Skip to content
Snippets Groups Projects
Select Git revision
  • kdig_dnssec_valid
  • redis
  • master default protected
  • ctl_sockets_multi
  • redis_squashed
  • 3.4 protected
  • onlinesign_interference
  • zone_load_from_dir
  • redis-tls
  • incr_decr_as_in_c
  • python_libknot_api_doc
  • tests_socket_starting_dv
  • 3.3 protected
  • doc_backup_members
  • kxdpgun_latency
  • dbg_dname_v3.4.1
  • status_frozen_fix
  • memsan_fixes
  • gcc_warnings
  • dbg_log_events
  • v3.4.5 protected
  • v3.4.4 protected
  • v3.3.10 protected
  • v3.4.3 protected
  • v3.4.2 protected
  • v3.4.1 protected
  • v3.5.dev protected
  • v3.4.0 protected
  • v3.3.9 protected
  • v3.3.8 protected
  • v3.2.13 protected
  • v3.3.7 protected
  • v3.3.6 protected
  • v3.3.5 protected
  • v3.3.4 protected
  • v3.2.12 protected
  • v3.3.3 protected
  • v3.2.11 protected
  • v3.3.2 protected
  • v3.2.10 protected
40 results
Search by author
  • Any Author
  • Aleš Mrázek Aleš Mrázek amrazek
  • Daniel Salzman Daniel Salzman dsalzman
  • David Vasek David Vasek dvasek
  • Frantisek Tobias Frantisek Tobias ftobias
  • Hynek Šabacký Hynek Šabacký hsabacky
  • Jakub Ružička Jakub Ružička jruzicka
  • Jan Doskočil Jan Doskočil jan.doskocil
  • Jan Hák Jan Hák jhak
  • Ladislav Lhotka Ladislav Lhotka llhotka
  • Libor Peltan Libor Peltan lpeltan
  • Lukáš Ondráček Lukáš Ondráček londracek
  • Petr Špaček Petr Špaček isc-pspacek
  • Robert Edmonds Robert Edmonds edmonds
  • Štěpán Balážik Štěpán Balážik sbalazik
  • Tomas Krizek Tomas Krizek tkrizek
  • Vaclav Sraier Vaclav Sraier vsraier
  • Vladimír Čunát Vladimír Čunát vcunat
17 authors
  1. Jul 01, 2022
    • Robert Edmonds's avatar
      Support haproxy PROXY v2 protocol on incoming UDP packets · 4c394545
      Robert Edmonds authored and Daniel Salzman's avatar Daniel Salzman committed 
      This commit adds minimal support for the haproxy PROXY v2 protocol which
is described at
https://www.haproxy.org/download/2.5/doc/proxy-protocol.txt.

Only the UDP-over-IPv4 and UDP-over-IPv6 PROXY v2 family/transports are
supported, and only the original source address/port of the proxied
client are recovered from the PROXY v2 payload. Only the PROXY command
is supported.

There is a hardcoded ACL check to verify that the query was sent from
127.0.0.0/8 before PROXY v2 decapsulation is attempted. This prevents
spoofing of the PROXY v2 header and avoids exposing the PROXY v2 parsing
code to the Internet. This should probably be converted to a real ACL
check that can be configured.

If a proxied client address/port was successfully extracted from the
PROXY v2 payload, the 'remote' field in the knotd_qdata_params_t
structure will be updated to represent the address of the real (proxied)
client. This way query modules (e.g. whoami) don't need to be updated to
continue to produce correct source address dependent behavior. The
address of the proxy that actually sent the proxied packet will be saved
in a new 'proxy' field in knotd_qdata_params_t in case this value needs
to be processed.

The 'sdig' utility that comes with PowerDNS supports generating queries
with a PROXY v2 header, which is in the 'pdns-tools' package on
Debian/Ubuntu systems. Example command-line invocations:

 * sdig 127.0.0.1 53053 example.net a proxy 0 192.0.2.1:49153 198.51.100.1:53

 * sdig 127.0.0.1 53053 example.net a proxy 0 '[2001:db8::1]:49153' '[2001:db8::100:1]:53'
      4c394545
  3. Jun 29, 2022
  5. Jun 28, 2022
  7. Jun 27, 2022
  9. Jun 24, 2022
  11. Jun 22, 2022
  13. Jun 21, 2022