Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rec: correct appliedPolicyTrigger value for IP matches #10842

Merged
merged 5 commits into from Oct 18, 2021
Merged

rec: correct appliedPolicyTrigger value for IP matches #10842

merged 5 commits into from Oct 18, 2021

Conversation

omoerbeek
Copy link
Member

Short description

The key of the NetmaskTree contains the Netmask that matched and we can construct the trigger from it.

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)

@omoerbeek omoerbeek added this to the rec-4.6.0 milestone Oct 14, 2021
rgacogne
rgacogne reviewed Oct 15, 2021
View reviewed changes
pdns/filterpo.cc Outdated
Comment on lines 59 to 60
key = fnd->first;
pol = fnd->second;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it make sense to update the d_trigger field of the returned policy here, instead of exposing the internal key?

Suggested change
key = fnd->first;
pol = fnd->second;
const auto& key = fnd->first;
pol = fnd->second;
pol.d_trigger = Zone::maskToRPZ(key);

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, that is a good idea.

pdns/filterpo.cc Outdated Show resolved Hide resolved
pdns/recursordist/test-filterpo_cc.cc Outdated
DNSFilterEngine::Policy zonePolicy;
BOOST_CHECK(zone->findNSIPPolicy(nsIP, zonePolicy));
BOOST_CHECK(zone->findNSIPPolicy(nsIP, key, zonePolicy));
BOOST_CHECK(key == nsIP);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like all our tests are using an exact match (/32), perhaps we should test with at least one different mask? I know we do in the regression tests, though.

Copy link
Member Author

@omoerbeek omoerbeek Oct 15, 2021
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Extended the tests and found another case where the trigger value was not set properly: findExactNSPolicy.

Now I'm wondering if d_hit should be set in the find methods as well. Plus looking at the assignments to d_trigger in getQueryPolicy. They look redundant now.

@omoerbeek
Process review comments and extend unit tests
562c1c1
@omoerbeek
Also moved setting of hit value to find functions mostly.
f9de1f7 
In a few cases (wildcard processing) the matched value is not the
hit as seen by the find function and an overide is needed.
rgacogne
rgacogne approved these changes Oct 18, 2021
View reviewed changes
pdns/filterpo.cc Outdated
@@ -212,12 +222,9 @@ bool DNSFilterEngine::getProcessingPolicy(const ComboAddress& address, const std
continue;
}

Netmask key;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Leftover?

pdns/filterpo.cc Outdated
@@ -236,6 +243,7 @@ bool DNSFilterEngine::getClientPolicy(const ComboAddress& ca, const std::unorder
continue;
}

Netmask key;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Leftover as well?

pdns/filterpo.cc Outdated
@@ -355,10 +361,8 @@ bool DNSFilterEngine::getPostPolicy(const DNSRecord& record, const std::unordere
return false;
}

Netmask key;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Leftover?

pdns/filterpo.cc Outdated
return true;
}

for (const auto& wc : wcNames) {
if (z->findExactQNamePolicy(wc, pol)) {
// cerr<<"Had a hit on the name of the query"<<endl;
pol.d_trigger = wc;
// Hit is not arg to findExactQNamePolicy!
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// Hit is not arg to findExactQNamePolicy!
// Hit is not the wildcard passed to findExactQNamePolicy but the actual qname!

@omoerbeek omoerbeek merged commit d7104b9 into PowerDNS:master Oct 18, 2021
@omoerbeek omoerbeek deleted the rec-appliedPolicyTrigger-value branch October 18, 2021 11:53
@omoerbeek omoerbeek mentioned this pull request Oct 19, 2021
Merged
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rgacogne rgacogne rgacogne approved these changes

Assignees
No one assigned
Labels
defect rec
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@omoerbeek @rgacogne