From 4b30e88eec76bc12819fe0fe1da97fad00ba7d98 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Thu, 30 May 2024 12:44:26 +0200
Subject: [PATCH] - Fix for #1079: fix RPZ taglist in iterator callback that no client info is like no taglist intersection.

---
 doc/Changelog | 2 ++
 services/rpz.c | 8 ++++----
 testdata/rpz_cname_tag.rpl | 31 +++++++++++++++++++++++++++++++
 3 files changed, 37 insertions(+), 4 deletions(-)

diff --git a/doc/Changelog b/doc/Changelog
index eeb3f740e..5f3e8d4fe 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,8 @@
 30 May 2024: Wouter
 	- Fix #1079: tags from tagged rpz zones are no longer honored after
 	  upgrade from 1.19.3 to 1.20.0.
+	- Fix for #1079: fix RPZ taglist in iterator callback that no client
+	  info is like no taglist intersection.
 
 29 May 2024: Wouter
 	- Merge #1078: Only check old pid if no username.
diff --git a/services/rpz.c b/services/rpz.c
index 177d86e02..1223f6771 100644
--- a/services/rpz.c
+++ b/services/rpz.c
@@ -2453,10 +2453,10 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate*
 			lock_rw_unlock(&a->lock);
 			continue;
 		}
-		if(r->taglist && ms->client_info &&
+		if(r->taglist && (!ms->client_info ||
 			!taglist_intersect(r->taglist, r->taglistlen,
 			ms->client_info->taglist,
-			ms->client_info->taglen)) {
+			ms->client_info->taglen))) {
 			lock_rw_unlock(&a->lock);
 			continue;
 		}
@@ -2518,10 +2518,10 @@ struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* ms,
 			lock_rw_unlock(&a->lock);
 			continue;
 		}
-		if(r->taglist && ms->client_info &&
+		if(r->taglist && (!ms->client_info ||
 			!taglist_intersect(r->taglist, r->taglistlen,
 			ms->client_info->taglist,
-			ms->client_info->taglen)) {
+			ms->client_info->taglen))) {
 			lock_rw_unlock(&a->lock);
 			continue;
 		}
diff --git a/testdata/rpz_cname_tag.rpl b/testdata/rpz_cname_tag.rpl
index a545ef18c..fb782b685 100644
--- a/testdata/rpz_cname_tag.rpl
+++ b/testdata/rpz_cname_tag.rpl
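Review bot: The corrected condition is right, but its rationale lives only in the commit message and the identical five-line expression is repeated verbatim in the rpz_callback_from_iterator_cname hunk that follows; both enclosing functions start and end outside their hunks. The removed form applied a tagged zone to every query that carried no client info at all, so the new `!ms->client_info ||` is what makes tagged zones fail closed (no tags, no match) — a comment saying so at the `if` would stop the next edit from re-introducing the old shortcut. Factoring the test into one static helper shared by both callbacks keeps the two sites from drifting apart again; each call site then reads `if(r->taglist && !rpz_client_tags_match(r, ms->client_info)) {`. The helper below assumes `r` is a `struct rpz*` and `ms->client_info` a `struct respip_client_info*`, which the hunk itself does not show.
```c
/* A zone with tags is consulted only for clients whose ACL tags
 * intersect it. A query without client info carries no tags, so it
 * never matches a tagged zone (the old check applied the zone instead). */
static int
rpz_client_tags_match(struct rpz* r, struct respip_client_info* ci)
{
	if(!ci)
		return 0;
	return taglist_intersect(r->taglist, r->taglistlen,
		ci->taglist, ci->taglen);
}

/* … unchanged: zone loop, lock and earlier continue checks … */
		if(r->taglist && !rpz_client_tags_match(r, ms->client_info)) {
			lock_rw_unlock(&a->lock);
			continue;
		}
```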
@@ -4,9 +4,11 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: no
 	access-control: 192.0.0.0/8 allow
+	access-control: 193.0.0.0/8 allow
 	define-tag: "internal server"
 	access-control-tag: 192.0.0.0/8 "internal"
 	access-control-tag: 127.0.0.0/8 "server"
+	; 193.0.0.0/8 has no tags
 
 	rpz:
 		name: "rpz.example.com."
@@ -34,6 +36,7 @@ g4b.target.a CNAME g4c.target.a.
 g4c.target.a A 1.2.3.64
 ; server for a.
 32.40.30.20.10.rpz-nsip A 1.2.3.68
+www.gotham5.a TXT "txt5"
 TEMPFILE_END
 
 stub-zone:
@@ -95,6 +98,16 @@ www.gotham4.a. IN A
 SECTION ANSWER
 www.gotham4.a. IN A 1.2.3.54
 ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.gotham5.a. IN TXT
+SECTION ANSWER
+www.gotham5.a. IN TXT "gotham5"
+ENTRY_END
 RANGE_END
 
 ; Test with zero rpz CNAMEs, no tag match for rpz answer.
@@ -247,4 +260,22 @@ g4b.target.a. CNAME g4c.target.a.
 g4c.target.a. A 1.2.3.64
 ENTRY_END
 
+; Test with zero rpz CNAMEs, no tags for the query, and so no rpz answer.
+STEP 90 QUERY ADDRESS 193.0.0.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham5.a. IN TXT
+ENTRY_END
+
+STEP 91 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.gotham5.a. IN TXT
+SECTION ANSWER
+www.gotham5.a. IN TXT "gotham5"
+ENTRY_END
+
 SCENARIO_END
-- 
2.47.2