struct dns_ssurule {
unsigned int magic;
bool grant; /*%< is this a grant or a deny? */
- dns_ssumatchtype_t matchtype; /*%< which type of pattern match?
- * */
+ dns_ssumatchtype_t matchtype; /*%< which type of pattern match? */
dns_name_t *identity; /*%< the identity to match */
dns_name_t *name; /*%< the name being updated */
unsigned int ntypes; /*%< number of data types covered */
dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
const dns_name_t *name, const isc_netaddr_t *addr,
bool tcp, const dns_aclenv_t *env, dns_rdatatype_t type,
- const dst_key_t *key) {
- dns_ssurule_t *rule;
- unsigned int i;
+ const dst_key_t *key, const dns_ssurule_t **rulep) {
dns_fixedname_t fixed;
- dns_name_t *wildcard;
- dns_name_t *tcpself;
dns_name_t *stfself;
- isc_result_t result;
+ dns_name_t *tcpself;
+ dns_name_t *wildcard;
+ dns_ssurule_t *rule;
int match;
+ isc_result_t result;
+ unsigned int i;
REQUIRE(VALID_SSUTABLE(table));
REQUIRE(signer == NULL || dns_name_isabsolute(signer));
continue;
}
}
+ if (rule->grant && rulep != NULL) {
+ *rulep = rule;
+ }
return (rule->grant);
}
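Review bot: The new out-parameter is written only on the granting path (`if (rule->grant && rulep != NULL)`), so a deny match or no match leaves `*rulep` untouched and every caller has to pre-initialise it to NULL, as both callers in this diff do; that contract belongs in the function's header comment, which lies outside this hunk. Something like `rulep: if non-NULL and the update is granted, receives the matching rule; the rule is owned by the table and valid only while the table stays attached; left unmodified on deny or no match, so callers must initialise it` would make the ownership and the "not written on failure" behaviour explicit. dns_ssutable_checkrules starts outside this hunk.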
static isc_result_t
ssu_checkrule(void *data, dns_rdataset_t *rrset) {
- ssu_check_t *ssuinfo = data;
bool result;
+ const dns_ssurule_t *rule = NULL;
+ ssu_check_t *ssuinfo = data;
/*
* If we're deleting all records, it's ok to delete RRSIG and NSEC even
rrset->type == dns_rdatatype_nsec) {
return (ISC_R_SUCCESS);
}
- result = dns_ssutable_checkrules(
- ssuinfo->table, ssuinfo->signer, ssuinfo->name, ssuinfo->addr,
- ssuinfo->tcp, ssuinfo->aclenv, rrset->type, ssuinfo->key);
+ result = dns_ssutable_checkrules(ssuinfo->table, ssuinfo->signer,
+ ssuinfo->name, ssuinfo->addr,
+ ssuinfo->tcp, ssuinfo->aclenv,
+ rrset->type, ssuinfo->key, &rule);
return (result == true ? ISC_R_SUCCESS : ISC_R_FAILURE);
}
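Review bot: `rule` in ssu_checkrule is initialised and passed as `&rule` but its value is never read anywhere in the function, and dns_ssutable_checkrules already tolerates a NULL `rulep`, so the local adds nothing here. Unless a later change reads it, simplify the call to `rrset->type, ssuinfo->key, NULL);` and drop the `const dns_ssurule_t *rule = NULL;` declaration. If it is kept deliberately for symmetry with the prescan loop, a one-line comment saying the matched rule is intentionally unused here would stop the next reader from hunting for a consumer.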
uint64_t records;
dns_aclenv_t *env =
ns_interfacemgr_getaclenv(client->manager->interface->mgr);
+ size_t ruleslen = 0;
+ size_t rule;
+ const dns_ssurule_t **rules = NULL;
INSIST(event->ev_type == DNS_EVENT_UPDATE);
/*
* Perform the Update Section Prescan.
*/
+ if (ssutable != NULL) {
+ ruleslen = request->counts[DNS_SECTION_UPDATE];
+ rules = isc_mem_get(mctx, sizeof(*rules) * ruleslen);
+ memset(rules, 0, sizeof(*rules) * ruleslen);
+ }
- for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
+ for (rule = 0,
+ result = dns_message_firstname(request, DNS_SECTION_UPDATE);
result == ISC_R_SUCCESS;
- result = dns_message_nextname(request, DNS_SECTION_UPDATE))
+ rule++, result = dns_message_nextname(request, DNS_SECTION_UPDATE))
{
dns_name_t *name = NULL;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_ttl_t ttl;
dns_rdataclass_t update_class;
+
+ INSIST(ssutable == NULL || rule < ruleslen);
+
get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, &name,
&rdata, &covers, &ttl, &update_class);
if (!dns_ssutable_checkrules(
ssutable, client->signer, name,
&netaddr, TCPCLIENT(client), env,
- rdata.type, tsigkey))
+ rdata.type, tsigkey, &rules[rule]))
{
FAILC(DNS_R_REFUSED, "rejected by "
"secure update");
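Review bot: `rules` is sized from `request->counts[DNS_SECTION_UPDATE]`, which can be zero for an UPDATE that carries only prerequisites, so `isc_mem_get(mctx, 0)` and `memset(rules, 0, 0)` are reached in that case; if isc_mem_get does not guarantee a usable pointer for a zero-byte request, guard the allocation with `if (ssutable != NULL && request->counts[DNS_SECTION_UPDATE] > 0)` (the `rules != NULL` test before the later `isc_mem_put` already copes with the array being absent). The `INSIST(ssutable == NULL || rule < ruleslen)` relies on every RR of the update section being its own name node, which only holds when the message was parsed with order preserved; a comment stating that assumption next to the INSIST would help whoever next touches the parser flags. Also confirm that the FAILC path from the "rejected by secure update" refusal reaches the `isc_mem_put` at the end of the function, since the jump target is not shown in this hunk. The enclosing function starts and ends outside this hunk.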
*/
options = dns_zone_getoptions(zone);
- for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
+ for (rule = 0,
+ result = dns_message_firstname(request, DNS_SECTION_UPDATE);
result == ISC_R_SUCCESS;
- result = dns_message_nextname(request, DNS_SECTION_UPDATE))
+ rule++, result = dns_message_nextname(request, DNS_SECTION_UPDATE))
{
dns_name_t *name = NULL;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataclass_t update_class;
bool flag;
+ INSIST(ssutable == NULL || rule < ruleslen);
+
get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, &name,
&rdata, &covers, &ttl, &update_class);
dns_db_detach(&db);
}
+ if (rules != NULL) {
+ isc_mem_put(mctx, rules, sizeof(*rules) * ruleslen);
+ }
+
if (ssutable != NULL) {
dns_ssutable_detach(&ssutable);
}
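Review bot: The free of `rules` deliberately precedes `dns_ssutable_detach`, and that order matters: each stored pointer is handed out by dns_ssutable_checkrules from the table's own rules (the iteration itself is outside this diff), so the array would hold dangling pointers once the last reference to the table is dropped. A comment above the new block would protect the ordering from a later reshuffle: `/* rules[] holds pointers owned by ssutable; release it before detaching. */`. The enclosing function starts outside this hunk.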