From: Otto Moerbeek Date: Tue, 4 Aug 2020 12:51:23 +0000 (+0200) Subject: We have a rather fundamental issue here: in some cases, we want X-Git-Tag: rec-4.4.0-beta1~1^2~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e5a50f965d589a930f814b117691860e386183e9;p=thirdparty%2Fpdns.git We have a rather fundamental issue here: in some cases, we want the RPZ post policy to extend the current result vector and in some cases we want to replace the result vector built up earlier. ATM I have no clear method how that should be determined.
---
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index b66b71d19b..76e9eed601 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -1233,6 +1233,26 @@ static PolicyResult handlePolicyHit(const DNSFilterEngine::Policy& appliedPolicy
 case DNSFilterEngine::PolicyKind::Custom:
 res = RCode::NoError;
+ //cerr << "current answer(" << post << ") Q: " << dc->d_mdp.d_qname << '/' << QType(dc->d_mdp.d_qtype).getName() << endl;
+ //for (auto r : ret) {
+ // cerr << r.d_place << ' ' << r.d_name << ' ' << QType(r.d_type).getName() << ' ' << r.d_content->getZoneRepresentation() << endl;
+ //}
+ //cerr << "------------" << endl;
+ // In some cases, the policy should extend the result vector and in some cases replace
+ // We extend if the current vector contains a CNAME we found while resolving a non-CNAME
+ // This is all very ugly, but ATM I don't know a better approach...
+ if (post && dc->d_mdp.d_qtype != QType::CNAME) {
+ bool cname = false;
+ for (const auto& r : ret) {
+ if (r.d_place == DNSResourceRecord::ANSWER && r.d_type == QType::CNAME) {
+ cname = true;
+ break;
+ }
+ }
+ if (!cname) {
+ ret.clear();
+ }
+ }
 if (post && ret.size() == 0) { // can happen with NS matches, those do not fill the result
 auto spoofed = appliedPolicy.getCustomRecords(dc->d_mdp.d_qname, dc->d_mdp.d_qtype);
 for (auto& dr : spoofed) {