2023-06-24 07:12:11 +07:00
|
|
|
#!/usr/bin/env python3
|
|
|
|
#
|
|
|
|
# A plugin for the Unbound DNS resolver to resolve DNS records in
|
|
|
|
# multicast DNS [RFC 6762] via Avahi.
|
|
|
|
# Modified by chayleaf to resolve addresses and import them into
|
|
|
|
# nftables.
|
|
|
|
#
|
|
|
|
# Copyright (C) 2018-2019 Internet Real-Time Lab, Columbia University
|
|
|
|
# http://www.cs.columbia.edu/irt/
|
|
|
|
#
|
|
|
|
# Written by Jan Janak <janakj@cs.columbia.edu>
|
|
|
|
#
|
|
|
|
# Permission is hereby granted, free of charge, to any person
|
|
|
|
# obtaining a copy of this software and associated documentation files
|
|
|
|
# (the "Software"), to deal in the Software without restriction,
|
|
|
|
# including without limitation the rights to use, copy, modify, merge,
|
|
|
|
# publish, distribute, sublicense, and/or sell copies of the Software,
|
|
|
|
# and to permit persons to whom the Software is furnished to do so,
|
|
|
|
# subject to the following conditions:
|
|
|
|
#
|
|
|
|
# The above copyright notice and this permission notice shall be
|
|
|
|
# included in all copies or substantial portions of the Software.
|
|
|
|
#
|
|
|
|
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
|
|
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
|
|
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
|
|
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
|
|
|
|
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
|
|
|
|
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
|
|
|
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
|
|
# SOFTWARE.
|
|
|
|
#
|
|
|
|
#
|
|
|
|
# Dependendies:
|
|
|
|
# Unbound with pythonmodule configured for Python 3
|
|
|
|
# dnspython [http://www.dnspython.org]
|
|
|
|
# pydbus [https://github.com/LEW21/pydbus]
|
|
|
|
#
|
|
|
|
# To enable Python 3 support, configure Unbound as follows:
|
|
|
|
# PYTHON_VERSION=3 ./configure --with-pythonmodule
|
|
|
|
#
|
|
|
|
# The plugin in meant to be used as a fallback resolver that resolves
|
|
|
|
# records in multicast DNS if the upstream server cannot be reached or
|
|
|
|
# provides no answer (NXDOMAIN).
|
|
|
|
#
|
|
|
|
# mDNS requests for negative records, i.e., records for which Avahi
|
|
|
|
# returns no answer (NXDOMAIN), are expensive. Since there is no
|
|
|
|
# single authoritative server in mDNS, such requests terminate only
|
|
|
|
# via a timeout. The timeout is about a second (if MDNS_TIMEOUT is not
|
|
|
|
# configured), or the value configured via MDNS_TIMEOUT. The
|
|
|
|
# corresponding Unbound thread will be blocked for this amount of
|
|
|
|
# time. For this reason, it is important to configure an appropriate
|
|
|
|
# number of threads in unbound.conf and limit the RR types and names
|
|
|
|
# that will be resolved via Avahi via the environment variables
|
|
|
|
# described later.
|
|
|
|
#
|
|
|
|
# An example unbound.conf with the plugin enabled:
|
|
|
|
#
|
|
|
|
# | server:
|
|
|
|
# | module-config: "validator python iterator"
|
|
|
|
# | num-threads: 32
|
|
|
|
# | cache-max-negative-ttl: 60
|
|
|
|
# | cache-max-ttl: 60
|
|
|
|
# | python:
|
|
|
|
# | python-script: path/to/this/file
|
|
|
|
#
|
|
|
|
#
|
|
|
|
# The plugin can also be run interactively. Provide the name and
|
|
|
|
# record type to be resolved as command line arguments and the
|
|
|
|
# resolved record will be printed to standard output:
|
|
|
|
#
|
|
|
|
# $ ./avahi-resolver.py voip-phx4.phxnet.org A
|
|
|
|
# voip-phx4.phxnet.org. 120 IN A 10.4.3.2
|
|
|
|
#
|
|
|
|
#
|
|
|
|
# The behavior of the plugin can be controlled via the following
|
|
|
|
# environment variables:
|
|
|
|
#
|
|
|
|
# DBUS_SYSTEM_BUS_ADDRESS
|
|
|
|
#
|
|
|
|
# The address of the system DBus bus, in the format expected by DBus,
|
|
|
|
# e.g., unix:path=/run/avahi/system-bus.sock
|
|
|
|
#
|
|
|
|
#
|
|
|
|
# DEBUG
|
|
|
|
#
|
|
|
|
# Set this environment variable to "yes", "true", "on", or "1" to
|
|
|
|
# enable debugging. In debugging mode, the plugin will output a lot
|
|
|
|
# more information about what it is doing either to the standard
|
|
|
|
# output (when run interactively) or to Unbound via log_info and
|
|
|
|
# log_error.
|
|
|
|
#
|
|
|
|
# By default debugging is disabled.
|
|
|
|
#
|
|
|
|
#
|
|
|
|
# MDNS_TTL
|
|
|
|
#
|
|
|
|
# Avahi does not provide the TTL value for the records it returns.
|
|
|
|
# This environment variable can be used to configure the TTL value for
|
|
|
|
# such records.
|
|
|
|
#
|
|
|
|
# The default value is 120 seconds.
|
|
|
|
#
|
|
|
|
#
|
|
|
|
# MDNS_TIMEOUT
|
|
|
|
#
|
|
|
|
