1 From 094bfaeb4ff69cae99387bc2ea07ff57632c89f5 Mon Sep 17 00:00:00 2001
2 From: Mathias Kresin <dev@kresin.me>
3 Date: Sun, 24 Jul 2016 14:15:22 +0100
4 Subject: [PATCH] auth-zone: allow to exclude ip addresses from answer.
7 man/dnsmasq.8 | 6 +++++-
8 src/auth.c | 61 ++++++++++++++++++++++++++++++++++++---------------------
10 src/option.c | 21 ++++++++++++++++++--
11 4 files changed, 64 insertions(+), 25 deletions(-)
13 diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
14 index ac8d921..8910947 100644
17 @@ -739,7 +739,7 @@ a return code of SERVFAIL. Note that
18 setting this may affect DNS behaviour in bad ways, it is not an
19 extra-logging flag and should not be set in production.
21 -.B --auth-zone=<domain>[,<subnet>[/<prefix length>][,<subnet>[/<prefix length>].....]]
22 +.B --auth-zone=<domain>[,<subnet>[/<prefix length>][,<subnet>[/<prefix length>].....][,exclude:<subnet>[/<prefix length>]].....]
23 Define a DNS zone for which dnsmasq acts as authoritative server. Locally defined DNS records which are in the domain
24 will be served. If subnet(s) are given, A and AAAA records must be in one of the
26 @@ -756,6 +756,10 @@ appear in the zone, but RFC1918 IPv4 addresses which should not.
27 Interface-name and address-literal subnet specifications may be used
28 freely in the same --auth-zone declaration.
30 +It's possible to exclude certain IP addresses from responses. It can be
31 +used, to make sure that answers contain only global routeable IP
32 +addresses (by excluding loopback, RFC1918 and ULA addresses).
34 The subnet(s) are also used to define in-addr.arpa and
35 ip6.arpa domains which are served for reverse-DNS queries. If not
36 specified, the prefix length defaults to 24 for IPv4 and 64 for IPv6.
37 diff --git a/src/auth.c b/src/auth.c
38 index 3c5c37f..f1ca2f5 100644
45 -static struct addrlist *find_subnet(struct auth_zone *zone, int flag, struct all_addr *addr_u)
46 +static struct addrlist *find_addrlist(struct addrlist *list, int flag, struct all_addr *addr_u)
48 - struct addrlist *subnet;
50 - for (subnet = zone->subnet; subnet; subnet = subnet->next)
52 - if (!(subnet->flags & ADDRLIST_IPV6))
54 - struct in_addr netmask, addr = addr_u->addr.addr4;
56 - if (!(flag & F_IPV4))
59 - netmask.s_addr = htonl(~(in_addr_t)0 << (32 - subnet->prefixlen));
61 - if (is_same_net(addr, subnet->addr.addr.addr4, netmask))
65 + if (!(list->flags & ADDRLIST_IPV6))
67 + struct in_addr netmask, addr = addr_u->addr.addr4;
69 + if (!(flag & F_IPV4))
72 + netmask.s_addr = htonl(~(in_addr_t)0 << (32 - list->prefixlen));
74 + if (is_same_net(addr, list->addr.addr.addr4, netmask))
78 - else if (is_same_net6(&(addr_u->addr.addr6), &subnet->addr.addr.addr6, subnet->prefixlen))
80 + else if (is_same_net6(&(addr_u->addr.addr6), &list->addr.addr.addr6, list->prefixlen))
86 + } while ((list = list->next));
91 +static struct addrlist *find_subnet(struct auth_zone *zone, int flag, struct all_addr *addr_u)
96 + return find_addrlist(zone->subnet, flag, addr_u);
99 +static struct addrlist *find_exclude(struct auth_zone *zone, int flag, struct all_addr *addr_u)
101 + if (!zone->exclude)
104 + return find_addrlist(zone->exclude, flag, addr_u);
107 static int filter_zone(struct auth_zone *zone, int flag, struct all_addr *addr_u)
109 - /* No zones specified, no filter */
110 + if (find_exclude(zone, flag, addr_u))
113 + /* No subnets specified, no filter */
117 diff --git a/src/dnsmasq.h b/src/dnsmasq.h
118 index 2bda5d0..27385a9 100644
121 @@ -340,6 +340,7 @@ struct auth_zone {
122 struct auth_name_list *next;
124 struct addrlist *subnet;
125 + struct addrlist *exclude;
126 struct auth_zone *next;
129 diff --git a/src/option.c b/src/option.c
130 index d8c57d6..6cedef3 100644
133 @@ -1906,6 +1906,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
134 new = opt_malloc(sizeof(struct auth_zone));
135 new->domain = opt_string_alloc(arg);
137 + new->exclude = NULL;
138 new->interface_names = NULL;
139 new->next = daemon->auth_zones;
140 daemon->auth_zones = new;
141 @@ -1913,6 +1914,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
142 while ((arg = comma))
145 + int is_exclude = 0;
147 struct addrlist *subnet = NULL;
148 struct all_addr addr;
149 @@ -1923,6 +1925,12 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
150 if (prefix && !atoi_check(prefix, &prefixlen))
153 + if (strstr(arg, "exclude:") == arg)
159 if (inet_pton(AF_INET, arg, &addr.addr.addr4))
161 subnet = opt_malloc(sizeof(struct addrlist));
162 @@ -1960,8 +1968,17 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
166 - subnet->next = new->subnet;
167 - new->subnet = subnet;
171 + subnet->next = new->exclude;
172 + new->exclude = subnet;
176 + subnet->next = new->subnet;
177 + new->subnet = subnet;