{"HeaderModify", (int)DNSAction::Action::HeaderModify},
{"Pool", (int)DNSAction::Action::Pool},
{"None",(int)DNSAction::Action::None},
+ {"NoOp",(int)DNSAction::Action::NoOp},
{"Delay", (int)DNSAction::Action::Delay},
{"Truncate", (int)DNSAction::Action::Truncate},
{"ServFail", (int)DNSAction::Action::ServFail}
auto slow = g_dynblockNMG.getCopy();
struct timespec now;
gettime(&now);
- boost::format fmt("%-24s %8d %8d %s\n");
- g_outputBuffer = (fmt % "What" % "Seconds" % "Blocks" % "Reason").str();
+ boost::format fmt("%-24s %8d %8d %-20s %s\n");
+ g_outputBuffer = (fmt % "What" % "Seconds" % "Blocks" % "Action" % "Reason").str();
for(const auto& e: slow) {
if(now < e->second.until)
- g_outputBuffer+= (fmt % e->first.toString() % (e->second.until.tv_sec - now.tv_sec) % e->second.blocks % e->second.reason).str();
+ g_outputBuffer+= (fmt % e->first.toString() % (e->second.until.tv_sec - now.tv_sec) % e->second.blocks % DNSAction::typeToString(e->second.action) % e->second.reason).str();
}
auto slow2 = g_dynblockSMT.getCopy();
slow2.visit([&now, &fmt](const SuffixMatchTree<DynBlock>& node) {
string dom("empty");
if(!node.d_value.domain.empty())
dom = node.d_value.domain.toString();
- g_outputBuffer+= (fmt % dom % (node.d_value.until.tv_sec - now.tv_sec) % node.d_value.blocks % node.d_value.reason).str();
+ g_outputBuffer+= (fmt % dom % (node.d_value.until.tv_sec - now.tv_sec) % node.d_value.blocks % DNSAction::typeToString(node.d_value.action) % node.d_value.reason).str();
}
});
g_lua.writeFunction("setDynBlocksAction", [](DNSAction::Action action) {
if (!g_configurationDone) {
- if (action == DNSAction::Action::Drop || action == DNSAction::Action::Refused || action == DNSAction::Action::Truncate) {
+ if (action == DNSAction::Action::Drop || action == DNSAction::Action::NoOp || action == DNSAction::Action::Refused || action == DNSAction::Action::Truncate) {
g_dynBlockAction = action;
}
else {
- errlog("Dynamic blocks action can only be Drop, Refused or Truncate!");
- g_outputBuffer="Dynamic blocks action can only be Drop, Refused or Truncate!\n";
+ errlog("Dynamic blocks action can only be Drop, NoOp, Refused or Truncate!");
+ g_outputBuffer="Dynamic blocks action can only be Drop, NoOp, Refused or Truncate!\n";
}
} else {
g_outputBuffer="Dynamic blocks action cannot be altered at runtime!\n";
Json::object thing{
{"reason", e->second.reason},
{"seconds", (double)(e->second.until.tv_sec - now.tv_sec)},
- {"blocks", (double)e->second.blocks}
+ {"blocks", (double)e->second.blocks},
+ {"action", DNSAction::typeToString(e->second.action) }
};
obj.insert({e->first.toString(), thing});
}
string dom("empty");
if(!node.d_value.domain.empty())
dom = node.d_value.domain.toString();
- Json::object thing{{"reason", node.d_value.reason}, {"seconds", (double)(node.d_value.until.tv_sec - now.tv_sec)},
- {"blocks", (double)node.d_value.blocks} };
-
+ Json::object thing{
+ {"reason", node.d_value.reason},
+ {"seconds", (double)(node.d_value.until.tv_sec - now.tv_sec)},
+ {"blocks", (double)node.d_value.blocks},
+ {"action", DNSAction::typeToString(node.d_value.action) }
+ };
obj.insert({dom, thing});
}
});
if (action == DNSAction::Action::None) {
action = g_dynBlockAction;
}
- if (action == DNSAction::Action::Refused) {
+ switch (action) {
+ case DNSAction::Action::NoOp:
+ /* do nothing */
+ break;
+ case DNSAction::Action::Refused:
vinfolog("Query from %s refused because of dynamic block", dq.remote->toStringWithPort());
updateBlockStats();
dq.dh->rcode = RCode::Refused;
dq.dh->qr=true;
return true;
- }
- else if (action == DNSAction::Action::Truncate) {
+
+ case DNSAction::Action::Truncate:
if(!dq.tcp) {
updateBlockStats();
vinfolog("Query from %s truncated because of dynamic block", dq.remote->toStringWithPort());
else {
vinfolog("Query from %s for %s over TCP *not* truncated because of dynamic block", dq.remote->toStringWithPort(), dq.qname->toString());
}
-
- }
- else {
+ break;
+ default:
updateBlockStats();
vinfolog("Query from %s dropped because of dynamic block", dq.remote->toStringWithPort());
return false;
if (action == DNSAction::Action::None) {
action = g_dynBlockAction;
}
- if (action == DNSAction::Action::Refused) {
+ switch (action) {
+ case DNSAction::Action::NoOp:
+ /* do nothing */
+ break;
+ case DNSAction::Action::Refused:
vinfolog("Query from %s for %s refused because of dynamic block", dq.remote->toStringWithPort(), dq.qname->toString());
updateBlockStats();
dq.dh->rcode = RCode::Refused;
dq.dh->qr=true;
return true;
- }
- else if (action == DNSAction::Action::Truncate) {
+ case DNSAction::Action::Truncate:
if(!dq.tcp) {
updateBlockStats();
else {
vinfolog("Query from %s for %s over TCP *not* truncated because of dynamic block", dq.remote->toStringWithPort(), dq.qname->toString());
}
- }
- else {
+ break;
+ default:
updateBlockStats();
vinfolog("Query from %s for %s dropped because of dynamic block", dq.remote->toStringWithPort(), dq.qname->toString());
return false;
*delayMsec = static_cast<int>(pdns_stou(ruleresult)); // sorry
break;
case DNSAction::Action::None:
+ /* fall-through */
+ case DNSAction::Action::NoOp:
break;
}
}
class DNSAction
{
public:
- enum class Action { Drop, Nxdomain, Refused, Spoof, Allow, HeaderModify, Pool, Delay, Truncate, ServFail, None};
+ enum class Action { Drop, Nxdomain, Refused, Spoof, Allow, HeaderModify, Pool, Delay, Truncate, ServFail, None, NoOp };
static std::string typeToString(const Action& action)
{
switch(action) {
case Action::ServFail:
return "Send ServFail";
case Action::None:
+ case Action::NoOp:
return "Do nothing";
}
setDynBlocksAction(DNSAction.Refused)
+Please see the documentation for :func:`setDynBlocksAction` to confirm which actions are supported.
+
.. _DynBlockRulesGroup:
DynBlockRulesGroup
:param addresses: set of Addresses as returned by an exceed function
:param string message: The message to show next to the blocks
:param int seconds: The number of seconds this block to expire
- :param int action: The action to take when the dynamic block matches, see :ref:`here <DNSAction>`. (default to the one set with :func:`setDynBlocksAction`)
+ :param int action: The action to take when the dynamic block matches, see :ref:`here <DNSAction>`. (default to DNSAction.None, meaning the one set with :func:`setDynBlocksAction` is used)
+
+ Please see the documentation for :func:`setDynBlocksAction` to confirm which actions are supported by the action paramater.
.. function:: clearDynBlocks()
.. function:: setDynBlocksAction(action)
Set which action is performed when a query is blocked.
- Only DNSAction.Drop (the default), DNSAction.Refused and DNSAction.Truncate are supported.
+ Only DNSAction.Drop (the default), DNSAction.NoOp, DNSAction.Refused and DNSAction.Truncate are supported.
