New dnstap.pb

- Update to latest `dnstap.pb`, new message types, protocols and message policy
DNS-OARC · Jan 21, 2022 · 87e7909 · 87e7909
1 parent 59c0837
commit 87e7909
Show file tree

Hide file tree

Showing 11 changed files with 214 additions and 9 deletions.
diff --git a/src/dnstap.c b/src/dnstap.c
@@ -41,6 +41,8 @@ const char* const DNSTAP_MESSAGE_TYPE_STRING[] = {
  "STUB_RESPONSE",
  "TOOL_QUERY",
  "TOOL_RESPONSE",
+ "UPDATE_QUERY",
+ "UPDATE_RESPONSE",
 };
 const char* const DNSTAP_SOCKET_FAMILY_STRING[] = {
  "UNKNOWN",
@@ -51,8 +53,38 @@ const char* const DNSTAP_SOCKET_PROTOCOL_STRING[] = {
  "UNKNOWN",
  "UDP",
  "TCP",
+ "DOT",
+ "DOH",
+ "DNSCryptUDP",
+ "DNSCryptTCP",
+};
+const char* const DNSTAP_POLICY_ACTION_STRING[] = {
+ "UNKNOWN",
+ "NXDOMAIN",
+ "NODATA",
+ "PASS",
+ "DROP",
+ "TRUNCATE",
+ "LOCAL_DATA",
+};
+const char* const DNSTAP_POLICY_MATCH_STRING[] = {
+ "UNKNOWN",
+ "QNAME",
+ "CLIENT_IP",
+ "RESPONSE_IP",
+ "NS_NAME",
+ "NS_IP",
 };
 
+void dnstap_message_clear_policy(struct dnstap* dnstap)
+{
+ static const Dnstap__Policy policy = DNSTAP__POLICY__INIT;
+ assert(dnstap);
+
+ dnstap->message.policy = 0;
+ dnstap->policy = policy;
+}
+
 int dnstap_decode_protobuf(struct dnstap* dnstap, const uint8_t* data, size_t len)
 {
  assert(dnstap);
@@ -88,6 +120,8 @@ int dnstap_decode_protobuf(struct dnstap* dnstap, const uint8_t* data, size_t le
  case DNSTAP_MESSAGE_TYPE_STUB_RESPONSE:
  case DNSTAP_MESSAGE_TYPE_TOOL_QUERY:
  case DNSTAP_MESSAGE_TYPE_TOOL_RESPONSE:
+ case DNSTAP_MESSAGE_TYPE_UPDATE_QUERY:
+ case DNSTAP_MESSAGE_TYPE_UPDATE_RESPONSE:
  break;
  default:
  dnstap->message.type = (enum _Dnstap__Message__Type)DNSTAP_MESSAGE_TYPE_UNKNOWN;
@@ -105,11 +139,44 @@ int dnstap_decode_protobuf(struct dnstap* dnstap, const uint8_t* data, size_t le
  switch (dnstap->message.socket_protocol) {
  case DNSTAP_SOCKET_PROTOCOL_UDP:
  case DNSTAP_SOCKET_PROTOCOL_TCP:
+ case DNSTAP_SOCKET_PROTOCOL_DOT:
+ case DNSTAP_SOCKET_PROTOCOL_DOH:
+ case DNSTAP_SOCKET_PROTOCOL_DNSCryptUDP:
+ case DNSTAP_SOCKET_PROTOCOL_DNSCryptTCP:
  break;
  default:
  dnstap->message.has_socket_protocol = false;
  dnstap->message.socket_protocol = (enum _Dnstap__SocketProtocol)DNSTAP_SOCKET_PROTOCOL_UNKNOWN;
  }
+
+ if (dnstap->message.policy) {
+ dnstap->policy = *dnstap->message.policy;
+
+ switch (dnstap->policy.action) {
+ case DNSTAP_POLICY_ACTION_NXDOMAIN:
+ case DNSTAP_POLICY_ACTION_NODATA:
+ case DNSTAP_POLICY_ACTION_PASS:
+ case DNSTAP_POLICY_ACTION_DROP:
+ case DNSTAP_POLICY_ACTION_TRUNCATE:
+ case DNSTAP_POLICY_ACTION_LOCAL_DATA:
+ break;
+ default:
+ dnstap->policy.has_action = false;
+ dnstap->policy.action = (enum _Dnstap__Policy__Action)DNSTAP_POLICY_ACTION_UNKNOWN;
+ }
+
+ switch (dnstap->policy.match) {
+ case DNSTAP_POLICY_MATCH_QNAME:
+ case DNSTAP_POLICY_MATCH_CLIENT_IP:
+ case DNSTAP_POLICY_MATCH_RESPONSE_IP:
+ case DNSTAP_POLICY_MATCH_NS_NAME:
+ case DNSTAP_POLICY_MATCH_NS_IP:
+ break;
+ default:
+ dnstap->policy.has_match = false;
+ dnstap->policy.match = (enum _Dnstap__Policy__Match)DNSTAP_POLICY_MATCH_UNKNOWN;
+ }
+ }
  }
 
  return 0;

diff --git a/src/dnstap.fields b/src/dnstap.fields
@@ -1,5 +1,5 @@
-dnstap dnstap identity string
-dnstap dnstap version string
+dnstap dnstap identity bytestring
+dnstap dnstap version bytestring
 dnstap dnstap extra bytes
 dnstap_message message socket_family enum dnstap_socket_family
 dnstap_message message socket_protocol enum dnstap_socket_protocol
@@ -14,3 +14,8 @@ dnstap_message message query_zone bytes
 dnstap_message message response_time_sec value uint64_t
 dnstap_message message response_time_nsec value uint32_t
 dnstap_message message response_message bytes
+dnstap_message_policy policy type string
+dnstap_message_policy policy rule bytes
+dnstap_message_policy policy action enum dnstap_policy_action
+dnstap_message_policy policy match enum dnstap_policy_match
+dnstap_message_policy policy value bytes
diff --git a/src/dnstap.pb b/src/dnstap.pb
diff --git a/src/dnswire/dnstap.h b/src/dnswire/dnstap.h
@@ -52,6 +52,8 @@ enum dnstap_message_type {
  DNSTAP_MESSAGE_TYPE_STUB_RESPONSE = 10,
  DNSTAP_MESSAGE_TYPE_TOOL_QUERY = 11,
  DNSTAP_MESSAGE_TYPE_TOOL_RESPONSE = 12,
+ DNSTAP_MESSAGE_TYPE_UPDATE_QUERY = 13,
+ DNSTAP_MESSAGE_TYPE_UPDATE_RESPONSE = 14,
 };
 extern const char* const DNSTAP_MESSAGE_TYPE_STRING[];
 
@@ -63,15 +65,42 @@ enum dnstap_socket_family {
 extern const char* const DNSTAP_SOCKET_FAMILY_STRING[];
 
 enum dnstap_socket_protocol {
- DNSTAP_SOCKET_PROTOCOL_UNKNOWN = 0,
- DNSTAP_SOCKET_PROTOCOL_UDP = 1,
- DNSTAP_SOCKET_PROTOCOL_TCP = 2,
+ DNSTAP_SOCKET_PROTOCOL_UNKNOWN = 0,
+ DNSTAP_SOCKET_PROTOCOL_UDP = 1,
+ DNSTAP_SOCKET_PROTOCOL_TCP = 2,
+ DNSTAP_SOCKET_PROTOCOL_DOT = 3,
+ DNSTAP_SOCKET_PROTOCOL_DOH = 4,
+ DNSTAP_SOCKET_PROTOCOL_DNSCryptUDP = 5,
+ DNSTAP_SOCKET_PROTOCOL_DNSCryptTCP = 6,
 };
 extern const char* const DNSTAP_SOCKET_PROTOCOL_STRING[];
 
