From: Remi Gacogne Date: Tue, 13 Feb 2024 09:04:08 +0000 (+0100) Subject: dnsdist: Clarify that setSuffixMatchRule blocks per suffix, not labels X-Git-Tag: dnsdist-1.9.0~1^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F13780%2Fhead;p=thirdparty%2Fpdns.git dnsdist: Clarify that setSuffixMatchRule blocks per suffix, not labels --- diff --git a/pdns/dnsdistdist/docs/reference/config.rst b/pdns/dnsdistdist/docs/reference/config.rst index 82e6dcc051..020f3be429 100644 --- a/pdns/dnsdistdist/docs/reference/config.rst +++ b/pdns/dnsdistdist/docs/reference/config.rst @@ -1796,7 +1796,7 @@ faster than the existing rules. Set a Lua visitor function that will be called for each label of every domain seen in queries and responses. The function receives a :class:`StatNode` object representing the stats of the parent, a :class:`StatNodeStats` one with the stats of the current label and a second :class:`StatNodeStats` with the stats of the current node plus all its children. Note that this function will not be called if a FFI version has been set using :meth:`DynBlockRulesGroup:setSuffixMatchRuleFFI` - If the function returns true, the current label will be blocked according to the `seconds`, `reason`, `blockingTime` and `action` parameters. Since 1.7.0, the function can return an additional string, in addition to the boolean, which will be set as the ``reason`` for the dynamic block. + If the function returns ``true``, the current suffix will be added to the block list, meaning that the exact name and all its sub-domains will be blocked according to the `seconds`, `reason`, `blockingTime` and `action` parameters. Since 1.7.0, the function can return an additional string, in addition to the boolean, which will be set as the ``reason`` for the dynamic block. Selected domains can be excluded from this processing using the :meth:`DynBlockRulesGroup:excludeDomains` method. This replaces the existing :func:`addDynBlockSMT` function. 
@@ -1812,7 +1812,7 @@ faster than the existing rules. .. versionadded:: 1.4.0 Set a Lua FFI visitor function that will be called for each label of every domain seen in queries and responses. The function receives a `dnsdist_ffi_stat_node_t` object containing the stats of the parent, a second one with the stats of the current label and one with the stats of the current node plus all its children. - If the function returns true, the current label will be blocked according to the `seconds`, `reason`, `blockingTime` and `action` parameters. + If the function returns ``true``, the current suffix will be added to the block list, meaning that the exact name and all its sub-domains will be blocked according to the `seconds`, `reason`, `blockingTime` and `action` parameters. Selected domains can be excluded from this processing using the :meth:`DynBlockRulesGroup:excludeDomains` method. :param int seconds: Number of seconds the rate has been exceeded
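Review bot: In the setSuffixMatchRule hunk (@@ -1796), the unchanged context sentence still says the visitor is "called for each label of every domain" and receives "the stats of the current label", while the added line now speaks of "the current suffix", so the reader has to work out how a visited label relates to the suffix that ends up on the block list. Suggest using "suffix" in the context sentence as well, or adding a clause there that ties each visited node to the suffix it represents. Because the added line states that the exact name and all its sub-domains are blocked, a visitor that returns true for a node high in the tree has a wide effect. It would help to keep the :meth:`DynBlockRulesGroup:excludeDomains` pointer in the same paragraph as that statement.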
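Review bot: In the setSuffixMatchRuleFFI hunk (@@ -1812), the added line marks up ``true`` with double backticks but leaves `seconds`, `reason`, `blockingTime` and `action` in single backticks, which reStructuredText treats as interpreted text in the default role rather than as inline literals. The added line in the first hunk has the same mix, and it also writes ``reason`` with double backticks later in the same sentence. Suggest switching the parameter names to double backticks in both added lines so they render the same way as ``true``. Separately, the context sentence in this hunk still describes "the stats of the current label", which should be aligned with the new "current suffix" wording.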