mirror of
https://github.com/NLnetLabs/unbound.git
synced 2024-09-21 06:37:08 +00:00
- Fix rpz that the rpz override is taken in case of clientip triggers.
Fix that the clientip passthru action is logged. Fix that the clientip localdata action is logged. Fix rpz override action cname for the clientip trigger.
This commit is contained in:
parent
1db3b38104
commit
4f417262e3
@ -1,6 +1,10 @@
|
||||
13 March 2024: Wouter
|
||||
- Fix #1029: rpz trigger clientip and action rpz-passthru not working
|
||||
as expected.
|
||||
- Fix rpz that the rpz override is taken in case of clientip triggers.
|
||||
Fix that the clientip passthru action is logged. Fix that the
|
||||
clientip localdata action is logged. Fix rpz override action cname
|
||||
for the clientip trigger.
|
||||
|
||||
12 March 2024: Yorgos
|
||||
- Merge #1028: Clearer documentation for tcp-idle-timeout and
|
||||
|
@ -1876,6 +1876,26 @@ nodata:
|
||||
rrset_count, rcode, rsoa);
|
||||
}
|
||||
|
||||
static void
|
||||
rpz_apply_clientip_cname_override_action(struct rpz* r,
|
||||
struct query_info* qinfo, struct regional* temp)
|
||||
{
|
||||
if(!r)
|
||||
return;
|
||||
qinfo->local_alias = regional_alloc_zero(temp,
|
||||
sizeof(struct local_rrset));
|
||||
if(qinfo->local_alias == NULL)
|
||||
return; /* out of memory */
|
||||
qinfo->local_alias->rrset = regional_alloc_init(temp,
|
||||
r->cname_override, sizeof(*r->cname_override));
|
||||
if(qinfo->local_alias->rrset == NULL) {
|
||||
qinfo->local_alias = NULL;
|
||||
return; /* out of memory */
|
||||
}
|
||||
qinfo->local_alias->rrset->rk.dname = qinfo->qname;
|
||||
qinfo->local_alias->rrset->rk.dname_len = qinfo->qname_len;
|
||||
}
|
||||
|
||||
/** add additional section SOA record to the reply.
|
||||
* Since this gets fed into the normal iterator answer creation, it
|
||||
* gets minimal-responses applied to it, that can remove the additional SOA
|
||||
@ -2525,7 +2545,18 @@ rpz_apply_maybe_clientip_trigger(struct auth_zones* az, struct module_env* env,
|
||||
az, qinfo, repinfo, taglist, taglen, stats, z_out, a_out, r_out);
|
||||
|
||||
client_action = ((node == NULL) ? RPZ_INVALID_ACTION : node->action);
|
||||
if(node != NULL && *r_out &&
|
||||
(*r_out)->action_override != RPZ_NO_OVERRIDE_ACTION) {
|
||||
client_action = (*r_out)->action_override;
|
||||
}
|
||||
if(client_action == RPZ_PASSTHRU_ACTION) {
|
||||
if(*r_out && (*r_out)->log)
|
||||
log_rpz_apply(
|
||||
(node?"clientip":"qname"),
|
||||
((*z_out)?(*z_out)->name:NULL),
|
||||
(node?&node->node:NULL),
|
||||
client_action, qinfo, repinfo, NULL,
|
||||
(*r_out)->log_name);
|
||||
*passthru = 1;
|
||||
ret = 0;
|
||||
goto done;
|
||||
@ -2543,14 +2574,12 @@ rpz_apply_maybe_clientip_trigger(struct auth_zones* az, struct module_env* env,
|
||||
if(client_action == RPZ_LOCAL_DATA_ACTION) {
|
||||
rpz_apply_clientip_localdata_action(node, env, qinfo,
|
||||
edns, repinfo, buf, temp, *a_out);
|
||||
ret = 1;
|
||||
} else if(client_action == RPZ_CNAME_OVERRIDE_ACTION) {
|
||||
rpz_apply_clientip_cname_override_action(*r_out,
|
||||
qinfo, temp);
|
||||
ret = 0;
|
||||
} else {
|
||||
if(*r_out && (*r_out)->log)
|
||||
log_rpz_apply(
|
||||
(node?"clientip":"qname"),
|
||||
((*z_out)?(*z_out)->name:NULL),
|
||||
(node?&node->node:NULL),
|
||||
client_action, qinfo, repinfo, NULL,
|
||||
(*r_out)->log_name);
|
||||
local_zones_zone_answer(*z_out /*likely NULL, no zone*/, env, qinfo, edns,
|
||||
repinfo, buf, temp, 0 /* no local data used */,
|
||||
rpz_action_to_localzone_type(client_action));
|
||||
@ -2558,8 +2587,15 @@ rpz_apply_maybe_clientip_trigger(struct auth_zones* az, struct module_env* env,
|
||||
LDNS_RCODE_WIRE(sldns_buffer_begin(buf))
|
||||
== LDNS_RCODE_NXDOMAIN)
|
||||
LDNS_RA_CLR(sldns_buffer_begin(buf));
|
||||
ret = 1;
|
||||
}
|
||||
ret = 1;
|
||||
if(*r_out && (*r_out)->log)
|
||||
log_rpz_apply(
|
||||
(node?"clientip":"qname"),
|
||||
((*z_out)?(*z_out)->name:NULL),
|
||||
(node?&node->node:NULL),
|
||||
client_action, qinfo, repinfo, NULL,
|
||||
(*r_out)->log_name);
|
||||
goto done;
|
||||
}
|
||||
ret = -1;
|
||||
|
269
testdata/rpz_clientip_override.rpl
vendored
Normal file
269
testdata/rpz_clientip_override.rpl
vendored
Normal file
@ -0,0 +1,269 @@
|
||||
; config options
|
||||
server:
|
||||
module-config: "respip validator iterator"
|
||||
target-fetch-policy: "0 0 0 0 0"
|
||||
qname-minimisation: no
|
||||
access-control: 192.0.0.0/8 allow
|
||||
|
||||
rpz:
|
||||
name: "rpz.example.com."
