From: Otto Moerbeek
Date: Thu, 4 Sep 2025 10:04:04 +0000 (+0200)
Subject: Allow clearing of specific entries in cookie table using rec_control
X-Git-Tag: rec-5.4.0-alpha1~279^2~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d9704e079c7733f6cb948a050b65607bb420215f;p=thirdparty%2Fpdns.git

Allow clearing of specific entries in cookie table using rec_control

Signed-off-by: Otto Moerbeek
---
diff --git a/pdns/recursordist/docs/manpages/rec_control.1.rst b/pdns/recursordist/docs/manpages/rec_control.1.rst
index 921fe4a9f1..1a57f0e85e 100644
--- a/pdns/recursordist/docs/manpages/rec_control.1.rst
+++ b/pdns/recursordist/docs/manpages/rec_control.1.rst
@@ -70,6 +70,9 @@ add-ta *DOMAIN* *DSRECORD*
 current-queries
 Shows the currently active queries.
+clear-cookies [*IP*...]
+ Remove entries from cookie table. If *IP* is ``*``, remove all.
+
 clear-dont-throttle-names *NAME* [*NAME*...]
 Remove names that are not allowed to be throttled. If *NAME* is ``*``, remove all
diff --git a/pdns/recursordist/lwres.cc b/pdns/recursordist/lwres.cc
index 79ec624987..08020a56e6 100644
--- a/pdns/recursordist/lwres.cc
+++ b/pdns/recursordist/lwres.cc
@@ -70,10 +70,29 @@ bool g_ECSHardening;
 static LockGuarded s_cookiestore;
-void clearCookies()
+uint64_t clearCookies(vector::iterator begin, vector::iterator end)
 {
 auto lock = s_cookiestore.lock();
- lock->clear();
+ uint64_t count = 0;
+ if (begin == end) {
+ return 0;
+ }
+ if (*begin == "*") {
+ count = lock->size();
+ lock->clear();
+ }
+ else {
+ while (begin != end) {
+ try {
+ count += lock->erase(ComboAddress(*begin, 53));
+ }
+ catch (const PDNSException &) {
+ ;
+ }
+ ++begin;
+ }
+ }
+ return count;
 }
 void pruneCookies(time_t cutoff)
diff --git a/pdns/recursordist/lwres.hh b/pdns/recursordist/lwres.hh
index 6a7e7007ae..2faada4dfe 100644
--- a/pdns/recursordist/lwres.hh
+++ b/pdns/recursordist/lwres.hh
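Review bot: The `catch (const PDNSException &) { ; }` in the new clearCookies() body swallows every argument that ComboAddress cannot parse, so a mistyped address given to `rec_control clear-cookies` is indistinguishable from an address that simply had no cookie entry — both contribute 0 to the returned count, and the getAnswer hunk in rec_channel_rec.cc then reports a cleared count of zero with no hint that the input was rejected. At minimum the catch deserves a comment stating the intent, `// unparsable address: skipped, only erased entries are counted`; better, collect the rejected arguments and hand them back so the control-channel reply can name them. Two smaller points: the `*` wildcard is only honoured as the first argument, so `clear-cookies 1.2.3.4 *` parses `*` as an address and silently drops it; and the hard-coded port in `ComboAddress(*begin, 53)` means an entry keyed on any other port (if the store can hold one — not visible here) cannot be cleared individually. The lock is also acquired before the `begin == end` early return; moving that check above `s_cookiestore.lock()` avoids an unnecessary acquisition.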
@@ -100,6 +100,6 @@ LWResult::Result arecvfrom(PacketBuffer& packet, int flags, const ComboAddress&
 LWResult::Result asyncresolve(const OptLog& log, const ComboAddress& address, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional& srcmask, const ResolveContext& context, const std::shared_ptr>>& outgoingLoggers, const std::shared_ptr>>& fstrmLoggers, const std::set& exportTypes, LWResult* lwr, bool* chained);
 uint64_t dumpCookies(int fileDesc);
-void clearCookies();
+uint64_t clearCookies(vector::iterator begin, vector::iterator end);
 void pruneCookies(time_t cutoff);
 void enableOutgoingCookies(bool flag);
diff --git a/pdns/recursordist/rec_channel_rec.cc b/pdns/recursordist/rec_channel_rec.cc
index ddcfa817be..1640f4733f 100644
--- a/pdns/recursordist/rec_channel_rec.cc
+++ b/pdns/recursordist/rec_channel_rec.cc
@@ -1888,7 +1888,7 @@ static RecursorControlChannel::Answer help()
 "add-nta DOMAIN [REASON] add a Negative Trust Anchor for DOMAIN with the comment REASON\n"
 "add-ta DOMAIN DSRECORD add a Trust Anchor for DOMAIN with data DSRECORD\n"
 "current-queries show currently active queries\n"
- // "clear-cookies clear cookie table\n" XXX undocumented for now
+ "clear-cookies [IP...] clear entries from cookie table, if IP is '*' remove all entries\n"
 "clear-dont-throttle-names [N...] remove names that are not allowed to be throttled. If N is '*', remove all\n"
 "clear-dont-throttle-netmasks [N...]\n"
 " remove netmasks that are not allowed to be throttled. If N is '*', remove all\n"
@@ -2108,8 +2108,8 @@ RecursorControlChannel::Answer RecursorControlParser::getAnswer(int socket, cons
 return doDumpCache(socket, begin, end);
 }
 if (cmd == "clear-cookies") {
- clearCookies();
- return {0, ""};
+ auto count = clearCookies(begin, end);
+ return {0, "Cleared " + std::to_string(count) + " entr" + addS(count, "y", "ies") + " from cookies table\n"};
 }
 if (cmd == "dump-cookies") {
 return doDumpToFile(socket, pleaseDumpCookiesMap, cmd, false);
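Review bot: With no arguments `clear-cookies` now answers with status 0 and a count of zero, because clearCookies() returns 0 for `begin == end`, so an operator who forgets the `*` gets a success reply that cleared nothing; a usage reply before the call, `if (begin == end) { return {1, "clear-cookies needs at least one IP or '*'\n"}; }`, would make that visible, provided it matches how the other clear-* commands in this file treat a missing argument (not visible in this hunk). The reply string also says "cookies table" where the new help text in the earlier hunk and the manpage say "cookie table"; using one spelling keeps log greps and documentation consistent. The enclosing getAnswer() starts and ends outside the hunk.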