Github
/
FTL
mirror of
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

More --filter-AAAA caching improvements. 

Cache answers before filtering and filter coming out of the cache.

Signed-off-by: DL6ER <dl6er@dl6er.de>
This commit is contained in:
Simon Kelley 2023-03-20 17:14:17 +00:00 committed by DL6ER
parent 68242de9e6
commit 875d5184ba
No known key found for this signature in database
GPG Key ID: 00135ACBD90B28DD
2 changed files with 38 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
src/dnsmasq/forward.c
View File

@ -826,16 +826,6 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
}
}
/* Before extract_addresses() */
if (rcode == NOERROR)
{
if (option_bool(OPT_FILTER_A))
n = rrfilter(header, n, RRFILTER_A);
if (option_bool(OPT_FILTER_AAAA))
n = rrfilter(header, n, RRFILTER_AAAA);
}
switch (extract_addresses(header, n, daemon->namebuff, now, ipsets, nftsets, is_sign, check_rebind, no_cache, cache_secure, &doctored))
{
case 1:
@ -872,6 +862,15 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
break;
}
if (rcode == NOERROR)
{
if (option_bool(OPT_FILTER_A))
n = rrfilter(header, n, RRFILTER_A);
if (option_bool(OPT_FILTER_AAAA))
n = rrfilter(header, n, RRFILTER_AAAA);
}
if (doctored)
cache_secure = 0;
}

38
src/dnsmasq/rfc1035.c
View File

@ -893,7 +893,18 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
return 2;
}
else
log_query(flags | F_FORWARD | secflag | F_UPSTREAM, name, &addr, NULL, aqtype);
{
int negflag = F_UPSTREAM;
/* We're filtering this RRtype. It will be removed from the
returned packet in process_reply() but gets cached here anyway
and will be filtered again on the way out of the cache. Here,
we just need to alter the logging. */
if (((flags & F_IPV4) && option_bool(OPT_FILTER_A)) || ((flags & F_IPV6) && option_bool(OPT_FILTER_AAAA)))
negflag = F_NEG | F_CONFIG;
log_query(negflag | flags | F_FORWARD | secflag, name, &addr, NULL, aqtype);
}
}
p1 = endrr;
@ -1876,8 +1887,21 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
if (!(crecp->flags & F_DNSSECOK))
sec_data = 0;
if (crecp->flags & F_NEG)
if (!(crecp->flags & (F_HOSTS | F_DHCP)))
auth = 0;
if ((((flag & F_IPV4) && option_bool(OPT_FILTER_A)) || ((flag & F_IPV6) && option_bool(OPT_FILTER_AAAA))) &&
!(crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG | F_NEG)))
{
/* We have a cached answer but we're filtering it. */
ans = 1;
sec_data = 0;
if (!dryrun)
log_query(F_NEG | F_CONFIG | flag, name, NULL, NULL, 0);
}
else if (crecp->flags & F_NEG)
{
ans = 1;
auth = 0;
@ -1897,9 +1921,6 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
!is_same_net(crecp->addr.addr4, local_addr, local_netmask))
continue;
if (!(crecp->flags & (F_HOSTS | F_DHCP)))
auth = 0;
ans = 1;
if (!dryrun)
{
@ -1945,13 +1966,12 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
that may be enough to tell us if the answer should be NODATA and save the round trip.
Cached NXDOMAIN has already been handled, so here we look for any record for the domain,
since its existence allows us to return a NODATA answer. Note that we never set the AD flag,
since we didn't authentucate the record. We do set the AA flag since this answer comes from
local config. */
since we didn't authentucate the record. */
if (cache_find_by_name(NULL, name, now, F_IPV4 | F_IPV6 | F_SRV))
{
ans = 1;
sec_data = 0;
sec_data = auth = 0;
if (!dryrun)
log_query(F_NEG | F_CONFIG | flag, name, NULL, NULL, 0);