Split the ClientIP and QName processing for RPZ.

author Otto Moerbeek <otto.moerbeek@open-xchange.com>

Wed, 15 Jul 2020 09:05:35 +0000 (11:05 +0200)

committer Remi Gacogne <remi.gacogne@powerdns.com>

Mon, 24 Aug 2020 14:51:03 +0000 (16:51 +0200)
author Otto Moerbeek <otto.moerbeek@open-xchange.com>
Wed, 15 Jul 2020 09:05:35 +0000 (11:05 +0200)
committer Remi Gacogne <remi.gacogne@powerdns.com>
Mon, 24 Aug 2020 14:51:03 +0000 (16:51 +0200)
diff --git a/pdns/filterpo.cc b/pdns/filterpo.cc

index 4966b73d7a944416ef0ba59774616de69831b171..2ec5d3a0cd772dccbbf92a32411574098abfb393 100644 (file)
--- a/pdns/filterpo.cc
+++ b/pdns/filterpo.cc
@@ -198,9 +198,8 @@ bool DNSFilterEngine::getProcessingPolicy(const ComboAddress& address, const std
    return false;
  }
  
-bool DNSFilterEngine::getQueryPolicy(const DNSName& qname, const ComboAddress& ca, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& pol) const
+bool DNSFilterEngine::getClientPolicy(const ComboAddress& ca, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& pol) const
  {
-  // cout<<"Got question for "<<qname<<" from "<<ca.toString()<<endl;
    std::vector<bool> zoneEnabled(d_zones.size());
    size_t count = 0;
    bool allEmpty = true;
@@ -214,7 +213,7 @@ bool DNSFilterEngine::getQueryPolicy(const DNSName& qname, const ComboAddress& c
          enabled = false;
        }
        else {
-        if (z->hasQNamePolicies() || z->hasClientPolicies()) {
+        if (z->hasClientPolicies()) {
            allEmpty = false;
          }
          else {
@@ -228,6 +227,59 @@ bool DNSFilterEngine::getQueryPolicy(const DNSName& qname, const ComboAddress& c
    }
  
    if (allEmpty) {
+    cerr << " allempty" << endl;
+    return false;
+  }
+
+  count = 0;
+  for (const auto& z : d_zones) {
+    if (!zoneEnabled[count]) {
+      ++count;
+      continue;
+    }
+
+    if (z->findClientPolicy(ca, pol)) {
+      // cerr<<"Had a hit on the IP address ("<<ca.toString()<<") of the client"<<endl;
+      return true;
+    }
+
+    ++count;
+  }
+
+  return false;
+}
+
+bool DNSFilterEngine::getQueryPolicy(const DNSName& qname, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& pol) const
+{
+  cerr<<"Got question for "<<qname<<' '<< pol.getPriority()<< endl;
+  std::vector<bool> zoneEnabled(d_zones.size());
+  size_t count = 0;
+  bool allEmpty = true;
+  for (const auto& z : d_zones) {
+    bool enabled = true;
+    if (z->getPriority() >= pol.getPriority()) {
+      enabled = false;
+    } else {
+      const auto& zoneName = z->getName();
+      if (discardedPolicies.find(zoneName) != discardedPolicies.end()) {
+        enabled = false;
+      }
+      else {
+        if (z->hasQNamePolicies()) {
+          allEmpty = false;
+        }
+        else {
+          enabled = false;
+        }
+      }
+    }
+
+    zoneEnabled[count] = enabled;
+    ++count;
+  }
+
+  if (allEmpty) {
+    cerr << " allempty" << endl;
      return false;
    }
  
@@ -246,11 +298,6 @@ bool DNSFilterEngine::getQueryPolicy(const DNSName& qname, const ComboAddress& c
        continue;
      }
  
-    if (z->findClientPolicy(ca, pol)) {
-      // cerr<<"Had a hit on the IP address ("<<ca.toString()<<") of the client"<<endl;
-      return true;
-    }
-
      if (z->findExactQNamePolicy(qname, pol)) {
        // cerr<<"Had a hit on the name of the query"<<endl;
        return true;
@@ -262,7 +309,7 @@ bool DNSFilterEngine::getQueryPolicy(const DNSName& qname, const ComboAddress& c
          return true;
        }
      }
-
+    cerr << "no hit on " << qname << endl;
      ++count;
    }
  
diff --git a/pdns/filterpo.hh b/pdns/filterpo.hh

index 1a0476b7905e24e0825f4d52f50c7d3936389642..8dac89e37326476ce348e411f810d1e8e0442177 100644 (file)
--- a/pdns/filterpo.hh
+++ b/pdns/filterpo.hh
@@ -342,17 +342,26 @@ public:
      }
    }
  
