diff --git a/pdns/dnsdistdist/dnsdist-actions-factory.cc b/pdns/dnsdistdist/dnsdist-actions-factory.cc
index 6e0c19911746..da60abc75b75 100644
--- a/pdns/dnsdistdist/dnsdist-actions-factory.cc
+++ b/pdns/dnsdistdist/dnsdist-actions-factory.cc
@@ -397,7 +397,7 @@ class ERCodeAction : public DNSAction
 {
 public:
   ERCodeAction(uint8_t rcode, dnsdist::ResponseConfig responseConfig) :
-    d_responseConfig(std::move(responseConfig)), d_rcode(rcode)
+    d_responseConfig(responseConfig), d_rcode(rcode)
   {
   }
   DNSAction::Action operator()(DNSQuestion* dnsquestion, std::string* ruleresult) const override
@@ -463,9 +463,9 @@ class SpoofSVCAction : public DNSAction
 
 private:
   dnsdist::ResponseConfig d_responseConfig;
-  std::vector<std::vector<uint8_t>> d_payloads{};
-  std::set<std::pair<DNSName, ComboAddress>> d_additionals4{};
-  std::set<std::pair<DNSName, ComboAddress>> d_additionals6{};
+  std::vector<std::vector<uint8_t>> d_payloads;
+  std::set<std::pair<DNSName, ComboAddress>> d_additionals4;
+  std::set<std::pair<DNSName, ComboAddress>> d_additionals6;
 };
 
 class TCAction : public DNSAction
@@ -844,13 +844,13 @@ class SpoofAction : public DNSAction
     }
   }
 
-  SpoofAction(const DNSName& cname, const dnsdist::ResponseConfig& responseConfig) :
-    d_responseConfig(responseConfig), d_cname(cname)
+  SpoofAction(DNSName cname, const dnsdist::ResponseConfig& responseConfig) :
+    d_responseConfig(responseConfig), d_cname(std::move(cname))
   {
   }
 
-  SpoofAction(const PacketBuffer& rawresponse) :
-    d_raw(rawresponse)
+  SpoofAction(PacketBuffer rawresponse) :
+    d_raw(std::move(rawresponse))
   {
   }
 
@@ -867,12 +867,13 @@ class SpoofAction : public DNSAction
     if (!d_cname.empty()) {
       ret += d_cname.toString() + " ";
     }
-    if (d_rawResponses.size() > 0) {
+    if (!d_rawResponses.empty()) {
       ret += "raw bytes ";
     }
     else {
-      for (const auto& a : d_addrs)
-        ret += a.toString() + " ";
+      for (const auto& addr : d_addrs) {
+        ret += addr.toString() + " ";
+      }
     }
     return ret;
   }
@@ -884,7 +885,7 @@ class SpoofAction : public DNSAction
   std::vector<std::string> d_rawResponses;
   PacketBuffer d_raw;
   DNSName d_cname;
-  std::optional<uint16_t> d_rawTypeForAny{};
+  std::optional<uint16_t> d_rawTypeForAny;
 };
 
 DNSAction::Action SpoofAction::operator()(DNSQuestion* dnsquestion, std::string* ruleresult) const
@@ -1873,7 +1874,7 @@ class ClearRecordTypesResponseAction : public DNSResponseAction, public boost::n
   }
 
 private:
-  std::unordered_set<QType> d_qtypes{};
+  std::unordered_set<QType> d_qtypes;
 };
 
 class ContinueAction : public DNSAction
@@ -1915,8 +1916,8 @@ class ContinueAction : public DNSAction
 class HTTPStatusAction : public DNSAction
 {
 public:
-  HTTPStatusAction(uint16_t code, const PacketBuffer& body, std::string contentType, const dnsdist::ResponseConfig& responseConfig) :
-    d_responseConfig(responseConfig), d_body(body), d_contentType(std::move(contentType)), d_code(code)
+  HTTPStatusAction(uint16_t code, PacketBuffer body, std::string contentType, const dnsdist::ResponseConfig& responseConfig) :
+    d_responseConfig(responseConfig), d_body(std::move(body)), d_contentType(std::move(contentType)), d_code(code)
   {
   }
 
@@ -2250,16 +2251,14 @@ class SetExtendedDNSErrorResponseAction : public DNSResponseAction
 class LimitTTLResponseAction : public DNSResponseAction, public boost::noncopyable
 {
 public:
-  LimitTTLResponseAction() {}
-
-  LimitTTLResponseAction(uint32_t min, uint32_t max = std::numeric_limits<uint32_t>::max(), const std::unordered_set<QType>& types = {}) :
-    d_types(types), d_min(min), d_max(max)
+  LimitTTLResponseAction(uint32_t min, uint32_t max = std::numeric_limits<uint32_t>::max(), std::unordered_set<QType> types = {}) :
+    d_types(std::move(types)), d_min(min), d_max(max)
   {
   }
 
-  DNSResponseAction::Action operator()(DNSResponse* dr, std::string* ruleresult) const override
+  DNSResponseAction::Action operator()(DNSResponse* dnsResponse, std::string* ruleresult) const override
   {
-    dnsdist::PacketMangling::restrictDNSPacketTTLs(dr->getMutableData(), d_min, d_max, d_types);
+    dnsdist::PacketMangling::restrictDNSPacketTTLs(dnsResponse->getMutableData(), d_min, d_max, d_types);
     return DNSResponseAction::Action::None;
   }
 
@@ -2292,22 +2291,22 @@ class LimitTTLResponseAction : public DNSResponseAction, public boost::noncopyab
 
 std::shared_ptr<DNSAction> getLuaAction(dnsdist::actions::LuaActionFunction function)
 {
-  return std::shared_ptr<DNSAction>(new LuaAction(function));
+  return std::shared_ptr<DNSAction>(new LuaAction(std::move(function)));
 }
 
 std::shared_ptr<DNSAction> getLuaFFIAction(dnsdist::actions::LuaActionFFIFunction function)
 {
-  return std::shared_ptr<DNSAction>(new LuaFFIAction(function));
+  return std::shared_ptr<DNSAction>(new LuaFFIAction(std::move(function)));
 }
 
 std::shared_ptr<DNSResponseAction> getLuaResponseAction(dnsdist::actions::LuaResponseActionFunction function)
 {
-  return std::shared_ptr<DNSResponseAction>(new LuaResponseAction(function));
+  return std::shared_ptr<DNSResponseAction>(new LuaResponseAction(std::move(function)));
 }
 
 std::shared_ptr<DNSResponseAction> getLuaFFIResponseAction(dnsdist::actions::LuaResponseActionFFIFunction function)
 {
-  return std::shared_ptr<DNSResponseAction>(new LuaFFIResponseAction(function));
+  return std::shared_ptr<DNSResponseAction>(new LuaFFIResponseAction(std::move(function)));
 }
 
 #ifndef DISABLE_PROTOBUF
@@ -2323,12 +2322,12 @@ std::shared_ptr<DNSResponseAction> getRemoteLogResponseAction(RemoteLogActionCon
 
 std::shared_ptr<DNSAction> getDnstapLogAction(const std::string& identity, std::shared_ptr<RemoteLoggerInterface> logger, std::optional<DnstapAlterFunction> alterFunc)
 {
-  return std::shared_ptr<DNSAction>(new DnstapLogAction(identity, logger, alterFunc));
+  return std::shared_ptr<DNSAction>(new DnstapLogAction(identity, logger, std::move(alterFunc)));
 }
 
 std::shared_ptr<DNSResponseAction> getDnstapLogResponseAction(const std::string& identity, std::shared_ptr<RemoteLoggerInterface> logger, std::optional<DnstapAlterResponseFunction> alterFunc)
 {
-  return std::shared_ptr<DNSResponseAction>(new DnstapLogResponseAction(identity, logger, alterFunc));
+  return std::shared_ptr<DNSResponseAction>(new DnstapLogResponseAction(identity, logger, std::move(alterFunc)));
 }
 #endif /* DISABLE_PROTOBUF */
 
@@ -2347,14 +2346,14 @@ std::shared_ptr<DNSAction> getKeyValueStoreRangeLookupAction(std::shared_ptr<Key
 #ifdef HAVE_DNS_OVER_HTTPS
 std::shared_ptr<DNSAction> getHTTPStatusAction(uint16_t status, PacketBuffer&& body, const std::string& contentType, const dnsdist::ResponseConfig& responseConfig)
 {
-  return std::shared_ptr<DNSAction>(new HTTPStatusAction(status, body, contentType, responseConfig));
+  return std::shared_ptr<DNSAction>(new HTTPStatusAction(status, std::move(body), contentType, responseConfig));
 }
 
