ipset bugfix and add timeout feature

2019-02-14 23:37:23 +08:00
parent e1ffe29fca
commit a1150a7ceb
9 changed files with 55 additions and 18 deletions
--- a/src/dns_cache.c
+++ b/src/dns_cache.c
@@ -147,7 +147,7 @@ int dns_cache_insert(char *domain, char *cname, int cname_ttl, int ttl, dns_type
 	dns_cache->cname[0] = 0;
 	dns_cache->qtype = qtype;
 	dns_cache->ttl = ttl;
-	dns_cache->hitnum = 6;
+	dns_cache->hitnum = 2;
 	atomic_set(&dns_cache->ref, 1);
 	time(&dns_cache->insert_time);
 	if (qtype == DNS_T_A) {
--- a/src/dns_conf.c
+++ b/src/dns_conf.c
@@ -45,6 +45,8 @@ int dns_conf_rr_ttl_min;
 int dns_conf_rr_ttl_max;
 int dns_conf_force_AAAA_SOA;

+int dns_conf_ipset_timeout_enable;
+
 struct dns_edns_client_subnet dns_conf_ipv4_ecs;
 struct dns_edns_client_subnet dns_conf_ipv6_ecs;

@@ -706,6 +708,7 @@ struct config_item config_item[] = {
 	CONF_CUSTOM("server-tcp", config_server_tcp, NULL),
 	CONF_CUSTOM("server-tls", config_server_tls, NULL),
 	CONF_CUSTOM("address", config_address, NULL),
+	CONF_YESNO("ipset-timeout", &dns_conf_ipset_timeout_enable),
 	CONF_CUSTOM("ipset", config_ipset, NULL),
 	CONF_INT("tcp-idle-time", &dns_conf_tcp_idle_time, 0, 3600),
 	CONF_INT("cache-size", &dns_conf_cachesize, 0, CONF_INT_MAX),
--- a/src/dns_conf.h
+++ b/src/dns_conf.h
@@ -133,6 +133,7 @@ extern int dns_conf_rr_ttl;
 extern int dns_conf_rr_ttl_min;
 extern int dns_conf_rr_ttl_max;
 extern int dns_conf_force_AAAA_SOA;
+extern int dns_conf_ipset_timeout_enable;

 extern struct dns_edns_client_subnet dns_conf_ipv4_ecs;
 extern struct dns_edns_client_subnet dns_conf_ipv6_ecs;
--- a/src/dns_server.c
+++ b/src/dns_server.c
@@ -408,6 +408,10 @@ static int _dns_reply(struct dns_request *request)
 	int ret = 0;
 	int encode_len = 0;

+	if (request->client == NULL) {
+		return 0;
+	}
+
 	_dns_server_audit_log(request);

 	memset(&head, 0, sizeof(head));
@@ -490,14 +494,14 @@ static int _dns_setup_ipset(struct dns_request *request)
 	}

 	if (request->has_ipv4 && request->qtype == DNS_T_A) {
-		ret |= ipset_add(ipset_rule->ipsetname, request->ipv4_addr, DNS_RR_A_LEN);
+		ret |= ipset_add(ipset_rule->ipsetname, request->ipv4_addr, DNS_RR_A_LEN, request->ttl_v4 * 2);
 	}

 	if (request->has_ipv6 && request->qtype == DNS_T_AAAA) {
 		if (request->has_ipv4) {
-			ret |= ipset_add(ipset_rule->ipsetname, request->ipv4_addr, DNS_RR_A_LEN);
+			ret |= ipset_add(ipset_rule->ipsetname, request->ipv4_addr, DNS_RR_A_LEN, request->ttl_v4 * 2);
 		}
-		ret |= ipset_add(ipset_rule->ipsetname, request->ipv6_addr, DNS_RR_AAAA_LEN);
+		ret |= ipset_add(ipset_rule->ipsetname, request->ipv6_addr, DNS_RR_AAAA_LEN, request->ttl_v6 * 2);
 	}

 	tlog(TLOG_DEBUG, "IPSET-MATCH: domain:%s, ipset:%s, result: %d", request->domain, ipset_rule->ipsetname, ret);
@@ -548,7 +552,12 @@ int _dns_server_request_complete(struct dns_request *request)

 			if ((request->ping_ttl_v4 + (dns_conf_dualstack_ip_selection_threshold * 10)) < request->ping_ttl_v6 || request->ping_ttl_v6 < 0) {
 				tlog(TLOG_DEBUG, "Force IPV4 perfered.");
-				dns_cache_insert(request->domain, cname, cname_ttl, request->ttl_v4, DNS_T_A, request->ipv4_addr, DNS_RR_A_LEN);
+				if (request->prefetch) {
+					dns_cache_replace(request->domain, cname, cname_ttl, request->ttl_v4, DNS_T_A, request->ipv4_addr, DNS_RR_A_LEN);
+				} else {
+					dns_cache_insert(request->domain, cname, cname_ttl, request->ttl_v4, DNS_T_A, request->ipv4_addr, DNS_RR_A_LEN);
+				}
+
 				return _dns_server_reply_SOA(DNS_RC_NOERROR, request, NULL);
 			}

@@ -575,15 +584,16 @@ int _dns_server_request_complete(struct dns_request *request)
 		}
 	}

-	if (request->prefetch) {
-		return 0;
-	}
-
 	if (request->has_soa) {
 		tlog(TLOG_INFO, "result: %s, qtype: %d, SOA", request->domain, request->qtype);
 	}

