Documentation ¶
Overview ¶
Package filtering implements a DNS request and response filter.
Index ¶
- Constants
- func BlockedSvcKnown(s string) (ok bool)
- func InitModule()
- func ValidateUpdateIvl(i uint32) bool
- type Config
- type DNSFilter
- func (d *DNSFilter) ApplyBlockedServices(setts *Settings, list []string)
- func (d *DNSFilter) CheckHost(host string, qtype uint16, setts *Settings) (res Result, err error)
- func (d *DNSFilter) CheckHostRules(host string, rrtype uint16, setts *Settings) (Result, error)
- func (d *DNSFilter) Close()
- func (d *DNSFilter) EnableFilters(async bool)
- func (d *DNSFilter) GetConfig() (s Settings)
- func (d *DNSFilter) RegisterFilteringHandlers()
- func (d *DNSFilter) SafeSearchDomain(host string) (string, bool)
- func (d *DNSFilter) SetEnabled(enabled bool)
- func (d *DNSFilter) SetFilters(blockFilters, allowFilters []Filter, async bool) error
- func (d *DNSFilter) SetParentalUpstream(u upstream.Upstream)
- func (d *DNSFilter) SetSafeBrowsingUpstream(u upstream.Upstream)
- func (d *DNSFilter) Start()
- func (d *DNSFilter) WriteDiskConfig(c *Config)
- type DNSRewriteResult
- type DNSRewriteResultResponse
- type Filter
- type FilterYAML
- type LegacyRewrite
- type LookupStats
- type Reason
- type Resolver
- type Result
- type ResultRule
- type ServiceEntry
- type Settings
- type Stats
Constants ¶
const ( CustomListID = -iota SysHostsListID BlockedSvcsListID ParentalListID SafeBrowsingListID SafeSearchListID )
The IDs of built-in filter lists.
Keep in sync with client/src/helpers/constants.js.
Variables ¶
This section is empty.
Functions ¶
func BlockedSvcKnown ¶
BlockedSvcKnown - return TRUE if a blocked service name is known
func ValidateUpdateIvl ¶ added in v0.107.14
ValidateUpdateIvl returns false if i is not a valid filters update interval.
Types ¶
type Config ¶
type Config struct { FilteringEnabled bool `yaml:"filtering_enabled"` // whether or not use filter lists FiltersUpdateIntervalHours uint32 `yaml:"filters_update_interval"` // time period to update filters (in hours) ParentalEnabled bool `yaml:"parental_enabled"` SafeSearchEnabled bool `yaml:"safesearch_enabled"` SafeBrowsingEnabled bool `yaml:"safebrowsing_enabled"` SafeBrowsingCacheSize uint `yaml:"safebrowsing_cache_size"` // (in bytes) SafeSearchCacheSize uint `yaml:"safesearch_cache_size"` // (in bytes) ParentalCacheSize uint `yaml:"parental_cache_size"` // (in bytes) CacheTime uint `yaml:"cache_time"` // Element's TTL (in minutes) Rewrites []*LegacyRewrite `yaml:"rewrites"` // Names of services to block (globally). // Per-client settings can override this configuration. BlockedServices []string `yaml:"blocked_services"` // EtcHosts is a container of IP-hostname pairs taken from the operating // system configuration files (e.g. /etc/hosts). EtcHosts *aghnet.HostsContainer `yaml:"-"` // Called when the configuration is changed by HTTP request ConfigModified func() `yaml:"-"` // Register an HTTP handler HTTPRegister aghhttp.RegisterFunc `yaml:"-"` // CustomResolver is the resolver used by DNSFilter. CustomResolver Resolver `yaml:"-"` // HTTPClient is the client to use for updating the remote filters. HTTPClient *http.Client `yaml:"-"` // DataDir is used to store filters' contents. DataDir string `yaml:"-"` // Filters are the blocking filter lists. Filters []FilterYAML `yaml:"-"` // WhitelistFilters are the allowing filter lists. WhitelistFilters []FilterYAML `yaml:"-"` // UserRules is the global list of custom rules. UserRules []string `yaml:"-"` // contains filtered or unexported fields }
Config allows you to configure DNS filtering with New() or just change variables directly.
