From b790ef3d5a7e5f6904cd4063ae3bb1daa8fdbc81 Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Fri, 26 Aug 2016 15:57:25 +0200
Subject: [PATCH] rec: Add an option to only send protobuf messages with a policy or tag set
---
 docs/markdown/recursor/settings.md | 3 ++-
 pdns/pdns_recursor.cc | 12 ++++++++----
 pdns/rec-lua-conf.cc | 5 ++++-
 pdns/rec-lua-conf.hh | 1 +
 pdns/rec-protobuf.cc | 23 +++++++++++++++++++++++
 pdns/rec-protobuf.hh | 3 ++-
 6 files changed, 40 insertions(+), 7 deletions(-)
diff --git a/docs/markdown/recursor/settings.md b/docs/markdown/recursor/settings.md
index 5fd2fa51e6..b8d81e478c 100644
--- a/docs/markdown/recursor/settings.md
+++ b/docs/markdown/recursor/settings.md
@@ -522,7 +522,7 @@ to detect and act on infected hosts.
 Protobuf export to a server is enabled using the `protobufServer()` directive:
 ```
-protobufServer("192.0.2.1:4242" [[[[[[, timeout], maxQueuedEntries], reconnectWaitTime], maskV4], maskV6], asynConnect])
+protobufServer("192.0.2.1:4242" [[[[[[[, timeout], maxQueuedEntries], reconnectWaitTime], maskV4], maskV6], asynConnect], taggedOnly])
 ```
 The optional parameters are:
@@ -532,6 +532,7 @@ The optional parameters are:
 * reconnectWaitTime = how long to wait, in seconds, between two reconnection attempts, default to 1
 * maskV4 = network mask to apply to the client IPv4 addresses, for anonymization purpose. The default of 32 means no anonymization
 * maskV6 = same as maskV4, but for IPv6. Default to 128
+* taggedOnly = only entries with a policy or a policy tag set will be sent
 * asyncConnect = if set to false (default) the first connection to the server during startup will block up to `timeout` seconds, otherwise the connection is done in a separate thread.
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index ac31e08d81..f50d57f5ed 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -1047,7 +1047,7 @@ void startDoResolve(void *p)
 g_rs.submitResponse(dc->d_mdp.d_qtype, packet.size(), !dc->d_tcp);
 updateResponseStats(res, dc->d_remote, packet.size(), &dc->d_mdp.d_qname, dc->d_mdp.d_qtype);
 #ifdef HAVE_PROTOBUF
- if (luaconfsLocal->protobufServer) {
+ if (luaconfsLocal->protobufServer && (!luaconfsLocal->protobufTaggedOnly || (appliedPolicy.d_name && !appliedPolicy.d_name->empty()) || !dc->d_policyTags.empty())) {
 pbMessage.setBytes(packet.size());
 pbMessage.setResponseCode(pw.getHeader()->rcode);
 if (appliedPolicy.d_name) {
@@ -1324,7 +1324,9 @@ void handleRunningTCPQuestion(int fd, FDMultiplexer::funcparam_t& var)
 const struct dnsheader* dh = (const struct dnsheader*) conn->data;
 dc->d_ednssubnet = ednssubnet;
- protobufLogQuery(luaconfsLocal->protobufServer, luaconfsLocal->protobufMaskV4, luaconfsLocal->protobufMaskV6, dc->d_uuid, dest, conn->d_remote, ednssubnet, true, dh->id, conn->qlen, qname, qtype, qclass, dc->d_policyTags);
+ if (!luaconfsLocal->protobufTaggedOnly) {
+ protobufLogQuery(luaconfsLocal->protobufServer, luaconfsLocal->protobufMaskV4, luaconfsLocal->protobufMaskV6, dc->d_uuid, dest, conn->d_remote, ednssubnet, true, dh->id, conn->qlen, qname, qtype, qclass, dc->d_policyTags);
+ }
 }
 catch(std::exception& e) {
 if(g_logCommonErrors)
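Review bot: The TCP query path in the `@@ -1324` hunk drops the query message whenever protobufTaggedOnly is set, while the UDP path in doProcessUDPQuestion still exports a query that carries policy tags; since `dc->d_policyTags` is already handed to protobufLogQuery on this line, the guard should be `if (!luaconfsLocal->protobufTaggedOnly || !dc->d_policyTags.empty()) {` so tagged TCP queries are exported the same way as UDP ones. Without that, a collector that receives a tagged TCP response from the `@@ -1047` hunk has no query message to correlate it with. The response-side predicate introduced in the `@@ -1047` hunk is repeated almost verbatim for the packet-cache hit in doProcessUDPQuestion; a small helper taking the applied-policy name and the tag vector would keep the two in step. Both startDoResolve and handleRunningTCPQuestion begin outside these hunks.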
@@ -1466,14 +1468,16 @@ string* doProcessUDPQuestion(const std::string& question, const ComboAddress& fr
 RecProtoBufMessage pbMessage(DNSProtoBufMessage::DNSProtoBufMessageType::Response);
 #ifdef HAVE_PROTOBUF
 if(luaconfsLocal->protobufServer) {
- protobufLogQuery(luaconfsLocal->protobufServer, luaconfsLocal->protobufMaskV4, luaconfsLocal->protobufMaskV6, uniqueId, fromaddr, destaddr, ednssubnet, false, dh->id, question.size(), qname, qtype, qclass, policyTags);
+ if (!luaconfsLocal->protobufTaggedOnly || !policyTags.empty()) {
+ protobufLogQuery(luaconfsLocal->protobufServer, luaconfsLocal->protobufMaskV4, luaconfsLocal->protobufMaskV6, uniqueId, fromaddr, destaddr, ednssubnet, false, dh->id, question.size(), qname, qtype, qclass, policyTags);
+ }
 }
 #endif /* HAVE_PROTOBUF */
 cacheHit = (!SyncRes::s_nopacketcache && t_packetCache->getResponsePacket(ctag, question, g_now.tv_sec, &response, &age, &pbMessage));
 if (cacheHit) {
 #ifdef HAVE_PROTOBUF
- if(luaconfsLocal->protobufServer) {
+ if(luaconfsLocal->protobufServer && (!luaconfsLocal->protobufTaggedOnly || !pbMessage.getAppliedPolicy().empty() || !pbMessage.getPolicyTags().empty())) {
 Netmask requestorNM(fromaddr, fromaddr.sin4.sin_family == AF_INET ? luaconfsLocal->protobufMaskV4 : luaconfsLocal->protobufMaskV6);
 const ComboAddress& requestor = requestorNM.getMaskedNetwork();
 pbMessage.update(uniqueId, &requestor, &destaddr, false, dh->id);
diff --git a/pdns/rec-lua-conf.cc b/pdns/rec-lua-conf.cc
index f8001bf9fa..7dfbbe5bca 100644
--- a/pdns/rec-lua-conf.cc
+++ b/pdns/rec-lua-conf.cc
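Review bot: The cache-hit guard on the `if(luaconfsLocal->protobufServer && ...)` line calls `pbMessage.getAppliedPolicy()` and `pbMessage.getPolicyTags()` only to test for emptiness, and both accessors added in rec-protobuf.cc by this patch return by value, so every packet-cache hit with taggedOnly enabled copies the policy string and rebuilds a vector of tag strings before deciding to skip the message. A pair of bool-returning accessors on RecProtoBufMessage, backed by `response.appliedpolicy().empty()` and `response.tags_size()` and returning false when HAVE_PROTOBUF is not defined, would make this check allocation-free on the hot path. Separately, the query-side guard `if (!luaconfsLocal->protobufTaggedOnly || !policyTags.empty())` can only see tags produced before resolution, because no policy has been applied yet at query time, so a response exported because of a policy match will have no matching query message; a comment on that line such as `// only tags are known at query time; a policy match is exported on the response side only` would record that. doProcessUDPQuestion begins and ends outside this hunk.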
@@ -260,7 +260,7 @@ void loadRecursorLuaConfig(const std::string& fname)
 });
 #if HAVE_PROTOBUF
- Lua.writeFunction("protobufServer", [&lci](const string& server_, const boost::optional timeout, const boost::optional maxQueuedEntries, const boost::optional reconnectWaitTime, const boost::optional maskV4, boost::optional maskV6, boost::optional asyncConnect) {
+ Lua.writeFunction("protobufServer", [&lci](const string& server_, const boost::optional timeout, const boost::optional maxQueuedEntries, const boost::optional reconnectWaitTime, const boost::optional maskV4, boost::optional maskV6, boost::optional asyncConnect, boost::optional taggedOnly) {
 try {
 ComboAddress server(server_);
 if (!lci.protobufServer) {
@@ -271,6 +271,9 @@ void loadRecursorLuaConfig(const std::string& fname)
 if (maskV6) {
 lci.protobufMaskV6 = *maskV6;
 }
+ if (taggedOnly) {
+ lci.protobufTaggedOnly = *taggedOnly;
+ }
 }
 else {
 theL()<toString()< protobufServer{nullptr};
 uint8_t protobufMaskV4{32};
 uint8_t protobufMaskV6{128};
+ bool protobufTaggedOnly{false};
 };
 extern GlobalStateHolder g_luaconfs;
diff --git a/pdns/rec-protobuf.cc b/pdns/rec-protobuf.cc
index 77e05d5d67..b1f4909bf9 100644
--- a/pdns/rec-protobuf.cc
+++ b/pdns/rec-protobuf.cc
@@ -72,3 +72,26 @@ void RecProtoBufMessage::setPolicyTags(const std::vector& policyTag
 }
 #endif /* HAVE_PROTOBUF */
 }
+
+std::string RecProtoBufMessage::getAppliedPolicy() const
+{
+ std::string result;
+#ifdef HAVE_PROTOBUF
+ const PBDNSMessage_DNSResponse& response = d_message.response();
+ result = response.appliedpolicy();
+#endif /* HAVE_PROTOBUF */
+ return result;
+}
+
+std::vector RecProtoBufMessage::getPolicyTags() const
+{
+ std::vector result;
+#ifdef HAVE_PROTOBUF
+ const PBDNSMessage_DNSResponse& response = d_message.response();
+ const int count = response.tags_size();
+ for (int idx = 0; idx < count; idx++) {
+ result.push_back(response.tags(idx));
+ }
+#endif /* HAVE_PROTOBUF */
+ return result;
+}
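Review bot: `taggedOnly` is appended as the eighth positional optional of the protobufServer Lua binding in the `@@ -260` hunk, so a configuration that only wants tagged-only export must still spell out timeout, maxQueuedEntries, reconnectWaitTime, maskV4, maskV6 and asyncConnect before it; a short comment on the writeFunction line recording that the positional order is the public contract would help users get it right. The bullet list added to settings.md in this same patch places taggedOnly before asyncConnect, whereas the lambda and the documented signature place it after, so the list should follow the lambda order. As with maskV4 and maskV6, the new value is read only inside the `if (!lci.protobufServer)` branch, so a second protobufServer() call that is rejected silently discards its taggedOnly; that matches the existing options but is worth stating in the same comment. The optional's value type is lost on this page, and loadRecursorLuaConfig starts outside this hunk.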
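Review bot: In the rec-protobuf.cc hunk, getPolicyTags already reads `count` yet grows `result` with repeated `push_back`, so `result.reserve(count);` before the loop avoids reallocation; the loop can equally be written as `result.assign(response.tags().begin(), response.tags().end());` using the repeated field's iterators. Both new accessors are undocumented; a header comment for each stating that it returns a copy, and that the result is empty both when no policy or tags were set and when built without HAVE_PROTOBUF, would tell callers that an empty result cannot distinguish "absent" from "unsupported". The element type of `std::vector` is missing on this page, presumably `std::vector<std::string>` as in setPolicyTags, but the markup was lost in extraction.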
diff --git a/pdns/rec-protobuf.hh b/pdns/rec-protobuf.hh
index 9b4b35a611..da5d81a8f1 100644
--- a/pdns/rec-protobuf.hh
+++ b/pdns/rec-protobuf.hh
@@ -46,5 +46,6 @@ public:
 void addRR(const DNSRecord& record);
 void setAppliedPolicy(const std::string& policy);
 void setPolicyTags(const std::vector& policyTags);
-
+ std::string getAppliedPolicy() const;
+ std::vector getPolicyTags() const;
 };
--
2.47.2
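Review bot: The two new declarations in the `public:` section carry no comment, and unlike the setters beside them they hand back copies; a one-line Doxygen comment per accessor, e.g. `/// Copy of the applied policy name; empty when none was set or protobuf support is compiled out` on getAppliedPolicy and the equivalent wording for getPolicyTags, would make the by-value contract visible to callers that only want to test for presence. The class definition starts outside this hunk.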