- Fix #1079: tags from tagged rpz zones are no longer honored after

upgrade from 1.19.3 to 1.20.0.

doc/Changelog

@@ -1,3 +1,7 @@
+30 May 2024: Wouter
+	- Fix #1079: tags from tagged rpz zones are no longer honored after
+	  upgrade from 1.19.3 to 1.20.0.
+
 29 May 2024: Wouter
 	- Merge #1078: Only check old pid if no username.
 

services/rpz.c

@@ -2435,11 +2435,10 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate*
 	if(ms->env == NULL || ms->env->auth_zones == NULL) { return 0; }
 
 	az = ms->env->auth_zones;
+	lock_rw_rdlock(&az->rpz_lock);
 
 	verbose(VERB_ALGO, "rpz: iterator module callback: have_rpz=%d", az->rpz_first != NULL);
 
-	lock_rw_rdlock(&az->rpz_lock);
-
 	/* precedence of RPZ works, loosely, like this:
 	 * CNAMEs in order of the CNAME chain. rpzs in the order they are
 	 * configured. In an RPZ: first client-IP addr, then QNAME, then
@@ -2454,6 +2453,13 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate*
 			lock_rw_unlock(&a->lock);
 			continue;
 		}
+		if(r->taglist && ms->client_info &&
+			!taglist_intersect(r->taglist, r->taglistlen,
+				ms->client_info->taglist,
+				ms->client_info->taglen)) {
+			lock_rw_unlock(&a->lock);
+			continue;
+		}
 
 		/* the nsdname has precedence over the nsip triggers */
 		z = rpz_delegation_point_zone_lookup(is->dp, r->nsdname_zones,
@@ -2512,6 +2518,13 @@ struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* ms,
 			lock_rw_unlock(&a->lock);
 			continue;
 		}
+		if(r->taglist && ms->client_info &&
+			!taglist_intersect(r->taglist, r->taglistlen,
+				ms->client_info->taglist,
+				ms->client_info->taglen)) {
+			lock_rw_unlock(&a->lock);
+			continue;
+		}
 		z = rpz_find_zone(r->local_zones, is->qchase.qname,
 			is->qchase.qname_len, is->qchase.qclass, 0, 0, 0);
 		if(z && r->action_override == RPZ_DISABLED_ACTION) {

