From: W.C.A. Wijngaards Date: Mon, 18 Sep 2023 07:55:39 +0000 (+0200) Subject: - Fix rpz tcp-only action with rpz triggers nsdname and nsip. X-Git-Tag: release-1.19.0rc1~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bd5dc855af122de1274cf7cdd2b52563c064702e;p=thirdparty%2Funbound.git - Fix rpz tcp-only action with rpz triggers nsdname and nsip.
---
diff --git a/doc/Changelog b/doc/Changelog
index 998b0d33c..1ff496d82 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+18 September 2023: Wouter
+	- Fix rpz tcp-only action with rpz triggers nsdname and nsip.
+
 15 September 2023: Wouter
 	- Merge #936: Check for c99 with autoconf versions prior to 2.70.
 	- Fix to remove two c99 notations.
diff --git a/services/mesh.c b/services/mesh.c
index 52d14a2d1..be968e422 100644
--- a/services/mesh.c
+++ b/services/mesh.c
@@ -1224,11 +1224,12 @@ static inline int
 mesh_is_rpz_respip_tcponly_action(struct mesh_state const* m)
 {
 	struct respip_action_info const* respip_info = m->s.respip_action_info;
-	return respip_info == NULL
+	return (respip_info == NULL
 		? 0
 		: (respip_info->rpz_used
 		&& !respip_info->rpz_disabled
-		&& respip_info->action == respip_truncate);
+		&& respip_info->action == respip_truncate))
+		|| m->s.tcp_required;
 }
 
 static inline int
diff --git a/services/rpz.c b/services/rpz.c
index 6ce83cb66..7f7a2fa9b 100644
--- a/services/rpz.c
+++ b/services/rpz.c
@@ -2162,7 +2162,7 @@ rpz_apply_nsip_trigger(struct module_qstate* ms, struct rpz* r,
 	case RPZ_TCP_ONLY_ACTION:
 		/* basically a passthru here but the tcp-only will be
 		 * honored before the query gets sent. */
-		ms->respip_action_info->action = respip_truncate;
+		ms->tcp_required = 1;
 		ret = NULL;
 		break;
 	case RPZ_DROP_ACTION:
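Review bot: The rewritten return in `mesh_is_rpz_respip_tcponly_action` folds two unrelated sources into one `(… ? 0 : (…)) || m->s.tcp_required` expression, which is hard to read and easy to misparenthesize later; a guard ahead of the untouched original expression, `if(m->s.tcp_required) return 1;`, states the two conditions separately. The function name and its header comment (above the hunk) still describe only the respip action, so the comment should also mention the nsip/nsdname `tcp_required` flag. Note that the new path is not gated by `respip_info->rpz_disabled` the way the respip path is; if that flag can be set for a query after an nsip/nsdname trigger has fired, the forced TC answer would still go out, so it is worth confirming that this is intended.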
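Review bot: `ms->tcp_required = 1;` sets the flag on whichever module_qstate the trigger runs in, while the mesh side reads `m->s.tcp_required` from the client query's state; if `rpz_apply_nsip_trigger` can fire in a sub-query's state rather than the client query's, the flag would not reach the answer, which is worth confirming or documenting at the assignment. The identical change appears in the two following hunks (`rpz_apply_nsdname_trigger` at @@ -2217 and `rpz_callback_from_iterator_cname` at @@ -2428), so the `RPZ_TCP_ONLY_ACTION` case body could be one static helper instead of three copies. The comment kept above the assignment still says the tcp-only is honored "before the query gets sent", but the flag is now consulted in mesh.c when the answer is produced (the new rpl steps expect a TC reply over UDP and the full answer over TCP), so suggest `/* passthru here; tcp_required makes the mesh answer a UDP client with TC so it retries over TCP. */`. The enclosing switch and function start and end outside the hunk.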
@@ -2217,7 +2217,7 @@ rpz_apply_nsdname_trigger(struct module_qstate* ms, struct rpz* r,
 	case RPZ_TCP_ONLY_ACTION:
 		/* basically a passthru here but the tcp-only will be
 		 * honored before the query gets sent. */
-		ms->respip_action_info->action = respip_truncate;
+		ms->tcp_required = 1;
 		ret = NULL;
 		break;
 	case RPZ_DROP_ACTION:
@@ -2428,7 +2428,7 @@ struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* ms,
 	case RPZ_TCP_ONLY_ACTION:
 		/* basically a passthru here but the tcp-only will be
 		 * honored before the query gets sent. */
-		ms->respip_action_info->action = respip_truncate;
+		ms->tcp_required = 1;
 		ret = NULL;
 		break;
 	case RPZ_DROP_ACTION:
diff --git a/testdata/rpz_nsdname.rpl b/testdata/rpz_nsdname.rpl
index 1c678cc13..a4e9bb31d 100644
--- a/testdata/rpz_nsdname.rpl
+++ b/testdata/rpz_nsdname.rpl
@@ -225,6 +225,36 @@ ENTRY_END
 
 RANGE_END
 
+; dd. ------------------------------------------------------------------------
+RANGE_BEGIN 0 100
+	ADDRESS 8.8.3.8
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+dd. IN NS
+SECTION ANSWER
+dd. IN NS ns1.dd.
+SECTION ADDITIONAL
+ns1.dd. IN A 8.8.3.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+gotham.dd. IN A
+SECTION AUTHORITY
+gotham.dd. IN NS ns1.gotham.dd.
+SECTION ADDITIONAL
+ns1.gotham.dd. IN A 192.0.3.1
+ENTRY_END
+
+RANGE_END
+
 ; ff. ------------------------------------------------------------------------
 RANGE_BEGIN 0 100
 	ADDRESS 8.8.6.8
@@ -303,6 +333,22 @@ ENTRY_END
 
 RANGE_END
 
+; ns1.gotham.dd. -------------------------------------------------------------
+RANGE_BEGIN 0 100
+	ADDRESS 192.0.3.1
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+gotham.dd. IN A
+SECTION ANSWER
+gotham.dd. IN A 192.0.3.2
+ENTRY_END
+
+RANGE_END
+
 ; ns1.gotham.ff. -------------------------------------------------------------
 RANGE_BEGIN 0 100
 	ADDRESS 192.0.5.1
@@ -387,4 +433,39 @@ SECTION ANSWER
 gotham.ff. IN A 127.0.0.1
 ENTRY_END
 
+STEP 40 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+gotham.dd. IN A
+ENTRY_END
+
+; should come back truncated because TCP is required.
+STEP 41 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA TC NOERROR
+SECTION QUESTION
+gotham.dd. IN A
+SECTION ANSWER
+ENTRY_END
+
+STEP 42 QUERY
+ENTRY_BEGIN
+MATCH TCP
+REPLY RD
+SECTION QUESTION
+gotham.dd. IN A
+ENTRY_END
+
+STEP 43 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all TCP
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+gotham.dd. IN A
+SECTION ANSWER
+gotham.dd. IN A 192.0.3.2
+ENTRY_END
+
 SCENARIO_END
diff --git a/util/module.h b/util/module.h
index d25bebd15..8a9da3f93 100644
--- a/util/module.h
+++ b/util/module.h
@@ -691,6 +691,8 @@ struct module_qstate {
 	struct respip_action_info* respip_action_info;
 	/** if the query is rpz passthru, no further rpz processing for it */
 	int rpz_passthru;
+	/* Flag tcp required. */
+	int tcp_required;
 	/** whether the reply should be dropped */
 	int is_drop;
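Review bot: STEP 40-43 exercise only the gotham.dd. case in the nsdname scenario, while the commit also changes the nsip path (`rpz_apply_nsip_trigger`) and the cname path (`rpz_callback_from_iterator_cname`), neither of which gets a step showing the TC reply; a matching STEP pair in the nsip test data would cover the other half of the fix. STEP 41 with `MATCH all` and an empty ANSWER section pins the truncated reply shape well; a short comment before STEP 42, e.g. `; retry over TCP: the full answer must come back untruncated.`, would make its pairing with STEP 41 explicit for the next reader.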