# The maximum amount of time (in milliseconds) an Avahi request is
|
|
|
|
# allowed to run. This value sets the time it takes to resolve
|
|
|
|
# negative (non-existent) records in Avahi. If unset, the request
|
|
|
|
# terminates when Avahi sends the "AllForNow" signal, telling the
|
|
|
|
# client that more records are unlikely to arrive. This takes roughly
|
|
|
|
# about one second. You may need to configure a longer value here on
|
|
|
|
# slower networks, e.g., networks that relay mDNS packets such as
|
|
|
|
# MANETs.
|
|
|
|
#
|
|
|
|
#
|
|
|
|
# MDNS_GETONE
|
|
|
|
#
|
|
|
|
# If set to "true", "1", or "on", an Avahi request will terminate as
|
|
|
|
# soon as at least one record has been found. If there are multiple
|
|
|
|
# nodes in the mDNS network publishing the same record, only one (or
|
|
|
|
# subset) will be returned.
|
|
|
|
#
|
|
|
|
# If set to "false", "0", or "off", the plugin will gather records for
|
|
|
|
# MDNS_TIMEOUT and return all records found. This is only useful in
|
|
|
|
# networks where multiple nodes are known to publish different records
|
|
|
|
# under the same name and the client needs to be able to obtain them
|
|
|
|
# all. When configured this way, all Avahi requests will always take
|
|
|
|
# MDNS_TIMEOUT to complete!
|
|
|
|
#
|
|
|
|
# This option is set to true by default.
|
|
|
|
#
|
|
|
|
#
|
|
|
|
# MDNS_REJECT_TYPES
|
|
|
|
#
|
|
|
|
# A comma-separated list of record types that will NOT be resolved in
|
|
|
|
# mDNS via Avahi. Use this environment variable to prevent specific
|
|
|
|
# record types from being resolved via Avahi. For example, if your
|
|
|
|
# network does not support IPv6, you can put AAAA on this list.
|
|
|
|
#
|
|
|
|
# The default value is an empty list.
|
|
|
|
#
|
|
|
|
# Example: MDNS_REJECT_TYPES=aaaa,mx,soa
|
|
|
|
#
|
|
|
|
#
|
|
|
|
# MDNS_ACCEPT_TYPES
|
|
|
|
#
|
|
|
|
# If set, a record type will be resolved via Avahi if and only if it
|
|
|
|
# is present on this comma-separated list. In other words, this is a
|
|
|
|
# whitelist.
|
|
|
|
#
|
|
|
|
# The default value is an empty list which means all record types will
|
|
|
|
# be resolved via Avahi.
|
|
|
|
#
|
|
|
|
# Example: MDNS_ACCEPT_TYPES=a,ptr,txt,srv,aaaa,cname
|
|
|
|
#
|
|
|
|
#
|
|
|
|
# MDNS_REJECT_NAMES
|
|
|
|
#
|
|
|
|
# If the name being resolved matches the regular expression in this
|
|
|
|
# environment variable, the name will NOT be resolved via Avahi. In
|
|
|
|
# other words, this environment variable provides a blacklist.
|
|
|
|
#
|
|
|
|
# The default value is empty--no names will be reject.
|
|
|
|
#
|
|
|
|
# Example: MDNS_REJECT_NAMES=(^|\.)example\.com\.$
|
|
|
|
#
|
|
|
|
#
|
|
|
|
# MDNS_ACCEPT_NAMES
|
|
|
|
#
|
|
|
|
# If set to a regular expression, a name will be resolved via Avahi if
|
|
|
|
# and only if it matches the regular expression. In other words, this
|
|
|
|
# variable provides a whitelist.
|
|
|
|
#
|
|
|
|
# The default value is empty--all names will be resolved via Avahi.
|
|
|
|
#
|
|
|
|
# Example: MDNS_ACCEPT_NAMES=^.*\.example\.com\.$
|
|
|
|
#
|
|
|
|
|
|
|
|
import json
|
|
|
|
import ipaddress
|
|
|
|
import os
|
|
|
|
import subprocess
|
|
|
|
import pytricia
|
|
|
|
import re
|
|
|
|
import array
|
|
|
|
import threading
|
|
|
|
import traceback
|
|
|
|
import dns.rdata
|
|
|
|
import dns.rdatatype
|
|
|
|
import dns.rdataclass
|
|
|
|
from queue import Queue
|
|
|
|
from gi.repository import GLib
|
|
|
|
from pydbus import SystemBus
|
|
|
|
|
|
|
|
|
|
|
|
IF_UNSPEC = -1
|
|
|
|
PROTO_UNSPEC = -1
|
|
|
|
|
|
|
|
NFT_QUERIES = {}
|
2023-06-27 15:25:19 +07:00
|
|
|
# dynamic query update token
|
|
|
|
NFT_TOKEN = ""
|
2023-06-24 07:12:11 +07:00
|
|
|
|
|
|
|
sysbus = None
|
|
|
|
avahi = None
|
|
|
|
trampoline = dict()
|
|
|
|
thread_local = threading.local()
|
|
|
|
dbus_thread = None
|
|
|
|
dbus_loop = None
|
|
|
|
|
|
|
|
def is_valid_ip4(x):
|
|
|
|
try:
|
|
|
|
_ = ipaddress.IPv4Address(x)
|
|
|
|
return True
|
|
|
|
except ipaddress.AddressValueError:
|
|
|
|
return False
|
|
|
|
|
|
|
|
def is_valid_ip6(x):
|
|
|
|
try:
|
|
|
|
_ = ipaddress.IPv6Address(x)
|
|
|
|
return True
|
|
|
|
except ipaddress.AddressValueError:
|
|
|
|
return False
|
|
|
|
|
|
|
|
def str2bool(v):
|
|
|
|
if v.lower() in ['false', 'no', '0', 'off', '']:
|
|
|
|
return False
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
|
|
def dbg(msg):
|
|
|
|
if DEBUG != False:
|
|
|
|
log_info('avahi-resolver: %s' % msg)
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# Although pydbus has an internal facility for handling signals, we
