]>
Commit | Line | Data |
---|---|---|
12471842 PL |
1 | /* |
2 | * This file is part of PowerDNS or dnsdist. | |
3 | * Copyright -- PowerDNS.COM B.V. and its contributors | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of version 2 of the GNU General Public License as | |
7 | * published by the Free Software Foundation. | |
8 | * | |
9 | * In addition, for the avoidance of any doubt, permission is granted to | |
10 | * link this program with OpenSSL and to (re)distribute the binaries | |
11 | * produced as the result of such linking. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, | |
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
16 | * GNU General Public License for more details. | |
17 | * | |
18 | * You should have received a copy of the GNU General Public License | |
19 | * along with this program; if not, write to the Free Software | |
20 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | |
21 | */ | |
ffb07158 | 22 | #include "dnsdist.hh" |
23 | #include "sodcrypto.hh" | |
93644039 | 24 | #include "pwd.h" |
424bdfb1 PD |
25 | |
26 | #if defined (__OpenBSD__) | |
27 | #include <readline/readline.h> | |
28 | #include <readline/history.h> | |
29 | #else | |
9c8aa826 | 30 | #include <editline/readline.h> |
424bdfb1 PD |
31 | #endif |
32 | ||
ffb07158 | 33 | #include <fstream> |
34 | #include "dolog.hh" | |
7e7a5b71 | 35 | #include "ext/json11/json11.hpp" |
ffb07158 | 36 | |
f758857a | 37 | vector<pair<struct timeval, string> > g_confDelta; |
38 | ||
39 | // MUST BE CALLED UNDER A LOCK - right now the LuaLock | |
40 | void feedConfigDelta(const std::string& line) | |
41 | { | |
171fca9a | 42 | if(line.empty()) |
43 | return; | |
f758857a | 44 | struct timeval now; |
45 | gettimeofday(&now, 0); | |
46 | g_confDelta.push_back({now,line}); | |
47 | } | |
48 | ||
93644039 PL |
49 | string historyFile(const bool &ignoreHOME = false) |
50 | { | |
51 | string ret; | |
52 | ||
53 | struct passwd pwd; | |
54 | struct passwd *result; | |
55 | char buf[16384]; | |
56 | getpwuid_r(geteuid(), &pwd, buf, sizeof(buf), &result); | |
57 | ||
58 | const char *homedir = getenv("HOME"); | |
59 | if (result) | |
60 | ret = string(pwd.pw_dir); | |
61 | if (homedir && !ignoreHOME) // $HOME overrides what the OS tells us | |
62 | ret = string(homedir); | |
63 | if (ret.empty()) | |
64 | ret = "."; // CWD if nothing works.. | |
65 | ret.append("/.dnsdist_history"); | |
66 | return ret; | |
67 | } | |
68 | ||
ffb07158 | 69 | void doClient(ComboAddress server, const std::string& command) |
70 | { | |
9c186303 | 71 | if(g_verbose) |
72 | cout<<"Connecting to "<<server.toStringWithPort()<<endl; | |
ffb07158 | 73 | int fd=socket(server.sin4.sin_family, SOCK_STREAM, 0); |
6a62c0e3 RG |
74 | if (fd < 0) { |
75 | cerr<<"Unable to connect to "<<server.toStringWithPort()<<endl; | |
76 | return; | |
77 | } | |
ffb07158 | 78 | SConnect(fd, server); |
9c186303 | 79 | setTCPNoDelay(fd); |
333ea16e | 80 | SodiumNonce theirs, ours, readingNonce, writingNonce; |
ffb07158 | 81 | ours.init(); |
82 | ||
83 | writen2(fd, (const char*)ours.value, sizeof(ours.value)); | |
84 | readn2(fd, (char*)theirs.value, sizeof(theirs.value)); | |
333ea16e RG |
85 | readingNonce.merge(ours, theirs); |
86 | writingNonce.merge(theirs, ours); | |
ffb07158 | 87 | |
88 | if(!command.empty()) { | |
333ea16e | 89 | string msg=sodEncryptSym(command, g_key, writingNonce); |
a683e8bd | 90 | putMsgLen32(fd, (uint32_t) msg.length()); |
ffb07158 | 91 | if(!msg.empty()) |
92 | writen2(fd, msg); | |
93 | uint32_t len; | |
e4ef64be RG |
94 | if(getMsgLen32(fd, &len)) { |
95 | if (len > 0) { | |
96 | boost::scoped_array<char> resp(new char[len]); | |
97 | readn2(fd, resp.get(), len); | |
98 | msg.assign(resp.get(), len); | |
333ea16e | 99 | msg=sodDecryptSym(msg, g_key, readingNonce); |
7e7a5b71 | 100 | cout<<msg; |
a43f9501 | 101 | cout.flush(); |
e4ef64be RG |
102 | } |
103 | } | |
104 | else { | |
105 | cout << "Connection closed by the server." << endl; | |
106 | } | |
6a62c0e3 | 107 | close(fd); |
ffb07158 | 108 | return; |
109 | } | |
110 | ||
93644039 | 111 | string histfile = historyFile(); |
ffb07158 | 112 | set<string> dupper; |
113 | { | |
93644039 | 114 | ifstream history(histfile); |
ffb07158 | 115 | string line; |
116 | while(getline(history, line)) | |
117 | add_history(line.c_str()); | |
118 | } | |
93644039 | 119 | ofstream history(histfile, std::ios_base::app); |
ffb07158 | 120 | string lastline; |
121 | for(;;) { | |
