From: Y7n05h
Date: Wed, 27 Apr 2022 09:52:27 +0000 (+0800)
Subject: dnsdist: add parameter in blockRange
X-Git-Tag: auth-4.8.0-alpha0~66^2~13
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b1419e5e2e7799fafbf057595113c5de5d23289a;p=thirdparty%2Fpdns.git
dnsdist: add parameter in blockRange
Signed-off-by: Y7n05h
---
diff --git a/pdns/bpf-filter.cc b/pdns/bpf-filter.cc
index 00f93802db..7c41faa444 100644
--- a/pdns/bpf-filter.cc
+++ b/pdns/bpf-filter.cc
@@ -511,7 +511,7 @@ void BPFFilter::unblock(const ComboAddress& addr)
 }
 }
-void BPFFilter::block(const Netmask& addr, BPFFilter::MatchAction action)
+void BPFFilter::block(const Netmask& addr, bool force, BPFFilter::MatchAction action)
 {
 CounterAndActionValue value;
@@ -525,14 +525,14 @@ void BPFFilter::block(const Netmask& addr, BPFFilter::MatchAction action)
 }
 res = bpf_lookup_elem(map.d_fd.getHandle(), &key, &value);
- if (res != -1 && value.action == action) {
+ if (res != -1 && value.action == action && !force) {
 throw std::runtime_error("Trying to block an already blocked netmask: " + addr.toString());
 }
 value.counter = 0;
 value.action = action;
- res = bpf_update_elem(map.d_fd.getHandle(), &key, &value, BPF_NOEXIST);
+ res = bpf_update_elem(map.d_fd.getHandle(), &key, &value, force ? BPF_ANY : BPF_NOEXIST);
 if (res == 0) {
 ++map.d_count;
 }
@@ -900,7 +900,7 @@ void BPFFilter::unblock(const DNSName&, uint16_t)
 throw std::runtime_error("eBPF support not enabled");
 }
-void BPFFilter::block(const Netmask&, BPFFilter::MatchAction)
+void BPFFilter::block(const Netmask&, bool, BPFFilter::MatchAction)
 {
 throw std::runtime_error("eBPF support not enabled");
 }
diff --git a/pdns/bpf-filter.hh b/pdns/bpf-filter.hh
index 6c04418ea6..c2ee359feb 100644
--- a/pdns/bpf-filter.hh
+++ b/pdns/bpf-filter.hh
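Review bot: With `force` set, `bpf_update_elem(..., BPF_ANY)` succeeds even when the key was already present, so `++map.d_count` in this hunk now runs on a replacement and d_count overcounts the entries actually in the map, because only the update's `res == 0` is checked and not whether the preceding lookup found the key. If d_count is compared against the map's capacity elsewhere, which is not visible here, a few forced re-blocks would make the filter refuse new entries early. Remember the lookup outcome and count only genuine insertions: add `const bool existed = (res != -1);` right after the `bpf_lookup_elem` call, use `existed` in the throw condition, and change the increment guard to `if (res == 0 && !existed) {`. Note also that `value.counter = 0;` now zeroes the hit counter of an existing entry on a forced re-block; if that is intended it deserves a comment, otherwise keep the looked-up counter when `existed` is true. The body of `BPFFilter::block` continues outside the hunk.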
@@ -69,7 +69,7 @@ public:
 void addSocket(int sock);
 void removeSocket(int sock);
 void block(const ComboAddress& addr, MatchAction action);
- void block(const Netmask& address, BPFFilter::MatchAction action);
+ void block(const Netmask& address, bool force, BPFFilter::MatchAction action);
 void block(const DNSName& qname, MatchAction action, uint16_t qtype=255);
 void unblock(const ComboAddress& addr);
 void allow(const Netmask& address);
diff --git a/pdns/dnsdist-lua-bindings.cc b/pdns/dnsdist-lua-bindings.cc
index adba3e165f..9910873231 100644
--- a/pdns/dnsdist-lua-bindings.cc
+++ b/pdns/dnsdist-lua-bindings.cc
@@ -500,16 +500,12 @@ void setupLuaBindings(LuaContext& luaCtx, bool client)
 }
 }
 });
- luaCtx.registerFunction::*)(const string& range, boost::optional action)>("blockRange", [](std::shared_ptr bpf, const string& range, boost::optional action) {
+ luaCtx.registerFunction::*)(const string& range, boost::optional force, boost::optional action)>("blockRange", [](std::shared_ptr bpf, const string& range, boost::optional force, boost::optional action) {
 if (!bpf) {
 return;
 }
-
- if (!action) {
- return bpf->block(Netmask(range), BPFFilter::MatchAction::Drop);
- }
 BPFFilter::MatchAction match;
- switch (*action) {
+ switch (action.value_or(1)) {
 case 0:
 match = BPFFilter::MatchAction::Pass;
 break;
@@ -522,7 +518,7 @@ void setupLuaBindings(LuaContext& luaCtx, bool client)
 default:
 throw std::runtime_error("Unsupported action for BPFFilter::block");
 }
- return bpf->block(Netmask(range), match);
+ return bpf->block(Netmask(range), force.value_or(false), match);
 });
 luaCtx.registerFunction::*)(const DNSName& qname, boost::optional qtype, boost::optional action)>("blockQName", [](std::shared_ptr bpf, const DNSName& qname, boost::optional qtype, boost::optional action) {
 if (bpf) {
diff --git a/pdns/dnsdistdist/docs/reference/ebpf.rst b/pdns/dnsdistdist/docs/reference/ebpf.rst
index 74eba1873e..2c4c1d37c8 100644
--- a/pdns/dnsdistdist/docs/reference/ebpf.rst
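Review bot: The new `bool force` parameter in the `block(const Netmask& address, …)` declaration carries no comment saying what it overrides, and because it sits between two existing parameters a call such as `block(nm, true, action)` gives the reader no hint at the call site. A one-line comment on the declaration would do, e.g. `// force: replace an existing entry for this exact netmask instead of throwing`; the implementation that gives it that meaning is in bpf-filter.cc, not in this header. The enclosing class body starts and ends outside the hunk.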
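Review bot: Inserting `force` as the second positional argument of the Lua `blockRange` binding changes what the second argument means: a configuration that previously called `blockRange(range, 1)` to select the action now hands that number to the `boost::optional force` parameter (how LuaWrapper coerces a number into an optional bool is not visible here), while the action silently falls back to `action.value_or(1)` — and the `case 1` branch that should make that Drop is outside the hunk, so I cannot confirm it still matches the removed `MatchAction::Drop` default. Appending `force` after `action` instead, i.e. ordering both the registerFunction signature and the lambda as `(const string& range, boost::optional action, boost::optional force)`, keeps existing scripts working; the second blockRange hunk's `bpf->block(Netmask(range), force.value_or(false), match)` is unaffected by that swap. The docs hunk in this commit documents `force` but, in the lines shown, never the `action` argument, so a reader of the reference cannot tell which position is which. The enclosing setupLuaBindings function starts and ends outside the hunk.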
+++ b/pdns/dnsdistdist/docs/reference/ebpf.rst
@@ -81,7 +81,7 @@ These are all the functions, objects and methods related to the :doc:`../advance
 :param ComboAddress address: The address to block
- .. method:: BPFFilter:blockRange(Netmask)
+ .. method:: BPFFilter:blockRange(Netmask [, force=false])
 .. versionchanged:: 1.8.0
@@ -90,6 +90,7 @@ These are all the functions, objects and methods related to the :doc:`../advance
 DNSDist eBPF code first checks if an exact IP match is found, then if a range matches, and finally if a DNSName does.
 :param string Netmask: The ip range to block
+ :param bool force: When ``force`` is set to true, DNSDist always accepts adding a new item to BPF maps, even if the item to be added may already be included in the larger network range.
 .. method:: BPFFilter:blockQName(name [, qtype=255])