dnsdist: Refactoring of the configuration

pdns/credentials.cc

@@ -56,10 +56,6 @@ static std::string const pwhash_prefix = "$scrypt$";
 static size_t const pwhash_prefix_size = pwhash_prefix.size();
 #endif
 
-uint64_t const CredentialsHolder::s_defaultWorkFactor{1024U}; /* N */
-uint64_t const CredentialsHolder::s_defaultParallelFactor{1U}; /* p */
-uint64_t const CredentialsHolder::s_defaultBlockSize{8U}; /* r */
-
 SensitiveData::SensitiveData(std::string&& data) :
   d_data(std::move(data))
 {

pdns/credentials.hh

@@ -81,9 +81,9 @@ public:
   static bool isHashingAvailable();
   static SensitiveData readFromTerminal();
 
-  static uint64_t const s_defaultWorkFactor;
-  static uint64_t const s_defaultParallelFactor;
-  static uint64_t const s_defaultBlockSize;
+  static uint64_t constexpr s_defaultWorkFactor{1024U}; /* N */
+  static uint64_t constexpr s_defaultParallelFactor{1U}; /* p */
+  static uint64_t constexpr s_defaultBlockSize{8U}; /* r */
 
 private:
   SensitiveData d_credentials;

pdns/dnsdistdist/Makefile.am

@@ -144,23 +144,27 @@ dnsdist_SOURCES = \
 	dns.cc dns.hh \
 	dns_random.hh \
 	dnscrypt.cc dnscrypt.hh \
+	dnsdist-actions.hh \
 	dnsdist-async.cc dnsdist-async.hh \
-	dnsdist-backend.cc \
+	dnsdist-backend.cc dnsdist-backend.hh \
 	dnsdist-backoff.hh \
 	dnsdist-cache.cc dnsdist-cache.hh \
 	dnsdist-carbon.cc dnsdist-carbon.hh \
 	dnsdist-concurrent-connections.hh \
+	dnsdist-configuration.cc dnsdist-configuration.hh \
 	dnsdist-console.cc dnsdist-console.hh \
 	dnsdist-crypto.cc dnsdist-crypto.hh \
 	dnsdist-discovery.cc dnsdist-discovery.hh \
 	dnsdist-dnscrypt.cc \
 	dnsdist-dnsparser.cc dnsdist-dnsparser.hh \
+	dnsdist-dnsquestion.cc \
 	dnsdist-doh-common.cc dnsdist-doh-common.hh \
 	dnsdist-downstream-connection.hh \
 	dnsdist-dynblocks.cc dnsdist-dynblocks.hh \
 	dnsdist-dynbpf.cc dnsdist-dynbpf.hh \
 	dnsdist-ecs.cc dnsdist-ecs.hh \
 	dnsdist-edns.cc dnsdist-edns.hh \
+	dnsdist-frontend.cc dnsdist-frontend.hh \
 	dnsdist-healthchecks.cc dnsdist-healthchecks.hh \
 	dnsdist-idstate.cc dnsdist-idstate.hh \
 	dnsdist-internal-queries.cc dnsdist-internal-queries.hh \
@@ -194,6 +198,7 @@ dnsdist_SOURCES = \
 	dnsdist-protobuf.cc dnsdist-protobuf.hh \
 	dnsdist-protocols.cc dnsdist-protocols.hh \
 	dnsdist-proxy-protocol.cc dnsdist-proxy-protocol.hh \
+	dnsdist-query-count.hh dnsdist-query-count.cc \
 	dnsdist-random.cc dnsdist-random.hh \
 	dnsdist-resolver.cc dnsdist-resolver.hh \
 	dnsdist-rings.cc dnsdist-rings.hh \
@@ -270,18 +275,21 @@ testrunner_SOURCES = \
 	dns.cc dns.hh \
 	dnscrypt.cc dnscrypt.hh \
 	dnsdist-async.cc dnsdist-async.hh \
-	dnsdist-backend.cc \
+	dnsdist-backend.cc dnsdist-backend.hh \
 	dnsdist-backoff.hh \
 	dnsdist-cache.cc dnsdist-cache.hh \
 	dnsdist-concurrent-connections.hh \
+	dnsdist-configuration.cc dnsdist-configuration.hh \
 	dnsdist-crypto.cc dnsdist-crypto.hh \
 	dnsdist-dnsparser.cc dnsdist-dnsparser.hh \
+	dnsdist-dnsquestion.cc \
 	dnsdist-doh-common.cc dnsdist-doh-common.hh \
 	dnsdist-downstream-connection.hh \
 	dnsdist-dynblocks.cc dnsdist-dynblocks.hh \
 	dnsdist-dynbpf.cc dnsdist-dynbpf.hh \
 	dnsdist-ecs.cc dnsdist-ecs.hh \
 	dnsdist-edns.cc dnsdist-edns.hh \
+	dnsdist-frontend.cc dnsdist-frontend.hh \
 	dnsdist-idstate.cc dnsdist-idstate.hh \
 	dnsdist-kvs.cc dnsdist-kvs.hh \
 	dnsdist-lbpolicies.cc dnsdist-lbpolicies.hh \
@@ -547,7 +555,9 @@ fuzz_target_dnsdistcache_SOURCES = \
 	channel.hh channel.cc \
 	dns.cc dns.hh \
 	dnsdist-cache.cc dnsdist-cache.hh \
+	dnsdist-configuration.cc dnsdist-configuration.hh \
 	dnsdist-dnsparser.cc dnsdist-dnsparser.hh \
+	dnsdist-dnsquestion.cc \
 	dnsdist-ecs.cc dnsdist-ecs.hh \
 	dnsdist-idstate.hh \
 	dnsdist-protocols.cc dnsdist-protocols.hh \

