From: Otto Moerbeek
Date: Tue, 2 Apr 2024 08:33:45 +0000 (+0200)
Subject: Add test for proxy exception mechanism
X-Git-Tag: rec-5.1.0-alpha1~65^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9351d37c4ad8ddfebf44839b94fdb6ded70a1dd3;p=thirdparty%2Fpdns.git
Add test for proxy exception mechanism
---
diff --git a/pdns/recursordist/docs/upgrade.rst b/pdns/recursordist/docs/upgrade.rst
index 3d3023ceec..dcf7d09755 100644
--- a/pdns/recursordist/docs/upgrade.rst
+++ b/pdns/recursordist/docs/upgrade.rst
@@ -17,7 +17,7 @@ Changed settings
 New Settings
 ^^^^^^^^^^^^
 
-- The :ref:`setting-proxy-protocol-exceptions` has been added. It allows to exclude specific listen addresses from requiring th e Proxy Protocol.
+- The :ref:`setting-proxy-protocol-exceptions` has been added. It allows to exclude specific listen addresses from requiring the Proxy Protocol.
 
 5.0.2 to 5.0.3, 4.9.3 to 4.9.4 and 4.8.6 to 4.8.7
 -------------------------------------------------
diff --git a/pdns/recursordist/rec-main.cc b/pdns/recursordist/rec-main.cc
index db062182fd..d151e0623b 100644
--- a/pdns/recursordist/rec-main.cc
+++ b/pdns/recursordist/rec-main.cc
@@ -2123,7 +2123,7 @@ static int serviceMain(Logr::log_t log)
 {
 std::vector vec;
 stringtok(vec, ::arg()["proxy-protocol-exceptions"], ", ");
- for (const auto& sockAddrStr: vec) {
+ for (const auto& sockAddrStr : vec) {
 ComboAddress sockAddr(sockAddrStr, 53);
 g_proxyProtocolExceptions.emplace(sockAddr);
 }
diff --git a/regression-tests.recursor-dnssec/test_ProxyProtocol.py b/regression-tests.recursor-dnssec/test_ProxyProtocol.py
index f28020f58d..cdf71de143 100644
--- a/regression-tests.recursor-dnssec/test_ProxyProtocol.py
+++ b/regression-tests.recursor-dnssec/test_ProxyProtocol.py
@@ -603,3 +603,41 @@ class ProxyProtocolNotAllowedRecursorTest(ProxyProtocolRecursorTest):
 sender = getattr(self, method)
 res = sender(query, False, '127.0.0.42', '255.255.255.255', 0, 65535, [ [0, b'foo' ], [ 255, b'bar'] ])
 self.assertEqual(res, None)
+
+class ProxyProtocolExceptionRecursorTest(ProxyProtocolRecursorTest):
+ _confdir = 'ProxyProtocolException'
+ _lua_dns_script_file = """
+
+ function preresolve(dq)
+ dq:addAnswer(pdns.A, '192.0.2.1', 60)
+ return true
+ end
+ """
+
+ _config_template = """
+ proxy-protocol-from=127.0.0.1/32
+ proxy-protocol-exceptions=127.0.0.1:%d
+ allow-from=127.0.0.0/24, ::1/128
+""" % (ProxyProtocolRecursorTest._recursorPort)
+
+ def testNoHeaderProxyProtocol(self):
+ qname = 'no-header.proxy-protocol-not-allowed.recursor-tests.powerdns.com.'
+ expected = dns.rrset.from_text(qname, 0, dns.rdataclass.IN, 'A', '192.0.2.1')
+
+ query = dns.message.make_query(qname, 'A', want_dnssec=True)
+ for method in ("sendUDPQuery", "sendTCPQuery"):
+ sender = getattr(self, method)
+ res = sender(query)
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
+ self.assertRRsetInAnswer(res, expected)
+
+ def testIPv4ProxyProtocol(self):
+ qname = 'ipv4.proxy-protocol-not-allowed.recursor-tests.powerdns.com.'
+ expected = dns.rrset.from_text(qname, 0, dns.rdataclass.IN, 'A', '192.0.2.1')
+
+ query = dns.message.make_query(qname, 'A', want_dnssec=True)
+ for method in ("sendUDPQueryWithProxyProtocol", "sendTCPQueryWithProxyProtocol"):
+ sender = getattr(self, method)
+ res = sender(query, False, '127.0.0.42', '255.255.255.255', 0, 65535, [ [0, b'foo' ], [ 255, b'bar'] ])
+ self.assertEqual(res, None)
+
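Review bot: `ProxyProtocolExceptionRecursorTest` only queries the one address listed in `proxy-protocol-exceptions`, so nothing visible here checks that a listen address left out of that list still requires the header from `proxy-protocol-from` sources. A match that is too broad (for example one that ignored the port) would, as far as this hunk shows, pass both tests; because the setting relaxes a requirement that feeds ACL decisions, a companion case with a second, non-excepted listen address would pin the scope of the exemption. In `testIPv4ProxyProtocol` the only evidence is a missing reply, which a recursor that failed to start would also produce, so a comment such as `# excepted address: header presumably not consumed, payload is not valid DNS and is dropped` together with `self.assertIsNone(res)` would make the intent explicit. The qnames in both new methods still carry the `proxy-protocol-not-allowed` label copied from the previous class, and `expected` is assigned but unused in `testIPv4ProxyProtocol`.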