From 354c19f6ace2e23b30678a6d8d62db24efefd5aa Mon Sep 17 00:00:00 2001
From: mb
Date: Tue, 24 Nov 2020 09:33:08 +0100
Subject: [PATCH] rpz: apply trigger at query time not response time

---
 iterator/iterator.c |  8 +++++---
 services/rpz.c      | 26 ++++++++++++++++++++++++--
 2 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/iterator/iterator.c b/iterator/iterator.c
index fcda1bb3b..f2585be31 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -2471,6 +2471,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 	/* Add the current set of unused targets to our queue. */
 	delegpt_add_unused_targets(iq->dp);
 
+	rpz_iterator_module_callback(qstate, iq);
+
 	/* Select the next usable target, filtering out unsuitable targets. */
 	target = iter_server_selection(ie, qstate->env, iq->dp, iq->dp->name,
 		iq->dp->namelen, iq->qchase.qtype,
@@ -2660,15 +2662,15 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 {
 	int dnsseclame = 0;
 	enum response_type type;
-	int rpz_filter_result;
+	//int rpz_filter_result;
 
 	iq->num_current_queries--;
 
 	if(!inplace_cb_query_response_call(qstate->env, qstate, iq->response))
 		log_err("unable to call query_response callback");
 
-	rpz_filter_result = rpz_iterator_module_callback(qstate, iq);
-	if(rpz_filter_result > 0) { next_state(iq, FINISHED_STATE); }
+	//rpz_filter_result = rpz_iterator_module_callback(qstate, iq);
+	//if(rpz_filter_result > 0) { next_state(iq, FINISHED_STATE); }
 
 	if(iq->response == NULL) {
 		/* Don't increment qname when QNAME minimisation is enabled */
diff --git a/services/rpz.c b/services/rpz.c
index eae3feeeb..5b5c10eb8 100644
--- a/services/rpz.c
+++ b/services/rpz.c
@@ -53,6 +53,7 @@
 #include "util/data/msgencode.h"
 #include "services/cache/dns.h"
 #include "iterator/iterator.h"
+#include "iterator/iter_delegpt.h"
 
 typedef struct resp_addr rpz_aclnode_type;
 
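Review bot: The return value of the new `rpz_iterator_module_callback(qstate, iq);` call in processQueryTargets is discarded, although the call it replaces in processQueryResponse used exactly that value to move the iterator to FINISHED_STATE. If the callback still returns non-zero when it has applied a policy action (the removed code assumed so), the new call site falls straight through into iter_server_selection and sends the query regardless, so the NS-IP trigger can no longer short-circuit resolution. The check should move along with the call, e.g. `if(rpz_iterator_module_callback(qstate, iq) > 0) { next_state(iq, FINISHED_STATE); }` followed by whatever return processQueryTargets uses to stop processing targets; that function's body starts and ends outside the hunk, so the exact return form has to be taken from there.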
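Review bot: The replaced lines in processQueryResponse are kept as commented-out code (`//int rpz_filter_result;`, `//rpz_filter_result = rpz_iterator_module_callback(qstate, iq);`, `//if(rpz_filter_result > 0) { ... }`) instead of being deleted; the commit history already records the old call, and the surrounding file uses `/* */` comments, so these three lines should simply go. If the aim is to leave a pointer for the next reader, a single comment at the former call site such as `/* rpz nsip triggers are applied in processQueryTargets before the query is sent */` says that more clearly than dead code. processQueryResponse's body continues past the hunk.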
@@ -1489,16 +1490,35 @@ rpz_patch_localdata(struct dns_msg* response, struct clientip_synthesized_rr* da
 	return 1;
 }
 
+struct clientip_synthesized_rr*
+rpz_delegation_point_ipbased_trigger_lookup(struct rpz* rpz,
+	struct iter_qstate* is)
+{
+	struct delegpt_addr* cursor;
+	struct clientip_synthesized_rr* action = NULL;
+	if(is->dp == NULL) { return NULL; }
+	for(cursor = is->dp->target_list; cursor != NULL; cursor = cursor->next_target) {
+		if(cursor->bogus) { continue; }
+		action = rpz_ipbased_trigger_lookup(rpz->ns_set, &cursor->addr, cursor->addrlen);
+		if(action != NULL) { return action; }
+	}
+	return NULL;
+}
+
 int
 rpz_iterator_module_callback(struct module_qstate* ms, struct iter_qstate* is)
 {
-	struct auth_zones* az = ms->env->auth_zones;
+	struct auth_zones* az;
 	struct auth_zone* a;
 	struct clientip_synthesized_rr* raddr;
 	enum rpz_action action = RPZ_INVALID_ACTION;
 	struct rpz* r;
 	int ret = 0;
 
+	if(ms->env == NULL || ms->env->auth_zones == NULL) { return 0; }
+
+	az = ms->env->auth_zones;
+
 	verbose(VERB_ALGO, "rpz: iterator module callback: have_rpz=%d", az->rpz_first != NULL);
 
 	lock_rw_rdlock(&az->rpz_lock);
@@ -1507,7 +1527,7 @@ rpz_iterator_module_callback(struct module_qstate* ms, struct iter_qstate* is)
 	for(a = az->rpz_first; a != NULL; a = a->rpz_az_next) {
 		lock_rw_rdlock(&a->lock);
 		r = a->rpz;
-		raddr = rpz_ipbased_trigger_lookup(r->ns_set, &ms->reply->addr, ms->reply->addrlen);
+		raddr = rpz_delegation_point_ipbased_trigger_lookup(r, is);
 		if(raddr != NULL) {
 			lock_rw_unlock(&a->lock);
 			break;
@@ -1515,6 +1535,8 @@ rpz_iterator_module_callback(struct module_qstate* ms, struct iter_qstate* is)
 		lock_rw_unlock(&a->lock);
 	}
 
+	lock_rw_unlock(&az->rpz_lock);
+
 	if(raddr == NULL) { return 0; }
 
 	verbose(VERB_ALGO, "rpz: iterator callback: nsip: apply action=%s",
-- 
2.47.3
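Review bot: `rpz_delegation_point_ipbased_trigger_lookup` is added with external linkage and no documentation comment; unless a prototype for it is added to services/rpz.h (not part of this diff), it should be `static`, and in either case it needs a header comment in the file's style stating that it returns the first non-bogus address in `is->dp->target_list` that matches `rpz->ns_set`, or NULL when there is no delegation point or no match. The function dereferences `is` and `rpz` unconditionally while the caller in the same hunk newly guards `ms->env` and `ms->env->auth_zones`; the caller always passes `a->rpz` and the iterator's own state, so that is presumably fine, but a `log_assert(is && rpz);` at the top would make the contract explicit rather than implied.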
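Review bot: The swapped lookup `raddr = rpz_delegation_point_ipbased_trigger_lookup(r, is);` changes what an NS-IP trigger matches against, and nothing in the code says so: the removed line tested only `ms->reply->addr`, the server that actually answered, whereas the new call fires on any address in the delegation point, so one listed address among otherwise clean nameservers now triggers the policy before any of them is contacted. That is the intent of the commit, but it should be recorded at the call site, e.g. `/* match nsip triggers against every candidate address of the delegation, before a server is chosen */`, so that later readers do not take the wider match for an accident. The loop and the locking around it continue in the next hunk.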
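Review bot: `raddr` is tested at `if(raddr == NULL) { return 0; }` but is only assigned inside the `for(a = az->rpz_first; ...)` loop, and its declaration `struct clientip_synthesized_rr* raddr;` in the first hunk carries no initializer; when no RPZ zone is configured the loop body never runs and the test reads an uninitialized pointer, which is undefined behaviour, unless one of the two lines between the first and second hunk sets it. The fix is `struct clientip_synthesized_rr* raddr = NULL;` at the declaration. The added `lock_rw_unlock(&az->rpz_lock);` also releases the zone-list lock before `raddr`, which points into one zone's `ns_set`, is used further down; if `rpz_lock` is what keeps that zone alive the pointer is dangling from here on, and the remainder of the function, outside the hunk, should be checked for a second unlock of `az->rpz_lock` on the success path now that this one is unconditional.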