Added RPZ log name and stats

2025-12-20 23:00:56 -05:00 · 2019-06-03 15:46:39 +02:00 · 2019-06-03 15:46:39 +02:00 · 268580f348
commit 268580f348
parent b0b69321f9
11 changed files with 3169 additions and 3089 deletions
--- a/daemon/remote.c
+++ b/daemon/remote.c
@ -69,6 +69,7 @@
 #include "services/mesh.h"
 #include "services/localzone.h"
 #include "services/authzone.h"
+#include "services/rpz.h"
 #include "util/storage/slabhash.h"
 #include "util/fptr_wlist.h"
 #include "util/data/dname.h"
@ -1045,6 +1046,16 @@ print_ext(RES* ssl, struct ub_stats_info* s)
 		(unsigned)s->svr.infra_cache_count)) return 0;
 	if(!ssl_printf(ssl, "key.cache.count"SQ"%u\n",
 		(unsigned)s->svr.key_cache_count)) return 0;
+	/* applied RPZ actions */
+	for(i=0; i<UB_STATS_RPZ_ACTION_NUM; i++) {
+		if((enum rpz_action)s->svr.rpz_action[i] == RPZ_NO_OVERRIDE_ACTION)
+			continue;
+		if(inhibit_zero && s->svr.rpz_action[i] == 0)
+			continue;
+		if(!ssl_printf(ssl, "num.rpz.action.%s"SQ"%lu\n",
+			rpz_action_to_string(i),
+			(unsigned long)s->svr.rpz_action[i])) return 0;
+	}
 #ifdef USE_DNSCRYPT
 	if(!ssl_printf(ssl, "dnscrypt_shared_secret.cache.count"SQ"%u\n",
 		(unsigned)s->svr.shared_secret_cache_count)) return 0;
--- a/daemon/worker.c
+++ b/daemon/worker.c
@ -1366,7 +1366,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 	if(worker->env.auth_zones &&
 		rpz_apply_qname_trigger(worker->env.auth_zones,
 		&worker->env, &qinfo, &edns, c->buffer, worker->scratchpad,
-		repinfo, acladdr->taglist, acladdr->taglen)) {
+		repinfo, acladdr->taglist, acladdr->taglen, &worker->stats)) {
 		regional_free_all(worker->scratchpad);
 		if(sldns_buffer_limit(c->buffer) == 0) {
 			comm_point_drop_reply(repinfo);
--- a/libunbound/unbound.h
+++ b/libunbound/unbound.h
@ -654,6 +654,8 @@ struct ub_shm_stat_info {
 #define UB_STATS_OPCODE_NUM 16
 /** number of histogram buckets */
 #define UB_STATS_BUCKET_NUM 40
+/** number of RPZ actions */
+#define UB_STATS_RPZ_ACTION_NUM 10

 /** per worker statistics. */
 struct ub_server_stats {
@ -785,6 +787,8 @@ struct ub_server_stats {
 	long long mem_stream_wait;
 	/** number of TLS connection resume */
 	long long qtls_resume;
+	/** RPZ action stats */
+	long long rpz_action[UB_STATS_RPZ_ACTION_NUM];
 };

 /** 
--- a/services/rpz.c
+++ b/services/rpz.c
@ -51,23 +51,22 @@
 #include "util/locks.h"
 #include "util/regional.h"

