2 * This file is part of PowerDNS or dnsdist.
3 * Copyright -- PowerDNS.COM B.V. and its contributors
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of version 2 of the GNU General Public License as
7 * published by the Free Software Foundation.
9 * In addition, for the avoidance of any doubt, permission is granted to
10 * link this program with OpenSSL and to (re)distribute the binaries
11 * produced as the result of such linking.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 #include "cachecleaner.hh"
26 #include "dnsdist-ecs.hh"
27 #include "dnsparser.hh"
29 class MaxQPSIPRule : public DNSRule
32 MaxQPSIPRule(unsigned int qps, unsigned int burst, unsigned int ipv4trunc=32, unsigned int ipv6trunc=64, unsigned int expiration=300, unsigned int cleanupDelay=60, unsigned int scanFraction=10):
33 d_qps(qps), d_burst(burst), d_ipv4trunc(ipv4trunc), d_ipv6trunc(ipv6trunc), d_cleanupDelay(cleanupDelay), d_expiration(expiration), d_scanFraction(scanFraction)
35 gettime(&d_lastCleanup, true);
40 std::lock_guard<std::mutex> lock(d_lock);
44 size_t cleanup(const struct timespec& cutOff, size_t* scannedCount=nullptr) const
46 std::lock_guard<std::mutex> lock(d_lock);
47 size_t toLook = d_limits.size() / d_scanFraction + 1;
51 auto& sequence = d_limits.get<SequencedTag>();
52 for (auto entry = sequence.begin(); entry != sequence.end() && lookedAt < toLook; lookedAt++) {
53 if (entry->d_limiter.seenSince(cutOff)) {
54 /* entries are ordered from least recently seen to more recently
55 seen, as soon as we see one that has not expired yet, we are
61 entry = sequence.erase(entry);
65 if (scannedCount != nullptr) {
66 *scannedCount = lookedAt;
72 void cleanupIfNeeded(const struct timespec& now) const
74 if (d_cleanupDelay > 0) {
75 struct timespec cutOff = d_lastCleanup;
76 cutOff.tv_sec += d_cleanupDelay;
79 /* the QPS Limiter doesn't use realtime, be careful! */
80 gettime(&cutOff, false);
81 cutOff.tv_sec -= d_expiration;
90 bool matches(const DNSQuestion* dq) const override
92 cleanupIfNeeded(*dq->queryTime);
94 ComboAddress zeroport(*dq->remote);
95 zeroport.sin4.sin_port=0;
96 zeroport.truncate(zeroport.sin4.sin_family == AF_INET ? d_ipv4trunc : d_ipv6trunc);
98 std::lock_guard<std::mutex> lock(d_lock);
99 auto iter = d_limits.find(zeroport);
100 if (iter == d_limits.end()) {
101 Entry e(zeroport, QPSLimiter(d_qps, d_burst));
102 iter = d_limits.insert(e).first;
105 moveCacheItemToBack(d_limits, iter);
106 return !iter->d_limiter.check(d_qps, d_burst);
110 string toString() const override
112 return "IP (/"+std::to_string(d_ipv4trunc)+", /"+std::to_string(d_ipv6trunc)+") match for QPS over " + std::to_string(d_qps) + " burst "+ std::to_string(d_burst);
115 size_t getEntriesCount() const
117 std::lock_guard<std::mutex> lock(d_lock);
118 return d_limits.size();
122 struct OrderedTag {};
123 struct SequencedTag {};
126 Entry(const ComboAddress& addr, BasicQPSLimiter&& limiter): d_limiter(limiter), d_addr(addr)
129 mutable BasicQPSLimiter d_limiter;
133 typedef multi_index_container<
136 ordered_unique<tag<OrderedTag>, member<Entry,ComboAddress,&Entry::d_addr>, ComboAddress::addressOnlyLessThan >,
137 sequenced<tag<SequencedTag> >
141 mutable std::mutex d_lock;
142 mutable qpsContainer_t d_limits;
143 mutable struct timespec d_lastCleanup;
144 unsigned int d_qps, d_burst, d_ipv4trunc, d_ipv6trunc, d_cleanupDelay, d_expiration;