type DNSFilter ¶
type DNSFilter struct { Config // for direct access by library users, even a = assignment // contains filtered or unexported fields }
DNSFilter matches hostnames and DNS requests against filtering rules.
func (*DNSFilter) ApplyBlockedServices ¶
ApplyBlockedServices - set blocked services settings for this DNS request
func (*DNSFilter) CheckHost ¶
func (d *DNSFilter) CheckHost( host string, qtype uint16, setts *Settings, ) (res Result, err error)
CheckHost tries to match the host against filtering rules, then safebrowsing and parental control rules, if they are enabled.
func (*DNSFilter) CheckHostRules ¶
CheckHostRules tries to match the host against filtering rules only.
func (*DNSFilter) EnableFilters ¶ added in v0.107.14
func (*DNSFilter) RegisterFilteringHandlers ¶ added in v0.107.14
func (d *DNSFilter) RegisterFilteringHandlers()
RegisterFilteringHandlers - register handlers
func (*DNSFilter) SafeSearchDomain ¶
SafeSearchDomain returns replacement address for search engine
func (*DNSFilter) SetEnabled ¶
SetEnabled sets the status of the *DNSFilter.
func (*DNSFilter) SetFilters ¶
SetFilters sets new filters, synchronously or asynchronously. When filters are set asynchronously, the old filters continue working until the new filters are ready.
In this case the caller must ensure that the old filter files are intact.
func (*DNSFilter) SetParentalUpstream ¶
SetParentalUpstream sets the parental upstream for *DNSFilter.
TODO(e.burkov): Remove this in v1 API to forbid the direct access.
func (*DNSFilter) SetSafeBrowsingUpstream ¶
SetSafeBrowsingUpstream sets the safe browsing upstream for *DNSFilter.
TODO(e.burkov): Remove this in v1 API to forbid the direct access.
func (*DNSFilter) Start ¶
func (d *DNSFilter) Start()
Start - start the module: . start async filtering initializer goroutine . register web handlers
func (*DNSFilter) WriteDiskConfig ¶
WriteDiskConfig - write configuration
type DNSRewriteResult ¶
type DNSRewriteResult struct { Response DNSRewriteResultResponse `json:",omitempty"` RCode rules.RCode `json:",omitempty"` }
DNSRewriteResult is the result of application of $dnsrewrite rules.
type DNSRewriteResultResponse ¶
DNSRewriteResultResponse is the collection of DNS response records the server returns.
type Filter ¶
type Filter struct { // FilePath is the path to a filtering rules list file. FilePath string `yaml:"-"` // Data is the content of the file. Data []byte `yaml:"-"` // ID is automatically assigned when filter is added using nextFilterID. ID int64 `yaml:"id"` }
Filter represents a filter list
type FilterYAML ¶ added in v0.107.14
type FilterYAML struct { Enabled bool URL string // URL or a file path Name string `yaml:"name"` RulesCount int `yaml:"-"` LastUpdated time.Time `yaml:"-"` Filter `yaml:",inline"` // contains filtered or unexported fields }
FilterYAML respresents a filter list in the configuration file.
TODO(e.burkov): Investigate if the field oredering is important.
func (*FilterYAML) Path ¶ added in v0.107.14
func (filter *FilterYAML) Path(dataDir string) string
Path to the filter contents
type LegacyRewrite ¶ added in v0.107.1
type LegacyRewrite struct { // Domain is the domain pattern for which this rewrite should work. Domain string `yaml:"domain"` // Answer is the IP address, canonical name, or one of the special // values: "A" or "AAAA". Answer string `yaml:"answer"` // IP is the IP address that should be used in the response if Type is // dns.TypeA or dns.TypeAAAA. IP net.IP `yaml:"-"` // Type is the DNS record type: A, AAAA, or CNAME. Type uint16 `yaml:"-"` }
LegacyRewrite is a single legacy DNS rewrite record.