-  bool getQueryPolicy(const DNSName& qname, const ComboAddress& nm, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& policy) const;
+  bool getQueryPolicy(const DNSName& qname, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& policy) const;
+  bool getClientPolicy(const ComboAddress& ca, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& policy) const;
    bool getProcessingPolicy(const DNSName& qname, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& policy) const;
    bool getProcessingPolicy(const ComboAddress& address, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& policy) const;
    bool getPostPolicy(const vector<DNSRecord>& records, const std::unordered_map<std::string,bool>& discardedPolicies, Policy& policy) const;
  
    // A few convenience methods for the unit test code
-  Policy getQueryPolicy(const DNSName& qname, const ComboAddress& nm, const std::unordered_map<std::string,bool>& discardedPolicies, Priority p) const {
+  Policy getQueryPolicy(const DNSName& qname, const std::unordered_map<std::string,bool>& discardedPolicies, Priority p) const {
      Policy policy;
      policy.d_zoneData = std::make_shared<PolicyZoneData>();
      policy.d_zoneData->d_priority = p;
-    getQueryPolicy(qname, nm, discardedPolicies, policy);
+    getQueryPolicy(qname, discardedPolicies, policy);
+    return policy;
+  }
+
+  Policy getClientPolicy(const ComboAddress& ca, const std::unordered_map<std::string,bool>& discardedPolicies, Priority p) const {
+    Policy policy;
+    policy.d_zoneData = std::make_shared<PolicyZoneData>();
+    policy.d_zoneData->d_priority = p;
+    getClientPolicy(ca, discardedPolicies, policy);
      return policy;
    }
  
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc

index 8d1d1686191d250f2feb2a1052cc270fca459071..3cbdfabe0bf6b42739359ced202c54ac8d3b3ee9 100644 (file)
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -1454,9 +1454,16 @@ static void startDoResolve(void *p)
  
      // Check if the query has a policy attached to it
      if (wantsRPZ && (appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction)) {
-      if (luaconfsLocal->dfe.getQueryPolicy(dc->d_mdp.d_qname, dc->d_source, sr.d_discardedPolicies, appliedPolicy)) {
+
+      if (luaconfsLocal->dfe.getClientPolicy(dc->d_source, sr.d_discardedPolicies, appliedPolicy)) {
          mergePolicyTags(dc->d_policyTags, appliedPolicy.getTags());
        }
+ 
+      if ((appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction)) {
+        if (luaconfsLocal->dfe.getQueryPolicy(dc->d_mdp.d_qname, sr.d_discardedPolicies, appliedPolicy)) {
+          mergePolicyTags(dc->d_policyTags, appliedPolicy.getTags());
+        }
+      }
      }
  
      // If we are doing RPZ and a policy was matched, it normally takes precedence over an answer from gettag.
diff --git a/pdns/recursordist/test-filterpo_cc.cc b/pdns/recursordist/test-filterpo_cc.cc

index 67c0827d1c690fb50cdb6bc9d2a14c703d65d78e..181f0981e1ca7c01ecc7c7b12aa11c3f8418d7c3 100644 (file)
--- a/pdns/recursordist/test-filterpo_cc.cc
+++ b/pdns/recursordist/test-filterpo_cc.cc
@@ -122,7 +122,7 @@ BOOST_AUTO_TEST_CASE(test_filter_policies_basic)
  
    {
      /* blocked qname */
-    auto matchingPolicy = dfe.getQueryPolicy(blockedName, ComboAddress("192.0.2.142"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
+    auto matchingPolicy = dfe.getQueryPolicy(blockedName, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::QName);
      BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Drop);
      DNSFilterEngine::Policy zonePolicy;
@@ -130,19 +130,19 @@ BOOST_AUTO_TEST_CASE(test_filter_policies_basic)
      BOOST_CHECK(zonePolicy == matchingPolicy);
  
