From: vitas
Date: Tue, 27 Jun 2017 11:53:37 +0000 (+0200)
Subject: policy: private reverse zone handled separately
X-Git-Tag: v1.3.3~8^2~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1408463489aefe70109e4c7b3539e20ff2eef3f1;p=thirdparty%2Fknot-resolver.git

policy: private reverse zone handled separately

This allows to disable specific deny rules on zone-by-zone basis as it should be according to RFC6303 sec.3. Disable can be done by policy rule PASS. Also any FORWARD rule for such zone will be evaluated before DENY that query.
---
diff --git a/modules/policy/policy.lua b/modules/policy/policy.lua
index dafbdf3ea..1a095e603 100644
--- a/modules/policy/policy.lua
+++ b/modules/policy/policy.lua
@@ -243,7 +243,7 @@ function policy.evaluate(rules, req, query, state)
 end
 end
 end
- return state
+ return
 end
 -- Enforce policy action
@@ -284,11 +284,13 @@ end
 policy.layer = {
 begin = function(state, req)
 req = kres.request_t(req)
- return policy.evaluate(policy.rules, req, req:current(), state)
- end,
+ return policy.evaluate(policy.rules, req, req:current(), state) or
+ policy.evaluate(policy.special_names, req, req:current(), state) or
+ state
+ end,
 finish = function(state, req)
 req = kres.request_t(req)
- return policy.evaluate(policy.postrules, req, req:current(), state)
+ return policy.evaluate(policy.postrules, req, req:current(), state) or state
 end
 }
@@ -446,6 +448,12 @@ policy.todnames(private_zones)
 -- @var Default rules
 policy.rules = {}
 policy.postrules = {}
-policy.add(policy.suffix_common(policy.DENY, private_zones, '\4arpa\0'))
+policy.special_names = {
+ {
+ id=0,
+ cb=policy.suffix_common(policy.DENY, private_zones, '\4arpa\0'),
+ count=0
+ }
+}
 return policy
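Review bot: `policy.evaluate` now returns nil instead of the incoming `state` when no rule matches, which is a silent contract change for every caller other than the two in `policy.layer` that this commit updates; the function is exported on the module table, so any other layer or test calling it will now receive nil where it used to get a state. The function's header and doc comment start outside this hunk, so the new contract is not documented anywhere; suggest adding `-- @return state produced by the first matching rule, or nil when no rule matched` there. The callers' `or` chaining also relies on a matching rule never yielding a falsy state; that appears to hold if states are integers, but it is not visible in this diff.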
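Review bot: In `begin`, the built-in DENY for the private reverse zones is now consulted only after every rule in `policy.rules` has failed to match, so a catch-all rule in the operator's config (for example one that forwards all names) will now also apply to those reverse queries; before this commit the DENY was registered through `policy.add` at module load, which — assuming `policy.add` appends in order, not visible here — placed it ahead of user rules. That is broader than the commit message's "any FORWARD rule for such zone" and deserves a comment next to the `begin` callback, e.g. `-- policy.special_names (built-in RFC 6303 denials) are consulted only when no rule in policy.rules matched, so a catch-all rule also overrides them`. As a matter of style, `req:current()` is now evaluated up to three times per request in `begin`; hoisting it into `local qry = req:current()` before the return would read better and avoid the repeated call.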
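Review bot: The single entry in `policy.special_names` is assembled by hand (`id=0`, `count=0`) rather than through `policy.add`, so if `policy.add` (outside this hunk) initialises any other field the rule loop reads, or if the del/suspend helpers only search `policy.rules` and `policy.postrules`, this built-in rule will drift from ordinary ones and cannot be managed through the same API; a small private constructor shared with `policy.add` would keep the record shape in one place. The new table also has no doc comment to match `-- @var Default rules` just above it; suggest `-- @var Built-in rules for special-use names (RFC 6303 sec. 3); consulted in policy.layer.begin only after policy.rules produced no match, so a PASS or FORWARD rule for the zone in policy.rules overrides the DENY`. The `private_zones` list and the `policy.todnames` call that feed this rule start outside the hunk.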