From: Remi Gacogne Date: Tue, 4 Nov 2025 10:08:44 +0000 (+0100) Subject: dnsdist: Add support for declaring TimedIP sets from YAML X-Git-Tag: rec-5.4.0-alpha1~54^2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5b3ba60700190ef24f687e2aaaa31ec48977d3fe;p=thirdparty%2Fpdns.git dnsdist: Add support for declaring TimedIP sets from YAML Signed-off-by: Remi Gacogne --- diff --git a/pdns/dnsdistdist/dnsdist-configuration-yaml.cc b/pdns/dnsdistdist/dnsdist-configuration-yaml.cc index da4503ad65..078dc72646 100644 --- a/pdns/dnsdistdist/dnsdist-configuration-yaml.cc +++ b/pdns/dnsdistdist/dnsdist-configuration-yaml.cc @@ -62,7 +62,7 @@ namespace dnsdist::configuration::yaml using XSKMap = std::vector>; -using RegisteredTypes = std::variant, std::shared_ptr, std::shared_ptr, std::shared_ptr, std::shared_ptr, std::shared_ptr, std::shared_ptr, std::shared_ptr, std::shared_ptr, std::shared_ptr>; +using RegisteredTypes = std::variant, std::shared_ptr, std::shared_ptr, std::shared_ptr, std::shared_ptr, std::shared_ptr, std::shared_ptr, std::shared_ptr, std::shared_ptr, std::shared_ptr, std::shared_ptr>; static LockGuarded> s_registeredTypesMap; static std::atomic s_inConfigCheckMode; static std::atomic s_inClientMode; 
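Review bot: The alternative list of `RegisteredTypes` now has to be extended by hand in three places: this alias, the `ReturnValue` alias inside `addLuaBindingsForYAMLObjects()`, and the `std::get_if` chain of `getObjectFromYAMLConfiguration`, which the next two hunks touch. A type added to the variant but missed in the `get_if` chain would still register and would presumably never be handed back to Lua, with no compile error to flag it. A comment above the alias would make the coupling visible: `// keep in sync with ReturnValue and the std::get_if chain in addLuaBindingsForYAMLObjects()`.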
@@ -1265,7 +1265,7 @@ bool loadConfigurationFromFile(const std::string& fileName, [[maybe_unused]] boo void addLuaBindingsForYAMLObjects([[maybe_unused]] LuaContext& luaCtx) { #if defined(HAVE_YAML_CONFIGURATION) - using ReturnValue = boost::optional, std::shared_ptr, std::shared_ptr, std::shared_ptr, std::shared_ptr, std::shared_ptr, std::shared_ptr, std::shared_ptr, std::shared_ptr, std::shared_ptr>>; + using ReturnValue = boost::optional, std::shared_ptr, std::shared_ptr, std::shared_ptr, std::shared_ptr, std::shared_ptr, std::shared_ptr, std::shared_ptr, std::shared_ptr, std::shared_ptr, std::shared_ptr>>; luaCtx.writeFunction("getObjectFromYAMLConfiguration", [](const std::string& name) -> ReturnValue { auto map = s_registeredTypesMap.lock(); @@ -1300,6 +1300,9 @@ void addLuaBindingsForYAMLObjects([[maybe_unused]] LuaContext& luaCtx) if (auto* ptr = std::get_if>(&item->second)) { return ReturnValue(*ptr); } + if (auto* ptr = std::get_if>(&item->second)) { + return ReturnValue(*ptr); + } if (auto* ptr = std::get_if>(&item->second)) { return ReturnValue(*ptr); } @@ -1636,6 +1639,16 @@ std::shared_ptr getKeyValueStoreRangeLookupSelector([[maybe_unused] #endif } +std::shared_ptr getTimedIPSetSelector(const TimedIPSetSelectorConfiguration& config) +{ + auto obj = dnsdist::configuration::yaml::getRegisteredTypeByName(std::string(config.set_name)); + if (!obj) { + throw std::runtime_error("Uanble to find a timed IP set named '" + std::string(config.set_name)); + } + auto selector = std::dynamic_pointer_cast(obj); + return newDNSSelector(std::move(selector), config.name); +} + std::shared_ptr getDnstapLogAction([[maybe_unused]] const DnstapLogActionConfiguration& config) { #if defined(DISABLE_PROTOBUF) || !defined(HAVE_FSTRM) 
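Review bot: In the added `getTimedIPSetSelector()`, the result of `std::dynamic_pointer_cast` goes straight into `newDNSSelector()` without a null check, so a failed cast would presumably produce a selector wrapping a null pointer instead of a configuration error at load time. Whether the cast can fail depends on the class hierarchy of the registered type, which this hunk does not show; if it cannot fail, a plain upcast would say so more clearly, otherwise add `if (!selector) { throw std::runtime_error("Object '" + std::string(config.set_name) + "' is not a selector"); }`. The existing exception text has a typo and an unbalanced quote, and should read `throw std::runtime_error("Unable to find a timed IP set named '" + std::string(config.set_name) + "'");`.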
@@ -1870,6 +1883,17 @@ void registerNMGObjects(const ::rust::Vec& nmgs) } } +void registerTimedIPSetObjects(const ::rust::Vec& sets) +{ + for (const auto& timedIPSet : sets) { + auto obj = dnsdist::configuration::yaml::getRegisteredTypeByName(std::string(timedIPSet.name)); + if (!obj) { + obj = std::make_shared(); + dnsdist::configuration::yaml::registerType(obj, timedIPSet.name); + } + } +} + std::shared_ptr getLuaSelector(const LuaSelectorConfiguration& config) { dnsdist::selectors::LuaSelectorFunction function; diff --git a/pdns/dnsdistdist/dnsdist-rust-bridge.hh b/pdns/dnsdistdist/dnsdist-rust-bridge.hh index 73071aea56..be86c01e14 100644 --- a/pdns/dnsdistdist/dnsdist-rust-bridge.hh +++ b/pdns/dnsdistdist/dnsdist-rust-bridge.hh @@ -34,11 +34,13 @@ struct ProtobufLoggerConfiguration; struct DnstapLoggerConfiguration; struct KeyValueStoresConfiguration; struct NetmaskGroupConfiguration; +struct TimedIpSetConfiguration; void registerProtobufLogger(const ProtobufLoggerConfiguration& config); void registerDnstapLogger(const DnstapLoggerConfiguration& config); void registerKVSObjects(const KeyValueStoresConfiguration& config); void registerNMGObjects(const ::rust::Vec& nmgs); +void registerTimedIPSetObjects(const ::rust::Vec& sets); #include "dnsdist-rust-bridge-actions-generated.hh" #include "dnsdist-rust-bridge-selectors-generated.hh" diff --git a/pdns/dnsdistdist/dnsdist-rust-lib/rust-middle-in.rs b/pdns/dnsdistdist/dnsdist-rust-lib/rust-middle-in.rs index 8e12ed8e78..8bfac01e27 100644 --- a/pdns/dnsdistdist/dnsdist-rust-lib/rust-middle-in.rs +++ b/pdns/dnsdistdist/dnsdist-rust-lib/rust-middle-in.rs @@ -16,6 +16,7 @@ fn registerDnstapLogger(config: &DnstapLoggerConfiguration); fn registerKVSObjects(config: &KeyValueStoresConfiguration); fn registerNMGObjects(nmgs: &Vec); + fn registerTimedIPSetObjects(sets: &Vec); } } 
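Review bot: `registerTimedIPSetObjects()` silently skips an entry whose name is already registered, so two `timed_ip_sets` entries with the same name end up sharing one set and the operator gets no hint of it. The registry appears to be keyed by name alone across all object kinds, so confirm what `getRegisteredTypeByName()` returns, and what `registerType()` then does, when the name already belongs to another kind of object such as a netmask group. If reuse is intended, say so above the `if (!obj)`: `// an already registered set is reused as-is; duplicate names are not reported`. No check for an empty `name` is visible here either, and rejecting it at this point would surface the mistake at load time.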
diff --git a/pdns/dnsdistdist/dnsdist-rust-lib/rust-post-in.rs b/pdns/dnsdistdist/dnsdist-rust-lib/rust-post-in.rs index 0b5c5123d5..796284a8f0 100644 --- a/pdns/dnsdistdist/dnsdist-rust-lib/rust-post-in.rs +++ b/pdns/dnsdistdist/dnsdist-rust-lib/rust-post-in.rs @@ -83,6 +83,7 @@ fn get_global_configuration_from_serde( config.ring_buffers = serde.ring_buffers; config.security_polling = serde.security_polling; config.snmp = serde.snmp; + config.timed_ip_sets = serde.timed_ip_sets; config.tuning = serde.tuning; config.webserver = serde.webserver; config.xsk = serde.xsk; @@ -92,6 +93,8 @@ fn get_global_configuration_from_serde( dnsdistsettings::registerKVSObjects(&config.key_value_stores); // this needs to be done before the rules so that they can refer to the NMG objects dnsdistsettings::registerNMGObjects(&config.netmask_groups); + // this needs to be done before the rules so that they can refer to the TimeIPSet objects + dnsdistsettings::registerTimedIPSetObjects(&config.timed_ip_sets); // this needs to be done BEFORE the rules so that they can refer to the selectors // by name config.selectors = get_selectors_from_serde(&serde.selectors)?; diff --git a/pdns/dnsdistdist/dnsdist-selectors-definitions.yml b/pdns/dnsdistdist/dnsdist-selectors-definitions.yml index 9430c97a47..06250af11f 100644 --- a/pdns/dnsdistdist/dnsdist-selectors-definitions.yml +++ b/pdns/dnsdistdist/dnsdist-selectors-definitions.yml @@ -420,5 +420,13 @@ Set the ``source`` parameter to ``false`` to match against destination address i - name: "tcp" type: "bool" description: "Match TCP traffic if true, UDP traffic if false" +- name: "TimedIPSet" + skip-cpp: true + skip-rust: true + description: "Can be used to handle IP addresses differently for a certain time" + parameters: + - name: "set_name" + type: "String" + description: "The Timed IP set to use" - name: "TrailingData" description: "Matches if the query has trailing data" 
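Review bot: The comment added in the second `rust-post-in.rs` hunk calls the objects `TimeIPSet`, while the function, the selector and the settings key all use `TimedIPSet`. It should read `// this needs to be done before the rules so that they can refer to the TimedIPSet objects`. The by-name lookup in `getTimedIPSetSelector()` throws when the set is missing, so the registration presumably has to stay ahead of `get_selectors_from_serde`, and naming that call in the comment would be more precise than "before the rules". `get_global_configuration_from_serde` starts and ends outside the hunk.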
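Review bot: The `set_name` description of the new `TimedIPSet` selector does not say where the set has to be declared. The C++ side throws at load time when no set of that name is registered, so the text could read `description: "The name of a set declared under ``timed_ip_sets``"`. The selector's own `description` also leaves out what makes a query match, unlike the neighbouring entries, and would benefit from one sentence on that.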
diff --git a/pdns/dnsdistdist/dnsdist-settings-definitions.yml b/pdns/dnsdistdist/dnsdist-settings-definitions.yml index b0f7a70b3c..410f0500af 100644 --- a/pdns/dnsdistdist/dnsdist-settings-definitions.yml +++ b/pdns/dnsdistdist/dnsdist-settings-definitions.yml @@ -129,6 +129,10 @@ global: type: "SnmpConfiguration" default: true description: "SNMP-related settings" + - name: "timed_ip_sets" + type: "Vec" + default: true + description: "Runtime-modifiable IP address sets" - name: "tuning" type: "TuningConfiguration" default: true @@ -2169,6 +2173,13 @@ response_rule: type: "ResponseAction" description: "The action taken if the selector matches" +timed_ip_set: + description: "Runtime-modifiable IP address set" + parameters: + - name: "name" + type: "String" + description: "The name of this set" + xsk: description: "An ``XSK`` / ``AF_XDP`` sockets map" parameters:
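Review bot: The descriptions added for `timed_ip_sets` and `timed_ip_set` call the set runtime-modifiable without saying through which interface it is modified or how long entries stay in it. Going by the rest of the commit, the set is presumably reached from Lua through `getObjectFromYAMLConfiguration`. Naming that interface would tell operators what can change the addresses a `TimedIPSet` selector matches. Once confirmed, something like `description: "IP address set that is filled at runtime (for example from Lua via getObjectFromYAMLConfiguration) and referenced by the TimedIPSet selector"` would do.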