rec: Add DNSFilterEngine::Policy::wasHit() to prevent code duplication

author Remi Gacogne <remi.gacogne@powerdns.com>

Wed, 26 Aug 2020 14:07:10 +0000 (16:07 +0200)

committer Remi Gacogne <remi.gacogne@powerdns.com>

Wed, 26 Aug 2020 14:07:10 +0000 (16:07 +0200)
author Remi Gacogne <remi.gacogne@powerdns.com>
Wed, 26 Aug 2020 14:07:10 +0000 (16:07 +0200)
committer Remi Gacogne <remi.gacogne@powerdns.com>
Wed, 26 Aug 2020 14:07:10 +0000 (16:07 +0200)
diff --git a/pdns/filterpo.hh b/pdns/filterpo.hh

index d1cac6ced699c8ce6c679412409ef13b31ff8cd1..b4503741444c93551c5cd5c45b57ab440795e0f0 100644 (file)
--- a/pdns/filterpo.hh
+++ b/pdns/filterpo.hh
@@ -147,6 +147,11 @@ public:
        return true;
      }
  
+    bool wasHit() const
+    {
+      return (d_type != DNSFilterEngine::PolicyType::None && d_kind != DNSFilterEngine::PolicyKind::NoAction);
+    }
+
      std::vector<DNSRecord> getCustomRecords(const DNSName& qname, uint16_t qtype) const;
      std::vector<DNSRecord> getRecords(const DNSName& qname) const;
  
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc

index 54e25c6404338fedd3b1e6d85d584b8368dd4bcb..b40ad57d11cb4544a61aa4e18369033ec041ac94 100644 (file)
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -1453,7 +1453,7 @@ static void startDoResolve(void *p)
      }
  
      // Check if the client has a policy attached to it
-    if (wantsRPZ && (appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction)) {
+    if (wantsRPZ && !appliedPolicy.wasHit()) {
  
        if (luaconfsLocal->dfe.getClientPolicy(dc->d_source, sr.d_discardedPolicies, appliedPolicy)) {
          mergePolicyTags(dc->d_policyTags, appliedPolicy.getTags());
@@ -1479,7 +1479,7 @@ static void startDoResolve(void *p)
            }
          }
  
-        if (appliedPolicy.d_type != DNSFilterEngine::PolicyType::None && appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) {
+        if (appliedPolicy.wasHit()) {
            policyOverride = true;
          }
        }
diff --git a/pdns/syncres.cc b/pdns/syncres.cc

index 52a1cb26f4f530a47f571ef43665cfc51b055b40..b6f647d38f70d41df12e81fe9b262012eb720aab 100644 (file)
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -647,7 +647,7 @@ int SyncRes::doResolve(const DNSName &qname, const QType &qtype, vector<DNSRecor
    auto luaconfsLocal = g_luaconfs.getLocal();
  
    /* Apply qname (including CNAME chain) filtering policies */
-  if (d_wantsRPZ && (d_appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || d_appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction)) {
+  if (d_wantsRPZ && !d_appliedPolicy.wasHit()) {
      if (luaconfsLocal->dfe.getQueryPolicy(qname, d_discardedPolicies, d_appliedPolicy)) {
        mergePolicyTags(d_policyTags, d_appliedPolicy.getTags());
        bool done = false;
@@ -882,12 +882,14 @@ int SyncRes::doResolveNoQNameMinimization(const DNSName &qname, const QType &qty
        // we will get the records from the cache, resulting in a small overhead.
        // This might be a real problem if we had a RPZ hit, though, because we do not want the processing to continue, since
        // RPZ rules will not be evaluated anymore (we already matched).
-      if (fromCache && (!d_cacheonly || (d_appliedPolicy.d_type != DNSFilterEngine::PolicyType::None && d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction))) {
+      const bool stoppedByPolicyHit = d_appliedPolicy.wasHit();
+
+      if (fromCache && (!d_cacheonly || stoppedByPolicyHit)) {
          *fromCache = true;
        }
        /* Apply Post filtering policies */
  
