Document new Lua dq fields and centralize logging in handle olicyHit functions.
authorOtto Moerbeek <otto.moerbeek@open-xchange.com>
Fri, 28 Aug 2020 09:29:33 +0000 (11:29 +0200)
committerOtto Moerbeek <otto.moerbeek@open-xchange.com>
Fri, 28 Aug 2020 09:29:33 +0000 (11:29 +0200)
Plus corrections from review.

pdns/filterpo.cc
pdns/pdns_recursor.cc
pdns/recursordist/docs/lua-scripting/dq.rst
pdns/syncres.cc

index 6de5c9bdacae3aaf47a2140b66ee1223f4d47f8b..b5f66d8f6a60e0ff768469f158d393f070ae8e84 100644 (file)
@@ -27,7 +27,7 @@
 #include "namespaces.hh"
 #include "dnsrecords.hh"
 
-// Names below are RPZ Actions and end with a dot (execpt "Local Data")
+// Names below are RPZ Actions and end with a dot (except "Local Data")
 static const std::string rpzDropName("rpz-drop."),
   rpzTruncateName("rpz-tcp-only."),
   rpzNoActionName("rpz-passthru."),
@@ -106,7 +106,7 @@ bool DNSFilterEngine::Zone::findNamedPolicy(const std::unordered_map<DNSName, DN
     iter = polmap.find(g_wildcarddnsname+s);
     if(iter != polmap.end()) {
       pol=iter->second;
-      pol.d_trigger = g_wildcarddnsname+s;
+      pol.d_trigger = iter->first;
       pol.d_hit = qname.toStringNoDot();
       return true;
     }
index aaec67a0c066fece50298e66e38778167a6926f7..71a61f517b85a54f66ab56f411df159d3fb77b38 100644 (file)
@@ -889,6 +889,10 @@ static PolicyResult handlePolicyHit(const DNSFilterEngine::Policy& appliedPolicy
     ++g_stats.policyResults[appliedPolicy.d_kind];
   }
 
+  if (sr.doLog() &&  appliedPolicy.d_type != DNSFilterEngine::PolicyType::None) {
+    g_log << Logger::Warning << dc->d_mdp.d_qname << "|" << QType(dc->d_mdp.d_qtype).getName() << appliedPolicy.getLogString() << endl;
+  }
+
   switch (appliedPolicy.d_kind) {
 
   case DNSFilterEngine::PolicyKind::NoAction:
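Review bot: The message built at line 39, `dc->d_mdp.d_qname << "|" << QType(dc->d_mdp.d_qtype).getName() << appliedPolicy.getLogString()`, is the same shape as the one SyncRes::handlePolicyHit builds in syncres.cc, so after this "centralizing" change the format is still maintained in two places; a shared helper such as `static std::string policyHitLogLine(const DNSName& qname, QType qtype, const DNSFilterEngine::Policy& pol)` (or a `getLogString` overload taking the name and type) would keep the two outputs from drifting. The double space in `sr.doLog() &&  appliedPolicy` was carried over from the removed block and should be collapsed. The line is gated on `sr.doLog()`, which matters because any client can trigger a policy hit by querying a listed name, so the Warning line must stay off in normal operation. The enclosing handlePolicyHit starts before and continues past this hunk.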
@@ -1569,10 +1573,6 @@ static void startDoResolve(void *p)
           goto haveAnswer;
         }
         else if (policyResult == PolicyResult::Drop) {
-          if (sr.doLog()) {
-            g_log << Logger::Warning << dc->d_mdp.d_qname << "|" << QType(dc->d_mdp.d_qtype).getName() << appliedPolicy.getLogString() << endl;
-          }
-          g_stats.policyDrops++;
           return;
         }
       }
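Review bot: The `g_stats.policyDrops++` removed from the Drop branch here has no visible replacement anywhere in this diff; `++g_stats.policyResults[appliedPolicy.d_kind]` at line 35 is a per-kind counter and may be the intended successor, but unless the `Drop` case of handlePolicyHit (not shown) bumps `policyDrops`, the policy-drops metric silently stops counting after this commit. Please confirm that case does `g_stats.policyDrops++;`, or state in the commit message that the metric is now derived from `policyResults`. The enclosing startDoResolve starts before and continues past this hunk.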
@@ -1621,9 +1621,6 @@ static void startDoResolve(void *p)
         }
       }
     }
-    if (sr.doLog() &&  appliedPolicy.d_type != DNSFilterEngine::PolicyType::None) {
-      g_log << Logger::Warning << dc->d_mdp.d_qname << "|" << QType(dc->d_mdp.d_qtype).getName() << appliedPolicy.getLogString() << endl;
-    }
 
     if(res == -1) {
       pw.getHeader()->rcode=RCode::ServFail;
index 343b00bd7e94ffe388befc74b83d15690a9f729d..550830c2c234aae72851c950c1c78f3148027c95 100644 (file)
@@ -92,6 +92,14 @@ The DNSQuestion object contains at least the following fields:
 
         The TTL in seconds for the ``pdns.policyactions.Custom`` response
 
+    .. attribute:: DNSQuestion.appliedPolicy.policyTrigger
+
+        The trigger (left-hand) part of the RPZ rule that was matched
+
+  .. attribute:: DNSQuestion.appliedPolicy.policyHit
+
+        The value that was matched. This is a string representing a name or an address.
+
   .. attribute:: DNSQuestion.wantsRPZ
 
       A boolean that indicates the use of the Policy Engine.
index 4f3ecb3886c4932794d7382746d995844f811a40..efa6343b2cda1b188da5fba5c8c810e965ae0043 100644 (file)
@@ -2028,6 +2028,10 @@ void SyncRes::handlePolicyHit(const std::string& prefix, const DNSName& qname, c
     ++g_stats.policyResults[d_appliedPolicy.d_kind];
   }
 
+  if (d_appliedPolicy.d_type != DNSFilterEngine::PolicyType::None) {
+    LOG(prefix << qname << "|" << qtype.getName() << d_appliedPolicy.getLogString() << endl);
+  }
+
   switch (d_appliedPolicy.d_kind) {
 
   case DNSFilterEngine::PolicyKind::NoAction:
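Review bot: Unlike the recursor-side copy, which is guarded by `sr.doLog()`, the new `LOG(prefix << qname << "|" << qtype.getName() << d_appliedPolicy.getLogString() << endl)` at line 88 has no visible gate in this hunk; if `LOG` is not itself conditional on the trace/log mode, every policy hit would emit a Warning-level line, and since any client can query a listed name that is a cheap log-flooding vector. Confirm `LOG` is gated by the log mode (and that a stored trace still receives the hit), or wrap the call in `if (doLog())`. The `endl` forces a flush per hit; `'\n'` suffices unless the macro depends on flushing. SyncRes::handlePolicyHit starts before and continues past this hunk.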