2021-05-21 06:15:47 -07:00
|
|
|
// Package filtering implements a DNS request and response filter.
|
|
|
|
|
package filtering
|
2018-08-30 07:25:33 -07:00
|
|
|
|
|
|
|
|
import (
|
2021-01-29 06:09:31 -07:00
|
|
|
"context"
|
2018-08-30 07:25:33 -07:00
|
|
|
"fmt"
|
2018-10-29 05:46:58 -07:00
|
|
|
"net"
|
2018-08-30 07:25:33 -07:00
|
|
|
"net/http"
|
2019-07-05 07:35:40 -07:00
|
|
|
"os"
|
2019-10-22 04:58:20 -07:00
|
|
|
"runtime"
|
2020-05-12 14:46:35 -07:00
|
|
|
"runtime/debug"
|
2018-08-30 07:25:33 -07:00
|
|
|
"strings"
|
2019-10-09 09:51:26 -07:00
|
|
|
"sync"
|
2021-05-24 04:48:42 -07:00
|
|
|
"sync/atomic"
|
2019-06-18 06:18:13 -07:00
|
|
|
|
2021-04-12 08:31:45 -07:00
|
|
|
"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
|
2021-04-20 06:26:19 -07:00
|
|
|
"github.com/AdguardTeam/AdGuardHome/internal/aghstrings"
|
2019-04-18 04:31:13 -07:00
|
|
|
"github.com/AdguardTeam/dnsproxy/upstream"
|
2019-08-22 05:09:43 -07:00
|
|
|
"github.com/AdguardTeam/golibs/cache"
|
2019-02-25 06:44:22 -07:00
|
|
|
"github.com/AdguardTeam/golibs/log"
|
2019-05-15 06:46:11 -07:00
|
|
|
"github.com/AdguardTeam/urlfilter"
|
2019-11-27 05:11:46 -07:00
|
|
|
"github.com/AdguardTeam/urlfilter/filterlist"
|
|
|
|
|
"github.com/AdguardTeam/urlfilter/rules"
|
2019-05-22 02:38:17 -07:00
|
|
|
"github.com/miekg/dns"
|
2018-08-30 07:25:33 -07:00
|
|
|
)
|
|
|
|
|
|
2019-07-23 02:21:37 -07:00
|
|
|
// ServiceEntry - blocked service array element
|
|
|
|
|
type ServiceEntry struct {
|
|
|
|
|
Name string
|
2019-11-27 05:11:46 -07:00
|
|
|
Rules []*rules.NetworkRule
|
2019-07-23 02:21:37 -07:00
|
|
|
}
|
|
|
|
|
|
2021-05-21 06:15:47 -07:00
|
|
|
// Settings are custom filtering settings for a client.
|
|
|
|
|
type Settings struct {
|
2020-06-23 04:36:26 -07:00
|
|
|
ClientName string
|
2021-01-20 07:27:53 -07:00
|
|
|
ClientIP net.IP
|
2020-06-23 04:36:26 -07:00
|
|
|
ClientTags []string
|
|
|
|
|
|
|
|
|
|
ServicesRules []ServiceEntry
|
2021-03-25 10:30:30 -07:00
|
|
|
|
|
|
|
|
FilteringEnabled bool
|
|
|
|
|
SafeSearchEnabled bool
|
|
|
|
|
SafeBrowsingEnabled bool
|
|
|
|
|
ParentalEnabled bool
|
2019-05-28 04:14:12 -07:00
|
|
|
}
|
|
|
|
|
|
2021-02-04 10:35:13 -07:00
|
|
|
// Resolver is the interface for net.Resolver to simplify testing.
|
|
|
|
|
type Resolver interface {
|
2021-03-11 02:17:54 -07:00
|
|
|
LookupIP(ctx context.Context, network, host string) (ips []net.IP, err error)
|
2021-02-04 10:35:13 -07:00
|
|
|
}
|
|
|
|
|
|
2018-11-30 03:32:51 -07:00
|
|
|
// Config allows you to configure DNS filtering with New() or just change variables directly.
|
|
|
|
|
type Config struct {
|
2021-05-24 04:48:42 -07:00
|
|
|
// enabled is used to be returned within Settings.
|
|
|
|
|
//
|
|
|
|
|
// It is of type uint32 to be accessed by atomic.
|
|
|
|
|
enabled uint32
|
|
|
|
|
|
2021-03-23 02:32:07 -07:00
|
|
|
ParentalEnabled bool `yaml:"parental_enabled"`
|
|
|
|
|
SafeSearchEnabled bool `yaml:"safesearch_enabled"`
|
|
|
|
|
SafeBrowsingEnabled bool `yaml:"safebrowsing_enabled"`
|
2019-05-28 04:14:12 -07:00
|
|
|
|
2019-08-22 05:09:43 -07:00
|
|
|
SafeBrowsingCacheSize uint `yaml:"safebrowsing_cache_size"` // (in bytes)
|
|
|
|
|
SafeSearchCacheSize uint `yaml:"safesearch_cache_size"` // (in bytes)
|
|
|
|
|
ParentalCacheSize uint `yaml:"parental_cache_size"` // (in bytes)
|
|
|
|
|
CacheTime uint `yaml:"cache_time"` // Element's TTL (in minutes)
|
|
|
|
|
|
2019-07-29 01:37:16 -07:00
|
|
|
Rewrites []RewriteEntry `yaml:"rewrites"`
|
|
|
|
|
|
2020-02-18 10:17:35 -07:00
|
|
|
// Names of services to block (globally).
|
|
|
|
|
// Per-client settings can override this configuration.
|
|
|
|
|
BlockedServices []string `yaml:"blocked_services"`
|
|
|
|
|
|
2021-04-12 08:31:45 -07:00
|
|
|
// EtcHosts is a container of IP-hostname pairs taken from the operating
|
|
|
|
|
// system configuration files (e.g. /etc/hosts).
|
|
|
|
|
EtcHosts *aghnet.EtcHostsContainer `yaml:"-"`
|
2020-03-20 05:05:43 -07:00
|
|
|
|
2019-10-09 09:51:26 -07:00
|
|
|
// Called when the configuration is changed by HTTP request
|
|
|
|
|
ConfigModified func() `yaml:"-"`
|
2018-11-30 03:32:51 -07:00
|
|
|
|
2019-10-09 09:51:26 -07:00
|
|
|
// Register an HTTP handler
|
|
|
|
|
HTTPRegister func(string, string, func(http.ResponseWriter, *http.Request)) `yaml:"-"`
|
2021-02-04 10:35:13 -07:00
|
|
|
|
|
|
|
|
// CustomResolver is the resolver used by DNSFilter.
|
2021-04-07 10:16:06 -07:00
|
|
|
CustomResolver Resolver `yaml:"-"`
|
2018-08-30 07:25:33 -07:00
|
|
|
}
|
|
|
|
|
|
2018-09-14 06:50:56 -07:00
|
|
|
// LookupStats store stats collected during safebrowsing or parental checks
|
2018-08-30 07:25:33 -07:00
|
|
|
type LookupStats struct {
|
|
|
|
|
Requests uint64 // number of HTTP requests that were sent
|
|
|
|
|
CacheHits uint64 // number of lookups that didn't need HTTP requests
|
|
|
|
|
Pending int64 // number of currently pending HTTP requests
|
|
|
|
|
PendingMax int64 // maximum number of pending HTTP requests
|
|
|
|
|
}
|
|
|
|
|
|
2019-02-22 06:34:36 -07:00
|
|
|
// Stats store LookupStats for safebrowsing, parental and safesearch
|
2018-08-30 07:25:33 -07:00
|
|
|
type Stats struct {
|
|
|
|
|
Safebrowsing LookupStats
|
|
|
|
|
Parental LookupStats
|
2019-02-22 06:34:36 -07:00
|
|
|
Safesearch LookupStats
|
2018-08-30 07:25:33 -07:00
|
|
|
}
|
|
|
|
|
|
2019-10-09 09:51:26 -07:00
|
|
|
// Parameters to pass to filters-initializer goroutine
|
|
|
|
|
type filtersInitializerParams struct {
|
2020-02-26 09:58:25 -07:00
|
|
|
allowFilters []Filter
|
|
|
|
|
blockFilters []Filter
|
2019-10-09 09:51:26 -07:00
|
|
|
}
|
|
|
|
|
|
2021-03-25 10:30:30 -07:00
|
|
|
type hostChecker struct {
|
2021-05-21 06:15:47 -07:00
|
|
|
check func(host string, qtype uint16, setts *Settings) (res Result, err error)
|
2021-03-25 10:30:30 -07:00
|
|
|
name string
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-17 03:32:46 -07:00
|
|
|
// DNSFilter matches hostnames and DNS requests against filtering rules.
|
|
|
|
|
type DNSFilter struct {
|
2020-02-26 09:58:25 -07:00
|
|
|
rulesStorage *filterlist.RuleStorage
|
|
|
|
|
filteringEngine *urlfilter.DNSEngine
|
2020-12-21 07:48:07 -07:00
|
|
|
rulesStorageAllow *filterlist.RuleStorage
|
|
|
|
|
filteringEngineAllow *urlfilter.DNSEngine
|
2020-02-26 09:58:25 -07:00
|
|
|
engineLock sync.RWMutex
|
2019-05-15 06:46:11 -07:00
|
|
|
|
2019-10-16 02:57:49 -07:00
|
|
|
parentalServer string // access via methods
|
|
|
|
|
safeBrowsingServer string // access via methods
|
|
|
|
|
parentalUpstream upstream.Upstream
|
|
|
|
|
safeBrowsingUpstream upstream.Upstream
|
2019-10-09 09:51:26 -07:00
|
|
|
|
2021-05-24 04:48:42 -07:00
|
|
|
Config // for direct access by library users, even a = assignment
|
|
|
|
|
// confLock protects Config.
|
2019-10-09 09:51:26 -07:00
|
|
|
confLock sync.RWMutex
|
|
|
|
|
|
|
|
|
|
// Channel for passing data to filters-initializer goroutine
|
|
|
|
|
filtersInitializerChan chan filtersInitializerParams
|
|
|
|
|
filtersInitializerLock sync.Mutex
|
2021-01-29 06:09:31 -07:00
|
|
|
|
|
|
|
|
// resolver only looks up the IP address of the host while safe search.
|
|
|
|
|
//
|
|
|
|
|
// TODO(e.burkov): Use upstream that configured in dnsforward instead.
|
|
|
|
|
resolver Resolver
|
2021-03-25 10:30:30 -07:00
|
|
|
|
|
|
|
|
hostCheckers []hostChecker
|
2018-08-30 07:25:33 -07:00
|
|
|
}
|
|
|
|
|
|
2019-01-24 10:11:01 -07:00
|
|
|
// Filter represents a filter list
|
2018-11-30 03:24:42 -07:00
|
|
|
type Filter struct {
|
2019-09-04 04:12:00 -07:00
|
|
|
ID int64 // auto-assigned when filter is added (see nextFilterID)
|
|
|
|
|
Data []byte `yaml:"-"` // List of rules divided by '\n'
|
|
|
|
|
FilePath string `yaml:"-"` // Path to a filtering rules file
|
2018-11-30 03:24:42 -07:00
|
|
|
}
|
|
|
|
|
|
2018-09-14 06:50:56 -07:00
|
|
|
// Reason holds an enum detailing why it was filtered or not filtered
|
2018-08-30 07:25:33 -07:00
|
|
|
type Reason int
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
// reasons for not filtering
|
2019-01-24 10:11:01 -07:00
|
|
|
|
|
|
|
|
// NotFilteredNotFound - host was not find in any checks, default value for result
|
|
|
|
|
NotFilteredNotFound Reason = iota
|
2020-12-21 07:48:07 -07:00
|
|
|
// NotFilteredAllowList - the host is explicitly allowed
|
|
|
|
|
NotFilteredAllowList
|
2020-12-17 03:32:46 -07:00
|
|
|
// NotFilteredError is returned when there was an error during
|
2020-12-14 10:12:57 -07:00
|
|
|
// checking. Reserved, currently unused.
|
|
|
|
|
NotFilteredError
|
2018-08-30 07:25:33 -07:00
|
|
|
|
|
|
|
|
// reasons for filtering
|
2019-01-24 10:11:01 -07:00
|
|
|
|
2020-12-21 07:48:07 -07:00
|
|
|
// FilteredBlockList - the host was matched to be advertising host
|
|
|
|
|
FilteredBlockList
|
2019-01-24 10:11:01 -07:00
|
|
|
// FilteredSafeBrowsing - the host was matched to be malicious/phishing
|
|
|
|
|
FilteredSafeBrowsing
|
|
|
|
|
// FilteredParental - the host was matched to be outside of parental control settings
|
|
|
|
|
FilteredParental
|
|
|
|
|
// FilteredInvalid - the request was invalid and was not processed
|
|
|
|
|
FilteredInvalid
|
|
|
|
|
// FilteredSafeSearch - the host was replaced with safesearch variant
|
|
|
|
|
FilteredSafeSearch
|
2019-07-23 02:21:37 -07:00
|
|
|
// FilteredBlockedService - the host is blocked by "blocked services" settings
|
|
|
|
|
FilteredBlockedService
|
2019-07-29 01:37:16 -07:00
|
|
|
|
2020-12-28 08:41:50 -07:00
|
|
|
// Rewritten is returned when there was a rewrite by a legacy DNS
|
|
|
|
|
// rewrite rule.
|
|
|
|
|
Rewritten
|
|
|
|
|
|
|
|
|
|
// RewrittenAutoHosts is returned when there was a rewrite by autohosts
|
|
|
|
|
// rules (/etc/hosts and so on).
|
|
|
|
|
RewrittenAutoHosts
|
|
|
|
|
|
|
|
|
|
// RewrittenRule is returned when a $dnsrewrite filter rule was applied.
|
|
|
|
|
//
|
|
|
|
|
// TODO(a.garipov): Remove Rewritten and RewrittenAutoHosts by merging
|
|
|
|
|
// their functionality into RewrittenRule.
|
|
|
|
|
//
|
|
|
|
|
// See https://github.com/AdguardTeam/AdGuardHome/issues/2499.
|
|
|
|
|
RewrittenRule
|
2018-08-30 07:25:33 -07:00
|
|
|
)
|
|
|
|
|
|
2020-12-17 03:32:46 -07:00
|
|
|
// TODO(a.garipov): Resync with actual code names or replace completely
|
|
|
|
|
// in HTTP API v1.