|
|
|
|
# cannot use that with Avahi. When responding from an internal cache,
|
|
|
|
# Avahi sends the first signal very quickly, before pydbus has had a
|
|
|
|
# chance to subscribe for the signal. This will result in lost signal
|
|
|
|
# and missed data:
|
|
|
|
#
|
|
|
|
# https://github.com/LEW21/pydbus/issues/87
|
|
|
|
#
|
|
|
|
# As a workaround, we subscribe to all signals before creating a
|
|
|
|
# record browser and do our own signal matching and dispatching via
|
|
|
|
# the following function.
|
|
|
|
#
|
|
|
|
def signal_dispatcher(connection, sender, path, interface, name, args):
|
|
|
|
o = trampoline.get(path, None)
|
|
|
|
if o is None:
|
|
|
|
return
|
|
|
|
|
|
|
|
if name == 'ItemNew': o.itemNew(*args)
|
|
|
|
elif name == 'ItemRemove': o.itemRemove(*args)
|
|
|
|
elif name == 'AllForNow': o.allForNow(*args)
|
|
|
|
elif name == 'Failure': o.failure(*args)
|
|
|
|
|
|
|
|
|
|
|
|
class RecordBrowser:
|
|
|
|
def __init__(self, callback, name, type_, timeout=None, getone=True):
|
|
|
|
self.callback = callback
|
|
|
|
self.records = []
|
|
|
|
self.error = None
|
|
|
|
self.getone = getone
|
|
|
|
|
|
|
|
self.timer = None if timeout is None else GLib.timeout_add(timeout, self.timedOut)
|
|
|
|
|
|
|
|
self.browser_path = avahi.RecordBrowserNew(IF_UNSPEC, PROTO_UNSPEC, name, dns.rdataclass.IN, type_, 0)
|
|
|
|
trampoline[self.browser_path] = self
|
|
|
|
self.browser = sysbus.get('.Avahi', self.browser_path)
|
|
|
|
self.dbg('Created RecordBrowser(name=%s, type=%s, getone=%s, timeout=%s)'
|
|
|
|
% (name, dns.rdatatype.to_text(type_), getone, timeout))
|
|
|
|
|
|
|
|
def dbg(self, msg):
|
|
|
|
dbg('[%s] %s' % (self.browser_path, msg))
|
|
|
|
|
|
|
|
def _done(self):
|
|
|
|
del trampoline[self.browser_path]
|
|
|
|
self.dbg('Freeing')
|
|
|
|
self.browser.Free()
|
|
|
|
|
|
|
|
if self.timer is not None:
|
|
|
|
self.dbg('Removing timer')
|
|
|
|
GLib.source_remove(self.timer)
|
|
|
|
|
|
|
|
self.callback(self.records, self.error)
|
|
|
|
|
|
|
|
def itemNew(self, interface, protocol, name, class_, type_, rdata, flags):
|
|
|
|
self.dbg('Got signal ItemNew')
|
|
|
|
self.records.append((name, class_, type_, rdata))
|
|
|
|
if self.getone:
|
|
|
|
self._done()
|
|
|
|
|
|
|
|
def itemRemove(self, interface, protocol, name, class_, type_, rdata, flags):
|
|
|
|
self.dbg('Got signal ItemRemove')
|
|
|
|
self.records.remove((name, class_, type_, rdata))
|
|
|
|
|
|
|
|
def failure(self, error):
|
|
|
|
self.dbg('Got signal Failure')
|
|
|
|
self.error = Exception(error)
|
|
|
|
self._done()
|
|
|
|
|
|
|
|
def allForNow(self):
|
|
|
|
self.dbg('Got signal AllForNow')
|
|
|
|
if self.timer is None:
|
|
|
|
self._done()
|
|
|
|
|
|
|
|
def timedOut(self):
|
|
|
|
self.dbg('Timed out')
|
|
|
|
self._done()
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# This function runs the main event loop for DBus (GLib). This
|
|
|
|
# function must be run in a dedicated worker thread.
|
|
|
|
#
|
|
|
|
def dbus_main():
|
|
|
|
global sysbus, avahi, dbus_loop
|
|
|
|
|
|
|
|
dbg('Connecting to system DBus')
|
|
|
|
sysbus = SystemBus()
|
|
|
|
|
|
|
|
dbg('Subscribing to .Avahi.RecordBrowser signals')
|
|
|
|
sysbus.con.signal_subscribe('org.freedesktop.Avahi',
|
|
|
|
'org.freedesktop.Avahi.RecordBrowser',
|
|
|
|
None, None, None, 0, signal_dispatcher)
|
|
|
|
|
|
|
|
avahi = sysbus.get('.Avahi', '/')
|
|
|
|
|
|
|
|
dbg("Connected to Avahi Daemon: %s (API %s) [%s]"
|
|
|
|
% (avahi.GetVersionString(), avahi.GetAPIVersion(), avahi.GetHostNameFqdn()))
|
|
|
|
|
|
|
|
dbg('Starting DBus main loop')
|
|
|
|
dbus_loop = GLib.MainLoop()
|
|
|
|
dbus_loop.run()
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# This function must be run in the DBus worker thread. It creates a
|
|
|
|
# new RecordBrowser instance and once it has finished doing it thing,
|
|
|
|
# it will send the result back to the original thread via the queue.
|
|
|
|
#
|
|
|
|
def start_resolver(queue, *args, **kwargs):
|
|
|
|
try:
|
|
|
|
RecordBrowser(lambda *v: queue.put_nowait(v), *args, **kwargs)
|
|
|
|
except Exception as e:
|
|
|
|
queue.put_nowait((None, e))
|
|
|
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# To resolve a request, we setup a queue, post a task to the DBus
