2021-06-18 15:55:01 +01:00
|
|
|
package dnsforward
|
|
|
|
|
|
|
|
import (
|
2024-09-30 18:17:20 +01:00
|
|
|
"context"
|
2021-06-18 15:55:01 +01:00
|
|
|
"fmt"
|
2024-09-30 18:17:20 +01:00
|
|
|
"log/slog"
|
2021-06-18 15:55:01 +01:00
|
|
|
"net"
|
|
|
|
"os"
|
|
|
|
"strings"
|
|
|
|
|
2023-10-11 15:31:41 +01:00
|
|
|
"github.com/AdguardTeam/AdGuardHome/internal/ipset"
|
2021-06-18 15:55:01 +01:00
|
|
|
"github.com/AdguardTeam/golibs/errors"
|
2024-09-30 18:17:20 +01:00
|
|
|
"github.com/AdguardTeam/golibs/logutil/slogutil"
|
2021-06-18 15:55:01 +01:00
|
|
|
"github.com/miekg/dns"
|
|
|
|
)
|
|
|
|
|
2024-09-30 18:17:20 +01:00
|
|
|
// ipsetHandler is the ipset context. ipsetMgr can be nil.
|
|
|
|
type ipsetHandler struct {
|
2023-10-11 15:31:41 +01:00
|
|
|
ipsetMgr ipset.Manager
|
2024-09-30 18:17:20 +01:00
|
|
|
logger *slog.Logger
|
2021-06-18 15:55:01 +01:00
|
|
|
}
|
|
|
|
|
2024-09-30 18:17:20 +01:00
|
|
|
// newIpsetHandler returns a new initialized [ipsetHandler]. It is not safe for
|
|
|
|
// concurrent use.
|
|
|
|
func newIpsetHandler(
|
|
|
|
ctx context.Context,
|
|
|
|
logger *slog.Logger,
|
|
|
|
ipsetList []string,
|
|
|
|
) (h *ipsetHandler, err error) {
|
|
|
|
h = &ipsetHandler{
|
|
|
|
logger: logger,
|
|
|
|
}
|
|
|
|
conf := &ipset.Config{
|
|
|
|
Logger: logger,
|
|
|
|
Lines: ipsetList,
|
|
|
|
}
|
|
|
|
h.ipsetMgr, err = ipset.NewManager(ctx, conf)
|
|
|
|
if errors.Is(err, os.ErrInvalid) ||
|
|
|
|
errors.Is(err, os.ErrPermission) ||
|
|
|
|
errors.Is(err, errors.ErrUnsupported) {
|
2021-12-27 17:54:00 +00:00
|
|
|
// ipset cannot currently be initialized if the server was installed
|
|
|
|
// from Snap or when the user or the binary doesn't have the required
|
|
|
|
// permissions, or when the kernel doesn't support netfilter.
|
2021-06-18 15:55:01 +01:00
|
|
|
//
|
|
|
|
// Log and go on.
|
|
|
|
//
|
2021-12-27 17:54:00 +00:00
|
|
|
// TODO(a.garipov): The Snap problem can probably be solved if we add
|
|
|
|
// the netlink-connector interface plug.
|
2024-09-30 18:17:20 +01:00
|
|
|
logger.WarnContext(ctx, "cannot initialize", slogutil.KeyError, err)
|
2021-06-18 15:55:01 +01:00
|
|
|
|
2024-09-30 18:17:20 +01:00
|
|
|
return h, nil
|
2021-06-18 15:55:01 +01:00
|
|
|
} else if err != nil {
|
2024-09-30 18:17:20 +01:00
|
|
|
return nil, fmt.Errorf("initializing ipset: %w", err)
|
2021-06-18 15:55:01 +01:00
|
|
|
}
|
|
|
|
|
2024-09-30 18:17:20 +01:00
|
|
|
return h, nil
|
2021-06-18 15:55:01 +01:00
|
|
|
}
|
|
|
|
|
2024-09-30 18:17:20 +01:00
|
|
|
// close closes the Linux Netfilter connections. close can be called on a nil
|
|
|
|
// handler.
|
|
|
|
func (h *ipsetHandler) close() (err error) {
|
|
|
|
if h != nil && h.ipsetMgr != nil {
|
|
|
|
return h.ipsetMgr.Close()
|
2021-06-18 15:55:01 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2024-09-30 18:17:20 +01:00
|
|
|
// dctxIsFilled returns true if dctx has enough information to process.