-/** string for RPZ action enum */
-static const char*
+const char*
 rpz_action_to_string(enum rpz_action a)
 {
 	switch(a) {
-	case RPZ_NXDOMAIN_ACTION:	return "NXDOMAIN ACTION";
-	case RPZ_NODATA_ACTION:		return "NODATA ACTION";
-	case RPZ_PASSTHRU_ACTION:	return "PASSTHRU ACTION";
-	case RPZ_DROP_ACTION:		return "DROP ACTION";
-	case RPZ_TCP_ONLY_ACTION:	return "TCP ONLY ACTION";
-	case RPZ_INVALID_ACTION:	return "INVALID ACTION";
-	case RPZ_LOCAL_DATA_ACTION:	return "LOCAL DATA ACTION";
-	case RPZ_DISABLED_ACTION:	return "DISABLED ACTION";
-	case RPZ_CNAME_OVERRIDE_ACTION:	return "CNAME OVERRIDE ACTION";
-	case RPZ_NO_OVERRIDE_ACTION:	return "NO OVERRIDE ACTION";
+	case RPZ_NXDOMAIN_ACTION:	return "nxdomain";
+	case RPZ_NODATA_ACTION:		return "nodata";
+	case RPZ_PASSTHRU_ACTION:	return "passthru";
+	case RPZ_DROP_ACTION:		return "drop";
+	case RPZ_TCP_ONLY_ACTION:	return "tcp_only";
+	case RPZ_INVALID_ACTION:	return "invalid";
+	case RPZ_LOCAL_DATA_ACTION:	return "local_data";
+	case RPZ_DISABLED_ACTION:	return "disabled";
+	case RPZ_CNAME_OVERRIDE_ACTION:	return "cname_override";
+	case RPZ_NO_OVERRIDE_ACTION:	return "no_override";
 	}
-	return "UNKNOWN RPZ ACTION";
+	return "unknown";
 }

 static enum rpz_action
@ -95,13 +94,13 @@ static const char*
 rpz_trigger_to_string(enum rpz_trigger r)
 {
 	switch(r) {
-	case RPZ_QNAME_TRIGGER:		return "QNAME TRIGGER";
-	case RPZ_CLIENT_IP_TRIGGER:	return "CLIENT IP TRIGGER";
-	case RPZ_RESPONSE_IP_TRIGGER:	return "RESPONSE IP TRIGGER";
-	case RPZ_NSDNAME_TRIGGER:	return "NSDNAME TRIGGER";
-	case RPZ_NSIP_TRIGGER:		return "NSIP TRIGGER";
+	case RPZ_QNAME_TRIGGER:		return "qname";
+	case RPZ_CLIENT_IP_TRIGGER:	return "client_ip";
+	case RPZ_RESPONSE_IP_TRIGGER:	return "response_ip";
+	case RPZ_NSDNAME_TRIGGER:	return "nsdname";
+	case RPZ_NSIP_TRIGGER:		return "nsip";
 	}
-	return "UNKNOWN RPZ TRIGGER";
+	return "unknown";
 }

 /**
@ -335,7 +334,7 @@ rpz_create(struct config_auth* p)
 		free(r);
 		return 0;
 	}
-	r->taglist = memdup(p->rpz_taglist, p->rpz_taglistlen);
+	r->taglist = p->rpz_taglist;
 	r->taglistlen = p->rpz_taglistlen;
 	if(p->rpz_action_override) {
 		r->action_override = rpz_config_to_action(p->rpz_action_override);
@ -372,6 +371,7 @@ rpz_create(struct config_auth* p)
 		}
 	}
 	r->log = p->rpz_log;
+	r->log_name = p->rpz_log_name;
 	return r;
 }

@ -642,15 +642,20 @@ rpz_remove_rr(struct rpz* r, size_t aznamelen, uint8_t* dname,
 */
 static void
 log_rpz_apply(uint8_t* dname, enum rpz_action a, struct query_info* qinfo,
-	struct comm_reply* repinfo)
+	struct comm_reply* repinfo, char* log_name)
 {
 	char ip[128], txt[512];
 	char dnamestr[LDNS_MAX_DOMAINLEN+1];
 	uint16_t port = ntohs(((struct sockaddr_in*)&repinfo->addr)->sin_port);
 	dname_str(dname, dnamestr);
 	addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip));
-	snprintf(txt, sizeof(txt), "RPZ applied %s %s %s@%u", dnamestr,
-		rpz_action_to_string(a), ip, (unsigned)port);
+	if(log_name)
+		snprintf(txt, sizeof(txt), "RPZ applied [%s] %s %s %s@%u",
+			log_name, dnamestr, rpz_action_to_string(a), ip,
+			(unsigned)port);
+	else
+		snprintf(txt, sizeof(txt), "RPZ applied %s %s %s@%u",
+			dnamestr, rpz_action_to_string(a), ip, (unsigned)port);
 	log_nametypeclass(0, txt, qinfo->qname, qinfo->qtype, qinfo->qclass);
 }

