dns_filter: add support for wildcard name in DNS filter inline table #34588
Conversation
|
Hi @StupidScience, welcome and thank you for your contribution. We will try to review your Pull Request as quickly as possible. In the meantime, please take a look at the contribution guidelines if you have not done so already. |
|
Assigning Yanjun for a first-pass review as a code-owner: |
|
Assigning to Yan for a review (after Yanjun's pass). |
|
Thanks @StupidScience for working on this! |
|
/retest |
StupidScience
force-pushed
the
dns-filter-wildcard
branch
from
896b29a
to
5107d49
Compare
|
@yanjunxiang-google sorry, original error that is exposed (on screenshot) did not give me a good idea on what's wrong (it was speling) so I thought it was some CI infra failure. Should be fixed now. |
|
/retest |
StupidScience
force-pushed
the
dns-filter-wildcard
branch
from
5107d49
to
c91b812
Compare
|
@yanjunxiang-google all checks have passed finally |
|
@yanjunxiang-google PTAL |
changelogs/current.yaml
Outdated
| @@ -226,6 +226,10 @@ new_features: | |||
| change: | | |||
| Added :ref:`bypass_overload_manager <envoy_v3_api_field_config.listener.v3.Listener.bypass_overload_manager>` | |||
| to bypass the overload manager for a listener. When set to true, the listener will not be subject to overload protection. | |||
| - area: dns_filter | |||
| change: | | |||
| Added support wildcard names in :ref:`inline_dns_table | |||
There was a problem hiding this comment.
Can we change to this: Added support for wildcard resolving when DNS filter is working in server mode?
There was a problem hiding this comment.
Addressed this, please take a look
| @@ -89,6 +89,19 @@ absl::string_view getDomainSuffix(const absl::string_view name) { | |||
| return name.substr(pos + 1); | |||
| } | |||
|
|
|||
| absl::string_view getVirtualDomainName(const absl::string_view domain_name) { | |||
There was a problem hiding this comment.
Should we call this function getWildcardDomainName?
There was a problem hiding this comment.
That would be incorrect. It returns not only wildcard domain names but any name.
I'm not quite happy with naming here tho. Will smth like sanitizeVirtualDomainName make intent more clear?
There was a problem hiding this comment.
It's okay to me then.
| // wildcard usages are not considered as valid ones, i.e. **.foo.com, *foo.bar.com, foo*.bar.com | ||
| // are all invalid. | ||
| if (domain_name.starts_with("*.")) { | ||
| return domain_name.substr(1); |
There was a problem hiding this comment.
What if the domain_name is invalid, like just "*.". This will return an empty string. Can we handle it correctly?
There was a problem hiding this comment.
If domain is *. it will return just .. You can see that in tests.
While working on these code I made few assumptions and cut the corners sometimes. Mostly because current code does not have any validation for passed domain names and in proto validations are: length >= 1 + header value regex, that's probably incorrect.
I did not want to increase the scope of my changes so decided not to cover validations. It is probably should be addressed, likely in different PR tho
| ENVOY_LOG(trace, "Loading configuration for domain: {}. Suffix: {}", domain_name, suffix); | ||
| const absl::string_view virtual_domain_name = | ||
| Utils::getVirtualDomainName(virtual_domain.name()); | ||
| const absl::string_view suffix = Utils::getDomainSuffix(virtual_domain_name); |
There was a problem hiding this comment.
Should we getDomainSuffix(virtual_domain.name()),
or getDomainSuffix( Utils::getVirtualDomainName(virtual_domain.name()))
Can these two return different result in some cases?
There was a problem hiding this comment.
Yeah, I thought about this (getting suffix of "initial" input domain name). But with current implementation result should always be the same and for me it makes more sense to extract suffix after manipulations
| inline_dns_table: | ||
| external_retry_count: 0 | ||
| virtual_domains: | ||
| - name: "*.foobaz.com" |
There was a problem hiding this comment.
Can we add some tests for invalid virtual_domain test, like ".com", ".", "com", and see whether there is any issue?
There was a problem hiding this comment.
As I mentioned above, invalid domains will be accepted by envoy and (do not) work due to lack of validations.
Just answering how it will work:
.comwill behave exactly as*.comand I'm not sure whether it is bug or feature with the current state.will be accepted. We can test if that will work as catch-all wildcard for queries ended with period likefoo.bar.. Shall we?comin general looks like valid record
StupidScience
force-pushed
the
dns-filter-wildcard
branch
from
4fbc543
to
a593ea9
Compare
|
/retest |
StupidScience
force-pushed
the
dns-filter-wildcard
branch
from
a593ea9
to
a79085d
Compare
|
/retest |
StupidScience
force-pushed
the
dns-filter-wildcard
branch
from
a79085d
to
d2b0cc8
Compare
|
@StupidScience can you update the doc for the /wait |
StupidScience
force-pushed
the
dns-filter-wildcard
branch
from
d2b0cc8
to
e3f648d
Compare
|
@yanavlasov thanks for feedback. Added this info as well as info about matching precedence. Can you think of any other info that should be covered? |
StupidScience
force-pushed
the
dns-filter-wildcard
branch
from
41e4799
to
6897ad0
Compare
|
LGTM from me. Will wait for LGTM from @yanjunxiang-google and then submit @StupidScience please resolve the merge error. /wait |
|
@StupidScience Could you please also add a couple of integration test cases here: It will help show how the wildcard domain name works end-to-end. |
Signed-off-by: Anton Kaymakchi <tonysignal@gmail.com>
Signed-off-by: Anton Kaymakchi <anton.kaymakchi@transferwise.com>
Signed-off-by: Anton Kaymakchi <tonysignal@gmail.com>
…ard names behaviour Signed-off-by: Anton Kaymakchi <anton.kaymakchi@transferwise.com>
Signed-off-by: Anton Kaymakchi <tonysignal@gmail.com>
StupidScience
force-pushed
the
dns-filter-wildcard
branch
from
6897ad0
to
957d8bc
Compare
|
@yanjunxiang-google added integration test, please check if that's smth you had in mind? |
|
LGTM |
Looks good. Thanks for adding this feature! |
|
LGTM. @StupidScience please resolve merge error. /wait |
Signed-off-by: Anton Kaymakchi <tonysignal@gmail.com>
|
@yanavlasov done |
Commit Message: Add support for wildcard name in DNS filter inline table
Additional Description:
Risk Level: Medium
Testing: I ran only unit tests relevant to dns_filter
Docs Changes: -
Release Notes: Added support wildcard names in :ref:
inline_dns_table <envoy_v3_api_field_extensions.filters.udp.dns_filter.v3.DnsFilterConfig.ServerContextConfig.inline_dns_table>.Platform Specific Features: N/A
Fixes #32941