mirror of
https://github.com/NLnetLabs/unbound.git
synced 2024-09-21 06:37:08 +00:00
- add always_deny action, use this one for RPZ
- use localzone's memory layout when removing rr from rrset
This commit is contained in:
parent
a16111d471
commit
ccb576f95e
@ -195,6 +195,8 @@ respip_action_cfg(struct respip_set* set, const char* ipstr,
|
|||||||
action = respip_always_nxdomain;
|
action = respip_always_nxdomain;
|
||||||
else if(strcmp(actnstr, "always_nodata") == 0)
|
else if(strcmp(actnstr, "always_nodata") == 0)
|
||||||
action = respip_always_nodata;
|
action = respip_always_nodata;
|
||||||
|
else if(strcmp(actnstr, "always_deny") == 0)
|
||||||
|
action = respip_always_deny;
|
||||||
else {
|
else {
|
||||||
log_err("unknown response-ip action %s", actnstr);
|
log_err("unknown response-ip action %s", actnstr);
|
||||||
return 0;
|
return 0;
|
||||||
@ -962,6 +964,7 @@ respip_rewrite_reply(const struct query_info* qinfo,
|
|||||||
&& action != respip_always_transparent
|
&& action != respip_always_transparent
|
||||||
&& action != respip_always_nxdomain
|
&& action != respip_always_nxdomain
|
||||||
&& action != respip_always_nodata
|
&& action != respip_always_nodata
|
||||||
|
&& action != respip_always_deny
|
||||||
&& (result = respip_data_answer(action,
|
&& (result = respip_data_answer(action,
|
||||||
(data) ? data : raddr->data, qinfo->qtype, rep,
|
(data) ? data : raddr->data, qinfo->qtype, rep,
|
||||||
rrset_id, new_repp, tag, tag_datas, tag_datas_size,
|
rrset_id, new_repp, tag, tag_datas, tag_datas_size,
|
||||||
@ -1080,9 +1083,11 @@ respip_operate(struct module_qstate* qstate, enum module_ev event, int id,
|
|||||||
} else {
|
} else {
|
||||||
qstate->respip_action_info = NULL;
|
qstate->respip_action_info = NULL;
|
||||||
}
|
}
|
||||||
if (new_rep == qstate->return_msg->rep &&
|
if (actinfo.action == respip_always_deny ||
|
||||||
|
(new_rep == qstate->return_msg->rep &&
|
||||||
(actinfo.action == respip_deny ||
|
(actinfo.action == respip_deny ||
|
||||||
actinfo.action == respip_inform_deny)) {
|
actinfo.action == respip_deny ||
|
||||||
|
actinfo.action == respip_inform_deny))) {
|
||||||
/* for deny-variant actions (unless response-ip
|
/* for deny-variant actions (unless response-ip
|
||||||
* data is applied), mark the query state so
|
* data is applied), mark the query state so
|
||||||
* the response will be dropped for all
|
* the response will be dropped for all
|
||||||
@ -1283,7 +1288,7 @@ respip_inform_print(struct respip_action_info* respip_actinfo, uint8_t* qname,
|
|||||||
txtlen += snprintf(txt+txtlen, sizeof(txt)-txtlen,
|
txtlen += snprintf(txt+txtlen, sizeof(txt)-txtlen,
|
||||||
"[%s] ", respip_actinfo->log_name);
|
"[%s] ", respip_actinfo->log_name);
|
||||||
}
|
}
|
||||||
txtlen += snprintf(txt+txtlen, sizeof(txt)-txtlen,
|
snprintf(txt+txtlen, sizeof(txt)-txtlen,
|
||||||
"%s/%d %s %s@%u", respip, respip_addr->net,
|
"%s/%d %s %s@%u", respip, respip_addr->net,
|
||||||
(actionstr) ? actionstr : "inform", srcip, port);
|
(actionstr) ? actionstr : "inform", srcip, port);
|
||||||
if(actionstr)
|
if(actionstr)
|
||||||
|
@ -394,6 +394,27 @@ rrset_insert_rr(struct regional* region, struct packed_rrset_data* pd,
|
|||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/** Delete RR from local-zone RRset, wastes memory as the deleted RRs cannot be
|
||||||
|
* free'd (regionally alloc'd) */
|
||||||
|
int
|
||||||
|
local_rrset_remove_rr(struct packed_rrset_data* pd, size_t index)
|
||||||
|
{
|
||||||
|
if(index >= pd->count) {
|
||||||
|
log_warn("Trying to remove RR with out of bound index");
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
