+18 September 2023: Wouter
+ - Fix rpz tcp-only action with rpz triggers nsdname and nsip.
+
15 September 2023: Wouter
- Merge #936: Check for c99 with autoconf versions prior to 2.70.
- Fix to remove two c99 notations.
mesh_is_rpz_respip_tcponly_action(struct mesh_state const* m)
{
struct respip_action_info const* respip_info = m->s.respip_action_info;
- return respip_info == NULL
+ return (respip_info == NULL
? 0
: (respip_info->rpz_used
&& !respip_info->rpz_disabled
- && respip_info->action == respip_truncate);
+ && respip_info->action == respip_truncate))
+ || m->s.tcp_required;
}
static inline int
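Review bot: The new `|| m->s.tcp_required` term is evaluated for every mesh state, including those where `respip_info` is NULL, so the flag has to be reliably zero unless rpz set it, and no initialisation of `tcp_required` appears anywhere in this diff. If the enclosing `module_qstate` is filled in field by field where mesh states are created (not visible here), an explicit zeroing of `s.tcp_required` belongs there; otherwise UDP clients could get spurious TC replies. The function starts outside this hunk, and its doc comment should presumably also say that the result now covers the nsdname/nsip triggers and not only respip.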
case RPZ_TCP_ONLY_ACTION:
/* basically a passthru here but the tcp-only will be
* honored before the query gets sent. */
- ms->respip_action_info->action = respip_truncate;
+ ms->tcp_required = 1;
ret = NULL;
break;
case RPZ_DROP_ACTION:
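Review bot: The comment kept above `ms->tcp_required = 1;` still says the tcp-only "will be honored before the query gets sent", which no longer describes the mechanism. The branch only raises a flag and sets `ret = NULL`, and the flag is read by `mesh_is_rpz_respip_tcponly_action`, changed in this same commit. Suggest `/* passthru for the lookup itself; tcp_required makes the reply to a udp client come back truncated. */`. The same stale comment sits in the two following hunks, which make the identical change. The enclosing switch starts and ends outside each hunk, so which trigger each copy serves is not visible here.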
case RPZ_TCP_ONLY_ACTION:
/* basically a passthru here but the tcp-only will be
* honored before the query gets sent. */
- ms->respip_action_info->action = respip_truncate;
+ ms->tcp_required = 1;
ret = NULL;
break;
case RPZ_DROP_ACTION:
case RPZ_TCP_ONLY_ACTION:
/* basically a passthru here but the tcp-only will be
* honored before the query gets sent. */
- ms->respip_action_info->action = respip_truncate;
+ ms->tcp_required = 1;
ret = NULL;
break;
case RPZ_DROP_ACTION:
RANGE_END
+; dd. ------------------------------------------------------------------------
+RANGE_BEGIN 0 100
+ ADDRESS 8.8.3.8
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+dd. IN NS
+SECTION ANSWER
+dd. IN NS ns1.dd.
+SECTION ADDITIONAL
+ns1.dd. IN A 8.8.3.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+gotham.dd. IN A
+SECTION AUTHORITY
+gotham.dd. IN NS ns1.gotham.dd.
+SECTION ADDITIONAL
+ns1.gotham.dd. IN A 192.0.3.1
+ENTRY_END
+
+RANGE_END
+
; ff. ------------------------------------------------------------------------
RANGE_BEGIN 0 100
ADDRESS 8.8.6.8
RANGE_END
+; ns1.gotham.dd. -------------------------------------------------------------
+RANGE_BEGIN 0 100
+ ADDRESS 192.0.3.1
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+gotham.dd. IN A
+SECTION ANSWER
+gotham.dd. IN A 192.0.3.2
+ENTRY_END
+
+RANGE_END
+
; ns1.gotham.ff. -------------------------------------------------------------
RANGE_BEGIN 0 100
ADDRESS 192.0.5.1
gotham.ff. IN A 127.0.0.1
ENTRY_END
+STEP 40 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+gotham.dd. IN A
+ENTRY_END
+
+; should come back truncated because TCP is required.
+STEP 41 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA TC NOERROR
+SECTION QUESTION
+gotham.dd. IN A
+SECTION ANSWER
+ENTRY_END
+
+STEP 42 QUERY
+ENTRY_BEGIN
+MATCH TCP
+REPLY RD
+SECTION QUESTION
+gotham.dd. IN A
+ENTRY_END
+
+STEP 43 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all TCP
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+gotham.dd. IN A
+SECTION ANSWER
+gotham.dd. IN A 192.0.3.2
+ENTRY_END
+
SCENARIO_END
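Review bot: Steps 40-43 pin the first UDP query (TC) and the TCP retry (full answer), but nothing checks a later UDP query for `gotham.dd. IN A` after step 43. If the answer fetched for the TCP client ends up cached, a UDP client could presumably be answered without passing the rpz trigger again, which would sidestep the tcp-only policy; whether that happens cannot be told from this diff. A further `STEP 44 QUERY` over UDP with a `STEP 45 CHECK_ANSWER` expecting `REPLY QR RD RA TC NOERROR` would pin the intended behaviour.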
struct respip_action_info* respip_action_info;
/** if the query is rpz passthru, no further rpz processing for it */
int rpz_passthru;
+ /* Flag tcp required. */
+ int tcp_required;
/** whether the reply should be dropped */
int is_drop;
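Review bot: The comment on `tcp_required` is a plain `/* ... */` while the neighbouring members use `/** ... */`, and "Flag tcp required." says neither who sets the flag nor what it causes. Suggest `/** set by rpz when a tcp-only action matched on an nsdname or nsip trigger; replies to udp clients are then truncated so they retry over tcp */`. The struct starts and ends outside this hunk.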