|
2019-10-09 09:51:26 -07:00
|
|
|
var reasonNames = []string{
|
2020-12-17 03:32:46 -07:00
|
|
|
NotFilteredNotFound: "NotFilteredNotFound",
|
2020-12-21 07:48:07 -07:00
|
|
|
NotFilteredAllowList: "NotFilteredWhiteList",
|
2020-12-17 03:32:46 -07:00
|
|
|
NotFilteredError: "NotFilteredError",
|
2019-10-09 09:51:26 -07:00
|
|
|
|
2020-12-21 07:48:07 -07:00
|
|
|
FilteredBlockList: "FilteredBlackList",
|
2020-12-17 03:32:46 -07:00
|
|
|
FilteredSafeBrowsing: "FilteredSafeBrowsing",
|
|
|
|
|
FilteredParental: "FilteredParental",
|
|
|
|
|
FilteredInvalid: "FilteredInvalid",
|
|
|
|
|
FilteredSafeSearch: "FilteredSafeSearch",
|
|
|
|
|
FilteredBlockedService: "FilteredBlockedService",
|
2019-10-09 09:51:26 -07:00
|
|
|
|
2020-12-28 08:41:50 -07:00
|
|
|
Rewritten: "Rewrite",
|
|
|
|
|
RewrittenAutoHosts: "RewriteEtcHosts",
|
|
|
|
|
RewrittenRule: "RewriteRule",
|
2019-10-09 09:51:26 -07:00
|
|
|
}
|
|
|
|
|
|
2019-08-19 14:55:32 -07:00
|
|
|
func (r Reason) String() string {
|
2020-12-21 07:48:07 -07:00
|
|
|
if r < 0 || int(r) >= len(reasonNames) {
|
2019-10-09 09:51:26 -07:00
|
|
|
return ""
|
|
|
|
|
}
|
2020-12-21 07:48:07 -07:00
|
|
|
|
2019-10-09 09:51:26 -07:00
|
|
|
return reasonNames[r]
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-20 07:32:41 -07:00
|
|
|
// In returns true if reasons include r.
|
|
|
|
|
func (r Reason) In(reasons ...Reason) bool {
|
|
|
|
|
for _, reason := range reasons {
|
|
|
|
|
if r == reason {
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
2021-05-24 04:48:42 -07:00
|
|
|
// SetEnabled sets the status of the *DNSFilter.
|
|
|
|
|
func (d *DNSFilter) SetEnabled(enabled bool) {
|
|
|
|
|
var i int32
|
|
|
|
|
if enabled {
|
|
|
|
|
i = 1
|
|
|
|
|
}
|
|
|
|
|
atomic.StoreUint32(&d.enabled, uint32(i))
|
|
|
|
|
}
|
|
|
|
|
|
2019-10-09 09:51:26 -07:00
|
|
|
// GetConfig - get configuration
|
2021-05-24 04:48:42 -07:00
|
|
|
func (d *DNSFilter) GetConfig() (s Settings) {
|
|
|
|
|
d.confLock.RLock()
|
|
|
|
|
defer d.confLock.RUnlock()
|
|
|
|
|
|
|
|
|
|
return Settings{
|
|
|
|
|
FilteringEnabled: atomic.LoadUint32(&d.Config.enabled) == 1,
|
|
|
|
|
SafeSearchEnabled: d.Config.SafeSearchEnabled,
|
|
|
|
|
SafeBrowsingEnabled: d.Config.SafeBrowsingEnabled,
|
|
|
|
|
ParentalEnabled: d.Config.ParentalEnabled,
|
|
|
|
|
}
|
2019-10-09 09:51:26 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// WriteDiskConfig - write configuration
|
2020-12-17 03:32:46 -07:00
|
|
|
func (d *DNSFilter) WriteDiskConfig(c *Config) {
|
2020-01-16 02:51:35 -07:00
|
|
|
d.confLock.Lock()
|
2019-10-09 09:51:26 -07:00
|
|
|
*c = d.Config
|
2020-01-16 02:51:35 -07:00
|
|
|
c.Rewrites = rewriteArrayDup(d.Config.Rewrites)
|
2020-02-18 10:17:35 -07:00
|
|
|
// BlockedServices
|
2020-01-16 02:51:35 -07:00
|
|
|
d.confLock.Unlock()
|
2019-10-09 09:51:26 -07:00
|
|
|
}
|
2019-07-29 01:37:16 -07:00
|
|
|
|
2019-10-09 09:51:26 -07:00
|
|
|
// SetFilters - set new filters (synchronously or asynchronously)
|
|
|
|
|
// When filters are set asynchronously, the old filters continue working until the new filters are ready.
|
|
|
|
|
// In this case the caller must ensure that the old filter files are intact.
|
2020-12-17 03:32:46 -07:00
|
|
|
func (d *DNSFilter) SetFilters(blockFilters, allowFilters []Filter, async bool) error {
|
2019-10-09 09:51:26 -07:00
|
|
|
if async {
|
|
|
|
|
params := filtersInitializerParams{
|
2020-02-26 09:58:25 -07:00
|
|
|
allowFilters: allowFilters,
|
|
|
|
|
blockFilters: blockFilters,
|
2019-10-09 09:51:26 -07:00
|
|
|
}
|
2019-07-29 01:37:16 -07:00
|
|
|
|
2019-10-09 09:51:26 -07:00
|
|
|
d.filtersInitializerLock.Lock() // prevent multiple writers from adding more than 1 task
|
|
|
|
|
// remove all pending tasks
|
|
|
|
|
stop := false
|
|
|
|
|
for !stop {
|
|
|
|
|
select {
|
|
|
|
|
case <-d.filtersInitializerChan:
|
|
|
|
|
//
|
|
|
|
|
default:
|
|
|
|
|
stop = true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
d.filtersInitializerChan <- params
|
|
|
|
|
d.filtersInitializerLock.Unlock()
|
|
|
|
|
return nil
|
2019-07-23 01:43:30 -07:00
|
|
|
}
|
2019-10-09 09:51:26 -07:00
|
|
|
|
2020-02-26 09:58:25 -07:00
|
|
|
err := d.initFiltering(allowFilters, blockFilters)
|
2019-10-09 09:51:26 -07:00
|
|
|
if err != nil {
|
|
|
|
|
log.Error("Can't initialize filtering subsystem: %s", err)
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Starts initializing new filters by signal from channel
|
2020-12-17 03:32:46 -07:00
|
|
|
func (d *DNSFilter) filtersInitializer() {
|
2019-10-09 09:51:26 -07:00
|
|
|
for {
|
|
|
|
|
params := <-d.filtersInitializerChan
|
2020-02-26 09:58:25 -07:00
|
|
|
err := d.initFiltering(params.allowFilters, params.blockFilters)
|
2019-10-09 09:51:26 -07:00
|
|
|
if err != nil {
|
|
|
|
|
log.Error("Can't initialize filtering subsystem: %s", err)
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Close - close the object
|
2020-12-17 03:32:46 -07:00
|
|
|
func (d *DNSFilter) Close() {
|
2020-03-05 03:12:21 -07:00
|
|
|
d.engineLock.Lock()
|
|
|
|
|
defer d.engineLock.Unlock()
|
2020-02-26 09:58:25 -07:00
|
|
|
d.reset()
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-17 03:32:46 -07:00
|
|
|
func (d *DNSFilter) reset() {
|
2020-12-07 05:38:05 -07:00
|
|
|
var err error
|
|
|
|
|
|
2019-10-09 09:51:26 -07:00
|
|
|
if d.rulesStorage != nil {
|
2020-12-07 05:38:05 -07:00
|
|
|
err = d.rulesStorage.Close()
|
|
|
|
|
if err != nil {
|
2021-05-21 06:15:47 -07:00
|
|
|
log.Error("filtering: rulesStorage.Close: %s", err)
|
2020-12-07 05:38:05 -07:00
|
|
|
}
|
2019-07-23 01:43:30 -07:00
|
|
|
}
|
2020-12-07 05:38:05 -07:00
|
|
|
|
2020-12-21 07:48:07 -07:00
|
|
|
if d.rulesStorageAllow != nil {
|
|
|
|
|
err = d.rulesStorageAllow.Close()
|
2020-12-07 05:38:05 -07:00
|
|
|
if err != nil {
|
2021-05-21 06:15:47 -07:00
|
|
|
log.Error("filtering: rulesStorageAllow.Close: %s", err)
|
2020-12-07 05:38:05 -07:00
|
|
|
}
|
2020-02-26 09:58:25 -07:00
|
|
|
}
|
2019-07-23 01:43:30 -07:00
|
|
|
}
|
|
|
|
|
|
2019-06-27 00:48:12 -07:00
|
|
|
type dnsFilterContext struct {
|
2019-08-22 05:09:43 -07:00
|
|
|
safebrowsingCache cache.Cache
|
|
|
|
|
parentalCache cache.Cache
|
|
|
|
|
safeSearchCache cache.Cache
|
2019-06-24 09:00:03 -07:00
|
|
|
}
|
|
|
|
|
|
2021-05-21 06:15:47 -07:00
|
|
|
var gctx dnsFilterContext
|
2018-08-30 07:25:33 -07:00
|
|
|
|
2020-12-17 03:32:46 -07:00
|
|
|
// ResultRule contains information about applied rules.
