From: Otto Moerbeek Date: Fri, 14 Aug 2020 08:51:28 +0000 (+0200) Subject: Also record the value that caused a hit. X-Git-Tag: rec-4.4.0-beta1^2~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7f60444b953f5caa8de07c2d17ec68d487cf921c;p=thirdparty%2Fpdns.git Also record the value that caused a hit. For triggers from rpz zones it makes sense to store them as listed there. For hit values (names or IPs) it makes more sense to store them in the regular string value and not list them as rpz trigger format. e.g.: a trigger is listed 24.0.2.0.192.rpz-ip.rpz.local. A corresponding hit as 192.0.2.1 --- diff --git a/pdns/dnsmessage.proto b/pdns/dnsmessage.proto index 4f9d2722fd..9a4f18d083 100644 --- a/pdns/dnsmessage.proto +++ b/pdns/dnsmessage.proto @@ -80,6 +80,7 @@ message PBDNSMessage { optional uint32 queryTimeUsec = 6; // Time of the corresponding query reception (additional micro-seconds) optional PolicyType appliedPolicyType = 7; // Type of the filtering policy (RPZ or Lua) applied optional string appliedPolicyTrigger = 8; // The RPZ trigger + optional string appliedPolicyHit = 9; // The value (qname or IP) that caused the hit } optional DNSResponse response = 13; diff --git a/pdns/filterpo.cc b/pdns/filterpo.cc index e3ec360df4..e444ba58f0 100644 --- a/pdns/filterpo.cc +++ b/pdns/filterpo.cc @@ -103,6 +103,7 @@ bool DNSFilterEngine::Zone::findNamedPolicy(const std::unordered_mapsecond; pol.d_trigger = g_wildcarddnsname+s; + pol.d_hit = qname.toString(); return true; } } @@ -119,6 +120,7 @@ bool DNSFilterEngine::Zone::findExactNamedPolicy(const std::unordered_mapsecond; pol.d_trigger = qname; + pol.d_hit = qname.toString(); return true; }
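Review bot: The comment on the new `appliedPolicyHit = 9` field does not say what textual form the value takes, which is what anyone consuming the protobuf stream needs to know before comparing it against other fields. Judging from the filterpo.cc hunks in this commit the value is `qname.toString()` for a name hit and `ca.toString()` for an address hit, so presumably a fully-qualified name with a trailing dot or a bare address without any prefix length, but please confirm against the DNSName and address string conversions. I would extend the comment to `// The value (qname or IP) that caused the hit, in plain textual form rather than RPZ trigger form`, so the contrast with `appliedPolicyTrigger` is explicit. Since the setter in rec-protobuf.cc skips empty strings, consumers should also expect the field to be absent whenever no hit value was recorded.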
@@ -175,6 +177,7 @@ bool DNSFilterEngine::getProcessingPolicy(const DNSName& qname, const std::unord // cerr<<"Had a hit on the nameserver ("<findExactQNamePolicy(qname, pol)) { // cerr<<"Had a hit on the name of the query"<findExactQNamePolicy(wc, pol)) { // cerr<<"Had a hit on the name of the query"<findResponsePolicy(ca, pol)) { pol.d_trigger = Zone::maskToRPZ(ca); - pol.d_trigger.appendRawLabel("rpz-ip"); + pol.d_trigger.appendRawLabel(rpzIPName); + pol.d_hit = ca.toString(); return true; } } diff --git a/pdns/filterpo.hh b/pdns/filterpo.hh index 4cccc189e5..b2cd18361b 100644 --- a/pdns/filterpo.hh +++ b/pdns/filterpo.hh @@ -158,6 +158,7 @@ public: std::vector> d_custom; std::shared_ptr d_zoneData{nullptr}; DNSName d_trigger; + string d_hit; /* Yup, we are currently using the same TTL for every record for a given name */ int32_t d_ttl; PolicyKind d_kind; diff --git a/pdns/lua-recursor4.cc b/pdns/lua-recursor4.cc index 1a768ae8d5..0fdf23772e 100644 --- a/pdns/lua-recursor4.cc +++ b/pdns/lua-recursor4.cc @@ -189,6 +189,7 @@ void RecursorLua4::postPrepareContext() d_lw->registerMember("policyType", &DNSFilterEngine::Policy::d_type); d_lw->registerMember("policyTTL", &DNSFilterEngine::Policy::d_ttl); d_lw->registerMember("policyTrigger", &DNSFilterEngine::Policy::d_trigger); + d_lw->registerMember("policyHit", &DNSFilterEngine::Policy::d_hit); d_lw->registerMember("policyCustom", [](const DNSFilterEngine::Policy& pol) -> std::string { std::string result; diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc index b30443d03d..282d47a84a 100644 --- a/pdns/pdns_recursor.cc +++ b/pdns/pdns_recursor.cc 
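Review bot: The new `string d_hit;` member sits directly under `DNSName d_trigger;` with no comment, although the two hold closely related data in deliberately different formats and that distinction is the whole point of the commit. I would add `/* the name or address that matched, in plain textual form (qname.toString() / address.toString()), unlike d_trigger which is in RPZ trigger form */` above the member, matching the block comment style already used for `d_ttl`. The enclosing class starts and ends outside the hunk, so I cannot see whether `Policy` objects are ever reused across lookups; `d_hit` is only assigned on a successful match, so if they are, a stale value from an earlier match could survive and that would be worth a reset or a note.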
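Review bot: `policyHit` is registered as a new member of the Lua policy object, but the commit does not touch the Lua scripting documentation, so script authors have no description of the field or of how it differs from `policyTrigger`. A one-line entry next to the existing `policyTrigger` description, saying that it holds the matched qname or address as a plain string rather than in RPZ trigger form, would be enough. I cannot see the docs directory from this diff, so this may already be covered elsewhere in the series. `postPrepareContext` starts and ends outside the hunk.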
@@ -1778,6 +1778,7 @@ static void startDoResolve(void *p)
 pbMessage->setAppliedPolicy(appliedPolicy.getName());
 pbMessage->setAppliedPolicyType(appliedPolicy.d_type);
 pbMessage->setAppliedPolicyTrigger(appliedPolicy.d_trigger);
+ pbMessage->setAppliedPolicyHit(appliedPolicy.d_hit);
 }
 pbMessage->setPolicyTags(dc->d_policyTags);
 if (g_useKernelTimestamp && dc->d_kernelTimestamp.tv_sec) {
diff --git a/pdns/rec-protobuf.cc b/pdns/rec-protobuf.cc
index eac9f9bfe1..af22526170 100644
--- a/pdns/rec-protobuf.cc
+++ b/pdns/rec-protobuf.cc
@@ -177,6 +177,16 @@ void RecProtoBufMessage::setAppliedPolicyTrigger(const DNSName& trigger)
 #endif /* HAVE_PROTOBUF */
 }
+void RecProtoBufMessage::setAppliedPolicyHit(const string& hit)
+{
+#ifdef HAVE_PROTOBUF
+ PBDNSMessage_DNSResponse* response = d_message.mutable_response();
+ if (response && !hit.empty()) {
+ response->set_appliedpolicyhit(hit);
+ }
+#endif /* HAVE_PROTOBUF */
+}
+
 void RecProtoBufMessage::setPolicyTags(const std::unordered_set& policyTags)
 {
 #ifdef HAVE_PROTOBUF
diff --git a/pdns/rec-protobuf.hh b/pdns/rec-protobuf.hh
index 61cdd79255..c5ec2f06bd 100644
--- a/pdns/rec-protobuf.hh
+++ b/pdns/rec-protobuf.hh
@@ -53,6 +53,7 @@ public:
 void setAppliedPolicy(const std::string& policy);
 void setAppliedPolicyType(const DNSFilterEngine::PolicyType& policyType);
 void setAppliedPolicyTrigger(const DNSName& trigger);
+ void setAppliedPolicyHit(const string& hit);
 void setPolicyTags(const std::unordered_set& policyTags);
 void addPolicyTag(const std::string& policyTag);
 void removePolicyTag(const std::string& policyTag);
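Review bot: The new `setAppliedPolicyHit(const string& hit)` signature, both in the rec-protobuf.cc definition and the rec-protobuf.hh declaration, uses unqualified `string` while the neighbouring declarations in the same header (`setAppliedPolicy(const std::string& policy)`, `addPolicyTag(const std::string& policyTag)`) spell out `std::string`. It presumably only compiles because a `using` directive or alias is in scope somewhere, and it breaks the file's own convention. I would change both lines to `void setAppliedPolicyHit(const std::string& hit);` and `void RecProtoBufMessage::setAppliedPolicyHit(const std::string& hit)`. The `response &&` guard mirrors what I assume the surrounding setters do; with generated protobuf accessors `mutable_response()` does not return null, so the `!hit.empty()` test is the only condition doing real work, which is fine to keep for consistency but worth a short comment saying empty hits are deliberately not emitted.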