local function rpz_parse(action, path)
local rules = {}
local new_actions = {}
+ local origin = '.'
local action_map = {
-- RPZ Policy Actions
['\0'] = action,
local name = ffi.string(parser.r_owner, parser.r_owner_length)
local rdata = ffi.string(parser.r_data, parser.r_data_length)
+ if (parser.r_type == kres.type.SOA) then
+ -- parser return \0 if SOA use @ as owner
+ origin = (name == '\0') and origin or name
+ goto continue
+ end
+
+ name = (name == origin) and name or name:gsub('%'..origin, '')
+
if parser.r_type == kres.type.CNAME then
if action_map[rdata] then
rules[name] = action_map[rdata]
end
end
end
+
+ ::continue::
end
collectgarbage()
for k, v in pairs(new_actions) do
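Review bot: The suffix strip on the added line `name = (name == origin) and name or name:gsub('%'..origin, '')` treats `origin` as a Lua pattern: only its first byte is escaped, the match is not anchored to the end of the owner, and every occurrence is removed. An origin containing `-` or another pattern character can then fail to match or match the wrong bytes, and with the initial `origin = '.'` any 0x2E byte inside an owner is deleted. Since `rules[name]` is the key the policy is stored under, a mangled owner means an RPZ rule that silently does not apply to the name it was written for. A plain, end-anchored comparison avoids this, `if name ~= origin and name:sub(-#origin) == origin then name = name:sub(1, -#origin - 1) end`, and a label-aware comparison would be stricter still, since the `'\0'` root check suggests these are wire-format names. It is also worth confirming that a stripped owner ends up in the same form as owners that never carried the suffix; rpz_parse continues beyond the lines shown here.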
'rpzpassthru.', kres.type.A, kres.rcode.NOERROR, '127.0.0.9')
check_answer('"A 192.168.55.5" return local A rrset',
'rra.', kres.type.A, kres.rcode.NOERROR, '192.168.55.5')
+ check_answer('"A 192.168.66.6" with suffixed zone name in owner return local A rrset',
+ 'rra-zonename-suffix.', kres.type.A, kres.rcode.NOERROR, '192.168.66.6')
check_answer('non existing AAAA on rra domain return NODATA',
'rra.', kres.type.AAAA, kres.rcode.NOERROR)
end
$TTL 30
-@ SOA nonexistent.nodomain.none. dummy.nodomain.none. 1 12h 15m 3w 2h
- NS nonexistant.nodomain.none.
+testdomain. SOA nonexistent.testdomain. testdomain. 1 12h 15m 3w 2h
+ NS nonexistant.testdomain.
-nxdomain. CNAME .
-nodata. CNAME *.
-rpzdrop. CNAME rpz-drop.
-rpzpassthru. CNAME rpz-passthru.
-rra. A 192.168.55.5
+nxdomain. CNAME .
+nodata. CNAME *.
+rpzdrop. CNAME rpz-drop.
+rpzpassthru. CNAME rpz-passthru.
+rra. A 192.168.55.5
+rra-zonename-suffix.testdomain. A 192.168.66.6
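Review bot: Replacing `@ SOA …` with `testdomain. SOA …` means this fixture no longer exercises the `name == '\0'` branch that the parser change keeps for an `@` owner, as far as the visible records show. The new origin `testdomain.` also contains no `-` or other Lua pattern character, so the one added record cannot catch a suffix strip that misfires on such origins. Consider keeping a second small zone with an `@` SOA, and adding one with a hyphenated origin plus an owner that merely contains the origin text in an inner label, each with a matching `check_answer` case.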