if(index - 1 < pd->count) {
|
||||||
|
/* not removing last element */
|
||||||
|
size_t nexti = index + 1;
|
||||||
|
size_t num = pd->count - nexti;
|
||||||
|
memcpy(pd->rr_len+index, pd->rr_len+nexti, sizeof(*pd->rr_len)*num);
|
||||||
|
memcpy(pd->rr_ttl+index, pd->rr_ttl+nexti, sizeof(*pd->rr_ttl)*num);
|
||||||
|
memcpy(pd->rr_data+index, pd->rr_data+nexti, sizeof(*pd->rr_data)*num);
|
||||||
|
}
|
||||||
|
pd->count--;
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
struct local_data*
|
struct local_data*
|
||||||
local_zone_find_data(struct local_zone* z, uint8_t* nm, size_t nmlen, int nmlabs)
|
local_zone_find_data(struct local_zone* z, uint8_t* nm, size_t nmlen, int nmlabs)
|
||||||
{
|
{
|
||||||
@ -1447,7 +1468,9 @@ local_zones_zone_answer(struct local_zone* z, struct module_env* env,
|
|||||||
struct comm_reply* repinfo, sldns_buffer* buf, struct regional* temp,
|
struct comm_reply* repinfo, sldns_buffer* buf, struct regional* temp,
|
||||||
struct local_data* ld, enum localzone_type lz_type)
|
struct local_data* ld, enum localzone_type lz_type)
|
||||||
{
|
{
|
||||||
if(lz_type == local_zone_deny || lz_type == local_zone_inform_deny) {
|
if(lz_type == local_zone_deny ||
|
||||||
|
lz_type == local_zone_always_deny ||
|
||||||
|
lz_type == local_zone_inform_deny) {
|
||||||
/** no reply at all, signal caller by clearing buffer. */
|
/** no reply at all, signal caller by clearing buffer. */
|
||||||
sldns_buffer_clear(buf);
|
sldns_buffer_clear(buf);
|
||||||
sldns_buffer_flip(buf);
|
sldns_buffer_flip(buf);
|
||||||
@ -1655,6 +1678,7 @@ local_zones_answer(struct local_zones* zones, struct module_env* env,
|
|||||||
&& lzt != local_zone_always_transparent
|
&& lzt != local_zone_always_transparent
|
||||||
&& lzt != local_zone_always_nxdomain
|
&& lzt != local_zone_always_nxdomain
|
||||||
&& lzt != local_zone_always_nodata
|
&& lzt != local_zone_always_nodata
|
||||||
|
&& lzt != local_zone_always_deny
|
||||||
&& local_data_answer(z, env, qinfo, edns, repinfo, buf, temp, labs,
|
&& local_data_answer(z, env, qinfo, edns, repinfo, buf, temp, labs,
|
||||||
&ld, lzt, tag, tag_datas, tag_datas_size, tagname, num_tags)) {
|
&ld, lzt, tag, tag_datas, tag_datas_size, tagname, num_tags)) {
|
||||||
lock_rw_unlock(&z->lock);
|
lock_rw_unlock(&z->lock);
|
||||||
@ -1685,6 +1709,7 @@ const char* local_zone_type2str(enum localzone_type t)
|
|||||||
case local_zone_always_refuse: return "always_refuse";
|
case local_zone_always_refuse: return "always_refuse";
|
||||||
case local_zone_always_nxdomain: return "always_nxdomain";
|
case local_zone_always_nxdomain: return "always_nxdomain";
|
||||||
case local_zone_always_nodata: return "always_nodata";
|
case local_zone_always_nodata: return "always_nodata";
|
||||||
|
case local_zone_always_deny: return "always_deny";
|
||||||
case local_zone_noview: return "noview";
|
case local_zone_noview: return "noview";
|
||||||
case local_zone_invalid: return "invalid";
|
case local_zone_invalid: return "invalid";
|
||||||
}
|
}
|
||||||
@ -1719,6 +1744,8 @@ int local_zone_str2type(const char* type, enum localzone_type* t)
|
|||||||
*t = local_zone_always_nxdomain;
|
*t = local_zone_always_nxdomain;
|
||||||
else if(strcmp(type, "always_nodata") == 0)
|
else if(strcmp(type, "always_nodata") == 0)
|
||||||
*t = local_zone_always_nodata;
|
*t = local_zone_always_nodata;
|
||||||
|
else if(strcmp(type, "always_deny") == 0)
|
||||||
|
*t = local_zone_always_deny;
|
||||||
else if(strcmp(type, "noview") == 0)
|
else if(strcmp(type, "noview") == 0)
|
||||||
*t = local_zone_noview;
|
*t = local_zone_noview;
|
||||||
else if(strcmp(type, "nodefault") == 0)
|