testdata/rpz_cname_tag.rpl

@@ -0,0 +1,250 @@
+; config options
+server:
+	module-config: "respip validator iterator"
+	target-fetch-policy: "0 0 0 0 0"
+	qname-minimisation: no
+	access-control: 192.0.0.0/8 allow
+	define-tag: "internal server"
+	access-control-tag: 192.0.0.0/8 "internal"
+	access-control-tag: 127.0.0.0/8 "server"
+
+rpz:
+	name: "rpz.example.com."
+	rpz-log: yes
+	rpz-log-name: "rpz.example.com"
+	tags: "internal"
+	zonefile:
+TEMPFILE_NAME rpz.example.com
+TEMPFILE_CONTENTS rpz.example.com
+$ORIGIN example.com.
+rpz	3600	IN	SOA	ns1.rpz.example.com. hostmaster.rpz.example.com. (
+		1379078166 28800 7200 604800 7200 )
+	3600	IN	NS	ns1.rpz.example.com.
+	3600	IN	NS	ns2.rpz.example.com.
+$ORIGIN rpz.example.com.
+www.gotham.a A 1.2.3.61
+www.gotham2.a CNAME g2.target.a.
+g2.target.a A 1.2.3.62
+www.gotham3.a CNAME g3.target.a.
+g3.target.a CNAME g3b.target.a.
+g3b.target.a A 1.2.3.63
+www.gotham4.a CNAME g4.target.a.
+g4.target.a CNAME g4b.target.a.
+g4b.target.a CNAME g4c.target.a.
+g4c.target.a A 1.2.3.64
+; server for a.
+32.40.30.20.10.rpz-nsip A 1.2.3.68
+TEMPFILE_END
+
+stub-zone:
+	name: "a."
+	stub-addr: 10.20.30.40
+CONFIG_END
+
+SCENARIO_BEGIN Test RPZ handling of CNAMEs and tags.
+
+; a.
+RANGE_BEGIN 0 1000
+	ADDRESS 10.20.30.40
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+target.a. IN A
+SECTION ANSWER
+target.a. IN A 1.2.3.6
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.gotham.a. IN A
+SECTION ANSWER
+www.gotham.a. IN A 1.2.3.5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.gotham2.a. IN A
+SECTION ANSWER
+www.gotham2.a. IN A 1.2.3.52
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.gotham3.a. IN A
+SECTION ANSWER
+www.gotham3.a. IN A 1.2.3.53
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.gotham4.a. IN A
+SECTION ANSWER
+www.gotham4.a. IN A 1.2.3.54
+ENTRY_END
+RANGE_END
+
+; Test with zero rpz CNAMEs, no tag match for rpz answer.
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham.a.	IN	A
+ENTRY_END
+
+STEP 11 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.gotham.a.	IN	A
+SECTION ANSWER
+www.gotham.a. A 1.2.3.5
+ENTRY_END
+
+; Test with one rpz CNAME, no tag match for rpz answer.
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham2.a.	IN	A
+ENTRY_END
+
+STEP 21 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.gotham2.a.	IN	A
+SECTION ANSWER
+www.gotham2.a. A 1.2.3.52
+ENTRY_END
+
+; Test with two rpz CNAMEs, no tag match for rpz answer.
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham3.a.	IN	A
+ENTRY_END
+
+STEP 31 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.gotham3.a.	IN	A
+SECTION ANSWER
+www.gotham3.a. A 1.2.3.53
+ENTRY_END
+
+; Test with three rpz CNAMEs, no tag match for rpz answer.
+STEP 40 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham4.a.	IN	A
+ENTRY_END
+
+STEP 41 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.gotham4.a.	IN	A
+SECTION ANSWER
+www.gotham4.a. A 1.2.3.54
+ENTRY_END
+
+; Test with zero rpz CNAMEs, rpz answer. Tag "internal"
+STEP 50 QUERY ADDRESS 192.0.0.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham.a.	IN	A
+ENTRY_END
+
+STEP 51 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+www.gotham.a.	IN	A
+SECTION ANSWER
+www.gotham.a. A 1.2.3.61
+ENTRY_END
+
+; Test with one rpz CNAME, rpz answer. Tag "internal"
+STEP 60 QUERY ADDRESS 192.0.0.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham2.a.	IN	A
+ENTRY_END
+
+STEP 61 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+www.gotham2.a.	IN	A
+SECTION ANSWER
+www.gotham2.a. CNAME g2.target.a.
+g2.target.a. A 1.2.3.62
+ENTRY_END
+
+; Test with two rpz CNAMEs, rpz answer. Tag "internal"
+STEP 70 QUERY ADDRESS 192.0.0.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham3.a.	IN	A
+ENTRY_END
+
+STEP 71 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+www.gotham3.a.	IN	A
+SECTION ANSWER
+www.gotham3.a. CNAME g3.target.a.
+g3.target.a. CNAME g3b.target.a.
+g3b.target.a. A 1.2.3.63
+ENTRY_END
+
+; Test with three rpz CNAMEs, rpz answer. Tag "internal"
+STEP 80 QUERY ADDRESS 192.0.0.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham4.a.	IN	A
+ENTRY_END
+
+STEP 81 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+www.gotham4.a.	IN	A
+SECTION ANSWER
+www.gotham4.a. CNAME g4.target.a.
+g4.target.a. CNAME g4b.target.a.
+g4b.target.a. CNAME g4c.target.a.
+g4c.target.a. A 1.2.3.64
+ENTRY_END
+
+SCENARIO_END