bool DNSFilterEngine::Zone::findExactNSPolicy(const DNSName& qname, DNSFilterEngine::Policy& pol) const
{
- return findExactNamedPolicy(d_propolName, qname, pol);
+ if (findExactNamedPolicy(d_propolName, qname, pol)) {
+ pol.d_trigger = qname;
+ pol.d_trigger.appendRawLabel(rpzNSDnameName);
+ return true;
+ }
+ return false;
}
-bool DNSFilterEngine::Zone::findNSIPPolicy(const ComboAddress& addr, Netmask& key, DNSFilterEngine::Policy& pol) const
+bool DNSFilterEngine::Zone::findNSIPPolicy(const ComboAddress& addr, DNSFilterEngine::Policy& pol) const
{
if (const auto fnd = d_propolNSAddr.lookup(addr)) {
- key = fnd->first;
pol = fnd->second;
+ pol.d_trigger = Zone::maskToRPZ(fnd->first);
+ pol.d_trigger.appendRawLabel(rpzNSIPName);
return true;
}
return false;
}
-bool DNSFilterEngine::Zone::findResponsePolicy(const ComboAddress& addr, Netmask& key, DNSFilterEngine::Policy& pol) const
+bool DNSFilterEngine::Zone::findResponsePolicy(const ComboAddress& addr, DNSFilterEngine::Policy& pol) const
{
if (const auto fnd = d_postpolAddr.lookup(addr)) {
- key = fnd->first;
pol = fnd->second;
+ pol.d_trigger = Zone::maskToRPZ(fnd->first);
+ pol.d_trigger.appendRawLabel(rpzIPName);
return true;
}
return false;
}
-bool DNSFilterEngine::Zone::findClientPolicy(const ComboAddress& addr, Netmask& key, DNSFilterEngine::Policy& pol) const
+bool DNSFilterEngine::Zone::findClientPolicy(const ComboAddress& addr, DNSFilterEngine::Policy& pol) const
{
if (const auto fnd = d_qpolAddr.lookup(addr)) {
- key = fnd->first;
pol = fnd->second;
+ pol.d_trigger = Zone::maskToRPZ(fnd->first);
+ pol.d_trigger.appendRawLabel(rpzClientIPName);
return true;
}
return false;
}
if (z->findExactNSPolicy(qname, pol)) {
// cerr<<"Had a hit on the nameserver ("<<qname<<") used to process the query"<<endl;
- pol.d_trigger = qname;
- pol.d_trigger.appendRawLabel(rpzNSDnameName);
pol.d_hit = qname.toStringNoDot();
return true;
}
for (const auto& wc : wcNames) {
if (z->findExactNSPolicy(wc, pol)) {
// cerr<<"Had a hit on the nameserver ("<<qname<<") used to process the query"<<endl;
- pol.d_trigger = wc;
- pol.d_trigger.appendRawLabel(rpzNSDnameName);
pol.d_hit = qname.toStringNoDot();
return true;
}
}
Netmask key;
- if(z->findNSIPPolicy(address, key, pol)) {
+ if(z->findNSIPPolicy(address, pol)) {
// cerr<<"Had a hit on the nameserver ("<<address.toString()<<") used to process the query"<<endl;
- pol.d_trigger = Zone::maskToRPZ(key);
- pol.d_trigger.appendRawLabel(rpzNSIPName);
pol.d_hit = address.toString();
return true;
}
}
Netmask key;
- if (z->findClientPolicy(ca, key, pol)) {
+ if (z->findClientPolicy(ca, pol)) {
// cerr<<"Had a hit on the IP address ("<<ca.toString()<<") of the client"<<endl;
+ pol.d_hit = ca.toString();
return true;
}
}
}
Netmask key;
- if (z->findResponsePolicy(ca, key, pol)) {
+ if (z->findResponsePolicy(ca, pol)) {
pol.d_trigger = Zone::maskToRPZ(key);
pol.d_trigger.appendRawLabel(rpzIPName);