.. _exceedfuncs:
* ``DNSAction.Drop``: drop the query
* ``DNSAction.HeaderModify``: indicate that the query has been turned into a response
* ``DNSAction.None``: continue to the next rule
+ * ``DNSAction.NoOp``: continue to the next rule (used for Dynamic Block actions where None has a different meaning)
* ``DNSAction.Nxdomain``: return a response with a NXDomain rcode
* ``DNSAction.Pool``: use the specified pool to forward this query
* ``DNSAction.Refused``: return a response with a Refused rcode
content = r.json()
if content:
- for key in ['reason', 'seconds', 'blocks']:
+ for key in ['reason', 'seconds', 'blocks', 'action']:
self.assertIn(key, content)
for key in ['blocks']:
self.assertIn(range, content)
values = content[range]
- for key in ['reason', 'seconds', 'blocks']:
+ for key in ['reason', 'seconds', 'blocks', 'action']:
self.assertIn(key, values)
self.assertEqual(values['reason'], reason)
name = 'responsebyterate.group.dynblocks.tests.powerdns.com.'
self.doTestResponseByteRate(name)
-class TestDynBlockGroupResponseBytes(DynBlocksTest):
+class TestDynBlockGroupExcluded(DynBlocksTest):
_dynBlockQPS = 10
_dynBlockPeriod = 2
_dynBlockDuration = 5
- _consoleKey = DNSDistTest.generateConsoleKey()
- _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
- _config_params = ['_consoleKeyB64', '_consolePort', '_dynBlockQPS', '_dynBlockPeriod', '_dynBlockDuration', '_testServerPort']
+ _config_params = ['_dynBlockQPS', '_dynBlockPeriod', '_dynBlockDuration', '_testServerPort']
_config_template = """
- setKey("%s")
- controlSocket("127.0.0.1:%s")
local dbr = dynBlockRulesGroup()
dbr:setQueryRate(%d, %d, "Exceeded query rate", %d)
dbr:excludeRange("127.0.0.1/32")
# let's clear the response queue
self.clearToResponderQueue()
- # we should have been blocked
+ # we should not have been blocked
self.assertEqual(allowed, sent)
# wait for the maintenance function to run
receivedQuery.id = query.id
self.assertEquals(query, receivedQuery)
self.assertEquals(receivedResponse, receivedResponse)
+
+class TestDynBlockGroupNoOp(DynBlocksTest):
+
+ _dynBlockQPS = 10
+ _dynBlockPeriod = 2
+ _dynBlockDuration = 5
+ _config_params = ['_dynBlockQPS', '_dynBlockPeriod', '_dynBlockDuration', '_testServerPort', '_webServerPort', '_webServerBasicAuthPassword', '_webServerAPIKey']
+ _config_template = """
+ local dbr = dynBlockRulesGroup()
+ dbr:setQueryRate(%d, %d, "Exceeded query rate", %d, DNSAction.NoOp)
+
+ function maintenance()
+ dbr:apply()
+ end
+
+ newServer{address="127.0.0.1:%s"}
+ webserver("127.0.0.1:%s", "%s", "%s")
+ """
+
+ def testNoOp(self):
+ """
+ Dyn Blocks (group) : NoOp
+ """
+ name = 'noop.group.dynblocks.tests.powerdns.com.'
+ query = dns.message.make_query(name, 'A', 'IN')
+ response = dns.message.make_response(query)
+ rrset = dns.rrset.from_text(name,
+ 60,
+ dns.rdataclass.IN,
+ dns.rdatatype.A,
+ '192.0.2.1')
+ response.answer.append(rrset)
+
+ allowed = 0
+ sent = 0
+ for _ in range((self._dynBlockQPS * self._dynBlockPeriod) + 1):
+ (receivedQuery, receivedResponse) = self.sendUDPQuery(query, response)
+ sent = sent + 1
+ if receivedQuery:
+ receivedQuery.id = query.id
+ self.assertEquals(query, receivedQuery)
+ self.assertEquals(response, receivedResponse)
+ allowed = allowed + 1
+ else:
+ # the query has not reached the responder,
+ # let's clear the response queue
+ self.clearToResponderQueue()
+
+ # a dynamic rule should have been inserted, but the queries should still go on
+ self.assertEqual(allowed, sent)
+
+ # wait for the maintenance function to run
+ time.sleep(2)
+
+ # the rule should still be present, but the queries pass through anyway
+ (receivedQuery, receivedResponse) = self.sendUDPQuery(query, response)
+ receivedQuery.id = query.id
+ self.assertEquals(query, receivedQuery)
+ self.assertEquals(receivedResponse, receivedResponse)
+
+ # check that the rule has been inserted
+ self.doTestDynBlockViaAPI('127.0.0.1/32', 'Exceeded query rate', self._dynBlockDuration - 4, self._dynBlockDuration, 0, sent)
projects / pdns / commitdiff