From: W.C.A. Wijngaards Date: Wed, 23 Mar 2022 12:56:52 +0000 (+0100) Subject: - Fix #651: [FR] Better logging for refused queries. X-Git-Tag: release-1.16.0rc1~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=722391baf163d09d299ad2467843da0e231b1c5e;p=thirdparty%2Funbound.git - Fix #651: [FR] Better logging for refused queries. --- diff --git a/daemon/acl_list.c b/daemon/acl_list.c index 84324575e..aecb3e0c6 100644 --- a/daemon/acl_list.c +++ b/daemon/acl_list.c @@ -487,3 +487,38 @@ acl_list_get_mem(struct acl_list* acl) if(!acl) return 0; return sizeof(*acl) + regional_get_mem(acl->region); } + +const char* acl_access_to_str(enum acl_access acl) +{ + switch(acl) { + case acl_deny: return "deny"; + case acl_refuse: return "refuse"; + case acl_deny_non_local: return "deny_non_local"; + case acl_refuse_non_local: return "refuse_non_local"; + case acl_allow: return "allow"; + case acl_allow_snoop: return "allow_snoop"; + case acl_allow_setrd: return "allow_setrd"; + default: break; + } + return "unknown"; +} + +void +log_acl_action(const char* action, struct sockaddr_storage* addr, + socklen_t addrlen, enum acl_access acl, struct acl_addr* acladdr) +{ + char a[128], n[128]; + uint16_t port; + addr_to_str(addr, addrlen, a, sizeof(a)); + port = ntohs(((struct sockaddr_in*)addr)->sin_port); + if(acladdr) { + addr_to_str(&acladdr->node.addr, acladdr->node.addrlen, + n, sizeof(n)); + verbose(VERB_ALGO, "%s query from %s port %d because of " + "%s/%d %s", action, a, (int)port, n, acladdr->node.net, + acl_access_to_str(acl)); + } else { + verbose(VERB_ALGO, "%s query from %s port %d", action, a, + (int)port); + } +} diff --git a/daemon/acl_list.h b/daemon/acl_list.h index 3a3b94bc5..c09e832a1 100644 --- a/daemon/acl_list.h +++ b/daemon/acl_list.h @@ -154,4 +154,15 @@ acl_addr_lookup(struct acl_list* acl, struct sockaddr_storage* addr, */ size_t acl_list_get_mem(struct acl_list* acl); +/* + * Get string for acl access specification + * @param acl: access type value + * @return string + */ +const char* acl_access_to_str(enum acl_access acl); + +/* log acl and addr for action */ +void log_acl_action(const char* action, struct sockaddr_storage* addr, + socklen_t addrlen, enum acl_access acl, struct acl_addr* acladdr); + #endif /* DAEMON_ACL_LIST_H */ diff --git a/daemon/worker.c b/daemon/worker.c index 863cd7a35..7209bc4cd 100644 --- a/daemon/worker.c +++ b/daemon/worker.c @@ -1013,17 +1013,25 @@ answer_notify(struct worker* w, struct query_info* qinfo, static int deny_refuse(struct comm_point* c, enum acl_access acl, enum acl_access deny, enum acl_access refuse, - struct worker* worker, struct comm_reply* repinfo) + struct worker* worker, struct comm_reply* repinfo, + struct acl_addr* acladdr) { if(acl == deny) { + if(verbosity >= VERB_ALGO) { + log_acl_action("dropped", &repinfo->addr, + repinfo->addrlen, acl, acladdr); + log_buf(VERB_ALGO, "dropped", c->buffer); + } comm_point_drop_reply(repinfo); if(worker->stats.extended) worker->stats.unwanted_queries++; return 0; } else if(acl == refuse) { - log_addr(VERB_ALGO, "refused query from", - &repinfo->addr, repinfo->addrlen); - log_buf(VERB_ALGO, "refuse", c->buffer); + if(verbosity >= VERB_ALGO) { + log_acl_action("refused", &repinfo->addr, + repinfo->addrlen, acl, acladdr); + log_buf(VERB_ALGO, "refuse", c->buffer); + } if(worker->stats.extended) worker->stats.unwanted_queries++; if(worker_check_request(c->buffer, worker) == -1) { @@ -1046,16 +1054,20 @@ deny_refuse(struct comm_point* c, enum acl_access acl, static int deny_refuse_all(struct comm_point* c, enum acl_access acl, - struct worker* worker, struct comm_reply* repinfo) + struct worker* worker, struct comm_reply* repinfo, + struct acl_addr* acladdr) { - return deny_refuse(c, acl, acl_deny, acl_refuse, worker, repinfo); + return deny_refuse(c, acl, acl_deny, acl_refuse, worker, repinfo, + acladdr); } static int deny_refuse_non_local(struct comm_point* c, enum acl_access acl, - struct worker* worker, struct comm_reply* repinfo) + struct worker* worker, struct comm_reply* repinfo, + struct acl_addr* acladdr) { - return deny_refuse(c, acl, acl_deny_non_local, acl_refuse_non_local, worker, repinfo); + return deny_refuse(c, acl, acl_deny_non_local, acl_refuse_non_local, + worker, repinfo, acladdr); } int @@ -1147,7 +1159,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error, acladdr = acl_addr_lookup(worker->daemon->acl, &repinfo->addr, repinfo->addrlen); acl = acl_get_control(acladdr); - if((ret=deny_refuse_all(c, acl, worker, repinfo)) != -1) + if((ret=deny_refuse_all(c, acl, worker, repinfo, acladdr)) != -1) { if(ret == 1) goto send_reply; @@ -1367,7 +1379,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error, /* We've looked in our local zones. If the answer isn't there, we * might need to bail out based on ACLs now. */ - if((ret=deny_refuse_non_local(c, acl, worker, repinfo)) != -1) + if((ret=deny_refuse_non_local(c, acl, worker, repinfo, acladdr)) != -1) { regional_free_all(worker->scratchpad); if(ret == 1) diff --git a/doc/Changelog b/doc/Changelog index 3d57479e7..ea01a80a9 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +23 March 2022: Wouter + - Fix #651: [FR] Better logging for refused queries. + 18 March 2022: George - Merge PR #648 from eaglegai: fix -q doesn't work when use with 'unbound-control stats_shm'.