From: Otto Moerbeek
Date: Mon, 17 Jun 2024 09:24:04 +0000 (+0200)
Subject: Add regression test for remote count when using proxy protocol
X-Git-Tag: rec-5.2.0-alpha0~17^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=264ee89e28dc6537836e840688a6d3d521291122;p=thirdparty%2Fpdns.git
Add regression test for remote count when using proxy protocol
---
diff --git a/pdns/recursordist/rec-tcp.cc b/pdns/recursordist/rec-tcp.cc
index 661be32fbe..386dd5060a 100644
--- a/pdns/recursordist/rec-tcp.cc
+++ b/pdns/recursordist/rec-tcp.cc
@@ -501,7 +501,7 @@ static void doProcessTCPQuestion(std::unique_ptr& comboWriter, s
 } // good query
 }
-static void handleRunningTCPQuestion(int fileDesc, FDMultiplexer::funcparam_t& var)
+static void handleRunningTCPQuestion(int fileDesc, FDMultiplexer::funcparam_t& var) // NOLINT(readability-function-cognitive-complexity)
 {
 auto conn = boost::any_cast>(var);
@@ -700,6 +700,9 @@ void handleNewTCPQuestion(int fileDesc, [[maybe_unused]] FDMultiplexer::funcpara
 socklen_t len = sizeof(destaddr);
 getsockname(newsock, reinterpret_cast(&destaddr), &len); // if this fails, we're ok with it NOLINT(cppcoreguidelines-pro-type-reinterpret-cast)
 bool fromProxyProtocolSource = expectProxyProtocol(addr, destaddr);
+ if (!fromProxyProtocolSource && t_remotes) {
+ t_remotes->push_back(addr);
+ }
 ComboAddress mappedSource = addr;
 if (!fromProxyProtocolSource && t_proxyMapping) {
 if (const auto* iter = t_proxyMapping->lookup(addr)) {
diff --git a/regression-tests.recursor-dnssec/test_ProxyProtocol.py b/regression-tests.recursor-dnssec/test_ProxyProtocol.py
index 5f100fe13e..78c88d025f 100644
--- a/regression-tests.recursor-dnssec/test_ProxyProtocol.py
+++ b/regression-tests.recursor-dnssec/test_ProxyProtocol.py
@@ -4,6 +4,7 @@ import socket
 import struct
 import sys
 import time
+import requests
 try:
 range = xrange
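Review bot: In the `@@ -700,6 +700,9 @@` hunk of rec-tcp.cc, the new `if (!fromProxyProtocolSource && t_remotes)` block carries no comment saying why proxied connections are skipped here or where they are counted instead. Nothing visible in this hunk records the client address for a connection that arrives from a proxy-protocol source, so presumably that happens once the PROXY header has been parsed, outside the hunk; anyone auditing the remotes ring needs that pointer. I would add `// Connections from a proxy-protocol source are not counted here: addr is the proxy, not the client` above the `if`. The push also sits before the proxy-mapping lookup that follows, and no allow-from check is visible ahead of it, so it is worth confirming that counting a peer this early is intended. handleNewTCPQuestion starts and ends outside the hunk.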
@@ -34,6 +35,10 @@ class ProxyProtocolRecursorTest(RecursorTest):
 class ProxyProtocolAllowedRecursorTest(ProxyProtocolRecursorTest):
 _confdir = 'ProxyProtocol'
+ _wsPort = 8042
+ _wsTimeout = 2
+ _wsPassword = 'secretpassword'
+ _apiKey = 'secretapikey'
 _lua_dns_script_file = """
 function gettag(remote, ednssubnet, localip, qname, qtype, ednsoptions, tcp, proxyProtocolValues)
@@ -134,7 +139,29 @@ class ProxyProtocolAllowedRecursorTest(ProxyProtocolRecursorTest):
 proxy-protocol-from=127.0.0.1
 proxy-protocol-maximum-size=512
 allow-from=127.0.0.0/24, ::1/128, ::42/128
-""" % ()
+ webserver=yes
+ webserver-port=%d
+ webserver-address=127.0.0.1
+ webserver-password=%s
+api-key=%s
+
+""" % (_wsPort, _wsPassword, _apiKey)
+
+ def checkStats(self, expected127001):
+ headers = {'x-api-key': self._apiKey}
+ url = 'http://127.0.0.1:' + str(self._wsPort) + '/jsonstat?command=get-remote-ring&name=remotes'
+ r = requests.get(url, headers=headers, timeout=self._wsTimeout)
+ self.assertTrue(r)
+ self.assertEqual(r.status_code, 200)
+ self.assertTrue(r.json())
+ content = r.json()
+ # We allow all kind of entries, but 127.0.0.1 must have the given value, due to the
+ # testLocalProxyProtocol test, which actually does not set a source address. If we see a
+ # higher value than expected, some ProxyProtocol clients were accounted as 127.0.0.1, which
+ # is not right as all other tests set a source addres other than 127.0.0.1
+ for entry in content['entries']:
+ if entry[1] == '127.0.0.1':
+ self.assertEqual(entry[0], expected127001)
 def testLocalProxyProtocol(self):
 qname = 'local.proxy-protocol.recursor-tests.powerdns.com.'
@@ -161,6 +188,7 @@ class ProxyProtocolAllowedRecursorTest(ProxyProtocolRecursorTest):
 res = dns.message.from_wire(data)
 self.assertRcodeEqual(res, dns.rcode.NOERROR)
 self.assertRRsetInAnswer(res, expected)
+ self.checkStats(1)
 # TCP
 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
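Review bot: In the `@@ -134,7 +139,29 @@` hunk, `checkStats` passes when the ring holds no entry for 127.0.0.1 at all, because the `assertEqual` only runs inside `if entry[1] == '127.0.0.1'`. Both callers pass a non-zero expectation (`checkStats(1)` and `checkStats(2)`), so a regression that stops counting non-proxied clients altogether would go unnoticed. Assuming the ring reports one aggregated entry per address, collect the matches and assert on the list: `counts = [e[0] for e in content['entries'] if e[1] == '127.0.0.1']` followed by `self.assertEqual(counts, [expected127001])`. A one-line docstring on `checkStats` saying that it reads the `remotes` ring through the web API and that `expected127001` is the count expected for 127.0.0.1 would also help the next reader.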
@@ -189,6 +217,7 @@ class ProxyProtocolAllowedRecursorTest(ProxyProtocolRecursorTest):
 res = dns.message.from_wire(data)
 self.assertRcodeEqual(res, dns.rcode.NOERROR)
 self.assertRRsetInAnswer(res, expected)
+ self.checkStats(2)
 def testInvalidMagicProxyProtocol(self):
 qname = 'invalid-magic.proxy-protocol.recursor-tests.powerdns.com.'