else if(strcmp(type, "nodefault") == 0)
|
||||||
|
@ -94,6 +94,8 @@ enum localzone_type {
|
|||||||
local_zone_always_nxdomain,
|
local_zone_always_nxdomain,
|
||||||
/** answer with noerror/nodata, even when there is local data */
|
/** answer with noerror/nodata, even when there is local data */
|
||||||
local_zone_always_nodata,
|
local_zone_always_nodata,
|
||||||
|
/** drop query, even when there is local data */
|
||||||
|
local_zone_always_deny,
|
||||||
/** answer not from the view, but global or no-answer */
|
/** answer not from the view, but global or no-answer */
|
||||||
local_zone_noview,
|
local_zone_noview,
|
||||||
/** Invalid type, cannot be used to generate answer */
|
/** Invalid type, cannot be used to generate answer */
|
||||||
@ -513,6 +515,15 @@ int rrstr_get_rr_content(const char* str, uint8_t** nm, uint16_t* type,
|
|||||||
int rrset_insert_rr(struct regional* region, struct packed_rrset_data* pd,
|
int rrset_insert_rr(struct regional* region, struct packed_rrset_data* pd,
|
||||||
uint8_t* rdata, size_t rdata_len, time_t ttl, const char* rrstr);
|
uint8_t* rdata, size_t rdata_len, time_t ttl, const char* rrstr);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Remove RR from rrset that is created using localzone's rrset_insert_rr.
|
||||||
|
* @param pd: the RRset containing the RR to remove
|
||||||
|
* @param index: index of RR to remove
|
||||||
|
* @return: 1 on success; 0 otherwise.
|
||||||
|
*/
|
||||||
|
int
|
||||||
|
local_rrset_remove_rr(struct packed_rrset_data* pd, size_t index);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Valid response ip actions for the IP-response-driven-action feature;
|
* Valid response ip actions for the IP-response-driven-action feature;
|
||||||
* defined here instead of in the respip module to enable sharing of enum
|
* defined here instead of in the respip module to enable sharing of enum
|
||||||
@ -543,6 +554,8 @@ enum respip_action {
|
|||||||
respip_always_nxdomain = local_zone_always_nxdomain,
|
respip_always_nxdomain = local_zone_always_nxdomain,
|
||||||
/** answer with nodata response */
|
/** answer with nodata response */
|
||||||
respip_always_nodata = local_zone_always_nodata,
|
respip_always_nodata = local_zone_always_nodata,
|
||||||
|
/** answer with nodata response */
|
||||||
|
respip_always_deny = local_zone_always_deny,
|
||||||
|
|
||||||
/* The rest of the values are only possible as
|
/* The rest of the values are only possible as
|
||||||
* access-control-tag-action */
|
* access-control-tag-action */
|
||||||
|
@ -197,7 +197,7 @@ rpz_action_to_localzone_type(enum rpz_action a)
|
|||||||
switch(a) {
|
switch(a) {
|
||||||
case RPZ_NXDOMAIN_ACTION: return local_zone_always_nxdomain;
|
case RPZ_NXDOMAIN_ACTION: return local_zone_always_nxdomain;
|
||||||
case RPZ_NODATA_ACTION: return local_zone_always_nodata;
|
case RPZ_NODATA_ACTION: return local_zone_always_nodata;
|
||||||
case RPZ_DROP_ACTION: return local_zone_deny;
|
case RPZ_DROP_ACTION: return local_zone_always_deny;
|
||||||
case RPZ_PASSTHRU_ACTION: return local_zone_always_transparent;
|
case RPZ_PASSTHRU_ACTION: return local_zone_always_transparent;
|
||||||
case RPZ_LOCAL_DATA_ACTION:
|
case RPZ_LOCAL_DATA_ACTION:
|
||||||
case RPZ_CNAME_OVERRIDE_ACTION:
|
case RPZ_CNAME_OVERRIDE_ACTION:
|
||||||
@ -215,7 +215,7 @@ rpz_action_to_respip_action(enum rpz_action a)
|
|||||||
switch(a) {
|
switch(a) {
|
||||||
case RPZ_NXDOMAIN_ACTION: return respip_always_nxdomain;
|
case RPZ_NXDOMAIN_ACTION: return respip_always_nxdomain;
|
||||||
case RPZ_NODATA_ACTION: return respip_always_nodata;
|
case RPZ_NODATA_ACTION: return respip_always_nodata;
|
||||||