@ -658,7 +663,7 @@ int
 rpz_apply_qname_trigger(struct auth_zones* az, struct module_env* env,
 	struct query_info* qinfo, struct edns_data* edns, sldns_buffer* buf,
 	struct regional* temp, struct comm_reply* repinfo,
-	uint8_t* taglist, size_t taglen)
+	uint8_t* taglist, size_t taglen, struct ub_server_stats* stats)
 {
 	struct rpz* r;
 	int ret;
@ -675,7 +680,8 @@ rpz_apply_qname_trigger(struct auth_zones* az, struct module_env* env,
 				if(r->log)
 					log_rpz_apply(z->name,
 						r->action_override,
-						qinfo,repinfo);
+						qinfo, repinfo, r->log_name);
+				stats->rpz_action[r->action_override]++;
 				lock_rw_unlock(&z->lock);
 				z = NULL;
 			}
@ -711,7 +717,8 @@ rpz_apply_qname_trigger(struct auth_zones* az, struct module_env* env,
 		qinfo->local_alias->rrset->rk.dname_len = qinfo->qname_len;
 		if(r->log)
 			log_rpz_apply(z->name, RPZ_CNAME_OVERRIDE_ACTION, 
-				qinfo, repinfo);
+				qinfo, repinfo, r->log_name);
+		stats->rpz_action[RPZ_CNAME_OVERRIDE_ACTION]++;
 		lock_rw_unlock(&z->lock);
 		return 0;
 	}
@ -722,7 +729,8 @@ rpz_apply_qname_trigger(struct auth_zones* az, struct module_env* env,
 		if(r->log)
 			log_rpz_apply(z->name,
 				localzone_type_to_rpz_action(lzt), qinfo,
-				repinfo);
+				repinfo, r->log_name);
+		stats->rpz_action[localzone_type_to_rpz_action(lzt)]++;
 		lock_rw_unlock(&z->lock);
 		return !qinfo->local_alias;
 	}
@ -731,7 +739,8 @@ rpz_apply_qname_trigger(struct auth_zones* az, struct module_env* env,
 		0 /* no local data used */, lzt);
 	if(r->log)
 		log_rpz_apply(z->name, localzone_type_to_rpz_action(lzt),
-			qinfo, repinfo);
+			qinfo, repinfo, r->log_name);
+	stats->rpz_action[localzone_type_to_rpz_action(lzt)]++;
 	lock_rw_unlock(&z->lock);

 	return ret;
--- a/services/rpz.h
+++ b/services/rpz.h
@ -47,6 +47,7 @@
 #include "util/config_file.h"
 #include "services/authzone.h"
 #include "sldns/sbuffer.h"
+#include "daemon/stats.h"

 /**
 * RPZ triggers, only the QNAME trigger is currently supported in Unbound.
@ -91,6 +92,7 @@ struct rpz {
 	enum rpz_action action_override;
 	struct ub_packed_rrset_key* cname_override;
 	int log;
+	char* log_name;
 	struct rpz* next;
 	struct rpz* prev;
 	struct regional* region;
@ -140,12 +142,13 @@ void rpz_remove_rr(struct rpz* r, size_t aznamelen, uint8_t* dname,
 * @param repinfo: reply info
 * @param taglist: taglist to lookup.
 * @param taglen: lenth of taglist.
+ * @param stats: worker stats struct
 * @return: 1 if client answer is ready, 0 to continue resolving
 */
 int rpz_apply_qname_trigger(struct auth_zones* az, struct module_env* env,
 	struct query_info* qinfo, struct edns_data* edns, sldns_buffer* buf,
 	struct regional* temp, struct comm_reply* repinfo,
-	uint8_t* taglist, size_t taglen);
+	uint8_t* taglist, size_t taglen, struct ub_server_stats* stats);

 /**
 * Delete RPZ
@ -165,4 +168,11 @@ int rpz_clear_lz(struct rpz* r);
 */
 struct rpz* rpz_create(struct config_auth* p);

+/**
+ * String for RPZ action enum
+ * @param a: RPZ action to get string for
+ * @return: string for RPZ action
+ */
+const char* rpz_action_to_string(enum rpz_action a);
+
 #endif /* SERVICES_RPZ_H */
--- a/util/config_file.h
+++ b/util/config_file.h
@ -641,6 +641,8 @@ struct config_auth {
 	char* rpz_action_override;
 	/** Log when this RPZ policy is applied */
 	int rpz_log;
+	/** Display this name in the log when RPZ policy is applied */
+	char* rpz_log_name;
 	/** Always reply with this CNAME target if the cname override action is
 	 * used */
 	char* rpz_cname;
--- a/util/configlexer.c
+++ b/util/configlexer.c
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
@ -322,6 +322,7 @@ tags{COLON}			{ YDVAR(1, VAR_TAGS) }
 rpz-action-override{COLON}	{ YDVAR(1, VAR_RPZ_ACTION_OVERRIDE) }
 rpz-cname-override{COLON}	{ YDVAR(1, VAR_RPZ_CNAME_OVERRIDE) }
 rpz-log{COLON}			{ YDVAR(1, VAR_RPZ_LOG) }
+rpz-log-name{COLON}		{ YDVAR(1, VAR_RPZ_LOG_NAME) }
 zonefile{COLON}			{ YDVAR(1, VAR_ZONEFILE) }
 master{COLON}			{ YDVAR(1, VAR_MASTER) }
 url{COLON}			{ YDVAR(1, VAR_URL) }
--- a/util/configparser.c
+++ b/util/configparser.c
--- a/util/configparser.h
+++ b/util/configparser.h
@ -313,7 +313,8 @@ extern int yydebug;
    VAR_TAGS = 523,
    VAR_RPZ_ACTION_OVERRIDE = 524,
    VAR_RPZ_CNAME_OVERRIDE = 525,
-    VAR_RPZ_LOG = 526
+    VAR_RPZ_LOG = 526,
+    VAR_RPZ_LOG_NAME = 527
  };
 #endif
 /* Tokens.  */
@ -586,6 +587,7 @@ extern int yydebug;
 #define VAR_RPZ_ACTION_OVERRIDE 524
 #define VAR_RPZ_CNAME_OVERRIDE 525
 #define VAR_RPZ_LOG 526
+#define VAR_RPZ_LOG_NAME 527

 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@ -596,7 +598,7 @@ union YYSTYPE

 	char*	str;

-#line 600 "util/configparser.h" /* yacc.c:1909  */
+#line 602 "util/configparser.h" /* yacc.c:1909  */
 };

 typedef union YYSTYPE YYSTYPE;
--- a/util/configparser.y
+++ b/util/configparser.y
@ -167,7 +167,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_UNKNOWN_SERVER_TIME_LIMIT VAR_LOG_TAG_QUERYREPLY
 %token VAR_STREAM_WAIT_SIZE VAR_TLS_CIPHERS VAR_TLS_CIPHERSUITES
 %token VAR_TLS_SESSION_TICKET_KEYS VAR_RPZ VAR_TAGS VAR_RPZ_ACTION_OVERRIDE
-%token VAR_RPZ_CNAME_OVERRIDE VAR_RPZ_LOG
+%token VAR_RPZ_CNAME_OVERRIDE VAR_RPZ_LOG VAR_RPZ_LOG_NAME

 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@ -405,6 +405,17 @@ rpz_log: VAR_RPZ_LOG STRING_ARG
 	}
 	;

+rpz_log_name: VAR_RPZ_LOG_NAME STRING_ARG
+	{
+		OUTYY(("P(rpz_log_name:%s)\n", $2));
+		if(cfg_parser->cfg->auths->rpz_log_name)
+			yyerror("RPZ log name, there can only be one "
+				"rpz-log-name per rpz");
+		free(cfg_parser->cfg->auths->rpz_log_name);
+		cfg_parser->cfg->auths->rpz_log_name = $2;
+	}
+	;
+
 rpzstart: VAR_RPZ
 	{
 		struct config_auth* s;
@ -426,7 +437,7 @@ contents_rpz: contents_rpz content_rpz
 	| ;
 content_rpz: auth_name | auth_zonefile | rpz_tag | auth_master | auth_url |
 	   auth_allow_notify | rpz_action_override | rpz_cname_override |
-	   rpz_log
+	   rpz_log | rpz_log_name
 	;
 server_num_threads: VAR_NUM_THREADS STRING_ARG 
 	{