{ "addDynBlockSMT", true, "names, message[, seconds [, action]]", "block the set of names with message `msg`, for `seconds` seconds (10 by default), applying `action` (default to the one set with `setDynBlocksAction()`)" },
{ "addLocal", true, "addr [, {doTCP=true, reusePort=false, tcpFastOpenQueueSize=0, interface=\"\", cpus={}}]", "add `addr` to the list of addresses we listen on" },
{ "addCacheHitResponseAction", true, "DNS rule, DNS response action [, {uuid=\"UUID\", name=\"name\"}}]", "add a cache hit response rule" },
- { "AddProxyProtocolValueAction", true, "type, value", "Add a Proxy Protocol TLV value of this type" },
{ "addResponseAction", true, "DNS rule, DNS response action [, {uuid=\"UUID\", name=\"name\"}}]", "add a response rule" },
{ "addSelfAnsweredResponseAction", true, "DNS rule, DNS response action [, {uuid=\"UUID\", name=\"name\"}}]", "add a self-answered response rule" },
{ "addTLSLocal", true, "addr, certFile(s), keyFile(s) [,params]", "listen to incoming DNS over TLS queries on the specified address using the specified certificate (or list of) and key (or list of). The last parameter is a table" },
{ "DelayAction", true, "milliseconds", "delay the response by the specified amount of milliseconds (UDP-only)" },
{ "DelayResponseAction", true, "milliseconds", "delay the response by the specified amount of milliseconds (UDP-only)" },
{ "delta", true, "", "shows all commands entered that changed the configuration" },
- { "DisableECSAction", true, "", "Disable the sending of ECS to the backend. Subsequent rules are processed after this action." },
- { "DisableValidationAction", true, "", "set the CD bit in the question, let it go through" },
{ "DNSSECRule", true, "", "matches queries with the DO bit set" },
{ "DnstapLogAction", true, "identity, FrameStreamLogger [, alterFunction]", "send the contents of this query to a FrameStreamLogger or RemoteLogger as dnstap. `alterFunction` is a callback, receiving a DNSQuestion and a DnstapMessage, that can be used to modify the dnstap message" },
{ "DnstapLogResponseAction", true, "identity, FrameStreamLogger [, alterFunction]", "send the contents of this response to a remote or FrameStreamLogger or RemoteLogger as dnstap. `alterFunction` is a callback, receiving a DNSResponse and a DnstapMessage, that can be used to modify the dnstap message" },
{ "DSTPortRule", true, "port", "matches questions received to the destination port specified" },
{ "dumpStats", true, "", "print all statistics we gather" },
{ "dynBlockRulesGroup", true, "", "return a new DynBlockRulesGroup object" },
- { "ECSOverrideAction", true, "override", "Whether an existing EDNS Client Subnet value should be overridden (true) or not (false). Subsequent rules are processed after this action" },
- { "ECSPrefixLengthAction", true, "v4, v6", "Set the ECS prefix length. Subsequent rules are processed after this action" },
{ "EDNSVersionRule", true, "version", "matches queries with the specified EDNS version" },
{ "EDNSOptionRule", true, "optcode", "matches queries with the specified EDNS0 option present" },
{ "ERCodeAction", true, "ercode", "Reply immediately by turning the query into a response with the specified EDNS extended rcode" },
{ "LuaFFIRule", true, "function", "Invoke a Lua FFI function that filters DNS questions" },
{ "LuaResponseAction", true, "function", "Invoke a Lua function that accepts a DNSResponse" },
{ "LuaRule", true, "function", "Invoke a Lua function that filters DNS questions" },
- { "MacAddrAction", true, "option", "Add the source MAC address to the query as EDNS0 option option. This action is currently only supported on Linux. Subsequent rules are processed after this action" },
{ "makeIPCipherKey", true, "password", "generates a 16-byte key that can be used to pseudonymize IP addresses with IP cipher" },
{ "makeKey", true, "", "generate a new server access key, emit configuration line ready for pasting" },
{ "makeRule", true, "rule", "Make a NetmaskGroupRule() or a SuffixMatchNodeRule(), depending on how it is called" } ,
{ "newServer", true, "{address=\"ip:port\", qps=1000, order=1, weight=10, pool=\"abuse\", retries=5, tcpConnectTimeout=5, tcpSendTimeout=30, tcpRecvTimeout=30, checkName=\"a.root-servers.net.\", checkType=\"A\", maxCheckFailures=1, mustResolve=false, useClientSubnet=true, source=\"address|interface name|address@interface\", sockets=1, reconnectOnUp=false}", "instantiate a server" },
{ "newServerPolicy", true, "name, function", "create a policy object from a Lua function" },
{ "newSuffixMatchNode", true, "", "returns a new SuffixMatchNode" },
+ { "NegativeAndSOAAction", true, "nxd, zone, ttl, mname, rname, serial, refresh, retry, expire, minimum [, options]", "Turn a query into a NXDomain or NoData answer and sets a SOA record in the additional section" },
{ "NoneAction", true, "", "Does nothing. Subsequent rules are processed after this action" },
- { "NoRecurseAction", true, "", "strip RD bit from the question, let it go through" },
{ "NotRule", true, "selector", "Matches the traffic if the selector rule does not match" },
{ "OpcodeRule", true, "code", "Matches queries with opcode code. code can be directly specified as an integer, or one of the built-in DNSOpcodes" },
{ "OrRule", true, "selectors", "Matches the traffic if one or more of the the selectors rules does match" },
{ "setDynBlocksAction", true, "action", "set which action is performed when a query is blocked. Only DNSAction.Drop (the default) and DNSAction.Refused are supported" },
{ "setDynBlocksPurgeInterval", true, "sec", "set how often the expired dynamic block entries should be removed" },
{ "setDropEmptyQueries", true, "drop", "Whether to drop empty queries right away instead of sending a NOTIMP response" },
- { "SetECSAction", true, "v4[, v6]", "Set the ECS prefix and prefix length sent to backends to an arbitrary value" },
{ "setECSOverride", true, "bool", "whether to override an existing EDNS Client Subnet value in the query" },
{ "setECSSourcePrefixV4", true, "prefix-length", "the EDNS Client Subnet prefix-length used for IPv4 queries" },
{ "setECSSourcePrefixV6", true, "prefix-length", "the EDNS Client Subnet prefix-length used for IPv6 queries" },
{ "setMaxTCPQueriesPerConnection", true, "n", "set the maximum number of queries in an incoming TCP connection. 0 means unlimited" },
{ "setMaxTCPQueuedConnections", true, "n", "set the maximum number of TCP connections queued (waiting to be picked up by a client thread)" },
{ "setMaxUDPOutstanding", true, "n", "set the maximum number of outstanding UDP queries to a given backend server. This can only be set at configuration time and defaults to 65535" },
- { "SetNegativeAndSOAAction", true, "nxd, zone, ttl, mname, rname, serial, refresh, retry, expire, minimum [, options]", "Turn a query into a NXDomain or NoData answer and sets a SOA record in the additional section" },
{ "setPayloadSizeOnSelfGeneratedAnswers", true, "payloadSize", "set the UDP payload size advertised via EDNS on self-generated responses" },
{ "setPoolServerPolicy", true, "policy, pool", "set the server selection policy for this pool to that policy" },
{ "setPoolServerPolicyLua", true, "name, function, pool", "set the server selection policy for this pool to one named 'name' and provided by 'function'" },
{ "showTLSErrorCounters", true, "", "show metrics about TLS handshake failures" },
{ "showVersion", true, "", "show the current version" },
{ "shutdown", true, "", "shut down `dnsdist`" },
+ { "snmpAgent", true, "enableTraps [, daemonSocket]", "enable `SNMP` support. `enableTraps` is a boolean indicating whether traps should be sent and `daemonSocket` an optional string specifying how to connect to the daemon agent"},
