author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 15:26:00 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 15:26:00 +0000 |
commit | 830407e88f9d40d954356c3754f2647f91d5c06a (patch) | |
tree | d6a0ece6feea91f3c656166dbaa884ef8a29740e /daemon/proxyv2.h | |
parent | Initial commit. (diff) | |
download | knot-resolver-830407e88f9d40d954356c3754f2647f91d5c06a.tar.xz knot-resolver-830407e88f9d40d954356c3754f2647f91d5c06a.zip |
Adding upstream version 5.6.0.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | daemon/proxyv2.h | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/daemon/proxyv2.h b/daemon/proxyv2.h
new file mode 100644
index 0000000..2d57744
--- /dev/null
+++ b/daemon/proxyv2.h
@@ -0,0 +1,50 @@
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ */
+
+#pragma once
+
+#include <stdint.h>
+
+#include "daemon/session.h"
+#include "daemon/network.h"
+#include "lib/utils.h"
+
+extern const char PROXY2_SIGNATURE[12];
+
+#define PROXY2_MIN_SIZE 16
+
+enum proxy2_command {
+ PROXY2_CMD_LOCAL = 0x0,
+ PROXY2_CMD_PROXY = 0x1
+};
+
+/** Parsed result of the PROXY protocol */
+struct proxy_result {
+ enum proxy2_command command; /**< Proxy command - PROXY or LOCAL. */
+ int family; /**< Address family from netinet library (e.g. AF_INET6). */
+ int protocol; /**< Protocol type from socket library (e.g. SOCK_STREAM). */
+ union kr_sockaddr src_addr; /**< Parsed source address and port. */
+ union kr_sockaddr dst_addr; /**< Parsed destination address and port. */
+ bool has_tls : 1; /**< `true` = client has used TLS with the proxy.
+ If TLS padding is enabled, it will be used even if
+ the proxy did not use TLS with kresd. */
+};
+
+/** Checks for a PROXY protocol version 2 signature in the specified buffer. */
+static inline bool proxy_header_present(const void* buf, const ssize_t nread)
+{
+ return nread >= PROXY2_MIN_SIZE &&
+ memcmp(buf, PROXY2_SIGNATURE, sizeof(PROXY2_SIGNATURE)) == 0;
+}
+
+/** Checks whether the use of PROXYv2 protocol is allowed for the specified
+ * address. */
+bool proxy_allowed(const struct network *net, const struct sockaddr *saddr);
+
+/** Parses the PROXYv2 header from buf of size nread and writes the result into
+ * out. The rest of the buffer is moved to free bytes of the specified session's
+ * wire buffer. The function assumes that the PROXYv2 signature is present
+ * and has been already checked by the caller (like `udp_recv` or `tcp_recv`). */
+ssize_t proxy_process_header(struct proxy_result *out, struct session *s,
+ const void *buf, ssize_t nread); |
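Review bot: The doc comment on `proxy_process_header` never says what its `ssize_t` return value means, although this is the function that parses bytes received from the network and its callers (`udp_recv`/`tcp_recv` per the comment) must know how a malformed or truncated header is reported versus a successfully consumed one. Add a sentence such as `* @return number of header bytes consumed on success, or a negative value if the header is malformed or incomplete (out and the session wire buffer are then unspecified).`, adjusted to whatever the implementation in proxyv2.c actually guarantees, and state whether `out` is fully initialized on the LOCAL command path. Similarly, `proxy_allowed` should say that `true` means the header will be honoured for `saddr`, since it is the only gate between an arbitrary peer and spoofed `src_addr` values. As a smaller point, `proxy_header_present` uses `bool`, `ssize_t` and `memcmp` but the header only includes `<stdint.h>` directly; presumably they arrive through `lib/utils.h`, but including `<stdbool.h>`, `<string.h>` and `<sys/types.h>` explicitly would keep the header self-contained, and `const void* buf` should follow the file's `const void *buf` spacing.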