case RPZ_DROP_ACTION: return respip_deny;
|
case RPZ_DROP_ACTION: return respip_always_deny;
|
||||||
case RPZ_PASSTHRU_ACTION: return respip_always_transparent;
|
case RPZ_PASSTHRU_ACTION: return respip_always_transparent;
|
||||||
case RPZ_LOCAL_DATA_ACTION:
|
case RPZ_LOCAL_DATA_ACTION:
|
||||||
case RPZ_CNAME_OVERRIDE_ACTION:
|
case RPZ_CNAME_OVERRIDE_ACTION:
|
||||||
@ -233,7 +233,7 @@ localzone_type_to_rpz_action(enum localzone_type lzt)
|
|||||||
switch(lzt) {
|
switch(lzt) {
|
||||||
case local_zone_always_nxdomain: return RPZ_NXDOMAIN_ACTION;
|
case local_zone_always_nxdomain: return RPZ_NXDOMAIN_ACTION;
|
||||||
case local_zone_always_nodata: return RPZ_NODATA_ACTION;
|
case local_zone_always_nodata: return RPZ_NODATA_ACTION;
|
||||||
case local_zone_deny: return RPZ_DROP_ACTION;
|
case local_zone_always_deny: return RPZ_DROP_ACTION;
|
||||||
case local_zone_always_transparent: return RPZ_PASSTHRU_ACTION;
|
case local_zone_always_transparent: return RPZ_PASSTHRU_ACTION;
|
||||||
case local_zone_redirect: return RPZ_LOCAL_DATA_ACTION;
|
case local_zone_redirect: return RPZ_LOCAL_DATA_ACTION;
|
||||||
case local_zone_invalid:
|
case local_zone_invalid:
|
||||||
@ -248,7 +248,7 @@ respip_action_to_rpz_action(enum respip_action a)
|
|||||||
switch(a) {
|
switch(a) {
|
||||||
case respip_always_nxdomain: return RPZ_NXDOMAIN_ACTION;
|
case respip_always_nxdomain: return RPZ_NXDOMAIN_ACTION;
|
||||||
case respip_always_nodata: return RPZ_NODATA_ACTION;
|
case respip_always_nodata: return RPZ_NODATA_ACTION;
|
||||||
case respip_deny: return RPZ_DROP_ACTION;
|
case respip_always_deny: return RPZ_DROP_ACTION;
|
||||||
case respip_always_transparent: return RPZ_PASSTHRU_ACTION;
|
case respip_always_transparent: return RPZ_PASSTHRU_ACTION;
|
||||||
case respip_redirect: return RPZ_LOCAL_DATA_ACTION;
|
case respip_redirect: return RPZ_LOCAL_DATA_ACTION;
|
||||||
case respip_invalid:
|
case respip_invalid:
|
||||||
@ -689,11 +689,8 @@ rpz_data_delete_rr(struct local_zone* z, uint8_t* policydname,
|
|||||||
|
|
||||||
}
|
}
|
||||||
if(d->count > 1) {
|
if(d->count > 1) {
|
||||||
struct packed_rrset_data* new;
|
if(!local_rrset_remove_rr(d, index))
|
||||||
new = packed_rrset_remove_rr(d, index, z->region);
|
|
||||||
if(!new)
|
|
||||||
return 0;
|
return 0;
|
||||||
p->rrset->entry.data = new;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -731,11 +728,8 @@ rpz_rrset_delete_rr(struct resp_addr* raddr, uint16_t rr_type, uint8_t* rdata,
|
|||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
if(d->count > 1) {
|
if(d->count > 1) {
|
||||||
struct packed_rrset_data* new;
|
if(!local_rrset_remove_rr(d, index))
|
||||||
new = packed_rrset_remove_rr(d, index, region);
|
|
||||||
if(!new)
|
|
||||||
return 0;
|
return 0;
|
||||||
raddr->data->entry.data = new;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return 0;
|
return 0;
|
||||||
|
@ -44,6 +44,7 @@
|
|||||||
|
|
||||||
#include "services/localzone.h"
|
#include "services/localzone.h"
|
||||||
#include "util/locks.h"
|
#include "util/locks.h"
|
||||||
|
#include "util/log.h"
|
||||||
#include "util/config_file.h"
|
#include "util/config_file.h"
|
||||||
#include "services/authzone.h"
|
#include "services/authzone.h"
|
||||||
#include "sldns/sbuffer.h"
|
#include "sldns/sbuffer.h"
|
||||||
|
378
testdata/rpz_ixfr.rpl
vendored
Normal file
378
testdata/rpz_ixfr.rpl
vendored
Normal file
@ -0,0 +1,378 @@
|
|||||||
|
; config options
|
||||||
|
server:
|
||||||
|
module-config: "respip validator iterator"
|
||||||
|
target-fetch-policy: "0 0 0 0 0"
|
||||||
|
qname-minimisation: no
|
||||||
|
|
||||||
|
rpz:
|
||||||
|
name: "rpz.example.com."
