feature: support client ACL.

pymumu · Jan 7, 2024 · 8e8b246 · 8e8b246
1 parent 707a6db
commit 8e8b246
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 3 deletions.
diff --git a/src/dns_conf.c b/src/dns_conf.c
@@ -2570,6 +2570,7 @@ static int _config_bind_ip(int argc, char *argv[], DNS_BIND_TYPE type)
  {"no-dualstack-selection", no_argument, NULL, 'D'},
  {"no-ip-alias", no_argument, NULL, 'a'},
  {"force-aaaa-soa", no_argument, NULL, 'F'},
+ {"acl", no_argument, NULL, 251},
  {"no-rules", no_argument, NULL, 252},
  {"no-serve-expired", no_argument, NULL, 253},
  {"force-https-soa", no_argument, NULL, 254},
@@ -2666,6 +2667,10 @@ static int _config_bind_ip(int argc, char *argv[], DNS_BIND_TYPE type)
  server_flag |= BIND_FLAG_FORCE_AAAA_SOA;
  break;
  }
+ case 251: {
+ server_flag |= BIND_FLAG_ACL;
+ break;
+ }
  case 252: {
  server_flag |= BIND_FLAG_NO_RULES;
  break;
@@ -4949,6 +4954,7 @@ static int _config_client_rules(void *data, int argc, char *argv[])
  {"no-dualstack-selection", no_argument, NULL, 'D'},
  {"no-ip-alias", no_argument, NULL, 'a'},
  {"force-aaaa-soa", no_argument, NULL, 'F'},
+ {"acl", no_argument, NULL, 251},
  {"no-rules", no_argument, NULL, 252},
  {"no-serve-expired", no_argument, NULL, 253},
  {"force-https-soa", no_argument, NULL, 254},
@@ -5019,6 +5025,10 @@ static int _config_client_rules(void *data, int argc, char *argv[])
  server_flag |= BIND_FLAG_FORCE_AAAA_SOA;
  break;
  }
+ case 251: {
+ server_flag |= BIND_FLAG_ACL;
+ break;
+ }
  case 252: {
  server_flag |= BIND_FLAG_NO_RULES;
  break;

diff --git a/src/dns_conf.h b/src/dns_conf.h
@@ -158,6 +158,7 @@ typedef enum {
 #define BIND_FLAG_FORCE_HTTPS_SOA (1 << 13)
 #define BIND_FLAG_NO_SERVE_EXPIRED (1 << 14)
 #define BIND_FLAG_NO_RULES (1 << 15)
+#define BIND_FLAG_ACL (1 << 16)
 
 enum response_mode_type {
  DNS_RESPONSE_MODE_FIRST_PING_IP = 0,

diff --git a/src/dns_server.c b/src/dns_server.c
@@ -5596,10 +5596,15 @@ static void _dns_server_request_set_client(struct dns_request *request, struct d
  _dns_server_conn_get(conn);
 }
 
-static void _dns_server_request_set_client_rules(struct dns_request *request, struct dns_client_rules *client_rule)
+static int _dns_server_request_set_client_rules(struct dns_request *request, struct dns_client_rules *client_rule)
 {
  if (client_rule == NULL) {
- return;
+ if (_dns_server_has_bind_flag(request, BIND_FLAG_ACL) == 0) {
+ request->send_tick = get_tick_count();
+ request->rcode = DNS_RC_REFUSED;
+ return -1;
+ }
+ return 0;
  }
 
  tlog(TLOG_DEBUG, "match client rule.\n");
@@ -5617,6 +5622,8 @@ static void _dns_server_request_set_client_rules(struct dns_request *request, st
  request->server_flags = flags->flags;
  }
  }
+
+ return 0;
 }
 
 static void _dns_server_request_set_id(struct dns_request *request, unsigned short id)
@@ -6202,7 +6209,6 @@ static int _dns_server_recv(struct dns_server_conn_head *conn, unsigned char *in
 
  memcpy(&request->localaddr, local, local_len);
  _dns_server_request_set_client(request, conn);
- _dns_server_request_set_client_rules(request, client_rules);
  _dns_server_request_set_client_addr(request, from, from_len);
  _dns_server_request_set_id(request, packet->head.id);
 
@@ -6228,6 +6234,13 @@ static int _dns_server_recv(struct dns_server_conn_head *conn, unsigned char *in
  goto errout;
  }
 
+
+ ret = _dns_server_request_set_client_rules(request, client_rules);
+ if (ret != 0) {
+ ret = 0;
+ goto errout;
+ }
+
  ret = _dns_server_do_query(request, 1);
  if (ret != 0) {
  tlog(TLOG_DEBUG, "do query %s failed.\n", request->domain);