From fb8c5a764d52c19d9330a095b0b1f766f41cb080 Mon Sep 17 00:00:00 2001
From: mb
Date: Tue, 3 Nov 2020 11:02:36 +0100
Subject: [PATCH] RPZ: provide tcp-only triggers for respip actions

---
 services/mesh.c | 20 ++++++++++++++++++++
 services/rpz.c | 6 ++----
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/services/mesh.c b/services/mesh.c
index cd9050936..a255595e8 100644
--- a/services/mesh.c
+++ b/services/mesh.c
@@ -1175,6 +1175,22 @@ mesh_do_callback(struct mesh_state* m, int rcode, struct reply_info* rep,
 	m->s.env->mesh->num_reply_addrs--;
 }
 
+static inline int
+mesh_is_rpz_respip_tcponly_action(struct mesh_state const* m)
+{
+	struct respip_action_info const* respip_info = m->s.respip_action_info;
+	return respip_info == NULL
+		? 0
+		: (respip_info->rpz_used
+		&& !respip_info->rpz_disabled
+		&& respip_info->action == respip_truncate);
+}
+
+static inline int
+mesh_is_udp(struct mesh_reply const* r) {
+	return r->query_reply.c->type == comm_udp;
+}
+
 /**
  * Send reply to mesh reply entry
  * @param m: mesh state to send it for.
@@ -1193,6 +1209,10 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 	struct timeval end_time;
 	struct timeval duration;
 	int secure;
+
+	rcode = mesh_is_udp(r) && mesh_is_rpz_respip_tcponly_action(m)
+		? (rcode|BIT_TC) : rcode;
+
 	/* Copy the client's EDNS for later restore, to make sure the edns
 	 * compare is with the correct edns options. */
 	struct edns_data edns_bak = r->edns;
diff --git a/services/rpz.c b/services/rpz.c
index 25f8c8892..fb047a7f2 100644
--- a/services/rpz.c
+++ b/services/rpz.c
@@ -480,6 +480,8 @@ rpz_insert_qname_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen,
 	char* rrstr;
 	int newzone = 0;
 
+	verbose(VERB_ALGO, "RPZ: insert qname trigger: %s", rpz_action_to_string(a));
+
 	if(a == RPZ_INVALID_ACTION) {
 		verbose(VERB_ALGO, "RPZ: skipping unsupported action: %s",
 			rpz_action_to_string(a));
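Review bot: The two new static helpers at the top of the first mesh.c hunk carry no comment, while the file documents its functions with `/** ... */` blocks (the "Send reply to mesh reply entry" block directly below them). I would add `/** Whether the rpz respip action recorded on this mesh state is the tcp-only (respip_truncate) action. */` above mesh_is_rpz_respip_tcponly_action and `/** Whether the client query behind this reply entry arrived over UDP. */` above mesh_is_udp. The NULL-guarding ternary reads more plainly as a short-circuit chain, `return respip_info && respip_info->rpz_used && !respip_info->rpz_disabled && respip_info->action == respip_truncate;`, which also drops the `? 0 :` layout. mesh_is_udp opens its brace on the signature line while its sibling puts the brace on its own line; one convention for both would be easier on the reader.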
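Review bot: In the second mesh.c hunk the added `rcode = ...` assignment is placed before the declaration `struct edns_data edns_bak = r->edns;`, so that declaration now follows a statement; if the project builds with declaration-after-statement warnings, this hunk introduces one, and moving the assignment below the `edns_bak` declaration avoids it. The conditional also relies on `&&` binding tighter than `?:`, which is correct but easy to misread once the left operand spans a line; `rcode = (mesh_is_udp(r) && mesh_is_rpz_respip_tcponly_action(m)) ? (rcode|BIT_TC) : rcode;` makes the grouping explicit. Since rcode is a parameter of mesh_send_reply, every later use of it in the function, whose body continues outside the hunk, now sees the TC bit on UDP replies for this action; a one-line comment such as `/* rpz tcp-only action: set TC on the UDP answer */` would record that intent next to the assignment.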
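Review bot: In the rpz.c hunk the new `verbose(VERB_ALGO, "RPZ: insert qname trigger: %s", ...)` call runs before the `RPZ_INVALID_ACTION` check, so an unsupported action is now logged twice in a row, first as an insert and then as skipped. Placing the new line after the `if(a == RPZ_INVALID_ACTION) { ... return; }` block, which ends past this hunk, logs only triggers that are actually inserted, which is what the message says. The added line is also longer than the surrounding code; wrapping `rpz_action_to_string(a)` onto a continuation line, as the existing verbose call just below it does, keeps it in the file's style.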
@@ -487,10 +489,6 @@ rpz_insert_qname_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen,
 		return;
 	}
 
-	if(a == RPZ_TCP_ONLY_ACTION) {
-		verbose(VERB_ALGO, "RPZ: insert qname trigger: tcp-only");
-	}
-
 	lock_rw_wrlock(&r->local_zones->lock);
 	/* exact match */
 	z = local_zones_find(r->local_zones, dname, dnamelen, dnamelabs,