rpz: fix forged response
authormb <mb@64k.by>
Tue, 24 Nov 2020 15:29:15 +0000 (16:29 +0100)
committermb <mb@64k.by>
Tue, 24 Nov 2020 15:29:15 +0000 (16:29 +0100)
iterator/iterator.c
services/rpz.c

index 85c0b29de7e477b14933314840b212046b86a7f6..831d90761f0fc46cfaf4375844a39d9cf9333f33 100644 (file)
@@ -2475,7 +2475,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
                struct dns_msg* forged_response = rpz_iterator_module_callback(qstate, iq);
                if(forged_response != NULL) {
                        qstate->ext_state[id] = module_finished;
-                       qstate->return_rcode = forged_response->rep->flags;
+                       qstate->return_rcode = FLAGS_GET_RCODE(forged_response->rep->flags);
                        qstate->return_msg = forged_response;
                        next_state(iq, FINISHED_STATE);
                        return 0;
index f39c5297c57b8e428e19a9d36f6c164a845d9b29..a089f4fa47b1c46c31b25f98504886fc66d1cfd8 100644 (file)
@@ -1440,7 +1440,7 @@ rpz_patch_nodata(struct rpz* r, struct module_qstate* ms)
        if(msg == NULL) { return msg; }
        msg->qinfo = ms->qinfo;
        msg->rep = construct_reply_info_base(ms->region,
-                                            BIT_RD|BIT_QR|BIT_AA|BIT_RA,
+                                            BIT_RD | BIT_QR | BIT_AA | BIT_RA,
                                             1, //qd
                                             0, //ttl
                                             0, //prettl
@@ -1461,7 +1461,7 @@ rpz_patch_nxdomain(struct rpz* r, struct module_qstate* ms)
        if(msg == NULL) { return msg; }
        msg->qinfo = ms->qinfo;
        msg->rep = construct_reply_info_base(ms->region,
-                                            BIT_RD|BIT_QR|BIT_AA|BIT_RA,
+                                            BIT_RD | BIT_QR | BIT_AA | BIT_RA,
                                             1, //qd
                                             0, //ttl
                                             0, //prettl
@@ -1481,22 +1481,32 @@ rpz_patch_localdata(struct rpz* r,
                    struct clientip_synthesized_rr* data)
 {
        struct dns_msg* msg = NULL;
-       struct query_info* qi = &msg->qinfo;
+       struct query_info* qi = &ms->qinfo;
        struct ub_packed_rrset_key* rp;
        struct local_rrset* rrset;
        struct reply_info* new_reply_info;
-       struct reply_info* ri = msg->rep;
 
        rrset = rpz_find_synthesized_rrset(qi->qtype, data);
        if(rrset == NULL) {
                verbose(VERB_ALGO, "rpz: nsip: no matching synthesized data found; resorting to nodata");
                return rpz_patch_nodata(r, ms);
        }
+
        msg = rpz_dns_msg_new(ms->region);
        if(msg == NULL) { return NULL; }
 
        // XXX: use ttl etc from rpz zone?
-       new_reply_info = make_new_reply_info(ri, ms->region, 0, 0);
+        new_reply_info = construct_reply_info_base(ms->region,
+                                                   LDNS_RCODE_NOERROR | BIT_RD | BIT_QR | BIT_AA | BIT_RA,
+                                                   1, //qd
+                                                   0, //ttl
+                                                   0, //prettl
+                                                   0, //expttl
+                                                   1, //an
+                                                   0, //ns
+                                                   0, //ar
+                                                   1, //total
+                                                   sec_status_secure);
        if(new_reply_info == NULL) {
                log_err("out of memory");
                return NULL;
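Review bot: The synthesized local-data reply is stamped `sec_status_secure` in the new construct_reply_info_base() call, which presents RPZ-forged data as DNSSEC-validated; unless the status is rewritten later (the rest of rpz_patch_localdata is in the next hunk), the matching status for data that was never validated is `sec_status_insecure);`. The sibling rpz_patch_nodata and rpz_patch_nxdomain calls in the hunks above pass their sec_status outside the visible lines, so the three should be checked for agreement. The added call is also indented with spaces while the surrounding lines use tabs; reindent it to match the file. rpz_patch_localdata starts before this hunk and continues past it.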
@@ -1506,15 +1516,13 @@ rpz_patch_localdata(struct rpz* r,
                log_err("out of memory");
                return NULL;
        }
-       new_reply_info->rrsets = regional_alloc(ms->region, sizeof(*new_reply_info->rrsets));
-       if(new_reply_info->rrsets == NULL) {
-               log_err("out of memory");
-               return NULL;
-       }
+       //new_reply_info->rrsets = regional_alloc(ms->region, sizeof(*new_reply_info->rrsets));
+       //if(new_reply_info->rrsets == NULL) {
+       //      log_err("out of memory");
+       //      return NULL;
+       //}
        rp->rk.dname = qi->qname;
        rp->rk.dname_len = qi->qname_len;
-       new_reply_info->rrset_count = 1;
-       new_reply_info->an_numrrsets = 1;
        new_reply_info->rrsets[0] = rp;
        msg->rep = new_reply_info;
        return msg;
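Review bot: The regional_alloc() block for `new_reply_info->rrsets` is commented out rather than deleted, leaving five dead lines that will drift from the code; since the array is now sized by the `total` argument of construct_reply_info_base() in the previous hunk (together with `an` and `rrset_count`), the `//new_reply_info->rrsets ...` through `//}` lines should simply be removed. A short comment at `new_reply_info->rrsets[0] = rp;` would make the dependency explicit: `/* rrsets[] was allocated with total=1 by construct_reply_info_base() */`. rpz_patch_localdata begins outside this hunk.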
@@ -1590,12 +1598,16 @@ rpz_iterator_module_callback(struct module_qstate* ms, struct iter_qstate* is)
                verbose(VERB_ALGO, "rpz: nsip: tcp-only trigger ignored");
                ret = NULL;
                break;
-       case RPZ_PASSTHRU_ACTION:
-               ret = NULL;
+       case RPZ_DROP_ACTION:
+               ret = rpz_patch_nodata(r, ms);
+               ms->is_drop = 1;
                break;
        case RPZ_LOCAL_DATA_ACTION:
                ret = rpz_patch_localdata(r, ms, raddr);
                break;
+       case RPZ_PASSTHRU_ACTION:
+               ret = NULL;
+               break;
        default:
                verbose(VERB_ALGO, "rpz: nsip: bug: unhandled or invalid action: '%s'",
                        rpz_action_to_string(action));
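Review bot: The new `RPZ_DROP_ACTION` case produces no log line, unlike the tcp-only and default cases next to it, so a dropped query leaves no trace at VERB_ALGO; add `verbose(VERB_ALGO, "rpz: nsip: drop action");` before `ms->is_drop = 1;` so operators can correlate dropped queries with the policy. The case also synthesizes a full nodata reply and relies on the caller honoring `ms->is_drop` to suppress it; whether every path checks that flag is outside this hunk and should be confirmed. rpz_iterator_module_callback starts before the hunk and continues after it.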