122 | char* sline = readline("> "); | |
123 | rl_bind_key('\t',rl_complete); | |
124 | if(!sline) | |
125 | break; | |
126 | ||
127 | string line(sline); | |
128 | if(!line.empty() && line != lastline) { | |
129 | add_history(sline); | |
130 | history << sline <<endl; | |
131 | history.flush(); | |
132 | } | |
133 | lastline=line; | |
134 | free(sline); | |
135 | ||
136 | if(line=="quit") | |
137 | break; | |
138 | ||
0877da98 RG |
139 | /* no need to send an empty line to the server */ |
140 | if(line.empty()) | |
141 | continue; | |
142 | ||
333ea16e | 143 | string msg=sodEncryptSym(line, g_key, writingNonce); |
a683e8bd | 144 | putMsgLen32(fd, (uint32_t) msg.length()); |
ffb07158 | 145 | writen2(fd, msg); |
146 | uint32_t len; | |
ff16861c | 147 | if(!getMsgLen32(fd, &len)) { |
ffb07158 | 148 | cout << "Connection closed by the server." << endl; |
149 | break; | |
150 | } | |
151 | ||
ff16861c RG |
152 | if (len > 0) { |
153 | boost::scoped_array<char> resp(new char[len]); | |
154 | readn2(fd, resp.get(), len); | |
155 | msg.assign(resp.get(), len); | |
333ea16e | 156 | msg=sodDecryptSym(msg, g_key, readingNonce); |
7e7a5b71 | 157 | cout<<msg; |
158 | cout.flush(); | |
ff16861c RG |
159 | } |
160 | else { | |
161 | cout<<endl; | |
162 | } | |
ffb07158 | 163 | } |
6c1ca990 | 164 | close(fd); |
ffb07158 | 165 | } |
166 | ||
167 | void doConsole() | |
168 | { | |
93644039 | 169 | string histfile = historyFile(true); |
ffb07158 | 170 | set<string> dupper; |
171 | { | |
93644039 | 172 | ifstream history(histfile); |
ffb07158 | 173 | string line; |
174 | while(getline(history, line)) | |
175 | add_history(line.c_str()); | |
176 | } | |
93644039 | 177 | ofstream history(histfile, std::ios_base::app); |
ffb07158 | 178 | string lastline; |
179 | for(;;) { | |
180 | char* sline = readline("> "); | |
181 | rl_bind_key('\t',rl_complete); | |
182 | if(!sline) | |
183 | break; | |
184 | ||
185 | string line(sline); | |
186 | if(!line.empty() && line != lastline) { | |
187 | add_history(sline); | |
188 | history << sline <<endl; | |
189 | history.flush(); | |
190 | } | |
191 | lastline=line; | |
192 | free(sline); | |
193 | ||
194 | if(line=="quit") | |
195 | break; | |
196 | ||
197 | string response; | |
198 | try { | |
7e7a5b71 | 199 | bool withReturn=true; |
200 | retry:; | |
201 | try { | |
202 | std::lock_guard<std::mutex> lock(g_luamutex); | |
203 | g_outputBuffer.clear(); | |
204 | resetLuaSideEffect(); | |
205 | auto ret=g_lua.executeCode< | |
206 | boost::optional< | |
207 | boost::variant< | |
208 | string, | |
209 | shared_ptr<DownstreamState>, | |
210 | std::unordered_map<string, double> | |
211 | > | |
212 | > | |
213 | >(withReturn ? ("return "+line) : line); | |
7e7a5b71 | 214 | if(ret) { |
af619119 RG |
215 | if (const auto dsValue = boost::get<shared_ptr<DownstreamState>>(&*ret)) { |
216 | cout<<(*dsValue)->getName()<<endl; | |
7e7a5b71 | 217 | } |
218 | else if (const auto strValue = boost::get<string>(&*ret)) { | |
219 | cout<<*strValue<<endl; | |
220 | } | |
221 | else if(const auto um = boost::get<std::unordered_map<string, double> >(&*ret)) { | |
222 | using namespace json11; | |
223 | Json::object o; | |
224 | for(const auto& v : *um) | |
225 | o[v.first]=v.second; | |
226 | Json out = o; | |
227 | cout<<out.dump()<<endl; | |
228 | } | |
229 | } | |
230 | else | |
231 | cout << g_outputBuffer; | |
232 | if(!getLuaNoSideEffect()) | |
233 | feedConfigDelta(line); | |
ffb07158 | 234 | } |
7e7a5b71 | 235 | catch(const LuaContext::SyntaxErrorException&) { |
236 | if(withReturn) { | |
237 | withReturn=false; | |
238 | goto retry; | |
239 | } | |
240 | throw; | |
241 | } | |
242 | } | |
243 | catch(const LuaContext::WrongTypeException& e) { | |
244 | std::cerr<<"Command returned an object we can't print"<<std::endl; | |
245 | // tried to return something we don't understand | |
ffb07158 | 246 | } |
247 | catch(const LuaContext::ExecutionErrorException& e) { | |
98bac6bc | 248 | if(!strcmp(e.what(),"invalid key to 'next'")) |
249 | std::cerr<<"Error parsing parameters, did you forget parameter name?"; | |
250 | else | |
251 | std::cerr << e.what(); | |
ffb07158 | 252 | try { |
253 | std::rethrow_if_nested(e); | |
98bac6bc | 254 | |
d96df9ec | 255 | std::cerr << std::endl; |
af619119 RG |
256 | } catch(const std::exception& ne) { |
257 | // ne is the exception that was thrown from inside the lambda | |
258 | std::cerr << ": " << ne.what() << std::endl; | |
ffb07158 | 259 | } |
af619119 RG |
260 | catch(const PDNSException& ne) { |
