Add support for negated addresses

Static addresses can now be negated by prefixing them with the '!' operator. Negated addresses will be loaded into the configured pf tables immediately when pfresolved starts and will prevent the pf tables from matching these addresses. If a host resolves to such an address it will just reference the negated address internally, preventing the resolved address from being added to the pf table in the non-negated form.
genua · Jan 25, 2024 · bbee688 · bbee688
1 parent 48bd288
commit bbee688
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 6 deletions.
diff --git a/Changes b/Changes
@@ -1,6 +1,7 @@
 Revision history for pfresolved pf table DNS update daemon
 
 1.01
+  * Add support for negated addresses.
 
 1.00 2023-11-24
   * Initial public release.
diff --git a/parse.y b/parse.y
@@ -85,7 +85,7 @@ static struct pfresolved_table	*cur_table = NULL;
 int				 add_table_value(struct pfresolved_table *,
 				     const char *);
 int				 add_static_address(struct pfresolved_table *,
-				     const char *);
+				     const char *, int);
 int				 add_host(struct pfresolved_table *,
 				     const char *);
 struct pfresolved_table		*table_lookup_or_create(const char *);
@@ -166,6 +166,15 @@ table_values	: /* empty */
 			}
 			free($2);
 		}
+		| table_values '!' table_value optcomma optnl
+		{
+			if (add_static_address(cur_table, $3, 1) == -1) {
+				yyerror("add_static_address failed");
+				free($3);
+				YYERROR;
+			}
+			free($3);
+		}
 		;
 
 table_name	: STRING
@@ -728,15 +737,15 @@ add_table_value(struct pfresolved_table *table, const char *value)
 	if (!table)
 		return (-1);
 
-	if (add_static_address(table, value) == -1 &&
+	if (add_static_address(table, value, 0) == -1 &&
 	    add_host(table, value) == -1)
 		return (-1);
 
 	return (0);
 }
 
 int
-add_static_address(struct pfresolved_table *table, const char *value)
+add_static_address(struct pfresolved_table *table, const char *value, int negate)
 {
 	struct pfresolved_table_entry	*entry, *old;
 	struct in_addr			 in4;
@@ -750,12 +759,22 @@ add_static_address(struct pfresolved_table *table, const char *value)
 		fatal("%s: calloc", __func__);
 
 	if ((bits = inet_net_pton(AF_INET, value, &in4, sizeof(in4))) != -1) {
+		if (negate && bits != 32) {
+			yyerror("negation is not allowed for networks");
+			free(entry);
+			return (-1);
+		}
 		applymask4(&in4, bits);
 		entry->pfte_addr.pfa_af = AF_INET;
 		entry->pfte_addr.pfa_addr.in4 = in4;
 		entry->pfte_addr.pfa_prefixlen = bits;
 	} else if ((bits = inet_net_pton(AF_INET6, value, &in6,
 	    sizeof(in6))) != -1) {
+		if (negate && bits != 128) {
+			yyerror("negation is not allowed for networks");
+			free(entry);
+			return (-1);
+		}
 		applymask6(&in6, bits);
 		entry->pfte_addr.pfa_af = AF_INET6;
 		entry->pfte_addr.pfa_addr.in6 = in6;
@@ -766,12 +785,19 @@ add_static_address(struct pfresolved_table *table, const char *value)
 	}
 
 	entry->pfte_static = 1;
+	entry->pfte_negate = negate;
 
 	old = RB_INSERT(pfresolved_table_entries, &table->pft_entries, entry);
 	if (old) {
 		free(entry);
-		log_warn("duplicate entry in config: %s %s", table->pft_name,
-		    value);
+		if (old->pfte_negate != negate) {
+			yyerror("the same address cannot be specified in normal"
+			    " and negated form");
+			return (-1);
+		} else {
+			log_warn("duplicate entry in config: %s %s",
+			    table->pft_name, value);
+		}
 	}
 	return (0);
 }

diff --git a/pfresolved.conf.5 b/pfresolved.conf.5
@@ -86,9 +86,12 @@ it will be created by
 A list of hostnames that should be resolved by
 .Xr pfresolved 8
 for the specified table.
-The list can also contain IP addresses.
+The list can also contain IP addresses and networks.
 These will be directly added to the table when the configuration
 file is loaded.
+IP addresses can also be negated by prefixing them with the
+.Cm !\&
+operator.
 Entries in the list may be separated by comma or newline.
 .El
 .Sh EXAMPLES
@@ -99,6 +102,7 @@ myTable2 {
 	example.net
 	example.org
 	198.51.100.0
+	! 198.51.100.1
 	include "/list/with/hosts"
 }
 .Ed

diff --git a/pfresolved.h b/pfresolved.h
@@ -181,6 +181,7 @@ struct pfresolved_address {
 struct pfresolved_table_entry {
 	struct pfresolved_address		 pfte_addr;
 	int					 pfte_static;
+	int					 pfte_negate;
 	int					 pfte_refcount;
 	RB_ENTRY(pfresolved_table_entry)	 pfte_node;
 };

diff --git a/pftable.c b/pftable.c
@@ -51,6 +51,7 @@ pftable_set_addresses(struct pfresolved *env, struct pfresolved_table *table)
 			buffer[count].pfra_ip6addr = entry->pfte_addr.pfa_addr.in6;
 		}
 		buffer[count].pfra_net = entry->pfte_addr.pfa_prefixlen;
+		buffer[count].pfra_not = entry->pfte_negate;
 		count++;
 	}