isc_netaddr_fromsockaddr(&netaddr, sockaddr);
- result = dns_acl_match(&netaddr, NULL, NULL, 0, NULL, acl, env, &match,
- NULL);
-
- if (result != ISC_R_SUCCESS || match <= 0)
+ result = dns_acl_match(&netaddr, NULL, acl, env, &match, NULL);
+ if (result != ISC_R_SUCCESS || match <= 0) {
return (ISC_FALSE);
- else
+ } else {
return (ISC_TRUE);
+ }
}
static isc_result_t
if (result != ISC_R_SUCCESS)
return (result);
- result = dns_iptable_addprefix(acl->iptable, &addr, 96,
- ISC_TRUE, ISC_FALSE);
+ result = dns_iptable_addprefix(acl->iptable, &addr, 96, ISC_TRUE);
if (result == ISC_R_SUCCESS)
dns_acl_attach(acl, &named_g_mapped);
dns_acl_detach(&acl);
return (result);
result = dns_iptable_addprefix(src_acl->iptable, &netaddr,
- 128, ISC_TRUE, ISC_FALSE);
+ 128, ISC_TRUE);
if (result != ISC_R_SUCCESS)
goto clean;
named_geoip_load(NULL);
}
named_g_aclconfctx->geoip = named_g_geoip;
-
- obj = NULL;
- result = named_config_get(maps, "geoip-use-ecs", &obj);
- INSIST(result == ISC_R_SUCCESS);
- env->geoip_use_ecs = cfg_obj_asboolean(obj);
#endif /* HAVE_GEOIP */
/*
*/
static isc_result_t
get_matching_view(isc_netaddr_t *srcaddr, isc_netaddr_t *destaddr,
- dns_message_t *message, dns_aclenv_t *env, dns_ecs_t *ecs,
+ dns_message_t *message, dns_aclenv_t *env,
isc_result_t *sigresult, dns_view_t **viewp)
{
dns_view_t *view;
message->rdclass == dns_rdataclass_any)
{
dns_name_t *tsig = NULL;
- isc_netaddr_t *addr = NULL;
- isc_uint8_t *scope = NULL;
- isc_uint8_t source = 0;
*sigresult = dns_message_rechecksig(message, view);
if (*sigresult == ISC_R_SUCCESS) {
tsig = dns_tsigkey_identity(tsigkey);
}
- if (ecs != NULL) {
- addr = &ecs->addr;
- source = ecs->source;
- scope = &ecs->scope;
- }
-
- if (dns_acl_allowed(srcaddr, tsig, addr, source,
- scope, view->matchclients, env) &&
- dns_acl_allowed(destaddr, tsig, NULL, 0, NULL,
+ if (dns_acl_allowed(srcaddr, tsig,
+ view->matchclients, env) &&
+ dns_acl_allowed(destaddr, tsig,
view->matchdestinations, env) &&
!(view->matchrecursiveonly &&
(message->flags & DNS_MESSAGEFLAG_RD) == 0))
return (result);
}
-
static isc_result_t
mkey_dumpzone(dns_view_t *view, isc_buffer_t **text) {
isc_result_t result;
isc_netaddr_fromsockaddr(&netaddr, fromaddr);
LOCK(&listener->lock);
- if (dns_acl_match(&netaddr, NULL, NULL, 0, NULL, listener->acl, env,
- &match, NULL) == ISC_R_SUCCESS && match > 0)
+ if ((dns_acl_match(&netaddr, NULL, listener->acl, env,
+ &match, NULL) == ISC_R_SUCCESS) && match > 0)
{
UNLOCK(&listener->lock);
return (ISC_TRUE);
tsig = dns_tsigkey_identity(mykey);
}
- if (dns_acl_allowed(&netsrc, tsig, NULL, 0, NULL,
- view->matchclients, env) &&
- dns_acl_allowed(&netdst, tsig, NULL, 0, NULL,
- view->matchdestinations, env))
+ if (dns_acl_allowed(&netsrc, tsig, view->matchclients, env) &&
+ dns_acl_allowed(&netdst, tsig, view->matchdestinations,
+ env))
+ {
break;
+ }
}
return (ISC_TF(view == myview));
}
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-key rndc_key {
- secret "1234abcd8765";
- algorithm hmac-sha256;
-};
-
-controls {
- inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-options {
- query-source address 10.53.0.2;
- notify-source 10.53.0.2;
- transfer-source 10.53.0.2;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.2; };
- listen-on-v6 { none; };
- recursion no;
- notify yes;
- ixfr-from-differences yes;
- check-integrity no;
- allow-query-on { 10.53.0.2; };
-};
-
-zone "." {
- type hint;
- file "../../common/root.hint";
-};
-
-zone "example" {
- type master;
- file "example.db";
-};
-
-zone "tsigzone" {
- type master;
- file "tsigzone.db";
- allow-transfer { ecs 10.53/16; !10/8; };
-};
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-key rndc_key {
- secret "1234abcd8765";
- algorithm hmac-sha256;
-};
-
-controls {
- inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-options {
- query-source address 10.53.0.2;
- notify-source 10.53.0.2;
- transfer-source 10.53.0.2;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.2; };
- listen-on-v6 { none; };
- recursion no;
- notify yes;
- ixfr-from-differences yes;
- check-integrity no;
- allow-query-on { 10.53.0.2; };
-};
-
-view one {
- match-clients { ecs 192.0.2/24; };
-
- zone "." {
- type hint;
- file "../../common/root.hint";
- };
-
- zone "example" {
- type master;
- file "example.db";
- };
-};
-
-view two {
- zone "." {
- type hint;
- file "../../common/root.hint";
- };
-
- zone "example" {
- type master;
- file "example.db";
- };
-};
@10.53.0.2 -b 10.53.0.3 > dig.out.${t}
grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
-echo_i "testing EDNS client-subnet ACL processing"
-copy_setports ns2/named6.conf.in ns2/named.conf
-$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
-sleep 5
-
-# should fail
-t=`expr $t + 1`
-$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.2 axfr > dig.out.${t}
-grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
-
-# should succeed
-t=`expr $t + 1`
-$DIG $DIGOPTS tsigzone. \
- @10.53.0.2 -b 10.53.0.2 +subnet="10.53.0/24" axfr > dig.out.${t}
-grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
-
-echo_i "testing EDNS client-subnet response scope"
-copy_setports ns2/named7.conf.in ns2/named.conf
-$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
-sleep 5
-
-t=`expr $t + 1`
-$DIG -p ${PORT} example. soa @10.53.0.2 +subnet="10.53.0.1/32" > dig.out.${t}
-grep "CLIENT-SUBNET.*10.53.0.1/32/0" dig.out.${t} > /dev/null || { echo_i "test $t failed" ; status=1; }
-
-t=`expr $t + 1`
-$DIG -p ${PORT} example. soa @10.53.0.2 +subnet="192.0.2.128/32" > dig.out.${t}
-grep "CLIENT-SUBNET.*192.0.2.128/32/24" dig.out.${t} > /dev/null || { echo_i "test $t failed" ; status=1; }
-
# AXFR tests against ns3
echo_i "testing allow-transfer ACLs against ns3 (no existing zones)"
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ geoip-use-ecs yes;
+};
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
+echo_i "check that 'geoip-use-ecs no' generates a warning ($n)"
+ret=0
+$CHECKCONF warn-geoip-use-ecs.conf > checkconf.out$n 2>/dev/null || ret=1
+[ -s checkconf.out$n ] || ret=1
+grep "'geoip-use-ecs' is obsolete" checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
echo_i "exit status: $status"
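Review bot: The new test block beginning at the `echo_i "check that 'geoip-use-ecs no' generates a warning ($n)"` line does not advance `$n` first, so it reuses the previous test's number and writes `checkconf.out$n` over whatever the preceding check (outside this hunk) produced under the same name. That loses the earlier output for debugging and prints a duplicate test number; the other system-test scripts in this commit bump the counter before each check. Add the usual counter-bump line, `n=` assigned from the `expr $n + 1` substitution, immediately before the `echo_i` line.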
[ $status -eq 0 ] || exit 1
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ geoip-use-ecs no;
+};
listen-on-v6 { none; };
recursion no;
geoip-directory "../data";
- geoip-use-ecs no;
};
key rndc_key {
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
-n=`expr $n + 1`
-echo_i "checking GeoIP country database by code (using client subnet) ($n)"
-ret=0
-lret=0
-for i in 1 2 3 4 5 6 7; do
- $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1
- j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
- [ "$i" = "$j" ] || lret=1
- [ $lret -eq 1 ] && break
-done
-[ $lret -eq 1 ] && ret=1
-[ $ret -eq 0 ] || echo_i "failed"
-status=`expr $status + $ret`
-
-n=`expr $n + 1`
-echo_i "checking response scope using client subnet ($n)"
-ret=0
-$DIG +tcp -p ${PORT} @10.53.0.2 txt example -b 127.0.0.1 +subnet="10.53.0.1/32" > dig.out.ns2.test$n.1 || ret=1
-grep 'CLIENT-SUBNET.*10.53.0.1/32/32' dig.out.ns2.test$n.1 > /dev/null || ret=1
-$DIG +tcp -p ${PORT} @10.53.0.2 txt example -b 127.0.0.1 +subnet="192.0.2.64/32" > dig.out.ns2.test$n.2 || ret=1
-grep 'CLIENT-SUBNET.*192.0.2.64/32/24' dig.out.ns2.test$n.2 > /dev/null || ret=1
-[ $ret -eq 0 ] || echo_i "failed"
-status=`expr $status + $ret`
-
echo_i "reloading server"
copy_setports ns2/named2.conf.in ns2/named.conf
$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
status=`expr $status + $ret`
n=`expr $n + 1`
-echo_i "checking GeoIP region database (using client subnet) ($n)"
-ret=0
-lret=0
-for i in 1 2 3 4 5 6 7; do
- $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1
- j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
- [ "$i" = "$j" ] || lret=1
- [ $lret -eq 1 ] && break
-done
-[ $lret -eq 1 ] && ret=1
-[ $ret -eq 0 ] || echo_i "failed"
-status=`expr $status + $ret`
-
-
echo_i "reloading server"
copy_setports ns2/named6.conf.in ns2/named.conf
$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
-n=`expr $n + 1`
-echo_i "checking GeoIP city database (using client subnet) ($n)"
-ret=0
-lret=0
-for i in 1 2 3 4 5 6 7; do
- $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1
- j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
- [ "$i" = "$j" ] || lret=1
- [ $lret -eq 1 ] && break
-done
-[ $lret -eq 1 ] && ret=1
-[ $ret -eq 0 ] || echo_i "failed"
-status=`expr $status + $ret`
-
echo_i "reloading server"
copy_setports ns2/named7.conf.in ns2/named.conf
$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
-n=`expr $n + 1`
-echo_i "checking GeoIP isp database (using client subnet) ($n)"
-ret=0
-lret=0
-for i in 1 2 3 4 5 6 7; do
- $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1
- j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
- [ "$i" = "$j" ] || lret=1
- [ $lret -eq 1 ] && break
-done
-[ $lret -eq 1 ] && ret=1
-[ $ret -eq 0 ] || echo_i "failed"
-status=`expr $status + $ret`
-
echo_i "reloading server"
copy_setports ns2/named8.conf.in ns2/named.conf
$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
-n=`expr $n + 1`
-echo_i "checking GeoIP org database (using client subnet) ($n)"
-ret=0
-lret=0
-for i in 1 2 3 4 5 6 7; do
- $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1
- j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
- [ "$i" = "$j" ] || lret=1
- [ $lret -eq 1 ] && break
-done
-[ $lret -eq 1 ] && ret=1
-[ $ret -eq 0 ] || echo_i "failed"
-status=`expr $status + $ret`
-
echo_i "reloading server"
copy_setports ns2/named9.conf.in ns2/named.conf
$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
-n=`expr $n + 1`
-echo_i "checking GeoIP asnum database (using client subnet) ($n)"
-ret=0
-lret=0
-for i in 1 2 3 4 5 6 7; do
- $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1
- j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
- [ "$i" = "$j" ] || lret=1
- [ $lret -eq 1 ] && break
-done
-[ $lret -eq 1 ] && ret=1
-[ $ret -eq 0 ] || echo_i "failed"
-status=`expr $status + $ret`
-
echo_i "reloading server"
copy_setports ns2/named10.conf.in ns2/named.conf
$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
-n=`expr $n + 1`
-echo_i "checking GeoIP asnum database - ASNNNN only (using client subnet) ($n)"
-ret=0
-lret=0
-for i in 1 2 3 4 5 6 7; do
- $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1
- j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
- [ "$i" = "$j" ] || lret=1
- [ $lret -eq 1 ] && break
-done
-[ $lret -eq 1 ] && ret=1
-[ $ret -eq 0 ] || echo_i "failed"
-status=`expr $status + $ret`
-
echo_i "reloading server"
copy_setports ns2/named11.conf.in ns2/named.conf
$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
-n=`expr $n + 1`
-echo_i "checking GeoIP domain database (using client subnet) ($n)"
-ret=0
-lret=0
-for i in 1 2 3 4 5 6 7; do
- $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1
- j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
- [ "$i" = "$j" ] || lret=1
- [ $lret -eq 1 ] && break
-done
-[ $lret -eq 1 ] && ret=1
-[ $ret -eq 0 ] || echo_i "failed"
-status=`expr $status + $ret`
-
echo_i "reloading server"
copy_setports ns2/named12.conf.in ns2/named.conf
$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
-n=`expr $n + 1`
-echo_i "checking GeoIP netspeed database (using client subnet) ($n)"
-ret=0
-lret=0
-for i in 1 2 3 4; do
- $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1
- j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
- [ "$i" = "$j" ] || lret=1
- [ $lret -eq 1 ] && break
-done
-[ $lret -eq 1 ] && ret=1
-[ $ret -eq 0 ] || echo_i "failed"
-status=`expr $status + $ret`
-
echo_i "reloading server"
copy_setports ns2/named13.conf.in ns2/named.conf
$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
-echo_i "reloading server"
-copy_setports ns2/named14.conf.in ns2/named.conf
-$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
-sleep 3
-
-n=`expr $n + 1`
-echo_i "checking geoip-use-ecs ($n)"
-ret=0
-lret=0
-for i in 1 2 3 4 5 6 7; do
- $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
- j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
- [ "$i" = "$j" ] || lret=1
- [ $lret -eq 1 ] && break
-
- $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.ecs.$i || lret=1
- j=`cat dig.out.ns2.test$n.ecs.$i | tr -d '"'`
- [ "$j" = "bogus" ] || lret=1
- [ $lret -eq 1 ] && break
-done
-[ $lret -eq 1 ] && ret=1
-[ $ret -eq 0 ] || echo_i "failed"
-status=`expr $status + $ret`
-
n=`expr $n + 1`
echo_i "reloading server with different geoip-directory ($n)"
copy_setports ns2/named15.conf.in ns2/named.conf
<term><command>geoip-use-ecs</command></term>
<listitem>
<para>
- When BIND is compiled with GeoIP support and configured
- with "geoip" ACL elements, this option indicates whether
- the EDNS Client Subnet option, if present in a request,
- should be used for matching against the GeoIP database.
- The default is
- <command>geoip-use-ecs</command> <userinput>yes</userinput>.
+ This option was part of an experimental implementation
+ of the EDNS CLIENT-SUBNET for authoritative servers,
+ but is now obsolete.
</para>
</listitem>
</varlistentry>
In addition to network addresses and prefixes, which are
matched against the source address of the DNS request, ACLs
may include <option>key</option> elements, which specify the
- name of a TSIG or SIG(0) key, or <option>ecs</option>
- elements, which specify a network prefix but are only matched
- if that prefix matches an EDNS client subnet option included
- in the request.
+ name of a TSIG or SIG(0) key.
</para>
- <para>
- The EDNS Client Subnet (ECS) option is used by a recursive
- resolver to inform an authoritative name server of the network
- address block from which the original query was received, enabling
- authoritative servers to give different answers to the same
- resolver for different resolver clients. An ACL containing
- an element of the form
- <command>ecs <replaceable>prefix</replaceable></command>
- will match if a request arrives in containing an ECS option
- encoding an address within that prefix. If the request has no
- ECS option, then "ecs" elements are simply ignored. Addresses
- in ACLs that are not prefixed with "ecs" are matched only
- against the source address.
- </para>
- <note>
- <simpara>
- (Note: The authoritative ECS implementation in
- <command>named</command> is based on an early version of the
- specification, and is known to have incompatibilities with
- other implementations. It is also inefficient, requiring
- a separate view for each client subnet to be sent different
- answers, and it is unable to correct for overlapping subnets in
- the configuration. It can be used for testing purposes, but is
- not recommended for production use.)
- </simpara>
- </note>
<para>
When <acronym>BIND</acronym> 9 is built with GeoIP support,
ACLs can also be used for geographic access restrictions.
database if it is installed, or the "region" database if it is
installed, or the "country" database, in that order.
</para>
- <para>
- By default, if a DNS query includes an EDNS Client Subnet (ECS)
- option which encodes a non-zero address prefix, then GeoIP ACLs
- will be matched against that address prefix. Otherwise, they
- are matched against the source address of the query. To
- prevent GeoIP ACLs from matching against ECS options, set
- the <command>geoip-use-ecs</command> to <literal>no</literal>.
- </para>
<para>
Some example GeoIP ACLs:
</para>
result = ISC_R_RANGE;
}
+ obj = NULL;
+ (void)cfg_map_get(options, "geoip-use-ecs", &obj);
+ if (obj != NULL && cfg_obj_asboolean(obj)) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "'geoip-use-ecs yes': "
+ "ECS can no longer be used in geoip ACLs");
+ if (result == ISC_R_SUCCESS) {
+ result = ISC_R_FAILURE;
+ }
+ }
+
return (result);
}
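Review bot: The new block turns `geoip-use-ecs yes` into a hard checkconf failure (`ISC_LOG_ERROR` plus `result = ISC_R_FAILURE`), while `geoip-use-ecs no` only produces the generic "'geoip-use-ecs' is obsolete" warning exercised by the new checkconf test, and the updated ARM text elsewhere in this commit says only that the option is obsolete; nothing in the code explains the asymmetry. A short comment above `obj = NULL;` such as `/* ECS matching was removed: 'geoip-use-ecs yes' is a hard error, 'no' only gets the obsolete-option warning. */` would make the intent clear to the next reader. The enclosing function starts outside the hunk.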
if (result != ISC_R_SUCCESS)
return (result);
- result = dns_iptable_addprefix(acl->iptable, NULL, 0, ISC_TF(!neg),
- ISC_FALSE);
+ result = dns_iptable_addprefix(acl->iptable, NULL, 0, ISC_TF(!neg));
if (result != ISC_R_SUCCESS) {
dns_acl_detach(&acl);
return (result);
isc_result_t
dns_acl_match(const isc_netaddr_t *reqaddr,
const dns_name_t *reqsigner,
- const isc_netaddr_t *ecs,
- isc_uint8_t ecslen,
- isc_uint8_t *scope,
const dns_acl_t *acl,
const dns_aclenv_t *env,
int *match,
REQUIRE(reqaddr != NULL);
REQUIRE(matchelt == NULL || *matchelt == NULL);
- REQUIRE(ecs != NULL || scope == NULL);
if (env != NULL && env->match_mapped &&
addr->family == AF_INET6 &&
/* Always match with host addresses. */
bitlen = (addr->family == AF_INET6) ? 128 : 32;
- NETADDR_TO_PREFIX_T(addr, pfx, bitlen, ISC_FALSE);
+ NETADDR_TO_PREFIX_T(addr, pfx, bitlen);
/* Assume no match. */
*match = 0;
isc_refcount_destroy(&pfx.refcount);
- /*
- * If ecs is not NULL, we search the radix tree again to
- * see if we find a better match on an ECS node
- */
- if (ecs != NULL) {
- node = NULL;
- addr = ecs;
-
- if (env != NULL && env->match_mapped &&
- addr->family == AF_INET6 &&
- IN6_IS_ADDR_V4MAPPED(&addr->type.in6))
- {
- isc_netaddr_fromv4mapped(&v4addr, addr);
- addr = &v4addr;
- }
-
- NETADDR_TO_PREFIX_T(addr, pfx, ecslen, ISC_TRUE);
-
- result = isc_radix_search(acl->iptable->radix, &node, &pfx);
- if (result == ISC_R_SUCCESS && node != NULL) {
- int off = ISC_RADIX_OFF(&pfx);
- if (match_num == -1 ||
- node->node_num[off] < match_num)
- {
- match_num = node->node_num[off];
- if (scope != NULL)
- *scope = node->bit;
- if (*(isc_boolean_t *) node->data[off])
- *match = match_num;
- else
- *match = -match_num;
- }
- }
-
- isc_refcount_destroy(&pfx.refcount);
- }
-
/* Now search non-radix elements for a match with a lower node_num. */
for (i = 0; i < acl->length; i++) {
dns_aclelement_t *e = &acl->elements[i];
break;
}
- if (dns_aclelement_match(reqaddr, reqsigner, ecs, ecslen,
- scope, e, env, matchelt))
+ if (dns_aclelement_match(reqaddr, reqsigner, e, env, matchelt))
{
if (match_num == -1 || e->node_num < match_num) {
if (e->negative)
isc_boolean_t
dns_aclelement_match(const isc_netaddr_t *reqaddr,
const dns_name_t *reqsigner,
- const isc_netaddr_t *ecs,
- isc_uint8_t ecslen,
- isc_uint8_t *scope,
const dns_aclelement_t *e,
const dns_aclenv_t *env,
const dns_aclelement_t **matchelt)
dns_acl_t *inner = NULL;
int indirectmatch;
isc_result_t result;
-#ifdef HAVE_GEOIP
- const isc_netaddr_t *addr = NULL;
-#endif
-
- REQUIRE(ecs != NULL || scope == NULL);
switch (e->type) {
case dns_aclelementtype_keyname:
case dns_aclelementtype_geoip:
if (env == NULL || env->geoip == NULL)
return (ISC_FALSE);
- addr = (env->geoip_use_ecs && ecs != NULL) ? ecs : reqaddr;
- return (dns_geoip_match(addr, scope, env->geoip,
- &e->geoip_elem));
+ return (dns_geoip_match(reqaddr, env->geoip, &e->geoip_elem));
#endif
default:
/* Should be impossible. */
INSIST(0);
}
- result = dns_acl_match(reqaddr, reqsigner, ecs, ecslen, scope,
- inner, env, &indirectmatch, matchelt);
+ result = dns_acl_match(reqaddr, reqsigner, inner, env,
+ &indirectmatch, matchelt);
INSIST(result == ISC_R_SUCCESS);
/*
* If all nonexistent or negative then this node is secure.
*/
if ((data[0] == NULL || !* (isc_boolean_t *) data[0]) &&
- (data[1] == NULL || !* (isc_boolean_t *) data[1]) &&
- (data[2] == NULL || !* (isc_boolean_t *) data[2]) &&
- (data[3] == NULL || !* (isc_boolean_t *) data[3]))
+ (data[1] == NULL || !* (isc_boolean_t *) data[1]))
+ {
return;
+ }
/*
- * If a loopback address found and the other family and
- * ecs entry doesn't exist or is negative, return.
+ * If a loopback address found and the other family
+ * entry doesn't exist or is negative, return.
*/
if (prefix->bitlen == 32 &&
htonl(prefix->add.sin.s_addr) == INADDR_LOOPBACK &&
- (data[1] == NULL || !* (isc_boolean_t *) data[1]) &&
- (data[2] == NULL || !* (isc_boolean_t *) data[2]) &&
- (data[3] == NULL || !* (isc_boolean_t *) data[3]))
+ (data[1] == NULL || !* (isc_boolean_t *) data[1]))
+ {
return;
+ }
if (prefix->bitlen == 128 &&
IN6_IS_ADDR_LOOPBACK(&prefix->add.sin6) &&
- (data[0] == NULL || !* (isc_boolean_t *) data[0]) &&
- (data[2] == NULL || !* (isc_boolean_t *) data[2]) &&
- (data[3] == NULL || !* (isc_boolean_t *) data[3]))
+ (data[0] == NULL || !* (isc_boolean_t *) data[0]))
+ {
return;
+ }
/* Non-negated, non-loopback */
insecure_prefix_found = ISC_TRUE; /* LOCKED */
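Review bot: The shortened conditions now inspect only `data[0]` and `data[1]`, which presumes the per-node `data[]` (and `node_num[]`) arrays in the radix node were also cut from four slots to two; that header change is not in this excerpt. If the arrays still hold four entries, the former ECS slots 2 and 3 are silently left out of this secure/insecure classification, so please confirm the radix header is updated in the same commit. A one-line comment above the first test, `/* data[0] is the IPv4 entry, data[1] the IPv6 entry; the ECS slots are gone. */`, would document the layout the loopback checks below rely on. The enclosing function starts and ends outside the hunk.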
*/
isc_boolean_t
dns_acl_allowed(isc_netaddr_t *addr, dns_name_t *signer,
- isc_netaddr_t *ecs_addr, isc_uint8_t ecs_addrlen,
- isc_uint8_t *ecs_scope, dns_acl_t *acl, dns_aclenv_t *aclenv)
+ dns_acl_t *acl, dns_aclenv_t *aclenv)
{
int match;
isc_result_t result;
- if (acl == NULL)
+ if (acl == NULL) {
return (ISC_TRUE);
- result = dns_acl_match(addr, signer, ecs_addr, ecs_addrlen,
- ecs_scope, acl, aclenv, &match, NULL);
- if (result == ISC_R_SUCCESS && match > 0)
+ }
+ result = dns_acl_match(addr, signer, acl, aclenv, &match, NULL);
+ if (result == ISC_R_SUCCESS && match > 0) {
return (ISC_TRUE);
+ }
return (ISC_FALSE);
}
env->match_mapped = ISC_FALSE;
#ifdef HAVE_GEOIP
env->geoip = NULL;
- env->geoip_use_ecs = ISC_FALSE;
#endif
return (ISC_R_SUCCESS);
t->match_mapped = s->match_mapped;
#ifdef HAVE_GEOIP
t->geoip = s->geoip;
- t->geoip_use_ecs = s->geoip_use_ecs;
#endif
}
*/
isc_netaddr_fromsockaddr(&netaddr, &ev->address);
if (disp->mgr->blackhole != NULL &&
- dns_acl_match(&netaddr, NULL, NULL, 0, NULL,
- disp->mgr->blackhole,
+ dns_acl_match(&netaddr, NULL, disp->mgr->blackhole,
NULL, &match, NULL) == ISC_R_SUCCESS &&
match > 0)
{
* information regarding copyright ownership.
*/
-
#include <config.h>
#include <isc/list.h>
return (DNS_R_DISALLOWED);
if (dns64->clients != NULL) {
- result = dns_acl_match(reqaddr, reqsigner, NULL, 0, NULL,
- dns64->clients, env, &match, NULL);
+ result = dns_acl_match(reqaddr, reqsigner, dns64->clients,
+ env, &match, NULL);
if (result != ISC_R_SUCCESS)
return (result);
if (match <= 0)
memmove(&ina.s_addr, a, 4);
isc_netaddr_fromin(&netaddr, &ina);
- result = dns_acl_match(&netaddr, NULL, NULL, 0, NULL,
- dns64->mapped, env, &match, NULL);
+ result = dns_acl_match(&netaddr, NULL, dns64->mapped,
+ env, &match, NULL);
if (result != ISC_R_SUCCESS)
return (result);
if (match <= 0)
* Work out if this dns64 structure applies to this client.
*/
if (dns64->clients != NULL) {
- result = dns_acl_match(reqaddr, reqsigner, NULL, 0,
- NULL, dns64->clients, env,
+ result = dns_acl_match(reqaddr, reqsigner,
+ dns64->clients, env,
&match, NULL);
if (result != ISC_R_SUCCESS)
continue;
memmove(&in6.s6_addr, rdata.data, 16);
isc_netaddr_fromin6(&netaddr, &in6);
- result = dns_acl_match(&netaddr, NULL, NULL,
- 0, NULL,
+ result = dns_acl_match(&netaddr, NULL,
dns64->excluded, env,
&match, NULL);
if (result == ISC_R_SUCCESS && match <= 0) {
unsigned int family;
isc_uint32_t ipnum;
geoipv6_t ipnum6;
- isc_uint8_t scope;
GeoIPRecord *record;
GeoIPRegion *region;
const char *text;
static isc_result_t
set_state(unsigned int family, isc_uint32_t ipnum, const geoipv6_t *ipnum6,
- isc_uint8_t scope, dns_geoip_subtype_t subtype, GeoIPRecord *record,
+ dns_geoip_subtype_t subtype, GeoIPRecord *record,
GeoIPRegion *region, char *name, const char *text, int id)
{
geoip_state_t *state = NULL;
state->family = family;
state->subtype = subtype;
- state->scope = scope;
state->record = record;
state->region = region;
state->name = name;
static const char *
country_lookup(GeoIP *db, dns_geoip_subtype_t subtype,
unsigned int family,
- isc_uint32_t ipnum, const geoipv6_t *ipnum6,
- isc_uint8_t *scope)
+ isc_uint32_t ipnum, const geoipv6_t *ipnum6)
{
geoip_state_t *prev_state = NULL;
const char *text = NULL;
- GeoIPLookup gl;
REQUIRE(db != NULL);
prev_state = get_state_for(family, ipnum, ipnum6);
if (prev_state != NULL && prev_state->subtype == subtype) {
text = prev_state->text;
- if (scope != NULL)
- *scope = prev_state->scope;
}
if (text == NULL) {
switch (subtype) {
case dns_geoip_country_code:
if (family == AF_INET)
- text = GeoIP_country_code_by_ipnum_gl(db,
- ipnum, &gl);
+ text = GeoIP_country_code_by_ipnum(db, ipnum);
#ifdef HAVE_GEOIP_V6
else
- text = GeoIP_country_code_by_ipnum_v6_gl(db,
- *ipnum6, &gl);
+ text = GeoIP_country_code_by_ipnum_v6(db,
+ *ipnum6);
#endif
break;
case dns_geoip_country_code3:
if (family == AF_INET)
- text = GeoIP_country_code3_by_ipnum_gl(db,
- ipnum, &gl);
+ text = GeoIP_country_code3_by_ipnum(db, ipnum);
#ifdef HAVE_GEOIP_V6
else
- text = GeoIP_country_code3_by_ipnum_v6_gl(db,
- *ipnum6, &gl);
+ text = GeoIP_country_code3_by_ipnum_v6(db,
+ *ipnum6);
#endif
break;
case dns_geoip_country_name:
if (family == AF_INET)
- text = GeoIP_country_name_by_ipnum_gl(db,
- ipnum, &gl);
+ text = GeoIP_country_name_by_ipnum(db, ipnum);
#ifdef HAVE_GEOIP_V6
else
- text = GeoIP_country_name_by_ipnum_v6_gl(db,
- *ipnum6, &gl);
+ text = GeoIP_country_name_by_ipnum_v6(db,
+ *ipnum6);
#endif
break;
default:
if (text == NULL)
return (NULL);
- if (scope != NULL)
- *scope = gl.netmask;
-
- set_state(family, ipnum, ipnum6, gl.netmask, subtype,
+ set_state(family, ipnum, ipnum6, subtype,
NULL, NULL, NULL, text, 0);
}
static GeoIPRecord *
city_lookup(GeoIP *db, dns_geoip_subtype_t subtype,
unsigned int family, isc_uint32_t ipnum,
- const geoipv6_t *ipnum6,
- isc_uint8_t *scope)
+ const geoipv6_t *ipnum6)
{
GeoIPRecord *record = NULL;
geoip_state_t *prev_state = NULL;
prev_state = get_state_for(family, ipnum, ipnum6);
if (prev_state != NULL && is_city(prev_state->subtype)) {
record = prev_state->record;
- if (scope != NULL)
- *scope = record->netmask;
}
if (record == NULL) {
if (record == NULL)
return (NULL);
- if (scope != NULL)
- *scope = record->netmask;
-
- set_state(family, ipnum, ipnum6, record->netmask, subtype,
- record, NULL, NULL, NULL, 0);
+ set_state(family, ipnum, ipnum6, subtype, record,
+ NULL, NULL, NULL, 0);
}
return (record);
* outside the Region database.
*/
static GeoIPRegion *
-region_lookup(GeoIP *db, dns_geoip_subtype_t subtype,
- isc_uint32_t ipnum, isc_uint8_t *scope)
-{
+region_lookup(GeoIP *db, dns_geoip_subtype_t subtype, isc_uint32_t ipnum) {
GeoIPRegion *region = NULL;
geoip_state_t *prev_state = NULL;
- GeoIPLookup gl;
REQUIRE(db != NULL);
prev_state = get_state_for(AF_INET, ipnum, NULL);
if (prev_state != NULL && is_region(prev_state->subtype)) {
region = prev_state->region;
- if (scope != NULL)
- *scope = prev_state->scope;
}
if (region == NULL) {
- region = GeoIP_region_by_ipnum_gl(db, ipnum, &gl);
+ region = GeoIP_region_by_ipnum(db, ipnum);
if (region == NULL)
return (NULL);
- if (scope != NULL)
- *scope = gl.netmask;
-
- set_state(AF_INET, ipnum, NULL, gl.netmask,
- subtype, NULL, region, NULL, NULL, 0);
+ set_state(AF_INET, ipnum, NULL, subtype, NULL,
+ region, NULL, NULL, 0);
}
return (region);
* or was for a search of a different subtype.
*/
static char *
-name_lookup(GeoIP *db, dns_geoip_subtype_t subtype,
- isc_uint32_t ipnum, isc_uint8_t *scope)
-{
+name_lookup(GeoIP *db, dns_geoip_subtype_t subtype, isc_uint32_t ipnum) {
char *name = NULL;
geoip_state_t *prev_state = NULL;
- GeoIPLookup gl;
REQUIRE(db != NULL);
prev_state = get_state_for(AF_INET, ipnum, NULL);
if (prev_state != NULL && prev_state->subtype == subtype) {
name = prev_state->name;
- if (scope != NULL)
- *scope = prev_state->scope;
}
if (name == NULL) {
- name = GeoIP_name_by_ipnum_gl(db, ipnum, &gl);
+ name = GeoIP_name_by_ipnum(db, ipnum);
if (name == NULL)
return (NULL);
- if (scope != NULL)
- *scope = gl.netmask;
-
- set_state(AF_INET, ipnum, NULL, gl.netmask,
- subtype, NULL, NULL, name, NULL, 0);
+ set_state(AF_INET, ipnum, NULL, subtype, NULL, NULL,
+ name, NULL, 0);
}
return (name);
* different subtype.
*/
static int
-netspeed_lookup(GeoIP *db, dns_geoip_subtype_t subtype,
- isc_uint32_t ipnum, isc_uint8_t *scope)
-{
+netspeed_lookup(GeoIP *db, dns_geoip_subtype_t subtype, isc_uint32_t ipnum) {
geoip_state_t *prev_state = NULL;
isc_boolean_t found = ISC_FALSE;
- GeoIPLookup gl;
int id = -1;
REQUIRE(db != NULL);
prev_state = get_state_for(AF_INET, ipnum, NULL);
if (prev_state != NULL && prev_state->subtype == subtype) {
id = prev_state->id;
- if (scope != NULL)
- *scope = prev_state->scope;
found = ISC_TRUE;
}
if (!found) {
- id = GeoIP_id_by_ipnum_gl(db, ipnum, &gl);
+ id = GeoIP_id_by_ipnum(db, ipnum);
if (id == 0)
return (0);
- if (scope != NULL)
- *scope = gl.netmask;
-
- set_state(AF_INET, ipnum, NULL, gl.netmask,
- subtype, NULL, NULL, NULL, NULL, id);
+ set_state(AF_INET, ipnum, NULL, subtype, NULL,
+ NULL, NULL, NULL, id);
}
return (id);
#endif /* HAVE_GEOIP */
isc_boolean_t
-dns_geoip_match(const isc_netaddr_t *reqaddr, isc_uint8_t *scope,
+dns_geoip_match(const isc_netaddr_t *reqaddr,
const dns_geoip_databases_t *geoip,
const dns_geoip_elem_t *elt)
{
INSIST(elt->as_string != NULL);
- cs = country_lookup(db, subtype, family, ipnum, ipnum6, scope);
+ cs = country_lookup(db, subtype, family, ipnum, ipnum6);
if (cs != NULL && strncasecmp(elt->as_string, cs, maxlen) == 0)
return (ISC_TRUE);
break;
return (ISC_FALSE);
record = city_lookup(db, subtype, family,
- ipnum, ipnum6, scope);
+ ipnum, ipnum6);
if (record == NULL)
break;
return (ISC_FALSE);
record = city_lookup(db, subtype, family,
- ipnum, ipnum6, scope);
+ ipnum, ipnum6);
if (record == NULL)
break;
return (ISC_FALSE);
record = city_lookup(db, subtype, family,
- ipnum, ipnum6, scope);
+ ipnum, ipnum6);
if (record == NULL)
break;
if (family == AF_INET6)
return (ISC_FALSE);
- region = region_lookup(geoip->region, subtype, ipnum, scope);
+ region = region_lookup(geoip->region, subtype, ipnum);
if (region == NULL)
break;
if (family == AF_INET6)
return (ISC_FALSE);
- s = name_lookup(db, subtype, ipnum, scope);
+ s = name_lookup(db, subtype, ipnum);
if (s != NULL) {
size_t l;
if (strcasecmp(elt->as_string, s) == 0)
if (family == AF_INET6)
return (ISC_FALSE);
- id = netspeed_lookup(geoip->netspeed, subtype, ipnum, scope);
+ id = netspeed_lookup(geoip->netspeed, subtype, ipnum);
if (id == elt->as_int)
return (ISC_TRUE);
break;
isc_boolean_t match_mapped;
#ifdef HAVE_GEOIP
dns_geoip_databases_t *geoip;
- isc_boolean_t geoip_use_ecs;
#endif
};
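Review bot: Removing `geoip_use_ecs` from `dns_aclenv_t` (L1086) changes the size and layout of a struct that is exposed through a public header, so anything compiled against the previous layout and reading `match_mapped` or `geoip` by offset will break at runtime rather than at build time. If the commit does not already bump the library interface version for this header, it should, and the struct's opening lines (outside this hunk) are the natural place for a one-line comment saying that layout changes require such a bump.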
isc_boolean_t
dns_acl_allowed(isc_netaddr_t *addr, dns_name_t *signer,
- isc_netaddr_t *ecs_addr, isc_uint8_t ecs_addrlen,
- isc_uint8_t *ecs_scope, dns_acl_t *acl, dns_aclenv_t
- *aclenv);
+ dns_acl_t *acl, dns_aclenv_t *aclenv);
/*%<
* Return #ISC_TRUE iff the 'addr', 'signer', or ECS values are
* permitted by 'acl' in environment 'aclenv'.
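Review bot: The comment following the new prototype still describes the removed parameters: L1096 says the function returns #ISC_TRUE iff `'addr', 'signer', or ECS values` are permitted, but the ECS arguments are deleted in this very hunk (L1091-L1094). Update the sentence to `* Return #ISC_TRUE iff 'addr' or 'signer' is permitted by 'acl' in environment 'aclenv'.` so the documentation matches the signature. The rest of the comment block is outside the hunk.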
isc_result_t
dns_acl_match(const isc_netaddr_t *reqaddr,
const dns_name_t *reqsigner,
- const isc_netaddr_t *ecs,
- isc_uint8_t ecslen,
- isc_uint8_t *scope,
const dns_acl_t *acl,
const dns_aclenv_t *env,
int *match,
* be useful even for weird stuff like the topology and sortlist statements.
*
* Match the address 'reqaddr', and optionally the key name 'reqsigner',
- * and optionally the client prefix 'ecs' of length 'ecslen'
- * (reported via EDNS client subnet option) against 'acl'.
- *
- * 'reqsigner' and 'ecs' may be NULL. If an ACL matches against 'ecs'
- * and 'ecslen', then 'scope' will be set to indicate the netmask that
- * matched.
+ * against 'acl'. 'reqsigner' may be NULL.
*
* If there is a match, '*match' will be set to an integer whose absolute
* value corresponds to the order in which the matching value was inserted
isc_boolean_t
dns_aclelement_match(const isc_netaddr_t *reqaddr,
const dns_name_t *reqsigner,
- const isc_netaddr_t *ecs,
- isc_uint8_t ecslen,
- isc_uint8_t *scope,
const dns_aclelement_t *e,
const dns_aclenv_t *env,
const dns_aclelement_t **matchelt);
ISC_LANG_BEGINDECLS
isc_boolean_t
-dns_geoip_match(const isc_netaddr_t *reqaddr, isc_uint8_t *scope,
+dns_geoip_match(const isc_netaddr_t *reqaddr,
const dns_geoip_databases_t *geoip,
const dns_geoip_elem_t *elt);
* information regarding copyright ownership.
*/
-
#ifndef DNS_IPTABLE_H
#define DNS_IPTABLE_H 1
isc_result_t
dns_iptable_addprefix(dns_iptable_t *tab, const isc_netaddr_t *addr,
- isc_uint16_t bitlen, isc_boolean_t pos,
- isc_boolean_t is_ecs);
+ isc_uint16_t bitlen, isc_boolean_t pos);
/*
* Add an IP prefix to an existing IP table
*/
*/
isc_result_t
dns_iptable_addprefix(dns_iptable_t *tab, const isc_netaddr_t *addr,
- isc_uint16_t bitlen, isc_boolean_t pos,
- isc_boolean_t is_ecs)
+ isc_uint16_t bitlen, isc_boolean_t pos)
{
isc_result_t result;
isc_prefix_t pfx;
INSIST(DNS_IPTABLE_VALID(tab));
INSIST(tab->radix);
- NETADDR_TO_PREFIX_T(addr, pfx, bitlen, is_ecs);
+ NETADDR_TO_PREFIX_T(addr, pfx, bitlen);
result = isc_radix_insert(tab->radix, &node, NULL, &pfx);
if (result != ISC_R_SUCCESS) {
if (pfx.family == AF_UNSPEC) {
/* "any" or "none" */
INSIST(pfx.bitlen == 0);
- for (i = 0; i < 4; i++) {
+ for (i = 0; i < 2; i++) {
if (node->data[i] == NULL)
node->data[i] = pos ? &dns_iptable_pos
: &dns_iptable_neg;
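Review bot: The loop bound `2` at L1167 is a bare literal that must stay in step with the new `data[2]` and `node_num[2]` declarations in the radix node (L1858-L1859); the same literal recurs at L1175, L1886, L1896, L1904, L1914, L1926, L1941, L1949, L1959, L1966, L1974 and L1982, so the next change to the array shape needs a dozen coordinated edits and a missed one becomes an out-of-bounds write. Define the count once in the header next to `ISC_RADIX_OFF` (a name along the lines of `ISC_RADIX_FAMILIES` is one option) and use it for both the array sizes and these loops, or iterate with `sizeof(node->data) / sizeof(node->data[0])`. The brace style of these loops also varies in the commit (brace on the loop line at L1886, on its own line at L1926-L1927, none at L1974); one form would make the repeated idiom easier to scan. The enclosing functions start and end outside the hunks.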
* could be a security risk. To prevent this, we
* just leave the negative nodes negative.
*/
- for (i = 0; i < 4; i++) {
+ for (i = 0; i < 2; i++) {
if (!pos) {
if (node->data[i] &&
*(isc_boolean_t *) node->data[i])
* information regarding copyright ownership.
*/
-
/*! \file */
#include <config.h>
blackhole = dns_dispatchmgr_getblackhole(dispatchmgr);
if (blackhole != NULL) {
isc_netaddr_fromsockaddr(&netaddr, destaddr);
- if (dns_acl_match(&netaddr, NULL, NULL, 0, NULL, blackhole,
- NULL, &match, NULL) == ISC_R_SUCCESS &&
+ if (dns_acl_match(&netaddr, NULL, blackhole, NULL,
+ &match, NULL) == ISC_R_SUCCESS &&
match > 0)
+ {
drop = ISC_TRUE;
+ }
}
if (drop) {
isc_netaddr_format(&netaddr, netaddrstr, sizeof(netaddrstr));
if (blackhole != NULL) {
int match;
- if (dns_acl_match(&ipaddr, NULL, NULL, 0, NULL, blackhole,
- &res->view->aclenv,
- &match, NULL) == ISC_R_SUCCESS &&
+ if ((dns_acl_match(&ipaddr, NULL, blackhole,
+ &res->view->aclenv, &match,
+ NULL) == ISC_R_SUCCESS) &&
match > 0)
+ {
aborted = ISC_TRUE;
+ }
}
if (peer != NULL &&
isc_netaddr_fromin6(&netaddr, &in6a);
}
- result = dns_acl_match(&netaddr, NULL, NULL, 0, NULL,
- view->denyansweracl, &view->aclenv,
- &match, NULL);
-
+ result = dns_acl_match(&netaddr, NULL, view->denyansweracl,
+ &view->aclenv, &match, NULL);
if (result == ISC_R_SUCCESS && match > 0) {
isc_netaddr_format(&netaddr, addrbuf, sizeof(addrbuf));
dns_name_format(name, namebuf, sizeof(namebuf));
rrl = view->rrl;
if (rrl->exempt != NULL) {
isc_netaddr_fromsockaddr(&netclient, client_addr);
- result = dns_acl_match(&netclient, NULL, NULL, 0, NULL,
- rrl->exempt, &view->aclenv,
- &exempt_match, NULL);
+ result = dns_acl_match(&netclient, NULL, rrl->exempt,
+ &view->aclenv, &exempt_match, NULL);
if (result == ISC_R_SUCCESS && exempt_match > 0)
return (DNS_RRL_RESULT_OK);
}
if (!dns_name_issubdomain(name, rule->name)) {
continue;
}
- dns_acl_match(addr, NULL, NULL, 0, NULL,
- env->localhost, NULL, &match,
- NULL);
+ dns_acl_match(addr, NULL, env->localhost,
+ NULL, &match, NULL);
if (match == 0) {
if (signer != NULL) {
isc_log_write(dns_lctx,
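Review bot: The return value of `dns_acl_match()` at L1240-L1241 is still discarded and `match` is tested unconditionally at L1242; its initialization is not visible here, so if the call fails for any reason the code reads whatever value `match` already held, and a stale non-zero value would be taken as a localhost match for what looks like a localhost-only rule. Treat a failed lookup as no match: `if (dns_acl_match(addr, NULL, env->localhost, NULL, &match, NULL) != ISC_R_SUCCESS || match == 0) {`. The enclosing function starts and ends outside the hunk.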
* information regarding copyright ownership.
*/
-
/*! \file */
#include <config.h>
}
ATF_TC_BODY(dns_acl_isinsecure, tc) {
isc_result_t result;
- unsigned int pass;
- struct {
- isc_boolean_t first;
- isc_boolean_t second;
- } ecs[] = {
- { ISC_FALSE, ISC_FALSE },
- { ISC_TRUE, ISC_TRUE },
- { ISC_TRUE, ISC_FALSE },
- { ISC_FALSE, ISC_TRUE }
- };
-
dns_acl_t *any = NULL;
dns_acl_t *none = NULL;
dns_acl_t *notnone = NULL;
dns_acl_t *notany = NULL;
- dns_acl_t *pos4pos6 = NULL;
- dns_acl_t *notpos4pos6 = NULL;
- dns_acl_t *neg4pos6 = NULL;
- dns_acl_t *notneg4pos6 = NULL;
- dns_acl_t *pos4neg6 = NULL;
- dns_acl_t *notpos4neg6 = NULL;
- dns_acl_t *neg4neg6 = NULL;
- dns_acl_t *notneg4neg6 = NULL;
-
- dns_acl_t *loop4 = NULL;
- dns_acl_t *notloop4 = NULL;
-
- dns_acl_t *loop6 = NULL;
- dns_acl_t *notloop6 = NULL;
-
- dns_acl_t *loop4pos6 = NULL;
- dns_acl_t *notloop4pos6 = NULL;
- dns_acl_t *loop4neg6 = NULL;
- dns_acl_t *notloop4neg6 = NULL;
-
- struct in_addr inaddr;
- isc_netaddr_t addr;
-
UNUSED(tc);
result = dns_test_begin(NULL, ISC_FALSE);
dns_acl_detach(¬any);
dns_acl_detach(¬none);
- for (pass = 0; pass < sizeof(ecs)/sizeof(ecs[0]); pass++) {
- result = dns_acl_create(mctx, 1, &pos4pos6);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- result = dns_acl_create(mctx, 1, ¬pos4pos6);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- result = dns_acl_create(mctx, 1, &neg4pos6);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- result = dns_acl_create(mctx, 1, ¬neg4pos6);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- result = dns_acl_create(mctx, 1, &pos4neg6);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- result = dns_acl_create(mctx, 1, ¬pos4neg6);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- result = dns_acl_create(mctx, 1, &neg4neg6);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- result = dns_acl_create(mctx, 1, ¬neg4neg6);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- inaddr.s_addr = htonl(0x0a000000); /* 10.0.0.0 */
- isc_netaddr_fromin(&addr, &inaddr);
- result = dns_iptable_addprefix(pos4pos6->iptable, &addr, 8,
- ISC_TRUE, ecs[pass].first);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- addr.family = AF_INET6; /* 0a00:: */
- result = dns_iptable_addprefix(pos4pos6->iptable, &addr, 8,
- ISC_TRUE, ecs[pass].second);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- result = dns_acl_merge(notpos4pos6, pos4pos6, ISC_FALSE);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- inaddr.s_addr = htonl(0x0a000000); /* !10.0.0.0/8 */
- isc_netaddr_fromin(&addr, &inaddr);
- result = dns_iptable_addprefix(neg4pos6->iptable, &addr, 8,
- ISC_FALSE, ecs[pass].first);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- addr.family = AF_INET6; /* 0a00::/8 */
- result = dns_iptable_addprefix(neg4pos6->iptable, &addr, 8,
- ISC_TRUE, ecs[pass].second);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- result = dns_acl_merge(notneg4pos6, neg4pos6, ISC_FALSE);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- inaddr.s_addr = htonl(0x0a000000); /* 10.0.0.0/8 */
- isc_netaddr_fromin(&addr, &inaddr);
- result = dns_iptable_addprefix(pos4neg6->iptable, &addr, 8,
- ISC_TRUE, ecs[pass].first);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- addr.family = AF_INET6; /* !0a00::/8 */
- result = dns_iptable_addprefix(pos4neg6->iptable, &addr, 8,
- ISC_FALSE, ecs[pass].second);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- result = dns_acl_merge(notpos4neg6, pos4neg6, ISC_FALSE);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- inaddr.s_addr = htonl(0x0a000000); /* !10.0.0.0/8 */
- isc_netaddr_fromin(&addr, &inaddr);
- result = dns_iptable_addprefix(neg4neg6->iptable, &addr, 8,
- ISC_FALSE, ecs[pass].first);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- addr.family = AF_INET6; /* !0a00::/8 */
- result = dns_iptable_addprefix(neg4neg6->iptable, &addr, 8,
- ISC_FALSE, ecs[pass].second);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- result = dns_acl_merge(notneg4neg6, neg4neg6, ISC_FALSE);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- ATF_CHECK(dns_acl_isinsecure(pos4pos6));
- ATF_CHECK(!dns_acl_isinsecure(notpos4pos6));
- ATF_CHECK(dns_acl_isinsecure(neg4pos6));
- ATF_CHECK(!dns_acl_isinsecure(notneg4pos6));
- ATF_CHECK(dns_acl_isinsecure(pos4neg6));
- ATF_CHECK(!dns_acl_isinsecure(notpos4neg6));
- ATF_CHECK(!dns_acl_isinsecure(neg4neg6));
- ATF_CHECK(!dns_acl_isinsecure(notneg4neg6));
-
- dns_acl_detach(&pos4pos6);
- dns_acl_detach(¬pos4pos6);
- dns_acl_detach(&neg4pos6);
- dns_acl_detach(¬neg4pos6);
- dns_acl_detach(&pos4neg6);
- dns_acl_detach(¬pos4neg6);
- dns_acl_detach(&neg4neg6);
- dns_acl_detach(¬neg4neg6);
-
- result = dns_acl_create(mctx, 1, &loop4);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- result = dns_acl_create(mctx, 1, ¬loop4);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- result = dns_acl_create(mctx, 1, &loop6);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- result = dns_acl_create(mctx, 1, ¬loop6);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- inaddr.s_addr = htonl(0x7f000001); /* 127.0.0.1 */
- isc_netaddr_fromin(&addr, &inaddr);
- result = dns_iptable_addprefix(loop4->iptable, &addr, 32,
- ISC_TRUE, ecs[pass].first);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- result = dns_acl_merge(notloop4, loop4, ISC_FALSE);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- isc_netaddr_fromin6(&addr, &in6addr_loopback); /* ::1 */
- result = dns_iptable_addprefix(loop6->iptable, &addr, 128,
- ISC_TRUE, ecs[pass].first);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- result = dns_acl_merge(notloop6, loop6, ISC_FALSE);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- if (!ecs[pass].first) {
- ATF_CHECK(!dns_acl_isinsecure(loop4));
- ATF_CHECK(!dns_acl_isinsecure(notloop4));
- ATF_CHECK(!dns_acl_isinsecure(loop6));
- ATF_CHECK(!dns_acl_isinsecure(notloop6));
- } else if (ecs[pass].first) {
- ATF_CHECK(dns_acl_isinsecure(loop4));
- ATF_CHECK(!dns_acl_isinsecure(notloop4));
- ATF_CHECK(dns_acl_isinsecure(loop6));
- ATF_CHECK(!dns_acl_isinsecure(notloop6));
- }
-
- dns_acl_detach(&loop4);
- dns_acl_detach(¬loop4);
- dns_acl_detach(&loop6);
- dns_acl_detach(¬loop6);
-
- result = dns_acl_create(mctx, 1, &loop4pos6);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- result = dns_acl_create(mctx, 1, ¬loop4pos6);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- result = dns_acl_create(mctx, 1, &loop4neg6);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- result = dns_acl_create(mctx, 1, ¬loop4neg6);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- inaddr.s_addr = htonl(0x7f000001); /* 127.0.0.1 */
- isc_netaddr_fromin(&addr, &inaddr);
- result = dns_iptable_addprefix(loop4pos6->iptable, &addr, 32,
- ISC_TRUE, ecs[pass].first);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- addr.family = AF_INET6; /* f700:0001::/32 */
- result = dns_iptable_addprefix(loop4pos6->iptable, &addr, 32,
- ISC_TRUE, ecs[pass].second);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- result = dns_acl_merge(notloop4pos6, loop4pos6, ISC_FALSE);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- inaddr.s_addr = htonl(0x7f000001); /* 127.0.0.1 */
- isc_netaddr_fromin(&addr, &inaddr);
- result = dns_iptable_addprefix(loop4neg6->iptable, &addr, 32,
- ISC_TRUE, ecs[pass].first);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- addr.family = AF_INET6; /* !f700:0001::/32 */
- result = dns_iptable_addprefix(loop4neg6->iptable, &addr, 32,
- ISC_FALSE, ecs[pass].second);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- result = dns_acl_merge(notloop4neg6, loop4neg6, ISC_FALSE);
- ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
-
- if (!ecs[pass].first && !ecs[pass].second) {
- ATF_CHECK(dns_acl_isinsecure(loop4pos6));
- ATF_CHECK(!dns_acl_isinsecure(notloop4pos6));
- ATF_CHECK(!dns_acl_isinsecure(loop4neg6));
- ATF_CHECK(!dns_acl_isinsecure(notloop4neg6));
- } else if (ecs[pass].first && !ecs[pass].second) {
- ATF_CHECK(dns_acl_isinsecure(loop4pos6));
- ATF_CHECK(!dns_acl_isinsecure(notloop4pos6));
- ATF_CHECK(dns_acl_isinsecure(loop4neg6));
- ATF_CHECK(!dns_acl_isinsecure(notloop4neg6));
- } else if (!ecs[pass].first && ecs[pass].second) {
- ATF_CHECK(dns_acl_isinsecure(loop4pos6));
- ATF_CHECK(!dns_acl_isinsecure(notloop4pos6));
- ATF_CHECK(!dns_acl_isinsecure(loop4neg6));
- ATF_CHECK(!dns_acl_isinsecure(notloop4neg6));
- } else {
- ATF_CHECK(dns_acl_isinsecure(loop4pos6));
- ATF_CHECK(!dns_acl_isinsecure(notloop4pos6));
- ATF_CHECK(dns_acl_isinsecure(loop4neg6));
- ATF_CHECK(!dns_acl_isinsecure(notloop4neg6));
- }
-
- dns_acl_detach(&loop4pos6);
- dns_acl_detach(¬loop4pos6);
- dns_acl_detach(&loop4neg6);
- dns_acl_detach(¬loop4neg6);
- }
-
dns_test_end();
}
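Review bot: Deleting the whole `pass` loop removes the `dns_acl_isinsecure` coverage for mixed IPv4/IPv6 positive and negative prefixes, not just the ECS variants: the `{ ISC_FALSE, ISC_FALSE }` pass (L1258) checked that `pos4pos6` and `loop4pos6` are insecure while `neg4neg6`, `loop4`, `loop6` and `loop4neg6` are not (L1376-L1383, L1424-L1427, L1481-L1484), and all of those expectations still hold once ECS is gone. Keep that single pass with the `is_ecs` argument dropped from each `dns_iptable_addprefix` call, e.g. `result = dns_iptable_addprefix(pos4pos6->iptable, &addr, 8, ISC_TRUE);`, and keep only the first branch of each expectation block, so the radix-tree behaviour this commit rewrites (the four-slot to two-slot change) stays under test.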
* information regarding copyright ownership.
*/
-
/*! \file */
#include <config.h>
}
static isc_boolean_t
-do_lookup_string(const char *addr, isc_uint8_t *scope,
- dns_geoip_subtype_t subtype, const char *string)
+do_lookup_string(const char *addr, dns_geoip_subtype_t subtype,
+ const char *string)
{
dns_geoip_elem_t elt;
struct in_addr in4;
elt.subtype = subtype;
strlcpy(elt.as_string, string, sizeof(elt.as_string));
- return (dns_geoip_match(&na, scope, &geoip, &elt));
+ return (dns_geoip_match(&na, &geoip, &elt));
}
static isc_boolean_t
-do_lookup_string_v6(const char *addr, isc_uint8_t *scope,
- dns_geoip_subtype_t subtype, const char *string)
+do_lookup_string_v6(const char *addr, dns_geoip_subtype_t subtype,
+ const char *string)
{
dns_geoip_elem_t elt;
struct in6_addr in6;
elt.subtype = subtype;
strlcpy(elt.as_string, string, sizeof(elt.as_string));
- return (dns_geoip_match(&na, scope, &geoip, &elt));
+ return (dns_geoip_match(&na, &geoip, &elt));
}
static isc_boolean_t
-do_lookup_int(const char *addr, isc_uint8_t *scope,
- dns_geoip_subtype_t subtype, int id)
-{
+do_lookup_int(const char *addr, dns_geoip_subtype_t subtype, int id) {
dns_geoip_elem_t elt;
struct in_addr in4;
isc_netaddr_t na;
elt.subtype = subtype;
elt.as_int = id;
- return (dns_geoip_match(&na, scope, &geoip, &elt));
+ return (dns_geoip_match(&na, &geoip, &elt));
}
/*
ATF_TC_BODY(country, tc) {
isc_result_t result;
isc_boolean_t match;
- isc_uint8_t scope;
UNUSED(tc);
atf_tc_skip("Database not available");
}
- match = do_lookup_string("10.53.0.1", &scope,
+ match = do_lookup_string("10.53.0.1",
dns_geoip_country_code, "AU");
ATF_CHECK(match);
- ATF_CHECK_EQ(scope, 32);
- match = do_lookup_string("10.53.0.1", &scope,
+ match = do_lookup_string("10.53.0.1",
dns_geoip_country_code3, "AUS");
ATF_CHECK(match);
- ATF_CHECK_EQ(scope, 32);
- match = do_lookup_string("10.53.0.1", &scope,
+ match = do_lookup_string("10.53.0.1",
dns_geoip_country_name, "Australia");
ATF_CHECK(match);
- ATF_CHECK_EQ(scope, 32);
- match = do_lookup_string("192.0.2.128", &scope,
+ match = do_lookup_string("192.0.2.128",
dns_geoip_country_code, "O1");
ATF_CHECK(match);
- ATF_CHECK_EQ(scope, 24);
- match = do_lookup_string("192.0.2.128", &scope,
+ match = do_lookup_string("192.0.2.128",
dns_geoip_country_name, "Other");
ATF_CHECK(match);
- ATF_CHECK_EQ(scope, 24);
dns_test_end();
}
ATF_TC_BODY(country_v6, tc) {
isc_result_t result;
isc_boolean_t match;
- isc_uint8_t scope;
UNUSED(tc);
atf_tc_skip("Database not available");
}
- match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", &scope,
+ match = do_lookup_string_v6("fd92:7065:b8e:ffff::1",
dns_geoip_country_code, "AU");
ATF_CHECK(match);
- ATF_CHECK_EQ(scope, 128);
- match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", &scope,
+ match = do_lookup_string_v6("fd92:7065:b8e:ffff::1",
dns_geoip_country_code3, "AUS");
ATF_CHECK(match);
- ATF_CHECK_EQ(scope, 128);
- match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", &scope,
+ match = do_lookup_string_v6("fd92:7065:b8e:ffff::1",
dns_geoip_country_name, "Australia");
ATF_CHECK(match);
- ATF_CHECK_EQ(scope, 128);
dns_test_end();
}
atf_tc_skip("Database not available");
}
- match = do_lookup_string("10.53.0.1", NULL,
+ match = do_lookup_string("10.53.0.1",
dns_geoip_city_continentcode, "NA");
ATF_CHECK(match);
- match = do_lookup_string("10.53.0.1", NULL,
+ match = do_lookup_string("10.53.0.1",
dns_geoip_city_countrycode, "US");
ATF_CHECK(match);
- match = do_lookup_string("10.53.0.1", NULL,
+ match = do_lookup_string("10.53.0.1",
dns_geoip_city_countrycode3, "USA");
ATF_CHECK(match);
- match = do_lookup_string("10.53.0.1", NULL,
+ match = do_lookup_string("10.53.0.1",
dns_geoip_city_countryname, "United States");
ATF_CHECK(match);
- match = do_lookup_string("10.53.0.1", NULL,
+ match = do_lookup_string("10.53.0.1",
dns_geoip_city_region, "CA");
ATF_CHECK(match);
- match = do_lookup_string("10.53.0.1", NULL,
+ match = do_lookup_string("10.53.0.1",
dns_geoip_city_regionname, "California");
ATF_CHECK(match);
- match = do_lookup_string("10.53.0.1", NULL,
+ match = do_lookup_string("10.53.0.1",
dns_geoip_city_name, "Redwood City");
ATF_CHECK(match);
- match = do_lookup_string("10.53.0.1", NULL,
+ match = do_lookup_string("10.53.0.1",
dns_geoip_city_postalcode, "94063");
ATF_CHECK(match);
- match = do_lookup_int("10.53.0.1", NULL, dns_geoip_city_areacode, 650);
+ match = do_lookup_int("10.53.0.1", dns_geoip_city_areacode, 650);
ATF_CHECK(match);
- match = do_lookup_int("10.53.0.1", NULL, dns_geoip_city_metrocode, 807);
+ match = do_lookup_int("10.53.0.1", dns_geoip_city_metrocode, 807);
ATF_CHECK(match);
dns_test_end();
atf_tc_skip("Database not available");
}
- match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL,
+ match = do_lookup_string_v6("fd92:7065:b8e:ffff::1",
dns_geoip_city_continentcode, "NA");
ATF_CHECK(match);
- match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL,
+ match = do_lookup_string_v6("fd92:7065:b8e:ffff::1",
dns_geoip_city_countrycode, "US");
ATF_CHECK(match);
- match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL,
+ match = do_lookup_string_v6("fd92:7065:b8e:ffff::1",
dns_geoip_city_countrycode3, "USA");
ATF_CHECK(match);
- match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL,
+ match = do_lookup_string_v6("fd92:7065:b8e:ffff::1",
dns_geoip_city_countryname,
"United States");
ATF_CHECK(match);
- match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL,
+ match = do_lookup_string_v6("fd92:7065:b8e:ffff::1",
dns_geoip_city_region, "CA");
ATF_CHECK(match);
- match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL,
+ match = do_lookup_string_v6("fd92:7065:b8e:ffff::1",
dns_geoip_city_regionname, "California");
ATF_CHECK(match);
- match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL,
+ match = do_lookup_string_v6("fd92:7065:b8e:ffff::1",
dns_geoip_city_name, "Redwood City");
ATF_CHECK(match);
- match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL,
+ match = do_lookup_string_v6("fd92:7065:b8e:ffff::1",
dns_geoip_city_postalcode, "94063");
ATF_CHECK(match);
atf_tc_skip("Database not available");
}
- match = do_lookup_string("10.53.0.1", NULL,
+ match = do_lookup_string("10.53.0.1",
dns_geoip_region_code, "CA");
ATF_CHECK(match);
- match = do_lookup_string("10.53.0.1", NULL,
+ match = do_lookup_string("10.53.0.1",
dns_geoip_region_name, "California");
ATF_CHECK(match);
- match = do_lookup_string("10.53.0.1", NULL,
+ match = do_lookup_string("10.53.0.1",
dns_geoip_region_countrycode, "US");
ATF_CHECK(match);
atf_tc_skip("Database not available");
}
- match = do_lookup_string("10.53.0.4", NULL,
+ match = do_lookup_string("10.53.0.4",
dns_geoip_countrycode, "US");
ATF_CHECK(match);
- match = do_lookup_string("10.53.0.4", NULL,
+ match = do_lookup_string("10.53.0.4",
dns_geoip_countrycode3, "USA");
ATF_CHECK(match);
- match = do_lookup_string("10.53.0.4", NULL,
+ match = do_lookup_string("10.53.0.4",
dns_geoip_countryname, "United States");
ATF_CHECK(match);
- match = do_lookup_string("10.53.0.4", NULL,
+ match = do_lookup_string("10.53.0.4",
dns_geoip_regionname, "Virginia");
ATF_CHECK(match);
- match = do_lookup_string("10.53.0.4", NULL,
+ match = do_lookup_string("10.53.0.4",
dns_geoip_region, "VA");
ATF_CHECK(match);
GeoIP_delete(geoip.city_v4);
geoip.city_v4 = NULL;
- match = do_lookup_string("10.53.0.4", NULL,
+ match = do_lookup_string("10.53.0.4",
dns_geoip_countrycode, "AU");
ATF_CHECK(match);
* Note, region doesn't support code3 or countryname, so
* the next two would be answered from the country database instead
*/
- match = do_lookup_string("10.53.0.4", NULL,
+ match = do_lookup_string("10.53.0.4",
dns_geoip_countrycode3, "CAN");
ATF_CHECK(match);
- match = do_lookup_string("10.53.0.4", NULL,
+ match = do_lookup_string("10.53.0.4",
dns_geoip_countryname, "Canada");
ATF_CHECK(match);
GeoIP_delete(geoip.region);
geoip.region = NULL;
- match = do_lookup_string("10.53.0.4", NULL,
+ match = do_lookup_string("10.53.0.4",
dns_geoip_countrycode, "CA");
ATF_CHECK(match);
- match = do_lookup_string("10.53.0.4", NULL,
+ match = do_lookup_string("10.53.0.4",
dns_geoip_countrycode3, "CAN");
ATF_CHECK(match);
- match = do_lookup_string("10.53.0.4", NULL,
+ match = do_lookup_string("10.53.0.4",
dns_geoip_countryname, "Canada");
ATF_CHECK(match);
}
- match = do_lookup_string("10.53.0.3", NULL, dns_geoip_as_asnum,
+ match = do_lookup_string("10.53.0.3", dns_geoip_as_asnum,
"AS100003 Three Network Labs");
ATF_CHECK(match);
atf_tc_skip("Database not available");
}
- match = do_lookup_string("10.53.0.1", NULL, dns_geoip_isp_name,
+ match = do_lookup_string("10.53.0.1", dns_geoip_isp_name,
"One Systems, Inc.");
ATF_CHECK(match);
atf_tc_skip("Database not available");
}
- match = do_lookup_string("10.53.0.2", NULL, dns_geoip_org_name,
+ match = do_lookup_string("10.53.0.2", dns_geoip_org_name,
"Two Technology Ltd.");
ATF_CHECK(match);
atf_tc_skip("Database not available");
}
- match = do_lookup_string("10.53.0.4", NULL,
+ match = do_lookup_string("10.53.0.4",
dns_geoip_domain_name, "four.com");
ATF_CHECK(match);
atf_tc_skip("Database not available");
}
- match = do_lookup_int("10.53.0.1", NULL, dns_geoip_netspeed_id, 0);
+ match = do_lookup_int("10.53.0.1", dns_geoip_netspeed_id, 0);
ATF_CHECK(match);
- match = do_lookup_int("10.53.0.2", NULL, dns_geoip_netspeed_id, 1);
+ match = do_lookup_int("10.53.0.2", dns_geoip_netspeed_id, 1);
ATF_CHECK(match);
- match = do_lookup_int("10.53.0.3", NULL, dns_geoip_netspeed_id, 2);
+ match = do_lookup_int("10.53.0.3", dns_geoip_netspeed_id, 2);
ATF_CHECK(match);
- match = do_lookup_int("10.53.0.4", NULL, dns_geoip_netspeed_id, 3);
+ match = do_lookup_int("10.53.0.4", dns_geoip_netspeed_id, 3);
ATF_CHECK(match);
dns_test_end();
tsigkey = dns_message_gettsigkey(msg);
tsig = dns_tsigkey_identity(tsigkey);
if (i >= zone->masterscnt && zone->notify_acl != NULL &&
- dns_acl_match(&netaddr, tsig, NULL, 0, NULL, zone->notify_acl,
- &zone->view->aclenv, &match,
- NULL) == ISC_R_SUCCESS &&
+ (dns_acl_match(&netaddr, tsig, zone->notify_acl,
+ &zone->view->aclenv, &match,
+ NULL) == ISC_R_SUCCESS) &&
match > 0)
{
/* Accept notify. */
#ifndef _RADIX_H
#define _RADIX_H
-#define NETADDR_TO_PREFIX_T(na,pt,bits,is_ecs) \
+#define NETADDR_TO_PREFIX_T(na,pt,bits) \
do { \
const void *p = na; \
memset(&(pt), 0, sizeof(pt)); \
(pt).family = AF_UNSPEC; \
(pt).bitlen = 0; \
} \
- (pt).ecs = is_ecs; \
isc_refcount_init(&(pt).refcount, 0); \
} while(0)
isc_mem_t *mctx;
unsigned int family; /* AF_INET | AF_INET6, or AF_UNSPEC for "any" */
unsigned int bitlen; /* 0 for "any" */
- isc_boolean_t ecs; /* ISC_TRUE for an EDNS client subnet address */
isc_refcount_t refcount;
union {
struct in_addr sin;
* return the one that was added first.
*
* An IPv4 prefix and an IPv6 prefix may share a radix tree node if they
- * have the same length and bit pattern (e.g., 127/8 and 7f::/8). Also,
- * a node that matches a client address may also match an EDNS client
- * subnet address. To disambiguate between these, node_num and data
- * are four-element arrays;
+ * have the same length and bit pattern (e.g., 127/8 and 7f::/8). To
+ * disambiguate between them, node_num and data are two-element arrays:
*
* - node_num[0] and data[0] are used for IPv4 client addresses
- * - node_num[1] and data[1] for IPv4 client subnet addresses
- * - node_num[2] and data[2] are used for IPv6 client addresses
- * - node_num[3] and data[3] for IPv6 client subnet addresses
+ * - node_num[1] and data[1] are used for IPv6 client addresses
*
* A prefix of 0/0 (aka "any" or "none"), is always stored as IPv4,
- * but matches IPv6 addresses too, as well as all client subnet
- * addresses.
+ * but matches all IPv6 addresses too.
*/
-#define ISC_RADIX_OFF(p) \
- ((((p)->family == AF_INET6) ? 1 : 0) + ((p)->ecs ? 2 : 0))
+#define ISC_RADIX_OFF(p) (((p)->family == AF_INET6) ? 1 : 0)
typedef struct isc_radix_node {
isc_mem_t *mctx;
isc_prefix_t *prefix; /* who we are in radix tree */
struct isc_radix_node *l, *r; /* left and right children */
struct isc_radix_node *parent; /* may be used */
- void *data[4]; /* pointers to IPv4 and IPV6 data */
- int node_num[4]; /* which node this was in the tree,
+ void *data[2]; /* pointers to IPv4 and IPV6 data */
+ int node_num[2]; /* which node this was in the tree,
or -1 for glue nodes */
} isc_radix_node_t;
* information regarding copyright ownership.
*/
-
/*
* This source was adapted from MRT's RCS Ids:
* Id: radix.c,v 1.10.2.1 1999/11/29 05:16:24 masaki Exp
}
prefix->family = family;
- prefix->ecs = ISC_FALSE;
prefix->mctx = NULL;
isc_mem_attach(mctx, &prefix->mctx);
func(Xrn->data);
} else {
INSIST(Xrn->data[0] == NULL &&
- Xrn->data[1] == NULL &&
- Xrn->data[2] == NULL &&
- Xrn->data[3] == NULL);
+ Xrn->data[1] == NULL);
}
isc_mem_put(radix->mctx, Xrn, sizeof(*Xrn));
if (node == NULL)
return (ISC_R_NOMEMORY);
node->bit = bitlen;
- for (i = 0; i < 4; i++)
+ for (i = 0; i < 2; i++) {
node->node_num[i] = -1;
+ }
node->prefix = NULL;
result = _ref_prefix(radix->mctx, &node->prefix, prefix);
if (result != ISC_R_SUCCESS) {
* added to num_added_node at the end of
* the merge operation--we don't do it here.
*/
- for (i = 0; i < 4; i++) {
+ for (i = 0; i < 2; i++) {
if (source->node_num[i] != -1)
node->node_num[i] =
radix->num_added_node +
int next = ++radix->num_added_node;
if (fam == AF_UNSPEC) {
/* "any" or "none" */
- for (i = 0; i < 4; i++)
+ for (i = 0; i < 2; i++) {
node->node_num[i] = next;
+ }
} else {
node->node_num[ISC_RADIX_OFF(prefix)] = next;
}
/* Set node_num only if it hasn't been set before */
if (source != NULL) {
/* Merging nodes */
- for (i = 0; i < 4; i++) {
+ for (i = 0; i < 2; i++) {
if (node->node_num[i] == -1 &&
- source->node_num[i] != -1) {
+ source->node_num[i] != -1)
+ {
node->node_num[i] =
radix->num_added_node +
source->node_num[i];
if (fam == AF_UNSPEC) {
/* "any" or "none" */
int next = radix->num_added_node + 1;
- for (i = 0; i < 4; i++) {
+ for (i = 0; i < 2; i++)
+ {
if (node->node_num[i] == -1) {
node->node_num[i] =
next;
return (result);
}
INSIST(node->data[0] == NULL && node->node_num[0] == -1 &&
- node->data[1] == NULL && node->node_num[1] == -1 &&
- node->data[2] == NULL && node->node_num[2] == -1 &&
- node->data[3] == NULL && node->node_num[3] == -1);
+ node->data[1] == NULL && node->node_num[1] == -1);
if (source != NULL) {
/* Merging node */
- for (i = 0; i < 4; i++) {
+ for (i = 0; i < 2; i++) {
int cur = radix->num_added_node;
if (source->node_num[i] != -1) {
node->node_num[i] =
int next = ++radix->num_added_node;
if (fam == AF_UNSPEC) {
/* "any" or "none" */
- for (i = 0; i < 4; i++)
+ for (i = 0; i < 2; i++) {
node->node_num[i] = next;
+ }
} else {
node->node_num[ISC_RADIX_OFF(prefix)] = next;
}
}
new_node->parent = NULL;
new_node->l = new_node->r = NULL;
- for (i = 0; i < 4; i++) {
+ for (i = 0; i < 2; i++) {
new_node->node_num[i] = -1;
new_node->data[i] = NULL;
}
if (source != NULL) {
/* Merging node */
- for (i = 0; i < 4; i++) {
+ for (i = 0; i < 2; i++) {
int cur = radix->num_added_node;
if (source->node_num[i] != -1) {
new_node->node_num[i] =
int next = ++radix->num_added_node;
if (fam == AF_UNSPEC) {
/* "any" or "none" */
- for (i = 0; i < 4; i++)
+ for (i = 0; i < 2; i++)
new_node->node_num[i] = next;
} else {
new_node->node_num[ISC_RADIX_OFF(prefix)] = next;
glue->bit = differ_bit;
glue->prefix = NULL;
glue->parent = node->parent;
- for (i = 0; i < 4; i++) {
+ for (i = 0; i < 2; i++) {
glue->data[i] = NULL;
glue->node_num[i] = -1;
}
in_addr.s_addr = inet_addr("3.3.3.0");
isc_netaddr_fromin(&netaddr, &in_addr);
- NETADDR_TO_PREFIX_T(&netaddr, prefix, 24, ISC_FALSE);
+ NETADDR_TO_PREFIX_T(&netaddr, prefix, 24);
node = NULL;
result = isc_radix_insert(radix, &node, NULL, &prefix);
in_addr.s_addr = inet_addr("3.3.0.0");
isc_netaddr_fromin(&netaddr, &in_addr);
- NETADDR_TO_PREFIX_T(&netaddr, prefix, 16, ISC_FALSE);
+ NETADDR_TO_PREFIX_T(&netaddr, prefix, 16);
node = NULL;
result = isc_radix_insert(radix, &node, NULL, &prefix);
in_addr.s_addr = inet_addr("3.3.3.3");
isc_netaddr_fromin(&netaddr, &in_addr);
- NETADDR_TO_PREFIX_T(&netaddr, prefix, 22, ISC_FALSE);
+ NETADDR_TO_PREFIX_T(&netaddr, prefix, 22);
node = NULL;
result = isc_radix_search(radix, &node, &prefix);
/* Network prefix */
isc_netaddr_t addr;
unsigned int bitlen;
- isc_boolean_t setecs;
cfg_obj_asnetprefix(ce, &addr, &bitlen);
if (family != 0 && family != addr.family) {
* the nestedacl element, not the iptable entry.
*/
setpos = ISC_TF(nest_level != 0 || !neg);
- setecs = cfg_obj_istype(ce, &cfg_type_ecsprefix);
result = dns_iptable_addprefix(iptab, &addr, bitlen,
- setpos, setecs);
+ setpos);
if (result != ISC_R_SUCCESS)
goto cleanup;
/* Iptable entry with zero bit length. */
setpos = ISC_TF(nest_level != 0 || !neg);
result = dns_iptable_addprefix(iptab, NULL, 0,
- setpos,
- ISC_FALSE);
+ setpos);
if (result != ISC_R_SUCCESS)
goto cleanup;
*/
setpos = ISC_TF(nest_level != 0 || neg);
result = dns_iptable_addprefix(iptab, NULL, 0,
- setpos,
- ISC_FALSE);
+ setpos);
if (result != ISC_R_SUCCESS)
goto cleanup;
* information regarding copyright ownership.
*/
-
#ifndef ISCCFG_NAMEDCONF_H
#define ISCCFG_NAMEDCONF_H 1
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_keyref;
/*%< A key reference, used as an ACL element */
-/*%< An EDNS client subnet address, used as an ACL element */
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_ecsprefix;
-
/*%< Zone options */
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_zoneopts;
#endif /* HAVE_DNSTAP */
#ifdef HAVE_GEOIP
{ "geoip-directory", &cfg_type_qstringornone, 0 },
- { "geoip-use-ecs", &cfg_type_boolean, 0 },
#else
{ "geoip-directory", &cfg_type_qstringornone,
CFG_CLAUSEFLAG_NOTCONFIGURED },
- { "geoip-use-ecs", &cfg_type_boolean, CFG_CLAUSEFLAG_NOTCONFIGURED },
#endif /* HAVE_GEOIP */
+ { "geoip-use-ecs", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
{ "has-old-clients", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
{ "heartbeat-interval", &cfg_type_uint32, 0 },
{ "host-statistics", &cfg_type_boolean, CFG_CLAUSEFLAG_NOTIMP },
}
#endif /* HAVE_GEOIP */
-/*%
- * An EDNS client subnet address
- */
-
-static keyword_type_t ecs_kw = { "ecs", &cfg_type_netprefix };
-LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_ecsprefix = {
- "edns_client_subnet", parse_keyvalue, print_keyvalue, doc_keyvalue,
- &cfg_rep_netprefix, &ecs_kw
-};
-
/*%
* A "controls" statement is represented as a map with the multivalued
* "inet" and "unix" clauses.
if (pctx->token.type == isc_tokentype_string &&
(strcasecmp(TOKEN_STRING(pctx), "key") == 0)) {
CHECK(cfg_parse_obj(pctx, &cfg_type_keyref, ret));
- } else if (pctx->token.type == isc_tokentype_string &&
- (strcasecmp(TOKEN_STRING(pctx), "ecs") == 0)) {
- CHECK(cfg_parse_obj(pctx, &cfg_type_ecsprefix, ret));
} else if (pctx->token.type == isc_tokentype_string &&
(strcasecmp(TOKEN_STRING(pctx), "geoip") == 0)) {
#ifdef HAVE_GEOIP
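Review bot: With the `ecs` branch removed, an ACL element written as `ecs <prefix>` no longer has a parse path of its own, so a named.conf that still uses it presumably falls through to the generic element parsing after this hunk and fails with a message that does not name the removed feature; this is inconsistent with `geoip-use-ecs`, which the same change marks `CFG_CLAUSEFLAG_OBSOLETE` so that it is reported as obsolete. Consider keeping the `strcasecmp(TOKEN_STRING(pctx), "ecs") == 0` test and turning it into an explicit diagnostic, `cfg_parser_error(pctx, CFG_LOG_NEAR, "'ecs' ACL elements are no longer supported");`, then failing the parse the way the surrounding branches do, so an operator upgrading gets an actionable message. The enclosing function starts outside the hunk.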
isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
if (client->sctx->blackholeacl != NULL &&
- dns_acl_match(&netaddr, NULL, NULL, 0, NULL,
- client->sctx->blackholeacl,
- env, &match, NULL) == ISC_R_SUCCESS &&
+ (dns_acl_match(&netaddr, NULL, client->sctx->blackholeacl,
+ env, &match, NULL) == ISC_R_SUCCESS) &&
match > 0)
+ {
return (DNS_R_BLACKHOLED);
+ }
sockflags |= ISC_SOCKFLAG_NORETRY;
}
name = &client->message->tsigkey->name;
if (client->view->nocasecompress == NULL ||
- !dns_acl_allowed(&netaddr, name, NULL, 0, NULL,
+ !dns_acl_allowed(&netaddr, name,
client->view->nocasecompress, env))
{
dns_compress_setsensitive(&cctx, ISC_TRUE);
int match;
isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
- result = dns_acl_match(&netaddr, NULL, NULL, 0, NULL,
- view->pad_acl, env, &match,
- NULL);
+ result = dns_acl_match(&netaddr, NULL, view->pad_acl,
+ env, &match, NULL);
if (result == ISC_R_SUCCESS && match > 0) {
INSIST(count < DNS_EDNSOPTIONS);
isc_boolean_t notimp;
size_t reqsize;
dns_aclenv_t *env;
- dns_ecs_t *ecs = NULL;
#ifdef HAVE_DNSTAP
dns_dtmsgtype_t dtmsgtype;
#endif
env = ns_interfacemgr_getaclenv(client->interface->mgr);
if (!TCP_CLIENT(client)) {
if (client->sctx->blackholeacl != NULL &&
- dns_acl_match(&netaddr, NULL, NULL, 0, NULL,
- client->sctx->blackholeacl, env, &match,
- NULL) == ISC_R_SUCCESS &&
+ (dns_acl_match(&netaddr, NULL, client->sctx->blackholeacl,
+ env, &match, NULL) == ISC_R_SUCCESS) &&
match > 0)
{
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
isc_sockaddr_fromnetaddr(&client->destsockaddr, &client->destaddr, 0);
- if ((client->attributes & NS_CLIENTATTR_HAVEECS) != 0) {
- ecs = &client->ecs;
- }
result = client->sctx->matchingview(&netaddr, &client->destaddr,
- client->message, env, ecs,
+ client->message, env,
&sigresult, &client->view);
if (result != ISC_R_SUCCESS) {
char classname[DNS_RDATACLASS_FORMATSIZE];
isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
if (client->sctx->blackholeacl != NULL &&
- dns_acl_match(&netaddr, NULL, NULL, 0, NULL,
- client->sctx->blackholeacl,
- env, &match, NULL) == ISC_R_SUCCESS &&
+ (dns_acl_match(&netaddr, NULL, client->sctx->blackholeacl,
+ env, &match, NULL) == ISC_R_SUCCESS) &&
match > 0)
{
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
"no more TCP clients(accept): %s",
isc_result_totext(result));
} else if (client->sctx->keepresporder == NULL ||
- !dns_acl_allowed(&netaddr, NULL, NULL, 0, NULL,
+ !dns_acl_allowed(&netaddr, NULL,
client->sctx->keepresporder, env))
{
client->pipelined = ISC_TRUE;
isc_result_t result;
dns_aclenv_t *env = ns_interfacemgr_getaclenv(client->interface->mgr);
isc_netaddr_t tmpnetaddr;
- isc_netaddr_t *ecs_addr = NULL;
- isc_uint8_t ecs_addrlen = 0;
int match;
if (acl == NULL) {
netaddr = &tmpnetaddr;
}
- if ((client->attributes & NS_CLIENTATTR_HAVEECS) != 0) {
- ecs_addr = &client->ecs.addr;
- ecs_addrlen = client->ecs.source;
- }
-
- result = dns_acl_match(netaddr, client->signer,
- ecs_addr, ecs_addrlen, NULL, acl,
+ result = dns_acl_match(netaddr, client->signer, acl,
env, &match, NULL);
-
if (result != ISC_R_SUCCESS)
goto deny; /* Internal error, already logged. */
*/
typedef isc_result_t
(*ns_matchview_t)(isc_netaddr_t *srcaddr, isc_netaddr_t *destaddr,
- dns_message_t *message, dns_aclenv_t *env, dns_ecs_t *ecs,
+ dns_message_t *message, dns_aclenv_t *env,
isc_result_t *sigresultp, dns_view_t **viewp);
/*%
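Review bot: The comment block that closes just above the `ns_matchview_t` typedef is outside this hunk, and if it documents the callback's arguments it presumably still describes the `ecs` parameter that the new signature no longer has; it should be checked and trimmed so the public typedef and its documentation agree. The same check applies to the Doxygen comments on the `dns_acl_match` family of declarations, which are not part of this chunk.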
/* First add localhost address */
prefixlen = (netaddr->family == AF_INET) ? 32 : 128;
result = dns_iptable_addprefix(mgr->aclenv.localhost->iptable,
- netaddr, prefixlen, ISC_TRUE, ISC_FALSE);
+ netaddr, prefixlen, ISC_TRUE);
if (result != ISC_R_SUCCESS)
return (result);
}
result = dns_iptable_addprefix(mgr->aclenv.localnets->iptable,
- netaddr, prefixlen, ISC_TRUE, ISC_FALSE);
+ netaddr, prefixlen, ISC_TRUE);
if (result != ISC_R_SUCCESS)
return (result);
* See if the address matches the listen-on statement;
* if not, ignore the interface.
*/
- (void)dns_acl_match(&listen_netaddr, NULL, NULL, 0,
- NULL, le->acl, &mgr->aclenv,
- &match, NULL);
- if (match <= 0)
+ (void)dns_acl_match(&listen_netaddr, NULL, le->acl,
+ &mgr->aclenv, &match, NULL);
+ if (match <= 0) {
continue;
+ }
if (adjusting == ISC_FALSE && dolistenon == ISC_TRUE) {
setup_listenon(mgr, &interface, le->port);
match = 0;
for (ele = ISC_LIST_HEAD(ext_listen->elts);
ele != NULL;
- ele = ISC_LIST_NEXT(ele, link)) {
+ ele = ISC_LIST_NEXT(ele, link))
+ {
(void)dns_acl_match(&listen_netaddr,
- NULL, NULL, 0,
NULL, ele->acl,
NULL, &match,
- NULL);
+ NULL);
if (match > 0 &&
(ele->port == le->port ||
ele->port == 0))
+ {
break;
- else
+ } else {
match = 0;
+ }
}
if (ipv6_wildcard == ISC_TRUE && match == 0)
continue;
try_elt = e;
}
- if (dns_aclelement_match(clientaddr, NULL, NULL, 0, NULL,
- try_elt, env, &matched_elt))
+ if (dns_aclelement_match(clientaddr, NULL, try_elt,
+ env, &matched_elt))
{
if (order_elt != NULL) {
if (order_elt->type ==
const dns_acl_t *sortacl = sla->acl;
int match;
- (void)dns_acl_match(addr, NULL, NULL, 0, NULL, sortacl, env, &match,
- NULL);
- if (match > 0)
+ (void)dns_acl_match(addr, NULL, sortacl, env, &match, NULL);
+ if (match > 0) {
return (match);
- else if (match < 0)
+ } else if (match < 0) {
return (INT_MAX - (-match));
- else
+ } else {
return (INT_MAX / 2);
+ }
}
int
const dns_aclenv_t *env = sla->env;
const dns_aclelement_t *element = sla->element;
- if (dns_aclelement_match(addr, NULL, NULL, 0, NULL, element, env,
- NULL)) {
+ if (dns_aclelement_match(addr, NULL, element, env, NULL)) {
return (0);
}
static isc_result_t
matchview(isc_netaddr_t *srcaddr, isc_netaddr_t *destaddr,
- dns_message_t *message, dns_aclenv_t *env, dns_ecs_t *ecs,
+ dns_message_t *message, dns_aclenv_t *env,
isc_result_t *sigresultp, dns_view_t **viewp)
{
UNUSED(srcaddr);
UNUSED(destaddr);
UNUSED(message);
UNUSED(env);
- UNUSED(ecs);
UNUSED(sigresultp);
UNUSED(viewp);