From: Ralph Dolmans
Date: Mon, 12 Aug 2019 14:06:15 +0000 (+0200)
Subject: - Add RPZ respip test
X-Git-Tag: release-1.10.0rc1~28^2~28^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=88fce791dfc8035cab27adb81808dd428e1e951b;p=thirdparty%2Funbound.git
- Add RPZ respip test
- Fix rpz memory leak
---
diff --git a/services/rpz.c b/services/rpz.c
index 3e016b7d4..e3a890456 100644
--- a/services/rpz.c
+++ b/services/rpz.c
@@ -518,6 +518,7 @@ rpz_insert_response_ip_trigger(struct rpz* r, uint8_t* dname,
 if(!(node=respip_sockaddr_find_or_create(r->respip_set, &addr, addrlen,
 net, 1, rrstr))) {
 lock_rw_unlock(&r->respip_set->lock);
+ free(rrstr);
 return 0;
 }
 
@@ -530,6 +531,7 @@ rpz_insert_response_ip_trigger(struct rpz* r, uint8_t* dname,
 rrclass, ttl, rdata, rdata_len, rrstr, "");
 }
 lock_rw_unlock(&node->lock);
+ free(rrstr);
 return 1;
 }
 
@@ -558,10 +560,10 @@ rpz_insert_rr(struct rpz* r, size_t aznamelen, uint8_t* dname,
 free(policydname);
 }
 else if(t == RPZ_RESPONSE_IP_TRIGGER) {
- if(!rpz_insert_response_ip_trigger(r, policydname,
+ rpz_insert_response_ip_trigger(r, policydname,
 a, rr_type, rr_class, rr_ttl, rdatawl, rdatalen, rr,
- rr_len))
- free(policydname);
+ rr_len);
+ free(policydname);
 }
 else {
 free(policydname);
diff --git a/testdata/rpz_respip.rpl b/testdata/rpz_respip.rpl
new file mode 100644
index 000000000..b3e5e43bf
--- /dev/null
+++ b/testdata/rpz_respip.rpl
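Review bot: In rpz_insert_response_ip_trigger, the two added `free(rrstr);` calls (hunks at -518 and -530) are only safe if neither respip_sockaddr_find_or_create() nor the call ending in `rrstr, "");` keeps the pointer it is handed, and these hunks do not show that. Once confirmed against the callees, a short comment at each free such as `/* callees do not retain rrstr; this function owns and frees it */` would record the ownership rule and guard against a later use-after-free. The start of the function, including where rrstr is allocated and any other return paths after that point, lies outside both hunks, so whether every exit now frees it cannot be checked from here.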
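Review bot: In rpz_insert_rr (hunk at -558) the result of rpz_insert_response_ip_trigger() is now discarded, so a response-IP rule that fails to insert — the callee returns 0 on the path shown in the first hunk — leaves the zone loaded without that rule and with no signal at this call site. For a filtering policy that is a fail-open outcome, so I would keep the check and report it, for example `if(!rpz_insert_response_ip_trigger(...)) verbose(VERB_ALGO, "RPZ: response-ip trigger not inserted");` followed by the unconditional `free(policydname);`. Whether the callee already logs on each of its failure paths is not visible here, and rpz_insert_rr itself starts and ends outside the hunk.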
@@ -0,0 +1,422 @@
+; config options
+server:
+ module-config: "respip validator iterator"
+ target-fetch-policy: "0 0 0 0 0"
+ do-not-query-localhost: no
+ qname-minimisation: no
+
+
+rpz:
+ name: "rpz.example.com."
+ zonefile:
+TEMPFILE_NAME rpz.example.com
+TEMPFILE_CONTENTS rpz.example.com
+$ORIGIN example.com.
+rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
+ 1379078166 28800 7200 604800 7200 )
+ 3600 IN NS ns1.rpz.example.com.
+ 3600 IN NS ns2.rpz.example.com.
+$ORIGIN rpz.example.com.
+8.0.0.0.10.rpz-ip CNAME *.
+16.0.0.10.10.rpz-ip CNAME .
+24.0.10.10.10.rpz-ip CNAME rpz-drop.
+32.10.10.10.10.rpz-ip CNAME rpz-passthru.
+32.zz.db8.2001.rpz-ip CNAME *.
+48.zz.aa.db8.2001.rpz-ip CNAME .
+64.zz.bb.aa.db8.2001.rpz-ip CNAME rpz-drop.
+128.1.zz.cc.bb.aa.db8.2001.rpz-ip CNAME rpz-passthru.
+128.123.zz.cc.bb.aa.db8.2001.rpz-ip AAAA 2001:db8::123
+
+TEMPFILE_END
+
+rpz:
+ name: "rpz2.example.com."
+ zonefile:
+TEMPFILE_NAME rpz2.example.com
+TEMPFILE_CONTENTS rpz2.example.com
+$ORIGIN example.com.
+rpz2 3600 IN SOA ns1.rpz2.example.com. hostmaster.rpz2.example.com. (
+ 1379078166 28800 7200 604800 7200 )
+ 3600 IN NS ns1.rpz2.example.com.
+ 3600 IN NS ns2.rpz2.example.com.
+$ORIGIN rpz2.example.com.
+32.10.10.10.10.rpz-ip A 203.0.113.123
+32.123.2.0.192.rpz-ip A 203.0.113.123
+128.1.zz.cc.bb.aa.db8.2001.rpz-ip AAAA 2001:db1::123
+TEMPFILE_END
+
+stub-zone:
+ name: "."
+ stub-addr: 10.20.30.40
+CONFIG_END
+
+SCENARIO_BEGIN Test all supported RPZ action for response IP address trigger
+
+; c.
+RANGE_BEGIN 0 100
+ ADDRESS 10.20.30.40
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS ns.
+SECTION ADDITIONAL
+ns. IN A 10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+a. IN A
+SECTION ANSWER
+a. 
IN A 10.0.0.123
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+a. IN AAAA
+SECTION ANSWER
+a. IN AAAA 2001:db8::123
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+b. IN A
+SECTION ANSWER
+b. IN A 10.1.0.123
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+b. IN AAAA
+SECTION ANSWER
+b. IN AAAA 2001:db8:1::123
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+c. IN A
+SECTION ANSWER
+c. IN A 10.11.0.123
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+c. IN AAAA
+SECTION ANSWER
+c. IN AAAA 2001:db8:ff::123
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+d. IN A
+SECTION ANSWER
+d. IN A 10.10.0.123
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+d. IN AAAA
+SECTION ANSWER
+d. IN AAAA 2001:db8:aa::123
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+e. IN A
+SECTION ANSWER
+e. IN A 10.10.10.123
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+e. IN AAAA
+SECTION ANSWER
+e. IN AAAA 2001:db8:aa:bb::123
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+f. IN A
+SECTION ANSWER
+f. IN A 10.10.10.10
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+f. IN AAAA
+SECTION ANSWER
+f. IN AAAA 2001:db8:aa:bb:cc::1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+g. IN A
+SECTION ANSWER
+g. IN A 192.0.2.123
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+g. 
IN AAAA
+SECTION ANSWER
+g. IN AAAA 2001:db8:aa:bb:cc::123
+ENTRY_END
+
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+a. IN A
+ENTRY_END
+
+STEP 2 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+a. IN A
+SECTION ANSWER
+ENTRY_END
+
+STEP 3 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+a. IN AAAA
+ENTRY_END
+
+STEP 4 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+a. IN AAAA
+SECTION ANSWER
+ENTRY_END
+
+STEP 5 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+b. IN A
+ENTRY_END
+
+STEP 6 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+b. IN A
+SECTION ANSWER
+ENTRY_END
+
+STEP 7 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+b. IN AAAA
+ENTRY_END
+
+STEP 8 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+b. IN AAAA
+SECTION ANSWER
+ENTRY_END
+
+STEP 9 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+c. IN A
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+c. IN A
+SECTION ANSWER
+ENTRY_END
+
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+c. IN AAAA
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+c. IN AAAA
+SECTION ANSWER
+ENTRY_END
+
+STEP 13 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+d. IN A
+ENTRY_END
+
+STEP 14 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NXDOMAIN
+SECTION QUESTION
+d. IN A
+SECTION ANSWER
+ENTRY_END
+
+STEP 15 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+d. IN AAAA
+ENTRY_END
+
+STEP 16 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NXDOMAIN
+SECTION QUESTION
+d. IN AAAA
+SECTION ANSWER
+ENTRY_END
+
+STEP 17 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+f. IN A
+ENTRY_END
+
+STEP 18 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+f. IN A
+SECTION ANSWER
+f. 
IN A 10.10.10.10
+ENTRY_END
+
+STEP 19 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+f. IN AAAA
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+f. IN AAAA
+SECTION ANSWER
+f. IN AAAA 2001:db8:aa:bb:cc::1
+ENTRY_END
+
+STEP 21 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+g. IN A
+ENTRY_END
+
+STEP 22 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+g. IN A
+SECTION ANSWER
+g. IN A 203.0.113.123
+ENTRY_END
+
+STEP 23 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+g. IN AAAA
+ENTRY_END
+
+STEP 24 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+g. IN AAAA
+SECTION ANSWER
+g. IN AAAA 2001:db8::123
+ENTRY_END
+
+; should be dropped
+STEP 25 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+e. IN A
+ENTRY_END
+STEP 26 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+e. IN AAAA
+ENTRY_END
+STEP 27 TIME_PASSES ELAPSE 12
+SCENARIO_END