Support IP accept list

src/dns_client.h

@@ -22,6 +22,7 @@ typedef enum dns_result_type {
 #define DNSSERVER_FLAG_BLACKLIST_IP (0x1 << 0)
 #define DNSSERVER_FLAG_CHECK_EDNS (0x1 << 1)
 #define DNSSERVER_FLAG_CHECK_TTL (0x1 << 2)
+#define DNSSERVER_FLAG_ACCEPT_IP (0x1 << 3)
 
 int dns_client_init(void);
 

src/dns_conf.c

@@ -9,7 +9,7 @@
 #include <string.h>
 #include <syslog.h>
 #include <unistd.h>
- #include <libgen.h>
+#include <libgen.h>
 
 #define DEFAULT_DNS_CACHE_SIZE 512
 
@@ -168,10 +168,10 @@ static int _config_server(int argc, char *argv[], dns_server_type_t type, int de
 	/* clang-format off */
 	static struct option long_options[] = {
 		{"blacklist-ip", no_argument, NULL, 'b'}, /* filtering with blacklist-ip */
-#ifdef FEATURE_CHECK_EDNS
+#ifdef FEATURE_CHECK_EDNS		
 		/* experimental feature */
 		{"check-edns", no_argument, NULL, 'e'},   /* check edns */
-#endif
+#endif 
 		{"spki-pin", required_argument, NULL, 'p'}, /* check SPKI pin */
 		{"host-name", required_argument, NULL, 'h'}, /* host name */
 		{"http-host", required_argument, NULL, 'H'}, /* http host */
@@ -236,6 +236,10 @@ static int _config_server(int argc, char *argv[], dns_server_type_t type, int de
 			result_flag |= DNSSERVER_FLAG_CHECK_EDNS;
 			break;
 		}
+		case 'a': {
+			result_flag |= DNSSERVER_FLAG_ACCEPT_IP;
+			break;
+		}		
 		case 'h': {
 			strncpy(server->hostname, optarg, DNS_MAX_CNAME_LEN);
 			break;
@@ -886,6 +890,12 @@ static int _config_iplist_rule(char *subnet, enum address_rule rule)
 		break;
 	case ADDRESS_RULE_IP_IGNORE:
 		ip_rule->ip_ignore = 1;
+		break;
+	case ADDRESS_RULE_IP_ACCEPT:
+		ip_rule->ip_accept = 1;
+		break;
+	default:
+		return -1;
 	}
 
 	return 0;
@@ -918,6 +928,15 @@ static int _conf_ip_ignore(void *data, int argc, char *argv[])
 	return _config_iplist_rule(argv[1], ADDRESS_RULE_IP_IGNORE);
 }
 
+static int _conf_ip_accept(void *data, int argc, char *argv[])
+{
+	if (argc <= 1) {
+		return -1;
+	}
+
+	return _config_iplist_rule(argv[1], ADDRESS_RULE_IP_ACCEPT);
+}
+
 static int _conf_edns_client_subnet(void *data, int argc, char *argv[])
 {
 	char *slash = NULL;
@@ -1024,6 +1043,7 @@ static struct config_item _config_item[] = {
 	CONF_CUSTOM("blacklist-ip", _config_blacklist_ip, NULL),
 	CONF_CUSTOM("bogus-nxdomain", _conf_bogus_nxdomain, NULL),
 	CONF_CUSTOM("ignore-ip", _conf_ip_ignore, NULL),
+	CONF_CUSTOM("accept-ip", _conf_ip_accept, NULL),
 	CONF_CUSTOM("edns-client-subnet", _conf_edns_client_subnet, NULL),
 	CONF_CUSTOM("conf-file", config_addtional_file, NULL),
 	CONF_END(),

src/dns_conf.h

@@ -116,12 +116,14 @@ enum address_rule {
 	ADDRESS_RULE_BLACKLIST = 1,
 	ADDRESS_RULE_BOGUS = 2,
 	ADDRESS_RULE_IP_IGNORE = 3,
+	ADDRESS_RULE_IP_ACCEPT = 4,
 };
 
 struct dns_ip_address_rule {
 	unsigned int blacklist : 1;
 	unsigned int bogus : 1;
 	unsigned int ip_ignore : 1;
+	unsigned int ip_accept : 1;
 };
 
 struct dns_edns_client_subnet {

src/dns_server.c

@@ -962,11 +962,11 @@ static int _dns_server_ip_rule_check(struct dns_request *request, unsigned char
 	}
 
 	if (node == NULL) {
-		return -1;
+		goto rule_not_found;
 	}
 
 	if (node->data == NULL) {
-		return -1;
+		goto rule_not_found;
 	}
 
 	/* bogux-nxdomain */
@@ -986,7 +986,17 @@ static int _dns_server_ip_rule_check(struct dns_request *request, unsigned char
 	if (rule->ip_ignore) {
 		goto skip;
 	}
+	
+rule_not_found:
+	if (result_flag & DNSSERVER_FLAG_ACCEPT_IP) {
+		if (rule == NULL) {
+			goto skip;
+		}
 
+		if (!rule->ip_accept) {
+			goto skip;
+		}
+	}
 	return -1;
 skip:
 	return -2;