From 87743a9af17f16746c831560cd28048f3d1c5092 Mon Sep 17 00:00:00 2001
From: Otto Moerbeek <otto.moerbeek@open-xchange.com>
Date: Wed, 24 Jan 2024 17:24:45 +0100
Subject: [PATCH] Tidy filterpo.?? (reaching into iputils.hh as well).

---
 pdns/iputils.hh               |   6 +-
 pdns/recursordist/filterpo.cc | 289 +++++++++++++++++-----------------
 pdns/recursordist/filterpo.hh | 123 +++++++--------
 3 files changed, 205 insertions(+), 213 deletions(-)

diff --git a/pdns/iputils.hh b/pdns/iputils.hh
index 4ef0b8f764..55d641ae07 100644
--- a/pdns/iputils.hh
+++ b/pdns/iputils.hh
@@ -1187,13 +1187,13 @@ public:
   }
 
   //<! Returns "best match" for key_type, which might not be value
-  const node_type* lookup(const key_type& value) const {
+  [[nodiscard]] node_type* lookup(const key_type& value) const {
     uint8_t max_bits = value.getBits();
     return lookupImpl(value, max_bits);
   }
 
   //<! Perform best match lookup for value, using at most max_bits
-  const node_type* lookup(const ComboAddress& value, int max_bits = 128) const {
+  [[nodiscard]] node_type* lookup(const ComboAddress& value, int max_bits = 128) const {
     uint8_t addr_bits = value.getBits();
     if (max_bits < 0 || max_bits > addr_bits) {
       max_bits = addr_bits;
@@ -1297,7 +1297,7 @@ public:
 
 private:
 
-  const node_type* lookupImpl(const key_type& value, uint8_t max_bits) const {
+  [[nodiscard]] node_type* lookupImpl(const key_type& value, uint8_t max_bits) const {
     TreeNode *node = nullptr;
 
     if (value.isIPv4())
diff --git a/pdns/recursordist/filterpo.cc b/pdns/recursordist/filterpo.cc
index 66a29401ea..f73b95d54d 100644
--- a/pdns/recursordist/filterpo.cc
+++ b/pdns/recursordist/filterpo.cc
@@ -40,9 +40,7 @@ static const std::string rpzClientIPName("rpz-client-ip"),
   rpzNSDnameName("rpz-nsdname"),
   rpzNSIPName("rpz-nsip");
 
-DNSFilterEngine::DNSFilterEngine()
-{
-}
+DNSFilterEngine::DNSFilterEngine() = default;
 
 bool DNSFilterEngine::Zone::findExactQNamePolicy(const DNSName& qname, DNSFilterEngine::Policy& pol) const
 {
@@ -61,7 +59,7 @@ bool DNSFilterEngine::Zone::findExactNSPolicy(const DNSName& qname, DNSFilterEng
 
 bool DNSFilterEngine::Zone::findNSIPPolicy(const ComboAddress& addr, DNSFilterEngine::Policy& pol) const
 {
-  if (const auto fnd = d_propolNSAddr.lookup(addr)) {
+  if (const auto* fnd = d_propolNSAddr.lookup(addr)) {
     pol = fnd->second;
     pol.d_trigger = Zone::maskToRPZ(fnd->first);
     pol.d_trigger.appendRawLabel(rpzNSIPName);
@@ -73,7 +71,7 @@ bool DNSFilterEngine::Zone::findNSIPPolicy(const ComboAddress& addr, DNSFilterEn
 
 bool DNSFilterEngine::Zone::findResponsePolicy(const ComboAddress& addr, DNSFilterEngine::Policy& pol) const
 {
-  if (const auto fnd = d_postpolAddr.lookup(addr)) {
+  if (const auto* fnd = d_postpolAddr.lookup(addr)) {
     pol = fnd->second;
     pol.d_trigger = Zone::maskToRPZ(fnd->first);
     pol.d_trigger.appendRawLabel(rpzIPName);
@@ -85,7 +83,7 @@ bool DNSFilterEngine::Zone::findResponsePolicy(const ComboAddress& addr, DNSFilt
 
 bool DNSFilterEngine::Zone::findClientPolicy(const ComboAddress& addr, DNSFilterEngine::Policy& pol) const
 {
-  if (const auto fnd = d_qpolAddr.lookup(addr)) {
+  if (const auto* fnd = d_qpolAddr.lookup(addr)) {
     pol = fnd->second;
     pol.d_trigger = Zone::maskToRPZ(fnd->first);
     pol.d_trigger.appendRawLabel(rpzClientIPName);
@@ -116,9 +114,9 @@ bool DNSFilterEngine::Zone::findNamedPolicy(const std::unordered_map<DNSName, DN
     return true;
   }
 
-  DNSName s(qname);
-  while (s.chopOff()) {
-    iter = polmap.find(g_wildcarddnsname + s);
+  DNSName sub(qname);
+  while (sub.chopOff()) {
+    iter = polmap.find(g_wildcarddnsname + sub);
     if (iter != polmap.end()) {
       pol = iter->second;
       pol.d_trigger = iter->first;
@@ -135,9 +133,9 @@ bool DNSFilterEngine::Zone::findExactNamedPolicy(const std::unordered_map<DNSNam
     return false;
   }
 
-  const auto& it = polmap.find(qname);
-  if (it != polmap.end()) {
-    pol = it->second;
+  const auto iter = polmap.find(qname);
+  if (iter != polmap.end()) {
+    pol = iter->second;
     pol.d_trigger = qname;
     pol.d_hit = qname.toStringNoDot();
     return true;
@@ -152,17 +150,14 @@ bool DNSFilterEngine::getProcessingPolicy(const DNSName& qname, const std::unord
   std::vector<bool> zoneEnabled(d_zones.size());
   size_t count = 0;
   bool allEmpty = true;
-  for (const auto& z : d_zones) {
+  for (const auto& zone : d_zones) {
     bool enabled = true;
-    const auto& zoneName = z->getName();
-    if (z->getPriority() >= pol.getPriority()) {
-      enabled = false;
-    }
-    else if (discardedPolicies.find(zoneName) != discardedPolicies.end()) {
+    const auto& zoneName = zone->getName();
+    if (zone->getPriority() >= pol.getPriority() || discardedPolicies.find(zoneName) != discardedPolicies.end()) {
       enabled = false;
     }
     else {
-      if (z->hasNSPolicies()) {
+      if (zone->hasNSPolicies()) {
         allEmpty = false;
       }
       else {
@@ -181,24 +176,24 @@ bool DNSFilterEngine::getProcessingPolicy(const DNSName& qname, const std::unord
   /* prepare the wildcard-based names */
   std::vector<DNSName> wcNames;
   wcNames.reserve(qname.countLabels());
-  DNSName s(qname);
-  while (s.chopOff()) {
-    wcNames.emplace_back(g_wildcarddnsname + s);
+  DNSName sub(qname);
+  while (sub.chopOff()) {
+    wcNames.emplace_back(g_wildcarddnsname + sub);
   }
 
   count = 0;
-  for (const auto& z : d_zones) {
+  for (const auto& zone : d_zones) {
     if (!zoneEnabled[count]) {
       ++count;
       continue;
     }
-    if (z->findExactNSPolicy(qname, pol)) {
+    if (zone->findExactNSPolicy(qname, pol)) {
       // cerr<<"Had a hit on the nameserver ("<<qname<<") used to process the query"<<endl;
       return true;
     }
 
-    for (const auto& wc : wcNames) {
-      if (z->findExactNSPolicy(wc, pol)) {
+    for (const auto& wildcard : wcNames) {
+      if (zone->findExactNSPolicy(wildcard, pol)) {
         // cerr<<"Had a hit on the nameserver ("<<qname<<") used to process the query"<<endl;
         // Hit is not the wildcard passed to findExactQNamePolicy but the actual qname!
         pol.d_hit = qname.toStringNoDot();
@@ -214,16 +209,16 @@ bool DNSFilterEngine::getProcessingPolicy(const DNSName& qname, const std::unord
 bool DNSFilterEngine::getProcessingPolicy(const ComboAddress& address, const std::unordered_map<std::string, bool>& discardedPolicies, Policy& pol) const
 {
   //  cout<<"Got question for nameserver IP "<<address.toString()<<endl;
-  for (const auto& z : d_zones) {
-    if (z->getPriority() >= pol.getPriority()) {
+  for (const auto& zone : d_zones) {
+    if (zone->getPriority() >= pol.getPriority()) {
       break;
     }
-    const auto& zoneName = z->getName();
+    const auto& zoneName = zone->getName();
     if (discardedPolicies.find(zoneName) != discardedPolicies.end()) {
       continue;
     }
 
-    if (z->findNSIPPolicy(address, pol)) {
+    if (zone->findNSIPPolicy(address, pol)) {
       //      cerr<<"Had a hit on the nameserver ("<<address.toString()<<") used to process the query"<<endl;
       return true;
     }
@@ -231,19 +226,19 @@ bool DNSFilterEngine::getProcessingPolicy(const ComboAddress& address, const std
   return false;
 }
 
-bool DNSFilterEngine::getClientPolicy(const ComboAddress& ca, const std::unordered_map<std::string, bool>& discardedPolicies, Policy& pol) const
+bool DNSFilterEngine::getClientPolicy(const ComboAddress& address, const std::unordered_map<std::string, bool>& discardedPolicies, Policy& pol) const
 {
   // cout<<"Got question from "<<ca.toString()<<endl;
-  for (const auto& z : d_zones) {
-    if (z->getPriority() >= pol.getPriority()) {
+  for (const auto& zone : d_zones) {
+    if (zone->getPriority() >= pol.getPriority()) {
       break;
     }
-    const auto& zoneName = z->getName();
+    const auto& zoneName = zone->getName();
     if (discardedPolicies.find(zoneName) != discardedPolicies.end()) {
       continue;
     }
 
-    if (z->findClientPolicy(ca, pol)) {
+    if (zone->findClientPolicy(address, pol)) {
       // cerr<<"Had a hit on the IP address ("<<ca.toString()<<") of the client"<<endl;
       return true;
     }
@@ -257,18 +252,18 @@ bool DNSFilterEngine::getQueryPolicy(const DNSName& qname, const std::unordered_
   std::vector<bool> zoneEnabled(d_zones.size());
   size_t count = 0;
   bool allEmpty = true;
-  for (const auto& z : d_zones) {
+  for (const auto& zone : d_zones) {
     bool enabled = true;
-    if (z->getPriority() >= pol.getPriority()) {
+    if (zone->getPriority() >= pol.getPriority()) {
       enabled = false;
     }
     else {
-      const auto& zoneName = z->getName();
+      const auto& zoneName = zone->getName();
       if (discardedPolicies.find(zoneName) != discardedPolicies.end()) {
         enabled = false;
       }
       else {
-        if (z->hasQNamePolicies()) {
+        if (zone->hasQNamePolicies()) {
           allEmpty = false;
         }
         else {
@@ -288,25 +283,25 @@ bool DNSFilterEngine::getQueryPolicy(const DNSName& qname, const std::unordered_
   /* prepare the wildcard-based names */
   std::vector<DNSName> wcNames;
   wcNames.reserve(qname.countLabels());
-  DNSName s(qname);
-  while (s.chopOff()) {
-    wcNames.emplace_back(g_wildcarddnsname + s);
+  DNSName sub(qname);
+  while (sub.chopOff()) {
+    wcNames.emplace_back(g_wildcarddnsname + sub);
   }
 
   count = 0;
-  for (const auto& z : d_zones) {
+  for (const auto& zone : d_zones) {
     if (!zoneEnabled[count]) {
       ++count;
       continue;
     }
 
-    if (z->findExactQNamePolicy(qname, pol)) {
+    if (zone->findExactQNamePolicy(qname, pol)) {
       // cerr<<"Had a hit on the name of the query"<<endl;
       return true;
     }
 
-    for (const auto& wc : wcNames) {
-      if (z->findExactQNamePolicy(wc, pol)) {
+    for (const auto& wildcard : wcNames) {
+      if (zone->findExactQNamePolicy(wildcard, pol)) {
         // cerr<<"Had a hit on the name of the query"<<endl;
         // Hit is not the wildcard passed to findExactQNamePolicy but the actual qname!
         pol.d_hit = qname.toStringNoDot();
@@ -333,35 +328,35 @@ bool DNSFilterEngine::getPostPolicy(const vector<DNSRecord>& records, const std:
 
 bool DNSFilterEngine::getPostPolicy(const DNSRecord& record, const std::unordered_map<std::string, bool>& discardedPolicies, Policy& pol) const
 {
-  ComboAddress ca;
+  ComboAddress address;
   if (record.d_place != DNSResourceRecord::ANSWER) {
     return false;
   }
 
   if (record.d_type == QType::A) {
     if (auto rec = getRR<ARecordContent>(record)) {
-      ca = rec->getCA();
+      address = rec->getCA();
     }
   }
   else if (record.d_type == QType::AAAA) {
     if (auto rec = getRR<AAAARecordContent>(record)) {
-      ca = rec->getCA();
+      address = rec->getCA();
     }
   }
   else {
     return false;
   }
 