261 | // ne is the exception that was thrown from inside the lambda | |
262 | std::cerr << ": " << ne.reason << std::endl; | |
ffb07158 | 263 | } |
264 | } | |
265 | catch(const std::exception& e) { | |
ffb07158 | 266 | std::cerr << e.what() << std::endl; |
267 | } | |
268 | } | |
269 | } | |
270 | /**** CARGO CULT CODE AHEAD ****/ | |
ca4252e0 RG |
271 | const std::vector<ConsoleKeyword> g_consoleKeywords{ |
272 | /* keyword, function, parameters, description */ | |
273 | { "addACL", true, "netmask", "add to the ACL set who can use this server" }, | |
274 | { "addAction", true, "DNS rule, DNS action", "add a rule" }, | |
275 | { "addAnyTCRule", true, "", "generate TC=1 answers to ANY queries received over UDP, moving them to TCP" }, | |
276 | { "addDelay", true, "domain, n", "delay answers within that domain by n milliseconds" }, | |
277 | { "addDisableValidationRule", true, "DNS rule", "set the CD flags to 1 for all queries matching the specified domain" }, | |
efd35aa8 | 278 | { "addDNSCryptBind", true, "\"127.0.0.1:8443\", \"provider name\", \"/path/to/resolver.cert\", \"/path/to/resolver.key\", {reusePort=false, tcpFastOpenSize=0, interface=\"\"}", "listen to incoming DNSCrypt queries on 127.0.0.1 port 8443, with a provider name of `provider name`, using a resolver certificate and associated key stored respectively in the `resolver.cert` and `resolver.key` files. The fifth optional parameter is a table of parameters" }, |
ca4252e0 RG |
279 | { "addDomainBlock", true, "domain", "block queries within this domain" }, |
280 | { "addDomainSpoof", true, "domain, ip[, ip6]", "generate answers for A/AAAA/ANY queries using the ip parameters" }, | |
7b925432 | 281 | { "addDynBlocks", true, "addresses, message[, seconds[, action]]", "block the set of addresses with message `msg`, for `seconds` seconds (10 by default), applying `action` (default to the one set with `setDynBlocksAction()`)" }, |
efd35aa8 | 282 | { "addLocal", true, "addr [, {doTCP=true, reusePort=false, tcpFastOpenSize=0, interface=\"\"}]", "add `addr` to the list of addresses we listen on" }, |
ca4252e0 | 283 | { "addLuaAction", true, "x, func", "where 'x' is all the combinations from `addPoolRule`, and func is a function with the parameter `dq`, which returns an action to be taken on this packet. Good for rare packets but where you want to do a lot of processing" }, |
153d5065 | 284 | { "addLuaResponseAction", true, "x, func", "where 'x' is all the combinations from `addPoolRule`, and func is a function with the parameter `dr`, which returns an action to be taken on this response packet. Good for rare packets but where you want to do a lot of processing" }, |
ca4252e0 RG |
285 | { "addNoRecurseRule", true, "domain", "clear the RD flag for all queries matching the specified domain" }, |
286 | { "addPoolRule", true, "domain, pool", "send queries to this domain to that pool" }, | |
287 | { "addQPSLimit", true, "domain, n", "limit queries within that domain to n per second" }, | |
288 | { "addQPSPoolRule", true, "x, limit, pool", "like `addPoolRule`, but only select at most 'limit' queries/s for this pool, letting the subsequent rules apply otherwise" }, | |
cf48b0ce | 289 | { "addCacheHitResponseAction", true, "DNS rule, DNS response action", "add a cache hit response rule" }, |
ca4252e0 RG |
290 | { "addResponseAction", true, "DNS rule, DNS response action", "add a response rule" }, |
291 | { "AllowAction", true, "", "let these packets go through" }, | |
788c3243 | 292 | { "AllowResponseAction", true, "", "let these packets go through" }, |
ca4252e0 RG |
293 | { "AllRule", true, "", "matches all traffic" }, |
294 | { "AndRule", true, "list of DNS rules", "matches if all sub-rules matches" }, | |
295 | { "benchRule", true, "DNS Rule [, iterations [, suffix]]", "bench the specified DNS rule" }, | |
296 | { "carbonServer", true, "serverIP, [ourname], [interval]", "report statistics to serverIP using our hostname, or 'ourname' if provided, every 'interval' seconds" }, | |
297 | { "controlSocket", true, "addr", "open a control socket on this address / connect to this address in client mode" }, | |
298 | { "clearDynBlocks", true, "", "clear all dynamic blocks" }, | |
786e4d8c | 299 | { "clearQueryCounters", true, "", "clears the query counter buffer" }, |
ca4252e0 RG |
300 | { "clearRules", true, "", "remove all current rules" }, |
301 | { "DelayAction", true, "milliseconds", "delay the response by the specified amount of milliseconds (UDP-only)" }, | |
