dnsdist: DSTPortRule #6813
Conversation
Thanks a lot for this pull request! Code looks good, would you mind adding the new rule to g_consoleKeywords in dnsdist-console.cc so the completion is working?
pdns/dnsdistdist/dnsdist-rules.hh
Outdated
} | ||
private: | ||
uint16_t d_port; | ||
uint16_t d_port_htons; |
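Review bot: d_port_htons on the last line stores the same value as d_port, only byte-swapped; since htons() is cheap, keep a single d_port member and convert at the comparison site, which also removes the risk of the two copies going out of sync.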
Given how cheap htons() is, keeping the two values here feels a bit wrong.
I felt like the rule should match the entire local address, not just the port... and/or match the object returned from addLocal() (if it does return something)
Unless I'm mistaken, you can already use
Yeah, but somehow it's weird that you cannot do both things with one matcher. I'd kinda expect something like this: LocalRule("*:443")
@zeha while I don't disagree with one potentially being nice - the already existing combo of using a NetmaskGroupRule for that purpose seems just as easy to combine into whatever you want and might provide more re-use for some people. FWIW we use NMGs to shove a number of destination addresses into a single group, so re-using that group for any port matching we do would still be nice for us. The semantics of something like
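The combination suggested in the comment above, a NetmaskGroupRule on the destination address AND'ed with the new DSTPortRule, written out as a dnsdist configuration. This is an added example, not code from PR #6813 or the dnsdist project; the listener and backend addresses, certificate paths and the "dot" pool name are assumptions made for illustration.

```lua
-- Added example, not part of PR #6813 or the dnsdist repository.
-- Assumptions: listener addresses, certificate/key paths, backend
-- addresses and the "dot" pool name are made up for illustration.

-- Plain DNS on 53, DNS-over-TLS on 853 (addTLSLocal needs TLS support built in)
addLocal("192.0.2.10:53")
addTLSLocal("192.0.2.10:853", "/etc/dnsdist/dot.pem", "/etc/dnsdist/dot.key")
addTLSLocal("[2001:db8::10]:853", "/etc/dnsdist/dot.pem", "/etc/dnsdist/dot.key")

-- One NetmaskGroup holding the local addresses DoT is meant to be served on,
-- reusable by any rule that needs "destination address is one of ours"
local dotAddrs = newNMG()
dotAddrs:addMask("192.0.2.10/32")
dotAddrs:addMask("2001:db8::10/128")

-- NetmaskGroupRule's second argument selects the source (true, the default)
-- or the destination (false) address; DSTPortRule matches the local port.
local toDotAddr = NetmaskGroupRule(dotAddrs, false)
local onDotPort = DSTPortRule(853)

-- Backends: a dedicated pool for DoT traffic plus the default pool
newServer({address = "192.0.2.53", pool = "dot"})
newServer({address = "192.0.2.54"})

-- Port 853 AND a listed local address: hand the query to the DoT pool
addAction(AndRule({onDotPort, toDotAddr}), PoolAction("dot"))

-- Port 853 on an address outside the group cannot come from the listeners
-- above; drop it rather than let it fall through to the default pool
addAction(AndRule({onDotPort, NotRule(toDotAddr)}), DropAction())
```

Rules are evaluated in the order they were added, so the pool assignment has to precede any catch-all actions; showRules() in the dnsdist console prints the resulting order. Tab-completion of DSTPortRule in that console depends on the g_consoleKeywords entry the reviewer asked for above.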
pdns/dnsdistdist/dnsdist-rules.hh
Outdated
} | ||
private: | ||
uint16_t d_port; | ||
uint16_t d_port_htons; |
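Review bot: the d_port_htons declaration on the last line is still present although the code that read it has been removed in this revision; delete the member so the class carries only d_port.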
You removed the code using this member, but somehow forgot to remove the member itself ;-)
Unless someone is really motivated to work on the more advanced
Agreed
Short description
Allows matching based on the destination port of the question. This allows one to apply more powerful rules to ports bound for DoT for instance.
Checklist
I have: