unbound / 722391b
- Fix #651: [FR] Better logging for refused queries. W.C.A. Wijngaards 2 years ago
4 changed file(s) with 73 addition(s) and 12 deletion(s).
486486 if(!acl) return 0;
487487 return sizeof(*acl) + regional_get_mem(acl->region);
488488 }
489
490 const char* acl_access_to_str(enum acl_access acl)
491 {
492 switch(acl) {
493 case acl_deny: return "deny";
494 case acl_refuse: return "refuse";
495 case acl_deny_non_local: return "deny_non_local";
496 case acl_refuse_non_local: return "refuse_non_local";
497 case acl_allow: return "allow";
498 case acl_allow_snoop: return "allow_snoop";
499 case acl_allow_setrd: return "allow_setrd";
500 default: break;
501 }
502 return "unknown";
503 }
504
505 void
506 log_acl_action(const char* action, struct sockaddr_storage* addr,
507 socklen_t addrlen, enum acl_access acl, struct acl_addr* acladdr)
508 {
509 char a[128], n[128];
510 uint16_t port;
511 addr_to_str(addr, addrlen, a, sizeof(a));
512 port = ntohs(((struct sockaddr_in*)addr)->sin_port);
513 if(acladdr) {
514 addr_to_str(&acladdr->node.addr, acladdr->node.addrlen,
515 n, sizeof(n));
516 verbose(VERB_ALGO, "%s query from %s port %d because of "
517 "%s/%d %s", action, a, (int)port, n, acladdr->node.net,
518 acl_access_to_str(acl));
519 } else {
520 verbose(VERB_ALGO, "%s query from %s port %d", action, a,
521 (int)port);
522 }
523 }
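Review bot: The else branch of log_acl_action (new lines 519-522) drops the `acl` value, so when no access-control entry is passed in the log line gives the action, address and port but not the policy that decided it. `acl` is already a parameter, so that branch can report it too, e.g. `verbose(VERB_ALGO, "%s query from %s port %d, no acl entry matched, %s", action, a, (int)port, acl_access_to_str(acl));`. When acladdr is actually NULL is not visible on this page; presumably it is when the caller's lookup finds no entry. Separately, the port is read through a `struct sockaddr_in*` cast whatever the address family, and a short comment saying this relies on sin_port and sin6_port sharing an offset would help the next reader.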
153153 */
154154 size_t acl_list_get_mem(struct acl_list* acl);
155155
156 /*
157 * Get string for acl access specification
158 * @param acl: access type value
159 * @return string
160 */
161 const char* acl_access_to_str(enum acl_access acl);
162
163 /* log acl and addr for action */
164 void log_acl_action(const char* action, struct sockaddr_storage* addr,
165 socklen_t addrlen, enum acl_access acl, struct acl_addr* acladdr);
166
156167 #endif /* DAEMON_ACL_LIST_H */
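Review bot: The comment on log_acl_action (new line 163) does not say that `acladdr` may be NULL, although the implementation tests for it and shortens the message in that case, nor that `action` is printed as the leading word of the log line. I would expand it to the `@param` form already used for acl_access_to_str just above, for example `@param acladdr: matching acl entry, or NULL; with NULL only the source address and port are logged`. Both new comments open with `/*`; if the rest of this header uses `/**` for Doxygen, they should match it.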
10121012 static int
10131013 deny_refuse(struct comm_point* c, enum acl_access acl,
10141014 enum acl_access deny, enum acl_access refuse,
1015 struct worker* worker, struct comm_reply* repinfo)
1015 struct worker* worker, struct comm_reply* repinfo,
1016 struct acl_addr* acladdr)
10161017 {
10171018 if(acl == deny) {
1019 if(verbosity >= VERB_ALGO) {
1020 log_acl_action("dropped", &repinfo->addr,
1021 repinfo->addrlen, acl, acladdr);
1022 log_buf(VERB_ALGO, "dropped", c->buffer);
1023 }
10181024 comm_point_drop_reply(repinfo);
10191025 if(worker->stats.extended)
10201026 worker->stats.unwanted_queries++;
10211027 return 0;
10221028 } else if(acl == refuse) {
1023 log_addr(VERB_ALGO, "refused query from",
1024 &repinfo->addr, repinfo->addrlen);
1025 log_buf(VERB_ALGO, "refuse", c->buffer);
1029 if(verbosity >= VERB_ALGO) {
1030 log_acl_action("refused", &repinfo->addr,
1031 repinfo->addrlen, acl, acladdr);
1032 log_buf(VERB_ALGO, "refuse", c->buffer);
1033 }
10261034 if(worker->stats.extended)
10271035 worker->stats.unwanted_queries++;
10281036 if(worker_check_request(c->buffer, worker) == -1) {
10451053
10461054 static int
10471055 deny_refuse_all(struct comm_point* c, enum acl_access acl,
1048 struct worker* worker, struct comm_reply* repinfo)
1049 {
1050 return deny_refuse(c, acl, acl_deny, acl_refuse, worker, repinfo);
1056 struct worker* worker, struct comm_reply* repinfo,
1057 struct acl_addr* acladdr)
1058 {
1059 return deny_refuse(c, acl, acl_deny, acl_refuse, worker, repinfo,
1060 acladdr);
10511061 }
10521062
10531063 static int
10541064 deny_refuse_non_local(struct comm_point* c, enum acl_access acl,
1055 struct worker* worker, struct comm_reply* repinfo)
1056 {
1057 return deny_refuse(c, acl, acl_deny_non_local, acl_refuse_non_local, worker, repinfo);
1065 struct worker* worker, struct comm_reply* repinfo,
1066 struct acl_addr* acladdr)
1067 {
1068 return deny_refuse(c, acl, acl_deny_non_local, acl_refuse_non_local,
1069 worker, repinfo, acladdr);
10581070 }
10591071
10601072 int
11461158 acladdr = acl_addr_lookup(worker->daemon->acl, &repinfo->addr,
11471159 repinfo->addrlen);
11481160 acl = acl_get_control(acladdr);
1149 if((ret=deny_refuse_all(c, acl, worker, repinfo)) != -1)
1161 if((ret=deny_refuse_all(c, acl, worker, repinfo, acladdr)) != -1)
11501162 {
11511163 if(ret == 1)
11521164 goto send_reply;
13661378
13671379 /* We've looked in our local zones. If the answer isn't there, we
13681380 * might need to bail out based on ACLs now. */
1369 if((ret=deny_refuse_non_local(c, acl, worker, repinfo)) != -1)
1381 if((ret=deny_refuse_non_local(c, acl, worker, repinfo, acladdr)) != -1)
13701382 {
13711383 regional_free_all(worker->scratchpad);
13721384 if(ret == 1)
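Review bot: The deny branch of deny_refuse (new lines 1019-1023) now writes two log entries for every dropped packet, where the old code dropped silently, and nothing at that spot records that this is intended or how it is bounded. Senders in a denied range are untrusted, and for UDP queries the logged source address is only what the packet claimed, so at this verbosity both log volume and log content follow traffic the operator does not control. A comment above the guard would cover it, for instance `/* only at VERB_ALGO and up: one entry per dropped packet; source address is unverified for UDP */`. deny_refuse continues past the end of the hunk and its doc comment is not on the page; if that comment lists parameters it needs an entry for `acladdr`.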
0 23 March 2022: Wouter
1 - Fix #651: [FR] Better logging for refused queries.
2
03 18 March 2022: George
14 - Merge PR #648 from eaglegai: fix -q doesn't work when use with
25 'unbound-control stats_shm'.