{ "clearDynBlocks", true, "", "clear all dynamic blocks" },
{ "clearQueryCounters", true, "", "clears the query counter buffer" },
{ "clearRules", true, "", "remove all current rules" },
+ { "ContinueAction", true, "action", "execute the specified action and continue the processing of the remaining rules, regardless of the return of the action" },
{ "DelayAction", true, "milliseconds", "delay the response by the specified amount of milliseconds (UDP-only)" },
{ "DelayResponseAction", true, "milliseconds", "delay the response by the specified amount of milliseconds (UDP-only)" },
{ "delta", true, "", "shows all commands entered that changed the configuration" },
std::string d_value;
};
+class ContinueAction : public DNSAction
+{
+public:
+ ContinueAction(std::shared_ptr<DNSAction>& action): d_action(action)
+ {
+ }
+
+ DNSAction::Action operator()(DNSQuestion* dq, std::string* ruleresult) const override
+ {
+ if (d_action) {
+ /* call the action */
+ auto action = (*d_action)(dq, ruleresult);
+ bool drop = false;
+ /* apply the changes if needed (pool selection, flags, etc */
+ processRulesResult(action, *dq, *ruleresult, drop);
+ }
+
+ /* but ignore the resulting action no matter what */
+ return Action::None;
+ }
+
+ std::string toString() const override
+ {
+ if (d_action) {
+ return "continue after: " + (d_action ? d_action->toString() : "");
+ }
+ else {
+ return "no op";
+ }
+ }
+
+private:
+ std::shared_ptr<DNSAction> d_action;
+};
+
template<typename T, typename ActionT>
static void addAction(GlobalStateHolder<vector<T> > *someRulActions, luadnsrule_t var, std::shared_ptr<ActionT> action, boost::optional<luaruleparams_t> params) {
setLuaSideEffect();
g_lua.writeFunction("TagResponseAction", [](std::string tag, std::string value) {
return std::shared_ptr<DNSResponseAction>(new TagResponseAction(tag, value));
});
+
+ g_lua.writeFunction("ContinueAction", [](std::shared_ptr<DNSAction> action) {
+ return std::shared_ptr<DNSAction>(new ContinueAction(action));
+ });
}
}
}
-static bool applyRulesToQuery(LocalHolders& holders, DNSQuestion& dq, string& poolname, const struct timespec& now)
+bool processRulesResult(const DNSAction::Action& action, DNSQuestion& dq, std::string& ruleresult, bool& drop)
+{
+ switch(action) {
+ case DNSAction::Action::Allow:
+ return true;
+ break;
+ case DNSAction::Action::Drop:
+ ++g_stats.ruleDrop;
+ drop = true;
+ return true;
+ break;
+ case DNSAction::Action::Nxdomain:
+ dq.dh->rcode = RCode::NXDomain;
+ dq.dh->qr=true;
+ ++g_stats.ruleNXDomain;
+ return true;
+ break;
+ case DNSAction::Action::Refused:
+ dq.dh->rcode = RCode::Refused;
+ dq.dh->qr=true;
+ ++g_stats.ruleRefused;
+ return true;
+ break;
+ case DNSAction::Action::ServFail:
+ dq.dh->rcode = RCode::ServFail;
+ dq.dh->qr=true;
+ ++g_stats.ruleServFail;
+ return true;
+ break;
+ case DNSAction::Action::Spoof:
+ spoofResponseFromString(dq, ruleresult);
+ return true;
+ break;
+ case DNSAction::Action::Truncate:
+ dq.dh->tc = true;
+ dq.dh->qr = true;
+ return true;
+ break;
+ case DNSAction::Action::HeaderModify:
+ return true;
+ break;
+ case DNSAction::Action::Pool:
+ dq.poolname=ruleresult;
+ return true;
+ break;
+ case DNSAction::Action::NoRecurse:
+ dq.dh->rd = false;
+ return true;
+ break;
+ /* non-terminal actions follow */
+ case DNSAction::Action::Delay:
+ dq.delayMsec = static_cast<int>(pdns_stou(ruleresult)); // sorry
+ break;
+ case DNSAction::Action::None:
+ /* fall-through */
+ case DNSAction::Action::NoOp:
+ break;
+ }
+
+ /* false means that we don't stop the processing */
+ return false;
+}
+
+
+static bool applyRulesToQuery(LocalHolders& holders, DNSQuestion& dq, const struct timespec& now)
{
g_rings.insertQuery(now, *dq.remote, *dq.qname, dq.qtype, dq.len, *dq.dh);
DNSAction::Action action=DNSAction::Action::None;
string ruleresult;
+ bool drop = false;
for(const auto& lr : *holders.rulactions) {
if(lr.d_rule->matches(&dq)) {
