Keep a count of per rpz (or filter) hits, by default only exported via

Prometheus. After #10554 is merged the Promethus help info should be added
to this branch.

diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index f29d5a8285d161956b23e3f9064656858d3134cb..fc765629018cff73bb2da3db645b24fd0846caf3 100644 (file)
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -1161,6 +1161,7 @@ static PolicyResult handlePolicyHit(const DNSFilterEngine::Policy& appliedPolicy
   /* don't account truncate actions for TCP queries, since they are not applied */
   if (appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::Truncate || !dc->d_tcp) {
     ++g_stats.policyResults[appliedPolicy.d_kind];
+    ++g_stats.policyHits[appliedPolicy.getName()];
   }
 
   if (sr.doLog() &&  appliedPolicy.d_type != DNSFilterEngine::PolicyType::None) {
@@ -5860,7 +5861,7 @@ int main(int argc, char **argv)
     for (size_t idx = 0; idx < 128; idx++) {
       defaultAPIDisabledStats += ", ecs-v6-response-bits-" + std::to_string(idx + 1);
     }
-    std::string defaultDisabledStats = defaultAPIDisabledStats + ", cumul-answers, cumul-auth4answers, cumul-auth6answers";
+    std::string defaultDisabledStats = defaultAPIDisabledStats + ", cumul-answers, cumul-auth4answers, cumul-auth6answers, policy-hits";
 
     ::arg().set("stats-api-blacklist", "List of statistics that are disabled when retrieving the complete list of statistics via the API (deprecated)")=defaultAPIDisabledStats;
     ::arg().set("stats-carbon-blacklist", "List of statistics that are prevented from being exported via Carbon (deprecated)")=defaultDisabledStats;

diff --git a/pdns/rec_channel_rec.cc b/pdns/rec_channel_rec.cc
index 1d30c41009a357e0706324747de99496cbba2061..8b19663913ad0ee2efdd062526addfac10ed14a2 100644 (file)
--- a/pdns/rec_channel_rec.cc
+++ b/pdns/rec_channel_rec.cc
@@ -1145,7 +1145,6 @@ static StatsMap toCPUStatsMap(const string& name)
 {
   const string pbasename = getPrometheusName(name);
   StatsMap entries;
-
   for (unsigned int n = 0; n < g_numThreads; ++n) {
     uint64_t tm = doGetThreadCPUMsec(n);
     std::string pname = pbasename + "{thread=" + std::to_string(n) + '}';
@@ -1154,6 +1153,27 @@ static StatsMap toCPUStatsMap(const string& name)
   return entries;
 }
 
+static StatsMap toRPZStatsMap(const string& name, const std::unordered_map<std::string, std::atomic<uint64_t>>& map)
+{
+  const string pbasename = getPrometheusName(name);
+  StatsMap entries;
+
+  for (const auto& entry: map) {
+    auto &key = entry.first;
+    auto count = entry.second.load();
+    std::string sname, pname;
+    if (key.empty()) {
+      sname = name + "-filter";
+      pname = pbasename + "{type=\"filter\"}";
+    } else {
+      sname = name + "-rpz-" + key;
+      pname = pbasename + "{type=\"rpz\",zone=\"" + entry.first + "\"}";
+    }
+    entries.emplace(make_pair(sname, StatsMapEntry{pname, std::to_string(count)}));
+  }
+  return entries;
+}
+
 extern ResponseStats g_rs;
 
 static void registerAllStats1()
@@ -1410,6 +1430,9 @@ static void registerAllStats1()
   addGetStat("cumul-auth6answers", []() {
     return toStatsMap(g_stats.cumulativeAuth6Answers.getName(), g_stats.cumulativeAuth6Answers);
   });
+  addGetStat("policy-hits", []() {
+    return toRPZStatsMap("policy-hits", g_stats.policyHits);
+  });
 }
 
 void registerAllStats()

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index d55436b9f4e22619e1c962c805790303b2f366a7..e484736429cf96a2cde1a2f8c3697a66caf8f895 100644 (file)
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -2184,6 +2184,7 @@ void SyncRes::handlePolicyHit(const std::string& prefix, const DNSName& qname, c
   /* don't account truncate actions for TCP queries, since they are not applied */
   if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::Truncate || !d_queryReceivedOverTCP) {
     ++g_stats.policyResults[d_appliedPolicy.d_kind];
+    ++g_stats.policyHits[d_appliedPolicy.getName()];
   }
 
   if (d_appliedPolicy.d_type != DNSFilterEngine::PolicyType::None) {

diff --git a/pdns/syncres.hh b/pdns/syncres.hh
index 3df45df0ea5f893f71a7397a130312f3228c7a41..7bbadc4993de5520791a32213d0812de72829d19 100644 (file)
--- a/pdns/syncres.hh
+++ b/pdns/syncres.hh
@@ -1072,6 +1072,7 @@ struct RecursorStats
   std::map<vState, std::atomic<uint64_t> > dnssecResults;
   std::map<vState, std::atomic<uint64_t> > xdnssecResults;
   std::map<DNSFilterEngine::PolicyKind, std::atomic<uint64_t> > policyResults;
+  std::unordered_map<std::string, std::atomic<uint64_t>> policyHits;
   std::atomic<uint64_t> rebalancedQueries{0};
   std::atomic<uint64_t> proxyProtocolInvalidCount{0};
   std::atomic<uint64_t> nodLookupsDroppedOversize{0};