+ { "SetAdditionalProxyProtocolValueAction", true, "type, value", "Add a Proxy Protocol TLV value of this type" },
+ { "SetDisableECSAction", true, "", "Disable the sending of ECS to the backend. Subsequent rules are processed after this action." },
+ { "SetDisableValidationAction", true, "", "set the CD bit in the question, let it go through" },
+ { "SetECSAction", true, "v4[, v6]", "Set the ECS prefix and prefix length sent to backends to an arbitrary value" },
+ { "SetECSOverrideAction", true, "override", "Whether an existing EDNS Client Subnet value should be overridden (true) or not (false). Subsequent rules are processed after this action" },
+ { "SetECSPrefixLengthAction", true, "v4, v6", "Set the ECS prefix length. Subsequent rules are processed after this action" },
+ { "SetMacAddrAction", true, "option", "Add the source MAC address to the query as EDNS0 option option. This action is currently only supported on Linux. Subsequent rules are processed after this action" },
+ { "SetNoRecurseAction", true, "", "strip RD bit from the question, let it go through" },
{ "SetProxyProtocolValuesAction", true, "values", "Set the Proxy-Protocol values for this queries to 'values'" },
- { "SkipCacheAction", true, "", "Don’t lookup the cache for this query, don’t store the answer" },
- { "SkipCacheResponseAction", true, "", "Don’t store this response into the cache" },
+ { "SetSkipCacheAction", true, "", "Don’t lookup the cache for this query, don’t store the answer" },
+ { "SetSkipCacheResponseAction", true, "", "Don’t store this response into the cache" },
+ { "SetTagAction", true, "name, value", "set the tag named 'name' to the given value" },
+ { "SetTagResponseAction", true, "name, value", "set the tag named 'name' to the given value" },
+ { "SetTempFailureCacheTTLAction", true, "ttl", "set packetcache TTL for temporary failure replies" },
{ "SNIRule", true, "name", "Create a rule which matches on the incoming TLS SNI value, if any (DoT or DoH)" },
- { "snmpAgent", true, "enableTraps [, daemonSocket]", "enable `SNMP` support. `enableTraps` is a boolean indicating whether traps should be sent and `daemonSocket` an optional string specifying how to connect to the daemon agent"},
{ "SNMPTrapAction", true, "[reason]", "send an SNMP trap, adding the optional `reason` string as the query description"},
{ "SNMPTrapResponseAction", true, "[reason]", "send an SNMP trap, adding the optional `reason` string as the response description"},
{ "SpoofAction", true, "ip|list of ips [, options]", "forge a response with the specified IPv4 (for an A query) or IPv6 (for an AAAA). If you specify multiple addresses, all that match the query type (A, AAAA or ANY) will get spoofed in" },
{ "SpoofCNAMEAction", true, "cname [, options]", "Forge a response with the specified CNAME value" },
{ "SpoofRawAction", true, "raw [, options]", "Forge a response with the specified record data as raw bytes" },
{ "SuffixMatchNodeRule", true, "smn[, quiet]", "Matches based on a group of domain suffixes for rapid testing of membership. Pass true as second parameter to prevent listing of all domains matched" },
- { "TagAction", true, "name, value", "set the tag named 'name' to the given value" },
- { "TagResponseAction", true, "name, value", "set the tag named 'name' to the given value" },
{ "TagRule", true, "name [, value]", "matches if the tag named 'name' is present, with the given 'value' matching if any" },
{ "TCAction", true, "", "create answer to query with TC and RD bits set, to move to TCP" },
{ "TCPRule", true, "[tcp]", "Matches question received over TCP if tcp is true, over UDP otherwise" },
{ "TeeAction", true, "remote [, addECS]", "send copy of query to remote, optionally adding ECS info" },
- { "TempFailureCacheTTLAction", true, "ttl", "set packetcache TTL for temporary failure replies" },
{ "testCrypto", true, "", "test of the crypto all works" },
{ "TimedIPSetRule", true, "", "Create a rule which matches a set of IP addresses which expire"},
{ "topBandwidth", true, "top", "show top-`top` clients that consume the most bandwidth over length of ringbuffer" },
class NoneAction : public DNSAction
{
public:
+ // this action does not stop the processing
DNSAction::Action operator()(DNSQuestion* dq, std::string* ruleresult) const override
{
return Action::None;
{
public:
QPSAction(int limit) : d_qps(limit, limit)
- {}
+ {
+ }
DNSAction::Action operator()(DNSQuestion* dq, std::string* ruleresult) const override
{
- if(d_qps.check())
+ if (d_qps.check()) {
return Action::None;
- else
+ }
+ else {
return Action::Drop;
+ }
}
std::string toString() const override
{
{
public:
DelayAction(int msec) : d_msec(msec)
- {}
+ {
+ }
DNSAction::Action operator()(DNSQuestion* dq, std::string* ruleresult) const override
{
- *ruleresult=std::to_string(d_msec);
+ *ruleresult = std::to_string(d_msec);
return Action::Delay;
}
std::string toString() const override
int d_msec;
};
-
class TeeAction : public DNSAction
{
public:
+ // this action does not stop the processing
TeeAction(const ComboAddress& ca, bool addECS=false);
~TeeAction() override;
DNSAction::Action operator()(DNSQuestion* dq, std::string* ruleresult) const override;
std::thread d_worker;
void worker();
- int d_fd;
+ int d_fd{-1};
mutable std::atomic<unsigned long> d_senderrors{0};
unsigned long d_recverrors{0};
mutable std::atomic<unsigned long> d_queries{0};
TeeAction::TeeAction(const ComboAddress& ca, bool addECS) : d_remote(ca), d_addECS(addECS)
{
d_fd=SSocket(d_remote.sin4.sin_family, SOCK_DGRAM, 0);
- SConnect(d_fd, d_remote);
- setNonBlocking(d_fd);
- d_worker=std::thread(std::bind(&TeeAction::worker, this));
+ try {
+ SConnect(d_fd, d_remote);
+ setNonBlocking(d_fd);
+ d_worker=std::thread(std::bind(&TeeAction::worker, this));
+ }
+ catch (...) {
+ if (d_fd != -1) {
+ close(d_fd);
+ }
+ throw;
+ }
}
TeeAction::~TeeAction()
DNSAction::Action TeeAction::operator()(DNSQuestion* dq, std::string* ruleresult) const
{
- if(dq->tcp) {
+ if (dq->tcp) {
d_tcpdrops++;
}
else {
d_senderrors++;
}
}
+
return DNSAction::Action::None;
}
QPSPoolAction(unsigned int limit, const std::string& pool) : d_qps(limit, limit), d_pool(pool) {}
DNSAction::Action operator()(DNSQuestion* dq, std::string* ruleresult) const override
{
- if(d_qps.check()) {
+ if (d_qps.check()) {
*ruleresult=d_pool;
return Action::Pool;
}
- else
+ else {
return Action::None;
+ }
}
std::string toString() const override
{
std::lock_guard<std::mutex> lock(g_luamutex);
try {
auto ret = d_func(dr);
- if(ruleresult) {
+ if (ruleresult) {
if (boost::optional<std::string> rule = std::get<1>(ret)) {
*ruleresult = *rule;
}
return Action::HeaderModify;
}
-class MacAddrAction : public DNSAction
+class SetMacAddrAction : public DNSAction
{
public:
- MacAddrAction(uint16_t code) : d_code(code)
+ // this action does not stop the processing
+ SetMacAddrAction(uint16_t code) : d_code(code)
{}
DNSAction::Action operator()(DNSQuestion* dq, std::string* ruleresult) const override
{
- if(dq->getHeader()->arcount)
+ if (dq->getHeader()->arcount) {
return Action::None;
+ }
std::string mac = getMACAddress(*dq->remote);
- if(mac.empty())
+ if (mac.empty()) {
return Action::None;
+ }
std::string optRData;
generateEDNSOption(d_code, mac, optRData);
uint16_t d_code{3};
};
-class NoRecurseAction : public DNSAction
+class SetNoRecurseAction : public DNSAction
{
public:
+ // this action does not stop the processing
DNSAction::Action operator()(DNSQuestion* dq, std::string* ruleresult) const override
{
dq->getHeader()->rd = false;
class LogAction : public DNSAction, public boost::noncopyable
{
public:
+ // this action does not stop the processing
LogAction(): d_fp(nullptr, fclose)
{
}