788c3243 | 302 | { "DelayResponseAction", true, "milliseconds", "delay the response by the specified amount of milliseconds (UDP-only)" }, |
ca4252e0 RG |
303 | { "delta", true, "", "shows all commands entered that changed the configuration" }, |
304 | { "DisableValidationAction", true, "", "set the CD bit in the question, let it go through" }, | |
305 | { "DropAction", true, "", "drop these packets" }, | |
788c3243 | 306 | { "DropResponseAction", true, "", "drop these packets" }, |
ca4252e0 RG |
307 | { "dumpStats", true, "", "print all statistics we gather" }, |
308 | { "exceedNXDOMAINs", true, "rate, seconds", "get set of addresses that exceed `rate` NXDOMAIN/s over `seconds` seconds" }, | |
309 | { "exceedQRate", true, "rate, seconds", "get set of address that exceed `rate` queries/s over `seconds` seconds" }, | |
310 | { "exceedQTypeRate", true, "type, rate, seconds", "get set of address that exceed `rate` queries/s for queries of type `type` over `seconds` seconds" }, | |
55fcc3d7 | 311 | { "exceedRespByterate", true, "rate, seconds", "get set of addresses that exceeded `rate` bytes/s answers over `seconds` seconds" }, |
82e55fbd | 312 | { "exceedServFails", true, "rate, seconds", "get set of addresses that exceed `rate` servfails/s over `seconds` seconds" }, |
ca4252e0 RG |
313 | { "firstAvailable", false, "", "picks the server with the lowest `order` that has not exceeded its QPS limit" }, |
314 | { "fixupCase", true, "bool", "if set (default to no), rewrite the first qname of the question part of the answer to match the one from the query. It is only useful when you have a downstream server that messes up the case of the question qname in the answer" }, | |
315 | { "generateDNSCryptCertificate", true, "\"/path/to/providerPrivate.key\", \"/path/to/resolver.cert\", \"/path/to/resolver.key\", serial, validFrom, validUntil", "generate a new resolver private key and related certificate, valid from the `validFrom` timestamp until the `validUntil` one, signed with the provider private key" }, | |
79500db5 RG |
316 | { "generateDNSCryptProviderKeys", true, "\"/path/to/providerPublic.key\", \"/path/to/providerPrivate.key\"", "generate a new provider keypair" }, |
317 | { "getDNSCryptBind", true, "n", "return the `DNSCryptContext` object corresponding to the bind `n`" }, | |
ca4252e0 | 318 | { "getPoolServers", true, "pool", "return servers part of this pool" }, |
786e4d8c | 319 | { "getQueryCounters", true, "[max=10]", "show current buffer of query counters, limited by 'max' if provided" }, |
ca4252e0 RG |
320 | { "getResponseRing", true, "", "return the current content of the response ring" }, |
321 | { "getServer", true, "n", "returns server with index n" }, | |
322 | { "getServers", true, "", "returns a table with all defined servers" }, | |
323 | { "grepq", true, "Netmask|DNS Name|100ms|{\"::1\", \"powerdns.com\", \"100ms\"} [, n]", "shows the last n queries and responses matching the specified client address or range (Netmask), or the specified DNS Name, or slower than 100ms" }, | |
324 | { "leastOutstanding", false, "", "Send traffic to downstream server with least outstanding queries, with the lowest 'order', and within that the lowest recent latency"}, | |
456fc645 | 325 | { "LogAction", true, "[filename], [binary], [append], [buffered]", "Log a line for each query, to the specified file if any, to the console (require verbose) otherwise. When logging to a file, the `binary` optional parameter specifies whether we log in binary form (default) or in textual form, the `append` optional parameter specifies whether we open the file for appending or truncate each time (default), and the `buffered` optional parameter specifies whether writes to the file are buffered (default) or not." }, |
ca4252e0 RG |
326 | { "makeKey", true, "", "generate a new server access key, emit configuration line ready for pasting" }, |
327 | { "MaxQPSIPRule", true, "qps, v4Mask=32, v6Mask=64", "matches traffic exceeding the qps limit per subnet" }, | |
328 | { "MaxQPSRule", true, "qps", "matches traffic **not** exceeding this qps limit" }, | |
cf48b0ce | 329 | { "mvCacheHitResponseRule", true, "from, to", "move cache hit response rule 'from' to a position where it is in front of 'to'. 'to' can be one larger than the largest rule" }, |
ca4252e0 RG |
330 | { "mvResponseRule", true, "from, to", "move response rule 'from' to a position where it is in front of 'to'. 'to' can be one larger than the largest rule" }, |
