"Number of queries dropped because of the ACL"
::= { stats 4 }
-blockFilters OBJECT-TYPE
- SYNTAX Counter64
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of queries dropped because of the block filters"
- ::= { stats 5 }
+-- stats 5 was a BlockFilter Counter, removed in 1.2.0
ruleDrop OBJECT-TYPE
SYNTAX Counter64
responses,
servfailResponses,
aclDrops,
- blockFilters,
ruleDrop,
ruleNXDomain,
ruleRefused,
static const oid responsesOID[] = { DNSDIST_STATS_OID, 2 };
static const oid servfailResponsesOID[] = { DNSDIST_STATS_OID, 3 };
static const oid aclDropsOID[] = { DNSDIST_STATS_OID, 4 };
-static const oid blockFilterOID[] = { DNSDIST_STATS_OID, 5 };
+// 5 was BlockFilter, removed in 1.2.0
static const oid ruleDropOID[] = { DNSDIST_STATS_OID, 6 };
static const oid ruleNXDomainOID[] = { DNSDIST_STATS_OID, 7 };
static const oid ruleRefusedOID[] = { DNSDIST_STATS_OID, 8 };
registerCounter64Stat("responses", responsesOID, OID_LENGTH(responsesOID), &g_stats.responses);
registerCounter64Stat("servfailResponses", servfailResponsesOID, OID_LENGTH(servfailResponsesOID), &g_stats.servfailResponses);
registerCounter64Stat("aclDrops", aclDropsOID, OID_LENGTH(aclDropsOID), &g_stats.aclDrops);
- registerCounter64Stat("blockFilter", blockFilterOID, OID_LENGTH(blockFilterOID), &g_stats.blockFilter);
registerCounter64Stat("ruleDrop", ruleDropOID, OID_LENGTH(ruleDropOID), &g_stats.ruleDrop);
registerCounter64Stat("ruleNXDomain", ruleNXDomainOID, OID_LENGTH(ruleNXDomainOID), &g_stats.ruleNXDomain);
registerCounter64Stat("ruleRefused", ruleRefusedOID, OID_LENGTH(ruleRefusedOID), &g_stats.ruleRefused);
from that point on */
bool outstanding = false;
- blockfilter_t blockFilter = 0;
time_t lastTCPCleanup = time(nullptr);
- {
- std::lock_guard<std::mutex> lock(g_luamutex);
- auto candidate = g_lua.readVariable<boost::optional<blockfilter_t> >("blockFilter");
- if(candidate)
- blockFilter = *candidate;
- }
auto localPolicy = g_policy.getLocal();
auto localRulactions = g_rulactions.getLocal();
gettime(&now);
gettime(&queryRealTime, true);
- if (!processQuery(localDynBlockNMG, localDynBlockSMT, localRulactions, blockFilter, dq, poolname, &delayMsec, now)) {
+ if (!processQuery(localDynBlockNMG, localDynBlockSMT, localRulactions, dq, poolname, &delayMsec, now)) {
goto drop;
}
bool processQuery(LocalStateHolder<NetmaskTree<DynBlock> >& localDynNMGBlock,
LocalStateHolder<SuffixMatchTree<DynBlock> >& localDynSMTBlock,
- LocalStateHolder<vector<pair<std::shared_ptr<DNSRule>, std::shared_ptr<DNSAction> > > >& localRulactions, blockfilter_t blockFilter, DNSQuestion& dq, string& poolname, int* delayMsec, const struct timespec& now)
+ LocalStateHolder<vector<pair<std::shared_ptr<DNSRule>, std::shared_ptr<DNSAction> > > >& localRulactions, DNSQuestion& dq, string& poolname, int* delayMsec, const struct timespec& now)
{
{
WriteLock wl(&g_rings.queryLock);
}
}
- if(blockFilter) {
- std::lock_guard<std::mutex> lock(g_luamutex);
-
- if(blockFilter(&dq)) {
- g_stats.blockFilter++;
- return false;
- }
- }
-
DNSAction::Action action=DNSAction::Action::None;
string ruleresult;
for(const auto& lr : *localRulactions) {
boost::uuids::random_generator uuidGenerator;
#endif
- blockfilter_t blockFilter = 0;
- {
- std::lock_guard<std::mutex> lock(g_luamutex);
- auto candidate = g_lua.readVariable<boost::optional<blockfilter_t> >("blockFilter");
- if(candidate)
- blockFilter = *candidate;
- }
auto acl = g_ACL.getLocal();
auto localPolicy = g_policy.getLocal();
auto localRulactions = g_rulactions.getLocal();
gettime(&now);
gettime(&realTime, true);
- if (!processQuery(localDynNMGBlock, localDynSMTBlock, localRulactions, blockFilter, dq, poolname, &delayMsec, now))
+ if (!processQuery(localDynNMGBlock, localDynSMTBlock, localRulactions, dq, poolname, &delayMsec, now))
{
continue;
}
stat_t rdQueries{0};
stat_t emptyQueries{0};
stat_t aclDrops{0};
- stat_t blockFilter{0};
stat_t dynBlocked{0};
stat_t ruleDrop{0};
stat_t ruleNXDomain{0};
{"servfail-responses", &servfailResponses},
{"queries", &queries},
{"acl-drops", &aclDrops},
- {"block-filter", &blockFilter},
{"rule-drop", &ruleDrop},
{"rule-nxdomain", &ruleNXDomain},
{"rule-refused", &ruleRefused},
};
using servers_t =vector<std::shared_ptr<DownstreamState>>;
-typedef std::function<bool(const DNSQuestion*)> blockfilter_t;
template <class T> using NumberedVector = std::vector<std::pair<unsigned int, T> >;
void* responderThread(std::shared_ptr<DownstreamState> state);
bool responseContentMatches(const char* response, const uint16_t responseLen, const DNSName& qname, const uint16_t qtype, const uint16_t qclass, const ComboAddress& remote);
bool processQuery(LocalStateHolder<NetmaskTree<DynBlock> >& localDynBlockNMG,
- LocalStateHolder<SuffixMatchTree<DynBlock> >& localDynBlockSMT, LocalStateHolder<vector<pair<std::shared_ptr<DNSRule>, std::shared_ptr<DNSAction> > > >& localRulactions, blockfilter_t blockFilter, DNSQuestion& dq, string& poolname, int* delayMsec, const struct timespec& now);
+ LocalStateHolder<SuffixMatchTree<DynBlock> >& localDynBlockSMT, LocalStateHolder<vector<pair<std::shared_ptr<DNSRule>, std::shared_ptr<DNSAction> > > >& localRulactions, DNSQuestion& dq, string& poolname, int* delayMsec, const struct timespec& now);
bool processResponse(LocalStateHolder<vector<pair<std::shared_ptr<DNSRule>, std::shared_ptr<DNSResponseAction> > > >& localRespRulactions, DNSResponse& dr, int* delayMsec);
bool fixUpResponse(char** response, uint16_t* responseLen, size_t* responseSize, const DNSName& qname, uint16_t origFlags, bool ednsAdded, bool ecsAdded, std::vector<uint8_t>& rewrittenResponse, uint16_t addRoom);
void restoreFlags(struct dnsheader* dh, uint16_t origFlags);
print(string.format("Have %d entries in truncate NMG", truncateNMG:size()))
--- we define a Lua function named blockFilter, which is automatically called
--- when a query is received
--- this example reply with TC=1 for ANY queries, and for queries coming from
--- the specified subnets
--- it also blocks (by returning true) queries for "*.powerdns.org."