|
|
|
|
# worker thread, and wait for the result (or error) to arrive over the
|
|
|
|
# queue. If the worker thread reports an error, raise the error as an
|
|
|
|
# exception.
|
|
|
|
#
|
|
|
|
def resolve(*args, **kwargs):
|
|
|
|
try:
|
|
|
|
queue = thread_local.queue
|
|
|
|
except AttributeError:
|
|
|
|
dbg('Creating new per-thread queue')
|
|
|
|
queue = Queue()
|
|
|
|
thread_local.queue = queue
|
|
|
|
|
|
|
|
GLib.idle_add(lambda: start_resolver(queue, *args, **kwargs))
|
|
|
|
|
|
|
|
records, error = queue.get()
|
|
|
|
queue.task_done()
|
|
|
|
|
|
|
|
if error is not None:
|
|
|
|
raise error
|
|
|
|
|
|
|
|
return records
|
|
|
|
|
|
|
|
|
|
|
|
def parse_type_list(lst):
|
|
|
|
return list(map(dns.rdatatype.from_text, [v.strip() for v in lst.split(',') if len(v)]))
|
|
|
|
|
|
|
|
def build_ipset(ips: list):
|
|
|
|
pyt = pytricia.PyTricia()
|
|
|
|
for ip in ips:
|
|
|
|
try:
|
|
|
|
pyt.insert(ip, None)
|
|
|
|
except:
|
|
|
|
with open('/var/lib/unbound/error.log', 'at') as f:
|
|
|
|
f.write(f'Warning: couldn\'t insert ip {ip}:\n')
|
|
|
|
traceback.print_exc(file=f)
|
|
|
|
return pyt
|
|
|
|
|
|
|
|
def add_ips(set: str, ipv6: bool, ips: list, flush: bool = False):
|
|
|
|
#with open('/var/lib/unbound/info.log', 'at') as f:
|
|
|
|
#print('set', set, 'ipv6', ipv6, 'ips', ips, file=f)
|
|
|
|
pyt = build_ipset(ips)
|
|
|
|
ruleset: list = [ ]
|
|
|
|
if flush:
|
|
|
|
ruleset.append({"flush":{"set":{"family":"inet","table":"global","name":set}}})
|
|
|
|
elems: list = []
|
|
|
|
if ipv6:
|
|
|
|
maxn = 128
|
|
|
|
is_valid = is_valid_ip6
|
|
|
|
else:
|
|
|
|
maxn = 32
|
|
|
|
is_valid = is_valid_ip4
|
|
|
|
for ip in pyt.keys():
|
|
|
|
try:
|
|
|
|
if pyt.parent(ip) != None:
|
|
|
|
continue
|
|
|
|
except:
|
|
|
|
pass
|
|
|
|
if '/' not in ip:
|
|
|
|
n = maxn
|
|
|
|
else:
|
|
|
|
ip, n0 = ip.split('/')
|
|
|
|
try:
|
|
|
|
n = int(n0)
|
|
|
|
except:
|
|
|
|
continue
|
|
|
|
if not is_valid(ip):
|
|
|
|
continue
|
|
|
|
if n == maxn:
|
|
|
|
elems.append(ip)
|
|
|
|
else:
|
|
|
|
elems.append({"prefix":{"addr":ip,"len":n}})
|
|
|
|
#with open('/var/lib/unbound/info.log', 'at') as f:
|
|
|
|
#print('elems', elems, file=f)
|
|
|
|
if len(elems) == 0:
|
|
|
|
return
|
|
|
|
ruleset.append({"add":{"element":{"family":"inet","table":"global","name":set,"elem":elems}}})
|
|
|
|
data = json.dumps({"nftables":ruleset}).encode('utf-8')
|
|
|
|
#with open('/var/lib/unbound/info.log', 'at') as f:
|
|
|
|
#print('data', data, file=f)
|
|
|
|
try:
|
|
|
|
out = subprocess.run([
|
|
|
|
'/run/current-system/sw/bin/nft',
|
|
|
|
'-j', '-f', '/dev/stdin'
|
|
|
|
], capture_output=True, input=data)
|
|
|
|
#with open('/var/lib/unbound/info.log', 'at') as f:
|
|
|
|
#print('out', out, file=f)
|
|
|
|
if out.returncode != 0:
|
|
|
|
with open('/var/lib/unbound/nftables.log', 'wb') as f:
|
|
|
|
f.write(b'Error running nftables ruleset. Ruleset:\n')
|
|
|
|
f.write(data)
|
|
|
|
f.write(b'\n')
|
|
|
|
f.write(b'stdout:\n')
|
|
|
|
f.write(out.stdout)
|
|
|
|
f.write(b'\nstderr:\n')
|
|
|
|
f.write(out.stderr)
|
|
|
|
f.write(b'\n')
|
|
|
|
except:
|
|
|
|
with open('/var/lib/unbound/error.log', 'at') as f:
|
|
|
|
f.write(f'While adding ips for set {set}:\n')
|
|
|
|
traceback.print_exc(file=f)
|
|
|
|
|
2023-06-27 15:25:19 +07:00
|
|
|
def add_split_domain(domains, splitDomain):
|
|
|
|
while splitDomain:
|
|
|
|
key = splitDomain[-1]
|
|
|
|
if key not in domains.keys():
|
|
|
|
domains[key] = {}
|
|
|
|
domains = domains[key]
|
|
|
|
splitDomain = splitDomain[:-1]
|
|
|
|
domains['__IsTrue__'] = True
|
|
|
|
|
2023-06-24 07:12:11 +07:00
|
|
|
def build_domains(domains):
|
|
|
|
ret = {}
|
|
|
|
for domain in domains:
|
2023-06-27 15:25:19 +07:00
|
|
|
add_split_domain(ret, domain.split('.'))
|
2023-06-24 07:12:11 +07:00
|
|
|
return ret
|
|
|
|
|
|
|
|
def lookup_domain(domains, domain):
|
|
|
|
splitDomain = domain.split('.')
