block: improved suffix match, added doc
authorMarek Vavruša <marek.vavrusa@nic.cz>
Fri, 3 Jul 2015 14:27:34 +0000 (16:27 +0200)
committerMarek Vavruša <marek.vavrusa@nic.cz>
Fri, 3 Jul 2015 14:27:34 +0000 (16:27 +0200)
modules/block/README.rst
modules/block/block.lua

index 2d2536c915c4622e562b38fdb7a785c92abad65c..cd95296c1f42b7a90e210b8030bccc77a597d235 100644 (file)
@@ -74,6 +74,16 @@ Properties
   
   Policy to block queries based on the QNAME suffix match.
 
+.. function:: block.suffix_common(action, suffix_table[, common_suffix])
+
+  :param action: action if the pattern matches QNAME
+  :param suffix_table: table of valid suffixes
+  :param common_suffix: common suffix of entries in suffix_table
+  
+  Like suffix match, but you can also provide a common suffix of all matches for faster processing (nil otherwise).
+
+.. tip:: If you want to match suffixes only, prefix the strings with `.`, e.g. `.127.in-addr.arpa.` instead of `127.in-addr.arpa`.
+
 .. _`Aho-Corasick`: https://en.wikipedia.org/wiki/Aho%E2%80%93Corasick_string_matching_algorithm
 .. _`@jgrahamc`: https://github.com/jgrahamc/aho-corasick-lua
 
index 776f25364a036121d3348994a5a91f99b0bea3ad..0e59058980e1a54ef686b133f906edacc33242f8 100644 (file)
@@ -6,41 +6,41 @@ local block = {
        -- Private, local, broadcast, test and special zones 
        private_zones = {
                -- RFC1918
-               '10.in-addr.arpa.',
-               '16.172.in-addr.arpa.',
-               '17.172.in-addr.arpa.',
-               '18.172.in-addr.arpa.',
-               '19.172.in-addr.arpa.',
-               '20.172.in-addr.arpa.',
-               '21.172.in-addr.arpa.',
-               '22.172.in-addr.arpa.',
-               '23.172.in-addr.arpa.',
-               '24.172.in-addr.arpa.',
-               '25.172.in-addr.arpa.',
-               '26.172.in-addr.arpa.',
-               '27.172.in-addr.arpa.',
-               '28.172.in-addr.arpa.',
-               '29.172.in-addr.arpa.',
-               '30.172.in-addr.arpa.',
-               '31.172.in-addr.arpa.',
-               '168.192.in-addr.arpa.',
+               '.10.in-addr.arpa.',
+               '.16.172.in-addr.arpa.',
+               '.17.172.in-addr.arpa.',
+               '.18.172.in-addr.arpa.',
+               '.19.172.in-addr.arpa.',
+               '.20.172.in-addr.arpa.',
+               '.21.172.in-addr.arpa.',
+               '.22.172.in-addr.arpa.',
+               '.23.172.in-addr.arpa.',
+               '.24.172.in-addr.arpa.',
+               '.25.172.in-addr.arpa.',
+               '.26.172.in-addr.arpa.',
+               '.27.172.in-addr.arpa.',
+               '.28.172.in-addr.arpa.',
+               '.29.172.in-addr.arpa.',
+               '.30.172.in-addr.arpa.',
+               '.31.172.in-addr.arpa.',
+               '.168.192.in-addr.arpa.',
                -- RFC5735, RFC5737
-               '0.in-addr.arpa.',
-               '127.in-addr.arpa.',
-               '254.169.in-addr.arpa.',
-               '2.0.192.in-addr.arpa.',
-               '100.51.198.in-addr.arpa.',
-               '113.0.203.in-addr.arpa.',
+               '.0.in-addr.arpa.',
+               '.127.in-addr.arpa.',
+               '.254.169.in-addr.arpa.',
+               '.2.0.192.in-addr.arpa.',
+               '.100.51.198.in-addr.arpa.',
+               '.113.0.203.in-addr.arpa.',
                '255.255.255.255.in-addr.arpa.',
                -- IPv6 local, example
                '0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.',
                '1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.',
-               'd.f.ip6.arpa.',
-               '8.e.f.ip6.arpa.',
-               '9.e.f.ip6.arpa.',
-               'a.e.f.ip6.arpa.',
-               'b.e.f.ip6.arpa.',
-               '8.b.d.0.1.0.0.2.ip6.arpa',
+               '.d.f.ip6.arpa.',
+               '.8.e.f.ip6.arpa.',
+               '.9.e.f.ip6.arpa.',
+               '.a.e.f.ip6.arpa.',
+               '.b.e.f.ip6.arpa.',
+               '.8.b.d.0.1.0.0.2.ip6.arpa',
        }
 }
 
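Review bot: The last entry, `'.8.b.d.0.1.0.0.2.ip6.arpa'`, still lacks the trailing dot that every other entry in `private_zones` carries, so it cannot pass the `'.arpa.'` common-suffix check used by the default rule and reverse lookups for 2001:db8::/32 are presumably never blocked; it should read `'.8.b.d.0.1.0.0.2.ip6.arpa.'`. The new leading dot also means a query for a zone apex itself (for example `10.in-addr.arpa.`) no longer ends with the listed string, assuming the matcher compares the tail of QNAME the way the preliminary check does; if apex queries should stay blocked they need exact-match entries or an apex comparison in the matcher, which lies outside this hunk. A short comment above the list stating that entries are fully qualified and dot-prefixed so they match on label boundaries would keep later additions consistent.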
@@ -58,12 +58,14 @@ function block.suffix(action, zone_list)
 end
 
 -- @function Check for common suffix first, then suffix match (specialized version of suffix match)
-function block.suffix_common(action, common_suffix, suffix_list)
-       local common_len = common_suffix:len()
+function block.suffix_common(action, suffix_list, common_suffix)
        return function(pkt, qname)
                -- Preliminary check
-               if qname:sub(-common_len) ~= common_suffix then
-                       return nil
+               if common_suffix ~= nil then
+                       local common_len = common_suffix:len()
+                       if qname:sub(-common_len) ~= common_suffix then
+                               return nil
+                       end
                end
                -- String match
                for i = 1, #suffix_list do
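Review bot: Swapping `suffix_list` and `common_suffix` in the signature of `block.suffix_common` is not guarded by any argument check, so a configuration still written in the old order builds a rule without complaint and only misbehaves once queries arrive (`common_suffix:len()` on a table, `#suffix_list` on a string). Validate when the rule is built, before the `return function`, e.g. `assert(type(suffix_list) == 'table', 'suffix_list must be a table')` and `assert(common_suffix == nil or type(common_suffix) == 'string', 'common_suffix must be a string or nil')`. `common_len` is now recomputed on every query; it can be hoisted above the closure as `local common_len = common_suffix and common_suffix:len()`. The `~=` comparison is byte-exact, so unless `qname` is lowercased before it reaches this closure a mixed-case name would skip the block rule; that normalisation is not visible here and should be confirmed. The closure body continues past the end of the hunk.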
@@ -127,7 +129,7 @@ block.layer = {
 }
 
 -- @var Default rules
-block.rules = { block.suffix_common(block.DENY, '.arpa.', block.private_zones) }
+block.rules = { block.suffix_common(block.DENY, block.private_zones, '.arpa.') }
 
 -- @function Add rule to block list
 function block.add(block, rule)