From: bert hubert
Date: Fri, 30 May 2014 08:55:44 +0000 (+0200)
Subject: document pdns.DROP for recursor, add policy-drops metric for it
X-Git-Tag: rec-3.6.0~18^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e9c2ad3a4a0c864d35a5f593800dfc04046075c0;p=thirdparty%2Fpdns.git
document pdns.DROP for recursor, add policy-drops metric for it
---
diff --git a/pdns/docs/pdns.xml b/pdns/docs/pdns.xml
index 6c149df8ab..228bbaf590 100644
--- a/pdns/docs/pdns.xml
+++ b/pdns/docs/pdns.xml
@@ -15344,6 +15344,7 @@ packetcache-bytes Size of the packet cache in bytes (since 3.3.1)
 packetcache-entries Size of packet cache (since 3.2)
 packetcache-hits Packet cache hits (since 3.2)
 packetcache-misses Packet cache misses (since 3.2)
+policy-drops Packets dropped because of (Lua) policy decision
 qa-latency shows the current latency average, in microseconds
 questions counts all End-user initiated queries with the RD bit set
 ipv6-questions counts all End-user initiated queries with the RD bit set, received over IPv6 UDP
@@ -15358,7 +15359,7 @@ tcp-questions counts all incoming TCP queries (since starting)
 throttled-out counts the number of throttled outgoing UDP queries since starting
 throttle-entries shows the number of entries in the throttle map
 unauthorized-tcp number of TCP questions denied because of allow-from restrictions
-unauthorized-udp number of UDP questions denied because of allow-from restrictions
+unauthorized-udp number of UDP questions denied because of allow-from restrictions
 unexpected-packets number of answers from remote servers that were unexpected (might point to spoofing)
 uptime number of seconds process has been running (since 3.1.5)
 user-msec number of CPU milliseconds spent in 'user' mode
@@ -15367,7 +15368,10 @@ user-msec number of CPU milliseconds spent in 'user' mode graphs of all these numbers. Use rec_control get-all to get all statistics in one go.
- It should be noted that answers0-1 + answers1-10 + answers10-100 + answers100-1000 + packetcache-hits + over-capacity-drops = questions.
+ It should be noted that answers0-1 + answers1-10 + answers10-100 + answers100-1000 + packetcache-hits + over-capacity-drops + policy-drops = questions.
+
+
+ Also note that unauthorized-tcp and unauthorized-udp packets do not end up in the 'questions' count. Every half our or so, the recursor outputs a line with statistics. More infrastructure is planned so as to allow
@@ -15493,7 +15497,8 @@ end '25 smtp.example.net.'.
- Useful return 'rcodes' include 0 for "no error" and pdns.NXDOMAIN for "NXDOMAIN".
+ Useful return 'rcodes' include 0 for "no error", pdns.NXDOMAIN for "NXDOMAIN", pdns.DROP to drop the question
+ from further processing (since 3.6, and such a drop is accounted in the 'policy-drops' metric). Fields that can be set in the return table include:
@@ -16050,7 +16055,7 @@ To enable a Lua script for a particular slave zone, determine the domain_id for containing one or more replacement records to be stored in the back-end database. If, on the other hand, your function decides not to modify a record, it must return pdns.PASS and an empty table indicating that PowerDNS should handle the incoming record as normal. If your function decides to drop a query and not respond whatsoever, it must return
- pdns.DROP and an empty table indicating that the recursor does not want to process the packet in Lua nor in the core recursor logic.
+ pdns.DROP and an empty table indicating that the recursor does not want to process the packet in Lua nor in the core recursor logic. Consider the following simple example:
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 4d1fe24874..5fc04a92a2 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -548,10 +548,9 @@ void startDoResolve(void *p)
 if(!dc->d_mdp.d_header.rd) sr.setCacheOnly();
- // if there is a RecursorLua active, and it 'took' the query in preResolve, we don't launch beginResolve
 if(!t_pdl->get() || !(*t_pdl)->preresolve(dc->d_remote, g_listenSocketsAddresses[dc->d_socket], dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), ret, res, &variableAnswer)) {
- res = sr.beginResolve(dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_mdp.d_qclass, ret);
+ res = sr.beginResolve(dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_mdp.d_qclass, ret);
 if(t_pdl->get()) {
 if(res == RCode::NoError) {
@@ -570,6 +569,7 @@ void startDoResolve(void *p)
 }
 if(res == RecursorBehaviour::DROP) {
+ g_stats.policyDrops++;
 delete dc;
 dc=0;
 return;
diff --git a/pdns/rec_channel_rec.cc b/pdns/rec_channel_rec.cc
index d1e6e3d1a3..47c1a59a8b 100644
--- a/pdns/rec_channel_rec.cc
+++ b/pdns/rec_channel_rec.cc
@@ -502,6 +502,7 @@ RecursorControlParser::RecursorControlParser()
 addGetStat("resource-limits", &g_stats.resourceLimits);
 addGetStat("over-capacity-drops", &g_stats.overCapacityDrops);
+ addGetStat("policy-drops", &g_stats.policyDrops);
 addGetStat("no-packet-error", &g_stats.noPacketError);
 addGetStat("dlg-only-drops", &SyncRes::s_nodelegated);
 addGetStat("max-mthread-stack", &g_stats.maxMThreadStackUsage);
diff --git a/pdns/syncres.hh b/pdns/syncres.hh
index b2c3b6e259..63c31f83db 100644
--- a/pdns/syncres.hh
+++ b/pdns/syncres.hh
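Review bot: Removing the comment above `if(!t_pdl->get() || !(*t_pdl)->preresolve(...))` leaves that condition undocumented, and it is not obvious from the line itself that preresolve is invoked for its side effects (it appears to fill `ret` and `res` through the reference arguments) and that a true return short-circuits beginResolve entirely. Unless the explanation was moved somewhere outside this hunk, I would keep a one-liner such as `// a Lua preresolve hook that 'takes' the query (returns true) has filled ret/res itself; only otherwise do we run beginResolve`. The only other change in this hunk is whitespace on the beginResolve line. startDoResolve begins before and ends after the hunk.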
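Review bot: `g_stats.policyDrops++` is a plain `uint64_t` read-modify-write on a global, while the path it sits on looks per-thread (`t_pdl` is consulted just above it); if several worker threads run startDoResolve, concurrent increments can be lost and policy-drops will undercount, so the identity `answers* + packetcache-hits + over-capacity-drops + policy-drops = questions` documented in this same commit may not hold exactly. If the other RecursorStats counters are deliberately kept lock-free and approximate, a comment on the new line saying so would stop the next reader from treating policy-drops as an exact audit figure; otherwise this counter needs the project's synchronized or per-thread stats mechanism, if one exists. It is also worth stating why the drop is accounted here rather than in the Lua hook, e.g. `// single accounting point: every pdns.DROP returned by a Lua hook is honoured here`, assuming this branch is indeed the only place a DROP result is acted on — the postresolve path is not visible in the hunk. startDoResolve continues outside the hunk.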
@@ -547,11 +547,12 @@ struct RecursorStats
 uint64_t noErrors;
 uint64_t answers0_1, answers1_10, answers10_100, answers100_1000, answersSlow;
 double avgLatencyUsec;
- uint64_t qcounter;
+ uint64_t qcounter; // not increased for unauth packets
 uint64_t ipv6qcounter;
 uint64_t tcpqcounter;
- uint64_t unauthorizedUDP;
- uint64_t unauthorizedTCP;
+ uint64_t unauthorizedUDP; // when this is increased, qcounter isn't
+ uint64_t unauthorizedTCP; // when this is increased, qcounter isn't
+ uint64_t policyDrops;
 uint64_t tcpClientOverflow;
 uint64_t clientParseError;
 uint64_t serverParseError;
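Review bot: The new `policyDrops` member is the one line in this hunk left without a comment, even though the commit annotates its neighbours and the documentation it adds places policy-drops inside the `... + over-capacity-drops + policy-drops = questions` identity; that relationship belongs at the declaration, e.g. `uint64_t policyDrops; // dropped by a Lua pdns.DROP decision; unlike unauthorized*, still counted in qcounter` (qcounter appears to back the 'questions' stat, please confirm). Note also that none of these members has an initializer, so the struct is zero-filled only when it has static storage duration, as a global like g_stats presumably does; if a RecursorStats is ever created as a local, the new counter starts indeterminate, and a short comment on the struct recording that reliance would be cheap. struct RecursorStats begins before the hunk and ends after it.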