From 804646924e25913f3d85a1e096054278f3f9a917 Mon Sep 17 00:00:00 2001
From: Peter van Dijk <peter.van.dijk@powerdns.com>
Date: Mon, 30 Aug 2021 11:57:12 +0200
Subject: [PATCH] use the right address in a bunch more places

---
 modules/pipebackend/pipebackend.cc |  2 +-
 pdns/dnspacket.cc                  |  4 ++--
 pdns/lua-auth4.cc                  |  6 +++---
 pdns/nameserver.cc                 |  2 +-
 pdns/packethandler.cc              | 23 ++++++++++-------------
 5 files changed, 17 insertions(+), 20 deletions(-)

diff --git a/modules/pipebackend/pipebackend.cc b/modules/pipebackend/pipebackend.cc
index a5981c797d..b540a4c308 100644
--- a/modules/pipebackend/pipebackend.cc
+++ b/modules/pipebackend/pipebackend.cc
@@ -172,7 +172,7 @@ void PipeBackend::lookup(const QType& qtype, const DNSName& qname, int zoneId, D
       if (pkt_p) {
         localIP = pkt_p->getLocal().toString();
         realRemote = pkt_p->getRealRemote();
-        remoteIP = pkt_p->getRemote().toString();
+        remoteIP = pkt_p->getInnerRemote().toString();
       }
       // abi-version = 1
       // type    qname           qclass  qtype   id      remote-ip-address
diff --git a/pdns/dnspacket.cc b/pdns/dnspacket.cc
index fb260e9395..ba687a0566 100644
--- a/pdns/dnspacket.cc
+++ b/pdns/dnspacket.cc
@@ -553,7 +553,7 @@ try
   d_wrapped=true;
   if(length < 12) { 
     g_log << Logger::Debug << "Ignoring packet: too short from "
-      << getRemote() << endl;
+      << getRemoteString() << endl;
     return -1;
   }
 
@@ -608,7 +608,7 @@ try
 
   if(!ntohs(d.qdcount)) {
     if(!d_tcp) {
-      g_log << Logger::Debug << "No question section in packet from " << getRemote() <<", RCode="<<RCode::to_s(d.rcode)<<endl;
+      g_log << Logger::Debug << "No question section in packet from " << getRemoteString() <<", RCode="<<RCode::to_s(d.rcode)<<endl;
       return -1;
     }
   }
diff --git a/pdns/lua-auth4.cc b/pdns/lua-auth4.cc
index 2045d9e1b5..3df7d21e8e 100644
--- a/pdns/lua-auth4.cc
+++ b/pdns/lua-auth4.cc
@@ -41,10 +41,10 @@ void AuthLua4::postPrepareContext() {
   d_lw->registerFunction<DNSPacket, int(const char *, size_t)>("parse", [](DNSPacket &p, const char *mesg, size_t len){ return p.parse(mesg, len); });
   d_lw->registerFunction<DNSPacket, const std::string()>("getString", [](DNSPacket &p) { return p.getString(); });
   d_lw->registerFunction<DNSPacket, void(const ComboAddress&)>("setRemote", [](DNSPacket &p, const ComboAddress &ca) { p.setRemote(&ca); });
-  d_lw->registerFunction<DNSPacket, ComboAddress()>("getRemote", [](DNSPacket &p) { return p.getRemote(); });
+  d_lw->registerFunction<DNSPacket, ComboAddress()>("getRemote", [](DNSPacket &p) { return p.getInnerRemote(); });
   d_lw->registerFunction<DNSPacket, Netmask()>("getRealRemote", [](DNSPacket &p) { return p.getRealRemote(); });
   d_lw->registerFunction<DNSPacket, ComboAddress()>("getLocal", [](DNSPacket &p) { return p.getLocal(); });
-  d_lw->registerFunction<DNSPacket, unsigned int()>("getRemotePort", [](DNSPacket &p) { return p.getRemotePort(); });
+  d_lw->registerFunction<DNSPacket, unsigned int()>("getRemotePort", [](DNSPacket &p) { return p.getInnerRemote().getPort(); });
   d_lw->registerFunction<DNSPacket, std::tuple<const std::string, unsigned int>()>("getQuestion", [](DNSPacket &p) { return std::make_tuple(p.qdomain.toString(), static_cast<unsigned int>(p.qtype.getCode())); });
   d_lw->registerFunction<DNSPacket, void(bool)>("setA", [](DNSPacket &p, bool a) { return p.setA(a); });
   d_lw->registerFunction<DNSPacket, void(unsigned int)>("setID", [](DNSPacket &p, unsigned int id) { return p.setID(static_cast<uint16_t>(id)); });
@@ -153,7 +153,7 @@ bool AuthLua4::updatePolicy(const DNSName &qname, const QType& qtype, const DNSN
   upq.qtype = qtype.getCode();
   upq.zonename = zonename;
   upq.local = packet.getLocal();
-  upq.remote = packet.getRemote();
+  upq.remote = packet.getInnerRemote();
   upq.realRemote = packet.getRealRemote();
   upq.tsigName = packet.getTSIGKeyname();
   upq.peerPrincipal = packet.d_peer_principal;
diff --git a/pdns/nameserver.cc b/pdns/nameserver.cc
index 8f2bcd5778..56c1fca68e 100644
--- a/pdns/nameserver.cc
+++ b/pdns/nameserver.cc
@@ -327,7 +327,7 @@ bool UDPNameserver::receive(DNSPacket& packet, std::string& buffer)
 
