestor.getNetwork(), bpfAction);
 bpf = true;
 }
 }
diff --git a/pdns/dnsdistdist/test-dnsdistdynblocks_hh.cc b/pdns/dnsdistdist/test-dnsdistdynblocks_hh.cc
index bfb9c87e84..6640ef08f0 100644
--- a/pdns/dnsdistdist/test-dnsdistdynblocks_hh.cc
+++ b/pdns/dnsdistdist/test-dnsdistdynblocks_hh.cc
@@ -9,8 +9,6 @@
 #include "dnsdist-rings.hh"
 Rings g_rings;
-GlobalStateHolder> g_dynblockNMG;
-GlobalStateHolder> g_dynblockSMT;
 shared_ptr g_defaultBPFFilter{nullptr};
 BOOST_AUTO_TEST_SUITE(dnsdistdynblocks_hh)
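Review bot: `getActualAction` reads the plain global `g_dynBlockAction` (now defined at the top of this file) with no synchronization, and the header comment does not say when that global may change. If `setDynBlocksAction()` can be invoked at runtime while worker threads are inside `addOrRefreshBlock`, this read is a data race; I cannot tell from this page whether the setter is configuration-time only, so please confirm. If it is, make that contract explicit in the comment, e.g. `/* reads g_dynBlockAction unlocked: setDynBlocksAction() must only run at configuration time */`; if it is not, the global should become an atomic or be read under the same lock the setter takes. It would also help to state in the comment that `DNSAction::Action::None` is the "unset" marker for a DynBlock rather than a real action.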
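Review bot: The new line `BPFFilter::MatchAction bpfAction = actualAction == DNSAction::Action::Drop ? BPFFilter::MatchAction::Drop : BPFFilter::MatchAction::Truncate;` maps every effective action other than Drop to a kernel-side Truncate, so unless an earlier condition in this hunk (garbled on this page) already limits the eBPF path to Drop and Truncate, a rule whose effective action is for instance NoOp or Refused would be enforced in the kernel as truncation and never reach the userspace action at all. If no such guard exists, wrap the eBPF insertion explicitly: `if (actualAction == DNSAction::Action::Drop || actualAction == DNSAction::Action::Truncate) {` before computing `bpfAction`. Either way, a one-line comment stating which effective actions are eligible for kernel-side enforcement would make the intent reviewable. The body of `addOrRefreshBlock` starts before this hunk, so the surrounding condition is not visible here.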