|
||||||
|
master: 10.20.30.40
|
||||||
|
zonefile:
|
||||||
|
TEMPFILE_NAME rpz.example.com
|
||||||
|
TEMPFILE_CONTENTS rpz.example.com
|
||||||
|
rpz.example.com. 3600 IN SOA ns.rpz.example.com. hostmaster.rpz.example.com. 1 3600 900 86400 3600
|
||||||
|
rpz.example.com. 3600 IN NS ns.rpz.example.net.
|
||||||
|
a.rpz.example.com. IN CNAME *.
|
||||||
|
c.rpz.example.com. IN TXT "hello from initial RPZ"
|
||||||
|
c.rpz.example.com. IN TXT "another hello from initial RPZ"
|
||||||
|
c.rpz.example.com. IN TXT "yet another hello from initial RPZ"
|
||||||
|
d.rpz.example.com. IN CNAME .
|
||||||
|
32.1.123.0.10.rpz-ip.rpz.example.com. CNAME *.
|
||||||
|
32.3.123.0.10.rpz-ip.rpz.example.com. A 10.66.0.3
|
||||||
|
32.3.123.0.10.rpz-ip.rpz.example.com. A 10.66.0.4
|
||||||
|
32.4.123.0.10.rpz-ip.rpz.example.com. CNAME .
|
||||||
|
TEMPFILE_END
|
||||||
|
|
||||||
|
stub-zone:
|
||||||
|
name: "."
|
||||||
|
stub-addr: 10.20.30.40
|
||||||
|
|
||||||
|
CONFIG_END
|
||||||
|
|
||||||
|
SCENARIO_BEGIN Test RPZ QNAME trigger, loaded using IXFR
|
||||||
|
|
||||||
|
RANGE_BEGIN 0 100
|
||||||
|
ADDRESS 10.20.30.40
|
||||||
|
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH opcode qname qtype
|
||||||
|
ADJUST copy_id
|
||||||
|
REPLY QR NOERROR AA
|
||||||
|
SECTION QUESTION
|
||||||
|
. IN NS
|
||||||
|
SECTION ANSWER
|
||||||
|
. IN NS ns.
|
||||||
|
SECTION ADDITIONAL
|
||||||
|
ns. IN NS 10.20.30.40
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH opcode qname qtype
|
||||||
|
ADJUST copy_id
|
||||||
|
REPLY QR NOERROR AA
|
||||||
|
SECTION QUESTION
|
||||||
|
b. IN TXT
|
||||||
|
SECTION ANSWER
|
||||||
|
b. TXT "hello from upstream"
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH opcode qname qtype
|
||||||
|
ADJUST copy_id
|
||||||
|
REPLY QR NOERROR AA
|
||||||
|
SECTION QUESTION
|
||||||
|
d. IN TXT
|
||||||
|
SECTION ANSWER
|
||||||
|
d. TXT "hello from upstream"
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH opcode qname qtype
|
||||||
|
ADJUST copy_id
|
||||||
|
REPLY QR NOERROR AA
|
||||||
|
SECTION QUESTION
|
||||||
|
a.rpz-ip. IN A
|
||||||
|
SECTION ANSWER
|
||||||
|
a.rpz-ip. IN A 10.0.123.1
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH opcode qname qtype
|
||||||
|
ADJUST copy_id
|
||||||
|
REPLY QR NOERROR AA
|
||||||
|
SECTION QUESTION
|
||||||
|
c.rpz-ip. IN A
|
||||||
|
SECTION ANSWER
|
||||||
|
c.rpz-ip. IN A 10.0.123.3
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH opcode qname qtype
|
||||||
|
ADJUST copy_id
|
||||||
|
REPLY QR NOERROR AA
|
||||||
|
SECTION QUESTION
|
||||||
|
d.rpz-ip. IN A
|
||||||
|
SECTION ANSWER
|
||||||
|
d.rpz-ip. IN A 10.0.123.4
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH opcode qname qtype
|
||||||
|
ADJUST copy_id
|
||||||
|
REPLY QR AA NOERROR
|
||||||
|
SECTION QUESTION
|
||||||
|
rpz.example.com. IN SOA
|
||||||
|
SECTION ANSWER
|
||||||
|
rpz.example.com. IN SOA ns.rpz.example.com. hostmaster.rpz.example.com. 2 3600 900 86400 3600
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH opcode qname qtype
|
||||||
|
ADJUST copy_id
|
||||||
|
REPLY QR AA NOERROR
|
||||||
|
SECTION QUESTION
|
||||||
|
rpz.example.com. IN IXFR
|
||||||
|
SECTION ANSWER
|
||||||
|
rpz.example.com. IN SOA ns.rpz.example.com. hostmaster.rpz.example.com. 2 3600 900 86400 3600
|
||||||
|
rpz.example.com. IN SOA ns.rpz.example.com. hostmaster.rpz.example.com. 1 3600 900 86400 3600
|
||||||
|
a.rpz.example.com. IN CNAME *.