pol.d_hit = ca.toString();
const DNSName blockedWildcardName("*.wildcard-blocked.");
const ComboAddress responseIP("192.0.2.254");
BOOST_CHECK_EQUAL(zone->size(), 0U);
- zone->addClientTrigger(Netmask(clientIP, 32), DNSFilterEngine::Policy(DNSFilterEngine::PolicyKind::Drop, DNSFilterEngine::PolicyType::ClientIP));
+ zone->addClientTrigger(Netmask(clientIP, 31), DNSFilterEngine::Policy(DNSFilterEngine::PolicyKind::Drop, DNSFilterEngine::PolicyType::ClientIP));
BOOST_CHECK_EQUAL(zone->size(), 1U);
zone->addQNameTrigger(blockedName, DNSFilterEngine::Policy(DNSFilterEngine::PolicyKind::Drop, DNSFilterEngine::PolicyType::QName));
BOOST_CHECK_EQUAL(zone->size(), 2U);
zone->addQNameTrigger(blockedWildcardName, DNSFilterEngine::Policy(DNSFilterEngine::PolicyKind::Drop, DNSFilterEngine::PolicyType::QName));
BOOST_CHECK_EQUAL(zone->size(), 3U);
- zone->addNSIPTrigger(Netmask(nsIP, 32), DNSFilterEngine::Policy(DNSFilterEngine::PolicyKind::Drop, DNSFilterEngine::PolicyType::NSIP));
+ zone->addNSIPTrigger(Netmask(nsIP, 31), DNSFilterEngine::Policy(DNSFilterEngine::PolicyKind::Drop, DNSFilterEngine::PolicyType::NSIP));
BOOST_CHECK_EQUAL(zone->size(), 4U);
zone->addNSTrigger(nsName, DNSFilterEngine::Policy(DNSFilterEngine::PolicyKind::Drop, DNSFilterEngine::PolicyType::NSDName));
BOOST_CHECK_EQUAL(zone->size(), 5U);
zone->addNSTrigger(nsWildcardName, DNSFilterEngine::Policy(DNSFilterEngine::PolicyKind::Drop, DNSFilterEngine::PolicyType::NSDName));
BOOST_CHECK_EQUAL(zone->size(), 6U);
- zone->addResponseTrigger(Netmask(responseIP, 32), DNSFilterEngine::Policy(DNSFilterEngine::PolicyKind::Drop, DNSFilterEngine::PolicyType::ResponseIP));
+ zone->addResponseTrigger(Netmask(responseIP, 31), DNSFilterEngine::Policy(DNSFilterEngine::PolicyKind::Drop, DNSFilterEngine::PolicyType::ResponseIP));
BOOST_CHECK_EQUAL(zone->size(), 7U);
size_t zoneIdx = dfe.addZone(zone);
const auto matchingPolicy = dfe.getProcessingPolicy(DNSName("sub.sub.wildcard.wolf."), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::NSDName);
BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Drop);
+ BOOST_CHECK_EQUAL(matchingPolicy.d_trigger, DNSName("*.wildcard.wolf.rpz-nsdname"));
+ BOOST_CHECK_EQUAL(matchingPolicy.d_hit, "sub.sub.wildcard.wolf");
/* looking for wildcard.wolf. should not match *.wildcard-blocked. */
const auto notMatchingPolicy = dfe.getProcessingPolicy(DNSName("wildcard.wolf."), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
/* except if we look exactly for the wildcard */
BOOST_CHECK(zone->findExactNSPolicy(nsWildcardName, zonePolicy));
BOOST_CHECK(zonePolicy == matchingPolicy);
+ BOOST_CHECK_EQUAL(zonePolicy.d_trigger, DNSName("*.wildcard.wolf.rpz-nsdname"));
+ BOOST_CHECK_EQUAL(zonePolicy.d_hit, nsWildcardName.toStringNoDot());
}
{
const auto matchingPolicy = dfe.getProcessingPolicy(nsIP, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::NSIP);
BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Drop);
