rpz: apply trigger at query time not response time
This commit is contained in:
parent
f7fb338c95
commit
354c19f6ac
2 changed files with 29 additions and 5 deletions
@ -2471,6 +2471,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||||
/* Add the current set of unused targets to our queue. */
|
/* Add the current set of unused targets to our queue. */
|
||||||
delegpt_add_unused_targets(iq->dp);
|
delegpt_add_unused_targets(iq->dp);
|
||||||
|
|
||||||
|
rpz_iterator_module_callback(qstate, iq);
|
||||||
|
|
||||||
/* Select the next usable target, filtering out unsuitable targets. */
|
/* Select the next usable target, filtering out unsuitable targets. */
|
||||||
target = iter_server_selection(ie, qstate->env, iq->dp,
|
target = iter_server_selection(ie, qstate->env, iq->dp,
|
||||||
iq->dp->name, iq->dp->namelen, iq->qchase.qtype,
|
iq->dp->name, iq->dp->namelen, iq->qchase.qtype,
|
||||||
|
|
@ -2660,15 +2662,15 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||||
{
|
{
|
||||||
int dnsseclame = 0;
|
int dnsseclame = 0;
|
||||||
enum response_type type;
|
enum response_type type;
|
||||||
int rpz_filter_result;
|
//int rpz_filter_result;
|
||||||
|
|
||||||
iq->num_current_queries--;
|
iq->num_current_queries--;
|
||||||
|
|
||||||
if(!inplace_cb_query_response_call(qstate->env, qstate, iq->response))
|
if(!inplace_cb_query_response_call(qstate->env, qstate, iq->response))
|
||||||
log_err("unable to call query_response callback");
|
log_err("unable to call query_response callback");
|
||||||
|
|
||||||
rpz_filter_result = rpz_iterator_module_callback(qstate, iq);
|
//rpz_filter_result = rpz_iterator_module_callback(qstate, iq);
|
||||||
if(rpz_filter_result > 0) { next_state(iq, FINISHED_STATE); }
|
//if(rpz_filter_result > 0) { next_state(iq, FINISHED_STATE); }
|
||||||
|
|
||||||
if(iq->response == NULL) {
|
if(iq->response == NULL) {
|
||||||
/* Don't increment qname when QNAME minimisation is enabled */
|
/* Don't increment qname when QNAME minimisation is enabled */
|
||||||
|
|
|
||||||
|
|
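Review bot: The new call `rpz_iterator_module_callback(qstate, iq);` in processQueryTargets discards the return value, while the response-time code it replaces acted on `rpz_filter_result > 0` by moving to FINISHED_STATE; if the callback still reports an applied nsip action through its return, the iterator now ignores it and goes on to iter_server_selection on the very delegation point that matched the trigger. Consider `if(rpz_iterator_module_callback(qstate, iq) > 0) return next_state(iq, FINISHED_STATE);` (assuming next_state is the usual continuation here), or document in a comment why the result is intentionally unused. In processQueryResponse the old declaration, call and check are left as `//` comments rather than removed; commented-out code should be deleted. Both enclosing functions start and end outside the hunks.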
@ -53,6 +53,7 @@
|
||||||
#include "util/data/msgencode.h"
|
#include "util/data/msgencode.h"
|
||||||
#include "services/cache/dns.h"
|
#include "services/cache/dns.h"
|
||||||
#include "iterator/iterator.h"
|
#include "iterator/iterator.h"
|
||||||
|
#include "iterator/iter_delegpt.h"
|
||||||
|
|
||||||
typedef struct resp_addr rpz_aclnode_type;
|
typedef struct resp_addr rpz_aclnode_type;
|
||||||
|
|
||||||
|
|
@ -1489,16 +1490,35 @@ rpz_patch_localdata(struct dns_msg* response, struct clientip_synthesized_rr* da
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
struct clientip_synthesized_rr*
|
||||||
|
rpz_delegation_point_ipbased_trigger_lookup(struct rpz* rpz,
|
||||||
|
struct iter_qstate* is)
|
||||||
|
{
|
||||||
|
struct delegpt_addr* cursor;
|
||||||
|
struct clientip_synthesized_rr* action = NULL;
|
||||||
|
if(is->dp == NULL) { return NULL; }
|
||||||
|
for(cursor = is->dp->target_list; cursor != NULL; cursor = cursor->next_target) {
|
||||||
|
if(cursor->bogus) { continue; }
|
||||||
|
action = rpz_ipbased_trigger_lookup(rpz->ns_set, &cursor->addr, cursor->addrlen);
|
||||||
|
if(action != NULL) { return action; }
|
||||||
|
}
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
rpz_iterator_module_callback(struct module_qstate* ms, struct iter_qstate* is)
|
rpz_iterator_module_callback(struct module_qstate* ms, struct iter_qstate* is)
|
||||||
{
|
{
|
||||||
struct auth_zones* az = ms->env->auth_zones;
|
struct auth_zones* az;
|
||||||
struct auth_zone* a;
|
struct auth_zone* a;
|
||||||
struct clientip_synthesized_rr* raddr;
|
struct clientip_synthesized_rr* raddr;
|
||||||
enum rpz_action action = RPZ_INVALID_ACTION;
|
enum rpz_action action = RPZ_INVALID_ACTION;
|
||||||
struct rpz* r;
|
struct rpz* r;
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
|
|
||||||
|
if(ms->env == NULL || ms->env->auth_zones == NULL) { return 0; }
|
||||||
|
|
||||||
|
az = ms->env->auth_zones;
|
||||||
|
|
||||||
verbose(VERB_ALGO, "rpz: iterator module callback: have_rpz=%d", az->rpz_first != NULL);
|
verbose(VERB_ALGO, "rpz: iterator module callback: have_rpz=%d", az->rpz_first != NULL);
|
||||||
|
|
||||||
lock_rw_rdlock(&az->rpz_lock);
|
lock_rw_rdlock(&az->rpz_lock);
|
||||||
|
|
@ -1507,7 +1527,7 @@ rpz_iterator_module_callback(struct module_qstate* ms, struct iter_qstate* is)
|
||||||
for(a = az->rpz_first; a != NULL; a = a->rpz_az_next) {
|
for(a = az->rpz_first; a != NULL; a = a->rpz_az_next) {
|
||||||
lock_rw_rdlock(&a->lock);
|
lock_rw_rdlock(&a->lock);
|
||||||
r = a->rpz;
|
r = a->rpz;
|
||||||
raddr = rpz_ipbased_trigger_lookup(r->ns_set, &ms->reply->addr, ms->reply->addrlen);
|
raddr = rpz_delegation_point_ipbased_trigger_lookup(r, is);
|
||||||
if(raddr != NULL) {
|
if(raddr != NULL) {
|
||||||
lock_rw_unlock(&a->lock);
|
lock_rw_unlock(&a->lock);
|
||||||
break;
|
break;
|
||||||
|
|
@ -1515,6 +1535,8 @@ rpz_iterator_module_callback(struct module_qstate* ms, struct iter_qstate* is)
|
||||||
lock_rw_unlock(&a->lock);
|
lock_rw_unlock(&a->lock);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
lock_rw_unlock(&az->rpz_lock);
|
||||||
|
|
||||||
if(raddr == NULL) { return 0; }
|
if(raddr == NULL) { return 0; }
|
||||||
|
|
||||||
verbose(VERB_ALGO, "rpz: iterator callback: nsip: apply action=%s",
|
verbose(VERB_ALGO, "rpz: iterator callback: nsip: apply action=%s",
|
||||||
|
|
|
||||||
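Review bot: `raddr` is obtained from `rpz_delegation_point_ipbased_trigger_lookup(r, is)` while `a->lock` and `az->rpz_lock` are read-held, but the matching branch unlocks `a->lock` and breaks, the new `lock_rw_unlock(&az->rpz_lock);` drops the second lock, and the function then continues to use `raddr` (the `apply action=%s` log); if `ns_set` entries can be freed or replaced by a zone reload while no lock is held, that looks like a use-after-free window, though the rest of the function is outside the hunk. Either keep `a->lock` held until the action has been applied, or copy the fields needed from `raddr` into locals before unlocking. In the new helper, the loop skips `cursor->bogus` targets but has no prototype or `static` in the visible hunk; add a declaration in the header, or a comment such as `/* Return the first nsip trigger matching any non-bogus address of the delegation point, or NULL. Caller holds rpz->lock. */`. rpz_iterator_module_callback ends outside the hunk.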