331 | { "mvRule", true, "from, to", "move rule 'from' to a position where it is in front of 'to'. 'to' can be one larger than the largest rule, in which case the rule will be moved to the last position" }, | |
332 | { "newDNSName", true, "name", "make a DNSName based on this .-terminated name" }, | |
2b67180c | 333 | { "newPacketCache", true, "maxEntries[, maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false]", "return a new Packet Cache" }, |
ca4252e0 RG |
334 | { "newQPSLimiter", true, "rate, burst", "configure a QPS limiter with that rate and that burst capacity" }, |
335 | { "newRemoteLogger", true, "address:port [, timeout=2, maxQueuedEntries=100, reconnectWaitTime=1]", "create a Remote Logger object, to use with `RemoteLogAction()` and `RemoteLogResponseAction()`" }, | |
336 | { "newRuleAction", true, "DNS rule, DNS action", "return a pair of DNS Rule and DNS Action, to be used with `setRules()`" }, | |
efd35aa8 | 337 | { "newServer", true, "{address=\"ip:port\", qps=1000, order=1, weight=10, pool=\"abuse\", retries=5, tcpConnectTimeout=5, tcpSendTimeout=30, tcpRecvTimeout=30, checkName=\"a.root-servers.net.\", checkType=\"A\", maxCheckFailures=1, mustResolve=false, useClientSubnet=true, source=\"address|interface name|address@interface\"}", "instantiate a server" }, |
ca4252e0 RG |
338 | { "newServerPolicy", true, "name, function", "create a policy object from a Lua function" }, |
339 | { "newSuffixMatchNode", true, "", "returns a new SuffixMatchNode" }, | |
340 | { "NoRecurseAction", true, "", "strip RD bit from the question, let it go through" }, | |
341 | { "PoolAction", true, "poolname", "set the packet into the specified pool" }, | |
342 | { "printDNSCryptProviderFingerprint", true, "\"/path/to/providerPublic.key\"", "display the fingerprint of the provided resolver public key" }, | |
343 | { "RegexRule", true, "regex", "matches the query name against the supplied regex" }, | |
8429ad04 | 344 | { "registerDynBPFFilter", true, "DynBPFFilter", "register this dynamic BPF filter into the web interface so that its counters are displayed" }, |
165c9030 RG |
345 | { "RemoteLogAction", true, "RemoteLogger [, alterFunction]", "send the content of this query to a remote logger via Protocol Buffer. `alterFunction` is a callback, receiving a DNSQuestion and a DNSDistProtoBufMessage, that can be used to modify the Protocol Buffer content, for example for anonymization purposes" }, |
346 | { "RemoteLogResponseAction", true, "RemoteLogger [,alterFunction [,includeCNAME]]", "send the content of this response to a remote logger via Protocol Buffer. `alterFunction` is the same callback than the one in `RemoteLogAction` and `includeCNAME` indicates whether CNAME records inside the response should be parsed and exported. The default is to only exports A and AAAA records" }, | |
cf48b0ce | 347 | { "rmCacheHitResponseRule", true, "n", "remove cache hit response rule n" }, |
ca4252e0 RG |
348 | { "rmResponseRule", true, "n", "remove response rule n" }, |
349 | { "rmRule", true, "n", "remove rule n" }, | |
350 | { "rmServer", true, "n", "remove server with index n" }, | |
351 | { "roundrobin", false, "", "Simple round robin over available servers" }, | |
352 | { "QNameLabelsCountRule", true, "min, max", "matches if the qname has less than `min` or more than `max` labels" }, | |
0f697c45 | 353 | { "QNameRule", true, "qname", "matches queries with the specified qname" }, |
ca4252e0 RG |
354 | { "QNameWireLengthRule", true, "min, max", "matches if the qname's length on the wire is less than `min` or more than `max` bytes" }, |
355 | { "QTypeRule", true, "qtype", "matches queries with the specified qtype" }, | |
788c3243 | 356 | { "RCodeRule", true, "rcode", "matches responses with the specified rcode" }, |
9f4eb5cc | 357 | { "sendCustomTrap", true, "str", "send a custom `SNMP` trap from Lua, containing the `str` string"}, |
ca4252e0 | 358 | { "setACL", true, "{netmask, netmask}", "replace the ACL set with these netmasks. Use `setACL({})` to reset the list, meaning no one can use us" }, |
56d68fad | 359 | { "setAPIWritable", true, "bool, dir", "allow modifications via the API. if `dir` is set, it must be a valid directory where the configuration files will be written by the API" }, |
ca4252e0 | 360 | { "setDNSSECPool", true, "pool name", "move queries requesting DNSSEC processing to this pool" }, |
7b925432 | 361 | { "setDynBlocksAction", true, "action", "set which action is performed when a query is blocked. Only DNSAction.Drop (the default) and DNSAction.Refused are supported" }, |
