First stab at solving the issue when gettag_ffi sets an answer but
authorOtto Moerbeek <otto.moerbeek@open-xchange.com>
Fri, 5 Jun 2020 09:51:18 +0000 (11:51 +0200)
committerOtto Moerbeek <otto.moerbeek@open-xchange.com>
Fri, 5 Jun 2020 09:51:18 +0000 (11:51 +0200)
we also have an RPZ hit.

pdns/pdns_recursor.cc

index 6d4914589a97b85c0b1c3c7cbddf876da3d221bb..74547a626797c65b35e34093c61886397e1039cc 100644 (file)
@@ -1431,16 +1431,6 @@ static void startDoResolve(void *p)
       sr.setCacheOnly();
     }
 
-    if (dc->d_rcode != boost::none) {
-      /* we have a response ready to go, most likely from gettag_ffi */
-      ret = std::move(dc->d_records);
-      res = *dc->d_rcode;
-      if (res == RCode::NoError && dc->d_followCNAMERecords) {
-        res = followCNAMERecords(ret, QType(dc->d_mdp.d_qtype));
-      }
-      goto haveAnswer;
-    }
-
     if (t_pdl) {
       t_pdl->prerpz(dq, res);
     }
@@ -1452,6 +1442,21 @@ static void startDoResolve(void *p)
       }
     }
 
+    // If we are doing RPZ and a policy was matched, it takes precedence over an answer from gettag_ffi
+    // So process the gettag_ffi answer only if no RPZ action was done or matched
+    // This might need more sophistication for the type != None && kind == NoAction case...
+    if (!wantsRPZ || appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction) {
+      if (dc->d_rcode != boost::none) {
+        /* we have a response ready to go, most likely from gettag_ffi */
+        ret = std::move(dc->d_records);
+        res = *dc->d_rcode;
+        if (res == RCode::NoError && dc->d_followCNAMERecords) {
+          res = followCNAMERecords(ret, QType(dc->d_mdp.d_qtype));
+        }
+        goto haveAnswer;
+      }
+    }
+
     // if there is a RecursorLua active, and it 'took' the query in preResolve, we don't launch beginResolve
     if (!t_pdl || !t_pdl->preresolve(dq, res)) {
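Review bot: The precedence test on the added `if (!wantsRPZ || appliedPolicy.d_type == ... )` line only consults what `appliedPolicy` holds at this point in startDoResolve, so whenever no policy has matched yet a gettag_ffi answer still goes straight to `goto haveAnswer`. As far as this hunk shows, the names chased by `followCNAMERecords(ret, ...)` on that path are not checked against RPZ; that should be confirmed and pinned with a regression test covering a gettag_ffi CNAME answer whose target is listed in a policy zone. Moving the block below `t_pdl->prerpz(dq, res)` also means the prerpz hook now runs for queries gettag_ffi has already answered, which the comment should state. The condition would be easier to audit as a named flag, `const bool rpzOverridesTag = wantsRPZ && appliedPolicy.d_type != DNSFilterEngine::PolicyType::None && appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction;` followed by `if (!rpzOverridesTag && dc->d_rcode != boost::none) {`. startDoResolve begins and ends outside the hunk, so what the `haveAnswer` path does afterwards is not visible here.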