|
|
|
|
|
type ResultRule struct {
|
|
|
|
|
// FilterListID is the ID of the rule's filter list.
|
|
|
|
|
FilterListID int64 `json:",omitempty"`
|
|
|
|
|
// Text is the text of the rule.
|
|
|
|
|
Text string `json:",omitempty"`
|
|
|
|
|
// IP is the host IP. It is nil unless the rule uses the
|
|
|
|
|
// /etc/hosts syntax or the reason is FilteredSafeSearch.
|
|
|
|
|
IP net.IP `json:",omitempty"`
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Result contains the result of a request check.
|
|
|
|
|
//
|
|
|
|
|
// All fields transitively have omitempty tags so that the query log
|
|
|
|
|
// doesn't become too large.
|
|
|
|
|
//
|
|
|
|
|
// TODO(a.garipov): Clarify relationships between fields. Perhaps
|
|
|
|
|
// replace with a sum type or an interface?
|
2018-08-30 07:25:33 -07:00
|
|
|
type Result struct {
|
2020-12-17 03:32:46 -07:00
|
|
|
// IsFiltered is true if the request is filtered.
|
|
|
|
|
IsFiltered bool `json:",omitempty"`
|
2019-07-29 01:37:16 -07:00
|
|
|
|
2020-12-17 03:32:46 -07:00
|
|
|
// Reason is the reason for blocking or unblocking the request.
|
|
|
|
|
Reason Reason `json:",omitempty"`
|
2020-04-16 08:56:47 -07:00
|
|
|
|
2020-12-17 03:32:46 -07:00
|
|
|
// Rules are applied rules. If Rules are not empty, each rule
|
|
|
|
|
// is not nil.
|
|
|
|
|
Rules []*ResultRule `json:",omitempty"`
|
|
|
|
|
|
|
|
|
|
// ReverseHosts is the reverse lookup rewrite result. It is
|
2020-12-28 08:41:50 -07:00
|
|
|
// empty unless Reason is set to RewrittenAutoHosts.
|
2020-11-06 07:34:40 -07:00
|
|
|
ReverseHosts []string `json:",omitempty"`
|
2020-04-16 08:56:47 -07:00
|
|
|
|
2020-12-17 03:32:46 -07:00
|
|
|
// IPList is the lookup rewrite result. It is empty unless
|
2020-12-28 08:41:50 -07:00
|
|
|
// Reason is set to RewrittenAutoHosts or Rewritten.
|
2020-12-17 03:32:46 -07:00
|
|
|
IPList []net.IP `json:",omitempty"`
|
|
|
|
|
|
|
|
|
|
// CanonName is the CNAME value from the lookup rewrite result.
|
2020-12-28 08:41:50 -07:00
|
|
|
// It is empty unless Reason is set to Rewritten or RewrittenRule.
|
2020-12-17 03:32:46 -07:00
|
|
|
CanonName string `json:",omitempty"`
|
2019-07-23 02:21:37 -07:00
|
|
|
|
2020-12-17 03:32:46 -07:00
|
|
|
// ServiceName is the name of the blocked service. It is empty
|
|
|
|
|
// unless Reason is set to FilteredBlockedService.
|
|
|
|
|
ServiceName string `json:",omitempty"`
|
2020-12-21 07:48:07 -07:00
|
|
|
|
|
|
|
|
// DNSRewriteResult is the $dnsrewrite filter rule result.
|
|
|
|
|
DNSRewriteResult *DNSRewriteResult `json:",omitempty"`
|
2018-08-30 07:25:33 -07:00
|
|
|
}
|
|
|
|
|
|
2020-12-17 03:32:46 -07:00
|
|
|
// Matched returns true if any match at all was found regardless of
|
|
|
|
|
// whether it was filtered or not.
|
2018-08-30 07:25:33 -07:00
|
|
|
func (r Reason) Matched() bool {
|
|
|
|
|
return r != NotFilteredNotFound
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-17 03:32:46 -07:00
|
|
|
// CheckHostRules tries to match the host against filtering rules only.
|
2021-05-21 06:15:47 -07:00
|
|
|
func (d *DNSFilter) CheckHostRules(host string, qtype uint16, setts *Settings) (Result, error) {
|
2019-12-23 05:59:49 -07:00
|
|
|
if !setts.FilteringEnabled {
|
|
|
|
|
return Result{}, nil
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-25 10:30:30 -07:00
|
|
|
return d.matchHost(host, qtype, setts)
|
2019-12-23 05:59:49 -07:00
|
|
|
}
|
|
|
|
|
|
2021-03-25 10:30:30 -07:00
|
|
|
// CheckHost tries to match the host against filtering rules, then safebrowsing
|
|
|
|
|
// and parental control rules, if they are enabled.
|
|
|
|
|
func (d *DNSFilter) CheckHost(
|
|
|
|
|
host string,
|
|
|
|
|
qtype uint16,
|
2021-05-21 06:15:47 -07:00
|
|
|
setts *Settings,
|
2021-03-25 10:30:30 -07:00
|
|
|
) (res Result, err error) {
|
|
|
|
|
// Sometimes clients try to resolve ".", which is a request to get root
|
|
|
|
|
// servers.
|
2018-08-30 07:25:33 -07:00
|
|
|
if host == "" {
|
2018-10-04 21:31:56 -07:00
|
|
|
return Result{Reason: NotFilteredNotFound}, nil
|
2018-08-30 07:25:33 -07:00
|
|
|
}
|
2020-03-20 05:05:43 -07:00
|
|
|
|
2021-03-25 10:30:30 -07:00
|
|
|
host = strings.ToLower(host)
|
2019-02-22 06:34:36 -07:00
|
|
|
|
2021-03-25 10:30:30 -07:00
|
|
|
res = d.processRewrites(host, qtype)
|
|
|
|
|
if res.Reason == Rewritten {
|
|
|
|
|
return res, nil
|
2018-08-30 07:25:33 -07:00
|
|
|
}
|
|
|
|
|
|
2021-03-25 10:30:30 -07:00
|
|
|
for _, hc := range d.hostCheckers {
|
|
|
|
|
res, err = hc.check(host, qtype, setts)
|
2018-08-30 07:25:33 -07:00
|
|
|
if err != nil {
|
2021-03-25 10:30:30 -07:00
|
|
|
return Result{}, fmt.Errorf("%s: %w", hc.name, err)
|
2018-08-30 07:25:33 -07:00
|
|
|
}
|
2020-09-11 05:52:46 -07:00
|
|
|
|
2021-03-25 10:30:30 -07:00
|
|
|
if res.Reason.Matched() {
|
|
|
|
|
return res, nil
|
2018-08-30 07:25:33 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return Result{}, nil
|
|
|
|
|
}
|
|
|
|
|
|
2021-04-15 09:00:31 -07:00
|
|
|
// checkEtcHosts compares the host against our /etc/hosts table. The err is
|
2021-03-25 10:30:30 -07:00
|
|
|
// always nil, it is only there to make this a valid hostChecker function.