-function blockFilter(dq)
- print(string.format("Got query from %s, (%s) port number: %d", dq.remoteaddr:toString(), dq.remoteaddr:toStringWithPort(), dq.remoteaddr:getPort()))
- if(dq.qtype==dnsdist.ANY or truncateNMG:match(dq.remoteaddr))
- then
--- print("any query, tc=1")
- dq.dh:setTC(true)
- dq.dh:setQR(true)
- end
-
- if(dq.qname:isPartOf(block))
- then
- print("Blocking *.powerdns.org")
- return true
- end
- return false
-end
-
--- this is how you disable a filter
-blockFilter = nil
-
-
-- called to pick a downstream server, ignores 'up' status
counter=0
function luaroundrobin(servers, dq)
self.assertEquals(entry['type'], 'StatisticItem')
values[entry['name']] = entry['value']
- expected = ['responses', 'servfail-responses', 'queries', 'acl-drops', 'block-filter',
+ expected = ['responses', 'servfail-responses', 'queries', 'acl-drops',
'rule-drop', 'rule-nxdomain', 'rule-refused', 'self-answered', 'downstream-timeouts',
'downstream-send-errors', 'trunc-failures', 'no-policy', 'latency0-1',
'latency1-10', 'latency10-50', 'latency50-100', 'latency100-1000',
self.assertTrue(r.json())
content = r.json()
- expected = ['responses', 'servfail-responses', 'queries', 'acl-drops', 'block-filter',
+ expected = ['responses', 'servfail-responses', 'queries', 'acl-drops',
'rule-drop', 'rule-nxdomain', 'rule-refused', 'self-answered', 'downstream-timeouts',
'downstream-send-errors', 'trunc-failures', 'no-policy', 'latency0-1',
'latency1-10', 'latency10-50', 'latency50-100', 'latency100-1000',
addAction(AndRule({QTypeRule(dnsdist.A),QNameRule("ds9a.nl")}), SpoofAction("1.2.3.4"))
addAction(newDNSName("dnsname.addaction.powerdns.com."), RCodeAction(dnsdist.REFUSED))
addAction({newDNSName("dnsname-table1.addaction.powerdns.com."), newDNSName("dnsname-table2.addaction.powerdns.com.")}, RCodeAction(dnsdist.REFUSED))
- block=newDNSName("powerdns.org.")
- function blockFilter(dq)
- if(dq.qname:isPartOf(block))
- then
- print("Blocking *.powerdns.org")
- return true
- end
- return false
- end
"""
def testDropped(self):
(_, receivedResponse) = self.sendTCPQuery(query, response=None, useQueue=False)
self.assertEquals(receivedResponse, None)
- def testBlockedA(self):
- """
- Basics: Blocked A query
-
- Send an A query for the powerdns.org domain,
- which is blocked by configuration. We expect
- no response.
- """
- name = 'blockeda.tests.powerdns.org.'
- query = dns.message.make_query(name, 'A', 'IN')
- (_, receivedResponse) = self.sendUDPQuery(query, response=None, useQueue=False)
- self.assertEquals(receivedResponse, None)
-
- (_, receivedResponse) = self.sendTCPQuery(query, response=None, useQueue=False)
- self.assertEquals(receivedResponse, None)
-
def testAWithECS(self):
"""
Basics: A query with an ECS value
mySMN:add(newDNSName("nameAndQtype.tests.powerdns.com."))
addAction(AndRule{SuffixMatchNodeRule(mySMN), QTypeRule("TXT")}, RCodeAction(dnsdist.NOTIMP))
addAction(makeRule("drop.test.powerdns.com."), DropAction())
- block=newDNSName("powerdns.org.")
- function blockFilter(dq)
- if(dq.qname:isPartOf(block))
- then
- print("Blocking *.powerdns.org")
- return true
- end
- return false
- end
"""
self.tryDNSDist(configTemplate)
"""
def _checkStatsValues(self, results, queriesCountersValue):
- for i in range(1, 20) + range(24, 35) + [ 35 ] :
+ for i in range(1, 5) + range(6, 20) + range(24, 35) + [ 35 ] :
oid = self._snmpOID + '.1.' + str(i) + '.0'
self.assertTrue(oid in results)
self.assertTrue(isinstance(results[oid], Counter64))
self.assertEquals(results[oid], queriesCountersValue)
# the others counters (except for latency ones) should still be at 0
- for i in range(3, 14) + [26, 27, 29, 30, 31, 35, 36]:
+ for i in range(3, 5) + range(6, 14) + [26, 27, 29, 30, 31, 35, 36]:
oid = self._snmpOID + '.1.' + str(i) + '.0'
self.assertEquals(results[oid], 0)
projects / pdns / commitdiff