+enum dnstap_policy_action {
+ DNSTAP_POLICY_ACTION_UNKNOWN = 0,
+ DNSTAP_POLICY_ACTION_NXDOMAIN = 1,
+ DNSTAP_POLICY_ACTION_NODATA = 2,
+ DNSTAP_POLICY_ACTION_PASS = 3,
+ DNSTAP_POLICY_ACTION_DROP = 4,
+ DNSTAP_POLICY_ACTION_TRUNCATE = 5,
+ DNSTAP_POLICY_ACTION_LOCAL_DATA = 6,
+};
+extern const char* const DNSTAP_POLICY_ACTION_STRING[];
+
+enum dnstap_policy_match {
+ DNSTAP_POLICY_MATCH_UNKNOWN = 0,
+ DNSTAP_POLICY_MATCH_QNAME = 1,
+ DNSTAP_POLICY_MATCH_CLIENT_IP = 2,
+ DNSTAP_POLICY_MATCH_RESPONSE_IP = 3,
+ DNSTAP_POLICY_MATCH_NS_NAME = 4,
+ DNSTAP_POLICY_MATCH_NS_IP = 5,
+};
+extern const char* const DNSTAP_POLICY_MATCH_STRING[];
+
 struct dnstap {
  Dnstap__Dnstap dnstap;
  Dnstap__Message message;
+ Dnstap__Policy policy;
+ bool _policy_type_alloced;
 
  Dnstap__Dnstap* unpacked_dnstap;
 };
@@ -80,6 +109,7 @@ struct dnstap {
  { \
  .dnstap = DNSTAP__DNSTAP__INIT, \
  .message = DNSTAP__MESSAGE__INIT, \
+ .policy = DNSTAP__POLICY__INIT, \
  .unpacked_dnstap = 0, \
  }
 
@@ -140,6 +170,39 @@ struct dnstap {
  (d).message.socket_protocol = (enum _Dnstap__SocketProtocol)DNSTAP_MESSAGE_TYPE_UNKNOWN; \
  }
 
+#define dnstap_message_has_policy(d) ((d).dnstap.message->policy != 0)
+#define dnstap_message_use_policy(d) (d).dnstap.message->policy = &(d).policy
+void dnstap_message_clear_policy(struct dnstap*);
+#define dnstap_message_policy_set_action(d, v) \
+ switch (v) { \
+ case DNSTAP_POLICY_ACTION_NXDOMAIN: \
+ case DNSTAP_POLICY_ACTION_NODATA: \
+ case DNSTAP_POLICY_ACTION_PASS: \
+ case DNSTAP_POLICY_ACTION_DROP: \
+ case DNSTAP_POLICY_ACTION_TRUNCATE: \
+ case DNSTAP_POLICY_ACTION_LOCAL_DATA: \
+ (d).policy.has_action = true; \
+ (d).policy.action = (enum _Dnstap__Policy__Action)v; \
+ break; \
+ default: \
+ (d).policy.has_action = false; \
+ (d).policy.action = (enum _Dnstap__Policy__Action)DNSTAP_POLICY_ACTION_UNKNOWN; \
+ }
+#define dnstap_message_policy_set_match(d, v) \
+ switch (v) { \
+ case DNSTAP_POLICY_MATCH_QNAME: \
+ case DNSTAP_POLICY_MATCH_CLIENT_IP: \
+ case DNSTAP_POLICY_MATCH_RESPONSE_IP: \
+ case DNSTAP_POLICY_MATCH_NS_NAME: \
+ case DNSTAP_POLICY_MATCH_NS_IP: \
+ (d).policy.has_match = true; \
+ (d).policy.match = (enum _Dnstap__Policy__Match)v; \
+ break; \
+ default: \
+ (d).policy.has_match = false; \
+ (d).policy.match = (enum _Dnstap__Policy__Match)DNSTAP_POLICY_MATCH_UNKNOWN; \
+ }
+
 int dnstap_decode_protobuf(struct dnstap*, const uint8_t*, size_t);
 // int dnstap_decode_cbor(struct dnstap*, const uint8_t*, size_t);
 

