Module: monitoring-plugins
Branch: master
Commit: fd42290d4a0aafd0d3c154cdd8fad53bfcc79046
Author: Dennis <[email protected]>
Committer: GitHub <[email protected]>
Date: Sat Nov 29 15:24:52 2025 +0100
URL:
https://www.monitoring-plugins.org/repositories/monitoring-plugins/commit/?id=fd42290d
check_dig: add -E/--require-flags and -X/--forbid-flags (#2165)
* check_dig: Add feature to require or forbid dig DNS flags -E, -X.
Introduced helper functions for flag parsing.
-E, --require-flags=LIST
Comma-separated dig flags that must be present (e.g. 'aa,qr')
-X, --forbid-flags=LIST
Comma-separated dig flags that must NOT be present
---
plugins/check_dig.c | 268 ++++++++++++++++++++++++++++++++++++++++++-
plugins/check_dig.d/config.h | 10 +-
2 files changed, 273 insertions(+), 5 deletions(-)
diff --git a/plugins/check_dig.c b/plugins/check_dig.c
index c27e5f13..9ea19e6a 100644
--- a/plugins/check_dig.c
+++ b/plugins/check_dig.c
@@ -3,7 +3,7 @@
* Monitoring check_dig plugin
*
* License: GPL
- * Copyright (c) 2002-2024 Monitoring Plugins Development Team
+ * Copyright (c) 2002-2025 Monitoring Plugins Development Team
*
* Description:
*
@@ -33,9 +33,10 @@
* because on some architectures those strings are in non-writable memory */
const char *progname = "check_dig";
-const char *copyright = "2002-2024";
+const char *copyright = "2002-2025";
const char *email = "[email protected]";
+#include <ctype.h>
#include "common.h"
#include "netutils.h"
#include "utils.h"
@@ -56,6 +57,12 @@ void print_usage(void);
static int verbose = 0;
+/* helpers for flag parsing */
+static flag_list parse_flags_line(const char *line);
+static flag_list split_csv_trim(const char *csv);
+static bool flag_list_contains(const flag_list *list, const char *needle);
+static void free_flag_list(flag_list *list);
+
int main(int argc, char **argv) {
setlocale(LC_ALL, "");
bindtextdomain(PACKAGE, LOCALEDIR);
@@ -101,13 +108,35 @@ int main(int argc, char **argv) {
output chld_out;
output chld_err;
char *msg = NULL;
+ flag_list dig_flags = {.items = NULL, .count = 0};
mp_state_enum result = STATE_UNKNOWN;
+
/* run the command */
if (np_runcmd(command_line, &chld_out, &chld_err, 0) != 0) {
result = STATE_WARNING;
msg = (char *)_("dig returned an error status");
}
+ /* extract ';; flags: ...' from stdout (first occurrence) */
+ for (size_t i = 0; i < chld_out.lines; i++) {
+ if (strstr(chld_out.line[i], "flags:")) {
+ if (verbose) {
+ printf("Raw flags line: %s\n",
chld_out.line[i]);
+ }
+
+ dig_flags = parse_flags_line(chld_out.line[i]);
+
+ if (verbose && dig_flags.count > 0) {
+ printf(_("Parsed flags:"));
+ for (size_t k = 0; k < dig_flags.count; k++) {
+ printf(" %s", dig_flags.items[k]);
+ }
+ printf("\n");
+ }
+ break;
+ }
+ }
+
for (size_t i = 0; i < chld_out.lines; i++) {
/* the server is responding, we just got the host name... */
if (strstr(chld_out.line[i], ";; ANSWER SECTION:")) {
@@ -174,6 +203,44 @@ int main(int argc, char **argv) {
result = STATE_WARNING;
}
+ /* Optional: evaluate dig flags only if -E/-X were provided */
+ if ((config.require_flags.count > 0) || (config.forbid_flags.count >
0)) {
+ if (dig_flags.count > 0) {
+ for (size_t r = 0; r < config.require_flags.count; r++)
{
+ if (!flag_list_contains(&dig_flags,
config.require_flags.items[r])) {
+ result = STATE_CRITICAL;
+ if (!msg) {
+ xasprintf(&msg, _("Missing
required DNS flag: %s"),
+
config.require_flags.items[r]);
+ } else {
+ char *newmsg = NULL;
+ xasprintf(&newmsg, _("%s;
missing required DNS flag: %s"), msg,
+
config.require_flags.items[r]);
+ msg = newmsg;
+ }
+ }
+ }
+
+ for (size_t r = 0; r < config.forbid_flags.count; r++) {
+ if (flag_list_contains(&dig_flags,
config.forbid_flags.items[r])) {
+ result = STATE_CRITICAL;
+ if (!msg) {
+ xasprintf(&msg, _("Forbidden
DNS flag present: %s"),
+
config.forbid_flags.items[r]);
+ } else {
+ char *newmsg = NULL;
+ xasprintf(&newmsg, _("%s;
forbidden DNS flag present: %s"), msg,
+
config.forbid_flags.items[r]);
+ msg = newmsg;
+ }
+ }
+ }
+ }
+ }
+
+ /* cleanup flags buffer */
+ free_flag_list(&dig_flags);
+
printf("DNS %s - %.3f seconds response time (%s)|%s\n",
state_text(result), elapsed_time,
msg ? msg : _("Probably a non-existent host/domain"),
fperfdata("time", elapsed_time, "s",
(config.warning_interval > UNDEFINED),
@@ -190,6 +257,8 @@ check_dig_config_wrapper process_arguments(int argc, char
**argv) {
{"critical", required_argument, 0, 'c'},
{"timeout", required_argument, 0, 't'},
{"dig-arguments", required_argument, 0, 'A'},
+
{"require-flags", required_argument, 0, 'E'},
+
{"forbid-flags", required_argument, 0, 'X'},
{"verbose", no_argument, 0, 'v'},
{"version", no_argument, 0, 'V'},
{"help", no_argument, 0, 'h'},
@@ -212,7 +281,8 @@ check_dig_config_wrapper process_arguments(int argc, char
**argv) {
int option = 0;
while (true) {
- int option_index = getopt_long(argc, argv,
"hVvt:l:H:w:c:T:p:a:A:46", longopts, &option);
+ int option_index =
+ getopt_long(argc, argv, "hVvt:l:H:w:c:T:p:a:A:E:X:46",
longopts, &option);
if (option_index == -1 || option_index == EOF) {
break;
@@ -263,6 +333,12 @@ check_dig_config_wrapper process_arguments(int argc, char
**argv) {
case 'A': /* dig arguments */
result.config.dig_args = strdup(optarg);
break;
+ case 'E': /* require flags */
+ result.config.require_flags = split_csv_trim(optarg);
+ break;
+ case 'X': /* forbid flags */
+ result.config.forbid_flags = split_csv_trim(optarg);
+ break;
case 'v': /* verbose */
verbose++;
break;
@@ -343,6 +419,10 @@ void print_help(void) {
printf(" %s\n", _("was in -l"));
printf(" %s\n", "-A, --dig-arguments=STRING");
printf(" %s\n", _("Pass STRING as argument(s) to dig"));
+ printf(" %s\n", "-E, --require-flags=LIST");
+ printf(" %s\n", _("Comma-separated dig flags that must be present
(e.g. 'aa,qr')"));
+ printf(" %s\n", "-X, --forbid-flags=LIST");
+ printf(" %s\n", _("Comma-separated dig flags that must NOT be
present"));
printf(UT_WARN_CRIT);
printf(UT_CONN_TIMEOUT, DEFAULT_SOCKET_TIMEOUT);
printf(UT_VERBOSE);
@@ -359,5 +439,185 @@ void print_usage(void) {
printf("%s\n", _("Usage:"));
printf("%s -l <query_address> [-H <host>] [-p <server port>]\n",
progname);
printf(" [-T <query type>] [-w <warning interval>] [-c <critical
interval>]\n");
- printf(" [-t <timeout>] [-a <expected answer address>] [-v]\n");
+ printf(" [-t <timeout>] [-a <expected answer address>] [-E <flags>] [-X
<flags>] [-v]\n");
+}
+
+/* helpers */
+
+/**
+ * parse_flags_line - Parse a dig output line and extract DNS header flags.
+ *
+ * Input:
+ * line - NUL terminated dig output line, e.g. ";; flags: qr rd ra; ..."
+ *
+ * Returns:
+ * flag_list where:
+ * - items: array of NUL terminated flag strings (heap allocated)
+ * - count: number of entries in items
+ * On parse failure or if no flags were found, count is 0 and items is NULL.
