Support dual stack ipset
This commit is contained in:
LoveSy
@@ -595,11 +595,40 @@ static int _conf_domain_rule_ipset(char *domain, const char *ipsetname)
|
||||
{
|
||||
struct dns_ipset_rule *ipset_rule = NULL;
|
||||
const char *ipset = NULL;
|
||||
char *copied_name = NULL;
|
||||
enum domain_rule type;
|
||||
int ignore_flag;
|
||||
|
||||
copied_name = strdup(ipsetname);
|
||||
|
||||
if (copied_name == NULL) {
|
||||
goto errout;
|
||||
}
|
||||
|
||||
for (char *tok = strtok(copied_name, ","); tok; tok = strtok(NULL, ",")) {
|
||||
if (tok[0] == '#') {
|
||||
if (strncmp(tok, "#6:", 3u) == 0) {
|
||||
type = DOMAIN_RULE_IPSET_IPV6;
|
||||
ignore_flag = DOMAIN_FLAG_IPSET_IPV6_IGN;
|
||||
} else if (strncmp(tok, "#4:", 3u) == 0) {
|
||||
type = DOMAIN_RULE_IPSET_IPV4;
|
||||
ignore_flag = DOMAIN_FLAG_IPSET_IPV4_IGN;
|
||||
} else {
|
||||
goto errout;
|
||||
}
|
||||
tok += 3;
|
||||
} else {
|
||||
type = DOMAIN_RULE_IPSET;
|
||||
ignore_flag = DOMAIN_FLAG_IPSET_IGN;
|
||||
}
|
||||
|
||||
if (strncmp(tok, "-", 1) == 0) {
|
||||
_config_domain_rule_flag_set(domain, ignore_flag, 0);
|
||||
continue;
|
||||
}
|
||||
|
||||
/* Process domain option */
|
||||
if (strncmp(ipsetname, "-", sizeof("-")) != 0) {
|
||||
/* new ipset domain */
|
||||
ipset = _dns_conf_get_ipset(ipsetname);
|
||||
ipset = _dns_conf_get_ipset(tok);
|
||||
if (ipset == NULL) {
|
||||
goto errout;
|
||||
}
|
||||
@@ -610,26 +639,26 @@ static int _conf_domain_rule_ipset(char *domain, const char *ipsetname)
|
||||
}
|
||||
|
||||
ipset_rule->ipsetname = ipset;
|
||||
} else {
|
||||
/* ignore this domain */
|
||||
if (_config_domain_rule_flag_set(domain, DOMAIN_FLAG_IPSET_IGNORE, 0) != 0) {
|
||||
|
||||
if (_config_domain_rule_add(domain, type, ipset_rule) != 0) {
|
||||
goto errout;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (_config_domain_rule_add(domain, DOMAIN_RULE_IPSET, ipset_rule) != 0) {
|
||||
goto errout;
|
||||
}
|
||||
goto clear;
|
||||
|
||||
return 0;
|
||||
errout:
|
||||
tlog(TLOG_ERROR, "add ipset %s failed", ipsetname);
|
||||
|
||||
if (ipset_rule) {
|
||||
free(ipset_rule);
|
||||
}
|
||||
|
||||
tlog(TLOG_ERROR, "add ipset %s failed", ipsetname);
|
||||
clear:
|
||||
if (copied_name) {
|
||||
free(copied_name);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
@@ -56,6 +56,8 @@ enum domain_rule {
|
||||
DOMAIN_RULE_ADDRESS_IPV4,
|
||||
DOMAIN_RULE_ADDRESS_IPV6,
|
||||
DOMAIN_RULE_IPSET,
|
||||
DOMAIN_RULE_IPSET_IPV4,
|
||||
DOMAIN_RULE_IPSET_IPV6,
|
||||
DOMAIN_RULE_NAMESERVER,
|
||||
DOMAIN_RULE_CHECKSPEED,
|
||||
DOMAIN_RULE_MAX,
|
||||
@@ -78,9 +80,11 @@ typedef enum {
|
||||
#define DOMAIN_FLAG_ADDR_IGN (1 << 3)
|
||||
#define DOMAIN_FLAG_ADDR_IPV4_IGN (1 << 4)
|
||||
#define DOMAIN_FLAG_ADDR_IPV6_IGN (1 << 5)
|
||||
#define DOMAIN_FLAG_IPSET_IGNORE (1 << 6)
|
||||
#define DOMAIN_FLAG_NAMESERVER_IGNORE (1 << 7)
|
||||
#define DOMAIN_FLAG_DUALSTACK_SELECT (1 << 8)
|
||||
#define DOMAIN_FLAG_IPSET_IGN (1 << 6)
|
||||
#define DOMAIN_FLAG_IPSET_IPV4_IGN (1 << 7)
|
||||
#define DOMAIN_FLAG_IPSET_IPV6_IGN (1 << 8)
|
||||