ca4252e0 RG |
362 | { "setECSOverride", true, "bool", "whether to override an existing EDNS Client Subnet value in the query" }, |
363 | { "setECSSourcePrefixV4", true, "prefix-length", "the EDNS Client Subnet prefix-length used for IPv4 queries" }, | |
364 | { "setECSSourcePrefixV6", true, "prefix-length", "the EDNS Client Subnet prefix-length used for IPv6 queries" }, | |
365 | { "setKey", true, "key", "set access key to that key" }, | |
efd35aa8 | 366 | { "setLocal", true, "addr [, {doTCP=true, reusePort=false, tcpFastOpenSize=0, interface=\"\"}]", "reset the list of addresses we listen on to this address" }, |
ca4252e0 | 367 | { "setMaxTCPClientThreads", true, "n", "set the maximum of TCP client threads, handling TCP connections" }, |
9396d955 RG |
368 | { "setMaxTCPConnectionDuration", true, "n", "set the maximum duration of an incoming TCP connection, in seconds. 0 means unlimited" }, |
369 | { "setMaxTCPConnectionsPerClient", true, "n", "set the maximum number of TCP connections per client. 0 means unlimited" }, | |
370 | { "setMaxTCPQueriesPerConnection", true, "n", "set the maximum number of queries in an incoming TCP connection. 0 means unlimited" }, | |
ca4252e0 RG |
371 | { "setMaxTCPQueuedConnections", true, "n", "set the maximum number of TCP connections queued (waiting to be picked up by a client thread)" }, |
372 | { "setMaxUDPOutstanding", true, "n", "set the maximum number of outstanding UDP queries to a given backend server. This can only be set at configuration time and defaults to 10240" }, | |
742c079a RG |
373 | { "setPoolServerPolicy", true, "policy, pool", "set the server selection policy for this pool to that policy" }, |
374 | { "setPoolServerPolicy", true, "name, func, pool", "set the server selection policy for this pool to one named 'name' and provided by 'function'" }, | |
786e4d8c RS |
375 | { "setQueryCount", true, "bool", "set whether queries should be counted" }, |
376 | { "setQueryCountFilter", true, "func", "filter queries that would be counted, where `func` is a function with parameter `dq` which decides whether a query should and how it should be counted" }, | |
e4c24bb3 | 377 | { "setRingBuffersSize", true, "n", "set the capacity of the ringbuffers used for live traffic inspection to `n`" }, |
ca4252e0 RG |
378 | { "setRules", true, "list of rules", "replace the current rules with the supplied list of pairs of DNS Rules and DNS Actions (see `newRuleAction()`)" }, |
379 | { "setServerPolicy", true, "policy", "set server selection policy to that policy" }, | |
380 | { "setServerPolicyLua", true, "name, function", "set server selection policy to one named 'name' and provided by 'function'" }, | |
26a3cdb7 | 381 | { "setServFailWhenNoServer", true, "bool", "if set, return a ServFail when no servers are available, instead of the default behaviour of dropping the query" }, |
840ed663 | 382 | { "setTCPDownstreamCleanupInterval", true, "interval", "minimum interval in seconds between two cleanups of the idle TCP downstream connections" }, |
edbda1ad | 383 | { "setTCPUseSinglePipe", true, "bool", "whether the incoming TCP connections should be put into a single queue instead of using per-thread queues. Defaults to false" }, |
ca4252e0 RG |
384 | { "setTCPRecvTimeout", true, "n", "set the read timeout on TCP connections from the client, in seconds" }, |
385 | { "setTCPSendTimeout", true, "n", "set the write timeout on TCP connections from the client, in seconds" }, | |
e0b5e49d | 386 | { "setUDPTimeout", true, "n", "set the maximum time dnsdist will wait for a response from a backend over UDP, in seconds" }, |
ca4252e0 RG |
387 | { "setVerboseHealthChecks", true, "bool", "set whether health check errors will be logged" }, |
388 | { "show", true, "string", "outputs `string`" }, | |
389 | { "showACL", true, "", "show our ACL set" }, | |
cf48b0ce | 390 | { "showCacheHitResponseRules", true, "", "show all defined cache hit response rules" }, |
ca4252e0 RG |
391 | { "showDNSCryptBinds", true, "", "display the currently configured DNSCrypt binds" }, |
392 | { "showDynBlocks", true, "", "show dynamic blocks in force" }, | |
742c079a | 393 | { "showPoolServerPolicy", true, "pool", "show server selection policy for this pool" }, |
ca4252e0 RG |
394 | { "showResponseLatency", true, "", "show a plot of the response time latency distribution" }, |
395 | { "showResponseRules", true, "", "show all defined response rules" }, | |