|
||||
rpz-log: yes
|
||||
rpz-log-name: "rpz.example.com"
|
||||
rpz-action-override: "nxdomain"
|
||||
zonefile:
|
||||
TEMPFILE_NAME rpz.example.com
|
||||
TEMPFILE_CONTENTS rpz.example.com
|
||||
$ORIGIN example.com.
|
||||
rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
|
||||
1379078166 28800 7200 604800 7200 )
|
||||
3600 IN NS ns1.rpz.example.com.
|
||||
3600 IN NS ns2.rpz.example.com.
|
||||
$ORIGIN rpz.example.com.
|
||||
32.1.5.0.192.rpz-client-ip CNAME rpz-passthru.
|
||||
32.2.5.0.192.rpz-client-ip A 1.2.3.5
|
||||
TEMPFILE_END
|
||||
|
||||
rpz:
|
||||
name: "rpz2.example.com."
|
||||
rpz-log: yes
|
||||
rpz-log-name: "rpz2.example.com"
|
||||
rpz-action-override: "nodata"
|
||||
zonefile:
|
||||
TEMPFILE_NAME rpz2.example.com
|
||||
TEMPFILE_CONTENTS rpz2.example.com
|
||||
$ORIGIN example.com.
|
||||
rpz2 3600 IN SOA ns1.rpz2.example.com. hostmaster.rpz2.example.com. (
|
||||
1379078166 28800 7200 604800 7200 )
|
||||
3600 IN NS ns1.rpz2.example.com.
|
||||
3600 IN NS ns2.rpz2.example.com.
|
||||
$ORIGIN rpz2.example.com.
|
||||
32.4.5.0.192.rpz-client-ip A 1.2.3.5
|
||||
TEMPFILE_END
|
||||
|
||||
rpz:
|
||||
name: "rpz3.example.com."
|
||||
rpz-log: yes
|
||||
rpz-log-name: "rpz3.example.com"
|
||||
rpz-action-override: "passthru"
|
||||
zonefile:
|
||||
TEMPFILE_NAME rpz3.example.com
|
||||
TEMPFILE_CONTENTS rpz3.example.com
|
||||
$ORIGIN example.com.
|
||||
rpz3 3600 IN SOA ns1.rpz3.example.com. hostmaster.rpz3.example.com. (
|
||||
1379078166 28800 7200 604800 7200 )
|
||||
3600 IN NS ns1.rpz3.example.com.
|
||||
3600 IN NS ns2.rpz3.example.com.
|
||||
$ORIGIN rpz3.example.com.
|
||||
32.5.5.0.192.rpz-client-ip A 1.2.3.5
|
||||
TEMPFILE_END
|
||||
|
||||
rpz:
|
||||
name: "rpz4.example.com."
|
||||
rpz-log: yes
|
||||
rpz-log-name: "rpz4.example.com"
|
||||
rpz-action-override: "drop"
|
||||
zonefile:
|
||||
TEMPFILE_NAME rpz4.example.com
|
||||
TEMPFILE_CONTENTS rpz4.example.com
|
||||
$ORIGIN example.com.
|
||||
rpz4 3600 IN SOA ns1.rpz4.example.com. hostmaster.rpz4.example.com. (
|
||||
1379078166 28800 7200 604800 7200 )
|
||||
3600 IN NS ns1.rpz4.example.com.
|
||||
3600 IN NS ns2.rpz4.example.com.
|
||||
$ORIGIN rpz4.example.com.
|
||||
32.5.5.0.192.rpz-client-ip A 1.2.3.5
|
||||
32.6.5.0.192.rpz-client-ip A 1.2.3.5
|
||||
TEMPFILE_END
|
||||
|
||||
rpz:
|
||||
name: "rpz5.example.com."