|
|
|
|
while len(splitDomain):
|
|
|
|
key = splitDomain[-1]
|
|
|
|
splitDomain = splitDomain[:-1]
|
|
|
|
star = domains.get('*', None)
|
|
|
|
if star != None and star.get('__IsTrue__', False):
|
|
|
|
return True
|
|
|
|
domains = domains.get(key, None)
|
|
|
|
if domains == None:
|
|
|
|
return False
|
|
|
|
star = domains.get('*', None)
|
|
|
|
if star != None and star.get('__IsTrue__', False):
|
|
|
|
return True
|
|
|
|
return domains.get('__IsTrue__', False)
|
|
|
|
|
|
|
|
def init(*args, **kwargs):
|
|
|
|
global dbus_thread, DEBUG
|
|
|
|
global MDNS_TTL, MDNS_GETONE, MDNS_TIMEOUT
|
|
|
|
global MDNS_REJECT_TYPES, MDNS_ACCEPT_TYPES
|
|
|
|
global MDNS_REJECT_NAMES, MDNS_ACCEPT_NAMES
|
2023-06-27 15:25:19 +07:00
|
|
|
global NFT_QUERIES, NFT_TOKEN
|
2023-06-24 07:12:11 +07:00
|
|
|
|
2023-06-27 15:25:19 +07:00
|
|
|
NFT_TOKEN = os.environ.get('NFT_TOKEN', '')
|
2023-06-24 07:12:11 +07:00
|
|
|
nft_queries = os.environ.get('NFT_QUERIES', '')
|
|
|
|
if nft_queries:
|
|
|
|
for query in nft_queries.split(';'):
|
|
|
|
name, sets = query.split(':')
|
2023-06-27 15:25:19 +07:00
|
|
|
dynamic = False
|
|
|
|
if name.endswith('!'):
|
|
|
|
name = name.rstrip('!')
|
|
|
|
dynamic = True
|
2023-06-24 07:12:11 +07:00
|
|
|
set4, set6 = sets.split(',')
|
2023-06-27 15:25:19 +07:00
|
|
|
NFT_QUERIES[name] = { 'domains': [], 'ips4': [], 'ips6': [], 'name4': set4, 'name6': set6, 'dynamic': dynamic }
|
2023-06-24 07:12:11 +07:00
|
|
|
|
|
|
|
for k, v in NFT_QUERIES.items():
|
|
|
|
try:
|
|
|
|
domains = json.load(open(f'/etc/unbound/{k}_domains.json', 'rt', encoding='utf-8'))
|
|
|
|
v['domains'].extend(domains)
|
|
|
|
except:
|
|
|
|
pass
|
|
|
|
try:
|
|
|
|
domains = json.load(open(f'/var/lib/unbound/{k}_domains.json', 'rt', encoding='utf-8'))
|
|
|
|
v['domains'].extend(domains)
|
|
|
|
except:
|
|
|
|
pass
|
|
|
|
v['domains'] = build_domains(v['domains'])
|
|
|
|
try:
|
|
|
|
ips = json.load(open(f'/etc/unbound/{k}_ips.json', 'rt', encoding='utf-8'))
|
|
|
|
v['ips4'].extend(filter(lambda x: '.' in x, ips))
|
|
|
|
v['ips6'].extend(filter(lambda x: ':' in x, ips))
|
|
|
|
except:
|
|
|
|
pass
|
|
|
|
try:
|
|
|
|
ips = json.load(open(f'/var/lib/unbound/{k}_ips.json', 'rt', encoding='utf-8'))
|
|
|
|
v['ips4'].extend(filter(lambda x: '.' in x, ips))
|
|
|
|
v['ips6'].extend(filter(lambda x: ':' in x, ips))
|
|
|
|
except:
|
|
|
|
pass
|
|
|
|
|
|
|
|
# cached resolved domains
|
|
|
|
try:
|
|
|
|
os.makedirs('/var/lib/unbound/domains4/', exist_ok=True)
|
|
|
|
for x in os.listdir('/var/lib/unbound/domains4/'):
|
|
|
|
with open('/var/lib/unbound/domains4/' + x, 'rt') as f:
|
|
|
|
data = f.read().split('\n')
|
|
|
|
for k, v in NFT_QUERIES.items():
|
|
|
|
if lookup_domain(v['domains'], x):
|
|
|
|
v['ips4'].extend(data)
|
|
|
|
except:
|
|
|
|
with open('/var/lib/unbound/error.log', 'at') as f:
|
|
|
|
traceback.print_exc(file=f)
|
|
|
|
try:
|
|
|
|
os.makedirs('/var/lib/unbound/domains6/', exist_ok=True)
|
|
|
|
for x in os.listdir('/var/lib/unbound/domains6/'):
|
|
|
|
with open('/var/lib/unbound/domains6/' + x, 'rt') as f:
|
|
|
|
data = f.read().split('\n')
|
|
|
|
for k, v in NFT_QUERIES.items():
|
|
|
|
if lookup_domain(v['domains'], x):
|
|
|
|
v['ips6'].extend(data)
|
|
|
|
except:
|
|
|
|
with open('/var/lib/unbound/error.log', 'at') as f:
|
|
|
|
traceback.print_exc(file=f)
|
|
|
|
|
|
|
|
# finally, add the ips to nftables
|
|
|
|
for k, v in NFT_QUERIES.items():
|
|
|
|
if v['ips4'] and v['name4']:
|
|
|
|
add_ips(v['name4'], False, v['ips4'], flush=True)
|
|
|
|
if v['ips6'] and v['name6']:
|
|
|
|
add_ips(v['name6'], True, v['ips6'], flush=True)
|
|
|
|
v['ips4'] = build_ipset(v['ips4'])
|
|
|
|
v['ips6'] = build_ipset(v['ips6'])
|
|
|
|
|
|
|
|
DEBUG = str2bool(os.environ.get('DEBUG', str(False)))
|
|
|
|
|
|
|
|
MDNS_TTL = int(os.environ.get('MDNS_TTL', 120))
|
|
|
|
dbg("TTL for records from Avahi: %d" % MDNS_TTL)
|
|
|
|
|
|
|
|