diff --git a/src/gen-macros.sh b/src/gen-macros.sh
@@ -1,11 +1,24 @@
 #!/bin/sh -e
 
 echo "/* autogenerated, don't edit */"
+echo "#include <string.h>"
+echo "#include <stdlib.h>"
 
 while read prefix base name type typedef; do
  echo "// $base.$name ($type)"
  case "$type" in
  string )
+ echo "#define ${prefix}_has_${name}(d) ((d).${base}.${name} != 0)
+#define ${prefix}_${name}(d) (const char*)((d).${base}.${name})
+#define ${prefix}_${name}_length(d) strlen((d).${base}.${name})
+#define ${prefix}_set_${name}(d, v) \
+ if ((d)._${base}_${name}_alloced) { \
+ free((d).${base}.${name}); \
+ } \
+ (d).${base}.${name} = strdup(v); \
+ (d)._${base}_${name}_alloced = true;"
+ ;;
+ bytestring )
  echo "#define ${prefix}_has_${name}(d) (bool)((d).${base}.has_${name})
 #define ${prefix}_${name}(d) (const uint8_t*)((d).${base}.${name}.data)
 #define ${prefix}_${name}_length(d) (size_t)((d).${base}.${name}.len)

diff --git a/src/test/create_dnstap.c b/src/test/create_dnstap.c
@@ -12,6 +12,7 @@
 static char dns_wire_format_placeholder[] = "dns_wire_format_placeholder";
 static unsigned char query_address[sizeof(struct in_addr)];
 static unsigned char response_address[sizeof(struct in_addr)];
+static char policy_value[] = "bad.ns.name";
 
 static inline void create_dnstap(struct dnstap* d, const char* identity)
 {
@@ -48,4 +49,10 @@ static inline void create_dnstap(struct dnstap* d, const char* identity)
 
  dnstap_message_set_query_message(*d, dns_wire_format_placeholder, sizeof(dns_wire_format_placeholder) - 1);
  dnstap_message_set_response_message(*d, dns_wire_format_placeholder, sizeof(dns_wire_format_placeholder) - 1);
+
+ dnstap_message_use_policy(*d);
+ dnstap_message_policy_set_type(*d, "RPZ");
+ dnstap_message_policy_set_action(*d, DNSTAP_POLICY_ACTION_DROP);
+ dnstap_message_policy_set_match(*d, DNSTAP_POLICY_MATCH_NS_NAME);
+ dnstap_message_policy_set_value(*d, policy_value, sizeof(policy_value) - 1);
 }
diff --git a/src/test/print_dnstap.c b/src/test/print_dnstap.c
@@ -111,6 +111,26 @@ static void print_dnstap(const struct dnstap* d)
  printf(" response_message_length: %zu\n", dnstap_message_response_message_length(*d));
  printf(" response_message: %s\n", printable_string(dnstap_message_response_message(*d), dnstap_message_response_message_length(*d)));
  }
+
+ if (dnstap_message_has_policy(*d)) {
+ printf(" policy:\n");
+
+ if (dnstap_message_policy_has_type(*d)) {
+ printf(" type: %s\n", dnstap_message_policy_type(*d));
+ }
+ if (dnstap_message_policy_has_rule(*d)) {
+ printf(" rule: %s\n", printable_string(dnstap_message_policy_rule(*d), dnstap_message_policy_rule_length(*d)));
+ }
+ if (dnstap_message_policy_has_action(*d)) {
+ printf(" action: %s\n", DNSTAP_POLICY_ACTION_STRING[dnstap_message_policy_action(*d)]);
+ }
+ if (dnstap_message_policy_has_match(*d)) {
+ printf(" match: %s\n", DNSTAP_POLICY_MATCH_STRING[dnstap_message_policy_match(*d)]);
+ }
+ if (dnstap_message_policy_has_value(*d)) {
+ printf(" value: %s\n", printable_string(dnstap_message_policy_value(*d), dnstap_message_policy_value_length(*d)));
+ }
+ }
  }
 
