isc_netaddr_fromsockaddr(&netaddr, sockaddr);
- result = dns_acl_match(&netaddr, NULL, acl, env, &match, NULL);
+ result = dns_acl_match(&netaddr, NULL, NULL, 0, NULL, acl, env, &match,
+ NULL);
if (result != ISC_R_SUCCESS || match <= 0)
return (ISC_FALSE);
isc_netaddr_fromsockaddr(&netaddr, fromaddr);
LOCK(&listener->lock);
- if (dns_acl_match(&netaddr, NULL, listener->acl, env,
+ if (dns_acl_match(&netaddr, NULL, NULL, 0, NULL, listener->acl, env,
&match, NULL) == ISC_R_SUCCESS && match > 0)
{
UNLOCK(&listener->lock);
* return with a positive value in match; for a match with a negated ACL
* element or radix entry, return with a negative value in match.
*/
+
isc_result_t
dns_acl_match(const isc_netaddr_t *reqaddr,
const dns_name_t *reqsigner,
+ const isc_netaddr_t *ecs,
+ isc_uint8_t ecslen,
+ isc_uint8_t *scope,
const dns_acl_t *acl,
const dns_aclenv_t *env,
int *match,
const dns_aclelement_t **matchelt)
-{
- return (dns_acl_match2(reqaddr, reqsigner, NULL, 0, NULL, acl, env,
- match, matchelt));
-}
-
-isc_result_t
-dns_acl_match2(const isc_netaddr_t *reqaddr,
- const dns_name_t *reqsigner,
- const isc_netaddr_t *ecs,
- isc_uint8_t ecslen,
- isc_uint8_t *scope,
- const dns_acl_t *acl,
- const dns_aclenv_t *env,
- int *match,
- const dns_aclelement_t **matchelt)
{
isc_uint16_t bitlen;
isc_prefix_t pfx;
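Review bot: With the two functions merged, `ecslen` now arrives in dns_acl_match straight from callers instead of being pinned to 0 by the old wrapper, and later in this patch client.c derives it from the wire (`ecs_addrlen = client->ecs.source`); the body continues past this hunk, so if it does not already bound the prefix length before `pfx` is built, add a guard such as `REQUIRE(ecs == NULL || ecslen <= (ecs->family == AF_INET ? 32 : 128));` (or return an error) so an over-long client-subnet prefix cannot reach the radix/prefix code. The added blank line at the top of the hunk now separates the `/* ... return with a negative value in match. */` comment from the function it documents; drop it so the comment stays attached. That comment should also mention the three new parameters, in particular that `scope` is a non-const pointer and therefore presumably an output - confirm against the implementation.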
break;
}
- if (dns_aclelement_match2(reqaddr, reqsigner, ecs, ecslen,
- scope, e, env, matchelt))
+ if (dns_aclelement_match(reqaddr, reqsigner, ecs, ecslen,
+ scope, e, env, matchelt))
{
if (match_num == -1 || e->node_num < match_num) {
if (e->negative)
* a reference to a named ACL or a nested ACL, a matching element
* returned through 'matchelt' is not necessarily 'e' itself.
*/
+
isc_boolean_t
dns_aclelement_match(const isc_netaddr_t *reqaddr,
const dns_name_t *reqsigner,
+ const isc_netaddr_t *ecs,
+ isc_uint8_t ecslen,
+ isc_uint8_t *scope,
const dns_aclelement_t *e,
const dns_aclenv_t *env,
const dns_aclelement_t **matchelt)
-{
- return (dns_aclelement_match2(reqaddr, reqsigner, NULL, 0, NULL,
- e, env, matchelt));
-}
-
-isc_boolean_t
-dns_aclelement_match2(const isc_netaddr_t *reqaddr,
- const dns_name_t *reqsigner,
- const isc_netaddr_t *ecs,
- isc_uint8_t ecslen,
- isc_uint8_t *scope,
- const dns_aclelement_t *e,
- const dns_aclenv_t *env,
- const dns_aclelement_t **matchelt)
{
dns_acl_t *inner = NULL;
int indirectmatch;
INSIST(0);
}
- result = dns_acl_match2(reqaddr, reqsigner, ecs, ecslen, scope,
- inner, env, &indirectmatch, matchelt);
+ result = dns_acl_match(reqaddr, reqsigner, ecs, ecslen, scope,
+ inner, env, &indirectmatch, matchelt);
INSIST(result == ISC_R_SUCCESS);
/*
if (acl == NULL)
return (ISC_TRUE);
- result = dns_acl_match2(addr, signer, ecs_addr, ecs_addrlen,
- ecs_scope, acl, aclenv, &match, NULL);
+ result = dns_acl_match(addr, signer, ecs_addr, ecs_addrlen,
+ ecs_scope, acl, aclenv, &match, NULL);
if (result == ISC_R_SUCCESS && match > 0)
return (ISC_TRUE);
return (ISC_FALSE);
*/
isc_netaddr_fromsockaddr(&netaddr, &ev->address);
if (disp->mgr->blackhole != NULL &&
- dns_acl_match(&netaddr, NULL, disp->mgr->blackhole,
+ dns_acl_match(&netaddr, NULL, NULL, 0, NULL,
+ disp->mgr->blackhole,
NULL, &match, NULL) == ISC_R_SUCCESS &&
match > 0)
{
#include <dns/rdata.h>
#include <dns/rdataset.h>
#include <dns/result.h>
+#include <string.h>
struct dns_dns64 {
unsigned char bits[16]; /*
return (DNS_R_DISALLOWED);
if (dns64->clients != NULL) {
- result = dns_acl_match(reqaddr, reqsigner, dns64->clients, env,
- &match, NULL);
+ result = dns_acl_match(reqaddr, reqsigner, NULL, 0, NULL,
+ dns64->clients, env, &match, NULL);
if (result != ISC_R_SUCCESS)
return (result);
if (match <= 0)
memmove(&ina.s_addr, a, 4);
isc_netaddr_fromin(&netaddr, &ina);
- result = dns_acl_match(&netaddr, NULL, dns64->mapped, env,
- &match, NULL);
+ result = dns_acl_match(&netaddr, NULL, NULL, 0, NULL,
+ dns64->mapped, env, &match, NULL);
if (result != ISC_R_SUCCESS)
return (result);
if (match <= 0)
* Work out if this dns64 structure applies to this client.
*/
if (dns64->clients != NULL) {
- result = dns_acl_match(reqaddr, reqsigner,
- dns64->clients, env,
+ result = dns_acl_match(reqaddr, reqsigner, NULL, 0,
+ NULL, dns64->clients, env,
&match, NULL);
if (result != ISC_R_SUCCESS)
continue;
memmove(&in6.s6_addr, rdata.data, 16);
isc_netaddr_fromin6(&netaddr, &in6);
- result = dns_acl_match(&netaddr, NULL,
- dns64->excluded,
- env, &match, NULL);
+ result = dns_acl_match(&netaddr, NULL, NULL,
+ 0, NULL,
+ dns64->excluded, env,
+ &match, NULL);
if (result == ISC_R_SUCCESS && match <= 0) {
answer = ISC_TRUE;
if (aaaaok == NULL)
isc_result_t
dns_acl_match(const isc_netaddr_t *reqaddr,
const dns_name_t *reqsigner,
+ const isc_netaddr_t *ecs,
+ isc_uint8_t ecslen,
+ isc_uint8_t *scope,
const dns_acl_t *acl,
const dns_aclenv_t *env,
int *match,
const dns_aclelement_t **matchelt);
-
-isc_result_t
-dns_acl_match2(const isc_netaddr_t *reqaddr,
- const dns_name_t *reqsigner,
- const isc_netaddr_t *ecs,
- isc_uint8_t ecslen,
- isc_uint8_t *scope,
- const dns_acl_t *acl,
- const dns_aclenv_t *env,
- int *match,
- const dns_aclelement_t **matchelt);
/*%<
* General, low-level ACL matching. This is expected to
* be useful even for weird stuff like the topology and sortlist statements.
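Review bot: The `/*%<` comment below the prototype still describes the old contract and says nothing about the three new parameters `ecs`, `ecslen` and `scope` that every caller must now supply. Add to it, hedged until confirmed against acl.c: `'ecs', if non-NULL, is the EDNS Client Subnet address and 'ecslen' its prefix length (pass NULL, 0 when none); 'scope' may be NULL, otherwise it is written with the scope prefix length of the matching element`, since the non-const `isc_uint8_t *scope` suggests an output. Removing dns_acl_match2 and changing the arity of dns_acl_match in the same release breaks every external caller of either at compile time, which is acceptable for an API bump but deserves a line in the release notes.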
isc_boolean_t
dns_aclelement_match(const isc_netaddr_t *reqaddr,
const dns_name_t *reqsigner,
+ const isc_netaddr_t *ecs,
+ isc_uint8_t ecslen,
+ isc_uint8_t *scope,
const dns_aclelement_t *e,
const dns_aclenv_t *env,
const dns_aclelement_t **matchelt);
-
-isc_boolean_t
-dns_aclelement_match2(const isc_netaddr_t *reqaddr,
- const dns_name_t *reqsigner,
- const isc_netaddr_t *ecs,
- isc_uint8_t ecslen,
- isc_uint8_t *scope,
- const dns_aclelement_t *e,
- const dns_aclenv_t *env,
- const dns_aclelement_t **matchelt);
/*%<
* Like dns_acl_match, but matches against the single ACL element 'e'
* rather than a complete ACL, and returns ISC_TRUE iff it matched.
blackhole = dns_dispatchmgr_getblackhole(dispatchmgr);
if (blackhole != NULL) {
isc_netaddr_fromsockaddr(&netaddr, destaddr);
- if (dns_acl_match(&netaddr, NULL, blackhole,
+ if (dns_acl_match(&netaddr, NULL, NULL, 0, NULL, blackhole,
NULL, &match, NULL) == ISC_R_SUCCESS &&
match > 0)
drop = ISC_TRUE;
if (blackhole != NULL) {
int match;
- if (dns_acl_match(&ipaddr, NULL, blackhole,
+ if (dns_acl_match(&ipaddr, NULL, NULL, 0, NULL, blackhole,
&res->view->aclenv,
&match, NULL) == ISC_R_SUCCESS &&
match > 0)
isc_netaddr_fromin6(&netaddr, &in6a);
}
- result = dns_acl_match(&netaddr, NULL, view->denyansweracl,
- &view->aclenv, &match, NULL);
+ result = dns_acl_match(&netaddr, NULL, NULL, 0, NULL,
+ view->denyansweracl, &view->aclenv,
+ &match, NULL);
if (result == ISC_R_SUCCESS && match > 0) {
isc_netaddr_format(&netaddr, addrbuf, sizeof(addrbuf));
rrl = view->rrl;
if (rrl->exempt != NULL) {
isc_netaddr_fromsockaddr(&netclient, client_addr);
- result = dns_acl_match(&netclient, NULL, rrl->exempt,
- &view->aclenv, &exempt_match, NULL);
+ result = dns_acl_match(&netclient, NULL, NULL, 0, NULL,
+ rrl->exempt, &view->aclenv,
+ &exempt_match, NULL);
if (result == ISC_R_SUCCESS && exempt_match > 0)
return (DNS_RRL_RESULT_OK);
}
if (!dns_name_issubdomain(name, rule->name)) {
continue;
}
- dns_acl_match(addr, NULL, env->localhost,
- NULL, &match, NULL);
+ dns_acl_match(addr, NULL, NULL, 0, NULL,
+ env->localhost, NULL, &match,
+ NULL);
if (match == 0) {
if (signer != NULL) {
isc_log_write(dns_lctx,
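Review bot: The return value of dns_acl_match is discarded and `match` is then tested with `if (match == 0)`; that is only safe if the function stores to `*match` on every path including its early error returns, otherwise an uninitialized int decides the localhost check. Either initialize the variable at its declaration (outside the hunk), `int match = 0;`, or test the result: `if (dns_acl_match(addr, NULL, NULL, 0, NULL, env->localhost, NULL, &match, NULL) != ISC_R_SUCCESS || match == 0)`. The enclosing function starts and ends outside the hunk.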
dns_acl_isinsecure
dns_acl_isnone
dns_acl_match
-dns_acl_match2
dns_acl_merge
dns_acl_none
dns_aclelement_match
-dns_aclelement_match2
dns_aclenv_copy
dns_aclenv_destroy
dns_aclenv_init
tsigkey = dns_message_gettsigkey(msg);
tsig = dns_tsigkey_identity(tsigkey);
if (i >= zone->masterscnt && zone->notify_acl != NULL &&
- dns_acl_match(&netaddr, tsig, zone->notify_acl,
- &zone->view->aclenv,
- &match, NULL) == ISC_R_SUCCESS &&
+ dns_acl_match(&netaddr, tsig, NULL, 0, NULL, zone->notify_acl,
+ &zone->view->aclenv, &match,
+ NULL) == ISC_R_SUCCESS &&
match > 0)
{
/* Accept notify. */
isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
if (client->sctx->blackholeacl != NULL &&
- dns_acl_match(&netaddr, NULL,
+ dns_acl_match(&netaddr, NULL, NULL, 0, NULL,
client->sctx->blackholeacl,
env, &match, NULL) == ISC_R_SUCCESS &&
match > 0)
int match;
isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
- result = dns_acl_match(&netaddr, NULL, view->pad_acl,
- env, &match, NULL);
+ result = dns_acl_match(&netaddr, NULL, NULL, 0, NULL,
+ view->pad_acl, env, &match,
+ NULL);
if (result == ISC_R_SUCCESS && match > 0) {
INSIST(count < DNS_EDNSOPTIONS);
env = ns_interfacemgr_getaclenv(client->interface->mgr);
if (!TCP_CLIENT(client)) {
if (client->sctx->blackholeacl != NULL &&
- dns_acl_match(&netaddr, NULL, client->sctx->blackholeacl,
- env, &match, NULL) == ISC_R_SUCCESS &&
+ dns_acl_match(&netaddr, NULL, NULL, 0, NULL,
+ client->sctx->blackholeacl, env, &match,
+ NULL) == ISC_R_SUCCESS &&
match > 0)
{
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
if (client->sctx->blackholeacl != NULL &&
- dns_acl_match(&netaddr, NULL,
- client->sctx->blackholeacl,
- env, &match, NULL) == ISC_R_SUCCESS &&
+ dns_acl_match(&netaddr, NULL, NULL, 0, NULL,
+ client->sctx->blackholeacl,
+ env, &match, NULL) == ISC_R_SUCCESS &&
match > 0)
{
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
ecs_addrlen = client->ecs.source;
}
- result = dns_acl_match2(netaddr, client->signer,
- ecs_addr, ecs_addrlen, NULL, acl,
- env, &match, NULL);
+ result = dns_acl_match(netaddr, client->signer,
+ ecs_addr, ecs_addrlen, NULL, acl,
+ env, &match, NULL);
if (result != ISC_R_SUCCESS)
goto deny; /* Internal error, already logged. */
* See if the address matches the listen-on statement;
* if not, ignore the interface.
*/
- (void)dns_acl_match(&listen_netaddr, NULL, le->acl,
- &mgr->aclenv, &match, NULL);
+ (void)dns_acl_match(&listen_netaddr, NULL, NULL, 0,
+ NULL, le->acl, &mgr->aclenv,
+ &match, NULL);
if (match <= 0)
continue;
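Review bot: The `(void)` cast drops the result of dns_acl_match and `match <= 0` is tested on the next line, so whether an interface is listened on depends on `match` being written even when the call fails; unless the function is known to initialize `*match` before any early return, check the result here, `if (dns_acl_match(&listen_netaddr, NULL, NULL, 0, NULL, le->acl, &mgr->aclenv, &match, NULL) != ISC_R_SUCCESS || match <= 0) continue;`, or give `match` an initializer where it is declared (outside the hunk). The surrounding loop begins and ends outside the hunk.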
ele != NULL;
ele = ISC_LIST_NEXT(ele, link)) {
(void)dns_acl_match(&listen_netaddr,
+ NULL, NULL, 0,
NULL, ele->acl,
- NULL, &match, NULL);
+ NULL, &match,
+ NULL);
if (match > 0 &&
(ele->port == le->port ||
ele->port == 0))
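Review bot: The re-wrapped call spreads four `NULL`s and a `0` across four short lines (`NULL, NULL, 0,` / `NULL, ele->acl,` / `NULL, &match,` / `NULL);`), which makes it hard to see which argument is which. Group the new ECS triple on its own line so the call reads the same as the other sites in this patch: `(void)dns_acl_match(&listen_netaddr, NULL,` / `NULL, 0, NULL,` / `ele->acl, NULL, &match, NULL);`. The loop this sits in starts outside the hunk.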
try_elt = e;
}
- if (dns_aclelement_match(clientaddr, NULL, try_elt, env,
- &matched_elt))
+ if (dns_aclelement_match(clientaddr, NULL, NULL, 0, NULL,
+ try_elt, env, &matched_elt))
{
if (order_elt != NULL) {
if (order_elt->type ==
const dns_acl_t *sortacl = sla->acl;
int match;
- (void)dns_acl_match(addr, NULL, sortacl, env, &match, NULL);
+ (void)dns_acl_match(addr, NULL, NULL, 0, NULL, sortacl, env, &match,
+ NULL);
if (match > 0)
return (match);
else if (match < 0)
const dns_aclenv_t *env = sla->env;
const dns_aclelement_t *element = sla->element;
- if (dns_aclelement_match(addr, NULL, element, env, NULL)) {
+ if (dns_aclelement_match(addr, NULL, NULL, 0, NULL, element, env,
+ NULL)) {
return (0);
}