MDNS_REJECT_TYPES = parse_type_list(os.environ.get('MDNS_REJECT_TYPES', ''))
|
|
|
|
if MDNS_REJECT_TYPES:
|
|
|
|
dbg('Types NOT resolved via Avahi: %s' % MDNS_REJECT_TYPES)
|
|
|
|
|
|
|
|
MDNS_ACCEPT_TYPES = parse_type_list(os.environ.get('MDNS_ACCEPT_TYPES', ''))
|
|
|
|
if MDNS_ACCEPT_TYPES:
|
|
|
|
dbg('ONLY resolving the following types via Avahi: %s' % MDNS_ACCEPT_TYPES)
|
|
|
|
|
|
|
|
v = os.environ.get('MDNS_REJECT_NAMES', None)
|
|
|
|
MDNS_REJECT_NAMES = re.compile(v, flags=re.I | re.S) if v is not None else None
|
|
|
|
if MDNS_REJECT_NAMES is not None:
|
|
|
|
dbg('Names NOT resolved via Avahi: %s' % MDNS_REJECT_NAMES.pattern)
|
|
|
|
|
|
|
|
v = os.environ.get('MDNS_ACCEPT_NAMES', None)
|
|
|
|
MDNS_ACCEPT_NAMES = re.compile(v, flags=re.I | re.S) if v is not None else None
|
|
|
|
if MDNS_ACCEPT_NAMES is not None:
|
|
|
|
dbg('ONLY resolving the following names via Avahi: %s' % MDNS_ACCEPT_NAMES.pattern)
|
|
|
|
|
|
|
|
v = os.environ.get('MDNS_TIMEOUT', None)
|
|
|
|
MDNS_TIMEOUT = int(v) if v is not None else None
|
|
|
|
if MDNS_TIMEOUT is not None:
|
|
|
|
dbg('Avahi request timeout: %s' % MDNS_TIMEOUT)
|
|
|
|
|
|
|
|
MDNS_GETONE = str2bool(os.environ.get('MDNS_GETONE', str(True)))
|
|
|
|
dbg('Terminate Avahi requests on first record: %s' % MDNS_GETONE)
|
|
|
|
|
|
|
|
dbus_thread = threading.Thread(target=dbus_main)
|
|
|
|
dbus_thread.daemon = True
|
|
|
|
dbus_thread.start()
|
|
|
|
|
|
|
|
|
|
|
|
def deinit(*args, **kwargs):
|
|
|
|
dbus_loop.quit()
|
|
|
|
dbus_thread.join()
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
|
|
def inform_super(id, qstate, superqstate, qdata):
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
|
|
def get_rcode(msg):
|
|
|
|
if not msg:
|
|
|
|
return RCODE_SERVFAIL
|
|
|
|
|
|
|
|
return msg.rep.flags & 0xf
|
|
|
|
|
|
|
|
|
|
|
|
def rr2text(rec, ttl):
|
|
|
|
name, class_, type_, rdata = rec
|
|
|
|
wire = array.array('B', rdata).tobytes()
|
|
|
|
return '%s. %d %s %s %s' % (
|
|
|
|
name,
|
|
|
|
ttl,
|
|
|
|
dns.rdataclass.to_text(class_),
|
|
|
|
dns.rdatatype.to_text(type_),
|
|
|
|
dns.rdata.from_wire(class_, type_, wire, 0, len(wire), None))
|
|
|
|
|
|
|
|
def operate(id, event, qstate, qdata):
|
2023-06-27 15:25:19 +07:00
|
|
|
global NFT_QUERIES, NFT_TOKEN
|
2023-06-24 07:12:11 +07:00
|
|
|
|
|
|
|
qi = qstate.qinfo
|
|
|
|
name = qi.qname_str
|
|
|
|
type_ = qi.qtype
|
|
|
|
type_str = dns.rdatatype.to_text(type_)
|
|
|
|
class_ = qi.qclass
|
|
|
|
class_str = dns.rdataclass.to_text(class_)
|
|
|
|
rc = get_rcode(qstate.return_msg)
|
|
|
|
|
|
|
|
n2 = name.rstrip('.')
|
2023-06-27 15:25:19 +07:00
|
|
|
|
2023-07-02 16:56:17 +07:00
|
|
|
if NFT_TOKEN and n2.endswith(f'{NFT_TOKEN}'):
|
|
|
|
if n2.endswith(f'.{NFT_TOKEN}'):
|
|
|
|
n3 = n2.removesuffix(f'.{NFT_TOKEN}')
|
|
|
|
for k, v in NFT_QUERIES.items():
|
|
|
|
if v['dynamic'] and n3.endswith(f'.{k}'):
|
|
|
|
n4 = n3.removesuffix(f'.{k}')
|
2023-06-27 15:25:19 +07:00
|
|
|
qdomains = v['domains']
|
2023-07-02 16:56:17 +07:00
|
|
|
if not lookup_domain(qdomains, n4):
|
|
|
|
add_split_domain(qdomains, ['*'] + n4.split('.'))
|
2023-06-27 15:25:19 +07:00
|
|
|
old = []
|
|
|
|
if os.path.exists(f'/var/lib/unbound/{k}_domains.json'):
|
|
|
|
with open(f'/var/lib/unbound/{k}_domains.json', 'rt') as f:
|
|
|
|
old = json.load(f)
|
|
|
|
os.rename(f'/var/lib/unbound/{k}_domains.json', f'/var/lib/unbound/{k}_domains.json.bak')
|
2023-07-02 16:56:17 +07:00
|
|
|
old.append('*.' + n4)
|
2023-06-27 15:25:19 +07:00
|
|
|
with open(f'/var/lib/unbound/{k}_domains.json', 'wt') as f:
|
|
|
|
json.dump(old, f)
|
2023-07-02 16:56:17 +07:00
|
|
|
elif n2.endswith(f'.tmp{NFT_TOKEN}'):
|
|
|
|
n3 = n2.removesuffix(f'.tmp{NFT_TOKEN}')
|
|
|
|
for k, v in NFT_QUERIES.items():
|
|
|
|
if v['dynamic'] and n3.endswith(f'.{k}'):
|
|
|
|
n4 = n3.removesuffix(f'.{k}')
|
|
|
|
qdomains = v['domains']
|
|
|
|
if not lookup_domain(qdomains, n4):
|
|
|
|
add_split_domain(qdomains, ['*'] + n4.split('.'))