-  for (const auto& z : d_zones) {
-    if (z->getPriority() >= pol.getPriority()) {
+  for (const auto& zone : d_zones) {
+    if (zone->getPriority() >= pol.getPriority()) {
       break;
     }
-    const auto& zoneName = z->getName();
+    const auto& zoneName = zone->getName();
     if (discardedPolicies.find(zoneName) != discardedPolicies.end()) {
       return false;
     }
 
-    if (z->findResponsePolicy(ca, pol)) {
+    if (zone->findResponsePolicy(address, pol)) {
       return true;
     }
   }
@@ -371,16 +366,17 @@ bool DNSFilterEngine::getPostPolicy(const DNSRecord& record, const std::unordere
 
 void DNSFilterEngine::assureZones(size_t zone)
 {
-  if (d_zones.size() <= zone)
+  if (d_zones.size() <= zone) {
     d_zones.resize(zone + 1);
+  }
 }
 
 void DNSFilterEngine::Zone::addNameTrigger(std::unordered_map<DNSName, Policy>& map, const DNSName& n, Policy&& pol, bool ignoreDuplicate, PolicyType ptype)
 {
-  auto it = map.find(n);
+  auto iter = map.find(n);
 
-  if (it != map.end()) {
-    auto& existingPol = it->second;
+  if (iter != map.end()) {
+    auto& existingPol = iter->second;
 
     if (pol.d_kind != PolicyKind::Custom && !ignoreDuplicate) {
       if (d_zoneData->d_ignoreDuplicates) {
@@ -407,27 +403,25 @@ void DNSFilterEngine::Zone::addNameTrigger(std::unordered_map<DNSName, Policy>&
   }
 }
 
-void DNSFilterEngine::Zone::addNetmaskTrigger(NetmaskTree<Policy>& nmt, const Netmask& nm, Policy&& pol, bool ignoreDuplicate, PolicyType ptype)
+void DNSFilterEngine::Zone::addNetmaskTrigger(NetmaskTree<Policy>& nmt, const Netmask& netmask, Policy&& pol, bool ignoreDuplicate, PolicyType ptype)
 {
-  bool exists = nmt.has_key(nm);
+  bool exists = nmt.has_key(netmask);
 
   if (exists) {
-    // XXX NetMaskTree's node_type has a non-const second, but lookup() returns a const node_type *, so we cannot modify second
-    // Should look into making lookup) return a non-const node_type *...
-    auto& existingPol = const_cast<Policy&>(nmt.lookup(nm)->second);
+    auto& existingPol = nmt.lookup(netmask)->second;
 
     if (pol.d_kind != PolicyKind::Custom && !ignoreDuplicate) {
       if (d_zoneData->d_ignoreDuplicates) {
         return;
       }
-      throw std::runtime_error("Adding a " + getTypeToString(ptype) + "-based filter policy of kind " + getKindToString(pol.d_kind) + " but a policy of kind " + getKindToString(existingPol.d_kind) + " already exists for the following netmask: " + nm.toString());
+      throw std::runtime_error("Adding a " + getTypeToString(ptype) + "-based filter policy of kind " + getKindToString(pol.d_kind) + " but a policy of kind " + getKindToString(existingPol.d_kind) + " already exists for the following netmask: " + netmask.toString());
     }
 
     if (existingPol.d_kind != PolicyKind::Custom && !ignoreDuplicate) {
       if (d_zoneData->d_ignoreDuplicates) {
         return;
       }
-      throw std::runtime_error("Adding a " + getTypeToString(ptype) + "-based filter policy of kind " + getKindToString(pol.d_kind) + " but a policy of kind " + getKindToString(existingPol.d_kind) + " already exists for the following netmask: " + nm.toString());
+      throw std::runtime_error("Adding a " + getTypeToString(ptype) + "-based filter policy of kind " + getKindToString(pol.d_kind) + " but a policy of kind " + getKindToString(existingPol.d_kind) + " already exists for the following netmask: " + netmask.toString());
     }
 
     existingPol.d_custom.reserve(existingPol.d_custom.size() + pol.d_custom.size());
@@ -437,13 +431,13 @@ void DNSFilterEngine::Zone::addNetmaskTrigger(NetmaskTree<Policy>& nmt, const Ne
   else {
     pol.d_zoneData = d_zoneData;
     pol.d_type = ptype;
-    nmt.insert(nm).second = std::move(pol);
+    nmt.insert(netmask).second = std::move(pol);
   }
 }
 
-bool DNSFilterEngine::Zone::rmNameTrigger(std::unordered_map<DNSName, Policy>& map, const DNSName& n, const Policy& pol)
+bool DNSFilterEngine::Zone::rmNameTrigger(std::unordered_map<DNSName, Policy>& map, const DNSName& name, const Policy& pol)
 {
-  auto found = map.find(n);
+  auto found = map.find(name);
   if (found == map.end()) {
     return false;
   }
@@ -457,7 +451,7 @@ bool DNSFilterEngine::Zone::rmNameTrigger(std::unordered_map<DNSName, Policy>& m
   /* for custom types, we might have more than one type,
      and then we need to remove only the right ones. */
   bool result = false;
-  for (auto& toRemove : pol.d_custom) {
+  for (const auto& toRemove : pol.d_custom) {
     for (auto it = existing.d_custom.begin(); it != existing.d_custom.end(); ++it) {
       if (**it == *toRemove) {
         existing.d_custom.erase(it);
@@ -468,7 +462,7 @@ bool DNSFilterEngine::Zone::rmNameTrigger(std::unordered_map<DNSName, Policy>& m
   }
 
   // No records left for this trigger?
-  if (existing.d_custom.size() == 0) {
+  if (existing.d_custom.empty()) {
     map.erase(found);
     return true;
   }
@@ -476,18 +470,16 @@ bool DNSFilterEngine::Zone::rmNameTrigger(std::unordered_map<DNSName, Policy>& m
   return result;
 }
 
-bool DNSFilterEngine::Zone::rmNetmaskTrigger(NetmaskTree<Policy>& nmt, const Netmask& nm, const Policy& pol)
+bool DNSFilterEngine::Zone::rmNetmaskTrigger(NetmaskTree<Policy>& nmt, const Netmask& netmask, const Policy& pol)
 {
-  bool found = nmt.has_key(nm);
+  bool found = nmt.has_key(netmask);
   if (!found) {
     return false;
   }
 
-  // XXX NetMaskTree's node_type has a non-const second, but lookup() returns a const node_type *, so we cannot modify second
-  // Should look into making lookup) return a non-const node_type *...
-  auto& existing = const_cast<Policy&>(nmt.lookup(nm)->second);
+  auto& existing = nmt.lookup(netmask)->second;
   if (existing.d_kind != DNSFilterEngine::PolicyKind::Custom) {
-    nmt.erase(nm);
+    nmt.erase(netmask);
     return true;
   }
 