145 unsigned int d_scanFraction{10};
148 class MaxQPSRule : public DNSRule
151 MaxQPSRule(unsigned int qps)
155 MaxQPSRule(unsigned int qps, unsigned int burst)
160 bool matches(const DNSQuestion* qd) const override
162 return d_qps.check();
165 string toString() const override
167 return "Max " + std::to_string(d_qps.getRate()) + " qps";
172 mutable QPSLimiter d_qps;
175 class NMGRule : public DNSRule
178 NMGRule(const NetmaskGroup& nmg) : d_nmg(nmg) {}
183 class NetmaskGroupRule : public NMGRule
186 NetmaskGroupRule(const NetmaskGroup& nmg, bool src) : NMGRule(nmg)
190 bool matches(const DNSQuestion* dq) const override
193 return d_nmg.match(*dq->local);
195 return d_nmg.match(*dq->remote);
198 string toString() const override
201 return "Dst: "+d_nmg.toString();
203 return "Src: "+d_nmg.toString();
209 class TimedIPSetRule : public DNSRule, boost::noncopyable
213 IPv6(const ComboAddress& ca)
215 static_assert(sizeof(*this)==16, "IPv6 struct has wrong size");
216 memcpy((char*)this, ca.sin6.sin6_addr.s6_addr, 16);
218 bool operator==(const IPv6& rhs) const
220 return a==rhs.a && b==rhs.b;
228 pthread_rwlock_init(&d_lock4, 0);
229 pthread_rwlock_init(&d_lock6, 0);
231 bool matches(const DNSQuestion* dq) const override
233 if(dq->remote->sin4.sin_family == AF_INET) {
234 ReadLock rl(&d_lock4);
235 auto fnd = d_ip4s.find(dq->remote->sin4.sin_addr.s_addr);
236 if(fnd == d_ip4s.end()) {
239 return time(0) < fnd->second;
241 ReadLock rl(&d_lock6);
242 auto fnd = d_ip6s.find({*dq->remote});
243 if(fnd == d_ip6s.end()) {
246 return time(0) < fnd->second;
250 void add(const ComboAddress& ca, time_t ttd)
252 // think twice before adding templates here
253 if(ca.sin4.sin_family == AF_INET) {
254 WriteLock rl(&d_lock4);
255 auto res=d_ip4s.insert({ca.sin4.sin_addr.s_addr, ttd});
256 if(!res.second && (time_t)res.first->second < ttd)
257 res.first->second = (uint32_t)ttd;
260 WriteLock rl(&d_lock6);
261 auto res=d_ip6s.insert({{ca}, ttd});
262 if(!res.second && (time_t)res.first->second < ttd)
263 res.first->second = (uint32_t)ttd;
267 void remove(const ComboAddress& ca)
269 if(ca.sin4.sin_family == AF_INET) {
270 WriteLock rl(&d_lock4);
271 d_ip4s.erase(ca.sin4.sin_addr.s_addr);
274 WriteLock rl(&d_lock6);
282 WriteLock rl(&d_lock4);
285 WriteLock rl(&d_lock6);
293 WriteLock rl(&d_lock4);
295 for(auto iter = d_ip4s.begin(); iter != d_ip4s.end(); ) {
296 if(iter->second < now)
297 iter=d_ip4s.erase(iter);
305 WriteLock rl(&d_lock6);
307 for(auto iter = d_ip6s.begin(); iter != d_ip6s.end(); ) {
308 if(iter->second < now)
309 iter=d_ip6s.erase(iter);
318 string toString() const override
323 ReadLock rl(&d_lock4);
324 for(const auto& ip : d_ip4s)
329 ReadLock rl(&d_lock6);
330 for(const auto& ip : d_ip6s)
335 return "Src: "+std::to_string(count)+" ips";
340 std::size_t operator()(const IPv6& ip) const
342 auto ah=std::hash<uint64_t>{}(ip.a);
343 auto bh=std::hash<uint64_t>{}(ip.b);
347 std::unordered_map<IPv6, time_t, IPv6Hash> d_ip6s;
348 std::unordered_map<uint32_t, time_t> d_ip4s;
349 mutable pthread_rwlock_t d_lock4;
350 mutable pthread_rwlock_t d_lock6;
354 class AllRule : public DNSRule
358 bool matches(const DNSQuestion* dq) const override
363 string toString() const override
371 class DNSSECRule : public DNSRule
378 bool matches(const DNSQuestion* dq) const override
380 return dq->dh->cd || (getEDNSZ(*dq) & EDNS_HEADER_FLAG_DO); // turns out dig sets ad by default..
