[dnsdist] SuffixMatchNode() is not dynamic for rules...
bert hubert
bert.hubert at powerdns.com
Sat Feb 20 08:35:25 UTC 2016
On Fri, Feb 19, 2016 at 04:46:17PM -0800, gregc at olypensupport.com wrote:
> You must delete the rule, and re-add it.
> rmRule(<rule number>);
> addAction(SuffixMatchNodeRule(BlockedDomains), DropAction());
> Is this expected behavior?
It actually is, and for a good reason. Within dnsdist, the rules are by
default 'Lua-free', so they execute all in C++. If you want you can add Lua
rules and Lua actions, of course, but mostly this is not the case.
This means that the rules have to do their own thing, independent of Lua.
Therefore, the rules contain their own *copy* of BlockedDomains, and not a
reference to anything that might also live on the Lua side. The rules are
protected by a 'GlobalStateHolder' as described on
http://bert-hubert.blogspot.nl/2015/03/some-notes-on-sharedptr-atomicity-and.html
and are therefore completely lock free.
If we did a reference there, which we could do, we would have to protect it
with a lock against concurrent changes coming from Lua. This would of course
be fun, but it would also slow down against the more common case of NOT
having a "moving blocklist".
Alternatively, you can implement this yourself with a LuaRule that would
actually respond 'live' to your own SuffixMatchNode.
Would that work for you?
> Also it appears we are missing “NetmaskGroupRule()” function.
makeRule() is doing that as a hobby. But for consistency, this would be
great to have.
Could you make a ticket to remind us of that at
https://github.com/powerdns/pdns/issues ?
Thanks!
Bert
More information about the dnsdist
mailing list