@@ -495,7 +487,7 @@ bool DNSFilterEngine::Zone::rmNetmaskTrigger(NetmaskTree<Policy>& nmt, const Net
      and then we need to remove only the right ones. */
 
   bool result = false;
-  for (auto& toRemove : pol.d_custom) {
+  for (const auto& toRemove : pol.d_custom) {
     for (auto it = existing.d_custom.begin(); it != existing.d_custom.end(); ++it) {
       if (**it == *toRemove) {
         existing.d_custom.erase(it);
@@ -506,62 +498,62 @@ bool DNSFilterEngine::Zone::rmNetmaskTrigger(NetmaskTree<Policy>& nmt, const Net
   }
 
   // No records left for this trigger?
-  if (existing.d_custom.size() == 0) {
-    nmt.erase(nm);
+  if (existing.d_custom.empty()) {
+    nmt.erase(netmask);
     return true;
   }
 
   return result;
 }
 
-void DNSFilterEngine::Zone::addClientTrigger(const Netmask& nm, Policy&& pol, bool ignoreDuplicate)
+void DNSFilterEngine::Zone::addClientTrigger(const Netmask& netmask, Policy&& pol, bool ignoreDuplicate)
 {
-  addNetmaskTrigger(d_qpolAddr, nm, std::move(pol), ignoreDuplicate, PolicyType::ClientIP);
+  addNetmaskTrigger(d_qpolAddr, netmask, std::move(pol), ignoreDuplicate, PolicyType::ClientIP);
 }
 
-void DNSFilterEngine::Zone::addResponseTrigger(const Netmask& nm, Policy&& pol, bool ignoreDuplicate)
+void DNSFilterEngine::Zone::addResponseTrigger(const Netmask& netmask, Policy&& pol, bool ignoreDuplicate)
 {
-  addNetmaskTrigger(d_postpolAddr, nm, std::move(pol), ignoreDuplicate, PolicyType::ResponseIP);
+  addNetmaskTrigger(d_postpolAddr, netmask, std::move(pol), ignoreDuplicate, PolicyType::ResponseIP);
 }
 
-void DNSFilterEngine::Zone::addQNameTrigger(const DNSName& n, Policy&& pol, bool ignoreDuplicate)
+void DNSFilterEngine::Zone::addQNameTrigger(const DNSName& dnsname, Policy&& pol, bool ignoreDuplicate)
 {
-  addNameTrigger(d_qpolName, n, std::move(pol), ignoreDuplicate, PolicyType::QName);
+  addNameTrigger(d_qpolName, dnsname, std::move(pol), ignoreDuplicate, PolicyType::QName);
 }
 
-void DNSFilterEngine::Zone::addNSTrigger(const DNSName& n, Policy&& pol, bool ignoreDuplicate)
+void DNSFilterEngine::Zone::addNSTrigger(const DNSName& dnsname, Policy&& pol, bool ignoreDuplicate)
 {
-  addNameTrigger(d_propolName, n, std::move(pol), ignoreDuplicate, PolicyType::NSDName);
+  addNameTrigger(d_propolName, dnsname, std::move(pol), ignoreDuplicate, PolicyType::NSDName);
 }
 
-void DNSFilterEngine::Zone::addNSIPTrigger(const Netmask& nm, Policy&& pol, bool ignoreDuplicate)
+void DNSFilterEngine::Zone::addNSIPTrigger(const Netmask& netmask, Policy&& pol, bool ignoreDuplicate)
 {
-  addNetmaskTrigger(d_propolNSAddr, nm, std::move(pol), ignoreDuplicate, PolicyType::NSIP);
+  addNetmaskTrigger(d_propolNSAddr, netmask, std::move(pol), ignoreDuplicate, PolicyType::NSIP);
 }
 
-bool DNSFilterEngine::Zone::rmClientTrigger(const Netmask& nm, const Policy& pol)
+bool DNSFilterEngine::Zone::rmClientTrigger(const Netmask& netmask, const Policy& pol)
 {
-  return rmNetmaskTrigger(d_qpolAddr, nm, pol);
+  return rmNetmaskTrigger(d_qpolAddr, netmask, pol);
 }
 
-bool DNSFilterEngine::Zone::rmResponseTrigger(const Netmask& nm, const Policy& pol)
+bool DNSFilterEngine::Zone::rmResponseTrigger(const Netmask& netmask, const Policy& pol)
 {
-  return rmNetmaskTrigger(d_postpolAddr, nm, pol);
+  return rmNetmaskTrigger(d_postpolAddr, netmask, pol);
 }
 
-bool DNSFilterEngine::Zone::rmQNameTrigger(const DNSName& n, const Policy& pol)
+bool DNSFilterEngine::Zone::rmQNameTrigger(const DNSName& dnsname, const Policy& pol)
 {
-  return rmNameTrigger(d_qpolName, n, pol);
+  return rmNameTrigger(d_qpolName, dnsname, pol);
 }
 
-bool DNSFilterEngine::Zone::rmNSTrigger(const DNSName& n, const Policy& pol)
+bool DNSFilterEngine::Zone::rmNSTrigger(const DNSName& dnsname, const Policy& pol)
 {
-  return rmNameTrigger(d_propolName, n, pol);
+  return rmNameTrigger(d_propolName, dnsname, pol);
 }
 
-bool DNSFilterEngine::Zone::rmNSIPTrigger(const Netmask& nm, const Policy& pol)
+bool DNSFilterEngine::Zone::rmNSIPTrigger(const Netmask& netmask, const Policy& pol)
 {
-  return rmNetmaskTrigger(d_propolNSAddr, nm, pol);
+  return rmNetmaskTrigger(d_propolNSAddr, netmask, pol);
 }
 
 std::string DNSFilterEngine::Policy::getLogString() const
@@ -578,26 +570,26 @@ void DNSFilterEngine::Policy::info(Logr::Priority prio, const std::shared_ptr<Lo
 
 DNSRecord DNSFilterEngine::Policy::getRecordFromCustom(const DNSName& qname, const std::shared_ptr<const DNSRecordContent>& custom) const
 {
-  DNSRecord dr;
-  dr.d_name = qname;
-  dr.d_type = custom->getType();
-  dr.d_ttl = d_ttl;
-  dr.d_class = QClass::IN;
-  dr.d_place = DNSResourceRecord::ANSWER;
-  dr.setContent(custom);
+  DNSRecord dnsrecord;
+  dnsrecord.d_name = qname;
+  dnsrecord.d_type = custom->getType();
+  dnsrecord.d_ttl = d_ttl;
+  dnsrecord.d_class = QClass::IN;
+  dnsrecord.d_place = DNSResourceRecord::ANSWER;
+  dnsrecord.setContent(custom);
 