LogAction(const std::string& str, bool binary=true, bool append=false, bool buffered=true, bool verboseOnly=true, bool includeTimestamp=false): d_fname(str), d_binary(binary), d_verboseOnly(verboseOnly), d_includeTimestamp(includeTimestamp)
{
- if(str.empty())
+ if (str.empty()) {
return;
- if(append)
+ }
+
+ if(append) {
d_fp = std::unique_ptr<FILE, int(*)(FILE*)>(fopen(str.c_str(), "a+"), fclose);
- else
+ }
+ else {
d_fp = std::unique_ptr<FILE, int(*)(FILE*)>(fopen(str.c_str(), "w"), fclose);
- if(!d_fp)
+ }
+
+ if (!d_fp) {
throw std::runtime_error("Unable to open file '"+str+"' for logging: "+stringerror());
- if(!buffered)
+ }
+
+ if (!buffered) {
setbuf(d_fp.get(), 0);
+ }
}
DNSAction::Action operator()(DNSQuestion* dq, std::string* ruleresult) const override
LogResponseAction(const std::string& str, bool append=false, bool buffered=true, bool verboseOnly=true, bool includeTimestamp=false): d_fname(str), d_verboseOnly(verboseOnly), d_includeTimestamp(includeTimestamp)
{
- if(str.empty())
+ if (str.empty()) {
return;
- if(append)
+ }
+
+ if (append) {
d_fp = std::unique_ptr<FILE, int(*)(FILE*)>(fopen(str.c_str(), "a+"), fclose);
- else
+ }
+ else {
d_fp = std::unique_ptr<FILE, int(*)(FILE*)>(fopen(str.c_str(), "w"), fclose);
- if(!d_fp)
+ }
+
+ if (!d_fp) {
throw std::runtime_error("Unable to open file '"+str+"' for logging: "+stringerror());
- if(!buffered)
+ }
+
+ if (!buffered) {
setbuf(d_fp.get(), 0);
+ }
}
DNSResponseAction::Action operator()(DNSResponse* dr, std::string* ruleresult) const override
};
-class DisableValidationAction : public DNSAction
+class SetDisableValidationAction : public DNSAction
{
public:
+ // this action does not stop the processing
DNSAction::Action operator()(DNSQuestion* dq, std::string* ruleresult) const override
{
dq->getHeader()->cd = true;
}
};
-class SkipCacheAction : public DNSAction
+class SetSkipCacheAction : public DNSAction
{
public:
+ // this action does not stop the processing
DNSAction::Action operator()(DNSQuestion* dq, std::string* ruleresult) const override
{
dq->skipCache = true;
}
};
-class SkipCacheResponseAction : public DNSResponseAction
+class SetSkipCacheResponseAction : public DNSResponseAction
{
public:
DNSResponseAction::Action operator()(DNSResponse* dr, std::string* ruleresult) const override
}
};
-class TempFailureCacheTTLAction : public DNSAction
+class SetTempFailureCacheTTLAction : public DNSAction
{
public:
- TempFailureCacheTTLAction(uint32_t ttl) : d_ttl(ttl)
- {}
- TempFailureCacheTTLAction::Action operator()(DNSQuestion* dq, std::string* ruleresult) const override
+ // this action does not stop the processing
+ SetTempFailureCacheTTLAction(uint32_t ttl) : d_ttl(ttl)
+ {
+ }
+ DNSAction::Action operator()(DNSQuestion* dq, std::string* ruleresult) const override
{
dq->tempFailureTTL = d_ttl;
return Action::None;
uint32_t d_ttl;
};
-class ECSPrefixLengthAction : public DNSAction
+class SetECSPrefixLengthAction : public DNSAction
{
public:
- ECSPrefixLengthAction(uint16_t v4Length, uint16_t v6Length) : d_v4PrefixLength(v4Length), d_v6PrefixLength(v6Length)
+ // this action does not stop the processing
+ SetECSPrefixLengthAction(uint16_t v4Length, uint16_t v6Length) : d_v4PrefixLength(v4Length), d_v6PrefixLength(v6Length)
{
}
DNSAction::Action operator()(DNSQuestion* dq, std::string* ruleresult) const override
uint16_t d_v6PrefixLength;
};
-class ECSOverrideAction : public DNSAction
+class SetECSOverrideAction : public DNSAction
{
public:
- ECSOverrideAction(bool ecsOverride) : d_ecsOverride(ecsOverride)
+ // this action does not stop the processing
+ SetECSOverrideAction(bool ecsOverride) : d_ecsOverride(ecsOverride)
{
}
DNSAction::Action operator()(DNSQuestion* dq, std::string* ruleresult) const override
};
-class DisableECSAction : public DNSAction
+class SetDisableECSAction : public DNSAction
{
public:
+ // this action does not stop the processing
DNSAction::Action operator()(DNSQuestion* dq, std::string* ruleresult) const override
{
dq->useECS = false;
class SetECSAction : public DNSAction
{
public:
+ // this action does not stop the processing
SetECSAction(const Netmask& v4): d_v4(v4), d_hasV6(false)
{
}
class DnstapLogAction : public DNSAction, public boost::noncopyable
{
public:
+ // this action does not stop the processing
DnstapLogAction(const std::string& identity, std::shared_ptr<RemoteLoggerInterface>& logger, boost::optional<std::function<void(DNSQuestion*, DnstapMessage*)> > alterFunc): d_identity(identity), d_logger(logger), d_alterFunc(alterFunc)
{
}
class RemoteLogAction : public DNSAction, public boost::noncopyable
{
public:
+ // this action does not stop the processing
RemoteLogAction(std::shared_ptr<RemoteLoggerInterface>& logger, boost::optional<std::function<void(DNSQuestion*, DNSDistProtoBufMessage*)> > alterFunc, const std::string& serverID, const std::string& ipEncryptKey): d_logger(logger), d_alterFunc(alterFunc), d_serverID(serverID), d_ipEncryptKey(ipEncryptKey)
{
}
class SNMPTrapAction : public DNSAction
{
public:
+ // this action does not stop the processing
SNMPTrapAction(const std::string& reason): d_reason(reason)
{
}
std::string d_reason;
};
-class TagAction : public DNSAction
+class SetTagAction : public DNSAction
{
public:
- TagAction(const std::string& tag, const std::string& value): d_tag(tag), d_value(value)
+ // this action does not stop the processing
+ SetTagAction(const std::string& tag, const std::string& value): d_tag(tag), d_value(value)
{
}
DNSAction::Action operator()(DNSQuestion* dq, std::string* ruleresult) const override
class DnstapLogResponseAction : public DNSResponseAction, public boost::noncopyable
{
public:
+ // this action does not stop the processing
DnstapLogResponseAction(const std::string& identity, std::shared_ptr<RemoteLoggerInterface>& logger, boost::optional<std::function<void(DNSResponse*, DnstapMessage*)> > alterFunc): d_identity(identity), d_logger(logger), d_alterFunc(alterFunc)
{
}
class RemoteLogResponseAction : public DNSResponseAction, public boost::noncopyable
{
public:
+ // this action does not stop the processing
RemoteLogResponseAction(std::shared_ptr<RemoteLoggerInterface>& logger, boost::optional<std::function<void(DNSResponse*, DNSDistProtoBufMessage*)> > alterFunc, const std::string& serverID, const std::string& ipEncryptKey, bool includeCNAME): d_logger(logger), d_alterFunc(alterFunc), d_serverID(serverID), d_ipEncryptKey(ipEncryptKey), d_includeCNAME(includeCNAME)
{
}
{
public:
DelayResponseAction(int msec) : d_msec(msec)
- {}
+ {
+ }
DNSResponseAction::Action operator()(DNSResponse* dr, std::string* ruleresult) const override
{
- *ruleresult=std::to_string(d_msec);
+ *ruleresult = std::to_string(d_msec);
return Action::Delay;
}
std::string toString() const override
class SNMPTrapResponseAction : public DNSResponseAction
{
public:
+ // this action does not stop the processing
SNMPTrapResponseAction(const std::string& reason): d_reason(reason)
{
}
std::string d_reason;
};
-class TagResponseAction : public DNSResponseAction
+class SetTagResponseAction : public DNSResponseAction
{
public:
- TagResponseAction(const std::string& tag, const std::string& value): d_tag(tag), d_value(value)
+ // this action does not stop the processing
+ SetTagResponseAction(const std::string& tag, const std::string& value): d_tag(tag), d_value(value)
{
}
DNSResponseAction::Action operator()(DNSResponse* dr, std::string* ruleresult) const override
class ContinueAction : public DNSAction
{
public:
+ // this action does not stop the processing
ContinueAction(std::shared_ptr<DNSAction>& action): d_action(action)
{
}
class KeyValueStoreLookupAction : public DNSAction
{
public:
+ // this action does not stop the processing
KeyValueStoreLookupAction(std::shared_ptr<KeyValueStore>& kvs, std::shared_ptr<KeyValueLookupKey>& lookupKey, const std::string& destinationTag): d_kvs(kvs), d_key(lookupKey), d_tag(destinationTag)
