unbound 1.15.0: A rpz-passthru action is not ending RPZ zone processing

[pettai]

Describe the bug
It seems that even thought "hiting" a rpz-passthru in a RPZ zone, unbound continues to process matching against the after-coming RPZ zones (removing the possibility to override entries in after-coming RPZ zones):

Feb 15 12:49:08 punoqun unbound: [31724:2] info: rpz: applied [wl.zone] api.zoomeye.org. rpz-passthru ::1@48753 api.zoomeye.org. A IN
Feb 15 12:49:08 punoqun unbound: [31724:2] info: RPZ applied [zone3.misc.rpz] 168.80.0.0/15 rpz-nxdomain ::1@48753 api.zoomeye.org. A IN

To reproduce
Run unbound with simple RPZ configuration:

rpz:
	name: "wl.zone"
	zonefile: "/etc/unbound/rpz/wl.zone"
	#rpz-action-override: passthru    # this option doesn't make a difference in this case
	rpz-log: yes
	rpz-log-name: wl.zone

rpz:
	name: "zone3.misc.rpz.switch.ch."
	zonefile: "/etc/unbound/rpz/zone3.misc.rpz.switch.ch.zone"
	master: localhost@5353
	rpz-action-override: nxdomain   # this is needed as default action points at a web page
	rpz-log: yes
	rpz-log-name: zone3.misc.rpz

Expected behavior
A rpz-passthru hit should end all further RPZ zone processing.
(However this is a tricky one as the QNAME is whitelisted but the hit is on the response IP...)

System:

• Unbound version: 1.15.0 release
• OS: Ubuntu 18.04
• unbound -V output:

Version 1.15.0

Configure line: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --libexecdir=${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --disable-rpath --with-pidfile=/run/unbound.pid --with-rootkey-file=/var/lib/unbound/root.key --with-libevent --with-libhiredis --with-libnghttp2 --with-pythonmodule --enable-cachedb --enable-subnet --enable-dnstap --enable-systemd --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --libdir=/usr/lib
Linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL 1.1.1  11 Sep 2018
Linked modules: dns64 python cachedb subnetcache respip validator iterator

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues

[wcawijngaards]

Thanks for the report, fixed it! The issue was that the passthru would work correctly, also between RPZ zones, but only within a particular callback. It needed to be kept stored in a member variable to be used in subsequent callbacks, this is what caused the failure with another RPZ action applied at the later callback in the problem you found.

[pettai]

I looked a little more on the blocked domain:

host:~$ host api.zoomeye.org
api.zoomeye.org is an alias for 15dcd082f081e272.cdn.jiashule.com.
15dcd082f081e272.cdn.jiashule.com has address 160.116.186.18
15dcd082f081e272.cdn.jiashule.com has address 118.143.194.182
host:~$ host 15dcd082f081e272.cdn.jiashule.com.
15dcd082f081e272.cdn.jiashule.com has address 160.116.186.18
15dcd082f081e272.cdn.jiashule.com has address 168.80.171.96
host:~$ host 15dcd082f081e272.cdn.jiashule.com.
15dcd082f081e272.cdn.jiashule.com has address 160.116.186.18
15dcd082f081e272.cdn.jiashule.com has address 118.143.194.182

I tried to add the CNAME to wl.zone too, but the result becomes the same

Feb 15 15:14:45 punoqun unbound: [31724:0] info: rpz: applied [wl.zone] 15dcd082f081e272.cdn.jiashule.com. rpz-passthru ::1@44696 15dcd082f081e272.cdn.jiashule.com. A IN
Feb 15 15:14:45 punoqun unbound: [31724:0] info: RPZ applied [zone3.misc.rpz] 168.80.0.0/15 rpz-nxdomain ::1@44696 15dcd082f081e272.cdn.jiashule.com. A IN

[pettai]

Hmm... I cherry-picked your patch and rebuilt unbound, but it still fails:

Feb 15 17:29:08 punoqun unbound: [7141:2] info: rpz: applied [wl.zone] 15dcd082f081e272.cdn.jiashule.com. rpz-passthru 127.0.0.1@51845 15dcd082f081e272.cdn.jiashule.com. A IN
Feb 15 17:29:09 punoqun unbound: [7141:0] info: rpz: applied [wl.zone] 15dcd082f081e272.cdn.jiashule.com. rpz-passthru ::1@44696 15dcd082f081e272.cdn.jiashule.com. A IN
Feb 15 17:29:09 punoqun unbound: [7141:2] info: RPZ applied [zone3.misc.rpz] 168.80.0.0/15 rpz-nxdomain 127.0.0.1@51845 15dcd082f081e272.cdn.jiashule.com. A IN
Feb 15 17:29:09 punoqun unbound: [7141:0] info: RPZ applied [zone3.misc.rpz] 160.116.0.0/15 rpz-nxdomain ::1@44696 15dcd082f081e272.cdn.jiashule.com. A IN

@wcawijngaards any Ideas?

[wcawijngaards]

So I reproduced it with a different code path, and the exact configuration that you used missed out. Fixed that in the commit and now it works also for qname trigger from the rpz localzone type. Thanks for the detailed report! I needed to know the exact rpz triggers that did not set the passthru correctly.