lr.d_rule->d_matches++;
action=(*lr.d_action)(&dq, &ruleresult);
-
- switch(action) {
- case DNSAction::Action::Allow:
- return true;
- break;
- case DNSAction::Action::Drop:
- ++g_stats.ruleDrop;
- return false;
- break;
- case DNSAction::Action::Nxdomain:
- dq.dh->rcode = RCode::NXDomain;
- dq.dh->qr=true;
- ++g_stats.ruleNXDomain;
- return true;
- break;
- case DNSAction::Action::Refused:
- dq.dh->rcode = RCode::Refused;
- dq.dh->qr=true;
- ++g_stats.ruleRefused;
- return true;
- break;
- case DNSAction::Action::ServFail:
- dq.dh->rcode = RCode::ServFail;
- dq.dh->qr=true;
- ++g_stats.ruleServFail;
- return true;
- break;
- case DNSAction::Action::Spoof:
- spoofResponseFromString(dq, ruleresult);
- return true;
- break;
- case DNSAction::Action::Truncate:
- dq.dh->tc = true;
- dq.dh->qr = true;
- return true;
- break;
- case DNSAction::Action::HeaderModify:
- return true;
- break;
- case DNSAction::Action::Pool:
- poolname=ruleresult;
- return true;
- break;
- /* non-terminal actions follow */
- case DNSAction::Action::Delay:
- dq.delayMsec = static_cast<int>(pdns_stou(ruleresult)); // sorry
- break;
- case DNSAction::Action::None:
- /* fall-through */
- case DNSAction::Action::NoOp:
- break;
- case DNSAction::Action::NoRecurse:
- dq.dh->rd = false;
- return true;
+ if (processRulesResult(action, dq, ruleresult, drop)) {
break;
}
}
}
+ if (drop) {
+ return false;
+ }
+
return true;
}
struct timespec now;
gettime(&now);
- string poolname;
-
- if (!applyRulesToQuery(holders, dq, poolname, now)) {
+ if (!applyRulesToQuery(holders, dq, now)) {
return ProcessQueryResult::Drop;
}
return ProcessQueryResult::SendAnswer;
}
- std::shared_ptr<ServerPool> serverPool = getPool(*holders.pools, poolname);
+ std::shared_ptr<ServerPool> serverPool = getPool(*holders.pools, dq.poolname);
dq.packetCache = serverPool->packetCache;
auto policy = *(holders.policy);
if (serverPool->policy != nullptr) {
Netmask ecs;
boost::optional<Netmask> subnet;
std::string sni; /* Server Name Indication, if any (DoT or DoH) */
+ std::string poolname;
const DNSName* qname{nullptr};
const ComboAddress* local{nullptr};
const ComboAddress* remote{nullptr};
bool responseContentMatches(const char* response, const uint16_t responseLen, const DNSName& qname, const uint16_t qtype, const uint16_t qclass, const ComboAddress& remote, unsigned int& consumed);
bool processResponse(char** response, uint16_t* responseLen, size_t* responseSize, LocalStateHolder<vector<DNSDistResponseRuleAction> >& localRespRulactions, DNSResponse& dr, size_t addRoom, std::vector<uint8_t>& rewrittenResponse, bool muted);
+bool processRulesResult(const DNSAction::Action& action, DNSQuestion& dq, std::string& ruleresult, bool& drop);
bool checkQueryHeaders(const struct dnsheader* dh);
Let these packets go through.
+.. function:: ContinueAction(action)
+
+ Execute the specified action and override its return with None, making it possible to continue the processing.
+ Subsequent rules are processed after this action.
+
+ :param int action: Any other action
+
.. function:: DelayAction(milliseconds)
Delay the response by the specified amount of milliseconds (UDP-only).
Send the the current query to a remote logger as a :doc:`dnstap <reference/dnstap>` message.
``alterFunction`` is a callback, receiving a :class:`DNSQuestion` and a :class:`DnstapMessage`, that can be used to modify the message.
+ Subsequent rules are processed after this action.
:param string identity: Server identity to store in the dnstap message
:param logger: The :func:`FrameStreamLogger <newFrameStreamUnixLogger>` or :func:`RemoteLogger <newRemoteLogger>` object to write to
Send the the current response to a remote logger as a :doc:`dnstap <reference/dnstap>` message.
``alterFunction`` is a callback, receiving a :class:`DNSQuestion` and a :class:`DnstapMessage`, that can be used to modify the message.
+ Subsequent rules are processed after this action.