-  if (dr.d_type == QType::CNAME) {
+  if (dnsrecord.d_type == QType::CNAME) {
     const auto content = std::dynamic_pointer_cast<const CNAMERecordContent>(custom);
     if (content) {
       DNSName target = content->getTarget();
       if (target.isWildcard()) {
         target.chopOff();
-        dr.setContent(std::make_shared<CNAMERecordContent>(qname + target));
+        dnsrecord.setContent(std::make_shared<CNAMERecordContent>(qname + target));
       }
     }
   }
 
-  return dr;
+  return dnsrecord;
 }
 
 std::vector<DNSRecord> DNSFilterEngine::Policy::getCustomRecords(const DNSName& qname, uint16_t qtype) const
@@ -613,21 +605,21 @@ std::vector<DNSRecord> DNSFilterEngine::Policy::getCustomRecords(const DNSName&
       continue;
     }
 
-    DNSRecord dr;
-    dr.d_name = qname;
-    dr.d_type = custom->getType();
-    dr.d_ttl = d_ttl;
-    dr.d_class = QClass::IN;
-    dr.d_place = DNSResourceRecord::ANSWER;
-    dr.setContent(custom);
+    DNSRecord dnsrecord;
+    dnsrecord.d_name = qname;
+    dnsrecord.d_type = custom->getType();
+    dnsrecord.d_ttl = d_ttl;
+    dnsrecord.d_class = QClass::IN;
+    dnsrecord.d_place = DNSResourceRecord::ANSWER;
+    dnsrecord.setContent(custom);
 
-    if (dr.d_type == QType::CNAME) {
+    if (dnsrecord.d_type == QType::CNAME) {
       const auto content = std::dynamic_pointer_cast<const CNAMERecordContent>(custom);
       if (content) {
         DNSName target = content->getTarget();
         if (target.isWildcard()) {
           target.chopOff();
-          dr.setContent(std::make_shared<CNAMERecordContent>(qname + target));
+          dnsrecord.setContent(std::make_shared<CNAMERecordContent>(qname + target));
         }
       }
     }
@@ -688,41 +680,41 @@ std::vector<DNSRecord> DNSFilterEngine::Policy::getRecords(const DNSName& qname)
     result = getCustomRecords(qname, QType::ANY);
   }
   else {
-    DNSRecord dr;
-    dr.d_name = qname;
-    dr.d_ttl = static_cast<uint32_t>(d_ttl);
-    dr.d_type = QType::CNAME;
-    dr.d_class = QClass::IN;
-    dr.setContent(DNSRecordContent::make(QType::CNAME, QClass::IN, getKindToString(d_kind)));
-    result.push_back(std::move(dr));
+    DNSRecord dnsrecord;
+    dnsrecord.d_name = qname;
+    dnsrecord.d_ttl = static_cast<uint32_t>(d_ttl);
+    dnsrecord.d_type = QType::CNAME;
+    dnsrecord.d_class = QClass::IN;
+    dnsrecord.setContent(DNSRecordContent::make(QType::CNAME, QClass::IN, getKindToString(d_kind)));
+    result.push_back(std::move(dnsrecord));
   }
 
   return result;
 }
 
-void DNSFilterEngine::Zone::dumpNamedPolicy(FILE* fp, const DNSName& name, const Policy& pol)
+void DNSFilterEngine::Zone::dumpNamedPolicy(FILE* filePtr, const DNSName& name, const Policy& pol)
 {
   auto records = pol.getRecords(name);
-  for (const auto& dr : records) {
-    fprintf(fp, "%s %" PRIu32 " IN %s %s\n", dr.d_name.toString().c_str(), dr.d_ttl, QType(dr.d_type).toString().c_str(), dr.getContent()->getZoneRepresentation().c_str());
+  for (const auto& record : records) {
+    fprintf(filePtr, "%s %" PRIu32 " IN %s %s\n", record.d_name.toString().c_str(), record.d_ttl, QType(record.d_type).toString().c_str(), record.getContent()->getZoneRepresentation().c_str());
   }
 }
 
-DNSName DNSFilterEngine::Zone::maskToRPZ(const Netmask& nm)
+DNSName DNSFilterEngine::Zone::maskToRPZ(const Netmask& netmask)
 {
-  int bits = nm.getBits();
+  int bits = netmask.getBits();
   DNSName res(std::to_string(bits));
-  const auto& addr = nm.getNetwork();
+  const auto& addr = netmask.getNetwork();
 
   if (addr.isIPv4()) {
-    const uint8_t* bytes = reinterpret_cast<const uint8_t*>(&addr.sin4.sin_addr.s_addr);
-    res += DNSName(std::to_string(bytes[3]) + "." + std::to_string(bytes[2]) + "." + std::to_string(bytes[1]) + "." + std::to_string(bytes[0]));
+    const auto* bytes = reinterpret_cast<const uint8_t*>(&addr.sin4.sin_addr.s_addr); // NOLINT(cppcoreguidelines-pro-type-reinterpret-cast)
+    res += DNSName(std::to_string(bytes[3]) + "." + std::to_string(bytes[2]) + "." + std::to_string(bytes[1]) + "." + std::to_string(bytes[0])); // NOLINT(cppcoreguidelines-pro-bounds-pointer-arithmetic)
   }
   else {
     DNSName temp;
     static_assert(sizeof(addr.sin6.sin6_addr.s6_addr) == sizeof(uint16_t) * 8);
-    auto src = reinterpret_cast<const uint16_t*>(&addr.sin6.sin6_addr.s6_addr);
-    std::array<uint16_t, 8> elems;
+    const auto* src = reinterpret_cast<const uint16_t*>(&addr.sin6.sin6_addr.s6_addr); // NOLINT(cppcoreguidelines-pro-type-reinterpret-cast)
+    std::array<uint16_t, 8> elems{};
 
     // this routine was adopted from libc's inet_ntop6, written by Paul Vixie
     // because the RPZ spec (https://datatracker.ietf.org/doc/html/draft-vixie-dnsop-dns-rpz-00#section-4.1.1) says:
@@ -740,9 +732,10 @@ DNSName DNSFilterEngine::Zone::maskToRPZ(const Netmask& nm)
       int base, len;
     } best = {-1, 0}, cur = {-1, 0};
 
