diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/dnstap.c | 67 | ||||
-rw-r--r-- | src/dnstap.fields | 9 | ||||
-rw-r--r-- | src/dnswire/dnstap.h | 69 | ||||
-rwxr-xr-x | src/gen-macros.sh | 13 | ||||
-rw-r--r-- | src/test/create_dnstap.c | 7 | ||||
-rw-r--r-- | src/test/print_dnstap.c | 20 | ||||
-rw-r--r-- | src/test/test3.gold | 12 | ||||
-rw-r--r-- | src/test/test4.gold | 10 | ||||
-rw-r--r-- | src/test/test5.gold | 10 | ||||
-rw-r--r-- | src/test/test_dnstap.c | 4 |
10 files changed, 213 insertions, 8 deletions
diff --git a/src/dnstap.c b/src/dnstap.c index c5275b7..4e49e64 100644 --- a/src/dnstap.c +++ b/src/dnstap.c @@ -41,6 +41,8 @@ const char* const DNSTAP_MESSAGE_TYPE_STRING[] = { "STUB_RESPONSE", "TOOL_QUERY", "TOOL_RESPONSE", + "UPDATE_QUERY", + "UPDATE_RESPONSE", }; const char* const DNSTAP_SOCKET_FAMILY_STRING[] = { "UNKNOWN", @@ -51,8 +53,38 @@ const char* const DNSTAP_SOCKET_PROTOCOL_STRING[] = { "UNKNOWN", "UDP", "TCP", + "DOT", + "DOH", + "DNSCryptUDP", + "DNSCryptTCP", +}; +const char* const DNSTAP_POLICY_ACTION_STRING[] = { + "UNKNOWN", + "NXDOMAIN", + "NODATA", + "PASS", + "DROP", + "TRUNCATE", + "LOCAL_DATA", +}; +const char* const DNSTAP_POLICY_MATCH_STRING[] = { + "UNKNOWN", + "QNAME", + "CLIENT_IP", + "RESPONSE_IP", + "NS_NAME", + "NS_IP", }; +void dnstap_message_clear_policy(struct dnstap* dnstap) +{ + static const Dnstap__Policy policy = DNSTAP__POLICY__INIT; + assert(dnstap); + + dnstap->message.policy = 0; + dnstap->policy = policy; +} + int dnstap_decode_protobuf(struct dnstap* dnstap, const uint8_t* data, size_t len) { assert(dnstap); @@ -88,6 +120,8 @@ int dnstap_decode_protobuf(struct dnstap* dnstap, const uint8_t* data, size_t le case DNSTAP_MESSAGE_TYPE_STUB_RESPONSE: case DNSTAP_MESSAGE_TYPE_TOOL_QUERY: case DNSTAP_MESSAGE_TYPE_TOOL_RESPONSE: + case DNSTAP_MESSAGE_TYPE_UPDATE_QUERY: + case DNSTAP_MESSAGE_TYPE_UPDATE_RESPONSE: break; default: dnstap->message.type = (enum _Dnstap__Message__Type)DNSTAP_MESSAGE_TYPE_UNKNOWN; @@ -105,11 +139,44 @@ int dnstap_decode_protobuf(struct dnstap* dnstap, const uint8_t* data, size_t le switch (dnstap->message.socket_protocol) { case DNSTAP_SOCKET_PROTOCOL_UDP: case DNSTAP_SOCKET_PROTOCOL_TCP: + case DNSTAP_SOCKET_PROTOCOL_DOT: + case DNSTAP_SOCKET_PROTOCOL_DOH: + case DNSTAP_SOCKET_PROTOCOL_DNSCryptUDP: + case DNSTAP_SOCKET_PROTOCOL_DNSCryptTCP: break; default: dnstap->message.has_socket_protocol = false; dnstap->message.socket_protocol = (enum _Dnstap__SocketProtocol)DNSTAP_SOCKET_PROTOCOL_UNKNOWN; } + + if (dnstap->message.policy) { + dnstap->policy = *dnstap->message.policy; + + switch (dnstap->policy.action) { + case DNSTAP_POLICY_ACTION_NXDOMAIN: + case DNSTAP_POLICY_ACTION_NODATA: + case DNSTAP_POLICY_ACTION_PASS: + case DNSTAP_POLICY_ACTION_DROP: + case DNSTAP_POLICY_ACTION_TRUNCATE: + case DNSTAP_POLICY_ACTION_LOCAL_DATA: + break; + default: + dnstap->policy.has_action = false; + dnstap->policy.action = (enum _Dnstap__Policy__Action)DNSTAP_POLICY_ACTION_UNKNOWN; + } + + switch (dnstap->policy.match) { + case DNSTAP_POLICY_MATCH_QNAME: + case DNSTAP_POLICY_MATCH_CLIENT_IP: + case DNSTAP_POLICY_MATCH_RESPONSE_IP: + case DNSTAP_POLICY_MATCH_NS_NAME: + case DNSTAP_POLICY_MATCH_NS_IP: + break; + default: + dnstap->policy.has_match = false; + dnstap->policy.match = (enum _Dnstap__Policy__Match)DNSTAP_POLICY_MATCH_UNKNOWN; + } + } } return 0; diff --git a/src/dnstap.fields b/src/dnstap.fields index e38b6e5..26449d0 100644 --- a/src/dnstap.fields +++ b/src/dnstap.fields @@ -1,5 +1,5 @@ -dnstap dnstap identity string -dnstap dnstap version string +dnstap dnstap identity bytestring +dnstap dnstap version bytestring dnstap dnstap extra bytes dnstap_message message socket_family enum dnstap_socket_family dnstap_message message socket_protocol enum dnstap_socket_protocol @@ -14,3 +14,8 @@ dnstap_message message query_zone bytes dnstap_message message response_time_sec value uint64_t dnstap_message message response_time_nsec value uint32_t dnstap_message message response_message bytes +dnstap_message_policy policy type string +dnstap_message_policy policy rule bytes +dnstap_message_policy policy action enum dnstap_policy_action +dnstap_message_policy policy match enum dnstap_policy_match +dnstap_message_policy policy value bytes diff --git a/src/dnswire/dnstap.h b/src/dnswire/dnstap.h index 97da495..7a01898 100644 --- a/src/dnswire/dnstap.h +++ b/src/dnswire/dnstap.h @@ -52,6 +52,8 @@ enum dnstap_message_type { DNSTAP_MESSAGE_TYPE_STUB_RESPONSE = 10, DNSTAP_MESSAGE_TYPE_TOOL_QUERY = 11, DNSTAP_MESSAGE_TYPE_TOOL_RESPONSE = 12, + DNSTAP_MESSAGE_TYPE_UPDATE_QUERY = 13, + DNSTAP_MESSAGE_TYPE_UPDATE_RESPONSE = 14, }; extern const char* const DNSTAP_MESSAGE_TYPE_STRING[]; @@ -63,15 +65,42 @@ enum dnstap_socket_family { extern const char* const DNSTAP_SOCKET_FAMILY_STRING[]; enum dnstap_socket_protocol { - DNSTAP_SOCKET_PROTOCOL_UNKNOWN = 0, - DNSTAP_SOCKET_PROTOCOL_UDP = 1, - DNSTAP_SOCKET_PROTOCOL_TCP = 2, + DNSTAP_SOCKET_PROTOCOL_UNKNOWN = 0, + DNSTAP_SOCKET_PROTOCOL_UDP = 1, + DNSTAP_SOCKET_PROTOCOL_TCP = 2, + DNSTAP_SOCKET_PROTOCOL_DOT = 3, + DNSTAP_SOCKET_PROTOCOL_DOH = 4, + DNSTAP_SOCKET_PROTOCOL_DNSCryptUDP = 5, + DNSTAP_SOCKET_PROTOCOL_DNSCryptTCP = 6, }; extern const char* const DNSTAP_SOCKET_PROTOCOL_STRING[]; +enum dnstap_policy_action { + DNSTAP_POLICY_ACTION_UNKNOWN = 0, + DNSTAP_POLICY_ACTION_NXDOMAIN = 1, + DNSTAP_POLICY_ACTION_NODATA = 2, + DNSTAP_POLICY_ACTION_PASS = 3, + DNSTAP_POLICY_ACTION_DROP = 4, + DNSTAP_POLICY_ACTION_TRUNCATE = 5, + DNSTAP_POLICY_ACTION_LOCAL_DATA = 6, +}; +extern const char* const DNSTAP_POLICY_ACTION_STRING[]; + +enum