From: Marek VavruĊĦa
Date: Fri, 3 Jul 2015 14:27:34 +0000 (+0200)
Subject: block: improved suffix match, added doc
X-Git-Tag: v1.0.0-beta1~90
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c25d6ce194ed7a4b16f63edbb2260de6fd0f3a3d;p=thirdparty%2Fknot-resolver.git
block: improved suffix match, added doc
---
diff --git a/modules/block/README.rst b/modules/block/README.rst
index 2d2536c91..cd95296c1 100644
--- a/modules/block/README.rst
+++ b/modules/block/README.rst
@@ -74,6 +74,16 @@ Properties
 Policy to block queries based on the QNAME suffix match.
+.. function:: block.suffix_common(action, suffix_table[, common_suffix])
+
+ :param action: action if the pattern matches QNAME
+ :param suffix_table: table of valid suffixes
+ :param common_suffix: common suffix of entries in suffix_table
+
+ Like suffix match, but you can also provide a common suffix of all matches for faster processing (nil otherwise).
+
+.. tip:: If you want to match suffixes only, prefix the strings with `.`, e.g. `.127.in-addr.arpa.` instead of `127.in-addr.arpa`.
+
 .. _`Aho-Corasick`: https://en.wikipedia.org/wiki/Aho%E2%80%93Corasick_string_matching_algorithm
 .. _`@jgrahamc`: https://github.com/jgrahamc/aho-corasick-lua
diff --git a/modules/block/block.lua b/modules/block/block.lua
index 776f25364..0e5905898 100644
--- a/modules/block/block.lua
+++ b/modules/block/block.lua
@@ -6,41 +6,41 @@ local block = {
 -- Private, local, broadcast, test and special zones
 private_zones = {
 -- RFC1918
- '10.in-addr.arpa.',
- '16.172.in-addr.arpa.',
- '17.172.in-addr.arpa.',
- '18.172.in-addr.arpa.',
- '19.172.in-addr.arpa.',
- '20.172.in-addr.arpa.',
- '21.172.in-addr.arpa.',
- '22.172.in-addr.arpa.',
- '23.172.in-addr.arpa.',
- '24.172.in-addr.arpa.',
- '25.172.in-addr.arpa.',
- '26.172.in-addr.arpa.',
- '27.172.in-addr.arpa.',
- '28.172.in-addr.arpa.',
- '29.172.in-addr.arpa.',
- '30.172.in-addr.arpa.',
- '31.172.in-addr.arpa.',
- '168.192.in-addr.arpa.',
+ '.10.in-addr.arpa.',
+ '.16.172.in-addr.arpa.',
+ '.17.172.in-addr.arpa.',
+ '.18.172.in-addr.arpa.',
+ '.19.172.in-addr.arpa.',
+ '.20.172.in-addr.arpa.',
+ '.21.172.in-addr.arpa.',
+ '.22.172.in-addr.arpa.',
+ '.23.172.in-addr.arpa.',
+ '.24.172.in-addr.arpa.',
+ '.25.172.in-addr.arpa.',
+ '.26.172.in-addr.arpa.',
+ '.27.172.in-addr.arpa.',
+ '.28.172.in-addr.arpa.',
+ '.29.172.in-addr.arpa.',
+ '.30.172.in-addr.arpa.',
+ '.31.172.in-addr.arpa.',
+ '.168.192.in-addr.arpa.',
 -- RFC5735, RFC5737
- '0.in-addr.arpa.',
- '127.in-addr.arpa.',
- '254.169.in-addr.arpa.',
- '2.0.192.in-addr.arpa.',
- '100.51.198.in-addr.arpa.',
- '113.0.203.in-addr.arpa.',
+ '.0.in-addr.arpa.',
+ '.127.in-addr.arpa.',
+ '.254.169.in-addr.arpa.',
+ '.2.0.192.in-addr.arpa.',
+ '.100.51.198.in-addr.arpa.',
+ '.113.0.203.in-addr.arpa.',
 '255.255.255.255.in-addr.arpa.',
 -- IPv6 local, example
 '0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.',
 '1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.',
- 'd.f.ip6.arpa.',
- '8.e.f.ip6.arpa.',
- '9.e.f.ip6.arpa.',
- 'a.e.f.ip6.arpa.',
- 'b.e.f.ip6.arpa.',
- '8.b.d.0.1.0.0.2.ip6.arpa',
+ '.d.f.ip6.arpa.',
+ '.8.e.f.ip6.arpa.',
+ '.9.e.f.ip6.arpa.',
+ '.a.e.f.ip6.arpa.',
+ '.b.e.f.ip6.arpa.',
+ '.8.b.d.0.1.0.0.2.ip6.arpa',
 }
 }
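Review bot: The last entry, `'.8.b.d.0.1.0.0.2.ip6.arpa'`, still has no trailing dot although every other name in `private_zones` ends in one, and this commit rewrites the line without fixing it. The matching loop is outside this hunk, but if QNAMEs are compared in the fully qualified form that the `'.arpa.'` common suffix implies, this entry can never match and reverse lookups for the 2001:db8::/32 documentation prefix are not covered by the default rule; I would write `'.8.b.d.0.1.0.0.2.ip6.arpa.',`. Separately, with the new leading dot a query for a zone apex such as `10.in-addr.arpa.` no longer ends with `.10.in-addr.arpa.`, so it is worth confirming with a test whether apex queries for these zones are still denied or are now forwarded upstream.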
@@ -58,12 +58,14 @@ function block.suffix(action, zone_list)
 end
 -- @function Check for common suffix first, then suffix match (specialized version of suffix match)
-function block.suffix_common(action, common_suffix, suffix_list)
- local common_len = common_suffix:len()
+function block.suffix_common(action, suffix_list, common_suffix)
 return function(pkt, qname)
 -- Preliminary check
- if qname:sub(-common_len) ~= common_suffix then
- return nil
+ if common_suffix ~= nil then
+ local common_len = common_suffix:len()
+ if qname:sub(-common_len) ~= common_suffix then
+ return nil
+ end
 end
 -- String match
 for i = 1, #suffix_list do
@@ -127,7 +129,7 @@ block.layer = {
 }
 -- @var Default rules
-block.rules = { block.suffix_common(block.DENY, '.arpa.', block.private_zones) }
+block.rules = { block.suffix_common(block.DENY, block.private_zones, '.arpa.') }
 -- @function Add rule to block list
 function block.add(block, rule)
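Review bot: In the `@@ -58,12 +58,14 @@` hunk, swapping the second and third parameters of `block.suffix_common` is not checked anywhere, so a configuration that still passes `(action, '.arpa.', list)` gets a closure back and only fails at query time, when `common_suffix:len()` runs on a table. For a blocking policy that may mean the rule stops filtering after an upgrade; how the layer handles the error is not visible here. I would validate at construction with `assert(type(suffix_list) == 'table', 'suffix_list must be a table')` and `assert(common_suffix == nil or type(common_suffix) == 'string', 'common_suffix must be a string or nil')`. The length can also be hoisted out of the closure as `local common_len = common_suffix and common_suffix:len()` so it is not recomputed for every query. The function body continues past the end of the hunk.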