Commit 9911c835 authored by Evan Hunt

add a parser to filter-aaaa.so and pass in the parameters

- make some cfg-parsing functions global so they can be run
  from filter-aaaa.so
- add filter-aaaa options to the hook module's parser
- mark filter-aaaa options in named.conf as obsolete, remove
  from named and checkconf, and update the filter-aaaa test not to
  use checkconf anymore
- remove filter-aaaa-related struct members from dns_view
parent d2f46443
......@@ -19,6 +19,10 @@
#include <isc/result.h>
#include <isc/util.h>
#include <isccfg/aclconf.h>
#include <isccfg/grammar.h>
#include <isccfg/namedconf.h>
#include <dns/result.h>
#include <dns/view.h>
......@@ -27,6 +31,13 @@
#include <ns/log.h>
#include <ns/query.h>
#define CHECK(r) \
do { \
result = (r); \
if (result != ISC_R_SUCCESS) \
goto cleanup; \
} while (0)
ns_hook_destroy_t hook_destroy;
ns_hook_register_t hook_register;
ns_hook_version_t hook_version;
......@@ -70,11 +81,120 @@ ns_hook_t filter_donesend = {
.callback = filter_query_done_send,
};
/*
* Configuration support.
*/
static dns_aaaa_t v4_aaaa;
static dns_aaaa_t v6_aaaa;
static dns_acl_t *aaaa_acl = NULL;
static const char *filter_aaaa_enums[] = { "break-dnssec", NULL };
static isc_result_t
parse_filter_aaaa(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
return (cfg_parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
}
static void
doc_filter_aaaa(cfg_printer_t *pctx, const cfg_type_t *type) {
cfg_doc_enum_or_other(pctx, type, &cfg_type_boolean);
}
static cfg_type_t cfg_type_filter_aaaa = {
"filter_aaaa", parse_filter_aaaa, cfg_print_ustring,
doc_filter_aaaa, &cfg_rep_string, filter_aaaa_enums,
};
static cfg_clausedef_t param_clauses[] = {
{ "filter-aaaa", &cfg_type_bracketed_aml, 0 },
{ "filter-aaaa-on-v4", &cfg_type_filter_aaaa, 0 },
{ "filter-aaaa-on-v6", &cfg_type_filter_aaaa, 0 },
};
static cfg_clausedef_t *param_clausesets[] = {
param_clauses,
NULL
};
static cfg_type_t cfg_type_parameters = {
"filter-aaaa-params", cfg_parse_mapbody, cfg_print_mapbody,
cfg_doc_mapbody, &cfg_rep_map, param_clausesets
};
static isc_result_t
parse_filter_aaaa_on(const cfg_obj_t *param_obj, const char *param_name,
dns_aaaa_t *dstp)
{
const cfg_obj_t *obj = NULL;
isc_result_t result;
result = cfg_map_get(param_obj, param_name, &obj);
if (result != ISC_R_SUCCESS) {
return (ISC_R_SUCCESS);
}
if (cfg_obj_isboolean(obj)) {
if (cfg_obj_asboolean(obj)) {
*dstp = dns_aaaa_filter;
} else {
*dstp = dns_aaaa_ok;
}
} else if (strcasecmp(cfg_obj_asstring(obj), "break-dnssec") == 0) {
*dstp = dns_aaaa_break_dnssec;
} else {
result = ISC_R_UNEXPECTED;
}
return (result);
}
static isc_result_t
parse_parameters(const char *parameters, const void *cfg,
void *actx, ns_hookctx_t *hctx)
{
isc_result_t result = ISC_R_SUCCESS;
cfg_parser_t *parser = NULL;
cfg_obj_t *param_obj = NULL;
const cfg_obj_t *obj = NULL;
isc_buffer_t b;
CHECK(cfg_parser_create(hctx->mctx, hctx->lctx, &parser));
isc_buffer_constinit(&b, parameters, strlen(parameters));
isc_buffer_add(&b, strlen(parameters));
CHECK(cfg_parse_buffer(parser, &b, &cfg_type_parameters,
&param_obj));
CHECK(parse_filter_aaaa_on(param_obj, "filter-aaaa-on-v4", &v4_aaaa));
CHECK(parse_filter_aaaa_on(param_obj, "filter-aaaa-on-v6", &v6_aaaa));
obj = NULL;
result = cfg_map_get(param_obj, "filter-aaaa", &obj);
if (result == ISC_R_SUCCESS) {
CHECK(cfg_acl_fromconfig(obj, (const cfg_obj_t *) cfg,
hctx->lctx,
(cfg_aclconfctx_t *) actx,
hctx->mctx, 0, &aaaa_acl));
} else {
CHECK(dns_acl_any(hctx->mctx, &aaaa_acl));
}
cleanup:
if (param_obj != NULL) {
cfg_obj_destroy(parser, &param_obj);
}
if (parser != NULL) {
cfg_parser_destroy(&parser);
}
return (result);
}
/*
* Mandatory hook API functions.
*/
isc_result_t
hook_register(const char *parameters, const char *file, unsigned long line,
ns_hookctx_t *hctx, ns_hooktable_t *hooktable, void **instp)
const void *cfg, void *actx, ns_hookctx_t *hctx,
ns_hooktable_t *hooktable, void **instp)
{
UNUSED(parameters);
UNUSED(instp);
if (parameters != NULL) {
......@@ -83,6 +203,8 @@ hook_register(const char *parameters, const char *file, unsigned long line,
"loading params for 'filter-aaaa' "
"module from %s:%lu",
file, line);
parse_parameters(parameters, cfg, actx, hctx);
} else {
isc_log_write(hctx->lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_HOOKS, ISC_LOG_INFO,
......@@ -91,11 +213,6 @@ hook_register(const char *parameters, const char *file, unsigned long line,
file, line);
}
/*
* TODO:
* configure with parameters here
*/
ns_hook_add(hooktable, NS_QUERY_RESPOND_BEGIN,
&filter_respbegin);
ns_hook_add(hooktable, NS_QUERY_RESPOND_ANY_FOUND,
......@@ -118,6 +235,10 @@ void
hook_destroy(void **instp) {
UNUSED(instp);
if (aaaa_acl != NULL) {
dns_acl_detach(&aaaa_acl);
}
return;
}
......@@ -170,22 +291,19 @@ filter_prep_response_begin(void *hookdata, void *cbdata, isc_result_t *resp) {
UNUSED(cbdata);
qctx->filter_aaaa = dns_aaaa_ok;
if (qctx->client->view->v4_aaaa != dns_aaaa_ok ||
qctx->client->view->v6_aaaa != dns_aaaa_ok)
{
if (v4_aaaa != dns_aaaa_ok || v6_aaaa != dns_aaaa_ok) {
result = ns_client_checkaclsilent(qctx->client, NULL,
qctx->client->view->aaaa_acl,
true);
aaaa_acl, true);
if (result == ISC_R_SUCCESS &&
qctx->client->view->v4_aaaa != dns_aaaa_ok &&
v4_aaaa != dns_aaaa_ok &&
is_v4_client(qctx->client))
{
qctx->filter_aaaa = qctx->client->view->v4_aaaa;
qctx->filter_aaaa = v4_aaaa;
} else if (result == ISC_R_SUCCESS &&
qctx->client->view->v6_aaaa != dns_aaaa_ok &&
v6_aaaa != dns_aaaa_ok &&
is_v6_client(qctx->client))
{
qctx->filter_aaaa = qctx->client->view->v6_aaaa;
qctx->filter_aaaa = v6_aaaa;
}
}
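Review bot: The return value of `parse_parameters(parameters, cfg, actx, hctx);` in hook_register is discarded, so a parameter block that fails to parse, or an ACL that cannot be built, still leaves the hooks installed. parse_parameters stores `v4_aaaa` and `v6_aaaa` before it builds `aaaa_acl`, so a failure in `cfg_acl_fromconfig` can leave filtering enabled with `aaaa_acl` still NULL; what `ns_client_checkaclsilent` does with a NULL ACL is not visible here, but if it allows, the filter would reach every client instead of the configured set. Propagate the error before the `ns_hook_add` calls, for example `result = parse_parameters(parameters, cfg, actx, hctx);` followed by `if (result != ISC_R_SUCCESS) return (result);` (hook_register's full body and its locals are outside these hunks, so a `result` local may need declaring). The settings are also file-scope statics while `instp` stays unused, so two views loading the module would presumably share one configuration.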
......
......@@ -154,10 +154,7 @@ options {\n\
# fetch-glue <obsolete>;\n\
fetch-quota-params 100 0.1 0.3 0.7;\n\
fetches-per-server 0;\n\
fetches-per-zone 0;\n\
filter-aaaa-on-v4 no;\n\
filter-aaaa-on-v6 no;\n\
filter-aaaa { any; };\n"
fetches-per-zone 0;\n"
#ifdef HAVE_GEOIP
" geoip-use-ecs yes;\n"
#endif
......
......@@ -1538,7 +1538,7 @@ configure_dyndb(const cfg_obj_t *dyndb, isc_mem_t *mctx,
static isc_result_t
configure_hook(ns_hooktable_t *hooktable, const cfg_obj_t *hook,
ns_hookctx_t *hctx)
const cfg_obj_t *config, ns_hookctx_t *hctx)
{
isc_result_t result = ISC_R_SUCCESS;
const cfg_obj_t *obj;
......@@ -1563,11 +1563,15 @@ configure_hook(ns_hooktable_t *hooktable, const cfg_obj_t *hook,
cfg_obj_asstring(obj),
cfg_obj_file(obj),
cfg_obj_line(obj),
config,
named_g_aclconfctx,
hctx, hooktable);
} else {
result = ns_hookmodule_load(library, NULL,
cfg_obj_file(hook),
cfg_obj_line(hook),
config,
named_g_aclconfctx,
hctx, hooktable);
}
......@@ -5134,46 +5138,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
dns_quotatype_zone, r);
}
obj = NULL;
result = named_config_get(maps, "filter-aaaa-on-v4", &obj);
INSIST(result == ISC_R_SUCCESS);
if (cfg_obj_isboolean(obj)) {
if (cfg_obj_asboolean(obj))
view->v4_aaaa = dns_aaaa_filter;
else
view->v4_aaaa = dns_aaaa_ok;
} else {
const char *v4_aaaastr = cfg_obj_asstring(obj);
if (strcasecmp(v4_aaaastr, "break-dnssec") == 0) {
view->v4_aaaa = dns_aaaa_break_dnssec;
} else {
INSIST(0);
ISC_UNREACHABLE();
}
}
obj = NULL;
result = named_config_get(maps, "filter-aaaa-on-v6", &obj);
INSIST(result == ISC_R_SUCCESS);
if (cfg_obj_isboolean(obj)) {
if (cfg_obj_asboolean(obj))
view->v6_aaaa = dns_aaaa_filter;
else
view->v6_aaaa = dns_aaaa_ok;
} else {
const char *v6_aaaastr = cfg_obj_asstring(obj);
if (strcasecmp(v6_aaaastr, "break-dnssec") == 0) {
view->v6_aaaa = dns_aaaa_break_dnssec;
} else {
INSIST(0);
ISC_UNREACHABLE();
}
}
CHECK(configure_view_acl(vconfig, config, named_g_config,
"filter-aaaa", NULL, actx,
named_g_mctx, &view->aaaa_acl));
obj = NULL;
result = named_config_get(maps, "prefetch", &obj);
if (result == ISC_R_SUCCESS) {
......@@ -5368,7 +5332,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
CHECK(ns_hook_createctx(mctx, &hctx));
}
CHECK(configure_hook(view->hooktable, hook, hctx));
CHECK(configure_hook(view->hooktable, hook, config, hctx));
}
#endif
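Review bot: configure_hook passes the global `named_g_aclconfctx` to `ns_hookmodule_load` in both branches, whereas the view code this commit removes resolved the same `filter-aaaa` ACL through the `actx` argument of configure_view. If those two ever differ, named ACLs referenced from the hook parameters would be resolved and cached in a different ACL context from the rest of the view's ACLs. Consider giving configure_hook an ACL-context parameter and calling `configure_hook(view->hooktable, hook, config, actx, hctx)`; configure_view's signature is only partly visible here, so the type of `actx` should be confirmed.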
......
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
filter-aaaa-on-v4 yes;
filter-aaaa { none; };
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
/*
* While this matches the defaults, it is not a good configuration
* to have in named.conf as the two options contradict each other
* indicating a error on behalf of the operator.
*
* The default is to have filter-aaaa-on-v4 off, but if it is turned
* on then it applies to all IPv4 queries. This results in
* contradictory defaults.
*/
filter-aaaa-on-v4 no;
filter-aaaa { any; };
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
filter-aaaa-on-v4 no;
};
view myview {
filter-aaaa { any; };
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
filter-aaaa { any; };
};
view myview {
filter-aaaa-on-v4 no;
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
filter-aaaa { none; };
};
view myview {
filter-aaaa-on-v4 yes;
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
filter-aaaa-on-v4 yes;
};
view myview {
filter-aaaa { none; };
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
filter-aaaa-on-v4 yes;
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
filter-aaaa-on-v4 break-dnssec;
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
filter-aaaa-on-v4 break-dnssec;
filter-aaaa { 1.0.0.0/8; };
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
filter-aaaa-on-v4 yes;
filter-aaaa { 1.0.0.0/8; };
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
filter-aaaa-on-v4 yes;
};
view myview {
filter-aaaa { 1.0.0.0/8; };
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
filter-aaaa { 1.0.0.0/8; };
};
view myview {
filter-aaaa-on-v4 yes;
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
};
view myview {
filter-aaaa { 1.0.0.0/8; };
filter-aaaa-on-v4 yes;
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
filter-aaaa-on-v4 no;
};
view myview {
filter-aaaa { 1.0.0.0/8; };
filter-aaaa-on-v4 yes;
};
......@@ -20,12 +20,15 @@ options {
recursion no;
dnssec-validation yes;
notify yes;
filter-aaaa-on-v4 yes;
filter-aaaa { 10.53.0.1; };
minimal-responses no;
};
hook query "../../../../hooks/lib/filter-aaaa.so";
acl filterees { 10.53.0.1; };
hook query "../../../../hooks/lib/filter-aaaa.so" {
filter-aaaa-on-v4 yes;
filter-aaaa { filterees; };
};
key rndc_key {
secret "1234abcd8765";
......
......@@ -20,12 +20,13 @@ options {
recursion no;
dnssec-validation yes;
notify yes;
filter-aaaa-on-v6 yes;
filter-aaaa { fd92:7065:b8e:ffff::1; };
minimal-responses no;
};
hook query "../../../../hooks/lib/filter-aaaa.so";
hook query "../../../../hooks/lib/filter-aaaa.so" {
filter-aaaa-on-v6 yes;
filter-aaaa { fd92:7065:b8e:ffff::1; };
};
key rndc_key {
secret "1234abcd8765";
......
......@@ -20,12 +20,13 @@ options {
recursion yes;
dnssec-validation yes;
notify yes;
filter-aaaa-on-v4 yes;
filter-aaaa { 10.53.0.2; };
minimal-responses no;
};
hook query "../../../../hooks/lib/filter-aaaa.so";
hook query "../../../../hooks/lib/filter-aaaa.so" {
filter-aaaa-on-v4 yes;