From 1db3b38104c78be0323ded00f9f23a19dec6e58f Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Wed, 13 Mar 2024 13:45:04 +0100
Subject: [PATCH] - Fix #1029: rpz trigger clientip and action rpz-passthru not working as expected.

---
 doc/Changelog | 4 ++
 services/rpz.c | 2 +
 testdata/rpz_passthru_clientip.rpl | 90 ++++++++++++++++++++++++++++++
 3 files changed, 96 insertions(+)
 create mode 100644 testdata/rpz_passthru_clientip.rpl

diff --git a/doc/Changelog b/doc/Changelog
index 5ffd4e798..95e27db44 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+13 March 2024: Wouter
+ - Fix #1029: rpz trigger clientip and action rpz-passthru not working
+ as expected.
+
 12 March 2024: Yorgos
 - Merge #1028: Clearer documentation for tcp-idle-timeout and
 edns-tcp-keepalive-timeout.
diff --git a/services/rpz.c b/services/rpz.c
index 32588b7a8..e8e7143ad 100644
--- a/services/rpz.c
+++ b/services/rpz.c
@@ -2527,6 +2527,8 @@ rpz_apply_maybe_clientip_trigger(struct auth_zones* az, struct module_env* env,
 client_action = ((node == NULL) ? RPZ_INVALID_ACTION : node->action);
 if(client_action == RPZ_PASSTHRU_ACTION) {
 *passthru = 1;
+ ret = 0;
+ goto done;
 }
 if(*z_out == NULL || (client_action != RPZ_INVALID_ACTION &&
 client_action != RPZ_PASSTHRU_ACTION)) {
diff --git a/testdata/rpz_passthru_clientip.rpl b/testdata/rpz_passthru_clientip.rpl
new file mode 100644
index 000000000..1ffb79a00
--- /dev/null
+++ b/testdata/rpz_passthru_clientip.rpl
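Review bot: The new `ret = 0; goto done;` in rpz_apply_maybe_clientip_trigger depends on `ret`, the `done:` label and whatever cleanup `done:` performs, none of which are in this hunk; the enclosing function starts before and continues after it. Worth confirming that nothing between the `goto` and `done:` is still needed on this path, in particular any rpz-log call for the matched action: the new test enables `rpz-log: yes` but asserts nothing about the log, so a client-IP passthru that silently stops being logged would not be caught. It is also worth confirming that returning 0 with `*passthru = 1` makes the caller skip the remaining qname/nsdname/nsip triggers of every configured RPZ rather than only this zone's, which is presumably what rpz-passthru is meant to do, since the test configures a single zone and cannot distinguish the two. A one-line comment on the new lines would spare the next reader the same question, e.g. `/* rpz-passthru on the client-IP trigger exempts this response from further policy: stop here, no rewrite. */`.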
@@ -0,0 +1,90 @@
+; config options
+server:
+ module-config: "respip validator iterator"
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: no
+ access-control: 192.0.0.0/8 allow
+
+rpz:
+ name: "rpz.example.com."
+ rpz-log: yes
+ rpz-log-name: "rpz.example.com"
+ zonefile:
+TEMPFILE_NAME rpz.example.com
+TEMPFILE_CONTENTS rpz.example.com
+$ORIGIN example.com.
+rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
+ 1379078166 28800 7200 604800 7200 )
+ 3600 IN NS ns1.rpz.example.com.
+ 3600 IN NS ns2.rpz.example.com.
+$ORIGIN rpz.example.com.
+d.a A 127.0.0.1
+32.1.5.0.192.rpz-client-ip CNAME rpz-passthru.
+32.2.5.0.192.rpz-client-ip CNAME rpz-drop.
+TEMPFILE_END
+
+stub-zone:
+ name: "a."
+ stub-addr: 10.20.30.40
+CONFIG_END
+
+SCENARIO_BEGIN Test RPZ passthru ends processing after clientip.
+
+; a.
+RANGE_BEGIN 0 1000
+ ADDRESS 10.20.30.40
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+d.a. IN A
+SECTION ANSWER
+d.a. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+STEP 10 QUERY ADDRESS 192.0.5.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+d.a. IN A
+ENTRY_END
+
+STEP 11 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+d.a. IN A
+SECTION ANSWER
+d.a. A 1.2.3.4
+ENTRY_END
+
+; This reply should get the rpz data
+STEP 20 QUERY ADDRESS 192.0.5.3
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+d.a. IN A
+ENTRY_END
+
+STEP 21 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+d.a. IN A
+SECTION ANSWER
+d.a. A 127.0.0.1
+ENTRY_END
+
+; This reply should be dropped.
+STEP 30 QUERY ADDRESS 192.0.5.2
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+d.a. IN A
+ENTRY_END
+
+SCENARIO_END
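Review bot: STEP 30 sends the query from 192.0.5.2 that the `rpz-drop` client-IP trigger should swallow, but no later step asserts that no reply arrives; unless the testbound harness fails a scenario on an unconsumed answer (it may, but confirm), a regression that answered this client instead of dropping would still pass. Either add a step that checks the absence of a response or replace the `; This reply should be dropped.` comment with one stating that the harness enforces it. The scenario configures a single RPZ zone, so it cannot show whether the client-IP passthru also exempts the response from triggers in a later zone; a second zone with its own `d.a` qname trigger would pin that behaviour down.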