rpz: apply trigger at query time not response time
authormb <mb@64k.by>
Tue, 24 Nov 2020 08:33:08 +0000 (09:33 +0100)
committermb <mb@64k.by>
Tue, 24 Nov 2020 08:33:08 +0000 (09:33 +0100)
iterator/iterator.c
services/rpz.c

index fcda1bb3b7e7835909a4ee1f829ebe06532ba0da..f2585be319a34a1a11b8196467562efa1090888a 100644 (file)
@@ -2471,6 +2471,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
        /* Add the current set of unused targets to our queue. */
        delegpt_add_unused_targets(iq->dp);
 
+       rpz_iterator_module_callback(qstate, iq);
+
        /* Select the next usable target, filtering out unsuitable targets. */
        target = iter_server_selection(ie, qstate->env, iq->dp, 
                iq->dp->name, iq->dp->namelen, iq->qchase.qtype,
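Review bot: The return value of `rpz_iterator_module_callback(qstate, iq)` is discarded at the new call site, so a matching NSIP trigger no longer stops the lookup; execution falls through to `iter_server_selection` and presumably still sends the query to a nameserver the policy matched. The response-time caller that this commit disables moved to `FINISHED_STATE` when the result was above zero, and the same check belongs here, for example `if(rpz_iterator_module_callback(qstate, iq) > 0) { return next_state(iq, FINISHED_STATE); }`, assuming the callback still signals an applied action that way. processQueryTargets starts and ends outside this hunk, so confirm that nothing further down already handles the result.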
@@ -2660,15 +2662,15 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 {
        int dnsseclame = 0;
        enum response_type type;
-       int rpz_filter_result;
+       //int rpz_filter_result;
 
        iq->num_current_queries--;
 
        if(!inplace_cb_query_response_call(qstate->env, qstate, iq->response))
                log_err("unable to call query_response callback");
 
-       rpz_filter_result = rpz_iterator_module_callback(qstate, iq);
-       if(rpz_filter_result > 0) { next_state(iq, FINISHED_STATE); }
+       //rpz_filter_result = rpz_iterator_module_callback(qstate, iq);
+       //if(rpz_filter_result > 0) { next_state(iq, FINISHED_STATE); }
 
        if(iq->response == NULL) {
                /* Don't increment qname when QNAME minimisation is enabled */
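Review bot: The old response-time check is left behind as three `//` comment lines, including the now-unused `rpz_filter_result` declaration, instead of being deleted. Remove them outright: the history already records what was there, and commented-out policy enforcement in a resolver path invites someone to re-enable it without the query-time counterpart in mind. If a pointer is wanted, one line such as `/* RPZ nsip triggers are evaluated in processQueryTargets, before a target is selected */` says more than the dead code. The context lines in this hunk use `/* */` comments, so a block comment would also match the surrounding style.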
index eae3feeeb36feeae146bb903777d4626f946d1dd..5b5c10eb8b97597aca56d4dfd92511a615aea20c 100644 (file)
@@ -53,6 +53,7 @@
 #include "util/data/msgencode.h"
 #include "services/cache/dns.h"
 #include "iterator/iterator.h"
+#include "iterator/iter_delegpt.h"
 
 typedef struct resp_addr rpz_aclnode_type;
 
@@ -1489,16 +1490,35 @@ rpz_patch_localdata(struct dns_msg* response, struct clientip_synthesized_rr* da
        return 1;
 }
 
+struct clientip_synthesized_rr*
+rpz_delegation_point_ipbased_trigger_lookup(struct rpz* rpz,
+                                           struct iter_qstate* is)
+{
+       struct delegpt_addr* cursor;
+       struct clientip_synthesized_rr* action = NULL;
+       if(is->dp == NULL) { return NULL; }
+       for(cursor = is->dp->target_list; cursor != NULL; cursor = cursor->next_target) {
+               if(cursor->bogus) { continue; }
+               action = rpz_ipbased_trigger_lookup(rpz->ns_set, &cursor->addr, cursor->addrlen);
+               if(action != NULL) { return action; }
+       }
+       return NULL;
+}
+
 int
 rpz_iterator_module_callback(struct module_qstate* ms, struct iter_qstate* is)
 {
-       struct auth_zones* az = ms->env->auth_zones;
+       struct auth_zones* az;
        struct auth_zone* a;
        struct clientip_synthesized_rr* raddr;
        enum rpz_action action = RPZ_INVALID_ACTION;
        struct rpz* r;
        int ret = 0;
 
+       if(ms->env == NULL || ms->env->auth_zones == NULL) { return 0; }
+
+       az = ms->env->auth_zones;
+
        verbose(VERB_ALGO, "rpz: iterator module callback: have_rpz=%d", az->rpz_first != NULL);
 
        lock_rw_rdlock(&az->rpz_lock);
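Review bot: `rpz_delegation_point_ipbased_trigger_lookup` is added with external linkage and no comment, although its only visible caller is `rpz_iterator_module_callback` in the same file; declare it `static` unless a header outside this diff exports it. The contract deserves a doc comment, because it is a policy decision: the function returns the first match over `is->dp->target_list`, skips entries flagged `bogus`, and reads `rpz->ns_set`, which the caller appears to protect by holding `a->lock`. Something like `/** Match the delegation point's known target addresses against the nsip set; returns the first matching entry or NULL. Caller holds the auth zone lock. */` would cover it. It is also worth stating that only addresses already present in `target_list` at call time are checked.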
@@ -1507,7 +1527,7 @@ rpz_iterator_module_callback(struct module_qstate* ms, struct iter_qstate* is)
        for(a = az->rpz_first; a != NULL; a = a->rpz_az_next) {
                lock_rw_rdlock(&a->lock);
                r = a->rpz;
-               raddr = rpz_ipbased_trigger_lookup(r->ns_set, &ms->reply->addr, ms->reply->addrlen);
+               raddr = rpz_delegation_point_ipbased_trigger_lookup(r, is);
                if(raddr != NULL) {
                        lock_rw_unlock(&a->lock);
                        break;
@@ -1515,6 +1535,8 @@ rpz_iterator_module_callback(struct module_qstate* ms, struct iter_qstate* is)
                lock_rw_unlock(&a->lock);
        }
 
+       lock_rw_unlock(&az->rpz_lock);
+
        if(raddr == NULL) { return 0; }
 
        verbose(VERB_ALGO, "rpz: iterator callback: nsip: apply action=%s",
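Review bot: `raddr` appears to be used after this point, but both locks have been dropped by then: `a->lock` is released before the `break`, and the added `lock_rw_unlock(&az->rpz_lock)` releases the zone-list lock. Unless `rpz_ipbased_trigger_lookup` returns the entry pinned by a lock or reference of its own, which is not visible here, a concurrent RPZ zone reload could free or rewrite the entry while its action is being read. Either copy the action out while `a->lock` is still held, or move the unlock below the last use of `raddr`. The rest of the function lies outside this hunk, so check every later return path for a matching unlock as well.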