#define DOMAIN_FLAG_NAMESERVER_IGNORE (1 << 9)
|
||||
#define DOMAIN_FLAG_DUALSTACK_SELECT (1 << 10)
|
||||
|
||||
#define SERVER_FLAG_EXCLUDE_DEFAULT (1 << 0)
|
||||
|
||||
|
||||
112
src/dns_server.c
112
src/dns_server.c
@@ -681,7 +681,7 @@ static int _dns_server_reply_SOA(int rcode, struct dns_request *request)
|
||||
/* add ip to specific ipset */
|
||||
static int _dns_setup_ipset(struct dns_request *request)
|
||||
{
|
||||
struct dns_ipset_rule *ipset_rule = NULL;
|
||||
struct dns_ipset_rule *rule = NULL, *ipset_rule = NULL, *ipset_rule_v4 = NULL, *ipset_rule_v6 = NULL;
|
||||
struct dns_rule_flags *rule_flags = NULL;
|
||||
int ret = 0;
|
||||
|
||||
@@ -691,32 +691,56 @@ static int _dns_setup_ipset(struct dns_request *request)
|
||||
|
||||
/* check ipset rule */
|
||||
rule_flags = request->domain_rule.rules[DOMAIN_RULE_FLAGS];
|
||||
if (rule_flags) {
|
||||
if (rule_flags->flags & DOMAIN_FLAG_IPSET_IGNORE) {
|
||||
return 0;
|
||||
}
|
||||
if (!rule_flags || (rule_flags->flags & DOMAIN_FLAG_IPSET_IGN) != 0) {
|
||||
ipset_rule = request->domain_rule.rules[DOMAIN_RULE_IPSET];
|
||||
}
|
||||
if (!rule_flags || (rule_flags->flags & DOMAIN_FLAG_IPSET_IPV4_IGN) != 0) {
|
||||
ipset_rule_v4 = request->domain_rule.rules[DOMAIN_RULE_IPSET_IPV4];
|
||||
}
|
||||
if (!rule_flags || (rule_flags->flags & DOMAIN_FLAG_IPSET_IPV6_IGN) != 0) {
|
||||
ipset_rule_v6 = request->domain_rule.rules[DOMAIN_RULE_IPSET_IPV6];
|
||||
}
|
||||
|
||||
ipset_rule = request->domain_rule.rules[DOMAIN_RULE_IPSET];
|
||||
if (ipset_rule == NULL) {
|
||||
if (!(ipset_rule || ipset_rule_v4 || ipset_rule_v6)) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* add IPV4 to ipset */
|
||||
if (request->has_ipv4 && request->qtype == DNS_T_A) {
|
||||
ret |= ipset_add(ipset_rule->ipsetname, request->ipv4_addr, DNS_RR_A_LEN, request->ttl_v4 * 2);
|
||||
rule = ipset_rule_v4 ? ipset_rule_v4 : ipset_rule;
|
||||
if (rule) {
|
||||
ret |= ipset_add(rule->ipsetname, request->ipv4_addr, DNS_RR_A_LEN, request->ttl_v4 * 2);
|
||||
tlog(TLOG_DEBUG, "IPSET-MATCH: domain:%s, ipset:%s, IP: %d.%d.%d.%d, result: %d", request->domain,
|
||||
rule->ipsetname, request->ipv4_addr[0], request->ipv4_addr[1], request->ipv4_addr[2],
|
||||
request->ipv4_addr[3], ret);
|
||||
}
|
||||
}
|
||||
|
||||
/* add IPV6 to ipset */
|
||||
if (request->has_ipv6 && request->qtype == DNS_T_AAAA) {
|
||||
if (request->has_ipv4) {
|
||||
ret |= ipset_add(ipset_rule->ipsetname, request->ipv4_addr, DNS_RR_A_LEN, request->ttl_v4 * 2);
|
||||
rule = ipset_rule_v4 ? ipset_rule_v4 : ipset_rule;
|
||||
if (rule) {
|
||||
ret |= ipset_add(rule->ipsetname, request->ipv4_addr, DNS_RR_A_LEN, request->ttl_v4 * 2);
|
||||
tlog(TLOG_DEBUG, "IPSET-MATCH: domain:%s, ipset:%s, IP: %d.%d.%d.%d, result: %d", request->domain,
|
||||
rule->ipsetname, request->ipv4_addr[0], request->ipv4_addr[1], request->ipv4_addr[2],
|
||||
request->ipv4_addr[3], ret);
|
||||
}
|
||||
}
|
||||
rule = ipset_rule_v6 ? ipset_rule_v6 : ipset_rule;
|
||||
if (rule) {
|
||||
ret |= ipset_add(rule->ipsetname, request->ipv6_addr, DNS_RR_AAAA_LEN, request->ttl_v6 * 2);
|
||||
