From: Otto Moerbeek
Date: Fri, 5 Jun 2020 09:51:18 +0000 (+0200)
Subject: First stab at solving the issue when gettag_ffi sets an answer but
X-Git-Tag: dnsdist-1.5.0-rc3~10^2~3
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=96491e6cfb1575c3b2023be841c22ccb4b7db59d;p=thirdparty%2Fpdns.git
First stab at solving the issue when gettag_ffi sets an answer but we also have an RPZ hit.
---
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 6d4914589a..74547a6267 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -1431,16 +1431,6 @@ static void startDoResolve(void *p)
 sr.setCacheOnly();
 }
- if (dc->d_rcode != boost::none) {
- /* we have a response ready to go, most likely from gettag_ffi */
- ret = std::move(dc->d_records);
- res = *dc->d_rcode;
- if (res == RCode::NoError && dc->d_followCNAMERecords) {
- res = followCNAMERecords(ret, QType(dc->d_mdp.d_qtype));
- }
- goto haveAnswer;
- }
-
 if (t_pdl) {
 t_pdl->prerpz(dq, res);
 }
@@ -1452,6 +1442,21 @@ static void startDoResolve(void *p)
 }
 }
+ // If we are doing RPZ and a policy was matched, it takes precedence over an answer from gettag_ffi
+ // So process the gettag_ffi answer only if no RPZ action was done or matched
+ // This might need more sophistication for the type != None && kind == NoAction case...
+ if (!wantsRPZ || appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction) {
+ if (dc->d_rcode != boost::none) {
+ /* we have a response ready to go, most likely from gettag_ffi */
+ ret = std::move(dc->d_records);
+ res = *dc->d_rcode;
+ if (res == RCode::NoError && dc->d_followCNAMERecords) {
+ res = followCNAMERecords(ret, QType(dc->d_mdp.d_qtype));
+ }
+ goto haveAnswer;
+ }
+ }
+
 // if there is a RecursorLua active, and it 'took' the query in preResolve, we don't launch beginResolve
 if (!t_pdl || !t_pdl->preresolve(dq, res)) {
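Review bot: The RPZ precedence added in the second hunk only covers a policy already recorded in `appliedPolicy` before this point; inside the guarded block, `followCNAMERecords(ret, QType(dc->d_mdp.d_qtype))` followed by `goto haveAnswer` still returns a gettag_ffi answer with no policy check visible on the CNAME targets or on the records in `dc->d_records`. Whether that chain is filtered depends on what `followCNAMERecords` and the code after the `haveAnswer` label do, neither of which is shown here, so it should be confirmed that a gettag_ffi CNAME cannot resolve to a name or address the configured RPZ would have blocked. The fall-through when a policy did match is also silent: `dc->d_rcode` stays set and nothing records that the Lua answer was discarded, so a short comment such as `// RPZ policy matched: the gettag_ffi answer in dc->d_records is intentionally not used` (or a debug log line at that spot) would help operators and the next reader. startDoResolve begins and ends outside the hunk.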