|
2021-04-15 09:00:31 -07:00
|
|
|
func (d *DNSFilter) checkEtcHosts(
|
2021-03-25 10:30:30 -07:00
|
|
|
host string,
|
|
|
|
|
qtype uint16,
|
2021-05-21 06:15:47 -07:00
|
|
|
_ *Settings,
|
2021-03-25 10:30:30 -07:00
|
|
|
) (res Result, err error) {
|
2021-04-12 08:31:45 -07:00
|
|
|
if d.Config.EtcHosts == nil {
|
2021-03-25 10:30:30 -07:00
|
|
|
return Result{}, nil
|
|
|
|
|
}
|
|
|
|
|
|
2021-04-12 08:31:45 -07:00
|
|
|
ips := d.Config.EtcHosts.Process(host, qtype)
|
2020-11-06 07:34:40 -07:00
|
|
|
if ips != nil {
|
2021-03-25 10:30:30 -07:00
|
|
|
res = Result{
|
|
|
|
|
Reason: RewrittenAutoHosts,
|
|
|
|
|
IPList: ips,
|
|
|
|
|
}
|
2020-11-06 07:34:40 -07:00
|
|
|
|
2021-03-25 10:30:30 -07:00
|
|
|
return res, nil
|
2020-11-06 07:34:40 -07:00
|
|
|
}
|
|
|
|
|
|
2021-04-12 08:31:45 -07:00
|
|
|
revHosts := d.Config.EtcHosts.ProcessReverse(host, qtype)
|
2020-11-06 07:34:40 -07:00
|
|
|
if len(revHosts) != 0 {
|
2021-03-25 10:30:30 -07:00
|
|
|
res = Result{
|
|
|
|
|
Reason: RewrittenAutoHosts,
|
|
|
|
|
}
|
2020-11-06 07:34:40 -07:00
|
|
|
|
|
|
|
|
// TODO(a.garipov): Optimize this with a buffer.
|
2021-03-25 10:30:30 -07:00
|
|
|
res.ReverseHosts = make([]string, len(revHosts))
|
2020-11-06 07:34:40 -07:00
|
|
|
for i := range revHosts {
|
2021-03-25 10:30:30 -07:00
|
|
|
res.ReverseHosts[i] = revHosts[i] + "."
|
2020-11-06 07:34:40 -07:00
|
|
|
}
|
|
|
|
|
|
2021-03-25 10:30:30 -07:00
|
|
|
return res, nil
|
2020-11-06 07:34:40 -07:00
|
|
|
}
|
|
|
|
|
|
2021-03-25 10:30:30 -07:00
|
|
|
return Result{}, nil
|
2020-11-06 07:34:40 -07:00
|
|
|
}
|
|
|
|
|
|
2019-07-29 01:37:16 -07:00
|
|
|
// Process rewrites table
|
2020-01-16 02:51:35 -07:00
|
|
|
// . Find CNAME for a domain name (exact match or by wildcard)
|
2020-05-26 01:42:42 -07:00
|
|
|
// . if found and CNAME equals to domain name - this is an exception; exit
|
2019-07-29 01:37:16 -07:00
|
|
|
// . if found, set domain name to canonical name
|
2020-01-16 02:51:35 -07:00
|
|
|
// . repeat for the new domain name (Note: we return only the last CNAME)
|
|
|
|
|
// . Find A or AAAA record for a domain name (exact match or by wildcard)
|
2020-06-03 02:04:23 -07:00
|
|
|
// . if found, set IP addresses (IPv4 or IPv6 depending on qtype) in Result.IPList array
|
2020-12-21 07:48:07 -07:00
|
|
|
func (d *DNSFilter) processRewrites(host string, qtype uint16) (res Result) {
|
2019-10-09 09:51:26 -07:00
|
|
|
d.confLock.RLock()
|
|
|
|
|
defer d.confLock.RUnlock()
|
|
|
|
|
|
2020-01-16 02:51:35 -07:00
|
|
|
rr := findRewrites(d.Rewrites, host)
|
|
|
|
|
if len(rr) != 0 {
|
2020-12-28 08:41:50 -07:00
|
|
|
res.Reason = Rewritten
|
2019-07-29 01:37:16 -07:00
|
|
|
}
|
|
|
|
|
|
2021-04-20 06:26:19 -07:00
|
|
|
cnames := aghstrings.NewSet()
|
2020-01-16 02:51:35 -07:00
|
|
|
origHost := host
|
|
|
|
|
for len(rr) != 0 && rr[0].Type == dns.TypeCNAME {
|
2021-04-20 06:26:19 -07:00
|
|
|
log.Debug("rewrite: CNAME for %s is %s", host, rr[0].Answer)
|
2020-05-26 01:42:42 -07:00
|
|
|
|
|
|
|
|
if host == rr[0].Answer { // "host == CNAME" is an exception
|
2020-12-21 07:48:07 -07:00
|
|
|
res.Reason = NotFilteredNotFound
|
|
|
|
|
|
2020-05-26 01:42:42 -07:00
|
|
|
return res
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-16 02:51:35 -07:00
|
|
|
host = rr[0].Answer
|
2021-04-20 06:26:19 -07:00
|
|
|
if cnames.Has(host) {
|
|
|
|
|
log.Info("rewrite: breaking CNAME redirection loop: %s. Question: %s", host, origHost)
|
|
|
|
|
|
2020-01-16 02:51:35 -07:00
|
|
|
return res
|
2019-07-29 01:37:16 -07:00
|
|
|
}
|
2021-04-20 06:26:19 -07:00
|
|
|
|
|
|
|
|
cnames.Add(host)
|
2020-01-16 02:51:35 -07:00
|
|
|
res.CanonName = rr[0].Answer
|
|
|
|
|
rr = findRewrites(d.Rewrites, host)
|
2019-07-29 01:37:16 -07:00
|
|
|
}
|
|
|
|
|
|
2020-01-16 02:51:35 -07:00
|
|
|
for _, r := range rr {
|
2020-06-03 02:04:23 -07:00
|
|
|
if (r.Type == dns.TypeA && qtype == dns.TypeA) ||
|
|
|
|
|
(r.Type == dns.TypeAAAA && qtype == dns.TypeAAAA) {
|
|
|
|
|
|
|
|
|
|
if r.IP == nil { // IP exception
|
|
|
|
|
res.Reason = 0
|
|
|
|
|
return res
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-16 02:51:35 -07:00
|
|
|
res.IPList = append(res.IPList, r.IP)
|
2021-04-20 06:26:19 -07:00
|
|
|
log.Debug("rewrite: A/AAAA for %s is %s", host, r.IP)
|
2020-01-16 02:51:35 -07:00
|
|
|
}
|
2019-07-29 01:37:16 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return res
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-25 10:30:30 -07:00
|
|
|
// matchBlockedServicesRules checks the host against the blocked services rules
|
|
|
|
|
// in settings, if any. The err is always nil, it is only there to make this
|
|
|
|
|
// a valid hostChecker function.