pdns/dnsdistdist/dnscrypt.cc

@@ -873,7 +873,7 @@ int DNSCryptContext::encryptQuery(PacketBuffer& packet, size_t maximumSize, cons
 bool generateDNSCryptCertificate(const std::string& providerPrivateKeyFile, uint32_t serial, time_t begin, time_t end, DNSCryptExchangeVersion version, DNSCryptCert& certOut, DNSCryptPrivateKey& keyOut)
 {
   bool success = false;
-  DNSCryptCertSignedData::ResolverPrivateKeyType providerPrivateKey;
+  DNSCryptCertSignedData::ResolverPrivateKeyType providerPrivateKey{};
   sodium_mlock(providerPrivateKey.data(), providerPrivateKey.size());
   sodium_memzero(providerPrivateKey.data(), providerPrivateKey.size());
 

pdns/dnsdistdist/dnscrypt.hh

@@ -259,7 +259,7 @@ public:
   void getCertificateResponse(time_t now, PacketBuffer& response) const;
   int encryptResponse(PacketBuffer& response, size_t maxResponseSize, bool tcp);
 
-  static const size_t s_minUDPLength = 256;
+  static constexpr size_t s_minUDPLength = 256;
 
 private:
   static void fillServerNonce(DNSCryptNonceType& nonce);

