From: Otto <otto.moerbeek@open-xchange.com>
Date: Tue, 20 Jul 2021 12:07:20 +0000 (+0200)
Subject: Keep a count of per rpz (or filter) hits, by default only exported via
X-Git-Tag: dnsdist-1.7.0-alpha1~57^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2e15cbbadde68e5079e9e0f7af96c2fecf72c09a;p=thirdparty%2Fpdns.git

Keep a count of per rpz (or filter) hits, by default only exported via
Prometheus. After #10554 is merged the Promethus help info should be added
to this branch.
---

diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index f29d5a8285..fc76562901 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -1161,6 +1161,7 @@ static PolicyResult handlePolicyHit(const DNSFilterEngine::Policy& appliedPolicy
   /* don't account truncate actions for TCP queries, since they are not applied */
   if (appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::Truncate || !dc->d_tcp) {
     ++g_stats.policyResults[appliedPolicy.d_kind];
+    ++g_stats.policyHits[appliedPolicy.getName()];
   }
 
   if (sr.doLog() &&  appliedPolicy.d_type != DNSFilterEngine::PolicyType::None) {
@@ -5860,7 +5861,7 @@ int main(int argc, char **argv)
     for (size_t idx = 0; idx < 128; idx++) {
       defaultAPIDisabledStats += ", ecs-v6-response-bits-" + std::to_string(idx + 1);
     }
-    std::string defaultDisabledStats = defaultAPIDisabledStats + ", cumul-answers, cumul-auth4answers, cumul-auth6answers";
+    std::string defaultDisabledStats = defaultAPIDisabledStats + ", cumul-answers, cumul-auth4answers, cumul-auth6answers, policy-hits";
 
     ::arg().set("stats-api-blacklist", "List of statistics that are disabled when retrieving the complete list of statistics via the API (deprecated)")=defaultAPIDisabledStats;
     ::arg().set("stats-carbon-blacklist", "List of statistics that are prevented from being exported via Carbon (deprecated)")=defaultDisabledStats;
diff --git a/pdns/rec_channel_rec.cc b/pdns/rec_channel_rec.cc
index 1d30c41009..8b19663913 100644
--- a/pdns/rec_channel_rec.cc
+++ b/pdns/rec_channel_rec.cc
@@ -1145,7 +1145,6 @@ static StatsMap toCPUStatsMap(const string& name)
 {
   const string pbasename = getPrometheusName(name);
   StatsMap entries;
-
   for (unsigned int n = 0; n < g_numThreads; ++n) {
     uint64_t tm = doGetThreadCPUMsec(n);
     std::string pname = pbasename + "{thread=" + std::to_string(n) + '}';
@@ -1154,6 +1153,27 @@ static StatsMap toCPUStatsMap(const string& name)
   return entries;
 }
 
+static StatsMap toRPZStatsMap(const string& name, const std::unordered_map<std::string, std::atomic<uint64_t>>& map)
+{
+  const string pbasename = getPrometheusName(name);
+  StatsMap entries;
+
+  for (const auto& entry: map) {
+    auto &key = entry.first;
+    auto count = entry.second.load();
+    std::string sname, pname;
+    if (key.empty()) {
+      sname = name + "-filter";
+      pname = pbasename + "{type=\"filter\"}";
+    } else {
+      sname = name + "-rpz-" + key;
+      pname = pbasename + "{type=\"rpz\",zone=\"" + entry.first + "\"}";
+    }
+    entries.emplace(make_pair(sname, StatsMapEntry{pname, std::to_string(count)}));
+  }
+  return entries;
+}
+
 extern ResponseStats g_rs;
 
 static void registerAllStats1()
@@ -1410,6 +1430,9 @@ static void registerAllStats1()
   addGetStat("cumul-auth6answers", []() {
     return toStatsMap(g_stats.cumulativeAuth6Answers.getName(), g_stats.cumulativeAuth6Answers);
   });
+  addGetStat("policy-hits", []() {
+    return toRPZStatsMap("policy-hits", g_stats.policyHits);
+  });
 }
 
 void registerAllStats()
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index d55436b9f4..e484736429 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -2184,6 +2184,7 @@ void SyncRes::handlePolicyHit(const std::string& prefix, const DNSName& qname, c
   /* don't account truncate actions for TCP queries, since they are not applied */
   if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::Truncate || !d_queryReceivedOverTCP) {
     ++g_stats.policyResults[d_appliedPolicy.d_kind];
+    ++g_stats.policyHits[d_appliedPolicy.getName()];
   }
 
   if (d_appliedPolicy.d_type != DNSFilterEngine::PolicyType::None) {
diff --git a/pdns/syncres.hh b/pdns/syncres.hh
index 3df45df0ea..7bbadc4993 100644
--- a/pdns/syncres.hh
+++ b/pdns/syncres.hh
@@ -1072,6 +1072,7 @@ struct RecursorStats
   std::map<vState, std::atomic<uint64_t> > dnssecResults;
   std::map<vState, std::atomic<uint64_t> > xdnssecResults;
   std::map<DNSFilterEngine::PolicyKind, std::atomic<uint64_t> > policyResults;
+  std::unordered_map<std::string, std::atomic<uint64_t>> policyHits;
   std::atomic<uint64_t> rebalancedQueries{0};
   std::atomic<uint64_t> proxyProtocolInvalidCount{0};
   std::atomic<uint64_t> nodLookupsDroppedOversize{0};