From 9825a9b2bf40b47e847437c252f69972ff704c8b Mon Sep 17 00:00:00 2001
From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Sun, 27 Jul 2025 09:57:54 +0200
Subject: [PATCH] modules/policy refactor: split a part of policy.rule_forward_add()
---
 modules/policy/policy.lua | 37 +++++++++++++++++++++----------------
 1 file changed, 21 insertions(+), 16 deletions(-)
diff --git a/modules/policy/policy.lua b/modules/policy/policy.lua
index 41eff2daa..77fa29a71 100644
--- a/modules/policy/policy.lua
+++ b/modules/policy/policy.lua
@@ -877,22 +877,9 @@ function policy.COMBINE(list)
 return r .. 'end'
 end
 
---[[ Insert a forwarding rule, i.e. override upstream for one DNS subtree.
-
-Throws lua exceptions when detecting something fishy.
-
-\param subtree plain string
-\param options
- .auth targets are authoritative (false by default = resolver)
- .dnssec if overridden to false, don't validate DNSSEC locally
- - for resolvers we still do *not* send CD=1 upstream, i.e. we trust their DNSSEC validation.
- - for auths this inserts a negative trust anchor Beware that setting .set_insecure() *later* would override that.
-\param targets same format as policy.TLS_FORWARD() except that `tls = true`
- can be specified for each address (defaults to false)
---]]
-function policy.rule_forward_add(subtree, options, targets)
+-- Convert lua targets to C struct sockaddr * targets[]; see .rule_forward_add()
+-- Throws on errors.
+function policy.forward_convert_targets(options, targets)
 local targets_2 = {}
 for _, target in ipairs(targets) do
 local port_default = 53
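Review bot: The new `policy.forward_convert_targets()` hands back a `const struct sockaddr *[]` whose entries point at the objects collected in `targets_2`, and that table is now local to the helper instead of sharing the frame with the `ffi.C.kr_rule_forward()` call as it did before the split; a LuaJIT pointer array does not anchor its pointees, so if those entries are GC-managed cdata (this hunk does not show how they are built) the caller could end up passing dangling pointers. One way to keep the anchor explicit is `return targets_3, targets_2` with the caller holding the second value until after the C call; the function body continues past the end of this hunk, so the return site is not visible here. The new header comment could also state the contract rather than only deferring to `.rule_forward_add()`, e.g. `-- \param options/targets: same meaning as for policy.rule_forward_add(); returns a NULL-terminated array of sockaddr pointers`. As a point of style, the helper is exported on the `policy` table and so becomes module API; a `local function` would be tighter if it is not meant for external use.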
@@ -913,7 +900,25 @@ function policy.rule_forward_add(subtree, options, targets)
 end
 local targets_3 = ffi.new('const struct sockaddr * [?]', #targets_2 + 1, targets_2)
 targets_3[#targets_2] = nil
+ return targets_3
+end
+--[[ Insert a forwarding rule, i.e. override upstream for one DNS subtree.
+
+Throws lua exceptions when detecting something fishy.
+\param subtree plain string
+\param options
+ .auth targets are authoritative (false by default = resolver)
+ .dnssec if overridden to false, don't validate DNSSEC locally
+ - for resolvers we still do *not* send CD=1 upstream,
+ i.e. we trust their DNSSEC validation.
+ - for auths this inserts a negative trust anchor
+ Beware that setting .set_insecure() *later* would override that.
+\param targets same format as policy.TLS_FORWARD() except that `tls = true`
+ can be specified for each address (defaults to false)
+--]]
+function policy.rule_forward_add(subtree, options, targets)
+ local targets_3 = policy.forward_convert_targets(options, targets)
 local subtree_dname = todname(subtree)
 assert(ffi.C.kr_rule_forward(subtree_dname, {
--
2.47.3