      /* but a subdomain should not be blocked (not a wildcard, and this is not suffix domain matching */
-    matchingPolicy = dfe.getQueryPolicy(DNSName("sub") + blockedName, ComboAddress("192.0.2.142"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
+    matchingPolicy = dfe.getQueryPolicy(DNSName("sub") + blockedName, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::None);
      BOOST_CHECK(zone->findExactQNamePolicy(DNSName("sub") + blockedName, zonePolicy) == false);
    }
  
    {
      /* blocked NS name via wildcard */
-    const auto matchingPolicy = dfe.getQueryPolicy(DNSName("sub.sub.wildcard-blocked."), ComboAddress("192.0.2.142"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
+    const auto matchingPolicy = dfe.getQueryPolicy(DNSName("sub.sub.wildcard-blocked."), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::QName);
      BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Drop);
  
      /* looking for wildcard-blocked. should not match *.wildcard-blocked. */
-    const auto notMatchingPolicy = dfe.getQueryPolicy(DNSName("wildcard-blocked."), ComboAddress("192.0.2.142"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
+    const auto notMatchingPolicy = dfe.getQueryPolicy(DNSName("wildcard-blocked."), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
      BOOST_CHECK(notMatchingPolicy.d_type == DNSFilterEngine::PolicyType::None);
  
      /* a direct lookup would not match */
@@ -155,7 +155,7 @@ BOOST_AUTO_TEST_CASE(test_filter_policies_basic)
  
    {
      /* blocked client IP */
-    const auto matchingPolicy = dfe.getQueryPolicy(DNSName("totally.legit."), clientIP, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
+    const auto matchingPolicy = dfe.getClientPolicy(clientIP, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::ClientIP);
      BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Drop);
      DNSFilterEngine::Policy zonePolicy;
@@ -165,7 +165,7 @@ BOOST_AUTO_TEST_CASE(test_filter_policies_basic)
  
    {
      /* not blocked */
-    const auto matchingPolicy = dfe.getQueryPolicy(DNSName("totally.legit."), ComboAddress("192.0.2.142"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
+    const auto matchingPolicy = dfe.getClientPolicy(ComboAddress("192.0.2.142"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::None);
      DNSFilterEngine::Policy zonePolicy;
      BOOST_CHECK(zone->findClientPolicy(ComboAddress("192.0.2.142"), zonePolicy) == false);
@@ -246,14 +246,14 @@ BOOST_AUTO_TEST_CASE(test_filter_policies_wildcard_with_enc)
  
    {
      const DNSName tstName("bcbsks.com.102.112.2o7.net.");
-    auto matchingPolicy = dfe.getQueryPolicy(tstName, address, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
+    auto matchingPolicy = dfe.getQueryPolicy(tstName, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::QName);
      BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction);
    }
  
    {
      const DNSName tstName("2o7.net.");
-    auto matchingPolicy = dfe.getQueryPolicy(tstName, address, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
+    auto matchingPolicy = dfe.getQueryPolicy(tstName, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::QName);
      BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Drop);
    }
@@ -263,28 +263,28 @@ BOOST_AUTO_TEST_CASE(test_filter_policies_wildcard_with_enc)
  
    {
      const DNSName tstName("112.2o7.net.");
-    auto matchingPolicy = dfe.getQueryPolicy(tstName, address, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
+    auto matchingPolicy = dfe.getQueryPolicy(tstName, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
      BOOST_WARN_MESSAGE(matchingPolicy.d_type == DNSFilterEngine::PolicyType::None, m);
      BOOST_WARN_MESSAGE(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction, m);
    }
  
    {
      const DNSName tstName("102.112.2o7.net.");
-    auto matchingPolicy = dfe.getQueryPolicy(tstName, address, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
+    auto matchingPolicy = dfe.getQueryPolicy(tstName, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
      BOOST_WARN_MESSAGE(matchingPolicy.d_type == DNSFilterEngine::PolicyType::None, m);
      BOOST_WARN_MESSAGE(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction, m);
    }
  
    {
      const DNSName tstName("com.112.2o7.net.");
-    auto matchingPolicy = dfe.getQueryPolicy(tstName, address, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
+    auto matchingPolicy = dfe.getQueryPolicy(tstName, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
      BOOST_WARN_MESSAGE(matchingPolicy.d_type == DNSFilterEngine::PolicyType::None, m);
      BOOST_WARN_MESSAGE(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction, m);
    }
  