|
||||
rpz-log: yes
|
||||
rpz-log-name: "rpz5.example.com"
|
||||
rpz-action-override: "cname"
|
||||
rpz-cname-override: "target.a"
|
||||
zonefile:
|
||||
TEMPFILE_NAME rpz5.example.com
|
||||
TEMPFILE_CONTENTS rpz5.example.com
|
||||
$ORIGIN example.com.
|
||||
rpz5 3600 IN SOA ns1.rpz5.example.com. hostmaster.rpz5.example.com. (
|
||||
1379078166 28800 7200 604800 7200 )
|
||||
3600 IN NS ns1.rpz5.example.com.
|
||||
3600 IN NS ns2.rpz5.example.com.
|
||||
$ORIGIN rpz5.example.com.
|
||||
32.7.5.0.192.rpz-client-ip A 1.2.3.5
|
||||
TEMPFILE_END
|
||||
|
||||
rpz:
|
||||
name: "rpz6.example.com."
|
||||
rpz-log: yes
|
||||
rpz-log-name: "rpz6.example.com"
|
||||
rpz-action-override: "disabled"
|
||||
zonefile:
|
||||
TEMPFILE_NAME rpz6.example.com
|
||||
TEMPFILE_CONTENTS rpz6.example.com
|
||||
$ORIGIN example.com.
|
||||
rpz6 3600 IN SOA ns1.rpz6.example.com. hostmaster.rpz6.example.com. (
|
||||
1379078166 28800 7200 604800 7200 )
|
||||
3600 IN NS ns1.rpz6.example.com.
|
||||
3600 IN NS ns2.rpz6.example.com.
|
||||
$ORIGIN rpz6.example.com.
|
||||
32.8.5.0.192.rpz-client-ip A 1.2.3.5
|
||||
TEMPFILE_END
|
||||
|
||||
stub-zone:
|
||||
name: "a."
|
||||
stub-addr: 10.20.30.40
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test RPZ action override with trigger from clientip.
|
||||
|
||||
; a.
|
||||
RANGE_BEGIN 0 1000
|
||||
ADDRESS 10.20.30.40
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
d.a. IN A
|
||||
SECTION ANSWER
|
||||
d.a. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
target.a. IN A
|
||||
SECTION ANSWER
|
||||
target.a. IN A 1.2.3.6
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
STEP 10 QUERY ADDRESS 192.0.5.2
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
d.a. IN A
|
||||
ENTRY_END
|
||||
|
||||
STEP 11 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA AA NXDOMAIN
|
||||
SECTION QUESTION
|
||||
d.a. IN A
|
||||
SECTION ANSWER
|
||||
ENTRY_END
|
||||
|
||||
STEP 20 QUERY ADDRESS 192.0.5.1
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
d.a. IN A
|
||||
ENTRY_END
|
||||
|
||||
STEP 21 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA AA NXDOMAIN
|
||||
SECTION QUESTION
|
||||
d.a. IN A
|
||||
SECTION ANSWER
|
||||
ENTRY_END
|
||||
|
||||
STEP 30 QUERY ADDRESS 192.0.5.3
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
d.a. IN A
|
||||
ENTRY_END
|
||||
|
||||
STEP 31 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
d.a. IN A
|
||||
SECTION ANSWER
|
||||
d.a. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
STEP 40 QUERY ADDRESS 192.0.5.4
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
d.a. IN A
|
||||
ENTRY_END
|
||||
|
||||
STEP 41 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA AA NOERROR
|
||||
SECTION QUESTION
|
||||
d.a. IN A
|
||||
SECTION ANSWER
|
||||
ENTRY_END
|
||||
|
||||
STEP 50 QUERY ADDRESS 192.0.5.5
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
d.a. IN A
|
||||
ENTRY_END
|
||||
|
||||
STEP 51 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
d.a. IN A
|
||||
SECTION ANSWER
|
||||
d.a. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
STEP 60 QUERY ADDRESS 192.0.5.6
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
d.a. IN A
|
||||
ENTRY_END
|
||||
; dropped.
|
||||
|
||||
STEP 70 QUERY ADDRESS 192.0.5.7
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
d.a. IN A
|
||||
ENTRY_END
|
||||
|
||||
STEP 71 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA AA NOERROR
|
||||
SECTION QUESTION
|
||||
d.a. IN A
|
||||
SECTION ANSWER
|
||||
d.a. CNAME target.a.
|
||||
target.a. A 1.2.3.6
|
||||
ENTRY_END
|
||||
|
||||
STEP 80 QUERY ADDRESS 192.0.5.8
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
d.a. IN A
|
||||
ENTRY_END
|
||||
|
||||
STEP 81 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
d.a. IN A
|
||||
SECTION ANSWER
|
||||
d.a. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
Loading…
Reference in New Issue
Block a user