383 string toString() const override
389 class AndRule : public DNSRule
392 AndRule(const vector<pair<int, shared_ptr<DNSRule> > >& rules)
394 for(const auto& r : rules)
395 d_rules.push_back(r.second);
398 bool matches(const DNSQuestion* dq) const override
400 auto iter = d_rules.begin();
401 for(; iter != d_rules.end(); ++iter)
402 if(!(*iter)->matches(dq))
404 return iter == d_rules.end();
407 string toString() const override
410 for(const auto& rule : d_rules) {
413 ret += "("+ rule->toString()+")";
419 vector<std::shared_ptr<DNSRule> > d_rules;
424 class OrRule : public DNSRule
427 OrRule(const vector<pair<int, shared_ptr<DNSRule> > >& rules)
429 for(const auto& r : rules)
430 d_rules.push_back(r.second);
433 bool matches(const DNSQuestion* dq) const override
435 auto iter = d_rules.begin();
436 for(; iter != d_rules.end(); ++iter)
437 if((*iter)->matches(dq))
442 string toString() const override
445 for(const auto& rule : d_rules) {
448 ret += "("+ rule->toString()+")";
454 vector<std::shared_ptr<DNSRule> > d_rules;
459 class RegexRule : public DNSRule
462 RegexRule(const std::string& regex) : d_regex(regex), d_visual(regex)
466 bool matches(const DNSQuestion* dq) const override
468 return d_regex.match(dq->qname->toStringNoDot());
471 string toString() const override
473 return "Regex: "+d_visual;
482 class RE2Rule : public DNSRule
485 RE2Rule(const std::string& re2) : d_re2(re2, RE2::Latin1), d_visual(re2)
489 bool matches(const DNSQuestion* dq) const override
491 return RE2::FullMatch(dq->qname->toStringNoDot(), d_re2);
494 string toString() const override
496 return "RE2 match: "+d_visual;
505 class SuffixMatchNodeRule : public DNSRule
508 SuffixMatchNodeRule(const SuffixMatchNode& smn, bool quiet=false) : d_smn(smn), d_quiet(quiet)
511 bool matches(const DNSQuestion* dq) const override
513 return d_smn.check(*dq->qname);
515 string toString() const override
518 return "qname==in-set";
520 return "qname in "+d_smn.toString();
523 SuffixMatchNode d_smn;
527 class QNameRule : public DNSRule
530 QNameRule(const DNSName& qname) : d_qname(qname)
533 bool matches(const DNSQuestion* dq) const override
535 return d_qname==*dq->qname;
537 string toString() const override
539 return "qname=="+d_qname.toString();
546 class QTypeRule : public DNSRule
549 QTypeRule(uint16_t qtype) : d_qtype(qtype)
552 bool matches(const DNSQuestion* dq) const override
554 return d_qtype == dq->qtype;
556 string toString() const override
559 return "qtype=="+qt.getName();
565 class QClassRule : public DNSRule
568 QClassRule(uint16_t qclass) : d_qclass(qclass)
571 bool matches(const DNSQuestion* dq) const override
573 return d_qclass == dq->qclass;
575 string toString() const override
577 return "qclass=="+std::to_string(d_qclass);
583 class OpcodeRule : public DNSRule
586 OpcodeRule(uint8_t opcode) : d_opcode(opcode)
589 bool matches(const DNSQuestion* dq) const override
591 return d_opcode == dq->dh->opcode;
593 string toString() const override
595 return "opcode=="+std::to_string(d_opcode);
601 class DSTPortRule : public DNSRule
604 DSTPortRule(uint16_t port) : d_port(port)
607 bool matches(const DNSQuestion* dq) const override
609 return htons(d_port) == dq->local->sin4.sin_port;
611 string toString() const override
613 return "dst port=="+std::to_string(d_port);
619 class TCPRule : public DNSRule
622 TCPRule(bool tcp): d_tcp(tcp)
625 bool matches(const DNSQuestion* dq) const override
