From f9de1f7fd8e37ba91b8b4c85082b2f16c8890cba Mon Sep 17 00:00:00 2001
From: Otto <otto.moerbeek@open-xchange.com>
Date: Fri, 15 Oct 2021 12:07:29 +0200
Subject: [PATCH] Also moved setting of hit value to find functions mostly.

In a few cases (wildcard processing) the matched value is not the
hit as seen by the find function and an overide is needed.
---
 pdns/filterpo.cc                      | 14 +++++---------
 pdns/recursordist/test-filterpo_cc.cc |  3 +++
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/pdns/filterpo.cc b/pdns/filterpo.cc
index a1161745e9..fc9d916482 100644
--- a/pdns/filterpo.cc
+++ b/pdns/filterpo.cc
@@ -64,6 +64,7 @@ bool DNSFilterEngine::Zone::findNSIPPolicy(const ComboAddress& addr, DNSFilterEn
     pol = fnd->second;
     pol.d_trigger = Zone::maskToRPZ(fnd->first);
     pol.d_trigger.appendRawLabel(rpzNSIPName);
+    pol.d_hit = addr.toString();
     return true;
   }
   return false;
@@ -75,6 +76,7 @@ bool DNSFilterEngine::Zone::findResponsePolicy(const ComboAddress& addr, DNSFilt
     pol = fnd->second;
     pol.d_trigger = Zone::maskToRPZ(fnd->first);
     pol.d_trigger.appendRawLabel(rpzIPName);
+    pol.d_hit = addr.toString();
     return true;
   }
   return false;
@@ -86,6 +88,7 @@ bool DNSFilterEngine::Zone::findClientPolicy(const ComboAddress& addr, DNSFilter
     pol = fnd->second;
     pol.d_trigger = Zone::maskToRPZ(fnd->first);
     pol.d_trigger.appendRawLabel(rpzClientIPName);
+    pol.d_hit = addr.toString();
     return true;
   }
   return false;
@@ -190,13 +193,13 @@ bool DNSFilterEngine::getProcessingPolicy(const DNSName& qname, const std::unord
     }
     if (z->findExactNSPolicy(qname, pol)) {
       // cerr<<"Had a hit on the nameserver ("<<qname<<") used to process the query"<<endl;
-      pol.d_hit = qname.toStringNoDot();
       return true;
     }
 
     for (const auto& wc : wcNames) {
       if (z->findExactNSPolicy(wc, pol)) {
         // cerr<<"Had a hit on the nameserver ("<<qname<<") used to process the query"<<endl;
+        // Hit is not arg to findExactNSPolicy!
         pol.d_hit = qname.toStringNoDot();
         return true;
       }
@@ -222,7 +225,6 @@ bool DNSFilterEngine::getProcessingPolicy(const ComboAddress& address, const std
     Netmask key;
     if(z->findNSIPPolicy(address, pol)) {
       //      cerr<<"Had a hit on the nameserver ("<<address.toString()<<") used to process the query"<<endl;
-      pol.d_hit = address.toString();
       return true;
     }
   }
@@ -244,7 +246,6 @@ bool DNSFilterEngine::getClientPolicy(const ComboAddress& ca, const std::unorder
     Netmask key;
     if (z->findClientPolicy(ca, pol)) {
       // cerr<<"Had a hit on the IP address ("<<ca.toString()<<") of the client"<<endl;
-      pol.d_hit = ca.toString();
       return true;
     }
   }
@@ -301,15 +302,13 @@ bool DNSFilterEngine::getQueryPolicy(const DNSName& qname, const std::unordered_
 
     if (z->findExactQNamePolicy(qname, pol)) {
       // cerr<<"Had a hit on the name of the query"<<endl;
-      pol.d_trigger = qname;
-      pol.d_hit = qname.toStringNoDot();
       return true;
     }
 
     for (const auto& wc : wcNames) {
       if (z->findExactQNamePolicy(wc, pol)) {
         // cerr<<"Had a hit on the name of the query"<<endl;
-        pol.d_trigger = wc;
+        // Hit is not arg to findExactQNamePolicy!
         pol.d_hit = qname.toStringNoDot();
         return true;
       }
@@ -364,9 +363,6 @@ bool DNSFilterEngine::getPostPolicy(const DNSRecord& record, const std::unordere
 
     Netmask key;
     if (z->findResponsePolicy(ca, pol)) {
-      pol.d_trigger = Zone::maskToRPZ(key);
-      pol.d_trigger.appendRawLabel(rpzIPName);
-      pol.d_hit = ca.toString();
       return true;
     }
   }
diff --git a/pdns/recursordist/test-filterpo_cc.cc b/pdns/recursordist/test-filterpo_cc.cc
index 5cb8cfb2fe..9b0ff1fe19 100644
--- a/pdns/recursordist/test-filterpo_cc.cc
+++ b/pdns/recursordist/test-filterpo_cc.cc
@@ -115,6 +115,7 @@ BOOST_AUTO_TEST_CASE(test_filter_policies_basic)
     BOOST_CHECK(zone->findNSIPPolicy(nsIP, zonePolicy));
     BOOST_CHECK(zonePolicy == matchingPolicy);
     BOOST_CHECK_EQUAL(zonePolicy.d_trigger, DNSName("31.0.2.0.192.rpz-nsip"));
+    BOOST_CHECK_EQUAL(zonePolicy.d_hit, nsIP.toString());
   }
 
   {
@@ -173,6 +174,7 @@ BOOST_AUTO_TEST_CASE(test_filter_policies_basic)
     BOOST_CHECK(zone->findClientPolicy(clientIP, zonePolicy));
     BOOST_CHECK(zonePolicy == matchingPolicy);
     BOOST_CHECK_EQUAL(zonePolicy.d_trigger, DNSName("31.128.2.0.192.rpz-client-ip"));
+    BOOST_CHECK_EQUAL(zonePolicy.d_hit, clientIP.toString());
   }
 
   {
@@ -196,6 +198,7 @@ BOOST_AUTO_TEST_CASE(test_filter_policies_basic)
     BOOST_CHECK(zone->findResponsePolicy(responseIP, zonePolicy));
     BOOST_CHECK(zonePolicy == matchingPolicy);
     BOOST_CHECK_EQUAL(zonePolicy.d_trigger, DNSName("31.254.2.0.192.rpz-ip"));
+    BOOST_CHECK_EQUAL(zonePolicy.d_hit, responseIP.toString());
   }
 
   {
-- 
2.47.2