   if(packet.parse(&buffer.at(0), (size_t) len)<0) {
     S.inc("corrupt-packets");
-    S.ringAccount("remotes-corrupt", packet.d_remote);
+    S.ringAccount("remotes-corrupt", packet.getInnerRemote());
 
     return false; // unable to parse
   }
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index fee18b5a2c..72b83250c2 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -941,13 +941,11 @@ int PacketHandler::trySuperMaster(const DNSPacket& p, const DNSName& tsigkeyname
 
 int PacketHandler::trySuperMasterSynchronous(const DNSPacket& p, const DNSName& tsigkeyname)
 {
-  ComboAddress remote = p.getRemote();
-  // this uses the outer (non-PROXY) remote on purpose
+  ComboAddress remote = p.getInnerRemote();
   if(p.hasEDNSSubnet() && pdns::isAddressTrustedNotificationProxy(remote)) {
     remote = p.getRealRemote().getNetwork();
   }
   else {
-    // but we fall back to the inner (PROXY) remote if there is no ECS forwarded by a trusted proxy
     remote = p.getInnerRemote();
   }
   remote.setPort(53);
@@ -1069,13 +1067,12 @@ int PacketHandler::processNotify(const DNSPacket& p)
     return RCode::Refused;
   }
 
-  // this uses the outer (non-PROXY) remote on purpose
-  if(pdns::isAddressTrustedNotificationProxy(p.getRemote())) {
+  if(pdns::isAddressTrustedNotificationProxy(p.getInnerRemote())) {
     if(di.masters.empty()) {
-      g_log<<Logger::Warning<<"Received NOTIFY for "<<p.qdomain<<" from trusted-notification-proxy "<<p.getRemote()<<", zone does not have any masters defined (Refused)"<<endl;
+      g_log<<Logger::Warning<<"Received NOTIFY for "<<p.qdomain<<" from trusted-notification-proxy "<<p.getRemoteString()<<", zone does not have any masters defined (Refused)"<<endl;
       return RCode::Refused;
     }
-    g_log<<Logger::Notice<<"Received NOTIFY for "<<p.qdomain<<" from trusted-notification-proxy "<<p.getRemote()<<endl;
+    g_log<<Logger::Notice<<"Received NOTIFY for "<<p.qdomain<<" from trusted-notification-proxy "<<p.getRemoteString()<<endl;
   }
   else if(::arg().mustDo("primary") && di.kind == DomainInfo::Master) {
     g_log<<Logger::Warning<<"Received NOTIFY for "<<p.qdomain<<" from "<<p.getRemoteString()<<" but we are master (Refused)"<<endl;
@@ -1279,7 +1276,7 @@ std::unique_ptr<DNSPacket> PacketHandler::doQuestion(DNSPacket& p)
   