{
}
std::string d_tag;
};
-class SetNegativeAndSOAAction: public DNSAction
+class NegativeAndSOAAction: public DNSAction
{
public:
- SetNegativeAndSOAAction(bool nxd, const DNSName& zone, uint32_t ttl, const DNSName& mname, const DNSName& rname, uint32_t serial, uint32_t refresh, uint32_t retry, uint32_t expire, uint32_t minimum): d_zone(zone), d_mname(mname), d_rname(rname), d_ttl(ttl), d_serial(serial), d_refresh(refresh), d_retry(retry), d_expire(expire), d_minimum(minimum), d_nxd(nxd)
+ NegativeAndSOAAction(bool nxd, const DNSName& zone, uint32_t ttl, const DNSName& mname, const DNSName& rname, uint32_t serial, uint32_t refresh, uint32_t retry, uint32_t expire, uint32_t minimum): d_zone(zone), d_mname(mname), d_rname(rname), d_ttl(ttl), d_serial(serial), d_refresh(refresh), d_retry(retry), d_expire(expire), d_minimum(minimum), d_nxd(nxd)
{
}
class SetProxyProtocolValuesAction : public DNSAction
{
public:
+ // this action does not stop the processing
SetProxyProtocolValuesAction(const std::vector<std::pair<uint8_t, std::string>>& values)
{
d_values.reserve(values.size());
std::vector<ProxyProtocolValue> d_values;
};
-class AddProxyProtocolValueAction : public DNSAction
+class SetAdditionalProxyProtocolValueAction : public DNSAction
{
public:
- AddProxyProtocolValueAction(uint8_t type, const std::string& value): d_value(value), d_type(type)
+ // this action does not stop the processing
+ SetAdditionalProxyProtocolValueAction(uint8_t type, const std::string& value): d_value(value), d_type(type)
{
}
return std::shared_ptr<DNSAction>(new LuaFFIAction(func));
});
+ luaCtx.writeFunction("SetNoRecurseAction", []() {
+ return std::shared_ptr<DNSAction>(new SetNoRecurseAction);
+ });
+
luaCtx.writeFunction("NoRecurseAction", []() {
- return std::shared_ptr<DNSAction>(new NoRecurseAction);
+ warnlog("access to NoRecurseAction is deprecated, please use SetNoRecurseAction instead");
+ return std::shared_ptr<DNSAction>(new SetNoRecurseAction);
+ });
+
+ luaCtx.writeFunction("SetMacAddrAction", [](int code) {
+ return std::shared_ptr<DNSAction>(new SetMacAddrAction(code));
});
luaCtx.writeFunction("MacAddrAction", [](int code) {
- return std::shared_ptr<DNSAction>(new MacAddrAction(code));
+ warnlog("access to MacAddrAction is deprecated, please use SetMacAddrAction instead");
+ return std::shared_ptr<DNSAction>(new SetMacAddrAction(code));
});
luaCtx.writeFunction("PoolAction", [](const std::string& a) {
return std::shared_ptr<DNSAction>(new TCAction);
});
- luaCtx.writeFunction("DisableValidationAction", []() {
- return std::shared_ptr<DNSAction>(new DisableValidationAction);
+ luaCtx.writeFunction("SetDisableValidationAction", []() {
+ return std::shared_ptr<DNSAction>(new SetDisableValidationAction);
});
+ luaCtx.writeFunction("DisableValidationAction", []() {
+ warnlog("access to DisableValidationAction is deprecated, please use SetDisableValidationAction instead");
+ return std::shared_ptr<DNSAction>(new SetDisableValidationAction);
+ });
+
luaCtx.writeFunction("LogAction", [](boost::optional<std::string> fname, boost::optional<bool> binary, boost::optional<bool> append, boost::optional<bool> buffered, boost::optional<bool> verboseOnly, boost::optional<bool> includeTimestamp) {
return std::shared_ptr<DNSAction>(new LogAction(fname ? *fname : "", binary ? *binary : true, append ? *append : false, buffered ? *buffered : false, verboseOnly ? *verboseOnly : true, includeTimestamp ? *includeTimestamp : false));
});
return ret;
});
+ luaCtx.writeFunction("SetSkipCacheAction", []() {
+ return std::shared_ptr<DNSAction>(new SetSkipCacheAction);
+ });
+
luaCtx.writeFunction("SkipCacheAction", []() {
- return std::shared_ptr<DNSAction>(new SkipCacheAction);
+ warnlog("access to SkipCacheAction is deprecated, please use SetSkipCacheAction instead");
+ return std::shared_ptr<DNSAction>(new SetSkipCacheAction);
});
- luaCtx.writeFunction("SkipCacheResponseAction", []() {
- return std::shared_ptr<DNSResponseAction>(new SkipCacheResponseAction);
+ luaCtx.writeFunction("SetSkipCacheResponseAction", []() {
+ return std::shared_ptr<DNSResponseAction>(new SetSkipCacheResponseAction);
+ });
+
+ luaCtx.writeFunction("SetTempFailureCacheTTLAction", [](int maxTTL) {
+ return std::shared_ptr<DNSAction>(new SetTempFailureCacheTTLAction(maxTTL));
});
luaCtx.writeFunction("TempFailureCacheTTLAction", [](int maxTTL) {
- return std::shared_ptr<DNSAction>(new TempFailureCacheTTLAction(maxTTL));
+ warnlog("access to TempFailureCacheTTLAction is deprecated, please use SetTempFailureCacheTTLAction instead");
+ return std::shared_ptr<DNSAction>(new SetTempFailureCacheTTLAction(maxTTL));
});
luaCtx.writeFunction("DropResponseAction", []() {
return std::shared_ptr<DNSAction>(new TeeAction(ComboAddress(remote, 53), addECS ? *addECS : false));
});
+ luaCtx.writeFunction("SetECSPrefixLengthAction", [](uint16_t v4PrefixLength, uint16_t v6PrefixLength) {
+ return std::shared_ptr<DNSAction>(new SetECSPrefixLengthAction(v4PrefixLength, v6PrefixLength));
+ });
+
luaCtx.writeFunction("ECSPrefixLengthAction", [](uint16_t v4PrefixLength, uint16_t v6PrefixLength) {
- return std::shared_ptr<DNSAction>(new ECSPrefixLengthAction(v4PrefixLength, v6PrefixLength));
+ warnlog("access to ECSPrefixLengthAction is deprecated, please use SetECSPrefixLengthAction instead");
+ return std::shared_ptr<DNSAction>(new SetECSPrefixLengthAction(v4PrefixLength, v6PrefixLength));
+ });
+
+ luaCtx.writeFunction("SetECSOverrideAction", [](bool ecsOverride) {
+ return std::shared_ptr<DNSAction>(new SetECSOverrideAction(ecsOverride));
});
luaCtx.writeFunction("ECSOverrideAction", [](bool ecsOverride) {
- return std::shared_ptr<DNSAction>(new ECSOverrideAction(ecsOverride));
+ warnlog("access to ECSOverrideAction is deprecated, please use SetECSOverrideAction instead");
+ return std::shared_ptr<DNSAction>(new SetECSOverrideAction(ecsOverride));
+ });
+
+ luaCtx.writeFunction("SetDisableECSAction", []() {
+ return std::shared_ptr<DNSAction>(new SetDisableECSAction());
});
luaCtx.writeFunction("DisableECSAction", []() {
- return std::shared_ptr<DNSAction>(new DisableECSAction());
+ warnlog("access to DisableECSAction is deprecated, please use SetDisableECSAction instead");
+ return std::shared_ptr<DNSAction>(new SetDisableECSAction());
});
luaCtx.writeFunction("SetECSAction", [](const std::string v4, boost::optional<std::string> v6) {
#endif /* HAVE_NET_SNMP */
});
+ luaCtx.writeFunction("SetTagAction", [](std::string tag, std::string value) {
+ return std::shared_ptr<DNSAction>(new SetTagAction(tag, value));
+ });
+
luaCtx.writeFunction("TagAction", [](std::string tag, std::string value) {
- return std::shared_ptr<DNSAction>(new TagAction(tag, value));
+ warnlog("access to TagAction is deprecated, please use SetTagAction instead");
+ return std::shared_ptr<DNSAction>(new SetTagAction(tag, value));
+ });
+
+ luaCtx.writeFunction("SetTagResponseAction", [](std::string tag, std::string value) {
+ return std::shared_ptr<DNSResponseAction>(new SetTagResponseAction(tag, value));
});
luaCtx.writeFunction("TagResponseAction", [](std::string tag, std::string value) {
- return std::shared_ptr<DNSResponseAction>(new TagResponseAction(tag, value));
+ warnlog("access to TagResponseAction is deprecated, please use SetTagResponseAction instead");
+ return std::shared_ptr<DNSResponseAction>(new SetTagResponseAction(tag, value));
});
luaCtx.writeFunction("ContinueAction", [](std::shared_ptr<DNSAction> action) {
return std::shared_ptr<DNSAction>(new KeyValueStoreLookupAction(kvs, lookupKey, destinationTag));
});