396 | { "showRules", true, "", "show all defined rules" }, | |
397 | { "showServerPolicy", true, "", "show name of currently operational server selection policy" }, | |
398 | { "showServers", true, "", "output all servers" }, | |
e65ae260 | 399 | { "showTCPStats", true, "", "show some statistics regarding TCP" }, |
ca4252e0 RG |
400 | { "showVersion", true, "", "show the current version" }, |
401 | { "shutdown", true, "", "shut down `dnsdist`" }, | |
9f4eb5cc RG |
402 | { "snmpAgent", true, "enableTraps [, masterSocket]", "enable `SNMP` support. `enableTraps` is a boolean indicating whether traps should be sent and `masterSocket` an optional string specifying how to connect to the master agent"}, |
403 | { "SNMPTrapAction", true, "[reason]", "send an SNMP trap, adding the optional `reason` string as the query description"}, | |
404 | { "SNMPTrapResponseAction", true, "[reason]", "send an SNMP trap, adding the optional `reason` string as the response description"}, | |
ca4252e0 RG |
405 | { "SpoofAction", true, "{ip, ...} ", "forge a response with the specified IPv4 (for an A query) or IPv6 (for an AAAA). If you specify multiple addresses, all that match the query type (A, AAAA or ANY) will get spoofed in" }, |
406 | { "TCAction", true, "", "create answer to query with TC and RD bits set, to move to TCP" }, | |
407 | { "testCrypto", true, "", "test of the crypto all works" }, | |
01b8149e | 408 | { "TimedIPSetRule", true, "", "Create a rule which matches a set of IP addresses which expire"}, |
ca4252e0 | 409 | { "topBandwidth", true, "top", "show top-`top` clients that consume the most bandwidth over length of ringbuffer" }, |
cf48b0ce | 410 | { "topCacheHitResponseRule", true, "", "move the last cache hit response rule to the first position" }, |
ca4252e0 RG |
411 | { "topClients", true, "n", "show top-`n` clients sending the most queries over length of ringbuffer" }, |
412 | { "topQueries", true, "n[, labels]", "show top 'n' queries, as grouped when optionally cut down to 'labels' labels" }, | |
413 | { "topResponses", true, "n, kind[, labels]", "show top 'n' responses with RCODE=kind (0=NO Error, 2=ServFail, 3=ServFail), as grouped when optionally cut down to 'labels' labels" }, | |
414 | { "topResponseRule", true, "", "move the last response rule to the first position" }, | |
415 | { "topRule", true, "", "move the last rule to the first position" }, | |
416 | { "topSlow", true, "[top][, limit][, labels]", "show `top` queries slower than `limit` milliseconds, grouped by last `labels` labels" }, | |
e72fbfc4 | 417 | { "truncateTC", true, "bool", "if set (defaults to no starting with dnsdist 1.2.0) truncate TC=1 answers so they are actually empty. Fixes an issue for PowerDNS Authoritative Server 2.9.22. Note: turning this on breaks compatibility with RFC 6891." }, |
8429ad04 | 418 | { "unregisterDynBPFFilter", true, "DynBPFFilter", "unregister this dynamic BPF filter" }, |
ca4252e0 RG |
419 | { "webserver", true, "address:port, password [, apiKey [, customHeaders ]])", "launch a webserver with stats on that address with that password" }, |
420 | { "whashed", false, "", "Weighted hashed ('sticky') distribution over available servers, based on the server 'weight' parameter" }, | |
421 | { "wrandom", false, "", "Weighted random over available servers, based on the server 'weight' parameter" }, | |
422 | }; | |
423 | ||
ffb07158 | 424 | extern "C" { |
425 | char* my_generator(const char* text, int state) | |
426 | { | |
427 | string t(text); | |
e8130431 RG |
428 | /* to keep it readable, we try to keep only 4 keywords per line |
429 | and to start a new line when the first letter changes */ | |
ffb07158 | 430 | static int s_counter=0; |
431 | int counter=0; | |
432 | if(!state) | |
433 | s_counter=0; | |
434 | ||
ca4252e0 RG |
435 | for(const auto& keyword : g_consoleKeywords) { |
436 | if(boost::starts_with(keyword.name, t) && counter++ == s_counter) { | |
437 | std::string value(keyword.name); | |
ffb07158 | 438 | s_counter++; |
ca4252e0 RG |
439 | if (keyword.function) { |
440 | value += "("; | |
441 | if (keyword.parameters.empty()) { | |
442 | value += ")"; | |
443 | } | |
444 | } | |
445 | return strdup(value.c_str()); | |
ffb07158 | 446 | } |
447 | } | |
448 | return 0; | |
449 | } | |
450 | ||
451 | char** my_completion( const char * text , int start, int end) | |
452 | { | |
453 | char **matches=0; | |
454 | if (start == 0) | |
455 | matches = rl_completion_matches ((char*)text, &my_generator); | |
