[WIP] Add experimental XPF support #5594
Conversation
pdns/xpf.hh
Outdated
| * along with this program; if not, write to the Free Software | ||
| * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | ||
| */ | ||
| #ifndef PDNS_XPF_HH |
rgacogne
changed the title
|
Rebased on master, and made the XPF code point configurable in dnsdist and the rec. |
| @@ -295,20 +296,29 @@ void MOADNSParser::init(bool query, const char *packet, unsigned int len) | |||
|
|
|||
| d_answers.push_back(make_pair(dr, pr.d_pos)); | |||
|
|
|||
| /* XXX: XPF records should be allowed after TSIG as soon as the actual XPF option code has been assigned: | |||
There was a problem hiding this comment.
Why would assignment change this rule?
There was a problem hiding this comment.
Because this function is used in the auth, rec and dnsdist so using a variable is painful, while of course not impossible. This becomes very easy once we have a fixed value to allow.
pdns/xpf.cc
Outdated
|
|
||
| #include "xpf.hh" | ||
|
|
||
| std::string generateXPFPayload(bool tcp, const ComboAddress& remote, const ComboAddress& local) |
There was a problem hiding this comment.
Maybe rename remote/local to source/destination? That mirrors the XPF spec text and seems less confusing to me.
There was a problem hiding this comment.
Looks better indeed, I'll do it after your changes have landed on this branch.
pdns/qtype.hh
Outdated
| @@ -125,7 +125,8 @@ public: | |||
| CAA=257, | |||
| DLV=32769, | |||
| ADDR=65400, | |||
| ALIAS=65401 | |||
| ALIAS=65401, | |||
| XPF=65422 | |||
There was a problem hiding this comment.
Hmm, I guess that would break mastermake. Now I see why fixing sdig is harder.
pdns/qtype.hh
Outdated
| @@ -217,6 +218,7 @@ private: | |||
| qtype_insert("DLV", 32769); | |||
| qtype_insert("ADDR", 65400); | |||
| qtype_insert("ALIAS", 65401); | |||
| qtype_insert("XPF", 65422); | |||
| The server will trust XPF records found in queries sent from those netmasks (both IPv4 and IPv6), | ||
| and will adjust queries' source and destination accordingly. This is especially useful when the recursor | ||
| is placed behind a proxy like dnsdist. | ||
| Note that the `allow-from`_ setting is still applied to the original source address, and thus access restriction |
There was a problem hiding this comment.
'original source address' is a bit confusing, but I'm struggling to find better words.
There was a problem hiding this comment.
"IP header source address", possibly? (If that is the correct interpretation)
The note removes what seems like probably the single most obvious application for this. Maybe name some example(s) where it can be used?
It's a bit trickier for sdig, though.
make XPF code point configurable in sdig remove XPF from dnsrecords and qtype check argument count for sdig modifiers
Short description
Don't merge this while it's still using a private code point!
This PR adds experimental support for
XPF1 to the recursor and dnsdist. It adds a new option to dnsdist to send the source and destination IPs and ports to the recursor via aXPFrecord.It also adds a new option to the recursor to whitelist the source IPs allowed to send
XPFrecords. Those records are then decoded before thegettaghook and the source and destination IPs are replaced by the one provided.The PR is based on and contains @Habbie's work to add
XPFsupport tosdigand the authoritative server'sbindbackend.Checklist
I have: