From: Otto Moerbeek Date: Tue, 5 Apr 2022 08:01:19 +0000 (+0200) Subject: Add an (optional) table of domains to addProxyMapping(). X-Git-Tag: rec-4.7.0-beta1~5^2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=20bfad6d3159065eb7196339a8403ee47179e6e9;p=thirdparty%2Fpdns.git Add an (optional) table of domains to addProxyMapping(). The table is used to construct a DNSSuffixMatchGroup. Only apply mapping if the qname in the query matches the DNSSuffixMatchGroup. --- diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc index 89f03882db..7eff2aa6e8 100644 --- a/pdns/pdns_recursor.cc +++ b/pdns/pdns_recursor.cc @@ -925,7 +925,23 @@ void startDoResolve(void* p) #ifdef HAVE_FSTRM sr.setFrameStreamServers(t_frameStreamServers); #endif - sr.setQuerySource(dc->d_mappedSource, g_useIncomingECS && !dc->d_ednssubnet.source.empty() ? boost::optional(dc->d_ednssubnet) : boost::none); + bool useMapped = true; + // If proxy by table is active and had a match, we only want to use the mapped address if it also has a domain match + // (if a domain suffix match table is present in the config) + if (t_proxyMapping && dc->d_source != dc->d_mappedSource) { + if (auto it = t_proxyMapping->lookup(dc->d_source)) { + if (it->second.suffixMatchNode) { + if (!it->second.suffixMatchNode->check(dc->d_mdp.d_qname)) { + // No match in domains, use original source + useMapped = false; + } + } + // No suffix match node defined, use mapped address + } + // lookup failing cannot happen as dc->d_source != dc->d_mappedSource + } + sr.setQuerySource(useMapped ? dc->d_mappedSource : dc->d_source, g_useIncomingECS && !dc->d_ednssubnet.source.empty() ? boost::optional(dc->d_ednssubnet) : boost::none); + sr.setQueryReceivedOverTCP(dc->d_tcp); bool tracedQuery = false; // we could consider letting Lua know about this too 
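Review bot: The qname check only decides which address `sr.setQuerySource()` receives; the `t_allowFrom` ACL in handleNewUDPQuestion and in both rec-tcp.cc hunks is still evaluated against `d_mappedSource` before the qname is known, so a query whose name is outside the suffix table is admitted under the mapped address but resolved as the original source. If that split is intended it deserves a comment next to the `useMapped` declaration, e.g. `// Note: allow-from was already checked against d_mappedSource; the suffix table only changes the address SyncRes sees`. The four nested ifs collapse to `useMapped = !it->second.suffixMatchNode || it->second.suffixMatchNode->check(dc->d_mdp.d_qname);` without losing the comments. The `lookup failing cannot happen` comment assumes `t_proxyMapping` is the same table that produced `d_mappedSource`; if the Lua config can be swapped in between, a failed lookup silently keeps the mapped address, which is a reasonable default but should be stated rather than ruled out. startDoResolve begins and ends outside the hunk.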
@@ -2151,7 +2167,7 @@ static void handleNewUDPQuestion(int fd, FDMultiplexer::funcparam_t& var)
 ComboAddress mappedSource = source;
 if (t_proxyMapping) {
 if (auto it = t_proxyMapping->lookup(source)) {
- mappedSource = it->second;
+ mappedSource = it->second.address;
 }
 }
 if (t_remotes) {
diff --git a/pdns/rec-lua-conf.cc b/pdns/rec-lua-conf.cc
index 70d2017175..305afe588a 100644
--- a/pdns/rec-lua-conf.cc
+++ b/pdns/rec-lua-conf.cc
@@ -725,11 +725,18 @@ void loadRecursorLuaConfig(const std::string& fname, luaConfigDelayedThreads& de
 lci.allowAdditionalQTypes.insert_or_assign(qtype, pair(targets, mode));
 });
- Lua->writeFunction("addProxyMapping", [&proxyMapping](const string& netmaskArg, const string& addressArg) {
+ Lua->writeFunction("addProxyMapping", [&proxyMapping](const string& netmaskArg, const string& addressArg, boost::optional>> smnStrings) {
 try {
 Netmask netmask(netmaskArg);
 ComboAddress address(addressArg);
- proxyMapping.insert_or_assign(netmask, address);
+ boost::optional smn;
+ if (smnStrings) {
+ smn = boost::make_optional(SuffixMatchNode{});
+ for (const auto& el : *smnStrings) {
+ smn->add(el.second);
+ }
+ }
+ proxyMapping.insert_or_assign(netmask, {address, smn});
 }
 catch (std::exception& e) {
 g_log << Logger::Error << "Error processing addProxyMapping: " << e.what() << endl;
diff --git a/pdns/rec-lua-conf.hh b/pdns/rec-lua-conf.hh
index 482ffaa499..33faf1d101 100644
--- a/pdns/rec-lua-conf.hh
+++ b/pdns/rec-lua-conf.hh
@@ -72,7 +72,13 @@ enum class AdditionalMode : uint8_t
 ResolveDeferred
 };
-using ProxyMapping = NetmaskTree;
+struct ProxyByTableValue
+{
+ ComboAddress address;
+ boost::optional suffixMatchNode;
+};
+
+using ProxyMapping = NetmaskTree;
 class LuaConfigItems
 {
diff --git a/pdns/recursordist/rec-tcp.cc b/pdns/recursordist/rec-tcp.cc
index 406d9df933..c472365306 100644
--- a/pdns/recursordist/rec-tcp.cc
+++ b/pdns/recursordist/rec-tcp.cc
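Review bot: An empty domains table passed as the third argument yields an engaged `smn` with no entries, so `check()` presumably never matches and the mapping is effectively switched off, which differs from omitting the argument altogether; `if (smnStrings && !smnStrings->empty())`, or an explicit rejection of empty tables, would make the intended semantics visible. A malformed domain string throws from `smn->add(el.second)` and lands in the existing catch, which logs and drops the whole mapping without signalling the Lua caller, so a typo silently disables that netmask's mapping; including `netmaskArg` in the logged message would at least make it traceable. The lambda is complete within the hunk, but the enclosing loadRecursorLuaConfig() starts and ends outside it.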
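Review bot: The new struct members carry no documentation although their semantics are spread over several files: `address` is what the allow-from ACL and the query source use, while `suffixMatchNode` only restricts the latter. Suggest `// Address the client source is mapped to; used for the allow-from ACL and (subject to suffixMatchNode) as the query source` on `address` and `// If set, the mapping is only applied to queries whose qname falls under one of these suffixes; unset means always` on `suffixMatchNode`. A short comment on the struct itself naming it as the value type of ProxyMapping would also help readers who reach it from `it->second.address` in the callers.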
@@ -263,7 +263,7 @@ static void handleRunningTCPQuestion(int fd, FDMultiplexer::funcparam_t& var)
 conn->d_mappedSource = conn->d_source;
 if (t_proxyMapping) {
 if (auto it = t_proxyMapping->lookup(conn->d_source)) {
- conn->d_mappedSource = it->second;
+ conn->d_mappedSource = it->second.address;
 }
 }
 if (t_allowFrom && !t_allowFrom->match(&conn->d_mappedSource)) {
@@ -625,7 +625,7 @@ void handleNewTCPQuestion(int fd, FDMultiplexer::funcparam_t&)
 ComboAddress mappedSource = addr;
 if (!fromProxyProtocolSource && t_proxyMapping) {
 if (auto it = t_proxyMapping->lookup(addr)) {
- mappedSource = it->second;
+ mappedSource = it->second.address;
 }
 }
 if (!fromProxyProtocolSource && t_allowFrom && !t_allowFrom->match(&mappedSource)) {