tlog(TLOG_DEBUG,
|
||||
"IPSET-MATCH: domain:%s, ipset:%s, IP: "
|
||||
"%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x, result: %d",
|
||||
request->domain, rule->ipsetname, request->ipv6_addr[0], request->ipv6_addr[1], request->ipv6_addr[2],
|
||||
request->ipv6_addr[3], request->ipv6_addr[4], request->ipv6_addr[5], request->ipv6_addr[6],
|
||||
request->ipv6_addr[7], request->ipv6_addr[8], request->ipv6_addr[9], request->ipv6_addr[10],
|
||||
request->ipv6_addr[11], request->ipv6_addr[12], request->ipv6_addr[13], request->ipv6_addr[14],
|
||||
request->ipv6_addr[15], ret);
|
||||
}
|
||||
ret |= ipset_add(ipset_rule->ipsetname, request->ipv6_addr, DNS_RR_AAAA_LEN, request->ttl_v6 * 2);
|
||||
}
|
||||
|
||||
tlog(TLOG_DEBUG, "IPSET-MATCH: domain:%s, ipset:%s, result: %d", request->domain, ipset_rule->ipsetname, ret);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -840,8 +864,7 @@ static int _dns_server_request_complete_AAAA(struct dns_request *request)
|
||||
}
|
||||
|
||||
/* if doing prefetch, update cache only */
|
||||
dns_cache_set_data_addr(cache_data, request->server_flags, cname, cname_ttl, request->ipv6_addr,
|
||||
DNS_T_AAAA);
|
||||
dns_cache_set_data_addr(cache_data, request->server_flags, cname, cname_ttl, request->ipv6_addr, DNS_T_AAAA);
|
||||
|
||||
request->has_soa = 0;
|
||||
} else {
|
||||
@@ -1806,7 +1829,7 @@ static int _dns_server_setup_ipset_packet(struct dns_request *request, struct dn
|
||||
int i = 0;
|
||||
int j = 0;
|
||||
struct dns_rrs *rrs = NULL;
|
||||
struct dns_ipset_rule *ipset_rule = NULL;
|
||||
struct dns_ipset_rule *rule = NULL, *ipset_rule = NULL, *ipset_rule_v4 = NULL, *ipset_rule_v6 = NULL;
|
||||
struct dns_rule_flags *rule_flags = NULL;
|
||||
|
||||
if (_dns_server_has_bind_flag(request, BIND_FLAG_NO_RULE_IPSET) == 0) {
|
||||
@@ -1815,13 +1838,18 @@ static int _dns_server_setup_ipset_packet(struct dns_request *request, struct dn
|
||||
/* check ipset rule */
|
||||
rule_flags = request->domain_rule.rules[DOMAIN_RULE_FLAGS];
|
||||
if (rule_flags) {
|
||||
if (rule_flags->flags & DOMAIN_FLAG_IPSET_IGNORE) {
|
||||
return 0;
|
||||
if ((rule_flags->flags & DOMAIN_FLAG_IPSET_IGN) == 0) {
|
||||
ipset_rule = request->domain_rule.rules[DOMAIN_RULE_IPSET];
|
||||
}
|
||||
if ((rule_flags->flags & DOMAIN_FLAG_IPSET_IPV4_IGN) == 0) {
|
||||
ipset_rule_v4 = request->domain_rule.rules[DOMAIN_RULE_IPSET_IPV4];
|
||||
}
|
||||
if ((rule_flags->flags & DOMAIN_FLAG_IPSET_IPV6_IGN) == 0) {
|
||||
ipset_rule_v6 = request->domain_rule.rules[DOMAIN_RULE_IPSET_IPV6];
|
||||
}
|
||||
}
|
||||
|
||||
ipset_rule = request->domain_rule.rules[DOMAIN_RULE_IPSET];
|
||||
if (ipset_rule == NULL) {
|
||||
if (!(ipset_rule || ipset_rule_v4 || ipset_rule_v6)) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -1840,11 +1868,14 @@ static int _dns_server_setup_ipset_packet(struct dns_request *request, struct dn
|
||||
/* get A result */
|
||||
dns_get_A(rrs, name, DNS_MAX_CNAME_LEN, &ttl, addr);
|
||||
|
||||
/* add IPV4 to ipset */
|
||||
ipset_add(ipset_rule->ipsetname, addr, DNS_RR_A_LEN, request->ttl_v4 * 2);