|
|
|
|
|
func matchBlockedServicesRules(
|
|
|
|
|
host string,
|
|
|
|
|
_ uint16,
|
2021-05-21 06:15:47 -07:00
|
|
|
setts *Settings,
|
2021-03-25 10:30:30 -07:00
|
|
|
) (res Result, err error) {
|
|
|
|
|
svcs := setts.ServicesRules
|
|
|
|
|
if len(svcs) == 0 {
|
|
|
|
|
return Result{}, nil
|
|
|
|
|
}
|
2019-07-23 02:21:37 -07:00
|
|
|
|
2021-03-25 10:30:30 -07:00
|
|
|
req := rules.NewRequestForHostname(host)
|
2019-07-23 02:21:37 -07:00
|
|
|
for _, s := range svcs {
|
|
|
|
|
for _, rule := range s.Rules {
|
|
|
|
|
if rule.Match(req) {
|
|
|
|
|
res.Reason = FilteredBlockedService
|
|
|
|
|
res.IsFiltered = true
|
|
|
|
|
res.ServiceName = s.Name
|
2020-12-17 03:32:46 -07:00
|
|
|
|
|
|
|
|
ruleText := rule.Text()
|
|
|
|
|
res.Rules = []*ResultRule{{
|
|
|
|
|
FilterListID: int64(rule.GetFilterListID()),
|
|
|
|
|
Text: ruleText,
|
|
|
|
|
}}
|
|
|
|
|
|
|
|
|
|
log.Debug("blocked services: matched rule: %s host: %s service: %s",
|
|
|
|
|
ruleText, host, s.Name)
|
|
|
|
|
|
2021-03-25 10:30:30 -07:00
|
|
|
return res, nil
|
2019-07-23 02:21:37 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-03-25 10:30:30 -07:00
|
|
|
|
|
|
|
|
return res, nil
|
2019-07-23 02:21:37 -07:00
|
|
|
}
|
|
|
|
|
|
2018-08-30 07:25:33 -07:00
|
|
|
//
|
|
|
|
|
// Adding rule and matching against the rules
|
|
|
|
|
//
|
|
|
|
|
|
2020-11-06 02:15:08 -07:00
|
|
|
// fileExists returns true if file exists.
|
2019-07-05 07:35:40 -07:00
|
|
|
func fileExists(fn string) bool {
|
|
|
|
|
_, err := os.Stat(fn)
|
2020-11-06 02:15:08 -07:00
|
|
|
return err == nil
|
2019-07-05 07:35:40 -07:00
|
|
|
}
|
|
|
|
|
|
2020-02-26 09:58:25 -07:00
|
|
|
func createFilteringEngine(filters []Filter) (*filterlist.RuleStorage, *urlfilter.DNSEngine, error) {
|
2019-11-27 05:11:46 -07:00
|
|
|
listArray := []filterlist.RuleList{}
|
2020-02-26 09:58:25 -07:00
|
|
|
for _, f := range filters {
|
2019-11-27 05:11:46 -07:00
|
|
|
var list filterlist.RuleList
|
2019-07-05 07:35:40 -07:00
|
|
|
|
2020-02-26 09:58:25 -07:00
|
|
|
if f.ID == 0 {
|
2019-11-27 05:11:46 -07:00
|
|
|
list = &filterlist.StringRuleList{
|
2019-07-04 04:00:20 -07:00
|
|
|
ID: 0,
|
2020-02-26 09:58:25 -07:00
|
|
|
RulesText: string(f.Data),
|
2019-10-22 04:58:20 -07:00
|
|
|
IgnoreCosmetic: true,
|
2019-07-04 04:00:20 -07:00
|
|
|
}
|
2020-02-26 09:58:25 -07:00
|
|
|
} else if !fileExists(f.FilePath) {
|
2019-11-27 05:11:46 -07:00
|
|
|
list = &filterlist.StringRuleList{
|
2020-02-26 09:58:25 -07:00
|
|
|
ID: int(f.ID),
|
2019-10-22 04:58:20 -07:00
|
|
|
IgnoreCosmetic: true,
|
|
|
|
|
}
|
|
|
|
|
} else if runtime.GOOS == "windows" {
|
|
|
|
|
// On Windows we don't pass a file to urlfilter because
|
2020-11-06 02:15:08 -07:00
|
|
|
// it's difficult to update this file while it's being
|
|
|
|
|
// used.
|
2021-05-21 04:55:42 -07:00
|
|
|
data, err := os.ReadFile(f.FilePath)
|
2019-10-22 04:58:20 -07:00
|
|
|
if err != nil {
|
2021-05-21 04:55:42 -07:00
|
|
|
return nil, nil, fmt.Errorf("reading filter content: %w", err)
|
2019-10-22 04:58:20 -07:00
|
|
|
}
|
2021-05-21 04:55:42 -07:00
|
|
|
|
2019-11-27 05:11:46 -07:00
|
|
|
list = &filterlist.StringRuleList{
|
2020-02-26 09:58:25 -07:00
|
|
|
ID: int(f.ID),
|
2019-10-22 04:58:20 -07:00
|
|
|
RulesText: string(data),
|
|
|
|
|
IgnoreCosmetic: true,
|
2019-07-05 07:35:40 -07:00
|
|
|
}
|
2019-07-04 04:00:20 -07:00
|
|
|
} else {
|
|
|
|
|
var err error
|
2020-02-26 09:58:25 -07:00
|
|
|
list, err = filterlist.NewFileRuleList(int(f.ID), f.FilePath, true)
|
2019-07-04 04:00:20 -07:00
|
|
|
if err != nil {
|
2020-11-05 05:20:57 -07:00
|
|
|
return nil, nil, fmt.Errorf("filterlist.NewFileRuleList(): %s: %w", f.FilePath, err)
|
2019-07-04 04:00:20 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
listArray = append(listArray, list)
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-27 05:11:46 -07:00
|
|
|
rulesStorage, err := filterlist.NewRuleStorage(listArray)
|
2019-05-15 06:46:11 -07:00
|
|
|
if err != nil {
|
2020-11-05 05:20:57 -07:00
|
|
|
return nil, nil, fmt.Errorf("filterlist.NewRuleStorage(): %w", err)
|
2019-05-15 06:46:11 -07:00
|
|
|
}
|
2019-10-09 09:51:26 -07:00
|
|
|
filteringEngine := urlfilter.NewDNSEngine(rulesStorage)
|
2020-02-26 09:58:25 -07:00
|
|
|
return rulesStorage, filteringEngine, nil
|
|
|
|
|
}
|
2019-10-09 09:51:26 -07:00
|
|
|
|
2020-11-06 02:15:08 -07:00
|
|
|
// Initialize urlfilter objects.
|
2020-12-17 03:32:46 -07:00
|
|
|
func (d *DNSFilter) initFiltering(allowFilters, blockFilters []Filter) error {
|
2020-02-26 09:58:25 -07:00
|
|
|
rulesStorage, filteringEngine, err := createFilteringEngine(blockFilters)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2020-12-21 07:48:07 -07:00
|
|
|
rulesStorageAllow, filteringEngineAllow, err := createFilteringEngine(allowFilters)
|
2020-02-26 09:58:25 -07:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
2019-10-09 09:51:26 -07:00
|
|
|
}
|
2020-08-26 08:58:21 -07:00
|
|
|
|
|
|
|
|
d.engineLock.Lock()
|
|
|
|
|
d.reset()
|
2019-10-09 09:51:26 -07:00
|
|
|
d.rulesStorage = rulesStorage
|
|
|
|
|
d.filteringEngine = filteringEngine
|
2020-12-21 07:48:07 -07:00
|
|
|
d.rulesStorageAllow = rulesStorageAllow
|
|
|
|
|
d.filteringEngineAllow = filteringEngineAllow
|
2020-08-26 08:58:21 -07:00
|
|
|
d.engineLock.Unlock()
|
2020-05-12 14:46:35 -07:00
|
|
|
|
|
|
|
|
// Make sure that the OS reclaims memory as soon as possible
|
|
|
|
|
debug.FreeOSMemory()
|
2019-10-09 09:51:26 -07:00
|
|
|
log.Debug("initialized filtering engine")
|
|
|
|
|
|
2018-11-30 03:48:53 -07:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-21 07:48:07 -07:00
|
|
|
// matchHostProcessAllowList processes the allowlist logic of host
|
|
|
|
|
// matching.
