{% raw %}
-modules.load('view')
-view:addr('127.0.0.0/24', policy.suffix(policy.DENY,{"\3com\0"}))
-view:addr('127.0.0.0/24', policy.suffix(policy.FORWARD('1.2.3.4'),{"\2cz\0"}))
+modules.load('view < policy')
+
+view:addr('127.0.0.0/24', policy.suffix(policy.DENY_MSG("addr 127.0.0.0/24 matched com"),{"\3com\0"}))
+view:addr('127.0.0.0/24', policy.suffix(policy.DENY_MSG("addr 127.0.0.0/24 matched net"),{"\3net\0"}))
+policy.add(policy.all(policy.FORWARD('1.2.3.4')))
-- Disable RFC8145 signaling, scenario doesn't provide expected answers
if ta_signal_query then
example.cz. IN A 5.6.7.8
ENTRY_END
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-example.com. IN A
-SECTION ANSWER
-example.com. IN A 21.22.23.24
-ENTRY_END
RANGE_END
-; allowed by view
+; policy module loaded before view module must take precedence before view
STEP 10 QUERY
ENTRY_BEGIN
REPLY RD
example.cz. IN A 5.6.7.8
ENTRY_END
-; blocked by view
+; blocked by view:addr + inner policy.suffix com
; NXDOMAIN expected
STEP 30 QUERY
ENTRY_BEGIN
example.com. IN A
ENTRY_END
-STEP 40 CHECK_ANSWER
+STEP 31 CHECK_ANSWER
ENTRY_BEGIN
-MATCH flags rcode question answer
+MATCH opcode question rcode additional
REPLY QR RD RA AA NXDOMAIN
SECTION QUESTION
example.com. IN A
-SECTION ANSWER
+SECTION ADDITIONAL
+explanation.invalid. 10800 IN TXT "addr 127.0.0.0/24 matched com"
+ENTRY_END
+
+; blocked by view:addr + inner policy.suffix net
+; second view rule gets executed if policy in preceding view rule did not match
+STEP 32 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+example.net. IN A
+ENTRY_END
+
+STEP 33 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH opcode question rcode additional
+REPLY QR RD RA AA NXDOMAIN
+SECTION QUESTION
+example.net. IN A
+SECTION ADDITIONAL
+explanation.invalid. 10800 IN TXT "addr 127.0.0.0/24 matched net"
ENTRY_END
SCENARIO_END
{% raw %}
modules.load('view')
-view:tsig('\8testkey1\0', policy.suffix(policy.DENY,{"\3com\0"}))
-view:tsig('\7testkey\0', policy.suffix(policy.FORWARD('1.2.3.4'),{"\2cz\0"}))
+print(table_print(modules.list()))
+
+view:tsig('\8testkey1\0', policy.suffix(policy.DENY_MSG("TSIG key testkey1 matched com"),{"\3com\0"}))
+view:tsig('\8testkey1\0', policy.suffix(policy.DENY_MSG("TSIG key testkey1 matched net"),{"\3net\0"}))
+view:tsig('\7testkey\0', policy.suffix(policy.DENY_MSG("TSIG key testkey matched example"),{"\7example\0"}))
+policy.add(policy.all(policy.FORWARD('1.2.3.4')))
-- Disable RFC8145 signaling, scenario doesn't provide expected answers
if ta_signal_query then
stub-addr: 1.2.3.4
CONFIG_END
-SCENARIO_BEGIN view:addr test
+SCENARIO_BEGIN view:tsig test
RANGE_BEGIN 0 110
ADDRESS 1.2.3.4
example.cz. IN A 5.6.7.8
ENTRY_END
+RANGE_END
+
+RANGE_BEGIN 0 110
+ ADDRESS 192.0.2.1
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR RD RA NOERROR
SECTION QUESTION
-example.com. IN A
+example.net. IN A
SECTION ANSWER
-example.com. IN A 21.22.23.24
+example.net. IN A 6.6.6.6
ENTRY_END
RANGE_END
-; allowed by view
+; policy fallback (no view matched, policy is behind view module)
STEP 10 QUERY
ENTRY_BEGIN
REPLY RD
example.cz. IN A 5.6.7.8
ENTRY_END
-; blocked by view
+; blocked by view:tsig testkey1 + inner policy.suffix com
; NXDOMAIN expected
STEP 30 QUERY
ENTRY_BEGIN
example.com. IN A
ENTRY_END
-STEP 40 CHECK_ANSWER
+STEP 31 CHECK_ANSWER
ENTRY_BEGIN
-MATCH flags rcode question answer
+MATCH opcode question rcode additional
REPLY QR RD RA AA NXDOMAIN
SECTION QUESTION
example.com. IN A
-SECTION ANSWER
+SECTION ADDITIONAL
+explanation.invalid. 10800 IN TXT "TSIG key testkey1 matched com"
+ENTRY_END
+
+; blocked by view:tsig testkey1 + inner policy.suffix net
+; second view rule gets executed if policy in preceding view rule did not match
+STEP 32 QUERY
+ENTRY_BEGIN
+REPLY RD
+TSIG testkey1 +Cdjlkef9ZTSeixERZ433Q==
+SECTION QUESTION
+example.net. IN A
+ENTRY_END
+
+STEP 33 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH opcode question rcode additional
+REPLY QR RD RA AA NXDOMAIN
+SECTION QUESTION
+example.net. IN A
+SECTION ADDITIONAL
+explanation.invalid. 10800 IN TXT "TSIG key testkey1 matched net"
+ENTRY_END
+
+; blocked by view:tsig testkey + inner policy.suffix example (different key)
+; third view rule gets executed if policy in preceding view rule did not match
+STEP 34 QUERY
+ENTRY_BEGIN
+REPLY RD
+TSIG testkey +Cdjlkef9ZTSeixERZ433Q==
+SECTION QUESTION
+example. IN A
+ENTRY_END
+
+STEP 35 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH opcode question rcode additional
+REPLY QR RD RA AA NXDOMAIN
+SECTION QUESTION
+example. IN A
+SECTION ADDITIONAL
+explanation.invalid. 10800 IN TXT "TSIG key testkey matched example"
ENTRY_END
SCENARIO_END
projects / thirdparty / knot-resolver.git / commitdiff
