authorVladimír Čunát <vladimir.cunat@nic.cz>2023-05-24 16:09:13 +0200
committerVladimír Čunát <vladimir.cunat@nic.cz>2023-06-12 10:32:57 +0200
commit449a0bab092322ae36d695f376b06840590233fc (patch)
tree042c9b878dcd105f3406b1032e7837b2bc3c5396 /modules
parentlib/rules: implement forwarding (diff)
downloadknot-resolver-449a0bab092322ae36d695f376b06840590233fc.tar.xz
knot-resolver-449a0bab092322ae36d695f376b06840590233fc.zip
lib/rules forwarding: per-IP .tls
We planned it that way for the new config schema - and, why not.
Diffstat (limited to 'modules')
-rw-r--r--modules/policy/policy.lua25
1 files changed, 13 insertions, 12 deletions
diff --git a/modules/policy/policy.lua b/modules/policy/policy.lua
index b4030375..443fc0b0 100644
--- a/modules/policy/policy.lua
+++ b/modules/policy/policy.lua
@@ -863,24 +863,25 @@ Throws lua exceptions when detecting something fishy.
\param subtree plain string
\param options
.auth targets are authoritative (false by default = resolver)
- .tls use DoT (false by default, only for resolvers)
.dnssec if overridden to false, don't validate DNSSEC locally
- for resolvers we still do *not* send CD=1 upstream,
i.e. we trust their DNSSEC validation.
- for auths this inserts a negative trust anchor
Beware that setting .set_insecure() *later* would override that.
-\param targets same format as policy.TLS_FORWARD()
+\param targets same format as policy.TLS_FORWARD() except that `tls = true`
+ can be specified for each address (defaults to false)
--]]
function policy.rule_forward_add(subtree, options, targets)
- local port_default = 53
- if options.tls or false then
- port_default = 853
- -- lots of code; easiest to just call it this way; checks and throws
- policy.TLS_FORWARD(targets)
- end
-
local targets_2 = {}
for _, target in ipairs(targets) do
+ local port_default = 53
+ if target.tls or false then
+ port_default = 853
+ -- lots of code; easiest to just call it this way; checks and throws
+ -- The extra .tls field gets ignored.
+ policy.TLS_FORWARD({target})
+ end
+
-- this also throws on failure
local sock = addr2sock(target[1], port_default)
if options.auth then
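Review bot: A caller still passing the old `options.tls = true` (its documentation and its use are removed in this hunk) now gets every target forwarded in cleartext on port 53 with no error, because the field is simply never read any more; since the function's header promises to throw when it detects something fishy, the stale key should be rejected rather than ignored, e.g. at the top of the body: `if options.tls ~= nil then error('options.tls was removed; set tls = true on each target instead') end`. The same concern applies to a target whose `tls` field is misspelt, but that is pre-existing and harder to check generically. As a point of style, `if target.tls or false then` can be written `if target.tls then` — the `or false` has no effect on the branch. rule_forward_add continues past the end of this hunk, including the kr_rule_forward call where the flags table is built.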
@@ -894,9 +895,9 @@ function policy.rule_forward_add(subtree, options, targets)
local subtree_dname = todname(subtree)
assert(ffi.C.kr_rule_forward(subtree_dname,
- { is_tcp = options.tls
- , is_nods = options.dnssec == false
- , is_auth = options.auth
+ {
+ is_nods = options.dnssec == false,
+ is_auth = options.auth,
},
targets_3
) == 0)