dnstap_policy_match { + DNSTAP_POLICY_MATCH_UNKNOWN = 0, + DNSTAP_POLICY_MATCH_QNAME = 1, + DNSTAP_POLICY_MATCH_CLIENT_IP = 2, + DNSTAP_POLICY_MATCH_RESPONSE_IP = 3, + DNSTAP_POLICY_MATCH_NS_NAME = 4, + DNSTAP_POLICY_MATCH_NS_IP = 5, +}; +extern const char* const DNSTAP_POLICY_MATCH_STRING[]; + struct dnstap { Dnstap__Dnstap dnstap; Dnstap__Message message; + Dnstap__Policy policy; + bool _policy_type_alloced; Dnstap__Dnstap* unpacked_dnstap; }; @@ -80,6 +109,7 @@ struct dnstap { { \ .dnstap = DNSTAP__DNSTAP__INIT, \ .message = DNSTAP__MESSAGE__INIT, \ + .policy = DNSTAP__POLICY__INIT, \ .unpacked_dnstap = 0, \ } @@ -140,6 +170,39 @@ struct dnstap { (d).message.socket_protocol = (enum _Dnstap__SocketProtocol)DNSTAP_MESSAGE_TYPE_UNKNOWN; \ } +#define dnstap_message_has_policy(d) ((d).dnstap.message->policy != 0) +#define dnstap_message_use_policy(d) (d).dnstap.message->policy = &(d).policy +void dnstap_message_clear_policy(struct dnstap*); +#define dnstap_message_policy_set_action(d, v) \ + switch (v) { \ + case DNSTAP_POLICY_ACTION_NXDOMAIN: \ + case DNSTAP_POLICY_ACTION_NODATA: \ + case DNSTAP_POLICY_ACTION_PASS: \ + case DNSTAP_POLICY_ACTION_DROP: \ + case DNSTAP_POLICY_ACTION_TRUNCATE: \ + case DNSTAP_POLICY_ACTION_LOCAL_DATA: \ + (d).policy.has_action = true; \ + (d).policy.action = (enum _Dnstap__Policy__Action)v; \ + break; \ + default: \ + (d).policy.has_action = false; \ + (d).policy.action = (enum _Dnstap__Policy__Action)DNSTAP_POLICY_ACTION_UNKNOWN; \ + } +#define dnstap_message_policy_set_match(d, v) \ + switch (v) { \ + case DNSTAP_POLICY_MATCH_QNAME: \ + case DNSTAP_POLICY_MATCH_CLIENT_IP: \ + case DNSTAP_POLICY_MATCH_RESPONSE_IP: \ + case DNSTAP_POLICY_MATCH_NS_NAME: \ + case DNSTAP_POLICY_MATCH_NS_IP: \ + (d).policy.has_match = true; \ + (d).policy.match = (enum _Dnstap__Policy__Match)v; \ + break; \ + default: \ + (d).policy.has_match = false; \ + (d).policy.match = (enum _Dnstap__Policy__Match)DNSTAP_POLICY_MATCH_UNKNOWN; \ + } + int dnstap_decode_protobuf(struct dnstap*, const uint8_t*, size_t); // int dnstap_decode_cbor(struct dnstap*, const uint8_t*, size_t); diff --git a/src/gen-macros.sh b/src/gen-macros.sh index 190d74a..a7d74c2 100755 --- a/src/gen-macros.sh +++ b/src/gen-macros.sh @@ -1,11 +1,24 @@ #!/bin/sh -e echo "/* autogenerated, don't edit */" +echo "#include <string.h>" +echo "#include <stdlib.h>" while read prefix base name type typedef; do echo "// $base.$name ($type)" case "$type" in string ) + echo "#define ${prefix}_has_${name}(d) ((d).${base}.${name} != 0) +#define ${prefix}_${name}(d) (const char*)((d).${base}.${name}) +#define ${prefix}_${name}_length(d) strlen((d).${base}.${name}) +#define ${prefix}_set_${name}(d, v) \ + if ((d)._${base}_${name}_alloced) { \ + free((d).${base}.${name}); \ + } \ + (d).