From: Remi Gacogne Date: Wed, 26 Aug 2020 14:07:10 +0000 (+0200) Subject: rec: Add DNSFilterEngine::Policy::wasHit() to prevent code duplication X-Git-Tag: rec-4.4.0-beta1~1^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=99ced1e18bc6cd7c8b9f0d4f837f65d0c836655e;p=thirdparty%2Fpdns.git rec: Add DNSFilterEngine::Policy::wasHit() to prevent code duplication --- diff --git a/pdns/filterpo.hh b/pdns/filterpo.hh index d1cac6ced6..b450374144 100644 --- a/pdns/filterpo.hh +++ b/pdns/filterpo.hh @@ -147,6 +147,11 @@ public: return true; } + bool wasHit() const + { + return (d_type != DNSFilterEngine::PolicyType::None && d_kind != DNSFilterEngine::PolicyKind::NoAction); + } + std::vector getCustomRecords(const DNSName& qname, uint16_t qtype) const; std::vector getRecords(const DNSName& qname) const; diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc index 54e25c6404..b40ad57d11 100644 --- a/pdns/pdns_recursor.cc +++ b/pdns/pdns_recursor.cc @@ -1453,7 +1453,7 @@ static void startDoResolve(void *p) } // Check if the client has a policy attached to it - if (wantsRPZ && (appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction)) { + if (wantsRPZ && !appliedPolicy.wasHit()) { if (luaconfsLocal->dfe.getClientPolicy(dc->d_source, sr.d_discardedPolicies, appliedPolicy)) { mergePolicyTags(dc->d_policyTags, appliedPolicy.getTags()); @@ -1479,7 +1479,7 @@ static void startDoResolve(void *p) } } - if (appliedPolicy.d_type != DNSFilterEngine::PolicyType::None && appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) { + if (appliedPolicy.wasHit()) { policyOverride = true; } } diff --git a/pdns/syncres.cc b/pdns/syncres.cc index 52a1cb26f4..b6f647d38f 100644 --- a/pdns/syncres.cc +++ b/pdns/syncres.cc 
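Review bot: `wasHit()` in pdns/filterpo.hh is added without a comment, and its name hides that a matched policy whose kind is `NoAction` is reported as not hit. Every call site converted by this commit uses the predicate to decide whether further RPZ lookups run, so the pass-thru semantics should be stated on the declaration, for example `/* true only for a match that ends RPZ processing; a NoAction (pass-thru) match returns false so that later policies are still evaluated */`. A unit test that pins the result for `PolicyType::None`, for `PolicyKind::NoAction` and for one blocking kind would keep this gate from drifting if the enums grow. The enclosing class starts and ends outside the hunk.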
@@ -647,7 +647,7 @@ int SyncRes::doResolve(const DNSName &qname, const QType &qtype, vectordfe.getQueryPolicy(qname, d_discardedPolicies, d_appliedPolicy)) { mergePolicyTags(d_policyTags, d_appliedPolicy.getTags()); bool done = false; @@ -882,12 +882,14 @@ int SyncRes::doResolveNoQNameMinimization(const DNSName &qname, const QType &qty // we will get the records from the cache, resulting in a small overhead. // This might be a real problem if we had a RPZ hit, though, because we do not want the processing to continue, since // RPZ rules will not be evaluated anymore (we already matched). - if (fromCache && (!d_cacheonly || (d_appliedPolicy.d_type != DNSFilterEngine::PolicyType::None && d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction))) { + const bool stoppedByPolicyHit = d_appliedPolicy.wasHit(); + + if (fromCache && (!d_cacheonly || stoppedByPolicyHit)) { *fromCache = true; } /* Apply Post filtering policies */ - if (d_wantsRPZ && (d_appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || d_appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction)) { + if (d_wantsRPZ && !stoppedByPolicyHit) { auto luaLocal = g_luaconfs.getLocal(); if (luaLocal->dfe.getPostPolicy(ret, d_discardedPolicies, d_appliedPolicy)) { mergePolicyTags(d_policyTags, d_appliedPolicy.getTags()); @@ -909,7 +911,7 @@ int SyncRes::doResolveNoQNameMinimization(const DNSName &qname, const QType &qty *fromCache = true; } - if (d_wantsRPZ && (d_appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || d_appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction)) { + if (d_wantsRPZ && !d_appliedPolicy.wasHit()) { auto luaLocal = g_luaconfs.getLocal(); if (luaLocal->dfe.getPostPolicy(ret, d_discardedPolicies, d_appliedPolicy)) { mergePolicyTags(d_policyTags, d_appliedPolicy.getTags()); 
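Review bot: `stoppedByPolicyHit` in the hunk at -882 is a snapshot of `d_appliedPolicy.wasHit()`, while `getPostPolicy()` a few lines below takes `d_appliedPolicy` as its last argument and presumably writes it, so the local would be stale from that call on. Both uses visible in the hunk come before the call, so the result is unchanged today, but the rest of the block lies outside the hunk and a later read of the local would see the old state. A comment on the declaration such as `// policy state before post-filtering; do not reuse after getPostPolicy()` would make that explicit. Alternatively, call `d_appliedPolicy.wasHit()` directly in the second condition, as the hunk at -909 does.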
@@ -950,7 +952,7 @@ int SyncRes::doResolveNoQNameMinimization(const DNSName &qname, const QType &qty res = doResolveAt(nsset, subdomain, flawedNSSet, qname, qtype, ret, depth, beenthere, state, stopAtDelegation); /* Apply Post filtering policies */ - if (d_wantsRPZ && (d_appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || d_appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction)) { + if (d_wantsRPZ && !d_appliedPolicy.wasHit()) { auto luaLocal = g_luaconfs.getLocal(); if (luaLocal->dfe.getPostPolicy(ret, d_discardedPolicies, d_appliedPolicy)) { mergePolicyTags(d_policyTags, d_appliedPolicy.getTags()); @@ -2087,7 +2089,7 @@ bool SyncRes::nameserversBlockedByRPZ(const DNSFilterEngine& dfe, const NsSet& n the only way we can get back here is that it was a 'pass-thru' (NoAction) meaning that we should not process any further RPZ rules. Except that we need to process rules of higher priority.. */ - if (d_wantsRPZ && (d_appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || d_appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction)) { + if (d_wantsRPZ && !d_appliedPolicy.wasHit()) { for (auto const &ns : nameservers) { bool match = dfe.getProcessingPolicy(ns.first, d_discardedPolicies, d_appliedPolicy); if (match) { @@ -2122,7 +2124,7 @@ bool SyncRes::nameserverIPBlockedByRPZ(const DNSFilterEngine& dfe, const ComboAd the only way we can get back here is that it was a 'pass-thru' (NoAction) meaning that we should not process any further RPZ rules. Except that we need to process rules of higher priority.. */ - if (d_wantsRPZ && (d_appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || d_appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction)) { + if (d_wantsRPZ && !d_appliedPolicy.wasHit()) { bool match = dfe.getProcessingPolicy(remoteIP, d_discardedPolicies, d_appliedPolicy); if (match) { mergePolicyTags(d_policyTags, d_appliedPolicy.getTags()); 
@@ -3728,7 +3730,7 @@ bool SyncRes::processAnswer(unsigned int depth, LWResult& lwr, const DNSName& qn nameservers.clear(); for (auto const &nameserver : nsset) { - if (d_wantsRPZ && (d_appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || d_appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction)) { + if (d_wantsRPZ && !d_appliedPolicy.wasHit()) { bool match = dfe.getProcessingPolicy(nameserver, d_discardedPolicies, d_appliedPolicy); if (match) { mergePolicyTags(d_policyTags, d_appliedPolicy.getTags());