-    for (int i = 0; i < (int)elems.size(); i++) {
-      elems[i] = ntohs(src[i]);
-      if (elems[i] == 0) {
+    const int size = elems.size();
+    for (int i = 0; i < size; i++) {
+      elems.at(i) = ntohs(src[i]); // NOLINT(cppcoreguidelines-pro-bounds-pointer-arithmetic)
+      if (elems.at(i) == 0) {
         if (cur.base == -1) { // start of a run of zeroes
           cur = {i, 1};
         }
@@ -784,41 +777,41 @@ DNSName DNSFilterEngine::Zone::maskToRPZ(const Netmask& nm)
   return res;
 }
 
-void DNSFilterEngine::Zone::dumpAddrPolicy(FILE* fp, const Netmask& nm, const DNSName& name, const Policy& pol)
+void DNSFilterEngine::Zone::dumpAddrPolicy(FILE* filePtr, const Netmask& netmask, const DNSName& name, const Policy& pol)
 {
-  DNSName full = maskToRPZ(nm);
+  DNSName full = maskToRPZ(netmask);
   full += name;
 
   auto records = pol.getRecords(full);
-  for (const auto& dr : records) {
-    fprintf(fp, "%s %" PRIu32 " IN %s %s\n", dr.d_name.toString().c_str(), dr.d_ttl, QType(dr.d_type).toString().c_str(), dr.getContent()->getZoneRepresentation().c_str());
+  for (const auto& record : records) {
+    fprintf(filePtr, "%s %" PRIu32 " IN %s %s\n", record.d_name.toString().c_str(), record.d_ttl, QType(record.d_type).toString().c_str(), record.getContent()->getZoneRepresentation().c_str());
   }
 }
 
-void DNSFilterEngine::Zone::dump(FILE* fp) const
+void DNSFilterEngine::Zone::dump(FILE* filePtr) const
 {
   /* fake the SOA record */
   auto soa = DNSRecordContent::make(QType::SOA, QClass::IN, "fake.RPZ. hostmaster.fake.RPZ. " + std::to_string(d_serial) + " " + std::to_string(d_refresh) + " 600 3600000 604800");
-  fprintf(fp, "%s IN SOA %s\n", d_domain.toString().c_str(), soa->getZoneRepresentation().c_str());
+  fprintf(filePtr, "%s IN SOA %s\n", d_domain.toString().c_str(), soa->getZoneRepresentation().c_str());
 
   for (const auto& pair : d_qpolName) {
-    dumpNamedPolicy(fp, pair.first + d_domain, pair.second);
+    dumpNamedPolicy(filePtr, pair.first + d_domain, pair.second);
   }
 
   for (const auto& pair : d_propolName) {
-    dumpNamedPolicy(fp, pair.first + DNSName(rpzNSDnameName) + d_domain, pair.second);
+    dumpNamedPolicy(filePtr, pair.first + DNSName(rpzNSDnameName) + d_domain, pair.second);
   }
 
   for (const auto& pair : d_qpolAddr) {
-    dumpAddrPolicy(fp, pair.first, DNSName(rpzClientIPName) + d_domain, pair.second);
+    dumpAddrPolicy(filePtr, pair.first, DNSName(rpzClientIPName) + d_domain, pair.second);
   }
 
   for (const auto& pair : d_propolNSAddr) {
-    dumpAddrPolicy(fp, pair.first, DNSName(rpzNSIPName) + d_domain, pair.second);
+    dumpAddrPolicy(filePtr, pair.first, DNSName(rpzNSIPName) + d_domain, pair.second);
   }
 
   for (const auto& pair : d_postpolAddr) {
-    dumpAddrPolicy(fp, pair.first, DNSName(rpzIPName) + d_domain, pair.second);
+    dumpAddrPolicy(filePtr, pair.first, DNSName(rpzIPName) + d_domain, pair.second);
   }
 }
 
diff --git a/pdns/recursordist/filterpo.hh b/pdns/recursordist/filterpo.hh
index 6c427ea730..7d20b7a387 100644
--- a/pdns/recursordist/filterpo.hh
+++ b/pdns/recursordist/filterpo.hh
@@ -85,7 +85,7 @@ public:
     NSDName,
     NSIP
   };
-  typedef uint16_t Priority;
+  using Priority = uint16_t;
   static const Priority maximumPriority = std::numeric_limits<Priority>::max();
 
   static std::string getKindToString(PolicyKind kind);
@@ -113,7 +113,7 @@ public:
     }
 
     Policy(PolicyKind kind, PolicyType type, int32_t ttl = 0, std::shared_ptr<PolicyZoneData> data = nullptr, const std::vector<std::shared_ptr<const DNSRecordContent>>& custom = {}) :
-      d_custom(custom), d_zoneData(data), d_ttl(ttl), d_kind(kind), d_type(type)
+      d_custom(custom), d_zoneData(std::move(data)), d_ttl(ttl), d_kind(kind), d_type(type)
     {
     }
 
@@ -122,7 +122,7 @@ public:
       return d_kind == rhs.d_kind && d_type == rhs.d_type && d_ttl == rhs.d_ttl && d_custom == rhs.d_custom;
     }
 
-    const std::string& getName() const
+    [[nodiscard]] const std::string& getName() const
     {
       static const std::string notSet;
       if (d_zoneData) {
@@ -146,7 +146,7 @@ public:
       d_zoneData = std::move(newZoneData);
     }
 
-    const std::unordered_set<std::string>& getTags() const
+    [[nodiscard]] const std::unordered_set<std::string>& getTags() const
     {
       static const std::unordered_set<std::string> notSet;
       if (d_zoneData) {
@@ -155,7 +155,7 @@ public:
       return notSet;
     }
 
-    Priority getPriority() const
+    [[nodiscard]] Priority getPriority() const
     {
       static Priority notSet = maximumPriority;
       if (d_zoneData) {
@@ -164,7 +164,7 @@ public:
       return notSet;
     }
 
-    bool policyOverridesGettag() const
+    [[nodiscard]] bool policyOverridesGettag() const
     {
       if (d_zoneData) {
         return d_zoneData->d_policyOverridesGettag;
@@ -189,15 +189,15 @@ public:
       return false;
     }
 
-    bool wasHit() const
+    [[nodiscard]] bool wasHit() const
     {
       return (d_type != DNSFilterEngine::PolicyType::None && d_kind != DNSFilterEngine::PolicyKind::NoAction);
     }
 
