-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
dns_filter: add support for wildcard name in DNS filter inline table #34588
Conversation
Hi @StupidScience, welcome and thank you for your contribution. We will try to review your Pull Request as quickly as possible. In the meantime, please take a look at the contribution guidelines if you have not done so already. |
Assigning Yanjun for a first-pass review as a code-owner: |
Assigning to Yan for a review (after Yanjun's pass). |
Thanks @StupidScience for working on this! |
/retest |
896b29a
to
5107d49
Compare
@yanjunxiang-google sorry, original error that is exposed (on screenshot) did not give me a good idea on what's wrong (it was speling) so I thought it was some CI infra failure. Should be fixed now. |
/retest |
5107d49
to
c91b812
Compare
@yanjunxiang-google all checks have passed finally |
@yanjunxiang-google PTAL |
changelogs/current.yaml
Outdated
@@ -226,6 +226,10 @@ new_features: | |||
change: | | |||
Added :ref:`bypass_overload_manager <envoy_v3_api_field_config.listener.v3.Listener.bypass_overload_manager>` | |||
to bypass the overload manager for a listener. When set to true, the listener will not be subject to overload protection. | |||
- area: dns_filter | |||
change: | | |||
Added support wildcard names in :ref:`inline_dns_table |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we change to this: Added support for wildcard resolving when DNS filter is working in server mode?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Addressed this, please take a look
@@ -89,6 +89,19 @@ absl::string_view getDomainSuffix(const absl::string_view name) { | |||
return name.substr(pos + 1); | |||
} | |||
|
|||
absl::string_view getVirtualDomainName(const absl::string_view domain_name) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we call this function getWildcardDomainName?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That would be incorrect. It returns not only wildcard domain names but any name.
I'm not quite happy with naming here tho. Will smth like sanitizeVirtualDomainName
make intent more clear?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's okay to me then.
// wildcard usages are not considered as valid ones, i.e. **.foo.com, *foo.bar.com, foo*.bar.com | ||
// are all invalid. | ||
if (domain_name.starts_with("*.")) { | ||
return domain_name.substr(1); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What if the domain_name is invalid, like just "*.". This will return an empty string. Can we handle it correctly?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If domain is *.
it will return just .
. You can see that in tests.
While working on these code I made few assumptions and cut the corners sometimes. Mostly because current code does not have any validation for passed domain names and in proto validations are: length >= 1 + header value regex, that's probably incorrect.
I did not want to increase the scope of my changes so decided not to cover validations. It is probably should be addressed, likely in different PR tho
ENVOY_LOG(trace, "Loading configuration for domain: {}. Suffix: {}", domain_name, suffix); | ||
const absl::string_view virtual_domain_name = | ||
Utils::getVirtualDomainName(virtual_domain.name()); | ||
const absl::string_view suffix = Utils::getDomainSuffix(virtual_domain_name); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we getDomainSuffix(virtual_domain.name()),
or getDomainSuffix( Utils::getVirtualDomainName(virtual_domain.name()))
Can these two return different result in some cases?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I thought about this (getting suffix of "initial" input domain name). But with current implementation result should always be the same and for me it makes more sense to extract suffix after manipulations
inline_dns_table: | ||
external_retry_count: 0 | ||
virtual_domains: | ||
- name: "*.foobaz.com" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we add some tests for invalid virtual_domain test, like ".com", ".", "com", and see whether there is any issue?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As I mentioned above, invalid domains will be accepted by envoy and (do not) work due to lack of validations.
Just answering how it will work:
.com
will behave exactly as*.com
and I'm not sure whether it is bug or feature with the current state.
will be accepted. We can test if that will work as catch-all wildcard for queries ended with period likefoo.bar.
. Shall we?com
in general looks like valid record
4fbc543
to
a593ea9
Compare
/retest |
a593ea9
to
a79085d
Compare
/retest |
a79085d
to
d2b0cc8
Compare
@StupidScience can you update the doc for the /wait |
d2b0cc8
to
e3f648d
Compare
@yanavlasov thanks for feedback. Added this info as well as info about matching precedence. Can you think of any other info that should be covered? |
41e4799
to
6897ad0
Compare
LGTM from me. Will wait for LGTM from @yanjunxiang-google and then submit @StupidScience please resolve the merge error. /wait |
@StupidScience Could you please also add a couple of integration test cases here:
It will help show how the wildcard domain name works end-to-end. |
Signed-off-by: Anton Kaymakchi <tonysignal@gmail.com>
Signed-off-by: Anton Kaymakchi <anton.kaymakchi@transferwise.com>
Signed-off-by: Anton Kaymakchi <tonysignal@gmail.com>
…ard names behaviour Signed-off-by: Anton Kaymakchi <anton.kaymakchi@transferwise.com>
Signed-off-by: Anton Kaymakchi <tonysignal@gmail.com>
6897ad0
to
957d8bc
Compare
@yanjunxiang-google added integration test, please check if that's smth you had in mind? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm api
LGTM |
Looks good. Thanks for adding this feature! |
LGTM. @StupidScience please resolve merge error. /wait |
Signed-off-by: Anton Kaymakchi <tonysignal@gmail.com>
@yanavlasov done |
Commit Message: Add support for wildcard name in DNS filter inline table
Additional Description:
Risk Level: Medium
Testing: I ran only unit tests relevant to dns_filter
Docs Changes: -
Release Notes: Added support wildcard names in :ref:
inline_dns_table <envoy_v3_api_field_extensions.filters.udp.dns_filter.v3.DnsFilterConfig.ServerContextConfig.inline_dns_table>
.Platform Specific Features: N/A
Fixes #32941