|
||||||
|
c.rpz.example.com. IN TXT "hello from initial RPZ"
|
||||||
|
c.rpz.example.com. IN TXT "another hello from initial RPZ"
|
||||||
|
d.rpz.example.com. IN CNAME .
|
||||||
|
32.1.123.0.10.rpz-ip.rpz.example.com. CNAME *.
|
||||||
|
32.3.123.0.10.rpz-ip.rpz.example.com. A 10.66.0.3
|
||||||
|
32.3.123.0.10.rpz-ip.rpz.example.com. A 10.66.0.4
|
||||||
|
32.4.123.0.10.rpz-ip.rpz.example.com. CNAME .
|
||||||
|
rpz.example.com. IN SOA ns.rpz.example.com. hostmaster.rpz.example.com. 2 3600 900 86400 3600
|
||||||
|
b.rpz.example.com. TXT "hello from RPZ"
|
||||||
|
c.rpz.example.com. TXT "hello from RPZ"
|
||||||
|
a.rpz.example.com. CNAME .
|
||||||
|
32.1.123.0.10.rpz-ip.rpz.example.com. CNAME .
|
||||||
|
32.3.123.0.10.rpz-ip.rpz.example.com. A 10.66.0.5
|
||||||
|
32.3.123.0.10.rpz-ip.rpz.example.com. A 10.66.0.6
|
||||||
|
rpz.example.com. IN SOA ns.rpz.example.com. hostmaster.rpz.example.com. 2 3600 900 86400 3600
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
RANGE_END
|
||||||
|
|
||||||
|
STEP 1 QUERY
|
||||||
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
|
SECTION QUESTION
|
||||||
|
b. IN TXT
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 2 CHECK_ANSWER
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH all
|
||||||
|
REPLY QR RD RA NOERROR
|
||||||
|
SECTION QUESTION
|
||||||
|
b. IN TXT
|
||||||
|
SECTION ANSWER
|
||||||
|
b. IN TXT "hello from upstream"
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 3 QUERY
|
||||||
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
|
SECTION QUESTION
|
||||||
|
a. IN TXT
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 4 CHECK_ANSWER
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH all
|
||||||
|
REPLY QR RD RA AA NOERROR
|
||||||
|
SECTION QUESTION
|
||||||
|
a. IN TXT
|
||||||
|
SECTION ANSWER
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 5 QUERY
|
||||||
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
|
SECTION QUESTION
|
||||||
|
a.rpz-ip. IN A
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 6 CHECK_ANSWER
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH all
|
||||||
|
REPLY QR RD RA NOERROR
|
||||||
|
SECTION QUESTION
|
||||||
|
a.rpz-ip. IN A
|
||||||
|
SECTION ANSWER
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 7 QUERY
|
||||||
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
|
SECTION QUESTION
|
||||||
|
c. IN TXT
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 8 CHECK_ANSWER
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH all
|
||||||
|
REPLY QR RD RA AA NOERROR
|
||||||
|
SECTION QUESTION
|
||||||
|
c. IN TXT
|
||||||
|
SECTION ANSWER
|
||||||
|
c. IN TXT "yet another hello from initial RPZ"
|
||||||
|
c. IN TXT "another hello from initial RPZ"
|
||||||
|
c. IN TXT "hello from initial RPZ"
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 9 QUERY
|
||||||
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
|
SECTION QUESTION
|
||||||
|
c.rpz-ip. IN A
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 10 CHECK_ANSWER
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH all
|
||||||
|
REPLY QR RD RA NOERROR
|
||||||
|
SECTION QUESTION
|
||||||
|
c.rpz-ip. IN A
|
||||||
|
SECTION ANSWER
|
||||||
|
c.rpz-ip. IN A 10.66.0.4
|
||||||
|
c.rpz-ip. IN A 10.66.0.3
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 11 QUERY
|
||||||
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
|
SECTION QUESTION
|
||||||
|
d. IN TXT
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 12 CHECK_ANSWER
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH all
|
||||||
|
REPLY QR RD RA AA NXDOMAIN
|
||||||
|
SECTION QUESTION
|
||||||
|
d. IN TXT
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 13 QUERY
|
||||||
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
