if a match is found.
return false;
}
-DNSFilterEngine::Policy DNSFilterEngine::getProcessingPolicy(const DNSName& qname, const std::unordered_map<std::string,bool>& discardedPolicies, Priority maxPriority) const
+bool DNSFilterEngine::getProcessingPolicy(const DNSName& qname, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& pol) const
{
// cout<<"Got question for nameserver name "<<qname<<endl;
std::vector<bool> zoneEnabled(d_zones.size());
for (const auto& z : d_zones) {
bool enabled = true;
const auto zoneName = z->getName();
- if (z->getPriority() >= maxPriority) {
+ if (z->getPriority() >= pol.d_priority) {
enabled = false;
}
else if (zoneName && discardedPolicies.find(*zoneName) != discardedPolicies.end()) {
++count;
}
- Policy pol;
if (allEmpty) {
- return pol;
+ return false;
}
/* prepare the wildcard-based names */
}
if (z->findExactNSPolicy(qname, pol)) {
// cerr<<"Had a hit on the nameserver ("<<qname<<") used to process the query"<<endl;
- return pol;
+ return true;
}
for (const auto& wc : wcNames) {
if (z->findExactNSPolicy(wc, pol)) {
// cerr<<"Had a hit on the nameserver ("<<qname<<") used to process the query"<<endl;
- return pol;
+ return true;
}
}
++count;
}
- return pol;
+ return false;
}
-DNSFilterEngine::Policy DNSFilterEngine::getProcessingPolicy(const ComboAddress& address, const std::unordered_map<std::string,bool>& discardedPolicies, Priority maxPriority) const
+bool DNSFilterEngine::getProcessingPolicy(const ComboAddress& address, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& pol) const
{
- Policy pol;
// cout<<"Got question for nameserver IP "<<address.toString()<<endl;
for(const auto& z : d_zones) {
- if (z->getPriority() >= maxPriority) {
+ if (z->getPriority() >= pol.d_priority) {
break;
}
const auto zoneName = z->getName();
if(z->findNSIPPolicy(address, pol)) {
// cerr<<"Had a hit on the nameserver ("<<address.toString()<<") used to process the query"<<endl;
- return pol;
+ return true;
}
}
- return pol;
+ return false;
}
-DNSFilterEngine::Policy DNSFilterEngine::getQueryPolicy(const DNSName& qname, const ComboAddress& ca, const std::unordered_map<std::string,bool>& discardedPolicies, Priority maxPriority) const
+bool DNSFilterEngine::getQueryPolicy(const DNSName& qname, const ComboAddress& ca, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& pol) const
{
// cout<<"Got question for "<<qname<<" from "<<ca.toString()<<endl;
std::vector<bool> zoneEnabled(d_zones.size());
bool allEmpty = true;
for (const auto& z : d_zones) {
bool enabled = true;
- if (z->getPriority() >= maxPriority) {
+ if (z->getPriority() >= pol.d_priority) {
enabled = false;
} else {
const auto zoneName = z->getName();
++count;
}
- Policy pol;
if (allEmpty) {
- return pol;
+ return false;
}
/* prepare the wildcard-based names */
if (z->findClientPolicy(ca, pol)) {
// cerr<<"Had a hit on the IP address ("<<ca.toString()<<") of the client"<<endl;
- return pol;
+ return true;
}
if (z->findExactQNamePolicy(qname, pol)) {
// cerr<<"Had a hit on the name of the query"<<endl;
- return pol;
+ return true;
}
for (const auto& wc : wcNames) {
if (z->findExactQNamePolicy(wc, pol)) {
// cerr<<"Had a hit on the name of the query"<<endl;
- return pol;
+ return true;
}
}
++count;
}
- return pol;
+ return false;
}
-DNSFilterEngine::Policy DNSFilterEngine::getPostPolicy(const vector<DNSRecord>& records, const std::unordered_map<std::string,bool>& discardedPolicies, Priority maxPriority) const
+bool DNSFilterEngine::getPostPolicy(const vector<DNSRecord>& records, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& pol) const
{
- Policy pol;
ComboAddress ca;
for (const auto& r : records) {
if (r.d_place != DNSResourceRecord::ANSWER)
continue;
for (const auto& z : d_zones) {
- if (z->getPriority() >= maxPriority) {
+ if (z->getPriority() >= pol.d_priority) {
break;
}
const auto zoneName = z->getName();
}
if (z->findResponsePolicy(ca, pol)) {
- return pol;
+ return true;
}
}
}
- return pol;
+ return false;
}
void DNSFilterEngine::assureZones(size_t zone)
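Review bot: The new in/out role of `pol` is fragile in the two overloads that test the cutoff and run the lookup in the same loop: `pol.d_priority` is re-read on every iteration (`if (z->getPriority() >= pol.d_priority)`) while `pol` is also the buffer the find helpers write into, so a helper that touches `pol` before returning false would lower the cutoff mid-scan and hand the caller a half-written policy. Whether findExactNSPolicy/findNSIPPolicy/findClientPolicy/findExactQNamePolicy/findResponsePolicy assign `pol` only on a hit is outside this diff, so please confirm it; independent of that, snapshotting the cutoff once removes the hazard: `const Priority maxPriority = pol.d_priority;` at the top of each function and `if (z->getPriority() >= maxPriority)` in the loops. A one-line comment above each definition stating that `pol` is left exactly as passed in when false is returned would also help the callers that discard the bool. The getProcessingPolicy(DNSName) body starts before this view and some context between the hunks is not shown.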
}
}
- Policy getQueryPolicy(const DNSName& qname, const ComboAddress& nm, const std::unordered_map<std::string,bool>& discardedPolicies, Priority maxPriority) const;
- Policy getProcessingPolicy(const DNSName& qname, const std::unordered_map<std::string,bool>& discardedPolicies, Priority maxPriority) const;
- Policy getProcessingPolicy(const ComboAddress& address, const std::unordered_map<std::string,bool>& discardedPolicies, Priority maxPriority) const;
- Policy getPostPolicy(const vector<DNSRecord>& records, const std::unordered_map<std::string,bool>& discardedPolicies, Priority maxPriority) const;
+ bool getQueryPolicy(const DNSName& qname, const ComboAddress& nm, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& policy) const;
+ bool getProcessingPolicy(const DNSName& qname, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& policy) const;
+ bool getProcessingPolicy(const ComboAddress& address, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& policy) const;
+ bool getPostPolicy(const vector<DNSRecord>& records, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& policy) const;
+
+ // A few convenience methods for the unit test code
+ Policy getQueryPolicy(const DNSName& qname, const ComboAddress& nm, const std::unordered_map<std::string,bool>& discardedPolicies, Priority p) const {
+ Policy policy;
+ policy.d_priority = p;
+ getQueryPolicy(qname, nm, discardedPolicies, policy);
+ return policy;
+ }
+
+ Policy getProcessingPolicy(const DNSName& qname, const std::unordered_map<std::string,bool>& discardedPolicies, Priority p) const {
+ Policy policy;
+ policy.d_priority = p;
+ getProcessingPolicy(qname, discardedPolicies, policy);
+ return policy;
+ }
+
+ Policy getProcessingPolicy(const ComboAddress& address, const std::unordered_map<std::string,bool>& discardedPolicies, Priority p) const {
+ Policy policy;
+ policy.d_priority = p;
+ getProcessingPolicy(address, discardedPolicies, policy);
+ return policy;
+ }
+
+ Policy getPostPolicy(const vector<DNSRecord>& records, const std::unordered_map<std::string,bool>& discardedPolicies, Priority p) const {
+ Policy policy;
+ policy.d_priority = p;
+ getPostPolicy(records, discardedPolicies, policy);
+ return policy;
+ }
size_t size() const {
return d_zones.size();
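Review bot: The four new declarations carry an unstated in/out contract that every caller now depends on; a comment on them would prevent misuse, e.g. `// In: policy.d_priority is the exclusive upper bound on zone priorities consulted. Out: on a hit the matched policy is stored in policy and true is returned; on a miss policy is left untouched.` The "convenience methods for the unit test code" share the production names and differ only in the last parameter (`Priority` vs `Policy&`); if `Priority` is an integral alias, a caller that passes a plain integer silently selects the wrapper, which discards the match result, so consider marking them in the comment as test-only (or giving them a distinct name) so production code does not pick them by accident. The enclosing class header is outside this hunk.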
// Check if the query has a policy attached to it
if (wantsRPZ && (appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction)) {
- appliedPolicy = luaconfsLocal->dfe.getQueryPolicy(dc->d_mdp.d_qname, dc->d_source, sr.d_discardedPolicies, appliedPolicy.d_priority);
+ luaconfsLocal->dfe.getQueryPolicy(dc->d_mdp.d_qname, dc->d_source, sr.d_discardedPolicies, appliedPolicy);
}
// if there is a RecursorLua active, and it 'took' the query in preResolve, we don't launch beginResolve
res = -2;
}
dq.validationState = sr.getValidationState();
+ appliedPolicy = sr.d_appliedPolicy;
// During lookup, an NSDNAME or NSIP trigger was hit in RPZ
if (res == -2) { // XXX This block should be macro'd, it is repeated post-resolve.
}
if (wantsRPZ && (appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction)) {
- appliedPolicy = luaconfsLocal->dfe.getPostPolicy(ret, sr.d_discardedPolicies, appliedPolicy.d_priority);
+ luaconfsLocal->dfe.getPostPolicy(ret, sr.d_discardedPolicies, appliedPolicy);
}
if(t_pdl) {
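Review bot: Both rewritten call sites (`dfe.getQueryPolicy(..., appliedPolicy)` and `dfe.getPostPolicy(ret, ..., appliedPolicy)`) discard the new bool, which is only correct because a miss is expected to leave `appliedPolicy` (and thus its `d_priority` cutoff) unchanged; that assumption should be written down next to the calls, e.g. `// a miss leaves appliedPolicy untouched, so the result is not needed here`. The added `appliedPolicy = sr.d_appliedPolicy;` overwrites whatever the pre-resolve getQueryPolicy call stored, which is fine only if `sr.d_appliedPolicy` was seeded from `appliedPolicy` before resolution started; that seeding is outside these hunks, so please confirm it (otherwise a NoAction/lower-priority hit found before resolution would be lost). The enclosing function continues outside the hunks.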
*/
if (d_wantsRPZ && (d_appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || d_appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction)) {
for (auto const &ns : nameservers) {
- d_appliedPolicy = dfe.getProcessingPolicy(ns.first, d_discardedPolicies, d_appliedPolicy.d_priority);
- if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) { // client query needs an RPZ response
+ bool match = dfe.getProcessingPolicy(ns.first, d_discardedPolicies, d_appliedPolicy);
+ if (match && d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) { // client query needs an RPZ response
LOG(", however nameserver "<<ns.first<<" was blocked by RPZ policy '"<<(d_appliedPolicy.d_name ? *d_appliedPolicy.d_name : "")<<"'"<<endl);
return true;
}
// Traverse all IP addresses for this NS to see if they have an RPN NSIP policy
for (auto const &address : ns.second.first) {
- d_appliedPolicy = dfe.getProcessingPolicy(address, d_discardedPolicies, d_appliedPolicy.d_priority);
- if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) { // client query needs an RPZ response
+ match = dfe.getProcessingPolicy(address, d_discardedPolicies, d_appliedPolicy);
+ if (match && d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) { // client query needs an RPZ response
LOG(", however nameserver "<<ns.first<<" IP address "<<address.toString()<<" was blocked by RPZ policy '"<<(d_appliedPolicy.d_name ? *d_appliedPolicy.d_name : "")<<"'"<<endl);
return true;
}
process any further RPZ rules.
*/
if (d_wantsRPZ && (d_appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || d_appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction)) {
- d_appliedPolicy = dfe.getProcessingPolicy(remoteIP, d_discardedPolicies, d_appliedPolicy.d_priority);
- if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) {
+ bool match = dfe.getProcessingPolicy(remoteIP, d_discardedPolicies, d_appliedPolicy);
+ if (match && d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) {
LOG(" (blocked by RPZ policy '"+(d_appliedPolicy.d_name ? *d_appliedPolicy.d_name : "")+"')");
return true;
}
nameservers.clear();
for (auto const &nameserver : nsset) {
if (d_wantsRPZ && (d_appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || d_appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction)) {
- d_appliedPolicy = dfe.getProcessingPolicy(nameserver, d_discardedPolicies, d_appliedPolicy.d_priority);
- if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) { // client query needs an RPZ response
+ bool match = dfe.getProcessingPolicy(nameserver, d_discardedPolicies, d_appliedPolicy);
+ if (match && d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) { // client query needs an RPZ response
LOG("however "<<nameserver<<" was blocked by RPZ policy '"<<(d_appliedPolicy.d_name ? *d_appliedPolicy.d_name : "")<<"'"<<endl);
throw PolicyHitException();
}