Instances of *LegacyRewrite must never be nil.
type LookupStats ¶
type LookupStats struct { Requests uint64 // number of HTTP requests that were sent CacheHits uint64 // number of lookups that didn't need HTTP requests Pending int64 // number of currently pending HTTP requests PendingMax int64 // maximum number of pending HTTP requests }
LookupStats store stats collected during safebrowsing or parental checks
type Reason ¶
type Reason int
Reason holds an enum detailing why it was filtered or not filtered
const ( // NotFilteredNotFound - host was not find in any checks, default value for result NotFilteredNotFound Reason = iota // NotFilteredAllowList - the host is explicitly allowed NotFilteredAllowList // NotFilteredError is returned when there was an error during // checking. Reserved, currently unused. NotFilteredError // FilteredBlockList - the host was matched to be advertising host FilteredBlockList // FilteredSafeBrowsing - the host was matched to be malicious/phishing FilteredSafeBrowsing // FilteredParental - the host was matched to be outside of parental control settings FilteredParental // FilteredInvalid - the request was invalid and was not processed FilteredInvalid // FilteredSafeSearch - the host was replaced with safesearch variant FilteredSafeSearch // FilteredBlockedService - the host is blocked by "blocked services" settings FilteredBlockedService // Rewritten is returned when there was a rewrite by a legacy DNS rewrite // rule. Rewritten // RewrittenAutoHosts is returned when there was a rewrite by autohosts // rules (/etc/hosts and so on). RewrittenAutoHosts // RewrittenRule is returned when a $dnsrewrite filter rule was applied. // // TODO(a.garipov): Remove Rewritten and RewrittenAutoHosts by merging their // functionality into RewrittenRule. // // See https://github.com/AdguardTeam/AdGuardHome/issues/2499. RewrittenRule )
type Resolver ¶
type Resolver interface {
LookupIP(ctx context.Context, network, host string) (ips []net.IP, err error)
}
Resolver is the interface for net.Resolver to simplify testing.
type Result ¶
type Result struct { // DNSRewriteResult is the $dnsrewrite filter rule result. DNSRewriteResult *DNSRewriteResult `json:",omitempty"` // CanonName is the CNAME value from the lookup rewrite result. It is empty // unless Reason is set to Rewritten or RewrittenRule. CanonName string `json:",omitempty"` // ServiceName is the name of the blocked service. It is empty unless // Reason is set to FilteredBlockedService. ServiceName string `json:",omitempty"` // IPList is the lookup rewrite result. It is empty unless Reason is set to // Rewritten. IPList []net.IP `json:",omitempty"` // Rules are applied rules. If Rules are not empty, each rule is not nil. Rules []*ResultRule `json:",omitempty"` // Reason is the reason for blocking or unblocking the request. Reason Reason `json:",omitempty"` // IsFiltered is true if the request is filtered. IsFiltered bool `json:",omitempty"` }
Result contains the result of a request check.
All fields transitively have omitempty tags so that the query log doesn't become too large.
TODO(a.garipov): Clarify relationships between fields. Perhaps replace with a sum type or an interface?
type ResultRule ¶
type ResultRule struct { // Text is the text of the rule. Text string `json:",omitempty"` // IP is the host IP. It is nil unless the rule uses the // /etc/hosts syntax or the reason is FilteredSafeSearch. IP net.IP `json:",omitempty"` // FilterListID is the ID of the rule's filter list. FilterListID int64 `json:",omitempty"` }
ResultRule contains information about applied rules.
type ServiceEntry ¶
type ServiceEntry struct { Name string Rules []*rules.NetworkRule }
ServiceEntry - blocked service array element
type Settings ¶
type Settings struct { ClientName string ClientIP net.IP ClientTags []string ServicesRules []ServiceEntry ProtectionEnabled bool FilteringEnabled bool SafeSearchEnabled bool SafeBrowsingEnabled bool ParentalEnabled bool }
Settings are custom filtering settings for a client.
type Stats ¶
type Stats struct { Safebrowsing LookupStats Parental LookupStats Safesearch LookupStats }
Stats store LookupStats for safebrowsing, parental and safesearch