From bde7b866604a48787a753075785581de905195e2 Mon Sep 17 00:00:00 2001
From: Clinton Ebadi
Date: Fri, 20 Apr 2018 00:02:07 -0400
Subject: [PATCH] fwtool: fix dns lookups

dig +short actually returns the ip with any cname, recursion bit was wrong.
---
 src/plugins/firewall.sml | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/src/plugins/firewall.sml b/src/plugins/firewall.sml
index 1131f20..5d2155c 100644
--- a/src/plugins/firewall.sml
+++ b/src/plugins/firewall.sml
@@ -88,6 +88,9 @@ fun query (node, uname) =
     (List.filter (fn (User u, FirewallNode n, _) => u = uname andalso n = node) rules)
     end
 
+fun validIp (ip, ipv6) = (case ipv6 of FwIPv6 => Domain.validIpv6 ip
+                                   | FwIPv4 => Domain.validIp ip)
+
 fun dnsExists dnsRR dnsRecord =
     let
         val dnsRR_string = case dnsRR of
@@ -97,19 +100,15 @@ fun dnsExists dnsRR dnsRecord =
         (* timeout chosen arbitrarilty, shorter is better if it's reliable *)
         (* dig outputs true even if the lookup fails, but no output in short mode should work *)
         case Slave.runOutput (Config.Firewall.dig, ["+short", "+timeout=3", "-t", dnsRR_string, dnsRecord]) of
-            (_, SOME s) => (case Domain.validDomain (substring (s, 0, size s - 2)) of (* delete trailing . from cname *)
-                               true => dnsExists dnsRR s (* dig will return CNAME, must recurse *)
-                             | false => true) (* maybe also double check ip? use size s - 1 if so! *)
-
-          | (_, NONE) => false
+            (_, SOME s) => (validIp (List.last (String.tokens Char.isSpace s), dnsRR))
+          | (x, NONE) => false
     end
 
 fun fermVariable x = String.isPrefix "$" x
 
 fun filterHosts (hosts, ipv6) =
-    List.filter (fn host => fermVariable host
-                            orelse (case ipv6 of FwIPv6 => Domain.validIpv6 host
-                                               | FwIPv4 => Domain.validIp host)
-                            orelse dnsExists ipv6 host)
+    List.filter (fn host => (fermVariable host
+                             orelse validIp (host, ipv6)
+                             orelse dnsExists ipv6 host))
         hosts
 
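Review bot: The second parameter of the new `validIp (ip, ipv6)` is named like a boolean but holds the `FwIPv4`/`FwIPv6` family tag that the `case` dispatches on, which reads awkwardly at the call site `validIp (host, ipv6)`; `family` (or `rr`, matching the `dnsRR` name used in dnsExists) would say what it is. The helper also has no comment, while every sibling in the hunk does; a one-liner such as `(* validIp (addr, family): dispatches to Domain.validIp / Domain.validIpv6 on the FwIPv4 / FwIPv6 tag *)` above it would document the contract. The two call sites also disagree on shape, tupled `validIp (host, ipv6)` next to curried `dnsExists ipv6 host`, which is worth aligning while the helper is new.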
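Review bot: `List.last (String.tokens Char.isSpace s)` in the new `SOME s` branch raises `Empty` when dig's output has no tokens, so an empty answer becomes an uncaught exception instead of `false`. Whether that is reachable depends on whether Slave.runOutput maps empty stdout to NONE (that function is outside the hunk), but the comment two lines above explicitly names "no output in short mode" as the expected failure case, so the branch should be total: `(_, SOME s) => (case List.rev (String.tokens Char.isSpace s) of [] => false | addr :: _ => validIp (addr, dnsRR))`. The binding `x` in `| (x, NONE) => false` is unused and should be `_`. Since the strategy changed from recursing on CNAMEs to inspecting the last token, the `(* dig outputs true ... *)` comment no longer explains the code; something like `(* +short prints any CNAME chain before the address records, so only the final token needs to parse as an address of the requested family *)` would, and it also records that a dangling CNAME or dig's own error text now yields false (host dropped) rather than the old `| false => true` acceptance.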
@@ -217,7 +216,7 @@ fun generateFirewallConfig rules =
                 TextIO.output (tcp_inf, "proto tcp mod comment comment \"user:" ^ uname ^ "\" {\n");
                 TextIO.output (tcp_inf, concat lines);
                 TextIO.output (tcp_inf, "\n}\n\n")
-            end handle OS.SysErr _ => print "Invalid user in firewall config, skipping.\n" (* no sense in opening ports for bad users *)
+            end handle OS.SysErr _ => print ("Invalid user " ^ uname ^ " in firewall config, skipping.\n") (* no sense in opening ports for bad users *)
 
         fun writeUserOutRules tcp_outf (uname, lines) =
             let
@@ -226,7 +225,7 @@ fun generateFirewallConfig rules =
                 TextIO.output (tcp_outf, "mod owner uid-owner " ^ (Int.toString uid) ^ " mod comment comment \"user:" ^ uname ^ "\" proto tcp {\n");
                 TextIO.output (tcp_outf, concat lines);
                 TextIO.output (tcp_outf, "\nDROP;\n}\n\n")
-            end handle OS.SysErr _ => print "Invalid user in firewall config, skipping.\n"
+            end handle OS.SysErr _ => print ("Invalid user " ^ uname ^ " in firewall config, skipping.\n")
 
     in
         write_tcp_in_conf_preamble (users_tcp_in_conf);
-- 
2.20.1
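Review bot: `handle OS.SysErr _ =>` on the new line still discards the failure detail that `OS.SysErr` carries as its first component, so the log line names the user but not why the user was rejected; `handle OS.SysErr (msg, _) => print ("Invalid user " ^ uname ^ " in firewall config, skipping (" ^ msg ^ ").\n")` would make the skipped entry diagnosable from the log alone. The identical handler is now spelled out twice, here and in the `@@ -226,7 +225,7 @@` hunk of writeUserOutRules; a small local `fun skipInvalidUser uname msg = print (...)` beside the two helpers would keep the two messages from drifting. The "Invalid user" wording presumes the SysErr comes from the user lookup in the `let` bindings, which start outside the hunk, while the `end handle` covers the whole let…end, so any other OS.SysErr raised in the block would be logged under the same label; a comment such as `(* OS.SysErr here is expected only from the uid lookup *)` would state that assumption. Both enclosing functions start outside the hunk.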