|
SECTION QUESTION
|
||||||
|
d.rpz-ip. IN A
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
|
||||||
|
STEP 15 CHECK_ANSWER
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH all
|
||||||
|
REPLY QR RD RA NXDOMAIN
|
||||||
|
SECTION QUESTION
|
||||||
|
d.rpz-ip. IN A
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 16 TIME_PASSES ELAPSE 1
|
||||||
|
STEP 30 TIME_PASSES ELAPSE 3600
|
||||||
|
STEP 40 TRAFFIC
|
||||||
|
|
||||||
|
STEP 50 QUERY
|
||||||
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
|
SECTION QUESTION
|
||||||
|
b. IN TXT
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 51 CHECK_ANSWER
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH all
|
||||||
|
REPLY QR RD RA AA NOERROR
|
||||||
|
SECTION QUESTION
|
||||||
|
b. IN TXT
|
||||||
|
SECTION ANSWER
|
||||||
|
b. IN TXT "hello from RPZ"
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 52 QUERY
|
||||||
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
|
SECTION QUESTION
|
||||||
|
a. IN TXT
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 53 CHECK_ANSWER
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH all
|
||||||
|
REPLY QR RD RA AA NXDOMAIN
|
||||||
|
SECTION QUESTION
|
||||||
|
a. IN TXT
|
||||||
|
SECTION ANSWER
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 54 QUERY
|
||||||
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
|
SECTION QUESTION
|
||||||
|
a.rpz-ip. IN A
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 55 CHECK_ANSWER
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH all
|
||||||
|
REPLY QR RD RA NXDOMAIN
|
||||||
|
SECTION QUESTION
|
||||||
|
a.rpz-ip. IN A
|
||||||
|
SECTION ANSWER
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 56 QUERY
|
||||||
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
|
SECTION QUESTION
|
||||||
|
c. IN TXT
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 57 CHECK_ANSWER
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH all
|
||||||
|
REPLY QR RD RA AA NOERROR
|
||||||
|
SECTION QUESTION
|
||||||
|
c. IN TXT
|
||||||
|
SECTION ANSWER
|
||||||
|
c. IN TXT "hello from RPZ"
|
||||||
|
c. IN TXT "yet another hello from initial RPZ"
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 58 QUERY
|
||||||
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
|
SECTION QUESTION
|
||||||
|
c.rpz-ip. IN A
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 59 CHECK_ANSWER
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH all
|
||||||
|
REPLY QR RD RA NOERROR
|
||||||
|
SECTION QUESTION
|
||||||
|
c.rpz-ip. IN A
|
||||||
|
SECTION ANSWER
|
||||||
|
c.rpz-ip. IN A 10.66.0.6
|
||||||
|
c.rpz-ip. IN A 10.66.0.5
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 60 QUERY
|
||||||
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
|
SECTION QUESTION
|
||||||
|
d. IN TXT
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 61 CHECK_ANSWER
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH all
|
||||||
|
REPLY QR RD RA NOERROR
|
||||||
|
SECTION QUESTION
|
||||||
|
d. IN TXT
|
||||||
|
SECTION ANSWER
|
||||||
|
d. IN TXT "hello from upstream"
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 62 QUERY
|
||||||
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
|
SECTION QUESTION
|
||||||
|
d.rpz-ip. IN A
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 63 CHECK_ANSWER
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH all
|
||||||
|
REPLY QR RD RA NOERROR
|
||||||
|
SECTION QUESTION
|
||||||
|
d.rpz-ip. IN A
|
||||||
|
SECTION ANSWER
|
||||||
|
d.rpz-ip. IN A 10.0.123.4
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
|
SCENARIO_END
|
19
testdata/rpz_qname_override.rpl
vendored
19
testdata/rpz_qname_override.rpl
vendored
@ -64,6 +64,16 @@ $ORIGIN rpz6.example.com.