|
|
|
|
|
func (d *DNSFilter) matchHostProcessAllowList(host string, dnsres urlfilter.DNSResult) (res Result, err error) {
|
|
|
|
|
var rule rules.Rule
|
|
|
|
|
if dnsres.NetworkRule != nil {
|
|
|
|
|
rule = dnsres.NetworkRule
|
|
|
|
|
} else if len(dnsres.HostRulesV4) > 0 {
|
|
|
|
|
rule = dnsres.HostRulesV4[0]
|
|
|
|
|
} else if len(dnsres.HostRulesV6) > 0 {
|
|
|
|
|
rule = dnsres.HostRulesV6[0]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if rule == nil {
|
|
|
|
|
return Result{}, fmt.Errorf("invalid dns result: rules are empty")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
log.Debug("Filtering: found allowlist rule for host %q: %q list_id: %d",
|
|
|
|
|
host, rule.Text(), rule.GetFilterListID())
|
|
|
|
|
|
|
|
|
|
return makeResult(rule, NotFilteredAllowList), nil
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-26 03:03:36 -07:00
|
|
|
// matchHostProcessDNSResult processes the matched DNS filtering result.
|
|
|
|
|
func (d *DNSFilter) matchHostProcessDNSResult(
|
|
|
|
|
qtype uint16,
|
|
|
|
|
dnsres urlfilter.DNSResult,
|
|
|
|
|
) (res Result) {
|
|
|
|
|
if dnsres.NetworkRule != nil {
|
|
|
|
|
reason := FilteredBlockList
|
|
|
|
|
if dnsres.NetworkRule.Whitelist {
|
|
|
|
|
reason = NotFilteredAllowList
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return makeResult(dnsres.NetworkRule, reason)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if qtype == dns.TypeA && dnsres.HostRulesV4 != nil {
|
|
|
|
|
rule := dnsres.HostRulesV4[0]
|
|
|
|
|
res = makeResult(rule, FilteredBlockList)
|
|
|
|
|
res.Rules[0].IP = rule.IP.To4()
|
|
|
|
|
|
|
|
|
|
return res
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if qtype == dns.TypeAAAA && dnsres.HostRulesV6 != nil {
|
|
|
|
|
rule := dnsres.HostRulesV6[0]
|
|
|
|
|
res = makeResult(rule, FilteredBlockList)
|
|
|
|
|
res.Rules[0].IP = rule.IP.To16()
|
|
|
|
|
|
|
|
|
|
return res
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if dnsres.HostRulesV4 != nil || dnsres.HostRulesV6 != nil {
|
|
|
|
|
// Question type doesn't match the host rules. Return the first
|
|
|
|
|
// matched host rule, but without an IP address.
|
|
|
|
|
var rule rules.Rule
|
|
|
|
|
if dnsres.HostRulesV4 != nil {
|
|
|
|
|
rule = dnsres.HostRulesV4[0]
|
|
|
|
|
} else if dnsres.HostRulesV6 != nil {
|
|
|
|
|
rule = dnsres.HostRulesV6[0]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
res = makeResult(rule, FilteredBlockList)
|
|
|
|
|
res.Rules[0].IP = net.IP{}
|
|
|
|
|
|
|
|
|
|
return res
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return Result{}
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-06 02:15:08 -07:00
|
|
|
// matchHost is a low-level way to check only if hostname is filtered by rules,
|
|
|
|
|
// skipping expensive safebrowsing and parental lookups.
|
2021-03-25 10:30:30 -07:00
|
|
|
func (d *DNSFilter) matchHost(
|
|
|
|
|
host string,
|
|
|
|
|
qtype uint16,
|
2021-05-21 06:15:47 -07:00
|
|
|
setts *Settings,
|
2021-03-25 10:30:30 -07:00
|
|
|
) (res Result, err error) {
|
|
|
|
|
if !setts.FilteringEnabled {
|
|
|
|
|
return Result{}, nil
|
|
|
|
|
}
|
|
|
|
|
|
2019-10-09 09:51:26 -07:00
|
|
|
d.engineLock.RLock()
|
2020-01-30 09:06:09 -07:00
|
|
|
// Keep in mind that this lock must be held no just when calling Match()
|
|
|
|
|
// but also while using the rules returned by it.
|
2019-10-09 09:51:26 -07:00
|
|
|
defer d.engineLock.RUnlock()
|
2020-02-26 09:58:25 -07:00
|
|
|
|
2020-11-24 09:55:05 -07:00
|
|
|
ureq := urlfilter.DNSRequest{
|
|
|
|
|
Hostname: host,
|
|
|
|
|
SortedClientTags: setts.ClientTags,
|
2021-01-20 07:27:53 -07:00
|
|
|
// TODO(e.burkov): Wait for urlfilter update to pass net.IP.
|
|
|
|
|
ClientIP: setts.ClientIP.String(),
|
|
|
|
|
ClientName: setts.ClientName,
|
|
|
|
|
DNSType: qtype,
|
2020-11-24 09:55:05 -07:00
|
|
|
}
|
2020-06-23 04:36:26 -07:00
|
|
|
|
2020-12-21 07:48:07 -07:00
|
|
|
if d.filteringEngineAllow != nil {
|
|
|
|
|
dnsres, ok := d.filteringEngineAllow.MatchRequest(ureq)
|
2020-02-26 09:58:25 -07:00
|
|
|
if ok {
|
2020-12-21 07:48:07 -07:00
|
|
|
return d.matchHostProcessAllowList(host, dnsres)
|
2020-02-26 09:58:25 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-05-15 06:46:11 -07:00
|
|
|
if d.filteringEngine == nil {
|
|
|
|
|
return Result{}, nil
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-21 07:48:07 -07:00
|
|
|
dnsres, ok := d.filteringEngine.MatchRequest(ureq)
|
|
|
|
|
|
2021-03-26 03:03:36 -07:00
|
|
|
// Check DNS rewrites first, because the API there is a bit awkward.
|
2020-12-21 07:48:07 -07:00
|
|
|
if dnsr := dnsres.DNSRewrites(); len(dnsr) > 0 {
|
|
|
|
|
res = d.processDNSRewrites(dnsr)
|
2020-12-28 08:41:50 -07:00
|
|
|
if res.Reason == RewrittenRule && res.CanonName == host {
|
2021-03-26 03:03:36 -07:00
|
|
|
// A rewrite of a host to itself. Go on and try
|
|
|
|
|
// matching other things.
|
2020-12-21 07:48:07 -07:00
|
|
|
} else {
|
|
|
|
|
return res, nil
|
|
|
|
|
}
|
|
|
|
|
} else if !ok {
|
2019-05-15 06:46:11 -07:00
|
|
|
return Result{}, nil
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-26 03:03:36 -07:00
|
|
|
res = d.matchHostProcessDNSResult(qtype, dnsres)
|
|
|
|
|
if len(res.Rules) > 0 {
|
|
|
|
|
r := res.Rules[0]
|
|
|
|
|
log.Debug(
|
|
|
|
|
"filtering: found rule %q for host %q, filter list id: %d",
|
|
|
|
|
r.Text,
|
|
|
|
|
host,
|
|
|
|
|
r.FilterListID,
|
|
|
|
|
)
|
2020-01-30 09:06:09 -07:00
|
|
|
}
|
2019-05-15 06:46:11 -07:00
|
|
|
|
2021-03-26 03:03:36 -07:00
|
|
|
return res, nil
|
2018-08-30 07:25:33 -07:00
|
|
|
}
|
|
|
|
|
|
2020-12-17 03:32:46 -07:00
|
|
|
// makeResult returns a properly constructed Result.