-    std::string getLogString() const;
+    [[nodiscard]] std::string getLogString() const;
     void info(Logr::Priority prio, const std::shared_ptr<Logr::Logger>& log) const;
-    std::vector<DNSRecord> getCustomRecords(const DNSName& qname, uint16_t qtype) const;
-    std::vector<DNSRecord> getRecords(const DNSName& qname) const;
+    [[nodiscard]] std::vector<DNSRecord> getCustomRecords(const DNSName& qname, uint16_t qtype) const;
+    [[nodiscard]] std::vector<DNSRecord> getRecords(const DNSName& qname) const;
 
     std::vector<std::shared_ptr<const DNSRecordContent>> d_custom;
     std::shared_ptr<PolicyZoneData> d_zoneData{nullptr};
@@ -218,7 +218,7 @@ public:
     }
 
   private:
-    DNSRecord getRecordFromCustom(const DNSName& qname, const std::shared_ptr<const DNSRecordContent>& custom) const;
+    [[nodiscard]] DNSRecord getRecordFromCustom(const DNSName& qname, const std::shared_ptr<const DNSRecordContent>& custom) const;
   };
 
   class Zone
@@ -277,27 +277,27 @@ public:
     {
       d_zoneData->d_soa = std::move(soa);
     }
-    const std::string& getName() const
+    [[nodiscard]] const std::string& getName() const
     {
       return d_zoneData->d_name;
     }
 
-    DNSName getDomain() const
+    [[nodiscard]] DNSName getDomain() const
     {
       return d_domain;
     }
 
-    uint32_t getRefresh() const
+    [[nodiscard]] uint32_t getRefresh() const
     {
       return d_refresh;
     }
 
-    uint32_t getSerial() const
+    [[nodiscard]] uint32_t getSerial() const
     {
       return d_serial;
     }
 
-    size_t size() const
+    [[nodiscard]] size_t size() const
     {
       return d_qpolAddr.size() + d_postpolAddr.size() + d_propolName.size() + d_propolNSAddr.size() + d_qpolName.size();
     }
@@ -312,19 +312,19 @@ public:
       d_zoneData->d_ignoreDuplicates = flag;
     }
 
-    void dump(FILE* fp) const;
+    void dump(FILE* filePtr) const;
 
-    void addClientTrigger(const Netmask& nm, Policy&& pol, bool ignoreDuplicate = false);
-    void addQNameTrigger(const DNSName& nm, Policy&& pol, bool ignoreDuplicate = false);
-    void addNSTrigger(const DNSName& dn, Policy&& pol, bool ignoreDuplicate = false);
-    void addNSIPTrigger(const Netmask& nm, Policy&& pol, bool ignoreDuplicate = false);
-    void addResponseTrigger(const Netmask& nm, Policy&& pol, bool ignoreDuplicate = false);
+    void addClientTrigger(const Netmask& netmask, Policy&& pol, bool ignoreDuplicate = false);
+    void addQNameTrigger(const DNSName& dnsname, Policy&& pol, bool ignoreDuplicate = false);
+    void addNSTrigger(const DNSName& dnsname, Policy&& pol, bool ignoreDuplicate = false);
+    void addNSIPTrigger(const Netmask& netmask, Policy&& pol, bool ignoreDuplicate = false);
+    void addResponseTrigger(const Netmask& netmask, Policy&& pol, bool ignoreDuplicate = false);
 
-    bool rmClientTrigger(const Netmask& nm, const Policy& pol);
-    bool rmQNameTrigger(const DNSName& nm, const Policy& pol);
-    bool rmNSTrigger(const DNSName& dn, const Policy& pol);
-    bool rmNSIPTrigger(const Netmask& nm, const Policy& pol);
-    bool rmResponseTrigger(const Netmask& nm, const Policy& pol);
+    bool rmClientTrigger(const Netmask& netmask, const Policy& pol);
+    bool rmQNameTrigger(const DNSName& dnsname, const Policy& pol);
+    bool rmNSTrigger(const DNSName& dnsname, const Policy& pol);
+    bool rmNSIPTrigger(const Netmask& netmask, const Policy& pol);
+    bool rmResponseTrigger(const Netmask& netmask, const Policy& pol);
 
     bool findExactQNamePolicy(const DNSName& qname, DNSFilterEngine::Policy& pol) const;
     bool findExactNSPolicy(const DNSName& qname, DNSFilterEngine::Policy& pol) const;
@@ -332,48 +332,47 @@ public:
     bool findResponsePolicy(const ComboAddress& addr, DNSFilterEngine::Policy& pol) const;
     bool findClientPolicy(const ComboAddress& addr, DNSFilterEngine::Policy& pol) const;
 
-    bool hasClientPolicies() const
+    [[nodiscard]] bool hasClientPolicies() const
     {
       return !d_qpolAddr.empty();
     }
-    bool hasQNamePolicies() const
+    [[nodiscard]] bool hasQNamePolicies() const
     {
       return !d_qpolName.empty();
     }
-    bool hasNSPolicies() const
+    [[nodiscard]] bool hasNSPolicies() const
     {
       return !d_propolName.empty();
     }
-    bool hasNSIPPolicies() const
+    [[nodiscard]] bool hasNSIPPolicies() const
     {
       return !d_propolNSAddr.empty();
     }
-    bool hasResponsePolicies() const
+    [[nodiscard]] bool hasResponsePolicies() const
     {
       return !d_postpolAddr.empty();
     }
-    Priority getPriority() const
+    [[nodiscard]] Priority getPriority() const
     {
       return d_zoneData->d_priority;
     }
-    void setPriority(Priority p)
+    void setPriority(Priority priority)
     {
-      d_zoneData->d_priority = p;
+      d_zoneData->d_priority = priority;
     }
 
-    static DNSName maskToRPZ(const Netmask& nm);
+    static DNSName maskToRPZ(const Netmask& netmask);
 
   private:
     void addNameTrigger(std::unordered_map<DNSName, Policy>& map, const DNSName& n, Policy&& pol, bool ignoreDuplicate, PolicyType ptype);
-    void addNetmaskTrigger(NetmaskTree<Policy>& nmt, const Netmask& nm, Policy&& pol, bool ignoreDuplicate, PolicyType ptype);
-    bool rmNameTrigger(std::unordered_map<DNSName, Policy>& map, const DNSName& n, const Policy& pol);
-    bool rmNetmaskTrigger(NetmaskTree<Policy>& nmt, const Netmask& nm, const Policy& pol);
+    void addNetmaskTrigger(NetmaskTree<Policy>& nmt, const Netmask& netmask, Policy&& pol, bool ignoreDuplicate, PolicyType ptype);
+    static bool rmNameTrigger(std::unordered_map<DNSName, Policy>& map, const DNSName& n, const Policy& pol);
+    static bool rmNetmaskTrigger(NetmaskTree<Policy>& nmt, const Netmask& netmask, const Policy& pol);
 
