bool SyncRes::s_noEDNS;
-void accountAuthLatency(int usec, int family)
+static void accountAuthLatency(int usec, int family)
{
if(family == AF_INET) {
if(usec < 1000)
For now this means we can't be clever, but will turn off DNSSEC if you reply with FormError or gibberish.
*/
-int SyncRes::asyncresolveWrapper(const ComboAddress& ip, bool ednsMANDATORY, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, struct timeval* now, boost::optional<Netmask>& srcmask, LWResult* res)
+int SyncRes::asyncresolveWrapper(const ComboAddress& ip, bool ednsMANDATORY, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, struct timeval* now, boost::optional<Netmask>& srcmask, LWResult* res) const
{
/* what is your QUEST?
the goal is to get as many remotes as possible on the highest level of EDNS support
}while(subdomain.chopOff());
}
-SyncRes::domainmap_t::const_iterator SyncRes::getBestAuthZone(DNSName* qname)
+SyncRes::domainmap_t::const_iterator SyncRes::getBestAuthZone(DNSName* qname) const
{
SyncRes::domainmap_t::const_iterator ret;
do {
return false;
}
-bool SyncRes::moreSpecificThan(const DNSName& a, const DNSName &b)
+bool SyncRes::moreSpecificThan(const DNSName& a, const DNSName &b) const
{
return (a.isPartOf(b) && a.countLabels() > b.countLabels());
}
}
-recsig_t harvestRecords(const vector<DNSRecord>& records, const set<uint16_t>& types)
+static recsig_t harvestRecords(const vector<DNSRecord>& records, const set<uint16_t>& types)
{
recsig_t ret;
for(const auto& rec : records) {
}
}
-bool SyncRes::nameserversBlockedByRPZ(const NsSet& nameservers)
+bool SyncRes::nameserversBlockedByRPZ(const DNSFilterEngine& dfe, const NsSet& nameservers)
{
if(d_wantsRPZ) {
for (auto const &ns : nameservers) {
- d_appliedPolicy = g_luaconfs.getLocal()->dfe.getProcessingPolicy(ns.first, d_discardedPolicies);
+ d_appliedPolicy = dfe.getProcessingPolicy(ns.first, d_discardedPolicies);
if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) { // client query needs an RPZ response
LOG(", however nameserver "<<ns.first<<" was blocked by RPZ policy '"<<(d_appliedPolicy.d_name ? *d_appliedPolicy.d_name : "")<<"'"<<endl);
return true;
// Traverse all IP addresses for this NS to see if they have an RPN NSIP policy
for (auto const &address : ns.second.first) {
- d_appliedPolicy = g_luaconfs.getLocal()->dfe.getProcessingPolicy(address, d_discardedPolicies);
+ d_appliedPolicy = dfe.getProcessingPolicy(address, d_discardedPolicies);
if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) { // client query needs an RPZ response
LOG(", however nameserver "<<ns.first<<" IP address "<<address.toString()<<" was blocked by RPZ policy '"<<(d_appliedPolicy.d_name ? *d_appliedPolicy.d_name : "")<<"'"<<endl);
return true;
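Review bot: The new `dfe` parameter of `nameserversBlockedByRPZ`, and likewise of `nameserverIPBlockedByRPZ` in the following hunk, is a reference whose lifetime the callee does not control, and nothing in either definition or in the header declaration says who keeps the engine alive. From the caller visible further down it appears to be `luaconfsLocal->dfe`, i.e. the caller's configuration snapshot, so the contract is that the caller holds that snapshot for the duration of the call; a comment on the definition would pin it: `// dfe must outlive this call; callers pass it from a g_luaconfs snapshot they keep alive for the whole resolution step`. Both methods still write `d_appliedPolicy` and `d_discardedPolicies` on every match, so unlike the other methods made `const` in this change they cannot be, which is worth a sentence in the same comment so nobody attempts it later. The header hunk also leaves the `ComboAddress` parameter unnamed where the definition calls it `remoteIP`; naming it identically would help readers match the two.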
return false;
}
-bool SyncRes::nameserverIPBlockedByRPZ(const ComboAddress& remoteIP)
+bool SyncRes::nameserverIPBlockedByRPZ(const DNSFilterEngine& dfe, const ComboAddress& remoteIP)
{
if (d_wantsRPZ) {
- d_appliedPolicy = g_luaconfs.getLocal()->dfe.getProcessingPolicy(remoteIP, d_discardedPolicies);
+ d_appliedPolicy = dfe.getProcessingPolicy(remoteIP, d_discardedPolicies);
if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) {
LOG(" (blocked by RPZ policy '"+(d_appliedPolicy.d_name ? *d_appliedPolicy.d_name : "")+"')");
return true;
vector<DNSRecord>&ret,
unsigned int depth, set<GetBestNSAnswer>&beenthere)
{
+ auto luaconfsLocal = g_luaconfs.getLocal();
string prefix;
if(doLog()) {
prefix=d_prefix;
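Review bot: The hoisted `luaconfsLocal` on the added line changes when a configuration reload becomes visible: every RPZ lookup in this function now reads the same `DNSFilterEngine` generation, whereas the replaced per-call `g_luaconfs.getLocal()` could observe a newer policy set between the NS-name check and the NS-IP check in the later hunks. That is the safer behaviour for a policy decision, since one resolution step can no longer be evaluated half against the old rule set and half against the new one, but nothing on the page records the intent; a comment would keep the next maintainer from re-inlining the calls: `// one config snapshot for the whole step, so every RPZ check below sees the same policy set`. The snapshot is also taken when `d_wantsRPZ` is false (the `if (d_wantsRPZ)` guard appears only in the later hunk), which looks cheap but is worth confirming is intended. The enclosing function's signature starts outside the hunk.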
LOG(prefix<<qname<<": Cache consultations done, have "<<(unsigned int)nameservers.size()<<" NS to contact");
- if (nameserversBlockedByRPZ(nameservers)) {
+ if (nameserversBlockedByRPZ(luaconfsLocal->dfe, nameservers)) {
return -2;
}
LOG(", ");
}
LOG(remoteIP->toString());
- if(nameserverIPBlockedByRPZ(*remoteIP)) {
+ if(nameserverIPBlockedByRPZ(luaconfsLocal->dfe, *remoteIP)) {
hitPolicy = true;
}
}
nameservers.clear();
for (auto const &nameserver : nsset) {
if (d_wantsRPZ) {
- d_appliedPolicy = g_luaconfs.getLocal()->dfe.getProcessingPolicy(nameserver, d_discardedPolicies);
+ d_appliedPolicy = luaconfsLocal->dfe.getProcessingPolicy(nameserver, d_discardedPolicies);
if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) { // client query needs an RPZ response
LOG("however "<<nameserver<<" was blocked by RPZ policy '"<<(d_appliedPolicy.d_name ? *d_appliedPolicy.d_name : "")<<"'"<<endl);
return -2;
};
typedef map<pair<DNSName,uint16_t>, BothRecordsAndSignatures> recsig_t;
-recsig_t harvestRecords(const std::vector<DNSRecord>& records, const std::set<uint16_t>& types);
-
-
struct NegCacheEntry
{
DNSName d_name;
d_lm = lm;
}
- bool doLog()
+ bool doLog() const
{
return d_lm != LogNone;
}
d_skipCNAMECheck = skip;
}
- int asyncresolveWrapper(const ComboAddress& ip, bool ednsMANDATORY, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, struct timeval* now, boost::optional<Netmask>& srcmask, LWResult* res);
+ int asyncresolveWrapper(const ComboAddress& ip, bool ednsMANDATORY, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, struct timeval* now, boost::optional<Netmask>& srcmask, LWResult* res) const;
static void doEDNSDumpAndClose(int fd);
unsigned int depth, set<GetBestNSAnswer>&beenthere);
int doResolve(const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, set<GetBestNSAnswer>& beenthere);
bool doOOBResolve(const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, int &res);
- domainmap_t::const_iterator getBestAuthZone(DNSName* qname);
+ domainmap_t::const_iterator getBestAuthZone(DNSName* qname) const;
bool doCNAMECacheCheck(const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, int &res);
bool doCacheCheck(const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, int &res);
void getBestNSFromCache(const DNSName &qname, const QType &qtype, vector<DNSRecord>&bestns, bool* flawedNSSet, unsigned int depth, set<GetBestNSAnswer>& beenthere);
DNSName getBestNSNamesFromCache(const DNSName &qname, const QType &qtype, NsSet& nsset, bool* flawedNSSet, unsigned int depth, set<GetBestNSAnswer>&beenthere);
inline vector<DNSName> shuffleInSpeedOrder(NsSet &nameservers, const string &prefix);
- bool moreSpecificThan(const DNSName& a, const DNSName &b);
+ bool moreSpecificThan(const DNSName& a, const DNSName &b) const;
vector<ComboAddress> getAddrs(const DNSName &qname, unsigned int depth, set<GetBestNSAnswer>& beenthere);
- bool nameserversBlockedByRPZ(const NsSet& nameservers);
- bool nameserverIPBlockedByRPZ(const ComboAddress&);
+ bool nameserversBlockedByRPZ(const DNSFilterEngine& dfe, const NsSet& nameservers);
+ bool nameserverIPBlockedByRPZ(const DNSFilterEngine& dfe, const ComboAddress&);
bool throttledOrBlocked(const std::string& prefix, const ComboAddress& remoteIP, const DNSName& qname, const QType& qtype, bool pierceDontQuery);
vector<ComboAddress> retrieveAddressesForNS(const std::string& prefix, const DNSName& qname, vector<DNSName >::const_iterator& tns, const unsigned int depth, set<GetBestNSAnswer>& beenthere, const vector<DNSName >& rnameservers, NsSet& nameservers, bool& sendRDQuery, bool& pierceDontQuery, bool& flawedNSSet);