From: Otto Date: Wed, 13 Oct 2021 13:45:16 +0000 (+0200) Subject: Put the right string into appliedPolicyTrigger for Netmask matching rules X-Git-Tag: rec-4.6.0-alpha2~10^2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b143b5f53285957a7230a6e192935a4a45f3454d;p=thirdparty%2Fpdns.git Put the right string into appliedPolicyTrigger for Netmask matching rules (ns, client, response). The NetMaskTree has it.
---
diff --git a/pdns/filterpo.cc b/pdns/filterpo.cc
index 1716f99481..0a3f0f3b4f 100644
--- a/pdns/filterpo.cc
+++ b/pdns/filterpo.cc
@@ -53,27 +53,30 @@ bool DNSFilterEngine::Zone::findExactNSPolicy(const DNSName& qname, DNSFilterEng
 return findExactNamedPolicy(d_propolName, qname, pol);
 }
-bool DNSFilterEngine::Zone::findNSIPPolicy(const ComboAddress& addr, DNSFilterEngine::Policy& pol) const
+bool DNSFilterEngine::Zone::findNSIPPolicy(const ComboAddress& addr, Netmask& key, DNSFilterEngine::Policy& pol) const
 {
 if (const auto fnd = d_propolNSAddr.lookup(addr)) {
+ key = fnd->first;
 pol = fnd->second;
 return true;
 }
 return false;
 }
-bool DNSFilterEngine::Zone::findResponsePolicy(const ComboAddress& addr, DNSFilterEngine::Policy& pol) const
+bool DNSFilterEngine::Zone::findResponsePolicy(const ComboAddress& addr, Netmask& key, DNSFilterEngine::Policy& pol) const
 {
 if (const auto fnd = d_postpolAddr.lookup(addr)) {
+ key = fnd->first;
 pol = fnd->second;
 return true;
 }
 return false;
 }
-bool DNSFilterEngine::Zone::findClientPolicy(const ComboAddress& addr, DNSFilterEngine::Policy& pol) const
+bool DNSFilterEngine::Zone::findClientPolicy(const ComboAddress& addr, Netmask& key, DNSFilterEngine::Policy& pol) const
 {
 if (const auto fnd = d_qpolAddr.lookup(addr)) {
+ key = fnd->first;
 pol = fnd->second;
 return true;
 }
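Review bot: The new `key` out-parameter of findNSIPPolicy, findResponsePolicy and findClientPolicy has no documented contract: in each body `key = fnd->first;` runs only inside the `if`, so on a miss the caller's `Netmask` keeps whatever it held before the call. The response-policy caller later in this file builds `pol.d_trigger` from that value, so a reader needs to know it is the matching rule's netmask and not the address that was looked up. I would put this comment above each of the three definitions, and on the matching declarations in the filterpo.hh hunk: `// On a hit, sets key to the netmask of the matching rule (not the looked-up address) and pol to its policy; both are left untouched on a miss.`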
@@ -212,10 +215,10 @@ bool DNSFilterEngine::getProcessingPolicy(const ComboAddress& address, const std continue; } - if(z->findNSIPPolicy(address, pol)) { + Netmask key; + if(z->findNSIPPolicy(address, key, pol)) { // cerr<<"Had a hit on the nameserver ("<findClientPolicy(ca, pol)) { + Netmask key; + if (z->findClientPolicy(ca, key, pol)) { // cerr<<"Had a hit on the IP address ("<findResponsePolicy(ca, pol)) { - pol.d_trigger = Zone::maskToRPZ(ca); + Netmask key; + if (z->findResponsePolicy(ca, key, pol)) { + pol.d_trigger = Zone::maskToRPZ(key); pol.d_trigger.appendRawLabel(rpzIPName); pol.d_hit = ca.toString(); return true; diff --git a/pdns/filterpo.hh b/pdns/filterpo.hh index 971aabd476..47f1d9a6de 100644 --- a/pdns/filterpo.hh +++ b/pdns/filterpo.hh @@ -263,9 +263,9 @@ public: bool findExactQNamePolicy(const DNSName& qname, DNSFilterEngine::Policy& pol) const; bool findExactNSPolicy(const DNSName& qname, DNSFilterEngine::Policy& pol) const; - bool findNSIPPolicy(const ComboAddress& addr, DNSFilterEngine::Policy& pol) const; - bool findResponsePolicy(const ComboAddress& addr, DNSFilterEngine::Policy& pol) const; - bool findClientPolicy(const ComboAddress& addr, DNSFilterEngine::Policy& pol) const; + bool findNSIPPolicy(const ComboAddress& addr, Netmask& key, DNSFilterEngine::Policy& pol) const; + bool findResponsePolicy(const ComboAddress& addr, Netmask& key, DNSFilterEngine::Policy& pol) const; + bool findClientPolicy(const ComboAddress& addr, Netmask& key, DNSFilterEngine::Policy& pol) const; bool hasClientPolicies() const { diff --git a/pdns/recursordist/test-filterpo_cc.cc b/pdns/recursordist/test-filterpo_cc.cc index 5b48fb5687..065fe4c3cb 100644 --- a/pdns/recursordist/test-filterpo_cc.cc +++ b/pdns/recursordist/test-filterpo_cc.cc 
@@ -107,8 +107,10 @@ BOOST_AUTO_TEST_CASE(test_filter_policies_basic)
 const auto matchingPolicy = dfe.getProcessingPolicy(nsIP, std::unordered_map(), DNSFilterEngine::maximumPriority);
 BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::NSIP);
 BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Drop);
+ Netmask key;
 DNSFilterEngine::Policy zonePolicy;
- BOOST_CHECK(zone->findNSIPPolicy(nsIP, zonePolicy));
+ BOOST_CHECK(zone->findNSIPPolicy(nsIP, key, zonePolicy));
+ BOOST_CHECK(key == nsIP);
 BOOST_CHECK(zonePolicy == matchingPolicy);
 }
@@ -116,8 +118,9 @@ BOOST_AUTO_TEST_CASE(test_filter_policies_basic)
 /* allowed NS IP */
 const auto matchingPolicy = dfe.getProcessingPolicy(ComboAddress("192.0.2.142"), std::unordered_map(), DNSFilterEngine::maximumPriority);
 BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::None);
+ Netmask key;
 DNSFilterEngine::Policy zonePolicy;
- BOOST_CHECK(zone->findNSIPPolicy(ComboAddress("192.0.2.142"), zonePolicy) == false);
+ BOOST_CHECK(zone->findNSIPPolicy(ComboAddress("192.0.2.142"), key, zonePolicy) == false);
 }
 {
@@ -158,8 +161,10 @@ BOOST_AUTO_TEST_CASE(test_filter_policies_basic)
 const auto matchingPolicy = dfe.getClientPolicy(clientIP, std::unordered_map(), DNSFilterEngine::maximumPriority);
 BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::ClientIP);
 BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Drop);
+ Netmask key;
 DNSFilterEngine::Policy zonePolicy;
- BOOST_CHECK(zone->findClientPolicy(clientIP, zonePolicy));
+ BOOST_CHECK(zone->findClientPolicy(clientIP, key, zonePolicy));
+ BOOST_CHECK(key == clientIP);
 BOOST_CHECK(zonePolicy == matchingPolicy);
 }
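Review bot: `BOOST_CHECK(key == nsIP);` compares the returned netmask with the very address that was looked up, so as far as the comparison shows it can only pass for a rule covering exactly that one host, and for such a rule a trigger built from the address and one built from the matching netmask would presumably come out the same. The same applies to `BOOST_CHECK(key == clientIP);` in the -158 hunk and `BOOST_CHECK(key == responseIP);` in the -180 hunk. A case with a rule for a wider prefix, asserting that `key` equals that prefix and that `matchingPolicy.d_trigger` names the prefix rather than the queried address, would cover the behaviour this commit changes; the trigger is what an operator relies on to tell which RPZ rule fired. The test case body starts and ends outside these hunks.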
@@ -167,8 +172,9 @@ BOOST_AUTO_TEST_CASE(test_filter_policies_basic)
 /* not blocked */
 const auto matchingPolicy = dfe.getClientPolicy(ComboAddress("192.0.2.142"), std::unordered_map(), DNSFilterEngine::maximumPriority);
 BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::None);
+ Netmask key;
 DNSFilterEngine::Policy zonePolicy;
- BOOST_CHECK(zone->findClientPolicy(ComboAddress("192.0.2.142"), zonePolicy) == false);
+ BOOST_CHECK(zone->findClientPolicy(ComboAddress("192.0.2.142"), key, zonePolicy) == false);
 BOOST_CHECK(zone->findExactQNamePolicy(DNSName("totally.legit."), zonePolicy) == false);
 }
@@ -180,8 +186,10 @@ BOOST_AUTO_TEST_CASE(test_filter_policies_basic)
 const auto matchingPolicy = dfe.getPostPolicy({dr}, std::unordered_map(), DNSFilterEngine::maximumPriority);
 BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::ResponseIP);
 BOOST_CHECK(matchingPolicy.d_kind == DNSFilterEngine::PolicyKind::Drop);
+ Netmask key;
 DNSFilterEngine::Policy zonePolicy;
- BOOST_CHECK(zone->findResponsePolicy(responseIP, zonePolicy));
+ BOOST_CHECK(zone->findResponsePolicy(responseIP, key, zonePolicy));
+ BOOST_CHECK(key == responseIP);
 BOOST_CHECK(zonePolicy == matchingPolicy);
 }
@@ -192,8 +200,9 @@ BOOST_AUTO_TEST_CASE(test_filter_policies_basic)
 dr.d_content = DNSRecordContent::mastermake(QType::A, QClass::IN, "192.0.2.142");
 const auto matchingPolicy = dfe.getPostPolicy({dr}, std::unordered_map(), DNSFilterEngine::maximumPriority);
 BOOST_CHECK(matchingPolicy.d_type == DNSFilterEngine::PolicyType::None);
+ Netmask key;
 DNSFilterEngine::Policy zonePolicy;
- BOOST_CHECK(zone->findResponsePolicy(ComboAddress("192.0.2.142"), zonePolicy) == false);
+ BOOST_CHECK(zone->findResponsePolicy(ComboAddress("192.0.2.142"), key, zonePolicy) == false);
 }
 BOOST_CHECK_EQUAL(zone->size(), 7U);