    {
      const DNSName tstName("wcmatch.2o7.net.");
-    auto matchingPolicy = dfe.getQueryPolicy(tstName, address, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
+    auto matchingPolicy = dfe.getQueryPolicy(tstName, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::QName);
      BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Drop);
    }
@@ -317,7 +317,7 @@ BOOST_AUTO_TEST_CASE(test_filter_policies_local_data)
  
    {
      /* exact type does not exist, but we have a CNAME */
-    const auto matchingPolicy = dfe.getQueryPolicy(bad1, ComboAddress("192.0.2.142"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
+    const auto matchingPolicy = dfe.getQueryPolicy(bad1, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::QName);
      BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Custom);
      auto records = matchingPolicy.getCustomRecords(bad1, QType::A);
@@ -332,7 +332,7 @@ BOOST_AUTO_TEST_CASE(test_filter_policies_local_data)
  
    {
      /* exact type exists */
-    const auto matchingPolicy = dfe.getQueryPolicy(bad2, ComboAddress("192.0.2.142"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
+    const auto matchingPolicy = dfe.getQueryPolicy(bad2, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::QName);
      BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Custom);
  
@@ -381,7 +381,7 @@ BOOST_AUTO_TEST_CASE(test_filter_policies_local_data)
  
    {
      /* exact type exists */
-    const auto matchingPolicy = dfe.getQueryPolicy(bad2, ComboAddress("192.0.2.142"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
+    const auto matchingPolicy = dfe.getQueryPolicy(bad2, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::QName);
      BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Custom);
  
@@ -436,7 +436,7 @@ BOOST_AUTO_TEST_CASE(test_filter_policies_local_data_netmask)
    dfe.addZone(zone);
  
    { // A query should match two records
-    const auto matchingPolicy = dfe.getQueryPolicy(name, ComboAddress("192.168.1.1"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
+    const auto matchingPolicy = dfe.getClientPolicy(ComboAddress("192.168.1.1"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::ClientIP);
      BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Custom);
      auto records = matchingPolicy.getCustomRecords(DNSName(), QType::A);
@@ -457,7 +457,7 @@ BOOST_AUTO_TEST_CASE(test_filter_policies_local_data_netmask)
    }
  
    { // AAAA query should match 1 record
-    const auto matchingPolicy = dfe.getQueryPolicy(name, ComboAddress("192.168.1.1"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
+    const auto matchingPolicy = dfe.getClientPolicy(ComboAddress("192.168.1.1"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::ClientIP);
      BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Custom);
      auto records = matchingPolicy.getCustomRecords(DNSName(), QType::AAAA);
@@ -483,7 +483,7 @@ BOOST_AUTO_TEST_CASE(test_filter_policies_local_data_netmask)
    zone->rmClientTrigger(nm1, DNSFilterEngine::Policy(DNSFilterEngine::PolicyKind::Custom, DNSFilterEngine::PolicyType::ClientIP, 0, nullptr, {DNSRecordContent::mastermake(QType::A, QClass::IN, "1.2.3.5")}));
  
    { // A query should match one record now
-    const auto matchingPolicy = dfe.getQueryPolicy(name, ComboAddress("192.168.1.1"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
+    const auto matchingPolicy = dfe.getClientPolicy(ComboAddress("192.168.1.1"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::ClientIP);
      BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Custom);
      auto records = matchingPolicy.getCustomRecords(DNSName(), QType::A);
@@ -496,7 +496,7 @@ BOOST_AUTO_TEST_CASE(test_filter_policies_local_data_netmask)
      BOOST_CHECK_EQUAL(content1->getCA().toString(), "1.2.3.4");
    }
    { // AAAA query should still match one record
-    const auto matchingPolicy = dfe.getQueryPolicy(name, ComboAddress("192.168.1.1"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
+    const auto matchingPolicy = dfe.getClientPolicy(ComboAddress("192.168.1.1"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::ClientIP);
      BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Custom);
      auto records = matchingPolicy.getCustomRecords(DNSName(), QType::AAAA);
@@ -516,7 +516,7 @@ BOOST_AUTO_TEST_CASE(test_filter_policies_local_data_netmask)
    zone->rmClientTrigger(nm1, DNSFilterEngine::Policy(DNSFilterEngine::PolicyKind::Custom, DNSFilterEngine::PolicyType::ClientIP, 0, nullptr, {DNSRecordContent::mastermake(QType::A, QClass::IN, "1.2.3.4")}));
  