pdns/dnsdistdist/dnsdist-actions.hh

@@ -0,0 +1,128 @@
+/*
+ * This file is part of PowerDNS or dnsdist.
+ * Copyright -- PowerDNS.COM B.V. and its contributors
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * In addition, for the avoidance of any doubt, permission is granted to
+ * link this program with OpenSSL and to (re)distribute the binaries
+ * produced as the result of such linking.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#pragma once
+
+/* so what could you do:
+   drop,
+   fake up nxdomain,
+   provide actual answer,
+   allow & and stop processing,
+   continue processing,
+   modify header:    (servfail|refused|notimp), set TC=1,
+   send to pool */
+
+struct DNSQuestion;
+struct DNSResponse;
+
+class DNSAction
+{
+public:
+  enum class Action : uint8_t
+  {
+    Drop,
+    Nxdomain,
+    Refused,
+    Spoof,
+    Allow,
+    HeaderModify,
+    Pool,
+    Delay,
+    Truncate,
+    ServFail,
+    None,
+    NoOp,
+    NoRecurse,
+    SpoofRaw,
+    SpoofPacket,
+    SetTag,
+  };
+  static std::string typeToString(const Action& action)
+  {
+    switch (action) {
+    case Action::Drop:
+      return "Drop";
+    case Action::Nxdomain:
+      return "Send NXDomain";
+    case Action::Refused:
+      return "Send Refused";
+    case Action::Spoof:
+      return "Spoof an answer";
+    case Action::SpoofPacket:
+      return "Spoof a raw answer from bytes";
+    case Action::SpoofRaw:
+      return "Spoof an answer from raw bytes";
+    case Action::Allow:
+      return "Allow";
+    case Action::HeaderModify:
+      return "Modify the header";
+    case Action::Pool:
+      return "Route to a pool";
+    case Action::Delay:
+      return "Delay";
+    case Action::Truncate:
+      return "Truncate over UDP";
+    case Action::ServFail:
+      return "Send ServFail";
+    case Action::SetTag:
+      return "Set Tag";
+    case Action::None:
+    case Action::NoOp:
+      return "Do nothing";
+    case Action::NoRecurse:
+      return "Set rd=0";
+    }
+
+    return "Unknown";
+  }
+
+  virtual Action operator()(DNSQuestion*, std::string* ruleresult) const = 0;
+  virtual ~DNSAction() = default;
+  virtual std::string toString() const = 0;
+  virtual std::map<std::string, double> getStats() const
+  {
+    return {{}};
+  }
+  virtual void reload()
+  {
+  }
+};
+
+class DNSResponseAction
+{
+public:
+  enum class Action : uint8_t
+  {
+    Allow,
+    Delay,
+    Drop,
+    HeaderModify,
+    ServFail,
+    Truncate,
+    None
+  };
+  virtual Action operator()(DNSResponse*, std::string* ruleresult) const = 0;
+  virtual ~DNSResponseAction() = default;
+  virtual std::string toString() const = 0;
+  virtual void reload()
+  {
+  }
+};

pdns/dnsdistdist/dnsdist-async.cc

@@ -22,6 +22,7 @@
 #include "dnsdist-async.hh"
 #include "dnsdist-internal-queries.hh"
 #include "dolog.hh"
+#include "mplexer.hh"
 #include "threadname.hh"
 
 namespace dnsdist
@@ -222,8 +223,7 @@ static bool resumeResponse(std::unique_ptr<CrossProtocolQuery>&& response)
     auto& ids = response->query.d_idstate;
     DNSResponse dnsResponse = response->getDR();
 
-    LocalHolders holders;
-    auto result = processResponseAfterRules(response->query.d_buffer, *holders.cacheInsertedRespRuleActions, dnsResponse, ids.cs->muted);
+    auto result = processResponseAfterRules(response->query.d_buffer, dnsResponse, ids.cs->muted);
     if (!result) {
       /* easy */
       return true;
@@ -284,9 +284,8 @@ bool resumeQuery(std::unique_ptr<CrossProtocolQuery>&& query)
   }
 
   DNSQuestion dnsQuestion = query->getDQ();
-  LocalHolders holders;
 
-  auto result = processQueryAfterRules(dnsQuestion, holders, query->downstream);
+  auto result = processQueryAfterRules(dnsQuestion, query->downstream);
   if (result == ProcessQueryResult::Drop) {
     /* easy */
     return true;

pdns/dnsdistdist/dnsdist-async.hh

@@ -59,7 +59,7 @@ private:
     uint16_t d_queryID;
   };
 
-  typedef multi_index_container<
+  using content_t = multi_index_container<
     Entry,
     indexed_by<
       ordered_unique<tag<IDTag>,
@@ -68,8 +68,7 @@ private:
                        member<Entry, uint16_t, &Entry::d_queryID>,
                        member<Entry, uint16_t, &Entry::d_asyncID>>>,
       ordered_non_unique<tag<TTDTag>,
-                         member<Entry, struct timeval, &Entry::d_ttd>>>>
-    content_t;
+                         member<Entry, struct timeval, &Entry::d_ttd>>>>;
 
   static void pickupExpired(content_t&, const struct timeval& now, std::list<std::pair<uint16_t, std::unique_ptr<CrossProtocolQuery>>>& expiredEvents);
   static struct timeval getNextTTD(const content_t&);