From: Pieter Lexis Date: Wed, 27 Jul 2016 13:11:37 +0000 (+0200) Subject: RPZ: Add metrics for the Policy Engine X-Git-Tag: rec-4.0.2~1^2~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7a25883a178c0353c3746bcb53e7e833a68652cc;p=thirdparty%2Fpdns.git RPZ: Add metrics for the Policy Engine Closes #2895
---
diff --git a/docs/markdown/recursor/stats.md b/docs/markdown/recursor/stats.md
index 3413cac384..c5eaef283e 100644
--- a/docs/markdown/recursor/stats.md
+++ b/docs/markdown/recursor/stats.md
@@ -59,6 +59,12 @@ The `rec_control get` command can be used to query the following statistics, eit
 * `packetcache-hits`: packet cache hits (since 3.2)
 * `packetcache-misses`: packet cache misses (since 3.2)
 * `policy-drops`: packets dropped because of (Lua) policy decision
+* `policy-result-noaction`: packets that were not actioned upon by the RPZ/filter engine
+* `policy-result-drop`: packets that were dropped by the RPZ/filter engine
+* `policy-result-nxdomain`: packets that were replied to with NXDOMAIN by the RPZ/filter engine
+* `policy-result-nodata`: packets that were replied to with no data by the RPZ/filter engine
+* `policy-result-truncate`: packets that were forced to TCP by the RPZ/filter engine
+* `policy-result-custom`: packets that were sent a custom answer by the RPZ/filter engine
 * `qa-latency`: shows the current latency average, in microseconds, exponentially weighted over past 'latency-statistic-size' packets
 * `questions`: counts all end-user initiated queries with the RD bit set
 * `resource-limits`: counts number of queries that could not be performed because of resource limits
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 3d2957b4de..48a1bd9aef 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -751,16 +751,20 @@ void startDoResolve(void *p)
 break;
 case DNSFilterEngine::PolicyKind::Drop:
 g_stats.policyDrops++;
+ g_stats.policyResults[appliedPolicy.d_kind]++;
 delete dc;
 dc=0;
 return;
 case DNSFilterEngine::PolicyKind::NXDOMAIN:
+ g_stats.policyResults[appliedPolicy.d_kind]++;
 res=RCode::NXDomain;
 goto haveAnswer;
 case DNSFilterEngine::PolicyKind::NODATA:
+ g_stats.policyResults[appliedPolicy.d_kind]++;
 res=RCode::NoError;
 goto haveAnswer;
 case DNSFilterEngine::PolicyKind::Custom:
+ g_stats.policyResults[appliedPolicy.d_kind]++;
 res=RCode::NoError;
 spoofed.d_name=dc->d_mdp.d_qname;
 spoofed.d_type=appliedPolicy.d_custom->getType();
@@ -772,6 +776,7 @@ void startDoResolve(void *p)
 goto haveAnswer;
 case DNSFilterEngine::PolicyKind::Truncate:
 if(!dc->d_tcp) {
+ g_stats.policyResults[appliedPolicy.d_kind]++;
 res=RCode::NoError;
 pw.getHeader()->tc=1;
 goto haveAnswer;
@@ -809,6 +814,7 @@ void startDoResolve(void *p)
 (*t_pdl)->postresolve(dc->d_remote, dc->d_local, dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_tcp, ret, &appliedPolicy, &dc->d_policyTags, res, &variableAnswer);
 }
+ g_stats.policyResults[appliedPolicy.d_kind]++;
 switch(appliedPolicy.d_kind) {
 case DNSFilterEngine::PolicyKind::NoAction:
 break;
diff --git a/pdns/rec_channel_rec.cc b/pdns/rec_channel_rec.cc
index 1e8e77a507..74b848ae33 100644
--- a/pdns/rec_channel_rec.cc
+++ b/pdns/rec_channel_rec.cc
@@ -31,6 +31,7 @@
 #include "rec-lua-conf.hh"
 #include "validate-recursor.hh"
+#include "filterpo.hh"
 #include "secpoll-recursor.hh"
 #include "pubsuffix.hh"
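Review bot: The third hunk's `g_stats.policyResults[appliedPolicy.d_kind]++;` before the post-resolve switch counts NoAction together with every policy kind, while the first two hunks count only inside the cases they act on, so a pre-resolve NoAction (presumably the case ending in the `break;` at the top of the first hunk) is counted only when it reaches the third hunk. Nothing states that split, and the five identical per-case increments in the first two hunks invite a later hoist above that switch, which would count NoAction twice. I would put `// also counts NoAction: pre-resolve policy hits return or goto haveAnswer and never reach this point` above the third hunk's increment, assuming haveAnswer lies past this block, which is outside the hunk. startDoResolve starts and ends outside these hunks.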
@@ -888,6 +889,13 @@ RecursorControlParser::RecursorControlParser()
 addGetStat("dnssec-result-bogus", &g_stats.dnssecResults[Bogus]);
 addGetStat("dnssec-result-indeterminate", &g_stats.dnssecResults[Indeterminate]);
 addGetStat("dnssec-result-nta", &g_stats.dnssecResults[NTA]);
+
+ addGetStat("policy-result-noaction", &g_stats.policyResults[DNSFilterEngine::PolicyKind::NoAction]);
+ addGetStat("policy-result-drop", &g_stats.policyResults[DNSFilterEngine::PolicyKind::Drop]);
+ addGetStat("policy-result-nxdomain", &g_stats.policyResults[DNSFilterEngine::PolicyKind::NXDOMAIN]);
+ addGetStat("policy-result-nodata", &g_stats.policyResults[DNSFilterEngine::PolicyKind::NODATA]);
+ addGetStat("policy-result-truncate", &g_stats.policyResults[DNSFilterEngine::PolicyKind::Truncate]);
+ addGetStat("policy-result-custom", &g_stats.policyResults[DNSFilterEngine::PolicyKind::Custom]);
 }
 static void doExitGeneric(bool nicely)
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index d9d1ceacfb..e69fb194a4 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -995,8 +995,10 @@ int SyncRes::doResolveAt(NsSet &nameservers, DNSName auth, bool flawedNSSet, con
 }
 //
 // XXX NEED TO HANDLE OTHER POLICY KINDS HERE!
- if(g_luaconfs.getLocal()->dfe.getProcessingPolicy(*tns).d_kind != DNSFilterEngine::PolicyKind::NoAction)
+ if(g_luaconfs.getLocal()->dfe.getProcessingPolicy(*tns).d_kind != DNSFilterEngine::PolicyKind::NoAction) {
+ g_stats.policyResults[g_luaconfs.getLocal()->dfe.getProcessingPolicy(*tns).d_kind]++;
 throw ImmediateServFailException("Dropped because of policy");
+ }
 if(tns->empty()) {
 LOG(prefix< dnssecValidations; // should be the sum of all dnssecResult* stats std::map > dnssecResults; + std::map > policyResults; };
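Review bot: The six `addGetStat` calls are also what creates the PolicyKind entries in `g_stats.policyResults`, and the `operator[]++` increments this commit adds on the worker paths in pdns_recursor.cc and syncres.cc are only safe without a lock if no increment ever inserts a new key: a std::map insertion is not thread-safe, however atomic the stored counter is. That dependency is invisible at the increment sites, so I would state it here: `// Also pre-creates every PolicyKind entry so that the worker threads' g_stats.policyResults[kind]++ never inserts into the map concurrently.` This assumes the constructor runs before the worker threads start, which is outside the hunk, and it means any PolicyKind added to filterpo.hh later also needs an entry here. The dnssecResults block above it relies on the same property.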
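Review bot: `g_luaconfs.getLocal()->dfe.getProcessingPolicy(*tns)` is evaluated twice in the new `if`, once for the test and once for the counter index; store it once: `const auto policyKind = g_luaconfs.getLocal()->dfe.getProcessingPolicy(*tns).d_kind;`, `if(policyKind != DNSFilterEngine::PolicyKind::NoAction) {`, `g_stats.policyResults[policyKind]++;`. The counter is also bumped under the configured kind although, as the XXX comment just above says, every kind is answered with a ServFail here, so `policy-result-nxdomain` or `policy-result-custom` can increment for a query that never received that answer; either count these under Drop or document the discrepancy in stats.md. doResolveAt begins and ends outside the hunk.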