|
2020-02-26 09:58:25 -07:00
|
|
|
func makeResult(rule rules.Rule, reason Reason) Result {
|
2020-12-17 03:32:46 -07:00
|
|
|
res := Result{
|
|
|
|
|
Reason: reason,
|
|
|
|
|
Rules: []*ResultRule{{
|
|
|
|
|
FilterListID: int64(rule.GetFilterListID()),
|
|
|
|
|
Text: rule.Text(),
|
|
|
|
|
}},
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-21 07:48:07 -07:00
|
|
|
if reason == FilteredBlockList {
|
2020-02-26 09:58:25 -07:00
|
|
|
res.IsFiltered = true
|
|
|
|
|
}
|
2020-12-17 03:32:46 -07:00
|
|
|
|
2020-02-26 09:58:25 -07:00
|
|
|
return res
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-06 02:15:08 -07:00
|
|
|
// InitModule manually initializes blocked services map.
|
2020-04-27 03:21:16 -07:00
|
|
|
func InitModule() {
|
|
|
|
|
initBlockedServices()
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-06 02:15:08 -07:00
|
|
|
// New creates properly initialized DNS Filter that is ready to be used.
|
2020-12-17 03:32:46 -07:00
|
|
|
func New(c *Config, blockFilters []Filter) *DNSFilter {
|
2021-02-04 10:35:13 -07:00
|
|
|
var resolver Resolver = net.DefaultResolver
|
2019-06-24 09:00:03 -07:00
|
|
|
if c != nil {
|
2019-08-22 05:09:43 -07:00
|
|
|
cacheConf := cache.Config{
|
|
|
|
|
EnableLRU: true,
|
|
|
|
|
}
|
|
|
|
|
|
2019-07-15 02:10:43 -07:00
|
|
|
if gctx.safebrowsingCache == nil {
|
2019-08-22 05:09:43 -07:00
|
|
|
cacheConf.MaxSize = c.SafeBrowsingCacheSize
|
|
|
|
|
gctx.safebrowsingCache = cache.New(cacheConf)
|
2019-06-24 09:00:03 -07:00
|
|
|
}
|
2019-08-22 05:09:43 -07:00
|
|
|
|
2019-07-15 02:10:43 -07:00
|
|
|
if gctx.safeSearchCache == nil {
|
2019-08-22 05:09:43 -07:00
|
|
|
cacheConf.MaxSize = c.SafeSearchCacheSize
|
|
|
|
|
gctx.safeSearchCache = cache.New(cacheConf)
|
2019-06-24 09:00:03 -07:00
|
|
|
}
|
2019-08-22 05:09:43 -07:00
|
|
|
|
2019-07-15 02:10:43 -07:00
|
|
|
if gctx.parentalCache == nil {
|
2019-08-22 05:09:43 -07:00
|
|
|
cacheConf.MaxSize = c.ParentalCacheSize
|
|
|
|
|
gctx.parentalCache = cache.New(cacheConf)
|
2019-06-24 09:00:03 -07:00
|
|
|
}
|
2021-02-04 10:35:13 -07:00
|
|
|
|
|
|
|
|
if c.CustomResolver != nil {
|
|
|
|
|
resolver = c.CustomResolver
|
|
|
|
|
}
|
2019-06-24 09:00:03 -07:00
|
|
|
}
|
|
|
|
|
|
2021-01-29 06:09:31 -07:00
|
|
|
d := &DNSFilter{
|
2021-02-04 10:35:13 -07:00
|
|
|
resolver: resolver,
|
2021-01-29 06:09:31 -07:00
|
|
|
}
|
2018-08-30 07:25:33 -07:00
|
|
|
|
2021-03-25 10:30:30 -07:00
|
|
|
d.hostCheckers = []hostChecker{{
|
2021-04-15 09:00:31 -07:00
|
|
|
check: d.checkEtcHosts,
|
|
|
|
|
name: "etchosts",
|
2021-03-25 10:30:30 -07:00
|
|
|
}, {
|
|
|
|
|
check: d.matchHost,
|
|
|
|
|
name: "filtering",
|
|
|
|
|
}, {
|
|
|
|
|
check: matchBlockedServicesRules,
|
|
|
|
|
name: "blocked services",
|
|
|
|
|
}, {
|
|
|
|
|
check: d.checkSafeBrowsing,
|
|
|
|
|
name: "safe browsing",
|
|
|
|
|
}, {
|
|
|
|
|
check: d.checkParental,
|
|
|
|
|
name: "parental",
|
|
|
|
|
}, {
|
|
|
|
|
check: d.checkSafeSearch,
|
|
|
|
|
name: "safe search",
|
|
|
|
|
}}
|
|
|
|
|
|
2019-10-16 02:57:49 -07:00
|
|
|
err := d.initSecurityServices()
|
|
|
|
|
if err != nil {
|
2021-05-21 06:15:47 -07:00
|
|
|
log.Error("filtering: initialize services: %s", err)
|
2019-10-16 02:57:49 -07:00
|
|
|
return nil
|
2018-08-30 07:25:33 -07:00
|
|
|
}
|
2019-10-16 02:57:49 -07:00
|
|
|
|
2018-11-30 03:47:26 -07:00
|
|
|
if c != nil {
|
|
|
|
|
d.Config = *c
|
2020-01-16 02:51:35 -07:00
|
|
|
d.prepareRewrites()
|
2018-11-30 03:47:26 -07:00
|
|
|
}
|
2018-09-10 10:34:42 -07:00
|
|
|
|
2020-02-18 10:17:35 -07:00
|
|
|
bsvcs := []string{}
|
|
|
|
|
for _, s := range d.BlockedServices {
|
|
|
|
|
if !BlockedSvcKnown(s) {
|
2020-11-05 05:20:57 -07:00
|
|
|
log.Debug("skipping unknown blocked-service %q", s)
|
2020-02-18 10:17:35 -07:00
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
bsvcs = append(bsvcs, s)
|
|
|
|
|
}
|
|
|
|
|
d.BlockedServices = bsvcs
|
|
|
|
|
|
2020-02-26 09:58:25 -07:00
|
|
|
if blockFilters != nil {
|
2021-03-11 10:36:54 -07:00
|
|
|
err = d.initFiltering(nil, blockFilters)
|
2019-05-15 06:46:11 -07:00
|
|
|
if err != nil {
|
|
|
|
|
log.Error("Can't initialize filtering subsystem: %s", err)
|
2019-10-09 09:51:26 -07:00
|
|
|
d.Close()
|
2019-05-15 06:46:11 -07:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-16 04:25:40 -07:00
|
|
|
return d
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-30 09:06:09 -07:00
|
|
|
// Start - start the module:
|
|
|
|
|
// . start async filtering initializer goroutine
|
|
|
|
|
// . register web handlers
|
2020-12-17 03:32:46 -07:00
|
|
|
func (d *DNSFilter) Start() {
|
2019-10-09 09:51:26 -07:00
|
|
|
d.filtersInitializerChan = make(chan filtersInitializerParams, 1)
|
|
|
|
|
go d.filtersInitializer()
|
2018-08-30 07:25:33 -07:00
|
|
|
|
2019-10-09 09:51:26 -07:00
|
|
|
if d.Config.HTTPRegister != nil { // for tests
|
|
|
|
|
d.registerSecurityHandlers()
|
|
|
|
|
d.registerRewritesHandlers()
|
2020-02-18 10:17:35 -07:00
|
|
|
d.registerBlockedServicesHandlers()
|
2019-05-15 06:46:11 -07:00
|
|
|
}
|
2018-08-30 07:25:33 -07:00
|
|
|
}
|