|
|
|
|
return True
|
2023-06-24 07:12:11 +07:00
|
|
|
qnames = []
|
|
|
|
for k, v in NFT_QUERIES.items():
|
|
|
|
if lookup_domain(v['domains'], n2):
|
|
|
|
qnames.append(k)
|
|
|
|
# THIS IS PAIN
|
|
|
|
if qnames:
|
|
|
|
try:
|
|
|
|
ip4 = []
|
|
|
|
ip6 = []
|
|
|
|
if qstate.return_msg and qstate.return_msg.rep:
|
|
|
|
rep = qstate.return_msg.rep
|
|
|
|
for i in range(rep.rrset_count):
|
|
|
|
d = rep.rrsets[i].entry.data
|
|
|
|
rk = rep.rrsets[i].rk
|
|
|
|
for j in range(0, d.count + d.rrsig_count):
|
|
|
|
wire = array.array('B', d.rr_data[j]).tobytes()
|
|
|
|
# IN
|
|
|
|
if rk.rrset_class != 256: continue
|
|
|
|
# A, AAAA
|
|
|
|
if rk.type == 256 and len(wire) == 4+2 and wire[:2] == b'\x00\x04':
|
|
|
|
ip4.append('.'.join(str(x) for x in wire[2:]))
|
|
|
|
elif rk.type == 7168 and len(wire) == 16+2 and wire[:2] == b'\x00\x10':
|
|
|
|
b = list(hex(x)[2:].zfill(2) for x in wire[2:])
|
|
|
|
ip6.append(':'.join(''.join(b[x:x+2]) for x in range(0, len(b), 2)))
|
|
|
|
|
|
|
|
changed4 = False
|
|
|
|
changed6 = False
|
|
|
|
if ip4:
|
|
|
|
new_data = '\n'.join(sorted(ip4))
|
|
|
|
try:
|
|
|
|
with open('/var/lib/unbound/domains4/' + n2, 'rt') as f:
|
|
|
|
old_data = f.read()
|
|
|
|
except:
|
|
|
|
old_data = ''
|
|
|
|
if old_data != new_data:
|
|
|
|
changed4 = True
|
|
|
|
with open('/var/lib/unbound/domains4/' + n2, 'wt') as f:
|
|
|
|
f.write(new_data)
|
|
|
|
if ip6:
|
|
|
|
new_data = '\n'.join(sorted(ip6))
|
|
|
|
try:
|
|
|
|
with open('/var/lib/unbound/domains6/' + n2, 'rt') as f:
|
|
|
|
old_data = f.read()
|
|
|
|
except:
|
|
|
|
old_data = ''
|
|
|
|
if old_data != new_data:
|
|
|
|
changed6 = True
|
|
|
|
with open('/var/lib/unbound/domains6/' + n2, 'wt') as f:
|
|
|
|
f.write(new_data)
|
|
|
|
if changed4:
|
|
|
|
for qname in qnames:
|
2023-06-24 09:49:57 +07:00
|
|
|
q = NFT_QUERIES[qname]
|
|
|
|
name4 = q['name4']
|
|
|
|
ips4 = q['ips4']
|
2023-06-24 07:12:11 +07:00
|
|
|
if name4:
|
|
|
|
ip2 = []
|
|
|
|
for ip in ip4:
|
|
|
|
exists = False
|
|
|
|
try:
|
|
|
|
if ips4.has_key(ip) or ips4.parent(ip) != None:
|
|
|
|
exists = True
|
|
|
|
except:
|
|
|
|
pass
|
|
|
|
if not exists:
|
|
|
|
ips4.insert(ip, None)
|
|
|
|
ip2.append(ip)
|
|
|
|
if ip2:
|
|
|
|
add_ips(name4, False, ip2)
|
|
|
|
if changed6:
|
|
|
|
for qname in qnames:
|
2023-06-24 09:49:57 +07:00
|
|
|
q = NFT_QUERIES[qname]
|
|
|
|
name6 = q['name6']
|
|
|
|
ips6 = q['ips6']
|
2023-06-24 07:12:11 +07:00
|
|
|
if name6:
|
|
|
|
ip2 = []
|
|
|
|
for ip in ip6:
|
|
|
|
exists = False
|
|
|
|
try:
|
|
|
|
if ips6.has_key(ip) or ips6.parent(ip) != None:
|
|
|
|
exists = True
|
|
|
|
except:
|
|
|
|
pass
|
|
|
|
if not exists:
|
|
|
|
ips6.insert(ip, None)
|
|
|
|
ip2.append(ip)
|
|
|
|
if ip2:
|
|
|
|
add_ips(name6, True, ip2)
|
|
|
|
except:
|
|
|
|
with open('/var/lib/unbound/error.log', 'at') as f:
|
|
|
|
traceback.print_exc(file=f)
|
|
|
|
|
|
|
|
if event == MODULE_EVENT_NEW or event == MODULE_EVENT_PASS:
|
|
|
|
qstate.ext_state[id] = MODULE_WAIT_MODULE
|
|
|
|
return True
|
|
|
|
|
|
|
|
if event != MODULE_EVENT_MODDONE:
|
|
|
|
log_err("avahi-resolver: Unexpected event %d" % event)
