From: Evan Hunt Date: Fri, 27 Apr 2018 03:57:41 +0000 (-0700) Subject: remove the experimental authoritative ECS support from named X-Git-Tag: v9.13.1~31^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e324449349313eab1957caf684701207ba04629f;p=thirdparty%2Fbind9.git remove the experimental authoritative ECS support from named - mark the 'geoip-use-ecs' option obsolete; warn when it is used in named.conf - prohibit 'ecs' ACL tags in named.conf; note that this is a fatal error since simply ignoring the tags could make ACLs behave unpredictably - re-simplify the radix and iptable code - clean up dns_acl_match(), dns_aclelement_match(), dns_acl_allowed() and dns_geoip_match() so they no longer take ecs options - remove the ECS-specific unit and system test cases - remove references to ECS from the ARM --- diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c index 627df09b4e2..029420b2ecd 100644 --- a/bin/named/controlconf.c +++ b/bin/named/controlconf.c @@ -230,13 +230,12 @@ address_ok(isc_sockaddr_t *sockaddr, dns_acl_t *acl) { isc_netaddr_fromsockaddr(&netaddr, sockaddr); - result = dns_acl_match(&netaddr, NULL, NULL, 0, NULL, acl, env, &match, - NULL); - - if (result != ISC_R_SUCCESS || match <= 0) + result = dns_acl_match(&netaddr, NULL, acl, env, &match, NULL); + if (result != ISC_R_SUCCESS || match <= 0) { return (ISC_FALSE); - else + } else { return (ISC_TRUE); + } } static isc_result_t diff --git a/bin/named/server.c b/bin/named/server.c index 8017a47be63..8844cf39533 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -3613,8 +3613,7 @@ create_mapped_acl(void) { if (result != ISC_R_SUCCESS) return (result); - result = dns_iptable_addprefix(acl->iptable, &addr, 96, - ISC_TRUE, ISC_FALSE); + result = dns_iptable_addprefix(acl->iptable, &addr, 96, ISC_TRUE); if (result == ISC_R_SUCCESS) dns_acl_attach(acl, &named_g_mapped); dns_acl_detach(&acl); 
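Review bot: The rewritten tail of address_ok spells out both branches with braces where a single expression would do; zoneconf.c's isself in this same commit returns `ISC_TF(view == myview)`, and the same idiom fits here: `return (ISC_TF(result == ISC_R_SUCCESS && match > 0));`. This is purely a matter of form; the truth table of the check is unchanged. address_ok's body begins above the hunk.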
@@ -6262,7 +6261,7 @@ add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr, return (result); result = dns_iptable_addprefix(src_acl->iptable, &netaddr, - 128, ISC_TRUE, ISC_FALSE); + 128, ISC_TRUE); if (result != ISC_R_SUCCESS) goto clean; @@ -7910,11 +7909,6 @@ load_configuration(const char *filename, named_server_t *server, named_geoip_load(NULL); } named_g_aclconfctx->geoip = named_g_geoip; - - obj = NULL; - result = named_config_get(maps, "geoip-use-ecs", &obj); - INSIST(result == ISC_R_SUCCESS); - env->geoip_use_ecs = cfg_obj_asboolean(obj); #endif /* HAVE_GEOIP */ /* @@ -9266,7 +9260,7 @@ shutdown_server(isc_task_t *task, isc_event_t *event) { */ static isc_result_t get_matching_view(isc_netaddr_t *srcaddr, isc_netaddr_t *destaddr, - dns_message_t *message, dns_aclenv_t *env, dns_ecs_t *ecs, + dns_message_t *message, dns_aclenv_t *env, isc_result_t *sigresult, dns_view_t **viewp) { dns_view_t *view; @@ -9283,9 +9277,6 @@ get_matching_view(isc_netaddr_t *srcaddr, isc_netaddr_t *destaddr, message->rdclass == dns_rdataclass_any) { dns_name_t *tsig = NULL; - isc_netaddr_t *addr = NULL; - isc_uint8_t *scope = NULL; - isc_uint8_t source = 0; *sigresult = dns_message_rechecksig(message, view); if (*sigresult == ISC_R_SUCCESS) { @@ -9295,15 +9286,9 @@ get_matching_view(isc_netaddr_t *srcaddr, isc_netaddr_t *destaddr, tsig = dns_tsigkey_identity(tsigkey); } - if (ecs != NULL) { - addr = &ecs->addr; - source = ecs->source; - scope = &ecs->scope; - } - - if (dns_acl_allowed(srcaddr, tsig, addr, source, - scope, view->matchclients, env) && - dns_acl_allowed(destaddr, tsig, NULL, 0, NULL, + if (dns_acl_allowed(srcaddr, tsig, + view->matchclients, env) && + dns_acl_allowed(destaddr, tsig, view->matchdestinations, env) && !(view->matchrecursiveonly && (message->flags & DNS_MESSAGEFLAG_RD) == 0)) 
@@ -14420,7 +14405,6 @@ mkey_destroy(named_server_t *server, dns_view_t *view, isc_buffer_t **text) { return (result); } - static isc_result_t mkey_dumpzone(dns_view_t *view, isc_buffer_t **text) { isc_result_t result; diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c index 47f7faa68be..5bf1853d2ee 100644 --- a/bin/named/statschannel.c +++ b/bin/named/statschannel.c @@ -3196,8 +3196,8 @@ client_ok(const isc_sockaddr_t *fromaddr, void *arg) { isc_netaddr_fromsockaddr(&netaddr, fromaddr); LOCK(&listener->lock); - if (dns_acl_match(&netaddr, NULL, NULL, 0, NULL, listener->acl, env, - &match, NULL) == ISC_R_SUCCESS && match > 0) + if ((dns_acl_match(&netaddr, NULL, listener->acl, env, + &match, NULL) == ISC_R_SUCCESS) && match > 0) { UNLOCK(&listener->lock); return (ISC_TRUE); diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index 0a15234d4a3..a6a59c3231a 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -815,11 +815,12 @@ isself(dns_view_t *myview, dns_tsigkey_t *mykey, tsig = dns_tsigkey_identity(mykey); } - if (dns_acl_allowed(&netsrc, tsig, NULL, 0, NULL, - view->matchclients, env) && - dns_acl_allowed(&netdst, tsig, NULL, 0, NULL, - view->matchdestinations, env)) + if (dns_acl_allowed(&netsrc, tsig, view->matchclients, env) && + dns_acl_allowed(&netdst, tsig, view->matchdestinations, + env)) + { break; + } } return (ISC_TF(view == myview)); } diff --git a/bin/tests/system/acl/ns2/named6.conf.in b/bin/tests/system/acl/ns2/named6.conf.in deleted file mode 100644 index 805942dbae4..00000000000 --- a/bin/tests/system/acl/ns2/named6.conf.in +++ /dev/null 
@@ -1,50 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -key rndc_key { - secret "1234abcd8765"; - algorithm hmac-sha256; -}; - -controls { - inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -options { - query-source address 10.53.0.2; - notify-source 10.53.0.2; - transfer-source 10.53.0.2; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.2; }; - listen-on-v6 { none; }; - recursion no; - notify yes; - ixfr-from-differences yes; - check-integrity no; - allow-query-on { 10.53.0.2; }; -}; - -zone "." { - type hint; - file "../../common/root.hint"; -}; - -zone "example" { - type master; - file "example.db"; -}; - -zone "tsigzone" { - type master; - file "tsigzone.db"; - allow-transfer { ecs 10.53/16; !10/8; }; -}; diff --git a/bin/tests/system/acl/ns2/named7.conf.in b/bin/tests/system/acl/ns2/named7.conf.in deleted file mode 100644 index 5dde6580c64..00000000000 --- a/bin/tests/system/acl/ns2/named7.conf.in +++ /dev/null 
@@ -1,60 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -key rndc_key { - secret "1234abcd8765"; - algorithm hmac-sha256; -}; - -controls { - inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -options { - query-source address 10.53.0.2; - notify-source 10.53.0.2; - transfer-source 10.53.0.2; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.2; }; - listen-on-v6 { none; }; - recursion no; - notify yes; - ixfr-from-differences yes; - check-integrity no; - allow-query-on { 10.53.0.2; }; -}; - -view one { - match-clients { ecs 192.0.2/24; }; - - zone "." { - type hint; - file "../../common/root.hint"; - }; - - zone "example" { - type master; - file "example.db"; - }; -}; - -view two { - zone "." { - type hint; - file "../../common/root.hint"; - }; - - zone "example" { - type master; - file "example.db"; - }; -}; diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh index 09f31f2bb9b..93e5c72afd1 100644 --- a/bin/tests/system/acl/tests.sh +++ b/bin/tests/system/acl/tests.sh 
@@ -144,36 +144,6 @@ $DIG -p ${PORT} +tcp soa example. \ @10.53.0.2 -b 10.53.0.3 > dig.out.${t} grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } -echo_i "testing EDNS client-subnet ACL processing" -copy_setports ns2/named6.conf.in ns2/named.conf -$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i -sleep 5 - -# should fail -t=`expr $t + 1` -$DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 axfr > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; } - -# should succeed -t=`expr $t + 1` -$DIG $DIGOPTS tsigzone. \ - @10.53.0.2 -b 10.53.0.2 +subnet="10.53.0/24" axfr > dig.out.${t} -grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; } - -echo_i "testing EDNS client-subnet response scope" -copy_setports ns2/named7.conf.in ns2/named.conf -$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i -sleep 5 - -t=`expr $t + 1` -$DIG -p ${PORT} example. soa @10.53.0.2 +subnet="10.53.0.1/32" > dig.out.${t} -grep "CLIENT-SUBNET.*10.53.0.1/32/0" dig.out.${t} > /dev/null || { echo_i "test $t failed" ; status=1; } - -t=`expr $t + 1` -$DIG -p ${PORT} example. soa @10.53.0.2 +subnet="192.0.2.128/32" > dig.out.${t} -grep "CLIENT-SUBNET.*192.0.2.128/32/24" dig.out.${t} > /dev/null || { echo_i "test $t failed" ; status=1; } - # AXFR tests against ns3 echo_i "testing allow-transfer ACLs against ns3 (no existing zones)" diff --git a/bin/tests/system/checkconf/bad-geoip-use-ecs.conf b/bin/tests/system/checkconf/bad-geoip-use-ecs.conf new file mode 100644 index 00000000000..37ecfdee6b9 --- /dev/null +++ b/bin/tests/system/checkconf/bad-geoip-use-ecs.conf 
@@ -0,0 +1,14 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + geoip-use-ecs yes; +}; diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index 89b6fdaef32..1b099f10418 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh @@ -396,5 +396,13 @@ grep "trusted-key for dlv.isc.org still present" checkconf.out$n > /dev/null || if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi status=`expr $status + $ret` +echo_i "check that 'geoip-use-ecs no' generates a warning ($n)" +ret=0 +$CHECKCONF warn-geoip-use-ecs.conf > checkconf.out$n 2>/dev/null || ret=1 +[ -s checkconf.out$n ] || ret=1 +grep "'geoip-use-ecs' is obsolete" checkconf.out$n > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi +status=`expr $status + $ret` + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/checkconf/warn-geoip-use-ecs.conf b/bin/tests/system/checkconf/warn-geoip-use-ecs.conf new file mode 100644 index 00000000000..9e2c76499da --- /dev/null +++ b/bin/tests/system/checkconf/warn-geoip-use-ecs.conf @@ -0,0 +1,14 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + geoip-use-ecs no; +}; 
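Review bot: The new checkconf case reuses the previous test's `$n` for its output file name and its log message, so `checkconf.out$n` overwrites the file the preceding dlv test just wrote and two cases report under one number; if the other cases in this script advance the counter, add the script's usual ``n=`expr $n + 1` `` line before `echo_i`. The error path for `geoip-use-ecs yes` (the new bad-geoip-use-ecs.conf together with the ISC_LOG_ERROR in check.c) only gets coverage if this script already iterates over bad-*.conf, which I cannot see from this hunk, so that is worth confirming rather than assuming. The `2>/dev/null` also discards stderr, so the grep relies on named-checkconf emitting the obsolete-option warning on stdout.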
diff --git a/bin/tests/system/geoip/ns2/named14.conf.in b/bin/tests/system/geoip/ns2/named14.conf.in index 6d9d9667b9d..9689b1e2bf4 100644 --- a/bin/tests/system/geoip/ns2/named14.conf.in +++ b/bin/tests/system/geoip/ns2/named14.conf.in @@ -21,7 +21,6 @@ options { listen-on-v6 { none; }; recursion no; geoip-directory "../data"; - geoip-use-ecs no; }; key rndc_key { diff --git a/bin/tests/system/geoip/tests.sh b/bin/tests/system/geoip/tests.sh index cb1473af79a..0722b420c6f 100644 --- a/bin/tests/system/geoip/tests.sh +++ b/bin/tests/system/geoip/tests.sh @@ -35,30 +35,6 @@ done [ $ret -eq 0 ] || echo_i "failed" status=`expr $status + $ret` -n=`expr $n + 1` -echo_i "checking GeoIP country database by code (using client subnet) ($n)" -ret=0 -lret=0 -for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break -done -[ $lret -eq 1 ] && ret=1 -[ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` - -n=`expr $n + 1` -echo_i "checking response scope using client subnet ($n)" -ret=0 -$DIG +tcp -p ${PORT} @10.53.0.2 txt example -b 127.0.0.1 +subnet="10.53.0.1/32" > dig.out.ns2.test$n.1 || ret=1 -grep 'CLIENT-SUBNET.*10.53.0.1/32/32' dig.out.ns2.test$n.1 > /dev/null || ret=1 -$DIG +tcp -p ${PORT} @10.53.0.2 txt example -b 127.0.0.1 +subnet="192.0.2.64/32" > dig.out.ns2.test$n.2 || ret=1 -grep 'CLIENT-SUBNET.*192.0.2.64/32/24' dig.out.ns2.test$n.2 > /dev/null || ret=1 -[ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` - echo_i "reloading server" copy_setports ns2/named2.conf.in ns2/named.conf $RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i 
@@ -137,20 +113,6 @@ done status=`expr $status + $ret` n=`expr $n + 1` -echo_i "checking GeoIP region database (using client subnet) ($n)" -ret=0 -lret=0 -for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break -done -[ $lret -eq 1 ] && ret=1 -[ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` - - echo_i "reloading server" copy_setports ns2/named6.conf.in ns2/named.conf $RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i @@ -182,20 +144,6 @@ done [ $ret -eq 0 ] || echo_i "failed" status=`expr $status + $ret` -n=`expr $n + 1` -echo_i "checking GeoIP city database (using client subnet) ($n)" -ret=0 -lret=0 -for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break -done -[ $lret -eq 1 ] && ret=1 -[ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` - echo_i "reloading server" copy_setports ns2/named7.conf.in ns2/named.conf $RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i @@ -215,20 +163,6 @@ done [ $ret -eq 0 ] || echo_i "failed" status=`expr $status + $ret` -n=`expr $n + 1` -echo_i "checking GeoIP isp database (using client subnet) ($n)" -ret=0 -lret=0 -for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break -done -[ $lret -eq 1 ] && ret=1 -[ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` - echo_i "reloading server" copy_setports ns2/named8.conf.in ns2/named.conf $RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i 
@@ -248,20 +182,6 @@ done [ $ret -eq 0 ] || echo_i "failed" status=`expr $status + $ret` -n=`expr $n + 1` -echo_i "checking GeoIP org database (using client subnet) ($n)" -ret=0 -lret=0 -for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break -done -[ $lret -eq 1 ] && ret=1 -[ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` - echo_i "reloading server" copy_setports ns2/named9.conf.in ns2/named.conf $RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i @@ -281,20 +201,6 @@ done [ $ret -eq 0 ] || echo_i "failed" status=`expr $status + $ret` -n=`expr $n + 1` -echo_i "checking GeoIP asnum database (using client subnet) ($n)" -ret=0 -lret=0 -for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break -done -[ $lret -eq 1 ] && ret=1 -[ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` - echo_i "reloading server" copy_setports ns2/named10.conf.in ns2/named.conf $RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i @@ -314,20 +220,6 @@ done [ $ret -eq 0 ] || echo_i "failed" status=`expr $status + $ret` -n=`expr $n + 1` -echo_i "checking GeoIP asnum database - ASNNNN only (using client subnet) ($n)" -ret=0 -lret=0 -for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break -done -[ $lret -eq 1 ] && ret=1 -[ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` - echo_i "reloading server" copy_setports ns2/named11.conf.in ns2/named.conf $RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i 
@@ -347,20 +239,6 @@ done [ $ret -eq 0 ] || echo_i "failed" status=`expr $status + $ret` -n=`expr $n + 1` -echo_i "checking GeoIP domain database (using client subnet) ($n)" -ret=0 -lret=0 -for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break -done -[ $lret -eq 1 ] && ret=1 -[ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` - echo_i "reloading server" copy_setports ns2/named12.conf.in ns2/named.conf $RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i @@ -380,20 +258,6 @@ done [ $ret -eq 0 ] || echo_i "failed" status=`expr $status + $ret` -n=`expr $n + 1` -echo_i "checking GeoIP netspeed database (using client subnet) ($n)" -ret=0 -lret=0 -for i in 1 2 3 4; do - $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break -done -[ $lret -eq 1 ] && ret=1 -[ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` - echo_i "reloading server" copy_setports ns2/named13.conf.in ns2/named.conf $RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i 
@@ -426,30 +290,6 @@ done [ $ret -eq 0 ] || echo_i "failed" status=`expr $status + $ret` -echo_i "reloading server" -copy_setports ns2/named14.conf.in ns2/named.conf -$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i -sleep 3 - -n=`expr $n + 1` -echo_i "checking geoip-use-ecs ($n)" -ret=0 -lret=0 -for i in 1 2 3 4 5 6 7; do - $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 - j=`cat dig.out.ns2.test$n.$i | tr -d '"'` - [ "$i" = "$j" ] || lret=1 - [ $lret -eq 1 ] && break - - $DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.ecs.$i || lret=1 - j=`cat dig.out.ns2.test$n.ecs.$i | tr -d '"'` - [ "$j" = "bogus" ] || lret=1 - [ $lret -eq 1 ] && break -done -[ $lret -eq 1 ] && ret=1 -[ $ret -eq 0 ] || echo_i "failed" -status=`expr $status + $ret` - n=`expr $n + 1` echo_i "reloading server with different geoip-directory ($n)" copy_setports ns2/named15.conf.in ns2/named.conf diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 64e2d2d19ba..fdfa9882758 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -5795,12 +5795,9 @@ options { geoip-use-ecs - When BIND is compiled with GeoIP support and configured - with "geoip" ACL elements, this option indicates whether - the EDNS Client Subnet option, if present in a request, - should be used for matching against the GeoIP database. - The default is - geoip-use-ecs yes. + This option was part of an experimental implementation + of the EDNS CLIENT-SUBNET for authoritative servers, + but is now obsolete. 
@@ -16712,37 +16709,8 @@ zone "example.com" { In addition to network addresses and prefixes, which are matched against the source address of the DNS request, ACLs may include elements, which specify the - name of a TSIG or SIG(0) key, or - elements, which specify a network prefix but are only matched - if that prefix matches an EDNS client subnet option included - in the request. + name of a TSIG or SIG(0) key. - - The EDNS Client Subnet (ECS) option is used by a recursive - resolver to inform an authoritative name server of the network - address block from which the original query was received, enabling - authoritative servers to give different answers to the same - resolver for different resolver clients. An ACL containing - an element of the form - ecs prefix - will match if a request arrives in containing an ECS option - encoding an address within that prefix. If the request has no - ECS option, then "ecs" elements are simply ignored. Addresses - in ACLs that are not prefixed with "ecs" are matched only - against the source address. - - - - (Note: The authoritative ECS implementation in - named is based on an early version of the - specification, and is known to have incompatibilities with - other implementations. It is also inefficient, requiring - a separate view for each client subnet to be sent different - answers, and it is unable to correct for overlapping subnets in - the configuration. It can be used for testing purposes, but is - not recommended for production use.) - - When BIND 9 is built with GeoIP support, ACLs can also be used for geographic access restrictions. 
@@ -16787,14 +16755,6 @@ zone "example.com" { database if it is installed, or the "region" database if it is installed, or the "country" database, in that order. - - By default, if a DNS query includes an EDNS Client Subnet (ECS) - option which encodes a non-zero address prefix, then GeoIP ACLs - will be matched against that address prefix. Otherwise, they - are matched against the source address of the query. To - prevent GeoIP ACLs from matching against ECS options, set - the geoip-use-ecs to no. - Some example GeoIP ACLs: diff --git a/lib/bind9/check.c b/lib/bind9/check.c index d57d4ee00ed..b7e276e14b4 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -1602,6 +1602,17 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx, result = ISC_R_RANGE; } + obj = NULL; + (void)cfg_map_get(options, "geoip-use-ecs", &obj); + if (obj != NULL && cfg_obj_asboolean(obj)) { + cfg_obj_log(obj, logctx, ISC_LOG_ERROR, + "'geoip-use-ecs yes': " + "ECS can no longer be used in geoip ACLs"); + if (result == ISC_R_SUCCESS) { + result = ISC_R_FAILURE; + } + } + return (result); } diff --git a/lib/dns/acl.c b/lib/dns/acl.c index 9a9d56ccfe9..925e7ff2949 100644 --- a/lib/dns/acl.c +++ b/lib/dns/acl.c @@ -100,8 +100,7 @@ dns_acl_anyornone(isc_mem_t *mctx, isc_boolean_t neg, dns_acl_t **target) { if (result != ISC_R_SUCCESS) return (result); - result = dns_iptable_addprefix(acl->iptable, NULL, 0, ISC_TF(!neg), - ISC_FALSE); + result = dns_iptable_addprefix(acl->iptable, NULL, 0, ISC_TF(!neg)); if (result != ISC_R_SUCCESS) { dns_acl_detach(&acl); return (result); @@ -183,9 +182,6 @@ dns_acl_isnone(dns_acl_t *acl) isc_result_t dns_acl_match(const isc_netaddr_t *reqaddr, const dns_name_t *reqsigner, - const isc_netaddr_t *ecs, - isc_uint8_t ecslen, - isc_uint8_t *scope, const dns_acl_t *acl, const dns_aclenv_t *env, int *match, 
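Review bot: The new check in check_options rejects `geoip-use-ecs yes` with a message that states the problem but not the remedy; since the option is obsolete in every form, operators are better served by `"'geoip-use-ecs yes': ECS can no longer be used in geoip ACLs; remove the option"`. Failing rather than ignoring the setting is the right call here — an operator who relied on ECS for geoip matching would otherwise get silently different ACL behaviour — so I would not soften it to a warning. If the option was also accepted at view scope, this only catches it when check_options is invoked for view options too, which I cannot verify from the hunk. check_options starts above the hunk.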
@@ -202,7 +198,6 @@ dns_acl_match(const isc_netaddr_t *reqaddr, REQUIRE(reqaddr != NULL); REQUIRE(matchelt == NULL || *matchelt == NULL); - REQUIRE(ecs != NULL || scope == NULL); if (env != NULL && env->match_mapped && addr->family == AF_INET6 && @@ -214,7 +209,7 @@ dns_acl_match(const isc_netaddr_t *reqaddr, /* Always match with host addresses. */ bitlen = (addr->family == AF_INET6) ? 128 : 32; - NETADDR_TO_PREFIX_T(addr, pfx, bitlen, ISC_FALSE); + NETADDR_TO_PREFIX_T(addr, pfx, bitlen); /* Assume no match. */ *match = 0; @@ -234,43 +229,6 @@ dns_acl_match(const isc_netaddr_t *reqaddr, isc_refcount_destroy(&pfx.refcount); - /* - * If ecs is not NULL, we search the radix tree again to - * see if we find a better match on an ECS node - */ - if (ecs != NULL) { - node = NULL; - addr = ecs; - - if (env != NULL && env->match_mapped && - addr->family == AF_INET6 && - IN6_IS_ADDR_V4MAPPED(&addr->type.in6)) - { - isc_netaddr_fromv4mapped(&v4addr, addr); - addr = &v4addr; - } - - NETADDR_TO_PREFIX_T(addr, pfx, ecslen, ISC_TRUE); - - result = isc_radix_search(acl->iptable->radix, &node, &pfx); - if (result == ISC_R_SUCCESS && node != NULL) { - int off = ISC_RADIX_OFF(&pfx); - if (match_num == -1 || - node->node_num[off] < match_num) - { - match_num = node->node_num[off]; - if (scope != NULL) - *scope = node->bit; - if (*(isc_boolean_t *) node->data[off]) - *match = match_num; - else - *match = -match_num; - } - } - - isc_refcount_destroy(&pfx.refcount); - } - /* Now search non-radix elements for a match with a lower node_num. */ for (i = 0; i < acl->length; i++) { dns_aclelement_t *e = &acl->elements[i]; @@ -280,8 +238,7 @@ dns_acl_match(const isc_netaddr_t *reqaddr, break; } - if (dns_aclelement_match(reqaddr, reqsigner, ecs, ecslen, - scope, e, env, matchelt)) + if (dns_aclelement_match(reqaddr, reqsigner, e, env, matchelt)) { if (match_num == -1 || e->node_num < match_num) { if (e->negative) 
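Review bot: dns_acl_match loses its ecs, ecslen and scope parameters (and dns_aclelement_match does the same in the following hunks), but the hunks touch only the definitions in acl.c; the prototypes and any contract comments in the public header that described those arguments and the dropped REQUIRE(ecs != NULL || scope == NULL) precondition are outside this chunk and need updating in step, or the header will document parameters that no longer exist. A one-line comment above the remaining radix search, e.g. `/* Match only against the request source address; ECS is not consulted. */`, would record the new semantics for readers who remember the old two-pass lookup. dns_acl_match's signature lies in the previous hunk and its body continues past this one.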
@@ -418,9 +375,6 @@ dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos) isc_boolean_t dns_aclelement_match(const isc_netaddr_t *reqaddr, const dns_name_t *reqsigner, - const isc_netaddr_t *ecs, - isc_uint8_t ecslen, - isc_uint8_t *scope, const dns_aclelement_t *e, const dns_aclenv_t *env, const dns_aclelement_t **matchelt) @@ -428,11 +382,6 @@ dns_aclelement_match(const isc_netaddr_t *reqaddr, dns_acl_t *inner = NULL; int indirectmatch; isc_result_t result; -#ifdef HAVE_GEOIP - const isc_netaddr_t *addr = NULL; -#endif - - REQUIRE(ecs != NULL || scope == NULL); switch (e->type) { case dns_aclelementtype_keyname: @@ -464,17 +413,15 @@ dns_aclelement_match(const isc_netaddr_t *reqaddr, case dns_aclelementtype_geoip: if (env == NULL || env->geoip == NULL) return (ISC_FALSE); - addr = (env->geoip_use_ecs && ecs != NULL) ? ecs : reqaddr; - return (dns_geoip_match(addr, scope, env->geoip, - &e->geoip_elem)); + return (dns_geoip_match(reqaddr, env->geoip, &e->geoip_elem)); #endif default: /* Should be impossible. */ INSIST(0); } - result = dns_acl_match(reqaddr, reqsigner, ecs, ecslen, scope, - inner, env, &indirectmatch, matchelt); + result = dns_acl_match(reqaddr, reqsigner, inner, env, + &indirectmatch, matchelt); INSIST(result == ISC_R_SUCCESS); /* 
@@ -566,28 +513,28 @@ is_insecure(isc_prefix_t *prefix, void **data) { * If all nonexistent or negative then this node is secure. */ if ((data[0] == NULL || !* (isc_boolean_t *) data[0]) && - (data[1] == NULL || !* (isc_boolean_t *) data[1]) && - (data[2] == NULL || !* (isc_boolean_t *) data[2]) && - (data[3] == NULL || !* (isc_boolean_t *) data[3])) + (data[1] == NULL || !* (isc_boolean_t *) data[1])) + { return; + } /* - * If a loopback address found and the other family and - * ecs entry doesn't exist or is negative, return. + * If a loopback address found and the other family + * entry doesn't exist or is negative, return. */ if (prefix->bitlen == 32 && htonl(prefix->add.sin.s_addr) == INADDR_LOOPBACK && - (data[1] == NULL || !* (isc_boolean_t *) data[1]) && - (data[2] == NULL || !* (isc_boolean_t *) data[2]) && - (data[3] == NULL || !* (isc_boolean_t *) data[3])) + (data[1] == NULL || !* (isc_boolean_t *) data[1])) + { return; + } if (prefix->bitlen == 128 && IN6_IS_ADDR_LOOPBACK(&prefix->add.sin6) && - (data[0] == NULL || !* (isc_boolean_t *) data[0]) && - (data[2] == NULL || !* (isc_boolean_t *) data[2]) && - (data[3] == NULL || !* (isc_boolean_t *) data[3])) + (data[0] == NULL || !* (isc_boolean_t *) data[0])) + { return; + } /* Non-negated, non-loopback */ insecure_prefix_found = ISC_TRUE; /* LOCKED */ 
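Review bot: is_insecure now assumes the radix node carries exactly two data slots, but nothing in the hunk says what they are; from the loopback checks (bitlen 32 tests data[1], bitlen 128 tests data[0]) the layout is data[0] = IPv4 entry, data[1] = IPv6 entry, and a comment above the first test, `/* data[0]: IPv4 entry, data[1]: IPv6 entry; NULL or negative means no positive match. */`, would save the next reader from re-deriving it. The correctness of dropping the data[2]/data[3] tests depends on the radix node's data array being shrunk in the same commit, which is outside this chunk; if any path still populated the upper slots, a positive non-loopback entry there would go unnoticed and the ACL would be reported secure. is_insecure's body continues past the hunk.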
@@ -659,18 +606,18 @@ dns_acl_isinsecure(const dns_acl_t *a) { */ isc_boolean_t dns_acl_allowed(isc_netaddr_t *addr, dns_name_t *signer, - isc_netaddr_t *ecs_addr, isc_uint8_t ecs_addrlen, - isc_uint8_t *ecs_scope, dns_acl_t *acl, dns_aclenv_t *aclenv) + dns_acl_t *acl, dns_aclenv_t *aclenv) { int match; isc_result_t result; - if (acl == NULL) + if (acl == NULL) { return (ISC_TRUE); - result = dns_acl_match(addr, signer, ecs_addr, ecs_addrlen, - ecs_scope, acl, aclenv, &match, NULL); - if (result == ISC_R_SUCCESS && match > 0) + } + result = dns_acl_match(addr, signer, acl, aclenv, &match, NULL); + if (result == ISC_R_SUCCESS && match > 0) { return (ISC_TRUE); + } return (ISC_FALSE); } @@ -692,7 +639,6 @@ dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env) { env->match_mapped = ISC_FALSE; #ifdef HAVE_GEOIP env->geoip = NULL; - env->geoip_use_ecs = ISC_FALSE; #endif return (ISC_R_SUCCESS); @@ -711,7 +657,6 @@ dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s) { t->match_mapped = s->match_mapped; #ifdef HAVE_GEOIP t->geoip = s->geoip; - t->geoip_use_ecs = s->geoip_use_ecs; #endif } diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c index 55b2eab85ac..0bcbabe5fcf 100644 --- a/lib/dns/dispatch.c +++ b/lib/dns/dispatch.c @@ -1127,8 +1127,7 @@ udp_recv(isc_event_t *ev_in, dns_dispatch_t *disp, dispsocket_t *dispsock) { */ isc_netaddr_fromsockaddr(&netaddr, &ev->address); if (disp->mgr->blackhole != NULL && - dns_acl_match(&netaddr, NULL, NULL, 0, NULL, - disp->mgr->blackhole, + dns_acl_match(&netaddr, NULL, disp->mgr->blackhole, NULL, &match, NULL) == ISC_R_SUCCESS && match > 0) { diff --git a/lib/dns/dns64.c b/lib/dns/dns64.c index 44917187b08..220caaad007 100644 --- a/lib/dns/dns64.c +++ b/lib/dns/dns64.c @@ -9,7 +9,6 @@ * information regarding copyright ownership. */ - #include #include 
@@ -138,8 +137,8 @@ dns_dns64_aaaafroma(const dns_dns64_t *dns64, const isc_netaddr_t *reqaddr, return (DNS_R_DISALLOWED); if (dns64->clients != NULL) { - result = dns_acl_match(reqaddr, reqsigner, NULL, 0, NULL, - dns64->clients, env, &match, NULL); + result = dns_acl_match(reqaddr, reqsigner, dns64->clients, + env, &match, NULL); if (result != ISC_R_SUCCESS) return (result); if (match <= 0) @@ -152,8 +151,8 @@ dns_dns64_aaaafroma(const dns_dns64_t *dns64, const isc_netaddr_t *reqaddr, memmove(&ina.s_addr, a, 4); isc_netaddr_fromin(&netaddr, &ina); - result = dns_acl_match(&netaddr, NULL, NULL, 0, NULL, - dns64->mapped, env, &match, NULL); + result = dns_acl_match(&netaddr, NULL, dns64->mapped, + env, &match, NULL); if (result != ISC_R_SUCCESS) return (result); if (match <= 0) @@ -227,8 +226,8 @@ dns_dns64_aaaaok(const dns_dns64_t *dns64, const isc_netaddr_t *reqaddr, * Work out if this dns64 structure applies to this client. */ if (dns64->clients != NULL) { - result = dns_acl_match(reqaddr, reqsigner, NULL, 0, - NULL, dns64->clients, env, + result = dns_acl_match(reqaddr, reqsigner, + dns64->clients, env, &match, NULL); if (result != ISC_R_SUCCESS) continue; @@ -266,8 +265,7 @@ dns_dns64_aaaaok(const dns_dns64_t *dns64, const isc_netaddr_t *reqaddr, memmove(&in6.s6_addr, rdata.data, 16); isc_netaddr_fromin6(&netaddr, &in6); - result = dns_acl_match(&netaddr, NULL, NULL, - 0, NULL, + result = dns_acl_match(&netaddr, NULL, dns64->excluded, env, &match, NULL); if (result == ISC_R_SUCCESS && match <= 0) { diff --git a/lib/dns/geoip.c b/lib/dns/geoip.c index cb354820512..e619b318791 100644 --- a/lib/dns/geoip.c +++ b/lib/dns/geoip.c @@ -67,7 +67,6 @@ typedef struct geoip_state { unsigned int family; isc_uint32_t ipnum; geoipv6_t ipnum6; - isc_uint8_t scope; GeoIPRecord *record; GeoIPRegion *region; const char *text; 
@@ -159,7 +158,7 @@ clean_state(geoip_state_t *state) { static isc_result_t set_state(unsigned int family, isc_uint32_t ipnum, const geoipv6_t *ipnum6, - isc_uint8_t scope, dns_geoip_subtype_t subtype, GeoIPRecord *record, + dns_geoip_subtype_t subtype, GeoIPRecord *record, GeoIPRegion *region, char *name, const char *text, int id) { geoip_state_t *state = NULL; @@ -201,7 +200,6 @@ set_state(unsigned int family, isc_uint32_t ipnum, const geoipv6_t *ipnum6, state->family = family; state->subtype = subtype; - state->scope = scope; state->record = record; state->region = region; state->name = name; @@ -248,12 +246,10 @@ get_state_for(unsigned int family, isc_uint32_t ipnum, static const char * country_lookup(GeoIP *db, dns_geoip_subtype_t subtype, unsigned int family, - isc_uint32_t ipnum, const geoipv6_t *ipnum6, - isc_uint8_t *scope) + isc_uint32_t ipnum, const geoipv6_t *ipnum6) { geoip_state_t *prev_state = NULL; const char *text = NULL; - GeoIPLookup gl; REQUIRE(db != NULL); 
@@ -266,40 +262,35 @@ country_lookup(GeoIP *db, dns_geoip_subtype_t subtype, prev_state = get_state_for(family, ipnum, ipnum6); if (prev_state != NULL && prev_state->subtype == subtype) { text = prev_state->text; - if (scope != NULL) - *scope = prev_state->scope; } if (text == NULL) { switch (subtype) { case dns_geoip_country_code: if (family == AF_INET) - text = GeoIP_country_code_by_ipnum_gl(db, - ipnum, &gl); + text = GeoIP_country_code_by_ipnum(db, ipnum); #ifdef HAVE_GEOIP_V6 else - text = GeoIP_country_code_by_ipnum_v6_gl(db, - *ipnum6, &gl); + text = GeoIP_country_code_by_ipnum_v6(db, + *ipnum6); #endif break; case dns_geoip_country_code3: if (family == AF_INET) - text = GeoIP_country_code3_by_ipnum_gl(db, - ipnum, &gl); + text = GeoIP_country_code3_by_ipnum(db, ipnum); #ifdef HAVE_GEOIP_V6 else - text = GeoIP_country_code3_by_ipnum_v6_gl(db, - *ipnum6, &gl); + text = GeoIP_country_code3_by_ipnum_v6(db, + *ipnum6); #endif break; case dns_geoip_country_name: if (family == AF_INET) - text = GeoIP_country_name_by_ipnum_gl(db, - ipnum, &gl); + text = GeoIP_country_name_by_ipnum(db, ipnum); #ifdef HAVE_GEOIP_V6 else - text = GeoIP_country_name_by_ipnum_v6_gl(db, - *ipnum6, &gl); + text = GeoIP_country_name_by_ipnum_v6(db, + *ipnum6); #endif break; default: @@ -309,10 +300,7 @@ country_lookup(GeoIP *db, dns_geoip_subtype_t subtype, if (text == NULL) return (NULL); - if (scope != NULL) - *scope = gl.netmask; - - set_state(family, ipnum, ipnum6, gl.netmask, subtype, + set_state(family, ipnum, ipnum6, subtype, NULL, NULL, NULL, text, 0); } @@ -402,8 +390,7 @@ is_city(dns_geoip_subtype_t subtype) { static GeoIPRecord * city_lookup(GeoIP *db, dns_geoip_subtype_t subtype, unsigned int family, isc_uint32_t ipnum, - const geoipv6_t *ipnum6, - isc_uint8_t *scope) + const geoipv6_t *ipnum6) { GeoIPRecord *record = NULL; geoip_state_t *prev_state = NULL; 
@@ -419,8 +406,6 @@ city_lookup(GeoIP *db, dns_geoip_subtype_t subtype, prev_state = get_state_for(family, ipnum, ipnum6); if (prev_state != NULL && is_city(prev_state->subtype)) { record = prev_state->record; - if (scope != NULL) - *scope = record->netmask; } if (record == NULL) { @@ -433,11 +418,8 @@ city_lookup(GeoIP *db, dns_geoip_subtype_t subtype, if (record == NULL) return (NULL); - if (scope != NULL) - *scope = record->netmask; - - set_state(family, ipnum, ipnum6, record->netmask, subtype, - record, NULL, NULL, NULL, 0); + set_state(family, ipnum, ipnum6, subtype, record, + NULL, NULL, NULL, 0); } return (record); @@ -485,32 +467,24 @@ is_region(dns_geoip_subtype_t subtype) { * outside the Region database. */ static GeoIPRegion * -region_lookup(GeoIP *db, dns_geoip_subtype_t subtype, - isc_uint32_t ipnum, isc_uint8_t *scope) -{ +region_lookup(GeoIP *db, dns_geoip_subtype_t subtype, isc_uint32_t ipnum) { GeoIPRegion *region = NULL; geoip_state_t *prev_state = NULL; - GeoIPLookup gl; REQUIRE(db != NULL); prev_state = get_state_for(AF_INET, ipnum, NULL); if (prev_state != NULL && is_region(prev_state->subtype)) { region = prev_state->region; - if (scope != NULL) - *scope = prev_state->scope; } if (region == NULL) { - region = GeoIP_region_by_ipnum_gl(db, ipnum, &gl); + region = GeoIP_region_by_ipnum(db, ipnum); if (region == NULL) return (NULL); - if (scope != NULL) - *scope = gl.netmask; - - set_state(AF_INET, ipnum, NULL, gl.netmask, - subtype, NULL, region, NULL, NULL, 0); + set_state(AF_INET, ipnum, NULL, subtype, NULL, + region, NULL, NULL, 0); } return (region); 
@@ -522,32 +496,24 @@ region_lookup(GeoIP *db, dns_geoip_subtype_t subtype, * or was for a search of a different subtype. */ static char * -name_lookup(GeoIP *db, dns_geoip_subtype_t subtype, - isc_uint32_t ipnum, isc_uint8_t *scope) -{ +name_lookup(GeoIP *db, dns_geoip_subtype_t subtype, isc_uint32_t ipnum) { char *name = NULL; geoip_state_t *prev_state = NULL; - GeoIPLookup gl; REQUIRE(db != NULL); prev_state = get_state_for(AF_INET, ipnum, NULL); if (prev_state != NULL && prev_state->subtype == subtype) { name = prev_state->name; - if (scope != NULL) - *scope = prev_state->scope; } if (name == NULL) { - name = GeoIP_name_by_ipnum_gl(db, ipnum, &gl); + name = GeoIP_name_by_ipnum(db, ipnum); if (name == NULL) return (NULL); - if (scope != NULL) - *scope = gl.netmask; - - set_state(AF_INET, ipnum, NULL, gl.netmask, - subtype, NULL, NULL, name, NULL, 0); + set_state(AF_INET, ipnum, NULL, subtype, NULL, NULL, + name, NULL, 0); } return (name); @@ -559,12 +525,9 @@ name_lookup(GeoIP *db, dns_geoip_subtype_t subtype, * different subtype. */ static int -netspeed_lookup(GeoIP *db, dns_geoip_subtype_t subtype, - isc_uint32_t ipnum, isc_uint8_t *scope) -{ +netspeed_lookup(GeoIP *db, dns_geoip_subtype_t subtype, isc_uint32_t ipnum) { geoip_state_t *prev_state = NULL; isc_boolean_t found = ISC_FALSE; - GeoIPLookup gl; int id = -1; REQUIRE(db != NULL); @@ -572,21 +535,16 @@ netspeed_lookup(GeoIP *db, dns_geoip_subtype_t subtype, prev_state = get_state_for(AF_INET, ipnum, NULL); if (prev_state != NULL && prev_state->subtype == subtype) { id = prev_state->id; - if (scope != NULL) - *scope = prev_state->scope; found = ISC_TRUE; } if (!found) { - id = GeoIP_id_by_ipnum_gl(db, ipnum, &gl); + id = GeoIP_id_by_ipnum(db, ipnum); if (id == 0) return (0); - if (scope != NULL) - *scope = gl.netmask; - - set_state(AF_INET, ipnum, NULL, gl.netmask, - subtype, NULL, NULL, NULL, NULL, id); + set_state(AF_INET, ipnum, NULL, subtype, NULL, + NULL, NULL, NULL, id); } return (id); 
@@ -648,7 +606,7 @@ fix_subtype(const isc_netaddr_t *reqaddr, const dns_geoip_databases_t *geoip, #endif /* HAVE_GEOIP */ isc_boolean_t -dns_geoip_match(const isc_netaddr_t *reqaddr, isc_uint8_t *scope, +dns_geoip_match(const isc_netaddr_t *reqaddr, const dns_geoip_databases_t *geoip, const dns_geoip_elem_t *elt) { @@ -711,7 +669,7 @@ dns_geoip_match(const isc_netaddr_t *reqaddr, isc_uint8_t *scope, INSIST(elt->as_string != NULL); - cs = country_lookup(db, subtype, family, ipnum, ipnum6, scope); + cs = country_lookup(db, subtype, family, ipnum, ipnum6); if (cs != NULL && strncasecmp(elt->as_string, cs, maxlen) == 0) return (ISC_TRUE); break; @@ -732,7 +690,7 @@ dns_geoip_match(const isc_netaddr_t *reqaddr, isc_uint8_t *scope, return (ISC_FALSE); record = city_lookup(db, subtype, family, - ipnum, ipnum6, scope); + ipnum, ipnum6); if (record == NULL) break; @@ -748,7 +706,7 @@ dns_geoip_match(const isc_netaddr_t *reqaddr, isc_uint8_t *scope, return (ISC_FALSE); record = city_lookup(db, subtype, family, - ipnum, ipnum6, scope); + ipnum, ipnum6); if (record == NULL) break; @@ -762,7 +720,7 @@ dns_geoip_match(const isc_netaddr_t *reqaddr, isc_uint8_t *scope, return (ISC_FALSE); record = city_lookup(db, subtype, family, - ipnum, ipnum6, scope); + ipnum, ipnum6); if (record == NULL) break; @@ -783,7 +741,7 @@ dns_geoip_match(const isc_netaddr_t *reqaddr, isc_uint8_t *scope, if (family == AF_INET6) return (ISC_FALSE); - region = region_lookup(geoip->region, subtype, ipnum, scope); + region = region_lookup(geoip->region, subtype, ipnum); if (region == NULL) break; @@ -817,7 +775,7 @@ dns_geoip_match(const isc_netaddr_t *reqaddr, isc_uint8_t *scope, if (family == AF_INET6) return (ISC_FALSE); - s = name_lookup(db, subtype, ipnum, scope); + s = name_lookup(db, subtype, ipnum); if (s != NULL) { size_t l; if (strcasecmp(elt->as_string, s) == 0) 
@@ -842,7 +800,7 @@ dns_geoip_match(const isc_netaddr_t *reqaddr, isc_uint8_t *scope, if (family == AF_INET6) return (ISC_FALSE); - id = netspeed_lookup(geoip->netspeed, subtype, ipnum, scope); + id = netspeed_lookup(geoip->netspeed, subtype, ipnum); if (id == elt->as_int) return (ISC_TRUE); break; diff --git a/lib/dns/include/dns/acl.h b/lib/dns/include/dns/acl.h index e5f703e35ec..94b16bd82da 100644 --- a/lib/dns/include/dns/acl.h +++ b/lib/dns/include/dns/acl.h @@ -95,7 +95,6 @@ struct dns_aclenv { isc_boolean_t match_mapped; #ifdef HAVE_GEOIP dns_geoip_databases_t *geoip; - isc_boolean_t geoip_use_ecs; #endif }; @@ -188,9 +187,7 @@ dns_acl_isinsecure(const dns_acl_t *a); isc_boolean_t dns_acl_allowed(isc_netaddr_t *addr, dns_name_t *signer, - isc_netaddr_t *ecs_addr, isc_uint8_t ecs_addrlen, - isc_uint8_t *ecs_scope, dns_acl_t *acl, dns_aclenv_t - *aclenv); + dns_acl_t *acl, dns_aclenv_t *aclenv); /*%< * Return #ISC_TRUE iff the 'addr', 'signer', or ECS values are * permitted by 'acl' in environment 'aclenv'. @@ -211,9 +208,6 @@ dns_aclenv_destroy(dns_aclenv_t *env); isc_result_t dns_acl_match(const isc_netaddr_t *reqaddr, const dns_name_t *reqsigner, - const isc_netaddr_t *ecs, - isc_uint8_t ecslen, - isc_uint8_t *scope, const dns_acl_t *acl, const dns_aclenv_t *env, int *match, @@ -223,12 +217,7 @@ dns_acl_match(const isc_netaddr_t *reqaddr, * be useful even for weird stuff like the topology and sortlist statements. * * Match the address 'reqaddr', and optionally the key name 'reqsigner', - * and optionally the client prefix 'ecs' of length 'ecslen' - * (reported via EDNS client subnet option) against 'acl'. - * - * 'reqsigner' and 'ecs' may be NULL. If an ACL matches against 'ecs' - * and 'ecslen', then 'scope' will be set to indicate the netmask that - * matched. + * against 'acl'. 'reqsigner' may be NULL. * * If there is a match, '*match' will be set to an integer whose absolute * value corresponds to the order in which the matching value was inserted 
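Review bot: The doc comment on dns_acl_allowed in acl.h is now stale: the hunk removes the ecs_addr, ecs_addrlen and ecs_scope parameters, but the context line that follows still reads `* Return #ISC_TRUE iff the 'addr', 'signer', or ECS values are`. The dns_acl_match comment a few hunks later in the same header was updated to drop the ECS wording, so this one appears to have been missed. Suggest `* Return #ISC_TRUE iff the 'addr' and/or 'signer' are permitted by` followed by the existing `* 'acl' in environment 'aclenv'.` line, so the header no longer documents a contract the function can no longer honour.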
@@ -252,9 +241,6 @@ dns_acl_match(const isc_netaddr_t *reqaddr, isc_boolean_t dns_aclelement_match(const isc_netaddr_t *reqaddr, const dns_name_t *reqsigner, - const isc_netaddr_t *ecs, - isc_uint8_t ecslen, - isc_uint8_t *scope, const dns_aclelement_t *e, const dns_aclenv_t *env, const dns_aclelement_t **matchelt); diff --git a/lib/dns/include/dns/geoip.h b/lib/dns/include/dns/geoip.h index b45d5419fd2..38b1e664189 100644 --- a/lib/dns/include/dns/geoip.h +++ b/lib/dns/include/dns/geoip.h @@ -103,7 +103,7 @@ typedef struct dns_geoip_databases { ISC_LANG_BEGINDECLS isc_boolean_t -dns_geoip_match(const isc_netaddr_t *reqaddr, isc_uint8_t *scope, +dns_geoip_match(const isc_netaddr_t *reqaddr, const dns_geoip_databases_t *geoip, const dns_geoip_elem_t *elt); diff --git a/lib/dns/include/dns/iptable.h b/lib/dns/include/dns/iptable.h index 636884ec67c..ea3dd20c873 100644 --- a/lib/dns/include/dns/iptable.h +++ b/lib/dns/include/dns/iptable.h @@ -9,7 +9,6 @@ * information regarding copyright ownership. */ - #ifndef DNS_IPTABLE_H #define DNS_IPTABLE_H 1 @@ -44,8 +43,7 @@ dns_iptable_create(isc_mem_t *mctx, dns_iptable_t **target); isc_result_t dns_iptable_addprefix(dns_iptable_t *tab, const isc_netaddr_t *addr, - isc_uint16_t bitlen, isc_boolean_t pos, - isc_boolean_t is_ecs); + isc_uint16_t bitlen, isc_boolean_t pos); /* * Add an IP prefix to an existing IP table */ diff --git a/lib/dns/iptable.c b/lib/dns/iptable.c index f44bae7d634..2d723685278 100644 --- a/lib/dns/iptable.c +++ b/lib/dns/iptable.c @@ -56,8 +56,7 @@ static isc_boolean_t dns_iptable_pos = ISC_TRUE; */ isc_result_t dns_iptable_addprefix(dns_iptable_t *tab, const isc_netaddr_t *addr, - isc_uint16_t bitlen, isc_boolean_t pos, - isc_boolean_t is_ecs) + isc_uint16_t bitlen, isc_boolean_t pos) { isc_result_t result; isc_prefix_t pfx; 
@@ -67,7 +66,7 @@ dns_iptable_addprefix(dns_iptable_t *tab, const isc_netaddr_t *addr, INSIST(DNS_IPTABLE_VALID(tab)); INSIST(tab->radix); - NETADDR_TO_PREFIX_T(addr, pfx, bitlen, is_ecs); + NETADDR_TO_PREFIX_T(addr, pfx, bitlen); result = isc_radix_insert(tab->radix, &node, NULL, &pfx); if (result != ISC_R_SUCCESS) { @@ -79,7 +78,7 @@ dns_iptable_addprefix(dns_iptable_t *tab, const isc_netaddr_t *addr, if (pfx.family == AF_UNSPEC) { /* "any" or "none" */ INSIST(pfx.bitlen == 0); - for (i = 0; i < 4; i++) { + for (i = 0; i < 2; i++) { if (node->data[i] == NULL) node->data[i] = pos ? &dns_iptable_pos : &dns_iptable_neg; @@ -122,7 +121,7 @@ dns_iptable_merge(dns_iptable_t *tab, dns_iptable_t *source, isc_boolean_t pos) * could be a security risk. To prevent this, we * just leave the negative nodes negative. */ - for (i = 0; i < 4; i++) { + for (i = 0; i < 2; i++) { if (!pos) { if (node->data[i] && *(isc_boolean_t *) node->data[i]) diff --git a/lib/dns/request.c b/lib/dns/request.c index 679013dc1e4..b55d3fd86e5 100644 --- a/lib/dns/request.c +++ b/lib/dns/request.c @@ -9,7 +9,6 @@ * information regarding copyright ownership. */ - /*! \file */ #include @@ -507,10 +506,12 @@ isblackholed(dns_dispatchmgr_t *dispatchmgr, const isc_sockaddr_t *destaddr) { blackhole = dns_dispatchmgr_getblackhole(dispatchmgr); if (blackhole != NULL) { isc_netaddr_fromsockaddr(&netaddr, destaddr); - if (dns_acl_match(&netaddr, NULL, NULL, 0, NULL, blackhole, - NULL, &match, NULL) == ISC_R_SUCCESS && + if (dns_acl_match(&netaddr, NULL, blackhole, NULL, + &match, NULL) == ISC_R_SUCCESS && match > 0) + { drop = ISC_TRUE; + } } if (drop) { isc_netaddr_format(&netaddr, netaddrstr, sizeof(netaddrstr)); diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 390fbc79a2c..a959876f8d8 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c 
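Review bot: The loop bound changed from 4 to 2 in dns_iptable_addprefix and again in dns_iptable_merge is a bare constant that has to track the size of node->data declared in radix.h, and this chunk shows the isc_prefix change but not the node declaration, so the two loops are now the only place that relationship is stated. If node->data is a fixed-size array, `for (i = 0; i < sizeof(node->data) / sizeof(node->data[0]); i++)` would keep the loops in step with the declaration, or a named constant defined beside the array (placeholder: RADIX_FAMILIES) could be used in both places. A short comment on the first loop, e.g. `/* one data slot per address family after ECS removal */`, would also explain why 2 is the right count; I am inferring the per-family layout from the AF_INET/AF_INET6 description in isc_prefix, so confirm against the node definition. Both enclosing functions begin outside these hunks.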
@@ -3756,11 +3756,13 @@ possibly_mark(fetchctx_t *fctx, dns_adbaddrinfo_t *addr) { if (blackhole != NULL) { int match; - if (dns_acl_match(&ipaddr, NULL, NULL, 0, NULL, blackhole, - &res->view->aclenv, - &match, NULL) == ISC_R_SUCCESS && + if ((dns_acl_match(&ipaddr, NULL, blackhole, + &res->view->aclenv, &match, + NULL) == ISC_R_SUCCESS) && match > 0) + { aborted = ISC_TRUE; + } } if (peer != NULL && @@ -6517,10 +6519,8 @@ is_answeraddress_allowed(dns_view_t *view, dns_name_t *name, isc_netaddr_fromin6(&netaddr, &in6a); } - result = dns_acl_match(&netaddr, NULL, NULL, 0, NULL, - view->denyansweracl, &view->aclenv, - &match, NULL); - + result = dns_acl_match(&netaddr, NULL, view->denyansweracl, + &view->aclenv, &match, NULL); if (result == ISC_R_SUCCESS && match > 0) { isc_netaddr_format(&netaddr, addrbuf, sizeof(addrbuf)); dns_name_format(name, namebuf, sizeof(namebuf)); diff --git a/lib/dns/rrl.c b/lib/dns/rrl.c index 22860ad3495..a6616c55502 100644 --- a/lib/dns/rrl.c +++ b/lib/dns/rrl.c @@ -1022,9 +1022,8 @@ dns_rrl(dns_view_t *view, rrl = view->rrl; if (rrl->exempt != NULL) { isc_netaddr_fromsockaddr(&netclient, client_addr); - result = dns_acl_match(&netclient, NULL, NULL, 0, NULL, - rrl->exempt, &view->aclenv, - &exempt_match, NULL); + result = dns_acl_match(&netclient, NULL, rrl->exempt, + &view->aclenv, &exempt_match, NULL); if (result == ISC_R_SUCCESS && exempt_match > 0) return (DNS_RRL_RESULT_OK); } diff --git a/lib/dns/ssu.c b/lib/dns/ssu.c index 6b7aca1fe59..703e579dd61 100644 --- a/lib/dns/ssu.c +++ b/lib/dns/ssu.c @@ -417,9 +417,8 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer, if (!dns_name_issubdomain(name, rule->name)) { continue; } - dns_acl_match(addr, NULL, NULL, 0, NULL, - env->localhost, NULL, &match, - NULL); + dns_acl_match(addr, NULL, env->localhost, + NULL, &match, NULL); if (match == 0) { if (signer != NULL) { isc_log_write(dns_lctx, 
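Review bot: The dns_acl_match() call in dns_ssutable_checkrules still discards its isc_result_t, and the `if (match == 0)` test on the next line then reads `match` whether or not the call set it; every other caller touched by this commit (rrl.c and resolver.c here, zone.c later) gates on ISC_R_SUCCESS first. Because this check decides whether an update is treated as coming from localhost, failing closed is the safer reading: `result = dns_acl_match(addr, NULL, env->localhost, NULL, &match, NULL);` followed by `if (result != ISC_R_SUCCESS || match == 0) {`, assuming a `result` local exists or can be added. Whether `match` is initialised earlier in the function is not visible, since the function starts outside the hunk; if it is not, the current code reads an indeterminate value on the error path.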
diff --git a/lib/dns/tests/acl_test.c b/lib/dns/tests/acl_test.c index acf29570d6d..910c68c9547 100644 --- a/lib/dns/tests/acl_test.c +++ b/lib/dns/tests/acl_test.c @@ -9,7 +9,6 @@ * information regarding copyright ownership. */ - /*! \file */ #include @@ -38,45 +37,11 @@ ATF_TC_HEAD(dns_acl_isinsecure, tc) { } ATF_TC_BODY(dns_acl_isinsecure, tc) { isc_result_t result; - unsigned int pass; - struct { - isc_boolean_t first; - isc_boolean_t second; - } ecs[] = { - { ISC_FALSE, ISC_FALSE }, - { ISC_TRUE, ISC_TRUE }, - { ISC_TRUE, ISC_FALSE }, - { ISC_FALSE, ISC_TRUE } - }; - dns_acl_t *any = NULL; dns_acl_t *none = NULL; dns_acl_t *notnone = NULL; dns_acl_t *notany = NULL; - dns_acl_t *pos4pos6 = NULL; - dns_acl_t *notpos4pos6 = NULL; - dns_acl_t *neg4pos6 = NULL; - dns_acl_t *notneg4pos6 = NULL; - dns_acl_t *pos4neg6 = NULL; - dns_acl_t *notpos4neg6 = NULL; - dns_acl_t *neg4neg6 = NULL; - dns_acl_t *notneg4neg6 = NULL; - - dns_acl_t *loop4 = NULL; - dns_acl_t *notloop4 = NULL; - - dns_acl_t *loop6 = NULL; - dns_acl_t *notloop6 = NULL; - - dns_acl_t *loop4pos6 = NULL; - dns_acl_t *notloop4pos6 = NULL; - dns_acl_t *loop4neg6 = NULL; - dns_acl_t *notloop4neg6 = NULL; - - struct in_addr inaddr; - isc_netaddr_t addr; - UNUSED(tc); result = dns_test_begin(NULL, ISC_FALSE); 
@@ -110,219 +75,6 @@ ATF_TC_BODY(dns_acl_isinsecure, tc) { dns_acl_detach(¬any); dns_acl_detach(¬none); - for (pass = 0; pass < sizeof(ecs)/sizeof(ecs[0]); pass++) { - result = dns_acl_create(mctx, 1, &pos4pos6); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - result = dns_acl_create(mctx, 1, ¬pos4pos6); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - result = dns_acl_create(mctx, 1, &neg4pos6); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - result = dns_acl_create(mctx, 1, ¬neg4pos6); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - result = dns_acl_create(mctx, 1, &pos4neg6); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - result = dns_acl_create(mctx, 1, ¬pos4neg6); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - result = dns_acl_create(mctx, 1, &neg4neg6); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - result = dns_acl_create(mctx, 1, ¬neg4neg6); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - inaddr.s_addr = htonl(0x0a000000); /* 10.0.0.0 */ - isc_netaddr_fromin(&addr, &inaddr); - result = dns_iptable_addprefix(pos4pos6->iptable, &addr, 8, - ISC_TRUE, ecs[pass].first); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - addr.family = AF_INET6; /* 0a00:: */ - result = dns_iptable_addprefix(pos4pos6->iptable, &addr, 8, - ISC_TRUE, ecs[pass].second); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - result = dns_acl_merge(notpos4pos6, pos4pos6, ISC_FALSE); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - inaddr.s_addr = htonl(0x0a000000); /* !10.0.0.0/8 */ - isc_netaddr_fromin(&addr, &inaddr); - result = dns_iptable_addprefix(neg4pos6->iptable, &addr, 8, - ISC_FALSE, ecs[pass].first); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - addr.family = AF_INET6; /* 0a00::/8 */ - result = dns_iptable_addprefix(neg4pos6->iptable, &addr, 8, - ISC_TRUE, ecs[pass].second); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - result = dns_acl_merge(notneg4pos6, neg4pos6, ISC_FALSE); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - inaddr.s_addr = htonl(0x0a000000); /* 10.0.0.0/8 */ - isc_netaddr_fromin(&addr, &inaddr); - result 
= dns_iptable_addprefix(pos4neg6->iptable, &addr, 8, - ISC_TRUE, ecs[pass].first); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - addr.family = AF_INET6; /* !0a00::/8 */ - result = dns_iptable_addprefix(pos4neg6->iptable, &addr, 8, - ISC_FALSE, ecs[pass].second); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - result = dns_acl_merge(notpos4neg6, pos4neg6, ISC_FALSE); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - inaddr.s_addr = htonl(0x0a000000); /* !10.0.0.0/8 */ - isc_netaddr_fromin(&addr, &inaddr); - result = dns_iptable_addprefix(neg4neg6->iptable, &addr, 8, - ISC_FALSE, ecs[pass].first); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - addr.family = AF_INET6; /* !0a00::/8 */ - result = dns_iptable_addprefix(neg4neg6->iptable, &addr, 8, - ISC_FALSE, ecs[pass].second); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - result = dns_acl_merge(notneg4neg6, neg4neg6, ISC_FALSE); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - ATF_CHECK(dns_acl_isinsecure(pos4pos6)); - ATF_CHECK(!dns_acl_isinsecure(notpos4pos6)); - ATF_CHECK(dns_acl_isinsecure(neg4pos6)); - ATF_CHECK(!dns_acl_isinsecure(notneg4pos6)); - ATF_CHECK(dns_acl_isinsecure(pos4neg6)); - ATF_CHECK(!dns_acl_isinsecure(notpos4neg6)); - ATF_CHECK(!dns_acl_isinsecure(neg4neg6)); - ATF_CHECK(!dns_acl_isinsecure(notneg4neg6)); - - dns_acl_detach(&pos4pos6); - dns_acl_detach(¬pos4pos6); - dns_acl_detach(&neg4pos6); - dns_acl_detach(¬neg4pos6); - dns_acl_detach(&pos4neg6); - dns_acl_detach(¬pos4neg6); - dns_acl_detach(&neg4neg6); - dns_acl_detach(¬neg4neg6); - - result = dns_acl_create(mctx, 1, &loop4); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - result = dns_acl_create(mctx, 1, ¬loop4); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - result = dns_acl_create(mctx, 1, &loop6); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - result = dns_acl_create(mctx, 1, ¬loop6); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - inaddr.s_addr = htonl(0x7f000001); /* 127.0.0.1 */ - isc_netaddr_fromin(&addr, &inaddr); - result = 
dns_iptable_addprefix(loop4->iptable, &addr, 32, - ISC_TRUE, ecs[pass].first); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - result = dns_acl_merge(notloop4, loop4, ISC_FALSE); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - isc_netaddr_fromin6(&addr, &in6addr_loopback); /* ::1 */ - result = dns_iptable_addprefix(loop6->iptable, &addr, 128, - ISC_TRUE, ecs[pass].first); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - result = dns_acl_merge(notloop6, loop6, ISC_FALSE); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - if (!ecs[pass].first) { - ATF_CHECK(!dns_acl_isinsecure(loop4)); - ATF_CHECK(!dns_acl_isinsecure(notloop4)); - ATF_CHECK(!dns_acl_isinsecure(loop6)); - ATF_CHECK(!dns_acl_isinsecure(notloop6)); - } else if (ecs[pass].first) { - ATF_CHECK(dns_acl_isinsecure(loop4)); - ATF_CHECK(!dns_acl_isinsecure(notloop4)); - ATF_CHECK(dns_acl_isinsecure(loop6)); - ATF_CHECK(!dns_acl_isinsecure(notloop6)); - } - - dns_acl_detach(&loop4); - dns_acl_detach(¬loop4); - dns_acl_detach(&loop6); - dns_acl_detach(¬loop6); - - result = dns_acl_create(mctx, 1, &loop4pos6); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - result = dns_acl_create(mctx, 1, ¬loop4pos6); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - result = dns_acl_create(mctx, 1, &loop4neg6); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - result = dns_acl_create(mctx, 1, ¬loop4neg6); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - inaddr.s_addr = htonl(0x7f000001); /* 127.0.0.1 */ - isc_netaddr_fromin(&addr, &inaddr); - result = dns_iptable_addprefix(loop4pos6->iptable, &addr, 32, - ISC_TRUE, ecs[pass].first); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - addr.family = AF_INET6; /* f700:0001::/32 */ - result = dns_iptable_addprefix(loop4pos6->iptable, &addr, 32, - ISC_TRUE, ecs[pass].second); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - result = dns_acl_merge(notloop4pos6, loop4pos6, ISC_FALSE); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - inaddr.s_addr = htonl(0x7f000001); /* 127.0.0.1 */ - isc_netaddr_fromin(&addr, &inaddr); - result 
= dns_iptable_addprefix(loop4neg6->iptable, &addr, 32, - ISC_TRUE, ecs[pass].first); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - addr.family = AF_INET6; /* !f700:0001::/32 */ - result = dns_iptable_addprefix(loop4neg6->iptable, &addr, 32, - ISC_FALSE, ecs[pass].second); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - result = dns_acl_merge(notloop4neg6, loop4neg6, ISC_FALSE); - ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); - - if (!ecs[pass].first && !ecs[pass].second) { - ATF_CHECK(dns_acl_isinsecure(loop4pos6)); - ATF_CHECK(!dns_acl_isinsecure(notloop4pos6)); - ATF_CHECK(!dns_acl_isinsecure(loop4neg6)); - ATF_CHECK(!dns_acl_isinsecure(notloop4neg6)); - } else if (ecs[pass].first && !ecs[pass].second) { - ATF_CHECK(dns_acl_isinsecure(loop4pos6)); - ATF_CHECK(!dns_acl_isinsecure(notloop4pos6)); - ATF_CHECK(dns_acl_isinsecure(loop4neg6)); - ATF_CHECK(!dns_acl_isinsecure(notloop4neg6)); - } else if (!ecs[pass].first && ecs[pass].second) { - ATF_CHECK(dns_acl_isinsecure(loop4pos6)); - ATF_CHECK(!dns_acl_isinsecure(notloop4pos6)); - ATF_CHECK(!dns_acl_isinsecure(loop4neg6)); - ATF_CHECK(!dns_acl_isinsecure(notloop4neg6)); - } else { - ATF_CHECK(dns_acl_isinsecure(loop4pos6)); - ATF_CHECK(!dns_acl_isinsecure(notloop4pos6)); - ATF_CHECK(dns_acl_isinsecure(loop4neg6)); - ATF_CHECK(!dns_acl_isinsecure(notloop4neg6)); - } - - dns_acl_detach(&loop4pos6); - dns_acl_detach(¬loop4pos6); - dns_acl_detach(&loop4neg6); - dns_acl_detach(¬loop4neg6); - } - dns_test_end(); } diff --git a/lib/dns/tests/geoip_test.c b/lib/dns/tests/geoip_test.c index ee3e7be28d8..9d937003179 100644 --- a/lib/dns/tests/geoip_test.c +++ b/lib/dns/tests/geoip_test.c @@ -9,7 +9,6 @@ * information regarding copyright ownership. */ - /*! \file */ #include 
@@ -132,8 +131,8 @@ load_geoip(const char *dir) { } static isc_boolean_t -do_lookup_string(const char *addr, isc_uint8_t *scope, - dns_geoip_subtype_t subtype, const char *string) +do_lookup_string(const char *addr, dns_geoip_subtype_t subtype, + const char *string) { dns_geoip_elem_t elt; struct in_addr in4; @@ -145,12 +144,12 @@ do_lookup_string(const char *addr, isc_uint8_t *scope, elt.subtype = subtype; strlcpy(elt.as_string, string, sizeof(elt.as_string)); - return (dns_geoip_match(&na, scope, &geoip, &elt)); + return (dns_geoip_match(&na, &geoip, &elt)); } static isc_boolean_t -do_lookup_string_v6(const char *addr, isc_uint8_t *scope, - dns_geoip_subtype_t subtype, const char *string) +do_lookup_string_v6(const char *addr, dns_geoip_subtype_t subtype, + const char *string) { dns_geoip_elem_t elt; struct in6_addr in6; @@ -162,13 +161,11 @@ do_lookup_string_v6(const char *addr, isc_uint8_t *scope, elt.subtype = subtype; strlcpy(elt.as_string, string, sizeof(elt.as_string)); - return (dns_geoip_match(&na, scope, &geoip, &elt)); + return (dns_geoip_match(&na, &geoip, &elt)); } static isc_boolean_t -do_lookup_int(const char *addr, isc_uint8_t *scope, - dns_geoip_subtype_t subtype, int id) -{ +do_lookup_int(const char *addr, dns_geoip_subtype_t subtype, int id) { dns_geoip_elem_t elt; struct in_addr in4; isc_netaddr_t na; @@ -179,7 +176,7 @@ do_lookup_int(const char *addr, isc_uint8_t *scope, elt.subtype = subtype; elt.as_int = id; - return (dns_geoip_match(&na, scope, &geoip, &elt)); + return (dns_geoip_match(&na, &geoip, &elt)); } /* @@ -194,7 +191,6 @@ ATF_TC_HEAD(country, tc) { ATF_TC_BODY(country, tc) { isc_result_t result; isc_boolean_t match; - isc_uint8_t scope; UNUSED(tc); 
@@ -209,30 +205,25 @@ ATF_TC_BODY(country, tc) { atf_tc_skip("Database not available"); } - match = do_lookup_string("10.53.0.1", &scope, + match = do_lookup_string("10.53.0.1", dns_geoip_country_code, "AU"); ATF_CHECK(match); - ATF_CHECK_EQ(scope, 32); - match = do_lookup_string("10.53.0.1", &scope, + match = do_lookup_string("10.53.0.1", dns_geoip_country_code3, "AUS"); ATF_CHECK(match); - ATF_CHECK_EQ(scope, 32); - match = do_lookup_string("10.53.0.1", &scope, + match = do_lookup_string("10.53.0.1", dns_geoip_country_name, "Australia"); ATF_CHECK(match); - ATF_CHECK_EQ(scope, 32); - match = do_lookup_string("192.0.2.128", &scope, + match = do_lookup_string("192.0.2.128", dns_geoip_country_code, "O1"); ATF_CHECK(match); - ATF_CHECK_EQ(scope, 24); - match = do_lookup_string("192.0.2.128", &scope, + match = do_lookup_string("192.0.2.128", dns_geoip_country_name, "Other"); ATF_CHECK(match); - ATF_CHECK_EQ(scope, 24); dns_test_end(); } @@ -245,7 +236,6 @@ ATF_TC_HEAD(country_v6, tc) { ATF_TC_BODY(country_v6, tc) { isc_result_t result; isc_boolean_t match; - isc_uint8_t scope; UNUSED(tc); @@ -260,20 +250,17 @@ ATF_TC_BODY(country_v6, tc) { atf_tc_skip("Database not available"); } - match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", &scope, + match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", dns_geoip_country_code, "AU"); ATF_CHECK(match); - ATF_CHECK_EQ(scope, 128); - match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", &scope, + match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", dns_geoip_country_code3, "AUS"); ATF_CHECK(match); - ATF_CHECK_EQ(scope, 128); - match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", &scope, + match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", dns_geoip_country_name, "Australia"); ATF_CHECK(match); - ATF_CHECK_EQ(scope, 128); dns_test_end(); } 
@@ -300,42 +287,42 @@ ATF_TC_BODY(city, tc) { atf_tc_skip("Database not available"); } - match = do_lookup_string("10.53.0.1", NULL, + match = do_lookup_string("10.53.0.1", dns_geoip_city_continentcode, "NA"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.1", NULL, + match = do_lookup_string("10.53.0.1", dns_geoip_city_countrycode, "US"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.1", NULL, + match = do_lookup_string("10.53.0.1", dns_geoip_city_countrycode3, "USA"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.1", NULL, + match = do_lookup_string("10.53.0.1", dns_geoip_city_countryname, "United States"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.1", NULL, + match = do_lookup_string("10.53.0.1", dns_geoip_city_region, "CA"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.1", NULL, + match = do_lookup_string("10.53.0.1", dns_geoip_city_regionname, "California"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.1", NULL, + match = do_lookup_string("10.53.0.1", dns_geoip_city_name, "Redwood City"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.1", NULL, + match = do_lookup_string("10.53.0.1", dns_geoip_city_postalcode, "94063"); ATF_CHECK(match); - match = do_lookup_int("10.53.0.1", NULL, dns_geoip_city_areacode, 650); + match = do_lookup_int("10.53.0.1", dns_geoip_city_areacode, 650); ATF_CHECK(match); - match = do_lookup_int("10.53.0.1", NULL, dns_geoip_city_metrocode, 807); + match = do_lookup_int("10.53.0.1", dns_geoip_city_metrocode, 807); ATF_CHECK(match); dns_test_end(); 
@@ -363,36 +350,36 @@ ATF_TC_BODY(city_v6, tc) { atf_tc_skip("Database not available"); } - match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL, + match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", dns_geoip_city_continentcode, "NA"); ATF_CHECK(match); - match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL, + match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", dns_geoip_city_countrycode, "US"); ATF_CHECK(match); - match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL, + match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", dns_geoip_city_countrycode3, "USA"); ATF_CHECK(match); - match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL, + match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", dns_geoip_city_countryname, "United States"); ATF_CHECK(match); - match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL, + match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", dns_geoip_city_region, "CA"); ATF_CHECK(match); - match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL, + match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", dns_geoip_city_regionname, "California"); ATF_CHECK(match); - match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL, + match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", dns_geoip_city_name, "Redwood City"); ATF_CHECK(match); - match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", NULL, + match = do_lookup_string_v6("fd92:7065:b8e:ffff::1", dns_geoip_city_postalcode, "94063"); ATF_CHECK(match); @@ -422,15 +409,15 @@ ATF_TC_BODY(region, tc) { atf_tc_skip("Database not available"); } - match = do_lookup_string("10.53.0.1", NULL, + match = do_lookup_string("10.53.0.1", dns_geoip_region_code, "CA"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.1", NULL, + match = do_lookup_string("10.53.0.1", dns_geoip_region_name, "California"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.1", NULL, + match = do_lookup_string("10.53.0.1", dns_geoip_region_countrycode, "US"); ATF_CHECK(match); 
@@ -464,30 +451,30 @@ ATF_TC_BODY(best, tc) { atf_tc_skip("Database not available"); } - match = do_lookup_string("10.53.0.4", NULL, + match = do_lookup_string("10.53.0.4", dns_geoip_countrycode, "US"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.4", NULL, + match = do_lookup_string("10.53.0.4", dns_geoip_countrycode3, "USA"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.4", NULL, + match = do_lookup_string("10.53.0.4", dns_geoip_countryname, "United States"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.4", NULL, + match = do_lookup_string("10.53.0.4", dns_geoip_regionname, "Virginia"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.4", NULL, + match = do_lookup_string("10.53.0.4", dns_geoip_region, "VA"); ATF_CHECK(match); GeoIP_delete(geoip.city_v4); geoip.city_v4 = NULL; - match = do_lookup_string("10.53.0.4", NULL, + match = do_lookup_string("10.53.0.4", dns_geoip_countrycode, "AU"); ATF_CHECK(match); @@ -495,26 +482,26 @@ ATF_TC_BODY(best, tc) { * Note, region doesn't support code3 or countryname, so * the next two would be answered from the country database instead */ - match = do_lookup_string("10.53.0.4", NULL, + match = do_lookup_string("10.53.0.4", dns_geoip_countrycode3, "CAN"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.4", NULL, + match = do_lookup_string("10.53.0.4", dns_geoip_countryname, "Canada"); ATF_CHECK(match); GeoIP_delete(geoip.region); geoip.region = NULL; - match = do_lookup_string("10.53.0.4", NULL, + match = do_lookup_string("10.53.0.4", dns_geoip_countrycode, "CA"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.4", NULL, + match = do_lookup_string("10.53.0.4", dns_geoip_countrycode3, "CAN"); ATF_CHECK(match); - match = do_lookup_string("10.53.0.4", NULL, + match = do_lookup_string("10.53.0.4", dns_geoip_countryname, "Canada"); ATF_CHECK(match); 
@@ -545,7 +532,7 @@ ATF_TC_BODY(asnum, tc) { } - match = do_lookup_string("10.53.0.3", NULL, dns_geoip_as_asnum, + match = do_lookup_string("10.53.0.3", dns_geoip_as_asnum, "AS100003 Three Network Labs"); ATF_CHECK(match); @@ -574,7 +561,7 @@ ATF_TC_BODY(isp, tc) { atf_tc_skip("Database not available"); } - match = do_lookup_string("10.53.0.1", NULL, dns_geoip_isp_name, + match = do_lookup_string("10.53.0.1", dns_geoip_isp_name, "One Systems, Inc."); ATF_CHECK(match); @@ -603,7 +590,7 @@ ATF_TC_BODY(org, tc) { atf_tc_skip("Database not available"); } - match = do_lookup_string("10.53.0.2", NULL, dns_geoip_org_name, + match = do_lookup_string("10.53.0.2", dns_geoip_org_name, "Two Technology Ltd."); ATF_CHECK(match); @@ -632,7 +619,7 @@ ATF_TC_BODY(domain, tc) { atf_tc_skip("Database not available"); } - match = do_lookup_string("10.53.0.4", NULL, + match = do_lookup_string("10.53.0.4", dns_geoip_domain_name, "four.com"); ATF_CHECK(match); @@ -661,16 +648,16 @@ ATF_TC_BODY(netspeed, tc) { atf_tc_skip("Database not available"); } - match = do_lookup_int("10.53.0.1", NULL, dns_geoip_netspeed_id, 0); + match = do_lookup_int("10.53.0.1", dns_geoip_netspeed_id, 0); ATF_CHECK(match); - match = do_lookup_int("10.53.0.2", NULL, dns_geoip_netspeed_id, 1); + match = do_lookup_int("10.53.0.2", dns_geoip_netspeed_id, 1); ATF_CHECK(match); - match = do_lookup_int("10.53.0.3", NULL, dns_geoip_netspeed_id, 2); + match = do_lookup_int("10.53.0.3", dns_geoip_netspeed_id, 2); ATF_CHECK(match); - match = do_lookup_int("10.53.0.4", NULL, dns_geoip_netspeed_id, 3); + match = do_lookup_int("10.53.0.4", dns_geoip_netspeed_id, 3); ATF_CHECK(match); dns_test_end(); diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 158e6f83c00..8681b76f07c 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c 
@@ -13205,9 +13205,9 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from, tsigkey = dns_message_gettsigkey(msg); tsig = dns_tsigkey_identity(tsigkey); if (i >= zone->masterscnt && zone->notify_acl != NULL && - dns_acl_match(&netaddr, tsig, NULL, 0, NULL, zone->notify_acl, - &zone->view->aclenv, &match, - NULL) == ISC_R_SUCCESS && + (dns_acl_match(&netaddr, tsig, zone->notify_acl, + &zone->view->aclenv, &match, + NULL) == ISC_R_SUCCESS) && match > 0) { /* Accept notify. */ diff --git a/lib/isc/include/isc/radix.h b/lib/isc/include/isc/radix.h index 131a865d5bb..9b5e2c555b8 100644 --- a/lib/isc/include/isc/radix.h +++ b/lib/isc/include/isc/radix.h @@ -27,7 +27,7 @@ #ifndef _RADIX_H #define _RADIX_H -#define NETADDR_TO_PREFIX_T(na,pt,bits,is_ecs) \ +#define NETADDR_TO_PREFIX_T(na,pt,bits) \ do { \ const void *p = na; \ memset(&(pt), 0, sizeof(pt)); \ @@ -44,7 +44,6 @@ (pt).family = AF_UNSPEC; \ (pt).bitlen = 0; \ } \ - (pt).ecs = is_ecs; \ isc_refcount_init(&(pt).refcount, 0); \ } while(0) @@ -52,7 +51,6 @@ typedef struct isc_prefix { isc_mem_t *mctx; unsigned int family; /* AF_INET | AF_INET6, or AF_UNSPEC for "any" */ unsigned int bitlen; /* 0 for "any" */ - isc_boolean_t ecs; /* ISC_TRUE for an EDNS client subnet address */ isc_refcount_t refcount; union { struct in_addr sin; 
@@ -77,23 +75,17 @@ typedef void (*isc_radix_processfunc_t)(isc_prefix_t *, void **); * return the one that was added first. * * An IPv4 prefix and an IPv6 prefix may share a radix tree node if they - * have the same length and bit pattern (e.g., 127/8 and 7f::/8). Also, - * a node that matches a client address may also match an EDNS client - * subnet address. To disambiguate between these, node_num and data - * are four-element arrays; + * have the same length and bit pattern (e.g., 127/8 and 7f::/8). To + * disambiguate between them, node_num and data are two-element arrays: * * - node_num[0] and data[0] are used for IPv4 client addresses - * - node_num[1] and data[1] for IPv4 client subnet addresses - * - node_num[2] and data[2] are used for IPv6 client addresses - * - node_num[3] and data[3] for IPv6 client subnet addresses + * - node_num[1] and data[1] are used for IPv6 client addresses * * A prefix of 0/0 (aka "any" or "none"), is always stored as IPv4, - * but matches IPv6 addresses too, as well as all client subnet - * addresses. + * but matches all IPv6 addresses too. */ -#define ISC_RADIX_OFF(p) \ - ((((p)->family == AF_INET6) ? 1 : 0) + ((p)->ecs ? 2 : 0)) +#define ISC_RADIX_OFF(p) (((p)->family == AF_INET6) ? 1 : 0) typedef struct isc_radix_node { isc_mem_t *mctx; @@ -101,8 +93,8 @@ typedef struct isc_radix_node { isc_prefix_t *prefix; /* who we are in radix tree */ struct isc_radix_node *l, *r; /* left and right children */ struct isc_radix_node *parent; /* may be used */ - void *data[4]; /* pointers to IPv4 and IPV6 data */ - int node_num[4]; /* which node this was in the tree, + void *data[2]; /* pointers to IPv4 and IPV6 data */ + int node_num[2]; /* which node this was in the tree, or -1 for glue nodes */ } isc_radix_node_t; diff --git a/lib/isc/radix.c b/lib/isc/radix.c index 191d783671f..e8ca32bdc08 100644 --- a/lib/isc/radix.c +++ b/lib/isc/radix.c 
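Review bot: The per-node slot count is now a bare literal in `void *data[2];` and `int node_num[2];`, and the same literal is repeated in every `for (i = 0; i < 2; i++)` loop this commit rewrites in lib/isc/radix.c (the `_clear_radix` INSIST and all the isc_radix_insert hunks). A named constant declared next to ISC_RADIX_OFF (e.g. a new `ISC_RADIX_NSLOTS`, constructed name) used for both the array bounds and the loop limits would tie the slot layout to the macro that indexes it, so the header and the loops cannot drift apart if the layout changes again as it just did. The rewritten comment block is accurate for the two-slot layout; it could also say that ISC_RADIX_OFF is the only way a caller should derive a slot index.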
@@ -9,7 +9,6 @@ * information regarding copyright ownership. */ - /* * This source was adapted from MRT's RCS Ids: * Id: radix.c,v 1.10.2.1 1999/11/29 05:16:24 masaki Exp @@ -64,7 +63,6 @@ _new_prefix(isc_mem_t *mctx, isc_prefix_t **target, int family, void *dest, } prefix->family = family; - prefix->ecs = ISC_FALSE; prefix->mctx = NULL; isc_mem_attach(mctx, &prefix->mctx); @@ -181,9 +179,7 @@ _clear_radix(isc_radix_tree_t *radix, isc_radix_destroyfunc_t func) { func(Xrn->data); } else { INSIST(Xrn->data[0] == NULL && - Xrn->data[1] == NULL && - Xrn->data[2] == NULL && - Xrn->data[3] == NULL); + Xrn->data[1] == NULL); } isc_mem_put(radix->mctx, Xrn, sizeof(*Xrn)); @@ -327,8 +323,9 @@ isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target, if (node == NULL) return (ISC_R_NOMEMORY); node->bit = bitlen; - for (i = 0; i < 4; i++) + for (i = 0; i < 2; i++) { node->node_num[i] = -1; + } node->prefix = NULL; result = _ref_prefix(radix->mctx, &node->prefix, prefix); if (result != ISC_R_SUCCESS) { @@ -347,7 +344,7 @@ isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target, * added to num_added_node at the end of * the merge operation--we don't do it here. */ - for (i = 0; i < 4; i++) { + for (i = 0; i < 2; i++) { if (source->node_num[i] != -1) node->node_num[i] = radix->num_added_node + @@ -358,8 +355,9 @@ isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target, int next = ++radix->num_added_node; if (fam == AF_UNSPEC) { /* "any" or "none" */ - for (i = 0; i < 4; i++) + for (i = 0; i < 2; i++) { node->node_num[i] = next; + } } else { node->node_num[ISC_RADIX_OFF(prefix)] = next; } 
@@ -427,9 +425,10 @@ isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target, /* Set node_num only if it hasn't been set before */ if (source != NULL) { /* Merging nodes */ - for (i = 0; i < 4; i++) { + for (i = 0; i < 2; i++) { if (node->node_num[i] == -1 && - source->node_num[i] != -1) { + source->node_num[i] != -1) + { node->node_num[i] = radix->num_added_node + source->node_num[i]; @@ -440,7 +439,8 @@ isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target, if (fam == AF_UNSPEC) { /* "any" or "none" */ int next = radix->num_added_node + 1; - for (i = 0; i < 4; i++) { + for (i = 0; i < 2; i++) + { if (node->node_num[i] == -1) { node->node_num[i] = next; @@ -464,12 +464,10 @@ isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target, return (result); } INSIST(node->data[0] == NULL && node->node_num[0] == -1 && - node->data[1] == NULL && node->node_num[1] == -1 && - node->data[2] == NULL && node->node_num[2] == -1 && - node->data[3] == NULL && node->node_num[3] == -1); + node->data[1] == NULL && node->node_num[1] == -1); if (source != NULL) { /* Merging node */ - for (i = 0; i < 4; i++) { + for (i = 0; i < 2; i++) { int cur = radix->num_added_node; if (source->node_num[i] != -1) { node->node_num[i] = @@ -481,8 +479,9 @@ isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target, int next = ++radix->num_added_node; if (fam == AF_UNSPEC) { /* "any" or "none" */ - for (i = 0; i < 4; i++) + for (i = 0; i < 2; i++) { node->node_num[i] = next; + } } else { node->node_num[ISC_RADIX_OFF(prefix)] = next; } @@ -514,7 +513,7 @@ isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target, } new_node->parent = NULL; new_node->l = new_node->r = NULL; - for (i = 0; i < 4; i++) { + for (i = 0; i < 2; i++) { new_node->node_num[i] = -1; new_node->data[i] = NULL; } 
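Review bot: Brace placement is inconsistent across the loops this commit rewrites in isc_radix_insert: in the `@@ -440,7 +439,8 @@` hunk a single-line `for (i = 0; i < 2; i++)` gets its opening brace on a separate line, whereas the `@@ -427` and `@@ -464` hunks put it on the same line, and the `@@ -534,7 +533,7 @@` hunk on the next part of the page leaves the body `new_node->node_num[i] = next;` unbraced altogether. The surrounding code reserves the brace-on-its-own-line form for conditions that span multiple lines (as in the `source->node_num[i] != -1)` / `{` pair in this hunk), so the single-line loop should read `for (i = 0; i < 2; i++) {` and the unbraced loop should gain braces like its siblings. isc_radix_insert begins and ends outside these hunks.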
@@ -522,7 +521,7 @@ isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target, if (source != NULL) { /* Merging node */ - for (i = 0; i < 4; i++) { + for (i = 0; i < 2; i++) { int cur = radix->num_added_node; if (source->node_num[i] != -1) { new_node->node_num[i] = @@ -534,7 +533,7 @@ isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target, int next = ++radix->num_added_node; if (fam == AF_UNSPEC) { /* "any" or "none" */ - for (i = 0; i < 4; i++) + for (i = 0; i < 2; i++) new_node->node_num[i] = next; } else { new_node->node_num[ISC_RADIX_OFF(prefix)] = next; @@ -581,7 +580,7 @@ isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target, glue->bit = differ_bit; glue->prefix = NULL; glue->parent = node->parent; - for (i = 0; i < 4; i++) { + for (i = 0; i < 2; i++) { glue->data[i] = NULL; glue->node_num[i] = -1; } diff --git a/lib/isc/tests/radix_test.c b/lib/isc/tests/radix_test.c index 6ca730dff51..77fc8d3a7ac 100644 --- a/lib/isc/tests/radix_test.c +++ b/lib/isc/tests/radix_test.c @@ -46,7 +46,7 @@ ATF_TC_BODY(isc_radix_search, tc) { in_addr.s_addr = inet_addr("3.3.3.0"); isc_netaddr_fromin(&netaddr, &in_addr); - NETADDR_TO_PREFIX_T(&netaddr, prefix, 24, ISC_FALSE); + NETADDR_TO_PREFIX_T(&netaddr, prefix, 24); node = NULL; result = isc_radix_insert(radix, &node, NULL, &prefix); @@ -56,7 +56,7 @@ ATF_TC_BODY(isc_radix_search, tc) { in_addr.s_addr = inet_addr("3.3.0.0"); isc_netaddr_fromin(&netaddr, &in_addr); - NETADDR_TO_PREFIX_T(&netaddr, prefix, 16, ISC_FALSE); + NETADDR_TO_PREFIX_T(&netaddr, prefix, 16); node = NULL; result = isc_radix_insert(radix, &node, NULL, &prefix); @@ -66,7 +66,7 @@ ATF_TC_BODY(isc_radix_search, tc) { in_addr.s_addr = inet_addr("3.3.3.3"); isc_netaddr_fromin(&netaddr, &in_addr); - NETADDR_TO_PREFIX_T(&netaddr, prefix, 22, ISC_FALSE); + NETADDR_TO_PREFIX_T(&netaddr, prefix, 22); node = NULL; result = isc_radix_search(radix, &node, &prefix); 
diff --git a/lib/isccfg/aclconf.c b/lib/isccfg/aclconf.c index b3650c231a2..f9289d84bee 100644 --- a/lib/isccfg/aclconf.c +++ b/lib/isccfg/aclconf.c @@ -711,7 +711,6 @@ cfg_acl_fromconfig2(const cfg_obj_t *caml, const cfg_obj_t *cctx, /* Network prefix */ isc_netaddr_t addr; unsigned int bitlen; - isc_boolean_t setecs; cfg_obj_asnetprefix(ce, &addr, &bitlen); if (family != 0 && family != addr.family) { @@ -739,9 +738,8 @@ cfg_acl_fromconfig2(const cfg_obj_t *caml, const cfg_obj_t *cctx, * the nestedacl element, not the iptable entry. */ setpos = ISC_TF(nest_level != 0 || !neg); - setecs = cfg_obj_istype(ce, &cfg_type_ecsprefix); result = dns_iptable_addprefix(iptab, &addr, bitlen, - setpos, setecs); + setpos); if (result != ISC_R_SUCCESS) goto cleanup; @@ -815,8 +813,7 @@ nested_acl: /* Iptable entry with zero bit length. */ setpos = ISC_TF(nest_level != 0 || !neg); result = dns_iptable_addprefix(iptab, NULL, 0, - setpos, - ISC_FALSE); + setpos); if (result != ISC_R_SUCCESS) goto cleanup; @@ -836,8 +833,7 @@ nested_acl: */ setpos = ISC_TF(nest_level != 0 || neg); result = dns_iptable_addprefix(iptab, NULL, 0, - setpos, - ISC_FALSE); + setpos); if (result != ISC_R_SUCCESS) goto cleanup; diff --git a/lib/isccfg/include/isccfg/namedconf.h b/lib/isccfg/include/isccfg/namedconf.h index 0a191c9a33b..f75e56191fe 100644 --- a/lib/isccfg/include/isccfg/namedconf.h +++ b/lib/isccfg/include/isccfg/namedconf.h @@ -9,7 +9,6 @@ * information regarding copyright ownership. */ - #ifndef ISCCFG_NAMEDCONF_H #define ISCCFG_NAMEDCONF_H 1 @@ -47,9 +46,6 @@ LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_sessionkey; LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_keyref; /*%< A key reference, used as an ACL element */ -/*%< An EDNS client subnet address, used as an ACL element */ -LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_ecsprefix; - /*%< Zone options */ LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_zoneopts; 
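Review bot: Removing the `LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_ecsprefix;` declaration from namedconf.h (and its definition in namedconf.c) drops a symbol from libisccfg's exported interface, and nothing in the visible diff updates the library's interface-version record. If that bump is not elsewhere in the commit, an out-of-tree consumer built against the old header would now fail to resolve the symbol at link or load time rather than at compile time. Worth confirming before merge, since the rest of the change is mechanical.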
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 870c61df598..c9cd59bd8d8 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -1084,12 +1084,11 @@ options_clauses[] = { #endif /* HAVE_DNSTAP */ #ifdef HAVE_GEOIP { "geoip-directory", &cfg_type_qstringornone, 0 }, - { "geoip-use-ecs", &cfg_type_boolean, 0 }, #else { "geoip-directory", &cfg_type_qstringornone, CFG_CLAUSEFLAG_NOTCONFIGURED }, - { "geoip-use-ecs", &cfg_type_boolean, CFG_CLAUSEFLAG_NOTCONFIGURED }, #endif /* HAVE_GEOIP */ + { "geoip-use-ecs", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE }, { "has-old-clients", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE }, { "heartbeat-interval", &cfg_type_uint32, 0 }, { "host-statistics", &cfg_type_boolean, CFG_CLAUSEFLAG_NOTIMP }, @@ -3045,16 +3044,6 @@ doc_geoip(cfg_printer_t *pctx, const cfg_type_t *type) { } #endif /* HAVE_GEOIP */ -/*% - * An EDNS client subnet address - */ - -static keyword_type_t ecs_kw = { "ecs", &cfg_type_netprefix }; -LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_ecsprefix = { - "edns_client_subnet", parse_keyvalue, print_keyvalue, doc_keyvalue, - &cfg_rep_netprefix, &ecs_kw -}; - /*% * A "controls" statement is represented as a map with the multivalued * "inet" and "unix" clauses. @@ -3394,9 +3383,6 @@ parse_addrmatchelt(cfg_parser_t *pctx, const cfg_type_t *type, if (pctx->token.type == isc_tokentype_string && (strcasecmp(TOKEN_STRING(pctx), "key") == 0)) { CHECK(cfg_parse_obj(pctx, &cfg_type_keyref, ret)); - } else if (pctx->token.type == isc_tokentype_string && - (strcasecmp(TOKEN_STRING(pctx), "ecs") == 0)) { - CHECK(cfg_parse_obj(pctx, &cfg_type_ecsprefix, ret)); } else if (pctx->token.type == isc_tokentype_string && (strcasecmp(TOKEN_STRING(pctx), "geoip") == 0)) { #ifdef HAVE_GEOIP diff --git a/lib/ns/client.c b/lib/ns/client.c index 59e4b00de18..8c0a0a7aa93 100644 --- a/lib/ns/client.c +++ b/lib/ns/client.c 
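Review bot: Dropping the `ecs` branch from parse_addrmatchelt means an `ecs` keyword in an existing address-match list now falls through to whatever the remaining branches accept, so the failure an operator sees is presumably a generic parse or undefined-ACL error rather than one naming the removed feature; the commit message stresses that these tags must be a hard error because ignoring them would silently change ACL semantics. Unless an explicit rejection lives elsewhere in the commit, a dedicated branch would make the refusal deliberate and legible, e.g. `} else if (pctx->token.type == isc_tokentype_string && strcasecmp(TOKEN_STRING(pctx), "ecs") == 0) { cfg_parser_error(pctx, CFG_LOG_NEAR, "'ecs' ACL elements are no longer supported"); return (ISC_R_FAILURE); }`. If such a check does exist, a one-line comment at this spot pointing to it would save the next reader the search. parse_addrmatchelt starts and ends outside the hunk.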
@@ -950,11 +950,12 @@ client_sendpkg(ns_client_t *client, isc_buffer_t *buffer) { isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); if (client->sctx->blackholeacl != NULL && - dns_acl_match(&netaddr, NULL, NULL, 0, NULL, - client->sctx->blackholeacl, - env, &match, NULL) == ISC_R_SUCCESS && + (dns_acl_match(&netaddr, NULL, client->sctx->blackholeacl, + env, &match, NULL) == ISC_R_SUCCESS) && match > 0) + { return (DNS_R_BLACKHOLED); + } sockflags |= ISC_SOCKFLAG_NORETRY; } @@ -1146,7 +1147,7 @@ client_send(ns_client_t *client) { name = &client->message->tsigkey->name; if (client->view->nocasecompress == NULL || - !dns_acl_allowed(&netaddr, name, NULL, 0, NULL, + !dns_acl_allowed(&netaddr, name, client->view->nocasecompress, env)) { dns_compress_setsensitive(&cctx, ISC_TRUE); @@ -1755,9 +1756,8 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, int match; isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); - result = dns_acl_match(&netaddr, NULL, NULL, 0, NULL, - view->pad_acl, env, &match, - NULL); + result = dns_acl_match(&netaddr, NULL, view->pad_acl, + env, &match, NULL); if (result == ISC_R_SUCCESS && match > 0) { INSIST(count < DNS_EDNSOPTIONS); @@ -2266,7 +2266,6 @@ ns__client_request(isc_task_t *task, isc_event_t *event) { isc_boolean_t notimp; size_t reqsize; dns_aclenv_t *env; - dns_ecs_t *ecs = NULL; #ifdef HAVE_DNSTAP dns_dtmsgtype_t dtmsgtype; #endif @@ -2379,9 +2378,8 @@ ns__client_request(isc_task_t *task, isc_event_t *event) { env = ns_interfacemgr_getaclenv(client->interface->mgr); if (!TCP_CLIENT(client)) { if (client->sctx->blackholeacl != NULL && - dns_acl_match(&netaddr, NULL, NULL, 0, NULL, - client->sctx->blackholeacl, env, &match, - NULL) == ISC_R_SUCCESS && + (dns_acl_match(&netaddr, NULL, client->sctx->blackholeacl, + env, &match, NULL) == ISC_R_SUCCESS) && match > 0) { ns_client_log(client, DNS_LOGCATEGORY_SECURITY, 
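Review bot: The blackhole-ACL test is rewritten with identical shape in three places in this file — client_sendpkg here, and the `@@ -2379` hunk in ns__client_request and the `@@ -3200` hunk in client_newconn — each spelling out `client->sctx->blackholeacl != NULL && (dns_acl_match(&netaddr, NULL, client->sctx->blackholeacl, env, &match, NULL) == ISC_R_SUCCESS) && match > 0`. Since the commit already touches every copy, folding them into one static helper taking the client, the peer netaddr and the ACL environment would keep the three sites from drifting; the sendpkg site returns DNS_R_BLACKHOLED without the ns_client_log() call the other two make, which looks intentional but is the kind of difference that a shared helper makes visible. The helper below is one way to write it; each enclosing function starts and ends outside its hunk.
```c
/* True when the peer address is covered by the server's blackhole ACL. */
static isc_boolean_t
client_blackholed(ns_client_t *client, isc_netaddr_t *netaddr,
		  dns_aclenv_t *env)
{
	int match;

	if (client->sctx->blackholeacl == NULL) {
		return (ISC_FALSE);
	}
	if (dns_acl_match(netaddr, NULL, client->sctx->blackholeacl,
			  env, &match, NULL) != ISC_R_SUCCESS)
	{
		return (ISC_FALSE);
	}
	return (ISC_TF(match > 0));
}

/* … unchanged: client_sendpkg up to the peer-address conversion … */
	if (client_blackholed(client, &netaddr, env)) {
		return (DNS_R_BLACKHOLED);
	}
```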
@@ -2632,11 +2630,8 @@ ns__client_request(isc_task_t *task, isc_event_t *event) { isc_sockaddr_fromnetaddr(&client->destsockaddr, &client->destaddr, 0); - if ((client->attributes & NS_CLIENTATTR_HAVEECS) != 0) { - ecs = &client->ecs; - } result = client->sctx->matchingview(&netaddr, &client->destaddr, - client->message, env, ecs, + client->message, env, &sigresult, &client->view); if (result != ISC_R_SUCCESS) { char classname[DNS_RDATACLASS_FORMATSIZE]; @@ -3200,9 +3195,8 @@ client_newconn(isc_task_t *task, isc_event_t *event) { isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); if (client->sctx->blackholeacl != NULL && - dns_acl_match(&netaddr, NULL, NULL, 0, NULL, - client->sctx->blackholeacl, - env, &match, NULL) == ISC_R_SUCCESS && + (dns_acl_match(&netaddr, NULL, client->sctx->blackholeacl, + env, &match, NULL) == ISC_R_SUCCESS) && match > 0) { ns_client_log(client, DNS_LOGCATEGORY_SECURITY, @@ -3235,7 +3229,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) { "no more TCP clients(accept): %s", isc_result_totext(result)); } else if (client->sctx->keepresporder == NULL || - !dns_acl_allowed(&netaddr, NULL, NULL, 0, NULL, + !dns_acl_allowed(&netaddr, NULL, client->sctx->keepresporder, env)) { client->pipelined = ISC_TRUE; @@ -3733,8 +3727,6 @@ ns_client_checkaclsilent(ns_client_t *client, isc_netaddr_t *netaddr, isc_result_t result; dns_aclenv_t *env = ns_interfacemgr_getaclenv(client->interface->mgr); isc_netaddr_t tmpnetaddr; - isc_netaddr_t *ecs_addr = NULL; - isc_uint8_t ecs_addrlen = 0; int match; if (acl == NULL) { 
@@ -3749,15 +3741,8 @@ ns_client_checkaclsilent(ns_client_t *client, isc_netaddr_t *netaddr, netaddr = &tmpnetaddr; } - if ((client->attributes & NS_CLIENTATTR_HAVEECS) != 0) { - ecs_addr = &client->ecs.addr; - ecs_addrlen = client->ecs.source; - } - - result = dns_acl_match(netaddr, client->signer, - ecs_addr, ecs_addrlen, NULL, acl, + result = dns_acl_match(netaddr, client->signer, acl, env, &match, NULL); - if (result != ISC_R_SUCCESS) goto deny; /* Internal error, already logged. */ diff --git a/lib/ns/include/ns/server.h b/lib/ns/include/ns/server.h index 7f738ccd839..880de7dad21 100644 --- a/lib/ns/include/ns/server.h +++ b/lib/ns/include/ns/server.h @@ -59,7 +59,7 @@ typedef void */ typedef isc_result_t (*ns_matchview_t)(isc_netaddr_t *srcaddr, isc_netaddr_t *destaddr, - dns_message_t *message, dns_aclenv_t *env, dns_ecs_t *ecs, + dns_message_t *message, dns_aclenv_t *env, isc_result_t *sigresultp, dns_view_t **viewp); /*% diff --git a/lib/ns/interfacemgr.c b/lib/ns/interfacemgr.c index 9538d7fe99b..622189a090f 100644 --- a/lib/ns/interfacemgr.c +++ b/lib/ns/interfacemgr.c @@ -760,7 +760,7 @@ setup_locals(ns_interfacemgr_t *mgr, isc_interface_t *interface) { /* First add localhost address */ prefixlen = (netaddr->family == AF_INET) ? 32 : 128; result = dns_iptable_addprefix(mgr->aclenv.localhost->iptable, - netaddr, prefixlen, ISC_TRUE, ISC_FALSE); + netaddr, prefixlen, ISC_TRUE); if (result != ISC_R_SUCCESS) return (result); @@ -790,7 +790,7 @@ setup_locals(ns_interfacemgr_t *mgr, isc_interface_t *interface) { } result = dns_iptable_addprefix(mgr->aclenv.localnets->iptable, - netaddr, prefixlen, ISC_TRUE, ISC_FALSE); + netaddr, prefixlen, ISC_TRUE); if (result != ISC_R_SUCCESS) return (result); 
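Review bot: The ns_matchview_t typedef in server.h loses its `dns_ecs_t *ecs` parameter, but the descriptive comment that precedes the typedef (its closing `*/` is the hunk's first context line) lies outside the hunk; if that comment enumerated the callback's arguments it needs the same trim, since stale parameter documentation on a function-pointer type is easy to overlook. The callers in client.c and the stub in nstest.c are updated consistently with the new signature.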
@@ -1049,11 +1049,11 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, * See if the address matches the listen-on statement; * if not, ignore the interface. */ - (void)dns_acl_match(&listen_netaddr, NULL, NULL, 0, - NULL, le->acl, &mgr->aclenv, - &match, NULL); - if (match <= 0) + (void)dns_acl_match(&listen_netaddr, NULL, le->acl, + &mgr->aclenv, &match, NULL); + if (match <= 0) { continue; + } if (adjusting == ISC_FALSE && dolistenon == ISC_TRUE) { setup_listenon(mgr, &interface, le->port); @@ -1081,18 +1081,20 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen, match = 0; for (ele = ISC_LIST_HEAD(ext_listen->elts); ele != NULL; - ele = ISC_LIST_NEXT(ele, link)) { + ele = ISC_LIST_NEXT(ele, link)) + { (void)dns_acl_match(&listen_netaddr, - NULL, NULL, 0, NULL, ele->acl, NULL, &match, - NULL); + NULL); if (match > 0 && (ele->port == le->port || ele->port == 0)) + { break; - else + } else { match = 0; + } } if (ipv6_wildcard == ISC_TRUE && match == 0) continue; diff --git a/lib/ns/sortlist.c b/lib/ns/sortlist.c index f83689bc57c..3d6ce88a446 100644 --- a/lib/ns/sortlist.c +++ b/lib/ns/sortlist.c @@ -64,8 +64,8 @@ ns_sortlist_setup(dns_acl_t *acl, dns_aclenv_t *env, try_elt = e; } - if (dns_aclelement_match(clientaddr, NULL, NULL, 0, NULL, - try_elt, env, &matched_elt)) + if (dns_aclelement_match(clientaddr, NULL, try_elt, + env, &matched_elt)) { if (order_elt != NULL) { if (order_elt->type == @@ -115,14 +115,14 @@ ns_sortlist_addrorder2(const isc_netaddr_t *addr, const void *arg) { const dns_acl_t *sortacl = sla->acl; int match; - (void)dns_acl_match(addr, NULL, NULL, 0, NULL, sortacl, env, &match, - NULL); - if (match > 0) + (void)dns_acl_match(addr, NULL, sortacl, env, &match, NULL); + if (match > 0) { return (match); - else if (match < 0) + } else if (match < 0) { return (INT_MAX - (-match)); - else + } else { return (INT_MAX / 2); + } } int 
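Review bot: Both rewritten call sites in do_scan cast the dns_acl_match() result to `(void)` and then branch on `match`, so the code relies on dns_acl_match() assigning `*match` on every return path including error returns; the second site sets `match = 0;` before its loop, but at the first (`if (match <= 0) { continue; }`) the variable's prior value is not visible in the hunk. If dns_acl_match() does reset `*match` before doing anything else, a comment such as `/* dns_acl_match() resets *match; a failed lookup counts as no match. */` would justify the discarded result; otherwise the result should be checked the way the other callers in this commit do. The same discarded-result pattern appears in ns_sortlist_addrorder2 in the lib/ns/sortlist.c hunk on this line. Separately, the second site passes `NULL` as the ACL environment while the first passes `&mgr->aclenv`; that is pre-existing, but a comment on why the external listen-on list is matched without an environment would help. do_scan starts and ends outside these hunks.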
@@ -131,8 +131,7 @@ ns_sortlist_addrorder1(const isc_netaddr_t *addr, const void *arg) { const dns_aclenv_t *env = sla->env; const dns_aclelement_t *element = sla->element; - if (dns_aclelement_match(addr, NULL, NULL, 0, NULL, element, env, - NULL)) { + if (dns_aclelement_match(addr, NULL, element, env, NULL)) { return (0); } diff --git a/lib/ns/tests/nstest.c b/lib/ns/tests/nstest.c index 11e12c7e9c5..16c2dfaf3f0 100644 --- a/lib/ns/tests/nstest.c +++ b/lib/ns/tests/nstest.c @@ -87,14 +87,13 @@ static isc_logcategory_t categories[] = { static isc_result_t matchview(isc_netaddr_t *srcaddr, isc_netaddr_t *destaddr, - dns_message_t *message, dns_aclenv_t *env, dns_ecs_t *ecs, + dns_message_t *message, dns_aclenv_t *env, isc_result_t *sigresultp, dns_view_t **viewp) { UNUSED(srcaddr); UNUSED(destaddr); UNUSED(message); UNUSED(env); - UNUSED(ecs); UNUSED(sigresultp); UNUSED(viewp);