627 return dq->tcp == d_tcp;
629 string toString() const override
631 return (d_tcp ? "TCP" : "UDP");
638 class NotRule : public DNSRule
641 NotRule(shared_ptr<DNSRule>& rule): d_rule(rule)
644 bool matches(const DNSQuestion* dq) const override
646 return !d_rule->matches(dq);
648 string toString() const override
650 return "!("+ d_rule->toString()+")";
653 shared_ptr<DNSRule> d_rule;
656 class RecordsCountRule : public DNSRule
659 RecordsCountRule(uint8_t section, uint16_t minCount, uint16_t maxCount): d_minCount(minCount), d_maxCount(maxCount), d_section(section)
662 bool matches(const DNSQuestion* dq) const override
667 count = ntohs(dq->dh->qdcount);
670 count = ntohs(dq->dh->ancount);
673 count = ntohs(dq->dh->nscount);
676 count = ntohs(dq->dh->arcount);
679 return count >= d_minCount && count <= d_maxCount;
681 string toString() const override
698 return std::to_string(d_minCount) + " <= records in " + section + " <= "+ std::to_string(d_maxCount);
706 class RecordsTypeCountRule : public DNSRule
709 RecordsTypeCountRule(uint8_t section, uint16_t type, uint16_t minCount, uint16_t maxCount): d_type(type), d_minCount(minCount), d_maxCount(maxCount), d_section(section)
712 bool matches(const DNSQuestion* dq) const override
717 count = ntohs(dq->dh->qdcount);
720 count = ntohs(dq->dh->ancount);
723 count = ntohs(dq->dh->nscount);
726 count = ntohs(dq->dh->arcount);
729 if (count < d_minCount) {
732 count = getRecordsOfTypeCount(reinterpret_cast<const char*>(dq->dh), dq->len, d_section, d_type);
733 return count >= d_minCount && count <= d_maxCount;
735 string toString() const override
752 return std::to_string(d_minCount) + " <= " + QType(d_type).getName() + " records in " + section + " <= "+ std::to_string(d_maxCount);
761 class TrailingDataRule : public DNSRule
767 bool matches(const DNSQuestion* dq) const override
769 uint16_t length = getDNSPacketLength(reinterpret_cast<const char*>(dq->dh), dq->len);
770 return length < dq->len;
772 string toString() const override
774 return "trailing data";
778 class QNameLabelsCountRule : public DNSRule
781 QNameLabelsCountRule(unsigned int minLabelsCount, unsigned int maxLabelsCount): d_min(minLabelsCount), d_max(maxLabelsCount)
784 bool matches(const DNSQuestion* dq) const override
786 unsigned int count = dq->qname->countLabels();
787 return count < d_min || count > d_max;
789 string toString() const override
791 return "labels count < " + std::to_string(d_min) + " || labels count > " + std::to_string(d_max);
798 class QNameWireLengthRule : public DNSRule
801 QNameWireLengthRule(size_t min, size_t max): d_min(min), d_max(max)
804 bool matches(const DNSQuestion* dq) const override
806 size_t const wirelength = dq->qname->wirelength();
807 return wirelength < d_min || wirelength > d_max;
809 string toString() const override
811 return "wire length < " + std::to_string(d_min) + " || wire length > " + std::to_string(d_max);
818 class RCodeRule : public DNSRule
821 RCodeRule(uint8_t rcode) : d_rcode(rcode)
824 bool matches(const DNSQuestion* dq) const override
826 return d_rcode == dq->dh->rcode;
828 string toString() const override
830 return "rcode=="+RCode::to_s(d_rcode);
836 class ERCodeRule : public DNSRule
839 ERCodeRule(uint8_t rcode) : d_rcode(rcode & 0xF), d_extrcode(rcode >> 4)
842 bool matches(const DNSQuestion* dq) const override
844 // avoid parsing EDNS OPT RR when not needed.
