From: Artem Boldariev
Date: Thu, 4 Nov 2021 14:52:49 +0000 (+0200)
Subject: Extend ACL syntax handling code with 'port' and 'transport' options
X-Git-Tag: v9.17.21~13^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=af2d065c21e9bc9589492a658e102b14015adfc4;p=thirdparty%2Fbind9.git

Extend ACL syntax handling code with 'port' and 'transport' options

This commit extends ACL syntax handling code with 'port' and 'transport' options. Currently, the extended syntax is available only for allow-transfer options.
---
diff --git a/bin/named/named.conf.rst b/bin/named/named.conf.rst
index 28a39c45e01..644c70430aa 100644
--- a/bin/named/named.conf.rst
+++ b/bin/named/named.conf.rst
@@ -166,7 +166,8 @@ OPTIONS
 allow-query-on { address_match_element; ... };
 allow-recursion { address_match_element; ... };
 allow-recursion-on { address_match_element; ... };
- allow-transfer { address_match_element; ... };
+ allow-transfer [ port integer ] [ transport string ] {
+ address_match_element; ... };
 allow-update { address_match_element; ... };
 allow-update-forwarding { address_match_element; ... };
 also-notify [ port integer ] [ dscp integer ] { (
@@ -605,7 +606,8 @@ VIEW
 allow-query-on { address_match_element; ... };
 allow-recursion { address_match_element; ... };
 allow-recursion-on { address_match_element; ... };
- allow-transfer { address_match_element; ... };
+ allow-transfer [ port integer ] [ transport string ] {
+ address_match_element; ... };
 allow-update { address_match_element; ... };
 allow-update-forwarding { address_match_element; ... };
 also-notify [ port integer ] [ dscp integer ] { (
@@ -889,7 +891,8 @@ VIEW
 allow-notify { address_match_element; ... };
 allow-query { address_match_element; ... };
 allow-query-on { address_match_element; ... };
- allow-transfer { address_match_element; ... };
+ allow-transfer [ port integer ] [ transport string ] {
+ address_match_element; ... };
 allow-update { address_match_element; ... };
 allow-update-forwarding { address_match_element; ... };
 also-notify [ port integer ] [ dscp integer ] { (
@@ -1009,7 +1012,8 @@ ZONE
 allow-notify { address_match_element; ... };
 allow-query { address_match_element; ... };
 allow-query-on { address_match_element; ... };
- allow-transfer { address_match_element; ... };
+ allow-transfer [ port integer ] [ transport string ] {
+ address_match_element; ... };
 allow-update { address_match_element; ... };
 allow-update-forwarding { address_match_element; ... };
 also-notify [ port integer ] [ dscp integer ] { (
diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in
index de092a77df4..1e285a2d0e8 100644
--- a/doc/man/named.conf.5in
+++ b/doc/man/named.conf.5in
@@ -233,7 +233,8 @@ options {
 allow\-query\-on { address_match_element; ... };
 allow\-recursion { address_match_element; ... };
 allow\-recursion\-on { address_match_element; ... };
- allow\-transfer { address_match_element; ... };
+ allow\-transfer [ port integer ] [ transport string ] {
+ address_match_element; ... };
 allow\-update { address_match_element; ... };
 allow\-update\-forwarding { address_match_element; ... };
 also\-notify [ port integer ] [ dscp integer ] { (
@@ -708,7 +709,8 @@ view string [ class ] {
 allow\-query\-on { address_match_element; ... };
 allow\-recursion { address_match_element; ... };
 allow\-recursion\-on { address_match_element; ... };
- allow\-transfer { address_match_element; ... };
+ allow\-transfer [ port integer ] [ transport string ] {
+ address_match_element; ... };
 allow\-update { address_match_element; ... };
 allow\-update\-forwarding { address_match_element; ... };
 also\-notify [ port integer ] [ dscp integer ] { (
@@ -992,7 +994,8 @@ view string [ class ] {
 allow\-notify { address_match_element; ... };
 allow\-query { address_match_element; ... };
 allow\-query\-on { address_match_element; ... };
- allow\-transfer { address_match_element; ... };
+ allow\-transfer [ port integer ] [ transport string ] {
+ address_match_element; ... };
 allow\-update { address_match_element; ... };
 allow\-update\-forwarding { address_match_element; ... };
 also\-notify [ port integer ] [ dscp integer ] { (
@@ -1116,7 +1119,8 @@ zone string [ class ] {
 allow\-notify { address_match_element; ... };
 allow\-query { address_match_element; ... };
 allow\-query\-on { address_match_element; ... };
- allow\-transfer { address_match_element; ... };
+ allow\-transfer [ port integer ] [ transport string ] {
+ address_match_element; ... };
 allow\-update { address_match_element; ... };
 allow\-update\-forwarding { address_match_element; ... };
 also\-notify [ port integer ] [ dscp integer ] { (
diff --git a/doc/misc/master.zoneopt b/doc/misc/master.zoneopt
index e51eee9bcc9..69134fd1f4d 100644
--- a/doc/misc/master.zoneopt
+++ b/doc/misc/master.zoneopt
@@ -2,7 +2,7 @@ zone [ ] {
 type ( master | primary );
 allow-query { ; ... };
 allow-query-on { ; ... };
- allow-transfer { ; ... };
+ allow-transfer [ port ] [ transport ] { ; ... };
 allow-update { ; ... };
 also-notify [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... };
 alt-transfer-source ( | * ) [ port ( | * ) ] [ dscp ];
diff --git a/doc/misc/master.zoneopt.rst b/doc/misc/master.zoneopt.rst
index 985e2b404ff..597a8dbdd90 100644
--- a/doc/misc/master.zoneopt.rst
+++ b/doc/misc/master.zoneopt.rst
@@ -4,7 +4,7 @@
 type ( master | primary );
 allow-query { ; ... };
 allow-query-on { ; ... };
- allow-transfer { ; ... };
+ allow-transfer [ port ] [ transport ] { ; ... };
 allow-update { ; ... };
 also-notify [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... };
 alt-transfer-source ( | * ) [ port ( | * ) ] [ dscp ];
diff --git a/doc/misc/mirror.zoneopt b/doc/misc/mirror.zoneopt
index 50556fc9ec0..a21182789d7 100644
--- a/doc/misc/mirror.zoneopt
+++ b/doc/misc/mirror.zoneopt
@@ -3,7 +3,7 @@ zone [ ] {
 allow-notify { ; ... };
 allow-query { ; ... };
 allow-query-on { ; ... };
- allow-transfer { ; ... };
+ allow-transfer [ port ] [ transport ] { ; ... };
 allow-update-forwarding { ; ... };
 also-notify [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... };
 alt-transfer-source ( | * ) [ port ( | * ) ] [ dscp ];
diff --git a/doc/misc/mirror.zoneopt.rst b/doc/misc/mirror.zoneopt.rst
index d481248fb09..668207601c4 100644
--- a/doc/misc/mirror.zoneopt.rst
+++ b/doc/misc/mirror.zoneopt.rst
@@ -5,7 +5,7 @@
 allow-notify { ; ... };
 allow-query { ; ... };
 allow-query-on { ; ... };
- allow-transfer { ; ... };
+ allow-transfer [ port ] [ transport ] { ; ... };
 allow-update-forwarding { ; ... };
 also-notify [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... };
 alt-transfer-source ( | * ) [ port ( | * ) ] [ dscp ];
diff --git a/doc/misc/options b/doc/misc/options
index 86967657ae4..b62967ef0c6 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -90,7 +90,8 @@ options {
 allow-query-on { ; ... };
 allow-recursion { ; ... };
 allow-recursion-on { ; ... };
- allow-transfer { ; ... };
+ allow-transfer [ port ] [ transport ] {
+ ; ... };
 allow-update { ; ... };
 allow-update-forwarding { ; ... };
 also-notify [ port ] [ dscp ] { (
@@ -484,7 +485,8 @@ view [ ] {
 allow-query-on { ; ... };
 allow-recursion { ; ... };
 allow-recursion-on { ; ... };
- allow-transfer { ; ... };
+ allow-transfer [ port ] [ transport ] {
+ ; ... };
 allow-update { ; ... };
 allow-update-forwarding { ; ... };
 also-notify [ port ] [ dscp ] { (
@@ -770,7 +772,8 @@ view [ ] {
 allow-notify { ; ... };
 allow-query { ; ... };
 allow-query-on { ; ... };
- allow-transfer { ; ... };
+ allow-transfer [ port ] [ transport ] {
+ ; ... };
 allow-update { ; ... };
 allow-update-forwarding { ; ... };
 also-notify [ port ] [ dscp ] { (
@@ -886,7 +889,8 @@ zone [ ] {
 allow-notify { ; ... };
 allow-query { ; ... };
 allow-query-on { ; ... };
- allow-transfer { ; ... };
+ allow-transfer [ port ] [ transport ] {
+ ; ... };
 allow-update { ; ... };
 allow-update-forwarding { ; ... };
 also-notify [ port ] [ dscp ] { (
diff --git a/doc/misc/options.active b/doc/misc/options.active
index bd4ceb26ae8..a3e2fbe3f0e 100644
--- a/doc/misc/options.active
+++ b/doc/misc/options.active
@@ -89,7 +89,8 @@ options {
 allow-query-on { ; ... };
 allow-recursion { ; ... };
 allow-recursion-on { ; ... };
- allow-transfer { ; ... };
+ allow-transfer [ port ] [ transport ] {
+ ; ... };
 allow-update { ; ... };
 allow-update-forwarding { ; ... };
 also-notify [ port ] [ dscp ] { (
@@ -481,7 +482,8 @@ view [ ] {
 allow-query-on { ; ... };
 allow-recursion { ; ... };
 allow-recursion-on { ; ... };
- allow-transfer { ; ... };
+ allow-transfer [ port ] [ transport ] {
+ ; ... };
 allow-update { ; ... };
 allow-update-forwarding { ; ... };
 also-notify [ port ] [ dscp ] { (
@@ -765,7 +767,8 @@ view [ ] {
 allow-notify { ; ... };
 allow-query { ; ... };
 allow-query-on { ; ... };
- allow-transfer { ; ... };
+ allow-transfer [ port ] [ transport ] {
+ ; ... };
 allow-update { ; ... };
 allow-update-forwarding { ; ... };
 also-notify [ port ] [ dscp ] { (
@@ -880,7 +883,8 @@ zone [ ] {
 allow-notify { ; ... };
 allow-query { ; ... };
 allow-query-on { ; ... };
- allow-transfer { ; ... };
+ allow-transfer [ port ] [ transport ] {
+ ; ... };
 allow-update { ; ... };
 allow-update-forwarding { ; ... };
 also-notify [ port ] [ dscp ] { (
diff --git a/doc/misc/options.grammar.rst b/doc/misc/options.grammar.rst
index 2c440420f1b..8e69a096864 100644
--- a/doc/misc/options.grammar.rst
+++ b/doc/misc/options.grammar.rst
@@ -9,7 +9,8 @@
 allow-query-on { ; ... };
 allow-recursion { ; ... };
 allow-recursion-on { ; ... };
- allow-transfer { ; ... };
+ allow-transfer [ port ] [ transport ] {
+ ; ... };
 allow-update { ; ... };
 allow-update-forwarding { ; ... };
 also-notify [ port ] [ dscp ] { (
diff --git a/doc/misc/slave.zoneopt b/doc/misc/slave.zoneopt
index be63c04e103..5fbbc065bce 100644
--- a/doc/misc/slave.zoneopt
+++ b/doc/misc/slave.zoneopt
@@ -3,7 +3,7 @@ zone [ ] {
 allow-notify { ; ... };
 allow-query { ; ... };
 allow-query-on { ; ... };
- allow-transfer { ; ... };
+ allow-transfer [ port ] [ transport ] { ; ... };
 allow-update-forwarding { ; ... };
 also-notify [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... };
 alt-transfer-source ( | * ) [ port ( | * ) ] [ dscp ];
diff --git a/doc/misc/slave.zoneopt.rst b/doc/misc/slave.zoneopt.rst
index 93996f47d87..3a603a044ca 100644
--- a/doc/misc/slave.zoneopt.rst
+++ b/doc/misc/slave.zoneopt.rst
@@ -5,7 +5,7 @@
 allow-notify { ; ... };
 allow-query { ; ... };
 allow-query-on { ; ... };
- allow-transfer { ; ... };
+ allow-transfer [ port ] [ transport ] { ; ... };
 allow-update-forwarding { ; ... };
 also-notify [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... };
 alt-transfer-source ( | * ) [ port ( | * ) ] [ dscp ];
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index d127b6efa59..1130983732c 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -475,6 +475,47 @@ checkacl(const char *aclname, cfg_aclconfctx_t *actx, const cfg_obj_t *zconfig,
 if (acl != NULL) {
 dns_acl_detach(&acl);
 }
+
+ if (strcasecmp(aclname, "allow-transfer") == 0 &&
+ cfg_obj_istuple(aclobj)) {
+ const cfg_obj_t *obj_port = cfg_tuple_get(
+ cfg_tuple_get(aclobj, "port-transport"), "port");
+ const cfg_obj_t *obj_proto = cfg_tuple_get(
+ cfg_tuple_get(aclobj, "port-transport"), "transport");
+
+ if (cfg_obj_isuint32(obj_port) &&
+ cfg_obj_asuint32(obj_port) >= UINT16_MAX) {
+ cfg_obj_log(obj_port, logctx, ISC_LOG_ERROR,
+ "port value '%u' is out of range",
+
+ cfg_obj_asuint32(obj_port));
+ if (result == ISC_R_SUCCESS) {
+ result = ISC_R_RANGE;
+ }
+ }
+
+ if (cfg_obj_isstring(obj_proto)) {
+ const char *allowed[] = { "tcp", "tls" };
+ const char *transport = cfg_obj_asstring(obj_proto);
+ bool found = false;
+ for (size_t i = 0; i < ARRAY_SIZE(allowed); i++) {
+ if (strcasecmp(transport, allowed[i]) == 0) {
+ found = true;
+ }
+ }
+
+ if (!found) {
+ cfg_obj_log(obj_proto, logctx, ISC_LOG_ERROR,
+ "'%s' is not a valid transport "
+ "protocol for "
+ "zone "
+ "transfers. Please specify either "
+ "'tcp' or 'tls'",
+ transport);
+ result = ISC_R_FAILURE;
+ }
+ }
+ }
 
 return (result);
 }
diff --git a/lib/isccfg/aclconf.c b/lib/isccfg/aclconf.c
index f748199b744..9f2fea573ba 100644
--- a/lib/isccfg/aclconf.c
+++ b/lib/isccfg/aclconf.c
@@ -627,7 +627,7 @@ cfg_acl_fromconfig(const cfg_obj_t *caml, const cfg_obj_t *cctx,
 }
 
 isc_result_t
-cfg_acl_fromconfig2(const cfg_obj_t *caml, const cfg_obj_t *cctx,
+cfg_acl_fromconfig2(const cfg_obj_t *acl_data, const cfg_obj_t *cctx,
 isc_log_t *lctx, cfg_aclconfctx_t *ctx, isc_mem_t *mctx,
 unsigned int nest_level, uint16_t family, dns_acl_t **target) {
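Review bot: The port check on the `cfg_obj_asuint32(obj_port) >= UINT16_MAX` line rejects 65535 together with everything above it; unless that deliberately mirrors the other port range checks in check.c, the comparison should be `> UINT16_MAX`. The two validation branches also treat `result` differently: the port branch only sets `ISC_R_RANGE` when result is still ISC_R_SUCCESS, while the transport branch overwrites whatever result was already there with `ISC_R_FAILURE`; one convention should be used for both, e.g. `if (result == ISC_R_SUCCESS) { result = ISC_R_FAILURE; }`. A point of style: the loop over `allowed` keeps scanning after a match, so add `break;` after `found = true;`, and the `"protocol for " "zone " "transfers. ..."` fragments can be joined into one literal per line. checkacl begins before this hunk.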
@@ -638,6 +638,9 @@ cfg_acl_fromconfig2(const cfg_obj_t *caml, const cfg_obj_t *cctx,
 dns_iptable_t *iptab;
 int new_nest_level = 0;
 bool setpos;
+ const cfg_obj_t *caml = NULL;
+ const cfg_obj_t *obj_acl_tuple = NULL;
+ const cfg_obj_t *obj_port = NULL, *obj_proto = NULL;
 
 if (nest_level != 0) {
 new_nest_level = nest_level - 1;
@@ -647,6 +650,19 @@ cfg_acl_fromconfig2(const cfg_obj_t *caml, const cfg_obj_t *cctx,
 REQUIRE(target != NULL);
 REQUIRE(*target == NULL || DNS_ACL_VALID(*target));
 
+ REQUIRE(acl_data != NULL);
+ if (cfg_obj_islist(acl_data)) {
+ caml = acl_data;
+ } else {
+ INSIST(cfg_obj_istuple(acl_data));
+ caml = cfg_tuple_get(acl_data, "acl");
+ INSIST(caml != NULL);
+ obj_acl_tuple = cfg_tuple_get(acl_data, "port-transport");
+ INSIST(obj_acl_tuple != NULL);
+ obj_port = cfg_tuple_get(obj_acl_tuple, "port");
+ obj_proto = cfg_tuple_get(obj_acl_tuple, "protocol");
+ }
+
 if (*target != NULL) {
 /*
 * If target already points to an ACL, then we're being
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 4ba4b0a17ce..86d1bf16d93 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
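Review bot: The field names passed to cfg_tuple_get in the @@ -647 hunk do not match the tuple type this commit defines in namedconf.c: `caml = cfg_tuple_get(acl_data, "acl");` and `obj_proto = cfg_tuple_get(obj_acl_tuple, "protocol");` look up fields that are declared there as `"aml"` and `"transport"` (check.c in the same commit also uses `"transport"`). As far as I recall cfg_tuple_get INSISTs when the name is not among the type's fields, so the first allow-transfer written with the new syntax would abort named at config load instead of being parsed; the lines should read `caml = cfg_tuple_get(acl_data, "aml");` and `obj_proto = cfg_tuple_get(obj_acl_tuple, "transport");`. obj_port and obj_proto are declared in the @@ -638 hunk and assigned here but not read within either visible hunk; cfg_acl_fromconfig2 continues past the hunk, so if nothing later consumes them they are dead stores and the port and transport restrictions never reach the ACL that is built.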
@@ -185,6 +185,39 @@ static cfg_type_t cfg_type_listenon = { "listenon", cfg_parse_tuple,
 
 /*% acl */
 
+/*
+ * Encrypted transfer related definitions
+ */
+
+static cfg_tuplefielddef_t cfg_transport_acl_tuple_fields[] = {
+ { "port", &cfg_type_optional_port, 0 },
+ { "transport", &cfg_type_astring, 0 },
+ { NULL, NULL, 0 }
+};
+static cfg_type_t cfg_transport_acl_tuple = {
+ "transport-acl tuple", cfg_parse_kv_tuple,
+ cfg_print_kv_tuple, cfg_doc_kv_tuple,
+ &cfg_rep_tuple, cfg_transport_acl_tuple_fields
+};
+
+static cfg_tuplefielddef_t cfg_transport_acl_fields[] = {
+ { "port-transport", &cfg_transport_acl_tuple, 0 },
+ { "aml", &cfg_type_bracketed_aml, 0 },
+ { NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_transport_acl = {
+ "transport-acl", cfg_parse_tuple, cfg_print_tuple,
+ cfg_doc_tuple, &cfg_rep_tuple, cfg_transport_acl_fields
+};
+
+/*
+ * NOTE: To enable syntax which allows specifying port and protocol,
+ * replace 'cfg_type_bracketed_aml' with
+ * 'cfg_type_transport_acl'.
+ *
+ * Example: acl port 853 protocol tls { ... };
+ */
 static cfg_tuplefielddef_t acl_fields[] = {
 { "name", &cfg_type_astring, 0 },
 { "value", &cfg_type_bracketed_aml, 0 },
@@ -2174,6 +2207,13 @@ static cfg_clausedef_t dnssecpolicy_clauses[] = {
 * Note: CFG_ZONE_* options indicate in which zone types this clause is
 * legal.
 */
+/*
+ * NOTE: To enable syntax which allows specifying port and protocol
+ * within 'allow-*' clauses, replace 'cfg_type_bracketed_aml' with
+ * 'cfg_type_transport_acl'.
+ *
+ * Example: allow-transfer port 853 protocol tls { ... };
+ */
 static cfg_clausedef_t zone_clauses[] = {
 { "allow-notify", &cfg_type_bracketed_aml,
 CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
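Review bot: Both added NOTE comments show the keyword `protocol` in their examples, `acl port 853 protocol tls { ... };` here and `allow-transfer port 853 protocol tls { ... };` in the @@ -2174 hunk, but the field declared in cfg_transport_acl_tuple_fields is `transport`, so the examples would not parse under the grammar this hunk defines; change them to `acl port 853 transport tls { ... };` and `allow-transfer port 853 transport tls { ... };`. The header comment `Encrypted transfer related definitions` is also narrower than the type, which accepts any string for `transport` here and is restricted to tcp or tls only by the check in lib/bind9/check.c. A short comment on cfg_type_transport_acl naming its two fields in order (`port-transport`, then `aml`) and noting that transport validation happens in check.c rather than in the parser would help consumers such as aclconf.c use the right field names.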
@@ -2183,7 +2223,7 @@ static cfg_clausedef_t zone_clauses[] = {
 { "allow-query-on", &cfg_type_bracketed_aml,
 CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR |
 CFG_ZONE_STUB | CFG_ZONE_REDIRECT | CFG_ZONE_STATICSTUB },
- { "allow-transfer", &cfg_type_bracketed_aml,
+ { "allow-transfer", &cfg_type_transport_acl,
 CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR },
 { "allow-update", &cfg_type_bracketed_aml, CFG_ZONE_PRIMARY },
 { "allow-update-forwarding", &cfg_type_bracketed_aml,