+ luaCtx.writeFunction("NegativeAndSOAAction", [](bool nxd, const std::string& zone, uint32_t ttl, const std::string& mname, const std::string& rname, uint32_t serial, uint32_t refresh, uint32_t retry, uint32_t expire, uint32_t minimum, boost::optional<responseParams_t> vars) {
+ auto ret = std::shared_ptr<DNSAction>(new NegativeAndSOAAction(nxd, DNSName(zone), ttl, DNSName(mname), DNSName(rname), serial, refresh, retry, expire, minimum));
+ auto action = std::dynamic_pointer_cast<NegativeAndSOAAction>(ret);
+ parseResponseConfig(vars, action->d_responseConfig);
+ return ret;
+ });
+
luaCtx.writeFunction("SetNegativeAndSOAAction", [](bool nxd, const std::string& zone, uint32_t ttl, const std::string& mname, const std::string& rname, uint32_t serial, uint32_t refresh, uint32_t retry, uint32_t expire, uint32_t minimum, boost::optional<responseParams_t> vars) {
- auto ret = std::shared_ptr<DNSAction>(new SetNegativeAndSOAAction(nxd, DNSName(zone), ttl, DNSName(mname), DNSName(rname), serial, refresh, retry, expire, minimum));
- auto action = std::dynamic_pointer_cast<SetNegativeAndSOAAction>(ret);
+ warnlog("access to SetNegativeAndSOAAction is deprecated, please use NegativeAndSOAAction instead");
+ auto ret = std::shared_ptr<DNSAction>(new NegativeAndSOAAction(nxd, DNSName(zone), ttl, DNSName(mname), DNSName(rname), serial, refresh, retry, expire, minimum));
+ auto action = std::dynamic_pointer_cast<NegativeAndSOAAction>(ret);
parseResponseConfig(vars, action->d_responseConfig);
return ret;
});
return std::shared_ptr<DNSAction>(new SetProxyProtocolValuesAction(values));
});
- luaCtx.writeFunction("AddProxyProtocolValueAction", [](uint8_t type, const std::string& value) {
- return std::shared_ptr<DNSAction>(new AddProxyProtocolValueAction(type, value));
+ luaCtx.writeFunction("SetAdditionalProxyProtocolValueAction", [](uint8_t type, const std::string& value) {
+ return std::shared_ptr<DNSAction>(new SetAdditionalProxyProtocolValueAction(type, value));
});
}
In addition to the global settings, rules and Lua bindings can alter this behavior per query:
- * calling :func:`DisableECSAction` or setting ``dq.useECS`` to ``false`` prevents the sending of the ECS option.
- * calling :func:`ECSOverrideAction` or setting ``dq.ecsOverride`` will override the global :func:`setECSOverride` value.
- * calling :func:`ECSPrefixLengthAction(v4, v6)` or setting ``dq.ecsPrefixLength`` will override the global :func:`setECSSourcePrefixV4()` and :func:`setECSSourcePrefixV6()` values.
+ * calling :func:`SetDisableECSAction` or setting ``dq.useECS`` to ``false`` prevents the sending of the ECS option.
+ * calling :func:`SetECSOverrideAction` or setting ``dq.ecsOverride`` will override the global :func:`setECSOverride` value.
+ * calling :func:`SetECSPrefixLengthAction(v4, v6)` or setting ``dq.ecsPrefixLength`` will override the global :func:`setECSSourcePrefixV4()` and :func:`setECSSourcePrefixV6()` values.
-In effect this means that for the EDNS Client Subnet option to be added to the request, ``useClientSubnet`` should be set to ``true`` for the backend used (default to ``false``) and ECS should not have been disabled by calling :func:`DisableECSAction` or setting ``dq.useECS`` to ``false`` (default to true).
+In effect this means that for the EDNS Client Subnet option to be added to the request, ``useClientSubnet`` should be set to ``true`` for the backend used (default to ``false``) and ECS should not have been disabled by calling :func:`SetDisableECSAction` or setting ``dq.useECS`` to ``false`` (default to true).
Note that any trailing data present in the incoming query is removed when an OPT (or XPF) record has to be inserted.
Such a Proxy Protocol header can also be passed from the client to dnsdist, using :func:`setProxyProtocolACL` to specify which clients to accept it from.
If :func:`setProxyProtocolApplyACLToProxiedClients` is set (default is false), the general ACL will be applied to the source IP address as seen by dnsdist first, but also to the source IP address provided in the Proxy Protocol header.
-Custom values can be added to the header via :meth:`DNSQuestion:addProxyProtocolValue`, :meth:`DNSQuestion:setProxyProtocolValues`, :func:`AddProxyProtocolValueAction` and :func:`SetProxyProtocolValuesAction`.
+Custom values can be added to the header via :meth:`DNSQuestion:addProxyProtocolValue`, :meth:`DNSQuestion:setProxyProtocolValues`, :func:`SetAdditionalProxyProtocolValueAction` and :func:`SetProxyProtocolValuesAction`.
Be careful that Proxy Protocol values are sent once at the beginning of the TCP connection for TCP and DoT queries.
That means that values received on an incoming TCP connection will be inherited by subsequent queries received over the same incoming TCP connection, if any, but values set to a query will not be inherited by subsequent queries.
Please also note that the maximum size of a Proxy Protocol header dnsdist is willing to accept is 512 bytes by default, although it can be set via :func:`setProxyProtocolMaximumPayloadSize`.
.. code-block:: lua
- addAction(MaxQPSIPRule(5), NoRecurseAction())
+ addAction(MaxQPSIPRule(5), SetNoRecurseAction())
This strips the Recursion Desired (RD) bit from any traffic per IPv4 or IPv6 /64 that exceeds 5 qps. This means any those traffic bins is allowed to make a recursor do 'work' for only 5 qps.
As another example::
- addAction(MaxQPSIPRule(5), NoRecurseAction())
+ addAction(MaxQPSIPRule(5), SetNoRecurseAction())
This strips the Recursion Desired (RD) bit from any traffic per IPv4 or IPv6 /64 that exceeds 5 qps.
This means any those traffic bins is allowed to make a recursor do 'work' for only 5 qps.
.. deprecated:: 1.2.0
Set the CD (Checking Disabled) flag to 1 for all queries matching the DNSRule.
- This function has been deprecated as of 1.2.0 and removed in 1.3.0. Please use the :func:`DisableValidationAction` action instead.
+ This function has been deprecated as of 1.2.0 and removed in 1.3.0. Please use the :func:`SetDisableValidationAction` action instead.
.. function:: addDomainBlock(domain)
Clear the RD flag for all queries matching the rule.
This function has been deprecated as of 1.2.0 and removed in 1.3.0, please use:
- addAction(DNSRule, NoRecurseAction())
+ addAction(DNSRule, SetNoRecurseAction())
:param DNSRule: match queries based on this rule
-------
:ref:`RulesIntro` need to be combined with an action for them to actually do something with the matched packets.
-Some actions allow further processing of rules, this is noted in their description.
-The following actions exist.
-
-.. function:: AddProxyProtocolValueAction(type, value)
-
- .. versionadded:: 1.6.0
-
- Add a Proxy-Protocol Type-Length value to be sent to the server along with this query. It does not replace any
- existing value with the same type but adds a new value.
- Be careful that Proxy Protocol values are sent once at the beginning of the TCP connection for TCP and DoT queries.
- That means that values received on an incoming TCP connection will be inherited by subsequent queries received over
- the same incoming TCP connection, if any, but values set to a query will not be inherited by subsequent queries.
+Some actions allow further processing of rules, this is noted in their description. Most of these start with 'Set' with a few exceptions, mostly for logging actions. These exceptions are:
+- :func:`KeyValueStoreLookupAction`
+- :func:`DnstapLogAction`
+- :func:`DnstapLogResponseAction`
+- :func:`LogAction`
+- :func:`NoneAction`
+- :func:`RemoteLogAction`
+- :func:`RemoteLogResponseAction`
+- :func:`SNMPTrapAction`
+- :func:`SNMPTrapResponseAction`
+- :func:`TeeAction`
- :param int type: The type of the value to send, ranging from 0 to 255 (both included)
- :param str value: The binary-safe value
+The following actions exist.
