From: W.C.A. Wijngaards Date: Fri, 12 Mar 2021 08:04:54 +0000 (+0100) Subject: Merge branch 'master' into rpz-triggers X-Git-Tag: release-1.14.0rc1~62^2~48 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6f507eb036812a4ee3c211a6d5b98bdc93ed6289;p=thirdparty%2Funbound.git Merge branch 'master' into rpz-triggers --- 6f507eb036812a4ee3c211a6d5b98bdc93ed6289 diff --cc services/localzone.c index 2458842aa,fd2ff2bb6..fa586ef38 --- a/services/localzone.c +++ b/services/localzone.c @@@ -1557,13 -1590,11 +1601,13 @@@ local_zones_zone_answer(struct local_zo */ int rcode = (ld || lz_type == local_zone_redirect || lz_type == local_zone_inform_redirect || - lz_type == local_zone_always_nodata)? + lz_type == local_zone_always_nodata || + lz_type == local_zone_truncate)? LDNS_RCODE_NOERROR:LDNS_RCODE_NXDOMAIN; - if(z->soa && z->soa_negative) + rcode = lz_type == local_zone_truncate ? (rcode|BIT_TC) : rcode; - if(z != NULL && z->soa) ++ if(z != NULL && z->soa && z->soa_negative) return local_encode(qinfo, env, edns, repinfo, buf, temp, - z->soa, 0, rcode); + z->soa_negative, 0, rcode); local_error_encode(qinfo, env, edns, repinfo, buf, temp, rcode, (rcode|BIT_AA)); return 1; @@@ -1618,9 -1649,9 +1662,9 @@@ * does not, then we should make this noerror/nodata */ if(ld && ld->rrsets) { int rcode = LDNS_RCODE_NOERROR; - if(z != NULL && z->soa) - if(z->soa && z->soa_negative) ++ if(z != NULL && z->soa && z->soa_negative) return local_encode(qinfo, env, edns, repinfo, buf, temp, - z->soa, 0, rcode); + z->soa_negative, 0, rcode); local_error_encode(qinfo, env, edns, repinfo, buf, temp, rcode, (rcode|BIT_AA)); return 1; diff --cc services/rpz.c index 00f3b5a3d,0c79a0620..cf2c10191 --- a/services/rpz.c +++ b/services/rpz.c @@@ -566,33 -476,53 +567,50 @@@ rpz_insert_local_zones_trigger(struct l struct local_zone* z; enum localzone_type tp = local_zone_always_transparent; int dnamelabs = dname_count_labels(dname); - - char* rrstr; int newzone = 0; + if(a == 
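Review bot: The new `rcode = lz_type == local_zone_truncate ? (rcode|BIT_TC) : rcode;` sets TC on every truncate-zone answer, but a TC=1 reply only makes sense for a query that arrived over UDP; a client that already asked over TCP receives an answer it cannot retry, so unless the caller already filters on the transport (not visible in this hunk) the truncate case should fall through for TCP queries. The flag bit folded into rcode is then handed to `local_encode` and `local_error_encode` as their `rcode` argument, which is only correct if every consumer ORs that value into the header flags rather than reading it as a bare 4-bit RCODE; a comment at that line such as `/* BIT_TC rides in rcode; the encoders OR it into the flags word */` would make the contract explicit. On style, `if(lz_type == local_zone_truncate) rcode |= BIT_TC;` says the same thing without the self-assigning ternary. local_zones_zone_answer starts and ends outside the hunk.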
RPZ_TCP_ONLY_ACTION || a == RPZ_INVALID_ACTION) { + char str[255+1]; + if(rrtype == LDNS_RR_TYPE_SOA || rrtype == LDNS_RR_TYPE_NS || + rrtype == LDNS_RR_TYPE_DNAME || + rrtype == LDNS_RR_TYPE_DNSKEY || + rrtype == LDNS_RR_TYPE_RRSIG || + rrtype == LDNS_RR_TYPE_NSEC || + rrtype == LDNS_RR_TYPE_NSEC3PARAM || + rrtype == LDNS_RR_TYPE_NSEC3 || + rrtype == LDNS_RR_TYPE_DS) + return; /* no need to log these types as unsupported */ + dname_str(dname, str); + verbose(VERB_ALGO, "RPZ: qname trigger, %s skipping unsupported action: %s", + str, rpz_action_to_string(a)); + free(dname); + return; + } + - lock_rw_wrlock(&r->local_zones->lock); + lock_rw_wrlock(&lz->lock); /* exact match */ - z = local_zones_find(r->local_zones, dname, dnamelen, dnamelabs, - LDNS_RR_CLASS_IN); - if(z && a != RPZ_LOCAL_DATA_ACTION) { - rrstr = sldns_wire2str_rr(rr, rr_len); - if(!rrstr) { - log_err("malloc error while inserting RPZ qname " - "trigger"); + z = local_zones_find(lz, dname, dnamelen, dnamelabs, LDNS_RR_CLASS_IN); + if(z != NULL && a != RPZ_LOCAL_DATA_ACTION) { + char* rrstr = sldns_wire2str_rr(rr, rr_len); + if(rrstr == NULL) { + log_err("malloc error while inserting rpz nsdname trigger"); free(dname); - lock_rw_unlock(&r->local_zones->lock); + lock_rw_unlock(&lz->lock); return; } - verbose(VERB_ALGO, "RPZ: skipping duplicate record: '%s'", - rrstr); + verbose(VERB_ALGO, "rpz: skipping duplicate record: '%s'", rrstr); free(rrstr); free(dname); - lock_rw_unlock(&r->local_zones->lock); + lock_rw_unlock(&lz->lock); return; } - if(!z) { + if(z == NULL) { tp = rpz_action_to_localzone_type(a); - if(!(z = local_zones_add_zone(r->local_zones, dname, dnamelen, - dnamelabs, rrclass, tp))) { - log_warn("RPZ create failed"); - lock_rw_unlock(&r->local_zones->lock); + z = local_zones_add_zone(lz, dname, dnamelen, + dnamelabs, rrclass, tp); + if(z == NULL) { + log_warn("rpz: create failed"); + lock_rw_unlock(&lz->lock); /* dname will be free'd in failed local_zone_create() */ return; } @@@ -685,18 
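Review bot: The early `return; /* no need to log these types as unsupported */` in the new RPZ_TCP_ONLY_ACTION/RPZ_INVALID_ACTION branch leaks `dname`: every other exit of this function either frees it (the logged unsupported-action path and the duplicate-record path both call `free(dname)`) or hands it to `local_zones_add_zone`, so that silent path needs a brace block with `free(dname); return;`. The duplicate-record path also logs `"malloc error while inserting rpz nsdname trigger"` from what the verbose line on the same path calls the qname trigger, which will mislead anyone grepping logs; it should say `qname trigger`. rpz_insert_local_zones_trigger's parameter list and the remainder of its body lie outside the hunk.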
-559,31 +703,26 @@@ rpz_insert_ipaddr_based_trigger(struct char* rrstr; enum respip_action respa = rpz_action_to_respip_action(a); + lock_rw_wrlock(&set->lock); + if(a == RPZ_TCP_ONLY_ACTION || a == RPZ_INVALID_ACTION || + respa == respip_invalid) { + char str[255+1]; + dname_str(dname, str); + verbose(VERB_ALGO, "RPZ: respip trigger, %s skipping unsupported action: %s", + str, rpz_action_to_string(a)); + return 0; + } - if(!netblockdnametoaddr(dname, dnamelen, &addr, &addrlen, &net, &af)) - return 0; - - lock_rw_wrlock(&r->respip_set->lock); rrstr = sldns_wire2str_rr(rr, rr_len); - if(!rrstr) { - log_err("malloc error while inserting RPZ respip trigger"); - lock_rw_unlock(&r->respip_set->lock); + if(rrstr == NULL) { + log_err("malloc error while inserting rpz ipaddr based trigger"); + lock_rw_unlock(&set->lock); return 0; } - if(!(node=respip_sockaddr_find_or_create(r->respip_set, &addr, addrlen, - net, 1, rrstr))) { - lock_rw_unlock(&r->respip_set->lock); + + node = respip_sockaddr_find_or_create(set, addr, addrlen, net, 1, rrstr); + if(node == NULL) { + lock_rw_unlock(&set->lock); free(rrstr); return 0; } @@@ -1056,10 -716,10 +1083,10 @@@ rpz_find_zone(struct local_zones* zones * zone match, append '*' to that and do another lookup. */ ce = dname_get_shared_topdomain(z->name, qname); - if(!ce /* should not happen */ || !*ce /* root */) { + if(!ce /* should not happen */) { lock_rw_unlock(&z->lock); if(zones_keep_lock) { - lock_rw_unlock(&r->local_zones->lock); + lock_rw_unlock(&zones->lock); } return NULL; }
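Review bot: The new unsupported-action branch in rpz_insert_ipaddr_based_trigger returns 0 while still holding `set->lock`, which `lock_rw_wrlock(&set->lock)` acquired on the line just above; the two later early exits in the hunk both release it, so this path leaves the respip set write-locked and the next writer blocks forever. Either add `lock_rw_unlock(&set->lock);` before that `return 0;`, or move the check above the lock, since it only reads `a` and `respa`. The function's signature and its tail lie outside the hunk.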
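Review bot: Dropping the `!*ce /* root */` early return changes what rpz_find_zone does when the closest enclosing zone shares only the root with the query name: the new side continues to the wildcard lookup that follows the hunk instead of giving up, and nothing in the code says why. If the intent is that a wildcard trigger directly under the root should apply to every name, record it at that line, e.g. `/* ce may be the root: a wildcard trigger directly under it still applies */`; if it is not intended, the removal widens policy matching. rpz_find_zone starts and ends outside the hunk.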