From: Pieter Lexis Date: Tue, 11 Jul 2017 22:03:55 +0000 (+0200) Subject: dnsdist: Remove BlockFilter X-Git-Tag: rec-4.1.0-alpha1~17^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0c369ddc04dce8fa900255f7df868383d9710b64;p=pdns dnsdist: Remove BlockFilter Closes #5513 --- diff --git a/docs/MIBS/DNSDIST-MIB.txt b/docs/MIBS/DNSDIST-MIB.txt index 7eba714ac..bf1097c0f 100644 --- a/docs/MIBS/DNSDIST-MIB.txt +++ b/docs/MIBS/DNSDIST-MIB.txt @@ -68,13 +68,7 @@ aclDrops OBJECT-TYPE "Number of queries dropped because of the ACL" ::= { stats 4 } -blockFilters OBJECT-TYPE - SYNTAX Counter64 - MAX-ACCESS read-only - STATUS current - DESCRIPTION - "Number of queries dropped because of the block filters" - ::= { stats 5 } +-- stats 5 was a BlockFilter Counter, removed in 1.2.0 ruleDrop OBJECT-TYPE SYNTAX Counter64 @@ -637,7 +631,6 @@ dnsdistGroup OBJECT-GROUP responses, servfailResponses, aclDrops, - blockFilters, ruleDrop, ruleNXDomain, ruleRefused, diff --git a/pdns/dnsdist-snmp.cc b/pdns/dnsdist-snmp.cc index e3528eb33..1b061293f 100644 --- a/pdns/dnsdist-snmp.cc +++ b/pdns/dnsdist-snmp.cc @@ -14,7 +14,7 @@ static const oid queriesOID[] = { DNSDIST_STATS_OID, 1 }; static const oid responsesOID[] = { DNSDIST_STATS_OID, 2 }; static const oid servfailResponsesOID[] = { DNSDIST_STATS_OID, 3 }; static const oid aclDropsOID[] = { DNSDIST_STATS_OID, 4 }; -static const oid blockFilterOID[] = { DNSDIST_STATS_OID, 5 }; +// 5 was BlockFilter, removed in 1.2.0 static const oid ruleDropOID[] = { DNSDIST_STATS_OID, 6 }; static const oid ruleNXDomainOID[] = { DNSDIST_STATS_OID, 7 }; static const oid ruleRefusedOID[] = { DNSDIST_STATS_OID, 8 }; 
@@ -544,7 +544,6 @@ DNSDistSNMPAgent::DNSDistSNMPAgent(const std::string& name, const std::string& m registerCounter64Stat("responses", responsesOID, OID_LENGTH(responsesOID), &g_stats.responses); registerCounter64Stat("servfailResponses", servfailResponsesOID, OID_LENGTH(servfailResponsesOID), &g_stats.servfailResponses); registerCounter64Stat("aclDrops", aclDropsOID, OID_LENGTH(aclDropsOID), &g_stats.aclDrops); - registerCounter64Stat("blockFilter", blockFilterOID, OID_LENGTH(blockFilterOID), &g_stats.blockFilter); registerCounter64Stat("ruleDrop", ruleDropOID, OID_LENGTH(ruleDropOID), &g_stats.ruleDrop); registerCounter64Stat("ruleNXDomain", ruleNXDomainOID, OID_LENGTH(ruleNXDomainOID), &g_stats.ruleNXDomain); registerCounter64Stat("ruleRefused", ruleRefusedOID, OID_LENGTH(ruleRefusedOID), &g_stats.ruleRefused); diff --git a/pdns/dnsdist-tcp.cc b/pdns/dnsdist-tcp.cc index 6218d4e9f..70696d3de 100644 --- a/pdns/dnsdist-tcp.cc +++ b/pdns/dnsdist-tcp.cc @@ -220,15 +220,8 @@ void* tcpClientThread(int pipefd) from that point on */ bool outstanding = false; - blockfilter_t blockFilter = 0; time_t lastTCPCleanup = time(nullptr); - { - std::lock_guard lock(g_luamutex); - auto candidate = g_lua.readVariable >("blockFilter"); - if(candidate) - blockFilter = *candidate; - } auto localPolicy = g_policy.getLocal(); auto localRulactions = g_rulactions.getLocal(); @@ -365,7 +358,7 @@ void* tcpClientThread(int pipefd) gettime(&now); gettime(&queryRealTime, true); - if (!processQuery(localDynBlockNMG, localDynBlockSMT, localRulactions, blockFilter, dq, poolname, &delayMsec, now)) { + if (!processQuery(localDynBlockNMG, localDynBlockSMT, localRulactions, dq, poolname, &delayMsec, now)) { goto drop; } diff --git a/pdns/dnsdist.cc b/pdns/dnsdist.cc index d36512d92..a5cb24ce1 100644 --- a/pdns/dnsdist.cc +++ b/pdns/dnsdist.cc 
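Review bot: After this removal a configuration that still defines `function blockFilter(dq)` loads without complaint and the function is never called, so queries it used to drop are now forwarded; nothing visible in this diff warns the operator about that. The point applies to the lookup deleted here in `tcpClientThread` and to the matching deletion in the `@@ -1059,13 +1050,6 @@` hunk of pdns/dnsdist.cc. I would check once at configuration load whether a global named `blockFilter` is still defined and report it, for example `warnlog("blockFilter is no longer supported and is ignored; use addAction() with DropAction() instead");`, or refuse to start so the upgrade cannot silently fail open. Both thread functions begin and end outside their hunks.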
@@ -842,7 +842,7 @@ static void spoofResponseFromString(DNSQuestion& dq, const string& spoofContent) bool processQuery(LocalStateHolder >& localDynNMGBlock, LocalStateHolder >& localDynSMTBlock, - LocalStateHolder, std::shared_ptr > > >& localRulactions, blockfilter_t blockFilter, DNSQuestion& dq, string& poolname, int* delayMsec, const struct timespec& now) + LocalStateHolder, std::shared_ptr > > >& localRulactions, DNSQuestion& dq, string& poolname, int* delayMsec, const struct timespec& now) { { WriteLock wl(&g_rings.queryLock); @@ -920,15 +920,6 @@ bool processQuery(LocalStateHolder >& localDynNMGBlock, } } - if(blockFilter) { - std::lock_guard lock(g_luamutex); - - if(blockFilter(&dq)) { - g_stats.blockFilter++; - return false; - } - } - DNSAction::Action action=DNSAction::Action::None; string ruleresult; for(const auto& lr : *localRulactions) { @@ -1059,13 +1050,6 @@ try boost::uuids::random_generator uuidGenerator; #endif - blockfilter_t blockFilter = 0; - { - std::lock_guard lock(g_luamutex); - auto candidate = g_lua.readVariable >("blockFilter"); - if(candidate) - blockFilter = *candidate; - } auto acl = g_ACL.getLocal(); auto localPolicy = g_policy.getLocal(); auto localRulactions = g_rulactions.getLocal(); @@ -1176,7 +1160,7 @@ try gettime(&now); gettime(&realTime, true); - if (!processQuery(localDynNMGBlock, localDynSMTBlock, localRulactions, blockFilter, dq, poolname, &delayMsec, now)) + if (!processQuery(localDynNMGBlock, localDynSMTBlock, localRulactions, dq, poolname, &delayMsec, now)) { continue; } diff --git a/pdns/dnsdist.hh b/pdns/dnsdist.hh index e997696f4..2d2094cf5 100644 --- a/pdns/dnsdist.hh +++ b/pdns/dnsdist.hh @@ -149,7 +149,6 @@ struct DNSDistStats stat_t rdQueries{0}; stat_t emptyQueries{0}; stat_t aclDrops{0}; - stat_t blockFilter{0}; stat_t dynBlocked{0}; stat_t ruleDrop{0}; stat_t ruleNXDomain{0}; 
@@ -171,7 +170,6 @@ struct DNSDistStats {"servfail-responses", &servfailResponses}, {"queries", &queries}, {"acl-drops", &aclDrops}, - {"block-filter", &blockFilter}, {"rule-drop", &ruleDrop}, {"rule-nxdomain", &ruleNXDomain}, {"rule-refused", &ruleRefused}, @@ -593,7 +591,6 @@ struct DownstreamState }; using servers_t =vector>; -typedef std::function blockfilter_t; template using NumberedVector = std::vector >; void* responderThread(std::shared_ptr state); @@ -744,7 +741,7 @@ void resetLuaSideEffect(); // reset to indeterminate state bool responseContentMatches(const char* response, const uint16_t responseLen, const DNSName& qname, const uint16_t qtype, const uint16_t qclass, const ComboAddress& remote); bool processQuery(LocalStateHolder >& localDynBlockNMG, - LocalStateHolder >& localDynBlockSMT, LocalStateHolder, std::shared_ptr > > >& localRulactions, blockfilter_t blockFilter, DNSQuestion& dq, string& poolname, int* delayMsec, const struct timespec& now); + LocalStateHolder >& localDynBlockSMT, LocalStateHolder, std::shared_ptr > > >& localRulactions, DNSQuestion& dq, string& poolname, int* delayMsec, const struct timespec& now); bool processResponse(LocalStateHolder, std::shared_ptr > > >& localRespRulactions, DNSResponse& dr, int* delayMsec); bool fixUpResponse(char** response, uint16_t* responseLen, size_t* responseSize, const DNSName& qname, uint16_t origFlags, bool ednsAdded, bool ecsAdded, std::vector& rewrittenResponse, uint16_t addRoom); void restoreFlags(struct dnsheader* dh, uint16_t origFlags); diff --git a/pdns/dnsdistconf.lua b/pdns/dnsdistconf.lua index 78ff58310..03e07d214 100644 --- a/pdns/dnsdistconf.lua +++ b/pdns/dnsdistconf.lua 
@@ -82,32 +82,6 @@ truncateNMG:addMask("fe80::/16") print(string.format("Have %d entries in truncate NMG", truncateNMG:size())) --- we define a Lua function named blockFilter, which is automatically called --- when a query is received --- this example reply with TC=1 for ANY queries, and for queries coming from --- the specified subnets --- it also blocks (by returning true) queries for "*.powerdns.org." -function blockFilter(dq) - print(string.format("Got query from %s, (%s) port number: %d", dq.remoteaddr:toString(), dq.remoteaddr:toStringWithPort(), dq.remoteaddr:getPort())) - if(dq.qtype==dnsdist.ANY or truncateNMG:match(dq.remoteaddr)) - then --- print("any query, tc=1") - dq.dh:setTC(true) - dq.dh:setQR(true) - end - - if(dq.qname:isPartOf(block)) - then - print("Blocking *.powerdns.org") - return true - end - return false -end - --- this is how you disable a filter -blockFilter = nil - - -- called to pick a downstream server, ignores 'up' status counter=0 function luaroundrobin(servers, dq) diff --git a/regression-tests.dnsdist/test_API.py b/regression-tests.dnsdist/test_API.py index cd4da7bab..b5312d36c 100644 --- a/regression-tests.dnsdist/test_API.py +++ b/regression-tests.dnsdist/test_API.py @@ -194,7 +194,7 @@ class TestAPIBasics(DNSDistTest): self.assertEquals(entry['type'], 'StatisticItem') values[entry['name']] = entry['value'] - expected = ['responses', 'servfail-responses', 'queries', 'acl-drops', 'block-filter', + expected = ['responses', 'servfail-responses', 'queries', 'acl-drops', 'rule-drop', 'rule-nxdomain', 'rule-refused', 'self-answered', 'downstream-timeouts', 'downstream-send-errors', 'trunc-failures', 'no-policy', 'latency0-1', 'latency1-10', 'latency10-50', 'latency50-100', 'latency100-1000', 
@@ -223,7 +223,7 @@ class TestAPIBasics(DNSDistTest): self.assertTrue(r.json()) content = r.json() - expected = ['responses', 'servfail-responses', 'queries', 'acl-drops', 'block-filter', + expected = ['responses', 'servfail-responses', 'queries', 'acl-drops', 'rule-drop', 'rule-nxdomain', 'rule-refused', 'self-answered', 'downstream-timeouts', 'downstream-send-errors', 'trunc-failures', 'no-policy', 'latency0-1', 'latency1-10', 'latency10-50', 'latency50-100', 'latency100-1000', diff --git a/regression-tests.dnsdist/test_Basics.py b/regression-tests.dnsdist/test_Basics.py index 31636277c..e1e797c8f 100644 --- a/regression-tests.dnsdist/test_Basics.py +++ b/regression-tests.dnsdist/test_Basics.py @@ -18,15 +18,6 @@ class TestBasics(DNSDistTest): addAction(AndRule({QTypeRule(dnsdist.A),QNameRule("ds9a.nl")}), SpoofAction("1.2.3.4")) addAction(newDNSName("dnsname.addaction.powerdns.com."), RCodeAction(dnsdist.REFUSED)) addAction({newDNSName("dnsname-table1.addaction.powerdns.com."), newDNSName("dnsname-table2.addaction.powerdns.com.")}, RCodeAction(dnsdist.REFUSED)) - block=newDNSName("powerdns.org.") - function blockFilter(dq) - if(dq.qname:isPartOf(block)) - then - print("Blocking *.powerdns.org") - return true - end - return false - end """ def testDropped(self): 
@@ -45,22 +36,6 @@ class TestBasics(DNSDistTest): (_, receivedResponse) = self.sendTCPQuery(query, response=None, useQueue=False) self.assertEquals(receivedResponse, None) - def testBlockedA(self): - """ - Basics: Blocked A query - - Send an A query for the powerdns.org domain, - which is blocked by configuration. We expect - no response. - """ - name = 'blockeda.tests.powerdns.org.' - query = dns.message.make_query(name, 'A', 'IN') - (_, receivedResponse) = self.sendUDPQuery(query, response=None, useQueue=False) - self.assertEquals(receivedResponse, None) - - (_, receivedResponse) = self.sendTCPQuery(query, response=None, useQueue=False) - self.assertEquals(receivedResponse, None) - def testAWithECS(self): """ Basics: A query with an ECS value diff --git a/regression-tests.dnsdist/test_CheckConfig.py b/regression-tests.dnsdist/test_CheckConfig.py index 709a0ceaa..be973e0c1 100644 --- a/regression-tests.dnsdist/test_CheckConfig.py +++ b/regression-tests.dnsdist/test_CheckConfig.py @@ -39,15 +39,6 @@ class TestCheckConfig(unittest.TestCase): mySMN:add(newDNSName("nameAndQtype.tests.powerdns.com.")) addAction(AndRule{SuffixMatchNodeRule(mySMN), QTypeRule("TXT")}, RCodeAction(dnsdist.NOTIMP)) addAction(makeRule("drop.test.powerdns.com."), DropAction()) - block=newDNSName("powerdns.org.") - function blockFilter(dq) - if(dq.qname:isPartOf(block)) - then - print("Blocking *.powerdns.org") - return true - end - return false - end """ self.tryDNSDist(configTemplate) diff --git a/regression-tests.dnsdist/test_SNMP.py b/regression-tests.dnsdist/test_SNMP.py index 014b675a6..5e5042e35 100644 --- a/regression-tests.dnsdist/test_SNMP.py +++ b/regression-tests.dnsdist/test_SNMP.py 
@@ -22,7 +22,7 @@ class TestSNMP(DNSDistTest): """ def _checkStatsValues(self, results, queriesCountersValue): - for i in range(1, 20) + range(24, 35) + [ 35 ] : + for i in range(1, 5) + range(6, 20) + range(24, 35) + [ 35 ] : oid = self._snmpOID + '.1.' + str(i) + '.0' self.assertTrue(oid in results) self.assertTrue(isinstance(results[oid], Counter64)) @@ -42,7 +42,7 @@ class TestSNMP(DNSDistTest): self.assertEquals(results[oid], queriesCountersValue) # the others counters (except for latency ones) should still be at 0 - for i in range(3, 14) + [26, 27, 29, 30, 31, 35, 36]: + for i in range(3, 5) + range(6, 14) + [26, 27, 29, 30, 31, 35, 36]: oid = self._snmpOID + '.1.' + str(i) + '.0' self.assertEquals(results[oid], 0)
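Review bot: The two loops in `_checkStatsValues` now step over index 5, but nothing asserts that the retired OID is absent from `results`, so an agent that still served it would pass this test. Adding `self.assertFalse(self._snmpOID + '.1.5.0' in results)` before the first loop would pin the removal. As a style point, `range(1, 5) + range(6, 20) + ...` only works where `range` returns a list (Python 2); wrapping each call in `list(...)` keeps the expression valid on Python 3 as well. The method body continues outside both hunks.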