.. function:: AllowAction()
.. function:: DisableECSAction()
+ .. deprecated:: 1.6.0
+
+ This function has been deprecated in 1.6.0, please use :func:`SetDisableECSAction` instead.
+
Disable the sending of ECS to the backend.
Subsequent rules are processed after this action.
.. function:: DisableValidationAction()
+ .. deprecated:: 1.6.0
+
+ This function has been deprecated in 1.6.0, please use :func:`SetDisableValidationAction` instead.
+
Set the CD bit in the query and let it go through.
+ Subsequent rules are processed after this action.
.. function:: DnstapLogAction(identity, logger[, alterFunction])
.. function:: ECSOverrideAction(override)
+ .. deprecated:: 1.6.0
+
+ This function has been deprecated in 1.6.0, please use :func:`SetECSOverrideAction` instead.
+
Whether an existing EDNS Client Subnet value should be overridden (true) or not (false).
Subsequent rules are processed after this action.
.. function:: ECSPrefixLengthAction(v4, v6)
+ .. deprecated:: 1.6.0
+
+ This function has been deprecated in 1.6.0, please use :func:`SetECSPrefixLengthAction` instead.
+
Set the ECS prefix length.
Subsequent rules are processed after this action.
:param int v4: The IPv4 netmask length
:param int v6: The IPv6 netmask length
-
.. function:: ERCodeAction(rcode [, options])
.. versionadded:: 1.4.0
The store can be a CDB (:func:`newCDBKVStore`) or a LMDB database (:func:`newLMDBKVStore`).
The key can be based on the qname (:func:`KeyValueLookupKeyQName` and :func:`KeyValueLookupKeySuffix`),
source IP (:func:`KeyValueLookupKeySourceIP`) or the value of an existing tag (:func:`KeyValueLookupKeyTag`).
+ Subsequent rules are processed after this action.
:param KeyValueStore kvs: The key value store to query
:param KeyValueLookupKey lookupKey: The key to use for the lookup
.. function:: MacAddrAction(option)
+ .. deprecated:: 1.6.0
+
+ This function has been deprecated in 1.6.0, please use :func:`SetMacAddrAction` instead.
+
Add the source MAC address to the query as EDNS0 option ``option``.
This action is currently only supported on Linux.
Subsequent rules are processed after this action.
:param int option: The EDNS0 option number
+.. function:: NegativeAndSOAAction(nxd, zone, ttl, mname, rname, serial, refresh, retry, expire, minimum [, options])
+
+ .. versionadded:: 1.6.0
+
+ Turn a question into a response, either a NXDOMAIN or a NODATA one based on ''nxd'', setting the QR bit to 1 and adding a SOA record in the additional section.
+ Note that this function was called :func:`SetNegativeAndSOAAction` before 1.6.0.
+
+ :param bool nxd: Whether the answer is a NXDOMAIN (true) or a NODATA (false)
+ :param string zone: The owner name for the SOA record
+ :param int ttl: The TTL of the SOA record
+ :param string mname: The mname of the SOA record
+ :param string rname: The rname of the SOA record
+ :param int serial: The value of the serial field in the SOA record
+ :param int refresh: The value of the refresh field in the SOA record
+ :param int retry: The value of the retry field in the SOA record
+ :param int expire: The value of the expire field in the SOA record
+ :param int minimum: The value of the minimum field in the SOA record
+ :param table options: A table with key: value pairs with options
+
+ Options:
+
+ * ``aa``: bool - Set the AA bit to this value (true means the bit is set, false means it's cleared). Default is to clear it.
+ * ``ad``: bool - Set the AD bit to this value (true means the bit is set, false means it's cleared). Default is to clear it.
+ * ``ra``: bool - Set the RA bit to this value (true means the bit is set, false means it's cleared). Default is to copy the value of the RD bit from the incoming query.
+
.. function:: NoneAction()
Does nothing.
.. function:: NoRecurseAction()
+ .. deprecated:: 1.6.0
+
+ This function has been deprecated in 1.6.0, please use :func:`NoRecurseAction` instead.
+
Strip RD bit from the question, let it go through.
Subsequent rules are processed after this action.
* ``serverID=""``: str - Set the Server Identity field.
* ``ipEncryptKey=""``: str - A key, that can be generated via the :func:`makeIPCipherKey` function, to encrypt the IP address of the requestor for anonymization purposes. The encryption is done using ipcrypt for IPv4 and a 128-bit AES ECB operation for IPv6.
+.. function:: SetAdditionalProxyProtocolValueAction(type, value)
+
+ .. versionadded:: 1.6.0
+
+ Add a Proxy-Protocol Type-Length value to be sent to the server along with this query. It does not replace any
+ existing value with the same type but adds a new value.
+ Be careful that Proxy Protocol values are sent once at the beginning of the TCP connection for TCP and DoT queries.
+ That means that values received on an incoming TCP connection will be inherited by subsequent queries received over
+ the same incoming TCP connection, if any, but values set to a query will not be inherited by subsequent queries.
+ Subsequent rules are processed after this action.
+
+ :param int type: The type of the value to send, ranging from 0 to 255 (both included)
+ :param str value: The binary-safe value
+
+.. function:: SetDisableECSAction()
+
+ .. versionadded:: 1.6.0
+
+ Disable the sending of ECS to the backend.
+ Subsequent rules are processed after this action.
+ Note that this function was called :func:`DisableECSAction` before 1.6.0.
+
+.. function:: SetDisableValidationAction()
+
+ .. versionadded:: 1.6.0
+
+ Set the CD bit in the query and let it go through.
+ Subsequent rules are processed after this action.
+ Note that this function was called :func:`DisableValidationAction` before 1.6.0.
+
.. function:: SetECSAction(v4 [, v6])
.. versionadded:: 1.3.1
:param string v4: The IPv4 netmask, for example "192.0.2.1/32"
:param string v6: The IPv6 netmask, if any
+.. function:: SetECSOverrideAction(override)
+
+ .. versionadded:: 1.6.0
+
+ Whether an existing EDNS Client Subnet value should be overridden (true) or not (false).
+ Subsequent rules are processed after this action.
+ Note that this function was called :func:`ECSOverrideAction` before 1.6.0.
+
+ :param bool override: Whether or not to override ECS value
+
+.. function:: SetECSPrefixLengthAction(v4, v6)
+
+ .. versionadded:: 1.6.0
+
+ Set the ECS prefix length.
+ Subsequent rules are processed after this action.
+ Note that this function was called :func:`ECSPrefixLengthAction` before 1.6.0.
+
+ :param int v4: The IPv4 netmask length
+ :param int v6: The IPv6 netmask length
+
+.. function:: SetMacAddrAction(option)
+
+ .. versionadded:: 1.6.0
+
+ Add the source MAC address to the query as EDNS0 option ``option``.
+ This action is currently only supported on Linux.
+ Subsequent rules are processed after this action.
+ Note that this function was called :func:`MacAddrAction` before 1.6.0.
+
+ :param int option: The EDNS0 option number
+
+.. function:: SetNoRecurseAction()
+
+ .. versionadded:: 1.6.0
+
+ Strip RD bit from the question, let it go through.
+ Subsequent rules are processed after this action.
+ Note that this function was called :func:`NoRecurseAction` before 1.6.0.
+
.. function:: SetNegativeAndSOAAction(nxd, zone, ttl, mname, rname, serial, refresh, retry, expire, minimum [, options])
.. versionadded:: 1.5.0
+ .. deprecated:: 1.6.0
+
+ This function has been deprecated in 1.6.0, please use :func:`NegativeAndSOAAction` instead.
+
Turn a question into a response, either a NXDOMAIN or a NODATA one based on ''nxd'', setting the QR bit to 1 and adding a SOA record in the additional section.
:param bool nxd: Whether the answer is a NXDOMAIN (true) or a NODATA (false)
.. versionadded:: 1.5.0
Set the Proxy-Protocol Type-Length values to be sent to the server along with this query to ``values``.
+ Subsequent rules are processed after this action.
:param table values: A table of types and values to send, for example: ``{ [0] = foo", [42] = "bar" }``
-.. function:: SkipCacheAction()
+.. function:: SetSkipCacheAction()
+
+ .. versionadded:: 1.6.0
Don't lookup the cache for this query, don't store the answer.
+ Subsequent rules are processed after this action.
+ Note that this function was called :func:`SkipCacheAction` before 1.6.0.
-.. function:: SkipCacheResponseAction()
+.. function:: SetSkipCacheResponseAction()
.. versionadded:: 1.6.0
Don't store this answer into the cache.
