- applies the action if QNAME suffix matches one of suffixes in the table (useful for "is domain in zone" rules),
uses `Aho-Corasick`_ string matching algorithm `from CloudFlare <https://github.com/cloudflare/lua-aho-corasick>`_ (BSD 3-clause)
* :any:`policy.suffix_common`
-* ``rpz``
+* ``rpz(default_action, path)``
- implements a subset of RPZ_ in zonefile format. See below for details: :any:`policy.rpz`.
* custom filter function
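Review bot: The new list entry ``rpz(default_action, path)`` names the first argument ``default_action``, while the function directive changed in the same patch reads ``policy.rpz(action, path)`` and documents ``:param action:``. Use one name in both places; ``default_action`` is the more descriptive, since the table further down shows the argument only applies to the ``.`` and ``*.`` RH values.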
Like suffix match, but you can also provide a common suffix of all matches for faster processing (nil otherwise).
This function is faster for small suffix tables (in the order of "hundreds").
-.. function:: policy.rpz(action, path[, format])
+.. function:: policy.rpz(action, path)
- :param action: the default action for match in the zone (e.g. RH-value `.`)
+ :param action: the default action for match in the zone; typically you want ``policy.DENY``
:param path: path to zone file | database
Enforce RPZ_ rules. This can be used in conjunction with published blocklist feeds.
.. csv-table::
:header: "Policy Action", "RH Value", "Support"
- "NXDOMAIN", "``.``", "**yes**"
- "NODATA", "``*.``", "*partial*, implemented as NXDOMAIN"
- "Unchanged", "``rpz-passthru.``", "**yes**"
- "Nothing", "``rpz-drop.``", "**yes**"
- "Truncated", "``rpz-tcp-only.``", "**yes**"
+ "``action`` is used", "``.``", "**yes**, if ``action`` is ``DENY``"
+ "``action`` is used ", "``*.``", "*partial* [#]_"
+ "``policy.PASS``", "``rpz-passthru.``", "**yes**"
+ "``policy.DROP``", "``rpz-drop.``", "**yes**"
+ "``policy.TC``", "``rpz-tcp-only.``", "**yes**"
"Modified", "anything", "no"
+ .. [#] The specification for ``*.`` wants a ``NODATA`` answer.
+ For now, ``policy.DENY`` action doing ``NXDOMAIN`` is typically used instead.
+
.. csv-table::
:header: "Policy Trigger", "Support"
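Review bot: In the action table, the ``.`` row now reads "``action`` is used" with support "**yes**, if ``action`` is ``DENY``", which leaves unstated what a ``.`` entry does under any other default action. Because the text presents this function for use with published blocklist feeds, state explicitly that ``.`` and ``*.`` entries take whatever ``action`` is passed, so that (if this is the intended behaviour) a reader knows a non-blocking default leaves those entries unblocked. Two smaller points: the first column is still headed "Policy Action" but now mixes resolver actions such as ``policy.PASS`` with the RPZ name in the unchanged "Modified" row, and the ``*.`` row has a stray trailing space inside its first quoted cell. With ``[, format]`` removed from the signature, the unchanged ``:param path: path to zone file | database`` line should also be checked for whether "database" still applies.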