public:
// this action does not stop the processing
RemoteLogResponseAction(RemoteLogActionConfiguration& config) :
- d_tagsToExport(std::move(config.tagsToExport)), d_metas(std::move(config.metas)), d_logger(config.logger), d_alterFunc(std::move(config.alterResponseFunc)), d_serverID(config.serverID), d_ipEncryptKey(config.ipEncryptKey), d_exportExtendedErrorsToMeta(std::move(config.exportExtendedErrorsToMeta)), d_includeCNAME(config.includeCNAME)
+ d_tagsToExport(std::move(config.tagsToExport)), d_metas(std::move(config.metas)), d_logger(config.logger), d_alterFunc(std::move(config.alterResponseFunc)), d_serverID(config.serverID), d_ipEncryptKey(config.ipEncryptKey), d_ipEncryptMethod(config.ipEncryptMethod), d_exportExtendedErrorsToMeta(std::move(config.exportExtendedErrorsToMeta)), d_includeCNAME(config.includeCNAME)
{
+ if (!d_ipEncryptKey.empty() && d_ipEncryptMethod == "ipcrypt-pfx") {
+ d_ipcrypt2 = pdns::ipcrypt2::IPCrypt2(pdns::ipcrypt2::IPCryptMethod::pfx, d_ipEncryptKey);
+ }
}
DNSResponseAction::Action operator()(DNSResponse* response, std::string* ruleresult) const override
{
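Review bot: An unrecognised method string silently disables anonymisation: the constructor only instantiates `d_ipcrypt2` when `d_ipEncryptMethod == "ipcrypt-pfx"`, the legacy branch in `operator()` only fires when it equals "legacy", and the name-list check against `s_validIpEncryptMethods` lives in the Lua parsing path alone, while the YAML path copies `config.ip_encrypt_method` straight into `actionConfig.ipEncryptMethod` without any check. A YAML configuration with a key and a misspelled method (or, if the configuration struct's default is not "legacy", no method at all — I cannot see that default here) therefore logs the requestor address in clear, the opposite of what the operator configured. Validating in the constructor covers both entry points: `if (!d_ipEncryptKey.empty() && d_ipEncryptMethod != "legacy" && d_ipEncryptMethod != "ipcrypt-pfx") {` / `  throw std::runtime_error("Invalid IP Encryption method in RemoteLogResponseAction");` / `}` placed before the `ipcrypt-pfx` branch. The same gap applies to the YAML hunk that assigns `actionConfig.ipEncryptMethod`; the enclosing class header is outside this hunk.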
}
#ifdef HAVE_IPCIPHER
- if (!d_ipEncryptKey.empty()) {
+ if (!d_ipEncryptKey.empty() && d_ipEncryptMethod == "legacy") {
message.setRequestor(encryptCA(response->ids.origRemote, d_ipEncryptKey));
}
#endif /* HAVE_IPCIPHER */
+ if (d_ipcrypt2) {
+ auto encryptedAddress = d_ipcrypt2->encrypt(response->ids.origRemote);
+ encryptedAddress.setPort(response->ids.origRemote.getPort());
+ message.setRequestor(encryptedAddress);
+ }
if (d_tagsToExport) {
addTagsToProtobuf(message, *response, *d_tagsToExport);
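Review bot: The "legacy" branch is compiled only under `HAVE_IPCIPHER`, so in a build without it a configured key with the default method is silently ignored and `message.setRequestor` is never called with an encrypted address, while the new `ipcrypt-pfx` branch below is unconditional. That asymmetry predates this change for the key itself, but now that the method is an explicit selector it can be rejected at configuration time instead of failing open at runtime: in the constructor, `#ifndef HAVE_IPCIPHER` / `if (!d_ipEncryptKey.empty() && d_ipEncryptMethod == "legacy") { throw std::runtime_error("ipEncryptMethod 'legacy' requires dnsdist to be built with ipcipher support"); }` / `#endif`. A comment above the `d_ipcrypt2` branch, `// prefix-preserving encryption keeps the original port so the logged requestor stays addressable in the same form`, would also explain the `setPort` call, which the legacy path does not spell out. `operator()` starts before this hunk's changes and continues past it.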
std::optional<std::function<void(DNSResponse*, DNSDistProtoBufMessage*)>> d_alterFunc;
std::string d_serverID;
std::string d_ipEncryptKey;
+ std::string d_ipEncryptMethod;
+ std::optional<pdns::ipcrypt2::IPCrypt2> d_ipcrypt2{std::nullopt};
std::optional<std::string> d_exportExtendedErrorsToMeta{std::nullopt};
bool d_includeCNAME;
};
actionConfig.logger = std::move(logger);
actionConfig.serverID = std::string(config.server_id);
actionConfig.ipEncryptKey = std::string(config.ip_encrypt_key);
+ actionConfig.ipEncryptMethod = std::string(config.ip_encrypt_method);
actionConfig.includeCNAME = config.include_cname;
for (const auto& meta : config.metas) {
actionConfig.metas.emplace_back(std::string(meta.key), ProtoBufMetaKey(std::string(meta.value)));
config.includeCNAME = includeCNAME ? *includeCNAME : false;
getOptionalValue<std::string>(vars, "serverID", config.serverID);
getOptionalValue<std::string>(vars, "ipEncryptKey", config.ipEncryptKey);
+ getOptionalValue<std::string>(vars, "ipEncryptMethod", config.ipEncryptMethod);
getOptionalValue<std::string>(vars, "exportTags", tags);
getOptionalValue<std::string>(vars, "exportExtendedErrorsToMeta", config.exportExtendedErrorsToMeta);
}
}
}
+ if (std::find(s_validIpEncryptMethods.begin(), s_validIpEncryptMethods.end(), config.ipEncryptMethod) == s_validIpEncryptMethods.end()) {
+ throw std::runtime_error("Invalid IP Encryption method in RemoteLogResponseAction");
+ }
checkAllParametersConsumed("RemoteLogResponseAction", vars);
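Review bot: The rejection message does not say which value was refused, which makes a typo in a Lua configuration needlessly hard to diagnose; `throw std::runtime_error("Invalid IP Encryption method '" + config.ipEncryptMethod + "' in RemoteLogResponseAction");` gives the operator the offending string without changing behaviour. The check also runs when no `ipEncryptKey` is set, which is fine as long as `s_validIpEncryptMethods` (declared outside this hunk) contains the struct's default value; if that default is an empty string the check would throw for every configuration that does not name a method, so the two should be verified against each other. The `std::find` call needs `<algorithm>`; I cannot see from this hunk whether the file already includes it.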
- name: "ip_encrypt_key"
type: "String"
default: ""
- description: "A key, that can be generated via the :func:`makeIPCipherKey` function, to encrypt the IP address of the requestor for anonymization purposes. The encryption is done using ipcrypt for IPv4 and a 128-bit AES ECB operation for IPv6"
+ description: "A key to encrypt the IP address of the requestor for anonymization purposes. For the \"legacy\" method, it can be generated via the :func:`makeIPCipherKey` function, The encryption method can be set using ``ip_encrypt_method``"
+ - name: "ip_encrypt_method"
+ type: "String"
+ default: "legacy"
+ description: "
+ The method to encrypt the IP addresses with.
+ * legacy: The encryption is done using ipcrypt for IPv4 and a 128-bit AES ECB operation for IPv6. This is the default.
+ * ipcrypt-pfx: IPCrypt2, using prefix-preserving encryption. See `the ipcrypt website <https://ipcrypt-std.github.io/>__`. ``ip_encrypt_key`` must be 32 bytes."
- name: "include_cname"
type: "bool"
default: "false"