|
|
|
|
func dctxIsFilled(dctx *dnsContext) (ok bool) {
|
2021-06-18 15:55:01 +01:00
|
|
|
return dctx != nil &&
|
|
|
|
dctx.responseFromUpstream &&
|
|
|
|
dctx.proxyCtx != nil &&
|
|
|
|
dctx.proxyCtx.Res != nil &&
|
|
|
|
dctx.proxyCtx.Req != nil &&
|
|
|
|
len(dctx.proxyCtx.Req.Question) > 0
|
|
|
|
}
|
|
|
|
|
|
|
|
// skipIpsetProcessing returns true when the ipset processing can be skipped for
|
|
|
|
// this request.
|
2024-09-30 18:17:20 +01:00
|
|
|
func (h *ipsetHandler) skipIpsetProcessing(dctx *dnsContext) (ok bool) {
|
|
|
|
if h == nil || h.ipsetMgr == nil || !dctxIsFilled(dctx) {
|
2021-06-18 15:55:01 +01:00
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
qtype := dctx.proxyCtx.Req.Question[0].Qtype
|
|
|
|
|
|
|
|
return qtype != dns.TypeA && qtype != dns.TypeAAAA && qtype != dns.TypeANY
|
|
|
|
}
|
|
|
|
|
|
|
|
// ipFromRR returns an IP address from a DNS resource record.
|
|
|
|
func ipFromRR(rr dns.RR) (ip net.IP) {
|
|
|
|
switch a := rr.(type) {
|
|
|
|
case *dns.A:
|
|
|
|
return a.A
|
|
|
|
case *dns.AAAA:
|
|
|
|
return a.AAAA
|
|
|
|
default:
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// ipsFromAnswer returns IPv4 and IPv6 addresses from a DNS answer.
|
|
|
|
func ipsFromAnswer(ans []dns.RR) (ip4s, ip6s []net.IP) {
|
|
|
|
for _, rr := range ans {
|
|
|
|
ip := ipFromRR(rr)
|
|
|
|
if ip == nil {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
if ip.To4() == nil {
|
|
|
|
ip6s = append(ip6s, ip)
|
|
|
|
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
ip4s = append(ip4s, ip)
|
|
|
|
}
|
|
|
|
|
|
|
|
return ip4s, ip6s
|
|
|
|
}
|
|
|
|
|
|
|
|
// process adds the resolved IP addresses to the domain's ipsets, if any.
|
2024-09-30 18:17:20 +01:00
|
|
|
func (h *ipsetHandler) process(dctx *dnsContext) (rc resultCode) {
|
|
|
|
// TODO(s.chzhen): Use passed context.
|
|
|
|
ctx := context.TODO()
|
|
|
|
h.logger.DebugContext(ctx, "started processing")
|
|
|
|
defer h.logger.DebugContext(ctx, "finished processing")
|
2023-07-03 12:10:40 +01:00
|
|
|
|
2024-09-30 18:17:20 +01:00
|
|
|
if h.skipIpsetProcessing(dctx) {
|
2021-06-18 15:55:01 +01:00
|
|
|
return resultCodeSuccess
|
|
|
|
}
|
|
|
|
|
|
|
|
req := dctx.proxyCtx.Req
|
|
|
|
host := req.Question[0].Name
|
|
|
|
host = strings.TrimSuffix(host, ".")
|
|
|
|
host = strings.ToLower(host)
|
|
|
|
|
|
|
|
ip4s, ip6s := ipsFromAnswer(dctx.proxyCtx.Res.Answer)
|
2024-09-30 18:17:20 +01:00
|
|
|
n, err := h.ipsetMgr.Add(ctx, host, ip4s, ip6s)
|
2021-06-18 15:55:01 +01:00
|
|
|
if err != nil {
|
|
|
|
// Consider ipset errors non-critical to the request.
|
2024-09-30 18:17:20 +01:00
|
|
|
h.logger.ErrorContext(ctx, "adding host ips", slogutil.KeyError, err)
|
2021-06-18 15:55:01 +01:00
|
|
|
|
|
|
|
return resultCodeSuccess
|
|
|
|
}
|
|
|
|
|
2024-09-30 18:17:20 +01:00
|
|
|
h.logger.DebugContext(ctx, "added new ipset entries", "num", n)
|
2021-06-18 15:55:01 +01:00
|
|
|
|
|
|
|
return resultCodeSuccess
|
|
|
|
}
|