d9de8b61 CH |
456 | |
457 | // skip default filename completion. | |
458 | rl_attempted_completion_over = 1; | |
459 | ||
ffb07158 | 460 | return matches; |
461 | } | |
462 | } | |
463 | ||
464 | void controlClientThread(int fd, ComboAddress client) | |
465 | try | |
466 | { | |
9c186303 | 467 | setTCPNoDelay(fd); |
333ea16e | 468 | SodiumNonce theirs, ours, readingNonce, writingNonce; |
ffb07158 | 469 | ours.init(); |
333ea16e | 470 | readn2(fd, (char*)theirs.value, sizeof(theirs.value)); |
ffb07158 | 471 | writen2(fd, (char*)ours.value, sizeof(ours.value)); |
333ea16e RG |
472 | readingNonce.merge(ours, theirs); |
473 | writingNonce.merge(theirs, ours); | |
ffb07158 | 474 | |
475 | for(;;) { | |
476 | uint32_t len; | |
477 | if(!getMsgLen32(fd, &len)) | |
478 | break; | |
0877da98 RG |
479 | |
480 | if (len == 0) { | |
481 | /* just ACK an empty message | |
482 | with an empty response */ | |
483 | putMsgLen32(fd, 0); | |
484 | continue; | |
485 | } | |
486 | ||
ffb07158 | 487 | boost::scoped_array<char> msg(new char[len]); |
488 | readn2(fd, msg.get(), len); | |
489 | ||
490 | string line(msg.get(), len); | |
333ea16e | 491 | line = sodDecryptSym(line, g_key, readingNonce); |
ffb07158 | 492 | // cerr<<"Have decrypted line: "<<line<<endl; |
493 | string response; | |
494 | try { | |
7e7a5b71 | 495 | bool withReturn=true; |
496 | retry:; | |
497 | try { | |
498 | std::lock_guard<std::mutex> lock(g_luamutex); | |
499 | ||
500 | g_outputBuffer.clear(); | |
501 | resetLuaSideEffect(); | |
502 | auto ret=g_lua.executeCode< | |
503 | boost::optional< | |
504 | boost::variant< | |
505 | string, | |
506 | shared_ptr<DownstreamState>, | |
507 | std::unordered_map<string, double> | |
508 | > | |
509 | > | |
510 | >(withReturn ? ("return "+line) : line); | |
ffb07158 | 511 | |
512 | if(ret) { | |
af619119 RG |
513 | if (const auto dsValue = boost::get<shared_ptr<DownstreamState>>(&*ret)) { |
514 | response=(*dsValue)->getName()+"\n"; | |
ffb07158 | 515 | } |
516 | else if (const auto strValue = boost::get<string>(&*ret)) { | |
7e7a5b71 | 517 | response=*strValue+"\n"; |
ffb07158 | 518 | } |
7e7a5b71 | 519 | else if(const auto um = boost::get<std::unordered_map<string, double> >(&*ret)) { |
520 | using namespace json11; | |
521 | Json::object o; | |
522 | for(const auto& v : *um) | |
523 | o[v.first]=v.second; | |
524 | Json out = o; | |
525 | response=out.dump()+"\n"; | |
526 | } | |
ffb07158 | 527 | } |
528 | else | |
529 | response=g_outputBuffer; | |
f758857a | 530 | if(!getLuaNoSideEffect()) |
531 | feedConfigDelta(line); | |
7e7a5b71 | 532 | } |
533 | catch(const LuaContext::SyntaxErrorException&) { | |
534 | if(withReturn) { | |
535 | withReturn=false; | |
536 | goto retry; | |
537 | } | |
538 | throw; | |
539 | } | |
ffb07158 | 540 | } |
628377ec RG |
541 | catch(const LuaContext::WrongTypeException& e) { |
542 | response = "Command returned an object we can't print: " +std::string(e.what()) + "\n"; | |
543 | // tried to return something we don't understand | |
544 | } | |
ffb07158 | 545 | catch(const LuaContext::ExecutionErrorException& e) { |
98bac6bc | 546 | if(!strcmp(e.what(),"invalid key to 'next'")) |
547 | response = "Error: Parsing function parameters, did you forget parameter name?"; | |
548 | else | |
549 | response = "Error: " + string(e.what()); | |
ffb07158 | 550 | try { |
551 | std::rethrow_if_nested(e); | |
af619119 RG |
552 | } catch(const std::exception& ne) { |
553 | // ne is the exception that was thrown from inside the lambda | |
554 | response+= ": " + string(ne.what()); | |
ffb07158 | 555 | } |
af619119 RG |
556 | catch(const PDNSException& ne) { |
557 | // ne is the exception that was thrown from inside the lambda | |
558 | response += ": " + string(ne.reason); | |
ffb07158 | 559 | } |
560 | } | |
561 | catch(const LuaContext::SyntaxErrorException& e) { | |
562 | response = "Error: " + string(e.what()) + ": "; | |
563 | } | |
333ea16e | 564 | response = sodEncryptSym(response, g_key, writingNonce); |
ffb07158 | 565 | putMsgLen32(fd, response.length()); |
566 | writen2(fd, response.c_str(), response.length()); | |
567 | } | |
568 | infolog("Closed control connection from %s", client.toStringWithPort()); | |
569 | close(fd); | |
570 | fd=-1; | |
571 | } | |
572 | catch(std::exception& e) | |
573 | { | |
574 | errlog("Got an exception in client connection from %s: %s", client.toStringWithPort(), e.what()); | |
575 | if(fd >= 0) | |
576 | close(fd); | |
577 | } | |
578 |