git.ipfire.org Git - thirdparty/pdns.git/commit

author	Remi Gacogne <remi.gacogne@powerdns.com>
	Mon, 4 May 2026 12:38:58 +0000 (14:38 +0200)
committer	Remi Gacogne <remi.gacogne@powerdns.com>
	Mon, 4 May 2026 12:38:58 +0000 (14:38 +0200)
commit	25cc156cc20953779dfcd6fe40071bdc3b2129df
tree	3ee36ca511af53f8d6260d9ac4e920b41c803ed7	tree \| snapshot
parent	e448c772e59577ef31f8ad6c3dbcb2bf62f8777e	commit \| diff

dnsdist: Fix `BPFFilter::addRangeRule`

Reported by Prasanna Dabi (thanks!):
"The eBPF DDoS mitigation implementation in dnsdist contains a critical logic error that prevents new range-based block rules from being applied. When the BPFFilter::addRangeRule() function is called to block a subnet, it first checks the eBPF map to determine if the rule already exists. If the subnet is not currently in the map, the bpf_lookup_elem call returns -1. In this failure state, the local CounterAndActionValue value struct remains in its default, zeroed-out state, where the action field is automatically set to BPFFilter::MatchAction::Pass.

The conditional check intended to skip redundant rules contains a logic typo: it evaluates value.action == BPFFilter::MatchAction::Pass instead of comparing the requested action parameter.Because the default state of the unpopulated struct is always Pass, the condition (res == -1 && value.action == BPFFilter::MatchAction::Pass) evaluates to true for every new rule attempt.This causes the daemon to throw a std::runtime_error and reject the mitigation."

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>

pdns/dnsdistdist/bpf-filter.cc		diff \| blob \| blame \| history
regression-tests.dnsdist/test_EBPF.py		diff \| blob \| blame \| history