matth
/
fw-daemon
mirror of https://github.com/subgraph/fw-daemon
1
1
Fork 0
Code Releases Activity

Added support for AAAA records to DNS cache for IPv6 addressing.

Browse Source
shw_dev
shw 8 years ago
parent 8546f6c416
commit af874c7395
1 changed files with 45 additions and 35 deletions
Show Stats Download Patch File Download Diff File

80
sgfw/dns.go
Unescape View File

@ -5,6 +5,7 @@ import (
"strings" "strings"
"sync" "sync"
"time" "time"
"encoding/binary"
// "github.com/subgraph/go-nfnetlink" // "github.com/subgraph/go-nfnetlink"
"github.com/google/gopacket/layers" "github.com/google/gopacket/layers"
@ -64,7 +65,7 @@ func (dc *dnsCache) processDNS(pkt *nfqueue.NFQPacket) {
return return
} }
q := dns.question[0] q := dns.question[0]
if q.Qtype == dnsTypeA { if q.Qtype == dnsTypeA || q.Qtype == dnsTypeAAAA {
srcip, _ := getPacketIPAddrs(pkt) srcip, _ := getPacketIPAddrs(pkt)
pinfo := getEmptyPInfo() pinfo := getEmptyPInfo()
if !isNSTrusted(srcip) { if !isNSTrusted(srcip) {
@ -76,7 +77,7 @@ func (dc *dnsCache) processDNS(pkt *nfqueue.NFQPacket) {
} }
} }
//log.Notice("XXX: PROCESS LOOKUP -> ", pinfo) //log.Notice("XXX: PROCESS LOOKUP -> ", pinfo)
dc.processRecordA(q.Name, dns.answer, pinfo.Pid) dc.processRecordAddress(q.Name, dns.answer, pinfo.Pid)
return return
} }
log.Infof("Unhandled DNS message: %v", dns) log.Infof("Unhandled DNS message: %v", dns)
@ -106,51 +107,60 @@ func procDeathCallback(pid int, param interface{}) {
} }
} }
func (dc *dnsCache) processRecordA(name string, answers []dnsRR, pid int) { func (dc *dnsCache) processRecordAddress(name string, answers []dnsRR, pid int) {
dc.lock.Lock() dc.lock.Lock()
defer dc.lock.Unlock() defer dc.lock.Unlock()
for _, rr := range answers { for _, rr := range answers {
var aBytes []byte = nil
switch rec := rr.(type) { switch rec := rr.(type) {
case *dnsRR_A: case *dnsRR_A:
ip := net.IPv4(byte(rec.A>>24), byte(rec.A>>16), byte(rec.A>>8), byte(rec.A)).String() var ipA [4]byte
if strings.HasSuffix(name, ".") { aBytes = ipA[:]
name = name[:len(name)-1] binary.BigEndian.PutUint32(aBytes, rec.A)
} case *dnsRR_AAAA:
aBytes = rec.AAAA[:]
case *dnsRR_CNAME:
// Not that exotic; just ignore it
default:
log.Warningf("Unexpected RR type in answer section of A response: %v", rec)
}
// Just in case. if aBytes == nil {
if pid < 0 { continue
pid = 0 }
}
log.Noticef("______ Adding to dns map: %s: %s -> pid %d", name, ip, pid)
_, ok := dc.ipMap[pid] ip := net.IP(aBytes).String()
if !ok { if strings.HasSuffix(name, ".") {
dc.ipMap[pid] = make(map[string]dnsEntry) name = name[:len(name)-1]
} }
dc.ipMap[pid][ip] = newDNSEntry(name, rr.Header().TTL)
if pid > 0 { // Just in case.
log.Warning("Adding process to be monitored by DNS cache: ", pid) if pid < 0 {
pid = 0
}
log.Noticef("______ Adding to dns map: %s: %s -> pid %d", name, ip, pid)
_, ok := dc.ipMap[pid]
if !ok {
dc.ipMap[pid] = make(map[string]dnsEntry)
}
dc.ipMap[pid][ip] = newDNSEntry(name, rr.Header().TTL)
if pid > 0 {
log.Warning("Adding process to be monitored by DNS cache: ", pid)
if !monitoring {
mlock.Lock()
if !monitoring { if !monitoring {
mlock.Lock() monitoring = true
if !monitoring {
monitoring = true
// go checker(dc) // go checker(dc)
go pcoroner.MonitorThread(procDeathCallback, dc) go pcoroner.MonitorThread(procDeathCallback, dc)
}
mlock.Unlock()
} }
pcoroner.MonitorProcess(pid) mlock.Unlock()
}
if !FirewallConfig.LogRedact {
log.Infof("Adding %s: %s", name, ip)
} }
case *dnsRR_AAAA: pcoroner.MonitorProcess(pid)
log.Warning("AAAA record read from DNS; not supported.") }
case *dnsRR_CNAME: if !FirewallConfig.LogRedact {
// Not that exotic; just ignore it log.Infof("Adding %s: %s", name, ip)
default:
log.Warningf("Unexpected RR type in answer section of A response: %v", rec)
} }
} }
} }

Write Preview
Loading…
Cancel
Save