From cb3656cb575785060e07325ba1b4c4ccef049947 Mon Sep 17 00:00:00 2001 From: Nick Peng Date: Tue, 18 Jun 2019 22:23:03 +0800 Subject: [PATCH] Change config accept-ip to whitelist-ip --- ReadMe.md | 10 +++++----- ReadMe_en.md | 9 +++++---- etc/smartdns/smartdns.conf | 16 ++++++++-------- src/dns_client.h | 6 +++--- src/dns_conf.c | 23 ++++++++++++----------- src/dns_conf.h | 8 ++++---- src/dns_server.c | 4 ++-- 7 files changed, 39 insertions(+), 37 deletions(-) diff --git a/ReadMe.md b/ReadMe.md index 82439c9..4c736fe 100644 --- a/ReadMe.md +++ b/ReadMe.md @@ -560,17 +560,17 @@ https://github.com/pymumu/smartdns/releases |audit-size|审计大小|128K|数字+K,M,G|audit-size 128K |audit-num|审计归档个数|2|数字|audit-num 2 |conf-file|附加配置文件|无|文件路径|conf-file /etc/smartdns/smartdns.more.conf -|server|上游UDP DNS|无|可重复
`[ip][:port]`:服务器IP,端口可选。
`[-blacklist-ip]`:blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。
`[-accept-ip]`:accept-ip参数指定仅接受accept-ip中配置IP范围。
`[-group [group] ...]`:DNS服务器所属组,比如office, foreign,和nameserver配套使用。
`[-exclude-default-group]`:将DNS服务器从默认组中排除| server 8.8.8.8:53 -blacklist-ip -group g1 -|server-tcp|上游TCP DNS|无|可重复
`[ip][:port]`:服务器IP,端口可选。
`[-blacklist-ip]`:blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。
`[-accept-ip]`:accept-ip参数指定仅接受accept-ip中配置IP范围。
`[-group [group] ...]`:DNS服务器所属组,比如office, foreign,和nameserver配套使用。
`[-exclude-default-group]`:将DNS服务器从默认组中排除| server-tcp 8.8.8.8:53 -|server-tls|上游TLS DNS|无|可重复
`[ip][:port]`:服务器IP,端口可选。
`[-spki-pin [sha256-pin]]`: TLS合法性校验SPKI值,base64编码的sha256 SPKI pin值
`[host-name]`:TLS SNI名称。
`[-blacklist-ip]`:blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。
`[-accept-ip]`:accept-ip参数指定仅接受accept-ip中配置IP范围。
`[-group [group] ...]`:DNS服务器所属组,比如office, foreign,和nameserver配套使用。
`[-exclude-default-group]`:将DNS服务器从默认组中排除| server-tls 8.8.8.8:853 -|server-https|上游HTTPS DNS|无|可重复
`https://[host][:port]/path`:服务器IP,端口可选。
`[-spki-pin [sha256-pin]]`: TLS合法性校验SPKI值,base64编码的sha256 SPKI pin值
`[host-name]`:TLS SNI名称
`[http-host]`:http协议头主机名。
`[-blacklist-ip]`:blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。
`[-accept-ip]`:accept-ip参数指定仅接受accept-ip中配置IP范围。
`[-group [group] ...]`:DNS服务器所属组,比如office, foreign,和nameserver配套使用。
`[-exclude-default-group]`:将DNS服务器从默认组中排除| server-https https://cloudflare-dns.com/dns-query +|server|上游UDP DNS|无|可重复
`[ip][:port]`:服务器IP,端口可选。
`[-blacklist-ip]`:blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。
`[-whitelist-ip]`:whitelist-ip参数指定仅接受whitelist-ip中配置IP范围。
`[-group [group] ...]`:DNS服务器所属组,比如office, foreign,和nameserver配套使用。
`[-exclude-default-group]`:将DNS服务器从默认组中排除| server 8.8.8.8:53 -blacklist-ip -group g1 +|server-tcp|上游TCP DNS|无|可重复
`[ip][:port]`:服务器IP,端口可选。
`[-blacklist-ip]`:blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。
`[-whitelist-ip]`:whitelist-ip参数指定仅接受whitelist-ip中配置IP范围。
`[-group [group] ...]`:DNS服务器所属组,比如office, foreign,和nameserver配套使用。
`[-exclude-default-group]`:将DNS服务器从默认组中排除| server-tcp 8.8.8.8:53 +|server-tls|上游TLS DNS|无|可重复
`[ip][:port]`:服务器IP,端口可选。
`[-spki-pin [sha256-pin]]`: TLS合法性校验SPKI值,base64编码的sha256 SPKI pin值
`[host-name]`:TLS SNI名称。
`[-blacklist-ip]`:blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。
`[-whitelist-ip]`:awhitelistip参数指定仅接受awhitelistip中配置IP范围。
`[-group [group] ...]`:DNS服务器所属组,比如office, foreign,和nameserver配套使用。
`[-exclude-default-group]`:将DNS服务器从默认组中排除| server-tls 8.8.8.8:853 +|server-https|上游HTTPS DNS|无|可重复
`https://[host][:port]/path`:服务器IP,端口可选。
`[-spki-pin [sha256-pin]]`: TLS合法性校验SPKI值,base64编码的sha256 SPKI pin值
`[host-name]`:TLS SNI名称
`[http-host]`:http协议头主机名。
`[-blacklist-ip]`:blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。
`[-whitelist-ip]`:whitelist-ip参数指定仅接受whitelist-ip中配置IP范围。
`[-group [group] ...]`:DNS服务器所属组,比如office, foreign,和nameserver配套使用。
`[-exclude-default-group]`:将DNS服务器从默认组中排除| server-https https://cloudflare-dns.com/dns-query |address|指定域名IP地址|无|address /domain/[ip\|-\|-4\|-6\|#\|#4\|#6]
`-`表示忽略
`#`表示返回SOA
`4`表示IPV4
`6`表示IPV6| address /www.example.com/1.2.3.4 |nameserver|指定域名使用server组解析|无|nameserver /domain/[group\|-], `group`为组名,`-`表示忽略此规则,配套server中的`-group`参数使用| nameserver /www.example.com/office |ipset|域名IPSET|None|ipset /domain/[ipset\|-], `-`表示忽略|ipset /www.example.com/pass |ipset-timeout|设置IPSET超时功能启用|auto|[yes]|ipset-timeout yes |bogus-nxdomain|假冒IP地址过滤|无|[ip/subnet],可重复| bogus-nxdomain 1.2.3.4/16 |ignore-ip|忽略IP地址|无|[ip/subnet],可重复| ignore-ip 1.2.3.4/16 -|accept-ip|接受IP地址|无|[ip/subnet],可重复| accept-ip 1.2.3.4/16 +|whitelist-ip|白名单IP地址|无|[ip/subnet],可重复| whitelist-ip 1.2.3.4/16 |blacklist-ip|黑名单IP地址|无|[ip/subnet],可重复| blacklist-ip 1.2.3.4/16 |force-AAAA-SOA|强制AAAA地址返回SOA|no|[yes\|no]|force-AAAA-SOA yes |prefetch-domain|域名预先获取功能|no|[yes\|no]|prefetch-domain yes diff --git a/ReadMe_en.md b/ReadMe_en.md index ae9d8a9..8f36726 100755 --- a/ReadMe_en.md +++ b/ReadMe_en.md @@ -555,16 +555,17 @@ Note: Merlin firmware is derived from ASUS firmware and can theoretically be use |audit-size|audit log size|128K|number+K,M,G|audit-size 128K |audit-num|archived audit log number|2|Integer|audit-num 2 |conf-file|additional conf file|None|File path|conf-file /etc/smartdns/smartdns.more.conf -|server|Upstream UDP DNS server|None|Repeatable
`[ip][:port]`: Server IP, port optional.
`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip".
`[-accept-ip]`: accept-ip parameter specifies that only the IP range configured in accept-ip is accepted.
`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver.
`[-exclude-default-group]`: Exclude DNS servers from the default group| server 8.8.8.8:53 -blacklist-ip -|server-tcp|Upstream TCP DNS server|None|Repeatable
`[ip][:port]`: Server IP, port optional.
`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip".
`[-accept-ip]`: accept-ip parameter specifies that only the IP range configured in accept-ip is accepted.
`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver.
`[-exclude-default-group]`: Exclude DNS servers from the default group| server-tcp 8.8.8.8:53 -|server-tls|Upstream TLS DNS server|None|Repeatable
`[ip][:port]`: Server IP, port optional.
`[-spki-pin [sha256-pin]]`: TLS verify SPKI value, a base64 encoded SHA256 hash
`[host-name]`:TLS Server name.
`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip".
`[-accept-ip]`: accept-ip parameter specifies that only the IP range configured in accept-ip is accepted.
`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver.
`[-exclude-default-group]`: Exclude DNS servers from the default group| server-tls 8.8.8.8:853 -|server-https|Upstream HTTPS DNS server|None|Repeatable
`https://[host][:port]/path`: Server IP, port optional.
`[-spki-pin [sha256-pin]]`: TLS verify SPKI value, a base64 encoded SHA256 hash
`[host-name]`:TLS Server name
`[http-host]`:http header host.
`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip".
`[-accept-ip]`: accept-ip parameter specifies that only the IP range configured in accept-ip is accepted.
`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver.
`[-exclude-default-group]`: Exclude DNS servers from the default group| server-https https://cloudflare-dns.com/dns-query +|server|Upstream UDP DNS server|None|Repeatable
`[ip][:port]`: Server IP, port optional.
`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip".
`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted.
`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver.
`[-exclude-default-group]`: Exclude DNS servers from the default group| server 8.8.8.8:53 -blacklist-ip +|server-tcp|Upstream TCP DNS server|None|Repeatable
`[ip][:port]`: Server IP, port optional.
`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip".
`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted.
`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver.
`[-exclude-default-group]`: Exclude DNS servers from the default group| server-tcp 8.8.8.8:53 +|server-tls|Upstream TLS DNS server|None|Repeatable
`[ip][:port]`: Server IP, port optional.
`[-spki-pin [sha256-pin]]`: TLS verify SPKI value, a base64 encoded SHA256 hash
`[host-name]`:TLS Server name.
`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip".
`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted.
`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver.
`[-exclude-default-group]`: Exclude DNS servers from the default group| server-tls 8.8.8.8:853 +|server-https|Upstream HTTPS DNS server|None|Repeatable
`https://[host][:port]/path`: Server IP, port optional.
`[-spki-pin [sha256-pin]]`: TLS verify SPKI value, a base64 encoded SHA256 hash
`[host-name]`:TLS Server name
`[http-host]`:http header host.
`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip".
`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted.
`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver.
`[-exclude-default-group]`: Exclude DNS servers from the default group| server-https https://cloudflare-dns.com/dns-query |address|Domain IP address|None|address /domain/[ip\|-\|-4\|-6\|#\|#4\|#6], `-` for ignore, `#` for return SOA, `4` for IPV4, `6` for IPV6| address /www.example.com/1.2.3.4 |nameserver|To query domain with specific server group|None|nameserver /domain/[group\|-], `group` is the group name, `-` means ignore this rule, use the `-group` parameter in the related server|nameserver /www.example.com/office |ipset|Domain IPSet|None|ipset /domain/[ipset\|-], `-` for ignore|ipset /www.example.com/pass |ipset-timeout|ipset timeout enable|auto|[yes]|ipset-timeout yes |bogus-nxdomain|bogus IP address|None|[IP/subnet], Repeatable| bogus-nxdomain 1.2.3.4/16 |ignore-ip|ignore ip address|None|[ip/subnet], Repeatable| ignore-ip 1.2.3.4/16 +|whitelist-ip|ip whitelist|None|[ip/subnet], Repeatable,When the filtering server responds IPs in the IP whitelist, only result in whitelist will be accepted| whitelist-ip 1.2.3.4/16 |blacklist-ip|ip blacklist|None|[ip/subnet], Repeatable,When the filtering server responds IPs in the IP blacklist, The result will be discarded directly| blacklist-ip 1.2.3.4/16 |force-AAAA-SOA|force AAAA query return SOA|no|[yes\|no]|force-AAAA-SOA yes |prefetch-domain|domain prefetch feature|no|[yes\|no]|prefetch-domain yes diff --git a/etc/smartdns/smartdns.conf b/etc/smartdns/smartdns.conf index de0d3b9..08e70f0 100644 --- a/etc/smartdns/smartdns.conf +++ b/etc/smartdns/smartdns.conf @@ -36,12 +36,12 @@ cache-size 512 # List of IPs that will be filtered when nameserver is configured -blacklist-ip parameter # blacklist-ip [ip/subnet] +# List of IPs that will be accepted when nameserver is configured -whitelist-ip parameter +# whitelist-ip [ip/subnet] + # List of IPs that will be ignored # ignore-ip [ip/subnet] -# List of IPs that will be accepted -# accept-ip [ip/subnet] - # force AAAA query return SOA # force-AAAA-SOA [yes|no] 
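Review bot: typo in the ReadMe.md `server-tls` row of the hunk above: `[-whitelist-ip]:awhitelistip参数指定仅接受awhitelistip中配置IP范围` should read `whitelist-ip参数指定仅接受whitelist-ip中配置IP范围`, as the `server`, `server-tcp` and `server-https` rows already do. The new `whitelist-ip` table row in ReadMe.md also carries no description of what the filter does, while the ReadMe_en.md row does; that English sentence, "When the filtering server responds IPs in the IP whitelist, only result in whitelist will be accepted", would itself read more precisely as "For a server configured with `-whitelist-ip`, only answers whose addresses fall inside a `whitelist-ip` subnet are kept; all other answers are discarded", which is what the dns_server.c change in this patch implements.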
@@ -83,22 +83,22 @@ log-level info # audit-num 2 # remote udp dns server list -# server [IP]:[PORT] [-blacklist-ip] [-accept-ip] [-check-edns] [-group [group] ...] [-exclude-default-group] +# server [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-check-edns] [-group [group] ...] [-exclude-default-group] # default port is 53 # -blacklist-ip: filter result with blacklist ip -# -accept-ip: accept ip result with accept-ip list +# -whitelist-ip: filter result whth whitelist ip, result in whitelist-ip will be accepted. # -check-edns: result must exist edns RR, or discard result. # -group [group]: set server to group, use with nameserver /domain/group. # -exclude-default-group: exclude this server from default group. # server 8.8.8.8 -blacklist-ip -check-edns -group g1 -group g2 # remote tcp dns server list -# server-tcp [IP]:[PORT] [-blacklist-ip] [-accept-ip] [-group [group] ...] [-exclude-default-group] +# server-tcp [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-group [group] ...] [-exclude-default-group] # default port is 53 # server-tcp 8.8.8.8 # remote tls dns server list -# server-tls [IP]:[PORT] [-blacklist-ip] [-accept-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group] +# server-tls [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group] # -spki-pin: TLS spki pin to verify. # Get SPKI with this command: # echo | openssl s_client -connect '[ip]:853' | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 
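Review bot: typo in the `server` comment block of this hunk, `# -whitelist-ip: filter result whth whitelist ip, result in whitelist-ip will be accepted.` should be `with`, and the line would be clearer as `# -whitelist-ip: only accept results whose IP is in the whitelist-ip list; other results are discarded.` The `server-tcp` and `server-tls` usage lines in the same hunk now list `[-whitelist-ip]` but, unlike `server`, explain neither it nor `-blacklist-ip`, so the filtering semantics are documented once for UDP only; a pointer such as `# -blacklist-ip/-whitelist-ip: see server above` after each usage line would avoid readers guessing.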
@@ -107,7 +107,7 @@ log-level info # server-tls 1.0.0.1 # remote https dns server list -# server-https https://[host]:[port]/path [-blacklist-ip] [-accept-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group] +# server-https https://[host]:[port]/path [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group] # -spki-pin: TLS spki pin to verify. # default port is 443 # server-https https://cloudflare-dns.com/dns-query diff --git a/src/dns_client.h b/src/dns_client.h index 0df1957..7dcb28b 100644 --- a/src/dns_client.h +++ b/src/dns_client.h @@ -20,9 +20,9 @@ typedef enum dns_result_type { } dns_result_type; #define DNSSERVER_FLAG_BLACKLIST_IP (0x1 << 0) -#define DNSSERVER_FLAG_CHECK_EDNS (0x1 << 1) -#define DNSSERVER_FLAG_CHECK_TTL (0x1 << 2) -#define DNSSERVER_FLAG_ACCEPT_IP (0x1 << 3) +#define DNSSERVER_FLAG_WHITELIST_IP (0x1 << 1) +#define DNSSERVER_FLAG_CHECK_EDNS (0x1 << 2) +#define DNSSERVER_FLAG_CHECK_TTL (0x1 << 3) int dns_client_init(void); diff --git a/src/dns_conf.c b/src/dns_conf.c index 9592a1c..c44466d 100644 --- a/src/dns_conf.c +++ b/src/dns_conf.c @@ -168,7 +168,8 @@ static int _config_server(int argc, char *argv[], dns_server_type_t type, int de /* clang-format off */ static struct option long_options[] = { {"blacklist-ip", no_argument, NULL, 'b'}, /* filtering with blacklist-ip */ -#ifdef FEATURE_CHECK_EDNS + {"whitelist-ip", no_argument, NULL, 'w'}, /* filtering with whitelist-ip */ +#ifdef FEATURE_CHECK_EDNS /* experimental feature */ {"check-edns", no_argument, NULL, 'e'}, /* check edns */ #endif 
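Review bot: the `{"whitelist-ip", no_argument, NULL, 'w'}` entry added to `long_options` in the dns_conf.c hunk above has no counterpart removing the old `accept-ip` long option; the `case 'a'` handler is deleted in the next hunk, and the diffstat for src/dns_conf.c (12 insertions, 11 deletions) is fully accounted for by the visible hunks, so if a `{"accept-ip", no_argument, NULL, 'a'}` entry exists in that table it survives this patch and `-accept-ip` now parses to a character no `case` handles. Either delete that entry or keep it and map `'a'` to `DNSSERVER_FLAG_WHITELIST_IP` as a deprecated alias. Please also confirm the option string passed to `getopt_long()` in `_config_server()` accepts `w` if short options are honoured there; the hunk does not show it.

Review bot: in the dns_client.h hunk, inserting `DNSSERVER_FLAG_WHITELIST_IP` at `(0x1 << 1)` shifts `DNSSERVER_FLAG_CHECK_EDNS` and `DNSSERVER_FLAG_CHECK_TTL` to new values even though the bit vacated by `DNSSERVER_FLAG_ACCEPT_IP` (`0x1 << 3`) was free; reusing that slot keeps the existing flag values stable for anything that logs or compares them numerically and makes the diff a one-line rename.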
@@ -232,12 +233,12 @@ static int _config_server(int argc, char *argv[], dns_server_type_t type, int de result_flag |= DNSSERVER_FLAG_BLACKLIST_IP; break; } - case 'e': { - result_flag |= DNSSERVER_FLAG_CHECK_EDNS; + case 'w': { + result_flag |= DNSSERVER_FLAG_WHITELIST_IP; break; } - case 'a': { - result_flag |= DNSSERVER_FLAG_ACCEPT_IP; + case 'e': { + result_flag |= DNSSERVER_FLAG_CHECK_EDNS; break; } case 'h': { @@ -885,15 +886,15 @@ static int _config_iplist_rule(char *subnet, enum address_rule rule) case ADDRESS_RULE_BLACKLIST: ip_rule->blacklist = 1; break; + case ADDRESS_RULE_WHITELIST: + ip_rule->whitelist = 1; + break; case ADDRESS_RULE_BOGUS: ip_rule->bogus = 1; break; case ADDRESS_RULE_IP_IGNORE: ip_rule->ip_ignore = 1; break; - case ADDRESS_RULE_IP_ACCEPT: - ip_rule->ip_accept = 1; - break; default: return -1; } @@ -928,13 +929,13 @@ static int _conf_ip_ignore(void *data, int argc, char *argv[]) return _config_iplist_rule(argv[1], ADDRESS_RULE_IP_IGNORE); } -static int _conf_ip_accept(void *data, int argc, char *argv[]) +static int _conf_whitelist_ip(void *data, int argc, char *argv[]) { if (argc <= 1) { return -1; } - return _config_iplist_rule(argv[1], ADDRESS_RULE_IP_ACCEPT); + return _config_iplist_rule(argv[1], ADDRESS_RULE_WHITELIST); } static int _conf_edns_client_subnet(void *data, int argc, char *argv[]) @@ -1041,9 +1042,9 @@ static struct config_item _config_item[] = { CONF_INT("rr-ttl-max", &dns_conf_rr_ttl_max, 0, CONF_INT_MAX), CONF_YESNO("force-AAAA-SOA", &dns_conf_force_AAAA_SOA), CONF_CUSTOM("blacklist-ip", _config_blacklist_ip, NULL), + CONF_CUSTOM("whitelist-ip", _conf_whitelist_ip, NULL), CONF_CUSTOM("bogus-nxdomain", _conf_bogus_nxdomain, NULL), CONF_CUSTOM("ignore-ip", _conf_ip_ignore, NULL), - CONF_CUSTOM("accept-ip", _conf_ip_accept, NULL), CONF_CUSTOM("edns-client-subnet", _conf_edns_client_subnet, NULL), CONF_CUSTOM("conf-file", config_addtional_file, NULL), CONF_END(), 
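Review bot: dropping `CONF_CUSTOM("accept-ip", _conf_ip_accept, NULL)` from `_config_item[]` in the last hunk here, with nothing taking its place, means every existing smartdns.conf that still contains an `accept-ip` line stops being understood after upgrade: depending on how the loader treats unknown keys (not shown), startup either fails or continues with no allow-list applied, and the `-accept-ip` server flag goes unrecognised at the same time. Keep a deprecated alias, `CONF_CUSTOM("accept-ip", _conf_whitelist_ip, NULL)`, for at least one release, log a warning when it is hit, and mention the rename in the changelog. Style: the new handler is named `_conf_whitelist_ip` while its sibling is `_config_blacklist_ip`; pick one prefix. The `case 'w'`/`case 'e'` reshuffle in the first hunk is pure reordering and could be dropped to keep the diff minimal.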
diff --git a/src/dns_conf.h b/src/dns_conf.h index e8fa50d..9e524ad 100644 --- a/src/dns_conf.h +++ b/src/dns_conf.h @@ -114,16 +114,16 @@ struct dns_bogus_ip_address { enum address_rule { ADDRESS_RULE_BLACKLIST = 1, - ADDRESS_RULE_BOGUS = 2, - ADDRESS_RULE_IP_IGNORE = 3, - ADDRESS_RULE_IP_ACCEPT = 4, + ADDRESS_RULE_WHITELIST = 2, + ADDRESS_RULE_BOGUS = 3, + ADDRESS_RULE_IP_IGNORE = 4, }; struct dns_ip_address_rule { unsigned int blacklist : 1; + unsigned int whitelist : 1; unsigned int bogus : 1; unsigned int ip_ignore : 1; - unsigned int ip_accept : 1; }; struct dns_edns_client_subnet { diff --git a/src/dns_server.c b/src/dns_server.c index 1c5ea85..9c9fec1 100644 --- a/src/dns_server.c +++ b/src/dns_server.c @@ -988,12 +988,12 @@ static int _dns_server_ip_rule_check(struct dns_request *request, unsigned char } rule_not_found: - if (result_flag & DNSSERVER_FLAG_ACCEPT_IP) { + if (result_flag & DNSSERVER_FLAG_WHITELIST_IP) { if (rule == NULL) { goto skip; } - if (!rule->ip_accept) { + if (!rule->whitelist) { goto skip; } }
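Review bot: the dns_server.c hunk makes `-whitelist-ip` default-deny: with `rule == NULL` or `!rule->whitelist` the answer is skipped, so a server tagged `-whitelist-ip` while no `whitelist-ip` subnet is configured discards every result it returns. That is the safe default, but it should be stated in smartdns.conf and the README, and the config loader should warn when a server carries `-whitelist-ip` and the whitelist is empty, since the failure mode is silent resolution failure for that upstream. Also, `struct dns_ip_address_rule` in the dns_conf.h hunk now holds both `blacklist : 1` and `whitelist : 1`, so one address can match both lists; which one wins is decided by the code above `rule_not_found:`, which this hunk does not show, and the documentation should say so explicitly.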