845 if (d_rcode != dq->dh->rcode) {
852 const char * packet = reinterpret_cast<const char*>(dq->dh);
853 std::string packetStr(packet, dq->len);
854 int res = locateEDNSOptRR(packetStr, &optStart, &optLen, &last);
857 return d_extrcode == 0;
860 // root label (1), type (2), class (2), ttl (4) + rdlen (2)
865 if (optStart < dq->len && packet[optStart] != 0) {
866 // OPT RR Name != '.'
870 static_assert(sizeof(EDNS0Record) == sizeof(uint32_t), "sizeof(EDNS0Record) must match sizeof(uint32_t) AKA RR TTL size");
871 // copy out 4-byte "ttl" (really the EDNS0 record), after root label (1) + type (2) + class (2).
872 memcpy(&edns0, packet + optStart + 5, sizeof edns0);
874 return d_extrcode == edns0.extRCode;
876 string toString() const override
878 return "ercode=="+ERCode::to_s(d_rcode | (d_extrcode << 4));
881 uint8_t d_rcode; // plain DNS Rcode
882 uint8_t d_extrcode; // upper bits in EDNS0 record
885 class EDNSOptionRule : public DNSRule
888 EDNSOptionRule(uint16_t optcode) : d_optcode(optcode)
891 bool matches(const DNSQuestion* dq) const override
896 const char * packet = reinterpret_cast<const char*>(dq->dh);
897 std::string packetStr(packet, dq->len);
898 int res = locateEDNSOptRR(packetStr, &optStart, &optLen, &last);
904 // root label (1), type (2), class (2), ttl (4) + rdlen (2)
909 if (optStart < dq->len && packetStr.at(optStart) != 0) {
910 // OPT RR Name != '.'
914 return isEDNSOptionInOpt(packetStr, optStart, optLen, d_optcode);
916 string toString() const override
918 return "ednsoptcode=="+std::to_string(d_optcode);
924 class RDRule : public DNSRule
930 bool matches(const DNSQuestion* dq) const override
932 return dq->dh->rd == 1;
934 string toString() const override
940 class ProbaRule : public DNSRule
943 ProbaRule(double proba) : d_proba(proba)
946 bool matches(const DNSQuestion* dq) const override
950 double rnd = 1.0*random() / RAND_MAX;
951 return rnd > (1.0 - d_proba);
953 string toString() const override
955 return "match with prob. " + (boost::format("%0.2f") % d_proba).str();
961 class TagRule : public DNSRule
964 TagRule(const std::string& tag, boost::optional<std::string> value) : d_value(value), d_tag(tag)
967 bool matches(const DNSQuestion* dq) const override
973 const auto it = dq->qTag->find(d_tag);
974 if (it == dq->qTag->cend()) {
982 return it->second == *d_value;
985 string toString() const override
987 return "tag '" + d_tag + "' is set" + (d_value ? (" to '" + *d_value + "'") : "");
991 boost::optional<std::string> d_value;