:param string identity: Server identity to store in the dnstap message
:param logger: The :func:`FrameStreamLogger <newFrameStreamUnixLogger>` or :func:`RemoteLogger <newRemoteLogger>` object to write to
``ipEncryptKey`` optional key added to the options table.
Send the content of this query to a remote logger via Protocol Buffer.
- ``alterFunction`` is a callback, receiving a :class:`DNSQuestion` and a :class:`DNSDistProtoBufMessage`, that can be used to modify the Protocol Buffer content, for example for anonymization purposes
+ ``alterFunction`` is a callback, receiving a :class:`DNSQuestion` and a :class:`DNSDistProtoBufMessage`, that can be used to modify the Protocol Buffer content, for example for anonymization purposes.
+ Subsequent rules are processed after this action.
:param string remoteLogger: The :func:`remoteLogger <newRemoteLogger>` object to write to
:param string alterFunction: Name of a function to modify the contents of the logs before sending
``ipEncryptKey`` optional key added to the options table.
Send the content of this response to a remote logger via Protocol Buffer.
- ``alterFunction`` is the same callback that receiving a :class:`DNSQuestion` and a :class:`DNSDistProtoBufMessage`, that can be used to modify the Protocol Buffer content, for example for anonymization purposes
+ ``alterFunction`` is the same callback that receiving a :class:`DNSQuestion` and a :class:`DNSDistProtoBufMessage`, that can be used to modify the Protocol Buffer content, for example for anonymization purposes.
``includeCNAME`` indicates whether CNAME records inside the response should be parsed and exported.
- The default is to only exports A and AAAA records
+ The default is to only exports A and AAAA records.
+ Subsequent rules are processed after this action.
:param string remoteLogger: The :func:`remoteLogger <newRemoteLogger>` object to write to
:param string alterFunction: Name of a function to modify the contents of the logs before sending
.. versionadded:: 1.3.0
Associate a tag named ``name`` with a value of ``value`` to this query, that will be passed on to the response.
+ Subsequent rules are processed after this action.
:param string name: The name of the tag to set
:param string value: The value of the tag
.. versionadded:: 1.3.0
Associate a tag named ``name`` with a value of ``value`` to this response.
+ Subsequent rules are processed after this action.
:param string name: The name of the tag to set
:param string value: The value of the tag
(_, receivedResponse) = sender(query, response=None, useQueue=False)
self.assertTrue(receivedResponse)
self.assertEquals(expectedResponse, receivedResponse)
+
+class TestAdvancedContinueAction(DNSDistTest):
+
+ _config_template = """
+ newServer{address="127.0.0.1:%s", pool="mypool"}
+ addAction("nocontinue.continue-action.advanced.tests.powerdns.com.", PoolAction("mypool"))
+ addAction("continue.continue-action.advanced.tests.powerdns.com.", ContinueAction(PoolAction("mypool")))
+ addAction(AllRule(), DisableValidationAction())
+ """
+
+ def testNoContinue(self):
+ """
+ Advanced: Query routed to pool, PoolAction should be terminal
+ """
+
+ name = 'nocontinue.continue-action.advanced.tests.powerdns.com.'
+
+ query = dns.message.make_query(name, 'A', 'IN')
+ expectedQuery = dns.message.make_query(name, 'A', 'IN')
+
+ response = dns.message.make_response(query)
+ expectedResponse = dns.message.make_response(query)
+
+ for method in ("sendUDPQuery", "sendTCPQuery"):
+ sender = getattr(self, method)
+ (receivedQuery, receivedResponse) = sender(query, response)
+ self.assertEquals(receivedQuery, expectedQuery)
+ self.assertEquals(receivedResponse, expectedResponse)
+
+ def testNoContinue(self):
+ """
+ Advanced: Query routed to pool, ContinueAction() should not stop the processing
+ """
+
+ name = 'continue.continue-action.advanced.tests.powerdns.com.'
+
+ query = dns.message.make_query(name, 'A', 'IN')
+ expectedQuery = dns.message.make_query(name, 'A', 'IN')
+ expectedQuery.flags |= dns.flags.CD
+
+ response = dns.message.make_response(query)
+ expectedResponse = dns.message.make_response(query)
+
+ for method in ("sendUDPQuery", "sendTCPQuery"):
+ sender = getattr(self, method)
+ (receivedQuery, receivedResponse) = sender(query, response)
+ expectedQuery.id = receivedQuery.id
+ self.assertEquals(receivedQuery, expectedQuery)
+ print(receivedResponse)
+ print(expectedResponse)
+ self.assertEquals(receivedResponse, expectedResponse)
projects / pdns / commitdiff