- Netmask key;
DNSFilterEngine::Policy zonePolicy;
- BOOST_CHECK(zone->findNSIPPolicy(nsIP, key, zonePolicy));
- BOOST_CHECK(key == nsIP);
+ BOOST_CHECK(zone->findNSIPPolicy(nsIP, zonePolicy));
BOOST_CHECK(zonePolicy == matchingPolicy);
+ BOOST_CHECK_EQUAL(zonePolicy.d_trigger, DNSName("31.0.2.0.192.rpz-nsip"));
}
{
/* allowed NS IP */
const auto matchingPolicy = dfe.getProcessingPolicy(ComboAddress("192.0.2.142"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::None);
- Netmask key;
DNSFilterEngine::Policy zonePolicy;
- BOOST_CHECK(zone->findNSIPPolicy(ComboAddress("192.0.2.142"), key, zonePolicy) == false);
+ BOOST_CHECK(zone->findNSIPPolicy(ComboAddress("192.0.2.142"), zonePolicy) == false);
}
{
DNSFilterEngine::Policy zonePolicy;
BOOST_CHECK(zone->findExactQNamePolicy(blockedName, zonePolicy));
BOOST_CHECK(zonePolicy == matchingPolicy);
+ BOOST_CHECK_EQUAL(zonePolicy.d_trigger, blockedName);
+ BOOST_CHECK_EQUAL(zonePolicy.d_hit, blockedName.toStringNoDot());
/* but a subdomain should not be blocked (not a wildcard, and this is not suffix domain matching */
matchingPolicy = dfe.getQueryPolicy(DNSName("sub") + blockedName, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
const auto matchingPolicy = dfe.getQueryPolicy(DNSName("sub.sub.wildcard-blocked."), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::QName);
BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Drop);
+ BOOST_CHECK_EQUAL(matchingPolicy.d_trigger, blockedWildcardName);
+ BOOST_CHECK_EQUAL(matchingPolicy.d_hit, "sub.sub.wildcard-blocked");
/* looking for wildcard-blocked. should not match *.wildcard-blocked. */
const auto notMatchingPolicy = dfe.getQueryPolicy(DNSName("wildcard-blocked."), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
/* except if we look exactly for the wildcard */
BOOST_CHECK(zone->findExactQNamePolicy(blockedWildcardName, zonePolicy));
BOOST_CHECK(zonePolicy == matchingPolicy);
+ BOOST_CHECK_EQUAL(zonePolicy.d_trigger, blockedWildcardName);
+ BOOST_CHECK_EQUAL(zonePolicy.d_hit, blockedWildcardName.toStringNoDot());
}
{
const auto matchingPolicy = dfe.getClientPolicy(clientIP, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::ClientIP);
BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Drop);
- Netmask key;
DNSFilterEngine::Policy zonePolicy;
- BOOST_CHECK(zone->findClientPolicy(clientIP, key, zonePolicy));
- BOOST_CHECK(key == clientIP);
+ BOOST_CHECK(zone->findClientPolicy(clientIP, zonePolicy));
BOOST_CHECK(zonePolicy == matchingPolicy);
+ BOOST_CHECK_EQUAL(zonePolicy.d_trigger, DNSName("31.128.2.0.192.rpz-client-ip"));
}
{
/* not blocked */
const auto matchingPolicy = dfe.getClientPolicy(ComboAddress("192.0.2.142"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::None);
- Netmask key;
DNSFilterEngine::Policy zonePolicy;
- BOOST_CHECK(zone->findClientPolicy(ComboAddress("192.0.2.142"), key, zonePolicy) == false);
