Lines Matching defs:policy
971 dns_rpz_policy_t policy, dns_rpz_type_t type,
986 if (!disabled && policy != DNS_RPZ_POLICY_PASSTHRU) {
1015 dns_rpz_type2str(type), dns_rpz_policy2str(policy),
1080 * Get a policy rewrite zone database.
1100 * logging is disabled for some policy zones.
4269 st->m.policy = DNS_RPZ_POLICY_MISS;
4319 * the earliest configured policy zone (rpz->num)
4325 if (st->m.policy != DNS_RPZ_POLICY_MISS) {
4387 * to check the contents of that rrset for hits by eligible policy zones.
4422 st->m.policy = DNS_RPZ_POLICY_ERROR;
4430 st->m.policy = DNS_RPZ_POLICY_ERROR;
4445 st->m.policy = DNS_RPZ_POLICY_ERROR;
4500 * Compute a policy owner name, p_name, in a policy zone given the needed
4501 * policy type and the trigger name.
4516 * The policy owner name consists of a suffix depending on the type
4517 * and policy zone and a prefix that is the longest possible string
4518 * from the trigger name that keeps the resulting policy owner name
4576 * Look in policy zone rpz for a policy of rpz_type by p_name.
4578 * the target of a CNAME policy for the old style passthru encoding.
4579 * If found, the policy is recorded in *zonep, *dbp, *versionp, *nodep,
4582 * The caller must decide if the found policy is most suitable, including
4583 * better than a previously found policy.
4608 * request from the policy zone.
4698 * DNAME policy RRs have very few if any uses that are not
4704 * with a single policy zone when we have no summary database.
4721 dns_rpz_policy_t policy, dns_name_t *p_name, dns_rpz_prefix_t prefix,
4731 st->m.policy = policy;
4740 * Save the replacement rdataset from the policy
4754 * Check this address in every eligible policy zone.
4772 dns_rpz_policy_t policy;
4794 * Do not try applying policy zones that cannot replace a
4795 * previously found policy zone.
4800 if (st->m.policy != DNS_RPZ_POLICY_MISS) {
4810 * Get the policy for a prefix at least as long
4821 p_rdatasetp, &policy);
4825 * Continue after a policy record that is missing
4828 * policy zone updates.
4836 st->m.policy = DNS_RPZ_POLICY_ERROR;
4840 * Forget this policy if it is not preferable
4841 * to the previously found policy.
4842 * If this policy is not good, then stop looking
4843 * because none of the later policy zones would work.
4845 * With more than one applicable policy, prefer
4846 * the earliest configured policy,
4854 * reject this policy. If this policy can't work,
4857 if (st->m.policy != DNS_RPZ_POLICY_MISS &&
4866 * policy zone. The radix tree in the policy zone
4869 if (rpz->policy != DNS_RPZ_POLICY_DISABLED) {
4873 policy, p_name, prefix, result,
4881 * and try the next eligible policy zone.
4883 rpz_log_rewrite(client, ISC_TRUE, policy, rpz_type,
4894 * all eligible rpz_type (IP or NSIP) response policy rewrite rules.
4944 if (client->query.rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) {
4945 client->query.rpz_st->m.policy = DNS_RPZ_POLICY_ERROR;
4990 * that trigger all eligible IP or NSIP policy rules.
5068 dns_rpz_policy_t policy;
5081 * Use the summary database to find the bit mask of policy zones
5083 * is only one eligible policy zone so that wildcard triggers
5100 * Check the trigger name in every policy zone that the summary data
5105 * one policy zone.
5112 * Do not check policy zones that cannot replace a previously
5113 * found policy.
5116 if (st->m.policy != DNS_RPZ_POLICY_MISS) {
5125 * Get the next policy zone's record for this trigger name.
5134 rdatasetp, &policy);
5138 * Continue after a missing policy record
5141 * policy zone updates.
5149 st->m.policy = DNS_RPZ_POLICY_ERROR;
5153 * With more than one applicable policy, prefer
5154 * the earliest configured policy,
5160 if (st->m.policy != DNS_RPZ_POLICY_MISS &&
5172 * 24.0.3.2.10.rpz-ip. to find the policy rule for
5181 * policy. Check that we have not triggered on one
5200 if (rpz->policy != DNS_RPZ_POLICY_DISABLED) {
5204 policy, p_name, 0, result,
5208 * After a hit, higher numbered policy zones
5216 * and try the next eligible policy zone.
5218 rpz_log_rewrite(client, ISC_TRUE, policy, rpz_type,
5259 * Look for response policy zone QNAME, NSIP, and NSDNAME rewriting.
5310 st->m.policy = DNS_RPZ_POLICY_MISS;
5382 * Get bits for the policy zones that do not need
5436 * For example, consider 2 policy zones, both with qname and
5514 if (st->m.policy == DNS_RPZ_POLICY_ERROR)
5569 st->m.policy = DNS_RPZ_POLICY_ERROR;
5625 if (st->m.policy != DNS_RPZ_POLICY_MISS &&
5626 st->m.policy != DNS_RPZ_POLICY_ERROR &&
5627 st->m.rpz->policy != DNS_RPZ_POLICY_GIVEN)
5628 st->m.policy = st->m.rpz->policy;
5629 if (st->m.policy == DNS_RPZ_POLICY_MISS ||
5630 st->m.policy == DNS_RPZ_POLICY_PASSTHRU ||
5631 st->m.policy == DNS_RPZ_POLICY_ERROR) {
5632 if (st->m.policy == DNS_RPZ_POLICY_PASSTHRU &&
5634 rpz_log_rewrite(client, ISC_FALSE, st->m.policy,
5639 if (st->m.policy == DNS_RPZ_POLICY_ERROR) {
5640 CTRACE(ISC_LOG_ERROR, "SERVFAIL due to RPZ policy");
5652 * See if response policy zone rewriting is allowed by a lack of interest
5757 rpz_log_rewrite(client, ISC_FALSE, st->m.policy,
5763 * response policy zone cannot verify.
6777 * Has response policy changed out from under us?
7252 if (rpz_st->m.policy != DNS_RPZ_POLICY_MISS)
7254 if (rpz_st->m.policy != DNS_RPZ_POLICY_MISS &&
7255 rpz_st->m.policy != DNS_RPZ_POLICY_PASSTHRU &&
7256 (rpz_st->m.policy != DNS_RPZ_POLICY_TCP_ONLY ||
7258 rpz_st->m.policy != DNS_RPZ_POLICY_ERROR)
7284 switch (rpz_st->m.policy) {
7292 rpz_st->m.policy,
7300 rpz_st->m.policy,
7354 * response-policy statement
7370 * response policy zone cannot verify.
7377 rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy,