implement a dynamic blocklist in the core of dnsdist, so it operates Lua-free. Plus...

author bert hubert <bert.hubert@netherlabs.nl>

Sun, 29 Nov 2015 20:24:01 +0000 (21:24 +0100)

committer bert hubert <bert.hubert@netherlabs.nl>

Sun, 29 Nov 2015 20:24:01 +0000 (21:24 +0100)
author bert hubert <bert.hubert@netherlabs.nl>
Sun, 29 Nov 2015 20:24:01 +0000 (21:24 +0100)
committer bert hubert <bert.hubert@netherlabs.nl>
Sun, 29 Nov 2015 20:24:01 +0000 (21:24 +0100)
diff --git a/pdns/dnsdist-lua2.cc b/pdns/dnsdist-lua2.cc

index 78ca29085482bd45429ec6928b032213694de064..435852b2b4a8b7423315b66d4ed4df34340dc05c 100644 (file)
--- a/pdns/dnsdist-lua2.cc
+++ b/pdns/dnsdist-lua2.cc
@@ -103,10 +103,14 @@ map<ComboAddress,int> exceedRespByterate(int rate, int seconds)
  void moreLua()
  {
    g_lua.writeFunction("newCA", [](const std::string& name) { return ComboAddress(name); });
-  g_lua.writeFunction("newNMG", []() { return std::make_shared<NetmaskGroup>(); });
+  g_lua.writeFunction("newNMG", []() { return NetmaskGroup(); });
    g_lua.registerFunction<void(NetmaskGroup::*)(const ComboAddress&)>("add", 
                                                                      [](NetmaskGroup& s, const ComboAddress& ca) { s.addMask(Netmask(ca)); });
  
+  g_lua.writeFunction("setDynBlockNMG", [](const NetmaskGroup& nmg) {
+      g_dynblockNMG.setState(nmg);
+    });
+
    g_lua.registerFunction<void(NetmaskGroup::*)(const map<ComboAddress,int>&)>("add", 
                                                                               [](NetmaskGroup& s, const map<ComboAddress,int>& m) { 
                                                                                 for(const auto& capair : m)
diff --git a/pdns/dnsdist-tcp.cc b/pdns/dnsdist-tcp.cc

index a24680b852138445a43411bd1fd0d644aa0a3a85..0508deaa74d9a4853b6f399b6f9a2e64ab580287 100644 (file)
--- a/pdns/dnsdist-tcp.cc
+++ b/pdns/dnsdist-tcp.cc
@@ -122,6 +122,7 @@ void* tcpClientThread(int pipefd)
       
    auto localPolicy = g_policy.getLocal();
    auto localRulactions = g_rulactions.getLocal();
+  auto localDynBlockNMG = g_dynblockNMG.getLocal();
  
    map<ComboAddress,int> sockets;
    for(;;) {
@@ -160,7 +161,17 @@ void* tcpClientThread(int pipefd)
         struct dnsheader* dh =(dnsheader*)query;
         const uint16_t * flags = getFlagsFromDNSHeader(dh);
         uint16_t origFlags = *flags;
-       
+       struct timespec now;
+       clock_gettime(CLOCK_MONOTONIC, &now);
+
+       g_rings.queryRing.push_back({now,ci.remote,qname,qtype}); // XXX LOCK?!
+
+       if(localDynBlockNMG->match(ci.remote)) {
+         vinfolog("Query from %s dropped because of dynamic block", ci.remote.toStringWithPort());
+         g_stats.dynBlocked++;
+         goto drop;
+       }
+
          if(blockFilter) {
           std::lock_guard<std::mutex> lock(g_luamutex);
         
diff --git a/pdns/dnsdist.cc b/pdns/dnsdist.cc

index 9c5e03cf7f1ae71e2c1979170541bfba0b95678a..763bbfbbd7851dffa28d63780ae1a5ac4e737c46 100644 (file)
--- a/pdns/dnsdist.cc
+++ b/pdns/dnsdist.cc
@@ -101,7 +101,7 @@ GlobalStateHolder<vector<pair<std::shared_ptr<DNSRule>, std::shared_ptr<DNSActio
  Rings g_rings;
  
  GlobalStateHolder<servers_t> g_dstates;
-
+GlobalStateHolder<NetmaskGroup> g_dynblockNMG;
  int g_tcpRecvTimeout{2};
  int g_tcpSendTimeout{2};
  
@@ -419,6 +419,7 @@ try
    auto localPolicy = g_policy.getLocal();
    auto localRulactions = g_rulactions.getLocal();
    auto localServers = g_dstates.getLocal();
+  auto localDynBlock = g_dynblockNMG.getLocal();
    struct msghdr msgh;
    struct iovec iov;
    char cbuf[256];
@@ -460,7 +461,13 @@ try
        struct timespec now;
        clock_gettime(CLOCK_MONOTONIC, &now);
        g_rings.queryRing.push_back({now,remote,qname,qtype}); // XXX LOCK?!
-            
+      
+      if(localDynBlock->match(remote)) {
+       vinfolog("Query from %s dropped because of dynamic block", remote.toStringWithPort());
+       g_stats.dynBlocked++;
+       continue;
+      }
+
        if(blockFilter) {
         std::lock_guard<std::mutex> lock(g_luamutex);
         
diff --git a/pdns/dnsdist.hh b/pdns/dnsdist.hh

index 6e824d6efe371e506d6a02e938579edd229547ff..0e97c7b544216c3b6674c663f3316f36d4c9bccb 100644 (file)
--- a/pdns/dnsdist.hh
+++ b/pdns/dnsdist.hh
@@ -12,6 +12,8 @@
  #include "sholder.hh"
  void* carbonDumpThread();
  uint64_t uptimeOfProcess(const std::string& str);
+
+extern GlobalStateHolder<NetmaskGroup> g_dynblockNMG;
  struct DNSDistStats
  {
    using stat_t=std::atomic<uint64_t>; // aww yiss ;-)
@@ -21,6 +23,7 @@ struct DNSDistStats
    stat_t nonCompliantQueries{0};
    stat_t aclDrops{0};
    stat_t blockFilter{0};
+  stat_t dynBlocked{0};
    stat_t ruleDrop{0};
    stat_t ruleNXDomain{0};
    stat_t selfAnswered{0};
@@ -50,7 +53,8 @@ struct DNSDistStats
      {"noncompliant-queries", &nonCompliantQueries},
      {"cpu-user-msec", getCPUTimeUser},
      {"cpu-sys-msec", getCPUTimeSystem},
-    {"fd-usage", getOpenFileDescriptors}
+    {"fd-usage", getOpenFileDescriptors}, {"dyn-blocked", &dynBlocked}, 
+    {"dyn-block-nmg-size", [](const std::string&) { return g_dynblockNMG.getLocal()->size(); }}
    };
  };
author	bert hubert <bert.hubert@netherlabs.nl>
	Sun, 29 Nov 2015 20:24:01 +0000 (21:24 +0100)
committer	bert hubert <bert.hubert@netherlabs.nl>
	Sun, 29 Nov 2015 20:24:01 +0000 (21:24 +0100)
pdns/dnsdist-lua2.cc		patch \| blob \| history
pdns/dnsdist-tcp.cc		patch \| blob \| history
pdns/dnsdist.cc		patch \| blob \| history
pdns/dnsdist.hh		patch \| blob \| history