From 187731f80e9acd1dd848ae795edcb45ebefd81a4 Mon Sep 17 00:00:00 2001
From: Markus Moeller
Date: Tue, 31 Aug 2021 20:20:08 +0100
Subject: [PATCH 1/6] Reverse DNS for IP networl.mask match
---
 configure.ac | 10 ++++++++
 src/hostspec.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++----
 2 files changed, 69 insertions(+), 4 deletions(-)
diff --git a/configure.ac b/configure.ac
index d904c78..88c763a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -101,6 +101,16 @@ if test x"$transparent_enabled" = x"yes"; then
 AC_DEFINE(TRANSPARENT_PROXY)
 fi
+dnl Include support for reverse dns to match IP network/mask ?
+AH_TEMPLATE([RDNS_ENABLE],
+ [Include support for reverse dns to match IP network/mask.])
+TP_ARG_ENABLE(rdns,
+ [Enable support for reverse dns to match IP network/mask (default is YES)],
+ yes)
+if test x"$rdns__enabled" = x"yes"; then
+ AC_DEFINE(RDNS_ENABLE)
+fi
+
 dnl Let user decide whether he wants support for manpages
 dnl Which require either pod2man or a tarball release
 AH_TEMPLATE([MANPAGE_SUPPORT],
diff --git a/src/hostspec.c b/src/hostspec.c
index adbad53..6a94400 100644
--- a/src/hostspec.c
+++ b/src/hostspec.c
@@ -2,6 +2,18 @@
 #include "hostspec.h"
 #include "heap.h"
 #include "network.h"
+#ifdef RDNS_ENABLE
+#include "log.h"
+#endif
+
+static int dotted_mask(char *bitmask_string, unsigned char array[])
+{
+ unsigned char v4bits[4];
+ if (1 != inet_pton (AF_INET, bitmask_string, v4bits)) return -1;
+ memset (array, 0xff, IPV6_LEN-4);
+ memcpy (array + IPV6_LEN-4, v4bits, 4);
+ return 0;
+}
 /*
 * Fills in the netmask array given a numeric value.
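Review bot: The new guard `if test x"$rdns__enabled" = x"yes"; then` tests a variable with a doubled underscore, while the context line at the top of the hunk tests `$transparent_enabled` for the sibling option; if TP_ARG_ENABLE sets `<option>_enabled` as that line suggests, `$rdns__enabled` is always empty and `AC_DEFINE(RDNS_ENABLE)` never fires even when the option is enabled. The later renames in this series keep the doubled underscore (`$fdns__enabled` in the configure.ac hunks of PATCH 5/6 and PATCH 6/6), so the feature would never be compiled in at all. Suggest `if test x"$rdns_enabled" = x"yes"; then` here and the matching `$fdns_enabled` in the later hunks.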
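Review bot: `dotted_mask` installs any dotted quad that inet_pton parses, so a non-contiguous value (e.g. a mistyped 255.255.0.255 instead of 255.255.255.0) becomes a mask without complaint and the network match silently differs from what the operator configured. The hunk also fills the upper 12 bytes with 0xff and places the four mask bytes last, which presumably mirrors how full_inet_pton lays out a v4 address in the 16-byte array — confirm against that function, since it is not shown here. The version below rejects masks that are not a run of 1-bits followed by 0-bits before filling the array; ntohl comes from the same header family as the inet_pton call already present.
```c
static int dotted_mask(char *bitmask_string, unsigned char array[])
{
        unsigned char v4bits[4];
        uint32_t m;

        if (1 != inet_pton (AF_INET, bitmask_string, v4bits)) return -1;
        memcpy (&m, v4bits, sizeof m);
        m = ntohl (m);
        /* a netmask must be a run of 1s followed by a run of 0s */
        if ((~m & (~m + 1)) != 0) return -1;
        memset (array, 0xff, IPV6_LEN-4);
        memcpy (array + IPV6_LEN-4, v4bits, 4);
        return 0;
}
```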
@@ -13,13 +25,17 @@
 */
 static int
 fill_netmask_array (char *bitmask_string, int v6,
- unsigned char array[], size_t len)
+ unsigned char array[])
 {
 unsigned int i;
 unsigned long int mask;
 char *endptr;
 errno = 0; /* to distinguish success/failure after call */
+ if (strchr (bitmask_string, '.')) {
+ if (v6) return -1; /* ipv6 doesn't supported dotted netmasks */
+ return dotted_mask(bitmask_string, array);
+ }
 mask = strtoul (bitmask_string, &endptr, 10);
 /* check for various conversion errors */
@@ -35,11 +51,11 @@ fill_netmask_array (char *bitmask_string, int v6,
 }
 /* check valid range for a bit mask */
- if (mask > (8 * len))
+ if (mask > (8 * IPV6_LEN))
 return -1;
 /* we have a valid range to fill in the array */
- for (i = 0; i != len; ++i) {
+ for (i = 0; i != IPV6_LEN; ++i) {
 if (mask >= 8) {
 array[i] = 0xff;
 mask -= 8;
@@ -88,7 +104,7 @@ int hostspec_parse(char *location, struct hostspec *h) {
 v6 = 0;
 if (fill_netmask_array
- (mask, v6, &(h->address.ip.mask[0]), IPV6_LEN)
+ (mask, v6, &(h->address.ip.mask[0]))
 < 0)
 goto err;
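Review bot: The comment on the new `if (v6) return -1;` line reads `ipv6 doesn't supported dotted netmasks`; suggest `/* dotted-quad masks are only meaningful for IPv4 */`. The new strchr branch is placed after `errno = 0; /* to distinguish success/failure after call */`, so that existing comment now describes a strtoul call the dotted path never reaches; moving the branch above the `errno = 0;` line keeps the comment accurate and avoids touching errno on a path that does not need it. fill_netmask_array's body continues past this hunk; its second hunk on this line (the `8 * IPV6_LEN` bound and loop limit) preserves the old behaviour for the only caller shown, which passed IPV6_LEN.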
@@ -146,6 +162,42 @@ static int numeric_match(const uint8_t addr[], const struct hostspec *h)
 return 1;
 }
+#ifdef RDNS_ENABLE
+static int reverse_dns_numeric_match(const char *ip, const struct hostspec *h)
+{
+ int ret;
+ struct addrinfo *res, *ressave;
+ uint8_t numeric_addr[IPV6_LEN];
+ char ipbuf[512];
+
+ errno = 0;
+
+ ret =getaddrinfo (ip, NULL, NULL, &res);
+
+ ressave = res;
+
+ if (ret != 0) {
+ if (ret == EAI_SYSTEM)
+ log_message (LOG_ERR, "Could not retrieve address info for %s : %s",ip,strerror(errno));
+ else
+ log_message (LOG_ERR, "Could not retrieve address info for %s : %s",ip,gai_strerror(errno));
+ } else {
+ do {
+ /* return if IP matches */
+ get_ip_string (res->ai_addr, ipbuf, sizeof (ipbuf));
+ full_inet_pton (ipbuf, &numeric_addr);
+ if (numeric_match (numeric_addr, h)) {
+ break;
+ }
+ } while ((res = res->ai_next) != NULL);
+ }
+
+ freeaddrinfo (ressave);
+
+ return numeric_match (numeric_addr, h);
+}
+#endif
+
 /* check whether ip matches hostspec. return 1 on match, 0 on non-match */
 int hostspec_match(const char *ip, const struct hostspec *h) {
@@ -158,6 +210,9 @@ int hostspec_match(const char *ip, const struct hostspec *h) {
 if(is_numeric_addr) return 0;
 return string_match (ip, h->address.string);
 case HST_NUMERIC:
+#ifdef RDNS_ENABLE
+ if(!is_numeric_addr) return reverse_dns_numeric_match(ip, h);
+#endif
 return numeric_match (numeric_addr, h);
 case HST_NONE:
 return 0;
From 5a892970ed47d386ca336895dae2fea594f6780e Mon Sep 17 00:00:00 2001
From: Markus Moeller
Date: Tue, 31 Aug 2021 20:42:35 +0100
Subject: [PATCH 2/6] Remove duplication
---
 src/hostspec.c | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/src/hostspec.c b/src/hostspec.c
index ec1961e..6a94400 100644
--- a/src/hostspec.c
+++ b/src/hostspec.c
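Review bot: With `if(!is_numeric_addr) return reverse_dns_numeric_match(ip, h);` every HST_NUMERIC hostspec consulted for a non-numeric `ip` now performs a blocking getaddrinfo on the request path, one lookup per such rule, since nothing in this hunk caches the result across rules. The address matched here is also obtained by a resolution that, as far as these hunks show, is separate from the one used when the connection is made, so the decision can be taken on one answer and the connection made to another if answers change between lookups. If that is acceptable it deserves a comment at this line, e.g. `/* match uses its own lookup, not the connection's; answers may differ between the two */`. The enclosing switch and hostspec_match continue outside the hunk.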
@@ -15,15 +15,6 @@ static int dotted_mask(char *bitmask_string, unsigned char array[])
 return 0;
 }
-static int dotted_mask(char *bitmask_string, unsigned char array[])
-{
- unsigned char v4bits[4];
- if (1 != inet_pton (AF_INET, bitmask_string, v4bits)) return -1;
- memset (array, 0xff, IPV6_LEN-4);
- memcpy (array + IPV6_LEN-4, v4bits, 4);
- return 0;
-}
-
 /*
 * Fills in the netmask array given a numeric value.
 *
From e5e633e45a3d05023005c31152d94f995fc88345 Mon Sep 17 00:00:00 2001
From: Markus Moeller
Date: Fri, 3 Sep 2021 17:50:25 +0100
Subject: [PATCH 3/6] Disable option as default
---
 configure.ac | 4 ++--
 src/hostspec.c | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
index 88c763a..89d1c0c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -105,8 +105,8 @@ dnl Include support for reverse dns to match IP network/mask ?
 AH_TEMPLATE([RDNS_ENABLE],
 [Include support for reverse dns to match IP network/mask.])
 TP_ARG_ENABLE(rdns,
- [Enable support for reverse dns to match IP network/mask (default is YES)],
- yes)
+ [Enable support for reverse dns to match IP network/mask (default is NO)],
+ no)
 if test x"$rdns__enabled" = x"yes"; then
 AC_DEFINE(RDNS_ENABLE)
 fi
diff --git a/src/hostspec.c b/src/hostspec.c
index 6a94400..52f4a00 100644
--- a/src/hostspec.c
+++ b/src/hostspec.c
@@ -176,7 +176,7 @@ static int reverse_dns_numeric_match(const char *ip, const struct hostspec *h)
 ressave = res;
- if (ret != 0) {
+ if (ret != 0) {
 if (ret == EAI_SYSTEM)
 log_message (LOG_ERR, "Could not retrieve address info for %s : %s",ip,strerror(errno));
 else
From 6a8db94ea4c6ece9306278bcb5cb11fcc0d1257e Mon Sep 17 00:00:00 2001
From: Markus Moeller
Date: Fri, 3 Sep 2021 18:00:06 +0100
Subject: [PATCH 4/6] Add man page content
---
 configure.ac | 2 +-
 docs/man5/tinyproxy.conf.txt.in | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 89d1c0c..b206691 100644
--- a/configure.ac
+++ b/configure.ac
@@ -103,7 +103,7 @@ fi
 dnl Include support for reverse dns to match IP network/mask ?
 AH_TEMPLATE([RDNS_ENABLE],
- [Include support for reverse dns to match IP network/mask.])
+ [Include support for reverse dns to match IP network/mask. This is best used with nscd enabled to minimise DNS resolution delays])
 TP_ARG_ENABLE(rdns,
 [Enable support for reverse dns to match IP network/mask (default is NO)],
 no)
diff --git a/docs/man5/tinyproxy.conf.txt.in b/docs/man5/tinyproxy.conf.txt.in
index 758382c..e35b27b 100644
--- a/docs/man5/tinyproxy.conf.txt.in
+++ b/docs/man5/tinyproxy.conf.txt.in
@@ -200,6 +200,7 @@ Note that the upstream directive can also be used to null-route a specific
 target domain/host, e.g.:
 `upstream http 0.0.0.0:0 ".adserver.com"`
+With RDNS enabled the site's IP address will also be matched against the or values in addition to the name or domain match
 =item B
 Tinyproxy creates one thread for each connected client.
From 306cdfe89133bbe6465a5263bf92ac5c5e0f2ed8 Mon Sep 17 00:00:00 2001
From: Markus Moeller
Date: Fri, 3 Sep 2021 20:17:12 +0100
Subject: [PATCH 5/6] Use correct naming of DNS action
---
 configure.ac | 10 +++++-----
 docs/man5/tinyproxy.conf.txt.in | 2 +-
 src/hostspec.c | 10 +++++-----
 3 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/configure.ac b/configure.ac
index b206691..cc79f13 100644
--- a/configure.ac
+++ b/configure.ac
@@ -102,13 +102,13 @@ if test x"$transparent_enabled" = x"yes"; then
 fi
 dnl Include support for reverse dns to match IP network/mask ?
-AH_TEMPLATE([RDNS_ENABLE],
- [Include support for reverse dns to match IP network/mask. This is best used with nscd enabled to minimise DNS resolution delays])
+AH_TEMPLATE([FDNS_ENABLE],
+ [Include support for forward dns to match IP network/mask. This is best used with nscd enabled to minimise DNS resolution delays])
 TP_ARG_ENABLE(rdns,
- [Enable support for reverse dns to match IP network/mask (default is NO)],
+ [Enable support for forward dns to match IP network/mask (default is NO)],
 no)
-if test x"$rdns__enabled" = x"yes"; then
- AC_DEFINE(RDNS_ENABLE)
+if test x"$fdns__enabled" = x"yes"; then
+ AC_DEFINE(FDNS_ENABLE)
 fi
 dnl Let user decide whether he wants support for manpages
diff --git a/docs/man5/tinyproxy.conf.txt.in b/docs/man5/tinyproxy.conf.txt.in
index e35b27b..53b472e 100644
--- a/docs/man5/tinyproxy.conf.txt.in
+++ b/docs/man5/tinyproxy.conf.txt.in
@@ -200,7 +200,7 @@ Note that the upstream directive can also be used to null-route a specific
 target domain/host, e.g.:
 `upstream http 0.0.0.0:0 ".adserver.com"`
-With RDNS enabled the site's IP address will also be matched against the or values in addition to the name or domain match
+With FDNS enabled the site's IP address will also be matched against the or values in addition to the name or domain match
 =item B
 Tinyproxy creates one thread for each connected client.
diff --git a/src/hostspec.c b/src/hostspec.c
index 52f4a00..fc48d43 100644
--- a/src/hostspec.c
+++ b/src/hostspec.c
@@ -2,7 +2,7 @@
 #include "hostspec.h"
 #include "heap.h"
 #include "network.h"
-#ifdef RDNS_ENABLE
+#ifdef FDNS_ENABLE
 #include "log.h"
 #endif
@@ -162,8 +162,8 @@ static int numeric_match(const uint8_t addr[], const struct hostspec *h)
 return 1;
 }
-#ifdef RDNS_ENABLE
-static int reverse_dns_numeric_match(const char *ip, const struct hostspec *h)
+#ifdef FDNS_ENABLE
+static int dns_numeric_match(const char *ip, const struct hostspec *h)
 {
 int ret;
 struct addrinfo *res, *ressave;
@@ -210,8 +210,8 @@ int hostspec_match(const char *ip, const struct hostspec *h) {
 if(is_numeric_addr) return 0;
 return string_match (ip, h->address.string);
 case HST_NUMERIC:
-#ifdef RDNS_ENABLE
- if(!is_numeric_addr) return reverse_dns_numeric_match(ip, h);
+#ifdef FDNS_ENABLE
+ if(!is_numeric_addr) return dns_numeric_match(ip, h);
 #endif
 return numeric_match (numeric_addr, h);
 case HST_NONE:
From 56c0dd1c863b4371a9aec468139de9bc41131701 Mon Sep 17 00:00:00 2001
From: Markus Moeller
Date: Sun, 12 Sep 2021 17:19:56 +0100
Subject: [PATCH 6/6] correct option name
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index cc79f13..a74e86b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -104,7 +104,7 @@ fi
 dnl Include support for reverse dns to match IP network/mask ?
 AH_TEMPLATE([FDNS_ENABLE],
 [Include support for forward dns to match IP network/mask. This is best used with nscd enabled to minimise DNS resolution delays])
-TP_ARG_ENABLE(rdns,
+TP_ARG_ENABLE(fdns,
 [Enable support for forward dns to match IP network/mask (default is NO)],
 no)
 if test x"$fdns__enabled" = x"yes"; then