if(ms->env == NULL || ms->env->auth_zones == NULL) { return 0; }
az = ms->env->auth_zones;
+ lock_rw_rdlock(&az->rpz_lock);
verbose(VERB_ALGO, "rpz: iterator module callback: have_rpz=%d", az->rpz_first != NULL);
- lock_rw_rdlock(&az->rpz_lock);
-
/* precedence of RPZ works, loosely, like this:
* CNAMEs in order of the CNAME chain. rpzs in the order they are
* configured. In an RPZ: first client-IP addr, then QNAME, then
lock_rw_unlock(&a->lock);
continue;
}
+ if(r->taglist && ms->client_info &&
+ !taglist_intersect(r->taglist, r->taglistlen,
+ ms->client_info->taglist,
+ ms->client_info->taglen)) {
+ lock_rw_unlock(&a->lock);
+ continue;
+ }
/* the nsdname has precedence over the nsip triggers */
z = rpz_delegation_point_zone_lookup(is->dp, r->nsdname_zones,
lock_rw_unlock(&a->lock);
continue;
}
+ if(r->taglist && ms->client_info &&
+ !taglist_intersect(r->taglist, r->taglistlen,
+ ms->client_info->taglist,
+ ms->client_info->taglen)) {
+ lock_rw_unlock(&a->lock);
+ continue;
+ }
z = rpz_find_zone(r->local_zones, is->qchase.qname,
is->qchase.qname_len, is->qchase.qclass, 0, 0, 0);
if(z && r->action_override == RPZ_DISABLED_ACTION) {
--- /dev/null
+; config options
+server:
+ module-config: "respip validator iterator"
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: no
+ access-control: 192.0.0.0/8 allow
+ define-tag: "internal server"
+ access-control-tag: 192.0.0.0/8 "internal"
+ access-control-tag: 127.0.0.0/8 "server"
+
+rpz:
+ name: "rpz.example.com."
+ rpz-log: yes
+ rpz-log-name: "rpz.example.com"
+ tags: "internal"
+ zonefile:
+TEMPFILE_NAME rpz.example.com
+TEMPFILE_CONTENTS rpz.example.com
+$ORIGIN example.com.
+rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
+ 1379078166 28800 7200 604800 7200 )
+ 3600 IN NS ns1.rpz.example.com.
+ 3600 IN NS ns2.rpz.example.com.
+$ORIGIN rpz.example.com.
+www.gotham.a A 1.2.3.61
+www.gotham2.a CNAME g2.target.a.
+g2.target.a A 1.2.3.62
+www.gotham3.a CNAME g3.target.a.
+g3.target.a CNAME g3b.target.a.
+g3b.target.a A 1.2.3.63
+www.gotham4.a CNAME g4.target.a.
+g4.target.a CNAME g4b.target.a.
+g4b.target.a CNAME g4c.target.a.
+g4c.target.a A 1.2.3.64
+; server for a.
+32.40.30.20.10.rpz-nsip A 1.2.3.68
+TEMPFILE_END
+
+stub-zone:
+ name: "a."
+ stub-addr: 10.20.30.40
+CONFIG_END
+
+SCENARIO_BEGIN Test RPZ handling of CNAMEs and tags.
+
+; a.
+RANGE_BEGIN 0 1000
+ ADDRESS 10.20.30.40
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+target.a. IN A
+SECTION ANSWER
+target.a. IN A 1.2.3.6
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.gotham.a. IN A
+SECTION ANSWER
+www.gotham.a. IN A 1.2.3.5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.gotham2.a. IN A
+SECTION ANSWER
+www.gotham2.a. IN A 1.2.3.52
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.gotham3.a. IN A
+SECTION ANSWER
+www.gotham3.a. IN A 1.2.3.53
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.gotham4.a. IN A
+SECTION ANSWER
+www.gotham4.a. IN A 1.2.3.54
+ENTRY_END
+RANGE_END
+
+; Test with zero rpz CNAMEs, no tag match for rpz answer.
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham.a. IN A
+ENTRY_END
+
+STEP 11 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.gotham.a. IN A
+SECTION ANSWER
+www.gotham.a. A 1.2.3.5
+ENTRY_END
+
+; Test with one rpz CNAME, no tag match for rpz answer.
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham2.a. IN A
+ENTRY_END
+
+STEP 21 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.gotham2.a. IN A
+SECTION ANSWER
+www.gotham2.a. A 1.2.3.52
+ENTRY_END
+
+; Test with two rpz CNAMEs, no tag match for rpz answer.
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham3.a. IN A
+ENTRY_END
+
+STEP 31 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.gotham3.a. IN A
+SECTION ANSWER
+www.gotham3.a. A 1.2.3.53
+ENTRY_END
+
+; Test with three rpz CNAMEs, no tag match for rpz answer.
+STEP 40 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham4.a. IN A
+ENTRY_END
+
+STEP 41 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.gotham4.a. IN A
+SECTION ANSWER
+www.gotham4.a. A 1.2.3.54
+ENTRY_END
+
+; Test with zero rpz CNAMEs, rpz answer. Tag "internal"
+STEP 50 QUERY ADDRESS 192.0.0.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham.a. IN A
+ENTRY_END
+
+STEP 51 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+www.gotham.a. IN A
+SECTION ANSWER
+www.gotham.a. A 1.2.3.61
+ENTRY_END
+
+; Test with one rpz CNAME, rpz answer. Tag "internal"
+STEP 60 QUERY ADDRESS 192.0.0.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham2.a. IN A
+ENTRY_END
+
+STEP 61 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+www.gotham2.a. IN A
+SECTION ANSWER
+www.gotham2.a. CNAME g2.target.a.
+g2.target.a. A 1.2.3.62
+ENTRY_END
+
+; Test with two rpz CNAMEs, rpz answer. Tag "internal"
+STEP 70 QUERY ADDRESS 192.0.0.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham3.a. IN A
+ENTRY_END
+
+STEP 71 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+www.gotham3.a. IN A
+SECTION ANSWER
+www.gotham3.a. CNAME g3.target.a.
+g3.target.a. CNAME g3b.target.a.
+g3b.target.a. A 1.2.3.63
+ENTRY_END
+
+; Test with three rpz CNAMEs, rpz answer. Tag "internal"
+STEP 80 QUERY ADDRESS 192.0.0.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham4.a. IN A
+ENTRY_END
+
+STEP 81 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+www.gotham4.a. IN A
+SECTION ANSWER
+www.gotham4.a. CNAME g4.target.a.
+g4.target.a. CNAME g4b.target.a.
+g4b.target.a. CNAME g4c.target.a.
+g4c.target.a. A 1.2.3.64
+ENTRY_END
+
+SCENARIO_END
projects / thirdparty / unbound.git / commitdiff