   if(p.d.qr) { // QR bit from dns packet (thanks RA from N)
     if(d_logDNSDetails)
-      g_log<<Logger::Error<<"Received an answer (non-query) packet from "<<p.getRemote()<<", dropping"<<endl;
+      g_log<<Logger::Error<<"Received an answer (non-query) packet from "<<p.getRemoteString()<<", dropping"<<endl;
     S.inc("corrupt-packets");
     S.ringAccount("remotes-corrupt", p.d_remote);
     return nullptr;
@@ -1287,7 +1284,7 @@ std::unique_ptr<DNSPacket> PacketHandler::doQuestion(DNSPacket& p)
 
   if(p.d.tc) { // truncated query. MOADNSParser would silently parse this packet in an incomplete way.
     if(d_logDNSDetails)
-      g_log<<Logger::Error<<"Received truncated query packet from "<<p.getRemote()<<", dropping"<<endl;
+      g_log<<Logger::Error<<"Received truncated query packet from "<<p.getRemoteString()<<", dropping"<<endl;
     S.inc("corrupt-packets");
     S.ringAccount("remotes-corrupt", p.d_remote);
     return nullptr;
@@ -1335,7 +1332,7 @@ std::unique_ptr<DNSPacket> PacketHandler::doQuestion(DNSPacket& p)
 
     if(!validDNSName(p.qdomain)) {
       if(d_logDNSDetails)
-        g_log<<Logger::Error<<"Received a malformed qdomain from "<<p.getRemote()<<", '"<<p.qdomain<<"': sending servfail"<<endl;
+        g_log<<Logger::Error<<"Received a malformed qdomain from "<<p.getRemoteString()<<", '"<<p.qdomain<<"': sending servfail"<<endl;
       S.inc("corrupt-packets");
       S.ringAccount("remotes-corrupt", p.d_remote);
       S.inc("servfail-packets");
@@ -1365,13 +1362,13 @@ std::unique_ptr<DNSPacket> PacketHandler::doQuestion(DNSPacket& p)
         return nullptr;
       }
       
-      g_log<<Logger::Error<<"Received an unknown opcode "<<p.d.opcode<<" from "<<p.getRemote()<<" for "<<p.qdomain<<endl;
+      g_log<<Logger::Error<<"Received an unknown opcode "<<p.d.opcode<<" from "<<p.getRemoteString()<<" for "<<p.qdomain<<endl;
 
       r->setRcode(RCode::NotImp); 
       return r; 
     }
 
-    // g_log<<Logger::Warning<<"Query for '"<<p.qdomain<<"' "<<p.qtype.toString()<<" from "<<p.getRemote()<< " (tcp="<<p.d_tcp<<")"<<endl;
+    // g_log<<Logger::Warning<<"Query for '"<<p.qdomain<<"' "<<p.qtype.toString()<<" from "<<p.getRemoteString()<< " (tcp="<<p.d_tcp<<")"<<endl;
     
     if(p.qtype.getCode()==QType::IXFR) {
       r->setRcode(RCode::Refused);
@@ -1470,7 +1467,7 @@ std::unique_ptr<DNSPacket> PacketHandler::doQuestion(DNSPacket& p)
 
     // this TRUMPS a cname!
     if(p.qtype.getCode() == QType::RRSIG) {
-      g_log<<Logger::Info<<"Direct RRSIG query for "<<target<<" from "<<p.getRemote()<<endl;
+      g_log<<Logger::Info<<"Direct RRSIG query for "<<target<<" from "<<p.getRemoteString()<<endl;
       r->setRcode(RCode::Refused);
       goto sendit;
     }
-- 
2.47.2