+ */
+static flag_list parse_flags_line(const char *line) {
+ flag_list result = {.items = NULL, .count = 0};
+
+ if (!line) {
+ return result;
+ }
+
+ /* Locate start of DNS header flags in dig output */
+ const char *p = strstr(line, "flags:");
+ if (!p) {
+ return result;
+ }
+ p += 6; /* skip literal "flags:" */
+
+ /* Skip whitespace after "flags:" */
+ while (*p && isspace((unsigned char)*p)) {
+ p++;
+ }
+
+ /* Flags are terminated by the next semicolon e.g. "qr rd ra;" */
+ const char *q = strchr(p, ';');
+ if (!q) {
+ return result;
+ }
+
+ /* Extract substring containing the flag block */
+ size_t len = (size_t)(q - p);
+ if (len == 0) {
+ return result;
+ }
+
+ char *buf = (char *)malloc(len + 1);
+ if (!buf) {
+ return result;
+ }
+ memcpy(buf, p, len);
+ buf[len] = '\0';
+
+ /* Tokenize flags separated by whitespace */
+ char **arr = NULL;
+ size_t cnt = 0;
+ char *saveptr = NULL;
+ char *tok = strtok_r(buf, " \t", &saveptr);
+
+ while (tok) {
+ /* Expand array for the next flag token */
+ char **tmp = (char **)realloc(arr, (cnt + 1) * sizeof(char *));
+ if (!tmp) {
+ /* On allocation failure keep what we have and return
it */
+ break;
+ }
+ arr = tmp;
+ arr[cnt++] = strdup(tok);
+ tok = strtok_r(NULL, " \t", &saveptr);
+ }
+
+ free(buf);
+
+ result.items = arr;
+ result.count = cnt;
+ return result;
+}
+
+/**
+ * split_csv_trim - Split a comma separated string into trimmed tokens.
+ *
+ * Input:
+ * csv - NUL terminated string, e.g. "aa, qr , rd"
+ *
+ * Returns:
+ * flag_list where:
+ * - items: array of NUL terminated tokens (heap allocated, whitespace
trimmed)
+ * - count: number of tokens
+ * On empty input, count is 0 and items is NULL
+ */
+static flag_list split_csv_trim(const char *csv) {
+ flag_list result = {.items = NULL, .count = 0};
+
+ if (!csv || !*csv) {
+ return result;
+ }
+
+ char *tmp = strdup(csv);
+ if (!tmp) {
+ return result;
+ }
+
+ char *s = tmp;
+ char *token = NULL;
+
+ /* Split CSV by commas, trimming whitespace on each token */
+ while ((token = strsep(&s, ",")) != NULL) {
+ /* trim leading whitespace */
+ while (*token && isspace((unsigned char)*token)) {
+ token++;
+ }
+
+ /* trim trailing whitespace */
+ char *end = token + strlen(token);
+ while (end > token && isspace((unsigned char)end[-1])) {
+ *--end = '\0';
+ }
+
+ if (*token) {
+ /* Expand the items array and append the token */
+ char **arr = (char **)realloc(result.items,
(result.count + 1) * sizeof(char *));
+ if (!arr) {
+ /* Allocation failed, stop and return what we
have */
+ break;
+ }
+ result.items = arr;
+ result.items[result.count++] = strdup(token);
+ }
+ }
+
+ free(tmp);
+ return result;
+}
+
+/**
+ * flag_list_contains - Case-insensitive membership test in a flag_list.
+ *
+ * Input:
+ * list - pointer to a flag_list
+ * needle - NUL terminated string to search for
+ *
+ * Returns:
+ * true if needle is contained in list (strcasecmp)
+ * false otherwise
+ */
+static bool flag_list_contains(const flag_list *list, const char *needle) {
+ if (!list || !needle || !*needle) {
+ return false;
+ }
+
+ for (size_t i = 0; i < list->count; i++) {
+ if (strcasecmp(list->items[i], needle) == 0) {
+ return true;
+ }
+ }
+ return false;
+}
+
+/**
+ * free_flag_list - Release all heap allocations held by a flag_list.
+ *
+ * Input:
+ * list - pointer to a flag_list whose items were allocated by
+ * parse_flags_line() or split_csv_trim().
+ *
+ * After this call list->items is NULL and list->count is 0.
+ */
+static void free_flag_list(flag_list *list) {
+ if (!list || !list->items) {
+ return;
+ }
+
+ for (size_t i = 0; i < list->count; i++) {
+ free(list->items[i]);
+ }
+ free(list->items);
+
+ list->items = NULL;
+ list->count = 0;
}
diff --git a/plugins/check_dig.d/config.h b/plugins/check_dig.d/config.h
index a570b633..dd1f58b5 100644
--- a/plugins/check_dig.d/config.h
+++ b/plugins/check_dig.d/config.h
@@ -7,6 +7,11 @@
#define DEFAULT_PORT 53
#define DEFAULT_TRIES 2
+typedef struct {
+ char **items;
+ size_t count;
+} flag_list;
+
typedef struct {
char *query_address;
char *record_type;
@@ -19,6 +24,8 @@ typedef struct {
double warning_interval;
double critical_interval;
+ flag_list require_flags;
+ flag_list forbid_flags;
} check_dig_config;
check_dig_config check_dig_config_init() {
@@ -34,7 +41,8 @@ check_dig_config check_dig_config_init() {
.warning_interval = UNDEFINED,
.critical_interval = UNDEFINED,
-
+ .require_flags = {.count = 0, .items = NULL},
+ .forbid_flags = {.count = 0, .items = NULL},
};
return tmp;
}