 #endif
 
 std::shared_ptr<DNSResponseAction> getLimitTTLResponseAction(uint32_t min, uint32_t max, std::unordered_set<QType> types)
 {
-  return std::shared_ptr<DNSResponseAction>(new LimitTTLResponseAction(min, max, types));
+  return std::shared_ptr<DNSResponseAction>(new LimitTTLResponseAction(min, max, std::move(types)));
 }
 
 std::shared_ptr<DNSResponseAction> getMinTTLResponseAction(uint32_t min)
@@ -2364,7 +2363,7 @@ std::shared_ptr<DNSResponseAction> getMinTTLResponseAction(uint32_t min)
 
 std::shared_ptr<DNSResponseAction> getClearRecordTypesResponseAction(std::unordered_set<QType> types)
 {
-  return std::shared_ptr<DNSResponseAction>(new ClearRecordTypesResponseAction(types));
+  return std::shared_ptr<DNSResponseAction>(new ClearRecordTypesResponseAction(std::move(types)));
 }
 
 std::shared_ptr<DNSAction> getContinueAction(std::shared_ptr<DNSAction> action)
@@ -2447,6 +2446,8 @@ std::shared_ptr<DNSAction> getTeeAction(const ComboAddress& rca, std::optional<C
   return std::shared_ptr<DNSAction>(new TeeAction(rca, lca, addECS, addProxyProtocol));
 }
 
+// NOLINTNEXTLINE(bugprone-suspicious-include)
 #include "dnsdist-actions-factory-generated.cc"
+// NOLINTNEXTLINE(bugprone-suspicious-include)
 #include "dnsdist-response-actions-factory-generated.cc"
 }
diff --git a/pdns/dnsdistdist/dnsdist-configuration-yaml.cc b/pdns/dnsdistdist/dnsdist-configuration-yaml.cc
index a40c21bbe390..0a0721d7d768 100644
--- a/pdns/dnsdistdist/dnsdist-configuration-yaml.cc
+++ b/pdns/dnsdistdist/dnsdist-configuration-yaml.cc
@@ -786,6 +786,36 @@ static void loadWebServer(const dnsdist::rust::settings::WebserverConfiguration&
     config.d_apiReadWrite = webConfig.api_read_write;
   });
 }
+
+static void loadCustomPolicies(const ::rust::Vec<dnsdist::rust::settings::CustomLoadBalancingPolicyConfiguration>& customPolicies)
+{
+  for (const auto& policy : customPolicies) {
+    if (policy.ffi) {
+      if (policy.per_thread) {
+        auto policyObj = std::make_shared<ServerPolicy>(std::string(policy.name), std::string(policy.function_code));
+        registerType<ServerPolicy>(policyObj, policy.name);
+      }
+      else {
+        ServerPolicy::ffipolicyfunc_t function;
+
+        if (!getLuaFunctionFromConfiguration(function, policy.function_name, policy.function_code, policy.function_file, "FFI load-balancing policy")) {
+          throw std::runtime_error("Custom FFI load-balancing policy '" + std::string(policy.name) + "' could not be created: no valid function name, Lua code or Lua file");
+        }
+        auto policyObj = std::make_shared<ServerPolicy>(std::string(policy.name), std::move(function));
+        registerType<ServerPolicy>(policyObj, policy.name);
+      }
+    }
+    else {
+      ServerPolicy::policyfunc_t function;
+      if (!getLuaFunctionFromConfiguration(function, policy.function_name, policy.function_code, policy.function_file, "load-balancing policy")) {
+        throw std::runtime_error("Custom load-balancing policy '" + std::string(policy.name) + "' could not be created: no valid function name, Lua code or Lua file");
+      }
+      auto policyObj = std::make_shared<ServerPolicy>(std::string(policy.name), std::move(function), true);
+      registerType<ServerPolicy>(policyObj, policy.name);
+    }
+  }
+}
+
 #endif /* defined(HAVE_YAML_CONFIGURATION) */
 
 bool loadConfigurationFromFile(const std::string& fileName, bool isClient, bool configCheck)
@@ -970,31 +1000,7 @@ bool loadConfigurationFromFile(const std::string& fileName, bool isClient, bool
       registerType<DNSDistPacketCache>(packetCacheObj, cache.name);
     }
 
-    for (const auto& policy : globalConfig.load_balancing_policies.custom_policies) {
-      if (policy.ffi) {
-        if (policy.per_thread) {
-          auto policyObj = std::make_shared<ServerPolicy>(std::string(policy.name), std::string(policy.function_code));
-          registerType<ServerPolicy>(policyObj, policy.name);
-        }
-        else {
-          ServerPolicy::ffipolicyfunc_t function;
-
-          if (!getLuaFunctionFromConfiguration(function, policy.function_name, policy.function_code, policy.function_file, "FFI load-balancing policy")) {
-            throw std::runtime_error("Custom FFI load-balancing policy '" + std::string(policy.name) + "' could not be created: no valid function name, Lua code or Lua file");
-          }
-          auto policyObj = std::make_shared<ServerPolicy>(std::string(policy.name), std::move(function));
-          registerType<ServerPolicy>(policyObj, policy.name);
-        }
-      }
-      else {
-        ServerPolicy::policyfunc_t function;
-        if (!getLuaFunctionFromConfiguration(function, policy.function_name, policy.function_code, policy.function_file, "load-balancing policy")) {
-          throw std::runtime_error("Custom load-balancing policy '" + std::string(policy.name) + "' could not be created: no valid function name, Lua code or Lua file");
-        }
-        auto policyObj = std::make_shared<ServerPolicy>(std::string(policy.name), std::move(function), true);
-        registerType<ServerPolicy>(policyObj, policy.name);
-      }
-    }
+    loadCustomPolicies(globalConfig.load_balancing_policies.custom_policies);
 