|
|
|
|
qstate.ext_state[id] = MODULE_ERROR
|
|
|
|
return True
|
|
|
|
|
|
|
|
qstate.ext_state[id] = MODULE_FINISHED
|
|
|
|
|
|
|
|
# Only resolve via Avahi if we got NXDOMAIn from the upstream DNS
|
|
|
|
# server, or if we could not reach the upstream DNS server. If we
|
|
|
|
# got some records for the name from the upstream DNS server
|
|
|
|
# already, do not resolve the record in Avahi.
|
|
|
|
if rc != RCODE_NXDOMAIN and rc != RCODE_SERVFAIL:
|
|
|
|
return True
|
|
|
|
|
|
|
|
dbg("Got request for '%s %s %s'" % (name, class_str, type_str))
|
|
|
|
|
|
|
|
# Avahi only supports the IN class
|
|
|
|
if class_ != RR_CLASS_IN:
|
|
|
|
dbg('Rejected, Avahi only supports the IN class')
|
|
|
|
return True
|
|
|
|
|
|
|
|
# Avahi does not support meta queries (e.g., ANY)
|
|
|
|
if dns.rdatatype.is_metatype(type_):
|
|
|
|
dbg('Rejected, Avahi does not support the type %s' % type_str)
|
|
|
|
return True
|
|
|
|
|
|
|
|
# If we have a type blacklist and the requested type is on the
|
|
|
|
# list, reject it.
|
|
|
|
if MDNS_REJECT_TYPES and type_ in MDNS_REJECT_TYPES:
|
|
|
|
dbg('Rejected, type %s is on the blacklist' % type_str)
|
|
|
|
return True
|
|
|
|
|
|
|
|
# If we have a type whitelist and if the requested type is not on
|
|
|
|
# the list, reject it.
|
|
|
|
if MDNS_ACCEPT_TYPES and type_ not in MDNS_ACCEPT_TYPES:
|
|
|
|
dbg('Rejected, type %s is not on the whitelist' % type_str)
|
|
|
|
return True
|
|
|
|
|
|
|
|
# If we have a name blacklist and if the requested name matches
|
|
|
|
# the blacklist, reject it.
|
|
|
|
if MDNS_REJECT_NAMES is not None:
|
|
|
|
if MDNS_REJECT_NAMES.search(name):
|
|
|
|
dbg('Rejected, name %s is on the blacklist' % name)
|
|
|
|
return True
|
|
|
|
|
|
|
|
# If we have a name whitelist and if the requested name does not
|
|
|
|
# match the whitelist, reject it.
|
|
|
|
if MDNS_ACCEPT_NAMES is not None:
|
|
|
|
if not MDNS_ACCEPT_NAMES.search(name):
|
|
|
|
dbg('Rejected, name %s is not on the whitelist' % name)
|
|
|
|
return True
|
|
|
|
|
|
|
|
dbg("Resolving '%s %s %s' via Avahi" % (name, class_str, type_str))
|
|
|
|
|
|
|
|
recs = resolve(name, type_, getone=MDNS_GETONE, timeout=MDNS_TIMEOUT)
|
|
|
|
|
|
|
|
if not recs:
|
|
|
|
dbg('Result: Not found (NXDOMAIN)')
|
|
|
|
qstate.return_rcode = RCODE_NXDOMAIN
|
|
|
|
return True
|
|
|
|
|
|
|
|
m = DNSMessage(name, type_, class_, PKT_QR | PKT_RD | PKT_RA)
|
|
|
|
for r in recs:
|
|
|
|
s = rr2text(r, MDNS_TTL)
|
|
|
|
dbg('Result: %s' % s)
|
|
|
|
m.answer.append(s)
|
|
|
|
|
|
|
|
if not m.set_return_msg(qstate):
|
|
|
|
raise Exception("Error in set_return_msg")
|
|
|
|
|
|
|
|
if not storeQueryInCache(qstate, qstate.return_msg.qinfo, qstate.return_msg.rep, 0):
|
|
|
|
raise Exception("Error in storeQueryInCache")
|
|
|
|
|
|
|
|
qstate.return_msg.rep.security = 2
|
|
|
|
qstate.return_rcode = RCODE_NOERROR
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
# It does not appear to be sufficient to check __name__ to determine
|
|
|
|
# whether we are being run in interactive mode. As a workaround, try
|
|
|
|
# to import module unboundmodule and if that fails, assume we're being
|
|
|
|
# run in interactive mode.
|
|
|
|
#
|
|
|
|
try:
|
|
|
|
import unboundmodule
|
|
|
|
embedded = True
|
|
|
|
except ImportError:
|
|
|
|
embedded = False
|
|
|
|
|
|
|
|
if __name__ == '__main__' and not embedded:
|
|
|
|
import sys
|
|
|
|
|
|
|
|
def log_info(msg):
|
|
|
|
print(msg)
|
|
|
|
|
|
|
|
def log_err(msg):
|
|
|
|
print('ERROR: %s' % msg, file=sys.stderr)
|
|
|
|
|
|
|
|
if len(sys.argv) != 3:
|
|
|
|
print('Usage: %s <name> <rr_type>' % sys.argv[0])
|
|
|
|
sys.exit(2)
|
|
|
|
|
|
|
|
name = sys.argv[1]
|
|
|
|
type_str = sys.argv[2]
|
|
|
|
|
|
|
|
try:
|
|
|
|
type_ = dns.rdatatype.from_text(type_str)
|
|
|
|
except dns.rdatatype.UnknownRdatatype:
|
|
|
|
log_err('Unsupported DNS record type "%s"' % type_str)
|
|
|
|
sys.exit(2)
|
|
|
|
|
|
|
|
if dns.rdatatype.is_metatype(type_):
|
|
|
|
log_err('Meta record type "%s" cannot be resolved via Avahi' % type_str)
|
|
|
|
sys.exit(2)
|
|
|
|
|
|
|
|
init()
|
|
|
|
try:
|
|
|
|
recs = resolve(name, type_, getone=MDNS_GETONE, timeout=MDNS_TIMEOUT)
|
|
|
|
if not len(recs):
|
|
|
|
print('%s not found (NXDOMAIN)' % name)
|
|
|
|
sys.exit(1)
|
|
|
|
|
|
|
|
for r in recs:
|
|
|
|
print(rr2text(r, MDNS_TTL))
|
|
|
|
finally:
|
|
|
|
deinit()
|