  printf("----\n");

diff --git a/src/test/test3.gold b/src/test/test3.gold
@@ -1,4 +1,4 @@
-read 322
+read 370
 ---- dnstap
 identity: writer_write-1
 message:
@@ -13,6 +13,11 @@ message:
  query_message: dns_wire_format_placeholder
  response_message_length: 27
  response_message: dns_wire_format_placeholder
+ policy:
+ type: RPZ
+ action: DROP
+ match: NS_NAME
+ value: bad.ns.name
 ----
 ---- dnstap
 identity: writer_write-2
@@ -28,4 +33,9 @@ message:
  query_message: dns_wire_format_placeholder
  response_message_length: 27
  response_message: dns_wire_format_placeholder
+ policy:
+ type: RPZ
+ action: DROP
+ match: NS_NAME
+ value: bad.ns.name
 ----
diff --git a/src/test/test4.gold b/src/test/test4.gold
@@ -12,6 +12,11 @@ message:
  query_message: dns_wire_format_placeholder
  response_message_length: 27
  response_message: dns_wire_format_placeholder
+ policy:
+ type: RPZ
+ action: DROP
+ match: NS_NAME
+ value: bad.ns.name
 ----
 ---- dnstap
 identity: writer_pop-2
@@ -27,4 +32,9 @@ message:
  query_message: dns_wire_format_placeholder
  response_message_length: 27
  response_message: dns_wire_format_placeholder
+ policy:
+ type: RPZ
+ action: DROP
+ match: NS_NAME
+ value: bad.ns.name
 ----
diff --git a/src/test/test5.gold b/src/test/test5.gold
@@ -12,6 +12,11 @@ message:
  query_message: dns_wire_format_placeholder
  response_message_length: 27
  response_message: dns_wire_format_placeholder
+ policy:
+ type: RPZ
+ action: DROP
+ match: NS_NAME
+ value: bad.ns.name
 ----
 ---- dnstap
 identity: writer_reader_unixsock-2
@@ -27,4 +32,9 @@ message:
  query_message: dns_wire_format_placeholder
  response_message_length: 27
  response_message: dns_wire_format_placeholder
+ policy:
+ type: RPZ
+ action: DROP
+ match: NS_NAME
+ value: bad.ns.name
 ----
diff --git a/src/test/test_dnstap.c b/src/test/test_dnstap.c
@@ -27,7 +27,7 @@ int main(void)
  d.dnstap.type = (enum _Dnstap__Dnstap__Type)DNSTAP_TYPE_MESSAGE;
 
  // invalid message.type
- d.message.type = (enum _Dnstap__Message__Type)(DNSTAP_MESSAGE_TYPE_TOOL_RESPONSE + 1);
+ d.message.type = (enum _Dnstap__Message__Type)(DNSTAP_MESSAGE_TYPE_UPDATE_RESPONSE + 1);
  s = dnstap_encode_protobuf_size(&d);
  assert(s < sizeof(buf));
  assert(dnstap_encode_protobuf(&d, buf) == s);
@@ -47,7 +47,7 @@ int main(void)
  d.message.socket_family = (enum _Dnstap__SocketFamily)DNSTAP_SOCKET_FAMILY_INET;
 
  // invalid message.socket_protocol
- d.message.socket_protocol = (enum _Dnstap__SocketProtocol)(DNSTAP_SOCKET_PROTOCOL_TCP + 1);
+ d.message.socket_protocol = (enum _Dnstap__SocketProtocol)(DNSTAP_SOCKET_PROTOCOL_DNSCryptTCP + 1);
  s = dnstap_encode_protobuf_size(&d);
  assert(s < sizeof(buf));
  assert(dnstap_encode_protobuf(&d, buf) == s);