bugfixes in dns and ACL

acl/acl.go

@@ -35,11 +35,11 @@ type ConnInfo struct {
 	Decision
 }
 
-type ByPriority []*ACL
+type ByPriority []ACL
 
 func (a ByPriority) Len() int           { return len(a) }
 func (a ByPriority) Swap(i, j int)      { a[i], a[j] = a[j], a[i] }
-func (a ByPriority) Less(i, j int) bool { return (*a[i]).Priority() < (*a[j]).Priority() }
+func (a ByPriority) Less(i, j int) bool { return a[i].Priority() < a[j].Priority() }
 
 type ACL interface {
 	Decide(*ConnInfo) error
@@ -49,8 +49,8 @@ type ACL interface {
 }
 
 // StartACLs starts all the ACLs that have been configured and registered
-func StartACLs(log *slog.Logger, k *koanf.Koanf) ([]*ACL, error) {
-	var a []*ACL
+func StartACLs(log *slog.Logger, k *koanf.Koanf) ([]ACL, error) {
+	var a []ACL
 	aclK := k.Cut("acl")
 	for _, acl := range availableACLs {
 		// cut each konaf based on the name of the ACL
@@ -61,19 +61,23 @@ func StartACLs(log *slog.Logger, k *koanf.Koanf) ([]*ACL, error) {
 		l := slog.New(log.Handler().WithAttrs([]slog.Attr{{Key: "service", Value: slog.StringValue((acl).Name())}}))
 		// we pass the full config to each ACL so that they can cut it themselves. it's needed for some ACLs that need
 		// to read the config of other ACLs or the global config
-		if err := (acl).ConfigAndStart(l, k); err != nil {
+		if err := acl.ConfigAndStart(l, k); err != nil {
+			log.Warn("failed to start ACL", "name", (acl).Name(), "err", err)
 			return a, err
 		}
-		a = append(a, &acl)
+		a = append(a, acl)
+		log.Info("started ACL", "name", (acl).Name())
+		fmt.Printf("%+v\n", a)
+
 	}
 	return a, nil
 }
 
 // MakeDecision loops through all the ACLs and makes a decision for the connection
-func MakeDecision(c *ConnInfo, a []*ACL) error {
+func MakeDecision(c *ConnInfo, a []ACL) error {
 	sort.Sort(ByPriority(a))
 	for _, acl := range a {
-		if err := (*acl).Decide(c); err != nil {
+		if err := acl.Decide(c); err != nil {
 			return err
 		}
 	}

acl/domain.go

@@ -139,14 +139,16 @@ func (d *domain) LoadDomainsCSVWorker() {
 
 // implement domain as an ACL interface
 func (d domain) Decide(c *ConnInfo) error {
-	// true means skip
+
 	if c.Decision == Reject {
 		c.DstIP = net.TCPAddr{IP: net.IPv4zero, Port: 0}
 		return nil
 	}
 	if d.inDomainList(c.Domain) {
+		d.logger.Debug("domain not going through proxy", "domain", c.Domain)
 		c.Decision = OriginIP
 	} else {
+		d.logger.Debug("domain going through proxy", "domain", c.Domain)
 		c.Decision = ProxyIP
 	}
 	return nil

acl/override.go

@@ -109,7 +109,7 @@ func (o *override) ConfigAndStart(logger *slog.Logger, c *koanf.Koanf) error {
 		}
 		dohConfig.Cert = o.tlsCert
 		dohConfig.Key = o.tlsKey
-		dohConfig.Upstream = []string{DNSBind}
+		dohConfig.Upstream = []string{fmt.Sprintf("udp:%s", DNSBind)}
 		dohS, err := dohserver.NewServer(dohConfig)
 		if err != nil {
 			return err

dns.go

@@ -55,7 +55,7 @@ func (dnsc *DNSClient) performExternalAQuery(fqdn string, QType uint16) ([]dns.R
 func processQuestion(q dns.Question, decision acl.Decision) ([]dns.RR, error) {
 	c.recievedDNS.Inc(1)
 	// Check to see if we should respond with our own IP
-	if decision == acl.ProxyIP || decision == acl.Accept || decision == acl.Override {
+	if decision == acl.ProxyIP || decision == acl.Override {
 		// Return the public IP.
 		c.proxiedDNS.Inc(1)
 		dnslog.Info("returned sniproxy address for domain", "fqdn", q.Name)

main.go

@@ -50,7 +50,7 @@ type runConfig struct {
 	Interface       string `yaml:"interface"`
 	BindPrometheus  string `yaml:"bind_prometheus"`
 
-	acl []*acl.ACL
+	acl []acl.ACL
 
 	dnsClient  DNSClient
 	dialer     proxy.Dialer