allow-query-on { address_match_element; ... };
allow-recursion { address_match_element; ... };
allow-recursion-on { address_match_element; ... };
- allow-transfer { address_match_element; ... };
+ allow-transfer [ port integer ] [ transport string ] {
+ address_match_element; ... };
allow-update { address_match_element; ... };
allow-update-forwarding { address_match_element; ... };
also-notify [ port integer ] [ dscp integer ] { (
allow-query-on { address_match_element; ... };
allow-recursion { address_match_element; ... };
allow-recursion-on { address_match_element; ... };
- allow-transfer { address_match_element; ... };
+ allow-transfer [ port integer ] [ transport string ] {
+ address_match_element; ... };
allow-update { address_match_element; ... };
allow-update-forwarding { address_match_element; ... };
also-notify [ port integer ] [ dscp integer ] { (
allow-notify { address_match_element; ... };
allow-query { address_match_element; ... };
allow-query-on { address_match_element; ... };
- allow-transfer { address_match_element; ... };
+ allow-transfer [ port integer ] [ transport string ] {
+ address_match_element; ... };
allow-update { address_match_element; ... };
allow-update-forwarding { address_match_element; ... };
also-notify [ port integer ] [ dscp integer ] { (
allow-notify { address_match_element; ... };
allow-query { address_match_element; ... };
allow-query-on { address_match_element; ... };
- allow-transfer { address_match_element; ... };
+ allow-transfer [ port integer ] [ transport string ] {
+ address_match_element; ... };
allow-update { address_match_element; ... };
allow-update-forwarding { address_match_element; ... };
also-notify [ port integer ] [ dscp integer ] { (
allow\-query\-on { address_match_element; ... };
allow\-recursion { address_match_element; ... };
allow\-recursion\-on { address_match_element; ... };
- allow\-transfer { address_match_element; ... };
+ allow\-transfer [ port integer ] [ transport string ] {
+ address_match_element; ... };
allow\-update { address_match_element; ... };
allow\-update\-forwarding { address_match_element; ... };
also\-notify [ port integer ] [ dscp integer ] { (
allow\-query\-on { address_match_element; ... };
allow\-recursion { address_match_element; ... };
allow\-recursion\-on { address_match_element; ... };
- allow\-transfer { address_match_element; ... };
+ allow\-transfer [ port integer ] [ transport string ] {
+ address_match_element; ... };
allow\-update { address_match_element; ... };
allow\-update\-forwarding { address_match_element; ... };
also\-notify [ port integer ] [ dscp integer ] { (
allow\-notify { address_match_element; ... };
allow\-query { address_match_element; ... };
allow\-query\-on { address_match_element; ... };
- allow\-transfer { address_match_element; ... };
+ allow\-transfer [ port integer ] [ transport string ] {
+ address_match_element; ... };
allow\-update { address_match_element; ... };
allow\-update\-forwarding { address_match_element; ... };
also\-notify [ port integer ] [ dscp integer ] { (
allow\-notify { address_match_element; ... };
allow\-query { address_match_element; ... };
allow\-query\-on { address_match_element; ... };
- allow\-transfer { address_match_element; ... };
+ allow\-transfer [ port integer ] [ transport string ] {
+ address_match_element; ... };
allow\-update { address_match_element; ... };
allow\-update\-forwarding { address_match_element; ... };
also\-notify [ port integer ] [ dscp integer ] { (
type ( master | primary );
allow-query { <address_match_element>; ... };
allow-query-on { <address_match_element>; ... };
- allow-transfer { <address_match_element>; ... };
+ allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
allow-update { <address_match_element>; ... };
also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
type ( master | primary );
allow-query { <address_match_element>; ... };
allow-query-on { <address_match_element>; ... };
- allow-transfer { <address_match_element>; ... };
+ allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
allow-update { <address_match_element>; ... };
also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
allow-notify { <address_match_element>; ... };
allow-query { <address_match_element>; ... };
allow-query-on { <address_match_element>; ... };
- allow-transfer { <address_match_element>; ... };
+ allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
allow-notify { <address_match_element>; ... };
allow-query { <address_match_element>; ... };
allow-query-on { <address_match_element>; ... };
- allow-transfer { <address_match_element>; ... };
+ allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
allow-query-on { <address_match_element>; ... };
allow-recursion { <address_match_element>; ... };
allow-recursion-on { <address_match_element>; ... };
- allow-transfer { <address_match_element>; ... };
+ allow-transfer [ port <integer> ] [ transport <string> ] {
+ <address_match_element>; ... };
allow-update { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
also-notify [ port <integer> ] [ dscp <integer> ] { (
allow-query-on { <address_match_element>; ... };
allow-recursion { <address_match_element>; ... };
allow-recursion-on { <address_match_element>; ... };
- allow-transfer { <address_match_element>; ... };
+ allow-transfer [ port <integer> ] [ transport <string> ] {
+ <address_match_element>; ... };
allow-update { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
also-notify [ port <integer> ] [ dscp <integer> ] { (
allow-notify { <address_match_element>; ... };
allow-query { <address_match_element>; ... };
allow-query-on { <address_match_element>; ... };
- allow-transfer { <address_match_element>; ... };
+ allow-transfer [ port <integer> ] [ transport <string> ] {
+ <address_match_element>; ... };
allow-update { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
also-notify [ port <integer> ] [ dscp <integer> ] { (
allow-notify { <address_match_element>; ... };
allow-query { <address_match_element>; ... };
allow-query-on { <address_match_element>; ... };
- allow-transfer { <address_match_element>; ... };
+ allow-transfer [ port <integer> ] [ transport <string> ] {
+ <address_match_element>; ... };
allow-update { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
also-notify [ port <integer> ] [ dscp <integer> ] { (
allow-query-on { <address_match_element>; ... };
allow-recursion { <address_match_element>; ... };
allow-recursion-on { <address_match_element>; ... };
- allow-transfer { <address_match_element>; ... };
+ allow-transfer [ port <integer> ] [ transport <string> ] {
+ <address_match_element>; ... };
allow-update { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
also-notify [ port <integer> ] [ dscp <integer> ] { (
allow-query-on { <address_match_element>; ... };
allow-recursion { <address_match_element>; ... };
allow-recursion-on { <address_match_element>; ... };
- allow-transfer { <address_match_element>; ... };
+ allow-transfer [ port <integer> ] [ transport <string> ] {
+ <address_match_element>; ... };
allow-update { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
also-notify [ port <integer> ] [ dscp <integer> ] { (
allow-notify { <address_match_element>; ... };
allow-query { <address_match_element>; ... };
allow-query-on { <address_match_element>; ... };
- allow-transfer { <address_match_element>; ... };
+ allow-transfer [ port <integer> ] [ transport <string> ] {
+ <address_match_element>; ... };
allow-update { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
also-notify [ port <integer> ] [ dscp <integer> ] { (
allow-notify { <address_match_element>; ... };
allow-query { <address_match_element>; ... };
allow-query-on { <address_match_element>; ... };
- allow-transfer { <address_match_element>; ... };
+ allow-transfer [ port <integer> ] [ transport <string> ] {
+ <address_match_element>; ... };
allow-update { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
also-notify [ port <integer> ] [ dscp <integer> ] { (
allow-query-on { <address_match_element>; ... };
allow-recursion { <address_match_element>; ... };
allow-recursion-on { <address_match_element>; ... };
- allow-transfer { <address_match_element>; ... };
+ allow-transfer [ port <integer> ] [ transport <string> ] {
+ <address_match_element>; ... };
allow-update { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
also-notify [ port <integer> ] [ dscp <integer> ] { (
allow-notify { <address_match_element>; ... };
allow-query { <address_match_element>; ... };
allow-query-on { <address_match_element>; ... };
- allow-transfer { <address_match_element>; ... };
+ allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
allow-notify { <address_match_element>; ... };
allow-query { <address_match_element>; ... };
allow-query-on { <address_match_element>; ... };
- allow-transfer { <address_match_element>; ... };
+ allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
allow-update-forwarding { <address_match_element>; ... };
also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
if (acl != NULL) {
dns_acl_detach(&acl);
}
+
+ if (strcasecmp(aclname, "allow-transfer") == 0 &&
+ cfg_obj_istuple(aclobj)) {
+ const cfg_obj_t *obj_port = cfg_tuple_get(
+ cfg_tuple_get(aclobj, "port-transport"), "port");
+ const cfg_obj_t *obj_proto = cfg_tuple_get(
+ cfg_tuple_get(aclobj, "port-transport"), "transport");
+
+ if (cfg_obj_isuint32(obj_port) &&
+ cfg_obj_asuint32(obj_port) >= UINT16_MAX) {
+ cfg_obj_log(obj_port, logctx, ISC_LOG_ERROR,
+ "port value '%u' is out of range",
+
+ cfg_obj_asuint32(obj_port));
+ if (result == ISC_R_SUCCESS) {
+ result = ISC_R_RANGE;
+ }
+ }
+
+ if (cfg_obj_isstring(obj_proto)) {
+ const char *allowed[] = { "tcp", "tls" };
+ const char *transport = cfg_obj_asstring(obj_proto);
+ bool found = false;
+ for (size_t i = 0; i < ARRAY_SIZE(allowed); i++) {
+ if (strcasecmp(transport, allowed[i]) == 0) {
+ found = true;
+ }
+ }
+
+ if (!found) {
+ cfg_obj_log(obj_proto, logctx, ISC_LOG_ERROR,
+ "'%s' is not a valid transport "
+ "protocol for "
+ "zone "
+ "transfers. Please specify either "
+ "'tcp' or 'tls'",
+ transport);
+ result = ISC_R_FAILURE;
+ }
+ }
+ }
return (result);
}
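Review bot: The transport validation at L224-244 overwrites `result` unconditionally with `ISC_R_FAILURE`, whereas the port check just above only assigns `ISC_R_RANGE` when `result` is still ISC_R_SUCCESS, so an earlier failure code from the ACL conversion is lost on this path. Use the same guard for consistency: `if (result == ISC_R_SUCCESS) { result = ISC_R_FAILURE; }`. Two smaller points: the loop over `allowed` can `break` once `found` is set, and because the match is done with `strcasecmp`, whatever consumes the transport string in cfg_acl_fromconfig2 must also compare case-insensitively, otherwise `transport TLS` passes named-checkconf but may be handled differently at load time (that consumer is not in this hunk). The `>= UINT16_MAX` bound also rejects port 65535; if this mirrors the other port checks in check.c it is at least consistent, otherwise `>` is the correct comparison. checkacl's body begins outside the hunk.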
}
isc_result_t
-cfg_acl_fromconfig2(const cfg_obj_t *caml, const cfg_obj_t *cctx,
+cfg_acl_fromconfig2(const cfg_obj_t *acl_data, const cfg_obj_t *cctx,
isc_log_t *lctx, cfg_aclconfctx_t *ctx, isc_mem_t *mctx,
unsigned int nest_level, uint16_t family,
dns_acl_t **target) {
dns_iptable_t *iptab;
int new_nest_level = 0;
bool setpos;
+ const cfg_obj_t *caml = NULL;
+ const cfg_obj_t *obj_acl_tuple = NULL;
+ const cfg_obj_t *obj_port = NULL, *obj_proto = NULL;
if (nest_level != 0) {
new_nest_level = nest_level - 1;
REQUIRE(target != NULL);
REQUIRE(*target == NULL || DNS_ACL_VALID(*target));
+ REQUIRE(acl_data != NULL);
+ if (cfg_obj_islist(acl_data)) {
+ caml = acl_data;
+ } else {
+ INSIST(cfg_obj_istuple(acl_data));
+ caml = cfg_tuple_get(acl_data, "acl");
+ INSIST(caml != NULL);
+ obj_acl_tuple = cfg_tuple_get(acl_data, "port-transport");
+ INSIST(obj_acl_tuple != NULL);
+ obj_port = cfg_tuple_get(obj_acl_tuple, "port");
+ obj_proto = cfg_tuple_get(obj_acl_tuple, "protocol");
+ }
+
if (*target != NULL) {
/*
* If target already points to an ACL, then we're being
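Review bot: The field names looked up at L270 and L275 do not match the tuple definitions this same patch adds to namedconf.c: `cfg_tuple_get(acl_data, "acl")` should be `"aml"` (the field is declared `{ "aml", &cfg_type_bracketed_aml, 0 }`), and `cfg_tuple_get(obj_acl_tuple, "protocol")` should be `"transport"`, which is also the name check.c uses. If cfg_tuple_get asserts on an unknown field name as it does elsewhere in libisccfg, any `allow-transfer port ... transport ...` clause would abort named at configuration load rather than be rejected cleanly. Proposed: `caml = cfg_tuple_get(acl_data, "aml");` and `obj_proto = cfg_tuple_get(obj_acl_tuple, "transport");`. Note that `obj_port`/`obj_proto` are populated here but not consumed within the hunk; the remainder of cfg_acl_fromconfig2 lies outside it.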
/*% acl */
+/*
+ * Encrypted transfer related definitions
+ */
+
+static cfg_tuplefielddef_t cfg_transport_acl_tuple_fields[] = {
+ { "port", &cfg_type_optional_port, 0 },
+ { "transport", &cfg_type_astring, 0 },
+ { NULL, NULL, 0 }
+};
+static cfg_type_t cfg_transport_acl_tuple = {
+ "transport-acl tuple", cfg_parse_kv_tuple,
+ cfg_print_kv_tuple, cfg_doc_kv_tuple,
+ &cfg_rep_tuple, cfg_transport_acl_tuple_fields
+};
+
+static cfg_tuplefielddef_t cfg_transport_acl_fields[] = {
+ { "port-transport", &cfg_transport_acl_tuple, 0 },
+ { "aml", &cfg_type_bracketed_aml, 0 },
+ { NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_transport_acl = {
+ "transport-acl", cfg_parse_tuple, cfg_print_tuple,
+ cfg_doc_tuple, &cfg_rep_tuple, cfg_transport_acl_fields
+};
+
+/*
+ * NOTE: To enable syntax which allows specifying port and protocol,
+ * replace 'cfg_type_bracketed_aml' with
+ * 'cfg_type_transport_acl'.
+ *
+ * Example: acl port 853 protocol tls { ... };
+ */
static cfg_tuplefielddef_t acl_fields[] = { { "name", &cfg_type_astring, 0 },
{ "value", &cfg_type_bracketed_aml,
0 },
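Review bot: The example in the NOTE comment at L313, `acl port 853 protocol tls { ... };`, uses a keyword the grammar defined directly above does not accept: the tuple field at L288 is named `transport`, and the documentation hunks in this patch spell it `transport` as well. Change the example to `acl port 853 transport tls { ... };`. It would also help a maintainer to record on cfg_transport_acl_tuple_fields that `transport` is parsed as an arbitrary string and only constrained to `tcp`/`tls` by the new check in check.c, e.g. `/* any string at parse time; restricted to "tcp"/"tls" by check.c */`.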
* Note: CFG_ZONE_* options indicate in which zone types this clause is
* legal.
*/
+/*
+ * NOTE: To enable syntax which allows specifying port and protocol
+ * within 'allow-*' clauses, replace 'cfg_type_bracketed_aml' with
+ * 'cfg_type_transport_acl'.
+ *
+ * Example: allow-transfer port 853 protocol tls { ... };
+ */
static cfg_clausedef_t zone_clauses[] = {
{ "allow-notify", &cfg_type_bracketed_aml,
CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
{ "allow-query-on", &cfg_type_bracketed_aml,
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR |
CFG_ZONE_STUB | CFG_ZONE_REDIRECT | CFG_ZONE_STATICSTUB },
- { "allow-transfer", &cfg_type_bracketed_aml,
+ { "allow-transfer", &cfg_type_transport_acl,
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
{ "allow-update", &cfg_type_bracketed_aml, CFG_ZONE_PRIMARY },
{ "allow-update-forwarding", &cfg_type_bracketed_aml,
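Review bot: The NOTE comment at L321-327 is misleading once this hunk lands: it says the port/transport syntax is enabled by replacing `cfg_type_bracketed_aml` with `cfg_type_transport_acl`, yet L335 already does exactly that for `allow-transfer`, and its example `allow-transfer port 853 protocol tls { ... };` uses `protocol` where the grammar and the documentation hunks say `transport`. Reword it to describe the actual state, e.g. `/* allow-transfer takes an optional "port <n>" and "transport tcp|tls" prefix (cfg_type_transport_acl); the other allow-* clauses take a plain address-match list. */`. Since only zone_clauses is changed here, it is worth confirming that where this array is reused for options/view scope the allow-transfer check in check.c is reached from those scopes too; the rest of zone_clauses lies outside the hunk.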