${base}.${name} = strdup(v); \ + (d)._${base}_${name}_alloced = true;" + ;; + bytestring ) echo "#define ${prefix}_has_${name}(d) (bool)((d).${base}.has_${name}) #define ${prefix}_${name}(d) (const uint8_t*)((d).${base}.${name}.data) #define ${prefix}_${name}_length(d) (size_t)((d).${base}.${name}.len) diff --git a/src/test/create_dnstap.c b/src/test/create_dnstap.c index 9fbd4a8..b1f00ff 100644 --- a/src/test/create_dnstap.c +++ b/src/test/create_dnstap.c @@ -12,6 +12,7 @@ static char dns_wire_format_placeholder[] = "dns_wire_format_placeholder"; static unsigned char query_address[sizeof(struct in_addr)]; static unsigned char response_address[sizeof(struct in_addr)]; +static char policy_value[] = "bad.ns.name"; static inline void create_dnstap(struct dnstap* d, const char* identity) { @@ -48,4 +49,10 @@ static inline void create_dnstap(struct dnstap* d, const char* identity) dnstap_message_set_query_message(*d, dns_wire_format_placeholder, sizeof(dns_wire_format_placeholder) - 1); dnstap_message_set_response_message(*d, dns_wire_format_placeholder, sizeof(dns_wire_format_placeholder) - 1); + + dnstap_message_use_policy(*d); + dnstap_message_policy_set_type(*d, "RPZ"); + dnstap_message_policy_set_action(*d, DNSTAP_POLICY_ACTION_DROP); + dnstap_message_policy_set_match(*d, DNSTAP_POLICY_MATCH_NS_NAME); + dnstap_message_policy_set_value(*d, policy_value, sizeof(policy_value) - 1); } diff --git a/src/test/print_dnstap.c b/src/test/print_dnstap.c index b758119..109677b 100644 --- a/src/test/print_dnstap.c +++ b/src/test/print_dnstap.c @@ -111,6 +111,26 @@ static void print_dnstap(const struct dnstap* d) printf(" response_message_length: %zu\n", dnstap_message_response_message_length(*d)); printf(" response_message: %s\n", printable_string(dnstap_message_response_message(*d), dnstap_message_response_message_length(*d))); } + + if (dnstap_message_has_policy(*d)) { + printf(" policy:\n"); + + if (dnstap_message_policy_has_type(*d)) { + printf(" type: %s\n", dnstap_message_policy_type(*d)); + } + if (dnstap_message_policy_has_rule(*d)) { + printf(" rule: %s\n", printable_string(dnstap_message_policy_rule(*d), dnstap_message_policy_rule_length(*d))); + } + if (dnstap_message_policy_has_action(*d)) { + printf(" action: %s\n", DNSTAP_POLICY_ACTION_STRING[dnstap_message_policy_action(*d)]); + } + if (dnstap_message_policy_has_match(*d)) { + printf(" match: %s\n", DNSTAP_POLICY_MATCH_STRING[dnstap_message_policy_match(*d)]); + } + if (dnstap_message_policy_has_value(*d)) { + printf(" value: %s\n", printable_string(dnstap_message_policy_value(*d), dnstap_message_policy_value_length(*d))); + } + } } printf("----\n"); diff --git a/src/test/test3.gold b/src/test/test3.gold index a6e5c22..c86c86d 100644 --- a/src/test/test3.gold +++ b/src/test/test3.gold @@ -1,4 +1,4 @@ -read 322 +read 370 ---- dnstap identity: writer_write-1 message: @@ -13,6 +13,11 @@ message: query_message: dns_wire_format_placeholder response_message_length: 27 response_message: dns_wire_format_placeholder + policy: + type: RPZ + action: DROP + match: NS_NAME + value: bad.ns.name ---- ---- dnstap identity: writer_write-2 @@ -28,4 +33,9 @@ message: query_message: dns_wire_format_placeholder response_message_length: 27 response_message: dns_wire_format_placeholder + policy: + type: RPZ + action: DROP + match: NS_NAME + value: bad.ns.name ---- diff --git a/src/test/test4.gold b/src/test/test4.gold index f6c9f7f..36523e4 100644 --- a/src/test/test4.gold +++ b/src/test/test4.gold @@ -12,6 +12,11 @@ message: query_message: dns_wire_format_placeholder response_message_length: 27 response_message: dns_wire_format_placeholder + policy: + type: RPZ + action: DROP + match: NS_NAME + value: bad.ns.name ---- ---- dnstap identity: writer_pop-2 @@ -27,4 +32,9 @@ message: query_message: dns_wire_format_placeholder response_message_length: 27 response_message: dns_wire_format_placeholder + policy: + type: RPZ + action: DROP + match: NS_NAME + value: bad.ns.name ---- diff --git a/src/test/test5.gold b/src/test/test5.gold index 86404aa..3042714 100644 --- a/src/test/test5.gold +++ b/src/test/test5.gold @@ -12,6 +12,11 @@ message: query_message: dns_wire_format_placeholder response_message_length: 27 response_message: dns_wire_format_placeholder + policy: + type: RPZ + action: DROP + match: NS_NAME + value: bad.ns.name ---- ---- dnstap identity: writer_reader_unixsock-2 @@ -27,4 +32,9 @@ message: query_message: dns_wire_format_placeholder response_message_length: 27 response_message: dns_wire_format_placeholder + policy: + type: RPZ + action: DROP + match: NS_NAME + value: bad.ns.name ---- diff --git a/src/test/test_dnstap.c b/src/test/test_dnstap.c index fd199f8..eec0049 100644 --- a/src/test/test_dnstap.c +++ b/src/test/test_dnstap.c @@ -27,7 +27,7 @@ int main(void) d.dnstap.type = (enum _Dnstap__Dnstap__Type)DNSTAP_TYPE_MESSAGE; // invalid message.type - d.message.type = (enum _Dnstap__Message__Type)(DNSTAP_MESSAGE_TYPE_TOOL_RESPONSE + 1); + d.message.type = (enum _Dnstap__Message__Type)(DNSTAP_MESSAGE_TYPE_UPDATE_RESPONSE + 1); s = dnstap_encode_protobuf_size(&d); assert(s < sizeof(buf)); assert(dnstap_encode_protobuf(&d, buf) == s); @@ -47,7 +47,7 @@ int main(void) d.message.socket_family = (enum _Dnstap__SocketFamily)DNSTAP_SOCKET_FAMILY_INET; // invalid message.socket_protocol - d.message.socket_protocol = (enum _Dnstap__SocketProtocol)(DNSTAP_SOCKET_PROTOCOL_TCP + 1); + d.message.socket_protocol = (enum _Dnstap__SocketProtocol)(DNSTAP_SOCKET_PROTOCOL_DNSCryptTCP + 1); s = dnstap_encode_protobuf_size(&d); assert(s < sizeof(buf)); assert(dnstap_encode_protobuf(&d, buf) == s); |