From 1bf8a1384ede8e49374bb19b24d08e3c0eaa0021 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Thu, 24 May 2018 19:24:37 +0200 Subject: [PATCH] policy, view: documentation nitpicks It seems like implementation and docs got de-synchronized, probably at some point very long ago (years). --- modules/policy/README.rst | 19 +++++++++++-------- modules/view/README.rst | 2 +- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/modules/policy/README.rst b/modules/policy/README.rst index 73d8feebe..13c5e25b0 100644 --- a/modules/policy/README.rst +++ b/modules/policy/README.rst @@ -22,7 +22,7 @@ A *filter* selects which queries will be affected by specified *action*. There a - applies the action if QNAME suffix matches one of suffixes in the table (useful for "is domain in zone" rules), uses `Aho-Corasick`_ string matching algorithm `from CloudFlare `_ (BSD 3-clause) * :any:`policy.suffix_common` -* ``rpz`` +* ``rpz(default_action, path)`` - implements a subset of RPZ_ in zonefile format. See below for details: :any:`policy.rpz`. * custom filter function @@ -182,9 +182,9 @@ Most properties (actions, filters) are described above. Like suffix match, but you can also provide a common suffix of all matches for faster processing (nil otherwise). This function is faster for small suffix tables (in the order of "hundreds"). -.. function:: policy.rpz(action, path[, format]) +.. function:: policy.rpz(action, path) - :param action: the default action for match in the zone (e.g. RH-value `.`) + :param action: the default action for match in the zone; typically you want ``policy.DENY`` :param path: path to zone file | database Enforce RPZ_ rules. This can be used in conjunction with published blocklist feeds. 
@@ -194,13 +194,16 @@ Most properties (actions, filters) are described above. .. csv-table:: :header: "Policy Action", "RH Value", "Support" - "NXDOMAIN", "``.``", "**yes**" - "NODATA", "``*.``", "*partial*, implemented as NXDOMAIN" - "Unchanged", "``rpz-passthru.``", "**yes**" - "Nothing", "``rpz-drop.``", "**yes**" - "Truncated", "``rpz-tcp-only.``", "**yes**" + "``action`` is used", "``.``", "**yes**, if ``action`` is ``DENY``" + "``action`` is used ", "``*.``", "*partial* [#]_" + "``policy.PASS``", "``rpz-passthru.``", "**yes**" + "``policy.DROP``", "``rpz-drop.``", "**yes**" + "``policy.TC``", "``rpz-tcp-only.``", "**yes**" "Modified", "anything", "no" + .. [#] The specification for ``*.`` wants a ``NODATA`` answer. + For now, ``policy.DENY`` action doing ``NXDOMAIN`` is typically used instead. + .. csv-table:: :header: "Policy Trigger", "Support" diff --git a/modules/view/README.rst b/modules/view/README.rst index f367814af..71c13ab19 100644 --- a/modules/view/README.rst +++ b/modules/view/README.rst @@ -9,7 +9,7 @@ filters and ACLs, sort of like ISC BIND views. There are two identification mechanisms: -* ``subnet`` +* ``addr`` - identifies the client based on his subnet * ``tsig`` - identifies the client based on a TSIG key -- 2.47.2
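Review bot: the filter-list entry in the first policy README hunk now reads ``rpz(default_action, path)`` while the function directive in the next hunk reads ``policy.rpz(action, path)``; the parameter name should be the same in both places (``action`` matches the ``:param action:`` line), otherwise readers will look for a ``default_action`` parameter that is not documented.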
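Review bot: dropping the optional ``format`` argument from ``policy.rpz(action, path)`` leaves ``:param path: path to zone file | database`` in place, which still implies a second (database) input format that is no longer selectable; either narrow it to "path to zone file" or state how a database path is recognised without the ``format`` argument. The new ``:param action:`` text ("typically you want ``policy.DENY``") is a good addition since the table below depends on that choice.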
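Review bot: in the rewritten csv-table the second row's first cell is ``"``action`` is used "`` with a trailing space inside the quotes, which will render as a visibly different cell from the row above it; drop the space so both ``.`` and ``*.`` rows read identically. Also consider making the "Modified" row consistent with the new column semantics (the other rows now name the policy action that is applied, e.g. ``policy.PASS``), for instance "none (not implemented)". The footnote explaining that ``*.`` yields NXDOMAIN via ``policy.DENY`` instead of the NODATA the specification wants is worth keeping, as it documents a deliberate deviation that operators comparing answers against other RPZ implementations will otherwise misread as a bug.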
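Review bot: renaming the identification mechanism from ``subnet`` to ``addr`` in the view README leaves the unchanged description "identifies the client based on his subnet" directly under it, which now mismatches the key name; suggest "identifies the client based on its address or subnet". If the old ``subnet`` spelling was never accepted by the implementation (as the commit message implies), a short "previously documented as ``subnet``" note would help anyone whose configuration was written from the stale docs.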