From b6c7ea563f8c1c3c6753923a36e3e29c22f6b683 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Thu, 30 May 2024 12:11:30 +0200
Subject: [PATCH] - Fix #1079: tags from tagged rpz zones are no longer honored after upgrade from 1.19.3 to 1.20.0.

---
 doc/Changelog              |   4 +
 services/rpz.c             |  17 ++-
 testdata/rpz_cname_tag.rpl | 250 +++++++++++++++++++++++++++++++++++++
 3 files changed, 269 insertions(+), 2 deletions(-)
 create mode 100644 testdata/rpz_cname_tag.rpl

diff --git a/doc/Changelog b/doc/Changelog
index c86cfc801..eeb3f740e 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+30 May 2024: Wouter
+	- Fix #1079: tags from tagged rpz zones are no longer honored after
+	  upgrade from 1.19.3 to 1.20.0.
+
 29 May 2024: Wouter
 	- Merge #1078: Only check old pid if no username.
 
diff --git a/services/rpz.c b/services/rpz.c
index f036cc5fd..177d86e02 100644
--- a/services/rpz.c
+++ b/services/rpz.c
@@ -2435,11 +2435,10 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate*
 	if(ms->env == NULL || ms->env->auth_zones == NULL) {
 		return 0;
 	}
 	az = ms->env->auth_zones;
+	lock_rw_rdlock(&az->rpz_lock);
 	verbose(VERB_ALGO, "rpz: iterator module callback: have_rpz=%d",
 		az->rpz_first != NULL);
-	lock_rw_rdlock(&az->rpz_lock);
-
 	/* precedence of RPZ works, loosely, like this:
 	 * CNAMEs in order of the CNAME chain. rpzs in the order they are
 	 * configured. In an RPZ: first client-IP addr, then QNAME, then
@@ -2454,6 +2453,13 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate*
 			lock_rw_unlock(&a->lock);
 			continue;
 		}
+		if(r->taglist && ms->client_info &&
+			!taglist_intersect(r->taglist, r->taglistlen,
+				ms->client_info->taglist,
+				ms->client_info->taglen)) {
+			lock_rw_unlock(&a->lock);
+			continue;
+		}
 		/* the nsdname has precedence over the nsip triggers */
 		z = rpz_delegation_point_zone_lookup(is->dp, r->nsdname_zones,
@@ -2512,6 +2518,13 @@ struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* ms,
 			lock_rw_unlock(&a->lock);
 			continue;
 		}
+		if(r->taglist && ms->client_info &&
+			!taglist_intersect(r->taglist, r->taglistlen,
+				ms->client_info->taglist,
+				ms->client_info->taglen)) {
+			lock_rw_unlock(&a->lock);
+			continue;
+		}
 		z = rpz_find_zone(r->local_zones, is->qchase.qname,
 			is->qchase.qname_len, is->qchase.qclass, 0, 0, 0);
 		if(z && r->action_override == RPZ_DISABLED_ACTION) {
diff --git a/testdata/rpz_cname_tag.rpl b/testdata/rpz_cname_tag.rpl
new file mode 100644
index 000000000..a545ef18c
--- /dev/null
+++ b/testdata/rpz_cname_tag.rpl
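Review bot: The new guard `if(r->taglist && ms->client_info && ...)` skips the tag intersection entirely when `ms->client_info` is NULL, so a tagged RPZ is then applied to that query as though its tags matched, while a client that does carry non-intersecting tags is correctly bypassed. As far as I recall, the worker-request path hands a NULL taglist to taglist_intersect() in that situation and treats it as no match, so an untagged client (or a build in which client_info is not populated) would be policed by a tagged zone on this CNAME path but not on the initial lookup; please confirm which behaviour is intended. If a tagged RPZ should apply only to clients carrying one of its tags, evaluate the intersection unconditionally: `if(r->taglist && !taglist_intersect(r->taglist, r->taglistlen, ms->client_info?ms->client_info->taglist:NULL, ms->client_info?ms->client_info->taglen:0)) {`. The identical guard added to rpz_callback_from_iterator_module in the preceding hunk would need the same treatment; rpz_callback_from_iterator_cname begins before this hunk and continues after it.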
@@ -0,0 +1,250 @@
+; config options
+server:
+	module-config: "respip validator iterator"
+	target-fetch-policy: "0 0 0 0 0"
+	qname-minimisation: no
+	access-control: 192.0.0.0/8 allow
+	define-tag: "internal server"
+	access-control-tag: 192.0.0.0/8 "internal"
+	access-control-tag: 127.0.0.0/8 "server"
+
+rpz:
+	name: "rpz.example.com."
+	rpz-log: yes
+	rpz-log-name: "rpz.example.com"
+	tags: "internal"
+	zonefile:
+TEMPFILE_NAME rpz.example.com
+TEMPFILE_CONTENTS rpz.example.com
+$ORIGIN example.com.
+rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
+		1379078166 28800 7200 604800 7200 )
+	3600 IN NS ns1.rpz.example.com.
+	3600 IN NS ns2.rpz.example.com.
+$ORIGIN rpz.example.com.
+www.gotham.a A 1.2.3.61
+www.gotham2.a CNAME g2.target.a.
+g2.target.a A 1.2.3.62
+www.gotham3.a CNAME g3.target.a.
+g3.target.a CNAME g3b.target.a.
+g3b.target.a A 1.2.3.63
+www.gotham4.a CNAME g4.target.a.
+g4.target.a CNAME g4b.target.a.
+g4b.target.a CNAME g4c.target.a.
+g4c.target.a A 1.2.3.64
+; server for a.
+32.40.30.20.10.rpz-nsip A 1.2.3.68
+TEMPFILE_END
+
+stub-zone:
+	name: "a."
+	stub-addr: 10.20.30.40
+CONFIG_END
+
+SCENARIO_BEGIN Test RPZ handling of CNAMEs and tags.
+
+; a.
+RANGE_BEGIN 0 1000
+	ADDRESS 10.20.30.40
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+target.a. IN A
+SECTION ANSWER
+target.a. IN A 1.2.3.6
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.gotham.a. IN A
+SECTION ANSWER
+www.gotham.a. IN A 1.2.3.5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.gotham2.a. IN A
+SECTION ANSWER
+www.gotham2.a. IN A 1.2.3.52
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.gotham3.a. IN A
+SECTION ANSWER
+www.gotham3.a. IN A 1.2.3.53
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.gotham4.a. IN A
+SECTION ANSWER
+www.gotham4.a. IN A 1.2.3.54
+ENTRY_END
+RANGE_END
+
+; Test with zero rpz CNAMEs, no tag match for rpz answer.
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham.a. IN A
+ENTRY_END
+
+STEP 11 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.gotham.a. IN A
+SECTION ANSWER
+www.gotham.a. A 1.2.3.5
+ENTRY_END
+
+; Test with one rpz CNAME, no tag match for rpz answer.
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham2.a. IN A
+ENTRY_END
+
+STEP 21 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.gotham2.a. IN A
+SECTION ANSWER
+www.gotham2.a. A 1.2.3.52
+ENTRY_END
+
+; Test with two rpz CNAMEs, no tag match for rpz answer.
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham3.a. IN A
+ENTRY_END
+
+STEP 31 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.gotham3.a. IN A
+SECTION ANSWER
+www.gotham3.a. A 1.2.3.53
+ENTRY_END
+
+; Test with three rpz CNAMEs, no tag match for rpz answer.
+STEP 40 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham4.a. IN A
+ENTRY_END
+
+STEP 41 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.gotham4.a. IN A
+SECTION ANSWER
+www.gotham4.a. A 1.2.3.54
+ENTRY_END
+
+; Test with zero rpz CNAMEs, rpz answer. Tag "internal"
+STEP 50 QUERY ADDRESS 192.0.0.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham.a. IN A
+ENTRY_END
+
+STEP 51 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+www.gotham.a. IN A
+SECTION ANSWER
+www.gotham.a. A 1.2.3.61
+ENTRY_END
+
+; Test with one rpz CNAME, rpz answer. Tag "internal"
+STEP 60 QUERY ADDRESS 192.0.0.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham2.a. IN A
+ENTRY_END
+
+STEP 61 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+www.gotham2.a. IN A
+SECTION ANSWER
+www.gotham2.a. CNAME g2.target.a.
+g2.target.a. A 1.2.3.62
+ENTRY_END
+
+; Test with two rpz CNAMEs, rpz answer. Tag "internal"
+STEP 70 QUERY ADDRESS 192.0.0.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham3.a. IN A
+ENTRY_END
+
+STEP 71 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+www.gotham3.a. IN A
+SECTION ANSWER
+www.gotham3.a. CNAME g3.target.a.
+g3.target.a. CNAME g3b.target.a.
+g3b.target.a. A 1.2.3.63
+ENTRY_END
+
+; Test with three rpz CNAMEs, rpz answer. Tag "internal"
+STEP 80 QUERY ADDRESS 192.0.0.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham4.a. IN A
+ENTRY_END
+
+STEP 81 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+www.gotham4.a. IN A
+SECTION ANSWER
+www.gotham4.a. CNAME g4.target.a.
+g4.target.a. CNAME g4b.target.a.
+g4b.target.a. CNAME g4c.target.a.
+g4c.target.a. A 1.2.3.64
+ENTRY_END
+
+SCENARIO_END
-- 
2.47.2
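Review bot: Every client in this scenario carries a tag, so the "no tag match" steps 10–40 only demonstrate that a non-intersecting tag bypasses the tagged zone, not what happens to a client with no tags at all, which is the case the added `ms->client_info` test in rpz.c singles out; steps 10–40 send from the default address, presumably 127.0.0.1, which `access-control-tag: 127.0.0.0/8 "server"` tags as "server", and steps 50–80 use 192.0.0.1 tagged "internal". Consider adding an allowed untagged range, e.g. `access-control: 10.0.0.0/8 allow`, plus a query/check pair for `www.gotham2.a.` sent with `ADDRESS 10.0.0.1` that expects the upstream 1.2.3.52 answer, so the untagged-client behaviour on the CNAME path is pinned by the test rather than implied. The scenario also runs only with respip in module-config; if client_info depends on that module being loaded (I cannot tell from here), a variant without it would cover the plain-RPZ configuration the issue describes.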