+ BOOST_CHECK(zone->findClientPolicy(ComboAddress("192.0.2.142"), zonePolicy) == false);
BOOST_CHECK(zone->findExactQNamePolicy(DNSName("totally.legit."), zonePolicy) == false);
}
const auto matchingPolicy = dfe.getPostPolicy({dr}, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::ResponseIP);
BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Drop);
- Netmask key;
DNSFilterEngine::Policy zonePolicy;
- BOOST_CHECK(zone->findResponsePolicy(responseIP, key, zonePolicy));
- BOOST_CHECK(key == responseIP);
+ BOOST_CHECK(zone->findResponsePolicy(responseIP, zonePolicy));
BOOST_CHECK(zonePolicy == matchingPolicy);
+ BOOST_CHECK_EQUAL(zonePolicy.d_trigger, DNSName("31.254.2.0.192.rpz-ip"));
}
{
dr.d_content = DNSRecordContent::mastermake(QType::A, QClass::IN, "192.0.2.142");
const auto matchingPolicy = dfe.getPostPolicy({dr}, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::None);
- Netmask key;
DNSFilterEngine::Policy zonePolicy;
- BOOST_CHECK(zone->findResponsePolicy(ComboAddress("192.0.2.142"), key, zonePolicy) == false);
+ BOOST_CHECK(zone->findResponsePolicy(ComboAddress("192.0.2.142"), zonePolicy) == false);
}
BOOST_CHECK_EQUAL(zone->size(), 7U);
- zone->rmClientTrigger(Netmask(clientIP, 32), DNSFilterEngine::Policy(DNSFilterEngine::PolicyKind::Drop, DNSFilterEngine::PolicyType::ClientIP));
+ zone->rmClientTrigger(Netmask(clientIP, 31), DNSFilterEngine::Policy(DNSFilterEngine::PolicyKind::Drop, DNSFilterEngine::PolicyType::ClientIP));
BOOST_CHECK_EQUAL(zone->size(), 6U);
zone->rmQNameTrigger(blockedName, DNSFilterEngine::Policy(DNSFilterEngine::PolicyKind::Drop, DNSFilterEngine::PolicyType::QName));
BOOST_CHECK_EQUAL(zone->size(), 5U);
zone->rmQNameTrigger(blockedWildcardName, DNSFilterEngine::Policy(DNSFilterEngine::PolicyKind::Drop, DNSFilterEngine::PolicyType::QName));
BOOST_CHECK_EQUAL(zone->size(), 4U);
- zone->rmNSIPTrigger(Netmask(nsIP, 32), DNSFilterEngine::Policy(DNSFilterEngine::PolicyKind::Drop, DNSFilterEngine::PolicyType::NSIP));
+ zone->rmNSIPTrigger(Netmask(nsIP, 31), DNSFilterEngine::Policy(DNSFilterEngine::PolicyKind::Drop, DNSFilterEngine::PolicyType::NSIP));
BOOST_CHECK_EQUAL(zone->size(), 3U);
zone->rmNSTrigger(nsName, DNSFilterEngine::Policy(DNSFilterEngine::PolicyKind::Drop, DNSFilterEngine::PolicyType::NSDName));
BOOST_CHECK_EQUAL(zone->size(), 2U);
zone->rmNSTrigger(nsWildcardName, DNSFilterEngine::Policy(DNSFilterEngine::PolicyKind::Drop, DNSFilterEngine::PolicyType::NSDName));
BOOST_CHECK_EQUAL(zone->size(), 1U);
- zone->rmResponseTrigger(Netmask(responseIP, 32), DNSFilterEngine::Policy(DNSFilterEngine::PolicyKind::Drop, DNSFilterEngine::PolicyType::ResponseIP));
+ zone->rmResponseTrigger(Netmask(responseIP, 31), DNSFilterEngine::Policy(DNSFilterEngine::PolicyKind::Drop, DNSFilterEngine::PolicyType::ResponseIP));
BOOST_CHECK_EQUAL(zone->size(), 0U);
/* DNSFilterEngine::clear() calls clear() on all zones, but keeps the zones */
projects / thirdparty / pdns.git / commitdiff
