Additional changes for:

author Mark Andrews <marka@isc.org>

Thu, 18 Oct 2007 05:42:03 +0000 (05:42 +0000)

committer Mark Andrews <marka@isc.org>

Thu, 18 Oct 2007 05:42:03 +0000 (05:42 +0000)
author Mark Andrews <marka@isc.org>
Thu, 18 Oct 2007 05:42:03 +0000 (05:42 +0000)
committer Mark Andrews <marka@isc.org>
Thu, 18 Oct 2007 05:42:03 +0000 (05:42 +0000)
diff --git a/lib/isccfg/aclconf.c b/lib/isccfg/aclconf.c

index bdb4bb0f2274f26c6856e310e731e02c59b1ebce..191228e4b564b4026d745f70a9f13a94b667a8fc 100644 (file)
--- a/lib/isccfg/aclconf.c
+++ b/lib/isccfg/aclconf.c
@@ -15,7 +15,7 @@
   * PERFORMANCE OF THIS SOFTWARE.
   */
  
-/* $Id: aclconf.c,v 1.12 2007/10/12 04:17:18 each Exp $ */
+/* $Id: aclconf.c,v 1.13 2007/10/18 05:42:03 marka Exp $ */
  
  #include <config.h>
  
@@ -239,13 +239,17 @@ cfg_acl_fromconfig(const cfg_obj_t *caml,
                         unsigned int    bitlen;
  
                         cfg_obj_asnetprefix(ce, &addr, &bitlen);
+
+                        /*
+                         * If nesting ACLs (nest_level != 0), we negate
+                         * the nestedacl element, not the iptable entry
+                         */
                         result = dns_iptable_addprefix(iptab, &addr, bitlen,
-                                                      ISC_TF(!neg));
+                                             ISC_TF(nest_level != 0 || !neg));
                         if (result != ISC_R_SUCCESS)
                                 goto cleanup;
  
                         if (nest_level != 0) {
-                               /* This prefix is going into a nested acl */
                                 de->type = dns_aclelementtype_nestedacl;
                                 de->negative = neg;
                         } else
author	Mark Andrews <marka@isc.org>
	Thu, 18 Oct 2007 05:42:03 +0000 (05:42 +0000)
committer	Mark Andrews <marka@isc.org>
	Thu, 18 Oct 2007 05:42:03 +0000 (05:42 +0000)