return pol;
}
- for(const auto& qa : z.qpolAddr) {
- if(qa.first.match(ca)) {
- // cerr<<"Had a hit on the IP address ("<<ca.toString()<<") of the client"<<endl;
- return qa.second;
- }
+ if(auto fnd=z.qpolAddr.lookup(ca)) {
+ // cerr<<"Had a hit on the IP address ("<<ca.toString()<<") of the client"<<endl;
+ return fnd->second;
}
}
continue;
for(const auto& z : d_zones) {
- for(const auto& qa : z.postpolAddr) {
- if(qa.first.match(ca)) {
- // cerr<<"Had a hit on IP address in answer"<<endl;
- return qa.second;
- }
- }
+ if(auto fnd=z.postpolAddr.lookup(ca))
+ return fnd->second;
}
}
return Policy{PolicyKind::NoAction};
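Review bot: The rule for overlapping netmasks changes here without being documented. The removed loop returned the first entry, in insertion order, whose mask matched `ca`, while `z.postpolAddr.lookup(ca)` returns whichever single node the tree selects, presumably the most specific prefix. The `z.qpolAddr.lookup(ca)` call in the client-address hunk above has the same change. This decides which policy is enforced when a zone holds both a broad and a narrow netmask, so the class comment in the header should state it, e.g. `// Netmasks: the most specific matching netmask in a zone wins`, once confirmed against NetmaskTree. The enclosing function starts outside this hunk.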
{
if((int)d_zones.size() <= zone)
d_zones.resize(zone+1);
-
}
void DNSFilterEngine::addClientTrigger(const Netmask& nm, Policy pol, int zone)
{
assureZones(zone);
- d_zones[zone].qpolAddr.push_back({nm,pol});
+ d_zones[zone].qpolAddr.insert(nm).second=pol;
}
void DNSFilterEngine::addResponseTrigger(const Netmask& nm, Policy pol, int zone)
{
assureZones(zone);
- d_zones[zone].postpolAddr.push_back({nm,pol});
+ d_zones[zone].postpolAddr.insert(nm).second=pol;
}
void DNSFilterEngine::addQNameTrigger(const DNSName& n, Policy pol, int zone)
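Review bot: `insert(nm).second=pol` in addClientTrigger and addResponseTrigger appears to replace any policy already stored for the same netmask. The old `push_back` kept both entries and the lookup loop returned the earlier one, so a repeated add for one netmask silently moves from first-wins to last-wins. If that is intended, say so above both functions, e.g. `// a later add for the same netmask replaces the earlier policy`. If it is not, the add should leave an existing entry untouched or report the conflict to the caller.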
assureZones(zone);
auto& qpols = d_zones[zone].qpolAddr;
- qpols.erase(remove(qpols.begin(), qpols.end(),pair<Netmask,Policy>(nm,pol)), qpols.end());
+ qpols.erase(nm);
return true;
}
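Review bot: `qpols.erase(nm)` no longer compares `pol`, so rmClientTrigger removes whatever policy is stored for the netmask, where the old `erase(remove(...))` dropped only an exact (netmask, policy) pair. `postpols.erase(nm)` in rmResponseTrigger has the same change. A removal that carries a stale or different policy would now delete the policy currently in force for that netmask, and the function still returns `true` whether or not anything was removed. Either compare the stored policy before erasing, or document the new contract at both functions, e.g. `// removes the entry for nm regardless of pol`, and leave the now-unused `pol` parameter unnamed. The function signature is outside this hunk.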
{
assureZones(zone);
auto& postpols = d_zones[zone].postpolAddr;
- postpols.erase(remove(postpols.begin(), postpols.end(),pair<Netmask,Policy>(nm,pol)), postpols.end());
+ postpols.erase(nm);
return true;
}
Verbatim domain names
Wildcard versions (*.domain.com does NOT match domain.com)
Netmasks (IPv4 and IPv6)
-
Finally, triggers are grouped in different zones. The "first" zone that has a match
is consulted. Then within that zone, rules again have precedences.
*/
Policy getProcessingPolicy(const DNSName& qname) const;
Policy getPostPolicy(const vector<DNSRecord>& records) const;
+ size_t size() {
+ return d_zones.size();
+ }
private:
void assureZones(int zone);
struct Zone {
std::map<DNSName, Policy> qpolName;
- std::vector<pair<Netmask, Policy>> qpolAddr;
+ NetmaskTree<Policy> qpolAddr;
std::map<DNSName, Policy> propolName;
- std::vector<pair<Netmask, Policy>> postpolAddr;
+ NetmaskTree<Policy> postpolAddr;
};
vector<Zone> d_zones;
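Review bot: The new `size()` accessor is not `const`, unlike `getProcessingPolicy` and `getPostPolicy` just above it, so it cannot be called through a const reference to the engine. It only reads `d_zones`, so `size_t size() const {` is enough. A one-line comment such as `// number of zones, including empty ones created by assureZones()` would also make clear that this is a zone count rather than a rule count.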