From: W.C.A. Wijngaards
Date: Wed, 13 Mar 2024 15:04:58 +0000 (+0100)
Subject: - Fix rpz that the rpz override is taken in case of clientip triggers.
X-Git-Tag: release-1.20.0rc1~68
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4f417262e35f8ec372486c8dc2b70415e92dc5a4;p=thirdparty%2Funbound.git
- Fix rpz that the rpz override is taken in case of clientip triggers. Fix that the clientip passthru action is logged. Fix that the clientip localdata action is logged. Fix rpz override action cname for the clientip trigger.
---
diff --git a/doc/Changelog b/doc/Changelog
index 95e27db44..6a36adee3 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,10 @@
 13 March 2024: Wouter
 - Fix #1029: rpz trigger clientip and action rpz-passthru not working as expected.
+ - Fix rpz that the rpz override is taken in case of clientip triggers.
+ Fix that the clientip passthru action is logged. Fix that the
+ clientip localdata action is logged. Fix rpz override action cname
+ for the clientip trigger.
 12 March 2024: Yorgos
 - Merge #1028: Clearer documentation for tcp-idle-timeout and
diff --git a/services/rpz.c b/services/rpz.c
index e8e7143ad..9b9e88687 100644
--- a/services/rpz.c
+++ b/services/rpz.c
@@ -1876,6 +1876,26 @@ nodata:
 rrset_count, rcode, rsoa);
 }
+static void
+rpz_apply_clientip_cname_override_action(struct rpz* r,
+ struct query_info* qinfo, struct regional* temp)
+{
+ if(!r)
+ return;
+ qinfo->local_alias = regional_alloc_zero(temp,
+ sizeof(struct local_rrset));
+ if(qinfo->local_alias == NULL)
+ return; /* out of memory */
+ qinfo->local_alias->rrset = regional_alloc_init(temp,
+ r->cname_override, sizeof(*r->cname_override));
+ if(qinfo->local_alias->rrset == NULL) {
+ qinfo->local_alias = NULL;
+ return; /* out of memory */
+ }
+ qinfo->local_alias->rrset->rk.dname = qinfo->qname;
+ qinfo->local_alias->rrset->rk.dname_len = qinfo->qname_len;
+}
+
 /** add additional section SOA record to the reply.
 * Since this gets fed into the normal iterator answer creation, it
 * gets minimal-responses applied to it, that can remove the additional SOA
@@ -2525,7 +2545,18 @@ rpz_apply_maybe_clientip_trigger(struct auth_zones* az, struct module_env* env,
 az, qinfo, repinfo, taglist, taglen, stats, z_out, a_out, r_out);
 client_action = ((node == NULL) ? RPZ_INVALID_ACTION : node->action);
+ if(node != NULL && *r_out &&
+ (*r_out)->action_override != RPZ_NO_OVERRIDE_ACTION) {
+ client_action = (*r_out)->action_override;
+ }
 if(client_action == RPZ_PASSTHRU_ACTION) {
+ if(*r_out && (*r_out)->log)
+ log_rpz_apply(
+ (node?"clientip":"qname"),
+ ((*z_out)?(*z_out)->name:NULL),
+ (node?&node->node:NULL),
+ client_action, qinfo, repinfo, NULL,
+ (*r_out)->log_name);
 *passthru = 1;
 ret = 0;
 goto done;
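Review bot: The new `rpz_apply_clientip_cname_override_action` has no doc comment, while its neighbours in this file carry `/** ... */` headers (the `/** add additional section SOA record ... */` block directly below it). I would add above `static void`: `/** Apply the rpz-cname-override of zone r for a clientip trigger: point qinfo->local_alias at a copy of r->cname_override whose owner name is replaced by the query name. Does nothing when r is NULL; leaves local_alias NULL on out of memory. */`. The `regional_alloc_init` copy covers only the struct that `r->cname_override` points to, so any pointers inside it (the rrset data) stay shared with the zone's override rrset; that appears to mirror the existing qname-trigger cname override, but the comment should say so. If a zone can reach this function with `r->cname_override == NULL` (the config loader is not in view), the copy reads through a null pointer, so a `!r->cname_override` guard beside `!r` would be cheap insurance.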
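Review bot: The seven-line guarded `log_rpz_apply(...)` call added inside the `RPZ_PASSTHRU_ACTION` branch is a verbatim copy of the one the `@@ -2558` hunk appends after the if/else chain, with the same `(node?"clientip":"qname")`, `(*z_out)`, `client_action` and `(*r_out)->log_name` arguments. Keeping two copies in sync is the kind of thing that drifts when the log format grows a field; a `static` helper such as `rpz_log_clientip_action(node, *z_out, *r_out, client_action, qinfo, repinfo)` wrapping the `if(*r_out && (*r_out)->log)` guard and the call, invoked from both places, would leave one definition of what gets logged. The override assignment itself reads fine, though a one-line comment that `client_action` now carries the zone-wide override rather than the node's own action would help the next reader of the log call. `rpz_apply_maybe_clientip_trigger` starts and ends outside this hunk.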
@@ -2543,14 +2574,12 @@ rpz_apply_maybe_clientip_trigger(struct auth_zones* az, struct module_env* env,
 if(client_action == RPZ_LOCAL_DATA_ACTION) {
 rpz_apply_clientip_localdata_action(node, env, qinfo, edns, repinfo, buf, temp, *a_out);
+ ret = 1;
+ } else if(client_action == RPZ_CNAME_OVERRIDE_ACTION) {
+ rpz_apply_clientip_cname_override_action(*r_out,
+ qinfo, temp);
+ ret = 0;
 } else {
- if(*r_out && (*r_out)->log)
- log_rpz_apply(
- (node?"clientip":"qname"),
- ((*z_out)?(*z_out)->name:NULL),
- (node?&node->node:NULL),
- client_action, qinfo, repinfo, NULL,
- (*r_out)->log_name);
 local_zones_zone_answer(*z_out /*likely NULL, no zone*/, env, qinfo, edns, repinfo, buf, temp, 0 /* no local data used */, rpz_action_to_localzone_type(client_action));
@@ -2558,8 +2587,15 @@ rpz_apply_maybe_clientip_trigger(struct auth_zones* az, struct module_env* env,
 LDNS_RCODE_WIRE(sldns_buffer_begin(buf)) == LDNS_RCODE_NXDOMAIN)
 LDNS_RA_CLR(sldns_buffer_begin(buf));
+ ret = 1;
 }
- ret = 1;
+ if(*r_out && (*r_out)->log)
+ log_rpz_apply(
+ (node?"clientip":"qname"),
+ ((*z_out)?(*z_out)->name:NULL),
+ (node?&node->node:NULL),
+ client_action, qinfo, repinfo, NULL,
+ (*r_out)->log_name);
 goto done;
 }
 ret = -1;
diff --git a/testdata/rpz_clientip_override.rpl b/testdata/rpz_clientip_override.rpl
new file mode 100644
index 000000000..20e5213ff
--- /dev/null
+++ b/testdata/rpz_clientip_override.rpl
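Review bot: When `rpz_apply_clientip_cname_override_action` fails one of its allocations it returns silently with `qinfo->local_alias` left NULL, yet the new `RPZ_CNAME_OVERRIDE_ACTION` branch still sets `ret = 0` and the logging appended in the `@@ -2558` hunk still reports the cname action as applied. If `ret = 0` means the query goes on to normal resolution, as it does for the passthru branch earlier in this function, an out-of-memory condition quietly downgrades a configured CNAME rewrite to passthru for that client while the log claims otherwise. I would have the helper return an int, `return 0;` at each out-of-memory exit and `return 1;` at the end, and at the call site write `if(!rpz_apply_clientip_cname_override_action(*r_out, qinfo, temp)) log_err("rpz: out of memory applying clientip cname override");` so the failure is at least visible to the operator. `rpz_apply_maybe_clientip_trigger` starts and ends outside this hunk.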
@@ -0,0 +1,269 @@
+; config options
+server:
+ module-config: "respip validator iterator"
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: no
+ access-control: 192.0.0.0/8 allow
+
+rpz:
+ name: "rpz.example.com."
+ rpz-log: yes
+ rpz-log-name: "rpz.example.com"
+ rpz-action-override: "nxdomain"
+ zonefile:
+TEMPFILE_NAME rpz.example.com
+TEMPFILE_CONTENTS rpz.example.com
+$ORIGIN example.com.
+rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
+ 1379078166 28800 7200 604800 7200 )
+ 3600 IN NS ns1.rpz.example.com.
+ 3600 IN NS ns2.rpz.example.com.
+$ORIGIN rpz.example.com.
+32.1.5.0.192.rpz-client-ip CNAME rpz-passthru.
+32.2.5.0.192.rpz-client-ip A 1.2.3.5
+TEMPFILE_END
+
+rpz:
+ name: "rpz2.example.com."
+ rpz-log: yes
+ rpz-log-name: "rpz2.example.com"
+ rpz-action-override: "nodata"
+ zonefile:
+TEMPFILE_NAME rpz2.example.com
+TEMPFILE_CONTENTS rpz2.example.com
+$ORIGIN example.com.
+rpz2 3600 IN SOA ns1.rpz2.example.com. hostmaster.rpz2.example.com. (
+ 1379078166 28800 7200 604800 7200 )
+ 3600 IN NS ns1.rpz2.example.com.
+ 3600 IN NS ns2.rpz2.example.com.
+$ORIGIN rpz2.example.com.
+32.4.5.0.192.rpz-client-ip A 1.2.3.5
+TEMPFILE_END
+
+rpz:
+ name: "rpz3.example.com."
+ rpz-log: yes
+ rpz-log-name: "rpz3.example.com"
+ rpz-action-override: "passthru"
+ zonefile:
+TEMPFILE_NAME rpz3.example.com
+TEMPFILE_CONTENTS rpz3.example.com
+$ORIGIN example.com.
+rpz3 3600 IN SOA ns1.rpz3.example.com. hostmaster.rpz3.example.com. (
+ 1379078166 28800 7200 604800 7200 )
+ 3600 IN NS ns1.rpz3.example.com.
+ 3600 IN NS ns2.rpz3.example.com.
+$ORIGIN rpz3.example.com.
+32.5.5.0.192.rpz-client-ip A 1.2.3.5
+TEMPFILE_END
+
+rpz:
+ name: "rpz4.example.com."
+ rpz-log: yes
+ rpz-log-name: "rpz4.example.com"
+ rpz-action-override: "drop"
+ zonefile:
+TEMPFILE_NAME rpz4.example.com
+TEMPFILE_CONTENTS rpz4.example.com
+$ORIGIN example.com.
+rpz4 3600 IN SOA ns1.rpz4.example.com. hostmaster.rpz4.example.com. (
+ 1379078166 28800 7200 604800 7200 )
+ 3600 IN NS ns1.rpz4.example.com.
+ 3600 IN NS ns2.rpz4.example.com.
+$ORIGIN rpz4.example.com.
+32.5.5.0.192.rpz-client-ip A 1.2.3.5
+32.6.5.0.192.rpz-client-ip A 1.2.3.5
+TEMPFILE_END
+
+rpz:
+ name: "rpz5.example.com."
+ rpz-log: yes
+ rpz-log-name: "rpz5.example.com"
+ rpz-action-override: "cname"
+ rpz-cname-override: "target.a"
+ zonefile:
+TEMPFILE_NAME rpz5.example.com
+TEMPFILE_CONTENTS rpz5.example.com
+$ORIGIN example.com.
+rpz5 3600 IN SOA ns1.rpz5.example.com. hostmaster.rpz5.example.com. (
+ 1379078166 28800 7200 604800 7200 )
+ 3600 IN NS ns1.rpz5.example.com.
+ 3600 IN NS ns2.rpz5.example.com.
+$ORIGIN rpz5.example.com.
+32.7.5.0.192.rpz-client-ip A 1.2.3.5
+TEMPFILE_END
+
+rpz:
+ name: "rpz6.example.com."
+ rpz-log: yes
+ rpz-log-name: "rpz6.example.com"
+ rpz-action-override: "disabled"
+ zonefile:
+TEMPFILE_NAME rpz6.example.com
+TEMPFILE_CONTENTS rpz6.example.com
+$ORIGIN example.com.
+rpz6 3600 IN SOA ns1.rpz6.example.com. hostmaster.rpz6.example.com. (
+ 1379078166 28800 7200 604800 7200 )
+ 3600 IN NS ns1.rpz6.example.com.
+ 3600 IN NS ns2.rpz6.example.com.
+$ORIGIN rpz6.example.com.
+32.8.5.0.192.rpz-client-ip A 1.2.3.5
+TEMPFILE_END
+
+stub-zone:
+ name: "a."
+ stub-addr: 10.20.30.40
+CONFIG_END
+
+SCENARIO_BEGIN Test RPZ action override with trigger from clientip.
+
+; a.
+RANGE_BEGIN 0 1000
+ ADDRESS 10.20.30.40
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+d.a. IN A
+SECTION ANSWER
+d.a. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+target.a. IN A
+SECTION ANSWER
+target.a. IN A 1.2.3.6
+ENTRY_END
+RANGE_END
+
+STEP 10 QUERY ADDRESS 192.0.5.2
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+d.a. IN A
+ENTRY_END
+
+STEP 11 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NXDOMAIN
+SECTION QUESTION
+d.a. IN A
+SECTION ANSWER
+ENTRY_END
+
+STEP 20 QUERY ADDRESS 192.0.5.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+d.a. IN A
+ENTRY_END
+
+STEP 21 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NXDOMAIN
+SECTION QUESTION
+d.a. IN A
+SECTION ANSWER
+ENTRY_END
+
+STEP 30 QUERY ADDRESS 192.0.5.3
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+d.a. IN A
+ENTRY_END
+
+STEP 31 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+d.a. IN A
+SECTION ANSWER
+d.a. IN A 1.2.3.4
+ENTRY_END
+
+STEP 40 QUERY ADDRESS 192.0.5.4
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+d.a. IN A
+ENTRY_END
+
+STEP 41 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+d.a. IN A
+SECTION ANSWER
+ENTRY_END
+
+STEP 50 QUERY ADDRESS 192.0.5.5
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+d.a. IN A
+ENTRY_END
+
+STEP 51 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+d.a. IN A
+SECTION ANSWER
+d.a. IN A 1.2.3.4
+ENTRY_END
+
+STEP 60 QUERY ADDRESS 192.0.5.6
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+d.a. IN A
+ENTRY_END
+; dropped.
+
+STEP 70 QUERY ADDRESS 192.0.5.7
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+d.a. IN A
+ENTRY_END
+
+STEP 71 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+d.a. IN A
+SECTION ANSWER
+d.a. CNAME target.a.
+target.a. A 1.2.3.6
+ENTRY_END
+
+STEP 80 QUERY ADDRESS 192.0.5.8
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+d.a. IN A
+ENTRY_END
+
+STEP 81 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+d.a. IN A
+SECTION ANSWER
+d.a. IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
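Review bot: Step 60 (the query from 192.0.5.6, covered by the rpz4 `drop` override) is followed only by the comment `; dropped.` and no CHECK_ANSWER, so the scenario passes as long as nothing else trips; whether the test harness treats an unexpected reply at that point as a failure is not visible from this file, and if it does not, a regression that answers instead of dropping would go unnoticed. The `rpz-log: yes` settings on every zone are likewise never checked, so the three logging fixes named in the commit message are not exercised here. A comment next to `; dropped.` naming the mechanism expected to catch a stray answer (or a note that it is deliberately unchecked) would make that intent reviewable. Step 50 is a useful case worth a comment too: 192.0.5.5 matches both rpz3 (`passthru`) and rpz4 (`drop`), and the expected normal answer pins down that the earlier zone's passthru wins.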