|
|||||||
e TXT "should be override by cname"
|
e TXT "should be override by cname"
|
||||||
TEMPFILE_END
|
TEMPFILE_END
|
||||||
|
|
||||||
|
rpz:
|
||||||
|
name: "rpz7.example.com."
|
||||||
|
rpz-action-override: drop
|
||||||
|
zonefile:
|
||||||
|
TEMPFILE_NAME rpz7.example.com
|
||||||
|
TEMPFILE_CONTENTS rpz7.example.com
|
||||||
|
$ORIGIN rpz7.example.com.
|
||||||
|
f TXT "should be override by drop policy"
|
||||||
|
TEMPFILE_END
|
||||||
|
|
||||||
stub-zone:
|
stub-zone:
|
||||||
name: "d."
|
name: "d."
|
||||||
stub-addr: 10.20.30.40
|
stub-addr: 10.20.30.40
|
||||||
@ -175,4 +185,13 @@ e. IN CNAME d.
|
|||||||
d. IN TXT "answer from upstream ns"
|
d. IN TXT "answer from upstream ns"
|
||||||
ENTRY_END
|
ENTRY_END
|
||||||
|
|
||||||
|
; check drop override, would be localdata without override
|
||||||
|
STEP 60 QUERY
|
||||||
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
|
SECTION QUESTION
|
||||||
|
f. IN TXT
|
||||||
|
ENTRY_END
|
||||||
|
; no answer is checked at exit of testbound.
|
||||||
|
|
||||||
SCENARIO_END
|
SCENARIO_END
|
||||||
|
30
testdata/rpz_respip_override.rpl
vendored
30
testdata/rpz_respip_override.rpl
vendored
@ -64,6 +64,16 @@ $ORIGIN rpz6.example.com.
|
|||||||
32.6.113.0.203.rpz-ip A 192.0.2.6
|
32.6.113.0.203.rpz-ip A 192.0.2.6
|
||||||
TEMPFILE_END
|
TEMPFILE_END
|
||||||
|
|
||||||
|
rpz:
|
||||||
|
name: "rpz7.example.com."
|
||||||
|
rpz-action-override: drop
|
||||||
|
zonefile:
|
||||||
|
TEMPFILE_NAME rpz7.example.com
|
||||||
|
TEMPFILE_CONTENTS rpz7.example.com
|
||||||
|
$ORIGIN rpz7.example.com.
|
||||||
|
32.7.113.0.203.rpz-ip A 192.0.2.7
|
||||||
|
TEMPFILE_END
|
||||||
|
|
||||||
stub-zone:
|
stub-zone:
|
||||||
name: "."
|
name: "."
|
||||||
stub-addr: 10.20.30.40
|
stub-addr: 10.20.30.40
|
||||||
@ -146,6 +156,16 @@ SECTION ANSWER
|
|||||||
e. IN A 203.0.113.6
|
e. IN A 203.0.113.6
|
||||||
ENTRY_END
|
ENTRY_END
|
||||||
|
|
||||||
|
ENTRY_BEGIN
|
||||||
|
MATCH opcode qtype qname
|
||||||
|
ADJUST copy_id
|
||||||
|
REPLY QR NOERROR
|
||||||
|
SECTION QUESTION
|
||||||
|
f. IN A
|
||||||
|
SECTION ANSWER
|
||||||
|
f. IN A 203.0.113.7
|
||||||
|
ENTRY_END
|
||||||
|
|
||||||
RANGE_END
|
RANGE_END
|
||||||
|
|
||||||
STEP 1 QUERY
|
STEP 1 QUERY
|
||||||
@ -232,4 +252,14 @@ e. IN CNAME ns.
|
|||||||
ns. IN A 10.20.30.40
|
ns. IN A 10.20.30.40
|
||||||
ENTRY_END
|
ENTRY_END
|
||||||
|
|
||||||
|
STEP 11 QUERY
|
||||||
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
|
SECTION QUESTION
|
||||||
|
f. IN A
|
||||||
|
ENTRY_END
|
||||||
|
; no answer is checked at exit of testbound.
|
||||||
|
|
||||||
|
STEP 12 TIME_PASSES ELAPSE 10
|
||||||
|
|
||||||
SCENARIO_END
|
SCENARIO_END
|
||||||
|
Loading…
Reference in New Issue
Block a user