std::unordered_set<std::string> d_tags;
std::string d_name;
Priority d_priority{maximumPriority};
+ bool d_policyOverridesGettag{true};
};
struct Policy
return notSet;
}
+ bool policyOverridesGettag() const {
+ if (d_zoneData) {
+ return d_zoneData->d_policyOverridesGettag;
+ }
+ return true;
+ }
+
std::vector<DNSRecord> getCustomRecords(const DNSName& qname, uint16_t qtype) const;
std::vector<DNSRecord> getRecords(const DNSName& qname) const;
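Review bot: The null-`d_zoneData` branch of `policyOverridesGettag()` at L13 silently encodes the default precedence, and a caller that gets `true` back cannot tell "zone asks to override" from "no zone data attached"; that deserves a comment. Suggest `// A Policy without zone data keeps the long-standing behaviour: an RPZ hit takes precedence over gettag.` above `return true;`. The enclosing `struct Policy` starts before and continues after this hunk.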
{
d_zoneData->d_tags = std::move(tags);
}
+ void setPolicyOverridesGettag(bool flag)
+ {
+ d_zoneData->d_policyOverridesGettag = flag;
+ }
const std::string& getName() const
{
return d_zoneData->d_name;
void setPriority(Priority p) {
d_zoneData->d_priority = p;
}
+
private:
static DNSName maskToRPZ(const Netmask& nm);
static bool findExactNamedPolicy(const std::unordered_map<DNSName, DNSFilterEngine::Policy>& polmap, const DNSName& qname, DNSFilterEngine::Policy& pol);
}
}
- // If we are doing RPZ and a policy was matched, it takes precedence over an answer from gettag_ffi
- // So process the gettag_ffi answer only if no RPZ action was done or matched
- // This might need more sophistication for the type != None && kind == NoAction case...
- if (!wantsRPZ || appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction) {
+ // If we are doing RPZ and a policy was matched, it normally takes precedence over an answer from gettag.
+ // So process the gettag_ffi answer only if no RPZ action was done or matched or the policy indicates gettag should
+ // have precedence.
+ if (!wantsRPZ || !appliedPolicy.policyOverridesGettag() || appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction) {
if (dc->d_rcode != boost::none) {
/* we have a response ready to go, most likely from gettag_ffi */
ret = std::move(dc->d_records);
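Review bot: The condition at L44 now has four disjuncts mixing the RPZ-enabled flag, the zone's precedence setting and the match result, which makes the rule hard to audit against the comment above it; naming the match reads better, e.g. `const bool rpzHit = appliedPolicy.d_type != DNSFilterEngine::PolicyType::None && appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction;` followed by `if (!wantsRPZ || !rpzHit || !appliedPolicy.policyOverridesGettag()) {`. Note that with `overridesGettag=false` a matched RPZ action is discarded whenever gettag supplied a response; if that discard is not recorded elsewhere, a debug-level log at this point would help an operator explain why a listed name was still answered. The enclosing function starts and ends outside the hunk.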
typedef std::unordered_map<std::string, boost::variant<bool, uint32_t, std::string, std::vector<std::pair<int, std::string>> > > rpzOptions_t;
-static void parseRPZParameters(rpzOptions_t& have, std::string& polName, boost::optional<DNSFilterEngine::Policy>& defpol, bool& defpolOverrideLocal, uint32_t& maxTTL, size_t& zoneSizeHint, std::unordered_set<std::string>& tags)
+static void parseRPZParameters(rpzOptions_t& have, std::string& polName, boost::optional<DNSFilterEngine::Policy>& defpol, bool& defpolOverrideLocal, uint32_t& maxTTL, size_t& zoneSizeHint, std::unordered_set<std::string>& tags, bool& overridesGettag)
{
if(have.count("policyName")) {
polName = boost::get<std::string>(have["policyName"]);
tags.insert(tag.second);
}
}
+ if (have.count("overridesGettag")) {
+ overridesGettag = boost::get<bool>(have["overridesGettag"]);
+ }
}
#if HAVE_PROTOBUF
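Review bot: `overridesGettag` at L57-59 is only written when the key is present, so it is effectively an in/out parameter that relies on the caller's pre-initialisation (both call sites set `true`), which the signature at L50 does not convey; a one-line comment on the declaration such as `// overridesGettag keeps its caller-supplied default when the "overridesGettag" option is absent` would make that explicit. `boost::get<bool>` at L58 throws `boost::bad_get` when the Lua value is not a boolean (a quoted "false", for instance), which is consistent with how the existing keys are parsed but is worth stating wherever the option gets documented. Part of the function body lies between the two hunks and is not visible here.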
std::string polName("rpzFile");
std::shared_ptr<DNSFilterEngine::Zone> zone = std::make_shared<DNSFilterEngine::Zone>();
uint32_t maxTTL = std::numeric_limits<uint32_t>::max();
+ bool overridesGettag = true;
if(options) {
auto& have = *options;
size_t zoneSizeHint = 0;
std::unordered_set<std::string> tags;
- parseRPZParameters(have, polName, defpol, defpolOverrideLocal, maxTTL, zoneSizeHint, tags);
+ parseRPZParameters(have, polName, defpol, defpolOverrideLocal, maxTTL, zoneSizeHint, tags, overridesGettag);
if (zoneSizeHint > 0) {
zone->reserve(zoneSizeHint);
}
}
g_log<<Logger::Warning<<"Loading RPZ from file '"<<filename<<"'"<<endl;
zone->setName(polName);
+ zone->setPolicyOverridesGettag(overridesGettag);
loadRPZFromFile(filename, zone, defpol, defpolOverrideLocal, maxTTL);
lci.dfe.addZone(zone);
g_log<<Logger::Warning<<"Done loading RPZ from file '"<<filename<<"'"<<endl;
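Review bot: The load log at L76 does not mention the new precedence setting, so an operator cannot tell from the log that a zone was loaded with `overridesGettag=false` even though that changes whether its hits are applied; unless it is reported elsewhere, consider logging the non-default case next to `setPolicyOverridesGettag` at L78, e.g. `if (!overridesGettag) { g_log<<Logger::Warning<<"RPZ '"<<polName<<"' will not take precedence over gettag answers"<<endl; }`. The same applies to the rpzMaster path at L92. The enclosing function (the rpzFile handler) starts before the hunk.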
auto& have = *options;
size_t zoneSizeHint = 0;
std::unordered_set<std::string> tags;
- parseRPZParameters(have, polName, defpol, defpolOverrideLocal, maxTTL, zoneSizeHint, tags);
+ bool overridesGettag = true;
+ parseRPZParameters(have, polName, defpol, defpolOverrideLocal, maxTTL, zoneSizeHint, tags, overridesGettag);
if (zoneSizeHint > 0) {
zone->reserve(zoneSizeHint);
}
zone->setTags(std::move(tags));
+ zone->setPolicyOverridesGettag(overridesGettag);
if(have.count("tsigname")) {
tt.name=DNSName(toLower(boost::get<string>(have["tsigname"])));