l4dns

package
v0.0.0-...-6e5f5e3
Published: Jan 2, 2025 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type MatchDNS

type MatchDNS struct {
	// Allow contains an optional list of rules to match the question section of the DNS request message against.
	// The matcher returns false if not matched by any of them (in the absence of any deny rules).
	Allow MatchDNSRules `json:"allow,omitempty"`
	// Deny contains an optional list of rules to match the question section of the DNS request message against.
	// The matcher returns false if matched by any of them (in the absence of any allow rules).
	Deny MatchDNSRules `json:"deny,omitempty"`

	// If DefaultDeny is true, DNS request messages that haven't been matched by any allow and deny rules are denied.
	// The default action is allow. Use it to make the filter more restrictive when the rules aren't exhaustive.
	DefaultDeny bool `json:"default_deny,omitempty"`
	// If PreferAllow is true, DNS request messages that have been matched by both allow and deny rules are allowed.
	// The default action is deny. Use it to make the filter less restrictive when the rules are mutually exclusive.
	PreferAllow bool `json:"prefer_allow,omitempty"`
}

MatchDNS matches connections that look like the DNS protocol. Note: DNS messages sent via TCP are 2 bytes longer than those sent via UDP. Consequently, if Caddy listens on TCP, it has to proxy DNS messages to TCP upstreams only, and the same is true for UDP: no TCP/UDP mixing is allowed. Mixing is technically possible, but it requires an intermediary handler to add or strip the 2 bytes before or after proxying. Please open a feature request and describe your use case if you need TCP/UDP mixing.
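The 2-byte difference above is the big-endian length prefix DNS uses over TCP (RFC 1035 section 4.2.2). The following is an added example, not code from the l4dns package, showing the add/strip step such an intermediary handler would have to perform for one message per frame, with the declared length checked against the bytes actually received; the sample query bytes and the function names are constructed for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed sample (not a capture): a 29-byte query for "example.com." type A,
// class IN, exactly as it travels in one UDP datagram.
var sampleUDPQuery = []byte{
	0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // header: ID, RD set, QDCOUNT=1
	7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, // QNAME example.com.
	0x00, 0x01, 0x00, 0x01, // QTYPE A, QCLASS IN
}

// UDPToTCP prepends the 2-byte big-endian length field that TCP transport requires.
func UDPToTCP(msg []byte) ([]byte, error) {
	if len(msg) > 0xFFFF {
		return nil, errors.New("message exceeds 65535 bytes and cannot be framed for TCP")
	}
	out := make([]byte, 2+len(msg))
	binary.BigEndian.PutUint16(out, uint16(len(msg)))
	copy(out[2:], msg)
	return out, nil
}

// TCPToUDP strips the prefix, rejecting a frame whose declared length disagrees
// with the bytes present so a truncated or padded frame is never forwarded as-is.
func TCPToUDP(frame []byte) ([]byte, error) {
	if len(frame) < 2 {
		return nil, errors.New("frame shorter than the 2-byte length prefix")
	}
	if n := int(binary.BigEndian.Uint16(frame)); n != len(frame)-2 {
		return nil, fmt.Errorf("length prefix says %d bytes, frame carries %d", n, len(frame)-2)
	}
	return frame[2:], nil
}

func main() {
	tcp, _ := UDPToTCP(sampleUDPQuery)
	fmt.Printf("TCP frame prefix: % x (message length %d)\n", tcp[:2], len(sampleUDPQuery))
	udp, err := TCPToUDP(tcp)
	fmt.Println("round trip intact:", err == nil && len(udp) == len(sampleUDPQuery))
}
```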

func (*MatchDNS) CaddyModule

func (m *MatchDNS) CaddyModule() caddy.ModuleInfo

CaddyModule returns the Caddy module information.

func (*MatchDNS) Match

func (m *MatchDNS) Match(cx *layer4.Connection) (bool, error)

Match returns true if the connection bytes represent a valid DNS request message.

func (*MatchDNS) Provision

func (m *MatchDNS) Provision(cx caddy.Context) error

Provision prepares m's allow and deny rules.

func (*MatchDNS) UnmarshalCaddyfile

func (m *MatchDNS) UnmarshalCaddyfile(d *caddyfile.Dispenser) error

UnmarshalCaddyfile sets up the MatchDNS from Caddyfile tokens. Syntax:

dns {
	<allow|deny> <*|name> [<*|type> [<*|class>]]
	<allow_regexp|deny_regexp> <*|name_pattern> [<*|type_pattern> [<*|class_pattern>]]
	default_deny
	prefer_allow
}
dns

Note: multiple allow and deny options are allowed. If default_deny is set, DNS request messages that haven't been matched by any allow and deny rules are denied (the default action is allow). If prefer_allow is set, DNS request messages that have been matched by both allow and deny rules are allowed (the default action is deny). An asterisk should be used to skip filtering the corresponding question section field, i.e. it will match any value provided.

type MatchDNSRule

type MatchDNSRule struct {
	// Class may contain a value to match the question class. Use upper case letters, e.g. "IN", "CH", "ANY".
	// See the full list of valid class values in dns.StringToClass.
	Class string `json:"class,omitempty"`
	// ClassRegexp may contain a regular expression to match the question class. E.g. "^(IN|CH)$".
	// See the full list of valid class values in dns.StringToClass.
	ClassRegexp string `json:"class_regexp,omitempty"`
	// Name may contain a value to match the question domain name. E.g. "example.com.".
	// The domain name is provided in lower case ending with a dot.
	Name string `json:"name,omitempty"`
	// NameRegexp may contain a regular expression to match the question domain name.
	// E.g. "^(|[-0-9a-z]+\.)example\.com\.$". The domain name is provided in lower case ending with a dot.
	NameRegexp string `json:"name_regexp,omitempty"`
	// Type may contain a value to match the question type. Use upper case letters, e.g. "A", "MX", "NS".
	// See the full list of valid type values in dns.StringToType.
	Type string `json:"type,omitempty"`
	// TypeRegexp may contain a regular expression to match the question type. E.g. "^(MX|NS)$".
	// See the full list of valid type values in dns.StringToType.
	TypeRegexp string `json:"type_regexp,omitempty"`
	// contains filtered or unexported fields
}

MatchDNSRule represents a set of filters to match against the question section of a DNS request message. Full and regular expression matching filters are supported. If both filters are provided for a single field, the full matcher is evaluated first. An empty MatchDNSRule will match anything.
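Added example, not the package's own code, tying together the Caddyfile options above (allow, deny, default_deny, prefer_allow) and the rule semantics just described: a reduced rule type whose full-string filter is evaluated before its regexp, an any-rule list that matches nothing when empty, and a Decide function applying the allow/deny table as the doc comments describe it. Rule, Rules, Matcher, NewRule and Decide are names assumed for the example, and treating "no rules at all" as allowed is an assumption.

```go
package main
import "regexp"

// Rule stands in for MatchDNSRule reduced to its name field; "" or nil means "any".
type Rule struct {
	Name   string
	NameRe *regexp.Regexp
}

// NewRule compiles the pattern up front, as Provision does, so a bad regexp
// fails at config load rather than on the first DNS message.
func NewRule(name, pattern string) (r *Rule, err error) {
	r = &Rule{Name: name}
	if pattern != "" {
		r.NameRe, err = regexp.Compile(pattern)
	}
	return r, err
}

// Match applies the cheap full-string filter first, then the regexp; both must hold.
func (r *Rule) Match(qName string) bool {
	return (r.Name == "" || r.Name == qName) && (r.NameRe == nil || r.NameRe.MatchString(qName))
}

// Rules matches if any rule matches; an empty list matches nothing.
type Rules []*Rule
func (rs Rules) Match(qName string) bool {
	for _, r := range rs {
		if r.Match(qName) {
			return true
		}
	}
	return false
}

// Matcher carries the four MatchDNS knobs; Decide is an interpretation of the doc comments.
type Matcher struct {
	Allow, Deny              Rules
	DefaultDeny, PreferAllow bool
}
func (m Matcher) Decide(qName string) bool {
	a, d := m.Allow.Match(qName), m.Deny.Match(qName)
	if a || d {
		return a && (!d || m.PreferAllow) // one side hit wins; both hit: deny unless prefer_allow
	}
	if len(m.Allow) == 0 || len(m.Deny) == 0 {
		return len(m.Allow) == 0 // nothing hit: allow-only rejects, deny-only (or no rules, assumed) accepts
	}
	return !m.DefaultDeny // both kinds present, neither hit: allow unless default_deny
}
```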

func (*MatchDNSRule) Match

func (r *MatchDNSRule) Match(cx context.Context, qClass string, qType string, qName string) bool

func (*MatchDNSRule) Provision

func (r *MatchDNSRule) Provision(_ caddy.Context) (err error)

type MatchDNSRules

type MatchDNSRules []*MatchDNSRule

MatchDNSRules may contain a number of MatchDNSRule instances. An empty MatchDNSRules instance won't match anything.

func (*MatchDNSRules) Match

func (rs *MatchDNSRules) Match(cx context.Context, qClass string, qType string, qName string) bool

func (*MatchDNSRules) Provision

func (rs *MatchDNSRules) Provision(cx caddy.Context) error
