From: Otto Moerbeek Date: Fri, 7 Aug 2020 12:30:30 +0000 (+0200) Subject: Store the trigger hit in the (applied)Policy. X-Git-Tag: rec-4.4.0-beta1^2~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=767d7660a0f6a3b0a03eca7e63806b423c305d6f;p=thirdparty%2Fpdns.git Store the trigger hit in the (applied)Policy. While there fix (a (I thnk) doc bug: appliedPolicy.policyAction does not exists. I think what is meant is policyType. So document that. --- diff --git a/pdns/filterpo.cc b/pdns/filterpo.cc index 69eaf053e9..97a379bb66 100644 --- a/pdns/filterpo.cc +++ b/pdns/filterpo.cc @@ -94,6 +94,7 @@ bool DNSFilterEngine::Zone::findNamedPolicy(const std::unordered_mapsecond; + pol.d_trigger = g_wildcarddnsname+s; return true; } } @@ -109,6 +110,7 @@ bool DNSFilterEngine::Zone::findExactNamedPolicy(const std::unordered_mapsecond; + pol.d_trigger = qname; return true; } @@ -163,12 +165,16 @@ bool DNSFilterEngine::getProcessingPolicy(const DNSName& qname, const std::unord } if (z->findExactNSPolicy(qname, pol)) { // cerr<<"Had a hit on the nameserver ("<findExactNSPolicy(wc, pol)) { // cerr<<"Had a hit on the nameserver ("<findNSIPPolicy(address, pol)) { // cerr<<"Had a hit on the nameserver ("<findExactQNamePolicy(qname, pol)) { // cerr<<"Had a hit on the name of the query"<findExactQNamePolicy(wc, pol)) { // cerr<<"Had a hit on the name of the query"<findResponsePolicy(ca, pol)) { + pol.d_trigger = Zone::maskToRPZ(ca); + pol.d_trigger.appendRawLabel("rpz-ip"); return true; } } diff --git a/pdns/filterpo.hh b/pdns/filterpo.hh index b450374144..4cccc189e5 100644 --- a/pdns/filterpo.hh +++ b/pdns/filterpo.hh @@ -157,6 +157,7 @@ public: std::vector> d_custom; std::shared_ptr d_zoneData{nullptr}; + DNSName d_trigger; /* Yup, we are currently using the same TTL for every record for a given name */ int32_t d_ttl; PolicyKind d_kind; 
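Review bot: The wildcard branch of findNamedPolicy now records `pol.d_trigger = g_wildcarddnsname+s;`, but the hunk starts mid-function and does not cover the exact-name lookup that, judging by the function's name and by the sibling findExactNamedPolicy hunk, precedes the wildcard loop; if that branch exists it returns with `pol` copied from the map and `d_trigger` left at whatever the stored Policy carried (presumably empty). It should set `pol.d_trigger = qname;` the same way the findExactNamedPolicy hunk does, otherwise an exact hit reached through findNamedPolicy reports no trigger while a wildcard hit does. The enclosing function begins before this hunk, so this cannot be confirmed from the diff alone.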
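Review bot: `DNSName d_trigger;` is added to Policy without a comment, although the neighbouring `d_ttl` has one, and the filterpo.cc hunks show it taking several shapes: the matched qname, the `g_wildcarddnsname+s` wildcard form, and for response-IP hits the result of `Zone::maskToRPZ(ca)` with a raw `rpz-ip` label appended. A reader of the header cannot tell which form to expect, nor that it is only filled in on the success path of the find*Policy lookups and is presumably default-constructed (empty) everywhere else. Suggest a comment above the member along the lines of `/* The trigger that matched: the qname or wildcard name for name-based policies, or the RPZ-encoded address (with its rpz-* label, e.g. rpz-ip) for address-based ones; empty unless set by a lookup */`.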
@@ -280,13 +281,15 @@ public: d_zoneData->d_priority = p; } + static DNSName maskToRPZ(const Netmask& nm); + private: void addNameTrigger(std::unordered_map& map, const DNSName& n, Policy&& pol, bool ignoreDuplicate, PolicyType ptype); void addNetmaskTrigger(NetmaskTree& nmt, const Netmask& nm, Policy&& pol, bool ignoreDuplicate, PolicyType ptype); bool rmNameTrigger(std::unordered_map& map, const DNSName& n, const Policy& pol); bool rmNetmaskTrigger(NetmaskTree& nmt, const Netmask& nm, const Policy& pol); - static DNSName maskToRPZ(const Netmask& nm); + private: static bool findExactNamedPolicy(const std::unordered_map& polmap, const DNSName& qname, DNSFilterEngine::Policy& pol); static bool findNamedPolicy(const std::unordered_map& polmap, const DNSName& qname, DNSFilterEngine::Policy& pol); static void dumpNamedPolicy(FILE* fp, const DNSName& name, const Policy& pol); diff --git a/pdns/lua-recursor4.cc b/pdns/lua-recursor4.cc index 30a6b25fec..1a768ae8d5 100644 --- a/pdns/lua-recursor4.cc +++ b/pdns/lua-recursor4.cc @@ -188,6 +188,7 @@ void RecursorLua4::postPrepareContext() d_lw->registerMember("policyKind", &DNSFilterEngine::Policy::d_kind); d_lw->registerMember("policyType", &DNSFilterEngine::Policy::d_type); d_lw->registerMember("policyTTL", &DNSFilterEngine::Policy::d_ttl); + d_lw->registerMember("policyTrigger", &DNSFilterEngine::Policy::d_trigger); d_lw->registerMember("policyCustom", [](const DNSFilterEngine::Policy& pol) -> std::string { std::string result; 
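Review bot: `maskToRPZ` is moved from the private section to public so that getProcessingPolicy can build address triggers, and the hunk appears to leave two `private:` labels in succession (the original one plus the one following the removed declaration), which reads as an editing leftover; the collapsed rendering of this page makes the exact line layout hard to confirm. A static function that is now part of the public surface also deserves a one-line contract, e.g. a comment stating the name shape it returns and that the caller is responsible for appending the `rpz-ip`-style label, which is what the filterpo.cc hunk in this commit does. The class body continues outside this hunk.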
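Review bot: `policyTrigger` is registered on Policy next to `policyKind`/`policyType`/`policyTTL`, but the dq.rst hunk in this same commit documents only `policyType`, so the new Lua-visible field ships undocumented; suggest adding an `.. attribute:: DNSQuestion.appliedPolicy.policyTrigger` entry describing it as the name or RPZ-encoded address that matched the policy, empty when no lookup set it. Note also that, unlike `policyCustom` just below which goes through an explicit lambda, registering the data member directly presumably exposes it for writing as well as reading; if the trigger is meant to be informational, a getter-only registration would make that explicit, worth confirming against the registerMember overloads in use. The enclosing postPrepareContext extends beyond this hunk.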
@@ -331,6 +332,15 @@ void RecursorLua4::postPrepareContext() {"Custom", (int)DNSFilterEngine::PolicyKind::Custom } }}); + d_pd.push_back({"policytypes", in_t { + {"None", (int)DNSFilterEngine::PolicyType::None }, + {"QName", (int)DNSFilterEngine::PolicyType::QName }, + {"ClientIP", (int)DNSFilterEngine::PolicyType::ClientIP }, + {"ResponseIP", (int)DNSFilterEngine::PolicyType::ResponseIP }, + {"NSDName", (int)DNSFilterEngine::PolicyType::NSDName }, + {"NSIP", (int)DNSFilterEngine::PolicyType::NSIP } + }}); + for(const auto& n : QType::names) d_pd.push_back({n.first, n.second}); diff --git a/pdns/recursordist/docs/lua-scripting/dq.rst b/pdns/recursordist/docs/lua-scripting/dq.rst index 25ca8d8cc8..343b00bd7e 100644 --- a/pdns/recursordist/docs/lua-scripting/dq.rst +++ b/pdns/recursordist/docs/lua-scripting/dq.rst @@ -62,9 +62,16 @@ The DNSQuestion object contains at least the following fields: Set by :ref:`policyName ` in the :func:`rpzFile` and :func:`rpzMaster` configuration items. It is advised to overwrite this when modifying the :attr:`DNSQuestion.appliedPolicy.policyKind` - .. attribute:: DNSQuestion.appliedPolicy.policyAction - - The action taken by the engine + .. attribute:: DNSQuestion.appliedPolicy.policyType + + The type of match for the policy. + + - ``pdns.policytypes.None`` the empty policy type + - ``pdns.policytypes.QName`` a match on qname + - ``pdns.policytypes.ClientIP`` a match on client IP + - ``pdns.policytypes.ResponseIP`` a match on response IP + - ``pdns.policytypes.NSDName`` a match on the name of a nameserver + - ``pdns.policytypes.NSIP`` a match on the IP of a nameserver .. attribute:: DNSQuestion.appliedPolicy.policyCustom
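Review bot: The new `policytypes` table enumerates each `DNSFilterEngine::PolicyType` value by hand, mirroring the PolicyKind table that precedes it, so a PolicyType added later will silently leave the Lua table (and the matching list in dq.rst) stale. A short comment on the table, `// keep in sync with DNSFilterEngine::PolicyType in filterpo.hh and docs/lua-scripting/dq.rst`, makes that coupling visible at the place where the next edit happens. The enclosing postPrepareContext continues beyond this hunk.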