|
||||
rule = ipset_rule_v4 ? ipset_rule_v4 : ipset_rule;
|
||||
|
||||
tlog(TLOG_DEBUG, "IPSET-MATCH-PASSTHROUTH: domain: %s, ipset: %s, IP: %d.%d.%d.%d", request->domain,
|
||||
ipset_rule->ipsetname, addr[0], addr[1], addr[2], addr[3]);
|
||||
if (rule) {
|
||||
/* add IPV4 to ipset */
|
||||
ipset_add(rule->ipsetname, addr, DNS_RR_A_LEN, request->ttl_v4 * 2);
|
||||
tlog(TLOG_DEBUG, "IPSET-MATCH-PASSTHROUTH: domain: %s, ipset: %s, IP: %d.%d.%d.%d", request->domain,
|
||||
rule->ipsetname, addr[0], addr[1], addr[2], addr[3]);
|
||||
}
|
||||
} break;
|
||||
case DNS_T_AAAA: {
|
||||
unsigned char addr[16];
|
||||
@@ -1857,16 +1888,25 @@ static int _dns_server_setup_ipset_packet(struct dns_request *request, struct dn
|
||||
/* add IPV6 to ipset */
|
||||
if (request->has_ipv6) {
|
||||
if (request->has_ipv4) {
|
||||
ipset_add(ipset_rule->ipsetname, addr, DNS_RR_A_LEN, request->ttl_v4 * 2);
|
||||
rule = ipset_rule_v4 ? ipset_rule_v4 : ipset_rule;
|
||||
if (rule) {
|
||||
/* add IPV4 to ipset */
|
||||
ipset_add(rule->ipsetname, addr, DNS_RR_A_LEN, request->ttl_v4 * 2);
|
||||
tlog(TLOG_DEBUG, "IPSET-MATCH-PASSTHROUTH: domain: %s, ipset: %s, IP: %d.%d.%d.%d",
|
||||
request->domain, rule->ipsetname, addr[0], addr[1], addr[2], addr[3]);
|
||||
}
|
||||
}
|
||||
rule = ipset_rule_v6 ? ipset_rule_v6 : ipset_rule;
|
||||
if (rule) {
|
||||
ipset_add(rule->ipsetname, addr, DNS_RR_AAAA_LEN, request->ttl_v6 * 2);
|
||||
tlog(TLOG_DEBUG,
|
||||
"IPSET-MATCH-PASSTHROUTH: domain: %s, ipset: %s, IP: "
|
||||
"%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x",
|
||||
request->domain, rule->ipsetname, addr[0], addr[1], addr[2], addr[3], addr[4], addr[5],
|
||||
addr[6], addr[7], addr[8], addr[9], addr[10], addr[11], addr[12], addr[13], addr[14],
|
||||
addr[15]);
|
||||
}
|
||||
ipset_add(ipset_rule->ipsetname, addr, DNS_RR_AAAA_LEN, request->ttl_v6 * 2);
|
||||
}
|
||||
|
||||
tlog(TLOG_DEBUG,
|
||||
"IPSET-MATCH-PASSTHROUTH: domain: %s, ipset: %s, IP: "
|
||||
"%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x:%.2x%.2x",
|
||||
request->domain, ipset_rule->ipsetname, addr[0], addr[1], addr[2], addr[3], addr[4], addr[5],
|
||||
addr[6], addr[7], addr[8], addr[9], addr[10], addr[11], addr[12], addr[13], addr[14], addr[15]);
|
||||
} break;
|
||||
default:
|
||||
break;
|
||||
@@ -2093,10 +2133,18 @@ static void _dns_server_update_rule_by_flags(struct dns_request *request)
|
||||
request->domain_rule.rules[DOMAIN_RULE_ADDRESS_IPV6] = NULL;
|
||||
}
|
||||
|
||||
if (flags & DOMAIN_FLAG_IPSET_IGNORE) {
|
||||
if (flags & DOMAIN_FLAG_IPSET_IGN) {
|
||||
request->domain_rule.rules[DOMAIN_RULE_IPSET] = NULL;
|
||||
}
|
||||
|
||||
if (flags & DOMAIN_FLAG_IPSET_IPV4_IGN) {
|
||||
request->domain_rule.rules[DOMAIN_RULE_IPSET_IPV4] = NULL;
|
||||
}
|
||||
|
||||
if (flags & DOMAIN_FLAG_IPSET_IPV6_IGN) {
|
||||
request->domain_rule.rules[DOMAIN_RULE_IPSET_IPV6] = NULL;
|
||||
}
|
||||
|
||||
if (flags & DOMAIN_FLAG_NAMESERVER_IGNORE) {
|
||||
request->domain_rule.rules[DOMAIN_RULE_NAMESERVER] = NULL;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user