Diffstat (limited to 'src')
-rw-r--r--src/dnstap.c67
-rw-r--r--src/dnstap.fields9
-rw-r--r--src/dnswire/dnstap.h69
-rwxr-xr-xsrc/gen-macros.sh13
-rw-r--r--src/test/create_dnstap.c7
-rw-r--r--src/test/print_dnstap.c20
-rw-r--r--src/test/test3.gold12
-rw-r--r--src/test/test4.gold10
-rw-r--r--src/test/test5.gold10
-rw-r--r--src/test/test_dnstap.c4
10 files changed, 213 insertions, 8 deletions
diff --git a/src/dnstap.c b/src/dnstap.c
index c5275b7..4e49e64 100644
--- a/src/dnstap.c
+++ b/src/dnstap.c
@@ -41,6 +41,8 @@ const char* const DNSTAP_MESSAGE_TYPE_STRING[] = {
"STUB_RESPONSE",
"TOOL_QUERY",
"TOOL_RESPONSE",
+ "UPDATE_QUERY",
+ "UPDATE_RESPONSE",
};
const char* const DNSTAP_SOCKET_FAMILY_STRING[] = {
"UNKNOWN",
@@ -51,8 +53,38 @@ const char* const DNSTAP_SOCKET_PROTOCOL_STRING[] = {
"UNKNOWN",
"UDP",
"TCP",
+ "DOT",
+ "DOH",
+ "DNSCryptUDP",
+ "DNSCryptTCP",
+};
+const char* const DNSTAP_POLICY_ACTION_STRING[] = {
+ "UNKNOWN",
+ "NXDOMAIN",
+ "NODATA",
+ "PASS",
+ "DROP",
+ "TRUNCATE",
+ "LOCAL_DATA",
+};
+const char* const DNSTAP_POLICY_MATCH_STRING[] = {
+ "UNKNOWN",
+ "QNAME",
+ "CLIENT_IP",
+ "RESPONSE_IP",
+ "NS_NAME",
+ "NS_IP",
};
+void dnstap_message_clear_policy(struct dnstap* dnstap)
+{
+ static const Dnstap__Policy policy = DNSTAP__POLICY__INIT;
+ assert(dnstap);
+
+ dnstap->message.policy = 0;
+ dnstap->policy = policy;
+}
+
int dnstap_decode_protobuf(struct dnstap* dnstap, const uint8_t* data, size_t len)
{
assert(dnstap);
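Review bot: `dnstap_message_clear_policy` resets `dnstap->policy` to `DNSTAP__POLICY__INIT` without releasing a `policy.type` that the generated `dnstap_message_policy_set_type()` allocated with `strdup()` (gen-macros.sh tracks that in `_policy_type_alloced`), so every clear after a set leaks the string and leaves the flag stale. Free it and reset the flag before the struct assignment; this assumes `<stdlib.h>` is already included by dnstap.c, which the hunk does not show. A one-line comment on the function, `/* Detaches and resets the policy sub-message; frees a type string owned via dnstap_message_policy_set_type(). */`, would make the ownership explicit for callers.
```c
void dnstap_message_clear_policy(struct dnstap* dnstap)
{
    static const Dnstap__Policy policy = DNSTAP__POLICY__INIT;
    assert(dnstap);

    /* policy.type may be a strdup()'d copy made by the generated setter */
    if (dnstap->_policy_type_alloced) {
        free(dnstap->policy.type);
        dnstap->_policy_type_alloced = false;
    }
    dnstap->message.policy = 0;
    dnstap->policy = policy;
}
```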
@@ -88,6 +120,8 @@ int dnstap_decode_protobuf(struct dnstap* dnstap, const uint8_t* data, size_t le
case DNSTAP_MESSAGE_TYPE_STUB_RESPONSE:
case DNSTAP_MESSAGE_TYPE_TOOL_QUERY:
case DNSTAP_MESSAGE_TYPE_TOOL_RESPONSE:
+ case DNSTAP_MESSAGE_TYPE_UPDATE_QUERY:
+ case DNSTAP_MESSAGE_TYPE_UPDATE_RESPONSE:
break;
default:
dnstap->message.type = (enum _Dnstap__Message__Type)DNSTAP_MESSAGE_TYPE_UNKNOWN;
@@ -105,11 +139,44 @@ int dnstap_decode_protobuf(struct dnstap* dnstap, const uint8_t* data, size_t le
switch (dnstap->message.socket_protocol) {
case DNSTAP_SOCKET_PROTOCOL_UDP:
case DNSTAP_SOCKET_PROTOCOL_TCP:
+ case DNSTAP_SOCKET_PROTOCOL_DOT:
+ case DNSTAP_SOCKET_PROTOCOL_DOH:
+ case DNSTAP_SOCKET_PROTOCOL_DNSCryptUDP:
+ case DNSTAP_SOCKET_PROTOCOL_DNSCryptTCP:
break;
default:
dnstap->message.has_socket_protocol = false;
dnstap->message.socket_protocol = (enum _Dnstap__SocketProtocol)DNSTAP_SOCKET_PROTOCOL_UNKNOWN;
}
+
+ if (dnstap->message.policy) {
+ dnstap->policy = *dnstap->message.policy;
+
+ switch (dnstap->policy.action) {
+ case DNSTAP_POLICY_ACTION_NXDOMAIN:
+ case DNSTAP_POLICY_ACTION_NODATA:
+ case DNSTAP_POLICY_ACTION_PASS:
+ case DNSTAP_POLICY_ACTION_DROP:
+ case DNSTAP_POLICY_ACTION_TRUNCATE:
+ case DNSTAP_POLICY_ACTION_LOCAL_DATA:
+ break;
+ default:
+ dnstap->policy.has_action = false;
+ dnstap->policy.action = (enum _Dnstap__Policy__Action)DNSTAP_POLICY_ACTION_UNKNOWN;
+ }
+
+ switch (dnstap->policy.match) {
+ case DNSTAP_POLICY_MATCH_QNAME:
+ case DNSTAP_POLICY_MATCH_CLIENT_IP:
+ case DNSTAP_POLICY_MATCH_RESPONSE_IP:
+ case DNSTAP_POLICY_MATCH_NS_NAME:
+ case DNSTAP_POLICY_MATCH_NS_IP:
+ break;
+ default:
+ dnstap->policy.has_match = false;
+ dnstap->policy.match = (enum _Dnstap__Policy__Match)DNSTAP_POLICY_MATCH_UNKNOWN;
+ }
+ }
}
return 0;
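Review bot: `dnstap->policy = *dnstap->message.policy;` overwrites `policy.type` with a pointer into the unpacked protobuf message while `_policy_type_alloced` keeps whatever value it had, so if the caller previously set the type through the generated setter, that `strdup()`'d buffer leaks and a later setter call or `dnstap_message_clear_policy()` will `free()` memory owned by the unpacked message. Release the owned string and clear the flag before copying. It is also worth a comment that after this copy `message.policy` still points at the unpacked sub-message, not at `dnstap->policy`, so the `has_action`/`has_match` normalisation below only lands in the copy; whether the encode path reads `message.policy` or `policy` is outside this hunk and should be confirmed. `dnstap_decode_protobuf` begins outside the hunk.
```c
    if (dnstap->message.policy) {
        /* drop a type string we own before the unpacked one replaces it */
        if (dnstap->_policy_type_alloced) {
            free(dnstap->policy.type);
            dnstap->_policy_type_alloced = false;
        }
        dnstap->policy = *dnstap->message.policy;
        /* … unchanged: action / match range validation … */
```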
diff --git a/src/dnstap.fields b/src/dnstap.fields
index e38b6e5..26449d0 100644
--- a/src/dnstap.fields
+++ b/src/dnstap.fields
@@ -1,5 +1,5 @@
-dnstap dnstap identity string
-dnstap dnstap version string
+dnstap dnstap identity bytestring
+dnstap dnstap version bytestring
dnstap dnstap extra bytes
dnstap_message message socket_family enum dnstap_socket_family
dnstap_message message socket_protocol enum dnstap_socket_protocol
@@ -14,3 +14,8 @@ dnstap_message message query_zone bytes
dnstap_message message response_time_sec value uint64_t
dnstap_message message response_time_nsec value uint32_t
dnstap_message message response_message bytes
+dnstap_message_policy policy type string
+dnstap_message_policy policy rule bytes
+dnstap_message_policy policy action enum dnstap_policy_action
+dnstap_message_policy policy match enum dnstap_policy_match
+dnstap_message_policy policy value bytes
diff --git a/src/dnswire/dnstap.h b/src/dnswire/dnstap.h
index 97da495..7a01898 100644
--- a/src/dnswire/dnstap.h
+++ b/src/dnswire/dnstap.h
@@ -52,6 +52,8 @@ enum dnstap_message_type {
DNSTAP_MESSAGE_TYPE_STUB_RESPONSE = 10,
DNSTAP_MESSAGE_TYPE_TOOL_QUERY = 11,
DNSTAP_MESSAGE_TYPE_TOOL_RESPONSE = 12,
+ DNSTAP_MESSAGE_TYPE_UPDATE_QUERY = 13,
+ DNSTAP_MESSAGE_TYPE_UPDATE_RESPONSE = 14,
};
extern const char* const DNSTAP_MESSAGE_TYPE_STRING[];
@@ -63,15 +65,42 @@ enum dnstap_socket_family {
extern const char* const DNSTAP_SOCKET_FAMILY_STRING[];
enum dnstap_socket_protocol {
- DNSTAP_SOCKET_PROTOCOL_UNKNOWN = 0,
- DNSTAP_SOCKET_PROTOCOL_UDP = 1,
- DNSTAP_SOCKET_PROTOCOL_TCP = 2,
+ DNSTAP_SOCKET_PROTOCOL_UNKNOWN = 0,
+ DNSTAP_SOCKET_PROTOCOL_UDP = 1,
+ DNSTAP_SOCKET_PROTOCOL_TCP = 2,
+ DNSTAP_SOCKET_PROTOCOL_DOT = 3,
+ DNSTAP_SOCKET_PROTOCOL_DOH = 4,
+ DNSTAP_SOCKET_PROTOCOL_DNSCryptUDP = 5,
+ DNSTAP_SOCKET_PROTOCOL_DNSCryptTCP = 6,
};
extern const char* const DNSTAP_SOCKET_PROTOCOL_STRING[];
+enum dnstap_policy_action {
+ DNSTAP_POLICY_ACTION_UNKNOWN = 0,
+ DNSTAP_POLICY_ACTION_NXDOMAIN = 1,
+ DNSTAP_POLICY_ACTION_NODATA = 2,
+ DNSTAP_POLICY_ACTION_PASS = 3,
+ DNSTAP_POLICY_ACTION_DROP = 4,
+ DNSTAP_POLICY_ACTION_TRUNCATE = 5,
+ DNSTAP_POLICY_ACTION_LOCAL_DATA = 6,
+};
+extern const char* const DNSTAP_POLICY_ACTION_STRING[];
+
+enum dnstap_policy_match {
+ DNSTAP_POLICY_MATCH_UNKNOWN = 0,
+ DNSTAP_POLICY_MATCH_QNAME = 1,
+ DNSTAP_POLICY_MATCH_CLIENT_IP = 2,
+ DNSTAP_POLICY_MATCH_RESPONSE_IP = 3,
+ DNSTAP_POLICY_MATCH_NS_NAME = 4,
+ DNSTAP_POLICY_MATCH_NS_IP = 5,
+};
+extern const char* const DNSTAP_POLICY_MATCH_STRING[];
+
struct dnstap {
Dnstap__Dnstap dnstap;
Dnstap__Message message;
+ Dnstap__Policy policy;
+ bool _policy_type_alloced;
Dnstap__Dnstap* unpacked_dnstap;
};
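Review bot: The new `bool _policy_type_alloced;` member in `struct dnstap` has no comment, yet it is the only record of who owns `policy.type` — the generated `dnstap_message_policy_set_type()` sets it after `strdup()` and frees on the next set. Document it where it is declared, e.g. `bool _policy_type_alloced; /* policy.type was strdup()'d by dnstap_message_policy_set_type() and must be free()'d, not a pointer into an unpacked message */`. The `DNSTAP_INITIALIZER` hunk below relies on designated-initializer zeroing for this member, which is correct but also worth a word in that comment.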
@@ -80,6 +109,7 @@ struct dnstap {
{ \
.dnstap = DNSTAP__DNSTAP__INIT, \
.message = DNSTAP__MESSAGE__INIT, \
+ .policy = DNSTAP__POLICY__INIT, \
.unpacked_dnstap = 0, \
}
@@ -140,6 +170,39 @@ struct dnstap {
(d).message.socket_protocol = (enum _Dnstap__SocketProtocol)DNSTAP_MESSAGE_TYPE_UNKNOWN; \
}
+#define dnstap_message_has_policy(d) ((d).dnstap.message->policy != 0)
+#define dnstap_message_use_policy(d) (d).dnstap.message->policy = &(d).policy
+void dnstap_message_clear_policy(struct dnstap*);
+#define dnstap_message_policy_set_action(d, v) \
+ switch (v) { \
+ case DNSTAP_POLICY_ACTION_NXDOMAIN: \
+ case DNSTAP_POLICY_ACTION_NODATA: \
+ case DNSTAP_POLICY_ACTION_PASS: \
+ case DNSTAP_POLICY_ACTION_DROP: \
+ case DNSTAP_POLICY_ACTION_TRUNCATE: \
+ case DNSTAP_POLICY_ACTION_LOCAL_DATA: \
+ (d).policy.has_action = true; \
+ (d).policy.action = (enum _Dnstap__Policy__Action)v; \
+ break; \
+ default: \
+ (d).policy.has_action = false; \
+ (d).policy.action = (enum _Dnstap__Policy__Action)DNSTAP_POLICY_ACTION_UNKNOWN; \
+ }
+#define dnstap_message_policy_set_match(d, v) \
+ switch (v) { \
+ case DNSTAP_POLICY_MATCH_QNAME: \
+ case DNSTAP_POLICY_MATCH_CLIENT_IP: \
+ case DNSTAP_POLICY_MATCH_RESPONSE_IP: \
+ case DNSTAP_POLICY_MATCH_NS_NAME: \
+ case DNSTAP_POLICY_MATCH_NS_IP: \
+ (d).policy.has_match = true; \
+ (d).policy.match = (enum _Dnstap__Policy__Match)v; \
+ break; \
+ default: \
+ (d).policy.has_match = false; \
+ (d).policy.match = (enum _Dnstap__Policy__Match)DNSTAP_POLICY_MATCH_UNKNOWN; \
+ }
+
int dnstap_decode_protobuf(struct dnstap*, const uint8_t*, size_t);
// int dnstap_decode_cbor(struct dnstap*, const uint8_t*, size_t);
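Review bot: `dnstap_message_policy_set_action(d, v)` and `dnstap_message_policy_set_match(d, v)` expand to a bare `switch` statement, so `if (c) dnstap_message_policy_set_action(d, v); else …` fails to compile and the trailing `;` at every call site becomes an empty statement; wrap each expansion as `do { switch (v) { … } } while (0)` so the macro behaves like a single statement. `v` is also evaluated twice in each macro (`switch (v)` and `(enum …)v`), which matches the existing setter style in this header but is worth a `/* v evaluated twice */` comment. `dnstap_message_use_policy(d)` expands to an unparenthesised assignment; `#define dnstap_message_use_policy(d) ((d).dnstap.message->policy = &(d).policy)` keeps it usable inside a larger expression.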
diff --git a/src/gen-macros.sh b/src/gen-macros.sh
index 190d74a..a7d74c2 100755
--- a/src/gen-macros.sh
+++ b/src/gen-macros.sh
@@ -1,11 +1,24 @@
#!/bin/sh -e
echo "/* autogenerated, don't edit */"
+echo "#include <string.h>"
+echo "#include <stdlib.h>"
while read prefix base name type typedef; do
echo "// $base.$name ($type)"
case "$type" in
string )
+ echo "#define ${prefix}_has_${name}(d) ((d).${base}.${name} != 0)
+#define ${prefix}_${name}(d) (const char*)((d).${base}.${name})
+#define ${prefix}_${name}_length(d) strlen((d).${base}.${name})
+#define ${prefix}_set_${name}(d, v) \
+ if ((d)._${base}_${name}_alloced) { \
+ free((d).${base}.${name}); \
+ } \
+ (d).${base}.${name} = strdup(v); \
+ (d)._${base}_${name}_alloced = true;"
+ ;;
+ bytestring )
echo "#define ${prefix}_has_${name}(d) (bool)((d).${base}.has_${name})
#define ${prefix}_${name}(d) (const uint8_t*)((d).${base}.${name}.data)
#define ${prefix}_${name}_length(d) (size_t)((d).${base}.${name}.len)
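Review bot: The generated `${prefix}_${name}_length(d)` for `string` fields calls `strlen((d).base.name)` with no null check, so calling it on an unset field (which `${prefix}_has_${name}` reports as `0`) is undefined behaviour; emit `((d).${base}.${name} ? strlen((d).${base}.${name}) : 0)` instead. The generated setter's `if (...) { free(...); }` followed by two statements has the same dangling-`else` hazard as the header macros; wrap the whole setter body in `do { … } while (0)`. `strdup()` can return NULL and the setter still records `_alloced = true`; that is safe for the later `free(NULL)` but the caller cannot tell the set failed, which deserves a `# strdup failure leaves the field NULL` note in the script. The generated code uses `bool`/`true`, and the added `#include` lines cover only `<string.h>` and `<stdlib.h>`; presumably `<stdbool.h>` comes from the including header, but that is not visible here.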
diff --git a/src/test/create_dnstap.c b/src/test/create_dnstap.c
index 9fbd4a8..b1f00ff 100644
--- a/src/test/create_dnstap.c
+++ b/src/test/create_dnstap.c
@@ -12,6 +12,7 @@
static char dns_wire_format_placeholder[] = "dns_wire_format_placeholder";
static unsigned char query_address[sizeof(struct in_addr)];
static unsigned char response_address[sizeof(struct in_addr)];
+static char policy_value[] = "bad.ns.name";
static inline void create_dnstap(struct dnstap* d, const char* identity)
{
@@ -48,4 +49,10 @@ static inline void create_dnstap(struct dnstap* d, const char* identity)
dnstap_message_set_query_message(*d, dns_wire_format_placeholder, sizeof(dns_wire_format_placeholder) - 1);
dnstap_message_set_response_message(*d, dns_wire_format_placeholder, sizeof(dns_wire_format_placeholder) - 1);
+
+ dnstap_message_use_policy(*d);
+ dnstap_message_policy_set_type(*d, "RPZ");
+ dnstap_message_policy_set_action(*d, DNSTAP_POLICY_ACTION_DROP);
+ dnstap_message_policy_set_match(*d, DNSTAP_POLICY_MATCH_NS_NAME);
+ dnstap_message_policy_set_value(*d, policy_value, sizeof(policy_value) - 1);
}
diff --git a/src/test/print_dnstap.c b/src/test/print_dnstap.c
index b758119..109677b 100644
--- a/src/test/print_dnstap.c
+++ b/src/test/print_dnstap.c
@@ -111,6 +111,26 @@ static void print_dnstap(const struct dnstap* d)
printf(" response_message_length: %zu\n", dnstap_message_response_message_length(*d));
printf(" response_message: %s\n", printable_string(dnstap_message_response_message(*d), dnstap_message_response_message_length(*d)));
}
+
+ if (dnstap_message_has_policy(*d)) {
+ printf(" policy:\n");
+
+ if (dnstap_message_policy_has_type(*d)) {
+ printf(" type: %s\n", dnstap_message_policy_type(*d));
+ }
+ if (dnstap_message_policy_has_rule(*d)) {
+ printf(" rule: %s\n", printable_string(dnstap_message_policy_rule(*d), dnstap_message_policy_rule_length(*d)));
+ }
+ if (dnstap_message_policy_has_action(*d)) {
+ printf(" action: %s\n", DNSTAP_POLICY_ACTION_STRING[dnstap_message_policy_action(*d)]);
+ }
+ if (dnstap_message_policy_has_match(*d)) {
+ printf(" match: %s\n", DNSTAP_POLICY_MATCH_STRING[dnstap_message_policy_match(*d)]);
+ }
+ if (dnstap_message_policy_has_value(*d)) {
+ printf(" value: %s\n", printable_string(dnstap_message_policy_value(*d), dnstap_message_policy_value_length(*d)));
+ }
+ }
}
printf("----\n");
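Review bot: `printf("   type: %s\n", dnstap_message_policy_type(*d))` prints the decoded policy type verbatim while `rule` and `value` on the neighbouring lines go through `printable_string`, so a message with control characters in `type` would reach the terminal unescaped. For consistency with the rest of the printer use `printable_string(dnstap_message_policy_type(*d), dnstap_message_policy_type_length(*d))`, assuming `printable_string` takes a pointer and length as the other calls show; the gold files should be unaffected since "RPZ" is plain ASCII. `print_dnstap` begins outside the hunk.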
diff --git a/src/test/test3.gold b/src/test/test3.gold
index a6e5c22..c86c86d 100644
--- a/src/test/test3.gold
+++ b/src/test/test3.gold
@@ -1,4 +1,4 @@
-read 322
+read 370
---- dnstap
identity: writer_write-1
message:
@@ -13,6 +13,11 @@ message:
query_message: dns_wire_format_placeholder
response_message_length: 27
response_message: dns_wire_format_placeholder
+ policy:
+ type: RPZ
+ action: DROP
+ match: NS_NAME
+ value: bad.ns.name
----
---- dnstap
identity: writer_write-2
@@ -28,4 +33,9 @@ message:
query_message: dns_wire_format_placeholder
response_message_length: 27
response_message: dns_wire_format_placeholder
+ policy:
+ type: RPZ
+ action: DROP
+ match: NS_NAME
+ value: bad.ns.name
----
diff --git a/src/test/test4.gold b/src/test/test4.gold
index f6c9f7f..36523e4 100644
--- a/src/test/test4.gold
+++ b/src/test/test4.gold
@@ -12,6 +12,11 @@ message:
query_message: dns_wire_format_placeholder
response_message_length: 27
response_message: dns_wire_format_placeholder
+ policy:
+ type: RPZ
+ action: DROP
+ match: NS_NAME
+ value: bad.ns.name
----
---- dnstap
identity: writer_pop-2
@@ -27,4 +32,9 @@ message:
query_message: dns_wire_format_placeholder
response_message_length: 27
response_message: dns_wire_format_placeholder
+ policy:
+ type: RPZ
+ action: DROP
+ match: NS_NAME
+ value: bad.ns.name
----
diff --git a/src/test/test5.gold b/src/test/test5.gold
index 86404aa..3042714 100644
--- a/src/test/test5.gold
+++ b/src/test/test5.gold
@@ -12,6 +12,11 @@ message:
query_message: dns_wire_format_placeholder
response_message_length: 27
response_message: dns_wire_format_placeholder
+ policy:
+ type: RPZ
+ action: DROP
+ match: NS_NAME
+ value: bad.ns.name
----
---- dnstap
identity: writer_reader_unixsock-2
@@ -27,4 +32,9 @@ message:
query_message: dns_wire_format_placeholder
response_message_length: 27
response_message: dns_wire_format_placeholder
+ policy:
+ type: RPZ
+ action: DROP
+ match: NS_NAME
+ value: bad.ns.name
----
diff --git a/src/test/test_dnstap.c b/src/test/test_dnstap.c
index fd199f8..eec0049 100644
--- a/src/test/test_dnstap.c
+++ b/src/test/test_dnstap.c
@@ -27,7 +27,7 @@ int main(void)
d.dnstap.type = (enum _Dnstap__Dnstap__Type)DNSTAP_TYPE_MESSAGE;
// invalid message.type
- d.message.type = (enum _Dnstap__Message__Type)(DNSTAP_MESSAGE_TYPE_TOOL_RESPONSE + 1);
+ d.message.type = (enum _Dnstap__Message__Type)(DNSTAP_MESSAGE_TYPE_UPDATE_RESPONSE + 1);
s = dnstap_encode_protobuf_size(&d);
assert(s < sizeof(buf));
assert(dnstap_encode_protobuf(&d, buf) == s);
@@ -47,7 +47,7 @@ int main(void)
d.message.socket_family = (enum _Dnstap__SocketFamily)DNSTAP_SOCKET_FAMILY_INET;
// invalid message.socket_protocol
- d.message.socket_protocol = (enum _Dnstap__SocketProtocol)(DNSTAP_SOCKET_PROTOCOL_TCP + 1);
+ d.message.socket_protocol = (enum _Dnstap__SocketProtocol)(DNSTAP_SOCKET_PROTOCOL_DNSCryptTCP + 1);
s = dnstap_encode_protobuf_size(&d);
assert(s < sizeof(buf));
assert(dnstap_encode_protobuf(&d, buf) == s);