+ dnsfilter: use global and per-client BlockedServices array

2019-07-23 12:21:37 +03:00
parent 04a477c14a
commit e81a9c7d56
7 changed files with 156 additions and 4 deletions
--- a/dnsfilter/dnsfilter.go
+++ b/dnsfilter/dnsfilter.go
@@ -39,12 +39,19 @@ const defaultParentalURL = "%s://%s/check-parental-control-hash?prefixes=%s&sens
 const defaultParentalSensitivity = 13 // use "TEEN" by default
 const maxDialCacheSize = 2            // the number of host names for safebrowsing and parental control

+// ServiceEntry - blocked service array element
+type ServiceEntry struct {
+	Name  string
+	Rules []*urlfilter.NetworkRule
+}
+
 // RequestFilteringSettings is custom filtering settings
 type RequestFilteringSettings struct {
 	FilteringEnabled    bool
 	SafeSearchEnabled   bool
 	SafeBrowsingEnabled bool
 	ParentalEnabled     bool
+	ServicesRules       []ServiceEntry
 }

 // RewriteEntry is a rewrite array element
@@ -139,6 +146,8 @@ const (
 	FilteredInvalid
 	// FilteredSafeSearch - the host was replaced with safesearch variant
 	FilteredSafeSearch
+	// FilteredBlockedService - the host is blocked by "blocked services" settings
+	FilteredBlockedService

 	// ReasonRewrite - rewrite rule was applied
 	ReasonRewrite
@@ -155,6 +164,7 @@ func (i Reason) String() string {
 		"FilteredParental",
 		"FilteredInvalid",
 		"FilteredSafeSearch",
+		"FilteredBlockedService",

 		"Rewrite",
 	}
@@ -185,6 +195,9 @@ type Result struct {
 	// for ReasonRewrite:
 	CanonName string   `json:",omitempty"` // CNAME value
 	IPList    []net.IP `json:",omitempty"` // list of IP addresses
+
+	// for FilteredBlockedService:
+	ServiceName string `json:",omitempty"` // Name of the blocked service
 }

 // Matched can be used to see if any match at all was found, no matter filtered or not
@@ -209,7 +222,7 @@ func (d *Dnsfilter) CheckHost(host string, qtype uint16, clientAddr string) (Res
 	setts.SafeSearchEnabled = d.SafeSearchEnabled
 	setts.SafeBrowsingEnabled = d.SafeBrowsingEnabled
 	setts.ParentalEnabled = d.ParentalEnabled
-	if len(clientAddr) != 0 && d.FilterHandler != nil {
+	if d.FilterHandler != nil {
 		d.FilterHandler(clientAddr, &setts)
 	}

@@ -232,6 +245,13 @@ func (d *Dnsfilter) CheckHost(host string, qtype uint16, clientAddr string) (Res
 		}
 	}

+	if len(setts.ServicesRules) != 0 {
+		result = matchBlockedServicesRules(host, setts.ServicesRules)
+		if result.Reason.Matched() {
+			return result, nil
+		}
+	}
+
 	// check safeSearch if no match
 	if setts.SafeSearchEnabled {
 		result, err = d.checkSafeSearch(host)
@@ -326,6 +346,26 @@ func (d *Dnsfilter) processRewrites(host string, qtype uint16) Result {
 	return res
 }

+func matchBlockedServicesRules(host string, svcs []ServiceEntry) Result {
+	req := urlfilter.NewRequestForHostname(host)
+	res := Result{}
+
+	for _, s := range svcs {
+		for _, rule := range s.Rules {
+			if rule.Match(req) {
+				res.Reason = FilteredBlockedService
+				res.IsFiltered = true
+				res.ServiceName = s.Name
+				res.Rule = rule.Text()
+				log.Debug("Blocked Services: matched rule: %s  host: %s  service: %s",
+					res.Rule, host, s.Name)
+				return res
+			}
+		}
+	}
+	return res
+}
+
 func setCacheResult(cache *fastcache.Cache, host string, res Result) {
 	var buf bytes.Buffer
 	enc := gob.NewEncoder(&buf)