+ Subsequent rules are processed after this action.
+
+.. function:: SetTagAction(name, value)
+
+ .. versionadded:: 1.6.0
+
+ Associate a tag named ``name`` with a value of ``value`` to this query, that will be passed on to the response.
+ Subsequent rules are processed after this action.
+ Note that this function was called :func:`TagAction` before 1.6.0.
+
+ :param string name: The name of the tag to set
+ :param string value: The value of the tag
+
+.. function:: SetTagResponseAction(name, value)
+
+ .. versionadded:: 1.6.0
+
+ Associate a tag named ``name`` with a value of ``value`` to this response.
+ Subsequent rules are processed after this action.
+ Note that this function was called :func:`TagResponseAction` before 1.6.0.
+
+ :param string name: The name of the tag to set
+ :param string value: The value of the tag
+
+.. function:: SetTempFailureCacheTTLAction(ttl)
+
+ .. versionadded:: 1.6.0
+
+ Set the cache TTL to use for ServFail and Refused replies. TTL is not applied for successful replies.
+ Subsequent rules are processed after this action.
+ Note that this function was called :func:`TempFailureCacheTTLAction` before 1.6.0.
+
+ :param int ttl: Cache TTL for temporary failure replies
+
+.. function:: SkipCacheAction()
+
+ .. deprecated:: 1.6.0
+
+ This function has been deprecated in 1.6.0, please use :func:`SetSkipAction` instead.
+
+ Don't lookup the cache for this query, don't store the answer.
+ Subsequent rules are processed after this action.
.. function:: SNMPTrapAction([message])
.. versionadded:: 1.3.0
+ .. deprecated:: 1.6.0
+
+ This function has been deprecated in 1.6.0, please use :func:`SetTagAction` instead.
+
Associate a tag named ``name`` with a value of ``value`` to this query, that will be passed on to the response.
Subsequent rules are processed after this action.
.. versionadded:: 1.3.0
+ .. deprecated:: 1.6.0
+
+ This function has been deprecated in 1.6.0, please use :func:`SetTagResponseAction` instead.
+
Associate a tag named ``name`` with a value of ``value`` to this response.
Subsequent rules are processed after this action.
Send copy of query to ``remote``, keep stats on responses.
If ``addECS`` is set to true, EDNS Client Subnet information will be added to the query.
+ Subsequent rules are processed after this action.
:param string remote: An IP:PORT combination to send the copied queries to
:param bool addECS: Whether or not to add ECS information. Default false
.. function:: TempFailureCacheTTLAction(ttl)
+ .. deprecated:: 1.6.0
+
+ This function has been deprecated in 1.6.0, please use :func:`SetTempFailureCacheTTLAction` instead.
+
Set the cache TTL to use for ServFail and Refused replies. TTL is not applied for successful replies.
+ Subsequent rules are processed after this action.
:param int ttl: Cache TTL for temporary failure replies
The packet cache no longer hashes EDNS Cookies by default, which means that two queries that are identical except for the content of their cookie will now be served the same answer. This only works if the backend is not returning any answer containing EDNS Cookies, otherwise the wrong cookie might be returned to a client. To prevent this, the ``cookieHashing=true`` parameter might be passed to :func:`newPacketCache` so that cookies are hashed, resulting in separate entries in the packet cache.
+Several actions have been renamed so that almost all actions that allow further processing of rules start with 'Set', to prevent mistakes:
+- ``DisableECSAction`` to :func:`SetDisableECSAction`
+- ``DisableValidationAction`` to :func:`SetDisableValidationAction`
+- ``ECSOverrideAction`` to :func:`SetECSOverrideAction`
+- ``ECSPrefixLengthAction`` to :func:`SetECSPrefixLengthAction`
+- ``MacAddrAction`` to :func:`SetMacAddrAction`
+- ``NoRecurseAction`` to :func:`SetTagResponseAction`
+- ``SkipCacheAction`` to :func:`SetTagResponseAction`
+- ``TagAction`` to :func:`SetTagResponseAction`
+- ``TagResponseAction`` to :func:`SetTagResponseAction`
+- ``TempFailureCacheTTLAction`` to :func:`SetAdditionalProxyProtocolValueAction`
+- ``SetNegativeAndSOAAction`` to :func:`NegativeAndSOAAction`
+
1.4.x to 1.5.0
--------------
class TestAdvancedRemoveRD(DNSDistTest):
_config_template = """
- addAction("norecurse.advanced.tests.powerdns.com.", NoRecurseAction())
+ addAction("norecurse.advanced.tests.powerdns.com.", SetNoRecurseAction())
newServer{address="127.0.0.1:%s"}
"""
class TestAdvancedAddCD(DNSDistTest):
_config_template = """
- addAction("setcd.advanced.tests.powerdns.com.", DisableValidationAction())
- addAction(makeRule("setcdviaaction.advanced.tests.powerdns.com."), DisableValidationAction())
+ addAction("setcd.advanced.tests.powerdns.com.", SetDisableValidationAction())
+ addAction(makeRule("setcdviaaction.advanced.tests.powerdns.com."), SetDisableValidationAction())
newServer{address="127.0.0.1:%s"}
"""
class TestAdvancedClearRD(DNSDistTest):
_config_template = """
- addAction("clearrd.advanced.tests.powerdns.com.", NoRecurseAction())
- addAction(makeRule("clearrdviaaction.advanced.tests.powerdns.com."), NoRecurseAction())
+ addAction("clearrd.advanced.tests.powerdns.com.", SetNoRecurseAction())
+ addAction(makeRule("clearrdviaaction.advanced.tests.powerdns.com."), SetNoRecurseAction())
newServer{address="127.0.0.1:%s"}
"""
_config_template = """
newServer{address="127.0.0.1:%s", pool="real"}
- addAction(AllRule(), DisableValidationAction())
+ addAction(AllRule(), SetDisableValidationAction())
addAction(AllRule(), PoolAction("real"))
addAction(AllRule(), DropAction())
"""
"""
Advanced: Non terminal rules
- We check that DisableValidationAction() is applied
+ We check that SetDisableValidationAction() is applied
but does not stop the processing, then that
PoolAction() is applied _and_ stop the processing.
"""
class TestAdvancedRestoreFlagsOnSelfResponse(DNSDistTest):
_config_template = """
- addAction(AllRule(), DisableValidationAction())
+ addAction(AllRule(), SetDisableValidationAction())
addAction(AllRule(), SpoofAction("192.0.2.1"))
newServer{address="127.0.0.1:%s"}
"""
newServer{address="127.0.0.1:%s", pool="mypool"}
addAction("nocontinue.continue-action.advanced.tests.powerdns.com.", PoolAction("mypool"))
addAction("continue.continue-action.advanced.tests.powerdns.com.", ContinueAction(PoolAction("mypool")))
- addAction(AllRule(), DisableValidationAction())
+ addAction(AllRule(), SetDisableValidationAction())
"""
def testNoContinue(self):
self.assertEquals(receivedQuery, expectedQuery)
self.assertEquals(receivedResponse, expectedResponse)
-class TestAdvancedSetNegativeAndSOA(DNSDistTest):
+class TestAdvancedNegativeAndSOA(DNSDistTest):
_selfGeneratedPayloadSize = 1232
_config_template = """
- addAction("nxd.setnegativeandsoa.advanced.tests.powerdns.com.", SetNegativeAndSOAAction(true, "auth.", 42, "mname", "rname", 5, 4, 3, 2, 1))
- addAction("nodata.setnegativeandsoa.advanced.tests.powerdns.com.", SetNegativeAndSOAAction(false, "another-auth.", 42, "mname", "rname", 1, 2, 3, 4, 5))
+ addAction("nxd.negativeandsoa.advanced.tests.powerdns.com.", NegativeAndSOAAction(true, "auth.", 42, "mname", "rname", 5, 4, 3, 2, 1))
+ addAction("nodata.negativeandsoa.advanced.tests.powerdns.com.", NegativeAndSOAAction(false, "another-auth.", 42, "mname", "rname", 1, 2, 3, 4, 5))
setPayloadSizeOnSelfGeneratedAnswers(%d)
newServer{address="127.0.0.1:%s"}
"""
def testAdvancedNegativeAndSOANXD(self):
"""
- Advanced: SetNegativeAndSOAAction NXD
+ Advanced: NegativeAndSOAAction NXD
"""
- name = 'nxd.setnegativeandsoa.advanced.tests.powerdns.com.'
+ name = 'nxd.negativeandsoa.advanced.tests.powerdns.com.'
