From: Reinier Schoof Date: Thu, 16 Aug 2018 11:21:07 +0000 (+0200) Subject: added :excludeRange and :includeRange methods to DynBPFFilter class X-Git-Tag: dnsdist-1.3.3~159^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ee38369c9120bb72e0a3336c085fbfd8b0d48549;p=thirdparty%2Fpdns.git added :excludeRange and :includeRange methods to DynBPFFilter class --- diff --git a/pdns/dnsdist-dynbpf.cc b/pdns/dnsdist-dynbpf.cc index 7abddedf53..bdaa3c578a 100644 --- a/pdns/dnsdist-dynbpf.cc +++ b/pdns/dnsdist-dynbpf.cc @@ -28,6 +28,11 @@ bool DynBPFFilter::block(const ComboAddress& addr, const struct timespec& until) bool inserted = false; std::unique_lock lock(d_mutex); + if (d_excludedSubnets.match(addr)) { + /* do not add a block for excluded subnets */ + return inserted; + } + const container_t::iterator it = d_entries.find(addr); if (it != d_entries.end()) { if (it->d_until < until) { diff --git a/pdns/dnsdist-dynbpf.hh b/pdns/dnsdist-dynbpf.hh index 321e930bea..521006bd3d 100644 --- a/pdns/dnsdist-dynbpf.hh +++ b/pdns/dnsdist-dynbpf.hh @@ -41,6 +41,14 @@ public: ~DynBPFFilter() { } + void excludeRange(const Netmask& range) + { + d_excludedSubnets.addMask(range); + } + void includeRange(const Netmask& range) + { + d_excludedSubnets.addMask(range, false); + } /* returns true if the addr wasn't already blocked, false otherwise */ bool block(const ComboAddress& addr, const struct timespec& until); void purgeExpired(const struct timespec& now); @@ -63,6 +71,7 @@ private: container_t d_entries; std::mutex d_mutex; std::shared_ptr d_bpf; + NetmaskGroup d_excludedSubnets; }; #endif /* HAVE_EBPF */ diff --git a/pdns/dnsdist-lua-bindings.cc b/pdns/dnsdist-lua-bindings.cc index 334310d00f..0902c7d7e7 100644 --- a/pdns/dnsdist-lua-bindings.cc +++ b/pdns/dnsdist-lua-bindings.cc 
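Review bot: Adding an exclusion at runtime leaves entries already sitting in `d_entries` untouched, because the new check only guards insertion in `block()`; a client in a freshly excluded range therefore stays blocked until its existing entry is removed by `purgeExpired`. That is acceptable for configuration time, but it should be stated next to the check, e.g. `/* do not add a block for excluded subnets; entries inserted before the exclusion are left to expire */`. The early return also hands back `inserted == false`, so a caller cannot tell "excluded" from "already blocked" — presumably fine, as long as the contract comment on `block()` is updated to say so. The body of `DynBPFFilter::block` starts before the hunk and continues past it.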
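Review bot: `excludeRange` and `includeRange` mutate `d_excludedSubnets` without holding `d_mutex`, while `block()` reads it under that lock in the companion hunk; since both methods are exported to Lua, a call from the console while worker threads are inserting blocks would be a data race on the NetmaskGroup — this only matters if the bindings can run after startup, which dnsdist's console presumably allows, so it is worth closing now. Taking the lock is one line in each method, `std::lock_guard<std::mutex> lock(d_mutex);` before `d_excludedSubnets.addMask(range);` and before the `, false` variant. The context comment `/* returns true if the addr wasn't already blocked, false otherwise */` is no longer accurate either: an unblocked address inside an excluded range also returns false, so amend it to `/* returns true if a block was inserted, false if the addr was already blocked or lies in an excluded range */`. Finally, the precedence between overlapping excluded and included masks is undocumented in the header; if `NetmaskGroup::match` honours the most specific entry, as the docs hunk claims, a one-line comment above `excludeRange` saying so would save the next reader a trip into NetmaskTree.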
@@ -544,5 +544,27 @@ void setupLuaBindings(bool client)
 dbpf->purgeExpired(now);
 }
 });
+
+ g_lua.registerFunction::*)(boost::variant>>)>("excludeRange", [](std::shared_ptr dbpf, boost::variant>> ranges) {
+ if (ranges.type() == typeid(std::vector>)) {
+ for (const auto& range : *boost::get>>(&ranges)) {
+ dbpf->excludeRange(Netmask(range.second));
+ }
+ }
+ else {
+ dbpf->excludeRange(Netmask(*boost::get(&ranges)));
+ }
+ });
+
+ g_lua.registerFunction::*)(boost::variant>>)>("includeRange", [](std::shared_ptr dbpf, boost::variant>> ranges) {
+ if (ranges.type() == typeid(std::vector>)) {
+ for (const auto& range : *boost::get>>(&ranges)) {
+ dbpf->includeRange(Netmask(range.second));
+ }
+ }
+ else {
+ dbpf->includeRange(Netmask(*boost::get(&ranges)));
+ }
+ });
 #endif /* HAVE_EBPF */
 }
diff --git a/pdns/dnsdistdist/docs/reference/ebpf.rst b/pdns/dnsdistdist/docs/reference/ebpf.rst
index 482b1ff5c8..4c432a2351 100644
--- a/pdns/dnsdistdist/docs/reference/ebpf.rst
+++ b/pdns/dnsdistdist/docs/reference/ebpf.rst
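Review bot: The two lambdas are identical apart from the method they forward to, and the `*boost::get<...>(&ranges)` in each `else` branch silently assumes the only remaining alternative is a string — fine while the variant has two members, but a third alternative would turn it into a null dereference. Factoring the walk into one helper removes the duplication and lets the reference form of `boost::get` throw `bad_get` instead; the template arguments are stripped in this rendering, so the types below are reconstructed from `range.second` and the `Netmask` calls and should be checked against the real signature. Each `Netmask(...)` is built from operator-supplied text, so a malformed mask presumably propagates an exception out of the binding to the Lua caller — acceptable for configuration input, but worth a short comment. The enclosing `setupLuaBindings` starts before the hunk.

```cpp
/* walks a single mask or a Lua table of masks; shared by the exclude/include bindings */
template <typename F>
static void forEachNetmask(const boost::variant<std::string, std::vector<std::pair<int, std::string>>>& ranges, F&& apply)
{
  if (const auto* list = boost::get<std::vector<std::pair<int, std::string>>>(&ranges)) {
    for (const auto& range : *list) {
      apply(Netmask(range.second));
    }
  }
  else {
    /* reference form throws boost::bad_get instead of dereferencing null if a new alternative is ever added */
    apply(Netmask(boost::get<std::string>(ranges)));
  }
}

// … unchanged: registerFunction("excludeRange", …) signature …
    forEachNetmask(ranges, [&dbpf](const Netmask& nm) { dbpf->excludeRange(nm); });
// … unchanged: registerFunction("includeRange", …) signature …
    forEachNetmask(ranges, [&dbpf](const Netmask& nm) { dbpf->includeRange(nm); });
```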
@@ -95,3 +95,18 @@ These are all the functions, objects and methods related to the :doc:`../advance Represents an dynamic eBPF filter, allowing the use of ephemeral rules to an existing eBPF filter. + .. method:: DynBPFFilter:excludeRange(netmasks) + + .. versionadded:: 1.3.3 + + Exclude this range, or list of ranges, meaning that no dynamic block will ever be inserted for clients in that range. Default to empty, meaning rules are applied to all ranges. When used in combination with :meth:`DynBPFFilter:includeRange`, the more specific entry wins. + + :param int netmasks: A netmask, or list of netmasks, as strings, like for example "192.0.2.1/24" + + .. method:: DynBPFFilter:includeRange(netmasks) + + .. versionadded:: 1.3.3 + + Include this range, or list of ranges, meaning that rules will be applied to this range. When used in combination with :meth:`DynBPFFilter:excludeRange`, the more specific entry wins. + + :param int netmasks: A netmask, or list of netmasks, as strings, like for example "192.0.2.1/24"