From: Bert Hubert Date: Tue, 4 Mar 2008 21:44:35 +0000 (+0000) Subject: implement 'allow-from-file', based on a patch by Sten Spans, thanks! X-Git-Tag: rec-3.1.7.1~91 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2c95fc65342c203459fb9efe38cd143f40de975c;p=thirdparty%2Fpdns.git implement 'allow-from-file', based on a patch by Sten Spans, thanks! git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1150 d19b8d6e-7fed-0310-83ef-9ca221ded41b --- diff --git a/pdns/docs/pdns.sgml b/pdns/docs/pdns.sgml index 0d0fede61d..937b49c971 100644 --- a/pdns/docs/pdns.sgml +++ b/pdns/docs/pdns.sgml @@ -7292,6 +7292,17 @@ local0.err /var/log/pdns.err + + allow-from-file + + + Like allow-from, except reading from file. Overrides the 'allow-from' setting. + To use this feature, supply one netmask per line, with optional comments preceeded by a #. + Available since 3.1.5. + + + + auth-can-lower-ttl diff --git a/pdns/iputils.hh b/pdns/iputils.hh index 3199010c55..19408e384b 100644 --- a/pdns/iputils.hh +++ b/pdns/iputils.hh @@ -1,6 +1,6 @@ /* PowerDNS Versatile Database Driven Nameserver - Copyright (C) 2002 - 2007 PowerDNS.COM BV + Copyright (C) 2002 - 2008 PowerDNS.COM BV This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 @@ -262,6 +262,11 @@ public: return (ip & d_mask) == (ntohl(d_network.sin4.sin_addr.s_addr) & d_mask); } + string toString() const + { + return d_network.toString()+"/"+boost::lexical_cast(d_bits); + } + private: ComboAddress d_network; uint32_t d_mask; 
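Review bot: In the new `Netmask::toString()`, `d_bits` is handed directly to `boost::lexical_cast`; its declaration lies outside the hunk, but if it is an 8-bit integer type the cast will stream it as a character rather than a number, and the prefix length in the printed netmask will be wrong or unprintable. Widening first avoids this: `return d_network.toString()+"/"+boost::lexical_cast<string>((unsigned int)d_bits);` (the template argument is not legible in this rendering, so `string` is assumed). This string is what an operator reads to confirm which ranges are allowed to recurse, so it is worth checking the output for a /8 and a /24. The class body starts and ends outside the hunk.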
@@ -294,6 +299,23 @@ public: return d_masks.empty(); } + unsigned int size() + { + return (unsigned int)d_masks.size(); + } + + string toString() const + { + ostringstream str; + for(container_t::const_iterator iter = d_masks.begin(); iter != d_masks.end(); ++iter) { + if(iter != d_masks.begin()) + str <<", "; + str<toString(); + } + return str.str(); + } + + private: typedef vector container_t; container_t d_masks; diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc index 1252d4fa4d..464e682e3d 100644 --- a/pdns/pdns_recursor.cc +++ b/pdns/pdns_recursor.cc @@ -1542,7 +1542,7 @@ void parseAuthAndForwards() // cerr<<"Inserting '"<addMask(line); + } + L<size() <<" allow-from ranges from file '"<<::arg()["allow-from-file"]<<"' - overriding 'allow-from' setting"< ips; stringtok(ips, ::arg()["allow-from"], ", "); @@ -1635,6 +1656,7 @@ int serviceMain(int argc, char*argv[]) else if(::arg()["local-address"]!="127.0.0.1" && ::arg().asNum("local-port")==53) L< ips; @@ -1860,6 +1882,7 @@ int main(int argc, char **argv) ::arg().set("remotes-ringbuffer-entries", "maximum number of packets to store statistics for")="0"; ::arg().set("version-string", "string reported on version.pdns or version.bind")="PowerDNS Recursor "VERSION" $Id$"; ::arg().set("allow-from", "If set, only allow these comma separated netmasks to recurse")="127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10"; + ::arg().set("allow-from-file", "If set, load allowed netmasks from this file")=""; ::arg().set("dont-query", "If set, do not query these netmasks for DNS data")="127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10"; ::arg().set("max-tcp-per-client", "If set, maximum number of TCP sessions per client (IP address)")="0"; ::arg().set("fork", "If set, fork the daemon for possible double performance")="no";
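Review bot: `size()` is not declared `const`, unlike the `toString()` added right below it, so it cannot be called on a const `NetmaskGroup`; `unsigned int size() const` fixes that. The C-style cast `(unsigned int)d_masks.size()` narrows silently, and `static_cast<unsigned int>(d_masks.size())` would make the narrowing explicit and greppable. The class body starts and ends outside the hunk.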
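Review bot: Where the file's lines are passed to `addMask(line)` and the result is logged as "overriding 'allow-from' setting", nothing visible distinguishes a file that yielded zero ranges from one that loaded correctly; most of this hunk is not legible in this rendering, so this may already be handled. Because the file replaces the built-in `allow-from` list, an empty or mistaken file changes who may use the recursor, and the operator should see that unambiguously. After the loop, test the group's `empty()` and log at error level that the file contained no netmasks. A short comment stating whether an empty group means deny-all would also help the next reader. The enclosing function starts outside the hunk.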
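Review bot: The help text registered for `allow-from-file` in `main` does not say that it replaces `allow-from`, although the sgml documentation and the log message in this commit both state that it does. Someone reading only `--help` could expect the two lists to be merged and end up with a narrower or wider ACL than intended. Suggest `"If set, load allowed netmasks from this file and ignore allow-from"`. main's body continues outside the hunk.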