Add support to filter sub-domains as well

2020-04-15 09:59:59 +02:00
parent 55e4ae3be1
commit 86a449a619
5 changed files with 107 additions and 15 deletions
--- a/profile/config.go
+++ b/profile/config.go
@@ -27,6 +27,9 @@ var (
 	CfgOptionFilterListKey = "filter/lists"
 	cfgOptionFilterLists   config.StringArrayOption

+	CfgOptionFilterSubDomainsKey = "filter/includeSubdomains"
+	cfgOptionFilterSubDomains    config.IntOption // security level option
+
 	CfgOptionBlockScopeLocalKey = "filter/blockLocal"
 	cfgOptionBlockScopeLocal    config.IntOption // security level option

@@ -155,6 +158,21 @@ Examples:
 	cfgOptionFilterLists = config.Concurrent.GetAsStringArray(CfgOptionFilterListKey, []string{})
 	cfgStringArrayOptions[CfgOptionFilterListKey] = cfgOptionFilterLists

+	err = config.Register(&config.Option{
+		Name:            "Filter SubDomains",
+		Key:             CfgOptionFilterSubDomainsKey,
+		Description:     "Also filter sub-domains if a parent domain is blocked by a filter list",
+		OptType:         config.OptTypeInt,
+		ExternalOptType: "security level",
+		DefaultValue:    status.SecurityLevelOff,
+		ValidationRegex: "^(0|4|6|7)$",
+	})
+	if err != nil {
+		return err
+	}
+	cfgOptionFilterSubDomains = config.Concurrent.GetAsInt(CfgOptionFilterSubDomainsKey, int64(status.SecurityLevelOff))
+	cfgIntOptions[CfgOptionFilterSubDomainsKey] = cfgOptionFilterSubDomains
+
 	// Block Scope Local
 	err = config.Register(&config.Option{
 		Name:            "Block Scope Local",
--- a/profile/profile-layered.go
+++ b/profile/profile-layered.go
@@ -42,6 +42,7 @@ type LayeredProfile struct {
 	EnforceSPN          config.BoolOption
 	RemoveOutOfScopeDNS config.BoolOption
 	RemoveBlockedDNS    config.BoolOption
+	FilterSubDomains    config.BoolOption
 }

 // NewLayeredProfile returns a new layered profile based on the given local profile.
@@ -93,6 +94,10 @@ func NewLayeredProfile(localProfile *Profile) *LayeredProfile {
 		CfgOptionRemoveBlockedDNSKey,
 		cfgOptionRemoveBlockedDNS,
 	)
+	new.FilterSubDomains = new.wrapSecurityLevelOption(
+		CfgOptionFilterSubDomainsKey,
+		cfgOptionFilterSubDomains,
+	)

 	// TODO: load linked profiles.

@@ -220,6 +225,8 @@ func (lp *LayeredProfile) MatchServiceEndpoint(entity *intel.Entity) (result end
 // MatchFilterLists matches the entity against the set of filter
 // lists.
 func (lp *LayeredProfile) MatchFilterLists(entity *intel.Entity) (result endpoints.EPResult, reason string) {
+	entity.ResolveSubDomainLists(lp.FilterSubDomains())
+
 	lookupMap, hasLists := entity.GetListsMap()
 	if !hasLists {
 		return endpoints.NoMatch, ""