From 449a0bab092322ae36d695f376b06840590233fc Mon Sep 17 00:00:00 2001 From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Wed, 24 May 2023 16:09:13 +0200 Subject: [PATCH] lib/rules forwarding: per-IP .tls We planned it that way for the new config schema - and, why not. --- daemon/bindings/net.c | 2 +- lib/rules/api.h | 2 +- modules/policy/policy.lua | 25 +++++++++++++------------ 3 files changed, 15 insertions(+), 14 deletions(-) diff --git a/daemon/bindings/net.c b/daemon/bindings/net.c index f1fa6f3a3..42c6190ad 100644 --- a/daemon/bindings/net.c +++ b/daemon/bindings/net.c @@ -723,7 +723,7 @@ static int net_tls_client(lua_State *L) /* check that only allowed keys are present */ { const char *bad_key = lua_table_checkindices(L, (const char *[]) - { "1", "hostname", "ca_file", "pin_sha256", "insecure", NULL }); + { "1", "hostname", "ca_file", "pin_sha256", "insecure", "tls", NULL }); if (bad_key) lua_error_p(L, "found unexpected key '%s'", bad_key); } diff --git a/lib/rules/api.h b/lib/rules/api.h index 71549d7fc..8af5e9246 100644 --- a/lib/rules/api.h +++ b/lib/rules/api.h @@ -134,7 +134,7 @@ struct kr_rule_fwd_flags { /// Beware of ABI: this struct is memcpy'd to/from rule DB. bool is_auth : 1, - is_tcp : 1, /// forced TCP (e.g. DoT) + is_tcp : 1, /// forced TCP; unused, not needed for DoT is_nods : 1; /// disable local DNSSEC validation }; typedef struct kr_rule_fwd_flags kr_rule_fwd_flags_t; diff --git a/modules/policy/policy.lua b/modules/policy/policy.lua index b4030375a..443fc0b03 100644 --- a/modules/policy/policy.lua +++ b/modules/policy/policy.lua 
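Review bot: `"tls"` is added to the allowed-key list in net_tls_client, but nothing in the hunk consumes it, so a caller of net.tls_client() that sets `tls` now has it silently ignored instead of getting the 'unexpected key' error this check exists to raise. If the only purpose is to let policy.rule_forward_add() pass its per-target table through unchanged, say so at the added entry, e.g. `"tls", /* accepted but ignored here; consumed by policy.rule_forward_add() */`. Should net_tls_client read the key further down (outside this hunk), the comment should point there instead.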
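Review bot: The new comment on `is_tcp` says the bit is unused but not why it is kept, while the line just above warns that the struct is memcpy'd to/from the rule DB; make the constraint explicit so nobody removes or repurposes the bit, e.g. `is_tcp : 1, /// forced TCP; unused, kept only for rule-DB ABI (not needed for DoT)`. Records written by earlier builds may still carry the bit set, which is harmless only as long as no reader of is_tcp remains elsewhere in lib/rules — that cannot be confirmed from this hunk.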
@@ -863,24 +863,25 @@ Throws lua exceptions when detecting something fishy. \param subtree plain string \param options .auth targets are authoritative (false by default = resolver) - .tls use DoT (false by default, only for resolvers) .dnssec if overridden to false, don't validate DNSSEC locally - for resolvers we still do *not* send CD=1 upstream, i.e. we trust their DNSSEC validation. - for auths this inserts a negative trust anchor Beware that setting .set_insecure() *later* would override that. -\param targets same format as policy.TLS_FORWARD() +\param targets same format as policy.TLS_FORWARD() except that `tls = true` + can be specified for each address (defaults to false) --]] function policy.rule_forward_add(subtree, options, targets) - local port_default = 53 - if options.tls or false then - port_default = 853 - -- lots of code; easiest to just call it this way; checks and throws - policy.TLS_FORWARD(targets) - end - local targets_2 = {} for _, target in ipairs(targets) do + local port_default = 53 + if target.tls or false then + port_default = 853 + -- lots of code; easiest to just call it this way; checks and throws + -- The extra .tls field gets ignored. + policy.TLS_FORWARD({target}) + end + -- this also throws on failure local sock = addr2sock(target[1], port_default) if options.auth then @@ -894,9 +895,9 @@ function policy.rule_forward_add(subtree, options, targets) local subtree_dname = todname(subtree) assert(ffi.C.kr_rule_forward(subtree_dname, - { is_tcp = options.tls - , is_nods = options.dnssec == false - , is_auth = options.auth + { + is_nods = options.dnssec == false, + is_auth = options.auth, }, targets_3 ) == 0) -- 2.47.2