-      if (d_wantsRPZ && (d_appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || d_appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction)) {
+      if (d_wantsRPZ && !stoppedByPolicyHit) {
          auto luaLocal = g_luaconfs.getLocal();
          if (luaLocal->dfe.getPostPolicy(ret, d_discardedPolicies, d_appliedPolicy)) {
            mergePolicyTags(d_policyTags, d_appliedPolicy.getTags());
@@ -909,7 +911,7 @@ int SyncRes::doResolveNoQNameMinimization(const DNSName &qname, const QType &qty
          *fromCache = true;
        }
  
-      if (d_wantsRPZ && (d_appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || d_appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction)) {
+      if (d_wantsRPZ && !d_appliedPolicy.wasHit()) {
          auto luaLocal = g_luaconfs.getLocal();
          if (luaLocal->dfe.getPostPolicy(ret, d_discardedPolicies, d_appliedPolicy)) {
            mergePolicyTags(d_policyTags, d_appliedPolicy.getTags());
@@ -950,7 +952,7 @@ int SyncRes::doResolveNoQNameMinimization(const DNSName &qname, const QType &qty
    res = doResolveAt(nsset, subdomain, flawedNSSet, qname, qtype, ret, depth, beenthere, state, stopAtDelegation);
  
    /* Apply Post filtering policies */
-  if (d_wantsRPZ && (d_appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || d_appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction)) {
+  if (d_wantsRPZ && !d_appliedPolicy.wasHit()) {
      auto luaLocal = g_luaconfs.getLocal();
      if (luaLocal->dfe.getPostPolicy(ret, d_discardedPolicies, d_appliedPolicy)) {
        mergePolicyTags(d_policyTags, d_appliedPolicy.getTags());
@@ -2087,7 +2089,7 @@ bool SyncRes::nameserversBlockedByRPZ(const DNSFilterEngine& dfe, const NsSet& n
       the only way we can get back here is that it was a 'pass-thru' (NoAction) meaning that we should not
       process any further RPZ rules. Except that we need to process rules of higher priority..
    */
-  if (d_wantsRPZ && (d_appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || d_appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction)) {
+  if (d_wantsRPZ && !d_appliedPolicy.wasHit()) {
      for (auto const &ns : nameservers) {
        bool match = dfe.getProcessingPolicy(ns.first, d_discardedPolicies, d_appliedPolicy);
        if (match) {
@@ -2122,7 +2124,7 @@ bool SyncRes::nameserverIPBlockedByRPZ(const DNSFilterEngine& dfe, const ComboAd
       the only way we can get back here is that it was a 'pass-thru' (NoAction) meaning that we should not
       process any further RPZ rules. Except that we need to process rules of higher priority..
    */
-  if (d_wantsRPZ && (d_appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || d_appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction)) {
+  if (d_wantsRPZ && !d_appliedPolicy.wasHit()) {
      bool match = dfe.getProcessingPolicy(remoteIP, d_discardedPolicies, d_appliedPolicy);
      if (match) {
        mergePolicyTags(d_policyTags, d_appliedPolicy.getTags());
@@ -3728,7 +3730,7 @@ bool SyncRes::processAnswer(unsigned int depth, LWResult& lwr, const DNSName& qn
  
      nameservers.clear();
      for (auto const &nameserver : nsset) {
-      if (d_wantsRPZ && (d_appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || d_appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction)) {
+      if (d_wantsRPZ && !d_appliedPolicy.wasHit()) {
          bool match = dfe.getProcessingPolicy(nameserver, d_discardedPolicies, d_appliedPolicy);
          if (match) {
            mergePolicyTags(d_policyTags, d_appliedPolicy.getTags());
author	Remi Gacogne <remi.gacogne@powerdns.com>
	Wed, 26 Aug 2020 14:07:10 +0000 (16:07 +0200)
committer	Remi Gacogne <remi.gacogne@powerdns.com>
	Wed, 26 Aug 2020 14:07:10 +0000 (16:07 +0200)
pdns/filterpo.hh		patch \| blob \| blame \| history
pdns/pdns_recursor.cc		patch \| blob \| blame \| history
pdns/syncres.cc		patch \| blob \| blame \| history