iter = polmap.find(g_wildcarddnsname+s);
if(iter != polmap.end()) {
pol=iter->second;
+ pol.d_trigger = g_wildcarddnsname+s;
return true;
}
}
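Review bot: The wildcard candidate `g_wildcarddnsname+s` is built twice in this loop body, once for the lookup on the first line and again for the trigger on the added line; constructing it once keeps the trigger byte-identical to the key that actually matched and saves a DNSName concatenation per iteration. Suggest `const DNSName candidate = g_wildcarddnsname + s; iter = polmap.find(candidate);` and then `pol.d_trigger = candidate;` inside the hit branch. The enclosing function starts outside the hunk.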
const auto& it = polmap.find(qname);
if (it != polmap.end()) {
pol = it->second;
+ pol.d_trigger = qname;
return true;
}
}
if (z->findExactNSPolicy(qname, pol)) {
// cerr<<"Had a hit on the nameserver ("<<qname<<") used to process the query"<<endl;
+ pol.d_trigger = qname;
+ pol.d_trigger.appendRawLabel("rpz-nsdname");
return true;
}
for (const auto& wc : wcNames) {
if (z->findExactNSPolicy(wc, pol)) {
// cerr<<"Had a hit on the nameserver ("<<qname<<") used to process the query"<<endl;
+ pol.d_trigger = wc;
+ pol.d_trigger.appendRawLabel("rpz-nsdname");
return true;
}
}
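Review bot: The nameserver-name trigger is assembled inline at two sites in this hunk (`pol.d_trigger = qname;` and `pol.d_trigger = wc;`, each followed by `pol.d_trigger.appendRawLabel("rpz-nsdname");`), and the same two-statement shape recurs below for `rpz-nsip` and `rpz-ip`, so the RPZ suffix labels end up as string literals scattered through the function. A small helper per trigger kind, e.g. `static DNSName nsdnameTrigger(const DNSName& name)` that copies `name`, appends the `rpz-nsdname` label and returns it, would define the encoding once and make both sites a single assignment. The enclosing function starts before this hunk.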
if(z->findNSIPPolicy(address, pol)) {
// cerr<<"Had a hit on the nameserver ("<<address.toString()<<") used to process the query"<<endl;
+ // XXX should use ns RPZ
+ pol.d_trigger = Zone::maskToRPZ(address);
+ pol.d_trigger.appendRawLabel("rpz-nsip");
return true;
}
}
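Review bot: The NSIP trigger is derived from the queried `address` on the added line `pol.d_trigger = Zone::maskToRPZ(address);`, not from the netmask entry that matched inside `findNSIPPolicy`, so when an entry broader than a single host fires, `d_trigger` will presumably name the host rather than the configured rule; the same applies to `Zone::maskToRPZ(ca)` in the response-IP branch further down. Because the trigger is what an operator will use in logs and Lua to locate the rule that fired, it would be more faithful to have `findNSIPPolicy` hand back the matching `Netmask` (or fill the trigger itself), assuming that lookup currently exposes only the policy through its second argument. The added `// XXX should use ns RPZ` comment does not say what is missing; something like `// XXX trigger should be the matched netmask, not the looked-up address` would make the TODO actionable. The enclosing function starts outside the hunk.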
if (z->findExactQNamePolicy(qname, pol)) {
// cerr<<"Had a hit on the name of the query"<<endl;
+ pol.d_trigger = qname;
return true;
}
for (const auto& wc : wcNames) {
if (z->findExactQNamePolicy(wc, pol)) {
// cerr<<"Had a hit on the name of the query"<<endl;
+ pol.d_trigger = wc;
return true;
}
}
}
if (z->findResponsePolicy(ca, pol)) {
+ pol.d_trigger = Zone::maskToRPZ(ca);
+ pol.d_trigger.appendRawLabel("rpz-ip");
return true;
}
}
std::vector<std::shared_ptr<DNSRecordContent>> d_custom;
std::shared_ptr<PolicyZoneData> d_zoneData{nullptr};
+ DNSName d_trigger;
/* Yup, we are currently using the same TTL for every record for a given name */
int32_t d_ttl;
PolicyKind d_kind;
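Review bot: The new `d_trigger` member is added without a comment, while the neighbouring `d_ttl` carries one, and nothing in the header says what a trigger holds. From the call sites in filterpo.cc it is the RPZ trigger name that produced the match: the matched qname or wildcard, the nameserver name with an `rpz-nsdname` label appended, or the address converted by `maskToRPZ` with `rpz-nsip`/`rpz-ip` appended; a comment such as `/* The RPZ trigger (qname, wildcard, or address in rpz-ip/rpz-nsip/rpz-nsdname form) this policy was matched on; empty until a lookup sets it */` would save the next reader that search. The enclosing struct starts outside the hunk.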
d_zoneData->d_priority = p;
}
+ static DNSName maskToRPZ(const Netmask& nm);
+
private:
void addNameTrigger(std::unordered_map<DNSName,Policy>& map, const DNSName& n, Policy&& pol, bool ignoreDuplicate, PolicyType ptype);
void addNetmaskTrigger(NetmaskTree<Policy>& nmt, const Netmask& nm, Policy&& pol, bool ignoreDuplicate, PolicyType ptype);
bool rmNameTrigger(std::unordered_map<DNSName,Policy>& map, const DNSName& n, const Policy& pol);
bool rmNetmaskTrigger(NetmaskTree<Policy>& nmt, const Netmask& nm, const Policy& pol);
- static DNSName maskToRPZ(const Netmask& nm);
+ private:
static bool findExactNamedPolicy(const std::unordered_map<DNSName, DNSFilterEngine::Policy>& polmap, const DNSName& qname, DNSFilterEngine::Policy& pol);
static bool findNamedPolicy(const std::unordered_map<DNSName, DNSFilterEngine::Policy>& polmap, const DNSName& qname, DNSFilterEngine::Policy& pol);
static void dumpNamedPolicy(FILE* fp, const DNSName& name, const Policy& pol);
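Review bot: The added `private:` on the line after the removed `maskToRPZ` declaration looks redundant: the section is already private from the `private:` above `addNameTrigger`, and nothing between the two lines changes the access level, unless these are two separate hunks with an access specifier in elided lines. If they are adjacent as shown, dropping the second `private:` avoids a duplicate specifier. Moving `maskToRPZ` to the public section is justified, since the new trigger code in filterpo.cc calls it as `Zone::maskToRPZ` from outside the class. The enclosing class starts and ends outside the hunk.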
d_lw->registerMember("policyKind", &DNSFilterEngine::Policy::d_kind);
d_lw->registerMember("policyType", &DNSFilterEngine::Policy::d_type);
d_lw->registerMember("policyTTL", &DNSFilterEngine::Policy::d_ttl);
+ d_lw->registerMember("policyTrigger", &DNSFilterEngine::Policy::d_trigger);
d_lw->registerMember<DNSFilterEngine::Policy, std::string>("policyCustom",
[](const DNSFilterEngine::Policy& pol) -> std::string {
std::string result;
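Review bot: `policyTrigger` becomes visible to Lua scripts here, but the documentation hunk further down only adds `policyType`, so unless it is covered in a part of the commit not shown, `DNSQuestion.appliedPolicy.policyTrigger` should get its own `.. attribute::` entry in the same rst describing it as the RPZ name that matched (qname or wildcard, or the `rpz-ip`/`rpz-nsip`/`rpz-nsdname` form). Registering it through `registerMember` presumably makes it writable from Lua like the sibling `policyKind` and `policyTTL`; if scripts are not expected to rewrite the trigger, the docs should say so. The enclosing function starts outside the hunk.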
{"Custom", (int)DNSFilterEngine::PolicyKind::Custom }
}});
+ d_pd.push_back({"policytypes", in_t {
+ {"None", (int)DNSFilterEngine::PolicyType::None },
+ {"QName", (int)DNSFilterEngine::PolicyType::QName },
+ {"ClientIP", (int)DNSFilterEngine::PolicyType::ClientIP },
+ {"ResponseIP", (int)DNSFilterEngine::PolicyType::ResponseIP },
+ {"NSDName", (int)DNSFilterEngine::PolicyType::NSDName },
+ {"NSIP", (int)DNSFilterEngine::PolicyType::NSIP }
+ }});
+
for(const auto& n : QType::names)
d_pd.push_back({n.first, n.second});
Set by :ref:`policyName <rpz-policyName>` in the :func:`rpzFile` and :func:`rpzMaster` configuration items.
It is advised to overwrite this when modifying the :attr:`DNSQuestion.appliedPolicy.policyKind`
- .. attribute:: DNSQuestion.appliedPolicy.policyAction
-
- The action taken by the engine
+ .. attribute:: DNSQuestion.appliedPolicy.policyType
+
+ The type of match for the policy.
+
+ - ``pdns.policytypes.None`` the empty policy type
+ - ``pdns.policytypes.QName`` a match on qname
+ - ``pdns.policytypes.ClientIP`` a match on client IP
+ - ``pdns.policytypes.ResponseIP`` a match on response IP
+ - ``pdns.policytypes.NSDName`` a match on the name of a nameserver
+ - ``pdns.policytypes.NSIP`` a match on the IP of a nameserver
.. attribute:: DNSQuestion.appliedPolicy.policyCustom