-  private:
     static bool findExactNamedPolicy(const std::unordered_map<DNSName, DNSFilterEngine::Policy>& polmap, const DNSName& qname, DNSFilterEngine::Policy& pol);
     static bool findNamedPolicy(const std::unordered_map<DNSName, DNSFilterEngine::Policy>& polmap, const DNSName& qname, DNSFilterEngine::Policy& pol);
-    static void dumpNamedPolicy(FILE* fp, const DNSName& name, const Policy& pol);
-    static void dumpAddrPolicy(FILE* fp, const Netmask& nm, const DNSName& name, const Policy& pol);
+    static void dumpNamedPolicy(FILE* filePtr, const DNSName& name, const Policy& pol);
+    static void dumpAddrPolicy(FILE* filePtr, const Netmask& netmask, const DNSName& name, const Policy& pol);
 
     std::unordered_map<DNSName, Policy> d_qpolName; // QNAME trigger (RPZ)
     NetmaskTree<Policy> d_qpolAddr; // Source address
@@ -389,15 +388,15 @@ public:
   DNSFilterEngine();
   void clear()
   {
-    for (auto& z : d_zones) {
-      z->clear();
+    for (auto& zone : d_zones) {
+      zone->clear();
     }
   }
   void clearZones()
   {
     d_zones.clear();
   }
-  const std::shared_ptr<Zone> getZone(size_t zoneIdx) const
+  [[nodiscard]] std::shared_ptr<Zone> getZone(size_t zoneIdx) const
   {
     std::shared_ptr<Zone> result{nullptr};
     if (zoneIdx < d_zones.size()) {
@@ -405,7 +404,7 @@ public:
     }
     return result;
   }
-  const std::shared_ptr<Zone> getZone(const std::string& name) const
+  [[nodiscard]] std::shared_ptr<Zone> getZone(const std::string& name) const
   {
     for (const auto& zone : d_zones) {
       const auto& zName = zone->getName();
@@ -415,75 +414,75 @@ public:
     }
     return nullptr;
   }
-  size_t addZone(std::shared_ptr<Zone> newZone)
+  size_t addZone(const std::shared_ptr<Zone>& newZone)
   {
     newZone->setPriority(d_zones.size());
     d_zones.push_back(newZone);
     return (d_zones.size() - 1);
   }
-  void setZone(size_t zoneIdx, std::shared_ptr<Zone> newZone)
+  void setZone(size_t zoneIdx, const std::shared_ptr<Zone>& newZone)
   {
     if (newZone) {
       assureZones(zoneIdx);
       newZone->setPriority(zoneIdx);
-      d_zones[zoneIdx] = std::move(newZone);
+      d_zones[zoneIdx] = newZone;
     }
   }
 
   bool getQueryPolicy(const DNSName& qname, const std::unordered_map<std::string, bool>& discardedPolicies, Policy& policy) const;
-  bool getClientPolicy(const ComboAddress& ca, const std::unordered_map<std::string, bool>& discardedPolicies, Policy& policy) const;
+  bool getClientPolicy(const ComboAddress& address, const std::unordered_map<std::string, bool>& discardedPolicies, Policy& policy) const;
   bool getProcessingPolicy(const DNSName& qname, const std::unordered_map<std::string, bool>& discardedPolicies, Policy& policy) const;
   bool getProcessingPolicy(const ComboAddress& address, const std::unordered_map<std::string, bool>& discardedPolicies, Policy& policy) const;
   bool getPostPolicy(const vector<DNSRecord>& records, const std::unordered_map<std::string, bool>& discardedPolicies, Policy& policy) const;
   bool getPostPolicy(const DNSRecord& record, const std::unordered_map<std::string, bool>& discardedPolicies, Policy& policy) const;
 
   // A few convenience methods for the unit test code
-  Policy getQueryPolicy(const DNSName& qname, const std::unordered_map<std::string, bool>& discardedPolicies, Priority p) const
+  [[nodiscard]] Policy getQueryPolicy(const DNSName& qname, const std::unordered_map<std::string, bool>& discardedPolicies, Priority priority) const
   {
     Policy policy;
     policy.d_zoneData = std::make_shared<PolicyZoneData>();
-    policy.d_zoneData->d_priority = p;
+    policy.d_zoneData->d_priority = priority;
     getQueryPolicy(qname, discardedPolicies, policy);
     return policy;
   }
 
-  Policy getClientPolicy(const ComboAddress& ca, const std::unordered_map<std::string, bool>& discardedPolicies, Priority p) const
+  [[nodiscard]] Policy getClientPolicy(const ComboAddress& address, const std::unordered_map<std::string, bool>& discardedPolicies, Priority priority) const
   {
     Policy policy;
     policy.d_zoneData = std::make_shared<PolicyZoneData>();
-    policy.d_zoneData->d_priority = p;
-    getClientPolicy(ca, discardedPolicies, policy);
+    policy.d_zoneData->d_priority = priority;
+    getClientPolicy(address, discardedPolicies, policy);
     return policy;
   }
 
-  Policy getProcessingPolicy(const DNSName& qname, const std::unordered_map<std::string, bool>& discardedPolicies, Priority p) const
+  [[nodiscard]] Policy getProcessingPolicy(const DNSName& qname, const std::unordered_map<std::string, bool>& discardedPolicies, Priority priority) const
   {
     Policy policy;
     policy.d_zoneData = std::make_shared<PolicyZoneData>();
-    policy.d_zoneData->d_priority = p;
+    policy.d_zoneData->d_priority = priority;
     getProcessingPolicy(qname, discardedPolicies, policy);
     return policy;
   }
 
-  Policy getProcessingPolicy(const ComboAddress& address, const std::unordered_map<std::string, bool>& discardedPolicies, Priority p) const
+  [[nodiscard]] Policy getProcessingPolicy(const ComboAddress& address, const std::unordered_map<std::string, bool>& discardedPolicies, Priority priority) const
   {
     Policy policy;
     policy.d_zoneData = std::make_shared<PolicyZoneData>();
-    policy.d_zoneData->d_priority = p;
+    policy.d_zoneData->d_priority = priority;
     getProcessingPolicy(address, discardedPolicies, policy);
     return policy;
   }
 
-  Policy getPostPolicy(const vector<DNSRecord>& records, const std::unordered_map<std::string, bool>& discardedPolicies, Priority p) const
+  [[nodiscard]] Policy getPostPolicy(const vector<DNSRecord>& records, const std::unordered_map<std::string, bool>& discardedPolicies, Priority priority) const
   {
     Policy policy;
     policy.d_zoneData = std::make_shared<PolicyZoneData>();
-    policy.d_zoneData->d_priority = p;
+    policy.d_zoneData->d_priority = priority;
     getPostPolicy(records, discardedPolicies, policy);
     return policy;
   }
 
-  size_t size() const
+  [[nodiscard]] size_t size() const
   {
     return d_zones.size();
   }
-- 
2.47.2