# no EDNS
query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
query.flags &= ~dns.flags.RD
def testAdvancedNegativeAndSOANoData(self):
"""
- Advanced: SetNegativeAndSOAAction NoData
+ Advanced: NegativeAndSOAAction NoData
"""
- name = 'nodata.setnegativeandsoa.advanced.tests.powerdns.com.'
+ name = 'nodata.negativeandsoa.advanced.tests.powerdns.com.'
# no EDNS
query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
query.flags &= ~dns.flags.RD
return true
end
- addAction(AllRule(), TagAction('a-tag', 'a-value'))
+ addAction(AllRule(), SetTagAction('a-tag', 'a-value'))
addAction(LuaRule(luarulefunction), RCodeAction(DNSRCode.NOTIMP))
addAction(AllRule(), RCodeAction(DNSRCode.REFUSED))
-- newServer{address="127.0.0.1:%s"}
_config_template = """
pc = newPacketCache(100, {maxTTL=86400, minTTL=1})
getPool(""):setCache(pc)
- addAction(makeRule("nocache.cache.tests.powerdns.com."), SkipCacheAction())
- addResponseAction(makeRule("nocache-response.cache.tests.powerdns.com."), SkipCacheResponseAction())
+ addAction(makeRule("nocache.cache.tests.powerdns.com."), SetSkipCacheAction())
+ addResponseAction(makeRule("nocache-response.cache.tests.powerdns.com."), SetSkipCacheResponseAction())
function skipViaLua(dq)
dq.skipCache = true
return DNSAction.None, ""
def testSkipCache(self):
"""
- Cache: SkipCacheAction
+ Cache: SetSkipCacheAction
dnsdist is configured to not cache entries for nocache.cache.tests.powerdns.com.
we are sending several requests and checking that the backend get them all.
def testSkipCacheResponse(self):
"""
- Cache: SkipCacheResponseAction
+ Cache: SetSkipCacheResponseAction
dnsdist is configured to not cache entries for answer matching nocache-response.cache.tests.powerdns.com.
we are sending several requests and checking that the backend get them all.
_config_template = """
pc = newPacketCache(100, {maxTTL=86400, minTTL=1})
getPool(""):setCache(pc)
- addAction("servfail.cache.tests.powerdns.com.", TempFailureCacheTTLAction(1))
+ addAction("servfail.cache.tests.powerdns.com.", SetTempFailureCacheTTLAction(1))
newServer{address="127.0.0.1:%d"}
"""
-- we will force the ECS value added to the query if RD is set (note that we need
-- to unset it using rules before the first cache lookup)
addAction(RDRule(), SetECSAction("192.0.2.1/32"))
- addAction(RDRule(), NoRecurseAction())
+ addAction(RDRule(), SetNoRecurseAction())
"""
def testScopeZero(self):
-- we will force the ECS value added to the query if RD is set (note that we need
-- to unset it using rules before the first cache lookup)
addAction(RDRule(), SetECSAction("192.0.2.1/32"))
- addAction(RDRule(), NoRecurseAction())
+ addAction(RDRule(), SetNoRecurseAction())
"""
def testScopeZero(self):
class TestECSDisabledByRuleOrLua(DNSDistTest):
"""
dnsdist is configured to add the EDNS0 Client Subnet
- option, but we disable it via DisableECSAction()
+ option, but we disable it via SetDisableECSAction()
or Lua.
"""
setECSSourcePrefixV4(16)
setECSSourcePrefixV6(16)
newServer{address="127.0.0.1:%s", useClientSubnet=true}
- addAction(makeRule("disabled.ecsrules.tests.powerdns.com."), DisableECSAction())
+ addAction(makeRule("disabled.ecsrules.tests.powerdns.com."), SetDisableECSAction())
function disableECSViaLua(dq)
dq.useECS = false
return DNSAction.None, ""
"""
dnsdist is configured to set the EDNS0 Client Subnet
option without overriding an existing one, but we
- force the overriding via ECSOverrideAction() or Lua.
+ force the overriding via SetECSOverrideAction() or Lua.
"""
_config_template = """
setECSSourcePrefixV4(24)
setECSSourcePrefixV6(56)
newServer{address="127.0.0.1:%s", useClientSubnet=true}
- addAction(makeRule("overridden.ecsrules.tests.powerdns.com."), ECSOverrideAction(true))
+ addAction(makeRule("overridden.ecsrules.tests.powerdns.com."), SetECSOverrideAction(true))
function overrideECSViaLua(dq)
dq.ecsOverride = true
return DNSAction.None, ""
"""
dnsdist is configured to set the EDNS0 Client Subnet
option with a prefix length of 24 for IPv4 and 56 for IPv6,
- but we override that to 32 and 128 via ECSPrefixLengthAction() or Lua.
+ but we override that to 32 and 128 via SetECSPrefixLengthAction() or Lua.
"""
_config_template = """
setECSSourcePrefixV4(24)
setECSSourcePrefixV6(56)
newServer{address="127.0.0.1:%s", useClientSubnet=true}
- addAction(makeRule("overriddenprefixlength.ecsrules.tests.powerdns.com."), ECSPrefixLengthAction(32, 128))
+ addAction(makeRule("overriddenprefixlength.ecsrules.tests.powerdns.com."), SetECSPrefixLengthAction(32, 128))
function overrideECSPrefixLengthViaLua(dq)
dq.ecsPrefixLength = 32
return DNSAction.None, ""
-- add these values for all queries
addAction("proxy-protocol-incoming.tests.powerdns.com.", LuaAction(addValues))
- addAction("proxy-protocol-incoming.tests.powerdns.com.", AddProxyProtocolValueAction(1, "dnsdist"))
- addAction("proxy-protocol-incoming.tests.powerdns.com.", AddProxyProtocolValueAction(255, "proxy-protocol"))
+ addAction("proxy-protocol-incoming.tests.powerdns.com.", SetAdditionalProxyProtocolValueAction(1, "dnsdist"))
+ addAction("proxy-protocol-incoming.tests.powerdns.com.", SetAdditionalProxyProtocolValueAction(255, "proxy-protocol"))
-- override all existing values
addAction("override.proxy-protocol-incoming.tests.powerdns.com.", SetProxyProtocolValuesAction({["50"]="overridden"}))
setMaxTCPConnectionDuration(%s)
pc = newPacketCache(100, {maxTTL=86400, minTTL=1})
getPool(""):setCache(pc)
- addAction("largernumberofconnections.tcpka.tests.powerdns.com.", SkipCacheAction())
+ addAction("largernumberofconnections.tcpka.tests.powerdns.com.", SetSkipCacheAction())
addAction("refused.tcpka.tests.powerdns.com.", RCodeAction(DNSRCode.REFUSED))
addAction("dropped.tcpka.tests.powerdns.com.", DropAction())
addResponseAction("dropped-response.tcpka.tests.powerdns.com.", DropResponseAction())
end
addAction(AllRule(), LuaAction(lol))
- addAction("tag-me-dns-1.tags.tests.powerdns.com.", TagAction("dns", "value1"))
- addAction("tag-me-dns-2.tags.tests.powerdns.com.", TagAction("dns", "value2"))
- addAction("tag-me-response-1.tags.tests.powerdns.com.", TagAction("response", "value1"))
- addAction("tag-me-response-2.tags.tests.powerdns.com.", TagAction("response", "value2"))
+ addAction("tag-me-dns-1.tags.tests.powerdns.com.", SetTagAction("dns", "value1"))
+ addAction("tag-me-dns-2.tags.tests.powerdns.com.", SetTagAction("dns", "value2"))
+ addAction("tag-me-response-1.tags.tests.powerdns.com.", SetTagAction("response", "value1"))
+ addAction("tag-me-response-2.tags.tests.powerdns.com.", SetTagAction("response", "value2"))
addAction(TagRule("not-dns"), SpoofAction("1.2.3.4"))
addAction(TagRule("dns", "value1"), SpoofAction("1.2.3.50"))
addResponseAction(TagRule("response", "value1"), LuaResponseAction(responseHandlerSetTC))
addResponseAction(TagRule("response", "no-match-value"), DropResponseAction())
- addResponseAction("tag-me-response-3.tags.tests.powerdns.com.", TagResponseAction("response-tag", "value"))
+ addResponseAction("tag-me-response-3.tags.tests.powerdns.com.", SetTagResponseAction("response-tag", "value"))
addResponseAction(TagRule("response-tag"), LuaResponseAction(responseHandlerUnsetQR))
"""
projects / thirdparty / pdns.git / commitdiff