     if (!globalConfig.load_balancing_policies.default_policy.empty()) {
       auto policy = getRegisteredTypeByName<ServerPolicy>(globalConfig.load_balancing_policies.default_policy);
@@ -1588,7 +1594,9 @@ std::shared_ptr<DNSSelector> getByNameSelector(const ByNameSelectorConfiguration
   return dnsdist::configuration::yaml::getRegisteredTypeByName<DNSSelector>(config.selector_name);
 }
 
+// NOLINTNEXTLINE(bugprone-suspicious-include)
 #include "dnsdist-rust-bridge-actions-generated.cc"
+// NOLINTNEXTLINE(bugprone-suspicious-include)
 #include "dnsdist-rust-bridge-selectors-generated.cc"
 }
 #endif /* defined(HAVE_YAML_CONFIGURATION) */
diff --git a/pdns/dnsdistdist/dnsdist-lua-actions.cc b/pdns/dnsdistdist/dnsdist-lua-actions.cc
index 5015bed07314..65cd1d085338 100644
--- a/pdns/dnsdistdist/dnsdist-lua-actions.cc
+++ b/pdns/dnsdistdist/dnsdist-lua-actions.cc
@@ -138,19 +138,19 @@ void setupLuaActions(LuaContext& luaCtx)
   luaCtx.registerFunction("reload", &DNSResponseAction::reload);
 
   luaCtx.writeFunction("LuaAction", [](dnsdist::actions::LuaActionFunction function) {
-    return dnsdist::actions::getLuaAction(function);
+    return dnsdist::actions::getLuaAction(std::move(function));
   });
 
   luaCtx.writeFunction("LuaFFIAction", [](dnsdist::actions::LuaActionFFIFunction function) {
-    return dnsdist::actions::getLuaFFIAction(function);
+    return dnsdist::actions::getLuaFFIAction(std::move(function));
   });
 
   luaCtx.writeFunction("LuaResponseAction", [](dnsdist::actions::LuaResponseActionFunction function) {
-    return dnsdist::actions::getLuaResponseAction(function);
+    return dnsdist::actions::getLuaResponseAction(std::move(function));
   });
 
   luaCtx.writeFunction("LuaFFIResponseAction", [](dnsdist::actions::LuaResponseActionFFIFunction function) {
-    return dnsdist::actions::getLuaFFIResponseAction(function);
+    return dnsdist::actions::getLuaFFIResponseAction(std::move(function));
   });
 
   luaCtx.writeFunction("SpoofAction", [](LuaTypeOrArrayOf<std::string> inp, boost::optional<responseParams_t> vars) {
diff --git a/pdns/dnsdistdist/dnsdist-lua-rules.cc b/pdns/dnsdistdist/dnsdist-lua-rules.cc
index 52468bce21d0..44942e902f33 100644
--- a/pdns/dnsdistdist/dnsdist-lua-rules.cc
+++ b/pdns/dnsdistdist/dnsdist-lua-rules.cc
@@ -576,11 +576,11 @@ void setupLuaRules(LuaContext& luaCtx)
     return std::shared_ptr<DNSRule>(new NotRule(rule));
   });
 
-  luaCtx.writeFunction("LuaRule", [](dnsdist::selectors::LuaSelectorFunction function) {
+  luaCtx.writeFunction("LuaRule", [](const dnsdist::selectors::LuaSelectorFunction& function) {
     return std::shared_ptr<DNSRule>(dnsdist::selectors::getLuaSelector(function));
   });
 
-  luaCtx.writeFunction("LuaFFIRule", [](dnsdist::selectors::LuaSelectorFFIFunction function) {
+  luaCtx.writeFunction("LuaFFIRule", [](const dnsdist::selectors::LuaSelectorFFIFunction& function) {
     return std::shared_ptr<DNSRule>(dnsdist::selectors::getLuaFFISelector(function));
   });