Allow Lua access to the result of the Policy Engine decision, skip RPZ #4324

Merged
merged 31 commits into from Aug 26, 2016

Projects

None yet

3 participants

@rgacogne
Member

This PR includes and supersedes #4236 with:

  • a new prerpz hook allowing to completely disable the processing filtering policies by setting wantsRPZ to false, or to disable only selected policies by using dq:discardPolicy(policyname)
  • fix the recursor regression tests
  • actually fails if the recursor regression tests fail
@pieterlexis pieterlexis commented on an outdated diff Aug 23, 2016
pdns/pdns_recursor.cc
@@ -730,11 +730,8 @@ void startDoResolve(void *p)
if(!g_quiet || tracedQuery) {
L<<Logger::Warning<<t_id<<" ["<<MT->getTid()<<"/"<<MT->numProcesses()<<"] " << (dc->d_tcp ? "TCP " : "") << "question for '"<<dc->d_mdp.d_qname<<"|"
<<DNSRecordContent::NumberToType(dc->d_mdp.d_qtype)<<"' from "<<dc->getRemote();
-#ifdef HAVE_PROTOBUF
@pieterlexis
pieterlexis Aug 23, 2016 edited Member

@rgacogne Judging by our IRC convo on ECS a few days ago (and the failed CentOS6 build for this branch), this will break when compiling without on non-protobuf. Could you revert this commit?

@rgacogne
Member

Good catch, reverted.

@pieterlexis pieterlexis commented on an outdated diff Aug 23, 2016
pdns/filterpo.cc
if(iter != polmap.end()) {
- pol=iter->second;
- return true;
+ pol=iter->second;
+ return true;
}
@pieterlexis
pieterlexis Aug 23, 2016 Member

needs an s.chopOff() in the if(first) block.. otherwise we will test *.full.domain.name for full.domain.name as well

pieterlexis and others added some commits Jul 22, 2016
@pieterlexis @rgacogne pieterlexis lua-recursor4.cc: whitespace fixes 805f3e0
@pieterlexis @rgacogne pieterlexis Recursor: Always log EDNS clientsubnet in trace 480f553
@pieterlexis @rgacogne pieterlexis pdns_recursor.cc: Move comment to the right place 54be222
@pieterlexis @rgacogne pieterlexis Allow Lua to modify the RPZ decision
in preResolve() and postResolve(), the user can now modify the whole
appliedPolicy. For clarity, the appliedPolicy elements have been named
policySomething. one can set the policyKind with the helper
pdns.policykinds.Name.

When the query is not marked as 'handled' by the Lua function, the
(possibly modified) policy is applied to the query.
db486de
@pieterlexis @rgacogne pieterlexis RPZ: Always set the policy name
For slaved zones, set it to the name of the zone by default. For
file-based RPZs, use "rpzFile";
0022e5e
@pieterlexis @rgacogne pieterlexis RPZ: filter correctly by name
Closes #4086
5678437
@pieterlexis @rgacogne pieterlexis Add basic RPZ tests 6de632a
@pieterlexis @rgacogne pieterlexis Add RPZ lua tests baa13bf
@pieterlexis @rgacogne pieterlexis RPZ tests: add test for #4086 6e39dfd
@pieterlexis @rgacogne pieterlexis RPZ: Add metrics for the Policy Engine
Closes #2895
7a25883
@pieterlexis @rgacogne pieterlexis RPZ: Implement NSDNAME and NSIP RPZ capabilities
Closes #2897

This also adds an extra bool 'wantsRPZ' to the Lua engine so RPZ
processing can be disabled for queries (Closes #4226).

Furthermore, IPv6 for RPZ is implemented.
b8470ad
@pieterlexis @rgacogne pieterlexis RPZ: Tests for wantsRPZ override, NSDNAME and NSIP 3ad9140
@rgacogne rgacogne rec: Add a 'prerpz' hook to be able to discard selected RPZ policies 0a27305
@rgacogne rgacogne Minor indentation fixes in `loadRecursorLuaConfig()` fdd86ca
@rgacogne rgacogne `protobufLogQuery()` never actually gets an applied policy 07ebe7c
@rgacogne rgacogne Add documentation for the `prerpz` hook b92bc9a
@rgacogne rgacogne Add regression tests for prerpz 528a3e7
@pieterlexis @rgacogne pieterlexis Recursor tests: Fail on failed tests 9ddecb7
@pieterlexis @rgacogne pieterlexis Recursor tests: we use bashisms now aba6c82
@pieterlexis @rgacogne pieterlexis recursor regression tests: have the socket live in /tmp 2a6da08
@rgacogne rgacogne Fix hardcoded prefix in lowercase-outgoing test ab92081
@rgacogne rgacogne Actually fail on failed recursor tests 5aa8336
@rgacogne rgacogne Fix hardcoded prefix in auth-zone-delegation test 9826e24
@rgacogne rgacogne Recursor config for the regression tests is still in configs 76419f7
@rgacogne rgacogne Fix counting of `rec_control help` elements and grep syntax d122f7d
@rgacogne rgacogne rec: Fix rec_control man page tests 7194cb6
@rgacogne rgacogne Revert "Recursor: Always log EDNS clientsubnet in trace"
This reverts commit 601b188.

`dc->d_ednssubnet` is only available when protobuf support is enabled.
6e986f5
@pieterlexis @rgacogne pieterlexis fix subtle bug in findNamedPolicy bef458b
@rgacogne rgacogne rec: The prerpz hook didn't return anything when compiled w/o Lua 711b92d
@pieterlexis pieterlexis The return value for prerpz is unused adbb5ce
@rgacogne rgacogne Merge pull request #3 from pieterlexis/lua-RPZ-discard-rebased-doc-up…
…date

The return value for prerpz is unused
dfe46fe
@ahupowerdns ahupowerdns merged commit 405ceb7 into PowerDNS:master Aug 26, 2016

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
Details
@rgacogne rgacogne deleted the rgacogne:lua-RPZ-discard-rebased branch Aug 26, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment