From: bert hubert Date: Sun, 29 Nov 2015 20:24:01 +0000 (+0100) Subject: implement a dynamic blocklist in the core of dnsdist, so it operates Lua-free. Plus... X-Git-Tag: dnsdist-1.0.0-alpha1~170^2~2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=bd1c631b4ba599ef99101245bf607102fb624736;p=pdns implement a dynamic blocklist in the core of dnsdist, so it operates Lua-free. Plus add METRICS! MORE METRICS!
---
diff --git a/pdns/dnsdist-lua2.cc b/pdns/dnsdist-lua2.cc
index 78ca29085..435852b2b 100644
--- a/pdns/dnsdist-lua2.cc
+++ b/pdns/dnsdist-lua2.cc
@@ -103,10 +103,14 @@ map exceedRespByterate(int rate, int seconds)
 void moreLua()
 {
 g_lua.writeFunction("newCA", [](const std::string& name) { return ComboAddress(name); });
- g_lua.writeFunction("newNMG", []() { return std::make_shared(); });
+ g_lua.writeFunction("newNMG", []() { return NetmaskGroup(); });
 g_lua.registerFunction("add", [](NetmaskGroup& s, const ComboAddress& ca) { s.addMask(Netmask(ca)); });
+ g_lua.writeFunction("setDynBlockNMG", [](const NetmaskGroup& nmg) {
+ g_dynblockNMG.setState(nmg);
+ });
+
 g_lua.registerFunction&)>("add", [](NetmaskGroup& s, const map& m) {
 for(const auto& capair : m)
diff --git a/pdns/dnsdist-tcp.cc b/pdns/dnsdist-tcp.cc
index a24680b85..0508deaa7 100644
--- a/pdns/dnsdist-tcp.cc
+++ b/pdns/dnsdist-tcp.cc
@@ -122,6 +122,7 @@ void* tcpClientThread(int pipefd)
 auto localPolicy = g_policy.getLocal();
 auto localRulactions = g_rulactions.getLocal();
+ auto localDynBlockNMG = g_dynblockNMG.getLocal();
 map sockets;
 for(;;) {
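Review bot: The new `setDynBlockNMG` binding replaces the entire dynamic block set through `g_dynblockNMG.setState(nmg)`, and nothing in the hunk says how an entry ever leaves that set, so a Lua maintenance function that only adds offenders blocks them forever, and a source-spoofed UDP flood could then get an innocent address blocked permanently unless the script rebuilds the group from scratch on every run. That contract belongs above the `writeFunction` call: `// Replaces the whole dynamic block set at once; nothing ages entries out, so callers must rebuild the group (e.g. from the exceed* results) on every maintenance run`. Note also that `newNMG` now hands Lua a `NetmaskGroup` by value instead of a `shared_ptr`, so the group Lua holds and the one installed by `setState` are presumably separate copies and later `add` calls do not change the installed set until `setDynBlockNMG` is called again; if that is the intent it deserves a sentence in the same comment. The body of `moreLua` continues past the end of the hunk.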
@@ -160,7 +161,17 @@ void* tcpClientThread(int pipefd)
 struct dnsheader* dh =(dnsheader*)query;
 const uint16_t * flags = getFlagsFromDNSHeader(dh);
 uint16_t origFlags = *flags;
-
+ struct timespec now;
+ clock_gettime(CLOCK_MONOTONIC, &now);
+
+ g_rings.queryRing.push_back({now,ci.remote,qname,qtype}); // XXX LOCK?!
+
+ if(localDynBlockNMG->match(ci.remote)) {
+ vinfolog("Query from %s dropped because of dynamic block", ci.remote.toStringWithPort());
+ g_stats.dynBlocked++;
+ goto drop;
+ }
+
 if(blockFilter) {
 std::lock_guard lock(g_luamutex);
diff --git a/pdns/dnsdist.cc b/pdns/dnsdist.cc
index 9c5e03cf7..763bbfbbd 100644
--- a/pdns/dnsdist.cc
+++ b/pdns/dnsdist.cc
@@ -101,7 +101,7 @@ GlobalStateHolder, std::shared_ptr g_dstates;
-
+GlobalStateHolder g_dynblockNMG;
 int g_tcpRecvTimeout{2};
 int g_tcpSendTimeout{2};
@@ -419,6 +419,7 @@ try
 auto localPolicy = g_policy.getLocal();
 auto localRulactions = g_rulactions.getLocal();
 auto localServers = g_dstates.getLocal();
+ auto localDynBlock = g_dynblockNMG.getLocal();
 struct msghdr msgh;
 struct iovec iov;
 char cbuf[256];
@@ -460,7 +461,13 @@ try
 struct timespec now;
 clock_gettime(CLOCK_MONOTONIC, &now);
 g_rings.queryRing.push_back({now,remote,qname,qtype}); // XXX LOCK?!
-
+
+ if(localDynBlock->match(remote)) {
+ vinfolog("Query from %s dropped because of dynamic block", remote.toStringWithPort());
+ g_stats.dynBlocked++;
+ continue;
+ }
+
 if(blockFilter) {
 std::lock_guard lock(g_luamutex);
diff --git a/pdns/dnsdist.hh b/pdns/dnsdist.hh
index 6e824d6ef..0e97c7b54 100644
--- a/pdns/dnsdist.hh
+++ b/pdns/dnsdist.hh
@@ -12,6 +12,8 @@
 #include "sholder.hh"
 void* carbonDumpThread();
 uint64_t uptimeOfProcess(const std::string& str);
+
+extern GlobalStateHolder g_dynblockNMG;
 struct DNSDistStats
 {
 using stat_t=std::atomic; // aww yiss ;-)
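Review bot: The `g_rings.queryRing.push_back({now,ci.remote,qname,qtype})` added to `tcpClientThread` writes to a shared container with no synchronisation, as its own `// XXX LOCK?!` admits, and the UDP path in dnsdist.cc pushes into the same ring; if more than one thread runs at once (the UDP loop plus any TCP client thread), that is a data race on the ring, and remote clients decide when it happens. Both pushes should take one mutex kept alongside the ring (none is visible here), e.g. wrap this push in a scope with a `std::lock_guard<std::mutex>` on it, or give the ring an internal lock so no caller can forget it. Separately, the dynamic-block check runs only after the whole TCP query has been read and parsed, so a blocked source still costs a full read and parse per query; that may be deliberate so blocked sources keep appearing in the ring, but a one-line comment saying so would stop the next reader moving the check earlier. `tcpClientThread` begins and ends outside this hunk.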
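Review bot: In the UDP receive loop the new `localDynBlock->match(remote)` drop sits after the qname/qtype parse and after the `g_rings.queryRing.push_back` for the same query, so every packet from a blocked source is still fully parsed and still lands in the ring; the ordering looks intentional (the rate functions presumably need to keep seeing the offender for the block to persist) but nothing says so. Add a why-comment ahead of the check: `// the ring push stays ahead of this check so blocked sources remain visible to the rate functions that (re)build the block set`. The `vinfolog` on the drop path emits one line per dropped packet, which at verbose level turns a blocked flood into a log flood; consider rate-limiting that message, since `g_stats.dynBlocked` already counts the drops. The enclosing `try` and the receive loop start outside the hunk.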
@@ -21,6 +23,7 @@ struct DNSDistStats
 stat_t nonCompliantQueries{0};
 stat_t aclDrops{0};
 stat_t blockFilter{0};
+ stat_t dynBlocked{0};
 stat_t ruleDrop{0};
 stat_t ruleNXDomain{0};
 stat_t selfAnswered{0};
@@ -50,7 +53,8 @@ struct DNSDistStats
 {"noncompliant-queries", &nonCompliantQueries},
 {"cpu-user-msec", getCPUTimeUser},
 {"cpu-sys-msec", getCPUTimeSystem},
- {"fd-usage", getOpenFileDescriptors}
+ {"fd-usage", getOpenFileDescriptors}, {"dyn-blocked", &dynBlocked},
+ {"dyn-block-nmg-size", [](const std::string&) { return g_dynblockNMG.getLocal()->size(); }}
 };
 };
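Review bot: The new `{"dyn-blocked", &dynBlocked}` entry is appended to the `fd-usage` line instead of getting a line of its own like every other entry in the table; split it so the list stays one metric per line: `{"fd-usage", getOpenFileDescriptors},` / `{"dyn-blocked", &dynBlocked},` / `{"dyn-block-nmg-size", ...}`. The counter also deserves a comment where it is declared in the earlier hunk, e.g. `stat_t dynBlocked{0}; // queries dropped by the dynamic block netmask group (UDP and TCP paths)`, since both dnsdist.cc and dnsdist-tcp.cc increment it in this commit. The `dyn-block-nmg-size` lambda calls `g_dynblockNMG.getLocal()` on every metric read, whereas the worker threads fetch the local state once and keep it; if `getLocal()` is meant to be called once per thread, a short comment on why the per-read call is acceptable here (or caching the result) would help. The `DNSDistStats` struct opens outside this hunk.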