    { // AAAA query should still match one record
-    const auto matchingPolicy = dfe.getQueryPolicy(name, ComboAddress("192.168.1.1"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
+    const auto matchingPolicy = dfe.getClientPolicy(ComboAddress("192.168.1.1"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::ClientIP);
      BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Custom);
      auto records = matchingPolicy.getCustomRecords(DNSName(), QType::AAAA);
@@ -533,7 +533,7 @@ BOOST_AUTO_TEST_CASE(test_filter_policies_local_data_netmask)
    zone->rmClientTrigger(nm1, DNSFilterEngine::Policy(DNSFilterEngine::PolicyKind::Custom, DNSFilterEngine::PolicyType::ClientIP, 0, nullptr, {DNSRecordContent::mastermake(QType::AAAA, QClass::IN, "::1234")}));
  
    { // there should be no match left
-    const auto matchingPolicy = dfe.getQueryPolicy(name, ComboAddress("192.168.1.1"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
+    const auto matchingPolicy = dfe.getClientPolicy(ComboAddress("192.168.1.1"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::None);
      BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction);
    }
@@ -563,7 +563,7 @@ BOOST_AUTO_TEST_CASE(test_multiple_filter_policies)
  
    {
      /* zone 1 should match first */
-    const auto matchingPolicy = dfe.getQueryPolicy(bad, ComboAddress("192.0.2.142"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
+    const auto matchingPolicy = dfe.getQueryPolicy(bad, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::QName);
      BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Custom);
      auto records = matchingPolicy.getCustomRecords(bad, QType::A);
@@ -578,7 +578,7 @@ BOOST_AUTO_TEST_CASE(test_multiple_filter_policies)
  
    {
      /* zone 2 has an exact match for badUnderWildcard, but the wildcard from the first zone should match first */
-    const auto matchingPolicy = dfe.getQueryPolicy(badUnderWildcard, ComboAddress("192.0.2.142"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
+    const auto matchingPolicy = dfe.getQueryPolicy(badUnderWildcard, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::QName);
      BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Custom);
      auto records = matchingPolicy.getCustomRecords(badUnderWildcard, QType::A);
@@ -593,7 +593,7 @@ BOOST_AUTO_TEST_CASE(test_multiple_filter_policies)
  
    {
      /* zone 1 should still match if zone 2 has been disabled */
-    const auto matchingPolicy = dfe.getQueryPolicy(bad, ComboAddress("192.0.2.142"), {{zone2->getName(), true}}, DNSFilterEngine::maximumPriority);
+    const auto matchingPolicy = dfe.getQueryPolicy(bad, {{zone2->getName(), true}}, DNSFilterEngine::maximumPriority);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::QName);
      BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Custom);
      auto records = matchingPolicy.getCustomRecords(bad, QType::A);
@@ -608,7 +608,7 @@ BOOST_AUTO_TEST_CASE(test_multiple_filter_policies)
  
    {
      /* if zone 1 is disabled, zone 2 should match */
-    const auto matchingPolicy = dfe.getQueryPolicy(bad, ComboAddress("192.0.2.142"), {{zone1->getName(), true}}, DNSFilterEngine::maximumPriority);
+    const auto matchingPolicy = dfe.getQueryPolicy(bad, {{zone1->getName(), true}}, DNSFilterEngine::maximumPriority);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::QName);
      BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Custom);
      auto records = matchingPolicy.getCustomRecords(bad, QType::A);
@@ -623,7 +623,7 @@ BOOST_AUTO_TEST_CASE(test_multiple_filter_policies)
  
    {
      /* if both zones are disabled, we should not match */
-    const auto matchingPolicy = dfe.getQueryPolicy(bad, ComboAddress("192.0.2.142"), {{zone1->getName(), true}, {zone2->getName(), true}}, DNSFilterEngine::maximumPriority);
+    const auto matchingPolicy = dfe.getQueryPolicy(bad, {{zone1->getName(), true}, {zone2->getName(), true}}, DNSFilterEngine::maximumPriority);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::None);
    }
  }
@@ -663,7 +663,7 @@ BOOST_AUTO_TEST_CASE(test_multiple_filter_policies_order)
  
