From: W.C.A. Wijngaards Date: Fri, 14 Feb 2020 08:03:09 +0000 (+0100) Subject: dnstap io, example.conf example, config_file entries for tcp and tls. X-Git-Tag: 1.11.0rc1~120^2~32 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=78e6060858fb189cf77e3a618d8cd0de880c2c6e;p=thirdparty%2Funbound.git dnstap io, example.conf example, config_file entries for tcp and tls. --- diff --git a/configure b/configure index e013dc5de..d66138c22 100755 --- a/configure +++ b/configure @@ -649,6 +649,7 @@ ENABLE_DNSCRYPT ENABLE_DNSCRYPT_XCHACHA20 DNSTAP_OBJ DNSTAP_SRC +DNSTAP_SOCKET_PATH opt_dnstap_socket_path ENABLE_DNSTAP PROTOC_C @@ -21038,6 +21039,8 @@ cat >>confdefs.h <<_ACEOF #define DNSTAP_SOCKET_PATH "$hdr_dnstap_socket_path" _ACEOF + DNSTAP_SOCKET_PATH="$hdr_dnstap_socket_path" + DNSTAP_SRC="dnstap/dnstap.c dnstap/dnstap.pb-c.c dnstap/dnstap_fstrm.c dnstap/dtstream.c" diff --git a/configure.ac b/configure.ac index 91f4cfbae..50daab3c2 100644 --- a/configure.ac +++ b/configure.ac @@ -1687,6 +1687,7 @@ dt_DNSTAP([$UNBOUND_RUN_DIR/dnstap.sock], ACX_ESCAPE_BACKSLASH($opt_dnstap_socket_path, hdr_dnstap_socket_path) AC_DEFINE_UNQUOTED(DNSTAP_SOCKET_PATH, ["$hdr_dnstap_socket_path"], [default dnstap socket path]) + AC_SUBST(DNSTAP_SOCKET_PATH,["$hdr_dnstap_socket_path"]) AC_SUBST([DNSTAP_SRC], ["dnstap/dnstap.c dnstap/dnstap.pb-c.c dnstap/dnstap_fstrm.c dnstap/dtstream.c"]) AC_SUBST([DNSTAP_OBJ], ["dnstap.lo dnstap.pb-c.lo dnstap_fstrm.lo dtstream.lo"]) diff --git a/dnstap/dtstream.c b/dnstap/dtstream.c index 3492c4380..4af83cd41 100644 --- a/dnstap/dtstream.c +++ b/dnstap/dtstream.c 
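Review bot: The new `AC_SUBST(DNSTAP_SOCKET_PATH,["$hdr_dnstap_socket_path"])` substitutes the value that ACX_ESCAPE_BACKSLASH produced for the C `#define`, not the raw `$opt_dnstap_socket_path` it was derived from on the line above. For an ordinary unix path the two are identical, but a path containing a backslash would presumably reach example.conf.in with the escaping intended for a C string literal. Substituting `$opt_dnstap_socket_path` instead keeps the conf example independent of the header escaping.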
@@ -244,41 +244,105 @@ void dt_io_thread_delete(struct dt_io_thread* dtio) int dt_io_thread_apply_cfg(struct dt_io_thread* dtio, struct config_file *cfg) { - /* - dtio->upstream_is_tcp = 1; - dtio->ip_str = strdup("127.0.0.1@1234"); - */ -#ifdef HAVE_SSL - dtio->upstream_is_tls = 1; - dtio->ip_str = strdup("127.0.0.1@1234"); - //dtio->tls_server_name; - dtio->use_client_certs = 0; - if(dtio->use_client_certs) { - //dtio->client_key_file = NULL; - //dtio->client_cert_file = NULL; - } else { - free(dtio->client_key_file); - dtio->client_key_file = NULL; - free(dtio->client_cert_file); - dtio->client_cert_file = NULL; - } - dtio->ssl_ctx = connect_sslctx_create(dtio->client_key_file, - dtio->client_cert_file, cfg->tls_cert_bundle, - cfg->tls_win_cert); - if(!dtio->ssl_ctx) { - log_err("could not setup SSL CTX"); + if(!cfg->dnstap) { + log_warn("cannot setup dnstap because dnstap-enable is no"); return 0; } - /* DEBUG */ - return 1; -#endif - if(cfg->dnstap_socket_path && cfg->dnstap_socket_path[0]) { + + /* what type of connectivity do we have */ + if(cfg->dnstap_ip && cfg->dnstap_ip[0]) { + if(cfg->dnstap_tls) + dtio->upstream_is_tls = 1; + else dtio->upstream_is_tcp = 1; + } else { + dtio->upstream_is_unix = 1; + } + + if(dtio->upstream_is_unix) { + if(!cfg->dnstap_socket_path || + cfg->dnstap_socket_path[0]==0) { + log_err("dnstap setup failed, because dnstap is " + "enabled, but no dnstap-ip and no " + "dnstap-socket-path are given"); + return 0; + } + free(dtio->socket_path); dtio->socket_path = strdup(cfg->dnstap_socket_path); if(!dtio->socket_path) { - log_err("malloc failure"); + log_err("dnstap setup: malloc failure"); return 0; } - dtio->upstream_is_unix = 1; + } + + if(dtio->upstream_is_tcp || dtio->upstream_is_tls) { + free(dtio->ip_str); + dtio->ip_str = strdup(cfg->dnstap_ip); + if(!dtio->ip_str) { + log_err("dnstap setup: malloc failure"); + return 0; + } + } + + if(dtio->upstream_is_tls) { +#ifdef HAVE_SSL + if(cfg->dnstap_tls_server_name && + 
cfg->dnstap_tls_server_name[0]) { + free(dtio->tls_server_name); + dtio->tls_server_name = strdup( + cfg->dnstap_tls_server_name); + if(!dtio->tls_server_name) { + log_err("dnstap setup: malloc failure"); + return 0; + } + } + if(cfg->dnstap_tls_client_key_file && + cfg->dnstap_tls_client_key_file[0]) { + dtio->use_client_certs = 1; + free(dtio->client_key_file); + dtio->client_key_file = strdup( + cfg->dnstap_tls_client_key_file); + if(!dtio->client_key_file) { + log_err("dnstap setup: malloc failure"); + return 0; + } + if(!cfg->dnstap_tls_client_cert_file || + cfg->dnstap_tls_client_cert_file[0]==0) { + log_err("dnstap setup: client key " + "authentication enabled with " + "dnstap-tls-client-key-file, but " + "no dnstap-tls-client-cert-file " + "is given"); + return 0; + } + free(dtio->client_cert_file); + dtio->client_cert_file = strdup( + cfg->dnstap_tls_client_cert_file); + if(!dtio->client_cert_file) { + log_err("dnstap setup: malloc failure"); + return 0; + } + } else { + dtio->use_client_certs = 0; + dtio->client_key_file = NULL; + dtio->client_cert_file = NULL; + } + + if(cfg->dnstap_tls_cert_bundle) { + dtio->ssl_ctx = connect_sslctx_create( + dtio->client_key_file, + dtio->client_cert_file, + cfg->dnstap_tls_cert_bundle, 0); + } else { + dtio->ssl_ctx = connect_sslctx_create( + dtio->client_key_file, + dtio->client_cert_file, + cfg->tls_cert_bundle, cfg->tls_win_cert); + } + if(!dtio->ssl_ctx) { + log_err("could not setup SSL CTX"); + return 0; + } +#endif /* HAVE_SSL */ } return 1; } diff --git a/doc/example.conf.in b/doc/example.conf.in index 4ce9348c2..ec1b1ac70 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in 
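Review bot: The `if(cfg->dnstap_tls_cert_bundle)` test near the end of dt_io_thread_apply_cfg only checks for NULL, while every other new option in this hunk is tested with `&& ...[0]`; if the parser stores `dnstap-tls-cert-bundle: ""` as an empty string (as the strdup-based setters in this commit suggest), the empty path is handed to connect_sslctx_create with tls_win_cert forced to 0 instead of falling back to the main bundle as example.conf documents, so the guard should read `if(cfg->dnstap_tls_cert_bundle && cfg->dnstap_tls_cert_bundle[0]) {`. The `else` branch for the no-client-key case assigns `dtio->client_key_file = NULL; dtio->client_cert_file = NULL;` without freeing, which leaks a previously applied value; the removed code freed them and the other branches free before strdup, so `free(dtio->client_key_file); dtio->client_key_file = NULL;` (and likewise for client_cert_file) keeps it consistent. When dnstap-tls is set but HAVE_SSL is not defined, `upstream_is_tls` is set and the function returns 1 with ssl_ctx untouched; an `#else` arm with `log_err("dnstap-tls is set, but unbound was compiled without SSL support"); return 0;` would report that instead of accepting a TLS destination that presumably cannot be used. The three upstream_is_* flags are only ever set here and never cleared, so re-applying a changed configuration to the same dtio would leave a stale mode set; worth a comment or an explicit reset if re-apply is a supported path.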
@@ -1016,6 +1016,38 @@ remote-control: # name-v6: "list-v6" # +# Dnstap logging support, if compiled in. To enable, set the dnstap-enable +# to yes and also some of dnstap-log-..-messages to yes. And select an +# upstream log destination, by socket path, TCP or TLS destination. +# dnstap: +# dnstap-enable: no +# dnstap-socket-path: "@DNSTAP_SOCKET_PATH@" +# # if "" use the unix socket in dnstap-socket-path, otherwise, +# # set it to "IPaddress[@port]" of the destination. +# dnstap-ip: "" +# # if set to yes if you want to use TLS to dnstap-ip, no for TCP. +# dnstap-tls: no +# # name for authenticating the upstream server. or "" disabled. +# dnstap-tls-server-name: "" +# # if "", it uses the cert bundle from the main unbound config. +# dnstap-tls-cert-bundle: "" +# # key file for client authentication, or "" disabled. +# dnstap-tls-client-key-file: "" +# # cert file for client authentication, or "" disabled. +# dnstap-tls-client-cert-file: "" +# dnstap-send-identity: no +# dnstap-send-version: no +# # if "" it uses the hostname. +# dnstap-identity: "" +# # if "" it uses the package version. +# dnstap-version: "" +# dnstap-log-resolver-query-messages: no +# dnstap-log-resolver-response-messages: no +# dnstap-log-client-query-messages: no +# dnstap-log-client-response-messages: no +# dnstap-log-forwarder-query-messages: no +# dnstap-log-forwarder-response-messages: no + # Response Policy Zones # RPZ policies. Applied in order of configuration. QNAME and Response IP # Address trigger are the only supported triggers. Supported actions are: diff --git a/util/config_file.c b/util/config_file.c index 52ca5a184..19a5a0bcd 100644 --- a/util/config_file.c +++ b/util/config_file.c 
@@ -632,6 +632,13 @@ int config_set_option(struct config_file* cfg, const char* opt,
 #ifdef USE_DNSTAP
 else S_YNO("dnstap-enable:", dnstap)
 else S_STR("dnstap-socket-path:", dnstap_socket_path)
+ else S_STR("dnstap-ip:", dnstap_ip)
+ else S_YNO("dnstap-tls:", dnstap_tls)
+ else S_STR("dnstap-tls-server-name:", dnstap_tls_server_name)
+ else S_STR("dnstap-tls-cert-bundle:", dnstap_tls_cert_bundle)
+ else S_STR("dnstap-tls-client-key-file:", dnstap_tls_client_key_file)
+ else S_STR("dnstap-tls-client-cert-file:",
+ dnstap_tls_client_cert_file)
 else S_YNO("dnstap-send-identity:", dnstap_send_identity)
 else S_YNO("dnstap-send-version:", dnstap_send_version)
 else S_STR("dnstap-identity:", dnstap_identity)
@@ -1039,6 +1046,14 @@ config_get_option(struct config_file* cfg, const char* opt,
 #ifdef USE_DNSTAP
 else O_YNO(opt, "dnstap-enable", dnstap)
 else O_STR(opt, "dnstap-socket-path", dnstap_socket_path)
+ else O_STR(opt, "dnstap-ip", dnstap_ip)
+ else O_YNO(opt, "dnstap-tls", dnstap_tls)
+ else O_STR(opt, "dnstap-tls-server-name", dnstap_tls_server_name)
+ else O_STR(opt, "dnstap-tls-cert-bundle", dnstap_tls_cert_bundle)
+ else O_STR(opt, "dnstap-tls-client-key-file",
+ dnstap_tls_client_key_file)
+ else O_STR(opt, "dnstap-tls-client-cert-file",
+ dnstap_tls_client_cert_file)
 else O_YNO(opt, "dnstap-send-identity", dnstap_send_identity)
 else O_YNO(opt, "dnstap-send-version", dnstap_send_version)
 else O_STR(opt, "dnstap-identity", dnstap_identity)
@@ -1458,6 +1473,11 @@ config_delete(struct config_file* cfg)
 free(cfg->dns64_prefix);
 config_delstrlist(cfg->dns64_ignore_aaaa);
 free(cfg->dnstap_socket_path);
+ free(cfg->dnstap_ip);
+ free(cfg->dnstap_tls_server_name);
+ free(cfg->dnstap_tls_cert_bundle);
+ free(cfg->dnstap_tls_client_key_file);
+ free(cfg->dnstap_tls_client_cert_file);
 free(cfg->dnstap_identity);
 free(cfg->dnstap_version);
 config_deldblstrlist(cfg->ratelimit_for_domain);
diff --git a/util/config_file.h b/util/config_file.h
index 8739ca2ae..548fd9335 100644
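Review bot: The five new options are wired into config_set_option, config_get_option and config_delete, but this diff does not touch the config-file lexer/parser tables, so unless that lives in a commit not shown here a `dnstap-ip:` line in the config file would still be rejected while the set_option path accepts it. config_delete now frees the new char* fields unconditionally, which is only safe if config_create zero-initialises them; that function is outside this diff and worth confirming. A minor style point: `dnstap-tls-client-key-file` is kept on one line in the S_STR table but wrapped in the O_STR table; wrapping both the same way keeps the two tables aligned.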
--- a/util/config_file.h
+++ b/util/config_file.h
@@ -474,6 +474,18 @@ struct config_file {
 int dnstap;
 /** dnstap socket path */
 char* dnstap_socket_path;
+ /** dnstap IP */
+ char* dnstap_ip;
+ /** dnstap TLS enable */
+ int dnstap_tls;
+ /** dnstap tls server authentication name */
+ char* dnstap_tls_server_name;
+ /** dnstap server cert bundle */
+ char* dnstap_tls_cert_bundle;
+ /** dnstap client key for client authentication */
+ char* dnstap_tls_client_key_file;
+ /** dnstap client cert for client authentication */
+ char* dnstap_tls_client_cert_file;
 /** true to send "identity" via dnstap */
 int dnstap_send_identity;
 /** true to send "version" via dnstap */
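Review bot: The new field comments restate the field names without the value semantics the rest of this commit relies on, and struct config_file is cut at both ends of the hunk. Suggested wording, matching the example.conf text in the same commit: `/** dnstap destination as "IPaddress[@port]"; NULL or "" selects the unix socket in dnstap_socket_path */` for dnstap_ip, `/** use TLS (rather than plain TCP) to dnstap_ip */` for dnstap_tls, and `/** CA bundle for verifying the dnstap server; "" falls back to tls_cert_bundle */` for dnstap_tls_cert_bundle. For the two client-auth paths, a note that the key file requires the cert file would help, since dt_io_thread_apply_cfg rejects a key without a cert but silently ignores a cert without a key.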