From: Otto Date: Mon, 6 Dec 2021 16:10:08 +0000 (+0100) Subject: Supply from address from the recursorcache to the postresolve_ffi API. X-Git-Tag: auth-4.7.0-alpha1~111^2~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e76b8a0d60888499d0f469632aa234cffb08b431;p=thirdparty%2Fpdns.git Supply from address from the recursorcache to the postresolve_ffi API. --- diff --git a/pdns/lua-recursor4-ffi.hh b/pdns/lua-recursor4-ffi.hh index 7cbcb351d1..a607fd25bd 100644 --- a/pdns/lua-recursor4-ffi.hh +++ b/pdns/lua-recursor4-ffi.hh @@ -121,4 +121,6 @@ extern "C" bool pdns_postresolve_ffi_handle_set_record(pdns_postresolve_ffi_handle_t* ref, unsigned int i, const char* content, size_t contentLen, bool raw) __attribute__((visibility("default"))); void pdns_postresolve_ffi_handle_clear_records(pdns_postresolve_ffi_handle_t* ref) __attribute__((visibility("default"))); bool pdns_postresolve_ffi_handle_add_record(pdns_postresolve_ffi_handle_t* ref, const char* name, uint16_t type, uint32_t ttl, const char* content, size_t contentLen, pdns_record_place_t place, bool raw) __attribute__((visibility("default"))); + const char* pdns_postresolve_ffi_handle_get_authip(pdns_postresolve_ffi_handle_t* ref) __attribute__((visibility("default"))); + void pdns_postresolve_ffi_handle_get_authip_raw(pdns_postresolve_ffi_handle_t* ref, const void** addr, size_t* addrSize) __attribute__((visibility("default"))); } diff --git a/pdns/lua-recursor4.cc b/pdns/lua-recursor4.cc index 4fa6b16e2a..e009963016 100644 --- a/pdns/lua-recursor4.cc +++ b/pdns/lua-recursor4.cc 
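Review bot: The two new declarations in lua-recursor4-ffi.hh carry no contract for the pointer they hand back or for the case where no upstream address is known, and this is a new C-ABI surface that Lua scripts will call directly. The implementation in the lua-recursor4.cc hunk stores the string in the handle via `ref->insert(...)` and returns its `c_str()`, so the lifetime is tied to the handle; that is worth stating above the declarations, e.g. `/* Address of the authoritative server the answer was learned from; the returned string / raw bytes are owned by the handle. */`. The same comment should say what the getters return when the address is unavailable, which the implementation currently does not handle at all.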
@@ -1167,3 +1167,12 @@ bool pdns_postresolve_ffi_handle_add_record(pdns_postresolve_ffi_handle_t* ref, } } +const char* pdns_postresolve_ffi_handle_get_authip(pdns_postresolve_ffi_handle_t* ref) +{ + return ref->insert(ref->handle.d_dq.fromAuthIP->toString())->c_str(); +} + +void pdns_postresolve_ffi_handle_get_authip_raw(pdns_postresolve_ffi_handle_t* ref, const void** addr, size_t* addrSize) +{ + return pdns_ffi_comboaddress_to_raw(*ref->handle.d_dq.fromAuthIP, addr, addrSize); +} diff --git a/pdns/lua-recursor4.hh b/pdns/lua-recursor4.hh index 46ee88116f..45d7cdb209 100644 --- a/pdns/lua-recursor4.hh +++ b/pdns/lua-recursor4.hh @@ -94,6 +94,7 @@ public: const uint16_t qtype; const ComboAddress& local; const ComboAddress& remote; + const ComboAddress* fromAuthIP{nullptr}; const struct dnsheader* dh{nullptr}; const bool isTcp; const std::vector>* ednsOptions{nullptr}; diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc index a77e2a36a7..ca53869b5e 100644 --- a/pdns/pdns_recursor.cc +++ b/pdns/pdns_recursor.cc @@ -1806,6 +1806,7 @@ static void startDoResolve(void *p) dq.extendedErrorCode = &dc->d_extendedErrorCode; dq.extendedErrorExtra = &dc->d_extendedErrorExtra; dq.meta = std::move(dc->d_meta); + dq.fromAuthIP = &sr.d_fromAuthIP; RunningResolveGuard tcpGuard(dc); diff --git a/pdns/recursor_cache.cc b/pdns/recursor_cache.cc index e3df984796..159698db2b 100644 --- a/pdns/recursor_cache.cc +++ b/pdns/recursor_cache.cc 
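Review bot: Both new FFI functions dereference `ref->handle.d_dq.fromAuthIP` unconditionally, while the lua-recursor4.hh hunk on this same line initialises that member to `nullptr` and the only assignment in the diff is the one in startDoResolve (pdns_recursor.cc hunk). If any DNSQuestion reaches these getters without that assignment — a different construction path, or a script calling them from a hook that is not postresolve_ffi — the recursor dies on a null dereference instead of reporting "unknown", which turns a scripting mistake into a process crash. Guard both entry points: `if (ref->handle.d_dq.fromAuthIP == nullptr) { return nullptr; }` in get_authip, and in the raw variant set `*addr = nullptr; *addrSize = 0;` and return before calling `pdns_ffi_comboaddress_to_raw`, then document the null outcome in the header. As a style point, `return` in front of a void call in get_authip_raw is legal but reads oddly; a plain call statement is clearer.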
@@ -100,7 +100,7 @@ static void updateDNSSECValidationStateFromCache(boost::optional& state, } } -time_t MemRecursorCache::handleHit(MapCombo::LockedContent& content, MemRecursorCache::OrderedTagIterator_t& entry, const DNSName& qname, uint32_t& origTTL, vector* res, vector>* signatures, std::vector>* authorityRecs, bool* variable, boost::optional& state, bool* wasAuth, DNSName* fromAuthZone) +time_t MemRecursorCache::handleHit(MapCombo::LockedContent& content, MemRecursorCache::OrderedTagIterator_t& entry, const DNSName& qname, uint32_t& origTTL, vector* res, vector>* signatures, std::vector>* authorityRecs, bool* variable, boost::optional& state, bool* wasAuth, DNSName* fromAuthZone, ComboAddress* fromAuthIP) { // MUTEX SHOULD BE ACQUIRED (as indicated by the reference to the content which is protected by a lock) time_t ttd = entry->d_ttd; @@ -143,6 +143,10 @@ time_t MemRecursorCache::handleHit(MapCombo::LockedContent& content, MemRecursor *fromAuthZone = entry->d_authZone; } + if (fromAuthIP) { + *fromAuthIP = entry->d_from; + } + moveCacheItemToBack(content.d_map, entry); return ttd; @@ -257,7 +261,7 @@ time_t MemRecursorCache::fakeTTD(MemRecursorCache::OrderedTagIterator_t& entry, return ttl; } // returns -1 for no hits -time_t MemRecursorCache::get(time_t now, const DNSName& qname, const QType qt, bool requireAuth, vector* res, const ComboAddress& who, bool refresh, const OptTag& routingTag, vector>* signatures, std::vector>* authorityRecs, bool* variable, vState* state, bool* wasAuth, DNSName* fromAuthZone) +time_t MemRecursorCache::get(time_t now, const DNSName& qname, const QType qt, bool requireAuth, vector* res, const ComboAddress& who, bool refresh, const OptTag& routingTag, vector>* signatures, std::vector>* authorityRecs, bool* variable, vState* state, bool* wasAuth, DNSName* fromAuthZone, ComboAddress* fromAuthIP) { boost::optional cachedState{boost::none}; uint32_t origTTL; 
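Review bot: In the second handleHit hunk, `*fromAuthIP = entry->d_from;` copies the entry's source address for every hit, but `replace()` (recursor_cache.hh, further down this page) accepts `from = boost::none`, so some entries are presumably stored without a real source address and would hand back whatever d_from defaults to — a value the caller, and ultimately the Lua script behind the FFI getter, cannot distinguish from a genuine address. Since the assignment compiles into a ComboAddress, d_from appears to be a plain ComboAddress rather than an optional; if so, add `// d_from is default-constructed for entries stored without a source address; callers cannot tell that apart from a real one — TODO confirm` or expose the "unknown" state explicitly. Separately, handleHit now takes twelve parameters, nine of them optional out-pointers; bundling the outputs in a small struct would make both hunks of this signature change easier to read and extend. The rest of handleHit lies outside the hunk.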
@@ -283,11 +287,11 @@ time_t MemRecursorCache::get(time_t now, const DNSName& qname, const QType qt, b auto entryA = getEntryUsingECSIndex(*map, now, qname, QType::A, requireAuth, who); if (entryA != map->d_map.end()) { - ret = handleHit(*map, entryA, qname, origTTL, res, signatures, authorityRecs, variable, cachedState, wasAuth, fromAuthZone); + ret = handleHit(*map, entryA, qname, origTTL, res, signatures, authorityRecs, variable, cachedState, wasAuth, fromAuthZone, fromAuthIP); } auto entryAAAA = getEntryUsingECSIndex(*map, now, qname, QType::AAAA, requireAuth, who); if (entryAAAA != map->d_map.end()) { - time_t ttdAAAA = handleHit(*map, entryAAAA, qname, origTTL, res, signatures, authorityRecs, variable, cachedState, wasAuth, fromAuthZone); + time_t ttdAAAA = handleHit(*map, entryAAAA, qname, origTTL, res, signatures, authorityRecs, variable, cachedState, wasAuth, fromAuthZone, fromAuthIP); if (ret > 0) { ret = std::min(ret, ttdAAAA); } @@ -305,7 +309,7 @@ time_t MemRecursorCache::get(time_t now, const DNSName& qname, const QType qt, b else { auto entry = getEntryUsingECSIndex(*map, now, qname, qtype, requireAuth, who); if (entry != map->d_map.end()) { - time_t ret = handleHit(*map, entry, qname, origTTL, res, signatures, authorityRecs, variable, cachedState, wasAuth, fromAuthZone); + time_t ret = handleHit(*map, entry, qname, origTTL, res, signatures, authorityRecs, variable, cachedState, wasAuth, fromAuthZone, fromAuthIP); if (state && cachedState) { *state = *cachedState; } 
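Review bot: In the QType::ADDR branch both handleHit calls receive the same `fromAuthIP`, so when the A and AAAA entries both hit, the AAAA entry's address silently overwrites the A entry's; the ANY/ADDR loops in the two hunks on the next line (@@ -334 and @@ -372) have the same last-hit-wins behaviour. That may be acceptable for a diagnostic value, but it should be stated rather than left implicit, e.g. at the first handleHit call: `// fromAuthIP reflects the last hit only; for ADDR/ANY the record set handled last wins`. get()'s body starts and ends outside this hunk.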
@@ -334,7 +338,7 @@ time_t MemRecursorCache::get(time_t now, const DNSName& qname, const QType qt, b continue; } found = true; - ttd = handleHit(*map, firstIndexIterator, qname, origTTL, res, signatures, authorityRecs, variable, cachedState, wasAuth, fromAuthZone); + ttd = handleHit(*map, firstIndexIterator, qname, origTTL, res, signatures, authorityRecs, variable, cachedState, wasAuth, fromAuthZone, fromAuthIP); if (qt != QType::ANY && qt != QType::ADDR) { // normally if we have a hit, we are done break; @@ -372,7 +376,7 @@ time_t MemRecursorCache::get(time_t now, const DNSName& qname, const QType qt, b } found = true; - ttd = handleHit(*map, firstIndexIterator, qname, origTTL, res, signatures, authorityRecs, variable, cachedState, wasAuth, fromAuthZone); + ttd = handleHit(*map, firstIndexIterator, qname, origTTL, res, signatures, authorityRecs, variable, cachedState, wasAuth, fromAuthZone, fromAuthIP); if (qt != QType::ANY && qt != QType::ADDR) { // normally if we have a hit, we are done break; diff --git a/pdns/recursor_cache.hh b/pdns/recursor_cache.hh index bf5b281425..9c610f480d 100644 --- a/pdns/recursor_cache.hh +++ b/pdns/recursor_cache.hh 
@@ -57,7 +57,7 @@ public: typedef boost::optional OptTag; - time_t get(time_t, const DNSName& qname, const QType qt, bool requireAuth, vector* res, const ComboAddress& who, bool refresh = false, const OptTag& routingTag = boost::none, vector>* signatures = nullptr, std::vector>* authorityRecs = nullptr, bool* variable = nullptr, vState* state = nullptr, bool* wasAuth = nullptr, DNSName* fromAuthZone = nullptr); + time_t get(time_t, const DNSName& qname, const QType qt, bool requireAuth, vector* res, const ComboAddress& who, bool refresh = false, const OptTag& routingTag = boost::none, vector>* signatures = nullptr, std::vector>* authorityRecs = nullptr, bool* variable = nullptr, vState* state = nullptr, bool* wasAuth = nullptr, DNSName* fromAuthZone = nullptr, ComboAddress* fromAuthIP = nullptr); void replace(time_t, const DNSName& qname, const QType qt, const vector& content, const vector>& signatures, const std::vector>& authorityRecs, bool auth, const DNSName& authZone, boost::optional ednsmask = boost::none, const OptTag& routingTag = boost::none, vState state = vState::Indeterminate, boost::optional from = boost::none); 
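Review bot: The new `fromAuthIP` out-parameter on the public `get()` declaration is undocumented, and its semantics are less obvious than the other out-pointers: per the handleHit hunk in recursor_cache.cc it is written only on a hit, so on a miss the caller's variable keeps whatever it previously held. Suggest a comment next to the parameter such as `// fromAuthIP, when non-null, receives the entry's source address on a hit and is left untouched on a miss`. The enclosing class continues outside the hunk.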
@@ -252,7 +252,7 @@ private: Entries getEntries(MapCombo::LockedContent& content, const DNSName& qname, const QType qt, const OptTag& rtag); cache_t::const_iterator getEntryUsingECSIndex(MapCombo::LockedContent& content, time_t now, const DNSName& qname, QType qtype, bool requireAuth, const ComboAddress& who); - time_t handleHit(MapCombo::LockedContent& content, OrderedTagIterator_t& entry, const DNSName& qname, uint32_t& origTTL, vector* res, vector>* signatures, std::vector>* authorityRecs, bool* variable, boost::optional& state, bool* wasAuth, DNSName* authZone); + time_t handleHit(MapCombo::LockedContent& content, OrderedTagIterator_t& entry, const DNSName& qname, uint32_t& origTTL, vector* res, vector>* signatures, std::vector>* authorityRecs, bool* variable, boost::optional& state, bool* wasAuth, DNSName* authZone, ComboAddress* fromAuthIP); public: void preRemoval(MapCombo::LockedContent& map, const CacheEntry& entry) diff --git a/pdns/syncres.cc b/pdns/syncres.cc index df1f1bb500..1e4ab0a4bc 100644 --- a/pdns/syncres.cc +++ b/pdns/syncres.cc @@ -1468,7 +1468,7 @@ bool SyncRes::doCNAMECacheCheck(const DNSName &qname, const QType qtype, vector< QType foundQT = QType::ENT; /* we don't require auth data for forward-recurse lookups */ - if (g_recCache->get(d_now.tv_sec, qname, QType::CNAME, !wasForwardRecurse && d_requireAuthData, &cset, d_cacheRemote, d_refresh, d_routingTag, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &state, &wasAuth, &authZone) > 0) { + if (g_recCache->get(d_now.tv_sec, qname, QType::CNAME, !wasForwardRecurse && d_requireAuthData, &cset, d_cacheRemote, d_refresh, d_routingTag, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &state, &wasAuth, &authZone, &d_fromAuthIP) > 0) { foundName = qname; foundQT = QType::CNAME; } 
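Review bot: In the doCNAMECacheCheck hunk `&d_fromAuthIP` is passed to the CNAME lookup (and to the DNAME and doCacheCheck lookups in the hunks on the next line), but nothing in the diff clears or sets the member when the final answer is obtained from an upstream query rather than the cache. Unless that happens outside the diff, a CNAME cache hit followed by a network resolution of the target leaves `d_fromAuthIP` holding the CNAME entry's source address, and `pdns_postresolve_ffi_handle_get_authip` would report that as the answer's origin. If last-cache-hit semantics are intended, say so in a comment on the member; otherwise reset the member where a non-cached answer is assembled, or only record the address for the final record set.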
@@ -1484,7 +1484,7 @@ bool SyncRes::doCNAMECacheCheck(const DNSName &qname, const QType qtype, vector< if (dnameName == qname && qtype != QType::DNAME) { // The client does not want a DNAME, but we've reached the QNAME already. So there is no match break; } - if (g_recCache->get(d_now.tv_sec, dnameName, QType::DNAME, !wasForwardRecurse && d_requireAuthData, &cset, d_cacheRemote, d_refresh, d_routingTag, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &state, &wasAuth, &authZone) > 0) { + if (g_recCache->get(d_now.tv_sec, dnameName, QType::DNAME, !wasForwardRecurse && d_requireAuthData, &cset, d_cacheRemote, d_refresh, d_routingTag, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &state, &wasAuth, &authZone, &d_fromAuthIP) > 0) { foundName = dnameName; foundQT = QType::DNAME; break; @@ -1870,7 +1870,7 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const DNSName& authname, bool w uint32_t capTTL = std::numeric_limits::max(); bool wasCachedAuth; - if(g_recCache->get(d_now.tv_sec, sqname, sqt, !wasForwardRecurse && d_requireAuthData, &cset, d_cacheRemote, d_refresh, d_routingTag, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &cachedState, &wasCachedAuth) > 0) { + if(g_recCache->get(d_now.tv_sec, sqname, sqt, !wasForwardRecurse && d_requireAuthData, &cset, d_cacheRemote, d_refresh, d_routingTag, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &cachedState, &wasCachedAuth, nullptr, &d_fromAuthIP) > 0) { LOG(prefix<replace(d_now.tv_sec, i->first.name, i->first.type, i->second.records, i->second.signatures, authorityRecs, i->first.type == QType::DS ? true : isAA, auth, i->first.place == DNSResourceRecord::ANSWER ? ednsmask : boost::none, d_routingTag, recordState, remoteIP); diff --git a/pdns/syncres.hh b/pdns/syncres.hh index 7cd408d19f..856b275d93 100644 --- a/pdns/syncres.hh 
+++ b/pdns/syncres.hh @@ -799,6 +799,7 @@ public: DNSFilterEngine::Policy d_appliedPolicy; std::unordered_set d_policyTags; boost::optional d_routingTag; + ComboAddress d_fromAuthIP; RecEventTrace d_eventTrace; unsigned int d_authzonequeries;
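Review bot: `ComboAddress d_fromAuthIP;` is added to a public member block without a comment or explicit initialiser, so its value before the first cache hit depends on ComboAddress's default constructor, which is not visible here — confirm it yields a well-defined address. Suggest `ComboAddress d_fromAuthIP; // source address recorded by the most recent cache hit; default-constructed until then`, which also pins down the last-hit semantics that the cache and syncres hunks implement. The enclosing class starts and ends outside this hunk.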