    {
      /* client IP should match before qname */
-    const auto matchingPolicy = dfe.getQueryPolicy(bad, ComboAddress("192.0.2.128"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
+    const auto matchingPolicy = dfe.getClientPolicy(ComboAddress("192.0.2.128"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::ClientIP);
      BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Custom);
      auto records = matchingPolicy.getCustomRecords(bad, QType::A);
@@ -678,14 +678,14 @@ BOOST_AUTO_TEST_CASE(test_multiple_filter_policies_order)
  
    {
      /* client IP and qname should match, but zone 1 is disabled and zone2's priority is too high */
-    const auto matchingPolicy = dfe.getQueryPolicy(bad, ComboAddress("192.0.2.128"), {{zone1->getName(), true}}, 1);
+    const auto matchingPolicy = dfe.getClientPolicy(ComboAddress("192.0.2.128"), {{zone1->getName(), true}}, 1);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::None);
      BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction);
    }
  
    {
      /* zone 1 should match first */
-    const auto matchingPolicy = dfe.getQueryPolicy(bad, ComboAddress("192.0.2.142"), std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
+    const auto matchingPolicy = dfe.getQueryPolicy(bad, std::unordered_map<std::string, bool>(), DNSFilterEngine::maximumPriority);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::QName);
      BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Custom);
      auto records = matchingPolicy.getCustomRecords(bad, QType::A);
@@ -700,7 +700,7 @@ BOOST_AUTO_TEST_CASE(test_multiple_filter_policies_order)
  
    {
      /* zone 1 should still match if we require a priority < 1 */
-    const auto matchingPolicy = dfe.getQueryPolicy(bad, ComboAddress("192.0.2.142"), std::unordered_map<std::string, bool>(), 1);
+    const auto matchingPolicy = dfe.getQueryPolicy(bad, std::unordered_map<std::string, bool>(), 1);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::QName);
      BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Custom);
      auto records = matchingPolicy.getCustomRecords(bad, QType::A);
@@ -715,14 +715,14 @@ BOOST_AUTO_TEST_CASE(test_multiple_filter_policies_order)
  
    {
      /* nothing should match if we require a priority < 0 */
-    const auto matchingPolicy = dfe.getQueryPolicy(bad, ComboAddress("192.0.2.142"), std::unordered_map<std::string, bool>(), 0);
+    const auto matchingPolicy = dfe.getQueryPolicy(bad, std::unordered_map<std::string, bool>(), 0);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::None);
      BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction);
    }
  
    {
      /* if we disable zone 1, zone 2 should match */
-    const auto matchingPolicy = dfe.getQueryPolicy(bad, ComboAddress("192.0.2.142"), {{zone1->getName(), true}}, DNSFilterEngine::maximumPriority);
+    const auto matchingPolicy = dfe.getQueryPolicy(bad, {{zone1->getName(), true}}, DNSFilterEngine::maximumPriority);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::QName);
      BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Custom);
      auto records = matchingPolicy.getCustomRecords(bad, QType::A);
@@ -737,7 +737,7 @@ BOOST_AUTO_TEST_CASE(test_multiple_filter_policies_order)
  
    {
      /* if we disable zone 1, zone 2 should match, except if we require a priority < 1 */
-    const auto matchingPolicy = dfe.getQueryPolicy(bad, ComboAddress("192.0.2.142"), {{zone1->getName(), true}}, 1);
+    const auto matchingPolicy = dfe.getQueryPolicy(bad, {{zone1->getName(), true}}, 1);
      BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::None);
      BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction);
    }
author	Otto Moerbeek <otto.moerbeek@open-xchange.com>
	Wed, 15 Jul 2020 09:05:35 +0000 (11:05 +0200)
committer	Remi Gacogne <remi.gacogne@powerdns.com>
	Mon, 24 Aug 2020 14:51:03 +0000 (16:51 +0200)
pdns/filterpo.cc		patch \| blob \| blame \| history
pdns/filterpo.hh		patch \| blob \| blame \| history
pdns/pdns_recursor.cc		patch \| blob \| blame \| history
pdns/recursordist/test-filterpo_cc.cc		patch \| blob \| blame \| history