From: Remi Gacogne Date: Tue, 13 Jun 2023 12:08:56 +0000 (+0200) Subject: dnsdist: Increment the "dyn blocked" counter for eBPF blocks as well X-Git-Tag: rec-5.0.0-alpha1~171^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F12911%2Fhead;p=thirdparty%2Fpdns.git dnsdist: Increment the "dyn blocked" counter for eBPF blocks as well Regular, userspace blocks increment the "dyn blocked" counter for every dropped query. The eBPF blocks are executed in kernelspace and thus do not increment that counter at all, which makes it challenging for reporting to do its job. On the other hand we want our eBPF code to be as efficient as possible since it is used when performance really matters. This commit updates the counter when a eBPF dynamic block is removed, which is a compromise between the performance impact and a slight reporting delay.
---
diff --git a/pdns/dnsdistdist/dnsdist-dynblocks.cc b/pdns/dnsdistdist/dnsdist-dynblocks.cc
index ae9896ed27..acf8524383 100644
--- a/pdns/dnsdistdist/dnsdist-dynblocks.cc
+++ b/pdns/dnsdistdist/dnsdist-dynblocks.cc
@@ -429,6 +429,10 @@ void DynBlockRulesGroup::processResponseRules(counts_t& counts, StatNode& root,
 void DynBlockMaintenance::purgeExpired(const struct timespec& now)
 {
+ // we need to increase the dynBlocked counter when removing
+ // eBPF blocks, as otherwise it does not get incremented for these
+ // since the block happens in kernel space.
+ uint64_t bpfBlocked = 0;
 {
 auto blocks = g_dynblockNMG.getLocal();
 std::vector toRemove;
@@ -436,8 +440,15 @@ void DynBlockMaintenance::purgeExpired(const struct timespec& now)
 if (!(now < entry.second.until)) {
 toRemove.push_back(entry.first);
 if (g_defaultBPFFilter && entry.second.bpf) {
+ const auto& network = entry.first.getNetwork();
 try {
- g_defaultBPFFilter->unblock(entry.first.getNetwork());
+ bpfBlocked += g_defaultBPFFilter->getHits(network);
+ }
+ catch (const std::exception& e) {
+ vinfolog("Error while getting block count before removing eBPF dynamic block for %s: %s", entry.first.toString(), e.what());
+ }
+ try {
+ g_defaultBPFFilter->unblock(network);
 }
 catch (const std::exception& e) {
 vinfolog("Error while removing eBPF dynamic block for %s: %s", entry.first.toString(), e.what());
@@ -451,6 +462,7 @@ void DynBlockMaintenance::purgeExpired(const struct timespec& now)
 updated.erase(entry);
 }
 g_dynblockNMG.setState(std::move(updated));
+ g_stats.dynBlocked += bpfBlocked;
 }
 }
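Review bot: The hit count is read and the block removed in two separate calls, so packets the kernel drops between `getHits(network)` and `unblock(network)` are never added to `bpfBlocked`, and when `getHits` throws the block is still removed and its whole count is lost. That failure is reported only through `vinfolog`, so on an instance not running verbose the "dyn blocked" figure under-reports without any trace. I would log the first catch at a level that is always emitted, e.g. `warnlog("Error while getting block count before removing eBPF dynamic block for %s: %s", entry.first.toString(), e.what());`, and add a comment above the two `try` blocks such as `// drops between getHits() and unblock() are not counted; accepted as a small under-count`. The enclosing loop in purgeExpired starts and ends outside this hunk.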
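Review bot: `g_stats.dynBlocked` is credited with eBPF hits only here, at expiry, so a block that leaves the kernel map by any other route would never be counted; purgeExpired is the only removal path visible in this diff, so this is worth checking against manual clears and shutdown. The counter will also jump by a block's whole lifetime total in one step, which rate-based alerting on this metric may read as a burst. A short comment on this line would make that explicit, for example `// eBPF hits are folded in only when the block expires, so this counter lags for long-lived blocks`. The function body begins outside the hunk.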