 	_dns_setup_ipset(request);
+
+	if (request->prefetch) {
+		return 0;
+	}
+
 	_dns_reply(request);

 	return 0;
@@ -1594,6 +1604,8 @@ static int _dns_server_prefetch_request(char *domain, dns_type_t qtype)
 	hash_init(request->ip_map);
 	strncpy(request->domain, domain, DNS_MAX_CNAME_LEN);

+	request->domain_rule = _dns_server_get_domain_rule(request->domain);
+
 	tlog(TLOG_INFO, "prefetch domain %s, qtype = %d\n", request->domain, qtype);

 	_dns_server_request_get(request);
--- a/src/util.c
+++ b/src/util.c
@@ -1,4 +1,5 @@
 #include "util.h"
+#include "dns_conf.h"
 #include <arpa/inet.h>
 #include <errno.h>
 #include <fcntl.h>
@@ -19,6 +20,7 @@
 #define IPSET_ATTR_IPADDR_IPV6 2
 #define IPSET_ATTR_PROTOCOL 1
 #define IPSET_ATTR_SETNAME 2
+#define IPSET_ATTR_TIMEOUT 6
 #define IPSET_ADD 9
 #define IPSET_DEL 10
 #define IPSET_MAXNAMELEN 32
@@ -246,11 +248,20 @@ static int _ipset_socket_init(void)
 	return 0;
 }

-static int _ipset_operate(const char *ipsetname, const unsigned char addr[], int addr_len, int operate)
+static int _ipset_support_timeout(const char *ipsetname) 
+{
+	if (dns_conf_ipset_timeout_enable) {
+		return 0;
+	}
+	
+	return -1;
+}
+
+static int _ipset_operate(const char *ipsetname, const unsigned char addr[], int addr_len, unsigned long timeout, int operate)
 {
 	struct nlmsghdr *netlink_head;
 	struct ipset_netlink_msg *netlink_msg;
-	struct ipset_netlink_attr *nested[2];
+	struct ipset_netlink_attr *nested[3];
 	char buffer[BUFF_SZ];
 	uint8_t proto;
 	ssize_t rc;
@@ -285,7 +296,7 @@ static int _ipset_operate(const char *ipsetname, const unsigned char addr[], int
 	netlink_head = (struct nlmsghdr *)buffer;
 	netlink_head->nlmsg_len = NETLINK_ALIGN(sizeof(struct nlmsghdr));
 	netlink_head->nlmsg_type = operate | (NFNL_SUBSYS_IPSET << 8);
-	netlink_head->nlmsg_flags = NLM_F_REQUEST;
+	netlink_head->nlmsg_flags = NLM_F_REQUEST | NLM_F_REPLACE;

 	netlink_msg = (struct ipset_netlink_msg *)(buffer + netlink_head->nlmsg_len);
 	netlink_head->nlmsg_len += NETLINK_ALIGN(sizeof(struct ipset_netlink_msg));
@@ -303,9 +314,15 @@ static int _ipset_operate(const char *ipsetname, const unsigned char addr[], int
 	nested[1] = (struct ipset_netlink_attr *)(buffer + NETLINK_ALIGN(netlink_head->nlmsg_len));
 	netlink_head->nlmsg_len += NETLINK_ALIGN(sizeof(struct ipset_netlink_attr));
 	nested[1]->type = NLA_F_NESTED | IPSET_ATTR_IP;
-	_ipset_add_attr(netlink_head, (af == AF_INET ? IPSET_ATTR_IPADDR_IPV4 : IPSET_ATTR_IPADDR_IPV6) | NLA_F_NET_BYTEORDER, addr_len, addr);

+	_ipset_add_attr(netlink_head, (af == AF_INET ? IPSET_ATTR_IPADDR_IPV4 : IPSET_ATTR_IPADDR_IPV6) | NLA_F_NET_BYTEORDER, addr_len, addr);
 	nested[1]->len = (void *)buffer + NETLINK_ALIGN(netlink_head->nlmsg_len) - (void *)nested[1];
+
+	if (timeout > 0 && _ipset_support_timeout(ipsetname) == 0) {
+		timeout = htonl(timeout);
+		_ipset_add_attr(netlink_head, IPSET_ATTR_TIMEOUT | NLA_F_NET_BYTEORDER, sizeof(timeout), &timeout);
+	}
+
 	nested[0]->len = (void *)buffer + NETLINK_ALIGN(netlink_head->nlmsg_len) - (void *)nested[0];

 	for (;;) {
@@ -326,17 +343,16 @@ static int _ipset_operate(const char *ipsetname, const unsigned char addr[], int
 	return rc;
 }

-int ipset_add(const char *ipsetname, const unsigned char addr[], int addr_len)
+int ipset_add(const char *ipsetname, const unsigned char addr[], int addr_len, unsigned long timeout)
 {
-	return _ipset_operate(ipsetname, addr, addr_len, IPSET_ADD);
+	return _ipset_operate(ipsetname, addr, addr_len, timeout, IPSET_ADD);
 }

 int ipset_del(const char *ipsetname, const unsigned char addr[], int addr_len)
 {
-	return _ipset_operate(ipsetname, addr, addr_len, IPSET_DEL);
+	return _ipset_operate(ipsetname, addr, addr_len, 0, IPSET_DEL);
 }

-
 #define THREAD_STACK_SIZE (16*1024)
 static pthread_mutex_t *lock_cs;
 static long *lock_count;
--- a/src/util.h
+++ b/src/util.h
@@ -22,7 +22,7 @@ char *reverse_string(char *output, char *input, int len);

 void print_stack(void);

-int ipset_add(const char *ipsetname, const unsigned char addr[], int addr_len);
+int ipset_add(const char *ipsetname, const unsigned char addr[], int addr_len, unsigned long timeout);

 int ipset_del(const char *ipsetname, const unsigned char addr[], int addr_len);