These are chat archives for CZ-NIC/knot-resolver

12th Jul 2018
Robert Šefr
@robcza
Jul 12 2018 16:14

@vcunat thank you a lot, the suffix really is easier and works fine. Got me further, but experienced weird behavior with views, as I would like to use this policy in particular views.
The following works fine (queries to *.lan are forwarded when sent from localhost):
view:addr('127.0.0.1/32', policy.suffix(policy.STUB('10.10.0.1'), {todname('lan.')}))

This works fine as well, it sends all the PTR queries to the 10.0.0.0/8 subnet to the 10.10.0.1 server
policy.add(policy.suffix(policy.STUB('10.10.0.1'), {todname('10.in-addr.arpa')}))

However I need to forward just from chosen IP addresses and the view does not actually work (I'm getting the message "Blocking is mandated by standards...")
view:addr('127.0.0.1/32', policy.suffix(policy.STUB('10.10.0.1'), {todname('10.in-addr.arpa')}))

Could it be that the default policy has higher priority than the view?

Vladimír Čunát
@vcunat
Jul 12 2018 16:19
Modules make a list, and their equivalent phases are executed in that order. You can specify order on loading, e.g. modules = { 'view < policy' }, but I expect the problem is that policy won't consider whether view took an action before it and will block the query anyway.
Maybe I would set STUB from policy and block lan. in view unless in allowed subnet.
(I expect that to work in either ordering of the two modules.)
Robert Šefr
@robcza
Jul 12 2018 16:24
Just tested modules = { 'view < policy' } and it is indeed blocked as well. Will test the reversed logic, still not used to it, but it can actually lead to the solution.
Vladimír Čunát
@vcunat
Jul 12 2018 16:24
I wonder if on the whole this would be simpler if the modules were merged and there was only a single ordered list of "policy/view" rules.
Robert Šefr
@robcza
Jul 12 2018 16:26
well, from my point of view, a policy is just a view for a 0.0.0.0/0 range
Vladimír Čunát
@vcunat
Jul 12 2018 16:28
:+1:
Robert Šefr
@robcza
Jul 12 2018 21:31

Got it. Bit tricky to set up, but it now works fine and is easy to modify:

policy.add(policy.suffix(policy.STUB('10.10.0.1'), {todname('10.in-addr.arpa')}))
view:addr('127.0.0.1/32', policy.suffix(policy.PASS, {todname('10.in-addr.arpa.')}))
view:addr('0.0.0.0/0', policy.suffix(policy.DENY, {todname('10.in-addr.arpa.')}))

This configuration snippet will forward PTR requests for the local subnet from 127.0.0.1 to 10.10.0.1. More source subnets can be easily added by adding more lines like the second one before the last one.
Thanks for pointing me in the right direction @vcunat