- Fix rpz tcp-only action with rpz triggers nsdname and nsip.

doc/Changelog

@@ -1,3 +1,6 @@
+18 September 2023: Wouter
+	- Fix rpz tcp-only action with rpz triggers nsdname and nsip.
+
 15 September 2023: Wouter
 	- Merge #936: Check for c99 with autoconf versions prior to 2.70.
 	- Fix to remove two c99 notations.

services/mesh.c

@@ -1224,11 +1224,12 @@ static inline int
 mesh_is_rpz_respip_tcponly_action(struct mesh_state const* m)
 {
 	struct respip_action_info const* respip_info = m->s.respip_action_info;
-	return respip_info == NULL
+	return (respip_info == NULL
 			? 0
 			: (respip_info->rpz_used
 			&& !respip_info->rpz_disabled
-			&& respip_info->action == respip_truncate);
+			&& respip_info->action == respip_truncate))
+		|| m->s.tcp_required;
 }
 
 static inline int

services/rpz.c

@@ -2162,7 +2162,7 @@ rpz_apply_nsip_trigger(struct module_qstate* ms, struct rpz* r,
 	case RPZ_TCP_ONLY_ACTION:
 		/* basically a passthru here but the tcp-only will be
 		 * honored before the query gets sent. */
-		ms->respip_action_info->action = respip_truncate;
+		ms->tcp_required = 1;
 		ret = NULL;
 		break;
 	case RPZ_DROP_ACTION:
@@ -2217,7 +2217,7 @@ rpz_apply_nsdname_trigger(struct module_qstate* ms, struct rpz* r,
 	case RPZ_TCP_ONLY_ACTION:
 		/* basically a passthru here but the tcp-only will be
 		 * honored before the query gets sent. */
-		ms->respip_action_info->action = respip_truncate;
+		ms->tcp_required = 1;
 		ret = NULL;
 		break;
 	case RPZ_DROP_ACTION:
@@ -2428,7 +2428,7 @@ struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* ms,
 	case RPZ_TCP_ONLY_ACTION:
 		/* basically a passthru here but the tcp-only will be
 		 * honored before the query gets sent. */
-		ms->respip_action_info->action = respip_truncate;
+		ms->tcp_required = 1;
 		ret = NULL;
 		break;
 	case RPZ_DROP_ACTION:

testdata/rpz_nsdname.rpl

@@ -225,6 +225,36 @@ ENTRY_END
 
 RANGE_END
 
+; dd. ------------------------------------------------------------------------
+RANGE_BEGIN 0 100
+	ADDRESS 8.8.3.8
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+dd. IN NS
+SECTION ANSWER
+dd. IN NS ns1.dd.
+SECTION ADDITIONAL
+ns1.dd. IN A 8.8.3.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+gotham.dd. IN A
+SECTION AUTHORITY
+gotham.dd.	IN NS	ns1.gotham.dd.
+SECTION ADDITIONAL
+ns1.gotham.dd. IN A 192.0.3.1
+ENTRY_END
+
+RANGE_END
+
 ; ff. ------------------------------------------------------------------------
 RANGE_BEGIN 0 100
 	ADDRESS 8.8.6.8
@@ -303,6 +333,22 @@ ENTRY_END
 
 RANGE_END
 
+; ns1.gotham.dd. -------------------------------------------------------------
+RANGE_BEGIN 0 100
+	ADDRESS 192.0.3.1
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+gotham.dd. IN A
+SECTION ANSWER
+gotham.dd. IN A 192.0.3.2
+ENTRY_END
+
+RANGE_END
+
 ; ns1.gotham.ff. -------------------------------------------------------------
 RANGE_BEGIN 0 100
 	ADDRESS 192.0.5.1
@@ -387,4 +433,39 @@ SECTION ANSWER
 gotham.ff. IN A 127.0.0.1
 ENTRY_END
 
+STEP 40 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+gotham.dd. IN A
+ENTRY_END
+
+; should come back truncated because TCP is required.
+STEP 41 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA TC NOERROR
+SECTION QUESTION
+gotham.dd. IN A
+SECTION ANSWER
+ENTRY_END
+
+STEP 42 QUERY
+ENTRY_BEGIN
+MATCH TCP
+REPLY RD
+SECTION QUESTION
+gotham.dd. IN A
+ENTRY_END
+
+STEP 43 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all TCP
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+gotham.dd. IN A
+SECTION ANSWER
+gotham.dd. IN A 192.0.3.2
+ENTRY_END
+
 SCENARIO_END

util/module.h

@@ -691,6 +691,8 @@ struct module_qstate {
 	struct respip_action_info* respip_action_info;
 	/** if the query is rpz passthru, no further rpz processing for it */
 	int rpz_passthru;
+	/* Flag tcp required. */
+	int tcp_required;
 
 	/** whether the reply should be dropped */
 	int is_drop;