From: Peter van Dijk <peter.van.dijk@powerdns.com>
Date: Fri, 8 Mar 2024 13:51:55 +0000 (+0100)
Subject: auth LUA: support returning empty set in filterForward
X-Git-Tag: dnsdist-1.10.0-alpha0~3^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=98301eb09c283550951e061fbee047361cb5351c;p=thirdparty%2Fpdns.git

auth LUA: support returning empty set in filterForward

fixes #12436
---

diff --git a/docs/lua-records/functions.rst b/docs/lua-records/functions.rst
index 0c578c72d..c320903c6 100644
--- a/docs/lua-records/functions.rst
+++ b/docs/lua-records/functions.rst
@@ -442,6 +442,9 @@ Reverse DNS functions
 
     *.static4.example.com IN LUA A "filterForward(createForward(), newNMG({'192.0.2.0/24', '10.0.0.0/8'}))"
 
+  Since 4.9.0: if the fallback parameter is an empty string, ``filterForward`` returns an empty set, yielding a NODATA answer.
+  You cannot combine this feature with DNSSEC.
+
 Helper functions
 ~~~~~~~~~~~~~~~~
 
diff --git a/pdns/lua-record.cc b/pdns/lua-record.cc
index 5f3e7cb61..ed1839c68 100644
--- a/pdns/lua-record.cc
+++ b/pdns/lua-record.cc
@@ -1061,16 +1061,20 @@ static void setupLuaRecords(LuaContext& lua) // NOLINT(readability-function-cogn
       ComboAddress ca(address);
 
       if (nmg.match(ComboAddress(address))) {
-        return address;
+        return vector<string>{address};
       } else {
         if (fallback) {
-          return *fallback;
+          if (fallback->empty()) {
+            // if fallback is an empty string, return an empty array
+            return vector<string>{};
+          }
+          return vector<string>{*fallback};
         }
 
         if (ca.isIPv4()) {
-          return string("0.0.0.0");
+          return vector<string>{string("0.0.0.0")};
         } else {
-          return string("::");
+          return vector<string>{string("::")};
         }
       }
     });
diff --git a/regression-tests.auth-py/test_LuaRecords.py b/regression-tests.auth-py/test_LuaRecords.py
index 42aac9037..8fc492e4a 100644
--- a/regression-tests.auth-py/test_LuaRecords.py
+++ b/regression-tests.auth-py/test_LuaRecords.py
@@ -144,6 +144,8 @@ any              IN           TXT "hello there"
 
 resolve          IN    LUA    A   ";local r=resolve('localhost', 1) local t={{}} for _,v in ipairs(r) do table.insert(t, v:toString()) end return t"
 
+filterforwardempty IN LUA A "filterForward('192.0.2.1', newNMG{{'192.1.2.0/24'}}, '')"
+
 *.createforward  IN    LUA    A     "filterForward(createForward(), newNMG{{'1.0.0.0/8', '64.0.0.0/8'}})"
 *.createreverse  IN    LUA    PTR   "createReverse('%5%.example.com', {{['10.10.10.10'] = 'quad10.example.com.'}})"
 *.createreverse6 IN    LUA    PTR   "createReverse6('%33%.example.com', {{['2001:db8::1'] = 'example.example.com.'}})"
@@ -977,6 +979,18 @@ createforward6.example.org.                 3600 IN NS   ns2.example.org.
         self.assertRcodeEqual(res, dns.rcode.NOERROR)
         self.assertEqual(res.answer, response.answer)
 
+    def testFilterForwardEmpty(self):
+        """
+        Test filterForward() function with empty fallback
+        """
+        name = 'filterforwardempty.example.org.'
+
+        query = dns.message.make_query(name, 'A')
+
+        res = self.sendUDPQuery(query)
+        self.assertRcodeEqual(res, dns.rcode.NOERROR)
+        self.assertEqual(res.answer, [])
+
     def testCreateForwardAndReverse(self):
         expected = {
             ".createforward.example.org." : (dns.rdatatype.A, {